Access to data under the draft Data Act. Trust is good ... but also good enough?

On June 28, 2023, the European Commission welcomed the political agreement the negotiators of the EU Council and the European Parliament had reached to finalize the draft of the EU Data Act. 

One of the most important aspects to be resolved was finding the appropriate balance between, on the one hand, the right of users to require data holders to make available product and service data, to be allowed to use this data and pass it on to third parties, and, on the other hand, the interest of data holders to protect their trade secrets that may be contained in such data. The scales have been tipped in favor of the users - or more precisely, in favor of those being interested in harvesting user data they aggregate via such users for their commercial purposes in order to foster innovation and competition. 

The process the Data Act is provided providing for starts with the obligation to design and manufacture connected products and related services in such a way that product data and related service data, including the relevant metadata necessary to interpret and use the data, are directly accessible to the user, Art. 3. If a direct access from the connected productor related service is not available, data holders shall make it available upon an electronic request of the user: Without undue delay, easily, securely and in a comprehensive, structured, commonly used and machine-readable format, free of charge and, where relevant and technically feasible, of the same quality as is available to the data holder, continuously and in real-time, see Art. 4 (1). So far, so good.

Art. 4 (3) now specifies the rules should such data contain trade secrets: The data holder may, prior to their disclosure, require that the user take all “necessary measures to preserve their confidentiality." Such measures include confidentiality obligations and “proportionate technical and measures to maintain the confidentiality of shared data, especially with respect to third parties. In addition to contractual provisions, the Data Act mentions strict access protocols, technical standards and the application of codes of conduct. If the parties cannot reach an agreement, if the user fails to implement the agreed measures or undermines the confidentiality of the trade secrets, the data holder can refuse or suspend the sharing of data identified as trade secrets. The holder must then immediately inform the user in writing of his decision, which must be duly justified, Art. 4 (3a). Should the user insist on his request, he may take legal action or file a complaint with the competent national authority. The details of the procedure for the latter relief have yet to be determined in the course of implementation. In principle, the data holder can only disclose trade secrets in exceptional cases in accordance with Art. 4 (3c). He must demonstrate that despite the technical and organisational measures taken by the user there is a high probability that the disclosure of trade secrets will cause him serious economic damage. This proof must be sufficiently substantiated and based on objective elements, in particular as regards the enforceability of trade secrets protection in third countries, the nature and degree of confidentiality of the requested data, and the uniqueness and novelty of the product, and be provided in writing and without undue delay.

In all other circumstances, the data holders are be required to let users access data generated by their products and services and to share it with third parties willing to accept the same standards.

The hope and efforts of the industry to reverse the rule-exception ratio as regards trade secrets have been shattered. Some thoughts on the current outcome:

The philosophical side of the unknowingness

The measures of the Data Act shall help to maintain the confidentiality of a trade secret, so a prevention of losing its value by disclosure. Avoiding disclosure is surely an essential aspect to explain and justify the overall concept at all. Nevertheless, it touches the property core and the essence of a being a secret: The duty to keep your mouth shut is a second level safeguard to protect the holder from a total loss of the secret’s value, which would otherwise become part of the public domain. But the main reason for such duty consists in the fact that its content not known to everyone. Only seven years ago, the EU legislator, in its Trade Secrets Directive 2016/943 of 8 June 2016 defined a secret per the three requirements in Art. 2 (1) for information (a) being “secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question”, and (b) having a commercial value because it is secret and (c) being subject to appropriate secrecy measures. 

The "unknowingness” and the value resulting from the distinctive factor of having or not having such knowledge - two of the three elements of a secret are getting abandoned here. They are patched by duties prohibiting a further disclosure. Nevertheless - what everybody knows but no one talks about is typically called an “open secret." But that’s not the same anymore.

The more practical conceptual consequences

No big deal, says the EU Legislator, because we will introduce legal restrictions on their use. Well ...

a) The prohibition to use the data for the development of a competing product.

There is the prohibition to use the data for developing a competing product as explicitly set out in Art. 4 (4) in relation to the user itself, and in Art. 6 (2) (e) for the third-party recipient. Nevertheless, the concept and the wording of Art. 4 (3) describing the duties the data holder may impose on the user is only aiming on “measures necessary to preserve the confidentiality of the shared data in relation to third parties”. It is, however, completely silent on anything aiming to control or ensure the compliance with the prohibition to develop a competing product. Including respective provisions in the disclosure terms the data holder is trying to impose should usually not trigger fundamental rejection and resistance, at least not to the extent they reflect statutory provisions as set out in Art. 4(4) and/or 6 (2). If so, there is a dissent, which will lead to a dispute and a corresponding decision. Will take a closer look on the dispute settlement below but let us first take a step back: 

b) The encouragement to use the data for developing a competing service

The EU Legislator is crystal clear as regards a use of the data holders’ trade secrets for developing a competing service: In recital 28b, a recital previously contained in paragraph 28 has been added, stating that 

The aim of this Regulation is to foster the development of new, innovative products or related services, stimulate innovation on aftermarkets, but also stimulate the development of entirely novel services making use of the data, including based on data from a variety of products or related services. At the same time, it aims to avoid undermining the investment incentives for the type of product from which the data are obtained, for instance, by the use of data to develop a competing product which is regarded as interchangeable or substitutable by users, in particular based on the product’s characteristics, its price and intended use. This Regulation provides for no prohibition to develop a related service using data obtained under this Regulation as this would have an undesirable discouraging effect on innovation. 

The rationale of this differentiation is not easy to understand once you leave the surface of the political ambition to foster “innovation”. Trade secrets collected during the use of a product and/or or a service are initially an ownership-like right of the holder. What exactly justifies to differentiate between an illegal use for developing a competing product and the legal and encouraged use for developing a competing service? Why is the service provider not worth to enjoy the same protection as the product manufacturer? Is the product manufacturer really protected in times when the demarcation line between a product and a service gets more and more blurred and many product functionalities can easily be replaced by a corresponding service? The Data Act provides no explanation, so let’s wait whether a corresponding challenge will be brought before the European Court of Justice, e.g. to test its compatibility with the EU Charter of Fundamental Rights.

c) Dispute settlement

If there is a dissent on the terms of the disclosures, the data holder will typically withhold the sharing of data and notify the national competent authority accordingly. The rejected user may now seek to challenge such decision before a court, lodge a complaint with the said national competent authority or agree with the data holder to involve a dispute settlement body, Art. 4 (3b). Let’s disregard to the latter approach requiring consent. The National competent authority shall “without undue delay, decide whether and under which conditions the data sharing shall start or resume”, Art. 4 (3b). The applicable procedure and process and its relation to even parallel court proceedings are not regulated in detail but are of utmost importance for all parties involved. In addition to the necessity of corresponding rules, their drafting and enactment in the Member States will take time. And from a comparative perspective, there will certainly be difference in the Member States attracting forum shopping and endangering the harmonization within the EU.  

Procedural issues tend to be boring (Hey - due process is essential!!), so let’s check the guidance on the substance: Art. 8(2) states that terms concerning the access to and use of data shall not be binding if “it fulfils the conditions of Article 13 or if , to the detriment of the user, it excludes the application of, derogates from or varies the effect of the user’s rights under Chapter II.” Is this a carte blanche to only appear to accept terms of access to trigger the disclosure of the data while never intending to adhere to them and, if caught, invoke their invalidity? 

And for those who prefer to be blunt and pick up the fight on the binding effect of questionable terms of access and use: there are two criteria the decider will have to apply. The first one is the unfairness test pursuant to Art. 13. There are many aspects aiming to provide guidance, i.e. that a term reflecting mandatory provision of Union law is not considered to be unfair while terms grossly deviating from the (not yet existing …) good commercial practice are said to be unfair.  We’re not spending further time now trying to fathom the boundaries of the vague legal concept of fairness as there is more concrete stuff in para 4 (b): a term is presumed unfair if its effect is to “allow the party unilaterally imposed the term to access and use data of the other contracting party in a manner that is significantly detrimental to the legitimate interests of the other contracting party, in particular when such data contains commercially sensitive data or are protected by trade secrets or by intellectual property rights” The last part came in late in the game. It creates a tension not easy to understand. The starting point is, inter alia, that the data to be accessed is protected by trade secrets. Hence, the data holder will want to protect such status, e.g. via confidentiality requirements. Those requirements are perfectly legal as we had learned. The Act provides for a legitimate interest of third parties to harness users for getting access to data containing trade secrets of the data holder for developing a competing service – that’s also understood. Yep, neglect the user as the majority will be unable to exploit such data for a reasonable purpose. There will be third-party data collectors gathering usage data on a large scale by offering attractive benefits (“we pay for your streaming service”) to the initial users in consideration of their support in requesting and providing the usage data. Those third-party data collectors will obviously commercialize the knowledge gained. Obviously, actual and potential competitors are keen to gain such knowledge. 

Assuming that the concept of an ownership-like right in trade secrets is not abandoned: What is that wording aiming for, i.e. what other legitimate interest of the user’s third-party friend can there be to utilize the trade secrets of the data holder for other purposes? And when is such an interest significantly harmed? Is *no* a real option, i.e. should the data holder refuse to accept a disclosure request governed by those terms, may court then order the holder to grant access arguing that the intended use of the trade secrets may be detrimental but not significantly detrimental to the legitimate interests of the data holder? Does Art. 13 para. 4(b) contain an implicit differentiation between inacceptable harm and burden the data holder will have to accept? That’s an open field for legal argumentation …

More practical details

Whenever you disclose trade secrets e.g. in a cooperation agreement, you do not only agree on maintaining confidentiality but you also on a regime of concrete usage being permitted while the rest is prohibited (and as of now: hoping to pass the unfairness test). If you later get suspicious about a presumed breach of those limits and consider litigation, you need to find an answer on how to prove that the recipient has actually used disclosed secrets for prohibited activities. Even if you can start with the suddenly appearing competing product, the other side will always argue that this is the result of a completely independent development. Burden of proof lies on the trade secrets holder - full stop. 

Yes, there are inspection orders, which may be granted as ex-parte order in interim proceedings. Insufficient harmonisation, inconsistent handling of procedural preconditions such as an urgency requirement, the denial of courts to submit relating aspects of interim proceedings to the ECJ (“we never do”), the necessity to specify the location of the objects to be inspected and the defences of the defending side to protect their trade secrets seized during the inspection from being disclosed to the claiming side – there are a lot of pitfalls for a potential case. So, the statutory remedies will not be sufficient.

Okay, and now? If the data holder becomes suspicious that the collector or one of its downstream customers did use the knowledge for the illegal purpose of product development, the data holder has no obvious legal means to detect a corresponding misappropriation. Inspection orders would have to aim at the development materials of a competitor being obviously per se also protected as trade secret so that the inspection order will be either denied or the relating information will not be disclosed to the claiming data holder. So, the data holder better relies on contractual means, such as agreed information, audit and/or inspection rights. We’re back to square one above.

So, in most cases, a competitive advantage that the data holder may have gained through its investments in the development of its products will be gone very soon: Competitors may collect, aggregate and analyse usage data; gain insights in possible weaknesses of the data holder’s products and knowledge for the modification of its own products.

Given the wide area of legal uncertainty, data holders might seek relief in re- re-designing their data collection policies, separate mere usage data from any other data. Even if so, they will not escape from legal discussions as the Data Act also provides for a right to get the “relevant meta data necessary to use the data”, i.e. product data and related service data. Meta data is defined as “structured description of the contents or the use of data facilitating the discovery and use of that data” – a wide approach with no clear limit. But that’s another chapter, stay tuned.