Zwift and the Upcoming EU Data Act: Third Party API Access

Hey Zwifters,

A common request on this board is to allow third-party API access for syncing Zwift workouts or planning workouts for users in Zwift.

The EU Parliament and the EU Council are in the final stages of negotiating the EU Data Act, which will require data holders to grant access to third parties if users request it.

Here’s a quote from the Parliament’s position:

The Commission is proposing to grant users (consumers or businesses) a new right to access the data they generate and to create a user’s right to share such data with third parties. The draft text also imposes a number of obligations on data-holders (e.g. making data available under fair, reasonable, and non-discriminatory terms and in a transparent manner) and aims to protect micro-enterprises and SMEs against unfair contractual terms in data-sharing contracts (i.e. fairness checks).

Is Zwift prepared for the upcoming legislation? Currently, Zwift grants access to a few selected third parties, such as TrainingPeaks, so the API is available. Why not make it accessible to all requesting applications, as other companies like Garmin, Polar, and Wahoo already do?

It would be a good look for Zwift to grant third-party access to all requesting parties before being compelled by EU legislation to do so.

I don’t think (note, not a lawyer) this applies to giving API access to everyone that wants it.

Just fair access to their data (which I thought was covered under GDPR).

No, it includes all third parties (if the user requests so) and requires the access to be in real-time (if possible) and is far further reaching than the GDPR.

edit:

Draft Article 5.1 states:

"Upon request by a user, or by a party acting on behalf of a user, the data holder shall make available the data generated by the use of a product or related service to a third party, without undue delay, free of charge to the user, of the same quality as is available to the data holder and, where applicable, continuously and in real-time."
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52022PC0068

I would not be surprised if the existing access to FIT file downloads is already compliant. Access to that data is available immediately, on-demand, with continuous access, using an open protocol (HTTP), and meets interoperability standards (FIT format). That’s a question for the lawyers and compliance people to answer. An open API would be far better so that third party sites could easily integrate with Zwift. That would make the product better, which is the best reason to do it.

3 Likes

No, it’s not compliant because it is not available to third parties (like an OAuth API would be)

The data is also held locally by each user. Nothing is stopping a third party from creating a client that integrates with their service. Honestly I have no idea if it will be considered compliant, but I think it’s a stretch to assume that Zwift will be compelled to do anything as a result of this rule. Call your lawyer.

1 Like

No, the legislation is explicitly about the data sharing including B2B. That is one of the main points of the legislation 🙂

I agree that the API would be a huge net benefit for Zwift.

edit: Data holders implementing APIs and allowing direct access to the data is pretty much all the legislation is about. It’s not a stretch by any means, this is EU legislation and will apply (at least) to all EU users. Note that it’s not final yet, but already entered the EU trilogue.

Why not just be smart now and improve the whole Zwift ecosystem, basically for free? It’s just good business sense for Zwift.

I’m a big fan of the idea of an open API for Zwift but don’t think that Data Act in any way can force Zwift to provide one. Data Act is essentially about data generated in IoT (Internet of Things), from connected devices - that is not the kind of business Zwift are in.

Quoting one of the EU pages about Data Act:

The Data Act will give both individuals and businesses more control over their data through a reinforced data portability right, copying or transferring data easily from across different services, where the data are generated through smart objects, machines and devices.

No, it’s not only about IoT. The definition of a product in the EU Data Act:

‘product’ means a tangible, movable item, including where incorporated in an immovable item, that obtains, generates or collects, data concerning its use or environment, and that is able to communicate data via a publicly available electronic communications service and whose primary function is not the storing and processing of data

Smartwatches, sensors and smartrainers should fall under this definition. They are also smart objects and devices according to your quote.

The way I read this is to give the customer access to their data. It does not seem to include real time data in the case of Zwift.

So currently every rider has access to all their data that can be downloaded from the Zwift website.

But would that definition cover Zwift, the service? It’s not a smart trainer or a tangible movable item. If this is all true then it might simply apply to the trainer itself, your smart watch, your HRM. (And if it applied to Shimano Di2 that would be awesome.)

Access rights already come from the GDPR. This law is much broader.

There is a definition of related services in the law that use the products.

Let’s wait for the final law and the final definitions, which are currently being discussed in the trilogue. 🙂 I hope we will finally see an open Zwift API.

The EU Data Act was published on December 23 and is now in force. I believe that Zwift can address all the requirements with a standard OAuth API and they may even charge for the use to cover the costs.

You can find it here:

Some quotes:

This Regulation ensures that users of a connected product or related service in the Union can access, in a timely manner, the data generated by the use of that connected product or related service and that those users can use the data, including by sharing them with third parties of their choice. It imposes the obligation on data holders to make data available to users and third parties of the user’s choice in certain circumstances. It also ensures that data holders make data available to data recipients in the Union under fair, reasonable and non-discriminatory terms and conditions and in a transparent manner.

Connected products that obtain, generate or collect, by means of their components or operating systems, data concerning their performance, use or environment and that are able to communicate those data via an electronic communications service, a physical connection, or on-device access, often referred to as the Internet of Things, should fall within the scope of this Regulation, with the exception of prototypes. Examples of such electronic communications services include, in particular, land-based telephone networks, television cable networks, satellite-based networks and near-field communication networks. Connected products are found in all aspects of the economy and society, including in private, civil or commercial infrastructure, vehicles, health and lifestyle equipment, ships, aircraft, home equipment and consumer goods, medical and health devices or agricultural and industrial machinery. Manufacturers’ design choices, and, where relevant, Union or national law that addresses sector-specific needs and objectives or relevant decisions of competent authorities, should determine which data a connected product is capable of making available.

The data represent the digitisation of user actions and events and should accordingly be accessible to the user. The rules for access to and the use of data from connected products and related services under this Regulation address both product data and related service data. Product data refers to data generated by the use of a connected product that the manufacturer designed to be retrievable from the connected product by a user, data holder or a third party, including, where relevant, the manufacturer. Related service data refers to data, which also represent the digitisation of user actions or events related to the connected product which are generated during the provision of a related service by the provider. Data generated by the use of a connected product or related service should be understood to cover data recorded intentionally or data which result indirectly from the user’s action, such as data about the connected product’s environment or interactions. This should include data on the use of a connected product generated by a user interface or via a related service, and should not be limited to the information that such use took place, but should include all data that the connected product generates as a result of such use, such as data generated automatically by sensors and data recorded by embedded applications, including applications indicating hardware status and malfunctions.

This Regulation enables users of connected products to benefit from aftermarket, ancillary and other services based on data collected by sensors embedded in such products, the collection of those data being of potential value in improving the performance of the connected products. It is important to delineate between, on the one hand, markets for the provision of such sensor-equipped connected products and related services and, on the other, markets for unrelated software and content such as textual, audio or audiovisual content often covered by intellectual property rights.

Product data or related service data should only be made available to a third party at the request of the user. This Regulation complements accordingly the right, provided for in Article 20 of Regulation (EU) 2016/679, of data subjects to receive personal data concerning them in a structured, commonly used and machine-readable format, as well as to port those data to another controller, where those data are processed by automated means on the basis of Article 6(1), point (a), or Article 9(2), point (a), or of a contract pursuant to Article 6(1), point (b) of that Regulation. Data subjects also have the right to have the personal data transmitted directly from one controller to another, but only where that is technically feasible.

Upon request by a user, or by a party acting on behalf of a user, the data holder shall make available readily available data, as well as the relevant metadata necessary to interpret and use those data, to a third party without undue delay, of the same quality as is available to the data holder, easily, securely, free of charge to the user, in a comprehensive, structured, commonly used and machine-readable format and, where relevant and technically feasible, continuously and in real-time. The data shall be made available by the data holder to the third party in accordance with Articles 8 and 9.

This Regulation grants users the right to access and make available to a third party any product data or related service data, irrespective of their nature as personal data, of the distinction between actively provided or passively observed data, and irrespective of the legal basis of processing. Unlike Article 20 of Regulation (EU) 2016/679, this Regulation mandates and ensures the technical feasibility of third party access for all types of data falling within its scope, whether personal or non-personal, thereby ensuring that technical obstacles no longer hinder or prevent access to such data. It also allows data holders to set reasonable compensation to be met by third parties, but not by the user, for costs incurred in providing direct access to the data generated by the user’s connected product.

In line with the data minimisation principle, third parties should access only information that is necessary for the provision of the service requested by the user. Having received access to data, the third party should process it for the purposes agreed with the user without interference from the data holder. It should be as easy for the user to refuse or discontinue access by the third party to the data as it is for the user to authorise access. Neither third parties nor data holders should make the exercise of choices or rights by the user unduly difficult, including by offering choices to the user in a non-neutral manner, or by coercing, deceiving or manipulating the user, or by subverting or impairing the autonomy, decision-making or choices of the user, including by means of a user digital interface or a part thereof.

Any agreement concluded in business-to-business relations for making data available should be non-discriminatory between comparable categories of data recipients, independently of whether the parties are large enterprises or SMEs. In order to compensate for the lack of information on the conditions contained in different contracts, which makes it difficult for the data recipient to assess whether the terms for making the data available are non-discriminatory, it should be the responsibility of data holders to demonstrate that a contractual term is not discriminatory. It is not unlawful discrimination where a data holder uses different contractual terms for making data available if those differences are justified by objective reasons. Those obligations are without prejudice to Regulation (EU) 2016/679.

Where one party is in a stronger bargaining position, there is a risk that that party could leverage such a position to the detriment of the other contracting party when negotiating access to data with the result that access to data is commercially less viable and sometimes economically prohibitive. Such contractual imbalances harm all enterprises without a meaningful ability to negotiate the conditions for access to data, and which may have no choice but to accept take-it-or-leave-it contractual terms. Therefore, unfair contractual terms regulating access to and the use of data, or liability and remedies for the breach or the termination of data related obligations, should not be binding on enterprises when those terms have been unilaterally imposed on those enterprises.

I believe that only covers access to your own data. You have that data available via a web interface, zwift.com.

Upon request by a user, or by a party acting on behalf of a user, the data holder shall make available readily available data, as well as the relevant metadata necessary to interpret and use those data, to a third party without undue delay, of the same quality as is available to the data holder, easily, securely, free of charge to the user, in a comprehensive, structured, commonly used and machine-readable format and, where relevant and technically feasible, continuously and in real-time. The data shall be made available by the data holder to the third party in accordance with Articles 8 and 9.

We can go back and forth quoting legal text if you like… probably easier to say what you explicitly want to do, who and what data you want access to, and what you want to do with it.

European Commission proposal:

The Commission is proposing to grant users (consumers or businesses) a new right to access the data they generate and to create a user’s right to share such data with third parties.

What exactly do you want to be able to do: push data to your profile and pull your own data out of Zwift?

There are enough people accessing the API without end user authentication already. I’m not sure adding the ability for all to pull whatever they want is the first step into the world of privacy that Zwift should take.

Apps that users can use to analyze their training, like TrainingPeaks, but allowing apps like intervals.icu to access the API in the same way TrainingPeaks does.