About controlling genies

On March 17, 2023, the Council of the European Union published an amended version of the draft Data Act. Among other things, this includes changes as a result of the ongoing discussions about the relationship between the freedom of use of non-personal data and the protection of trade secrets, a topic that was treated rather neglected in the first draft from last year.

In the draft of February 22, 2022, the Commission had created rights for users to have access to the data generated during the use of products or associated services, to use them and also to be allowed to pass them on to third parties, Art. 4 and 5 Data Act-E. At the same time, the draft provides that trade secrets will only be disclosed if all specific measures are taken that are necessary to maintain the confidentiality of the trade secrets, in particular vis-à-vis third parties, Art. 4(3) Data Act-E. In view of the right to disclosure, the data holder has no possibility to prohibit its disclosure in order to safeguard the secret. He can only agree on measures to maintain confidentiality, whereby he should at least directly agree with the third party and is not dependent on a contractual chain in this respect, Art. 5 (8) Data Act-E. To protect the interests of the data holder, both provisions also contain prohibitions on using the data to develop a product that competes with the product from which the data originated: With respect to the user, this is regulated in Art. 4(4), and with respect to the third party, in Art. 6(2e) Data Act-E. However, these barriers only extend to the development of a competing product, but not to the development of a "related service". The latter is not just a peripheral appendage, but very close to the product: according to the definition in Art. 2(3) Data Act-E, it is a digital service, including software, which is incorporated in or interconnected with a product in such a way that its absence would prevent the product from performing one of its functions. However, this freedom to develop and offer an "aftermarket" service that competes with a service of the data holder is not only implicit in the limitation of the prohibition to products, but is explicitly highlighted in recital 28. Immediately following, there is then first the terse sentence that trade secrets will be preserved when processing the data, before a tension is built up with the prohibition of using the data for the development of a competing product: still in this recital, the objective of the regulation is described, among other things, as promoting the development of new, innovative products, "including on the basis of data from a variety of products and related services." At the same time, investment incentives for the type of product from which the data is obtained should not be undermined by the use of data to develop competing products. There are certainly cases in product development where a "competing product" can be easily and clearly distinguished from a "new, innovative product." But in the majority of conceivable constellations, difficult questions will certainly arise here, for the resolution of which clearer and less contradictory specifications would be desirable.

And regarding the established "protection of trade secrets when processing data": well... according to the definition in Art. 2 (1) of the Trade Secrets Directive, the secret character is characterized by the fact that the relevant information is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question. The EU Legislator has so far failed to provide even a halfway plausible answer to the question of how a secret character can be maintained in the long term if the Data Act ensures that the underlying information is not known only to a limited circle of people. The access and disclosure rights make it possible to share the information with anyone, as long as they promise to keep it confidential. However, then the information is no longer secret in the sense of "unknown to the general public": the genie may not be openly out of the bottle, but since it can be in any bottle, the practical difference is not so great. In a contribution worth reading in RDI 2023, 173, Sabine Grapentin has shown that the regulatory approach contains many other inconsistencies and imponderables.

The EU Council has now presented a revised proposal on March 17, 2023 as a basis for discussions with the Parliament, incorporating further considerations on balancing the apparently conflicting interests between the regulatory approach of promoting fair data sharing and maintaining trade secret protection. Among other things, the Council proposes further amendments to Recital 28a, which provides a variety of details to flesh out the confidentiality requirements. This relates in particular to risks associated with the cross-border transfer of data and adequate protection in the country in question. In addition, there is a possibility to refuse disclosure of trade secrets in exceptional cases if the data holder can demonstrate that disclosure is highly likely to cause serious damage. The latter includes significant economic losses that endanger the viability of the company or pose an insolvency risk, which the data holder must, however, substantiate, and provide in writing and without delay.

Even though the number of words has increased significantly, their practical weight remains limited: the data holder is still largely relegated to requiring, specifying, and tightening confidentiality measures. Under the proposed rule, however, corresponding requirements may not include compliance with and monitoring of the prohibition against creating a competing product. The draft clarifies through the provision in Art. 4 (1a) Data Act-E that an additional contractual requirement would not have a binding effect. If this remains the case in the final version of the Data Act, this would be a deliberate, obvious loophole in the protection of trade secrets.

If the third party violates the agreed confidentiality or the legal prohibition of use, the data holder must sue him for injunctive relief and damages. One can only wish the data holders good luck in this regard. The requirements regarding the burden of substantiation and proof are still fully incumbent on the holder and concern precisely internal information of the data recipient which the data holder is not aware of and has no access to. Moreover, in the case of cross-border transfers to non-EU countries, there will be no international jurisdiction of German courts according to higher court rulings in Germany. In such constellations, affected companies are therefore likely to develop a keen interest in Ethan Hunt's current contact data.

It is to be feared that the EU legislator will nevertheless launch his project despite the recognized and now also lively discussed inadequacies, even without a more precise plausible solution to the dilemma. The rest should then please be clarified by the courts. However, the courts will obviously be overwhelmed by this, and at best there will be years of uncertainty due to missing and contradictory decisions by national courts and a considerable delay in harmonization due to decisions by the ECJ - as the example of trade secret protection unfortunately proves.

Companies that have corresponding concerns should above all also concern themselves with developing and implementing, on a purely practical level, concepts for the collection and storage of data that encompass only the data relating to specific use in the narrower sense and record these separately. Other data that allow conclusions to be drawn about properties of the product during whose use they are collected should be collected and stored separately. "Mixed" data sets should be avoided wherever possible. Corresponding discussions in practice have presumably led to the fact that the March 17, 2023 proposal also contains specifications on the release of metadata that are necessary to interpret and use the data. Even if the demarcation is presumably not always easy here, separate recording gives scope for argumentation to plausibly justify a restriction of the release to the data of use in the narrower sense.

Stay tuned.