Insights on Data Sharing in the Industrial and Manufacturing Sector

Data Spaces

The EC has estimated that the potential value for the use of non-personal data in the industrial and manufacturing sector will be 1.5 trillion euros by 2027¹. The sharing of data will be based on both voluntary agreements as well as the mandatory Data Act within the Industrial & Manufacturing sector.

Increased, voluntary data sharing within the Industrial and Manufacturing sector is expected to enable companies to optimise existing processes and to develop new products, data intensive applications as well as artificial intelligence systems and create new businesses. According to the EC, the workshops with stakeholders have, however, shown that in order to be able to talk about an efficient industrial data space, “a critical mass” of manufacturing companies should join the space and start sharing data among themselves, within shared infrastructures. This could also motivate technology providers to adapt their technology solutions to meet the requirements for data sharing.² The EC is funding a coordination and support action through the Digital Europe Programme to create governance models and identify common principles of data sharing in the Industrial and Manufacturing sector.

The proposed Data Act, on the other hand, will impose concrete, mandatory obligations on, among others, manufacturers of IoT (the Internet of Things) devices, to share (without delay, for free and in real-time!) data generated by the use of such IoT devices and/or related services in the industrial context, excluding, however, any information derived or inferred from this data. The Data Act targets industrial ‘non-personal’ data and will apply also in the industrial setting to data generated by the use of industrial IoT machinery. The draft Data Act has raised several questions and concerns within the Industrial & Manufacturing sector, with one of the most compelling questions being the actual scope of the industrial data subject to the mandatory data sharing obligation. The reason for this is that many IoT machinery makers are concerned about leakage of their trade secrets within the data despite the safety mechanisms introduced by the Data Act, as well as the impact on monetising their existing data-driven services.

Both the recently published position of the European Parliament³ and the fifth presidency compromise text⁴ by the Council of the EU have modified the original EC proposal text regarding the scope of data subject to the sharing obligation. In both versions, the scope of data to be shared would extend, in addition to the data generated by the use of such IoT devices and/or related services, to metadata as well as data that has been pre-processed or modified into an understandable form in order to be further used by a third party. The Parliament would apply the obligation to share to data “in the form in which they have been collected, obtained or generated by the connected product, along with only the minimal adaptations necessary to make them useable by a third party”. The Council has noted that the data should include data that is “pre-processed for the purpose of making it understandable and useable”. Both exclude from the scope further results of processing or information derived from the data.

We note, first of all, that at the time of writing this article, the Council has not yet adopted its final amendments on the Data Act proposal, and more importantly the exact scope will be defined through the trilogues between the Council, Parliament and the EC. The different views and wordings highlight, however, the fact that the nuances in the final text may have an important effect on the device manufacturers’ obligations to share data. The device manufacturers appear to call for a carefully framed and narrow definition of data including only raw data generated by or during the use of the product, excluding any processed, derivative data. In order to preserve the service earning logic around value-added services as part of an industrial IoT offering, many device manufacturers would wish to explicitly exclude downstream data together with any other derivative data from the scope of the mandatory sharing obligation.

Another important question relates to trade secrets. The draft Data Act includes protection mechanisms such as contract-based confidentiality undertakings, but they do not appear to be effective in all situations. In an industrial environment, service provider markets are often rather limited and operators are regularly very knowledgeable and specialised in their field. Trade secrets included in a competitor’s data could potentially be quite easily readable “in between the lines”. Both the Council of the EU in its compromise proposal and the Parliament in its final report have attempted to further clarify how trade secrets would be protected under the Data Act and the trade secrets directive. The Council’s latest compromise proposal includes a possibility for the data holder not to disclose certain data if it is able to demonstrate that it would highly likely lead to serious economic damage. Such an element has sparked discussion as there is a fear that the change would give manufacturers too much control. Ultimately, while trust (invoked by confidentiality undertakings) is good, control (secured by non-disclosure) might be better, at least according to the device manufacturers. Therefore, the final form of the scope of the data sharing obligation is eagerly awaited.

Further, some industrial players might also be wondering whether the Data Act will obligate manufacturers to make their devices “smart” and turn on any connectivity features within a device if that is possible even if not agreed with the users. This question boils down to the definitions too. In the Commission’s proposal for the Data Act, a ‘data holder’, on which the data sharing obligations are imposed, would include the party that through control of the technical design of the product and related services has the ability to make certain data available. In the draft legislation adopted by the Parliament, the technical ability alone would not yet make anyone a data holder, but rather the actual access to the data, which makes more sense in our opinion.

In line with the objectives of the EU Data Strategy, a vast amount of data should be opened up to the users and all in a form that they will eventually be able to make further use of. However, the Data Act, if and when it enters into force, should not lead to a situation where the highest performing innovators are afraid of offering new data intensive technologies in an attempt to retain their competitive edge. It will be interesting to monitor how the text of the Data Act shapes up towards its final version. In the meantime, we look forward to continuing the impact assessment and gradual implementation step plans within all strategic economic sectors subject to the Data Act, including also Industrial and Manufacturing companies.

1 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, A European strategy for data, COM(2020), 19.2.2020.
2 Commission Staff Working Document on Common European Data Spaces, SWD(2022) 45 final, 23.2.2022.
3 Amendments adopted by the European Parliament on 14 March 2023 on the proposal for a regulation of the European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act) (COM(2022)0068 – C9-0051/2022 – 2022/0047(COD)).
4 Proposal for a Regulation of the European Parliament and of the Council on harmonised rules on fair access to and use of data. (Data Act) – Fifth Presidency compromise text by the Council of the European Union 6360/23, 21.2.2023

Article Series: Common European Data Spaces Being Developed in Strategic Economic Sectors
