Safeguards and Refusal Rights in EU Data Act B2G Requests

Business-to-government data sharing under Chapter V of the EU Data Act is not a one-sided obligation. While the Act does create a legal mechanism through which public sector bodies can demand data from private companies, it also builds in a substantial set of procedural protections for data holders. These protections are not incidental — they were deliberately designed to prevent the B2G mechanism from becoming an instrument of state overreach, competitive harm, or administrative convenience at the expense of private enterprise. For US companies that hold EU data and may receive Chapter V requests, understanding these protections in depth is as important as understanding the obligation itself.

This article focuses on the procedural and substantive rights available to data holders when they receive a B2G request: the right to challenge requests that fail to meet statutory criteria, the role of proportionality review, the compensation framework, confidentiality protections for commercially sensitive data, the prohibition on using B2G data against the data holder, and the internal process that companies should establish for managing these requests. It also addresses the relationship between the Data Act’s B2G mechanism and the GDPR’s provisions for processing personal data in the context of public tasks.

The Right to Challenge a Request

A data holder that receives a Chapter V request is not required to simply comply. If the request does not meet the statutory criteria — exceptional need, no alternative means, proportionality, scope limitation, and a qualifying public interest purpose — the data holder has the right to refuse compliance or to seek a review of the request. This is a meaningful protection. Chapter V was not drafted to create a rubber-stamp compliance obligation; it was drafted to create a structured legal process, and that process is designed to function correctly only when data holders are willing and able to engage with its substance.

In practice, the right to challenge a request means several things. First, a data holder should review every request against each of the statutory criteria before deciding how to respond. A request that states a qualifying purpose but fails to demonstrate exceptional need, or that requests data far beyond what the stated purpose would require, is deficient and may be challenged. Second, a data holder may seek clarification from the requesting body before complying. If a request is ambiguous about its scope, the data holder is not required to make a broad interpretation in the requesting body’s favor. Third, a data holder may ultimately refuse to comply with a request it believes is invalid and seek judicial review of the requesting body’s determination.

Proportionality Review

Proportionality is both a criterion that a request must meet and a basis on which a data holder can challenge a request that seems to ask for more than it needs. The principle of proportionality in EU law requires that public authorities do not impose burdens on private parties greater than those necessary to achieve a legitimate objective. In the context of Chapter V, this means that a requesting body cannot ask for a decade of granular individual-level records when a year of aggregated data would serve the stated purpose.

Data holders should apply proportionality analysis rigorously. When evaluating a request, ask: What is the stated purpose? What is the minimum data necessary to serve that purpose? Does the request as submitted match that minimum, or does it exceed it? If the request exceeds what proportionality would allow, the data holder has a strong basis to push back — either by proposing a narrower scope, by submitting a formal objection, or both.

Proportionality review is not merely a legal technicality. For companies that hold large datasets with commercial sensitivity — energy consumption patterns that reveal competitive positioning, mobility data that reflects proprietary routing algorithms, health data that supports a commercial product — limiting the scope of a B2G response to the proportionate minimum is a direct business interest, not just a compliance preference.

Judicial Oversight Mechanisms

Chapter V anticipates that disputes about whether a request is valid may require judicial resolution. The Act does not eliminate the ordinary judicial oversight mechanisms available under EU and Member State law. A data holder that disputes the validity of a request — for example, because it does not believe the stated purpose qualifies, because it believes the no-alternative-means criterion is not satisfied, or because it believes the scope is disproportionate — may seek review from an administrative tribunal or court.

The precise mechanism for judicial oversight will vary by Member State. National implementing legislation will determine which courts or administrative bodies have jurisdiction to review Chapter V requests, what procedural timelines apply, and whether a pending challenge suspends the obligation to comply. US companies operating through EU subsidiaries or holding EU data should ensure that their legal teams are familiar with the relevant national procedures in the Member States where they are most exposed.

For companies that receive a request they intend to challenge, the most important practical step is to act quickly. Timelines for challenging administrative decisions are typically short, and failing to preserve a legal challenge in a timely way can result in the challenge being foreclosed while the obligation to comply remains. Companies should not wait until they have fully analyzed a request before beginning the preliminary legal steps to preserve their challenge options.

Compensation: What You Are Entitled To and How to Claim It

One of the most commercially significant aspects of Chapter V is the right to compensation. Unlike many regulatory data disclosure obligations — which are treated as a compliance cost with no reimbursement mechanism — Chapter V explicitly provides that data holders are entitled to compensation covering the cost of complying with a request. This is not a full market-value payment for the data itself; it is reimbursement for the reasonable cost of identifying, extracting, formatting, transmitting, and otherwise making the data available.

For a US company receiving a Chapter V request, the cost-based compensation framework means that internal resources consumed in responding are reimbursable. This includes staff time for data engineers who locate and extract the relevant data, legal time for reviewing the request and preparing the response, costs associated with any required data format conversions, and any third-party costs incurred in connection with the response. Companies should track these costs contemporaneously — not as an afterthought — so that they can submit a documented compensation claim after the response is provided.

The compensation framework has an important exception. In the case of data requests arising from public emergencies, the requesting body may not be required to pay full cost-based compensation. The Act acknowledges that in a genuine emergency, imposing full cost recovery requirements on public sector bodies could impede access to data that might save lives. Even in emergency situations, however, the data holder retains some entitlement to compensation, and the Act does not authorize governments to demand data entirely for free simply by invoking an emergency designation.

Companies should also be aware that the compensation mechanism interacts with the proportionality requirement. If a requesting body submits a request that is broader than proportionality allows, and the data holder is required to compile a larger dataset than was strictly necessary, the cost of that excess is a direct financial consequence of the requesting body’s failure to meet its statutory obligations. This creates an indirect incentive for requesting bodies to scope their requests appropriately, and it creates a corresponding incentive for data holders to document carefully what they were asked to produce versus what would have been proportionate.

Confidentiality Protections for Commercially Sensitive Data

Perhaps the most urgent concern for any company receiving a Chapter V request is the risk that compliance will result in the disclosure of competitively sensitive information. Raw operational data — even data that does not immediately appear sensitive — can reveal a great deal about a company’s customer base, pricing strategy, operational efficiency, and business model. Chapter V includes explicit confidentiality protections designed to address this concern.

The Act requires requesting bodies to maintain the confidentiality of commercially sensitive data received in response to a Chapter V request. This obligation is not limited to formal trade secrets — it extends to any information that the data holder reasonably identifies as commercially sensitive. Data holders should designate data as commercially sensitive at the time they provide it, rather than waiting to see whether the requesting body handles it appropriately. A clear designation creates a clear record and activates the requesting body’s confidentiality obligations under the Act.

In practice, companies should consider including a confidentiality notice with every Chapter V response, identifying specifically which elements of the provided data they consider commercially sensitive and explaining briefly why. This notice does not override the requesting body’s ability to use the data for its stated purpose, but it does create a documented basis for any subsequent complaint if the data is handled improperly or disclosed beyond the intended recipients.

The confidentiality protections under Chapter V interact with national freedom of information laws. In many EU Member States, documents held by public authorities are subject to some form of public access regime. If data provided in a Chapter V response ends up in the hands of a public body, there is at least a theoretical risk that a freedom of information request could be used to obtain it. Data holders should raise this concern explicitly when providing data — flagging the commercially sensitive nature of the data and requesting that the public body apply any available exemptions if a freedom of information request is made.

The Prohibition on Using B2G Data Against the Data Holder

Chapter V includes an explicit prohibition that is of particular importance to US companies: data obtained through a Chapter V request may not be used to make decisions that adversely affect the interests of the data holder. This prohibition is designed to prevent a situation where a company is required to provide data to a public body, and that body then uses the data to penalize the company, initiate enforcement action against it, give advantage to a competitor, or otherwise act to the company’s detriment.

This protection is meaningful but not unlimited. It prohibits the use of Chapter V data as an adverse decision-making tool against the data holder itself. It does not prohibit the requesting body from using the data to make decisions that happen to affect the data holder’s market, regulation, or operating environment in ways that are incidental to the stated public interest purpose. The distinction is between targeted adverse action directed at the data holder on the basis of what the data reveals, versus broader policy or statistical conclusions that happen to affect the sector the data holder operates in.

For US companies, this protection should be reflected in their internal documentation of Chapter V responses. When a company provides data in response to a Chapter V request, it should record the stated purpose and the prohibition on adverse use. If, at a later date, the data holder believes the data was used against it in a regulatory proceeding or competitive context, that documentation provides the factual basis for a legal challenge.

Secondary Use Restrictions

The secondary use restrictions in Chapter V are closely related to the adverse use prohibition but broader in scope. Data obtained through a Chapter V request may only be used for the specific purpose stated in the request. It may not be repurposed for commercial use, it may not be shared with parties outside the requesting body except to the extent strictly necessary for the stated purpose, and it must be deleted or anonymized once it is no longer needed for that purpose.

These restrictions place the compliance burden on the requesting body, not the data holder. The data holder’s obligation is to provide the data; what happens to that data afterward is regulated by the Act’s obligations on the receiving side. However, data holders are not entirely passive in this respect. They can and should document what they provided, to whom, and for what stated purpose. If secondary use restrictions are subsequently violated, that documentation is the foundation of any legal complaint or compensation claim.

How to Structure an Internal Process for Chapter V Requests

Given the complexity of Chapter V’s procedural framework, US companies that are plausibly data holders under the Act should build an internal process for receiving, evaluating, and responding to B2G requests before the first request arrives. A reactive approach — scrambling to evaluate the request, locate the data, assess the legal position, and prepare a response under time pressure — will produce worse outcomes than a structured process built in advance.

Intake and Logging

Every Chapter V request should be logged centrally as soon as it is received, including the date of receipt, the identity of the requesting body, the stated purpose, and the specific data requested. This log is the foundation of the compliance record. Companies should designate a specific function — legal, compliance, or a data governance office — as the single point of contact for Chapter V requests, so that requests are not handled inconsistently across different business units.

Criteria Review

Once a request is logged, it should be assessed against each of the statutory criteria: Is the stated purpose a qualifying public interest purpose? Does the request demonstrate exceptional need? Does it credibly establish that no alternative means of obtaining the data exists? Is the scope proportionate to the stated purpose? Are the temporal and categorical boundaries of the request clearly defined? A structured criteria review checklist, prepared in advance with legal input, makes this assessment faster and more consistent.

Challenge Decision

If the criteria review identifies a deficiency in the request, the company must decide whether to seek clarification from the requesting body, to propose a narrower scope, or to formally challenge the request. These options are not mutually exclusive, and in many cases the right approach is to seek clarification first, then escalate to a formal challenge if the requesting body is unwilling to narrow or justify the request. The decision-making authority for challenging a government request should be clearly established in the company’s governance structure — this is not a decision that should be made by a junior compliance analyst without senior legal and business oversight.

Data Compilation and Confidentiality Marking

Once a decision is made to comply — either with the original request or a negotiated narrower version — the data must be identified, extracted, and prepared for transmission. During this process, the company should apply confidentiality markings to commercially sensitive elements and prepare a cover communication that documents what is being provided, under what statutory framework, with what limitations on use. This communication should also include an explicit invocation of the adverse use prohibition.

Cost Documentation

Throughout the process, all internal and external costs should be tracked and attributed to the specific Chapter V request. The company should identify the staff time, third-party vendor costs, and other expenses incurred in preparing the response so that a compensation claim can be submitted in accordance with the Act’s framework.

Relationship to GDPR Article 6(1)(e)

The relationship between Chapter V of the Data Act and the GDPR is a point of significant legal complexity. If the data being requested through a Chapter V mechanism includes personal data — which it often will, particularly in health, mobility, and energy contexts — then the GDPR applies alongside the Data Act, and compliance requires satisfying both frameworks.

Under GDPR Article 6(1)(e), the processing of personal data is lawful when it is ‘necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.’ This provision is typically the most relevant lawful basis when personal data is disclosed to or processed by a public sector body. However, Article 6(1)(e) applies to the processing by the public sector body receiving the data, not necessarily to the processing by the data holder in preparing and transmitting the response.

For the data holder, the more relevant GDPR question is what lawful basis applies to the disclosure of personal data to the public sector body. The Act does not itself create a GDPR lawful basis for this disclosure — it operates as a legal obligation that can activate Article 6(1)(c) of the GDPR (processing necessary for compliance with a legal obligation). If the Chapter V request is valid, the data holder’s compliance with it is a legal obligation under EU law, and that obligation can serve as the GDPR lawful basis for the disclosure.

However, this analysis is more complicated for special category data — health data, biometric data, data revealing racial or ethnic origin, and similar categories protected under GDPR Article 9. For special category data, Article 6(1)(c) alone is not sufficient. The data holder must also identify an applicable exception under Article 9(2). For disclosures to public sector bodies in connection with public health emergencies, Article 9(2)(i) — which covers processing for public health reasons — may be relevant. For scientific research purposes, Article 9(2)(j) may apply. The specific analysis will depend on the nature of the data and the stated purpose of the Chapter V request.

US companies should not assume that a valid Chapter V request automatically satisfies all GDPR requirements for any personal data included in the response. The two frameworks operate in parallel, and a response that satisfies Chapter V but fails to satisfy GDPR creates a legal exposure that neither framework excuses. Building GDPR analysis into the criteria review process for Chapter V requests — and escalating to specialized data protection counsel when the data includes special category information — is an essential part of a mature compliance program.

Practical Takeaways for US Companies

The procedural protections available under Chapter V are robust, but they only function if data holders are prepared to use them. A company that receives a Chapter V request, assumes it must comply without analysis, and ships data without documenting what it sent and why will have failed to take advantage of the framework the Act provides. Conversely, a company that has built an internal process, trained its legal and compliance teams on the criteria, and prepared its documentation templates in advance will be in a strong position to respond efficiently to valid requests, push back credibly on deficient ones, and recover its costs through the compensation mechanism. The procedural complexity of Chapter V is, in this sense, an opportunity as much as a burden.