The EU Data Act Introduces New IoT Requirements

by Zachary Barlow

August 19, 2025

In today’s world, full of “smart” devices, many ordinary objects connect to the internet. Everything from automobiles and appliances to industrial agriculture equipment has internet connectivity. This ecosystem of internet-enabled products is often referred to as the “Internet of Things” (IoT). In addition to connectivity features that allow for remote monitoring and operation, these devices often collect data. Next month, under the EU Data Act, the EU is mandating that this data be accessible to consumers. This includes requirements that companies design newly manufactured products with data accessibility in mind. A recent Faegre Drinker memo explains:

“Manufacturers must ensure that in-scope products are designed so that data generated through their use is easily, securely and directly accessible to the user by default. This does not mean that the data holder must transfer a copy of the data, but that the data should be made available to the user from a remote server. This technical accessibility must be built into the product itself, representing a significant new data-portability right for users and a corresponding design and compliance burden for manufacturers.”

The new requirements apply to any tangible item that generates and communicates data, whose primary purpose is not the storing and processing of data. Companies selling such products in the EU must ensure compliance with the Data Act from both a design and a data management standpoint. The U.S. has limited regulation around IoT devices, mostly focusing on cybersecurity. However, with the EU introducing these new data access requirements, we may see some interest from state legislatures in mirroring that framework.