Data Act and trade secrets

Image created by AI.
One of the key objectives of the Data Act is to ensure that users of connected products or related services in the EU have easy and timely access to the data collected by the products or services they use, with the option to also share this data with third parties. By making the data generated by products and services more widely available, the Data Act aims to stimulate the development of new data-driven businesses, increase competition, and foster innovation. The availability of data is intended to facilitate the development of new services based on the data collected.
Although the objectives of the Data Act are ambitious, the possibility for users to share data with third parties may pose certain challenges for data holders, particularly concerning the protection of trade secrets. This raises the question of whether the Data Act weakens the protection of trade secrets with respect to data subject to sharing obligations.
The challenges of interpretation
In principle, the Data Act does not require data holders to share their trade secrets with users and is therefore not intended to undermine the protection of trade secrets under the Trade Secrets Directive. However, the interpretation of what constitutes a trade secret can vary, likely leading to disagreements between data holders and third parties (or users) over which sensitive data should be classified as a trade secret and which should not. This interpretation is even more challenging when applied to primary or pre-processed data generated by a connected product or related service, which falls explicitly within the scope of the Data Act.
According to the Data Act, data that has been concluded or derived from primary data and for which additional investment has been required to process it does not have to be handed over to the user. An example of this is data derived by sensor fusion using complex algorithms. However, it is open to interpretation whether all processing operations on primary data exceed the threshold of additional investment specified in the Data Act, thus excluding this data from the scope of application.
Still, it is likely that a significant amount of the data held by data holders, which has been subjectively assessed as sensitive, does not individually or as a group meet the definition of a trade secret. Therefore, in accordance with the Data Act, this data must be shared with the user and, at the user's request, also with third parties.
Reverse engineering as a threat to confidentiality
From a trade secrets perspective, one of the emerging challenges is the reverse engineering of data shared under the obligation specified by the Data Act. This allows, for example, data shared with a third party to be analyzed with data processing solutions to find trade secrets or other sensitive information for business purposes. Although the Data Act seeks to address this confidentiality challenge by prohibiting analysis aimed at obtaining information on the economic situation, production methods, or assets of the data holder, the restriction remains rather limited in terms of the protection of the data holder. Moreover, reverse engineering always carries a risk of unauthorized implementation, which is very difficult for the data holder to prove in practice.
The challenge of confidentiality is further increased by the fact that the Data Act does not allow the data holder to choose their data-sharing partner, nor to refuse to share data, except in exceptional circumstances where the data holder must be able to objectively demonstrate that sharing the data in question would cause very serious economic damage despite the technical and organizational measures taken. In such situations, the refusal to disclose data and the reasons for it must be made known to the competent national authorities, which is likely to contribute to raising the threshold for refusal to disclose data.
Data Act must be considered already in the design phase of connected products and related services
Ultimately, the design solutions for the collection of data under the sharing obligation will remain in the hands of product manufacturers and service providers. This means that, when designing products or related services connected to the network, product manufacturers and service providers will need to assess more carefully the data they actually need to collect, knowing that they will need to share it with users and potentially also with their competitors.
Additionally, data holders should carefully consider the level at which data collected from connected products or related services is processed, as well as the stage in the process where this processing occurs. This approach helps to ensure that resources invested in processing do not, for example, flow directly to a competitor.
Impact on trade secret protection
Given the development of analytical tools and artificial intelligence, as well as the data-sharing obligations of the Data Act, it seems that the protection of trade secrets for data holders is not getting stronger. In the future, it may therefore not matter who is able to collect the relevant data, but rather who is able to process the data to find the most relevant information.
However, the real impact of the Data Act will remain to be seen as case law and concrete applications accumulate.
Fondia's experts at your side
Help in figuring out the business implications of the Data Act is available from Fondia's Data Economy expert group.
This article is part of a series of articles focusing on the Data Act, which delves into individual issues of the Data Act from different perspectives and as practically as possible. Previous parts of the series: