Industry 4.0: legal protection of machine-generated data

Stefan Hessel

In the past, data from production processes tended to be seen as a secondary byproduct with little economic value. But with the progressive digitization of production processes as part of Industry 4.0, analysis of data from the hardware and software elements of machinery is becoming increasingly important economically. Analyzing machine-generated data from a smart factory (only in German) may enable improvements to production processes, and the ability to analyze machine-generated data for the entire supply chain or entire manufacturing segments may be even more intriguing.

But trading and exchanging machine-generated data involves a high risk that the data will fall into the hands of unauthorized third parties. Since companies have an interest in protecting their data, this raises the question of how the data can be protected. Particularly sensitive are cases in which companies make their data available to outsiders, e.g. for inter-company analyses, which offer the greatest potential benefits. Technical methods such as encryption have significant limitations in such cases, and traditional legal options for protecting company data are not much more effective.

A right of ownership to data does not exist and copyrights cannot be invoked because the data are machine-generated, rather than being the intellectual creation of an individual. Moreover, the data typically cannot be matched to any specific individual, so that data protection law does not apply. Application of this law would in any case be undesirable since it would open the door to possible rights of access for data subjects. Criminal penalties generally apply only if the data were obtained without authorization, which is not the case if the data were originally released voluntarily. While contractual arrangements (such as NDAs) may provide a certain degree of protection, the sharpest tool which the legal system provides, that of criminal sanctions, is not available in this case. And contractual arrangements have another weakness as well: they only apply between the contracting parties. Once the data leave the circle of the contracting parties and fall into the hands of third parties, those third parties are not bound by the contractual arrangement.

However, the German Trade Secret Act offers potential solutions for these problems. This legislation was enacted a relatively short time ago, and did not take effect until 26 April 2019. It defines the legal consequences for the acquisition, use and disclosure of trade secrets between private individuals. Its protective mechanisms are applicable in all cases where a trade secret exists, as defined in § 2(1) of the Trade Secret Act, i.e. in cases involving non-public information of economic value where the lawful owner has taken adequate measures to maintain the confidentiality of this information. Otherwise, it is only necessary for the owner to have a legitimate interest in maintaining secrecy.

Since for information to be considered "non-public" in accordance with § 2 No. 1 (a) of the Trade Secret Act it is only necessary for access to be restricted in practice, the question as to whether information qualifies as a trade secret centers upon whether adequate measures have been taken to keep the information secret.  These measures must afford adequate protection against unauthorized access, but do not necessarily have to include technical precautions: legal measures, such as the aforementioned non-disclosure agreements, may be sufficient. The specific measures which are required in each case are to be determined based on a risk assessment.

If the Trade Secret Act applies, secret holders have extensive options for obtaining legal relief, such as abatement and desistance claims, as well as damage claims. These claims may be asserted against each and every infringer, unlike claims based on non-disclosure agreements, which can only be asserted against contracting parties. Those who violate trade secrets may face criminal liability as well.

Accordingly, companies are emphatically advised to establish adequate protective measures and set up a management system for the protection of their secrets. If done properly, this need not result in a great expense for the company but may produce enormous benefit.

For detailed background information, also see: Hessel/Leffer, Rechtlicher Schutz maschinengenerierter Daten – Schutz durch das GeschGehG, MMR 2020, 647 et seq.

[October 2020]