When a data holder declines to share data, it is required to notify the EU Member State Competent Authority of its decision to decline access. The Competent Authority is empowered to conduct investigations, impose, where appropriate, ‘proportionate and dissuasive’ financial penalties or initiate legal proceedings. Individuals and companies also have a right to lodge complaints with the Competent Authority if they consider their rights under this regulation to have been infringed.
In the regulation preamble (which spans over 100 paragraphs), the right of the data users of a connected product to share data with third parties is acknowledged:
This Regulation ensures that users of a connected product or related Service in the Union can access, in a timely manner, the data generated by the user of that connected product or related service and that those users can use the data, including by sharing them with third parties of their choice.
Data must be made available in fair, reasonable and nondiscriminatory terms and conditions, and in a transparent manner. It states plainly: “[t]herefore, this regulation adapts rules of contract law and prevents exploitation of contractual imbalances that hinder fair access to and use of data.” The preamble acknowledges that this data is valuable in the context of the "health and the circular" economy, including through facilitating the “maintenance and repair” of the connected products in question.
The preamble notes that the regulation enables users of connected products to benefit from
aftermarket, ancillary and other services based on data collected by sensors embedded in such products. It also acknowledges the difficulty in accessing some of this data and informs manufacturers that they need in the future to design products to permit the users an easier way to access data. The regulation suggests that EU law or EU member state law could be introduced to address further product design to permit greater access to data.
Need to inform national authority of trade secret claim
While acknowledging that “trade secrets shall be preserved and shall be disclosed only where the data holder and the user take all necessary measures prior to the disclosure to preserve their confidentiality, in particular regarding third parties,” the data holder in asserting the trade secrets is required to identify the data which is protected and agree with the user-proportionate technical and organization measures to preserve the confidentiality of the shared data.
