Data Act & Trade Secrets

With its 119 recitals and 50 articles, the Data Act¹ does indeed provide for a substantial addition to the EU regulatory framework in the digital space. As many of our readers have probably already noted, one of the key purposes of the Data Act is to ensure that users of a connected product or related service in the EU can easily access and use the data generated by their use, including by sharing them with third parties of their choice. In this post of Schjødt's Technology Update, we would like to briefly comment on how data holders' protection of trade secrets is addressed under the Data Act.

When the Data Act starts applying from 12 September 2025, data holders' obligations to share relevant data will be wide. As a main rule, trade secrets are not exempt. In short, the rules are as follows:

1. Data holders must disclose trade secrets to a user (or third party, as applicable) provided that the data holder and such data recipients agree on proportionate technical and organizational measures to preserve the confidentiality of the shared data.

2. Data holders may withhold or suspend the sharing of trade secrets if:
a) there is no agreement on proportionate measures,
b) the user or third party fails to implement the agreed measures, or
c) the user or third party undermines the confidentiality of the trade secrets. 

If a data holder decides to withhold or suspend the sharing of trade secrets, the decision must be duly substantiated and provided in writing to the user or third party without undue delay. Further, the data holder must notify the competent national authority of the decision. 

3. Data holders may only refuse disclosure of trade secrets under exceptional circumstances, on a case-by-case basis. To refuse disclosure of trade secrets under the Data Act, data holders must demonstrate, on the basis of objective elements, that they are highly likely to suffer serious economic damage from the disclosure of trade secrets, despite the technical and organizational measures taken by the user or third party. The data holder's demonstration must be provided in writing to the user (or third party, as applicable) without undue delay. In addition, the competent national authority must be notified of the refusal.

If your business has not already started to review and update existing policies and procedures to comply with the Data Act (and to protect its trade secret investments), now is the time to do so. If you want to know more about how to best update your business practices to ensure protection of trade secrets and other intellectual property, Schjødt's team of IP & Technology lawyers are at your service.

^{1 REGULATION (EU) 2023/2854 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act).}