The Data Act and Trade Secrets

Author: Vilhelm Schröder

Introduction

On 23 February 2022, the European Commission issued a proposal for harmonised rules on fair access to and use of data — the Data Act. The proposal is a key part of the EU’s data strategy, which aims to make the EU a leader in leveraging data to drive innovation and growth. The Data Act (along with the Data Governance Act) aim to create a single market for data, where data flows freely for the benefit of all.

The Data Act is designed to play its part in the above-mentioned vision by aiming to free data collected by private entities for fair use to enable economic growth. The proposal includes measures to allow users of connected devices to gain access to data generated by them, and to share such data with third parties to provide aftermarket or other data-driven innovative services. The proposal also includes measures to rebalance negotiation power for SMEs by preventing abuse of contractual imbalances in data sharing contracts.

Following initial disagreement on issues related to, among other things, trade secrets, the European Parliament and the Council of the European Union reached a provisional agreement for the Data Act (later on referenced to as the “Provisional Agreement”) on 14 July 2023. The Provisional Agreement contains enhanced protection for trade secrets in comparison to the original proposal by the Commission.

Trade secrets are regulated regionally in the EU primarily by the Trade Secrets Directive (2016/943), which, inter alia, harmonises the definition of trade secrets and prohibits unlawful acquisition, use, and disclosure of trade secrets.

Protection of Trade Secrets

Article 4(3) of the Provisional Agreement of the proposed Data Act regulates the disclosure of trade secrets to users. Article 5(8) contain similar provisions regarding the disclosure of trade secrets to third parties. Under Article 4(3), trade secrets must be preserved and only be disclosed provided that all specific necessary measures are taken by the data holder and the user to preserve the confidentiality of trade secrets in particular with respect to third parties. The data holder or the trade secret holder must identify the data that is protected as trade secrets and agree with the user on proportionate technical and organisational measures that are necessary to preserve the shared data. Examples of technical and organisational measures that can be used to preserve the confidentiality of shared data include model contractual terms, confidentiality agreements, strict access protocols, technical standards, and the application of codes of conduct.

If the necessary measures cannot be agreed on or if the user fails to implement the agreed measures or undermines the confidentiality of the trade secrets, the data holder may withhold or suspend the sharing of data that is identified as trade secrets (Article 4(3a)). The data holder may also refuse access to data, if it can demonstrate that it is highly likely to suffer serious economic damage from the disclosure of trade secrets (Article 4(3b)). In the recitals of the Provisional Agreement, “serious economic damage” is described as “serious and irreparable economic losses”. Under Article 4(3c), the user can challenge the data holder’s decision to refuse access to the data by lodging a complaint with a national competent authority. The national competent authority will then decide whether and under which conditions the sharing of data shall start or resume. Alternatively, the data holder and the user may agree to refer the matter to a dispute settlement body.

The Provisional Agreement added new safeguards against the misuse of trade secrets, such as the option to withhold or suspend the sharing of data. However, despite these measures, protecting trade secrets will still most likely become more difficult after the Data Act comes into force. As data holders are still effectively forced to disclose trade secrets under the Data Act (which they would not be otherwise), they will lose a layer of protection and be forced to rely on the users and third parties not to misuse this information. Furthermore, the threshold for refusing access to data is high (highly likely to suffer serious economic damage from disclosure). It is also noteworthy that as the national competent authorities will decide on the continuation of data sharing, their stances on acceptable grounds to withhold or suspend data sharing may have a considerable impact on the actual level of protection of trade secrets.

Pursuant to Article 4(4), the user must not use the obtained data to develop a product that competes with the product from which the data originate nor share the data with another third party with that intent and must not use such data to derive insights about the economic situation, assets, and production methods of the manufacturer or, where applicable, the data holder. A competing product is described in the recitals of the Provisional Agreement to be a product that is “interchangeable or substitutable by users, in particular based on the product’s characteristics, its price and intended use”. A competing product would also need to be in competition with the product from which the data originates on the same product market. Article 6(2)(e) contains a similar provision regarding third parties.

Article 8(6) states that unless otherwise provided by the Union law, including Articles 4(3) and 5(8) of the Data Act, or by national legislation adopted in accordance with the Union law, an obligation to make data available to a data recipient shall not oblige the disclosure of trade secrets within the meaning of the Trade Secrets Directive. It remains to be seen how much protection this provision actually grants for trade secrets. Including Articles 4(3) and 5(8) in the exemptions to the rule would seem to indicate that disclosing trade secrets as part of making data available takes precedence over the provisions of the Trade Secrets Directive. By laying down that that trade secrets must be disclosed when data sharing is performed under Articles 4(3) and 5(8), the users and third parties obtaining the trade secrets have not done so in an unauthorised manner. Subsequently, the Trade Secrets Directive will seemingly only be applicable when the user or third party is in breach of their duty not to use or disclose the trade secrets and when operating outside the scope of Articles 4(3) and 5(8).

Pursuant to Article 11(2), where a third party or a data recipient has unlawfully obtained or used data or unlawfully disclosed data to another party, the third party or a data recipient must comply without undue delay with the requests of the data holder to erase the data and any copies thereof, end the production, marketing, or use of any goods derived from the data, and compensate the suffering party for the misuse of the data.

Only the future will tell how the interest of all the different stakeholders involved will be safeguarded in practice. While data sharing can be regarded as an important element in driving progress and innovation in the EU, it is equally important to remember that sufficient protection of trade secrets is also required for exactly the same purposes.