Wojdyło - legal aspects of new technologies

In previous articles in our series we discussed whether data can be subject to property rights or can be protected within known categories of intangibles. Today we will consider if and when data can be protected as a trade secret.

First we should clarify what a trade secret is and what protection this classification provides.

Trade secrets: When is protection provided?

Under Polish law, issues relating to the protection of trade secrets are mainly regulated by the Unfair Competition Act of 16 April 1993. At the European level, the Trade Secrets Directive (2016/943) has harmonised the protection of trade secrets to some extent.

The subject of the discussion below will be “trade secrets” (tajemnica przedsiębiorstwa), and not “business confidentiality” (tajemnica przedsiębiorcy) as referred to in Art. 5(2) of the Act on Access to Public Information of 6 September 2001. Judgments issued under that act indicate that in certain situations “business confidentiality” may be understood more broadly than “trade secrets” within the meaning of the Unfair Competition Act, and also includes information which has no economic value as such but the disclosure of which could have a significant impact on the undertaking’s economic situation and competitiveness (Supreme Administrative Court judgments of 17 January 2020, case no. I OSK 3514/18, and 5 July 2013, case no. I OSK 511/13).

To complement our previous considerations about the civil-law status of data, we should analyse the possibility of using data to create security interests in business transactions. The increasing economic value of data inspires a search for effective ways to collateralise these assets.

To better illustrate this point, let us use a visual example. Imagine a server owned by company X. Various data are stored on the server, including data collected by X for the purpose of training an advanced algorithm used for medical diagnostics. The market value of the data stored on the server exceeds many times over the value of the server itself.

X provided its creditor, company Y, with security in the form of a registered pledge on the movables of X. X did not fulfil its obligations towards Y, and therefore Y enforced its security and took ownership of the server storing the data. The value of the server alone is insufficient to satisfy all of Y’s claims against X, while the value of the data stored on the server exceeds X’s debt to Y. What is the effect of Y’s taking ownership of the server?

A natural extension of the consideration of the legal status of data is the question of whether data can be inherited. This is no longer just a theoretical issue. Data are increasingly valuable, making it vital to answer the question of whether data constitute an asset of the decedent’s estate that can be taken over by the heirs.

According to the Polish Civil Code, the decedent’s property rights and obligations are the subject of succession. But the estate does not include the decedent’s rights and obligations closely linked to his person and rights which, upon death, are transferred to designated persons irrespective of whether they are heirs.

Is it possible to inherit data based on such a definition of inheritance?

First of all, to answer this question, it is necessary to recall the division into different categories of data which, like the issue of classifying certain types of data as property rights, has already been analysed in our data economy series. Indeed, depending on which category of data we are dealing with, the assessment of whether a right or obligation should be included in the estate changes.

When seeking inspiration for the future legal status of data, it is worth taking a closer look at how the right to personal data has been shaped. In particular, we could consider whether it is a property right and whether the current legal framework for the right to personal data corresponds to reality and meets our needs.

The attempt to define an absolute right to personal data is mainly driven by Art. 1(2) of the EU’s General Data Protection Regulation, which states that one of the objectives of the regulation is to protect the “right to the protection of personal data.” The right to protection of personal data is also enshrined in the Charter of Fundamental Rights of the European Union and the Treaty on the Functioning of the European Union.

The source of this right is found in European legislation. For this reason, an attempt to determine the substance of the right to data protection is difficult, as we cannot simply and directly refer to structures known from the different legal systems of the member states.

The essence of the right to data protection seems to be indicated in recital 7 of the GDPR preamble, which states, “Natural persons should have control of their own personal data.” Thus, the right to protection of personal data is primarily intended to give data subjects control over their data. The specific content of this right is defined by the protective instruments provided for in the GDPR. Among other things, these instruments consist of a guaranteed right to information about processed data, the right of control, but also the right to object to data processing. Many of these rights are similar to the bundle of rights also found in classical property law structures. However, important differences also exist.

At first glance, it may not seem obvious to treat data as crypto-assets. But a closer look shows that the current and planned regulations for this new asset class could serve as a key legal framework for the future data economy.

The data economy and blockchain have a lot in common. Blockchain and data tokenisation are also a theme running through our data economy publications. Blockchain has revived the discussion of data tokenisation, i.e. turning data into an identifiable and tradable digital asset.

The contemporary debate about data, including discussions of the legal status of data, are hard to understand without defining the broader context. One element of this context is the demands of the movement referred to collectively as “MyData.”

“A European strategy for data,” published by the European Commission in February 2020, alludes to the MyData movement in the context of the challenge presented by inadequate technological support for data subjects in managing their own personal data. On one hand the Commission perceives the potential inherent in personal data, in particular the potential for the data subjects themselves. Appropriately managed personal data can improve the quality of services received by data subjects (e.g. in the area of healthcare) and increase their control over their data. On the other hand, the Commission found that there is a lack of appropriate tools for managing data, and thus the inherent potential of the data is not being exploited to the fullest.