The Data Act creates rights of access for the user of a connected product or related service. This access can be provided in two ways: first, through ‘direct’ access by the product or service itself; second, through the data holder. The rights of access allow the user to benefit from the generated data. However, these products and services may also generate personal data about other people. The rights under the Data Act could thus enable a user to gain ‘unauthorised’ access to the personal data of others without a valid legal basis under the GDPR. The Data Act imposes safeguards to prevent this; more specifically, it requires the authentication and authorisation of the user. In this contribution, we examine whether these safeguards are sufficiently effective and whether, and to what extent, they are compatible with the objectives of the Data Act and with the rights of access of the user in particular. We answer the following research question: “To what extent does the Data Act require authentication and authorisation to prevent unauthorised access to personal data of others? How do these obligations affect the balance between data protection and data access?” We show that there are major differences between direct access through the product or service and access through the data holder. The safeguards for direct access are limited to design obligations, and these do not prevent access to the personal data of others in all situations. In contrast, the safeguards for access through the data holder are more stringent. Although the exact requirements remain unclear, a strict interpretation would mean that these safeguards effectively prevent unauthorised access to the personal data of others, but also severely limit the added value of this form of access. The precise authentication and authorisation requirements are therefore of great importance in balancing and, where possible, reconciling data protection and data access. However, this contribution shows that the balance between these interests largely depends on the mode of access. In this light, the safeguards in the Data Act do not consistently prevent unauthorised access to the personal data of others, and the Data Act does not lead to a clear and consistent balance between data protection and data access.
Published in: Computer law & security review
Volume 61, pp. 106292-106292