The volume of data is mind-boggling: the EU expects 175 zettabytes in 2025 (33 in 2018). Yet 80% of industrial data is never used, which is both a massive IoT and cybersecurity risk and untapped potential.

The Commission has found a very nice, even literary, way to talk about data. That is not an easy thing to do. Data belongs to the ‘hard’ sciences, to robots and binary systems running computers. Data always underlies information, the latter being the stuff of stories and storytelling, the former being its building blocks. Data is grammar. Information is its actual daily use. And yet the Commission has found a way to describe data that everyone intuitively gets and that is relevant from a policy perspective:

Data is a non-rival good, in the same way as streetlight or a scenic view: many people can access them at the same time, and they can be consumed over and over again without impacting their quality or running the risk that supply will be depleted.

After reading this, one does not ask what it means, but what policy setting was creative and innovative enough to come up with this line and turn it into a centerpiece of this dialogue on data.

Data is a non-rival good:

“Non-rivalrous goods are public goods that are consumed by people but whose supply is not affected by people’s consumption. In other words, when an individual or a group of individuals use a particular good, the supply left for other people to use remains unchanged. Therefore, non-rivalrous goods can be consumed over and over again without the fear of depletion of supply.”[1]

Other examples are the internet and television, clean air, and public safety. The data strategy is all about putting non-rival data into productive use, as the green transition can only happen if we become more energy efficient – and improve the use of, for example, traffic data to anticipate traffic congestion and improve public transport. There are legal safeguards to shield privacy: sharing of personal data needs to be done in compliance with GDPR.

The Data Act addresses the legal, economic, and technical issues that lead to data being under-used. These new rules will make more data available for reuse and create €270 billion of additional GDP by 2028. In a nutshell, “it looks to make data sharing and use/reuse easier for all by setting standards at an EU-wide level.”[2] It does not look to change the legal positions around intellectual property rights, trade secrets and competition.

There is one exception, however, in that it “does address certain rights in respect of databases; notably, it clarifies that databases containing data from IoT devices should not be subject to separate legal protection under database rights to ensure that they can be accessed and used. In other words, the application of the sui generis right under Directive 96/9/EC (the EU Database Directive) would not apply to databases containing data generated or obtained by the use of IoT/connected products or related services, such as sensors, or other types of machine-generated data. This is to prevent holders of data claiming exclusivity over data generated by connected products.”[3]

The Data Governance Act was agreed by legislators in November 2021. It creates the processes and structures to facilitate data sharing by companies, individuals, and the public sector.

The Data Act clarifies who can create value from data and under which conditions. The Data Act will go before European Parliament and the Council of Ministers – representatives from the governments of member states. They will come up with their own texts with the Commission acting as an “honest broker” to negotiate a final text to be put before parliament. The process rarely takes 18 months to two years.”[4] The President of the European Commission, Ursula von der Leyen, declared that the Data Act “will give businesses and individuals more control over the data they produce while using a connected device and more control over how their data are processed.”[5] It may force manufacturers to share streams of after-sale data with third-party tech firms.

What will the Data Act do? It ensures fairness in the digital world, stimulates a competitive data market, opens opportunities for data-driven innovation and makes data more accessible for all. Those are serious promises. Although it sounds very citizen-centric, the Data Act is specifically tuned to the Internet of Things (IoT), the world of connected objects, as it will lead to more competitive prices for aftermarket services and repairs of connected objects (Right to Repair). According to Eurocities, one of its objectives is to “build trust in the face of the sheer volume of data generated by humans and machines on a daily basis and unlock the potential of data-driven innovation by opening opportunities for the reuse of data and removing barriers to the development of the European data economy.”[6]

“Margrethe Vestager, Executive Vice-President for a Europe fit for the Digital Age, said: “We want to give consumers and companies even more control over what can be done with their data, clarifying who can access data and on what terms.” Thierry Breton, Commissioner for Internal Market, added: “Today is an important step in unlocking a wealth of industrial data in Europe, benefiting businesses, consumers, public services, and society as a whole. So far, only a small part of industrial data is used and the potential for growth and innovation is enormous. The Data Act will ensure that industrial data is shared, stored, and processed in full respect of European rules. It will form the cornerstone of a strong, innovative and sovereign European digital economy.”[7]

The proposal for the Data Act includes:

  • “Measures to allow users of connected devices to gain access to data generated by them, which is often exclusively harvested by manufacturers; and to share such data with third parties to provide aftermarket or other data-driven innovative services. It maintains incentives for manufacturers to continue investing in high-quality data generation, by covering their transfer-related costs and excluding use of shared data in direct competition with their product.
  • Means for public sector bodies to access and use data held by the private sector that is necessary for exceptional circumstances, particularly in case of a public emergency, such as floods and wildfires, or to implement a legal mandate if data are not otherwise available. Data insights are needed to respond quickly and securely, while minimising the burden on businesses.
  • New rules allowing customers to effectively switch between different cloud data-processing services providers and putting in place safeguards against unlawful data transfer.

In addition, the Data Act reviews certain aspects of the Database Directive, which was created in the 1990s to protect investments in the structured presentation of data. Notably, it clarifies that databases containing data from Internet-of-Things (IoT) devices and objects should not be subject to separate legal protection. This will ensure they can be accessed and used. Consumers and businesses will be able to access the data of their device and use it for aftermarket and value-added services, like predictive maintenance.”[8]

The idea behind this is that by having more information, consumers and users such as farmers, airlines or construction companies will be in a position to take better decisions; business and industrial players will have more data available and will thus benefit from a competitive data market; and aftermarket service providers will be able to offer more personalized services, and thus be able to compete as equals with comparable services offered by manufacturers, while data can be combined to develop entirely new digital services as well.

As part of the IoT Expert Group in 2009, made up of about 50 members representing organisations from industry, standardisation, research, civil society and other sectors, with representatives from member states, the European Data Protection Supervisor and the Article 29 Working Party as observers, we foreshadowed the steps now being taken by the Commission on IoT, which were too early then. The mental framework was RFID, not a fully connected world of dynamically evolving smart objects.

At least the focus is there now. With the increasing and unstoppable interconnectedness of the world and the spread of Internet-of-Things (IoT) devices, the need for a Data Act and a clear set of rules on the sharing of data and information has become even more clear – from a smart fridge in someone’s kitchen to connected medical devices.[9] “In the Data Act, the data we have in mind is typically generated by connected machines or connected devices,” added Commission EVP, Margrethe Vestager, speaking at the press conference:

“That could be a smart watch, it could be a car, or eventually even your coffee machine. These devices generate a huge amount of data in what we call the “internet of things”. So do all those sensors that automatically take in information from our environment. A lot of this data is non-personal data, and most of it is currently unused. If used, such data can provide a multitude of possibilities for new products, new services, or they can foster research. But for this to happen, we need to define who has control over such data, and who can use it for what purpose.”[10]

Guillaume Couneson, data protection and technology partner at law firm Linklaters, said that if adopted in its current form, the Act “would have an important impact on a number of big tech players providing IoT, virtual assistant, cloud or blockchain-based products and services.

“Such companies may have to make data generated through the use of their products and services accessible to users, provide transparent information in that respect and remove obstacles which inhibit switching,” he said.”[11]

Connected devices (i.e., IoT) include vehicles, home equipment, consumer goods, medical and health devices, and agricultural or industrial machinery that generate performance, usage or environmental data. Products designed primarily to display, play, record, or transmit content, such as personal computers, servers, tablets, smart phones, cameras, webcams, sound recording systems, and text scanners, are not covered by the Act.

The Regulation applies to (a) manufacturers of products and suppliers of related services placed on the market in the Union and the users of such products or services; (b) data holders that make data available to data recipients in the Union; (c) data recipients in the Union to whom data are made available; (d) public sector bodies and Union institutions, agencies or bodies that request data holders to make data available where there is an exceptional need for the performance of a task carried out in the public interest and the data holders that provide those data in response to such request; and (e) providers of data processing services offering such services to customers in the Union.[12]

This will have a strong effect throughout the supply chain, as new mechanisms of cooperation and ecosystem building have to be built. Under the Act, the device owner will be able to use the data for after-market purposes: “For example, a car owner might share usage data with their insurance company, or a business owner might use data from a connected manufacturing device to perform its own maintenance in lieu of using the manufacturer’s services. In support of these measures, manufacturers and designers must disclose what data is accessible and design products and services so the data is easily accessible by default.”[13]

We at Asvin are very much in favor of these new co-creation tools to facilitate sharing data that must be invented in the coming years, as it touches our core business, which is trust. D-SBOM (Distributed Software Bill of Materials) in particular will provide a solution in complex IoT software supply chains to document all the software used in IoT devices and distribute this information in a secure and trusted way to all users and actors.

“With D-SBOM, IoT vendors can keep track of the software installed on IoT devices and their origin. The information will enable operators to continuously monitor IoT devices on known software vulnerabilities (CVE) and plan their risk mitigation as updating or isolating devices. Using blockchain and DLT, D-SBOM will provide a novel solution, which is more secure and advanced than existing centralized models:

  • Immutable storage of information, protected from manipulation by cyberattacks
  • Increased trust by consensus mechanism in the software supply chain
  • Protocols using open-source stacks of Hyperledger and Ethereum Foundation”[14]

The coming years will see a lot of innovation in stakeholder coordination and ecosystem management to convince all parties in the supply chain that these new ideas and regulations will be as positive for the entire business ecology as GDPR currently is. Although not warmly welcomed, GDPR is one of the most copied frameworks in the world today. And in terms of end-user acceptance it is very timely, as citizens should not only equate IoT with tracking and tracing beyond their agency.

Rob van Kranenburg, Chief Innovation Officer (CIO) of asvin

Founder of IoT Council, the most prominent independent IoT think tank, and creator of the yearly IoT Day

Rob is globally considered one of the most influential thought-leaders in IoT, renowned for his keynote talks on various topics in the industry. Rob paves the way for more robust, secure devices within the IoT and IIoT ecosystems and is in the Top 100 #IOT Influencers list and the Top 10 of IIoT Influencers to watch in 2022. Additionally, in 2019 he was listed by Telensa as one of the 100 most important influencers for the Smart City.



[3] Elle Todd and Francesca Moss, “What you need to know about the new EU Data Act”.

[12] Mary T. Costigan, “The EU Data Act and Its Effects on the Data Economy”, March 29, 2022.

[13] Mary T. Costigan, “The EU Data Act and Its Effects on the Data Economy”, March 29, 2022.