Future IP issues relating to data-driven business models

The EU Data Act: a single market for data versus trade secrets?

On 23 February 2022, the European Commission officially presented its proposal for an EU Data Act, which aims to establish a European single market for data – a core component of the digital economy. The proposal sets out a cross-sectoral and harmonised legal framework for the access to and use of data, both personal and non-personal, whether by individuals, businesses, public sector bodies or European public authorities. 

The proposed regulation mainly applies to manufacturers and users of connected products and providers of related services within the EU. It governs rights and obligations with respect to the data generated by the use of connected devices and related services. A key element is that manufacturers of such products and providers of related services would have to make data generated by their use easily accessible to users, businesses or consumers alike. 

Users would have the right to share this data with third parties or demand that the data is made directly available to third parties. By doing so, the stated aim is to foster access to and use of data and to ensure fairness in the allocation of value from data among actors in the data economy. 

The proposed regulation has the potential to change the ecosystem for data-driven business models in the EU and it is hoped that it will foster innovation and preserve incentives to invest in ways of generating value through data. 

Conflicting objectives?

At first blush, the objectives of the proposed regulation and existing trade secrets protection may seem at odds. The Data Act seeks to facilitate the sharing of and access to data. While the Trade Secrets Directive aims to harmonise protection of confidential information across the EU, thereby recognising that ensuring control on undisclosed information is particularly important for business competitiveness and innovation-related performance. 

Despite the desire to facilitate more open access to data, the Data Act states that existing rules for the legal protection of trade secrets should not be affected. Trade secrets must be respected in the context of data use between businesses or by consumers and their confidentiality preserved.

They should only be disclosed provided that "all specific necessary measures are taken to preserve [their] confidentiality", particularly with respect to third parties. 

Where data disclosure to a third party is requested by a user and trade secrets are involved, disclosure shall be limited to the extent strictly necessary to fulfil the agreed purpose and only provided where specific confidentiality measures are agreed between the data holder and the third party. Moreover, the obligation to make data available to a data recipient does not oblige the disclosure of trade secrets, unless otherwise provided by EU law.

Practical tips for data holders – maintaining trade secrets protection

With respect to direct disclosure to third parties, data holders should consider whether the disclosure of any trade secrets is strictly necessary for the purpose agreed between the user and the third party. If not, the data holder should resist such disclosure. 

In doing so, the data holder will need to prove the data at stake qualifies as a trade secret and that reasonable steps have been taken to protect the confidentiality of the data. This will require having a proper trade secrets management and protection policy in place. Data holders should anticipate the receipt of access requests and prepare for them by conducting a trade secrets audit, maintaining a trade secrets register, and having all reasonable confidentiality measures in place.

Where trade secrets should be disclosed, the proposal emphasises the need to ensure that appropriate confidentiality measures are in place between the parties. Such measures will need to be agreed and implemented before any trade secrets are disclosed (and any related data shared). They should set out the obligations imposed on the receiver, be appropriate to the information being shared, address the specific purpose of providing the data, and set out the outcomes and remedies available should the measures be breached. 

Implementing monitoring and other technical protection measures, such as smart contracts, to ensure compliance with the agreed measures may be prudent. These are explicitly permitted by the proposal, provided that such measures are not used to hinder a user's right to provide data to third parties. 

If many access requests involving trade secrets are anticipated, data holders might want to formulate a uniform confidentiality policy to ensure consistent steps are followed for each access request and trade secrets appropriately protected in each instance. 

It is important to bear in mind that the Data Act aims to prevent the unilateral imposition of unfair contractual terms on micro, small or medium-sized enterprises by rendering any such terms non-binding. To assist in this regard, the Commission has committed to developing non-binding model contractual terms. It remains to be seen whether these will involve model provisions aimed at ensuring the confidentiality of trade secrets. If they do, these will serve as a good starting point for considering what measures to put in place. 

Practical tips for users and other data recipients – accessing trade secrets

Users and other data recipients should firstly consider whether receiving trade secrets is necessary for the purposes they wish to pursue. If possible, any data qualifying as trade secrets should be avoided as this may involve limitations on the use of the shared data. 

If such data needs to be received, users and other data recipients must ensure they understand the implications of receiving the trade secrets, including putting in place proper processes for their handling and to ensure compliance with any agreed protective measures. 

Challenging whether specific data qualifies as a trade secret may also be well advised as the data holder will bear the burden of proof of such qualification. 

As to third parties, they should ensure they are aware of the obligations the Data Act places on them, including, for example, the restrictions on the purposes for which the data can be used. 

Next steps 

At present, the Data Act remains a proposal and the draft is likely to be subject to change. We would expect the progress of the Data Act to become clear over the next year. However, the Commission's intentions are apparent: it intends to create a European data economy. All parties involved in the access to data need to be alert to the interplay between the desire for openness and existing protection of trade secrets. 

Patentability of AIgenerated inventions (inventorship and entitlement): the state of play in the EU and UK 

In the EU, inventions generated by artificial intelligence (AI) are presently not patentable. The European Patent Office has rejected the notion that an AI system can be regarded as an inventor. Only humans can be named as inventors on a patent application. As a result, an invention generated autonomously by an AI system without human involvement will not be attributed to any inventor and will not be patentable. 

The sole ownership of the AI system generating the invention is not sufficient to determine inventorship. Any European patent application treating such an owner as the inventor will be rejected. Further, a machine cannot legally transfer any rights under EU law and therefore the owner of an AI system cannot be the machine’s successor in title to apply for a patent. The debate heats up when considering AI as a tool for the human inventor. If AI is used in the process of developing an invention, the assessment of inventive step may be challenging: the higher the degree of autonomy, the more difficult it will be to speak of the AI as a tool.

Similarly in the UK, the Court of Appeal has also recently held that an AI system cannot be an "inventor" for the purposes of filing a patent. Nor is the owner of an AI machine entitled to any intangibles produced by the machine. However, the owner of the AI system in question before the Court of Appeal (known as "DABUS") has sought leave to appeal this judgment to the UK's Supreme Court. The UK Intellectual Property Office (UKIPO) also recently closed a second consultation on whether an AI-devised invention should be patentable in the UK, and we currently await the government's decision in response. 

Even more recently, the German Federal Patent Court provided a pragmatic solution to obtaining patent protection for inventions created by AI and gave clarity on how to correctly register inventions created by AI.6 The court held that the listed inventor on a patent application must be a human, even when the AI system devised the invention. However, the AI system can also be named on the patent application. 

Copyright protection for computer-generated works: contrasting positions in the EU and UK

AI is increasingly used to generate creative works, but are those works protected by copyright? In the EU, the short answer is no. Although the Court of Justice of the European Union (CJEU) has not yet dealt with the copyrightability of computer-generated works, previous judgments have confirmed that copyright protection requires some form of human input because it must reflect the author’s personality. Purely computer-generated works, by definition, lack any form of human contribution and are, as such, not eligible for copyright protection. If a computer programme is copyrightable, such protection is separate from any protection that could potentially be afforded to any works it autonomously creates. 

In contrast to the position under EU law, the UK has expressly provided for copyright protection of computer-generated works (which would include works generated by AI) by the Copyright, Designs and Patents Act 1988. Care must be taken to distinguish between works that are created by a computer or AI, which have a 50 year protection from the date the work is made, and works created by a person using a computer (or AI) as a tool, which will have a longer copyright protection.

Exemptions to copyright protection for text and data mining – the EU and UK positions

Data mining – the extraction of certain contents from a database – is useful to provide AI systems with large datasets from which to learn. EU law provides for two exemptions to copyright protection of works for the sake of text and data mining (TDM). 

The first exemption is for a specified class of users, applying only to research organisations and cultural heritage institutions, including: universities, libraries, museums, and archives. These institutions may conduct TDM of copyrightable works. Copies of mined works must be securely stored and may be retained by these institutions for the purposes of scientific research, including the verification of research results.

However, this exception only applies to works or databases to which the extractor has lawful access. The extracted works must therefore be freely available online or made accessible to the extractor via the rightsholder, for example through a subscription service. It is not possible for rightsholders to contractually rule out TDM of these types of organisations and no financial compensation is provided. 

The second exemption to copyright protection for TDM under EU law applies to everyone and provides for TDM and retention of lawfully-accessed copyright-protected works for non-research uses. The rightsholder does, however, have the possibility to 'opt-out' of this exemption to copyright protection, thereby prohibiting the collection and extraction of the relevant copyrighted works for commercial purposes. In order to opt-out, rightsholders must reserve their rights in the specified manner. For example, this can be declared by machine-readable means, including metadata and terms and conditions of a website or a service, or by a contractual agreement or unilateral declaration. 

At present in the UK, a specific copyright exception exists but, as for the EU exception, a number of specified conditions must be met including that the TDM must be for non-commercial research. The copyright exception also does not apply to database rights so TDM on databases that qualify for database right protection require a licence. 

However, the UKIPO's second recent AI consultation also asked for comments on whether to amend the existing TDM exemption. The consultation asked for responses on various options including whether to widen the existing TDM exception to cover commercial research and database rights, and whether rightsholders should be able to opt-out their works from the exception. We await the government's response to the outcome of the consultation.