Going "old school" to protect new assets

With AI and the IoE expanding, reliance on big data and increasingly sophisticated ways of combining and analysing such data moves to the heart of business processes and strategies.  Some most recent developments in the EU, however, emphasize the importance of not to forget about old-school trade secrets when it comes to defending these modern assets of your business.

What is the EU Data Act?

A few days ago, the EU Parliament adopted the EU Data Act, which is an EU Regulation “on fair access to and use of data”. The EU Data Act is quite legalese insofar as you cannot sensibly read it without simultaneously looking at all the definitions for the various technical terms it uses.

Among other things, this EU Data Act imposes certain obligations on “data holders” to share certain data with professional or private users and third parties acting on behalf of such a user.¹ Slightly simplified, a “data holder” is any person or company who uses data of whatever kind that such person or company retrieved or generated via its products or services, in particular via “connected products” or related services. A “connected product” is any item “that obtains, generates or collects data concerning its use or environment and that is able to communicate product data via an electronic communications service, physical connection or on-device access”. This encompasses the vast majority of new products and services ranging from wearables and apps via smartphones or smart home and smart factory appliances to cars, logistics control or entertainment devices. The data that is subject to these obligations expressly includes “[relevant] metadata”, which according to the EU Data Act means “a structured description of the contents or the use of data facilitating the discovery or use of that data”.

Despite a long list of definitions of the technical terms used, the EU Data Act does not precisely determine the scope of such data and metadata. Does this mean that you are at risk of having to disclose your data lakes and the sophisticated analyses and tools you just have developed for capitalising on your data? All your investments into big data and AI will become public domain?

Not exactly: The EU Data Act does not require a general publication of data and relevant metadata. Instead, the disclosure obligation covers data and metadata in relation to a certain user of a connected product, meaning the disclosure will always be within the scope of a bilateral relationship (though a third party acting on behalf of the user might turn this into a trilateral situation). The rationale behind this is to foster competition in the data economy by preventing data from being siloed – for example:

• Users can switch vendors more easily.
• Competition in the aftermarket increases because certain data, e.g., of the use and condition of a machine no longer is the secret property of the OEM only.
• Everyone can benefit from the data that they generate, e.g., where a company gets access to data from connected devices they use in their manufacturing process and can use such data for improving such process.

How can companies with “connected products” protect their data and metadata?

Even if we all welcome competition, the idea is not very comforting that a competitor whom a customer of yours wants to switch to, might get access to data and metadata that you have with regard to that customer, thus possibly allowing the competitor to draw some conclusions about the way you are handling and analysing data. If you want to minimize your exposure in this regard, do your homework as it regards to trade secrets protection. In principle, any information (data) can qualify as a trade secret if the three basic requirements set out by the EU Trade Secrets Directive are met:

• Your data must actually be secret, i.e. it must not be generally known or readily accessible. 
• You must derive a commercial value from it and from the fact that it is secret.
• And you must have put in place appropriate measures to maintain the secrecy of your data.

Nowadays, every business should have a robust trade secrets system in place that identifies and classifies its trade secrets by business relevance, and that describes the measures for keeping them secret. Of course, there would be a lot to say about the difficulty in determining what qualifies as an “appropriate” secrecy measure. And none of these exercises are of real value unless the business respects and implements them in everyday life. If you get this reasonably right, however, you will be able to qualify certain data and metadata, including certain ways of how you combine and analyse data, as a trade secret which may allow you to prevent, under certain circumstances, that information from the disclosure obligations that the EU Data Act will bring about.

Under the quite new EU regime on trade secrets, their prerequisites, scope of protection and enforcement are still evolving.² The practical relevance of trade secrets protection for data and data analysis is not totally new, as a court decision³ from Italy in 2018 illustrates: Even before the new EU trade secrets regime came into force, the court of Milan held that even if certain data in itself might not qualify as a trade secret, the configuration and combination of the data elements and the way these can be analysed by artificial intelligence tools might do so.

These aspects will likely become even more relevant in light of the upcoming Financial Data Access Regulation (FiDA) and draft EU AI Act. FiDA will require financial services providers to share financial data with a third party which, again, might include a competitor, at a user’s request. Under the current draft of the EU AI Act, providers of foundation models might become subject to additional transparency obligations as it regards to their training data (while these aspects are still subject to political discussion). Neither of the two are in final form yet, but trade secrets protection might be a good defence argument against disclosure obligations in all EU regulations. The interplay between trade secrets protection for big data and regulatory disclosure requirements will become a slithery field in the near future, and solid identification and protection, including related documentation, of what part of your data and data analysis tools qualifies as valuable trade secrets will be key for limiting these disclosures as much as possible.

¹Art. 4(1) and 5(1) of the Draft Data Act, see previous footnote. Definitions of “user”, “data holder” and “connected device” are in Art. 2(5), 2(12) and 2(13).

²Cf. The EUIPO’s report on trade secrets litigation in the EU published in June 2023.

³Tribunale di Milano, decision of 14 May 2018 (Leonardo Assicurazioni s.r.l. v Pro Insurance s.r.l. et al.) as reported in the EUIPO’s report on trade secrets litigation, see footnote 2.