1 Introduction

The ever-increasing availability of digital technologies, from smart cars to various applications under the umbrella of the internet of things (IoT), and artificial intelligence (AI), is shaping today’s society. Automated systems collect vast amounts of non-personal information, which could be utilized across various business sectors. These data-driven models are affecting even such traditional industries as agriculture, with this sector moving towards the utilization of various smart-farming solutions.Footnote 1 The EU has recognized the potential of economic growth related to the data-driven economy. In this scenario, data is held in as high esteem as oil or a new currency. Yet, to benefit from the potential of the data-driven economy, there is a need to provide access to data, whether it is held by public or private entities. It is important that the pool of information be available and open if additional value is to be obtained from it. The EU has also supported the establishment of data ecosystems. This type of collaboration for information and data exchange is seen as important for the EU’s competitiveness and economic growth.Footnote 2 In line with such broader aims, the objective of the EU’s Data Act is to provide new possibilities for accessing and reusing information.Footnote 3

New technologies and possibilities for accessing information provide new opportunities for companies too. Information that has been collected for one specific purpose can also be used for other purposes, including innovation.Footnote 4 Some information accessed may be subject to trade secret protection or intellectual property protection.Footnote 5 The protection may limit the availability of information and possibilities of reuse, thus restricting access to and reuse of information.

Legal scholars have analyzed to what extent trade secret protection covers information and data.Footnote 6 Some have argued that the scope of protection is flexible enough to cover almost any type of information and data.Footnote 7 However, not all information generated by machine or collected qualifies for protection. For example, raw data does not normally meet the requirements.Footnote 8 This article will elaborate on the requirements for trade secret protection in the light of the Data Act. Importantly, under the Trade Secrets Directive (TSD),Footnote 9 three cumulative criteria for protection must be met in order for information to be protected. One of the requirements under Art. 2 TSD is that information must not be generally known. Another important requirement is that reasonable steps must be taken to keep information secret. This requirement essentially restricts access to information.Footnote 10 These combined requirements mean that information that is protected as a trade secret cannot be shared without the risk of losing its status as such. Consequently, adequate access restrictions are essential for safeguarding competitive advantages based on trade secret protection.

Notwithstanding access restrictions, many of the provisions under the TSD aim to enable openness and access to information. The provisions of the TSD leave considerable room for competition. These pro-competitive aspects and the flexibility of protection arguably make trade secret protection particularly suited to the data-driven economy. In particular, it has been argued that the fact that trade secret protection is not an exclusive right makes it a good fit for the data economy and freedom of information.Footnote 11 However, the fleeting nature of trade secret protection makes it an uncertain means of protecting competitive advantage.Footnote 12

This article focuses on the specific characteristics of trade secret protection and analyzes their impact on data-sharing practices and information flows. It will analyze in particular the challenges related to trade secret protection in the context of information and data networks. The provisions of the EU’s Data Act will be brought into the discussion from this perspective in order to elaborate on the enforcement challenges and potential consequences of uncertainties surrounding this form of protection. The objective of the EU’s Data Act is to mandate access to and reuse of information. At the same time, it aims to ensure the protection of trade secrets and prevent their further circulation. It is apparent that the uncertainties surrounding trade secret protection have consequences for how willing trade secret holders are to provide access. During the EU’s legislative procedure for preparing the Data Act, demands for stronger protection for trade secrets were spelled out. Consequently, the final Data Act gives trade secret holders the option of denying access to its information in exceptional circumstances. Such denial of access may lead to information lockdown, which is not in line with either the need for access to information related to the data economy or the objective of mandatory access rules under the Data Act. The paper analyzes the conflict between the protection of trade secrets and the rules on access to information under the Data Act.

After this introduction, Section 2 defines data in the light of the Data Act and its relationship with information that is eligible for trade secret protection. Section 3 will firstly, in Section 3.1, look at the specifics of trade secret protection and essentially the requirement under the current regime that access to information must be restricted. Without access restrictions trade secrets do not even exist. This section will also discuss the constructive knowledge requirement for trade secret infringement and how this creates challenges in enforcing trade secret protection against third parties. Secondly, Section 3.2 will elaborate on the TSD’s provisions that enable free competition and make it possible for many entities to lawfully access and utilize the same or similar information. These pro-competitive elements of trade secret protection also add to the uncertainties surrounding protection, as any competitive advantage based on secrecy of information may be quickly lost in today’s technological landscapes, where the utilization of various analysis techniques have become commonplace. The subsections analyze how these characteristics of trade secret protection impact on the uncertainties surrounding protection, on information-sharing practices and, especially, on the reluctance of trade secret holders to share information. Next, Section 4 elaborates on mandatory data-sharing rules under the Data Act, which will create a type of compulsory licensing system. The focus is on business-to-consumer and business-to-business sharing obligations to the exclusion of business-to-government rules. This section illuminates how the challenges of trade secret enforcement discussed in previous sections are reflected in the provisions of the Data Act. It will analyze how the Data Act provides very explicit safeguards for trade secrets before data is shared. By these provisions, the Data Act complements the rules under the TSD and aims to ensure that trade secret rights are enforceable, especially vis-à-vis third parties. Lastly, Section 5 concludes by analyzing the tension between trade secret protection and the Data Act’s objectives of access to information, as well as the potential consequences of this conflict.

2 Defining Data Under the Data Act and Its Relationship to Trade Secrets

When data is being defined, it is often referred to as the raw, pure material for the further development of information, which can then mature to knowledge and even wisdom. In this definition, information refers to understanding, which requires that some human endeavor be involved in data processing.Footnote 13 Other definitions of data and information make a distinction between syntactic data and the semantic level of information. The difference between the two is that the semantic level refers to information that already has a meaning, while syntactic data is just encoded information, for example digital text or video in the form of just bits and bytes, before its meaning has been processed or analyzed.Footnote 14

The Data Act’s general definition of data does not distinguish between the syntactic and the semantic level, but is quite broad and covers both. This approach is understandable, as the Data Act regulates IoT data.Footnote 15 Article 2(1) of the Data Act applies the same general definition of data as that already adopted in the Data Governance ActFootnote 16 and Digital Markets Act.Footnote 17 All these recent instruments provide the following definition of data: “any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audiovisual recording”.Footnote 18 This definition is a broad one. The main limitation is that it applies only to data in digital form.

The Data Act further defines, for example, product data and related service data, which both fall within its scope.Footnote 19 The scope of various data-sharing obligations under the Data Act is explained in more detail in other provisions and definitions. Importantly, the scope of data-sharing obligations under the Data Act treats raw data differently from processed data.

In particular, the recitals of the Data Act clarify the scope of the Act and the sharing obligations. Recital 15 provides:

[…] Data which are not substantially modified, meaning data in raw form, also known as source or primary data which refer to data points that are automatically generated without any further form of processing, as well as data which have been pre-processed for the purpose of making them understandable and useable prior to subsequent processing and analysis fall within the scope of this Regulation.

These definitions seem to refer to the syntactic level of data when it has not yet developed into meaningful information. Yet the pre-processing activities referred to in the Recital enable the data to be understandable to some extent, even though it has not yet been subject to more in-depth analysis.

Recital 15 further provides that:

[…] By contrast, information inferred or derived from such data, which is the outcome of additional investments into assigning values or insights from the data, in particular by means of proprietary, complex algorithms, including those that are a part of proprietary software, should not be considered to fall within the scope of this Regulation and consequently should not be subject to the obligation of a data holder to make it available to a user or a data recipient, unless otherwise agreed between the user and the data holder.

These definitions refer to data that has been subject to various forms of analysis and has clearly become information. For example, the reference to insights from data relates to the degree of understanding. The definitions in Recital 15 seem to differentiate between raw data and information. Consequently, under the Data Act, the scope of data-sharing obligations appears to apply only to raw data, not information.

Scholars have suggested that trade secret protection refers to the semantic level of information and therefore does not protect raw data as such at the syntactic level.Footnote 20 Consequently, the definitions under the recitals of the Data Act seem to exclude information potentially protected as a trade secret from the scope of the sharing obligations. It has been recognized that later provisions of the Data Act regarding the protection of trade secrets seem to be at odds with this interpretation. If sharing obligations, when focusing on raw data, do not cover trade secrets, then what is the purpose of the precautions, for example under Arts. 4(6) and 5(9), in respect of information protected as a trade secret?Footnote 21

However, access to certain data may cause concern for trade secret holders, even though the data itself might not yet be understood as having trade secret protection. This applies in particular to the fact, also indirectly referred to in the recitals of the Data Act, that the use of various analysis techniques turns data into information. Also, Drexl has pointed out that meaning can be drawn from syntactic-level data.Footnote 22 This suggests that it might not always be easy to draw a line between information with trade secret protection and unprotected raw data. However, further requirements need to be met before information can be treated as a trade secret.

The starting point of trade secret protection is inherently flexible because there is no limitation of the subject matter. According to Recital 2 of the TSD, confidentiality is used in relation to “a diverse range of information that extends beyond technological knowledge to […] information on customers and suppliers, business plans, and market research and strategies”. Consequently, trade secret protection covers both technological and business information, as restated in Recital 14 of the TSD. The fact that trade secret protection is not a registered right also contributes to its flexibility. There is no ex ante confirmation of the existence of a trade secret. This causes uncertainty about the scope of protection and may also lead to the overclaiming of trade secrets.Footnote 23 Even though the starting point is flexible, Art. 2 TSD has three cumulative requirements for trade secrets. These requirements are important for limiting the scope of protection.

Firstly, information must be secret in the sense that it is not generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question. Secondly, it must have commercial value precisely because it is secret. Thirdly, the person lawfully in control of the information must have taken reasonable steps, under the circumstances, to keep it secret. All these requirements must be met if a trade secret right is to be enforceable.

The TSD’s definition of commercial value seems to be quite broad, as it covers both actual and potential commercial value. Recital 14 of the TSD explains that

know-how or information should be considered to have a commercial value, for example, where its unlawful acquisition, use or disclosure is likely to harm the interests of the person lawfully controlling it, in that it undermines that person’s scientific and technical potential, business or financial interests, strategic positions or ability to compete.

As the definition is broad, the commercial value requirement is often assumed to be easily met.Footnote 24 This is one case in which trade secret protection may be overclaimed to cover information that is merely commercially valuable. However, what is often overlooked is that the commercial value requirement under Art. 2 TSD is connected to the secrecy requirement.Footnote 25 Because of this connection, for example, datasets that contain information from generally available sources do not meet the requirement of having commercial value because of being secret, and therefore cannot receive trade secret protection.Footnote 26 Commercial value alone is not sufficient.

One of the requirements of Art. 2(1)(a) TSD is that the information “is secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question”. This requirement has an impact on how willing trade secret holders are to share information. If information is shared with too many persons in the relevant industry circles, the information may lose its status as a trade secret. Moreover, each disclosure increases a risk of information leakage and consequent loss of protection.Footnote 27 Therefore, in many cases, trade secret holders may prefer to lock down information rather than share it.

In addition, a closely connected requirement is that the information has been “subject to reasonable steps under the circumstances, by the person lawfully in control of the information, to keep it secret”. These “reasonable steps” require activity on the part of the trade secret holder.Footnote 28 Access to information must be limited. This requirement has also been understood in the sense that the putative trade secret holder needs to identify information protected as a trade secret. This is because efforts to keep information secret can be targeted only if they are adequately identified.Footnote 29 Both identification measures and reasonable protection measures are needed in order for there to be an enforceable right.Footnote 30 The identification of trade secrets is also required by Arts. 4(6) and 5(9) of the Data Act, which also refer to measures to preserve confidentiality. These provisions clearly seek to protect trade secrets as enforceable rights. How the Data Act aims to do this at the same time as mandating access will be discussed in more depth in Section 4.

The definitions and requirements under the TSD have an impact on how willing and able trade secret holders are to share their information with others. If information is shared without sufficient precautions, the information will lose its trade secret nature. Trade secret protection assumes that information is not disseminated. Even though trade secret protection does not require absolute secrecy, information must be kept at least relatively secret. What is key to trade secret protection is trade secret holders’ ability to control the exchange of information. Their advantage over competitors is based on limited access to information.

3 Specific Characteristics of the Trade Secret Regime and Its Impact on Access to Data

3.1 How Trade Secret Protection Limits Access to Information

How trade secrets and the need for trade secret holders to control the information exchange are defined is closely connected with the special characteristic of trade secret protection as not being an exclusive right. This special characteristic also means that trade secret holders can only remedy specific types of act. In the case of infringement, it is not sufficient that a competitor is in possession of the same or a similar type of information: there must be an unlawful act. And these unlawful acts relate closely to the breach of access restrictions put in place to protect trade secrets.

What acts are unlawful are defined in Art. 4 TSD. The first group of activities that are defined to be infringing practices refer to the primary actors, meaning those who are in direct contact with the trade secret holder or the source of information. Acquisition is unlawful if trade secrets are acquired without the consent of the trade secret holder, for example, by means of unauthorized access to, appropriation of, or copying of any documents, objects or materials (Art. 4(2)(a) TSD). Disclosure and use are considered unlawful where there has been unlawful access to the trade secrets or where acts have been committed in breach of a contractual or other duty not to disclose or use trade secrets. To sum up, all unlawful acts refer to a breach of duty or clear breach of restriction of access to information held as a trade secret.Footnote 31

As already indicated, a breach of access restriction, in other words infringement, is closely connected to the cumulative requirements for trade secret protection, particularly to the requirement that reasonable efforts be taken to maintain secrecy. The “reasonable efforts” under the TSD have been interpreted as covering clear safekeeping measures and explicit agreements.Footnote 32 Clear safekeeping measures would cover, for example, organizational measures and physical safekeeping measures, including technological protection. For technological protection measures, encryption and embedding may fulfill the criterion of reasonable steps.Footnote 33 However, the signal given about the existence of trade secrets and restriction of access should be clear. Even though the protection measures do not need to provide absolute protection, merely minimal efforts will not suffice. Therefore, reliance on technological measures is somewhat uncertain, as the strength of technological protection measures should make it clear that they are in place to protect trade secrets.Footnote 34 Only where sufficient measures are in place, can the acquisition of information be considered contrary to honest commercial practices, as required for infringement.

For companies, reasonable in-house steps require that the circle of employees entitled to access to such information be limited and that they be aware of the trade secret nature of the information. Without this, a trade secret does not even exist as such.Footnote 35 Even though the TSD does not explicitly require the first group of actors to have intent or knowledge when unlawfully acquiring, using or disclosing trade secrets, the requirement of knowledge can be presumed from the definitions of unlawful acts.Footnote 36

Access limitations must also be clear when it comes to unauthorized access by close circles of persons other than employees. It is up to the trade secret holder to ensure that there is no uncertainty over these issues. When considering data networks, one way of signaling the existence of trade secrets and access restrictions is through contracts.Footnote 37 Moreover, access should only be provided to a somehow limited and manageable amount of people with contractual confidentiality obligations.Footnote 38 Within data networks, protection through contracts may have its limits when the number of participants increases.Footnote 39 Yet the plaintiff has the burden of proving dishonest practices in the accessing of information.Footnote 40

When it comes to the infringing acts of third parties who do not directly access information through dishonest commercial practices, a finding of infringement requires constructive knowledge of earlier dishonest disclosure or use of trade secret information. Article 4(4) TSD provides that a third party will be held liable if a party “knew or ought, under the circumstances, to have known” that the trade secret had been “obtained directly or indirectly” from another person who was using or disclosing the trade secret unlawfully.

It is noteworthy here that liability extends even to those who indirectly receive information that has been the subject of unlawful acts. In data networks, information can very quickly pass forward. Consequently, the information chain can be a long one. Yet, the fact is that a third party can be held liable only if they knew or ought to have known about wrongdoing. When the information chain is long, it becomes challenging for a trade secret holder to rely on the criterion for liability of “ought to have known”. The circumstances should be such that, for there to be an “ought to have known” situation, a third party should have paid attention to the possibility of wrongdoing in previous information exchanges.Footnote 41 An infringing act requires mens rea. Therefore, in many instances, trade secret protection is extremely uncertain, as it cannot be guaranteed to reach third parties.

However, the TSD has adopted a solution that extends protection even against those who have initially acquired information without knowledge of previous illegal acts. The TSD enables a trade secret holder to serve notice on such third parties of the existence of trade secret protection and previous unlawful acts. In this way, those who initially acquired a trade secret in good faith become liable (Recital 29 and Art. 13(3) TSD). Such liability has faced criticism.Footnote 42 However, this mechanism reduces the uncertainty surrounding the enforcement of trade secrets. It makes those acquiring information downstream in the information chains liable.Footnote 43

When serving a notice of liability on third parties, the trade secret holder still needs to be able to prove that there is a causal link between the unlawful acquisition, use or disclosure and a third party’s subsequently receiving the information in question. When the information chain between the initial unlawful act and later utilization is a long one, it becomes challenging to prove that the information that a third party is utilizing derives from information protected as a trade secret. This limits the possibilities of serving third parties with notices of liability. In addition, when information chains are long, trade secrets may have become generally known over time and lost their eligibility for protection.Footnote 44

In addition to acts related to the acquisition, disclosure and use of information that is protected as a trade secret, acts that relate to the infringing goods also give rise to liability. Under Art. 2(4) TSD, “infringing goods” are “goods, the design, characteristics, functioning, production process or marketing of which significantly benefits from trade secrets unlawfully acquired, used or disclosed”. Article 4(5) TSD defines acts related to infringing goods that give rise to liability as follows:

The production, offering or placing on the market of infringing goods, or the importation, export or storage of infringing goods for those purposes, shall also be considered an unlawful use of a trade secret where the person carrying out such activities knew, or ought, under the circumstances, to have known that the trade secret was used unlawfully within the meaning of paragraph 3”. (Emphasis added)

The definition of infringing goods needs to be interpreted for the data economy. One interpretation, based on the German- and French-language versions of the TSD, is that infringing goods are not only physical manufactured objects but can be digital goods, downloadable through the internet.Footnote 45 In addition, Finland’s implementation of the TSD defines infringing goods as also covering services.Footnote 46 This implementation assumes that there is no need for physical objects in order for there to be an infringing good.

One of the specific challenges in detecting infringement is that the information contained in infringing goods need not be similar to the source information. This approach is different from the IP regimes, like the patent system, where similarity is key for infringement.Footnote 47 An important issue therefore is how the phrase applied to infringing goods, “significantly benefits from trade secrets unlawfully acquired, used or disclosed”, will be interpreted.

One example of when the end product does not contain similar information is the utilization of negative information with trade secret protection. Negative information refers to knowledge that something does not work.Footnote 48 Detecting this type of infringement may prove problematic for the trade secret holder, especially if the information chain is a long one and there is no clear connection between the initial trade secret holder and the competitor.Footnote 49

The EU’s TSD has adopted some measures to make trade secret protection stronger in the EU than in the US. The first such legislative tool is that of serving notice of liability on initially innocent persons. Another tool is related to liability for infringing goods. Both these techniques make it easier for a trade secret holder to hold third parties liable for their use of information. These elements of the TSD have faced criticism, and it has been argued that they align trade secret protection with IP protection.Footnote 50 For example, Professor Sandeen has described the liability in respect of infringing goods as a new “wrong”, because there is no such liability under US trade secret law.Footnote 51 However, these elements of the EU’s TSD do not change the inherent nature of trade secret protection, which is still subject to numerous uncertainties and practical enforcement problems.

In line with what legal scholars have identified about uncertainties stemming from the nature of trade secrets, a recent empirical study on trade secrets in a data economy shows that firms are reluctant to share their confidential data by relying on trade secrets as a form of protection, because trade secrets are not easily enforceable. This study raised the point that it is difficult to control and trace information protected as a trade secret. Similarly, acts of possible misappropriation are challenging to detect, as are trade secrets in infringing goods.Footnote 52 It is noteworthy that, in the empirical study, one factor for successful information sharing was when it was done with trusted collaborators.Footnote 53 This is one way that trade secret holders can try to control the risks and possible leaks associated with information sharing.

Under the Data Act, these uncertainties are currently at the fore, and demands to give trade secret holders sufficient tools to protect trade secrets were expressed during the legislative procedure. Some of these tools relate to protective measures for trade secrets. Without such measures, trade secret holders would not be able to claim protection or remedy the unlawful acquisition, use or disclosure of their trade secrets. In this way, the Data Act complements the provisions of the TSD and aims to ensure the enforceability of trade secret protection for information.

However, the TSD also has a number of provisions that allow the acquisition of information protected as a trade secret. These are in place to allow honest competition. Such lawful practices add to the uncertainty around trade secrets, as a trade secret holder’s competitive advantage may be lost even through honest competition. Next, we will analyze such characteristics of trade secrets.

3.2 How Trade Secret Rules Allow Competition and Access to Data

One important aspect of trade secret protection is that it leaves room for free competition and the public domain.Footnote 54 This is connected to the issue that trade secrets are not exclusive rights and therefore do not grant their holder a right to prevent others from using the trade secret information unless inappropriate conduct has been involved in the acquisition of the information. Consequently, many entities may be legally in possession of a similar type of information without this being considered an infringement. Innovators and other actors in the data economy are allowed to carry out a variety of measures to access information and compete with the trade secret holder.

Trade secret rules define activities that are considered to be honest and legal means of accessing or creating similar information. These rules are laid down in Art. 3 TSD. Firstly, Art. 3(1)(a) states that it is lawful to acquire trade secrets through independent discovery or creation. Consequently, when a third party arrives at the same information through its own development activities, a trade secret holder cannot prevent them from utilizing that information. Such third party may have a different policy on openness and might be willing to share this information without confidentiality obligations. Such disclosures may destroy the trade secret nature for all those who have developed similar information initially. Normally there are no remedies in place to stop such behavior.Footnote 55

Within the context of the data economy and sets of big data, it has become more common to utilize big data tools and artificial intelligence to uncover information that has not previously been so easy to detect. Access to and analysis of various patterns in those data sets enable discoveries and new innovations to be made, which might relate, inter alia, to customer patterns and market trends. It has been reckoned that this phenomenon diminishes the role of trade secret protection.Footnote 56 In modern contexts, many entities will be more likely to uncover the same patterns in the information sources, especially when information is derived from publicly available sources and not held inside businesses (such as factories). In these situations, the source information itself may not necessarily qualify for trade secret protection if it is readily accessible (Art. 2 TSD).Footnote 57 In addition, what firms make out of such readily accessible information may not give them a long-lasting competitive advantage based on trade secret protection, as many others may be able to achieve the same type of end result through independent creation. This may not only diminish any competitive advantage based on such independent creations but also put this form of protection at risk, as information may become generally known if a sufficient number of entities in relevant industry circles possess the information, or if any entity decides to disclose their development outcomes to the public.

Even though the similarity may stem from independent discovery and creation, in some instances a competitor might also have had access to information protected as a trade secret. Therefore, similarity may occasionally indicate an infringement. To complicate the issue further, it is acknowledged that a case may involve both lawful and unlawful access. In such cases, the time dimension becomes an important aspect of an analysis. The question is whether the alleged infringer undertook their development work before their unlawful access or use of another entity’s trade secrets.Footnote 58

The challenge in the context of various data pools is that several parties who access information from such sources may already be in possession of similar information. Yet, accessing the information in such data pools may bring new insights related to various possibilities for utilizing the information. Where is the line to be drawn in such cases, when a party is already privy to important elements of information but still learns something new through data networks where other parties might have included restrictions on the utilization of information protected as a trade secret?Footnote 59 Aplin has highlighted that, in addition to the time dimension, causality plays a role when evaluating end results. The question then is whether the end results stem from independent creation or from information that has allegedly been unlawfully or dishonestly accessed and used. In these cases, the relevant remedies would depend on the harm causally linked to the unlawful acts insofar as it can be established.Footnote 60

In such instances, the Art. 2(1) TSD definition of infringing goods also acquires importance. For acts related to infringing goods, the goods must significantly benefit from information protected as a trade secret that has been unlawfully acquired, disclosed or used.Footnote 61 Therefore, the relationship between the lawfully acquired information and the additional benefit of unlawfully acquired, used or disclosed information may be an important element when analyzing infringing goods. If the added value of the information protected as a trade secret is of minor importance compared with the information already lawfully in a collaborator’s possession, then the outputs might not even qualify as infringing goods. However, in the case of infringement actions for unlawful access, use and disclosure might themselves be actionable if there is a harm to be remedied. All these scenarios mean that a party referring to lawful access might need to be able to prove the time dimension of their own independent development activities in order to escape liability under the TSD.

In addition to allowing the acquisition of trade secrets through independent discovery and creation, Art. 3(1)(b) TSD provides that reverse engineering is a lawful means of accessing a trade secret:

The acquisition of a trade secret shall be considered lawful when the trade secret is obtained by […] observation, study, disassembly or testing of a product or object that has been made available to the public or that is lawfully in the possession of the acquirer of the information who is free from any legally valid duty to limit the acquisition of the trade secret.

Consequently, the starting point is that reverse engineering is allowed unless prohibited by the trade secret holder.

The reverse engineering provision in the TSD refers to both products and objects. The reference to products in addition to objects allows the interpretation that reverse engineering as a lawful technique for uncovering information not only targets physical, tangible, objects but also products in digital form. Therefore, reverse engineering activities can cover information, data sets and related services. This interpretation can also be derived from the interpretation suggested for infringing goods, where Drexl has argued that goods in that provision refer not only to tangible objects but also to digital goods.Footnote 62 In this way, the reverse engineering provision is relevant not only to the sale or licensing of physical objects but also to various data pools.

Various scholars have opined that anti-reverse engineering contracts would not be legally valid when products have been made available on the mass market.Footnote 63 Anti-reverse engineering clauses would be possible only in direct contractual situations in an information value chain.Footnote 64 While the TSD leaves Member States considerable scope when it comes to the validity of anti-reverse engineering clauses, it has been argued that, if trade secrets are to be understood as part of information law, the enforceability of anti-reverse engineering clauses should be construed narrowly.Footnote 65

In any case, the reach of anti-reverse engineering obligations does not extend beyond contractual relationships. Therefore, the possibility that a third party may reverse engineer information outside the scope of a contract creates additional risks for a trade secret holder. It is becoming increasingly possible to utilize new AI-based technologies to uncover information held in information products and services, and such techniques would be lawful under the TSD. Their availability increases the risk of losing trade secret protection.

In addition to that, Nordberg also finds that the situations in which trade secret holders are in control of their information in data networks are open to interpretation. Under Art. 2(2) TSD, ‘trade secret holder’ means any natural or legal person that lawfully controls a trade secret. Consequently, under the TSD, a party that is not in control of its information cannot be entitled to any remedy. Therefore, information protected as a trade secret within information networks may be lost not only when a third party accesses trade secret information honestly, but also because of the challenge for the trade secret holder of controlling and managing information in such a way that it qualifies for protection. According to Nordberg, if access in the data networks, for example access to information stored on servers, cannot be sufficiently restricted, a trade secret holder’s control over its information may not be sufficient.Footnote 66 However, she considers that the requirement for control in these contexts should be minimal and not require disproportionate protection measures.Footnote 67 The question of control as a requirement for protection is thus closely connected to the requirement of taking reasonable steps to keep information secret. And this requirement has an impact also on the measures to preserve trade secrets under the provisions of the Data Act, as will be explained later in this article.

In addition to what Art. 3 TSD defines as lawful, it is also lawful for an employee to use experience and skills honestly acquired in the normal course of their employment (Art. 1(3)(b) TSD). This is an important dimension of employee mobility, which the TSD does not seek to limit (Art. 1(3) TSD). It has been interpreted that, under the TSD, an employee’s experience and skills do not relate to information and therefore cannot even qualify for trade secret protection.Footnote 68 It has also been argued that an employee’s experience and skills refer rather to tacit knowledge, which is not readily transferrable but rather connected to a person with specific skills.Footnote 69 Yet, at a practical level, it may be difficult to draw a line between information protected as a trade secret, which can be subject to employee confidentiality obligations, and employees’ experience and skills, the use of which cannot be restricted.Footnote 70 In the context of the data economy, one could associate experiences and skills with, for example, knowing how to efficiently utilize various AI tools to uncover information patterns in big data, while the patterns uncovered and information inferred from those patterns might then be subject to trade secret protection.

A specific problem with the TSD is that it does not harmonize post-employment confidentiality and non-compete obligations, which are left to the discretion of the Member States.Footnote 71 Therefore, an important aspect related to potential outflows of trade secrets through ex-employees is left unharmonized. It has been suggested that divergences in national legislation create a barrier to the cross-border sharing of data.Footnote 72 Such divergences have an impact on what is to be considered lawful practice for employees beyond what the TSD has defined as belonging to their experience and skills.

Lawful access to information forms part of the TSD’s underlying pro-competition objective. Yet, in the context of big data, AI, and the data economy, lawful practices allow ample scope for access to information. Compared with when it was possible to maintain secrecy by imposing strong restrictions on access to information, possibly even within businesses such as factories, in the new context it is far more likely that information will lose its secret nature and consequently its trade secret protection as a result of practices that are lawful under the trade secret regime.

4 How the Data Act Accommodates the Need for Access to Data and Trade Secrets

Notwithstanding the underlying lack of faith placed by firms in trade secret protection when sharing their commercially confidential data, the Data Act provides for mandatory access to data. The B2C and B2B rules will be analyzed next in the light of what has been elaborated above about the characteristics of trade secret protection.Footnote 73 When access is provided, the Data Act aims to simultaneously ensure the protection of trade secrets. While a trade secret holder cannot deny access to information solely on the basis that it is a trade secret, rules must be put in place to govern such access (Recital 31).

Through these statutory access rules, the Data Act takes away a trade secret holder’s decision-making power over the authorization of access to its information. By introducing a type of compulsory licensing scheme for trade secrets, it therefore dilutes an important element of the competitive advantage held by a trade secret holder.Footnote 74 It is noteworthy that, in the empirical study referred to above, one factor for successful information sharing was when it was done with trusted collaborators.Footnote 75 Under the Data Act, a trade secret holder will have no say on whom the information is to be shared with.

As trade secret rules require access to be restricted, the mandatory information-sharing objectives under the Data Act are necessarily to some degree in conflict with trade secret protection. Nevertheless, trade secret holders do not expect trade secret protection to become meaningless as a result of these sharing obligations. To accommodate the needs of protection, many provisions of the Data Act aim to ensure the protection of trade secrets in the event that data-sharing obligations demand the disclosure of information protected as a trade secret.

For example, under Art. 4(6) of the Data Act (when data is shared with a user) and Art. 5(9) (when data is shared with a third party), the data holder (or, where they are not the same entity, the trade secret holder) should identify information that is protected as a trade secret. As explained above, such requirement is essential for being defined as a trade secret under the TSD. Without identification measures, the cumulative requirements for protection as a trade secret cannot be met.Footnote 76

What is noteworthy here is that, at this point in time, the identification of information protected as a trade secret is based on the trade secret holder’s own evaluation. The latter might be inclined to overclaim.Footnote 77 A particularly important aspect here is that sharing obligations under the Data Act seem to refer a type of data that does not necessarily qualify for protection at all. As elaborated earlier in this article, scholars have highlighted that raw data does not normally qualify for trade secret protection.Footnote 78

However, where data does qualify for trade secret protection, there are limitations imposed on the sharing. Trade secrets are disclosed to third parties only to the extent strictly necessary to fulfil the purpose agreed between the user and the third party (Art. 5(9) of the Data Act). Even though only strictly necessary information is to be shared, the importance of this limitation is somewhat diluted because it is the user and a third party who decide the purpose. The Data Act allows the use of information for any lawful purpose (Recital 30). This enables a third party, for example, to offer an aftermarket service that competes with a service provided by a data holder (Recitals 30 and 32). Therefore, the Data Act has an impact on competition in aftermarket services and opens up a possibility for innovation based on data. This is one of the clear objectives of the Act.

However, Arts. 4(10) and 6(2)(e) of the Data Act explicitly prohibit third parties from using the data to create a product that competes with the product from which the data originates or from sharing the information with other parties for such a purpose. In this way, the Data Act aims to avoid undermining the investment incentives for the type of product from which the data are obtained (Recital 32).Footnote 79 Here, complications may arise where a party with whom data is to be shared has previously created a competing product. Will the data sharing then prevent further development of the earlier competing product? This situation resembles the challenge under the TSD, discussed above, where a party has independently created something but has also had unlawful access to information. Under the Data Act, access to data in this situation is lawful, but use of the information is limited to prevent the creation of a competing product. This use limitation might lead to a situation where competitors will not be interested in receiving the data, as access to it may limit their future possibilities of competing in the relevant market.

In addition to use limitations, the Data Act explicitly requires protective measures to be taken when access to information is to be provided. Articles 4(6) and 5(9) of the Data Act provide that trade secrets will be disclosed only if all necessary measures are taken to preserve the confidentiality of trade secrets prior to disclosure. The same provisions further stipulate that the measures agreed between the parties must be proportionate technical and organizational measures, such as model contractual terms, confidentiality agreements, strict access protocols, technical standards and the application of codes of conduct.

The provisions of the Data Act seem to give guidance on requirements for enforceable trade secret rights. The preventive measures can be seen as being what is normally required for enforceable trade secrets under the TSD. However, it is noteworthy that the TSD does not define what is meant by “reasonable steps under the circumstances to keep information secret”, but leaves the concept open, to be interpreted in context.Footnote 80 Therefore, the definitions and requirements under the Data Act may in the future have consequences for interpreting protection requirements under the TSD. The protective measures under the Data Act address in particular the enforceability of trade secrets vis-à-vis third parties, which is the element of trade secret protection that causes the most uncertainty.

But the provisions also clearly refer to measures that need to be in place within the organization with which information is to be shared. For example, access protocols and codes of conduct may have an impact on information flows within a firm and therefore also affect employee relationships. It is worth noting here that the empirical study referred to above recognized that more attention should be paid to internal managerial procedures for protecting trade secrets. Such procedures include in particular those related to employees.Footnote 81 Even though the list of protective measures already clarifies what type of measures can be demanded by the trade secret holder, Art. 41 of the Data Act stipulates that the Commission will later provide model contractual terms on data access and use, including terms on reasonable compensation and the protection of trade secrets. These model contractual terms may help to further define the proportionate protective measures. All the Data Act’s specific provisions on protective measures seem to refer to the protection techniques normally deployed. In this way, the provisions may increase firms’ awareness of what practices are appropriate. Such knowledge may likewise help firms overcome concerns related to the exchange of information.

However, the measures to keep information confidential need to be proportionate. This concept differs from that of the TSD’s “reasonable steps under the circumstances” to keep information secret, but the proportionate measures under the Data Act do need at least to meet the same standard. This is because a trade secret holder needs to take such measures if they are to have an enforceable right. However, proportionality can be understood as referring to what is considered proportionate by both parties to the data exchange agreement,Footnote 82 namely what is proportionate to a third party and a trade secret holder. In this context, the proportionality requirement would prevent a trade secret holder from demanding excessive protection measures from a third party. This aspect of proportionality is an important one because trade secret holders can withhold or suspend access to data if parties have not been able to agree on the necessary measures or if agreed protective measures are not implemented (Arts. 4(7) and 5(10) of the Data Act).

The protective measures are important not only for meeting the cumulative requirements for trade secret definition, in particular the requirement of taking reasonable steps to keep information secret, but also for enabling remedies to be pursued against unlawful use, access and the disclosure of information protected as a trade secret under the TSD. Without clear restrictions, third parties would not know when they were committing an unlawful act or infringement under the TSD. In addition to the remedies available under the TSD, the Data Act offers further remedies, for example, where data has been used or disclosed against the provisions of the Data Act.Footnote 83 Some of the remedies appear to overlap with those available under the TSD. However, as the shared data does not always qualify for trade secret protection and there are some specific limitations on the possibilities of use thereof, the remedy system under the Data Act addresses acts that go beyond those actionable under the TSD. For example, the Data Act prohibits the use of data to develop a product that competes with the product from which the accessed data originates. Creation of such a competing product is actionable under the provisions of the Data Act.

Interestingly, the Data Act also utilizes the concept “infringing goods” and provides remedies that can target the importation, exportation, or storage thereof. However, the Data Act has no provision that defines “infringing goods”. It can be assumed that this term would cover competing products, the development of which is prohibited under the Data Act, but otherwise its scope is unclear. The TSD’s definition of “infringing goods”, discussed earlier in this article, may provide some guidance for interpretation. Where shared data can be protected as a trade secret, the TSD definition would most likely apply also to the Data Act’s system of remedies against infringing goods.

Notwithstanding the Data Act’s detailed provisions on the safeguarding of trade secrets, not all of the reservations that trade secret holders have about mandatory data-sharing obligations have been mitigated. Owing to stakeholder concerns during the legislative process, the Data Act now enables trade secret holders to deny access to their information in exceptional circumstances. For example, under Arts. 4(8) and 5(11), access can be denied if the trade secret holder can demonstrate that it is highly likely to suffer serious economic damage from the disclosure of trade secrets. Such demonstration must be duly substantiated and based on objective elements. The above articles also make reference to the enforceability of trade secrets in third countries. This is one factor that may contribute to the likelihood of a trade secret holder suffering serious economic damage and may lead to access being denied. Yet, when a trade secret holder refers to enforceability issues as a basis for denial, it must substantiate these too on the basis of objective elements. In addition, when a data holder refuses to share data, it must, according to the Data Act, notify the national competent authority designated. Both the user and a third party can contest the refusal to allow access by lodging a complaint with the national competent authority. The latter must give its decision on the matter without undue delay.Footnote 84

The option of denying access to data afforded by the Data Act may lead to information lockdown, which clearly conflicts with the Act’s objectives. Therefore, this provision should be applied only in very specific cases. It is tailored so that any denial of access can be evaluated externally by a national competent authority. It is laudable that such external assessment by the competent authority is provided for. It ensures that there will be no unnecessary information hold-ups based only on a trade secret holder’s own evaluation of the economic risks involved.

As the Data Act mandates access to data, it further defines how the data can be used. It is particularly important that it be lawful to analyze data further. Recital 32 explicitly mentions that lawful purposes for the use of the data may include reverse engineering, provided it complies with the requirements laid down in the Act and in EU and national law. Reverse engineering is also lawful under the TSD, as explained in the section above that deals with the characteristics of trade secret protection. This aspect of trade secret protection creates challenges for a trade secret holder that is trying to maintain its competitive advantage. This is especially true nowadays when highly developed analysis technologies, including AI, are available on the market. Consequently, both users and third parties may derive insights from the data that could uncover information related to trade secrets even if the data shared does not itself contain trade secrets or qualify for protection.

During the legislative process, some stakeholders commented that they were concerned about the possibility of reverse engineering and analysis of the shared data, and suggested that such analysis should be prohibited.Footnote 85 Even though the basic idea of the Data Act is to allow reverse engineering, there are provisions that limit a party’s possibility to analyze data to some extent. Articles 4(10) and 6(2)(e) of the Data Act explicitly prohibit the analysis of data for the purposes of deriving insights about the manufacturer’s economic situation, assets and production methods. This prohibition on the analysis of production methods together with a provision that prohibits the creation of a competing product clearly protect the manufacturer’s investments in the development of the underlying IoT product. But the analysis of data is not explicitly further limited under the Data Act.

Further limitations on the analysis techniques allowed can be derived from EU and national law. Under Art. 3(1)(b) TSD, the basic idea about reverse engineering is that it is a lawful means of accessing trade secrets. However, the TSD also allows this analysis technique to be restricted between parties by anti-reverse engineering contracts. As previously explained in this article, the enforceability of such contracts may vary between EU Member States. Scholars have suggested that the enforceability of such contracts should be interpreted narrowly, as allowing reverse engineering is an important element of information law.Footnote 86

One possible limitation on the enforceability of anti-reverse engineering clauses may stem from the provisions of the Data Act that list unfair contractual terms and terms presumed to be unfair. Art. 13(5) is particularly important in this regard, stipulating that

A contractual term shall be presumed to be unfair for the purposes of paragraph 3 if its object or effect is to […] prevent the party upon whom the term has been unilaterally imposed from using the data provided or generated by that party during the period of the contract, or to limit the use of such data to the extent that that party is not entitled to use, capture, access or control such data or exploit the value of such data in an adequate manner. (Emphasis added)

Considering that the Data Act already specifies some limitations on data analysis and that the recitals recognize reverse engineering as a lawful means of using data, this provision may be interpreted as meaning that further limitations on the use of data, including analysis thereof, cannot be imposed unilaterally. Prohibiting reverse engineering and data analysis might prevent data from being used appropriately. Such a limitation on the analysis of data might, for example, reduce the possibilities for innovation and creation for third parties.

Innovation is one of the underlying objectives of the Data Act and its data-sharing obligations. Shared data and analysis thereof make new innovative services and completely new products possible. The Data Act aims to make space for competition on the basis of the innovative reutilization of shared data. If access is lawful and the type of utilization in question is not explicitly prohibited under the Data Act, the outcomes should be welcomed.

These aims under the Data Act are to some extent aligned with the TSD’s pro-competitive characteristics, one of which, importantly, is to allow independent creation. Under the TSD, creation is independent when access to information has been lawful. Consequently, in cases of lawful reverse engineering, the outputs developed with the help of analyzed information are lawful and independent. Competition based on such achievements is considered honest and fair. Even though both the TSD and the Data Act focus to some extent on preserving the confidentiality of trade secrets and agreeing on measures that limit access to information, both also have important characteristics that promote freedom of information and leave room for competition. These pro-competitive elements cause concern for those who want to have a competitive advantage based on restricted access to data and information.

5 Conclusions

It has become apparent from recent technological developments in big data and AI that secrecy of information may not provide a long-lasting competitive advantage. Moreover, the new rules, which require increasing access to information, may reduce reliance on trade secret protection even more, notwithstanding the safeguards put in place under the Data Act. It is less attractive for firms to rely on this form of protection. Thus, maintaining the status quo in trade secret protection may in the future diminish its importance. Yet, the enforceability of trade secrets is inherently uncertain, and sound reasons would be needed for changing that. The elements of the TSD that already align trade secret protection with IP protection has faced criticism.Footnote 87 Thus, possible future demands for stronger protection should be treated with caution, as that might change the nature of the trade secret regime, which should not be done without a thorough assessment of the arguments for it.Footnote 88

The vulnerabilities related to the protection of trade secrets where there is information sharing are clearly visible in the provisions of the Data Act, which seem to go to the very heart of the uncertain nature of trade secret protection and the specific challenges involved in its enforcement. To overcome the conflict between trade secret protection and access to information, the Data Act provides for an arsenal of measures and remedies to protect trade secrets. The protection measures specified under the Data Act are much more explicit than the open concepts utilized under the TSD. These provisions may in the future also clarify the measures that under the TSD are considered sufficient for enforceable trade secret rights. Therefore, the provisions may have a role in building confidence in trade secret protection.

Yet, the attention given to trade secrets is remarkable, as it seems that, under normal circumstances, the data-sharing obligations under the Data Act do not require information that is protected as a trade secret to be disclosed at all. The sharing obligations under the Data Act focus on raw data, which normally does not receive protection but belongs to the public domain. But the data holder is now given the possibility of identifying in the shared data any information that is protected as a trade secret. And then of demanding that a variety of protective measures be put in place. The toolkit available under the Data Act may lead to a situation where the free flow of data is restricted unjustifiably, for example by the overclaiming of trade secrets.

It is worth remembering that, not so long ago, academics were critical of the idea of creating a new exclusive right for data. The idea was abandoned, not least because of the lack of justification and the conflict with freedom of information.Footnote 89 Now it may become possible to have control over data by overclaiming trade secret protection. As there is no ex ante confirmation that such right exists, that possibility persists. It remains to be seen whether the measures under the Data Act will be relied on extensively and used to protect data that is not actually eligible for protection. Another consequence may be that mandatory data-sharing will lead firms to rely on other types of protection mechanism, where available, including IP protection, and technological design and protection measures, which will be utilized to limit the availability of data.Footnote 90 All in all, the Data Act may have the opposite effect to what is intended. Those unintended consequences may include new innovative restrictions on the free flow of information.