In 2018, an employee requested access to and a copy of all their personal data processed by the employer during the past decade (this is pursuant to the data subject’s right of access enshrined in art. 15 (1) and (3) of the European General Data Protection Regulation (“GDPR”)). The employee considered the response unsatisfying and filed a complaint with the Belgian Data Protection Authority (“DPA”). The DPA issued a decision on February 9, 2021 (the “Decision”).
Simple reasoning by the DPA
After highlighting some GDPR principles, the DPA turned to the more specific question of trade secrets protection. The employer had raised the issue of its own “privacy” as a corporate entity to refuse access to emails. The DPA recalled on the one hand that any derogation from a data subject’s right of access to their personal data (i.e. a derogation from their data protection and privacy rights) must be interpreted restrictively. On the other hand, the DPA also referred to article 15 (4) of the GDPR (the data subject’s right of access should not adversely affect the rights and freedoms of others, like trade secrets (Recital (63) GDPR)). Accordingly, the DPA highlighted that, as a derogation from the employee’s right of access, the employer’s trade secrets must also be interpreted restrictively and examined on a case-by-case basis. From the foregoing, the DPA distilled the following test: to successfully invoke trade secrets as an exception to the data subject’s access right, a threat to the alleged trade secrets ought to be clearly demonstrated by the data controller.
Applying its test to the facts of the case, the DPA agreed that there was such a clear threat. Surprisingly, the DPA did not base its decision on any written arguments of the employer, but on mere declarations made by the employer during the oral hearing. There, the employer stated that the employee’s role in the company made them knowledgeable of the clients’ names, account and invoice data, which all constitute “potentially sensitive information on the employer’s business.” In addition, the employer asserted that the employee had often disclosed the company’s confidential information on a private blog prior to public announcement by the company. On the basis of the above elements, the DPA was satisfied that a threat to the employer’s trade secrets was sufficiently proven. Therefore, by refusing to grant access to their personal emails containing alleged trade secrets, the employer did not violate the employee’s right of access. By way of obiter dictum, the DPA also added that if a threat to the trade secrets had not been demonstrated, it would have been appropriate to grant access to a redacted version of the employee’s emails. This would have allowed the employee to exercise their privacy right while protecting the company’s confidential information.
While the DPA’s Decision seems favorable for any data controller protecting their trade secrets, for any trade secrets aficionado, it has several flaws that might affect its value as precedent.
First, the DPA failed to define what a “threat” to trade secrets is. While a trade secret expert may infer that a “threat” equates to a risk of unlawful disclosure or misappropriation, nothing in the Decision provides guidance to the reader.
Second, the DPA’s assessment of the trade secrets exception to the exercise of the right of access is in sharp contradiction with the principles applicable to fundamental rights and freedoms as set out by the DPA in the Decision. While the DPA recognized that a restriction to a data subject’s privacy right should be interpreted restrictively, it seemed easily satisfied with the data controller’s general assertion that the data subject’s work-related emails contained “potentially sensitive information” for the employer’s business. In fact, the DPA never ran the three-part test to determine whether information qualifies as a protectable trade secret (see our blog posts here and here). As a reminder, pursuant to the EU Trade Secrets Directive and to the Belgian provisions transposing it, business information only qualifies as a trade secret if the following three conditions are fulfilled:
- it is secret (i.e. it is not generally known by the persons within the circles that normally deal with the kind of information in question);
- it has commercial value because it is secret;
- it has been subject to reasonable steps by the holder thereof to keep it secret.
Third, the DPA’s approach is also contrary to certain Belgian trade secrets case law, in particular as to the type of business information that is subject to trade secret protection. As explained in our blog post on this topic, some Belgian civil courts have ruled that data which is also in the hands of customers (account and invoice data) and which can be reconstructed by competitors is unlikely to meet the secrecy and commercial value conditions set out above.
Bottom line: a trade secret exception to a privacy right should be substantiated
The Decision cannot be considered as the gold standard for companies to rely on some obscure trade secrets to refuse a data subject’s request pursuant to their right of access under the GDPR. The Decision is the first (published) one of its kind and has several flaws.
This does not mean that companies should never invoke trade secrets in similar circumstances. It simply means that businesses should carefully substantiate their decision to (partially or entirely) refuse a data subject’s request to access their personal data on the basis of their trade secrets. As a back-up solution, if a threat to these trade secrets is not sufficiently demonstrated, a company looking to protect its confidential information could still provide a data subject access to a redacted copy of the data, as per the DPA’s obiter dictum suggestion.