The EU Data Act: A Complex Role-Play?
The EU Data Act will start to apply in September 2025. It has become clear that one of the most vexing issues in applying the Data Act to real-life scenarios may in fact be a very basic one: Understanding how the apparatus of roles of the Data Act works in practice, and how it interacts with parallel role definitions of other EU laws. We discuss some of these issues and proposed solutions in this brief article.
Understanding the roles - why does it matter?
To put it bluntly, in order to make any sense of one's rights and obligations under the Data Act, it is crucial to understand what role one is playing. If the roles are misunderstood, compliance with the Data Act rules will go astray. At the dawn of the General Data Protection Regulation (GDPR), there was often confusion about the role of a "data processor" (vs. controller), as exemplified by the somewhat frequent (mis)use of data processing agreements. We see potential for similar confusion this time around, but with potentially even more severe consequences. Get this part right, and you are already well underway.
One or more data holders?
To begin with, the central definition of "data holder" is difficult even by EU law standards. According to the definition, the data holder "means a natural or legal person that has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation adopted in accordance with Union law, to use and make available data".
It sounds like circular reasoning, but it is essentially a complex way of saying that the "data holder" is the party that holds and controls the data and has the ability to make it available to others. Very often, the manufacturer of the connected product is also a data holder, but not always: if the manufacturer no longer has control over the product data after the product has been provided to the user, the manufacturer will not be the data holder, and the roles of the data holder and user coincide. On the other hand, considering the various use cases and scenarios that may fall under the Data Act, and that may involve complex chains of various actors, there may well be several parties that eventually qualify as "data holders".
Enter the GDPR: The tricky question of processors and data holders
To complicate things further, recital 22 of the Regulation states that data processors under the GDPR are not considered to be data holders. However, as discussed below, this approach is not unproblematic, as it may lead to unwarranted differences depending on whether it is a B2C or B2B relationship.
In B2B relationships, it is common that the provider of a connected product or related service involving the processing of personal data acts as a data processor on behalf of the client company (i.e., the user) for GDPR purposes, while the client company is the data controller. This holds true even in situations where the product provider has manufactured the product and is therefore, in principle, the best positioned to control the product's data, indicating the role of the data holder under the Data Act.
If all of the data produced by the connected product is considered personal data, according to recital 22 of the Data Act, the provider of the connected product would in a B2B situation not actually be the data holder, regardless of whether it has actual control over the products, services, or the data produced by it.
It can be argued that the better interpretation in this case would be that the client company, as the GDPR data controller, is simultaneously the data holder and user, and can access the provider-processor's data through the mechanisms of the GDPR. However, since the provider is not the data holder, the client would not have rights against the provider under the Data Act, and correspondingly, the provider would not have obligations.
The situation may become challenging if the product or related service data consists partly of personal data and partly of non-personal data. Based solely on the wording of the Data Act, it cannot be inferred whether in such a situation the "data holder" status is divided between the customer (data holder and controller of personal data) and the provider (i.e., data holder of non-personal data), or whether the client company as a whole would be considered the data holder under the Data Act.
It can be anticipated that until preliminary rulings are issued and the case law is settled, the ambiguity of the definition will be used as an argument in disputes concerning the Data Act; it is relatively easy to imagine a situation where a party refuses to share data, claiming that they are not the data holder.
Is there always a user?
Secondly, we have the role of "user", who is supposedly the party benefiting the most from the Data Act. According to the definition, ‘user’ means a natural or legal person that owns a connected product or to whom temporary rights to use that connected product have been contractually transferred, or that receives related service.
This seems simple, but in practice, we have come across situations where a party that at first appears to be a potential "user" may in fact not be a "user" in the Data Act sense, and where a "product" does not necessarily even have an identifiable "user". Let's elaborate on this briefly:
The definition of "user" requires that there is some form of transfer of rights, even temporarily, to use the product, which can be in the form of sale, rent, lease or otherwise. However, what constitutes the "temporary right of use" mentioned in the definition is the difficult point.
Let us think, for example, of publicly available machines or infrastructure, such as vending machines, ATMs or parking meters: even though a person may use the device and it could be argued that the user has some form of "temporary right of use" to it, it is debatable whether such situations involve a "user" in the Data Act sense. Based on the recitals of the Data Act, it appears clear that in order for a party to be a "user", the party would need to "bear the risks and enjoy the benefits of [using] the connected product", and the Commission's FAQ document further stipulates that the "user's" right to the connected product should be somehow "stable". Now, whether the user of a parking meter really "bears the risks" of using the machine is uncertain to say the least, and the better interpretation would be to consider that in such situations, there is no "user" under the Data Act.
In our view, the better interpretation of the term "temporary right of use" is indeed that it primarily refers to usage based on sale, rental or leasing, and to other arrangements resembling these; the EU legislator's intention is likely to exclude the possibility of limiting the user's rights by structuring the arrangement to appear as something other than a sale, rental, or leasing. Thus, the factual requirement for user status based on the right of use can be interpreted as a relatively free and stable right to utilize the product in such a manner that the benefits of use accrue to the holder of the right in a way that is typical, for instance, of a renter or lessee, and which often involves a consideration.
Additional information
This article is only a snapshot of the practical issues encountered by Krogerus Technology & Data practice in relation to the EU Data Act. For a more comprehensive overview, please refer to our practice's book "The EU Data Act - a Practical Manual" (in Finnish), which will be published in early 2025.
Most of the EU Data Act's obligations start to apply on 12 September 2025. Should you require assistance with any questions concerning the Data Act in general, our team at Krogerus would be more than happy to help.