Database Rights vs Data Act obligations

The Question 

“We invest heavily in collecting, structuring, and storing IoT data. Can we rely on EU Database Directive rights (sui generis database right) to block access or control sharing of our device-generated data?”

The Short Answer

No — not if it’s data generated by your connected product or related service.

• The EU Data Act (2023/2854) expressly limits the scope of the sui generis database right.

• You cannot use database protection to deny users (or their chosen third parties) access to or use of such data.

Key Points 

1. Data Act applies to all device-generated data (personal & non-personal).

• Users get the right to access and share these data. 
  
• Must be on FRAND terms (Fair, Reasonable and Non-Discriminatory). 
  

2. Database Directive (96/9/EC) still protects databases where there is:

• Creative selection/arrangement (copyright). 
  
• Substantial investment in obtaining, verifying, presenting contents (sui generis right). 
  

3. BUT: Article 43. of the Data Act → The sui generis right cannot be invoked to block Data Act access to data obtained from or generated by connected products/services.

What You Can Still Protect

• Value-added datasets: If you enrich, curate, or transform raw IoT data (e.g. combining sensor feeds into an analytics platform), that curated database can enjoy database protection.

• Non-IoT databases: Directories, catalogues, or datasets not covered by the Data Act remain fully protected.

What You Must Do as IoT Vendor

• Enable user access & portability → APIs, dashboards, export tools.

• Prepare FRAND contracts for third-party access.

• Review IP strategy → focus on protecting software, algorithms, analytics, not on blocking raw data access.

 Final Takeaway

• Raw IoT/device-generated data = open to user access under the Data Act.

• Database rights = still valid for curated/added-value databases, but not a shield against Data Act obligations.