EU Data Act (part 8): smart contracts

Hogan Lovells

Now that the Data Act has been approved, it will clearly be a revolution for Internet of Things (IoT) providers and for companies interested in accessing data generated by the IoT. The Data Act has finally envisaged the right of users of IoT devices to require this data to be shared with third-party recipients, subject to conditions and limits.

In this context, IoT providers (data holders) and third-party recipients will need to enter into a data sharing agreement to regulate this data flow. The Data Act includes the option to use smart contracts for this purpose, meaning that, for the first time, smart contracts have been regulated by the European Union for data sharing agreements. They bring several advantages, but some limits and conditions also apply, as we will explore in this publication.


As data sharing agreements may vary only minimally, for example changing only in scope from one to another, smart contracts may be effective in reducing costs. Smart contracts could also be used as a protection measure, to prevent unauthorised use of the data by the data recipients.

It’s worth noting that the rules for smart contracts will also apply to any other kind of data sharing agreement, not only where a data holder needs to share data with recipients. In other words, any other player that, acting as vendor, makes use of smart contracts to execute data sharing agreements (potentially the crypto industry) will also be bound by the Data Act.

Some context

The Data Act is an EU “regulation”, which means that it will be directly applicable in the European Union without EU members needing to adopt implementing laws.

The core of the Data Act is the obligation for manufacturers and designers of IoT devices to share, as data holders, the data generated by the use of the devices with the users (or third parties as instructed by the user). The “user” is any natural or legal person who has the right to use the IoT device. More info can be found in our previous post here.

The Data Act will be applicable as of September 2025.

Concept and utility of smart contracts for holders

The Data Act defines a smart contract as a “computer program used for the automated execution of an agreement or part thereof, using a sequence of electronic data records and ensuring their integrity and the accuracy of their chronological ordering”. This means that once the parties have agreed on the use and content of the smart contract, the performance of the agreement will occur automatically (in full or in part).

It should be noted that the requirements for “regulated” smart contracts only apply to agreements with the purpose of “making data available”. This means that many different agreements that are in use in the industry (where performance is automated through a computer program) will need to comply with the Data Act. On the other hand, the use of smart contracts with a purpose different from “making data available” will not be in scope of the Data Act.

It is important to highlight that, in order to foster innovation, the notion of a smart contract is technologically neutral (eg. at least in theory it does not need to be based on blockchain solutions). Any technology that complies with the requirements of the Data Act and that could be used for the automatic execution of a data sharing agreement could fall within the concept of smart contract. A smart contract could be, for instance, connected to an electronic ledger.

Smart contracts for any vendor sharing data (apart from holders)

The rules on smart contracts will not only affect data holders as manufacturers of IoT devices. They will also affect any vendor of applications making use of smart contracts in the context of executing an agreement, or part of it, to make data available to third parties. In the absence of a vendor, the Data Act will apply to the person whose commercial activity involves making data available with the use of smart contracts.

The crypto industry may therefore be affected by the Data Act, as the use of smart contracts is prevalent (even a core aspect) among crypto players. The fact that the Data Act may be applicable to smart contracts in the crypto environment has been very controversial. Even if applying the Data Act to the crypto industry may not have been an initial intention of the EU legislator, it could apply if the described conditions are met (eg. if the objective of the underlying agreement is the “sharing of data”).

Smart contracts for data holders of IoT providers

Data holders of IoT products, if instructed by the data user, will need to share in-scope data with data recipients. This sharing of data will need to be regulated through a data sharing agreement, where the parties will need to agree the confidentiality obligations, the remuneration, the scope of the obligations and any other aspect that the holder and the recipient may want to include.

Because (i) third-party recipients may make multiple requests to obtain data from data holders, and (ii) often the only difference between requests will be the categories of data, making the process quite repetitive, the Data Act has envisaged the possibility for data holders to make use of smart contracts when they act as vendors of the information.

In addition, the use of smart contracts could be a useful tool to avoid the unauthorised use of the data by data recipients or the breach of the data sharing agreement. If the “smart contract” can automatically stop the flow of data to the data recipient upon the occurrence of one of the situations that the parties have agreed will trigger this result, the data holder would be in a better position to defend its rights. For instance, the data holder would not need to proactively monitor recipient compliance as, in many situations, non-compliance would result in automatic consequences.

Technical requirements for smart contracts: special reference to “Kill switch”

Vendors of applications using smart contracts to make data available shall comply with the following requirements of the Data Act:

  • Robustness and access control shall be ensured to avoid functional errors and withstand manipulation by third parties;
  • Data archiving and continuity, to ensure (in circumstances in which a smart contract must be terminated or deactivated) there is a possibility to archive the transactional data, smart contract logic, and code in order to keep the record of operations;
  • Access control, to ensure that a smart contract is protected through rigorous access control mechanisms at the governance and smart contract layers;
  • Consistency with the terms of the data sharing agreement that the smart contract executes shall be ensured;
  • Kill switch: smart contracts shall ensure that (i) a mechanism exists to terminate the continued execution of transactions and that (ii) it includes internal functions which can reset or instruct the contract to stop or interrupt the operation, in particular to avoid future accidental executions. This has been criticized by the industry, as this requirement goes against the core tenets of decentralization and trustlessness that underpin blockchain technology. In a fully decentralised and automated system, no one should be able to operate a kill switch, some experts state.

The vendor shall perform a conformity assessment against the requirements above and issue an EU declaration of conformity. The EU Commission will request EU standardisation organisations to draft harmonised standards that satisfy the essential requirements laid down above. This has been considered a positive gesture for the industry, which will be able to participate in the design of the final and specific requirements.

Legal requirements for smart contracts

The use of smart contracts in the context of data sharing agreements shall not undermine the applicability of the relevant rules of civil, contract and consumer protection law. Those laws will apply regardless of the technology used for the execution of agreements.

For instance, agreements between data holders and data recipients cannot include unfair contractual terms (as regulated in Chapter IV of the Data Act). Agreements with consumers will need to comply with consumer laws and, in any case, agreements shall also comply with applicable civil and commercial laws.

What to do next?

  • Data holders (IoT providers) with the intention to make use of smart contracts to share data with third parties will need to (i) ensure consistency with the conformity requirements of the Data Act; and (ii) ensure that agreements do not contain unfair terms.
  • Vendors that make data available to other parties with the use of smart contracts (eg. crypto companies) should (i) assess whether the product is in scope of the Data Act; and (ii) if applicable, ensure compliance with the conformity requirements of the Data Act (including the kill switch requirement).
