Key takeaways

  • It is clear now that governments and regulators recognise the importance of big data to the future economy and it appears that they are willing to act to ensure that data is not a locked vault that only large incumbents have access to.
  • The Data Act 2022 (EU) has introduced new obligations for manufacturers of Internet of Things (IoT) devices in the EU, as well as cloud services and data spaces. Organisations offering goods or services in those industries need to be prepared to comply with these new obligations.
  • The Data Act has introduced new rights for consumers of IoT devices in the EU. These rights will allow consumers to benefit from the data they generate by requiring data holders to provide consumers access to IoT data, and on the request of consumers, share that data with third party data recipients.

What are Internet of Things (IoT) devices?

IoT devices, also known as “smart” or “connected” devices, are electronic products that connect to the internet and/or other devices. The popularity of IoT devices has drastically increased in the last decade and it is estimated that there will be 75 billion IoT devices installed worldwide by 2025. Statista Research Department Internet of Things (IoT) connected devices installed base worldwide from 2015 to 2025 (2016). Today, almost everything can be an IoT device, from household appliances such as dishwashers and kettles to heavy machinery such as transport trucks, mining equipment and airplane jet engines. Electricity networks are even connected to the internet by IoT devices. All of these IoT devices collect and generate data. This has created an explosion of exploitable data which has the potential to fuel a whole new data economy.

Unfortunately, there is growing concern that IoT data is a locked vault — particularly that data from IoT devices is only accessible by incumbents who can use IoT data to further entrench their dominant positions and that consumers are not deriving any real benefit from the data they are creating.

The Data Act (EU)

The European Commission (Commission) recently released a report for its sector inquiry into Consumer IoT which expresses concern about the accumulation and sequestration of IoT data. In short, the report suggests that the main drivers of data sequestration are the complex and fragmented state of the IoT standards landscape and the use of gateways such as voice assistants as “central nodes” through which consumers access IoT ecosystems. The report concluded that there is a need for further investigation and regulation in the IoT sector.

We have already seen the introduction of the Data Act which requires manufacturers to share data with third parties. The Data Act will likely come into effect in 2024 and aims to enhance access to data for consumers and third parties to encourage innovation and facilitate the growth of a new data economy.

The proposed Data Act imposes a range of new obligations relating to both personal and non-personal data generated and by IoT devices in the EU as well as cloud services and data spaces. We have summarised the most important obligations below:

  • Users of IoT devices must have direct access to their data as part of the device’s design. Where this is not possible, the data must be made available at no extra cost.
  • Data holders must give third parties access to a user’s data on request, and where there is a demonstrated exceptional need, data holders must also share data with certain public sector bodies.
  • Terms for sharing of data must be fair and reasonable. This means data sharing companies may only charge reasonable compensation for most recipients, and for small, medium-sized or microenterprises, only the costs directly related to making the data available.
  • The Data Act prevents international transfer or governmental access of non-personal data if it would result in a conflict with Union law or a Member State’s national law (including the Data Act).
  • Dominant firms that have been designated as “gatekeepers” under the EU’s Digital Markets Act cannot ask for or receive access to user data generated by products or related services.

The Data Act also requires operators of data spaces to comply with requirements to facilitate interoperability of data and data sharing mechanisms. These requirements include describing the dataset content, restrictions and quality to ensure data recipients can access and use the data. Additionally, the technical means for accessing the data, including the application programming interfaces and their terms of use and quality of service, must be described in enough detail to allow automatic access and transmission of data in a machine-readable format. The Commission can specify further requirements and impose standards which are consistent with the requirements set out under the Data Act.

The Consumer Data Right (Australia)

Australia has responded to the need for increased data availability in the future economy by establishing the Consumer Data Right (CDR). The CDR is a consumer-directed data portability regime which allows consumers to require the sharing of their data with certain third parties. The primary objective of the regime is to facilitate informed decision-making by consumers by providing consumers greater access to information about themselves and the way that they use certain goods and services. Explanatory Memorandum, Treasury Laws Amendment (Consumer Data Right) Bill 2019 (Cth) 5.

The CDR is intended to be an economy-wide regime. However, it is being rolled out on a sector-by-sector basis beginning with the banking sector which commenced in 2019, followed by energy, telecommunication and finance sectors. In order to trigger CDR obligations in a sector, the government must make a designation. The designation instrument will specify the classes of information which are subject to the CDR in that particular sector, and the data holders who are obliged to share that data.

Once a sector is designated, the government will create sector-specific rules which implement the CDR in that sector and govern how data should be shared. The CDR rules set out the details of how the CDR regime works, including obligations relating to accreditation, consumer privacy and minimum information controls. Importantly, the data standards body will also create sector-specific standards to enable data sharing.

The CDR creates obligations for data holders and for the recipients of shared data. The primary obligations under the CDR apply to data holders, and they require data holders to:

  • transfer a consumer’s data in response to a data-sharing request and
  • publicly release general data about the products and services the data holder offers

Australian Government “Compliance requirements for data holders” media release (4 June 2020).

The data must comply with the strict data standards set by the data standards body, including a requirement that the data is transferred in machine-readable format via application programming interface (API), as well as API availability and response time requirements.

There are also obligations relating to data security, privacy and obtaining consumer consent which apply to both the data holder and the third parties receiving the shared data.

Comparison between The Consumer Data Right and the Data Act

The CDR and the Data Act have similar aims: to enhance decision-making by consumers, encourage innovation and enable businesses to realise the value of data. However, these two regimes take different approaches which will inevitably result in different obligations for sharing data in Australia and in the EU.

The CDR is a much more prescriptive and consumer-centric approach to the regulation of data sharing. For example, The CDR addresses the lack of robust and trusted industry standards for data sharing by setting sector-specific standards and providing specific frameworks for the protection of consumers using the regime. Such standards are necessary for efficient data sharing and mandated interoperability has been seen to provide benefits for consumers in the fixed and mobile networks which provide IoT services. M Noura, M Atiquzzaman and M Gaedke “Interoperability in Internet of Things: Taxonomies and Open Challenges” (2018) 24 Mobile Netw Appl. The Data Act does not currently address the lack of standards. However, it is possible that the obligation to share data may provide the much-needed impetus for the development of robust standards for data sharing in the IoT ecosystem. We also note that the Data Act gives the Commission the power to mandate standards if required.

The CDR rules also strictly regulate the interaction between the data holder and the data recipient. Instead of a contractual relationship between the data holder and the data recipient, the Consumer Experience Standards provide strict requirements to ensure that the regime is efficient and protects consumers. Importantly, except in very limited circumstances, data holders cannot charge a fee for data sharing. By contrast, the Data Act anticipates a contractual relationship between data holder and data recipient and allows data holders to charge reasonable compensation for the sharing of data.

The consent-focused nature of the CDR allows the government to take a more hands-off approach to uses of data once consent has been received. For example, the Data Act does not allow data recipients to use the received data to create IoT products or services which compete with the original data holder. This is said to be necessary to “avoid undermining the investment incentives for the type of product from which the data are obtained”. There is no restriction on data recipients using data received under the CDR to create new products or services that compete with the original data holder provided adequate consent is received from the consumer.

While both regimes implement strategies to even the playing field when it comes to capitalising on the use of data, the Data Act takes a more aggressive approach by prohibiting dominant firms from using the Data Act to gather more data. There is no equivalent provision in Australia. This means large firms may also benefit from the obligations under the CDR.

What's next for IoT ecosystems? 

Neither regime is currently in force, with the Data Act slated to come into effect in 2024. We will be watching with interest to see whether the Data Act will lead to meaningful data sharing in the IoT ecosystem and whether the Australian Government will be influenced by these developments in the EU when it determines which sector will be subject to the CDR next.


Authors: Michael Caplan, Joy Kim and Lauren Arthur

Expertise Area