The Promise and Perils of Enterprise Data as Trade Secrets

Last Updated: March 10, 2026
Updated by: Yang Chen


The Value and Vulnerability of Enterprise Data

 In the era of digitalization, data has become omnipresent, ready for collection and utilization by relevant actors. While we often distinguish personal data from enterprise data, it is the latter, namely, large-scale data collections generated or acquired by firms during business operations, that holds immense commercial value. Despite vigorous global debates on appropriate legal frameworks (for example, copyright, sui generis database right, property-like right), jurisdictions worldwide have not reached a consensus on how enterprise data may receive legal protection.

How Trade Secrets Apply to Data

An emerging viewpoint across jurisdictions is protecting enterprise data as trade secrets. Trade secrets law demonstrates surprising resilience in the data economy, despite being a product of the traditional economy. The subject matter of modern trade secrets law is extremely broad, often described as all-encompassing. As long as enterprise data can confer actual or potential economic value when kept secret, it may be subject to protection, provided reasonable measures are taken to maintain secrecy.

As such, trade secrets law may easily be applied to protect two main categories of enterprise data: 

1. Purely Confidential Enterprise Data

This data is kept private and confidential, so it easily satisfies the secrecy requirement of being “not publicly known or readily ascertainable.”

2. Private Data Compilations 

This data contains both private and publicly accessible information and falls aptly into the preexisting doctrine of combination or compilation trade secrets. Protection resides in the unique synthesis or arrangement itself, rather than the public components.

Indeed, judicial recognition for purely confidential data and private data compilations as trade secrets is growing and consistent. US courts routinely recognize data compilations as trade secrets, even if component parts are public, provided replicating the compilation requires “substantial time, effort, and expense.” China is seeing an increasing application of trade secrets law to dynamic, large-scale data, such as back-end data related to livestreaming or derivative data products. Furthermore, some Chinese local governments designing data property registration systems require data to be non-public and possess commercial value, effectively following the trade secrets model. In the EU, firms rely heavily on trade secrets protection when sharing confidential data. The EU Data Act explicitly acknowledges that certain confidential enterprise data may be protected as trade secrets under the EU Trade Secrets Directive (TSD), essentially recognizing the existence of “data secrets.”

The Challenge of “Semi-Public” Data

The third and most challenging category is “semi-public” enterprise data compilations. These involve business models where companies must make some or most data points publicly accessible at the front-end (for example, via a website or application interface), while keeping the back-end compilation secret. Doctrinally, the combination trade secrets doctrine appears applicable here, contingent on the public not being able to easily reproduce the aggregation.

However, the application of trade secrets law to “semi-public” data compilations remains limited. While Compulife Software Inc. v. Newman suggested that mass scraping of insurance quotes could constitute trade secret misappropriation because manual reconstruction would be “nearly impossible for a human,” subsequent disputes involving similar scraping often bypass trade secrets law in favor of other causes of action, such as breach of contract or the Computer Fraud and Abuse Act (CFAA).

It is, however, argued that the limited application to “semi-public” compilations is warranted due to fundamental issues surrounding the “not readily ascertainable” standard. The Compulife ruling adopted an overly lenient interpretation, appearing to hinge solely on the difficulty of reconstruction using manual human effort. Yet, assessing whether information is readily ascertainable must account for technological tools like scraping technology. When technological assistance is factored in, retrieving and recompiling most “semi-public” data compilations is not overly difficult. Broadly adopting the Compulife standard would risk “open[ing] the floodgates of trade secret protection,” disregarding public interests in data access.

Furthermore, extending protection here fails to serve the core theoretical purpose of trade secrets law: limiting the inefficient arms race between secret holders and appropriators. Since “semi-public” business models require open front-end access, data holders must adopt layered technical measures to deter scraping (e.g., IP blocking, CAPTCHAs). Granting a powerful remedy through trade secrets law, while leaving the “not readily ascertainable” standard uncertain, only incentivizes platforms to adopt even more aggressive and costly anti-scraping measures to counter evolving scraping technologies, thereby exacerbating rather than alleviating the arms race. 

Drawing the Line on Data Secrecy

Therefore, trade secrets law is normatively justified in offering protection only when front-end data access is truly and meaningfully restricted to a limited number of users. Examples of this high-threshold protection include business models like that in DHI Group v. Kent in the US or Taobao’s “Business Advisor” in China, where access requires paid subscriptions subject to strict contractual limitations, making the data compilation genuinely difficult to ascertain. Common business models used by social media platforms, online shopping sites, and airlines, which deliberately permit wide access to front-end data points, should fall outside the domain of trade secrets law. For those data compilations left unprotected by trade secrets law, reliance on existing legal causes of action, particularly contract law, may offer a more prudent and efficient approach by regulating front-end scraping behavior directly. 

The analysis must also address whether data scraping constitutes “acquisition by improper means,” a key element of trade secret misappropriation. Acquiring data by directly hacking or electronically intruding into a data holder’s back-end system is clearly improper means. However, scraping publicly accessible front-end data and recompiling it is conceptually closer to legitimate reverse engineering. Reverse engineering is a critical feature distinguishing trade secrets law from patent law, ensuring cumulative competition and innovation. Technical restrictions imposed by platforms, such as IP blocking or CAPTCHAs, often function merely as “speed bumps.” Circumventing these limitations does not fundamentally transform the act of collecting publicly available information into improper acquisition.

When dealing with authentication measures, like login credentials, merely creating automated accounts or using third parties’ accounts to access data should generally not be treated as improper means. To interpret these actions as improper would lead to the same extreme outcome as a lenient “not readily ascertainable” standard: nearly all scraping activities would trigger trade secret liability, excessively tilting the balance toward data holders and risking the creation of information monopolies.

Furthermore, data scraping that breaches anti-reverse engineering clauses in terms of service should not, by itself, trigger trade secrets liability. Allowing contract law to override the doctrine of reverse engineering undermines the careful doctrinal equilibrium intended by trade secrets law. Such an approach would severely exacerbate the growing problem of trade secret overclaiming.

For more details on the arguments and relevant cases discussed, please see the article forthcoming in 29 Stanford Technology Law Review.

About Yang Chen 

Yang Chen is an assistant professor at the City University of Hong Kong. He has received an LLB from China University of Political Science and Law, an LLM from London School of Economics, and another LLM and SJD from the University of Pennsylvania Carey Law School. Yang works primarily in the area of intellectual property law, with a particular interest in trade secrets law and the right of publicity. He also researches trademark law and copyright law. His works have appeared in several journals such as the Columbia Journal of Law and the Arts, University of Pennsylvania Journal of Business Law, and Stanford Technology Law Review.
