This article is part of a series that summarises the key issues arising from the introduction of the Data Act. See:
- The Data Act: 5 Things to Know About the Data Act and New Switching Requirements for Providers of Cloud Services
- The Data Act: 7 Things to Know About the Data Act and Connected Products
The EU Data Act requires companies to share data generated by ‘connected products’ and their ‘related services’ with users and, in some cases, third parties. As these data-sharing obligations take effect, they raise questions about cybersecurity risks and the protection of trade secrets. This advisory outlines five things stakeholders should know about how the Data Act addresses those issues.
1. Data-sharing obligations can create cybersecurity and confidentiality risks
As we set out in our previous advisory, the Data Act’s rules require ‘data holders’ (typically manufacturers of connected products and providers of related digital services) to comply with a trio of data-sharing obligations:
- An ‘access by design’ obligation. Where relevant and technically feasible, connected products should be designed and manufactured (and related services provided) so that users can have direct access to certain data, for example, via a data access portal on the device.
- A ‘right of access’ obligation. Where the user cannot directly access the data, the data holder must at least ensure indirect access by making the data available upon request.
- A ‘right to portability’ obligation. Upon request by a user (or someone acting on behalf of a user), the data holder must make data available to a third party with whom the user has concluded a data-sharing agreement.
The Data Act permits (and in some cases may oblige) data holders to apply ‘appropriate technical protection measures’, such as encryption, to prevent unauthorised access to the data. Those measures may not themselves be used to hinder the access, use or portability rights the Data Act grants to users and third parties. And, as in all circumstances where data is shared externally, cybersecurity and trade secret risks may still arise.
2. A ‘safety and security handbrake’ can limit data-sharing when cybersecurity and safety are at stake
The Data Act provides for a ‘safety and security handbrake’, which allows data holders to restrict access to data to ensure the cybersecurity of connected products.
In contracts with users, data holders may restrict or even prohibit accessing, using, or further sharing data if such activities could undermine security requirements of the connected product. Two cumulative conditions must be met before this handbrake can be applied:
- The security requirements must be laid down by EU or EU Member State law, for example under the EU Cyber Resilience Act (CRA).
- The access, use, or further sharing of the data would result in a serious adverse effect on the health, safety, or security of individuals.
3. A ‘trade secrets handbrake’ can help protect confidential information
The Data Act does not include a general carve-out for trade secrets: in principle, data holders must share data with users and third parties even when the data constitutes a trade secret (as defined in the EU Trade Secrets Directive). However, the ‘trade secrets handbrake’ enables data holders to protect the ongoing confidentiality of such information.
Under the trade secrets handbrake, the data holder (or trade secret holder) must identify any data constituting a trade secret and attempt to agree with the user or third party on technical and organisational measures (TOMs) necessary to preserve confidentiality. Such measures may include agreements, strict access protocols, or technical standards.
The trade secrets handbrake covers two scenarios:
- The data holder may withhold or suspend the sharing of trade secrets if: (1) there is no agreement on TOMs; (2) the user or third party fails to implement the TOMs; or (3) the user or third party undermines the confidentiality of the trade secrets.
- In exceptional circumstances, a data holder who is also the trade secret holder may refuse to share trade secrets if it can demonstrate that it is ‘highly likely to suffer serious economic damage’ despite the TOMs. The risk of such damage occurring needs to be assessed on a case-by-case basis.
There is an additional protection for the ‘right to portability’: data holders must disclose trade secrets to third parties only to the extent strictly necessary to fulfil the purpose agreed between the user and third party.
4. Data holders must justify using handbrakes and may face oversight
To prevent over-reliance on handbrakes, the Data Act includes accountability measures—meaning that data holders will need to conduct robust assessments before applying them. Depending on the circumstances, data holders may need to substantiate their reasoning for applying a handbrake (and provide a written explanation to the relevant user or third party), and/or notify the EU Member State authority responsible for enforcing the Data Act.
Users and third parties who disagree with the application of a handbrake may seek redress before a court, lodge a complaint with the relevant authority, or agree with the data holder to refer the matter to a dispute settlement body.
5. Cybersecurity and trade secret rules apply differently across obligations
Data holders will need a clear understanding of the Data Act’s provisions to assess when they can apply handbrakes. Where handbrakes do not apply, they may still be able to limit access to data or implement appropriate protections to mitigate risk.
For example, data holders cannot apply the trade secrets handbrake in connection with the access by design obligation; however, FAQs published by the European Commission emphasise that the obligation applies only ‘where relevant and technically feasible’. When assessing relevance and feasibility, cybersecurity concerns and trade secret protections may be taken into account.
In other words, at the design stage of a product or service, data holders have flexibility in choosing whether to provide direct or indirect data access, and cybersecurity and trade secret protections can influence that choice. Data holders may also impose restrictions on users with direct access to connected product data, provided those restrictions do not undermine users’ rights under the Data Act.
Conclusion
Data holders subject to the Data Act should consider the following action items:
- Create an inventory of connected products, related services, and associated data that fall under the Data Act.
- Identify any cybersecurity requirements that could be undermined by the data-sharing obligations—particularly where such requirements arise under EU or EU Member State law such as the EU Cyber Resilience Act.
- Identify whether any in-scope data could defensibly constitute a trade secret (and identify the trade secret holder).
- Identify technical and organisational measures/technical protection measures to protect shared data.
- Assess whether it would be appropriate and defensible to apply handbrakes—and prepare to notify EU Member State authorities and/or document the reasoning as required.
- Draft appropriate contractual provisions (in particular, restrictions and protections) to be included in agreements with users and third parties.
If you have any questions, or would like additional information, please contact one of the attorneys on our Privacy, Cyber & Data Strategy team.
You can subscribe to future advisories and other Alston & Bird publications by completing our publications subscription form.