Smart Contracts under the EU Data Act

16 April 2023
The Internet of Things (IoT) is a rapidly growing network of interconnected devices that are capable of exchanging data and communicating with each other without human intervention. These devices, which include everything from sensors and smart home appliances to industrial machinery and medical equipment, are embedded with technology that allows them to collect and transmit data in real-time. As a result, the amount of data generated by IoT devices is vast and continues to grow at an exponential rate. This data is incredibly valuable, as it can be used to inform decision-making, improve efficiencies, and create new business opportunities. However, the vast amounts of data collected by the IoT also present significant challenges in terms of data management, privacy, and security.

In February 2022, the European Commission proposed the EU Data Act, which aims to address these challenges by modernizing data protection and privacy laws. The Act gives data subjects more control over the sharing of data collected by IoT devices with third parties.

On 17 March 2023, the Council of the European Union published its version of the Data Act. The proposed text brings some types of smart contracts within the scope of the Act and includes provisions on how those smart contracts must be designed and controlled. The Act will now be the subject of trilogue negotiations between the European Parliament, the Council of the European Union and the European Commission in order to produce a final text.

Article 30 of the Council's compromise text sets out four essential requirements for smart contracts regarding data sharing:

  • robustness: ensure that the smart contract has been designed to offer a very high degree of robustness to avoid functional errors and to withstand manipulation by third parties;
  • safe termination and interruption: ensure that a mechanism exists to terminate the continued execution of transactions: the smart contract shall include internal functions which can reset or instruct the contract to stop or interrupt the operation to avoid future (accidental) executions;
  • data archiving and continuity: foresee, if a smart contract must be terminated or deactivated, a possibility to archive transactional data, the smart contract logic and code to keep the record of the operations performed on the data in the past (auditability); and
  • access control: a smart contract shall be protected through rigorous access control mechanisms at the governance and smart contract layers.

The requirement that smart contracts effectively contain a "kill switch" under subparagraph (b) has sparked concerns that this would undermine the defining features of smart contracts—their immutability and autonomy.

The scope of the Data Act regarding smart contracts is still uncertain, as it is not entirely clear which aspects of smart contracts the Act will cover. While the Act does include provisions for smart contracts, Article 30 specifically applies to smart contracts "regarding data sharing". This suggests that the Act may focus primarily on smart contracts that involve the sharing of personal data, rather than all smart contracts. As such, it remains to be seen how the Act will regulate other types of smart contracts and how it will balance legal certainty with innovation in the blockchain industry. It will be important for legislators to clarify the scope of the Act and ensure that it provides the necessary legal framework for smart contracts while not stifling innovation.
