At the end of November 2023, the Council of the European Union adopted the “Regulation on harmonized rules on fair access to and use of data”. The regulation, known as the “Data Act”, aims to make data generated by the use of connected products and services available to different stakeholders in order to foster innovation and growth.
The Data Act at a glance - user rights to data access and disclosure
- The Data Act establishes an obligation for data holders (typically the product manufacturer, seller or lessor in the case of products such as machines or devices) and a right for users (typically the owner of the product, whether consumer or business) to direct access, free of charge, to the product data and related service data generated through use, Art. 3 (1). The user's right of access is accompanied by pre-contractual information obligations regarding data access, Art. 3 (2) and (3).
- At the same time, the Data Act creates a fundamental right for users to transfer data to third parties (so-called data recipients). The transfer of data in commercial transactions may be made subject to adequate compensation by the third party, Art. 9, and must otherwise be carried out on fair, reasonable and non-discriminatory terms and in a transparent manner, Art. 8 (1).
- In the future, data holders' own use of product data and related service data that is non-personal data, for example in the form of analyses, will only be permitted on the basis of a corresponding contractual agreement with the users, Art. 4 (13).
- Furthermore, the Data Act contains, in particular, provisions on the provision of data to public authorities, facilitating the transition of customers between data processing services, and ensuring data interoperability.
Trade secret protection may entitle companies to refuse data disclosure
The planned data access by users and disclosure to third parties create new risks for companies in the area of trade secret protection. Although they can refuse to disclose the data in cases considered by the legislator, the rule-exception relationship is designed to the detriment of the data holder.
- Art. 8 (6) clarifies that the obligation to disclose data to third parties does not oblige the data holder to disclose trade secrets.
- Nevertheless, even in the event that the requested data contains business secrets, the data holders are obliged to comply with the user's request for data access or disclosure. They may only take all measures necessary to protect trade secrets, such as confidentiality agreements, see Art. 4 (6) and Art. 5 (9). This is in accordance with the definition of trade secrets pursuant to Sec. 2 (1) of the German Law on the Protection of Trade Secrets (Geschäftsgeheimnisgesetz - GeschGehG), according to which, among other things, appropriate confidentiality measures are required, and in this respect should not mean any fundamental change in the handling of trade secrets in practice.
- More interesting for data holders will be the possibility set out in Art. 4 (7) and Art. 5 (10) to refuse or suspend the sharing of data if the user or third party does not take the necessary measures or if no agreement can be reached on the measures to be taken. However, this decision must be justified, communicated to the user or third party in writing without delay and forwarded to the competent authority, stating the specific facts of the case.
- In general, the data holder may only deny the request for access “in exceptional circumstances” pursuant to Art. 4 (8) or Art. 5 (11). In order to do so, the data holder must demonstrate that it is likely to suffer serious economic damage as a result of the disclosure of the trade secrets, despite the security measures taken by the user. The wording already shows that the legislator had in mind a “last resort” situation and that this is likely to require a considerable amount of argumentation on the part of the data holder. The Data Act lists some objective criteria for such an assessment, such as the enforceability of trade secret protection in third countries. Also here, notification to the competent authority is required.
- Pursuant to Art. 4 (10) and Art. 6 (2) e), users and third parties are prohibited from developing a competing product with the aid of the data provided, or from disclosing such data in order to gain insight into the economic situation, assets and production methods of the data owner or their use by the data holder.
- In the event of a breach of the agreed confidentiality measures or use for the development of a competing product, the data holder may demand the deletion of the data provided, the destruction of the infringing goods and compensation, depending on the amount of damage and proportionality, in accordance with Art. 11 (2).
- In the case of mandatory cloud interoperability pursuant to Art. 23 et seq. which allows users to transfer data to another service, the definition in Art. 2 no. 38 already provides that data constituting a trade secret are not subject to the Data Act.
In case of doubt, data protection takes precedence over the Data Act
Art. 1 (5) of the Data Act states that this regulation applies without prejudice to the General Data Protection Regulation (GDPR). This means that, in principle, the Data Act and the GDPR initially stand alongside each other, which raises the question of precedence in the event of contradiction. The Data Act answers this question in favor of the GDPR, because according to Art. 1 (5), in the event of a conflict, “Union or national law on the protection of personal data or privacy shall prevail”.
- If personal data is processed, a legal basis within the meaning of the GDPR is therefore required. If users request access to data or demand disclosure to third parties, a legal basis usually exists in accordance with Art. 6 (1) c) GDPR or Art. 6 (1) f) GDPR.
- Challenges arise if the data also relates to third parties who are not the user. Companies should therefore always bear the provisions of the GDPR in mind when transferring data and check whether there is a legal basis for disclosure.
Contractual regulations via general terms and conditions (GTC) for data access and data usage
The transfer of data to data recipients, if the latter are companies, can be contractually agreed between the data holder and the data recipient, Art. 8 (1).
- Data holders should make use of this contractual arrangement in order to define the precise conditions under which data is transferred and to ensure, as far as possible, that the data transfer takes place within the framework of an orderly process that safeguards both their own interests and the other legal requirements - for example with regard to data protection.
- However, the contractual scope is limited: The Data Act subjects contractual clauses imposed unilaterally with regard to data access and data use or liability and remedies in the event of a breach or termination of data-related obligations to a GTC control. Accordingly, "unfair contract terms" are not binding on the company on which they are imposed, Art. 8 (2) and 13 (1).
- But when are terms "unfair"? Art. 13 (4) and (5) contain catalogs with examples in both directions, i.e. both for unfair terms vis-à-vis the data recipient and for unfair terms vis-à-vis the data holder. In addition, Art. 13 (3) generally stipulates that a term is unfair "if its application constitutes a gross departure from good business practice in relation to access to and use of data or is contrary to the requirement of good faith". However, as there is still no good business practice in this regard, this general clause offers little guidance for companies.
- In contrast, companies will receive guidance and legal certainty from the non-binding standard contractual clauses for data access and data use, including the conditions for appropriate remuneration and the protection of trade secrets, which are still to be drawn up by the European Commission by the end of the transition period (see below). The model clauses are intended to support companies in drafting and negotiating legally compliant contracts (Art. 41).
Outlook and recommendations for action
On November 27, 2023, the Council of the European Union adopted the Data Act. Following its publication in the Official Journal of the EU on December 22, 2023, the Data Act entered into force on January 11, 2024, and will become applicable law on September 12, 2025, after a basic transition period of 20 months. As a European regulation, the Data Act is directly applicable throughout the EU without the need for further implementing legislation.
By the time the Data Act comes into force, companies that are required to disclose their data under the Data Act, in particular manufacturers, sellers and lessors of connected products, should have put in place contractual arrangements to ensure that they can continue to make full use of the data generated by the use of their products and have developed a strategy for providing and disclosing the data in a way that complies with the Data Act while protecting their trade secrets and complying with data protection laws.