4 minute read
2.3. Trade secret protection
It also remains unclear how far-reaching the obligation to provide "the data generated by the use of a product or related service" mentioned in Art. 4 (1) DA-E is to be understood. For example, in cases where AI algorithms are trained with the user's data, must the results also be released to the user? This would devalue the performance of the algorithm developer under copyright or possibly patent law. It is still unclear whether the obligation to provide the data leads to an obligation to collect corresponding data, even if this is not collected in the standard configuration.
2.3. Trade secret protection
Trust between different actors is the basis for achieving data-based value creation. Industrial data sharing in the B2B context is very sensitive with regard to the protection of trade secrets, as well as the business aspects, which is why a specific approach should be sought to avoid legal uncertainties. A central interest for the "data holder" lies in the protection of their trade secrets. However, in contrast to the relationship with the GDPR, Chapter II addresses the relationship with the applicable trade secret protection by removing such data from the data holder's sphere of influence via the data access claims. In order to counteract the negative consequences to be feared for the willingness to innovate and invest in the generation and processing of data, the BDI calls for the protection of sensitive information, including trade secrets, to be generally exempted from the obligation to exchange data or at least to be accompanied by the right of the disclosing party, which is limited to trade secrets, to demand significantly more extensive security measures (e.g. of a technical nature), which may, however, prevent the free use of the data by the user. Such an exception would also eliminate the threatening inconsistencies with regard to Chapter III (Article 8(6) DA-E). While Art. 8 (6) DA-E generally exempts the disclosure of trade secrets from the principle of the right to access data, Chapter II deviates from this. Particularly in view of possible further sectoral data access regulations, a uniform definition of the principle of trade secret protection and its concrete scope is needed here.
According to the conception of Art. 4 (3) and Art. 5 (8) DA-E, "data holder" will in future be obliged to pass on such data to the "user" or third parties commissioned by the user. In this respect, the trade secret leaves the sphere of influence of the data holder and the latter must agree on appropriate protective measures with the "user" or "data recipient". In order to prevent misuse, the draft Data Act does provide for numerous restrictions on use for re-users, such as the ban on using the data for other purposes or for the development of competing products. However, how compliance is to be monitored, proven and enforced remains completely open, as the manufacturers lack sufficient control options. The distribution of the burden of proof also remains unclear. It is completely far-fetched that SMEs, for example, could even begin to exercise any agreed audit rights within the framework of the customer relationship. This is especially true if the data
enters international value chains. It also remains unclear to what extent such safeguards can be imposed unilaterally. For example, it remains open what the consequences are if "users" or "data recipients" of the data do not agree to the confidentiality obligation or data use agreement submitted by the "data holder" or only agree to it with (unacceptable) amendments.
Since the principle of data provision even applies to competitors, taking into account the anti-trust regulations according to Art. 101, 102 TFEU, clear regulations are necessary to protect data holder in order to avoid inhibiting effects on the willingness to innovate and invest. This includes that the data holder can demand compensation from the user or third parties if the data provided has been misused -e.g. for the development of a competing product. The right to the mere deletion of the data is not sufficient here. Otherwise, there is a risk that the Data Act will undermine its goal of promoting investment in data-generating products. It is also unclear how contract research is to be assessed in the context of the Data Act. For German industry, contract research represents an important building block and should therefore be treated like research in one's own company in order to ensure effective protection of trade secrets.
2.4. Contractual use of non-personal data pursuant to Art. 4 (6) DA-E
With regard to the framework conditions of the contractual arrangement according to Art. 4 (6) DA-E for non-personal data, it is unclear what effects a termination of such a contract between "data holder" and "user" would have. For example, if the IoT product is resold by the user to a third party, a new contractual agreement pursuant to Art. 4 (6) DA-E is required. Especially in industrial B2B relationships, the "user" can have a strong negotiating position and demand different terms of use from the "data holder". Therefore, it needs to be clarified that the data once provided to the data holder can remain with the data holder.
In addition, for IoT products and connected services with an assumed lifespan of fifteen years, it is impossible to foresee the data use to be expected in the product life cycle at the time of purchase or to leave it unchanged. Subsequent adjustments to the data use agreement must therefore be possible. In addition, the data use agreements must be allowed to be sufficiently abstract to allow software updates "over-the-air", which generate new data points but serve the agreed purposes, to be carried out without contractual adjustments. Otherwise, principles of modern, innovative, incremental product development would be hindered by administrative burdens.
