The oil of the 21st century

EU data protection law: ownership of data in Germany in 2016

By Dr. Claudia Milbradt

Download article as PDF

Introduction

In the digital age, ownership and protection of data have become two key issues. This applies not only to individuals and their personal information, but, in particular, to companies and their ability to maintain a competitive business advantage. Data is, inter alia, subject to commercial interests in regard to consumers (personalized advertising, online payments) and it acts as a safety feature for interacting with third parties (for example, cloud computing), a source of information (for instance, whistleblowing) and a requirement for the functioning of connected devices, vehicles buildings and other devices (the internet of things). In the process of fulfilling all these roles, data is being generated, stored, spread and analyzed in ever-increasing quantities.

The analysis of data and any knowledge gained during that process require a certain level of secrecy to prohibit immediate use by unauthorized third parties, devaluation of the information and, finally, loss of a potential competitive edge. For these reasons, it is vital to the producer of data to ensure ownership of the data and its analyses. In this respect, of course, applicable data-protection law has to be respected in terms of personal data (which is not the subject of this article).

In contrast to enacting protective measures, the EU envisions a free flow of data between different stakeholders to maintain time and cost efficiencies in the interchange of data (which is also an important pillar of the European Commission’s current Digital Single Market and its Free Flow of Data Initiative). As a result, the ownership of data interferes with the idea of the free flow of data as well as with the restrictions imposed by data-protection law. This article summarizes the instruments provided by German law regarding the ownership of data, particularly as this pertains to trade secrets and copyright-protected databases.

Trade-secret protection

In Germany, trade-secret protection is governed by the (criminal) provisions of Section 17 and Section 18 of the German Act against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb or UWG). For a subject matter to be considered a protectable trade secret pursuant to Section 17 (1) of the UWG, it must be (a) a fact related to business operations (b) that is not obvious to the public, and (c) the business owner has a legitimate commercial interest in keeping the fact a secret. The statute does not explicitly mention data as protectable subject matter, however various court decisions have clearly stated that trade-secret protection may apply to such digital data as technical data, computer programs or parts of a program. In addition, keeping the information secret calls for not disclosing it to the public, and protective measures (for example, nondisclosure agreements [NDAs]) must be implemented should access be granted to a restricted number of people. Lastly, the business owner must have a legitimate interest for keeping the data secret. That is often the case if, for example, the information is vital for maintaining a competitive edge (for example, client contact data, market data and the like). The actual monetary value of the data, however, is less relevant.

If data fulfills the above-mentioned requirements, Section 17 (1) of the UWG sanctions the disclosure of such information to a third party by any employee, requiring that the employee had acted, inter alia, in his or her own interest or with the intent to harm the company. The provision penalizes such disclosures with imprisonment up to three years or a monetary penalty. This statutory penalty only applies, however, if the act of disclosure occurred when the employment contract was still in effect. After contract termination, companies may only invoke civil claims on the basis of post-contractual NDAs, for example. While the first paragraph of Section 17 of the UWG relates to employees authorized to know the particular trade secret, Section 17 (2) of the UWG governs unauthorized access by anyone (industrial espionage) who obtains (Section 17 [2], No. 1) or saves (No. 2) the information through technical means, by producing an embodied copy of the secret or by taking away an object containing the secret. If these acts are committed within a commercial context – that is, on a regular basis, they can be penalized with imprisonment up to five years.

Section 18 of the UWG relates to the disclosure of technical templates or instructions such as drawings, models, stencils, patterns or formulas. Here, too, the statue does not explicitly mention data, however it could be included by more broadly interpreting the technical aspects of the subject matter indicated in Section 18 (1) of the UWG. It should also be noted that the relevant templates or technical instructions have to be disclosed to the offender “in the course of trade.”

A harmonized European legal framework for the protection of trade secrets did not exist prior to recent introduction of (EU) Directive 2016/943 on the protection of undisclosed know-how and business information against their unlawful acquisition, use and disclosure dated July 5, 2016 (the Trade Secret Directive). The Trade Secret Directive aims to create an EU-wide harmonized minimum level of protection for trade secrets. Very similar to the existing German provisions of the UWG, information is considered to be a trade secret pursuant to Article 2 (1) (a)-(c) of the EU provisions if it fulfills the following requirements:

1. a) It is secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question.
2. b) It has commercial value because it is secret.
3. c) It has been subject to reasonable steps under the circumstances by the person lawfully in control of the information to keep it secret.

In the case of reverse engineering – that is, extracting knowledge of any existing human-made product with the intent to reproduce it or to reproduce anything on the basis of the extracted information, the German courts have acknowledged reverse engineering as not constituting an illegal act of disclosure. Recital 16 of the Trade Secret Directive now clearly states that “reverse engineering of a lawfully acquired product should be considered as a lawful means of acquiring information, except when otherwise contractually agreed.”

Another important aspect of the Trade Secret Directive is the preservation of confidentiality during court proceedings (Article 9). The party in question may request an in-camera proceeding if one party has a legitimate interest in keeping the information in dispute secret from the other party or the general public. As directives (other than regulations) do not become enforceable immediately, the Trade Secret Directive needs to be adopted, where required, into the UWG (and other respective national laws) within a two-year period for it to take full effect in the particular member state.

Database protection

The German Copyright Act (Urheberrechtsgesetz, or UrhG) provides two mechanisms to protect data and databases. General protection of databases such as “standard” copyrighted work is provided by Section 4 (2) of the UrhG. The subject matter is not the data itself (which mostly consist of noncopyrightable numbers, facts and the like), but the specific way data is arranged within the database. As is the case with any other copyrightable work, a database within the context of Section 4 (2) of the UrhG must show a certain degree of originality (Schöpfungshöhe) to be considered a protectable creation, and this can be difficult to prove. In addition, the collection of data must constitute a personal intellectual creation – that is, a piece of work created by a person. This may not be the case if a software program is automatically analyzing and sorting the data.

The other, even more important, source of legal protection for data is the protection sui generis stipulated in Sections 87a et seq. of the UrhG, which draws from the (EU) Directive 96/9/EC (Database Directive). The Database Directive aims to achieve (harmonized) protection against unauthorized extraction or reuse of data for an author’s substantial investment in the collection, verification or presentation of the contents of a database. Within the meaning of the Database Directive, a maker of a database is the person or company bearing the risk of initiative and investment in the creation of the database (as opposed to, for example, mere subcontractors). Due to the specific purpose of the Database Directive to protect the commercial value of databases, it does not encompass the expression of creativity as traditionally required by copyright law (see above). A database sui generis does not, therefore, need to show any degree of originality. The extraction of a sui generis database must be ““substantial” in order to justify damage claims by the maker of the database. That is usually the case if 50% of the database is copied.

The text of the Database Directive as well as its interpretation by the Court of Justice of the European Union have, however, been widely criticized and are considered insufficient to fulfill all current needs of the digital economy. In particular, the issue of the free flow of data and the concept of ownership have become important topics in the general discussion as an excessive protection of individual personal data is seen by some stakeholders as an impediment to further developments. Just recently, the Committee on Industry, Research and Energy and the Committee on the Internal Market and Consumer protection both advised the Commission to consider ways to amend the Database Directive, leading to the introduction of the Commission’s Free Flow of Data Initiative that aims to strike a balance between ownership of data and its portability and free flow. As a result, the Database Directive might soon be subject to revision by the Commission and EU legislators.

Concluding remarks and ­recommendations

The current legal framework regarding trade-secret protection and the protection of databases ensures the ownership of data to a certain extent. The protection of database rights might be adopted by the EU in the foreseeable future. Against this background, know-how protection is vital in the digital environment. Companies have to provide to employees clear guidelines on handling data within the company and transferring it to third parties. Trade secrets in particular must be handled with the necessary degree of sensibility, secrecy and confidentiality to avoid misunderstandings and any accidental disclosure of the data to unauthorized persons and/or the general public. This means, for example, any exchange of data with business partners should take place on a need-to-know basis and no more information than is absolutely necessary should be revealed for each business interaction.

In addition, companies should negotiate confidentiality agreements or agree on standards with respect to IT safeguard measures as well as establish regulations regarding exclusive or nonexclusive rights to use trade secrets, software or protected processes. Rights to changes or further developments of data and databases should be clearly stipulated in advance. The same applies to any questions of liability for handing over or, for example, a software program incorrectly analyzing data. Of utmost importance here as well is a comprehensive, thorough legal assessment in terms of cybersecurity and data-protection laws. Diligent protection of digital assets thus requires an awareness of IP and criminal and data-protection law. Each company dealing with data and investing money in its analysis will have to establish an internal compliance regulation that deals with these topics.

claudia.milbradt@cliffordchance.com