This article was written by Ricardo Filipe Costa and Marie Barani *
* The views expressed are personal and are not made by or on behalf of Allen Overy Shearman Sterling LLP and its affiliated undertakings including Allen Overy Shearman Sterling (Belgium) LLP
The Data Act and its data-driven innovation objective
Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (the ‘Data Act’) became fully applicable on 12 September 2025.
The Data Act primarily:
– requires that data holders (i) make personal and non-personal data generated by connected products and related services accessible to data users and third parties, and (ii) provide public bodies with access to data they own in specific circumstances,
– prohibits unfair data sharing contractual terms related to data sharing and use in B2B relationships,
-provides for the gradual withdrawal of switching charges, and
-requires interoperability between data processing services.
While the declared objective of the Data Act is to stimulate data-driven innovation, the overriding question is whether its rules on intellectual property (IP), trade secrets and competition are well suited to achieve that objective.
The Data Act and intellectual property
The Data Act includes provisions pertaining to trade secrets and the sui generis database right.
Under the Data Act, data holders are required to make data accessible to data users, as well as to third parties acting on behalf of the data user or upon the data user’s request.
Certain limitations apply for trade secrets: these are intangible assets that are secret, derive their commercial value from their secrecy and have been subject to measures to maintain and protect their secrecy, reason why any unauthorised and uncontrolled disclosure thereof will affect their value as well as their very qualification as a trade secret.
The Data Act seeks to safeguard trade secrets by restricting their disclosure to data users solely when the data user and the data holder or the trade secret owner have taken all necessary measures to preserve the confidentiality of the trade secret. Moreover, with respect to third parties, trade secrets must be disclosed to the extent that they are strictly necessary to fulfil the purpose agreed between the user and the third party.
Furthermore, a data holder or trade secret owner may, after notifying its substantiated decision to the competent authority:
-withdraw or suspend the data sharing whenever there is no agreement with the data user or third party, or the data user or third party fails to implement agreed measures or undermines the confidentiality of the trade secret; and
-refuse to share the data whenever it considers that, even if technical and organisational measures are implemented, sharing the data makes them highly likely to suffer economic damage.
While these provisions attempt to provide a safe framework for the disclosure of trade secrets, they may prove challenging on three aspects:
Even if subject to measures protecting the confidentiality of the trade secret, sharing of trade secrets is automatic. However, the more trade secrets are disclosed, the less secrecy and value they will have.
The withdrawal or suspension of data sharing only takes place once the data user or third party has undermined the confidentiality of the trade secret or failed to implement agreed measures. In most cases, this may be too late to protect the trade secret.
How will the appropriate protection measures be determined, and how will one demonstrate and quantify that the data user or third party has undermined the confidentiality of the trade secret or failed to sufficiently implement measures?
The second right affected by the Data Act is the sui generis database right, which protects databases for which there has been a substantial qualitative and/or quantitative investment in obtaining, verifying or presenting its content against any extraction and/or re-utilisation of the whole or a substantial part of the database.
Under the Data Act, the sui generis right shall not apply to data generated by connected products falling within the scope of the Data Act. This may prove problematic, considering that connected products collect and present an ever-increasing amount and variety of data to users, which may be arranged in a database.
The Data Act and competition
From a competition law viewpoint, the Data Act takes account of both traditional competition law rules as well as contemporary instruments, most notably the Digital Markets Act[1] (hereinafter ‘DMA’).
The Data Act is express to the fact that it does not affect the application of competition rules, nor may it be used to unlawfully restrict competition.
Any undertaking designated as a ‘gatekeeper’ for the purposes of the DMA shall not be an eligible third party under the Data Act, and, as such, it shall not receive data from a user or solicit or commercially incentivise a user to make data available to one of its services or to request the data holder to make data available to one of its services. By the same token, any third party shall not make the data it receives available to an undertaking designated as a gatekeeper under the DMA.
Although a third party may use the data it receives to develop a new and innovative connected product or related service, it cannot use the data to develop a competing connected product or share the data with another third party for that purpose. Third parties shall also not use any non-personal data or related service data made available to them to derive insights into the economic situation, assets and production methods of the data holder. The Data Act thus seeks to strike a balance between maintaining the investment incentives for the type of connected product from which the data are obtained (by prohibiting the use of data to develop a competing connected product) and encouraging innovation (by not blocking the development of a related product or service using the data obtained), which, however, will need to be tested in practice.
Subject to practical application and enforcement, a number of provisions in the Data Act may help foster competition in the market.
By imposing an obligation to provide data, upon a user’s request, to any third party, except for undertakings designated as ‘gatekeepers’ under the DMA, the Data Act may help address potential competition issues in aftermarkets, where currently only the primary service or product provider is guaranteed access to data.
By setting forth rules promoting cloud data portability and the interoperability of data-processing services, the Data Act may likewise foster consumer choice and customers’ freedom to switch between cloud data-processing services.
Finally, by recognising certain data access rights for data co-generators, the Data Act may also help prevent exclusive control of individual-level data, which constitutes an increasingly relevant input in an increasingly data-driven economy.
The Data Act: objectives, challenges and concerns From all of the foregoing, the Data Act may incentivize competition, most notably by making data more generally available to third parties. Conversely, it may also lower the protection of trade secrets, and the sui generis database right will most likely prove useless for connected products, despite this field being where such protection could be most effective. In light of such an uncertain and possibly conflicting landscape, it remains to be seen how the Data Act will apply in practice, and how data-related product/service competitors and IP holders will adapt.
[1] Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828.
