Will data protection authorities be a top target for cybercriminals? Forced sharing of trade secrets is one of the consequences of yesterday’s CJEU judgment, in a way that in my view should prompt a serious question: how will organisations share those trade secrets with those supervisory authorities [SAs], and can the latter be trusted to keep them safe?
This is the result of para. 74 of the CJEU’s judgment of 27 February 2025 in case C‑203/22 (Dun & Bradstreet):
[if] the information to be provided to the data subject under the right of access guaranteed by Article 15(1)(h) of the GDPR is likely to result in an infringement of the rights and freedoms of others, in particular in so far as it contains personal data of third parties protected by [the GDPR] or trade secrets […] that information must be disclosed to the competent [SA] or court, which must balance the rights and interests at issue with a view to determining the extent of the data subject’s right of access to personal data concerning him or her
Let’s think about this.
If an organisation wishes *not* to disclose certain information to a data subject because it is a trade secret (= something that is protected by law because of its secrecy and because it has commercial value), that trade secret *must* be disclosed to an SA so that the SA can assess whether the organisation is right in preventing the data subject from receiving such information.
If you casually claim something is business confidential or a trade secret, the logic is understandable – you might be lying or overstating the secrecy of the information.
But if it really is confidential or a trade secret? Too bad, you have to disclose it, says the CJEU.
I have always been uneasy about the sharing of business confidential info with SAs, notably because of their remit, but this *forced* sharing goes even further.
So should controllers start considering how to securely share information with the SA *on their terms*, for instance through a virtual data room environment (// M&A deals) or only showing stuff live?
[Secure file sharing systems just secure the *communication* of the information, not its use by the SA.]
Sure, NIS2 applies to public administration entities, but don’t blindly trust SAs’ technical security without first seeing evidence of what they actually do.
So if they want a copy, should you send a security questionnaire first?
Would the SA consider that a failure to cooperate?
You should at least be permitted to ask – especially if you have your own cybersecurity obligations under e.g. NIS2, DORA, the Cyber Resilience Act, …
Disclosure can be purely oral, after all.
Similar concerns have long existed regarding the sharing of information with courts, but the CJEU’s finding that trade secrets “must be disclosed to the competent [SA]”, coupled with the (general) cooperation obligation, makes this issue even more pressing in the field of data protection.
More on the judgment: https://lnkd.in/eJ6YP5MH
Did this analysis get you thinking? Reach out!
DataLaws.net is entirely open-access, and instead of getting your data in exchange for this content, how about another trade? If this commentary saved you research time or sparked an idea, feel free to invite me over for tea, chai or a hot chocolate next time you are around Brussels or Antwerp - or invite me over to your offices for a chat!