The Data Act and Trade Secrets – Part II: Refusing Access to Data Under the Data Act Based on Trade Secret Protection
11 January 2024
Authors: Liisa Vaaraniemi and Vilhelm Schröder
In our previous blog post The Data Act and Trade Secrets regarding the European Commission’s proposal of 23 February 2022 for harmonised rules on fair access to and use of data (the “Data Act”), we discussed the protection of trade secrets under the provisional agreement of 14 July 2023 between the European Parliament and the Council of the European Union for the Data Act (the “Provisional Agreement”). On 11 January 2024, the Data Act entered into force. In this blog post, we take a closer look at how trade secrets are protected in the adopted Data Act. We particularly review the grounds on which trade secret protection may be invoked to restrict the use of and refuse access to trade secrets under the Data Act. Special attention will be paid to specific issues of concern related to the restriction and refusal process under the Data Act.
Right to Restrict Use and Refuse Access
As the volume of data generated by machines and devices is increasing exponentially, the Data Act was enacted to remove barriers for consumers and businesses to access machine-generated data. To that purpose, the Data Act introduces a right for users of products and services to access data generated by the use of a product or related service. This data could, in certain cases, include trade secrets of the service provider or third parties.
To avoid a situation where companies would be forced to share data protected as trade secrets with users or third parties of a user’s choice and lose control of the trade secrets, the Data Act introduces certain mechanisms to protect data qualifying as trade secrets in connection with access requests and, ultimately, a veto right where the protection of trade secrets would be endangered.
The Data Act includes two sets of rules providing for a right to restrict use of and refuse access to data including trade secrets:
Article 4 – The right of users to access and use data: Article 4(6)-(9) applies to situations where a user requests access to product data and related service data including trade secrets from its service provider, i.e. the data holder. A prerequisite for the disclosure is that the data holder and the user take all necessary measures prior to the disclosure to preserve the confidentiality of the trade secrets. Such measures should be proportionate and necessary to preserve the confidentiality and could include, for example, contractual non-disclosure obligations, access protocols, and technical standards. For the purposes of the provision, it is for the data holder (or trade secret holder where such party is not the data holder) to identify the data that are protected as trade secrets.
Should the parties fail to agree on the necessary measures, or if the user fails to implement such measures or undermines the confidentiality of the trade secrets, the data holder has the right to withhold or suspend the sharing of trade secrets under Article 4(7). Such decision to withhold or suspend data sharing should be duly substantiated, provided to the user in writing without undue delay, and notified to the competent national authority.
Article 4(8) lays down special rules to be applied in exceptional circumstances. Should the data holder be able to demonstrate that it is highly likely to suffer serious economic damage from the disclosure of trade secrets despite the technical and organisational measures taken by the user, the data holder may refuse the request for access. Such refusal should be duly substantiated on the basis of objective elements, provided to the user in writing without undue delay, and notified to the competent national authority.
Article 5 – Right of the user to share data with third parties: Article 5(9)-(12) applies to situations where a user requests data including trade secrets to be shared with a third party, for example, a maintenance service provider. Unlike above, a user could request such disclosure only if the disclosure would be strictly necessary to fulfil the purpose agreed between the user and the third party. Furthermore, a prerequisite for the disclosure would be that the data holder and the third party agree on and the third party takes all proportionate technical and organisational measures necessary to preserve confidentiality of the trade secrets prior to the disclosure. Similarly as above, it would be for the data holder (or trade secret holder) to identify the data that are protected as trade secrets.
Furthermore, similarly to Article 4(7), should the parties fail to reach an agreement on the necessary measures or should the third party fail to implement such measures or undermine the confidentiality of the trade secrets, the data holder may withhold or suspend the sharing of trade secrets.
Finally, Article 5(11) lays down a right to refuse an access request in exceptional circumstances where the data holder would be highly likely to suffer serious economic damage from the disclosure of the trade secrets, despite the technical and organisational measures taken by the third party.
Accordingly, Articles 4 and 5 provide for very similar mechanisms, which will be discussed in further detail below.
Taking the Necessary Measures
The starting point of both Article 4 and Article 5 is that the fact that the requested data contains trade secrets is not an immediate ground for refusing an access request. Instead, the data including trade secrets should be disclosed, but the data holder has a right to require the users, and third parties of the user’s choice, to preserve the confidential nature of the trade secrets by necessary measures.
Thus, the user making the access request would generally be allowed to receive data including trade secrets, provided that they accept the terms regarding confidentiality and technical and organisational measures laid down by the data holder. However, the user is protected against any arbitrary demands of the service provider as, according to both Article 4(6) and Article 5(9), the required measures must be proportionate. Article 5(9) also poses an additional prerequisite for making an access request, namely that the disclosure of trade secrets is strictly necessary to fulfil the purpose agreed between the user and a third party. Should the user fail to show such necessity, the data holder could refuse the request alone on this ground.
While a user would have a right to receive trade secrets under Articles 4 and 5, it may, in fact, be in the interest of a user to limit their requests for trade secrets to situations where such access is genuinely necessary. Considering the significant value of trade secrets, the data holder would generally want to ensure that the conditions under which trade secrets are disclosed to the user are strict. Any data sets containing trade secrets received by the user may, therefore, come with restrictive conditions regarding the purposes for which the requested data may be used, burdensome obligations to implement technical and organisational measures, and a high risk of liability, in which case it may be better for the user to obtain the data sets without the trade secrets, where possible.
Defining a Trade Secret
Both Article 4(6) and Article 5(9) lay the responsibility to identify the trade secrets in the data that is subject to an access request on the data holder or the trade secret holder (where this is another party). This division of responsibility seems natural as the obligation lies with the party holding the data.
Based on Article 2(1) of the EU Trade Secrets Directive (2016/943), any data can be protected as a trade secret if the data is secret, has commercial value because it is secret, and reasonable steps have been taken to keep it secret. Determining whether particular data qualifies for trade secret protection requires assessing whether all of these requirements are met. While any data can qualify as a trade secret, not all data does. It may be that a quite small amount of a company’s data fulfils the conditions for trade secret protection, while a very large amount of a company’s data may be confidential information, which a company may not wish to disclose to its competitors and which is protected under the company’s non-disclosure agreements, but which is not protected by the law. Making this distinction is important.
While determining whether particular data sets contain trade secrets can be challenging for the data holder, it would be even more so for the user. Challenging whether the requested data actually contains trade secrets after having received the data holder’s claim that it does may thus be difficult. Appropriate trade secrets management can help overcome this challenge and facilitate data holders in responding to access requests, sharing confidential information under appropriate confidentiality undertakings, requiring adequate technical and organisational measures when disclosing trade secrets, and justifying refusal of access requests.
High Likelihood of Serious Economic Damage
The actual veto right under Articles 4(8) and 5(11), i.e. the right to refuse access to data including trade secrets, is restricted to situations where the data holder demonstrates that it is highly likely to suffer serious economic damage from the disclosure of trade secrets. Based on the wording, the threshold for refusing a request appears to be very high. Both Article 4(8) and Article 5(11) also require that such demonstration is duly substantiated, provided to the user in writing and without undue delay, and also notified to the competent national authority.
Recital 31 sets out that “serious economic damage” implies serious and irreparable economic loss. Based on the recital, the substantiation given to the user making the request should be based on objective elements, demonstrating the concrete risk expected from the data disclosure. The data holder would also need to explain why the technical and organisational measures would not be enough to protect the data. It should be noted that the Provisional Agreement listed certain factors, such as the enforceability of trade secrets in a third country where the user or third party chose to process the data, the nature and level of confidentiality of the data requested, and the uniqueness and novelty of the product, as factors that could be taken into account. However, it should be noted that this list has not been included in the final version of the Data Act.
Where the data holder refuses access or withholds or suspends data sharing, a user or a third party can challenge this decision by lodging a complaint with the competent national authority, who decides on the continuance of the data sharing or, together with the data holder, the referral of the dispute to a dispute settlement body (Article 4(9) and Article 5(12)). The Data Act states that such complaint should be handled by the authority without undue delay. While the aim appears to have been to provide for a rapid dispute resolution mechanism, only time will tell whether the authorities will have the necessary resources to handle these complaints quickly or whether the parties will have to try to resolve the issues amicably to avoid prolonged disputes.
The Data Act entered into force on 11 January 2024. Pursuant to Article 50, it will generally become applicable in all EU Member States on 12 September 2025. Some provisions will become applicable later.