Our recommendations and amendments proposal for the Digital Omnibus: Data Act and GDPR

Data Act

While APPLiA supports the Data Act’s goal of fostering a fair and innovation-friendly data economy, the regulation, as adopted, raises serious concerns over the protection of trade secrets and confidential business information. Mandatory sharing of potentially sensitive data with users and third parties lacks sufficient safeguards, creating legal uncertainty and competitive risks for the European industry.

Inadequate protection of trade secrets

The current “handbrake,” requiring an agreement on technical-organisational measures (TOMs) with the user, is inadequate and practically unworkable, as it risks trade secrets being widely shared or aggregated to reveal confidential information through multiple data requests.

1. Reversal of trade secret protection: The Data Act shifts ultimate protection to the (often unknown) data recipient, making enforcement nearly impossible and increasing the risk of data leakage or reverse engineering by third-party competitors. Art. 4(6)-(12) and Art. 5(9)(12) Data Act allows users to request access to data generated by connected products and services, even if such data is protected as trade secrets. 
2. Ineffective TOMs: Legal uncertainty surrounds what constitutes adequate TOMs. Measures like encryption, digital rights, or hashing do not reliably prevent malicious disclosure, and breaches of non-disclosure agreements are often undetectable. Unlike GDPR, where processors protect data in their possession, releasing sensitive data to multiple actors cannot realistically ensure protection after disclosure.
3. High threshold for refusal and proof: Under Recital 31, Art. 4(8), and Art. 5(11), demonstrating “serious economic damage” or “irreparable loss” ex-ante is extremely difficult. The potential financial risk, even with TOMs in place, may not be evident to the data holder before disclosure. 

GDPR 

APPLiA opposes the introduction of Article 88a into the GDPR, which seeks to transpose and 'modernize' the access rules currently found in Article 5(3) of the ePrivacy Directive. While intended to simplify the 'cookie' regime, this amendment creates a legal overlap for the home appliance sector. By shifting these rules into the GDPR, the Commission subjects physical terminal equipment, such as connected household appliances, to a rigid, browser-centric consent framework that was never designed for the Internet of Things (IoT).