On March 14, 2023, the European Parliament approved the bill for the Data Act, legislation that is part of the European data strategy and aims to contribute to the development of new digital services through increased data sharing, with a considerable impact on trade secrets.
Below are the most relevant contents of the Data Act.
Data Act approved: the European data strategy and the Internet of Things
The Data Act is the second pillar of the European data strategy, following the Data Governance Act, which entered into force on June 23, 2022, and is applicable from September 2023. Specifically, with the development of a data strategy, the European Union aims to gain leadership by creating a single market where data can flow freely across all sectors, benefiting businesses, researchers, and public administrations.
The Data Act, initially proposed in February 2022, stems from several findings: first, the volume of data generated by people and machines is increasing exponentially, making it a key driver of innovation by businesses and public authorities; and second, about 80 percent of industrial data is currently never used, resulting in a loss of value.
In this context, the Data Act aims to regulate data access and facilitate data sharing by providing clear rules on who can access and use specific data and for what purposes across all economic sectors in the EU. This proposal is especially relevant for so-called “smart objects” and similar products on the Internet of Things (IoT). Indeed, by purchasing a “traditional” product, one becomes the owner of all the parts and accessories of that given product. In contrast, when one purchases a “smart” product, such as a smart household appliance or industrial machinery, the use of which generates data, it is often unclear which parties can access it. Not infrequently, this right of access remains exclusively with the manufacturers, thus slowing down after-sales services and innovation opportunities.
The Data Act would make transferring data related to “smart objects” easier, giving individuals and businesses more control over the data they generate and enabling them to enjoy the benefits of product digitization. For example, this could result in users being able to choose a cheaper repair and maintenance provider than the manufacturer, stimulating competition. Such data, aggregated from multiple users, could also help develop or improve other digital services or enable public agencies to respond more quickly and safely to an emergency.
Data Act and trade secrets
Among other things, the provisions of the Data Act aimed at protecting trade secrets have been strengthened to prevent greater access to data from being used by competitors to change the services they offer or the devices themselves, and stricter conditions have been established for data requests from companies to government agencies.
Specifically, Articles 4 and 5 of the Data Act specify that trade secrets will be disclosed only on the condition that all specific measures are taken to protect their confidentiality, particularly concerning third parties, and that, in any case, the data owner and the user may agree on measures to preserve their confidentiality. Furthermore, if the user or a third party compromises trade secrets, the data owner can suspend the data-sharing agreement.
Finally, in the specific case of B2G (Business to Government) data transfer, the company may also decide to refuse the data request if the public entity does not take all sufficient technical or organizational measures or where the company demonstrates that the disclosure of the data may result in serious harm.
In any case, to date, the Data Act, as passed, does not appear to entail any changes to the Trade Secrets Directive 2016/943. It reiterates that “the obligation to make data available to a recipient of data does not require the disclosure of trade secrets within the meaning of Directive (EU) 2016/943,” with the effect that coordination difficulties between the two pieces of legislation cannot be ruled out.
After the joint opinion of the European Data Protection Board and the European Privacy Supervisor last year and the approval of the text by the Parliament, negotiations with the Council on the final form of the law will follow as soon as the latter has approved its mandate.
On a similar topic, the article “Cyber Resilience Act will impose new cybersecurity obligations for IoT devices” may be interesting.
Authors: Lara Mastrangelo and Gaia Gasparini