Simple facts …

In 2018, an employee requested access and a copy of all his personal data processed by the employer over the past decade (in accordance with the data subject’s right of access enshrined in Article 15 (1) and (3) of the General Data Protection Regulation (“GDPR”)). The employee considered the response unsatisfactory and filed a complaint with the Belgian Data Protection Authority (“DPA”). The DPA issued a decision on February 9, 2021 (the “Decision”).

Simple reasoning of the DPA

After having highlighted certain principles of the GDPR, the DPA turned to the more specific question of the protection of trade secrets. The employer had raised the issue of its own “privacy” as a legal person to deny access to the emails. The DPA recalled on the one hand that any derogation from the right of access of a data subject to his personal data (that is to say a derogation from his rights to data protection and privacy) must be interpreted restrictively. On the other hand, the DPA also referred to Article 15 (4) of the GDPR (the right of access of the data subject must not infringe the rights and freedoms of others, such as trade secrets (recital (63) of the GDPR)). Accordingly, the DPA stressed that as a derogation from the employee’s right of access, the employer’s trade secrets must also be interpreted restrictively and examined on a case-by-case basis. From the above, the DPA has developed the following test: In order to successfully invoke trade secrets as an exception to the right of access of the data subject, a threat to the alleged trade secrets must be clearly demonstrated by the controller.

Applying its test to the facts of the case, the DPA agreed there was such a clear threat. Surprisingly, the DPA did not base its decision on written arguments from the employer, but on simple statements made by the employer at the hearing. There, the employer said that the employee’s role in the company allowed him to know the names of customers, account and billing data, which all make up “potentially sensitive information on the employer’s activity.” Additionally, the employer claimed that the employee often disclosed confidential company information on a private blog prior to the company’s public announcement. Based on the above, the DPA was satisfied that a threat to the employer’s trade secrets was sufficiently proven. Therefore, by denying access to their personal emails containing suspected trade secrets, the employer did not violate the employee’s right of access. As an obiter dictum, the DPA also added that if a trade secret threat had not been demonstrated, it would have been appropriate to grant access to a redacted version of the employee’s emails. This would have allowed the employee to exercise their right to privacy while protecting confidential company information.

While the DPA’s ruling appears favorable to any controller protecting its trade secrets, and to any trade secret aficionado, it has several flaws that could affect its value as a precedent.

First, the DPA has not defined what a “threat” to trade secrets is. While a trade secret expert may infer that a “threat” equates to a risk of misrepresentation or misappropriation, nothing in the decision provides guidance to the reader.

Second, the assessment by the DPA of the exception relating to business secrets to the exercise of the right of access is in flagrant contradiction with the principles applicable to fundamental rights and freedoms as set out by the DPA in the decision. Although the DPA recognized that a restriction on a data subject’s right to privacy should be interpreted restrictively, it seemed easily satisfied with the data controller’s general assertion that work-related emails of the data subject contained “potentially sensitive information” for the employer’s business. In fact, the DPA did not run the three-part test at all to determine if the information is considered a protectable trade secret (see our blog posts here and here). As a reminder, in accordance with the European directive on trade secrets and the Belgian provisions transposing it, commercial information can only be classified as a trade secret if the following three conditions are met:

  1. it is secret (that is, it is generally not known to those in circles who normally deal with the type of information in question);
  2. it has commercial value because it is secret;
  3. it has been subjected to reasonable measures by its holder to keep it secret.

Thirdly, the DPA’s approach is also contrary to certain Belgian case law on trade secrets, in particular as regards the type of commercial information subject to trade secret protection. As explained in our blog post on this subject, some Belgian civil courts have ruled that data which is also in the hands of customers (account and billing data) and which can be reconstructed by competitors probably does not meet the conditions of secrecy and commercial value set out above.

Conclusion: a trade secret exception to a right to privacy must be justified

The decision cannot be considered the gold standard for companies to rely on certain obscure trade secrets to deny a data subject’s request under their right of access under the GDPR. The decision is the first (published) of its kind and has several flaws.

This does not mean that companies should never rely on trade secrets in similar circumstances. It simply means that companies must carefully justify their decision to deny (partially or entirely) a data subject’s request to access their personal data on the basis of their trade secrets. As a backup solution, if a threat to these trade secrets is not sufficiently demonstrated, a company seeking to protect its confidential information could still provide a data subject with access to a redacted copy of the data, in accordance with the DPA’s obiter dictum suggestion.