Faculty of Science, Technology and Medicine
Faculty of Law, Economics and Finance
Faculty of Humanities, Education and Social Sciences
Interdisciplinary Centre for Security, Reliability and Trust
Luxembourg Centre for Systems Biomedicine
Luxembourg Centre for Contemporary and Digital History
Luxembourg Centre for European Law
Luxembourg Centre for Socio-Environmental Systems
Author
Introduction: From Policy to Practice
The EU’s data strategy is being framed as a transformative shift in the digital economy: the goal is to unlock the value of data across sectors while safeguarding innovation and rights. The Data Act is a major step in this direction and marks a significant policy shift from private control toward regulated access and sharing, responding in particular to structural power imbalances between data holders and users in data-driven markets. Importantly, the Data Act entered into application on 12 September 2025, which means that it is no longer a theoretical policy project but an operational framework that businesses must now implement.1
The Data Act’s main goal is to create a harmonised framework specifying who is entitled to use or service data, under which conditions, and on what basis. 2 In practice, this means that the Data Act can impose compulsory data sharing – namely legally mandated access to data by users of connected products and, at their request, by designated third parties – under certain circumstances, even where data is commercially valuable and even where it is protected as a trade secret.
This raises the central question for IP law: how does the Data Act’s mandatory data-sharing model interact with existing IP rights, especially trade secrets and database protection? The regulation is explicit that it does not create a new exclusive right in data, yet it can deeply affect IPRs.3
The Data Act’s approach is therefore not simply about data access; it is a broader attempt to recalibrate power in data-driven markets while preserving the incentives for innovation that IP rights are meant to provide.4
2. What the Data Act Does
The Data Act applies to non-personal data generated by connected products and related services, such as Internet of Things (IoT) devices, smart manufacturing equipment, or connected medical devices.5 The regulation does not create new grounds for processing personal data; instead, it operates alongside GDPR and focuses on industrial and commercial data.6
The Data Act establishes a set of mandatory access obligations for data holders: entities that control data generated by products or services and are obliged by EU law to share it.7 Importantly, the framework is not universal: it is limited to compulsory data sharing in specific contexts, mainly B2B sharing.8
The Act aims to rebalance bargaining power between data holders and users by enabling users or third parties to access data necessary to use, maintain, or benefit from a product or service.9 In practice, manufacturers and service providers have often retained exclusive control over machine-generated data, allowing them to leverage that control to influence downstream markets such as maintenance, repair, or data-driven services. The Data Act intervenes in this structural asymmetry by treating data access as a matter of internal-market functioning rather than as a purely private prerogative.
Yet this is not a complete removal of IP protection. Instead, the Data Act tries to reconcile compulsory access with IP rights through a system of conditional protection, particularly for trade secrets and database rights.
3. The Central Tension: Mandatory Data Sharing vs. IP Protection
The Data Act encompasses a fundamental tension: on the one hand, the Act requires data holders to share data. On the other hand, the same data may be protected by IP rights, especially trade secrets and the sui generis database rights.
This tension is not just reflected in IP law, but also in competition law. From a competition perspective, control over data – particularly IoT-generated data – can reinforce market power and create lock-in effects that hinder downstream competition and innovation. The Data Act’s mandatory access rights are therefore also designed to rebalance structural asymmetries in data-driven markets by enabling users and third parties to access data that would otherwise remain under the exclusive control of data holders.10
The EU explicitly recognises this tension. Rec. 13 states that the regulation can potentially deeply affect IPRs and acknowledges that many connected products subject to the Data Act are themselves protected by IP. Rec. 30 further reiterates that IPRs must be respected.
In practice, this means the Data Act does not abolish IP protection, but it limits the extent to which IP can be used to deny access. The Act is not a vehicle for IP reform, but it is a powerful instrument that re-orders how IP functions in data-driven markets.
4. Trade Secrets under the Data Act: Protection, But Not Absolute Control
a) Trade secrets as the central IP mechanism for data
Among IPRs, trade secrets are the most relevant to data. Patents and copyrights are – in most cases – structurally ill-suited to protect raw data, while trade secrets can protect information as such, provided it meets the required criteria.11
Trade secret protection is not automatic; it requires three cumulative conditions:
- Secrecy: the information must not be generally known or readily accessible in the relevant industry
- Commercial value from secrecy: the value must derive from the fact that the information is secret
- Reasonable steps to preserve secrecy: the owner must actively maintain confidentiality through appropriate measures12
This is the reason why any uncontrolled disclosure destroys both the economic value of the secret and its legal qualification as a trade secret.13
In the data context, this is complicated by the fact that data is often not “born secret”, especially when generated automatically through sensors or IoT devices.14 Yet, trade secrets can still apply where the dataset is treated as a whole, rather than each individual data point.15
b) The Data Act’s “qualified handbrake” approach
The Data Act expressly recognises trade secrets and allows data holders to protect them, but only under strict conditions.16
An important feature of the Act is that trade secrets cannot be used as a blanket refusal ground. Data holders must share data even when it includes trade secret information, provided the user or third party has taken appropriate measures to preserve confidentiality.17
In particular, the data holder may require the user or third party to implement technical and organisational measures to preserve confidentiality, such as confidentiality agreements, access protocols, and technical standards.18 For third parties, trade secret data may only be disclosed to the extent strictly necessary to fulfil the purpose agreed between the user and the third party.19 The data holder may refuse or suspend sharing if safeguards are not implemented, or if disclosure would likely cause serious economic harm. Such refusal must be reasoned and notified to the competent authority, and can be challenged by the user or third party under the enforcement mechanisms set out in Chapter IX (especially Articles 38 and 39) of the Data Act.20
This model effectively transforms trade secrets from an absolute shield into a conditional safeguard. Trade secret protection is no longer primarily about preventing access, but about controlling how access is granted.21
c) “Data secrets”: A new hybrid category?
Some scholars describe this model as creating a hybrid category of “data secrets”: data that must be shared, yet is also protected as a trade secret.22 This concept is useful because it captures the Data Act’s novelty: the regulation does not simply respect trade secrets; it reconfigures them in a data-sharing context.
d) The role of technical protection measures
The Data Act also explicitly endorses technical protection measures (TPM) to prevent unauthorised access, including encryption and smart contracts.23 These measures must not discriminate between recipients and must not hinder the user’s right.24
Technical protection measures can thus operate as a quasi-property mechanism: they allow data holders to maintain control over data while complying with mandatory access obligations.25
e) Administrative involvement: a new enforcement model
Another novel aspect is the shift from purely private enforcement to administrative oversight. The Data Act requires notification to competent authorities when access is refused or suspended due to trade secret concerns.26 This introduces a new role for national authorities, which is unusual compared to traditional trade secret law, where enforcement is mainly through private litigation.27
5. Database Rights and the Data Act: A Quiet Limitation
A major but often overlooked IP implication of the Data Act concerns the sui generis database right under Directive 96/9/EC. Traditionally, this right protects databases that involve substantial investment in obtaining, verifying, or presenting data.28
However, the Data Act contains a clear and unusual limitation: the sui generis database right does not apply when data is obtained from or generated by a connected product or related service within the scope of the Data Act.29
This is a strong policy signal. It means that database rights cannot be used to lock in data generated by IoT devices or related services. This is especially significant because the database right has often been the closest thing to an exclusive right over structured data in the EU.30
6. Contracts, Licensing and “Unfair Terms”
The Data Act also affects contractual freedom in data-sharing contexts. The regulation includes provisions that prevent unfair contractual terms that limit data access or transfer, particularly in B2B contexts.31
This is important because many data-sharing relationships are governed by licensing agreements and IP allocation clauses. The Data Act forces businesses to review and revise contractual terms in these pre-existing contracts that attempt to block access, even where those terms are linked to IP protection or confidentiality commitments.
The regulation’s impact is particularly relevant for SMEs, which are often disadvantaged in negotiating data access agreements.32 In practice, this means that the Data Act reshapes contractual IP allocation, making data access a default rather than an exception.
7. Clarifying What is Not Covered: Raw Data vs Derived Data
A crucial structural safeguard in the Data Act is the raw data vs derived data distinction. The Act clarifies that algorithms and derived information are not covered.33
This is important for IP-heavy industries because it means that proprietary algorithms, analytics, and software outputs remain protected. While raw and pre-processed data must be shared under certain conditions, inferred or derived information is excluded.34
This has been seen as a built-in IP protection mechanism: it reassures companies that the Data Act does not force them to reveal their most valuable intellectual assets, namely their analytical models and proprietary insights.
8. Compensation: The Economic Value of Access
Another critical but often overlooked aspect is Article 9 of the Data Act, which allows for reasonable compensation when data access imposes costs on data holders.
This is where IP economics re-enters the discussion. Trade secrets and high-value datasets may involve substantial investment, and mandatory access can create economic loss if no compensation is allowed. Article 9 therefore creates a space where the value of data and the cost of protecting it must be balanced against the policy goals of data sharing.
However, “reasonable compensation” is a concept that remains open to interpretation. This is likely to become one of the main areas of dispute and regulatory guidance as implementation proceeds into 2026.
9. Enforcement and Remedies
The Data Act’s enforcement is decentralised. Member States are responsible for enforcement through national competent authorities, and the regulation provides for dispute resolution mechanisms and remedies.35
This decentralised model raises questions about consistency across Member States, especially in relation to trade secret disputes and technical protection measures.36 As the Act becomes operational, the practical outcomes will depend heavily on how national authorities interpret and apply the rules.
10. What This Means for 2026: Practical Questions and Uncertainties
As companies begin applying the Data Act, several practical questions will likely arise:
- How will “reasonable compensation” be assessed? (Art. 9)
- What constitutes sufficient technical and organisational measures to protect trade secrets? (Art. 4(6))
- How will national authorities interpret trade secret exceptions? (Art. 4(8))
- Will TPM requirements favour large incumbents with resources to deploy sophisticated encryption and access controls? (De Noyette and others)
- Will the Data Act’s conditional approach to trade secrets encourage or chill data sharing? (Zoboli and Bernatt)
Conclusion: A New IP Equilibrium for the Data Economy
The Data Act represents a decisive step in the EU’s data strategy, shifting the balance from private control toward regulated access.37 It does not abolish IP protection, but it reconfigures how IP rights function in data-driven markets.
Trade secrets remain an important protection mechanism, but they are now treated as a conditional shield rather than an absolute barrier.38 The sui generis database right is explicitly limited to prevent data lock-in, prioritising access over exclusivity.39 The Act also safeguards IP-heavy outputs by excluding derived and algorithmic information.40
In short, the Data Act is not an IP reform, but an IP recalibration. The true impact won’t be measured in abstract rights but in how effectively the law enables data to circulate without eroding legitimate innovation incentives.41
The next phase, 2026 and beyond, will show whether this new equilibrium works in practice. National authorities, courts, and companies will need to navigate the tension between access and protection, balancing the benefits of data flow against the cost of undermining IP and innovation. For now, the Data Act has set a clear direction: data access by default, and IP protection must be operationalised within that framework.
1 Art. 50 Regulation 2023/2854 on harmonised rules on fair access to and use of data (Data Act).
2 Data Act, rec. 4.
3 Data Act, rec. 5.
4 Montagnani, The Role of Intellectual Property Rights in Data-Sharing Obligations, in: Data Sharing Regulation in Europe (2025) 161, 163.
5 Art. 1 Data Act.
6 Data Act, rec. 7.
7 Tombal and Graef, The European Data Act: A Horizontal Building Block for the Data Economy?, in: From regulating human behavior to regulating data (2025) 131, 134.
8 Tombal and Graef, 134.
9 Art. 4, 5 Data Act.
10 Kerber, EU Data Act: Will new user access and sharing rights on IoT data help competition and innovation? In: Journal of Antitrust Enforcement (SSRN Working Paper 2024) 2.
11 Zoboli and Bernatt, The Interplay of Data Protection, Competition Law, IP Law and Data Sharing, in: Data Sharing Regulation in Europe (2025) 183, 184, 185.
12 Art. 2(1) Directive 2016/943 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure (Trade Secrets Directive).
13 Zoboli and Bernatt, 188.
14 Zoboli and Bernatt, 185.
15 García Vidal, The Data Act: Implications for Trade Secrets and Intellectual Property (2023) 5.
16 Art. 4(6)-(8) Data Act.
17 Art. 4(6) Data Act.
18 Ibid.
19 Ibid.
20 Art. 4(8) Data Act.
21 De Noyette, Stahler and Margoni, Data Secrets: The Data Act’s New Trade Secrets Framework, in: International Review of Intellectual Property and Competition Law (2025) 56, 985, 1009.
22 De Noyette and others, 986.
23 Art. 11 Data Act.
24 Ibid.
25 De Noyette and others, 986.
26 Art. 4(8) Data Act.
27 De Noyette and others, 999.
28 Art. 7 Directive 96/9/EC on the legal protection of databases (Database Directive).
29 Art. 35 Data Act.
30 García Vidal, 2.
31 Chapter IV Data Act.
32 Ibid.
33 Data Act, rec. 15.
34 Ibid.
35 Chapter IX Data Act.
36 De Noyette and others, 1001.
37 Data Act, rec. 4.
38 Art. 4(6)) Data Act.
39 Art. 43 Data Act.
40 Data Act, rec. 15.
41 De Noyette and others, 1010.