The EU Data Act contains extensive data sharing provisions, intended to unlock the value of data by giving businesses access to data they contribute to creating. But what happens when that data contains confidential information amounting to trade secrets?
The European Union has taken significant steps in regulating data flow, notably through the EU Data Act (Regulation (EU) 2023/2854), adopted as part of the EU's broader Digital Strategy. The Data Act provides for data sharing, enhancing access to data, and improving the governance of data use. While it presents important opportunities, it also raises significant challenges for businesses in sectors where the protection of confidential information and/or trade secrets is paramount.
This article examines the scope of the Data Act and its relation to confidential information, especially trade secrets as a specific category of confidential information, and explores how to navigate the tension between the Data Act’s emphasis on data sharing and the need to safeguard trade secrets under the Trade Secrets Directive ((EU) 2016/943). It highlights the relevant provisions of the Data Act and provides practical advice for companies seeking to comply while protecting their confidential information.
The Data Act and its objectives
The Data Act aims to create a harmonised framework for access to and sharing of data generated by products or services, encouraging data-driven innovation and increasing data availability. One of the ways the Data Act aims to achieve this is by strengthening users’ rights to access and share their data from connected products and related services. Users are given more control over their data, even when that data is generated without the active input of the user.
At the same time, many businesses derive competitive value from information that qualifies as confidential information. A major concern for many businesses, particularly those in industries such as technology, pharmaceuticals, and manufacturing, is the protection of confidential information in the context of this new data sharing environment. Businesses also need to consider how to comply with mandatory data access and sharing duties while preventing the disclosure or reconstruction of confidential information.
What data is covered under the Data Act?
The Data Act’s scope consists of both personal and non-personal data. However, in practical terms, the emphasis with regard to the obligation to share data is on raw and pre-processed data, such as data on how a connected product or related service performs and is used – think telemetry, logs, status and error codes, usage statistics, and the basic metadata needed to interpret that information. Personal data might also be covered, but the Data Act makes it clear that the obligations under the GDPR remain unaffected (Article 1(5) Data Act).
Additionally, the Data Act does not provide for the protection of confidential information in general. The right of the user to receive that data is deliberately strong and data holders can’t refuse to share data just because the data is confidential. The only exception to this ground rule relates to legally defined trade secrets, in respect of which the trade secret holder is afforded a degree of protection from the obligation to share data in specific situations.
Trade secrets and the Data Act: key tensions
Under the Trade Secrets Directive, information constitutes a trade secret when all three statutory requirements are met:
- the information is secret
- the information has commercial value because it is secret, and
- the information has been subjected to reasonable steps to keep it confidential.
In practice, meeting these requirements often means operationalising ‘reasonable steps’:
- identifying data elements that could reveal proprietary methods (for example configuration parameters, calibration values, granular telemetry or derived indicators)
- classifying and labelling them, enforcing least-privilege access (NDAs, role-based controls, logging), and
- limiting disclosures to purpose-fit subsets so permitted access cannot reconstruct confidential methodologies or commercially sensitive inferences.
The Data Act does not exclude trade secrets from sharing obligations (eg Recital 31). This in itself is logical: if merely invoking trade secret protection were enough to block disclosure, data holders would have a strong incentive to classify large parts of their data as such. Data holders are, however, allowed to protect the trade secret data using proportionate confidentiality arrangements prior to sharing (Articles 4(6),(7),(8) Data Act).
The tension naturally lies in the boundary cases: not all valuable (confidential) data qualifies as a trade secret, and especially considering the rapid pace of technological development, this can create uncertainty. For example, manufacturers that provide IoT-enabled devices may be required to share data generated by those devices with users. If this data includes operational insights and maintenance algorithms from which information about proprietary software can be reverse engineered, disclosing it could undermine the manufacturer's competitive position, but the information in itself wouldn’t automatically qualify as a trade secret.
To address possible uncertainty with regard to trade secrets, the Data Act has built in specific safeguards. In short, the model is 'protect, then share'. Before data is disclosed to a user’s chosen recipient, the parties are expected to agree proportionate technical and organisational measures to preserve confidentiality, such as purpose limitation, access controls, secure environments, confidentiality undertakings, and no-reverse-engineering commitments. The aim is to make operational data usable for legitimate purposes while preventing recipients from inferring confidential methods or commercially sensitive insights (Article 4(6) Data Act).
Businesses therefore need to approach trade secret protection strategically. Those that heavily rely on generated data should carefully assess which parts of their generated data could, and perhaps should, be qualified and protected as trade secrets. This will strengthen their position to prevent sensitive information from becoming publicly accessible through mandatory sharing obligations.
Balancing trade secret protection with the Data Act’s requirements
For businesses that need to share data in compliance with the Data Act but also want to protect their trade secrets, finding a balance is crucial. Strategies to protect sensitive data while meeting legal obligations include:
Build internal understanding
One of the most practical, but often overlooked, steps companies can take to prepare for Data Act compliance is to build a shared internal understanding of their data landscape. Legal (whether internal or external), technical, and business teams should work together to map out exactly what information their connected products and related services generate, what portion of that data may need to be shared under the Data Act, and which data elements could technically be used to reverse engineer or infer trade secrets.
This joint exercise should go beyond labels like “raw” or “enriched”. Technical teams can explain how data is produced, what granularity it has, and what could be inferred from it in the wrong hands. Legal teams can assess how these elements align with the trade secret definition and determine where stricter safeguards may be required. Business units can help prioritise what truly carries commercial sensitivity. Once these categories are clear, the company can design standard contractual safeguards. Just as importantly, this process helps document why certain datasets can be shared and why others may need to be restricted or protected more carefully.
Data sharing agreement (clauses)
When data sharing is unavoidable, businesses in a B2B relationship should use data sharing agreements (DSAs) that on the one hand make the data available to a recipient, and on the other hand include clearly defined confidentiality clauses and set out how trade secrets are protected. One option is to use (parts of) the EC model contractual terms covering confidentiality, purpose limitation, no-reverse-engineering, and flow-down obligations.
Last resort: exemptions from obligatory data sharing
In certain cases, businesses may be able to argue an exemption from the mandatory data sharing obligations on the grounds of trade secret protection (Article 4(8) Data Act). However, the threshold for such refusals is deliberately high: companies must be able to demonstrate, with objective evidence, that disclosure would be highly likely to cause serious and irreparable economic damage – even after appropriate safeguards have been applied.
Importantly, this same mapping exercise also helps businesses meet the transparency obligations required when invoking an exception. By mapping which data is generated, which elements carry trade secret risks, and where potential exposure lies, businesses can identify concrete and defensible arguments that may support a refusal or suspension of data sharing in exceptional cases. If a data holder decides to refuse or suspend the sharing of data identified as a trade secret, it must inform the user or third party in writing without undue delay and notify the competent authority of the Member State where it is established. That notification must specify which measures were not agreed or implemented and, where applicable, which trade secrets have had their confidentiality undermined. In other words, careful upfront mapping not only supports the substance of an exemption but also provides the structure and evidence needed to meet the procedural requirements that come with it.
Taking a structured approach
The Data Act introduces a new data sharing framework that can coexist with trade secret protection, but only if businesses take a deliberate, structured approach. The Regulation is not designed to strip away confidentiality, but it does shift the burden onto businesses to actively protect what matters most. Identifying which data carries trade secret risk, embedding appropriate safeguards, and documenting why certain information cannot be shared are no longer optional steps; they are essential compliance tools. Businesses that invest early in understanding their data landscape, aligning legal and technical teams, and building standard contractual and technical protections will be better positioned to navigate the Data Act framework. This not only helps to meet the procedural and transparency obligations under the Data Act but also supports a stronger, evidence-based position if there is a need to rely on the trade secret exemption.