How to Keep Trade Secrets Secret When Regulators Expect AI Transparency

Trade secrets are a pivotal element in the competitive strategies of businesses, fostering innovation and providing a flexible, cost-effective means to safeguard valuable business information. They are an instrumental part of both corporate governance and compliance. 

Anything that is safeguarded and has independent economic value can be a trade secret, including business processes, advances in technology, secret formulas, algorithms and more. The protection of trade secrets is fundamental for maintaining a competitive edge, spurring investment in research and development and driving economic growth. 

This is particularly salient in the age of AI, where organizations are using generative AI prompts and outputs to improve operations and are, in some cases, creating new AI-based technologies. 

Trade secrets are subject to certain risks and compliance obligations as a result of new AI-related laws and regulations in the EU and the US. For instance, an EU regulation laying down harmonized rules on artificial intelligence is the first comprehensive AI law in the world, and the EU regulation on harmonized rules on fair access to and use of data introduces new rules regarding the access, use and sharing of data generated by connected products or related services, as well as new obligations to ensure fairness in the data economy. 

Simultaneously, the EU has set out a path to the creation of Common European Data Spaces, aimed at fostering the sharing and utilization of data across different sectors. In this context, the European Health Data Space Regulation has been proposed. The EHDS aims to improve access to health data by establishing, among other things, a system for the reuse of health data for research, innovation, policy-making and regulatory activities. 

Meanwhile, in the US, a flurry of state-level activity in AI law has set the stage for regulation. In particular, Colorado has passed an AI law that requires regulatory compliance for certain high-risk AI systems that make “consequential decisions” spanning education, employment, healthcare, insurance and many more industries. 

The existence of regulations to mitigate AI risks are important. But compliance with certain obligations provided within the new laws can create some tensions with the protection of trade secrets, and compliance managers should be aware of those tensions. 

Featured

New White House, New AI Rules: Corporate America’s Next Move

by Alla Digilova, Eugene Goryunov and Alok Choksi

February 5, 2025

Read moreDetails

Lurking risks

Transparency plays a central role in recent AI and data laws, underpinning a range of obligations enshrined therein. Under the EU AI Act, this includes the obligation to provide detailed technical documentation, which must cover information about the general logic of the AI system and of the algorithms; training methodologies and techniques, as well as information about the training data sets used; and more. Under the EU Data Act, manufacturers of connected products or related services are required to provide a list of data generated by connected products or related services. In the Colorado AI law, extensive documentation must be provided to the Colorado attorney general about AI systems that are deployed by organizations, including a risk management policy and impact assessment.

Furthermore, a fundamental pillar found in recent AI and data laws is the mandate to enhance data access and data sharing. Under the EU Data Act, this entails the obligation to grant access to raw and pre-processed data to users and third parties designated by the users of the concerned products. Additionally, under the EDHS, health organizations in scope will need to provide access to electronic health data for a defined list of permitted secondary uses, including scientific research, certain development and innovation activities and algorithmic training.

Despite the EU AI Act and other laws saying that trade secret information should be safeguarded in connection with the above transparency requirements, companies that comply with these obligations risk disclosing trade secrets related to critical aspects of their products and technologies to a wide array of stakeholders, potentially including other businesses and competitors. This risk is amplified when companies are required to share multiple datasets and information, which, when combined, could reveal sensitive information about their technology, the training sets employed or the algorithms used. Such scenarios heighten the risk of reverse-engineering, potentially leading to a loss of competitive advantage, financial repercussions and reputational and operational disruptions. 

Another common feature of recent AI and data laws is the extensive access powers granted to competent authorities for the exercise of their enforcement duties. These entail disclosure of a broad range of information to competent authorities that can pertain even to the core elements of a company’s technology protected by trade secrets, such as source code.

While competent authorities are bound by certain confidentiality obligations, such disclosure can have several significant effects on a company, in particular in case of unauthorized access or leaks. This could occur due to cybersecurity breaches, human error or inadequate protective measures within an authority.

Moreover, this is not the end of the regulatory evolution. Further advancements in AI and data regulations are anticipated in the near future. Specifically, more regulatory developments on AI liability are expected soon in the EU, while the European Commission has already signaled its plans to bolster data availability and sharing through the implementation of a “European Data Union Strategy” and the development of an “Apply AI Strategy” to boost new industrial uses of AI. These forthcoming developments could potentially reignite concerns among businesses about the protection of their trade secrets.

What can you do?

As a forward-thinking company aiming to comply with recent AI and data laws while protecting trade secrets, it is essential to develop a robust business strategy. Compliance managers should have safeguards in place to conspicuously identify, label and determine whether trade secrets should be disclosed in connection with transparency obligations. They should also evaluate the extent to which the transparency obligations require disclosure of trade secrets. One of the principles of the EU AI Act and similar laws is proportionality, and part of that principle is to ensure that transparency is maintained but that trade secret information is disclosed only to the extent necessary. And the Colorado AI law makes clear that nothing in the law “requires a deployer” of AI “to disclose a trade secret.” Here are several key recommendations to achieve this balance between transparency and proportionality:

Identify which data and information you are obliged to share and which you are not

Conduct a thorough analysis to determine which data you are legally required to share and which data is exempt from this obligation. While you may hold vast amounts of data, not all of it will be relevant for compliance purposes. 

Determine and document the data and information that need to be protected as trade secrets

Ensure a common understanding within your company of what constitutes a trade secret. Identify and document the data essential for safeguarding your business models and competitiveness, thereby deserving trade secret protection. This may require the creation of internal policies and procedures for the identification of trade secret information. In our experience, many companies have policies and procedures to identify patented inventions but do not have explicit procedures for the identification of trade secrets.

Conspicuously label and identify trade secret disclosures

To the extent that you determine that disclosure is required under one of the new AI laws or transparency requirements, it is critical that any trade secret information is conspicuously identified and labeled, so that the governmental third party maintains the information’s trade secrecy. One of the biggest risks in trade secret law is inadvertent public disclosure.

Implement additional mitigation measures

Simply identifying and labeling trade secrets is not sufficient. It is also important to develop and implement appropriate technical and organizational measures to protect your trade secrets, whether known or unknown. Such measures are particularly important if trade secrets might be shared with third parties. This should be a continuous and iterative process within any organization, with the appropriateness of these measures constantly monitored and updated as needed. Additional measures can include the following:

• Confidentiality clauses and nondisclosure agreements (NDAs): These clauses and agreements can significantly aid in the protection of trade secrets by providing a standardized and legally robust framework to govern the sharing and safeguarding of trade secrets. Confidentiality clauses should explicitly define what constitutes confidential information and legally obligate all parties involved to keep trade secrets private. NDAs can legally bind parties to confidentiality, preventing them from sharing trade secrets with unauthorized parties.
• Usage restrictions: Incorporate both contractual terms and technical specifications that limit how and for what purposes the data protected by trade secrets can be used, ensuring they are not exploited beyond the agreed scope.
• Intellectual property clauses: Include clear stipulations on the ownership of trade secrets to prevent disputes and ensure that you, as the originating party, retain control over them.
• Technical standards and related terms: Specify technical standards that must be implemented to protect trade secrets, including access controls, encryption, incident response plans and regular security audits.
• Audit rights clauses: Include clauses that allow you, as the trade secret-holder, to periodically verify that other parties are complying with the agreed-upon protection standards and measures.
• Codes of conduct: Participate in the drafting and preparation of codes of conduct relevant to your sector. This could allow you to contribute to establishing clear guidelines and benchmarks for compliance and trade secret protection practices within your industry.
• Monitor regulatory developments and engage in advocacy efforts: In the context of recent AI and data laws, there are several opportunities to influence the implementation process and the interpretation of various legal requirements enshrined therein. Keeping abreast of the regulatory developments, engaging with regulators and responding to public consultations can be key in shaping the AI and data regulatory landscape in a way that it reflects your views on its implications to trade secrets.

Protecting your trade secrets while ensuring compliance with recent AI and data laws is a delicate exercise, and compliance requires a methodological and structural approach. By crafting a comprehensive strategy now to protect your trade secrets, you could ensure that your trade secrets are well-protected and your policies, procedures, and systems are aligned with the latest AI and data regulatory requirements. This would permit you to have the right structures in place before you might be subject to the transparency requirements of the EU AI Act, the EU Data Act, the Colorado AI law and other laws and regulatory requirements on the horizon. Developing your compliance strategy early on will not only help mitigate legal risks but also safeguard your company’s products, technologies, business model and financial interests.