Recently, the legislative bodies of the EU reached a provisional agreement on a new ‘Regulation on harmonised rules on fair access to and use of data’, the Data Act. On 9 November 2024, the final version of the Data Act was formally approved by the European Parliament and will now be sent to the Council of the EU to become law after its approval.
The Data Act aims at ensuring fairness in the allocation of value from data among actors in the digital environment. It also seeks to stimulate a competitive data market, open up opportunities for data-driven innovation, and make data more accessible to all.
The data in question – data generated by connected devices and related services – might also contain or represent valuable proprietary and confidential information, i.e., trade secrets. Not surprisingly, one of the key and most contentious issues during the Data Act’s legislative process was how to reconcile the data holders’ interest in protecting trade secrets with the Data Act’s express goal to promote broader data sharing and access.
Under the Trade Secrets Directive, trade secret protection requires its holder to maintain the information’s secrecy and take reasonable steps under the circumstances to keep it secret. According to European Council, the Data Act "ensures an adequate level of protection of trade secrets and intellectual property rights, accompanied by relevant safeguards against possible abusive behaviour of data holders".
Notably, the text of the draft regulation was subject to several amendments in this regard, inviting the question as to whether the Council’s claim is true. In this blog post, we take a closer look as to what the new rules mean and where pitfalls may lie. As similar issues arise under other recent EU laws, we also take a broader look at trade secret protection in other EU legislative acts, in particular in the EU’s Digital Agenda.
Access to Trade Secrets under the Data Act
According to Articles 4 and 5 of the Data Act, users of certain products and related services have a claim against the data holder for access to the data generated by the use of such products or services. They can also demand the transfer of this data to a third party selected by them. To the extent the data contains trade secrets, Article 4 (para. 6 et seq.) and Article 5 (para. 9 et seq.) provide for some specific requirements:
- Trade secrets shall be preserved and only be disclosed if the data holder and the user take all necessary measures before the disclosure to preserve their confidentiality. This requires data holders to identify trade secrets and agreeing with the user on proportionate technical and organisational measures necessary to preserve the confidentiality of the shared data. In this regard, the Data Act refers to model contractual terms, confidentiality agreements, strict access protocols, technical standards and the application of codes of conduct.
- The data holder may decide to withhold or, as the case may be, suspend the sharing of data identified as trade secrets if (i) there is no agreement on the necessary measures in place, (ii) the user fails to implement the agreed measures, (iii) or the user undermines the confidentiality of the trade secrets.
- Only in "exceptional circumstances", when the data holder can demonstrate that – despite the technical and organisational measures taken by the user – it is "highly likely to suffer serious economic damage from the disclosure of trade secrets", the data holder may refuse the request for access to the specific data in question on a case-by-case basis.
- In both cases (i.e., decision to withhold or suspend data sharing and refusal of the request) the data holder must provide its ‘duly substantiated’ decision to the user in writing without undue delay. The data holder also has to notify the national competent authority (to be designated in accordance with Article 37 of the Data Act), and users can lodge a complaint with the authority against the data holder’s decision.
Trade Secret Safeguards are the exception, not the rule
The new rules set out in the Data Act seek to strike a balance between the aim of making data accessible and, on the other hand, the need to safeguard the protection of trade secrets. And indeed, the provisions are more trade secret friendly than in earlier drafts of the Data Act.
Nonetheless, invoking trade secret safeguards as a defence against overly broad data access requests appear only to be an exception to the rule of having to provide such data under the Data Act: Data holders are required to actively invoke trade secrets protection, and a promising defence can be based only on the absence of ‘proportionate’ protective measures or ‘exceptional circumstances’ suggesting the threat of ‘serious economic damage’.
How well this mechanism will work (and how high the evidentiary bar for data holders will be) in practice remains yet to be seen. In strategising their compliance with the Data Act, companies should consider the following key issues:
- The new rules differentiate between (regular) trade secrets and particularly sensitive trade secrets the disclosure of which may lead to ‘serious economic damage’. Whereas the strongest form of protection (non-disclosure) will only be available for the latter, data holders have to define and agree on ‘proportionate’ protective measures for the first – which could lead to less protective standards for trade secrets which are no key assets.
- With regard to the additional obligations for substantiation and notification of the competent national authority, data holders should also be conscious to ensure protection of their trade secrets during this process and in possible complaint proceedings. This requires clear guardrails and knowledge on which procedural tools are available to safeguard secrecy.
- Applying the new mechanism therefore requires (i) an understanding of which information is to be considered a trade secret and (ii) a classification of particularly sensitive information that should not leave the company's internal sphere of secrecy.
Drawing parallels? Trade Secret protection in the context of other EU legislation
In its 2016 Trade Secrets Directive, the importance of trade secrets as the "currency of the knowledge economy" was emphasised. Since then, some flagship legislative acts in the EU, in particular as parts of the EU’s Digital Agenda, provide for access rights regarding certain sensitive information and data – seemingly colliding with the aim of gold-standard trade secret protection and not always suggesting a consistent approach to the issue. Some recent examples:
- For providers of ‘high-risk AI systems’, the Proposal for the AI Act contains increased transparency obligations vis-à-vis (i) users to enable them to interpret the system’s output and use it appropriately (cf. Art. 13), and (ii) supervisory and enforcement authorities to assess the compliance of the AI system with the requirements of the AI Act (cf. Art. 11 and 23). As regards ensuring confidentiality in this context, Art. 70(1) of the current proposal merely states that national competent authorities and notified bodies involved in the application of the AI Act "shall respect the confidentiality of information and data obtained in carrying out their tasks and activities in such a manner as to protect, in particular […] trade secrets". However, the proposal does not contain any further practical guidance on that issue – leaving it open how trade secret protection and transparency obligations can be reconciled.
- According to Article 3 of the Proposal of an AI Liability Directive, member states shall ensure that national courts have the authority to order the disclosure of evidence by a provider of a ‘high-risk AI system’. Where a defendant fails to comply with such order, a national court shall presume that the defendant’s does not comply with the duty of care that the evidence requested was intended to prove. For providers of such systems, this could lead to a choice between disclosing the inner workings of their AI, which will regularly constitute a trade secret, or losing the litigation due to the reversal of the burden of proof if they don’t disclose the information. With regard to trade secret protection, Article 4(3) of the current proposal merely mentions that it has to be taken into account when determining whether an order for the disclosure of evidence is proportionate, and procedural protective measures as mentioned in Article 9 of the Trade Secrets Directive may have to be taken in order to preserve confidentiality in the course of legal proceedings. This is a rather rough guideline and it would have to been seen how the member states apply it, creating an uncertainty for trade secret holders.
- The Digital Services Act (DSA) also provides for various transparency, reporting and information obligations applicable to online intermediation services of various types. These provisions are (at least potentially) in a natural tension with the protection of trade secrets of the companies concerned. Most notably, very large online platforms (VLOPs) within the meaning of the DSA will have to grant the European Commission, the national regulatory authorities (Digital Services Coordinators) and vetted researchers access to certain data necessary to assess and monitor compliance with the DSA and to understand certain systemic risks (Article 40 DSA). Article 40(5) lit. b DSA recognises the vulnerability of trade secrets as an exceptional ground to request the amendment of such data access (but not to fully decline such request). It will have to be seen how this mechanism will work in practice once the Digital Service Coordinators are established in 2024.
- Similarly, under the DMA, and to ensure compliance with its requirements, additional reporting and information obligations apply to ‘gatekeepers’, i.e. undertakings providing core platform services as designated under Art. 3 of the DMA. Whereas the DMA mentions in several sections that “the legitimate interest of gatekeepers in the protection of their business secrets and other confidential information” shall be taken into account (e.g., in recital 68) and that “the gatekeeper shall be entitled to take account of the need to respect its business secrets” (Art. 15(3) DMA), it does not contain further guidance on how to strike that balance in practice.
- On 16 March 2022, the Administrative Court of Vienna lodged a request for a preliminary ruling (Case C-203/22) including several questions concerning the interplay between information claims under Article 15 of the General Data Protection Regulation (GDPR) and the protection of sensitive information under the Trade Secrets Directive. In particular, the court asks how the tension between the right of access guaranteed by Article 15(1)(h) of the GDPR and the right to non-disclosure of a trade secret can be resolved. It remains to be seen where the CJEU will draw the line between the two conflicting interests of data access and confidentiality.
New data access rights and disclosure obligations in digital regulation result in a natural tension with legitimate interests of trade secret holders. The final text of the Data Act sets out a novel approach and tries to strike a delicate balance between the conflicting interests. Whether this balance can be achieved in practice, and whether this approach can be a model for other legislation such as AI or platform regulation, remains to be seen. The practice of regulatory authorities, courts, and ultimately the CJEU will be key in ensuring a consistent approach on how to strike that balance.