I. Introduction
Trade secrets are important for business competitiveness. They encompass confidential information, such as formulas, processes and designs, that holds economic value because of its secrecy. To qualify, information must be secret, possess commercial value from its secrecy, and be actively protected through reasonable efforts, such as Non-Disclosure Agreements (NDAs), physical security, and digital safeguards. The DPDP Act, by its stated purpose, aims to promote privacy, raise safety standards in the data industry and ensure clear guidelines for processing digital personal data; these guidelines lead with consent, transparency and responsibility and give users more control over their data. A key paradox arises from trade secrets requiring information not to be public knowledge, while the DPDP Act exempts data voluntarily made publicly available by individuals. If personal data that is potentially part of a trade secret (a customer list, for example) becomes public through the data principal's actions, its trade secret status is called into question. The DPDP Act's exemption, without specific trade secret carve-outs, could inadvertently undermine protection.1
New developments in information technology have connected business secrets with personal data. As a result, there is tension between trade secret laws that declare data confidential and the extensive rights individuals have under the DPDP Act. Because trade secrets have rights-based protection compared to common law, there is a need to better align these two rules in India.
II. Understanding Trade Secrets Under the Indian IP Framework
Under Article 39 of the WTO TRIPS Agreement,2 trade secrets require three conditions: secrecy, commercial value from that secrecy, and reasonable protection efforts. Secret means not generally known, even if not entirely novel. Commercial value means economic benefit from confidentiality. Reasonable efforts include NDAs, restricted access, firewalls, and physical security.
India lacks a specific trade secret statute, relying on Contract Law (enforcing NDAs), Common Law Principles (breach of confidence), and Indirect Statutory Protection (Indian Penal Code, IT Act). The proposed Protection of Trade Secrets Bill 2024 aims to codify this, but it is not yet law. This reliance on ex post facto enforcement makes protection less robust than in jurisdictions with dedicated statutes, creating unpredictability and a need for codified law.
Trade secrets often include source code, client databases, R&D, pricing, and manufacturing processes. Indian cases like Zee Telefilms Ltd. v. Sundial Communications Pvt. Ltd.3 highlight common law protection for confidential ideas. However, American Express Bank Ltd. v. Ms. Priya Puri4 established that publicly available information (like customer contacts) isn't a trade secret, balancing employer interests with employee mobility. This case also underscored that information easily compiled from public digital sources weakens its secrecy, creating a direct conflict with data privacy concerns, as this publicly available information is often personal data. Many companies use personal data, such as access logs and signed NDA records, when working to protect their trade secrets. Any lack of organization could lead to more data gathering, meaning companies must deal with more demanding data privacy compliance. The end result is that keeping trade secrets safe can make it harder to comply with data privacy laws.5
III. Understanding the Overview of India's DPDP Act, 2023
The Digital Personal Data Protection Act, which became law in August 2023, is India's leading framework for personal data online. It tries to harmonize the protection of personal data by following the law. Digital personal data processed in India, whether online and electronic or not, is included under the Act, and it applies outside of India for any services provided to Indians. It makes consent, openness, and accountability the key values of its guidelines. Data Principals may access their data, correct any errors, delete it, seek redress for problems, and withdraw their consent. Data Fiduciaries (entities processing data) must obtain free, specific, informed consent, minimize data, ensure accuracy, implement security, cease processing and erase data when the purpose is fulfilled or consent is withdrawn, and report breaches to the Data Protection Board of India (DPBI) and affected individuals.6
Under Section 7(i), employers do not need to obtain employees' consent to use their data if the reason is to help safeguard against legal risks, support employment, or protect company secrets.7 However, this exemption is limited to employees, excluding contractual staff, and its interaction with other data principal rights like erasure remains ambiguous, potentially leading to disputes.
The principle that data is to be deleted once its purpose is served and when consent is revoked conflicts with the interest in keeping data for the long term (possibly many years) to maintain trade secrets for AI and machine learning. As a result, innovation is made more difficult.
Specific sections address children's data (Section 9), mandating verifiable parental consent and prohibiting harmful processing.8 Section 10 outlines additional obligations for Significant Data Fiduciaries (SDFs), including appointing a Data Protection Officer (DPO) and conducting Data Protection Impact Assessments.9 Section 15 mandates breach notifications.10
Businesses face complex compliance issues, such as difficulties with managing consent, rules for moving data between nations, keeping data safe for a long time, and redressing complaints. Failure to comply with the regulations could cost a company up to ₹250 crore in case of a data breach.11 Since strict liability can lead to significant financial consequences for a business, it may motivate businesses to focus on DPDP compliance instead of protecting trade secrets where the two are in conflict.
IV. The Legal Conflict: Trade Secrets vs. Data Privacy
The Act creates a conflict: allowing Data Principals to access and erase their data goes against protecting the secrecy of trade data. It is difficult and costly to remove data from AI systems today, and doing so might erase the company's unique experiments. The law fails to see how data is linked in this way, so businesses must now remove data without knowing how it is used. This demonstrates a significant need for clear laws covering both the feasibility and proportionality of deletion requests related to complex trade secrets.
Examples of the Data-Trade Secret Conflict:
- AI Training Data: Much of the value in trade secrets, like AI models, depends on using huge collections of customer data when creating them. Deleting personal data at a user's request is not easy for technical reasons. This casts doubt on the model and its use of private knowledge, in a way that could see the company challenged in court.12
- Confidential Performance Review Systems: Organizations use confidential performance review systems containing sensitive employee data; both their approach and main findings might be considered trade secrets. A conflict arises if employees, as Data Principals, request access, correction, or erasure of their sensitive performance data. The ability to use data for employment under Section 7(i) of the DPDP Act does not settle this dispute. If the information is shared or altered, the proprietary approach to evaluation may be revealed, threatening the system's trade secret status.13
The Act does not clearly explain if companies can refuse to delete someone's data when it involves trade secrets. While there are some valid reasons for keeping data, companies (called Data Fiduciaries) are not allowed to say no to data deletion just because it involves trade secrets. Also, the rule under Section 7(i), which allows using data for employment purposes, does not apply to all cases. Because the law is not clear, companies might be forced to break the rules or reveal their confidential business information in court to defend themselves. This creates a strange situation where following the law could mean doing something illegal.
V. Corporate Risk & Compliance Strategy
The DPDP Act is vague in how it balances data privacy and trade secrets, so businesses face a lot of uncertainty regarding compliance and lawsuits. Firms are regularly faced with the challenge of complying with data erasure while still keeping their business information secure. Setting up robust solutions like granular data categorization and more advanced anonymization costs a lot of resources and is very complex. Covering technology, staff, and training can be very tough for SMEs and startups, so they need government help to handle these many operational challenges and expenses.14
Industries heavily reliant on data and innovation are at elevated risk due to this legal ambiguity. These include:
- IT and BPO: IT and BPO companies store a lot of customer and client information in their own special systems and software. They handle this data carefully because it's often sensitive and must follow strict privacy rules. Since they work with other companies' data, they need to protect it and follow the law to keep it safe.15
- AI: AI uses large amounts of data to learn and make decisions. This data often includes personal details about people. Because of privacy laws, AI companies have to be careful with this data and respect people's rights to control their information. Sometimes, this can be tricky because deleting data can affect how well the AI works.16
- Health tech and Pharma: Health tech and pharmaceutical companies collect private patient information to help with medical research, treatments, and health services. This information is very sensitive and protected by strict rules. Sharing or deleting this data can be difficult because it might reveal secret medical research or treatments.17
- Fintech: Fintech companies handle personal financial information to offer services like online banking, credit checks, and fraud detection. They use this data to build systems that keep money safe and help decide who gets loans. Because this information is private and important for their work, they have to follow data protection laws carefully.18
Firms that use large amounts of data must stick to data privacy rules and guard their valuable industry secrets at the same time. When companies do not control these risks, they may lose the trust of their customers, and investors may withdraw their support if trade secrets are released. This leaves a company dealing with two forms of risk at once. If regulations are not balanced, neither innovation nor investment will be solid, which may result in a less bright future and a weaker position for the company.
Steps for Risk Reduction
- Structured Data Management: Organizations should introduce internal policies for data classification that identify personal data, trade secrets, and the areas where they overlap. Setting access permissions by the principle of "need to know" is very important. Retention periods should be set separately for these kinds of data, to protect trade secrets while following deletion obligations.19
- Strengthening Confidentiality Through Contracts: It is necessary to create solid NDAs and confidentiality agreements for all people and companies involved. These should make clear what counts as a trade secret and how private information within trade secrets is to be handled, to comply with both DPDP and IP regulations. Training and exit interviews reinforce these further. In the Indian legal system, the strongest contractual agreements are used to stop or respond to breaches through injunctions or compensation, making them a central first defense.20
- Data Anonymization Techniques: Leverage anonymization, pseudonymization, and aggregation to protect personal data while retaining analytical value for AI models and research. Techniques like data masking or synthetic data can safeguard trade secrets while fulfilling DPDP erasure/minimization requirements, though they may limit personalization.21
- Policy Advocacy for a Clarifying Amendment or Rules under DPDP: Taking part in government processes and DPBI activities is necessary to ensure clear subordinate laws solve the conflict between trade secrets and data privacy. Businesses should support both balancing rules similar to GDPR and the quick approval of the Protection of Trade Secrets Bill, 2024. To ensure a stable environment for new ideas, being proactive with regulations is very important. Because of the new DPDP Act and the proposed Bill on Trade Secrets, companies must adjust their compliance strategies often. Agile laws and systems, supported by dedicated specialists, allow organizations to monitor changes, modify policies, and adopt new technologies frequently. If firms rely on a static approach, they may face more dangers and a delay in complying with regulations.22
- Use Technology and Checks to Protect Information: Use tools like strong passwords, two-step verification, and secure networks (VPNs) to keep information safe. Clearly label any confidential documents or emails so everyone knows they are private. Keep track of who accesses sensitive information and check regularly for any unauthorized use. Make sure to remove access rights when someone leaves the company. Avoid marking too much information as secret because it can cause confusion and make people less careful.23
VI. Policy Recommendations
The government and DPBI should issue clear rules that resolve the difference between what a data principal can do with their data and what is protected as a trade secret. The guidance ought to give data fiduciaries some practical options to address these concerns when enterprise trade secrets, including personal data, are subject to such requests. Having such rules would limit confusion, provide a clear direction for courts, and ensure that decisions aren't left to arbitrators. Because there are rapid developments in AI, the legislation needs to be able to adapt and be re-examined occasionally to support both progress and people's rights.
India should align its DPDP framework with international principles. As a TRIPS Agreement signatory, India is obligated to protect undisclosed information. Future DPDP rules should integrate with this IP framework to avoid undermining international commitments. Adopting GDPR's balancing language (Article 15(4) and Recital 63) or principles allowing proportionality tests for data disclosure, where it disproportionately harms a legitimate trade secret, would be beneficial. The approach in the U.S. (DTSA and state privacy laws), as well as the APEC Privacy Framework, are helpful in this effort. Aligning with international best practices will enhance India's appeal for foreign direct investment and foster innovation. Because of the current confusion, leading companies and up-and-coming Indian startups avoid making major investments in data-focused research.
The DPBI should consult extensively with industry members, law specialists, advocates for privacy, and technology professionals. Teamwork in this process will help find balanced and practical answers. It is urgent to explain under Section 7(i) what constitutes a legitimate use of trade secrets compared to the rights of data principals. Both checking for compliance and explaining legislation from the state are tasks handled by the DPBI. Mistakes in passing laws can result in courts making decisions based on older related court cases, which confuses businesses. Compliance with all necessary laws would smooth out many business issues for organizations.
VII. Conclusion
A major problem is ensuring that both individual information and business secrets are safeguarded when Privacy Law and the Investigatory Powers Act interact. Although individuals have rights under the DPDP Act, these generally cannot conflict with a company's duty to protect its trade secrets. Whenever there is no clear law on the subject, companies may be unclear about their duties when dealing with these requests. Creating explicit exceptions or a balance system, for example, as found in the GDPR, can fix this problem. Furthermore, making trade secret protection part of Indian law would bring definition and keep India up to date with the practices followed worldwide. Because sectors such as AI and healthcare heavily depend on data, India has to make sure that privacy is always part of new developments. Comparable regulations strengthen privacy and give firms a chance to succeed in the quickly advancing digital market. If India wants to be a major center for technological and innovative work, managing privacy laws and trade secrets will benefit individuals and corporations.
Footnotes
1. Jake Frankenfield, 'Trade Secret' (Investopedia, 31 January 2023) https://www.investopedia.com/terms/t/trade-secret.asp accessed 23 May 2025.
2. World Trade Organization, Agreement on Trade-Related Aspects of Intellectual Property Rights, Part IV: Acquisition and Maintenance of Intellectual Property Rights and Related Inter-Partes Procedures (1994) https://www.wto.org/english/docs_e/legal_e/27-trips_04d_e.htm accessed 23 May 2025.
3. Zee Telefilms Ltd v Union of India (2005) 4 SCC 649 https://indiankanoon.org/doc/603848/ accessed 23 May 2025.
4. American Express Bank Ltd v Ms Priya Puri (2006) 110 DLT 670 (Del).
5. A K Pandey, 'Conceptual Understanding of Privacy: A Fundamental Right' (2020) 7(1) Journal of Law and Jurisprudence https://lawjournals.celnet.in/index.php/Jolj/article/view/1802 accessed 23 May 2025.
6. DPDP Consultants, 'DPDP Act 2023: A Comprehensive Guide for Indian Businesses' (DPDP Consultants Blog, 29 August 2023) https://www.dpdpconsultants.com/blog/DPDP_Act_2023_A_Comprehensive_Guide_for_Indian_Businesses.php accessed 23 May 2025.
7. Puthran's, '7 Key Highlights of the Digital Personal Data Protection Act, 2023' (Puthran's Blog, 21 August 2023) https://www.puthrans.com/7idpdpact2023/ accessed 23 May 2025.
8. ApniLaw, 'Section 9 – Processing of Personal Data of Children | DPDP Act, 2023' (ApniLaw, 2023) https://www.apnilaw.com/bare-act/dpdp/section-9-digital-personal-data-protection-act-dpdp-processing-of-personal-data-of-children/ accessed 23 May 2025.
9. DPDPA.com, 'Rule 10 – Right of Grievance Redressal | Draft Rules under DPDP Act, 2023' (DPDPA.com, 2024) https://dpdpa.com/dpdparules/rule10.html accessed 23 May 2025.
10. DPDPA.com, 'Rule 15 – Voluntary Undertaking | Draft Rules under DPDP Act, 2023' (DPDPA.com, 2024) https://dpdpa.com/dpdparules/rule15.html accessed 23 May 2025.
11. JISA Softech, 'The Digital Personal Data Protection (DPDP) Act, 2023: Key Challenges and Compliance Framework' (JISA Softech Blog, 5 September 2023) https://www.jisasoftech.com/the-digital-personal-data-protection-dpdp-act-2023-key-challenges-and-compliance-framework/ accessed 23 May 2025.
12. KTS Law, 'Gen AI: The Artificial Threat to Trade Secrets' (KTS Law Insights, 22 April 2025) https://ktslaw.com/en/insights/perspectives/2025/4/gen%20ai%20the%20artificial%20threat%20to%20trade%20secrets accessed 23 May 2025.
13. Teamflect, 'Employee Performance Evaluation Laws: Everything You Need to Know' (Teamflect Blog, 19 April 2023) https://teamflect.com/blog/performance-management/employee-performance-evaluation-laws accessed 23 May 2025.
14. Pravin Anand, Achuthan Sreekumar, and Rohit Bansal, 'Trade Secrets 2025' (Anand & Anand, 25 April 2025) https://www.anandandanand.com/news-insights/trade-secrets-2025/ accessed 24 May 2025.
15. Infosys BPM, 'The Role of Data Security in Business Process Outsourcing for Financial Institutions' (Infosys BPM Blogs, 5 May 2023) https://www.infosysbpm.com/blogs/finance-accounting/the-role-of-data-security-in-business-process-outsourcing-for-financial-institutions.html accessed 24 May 2025.
16. Velaro, 'The Privacy Paradox of AI: Emerging Challenges on Personal Data' (Velaro Blog, 19 April 2023) https://velaro.com/blog/the-privacy-paradox-of-ai-emerging-challenges-on-personal-data accessed 24 May 2025.
17. Rakesh Shukla, 'Data Privacy & Protection in HealthTech: An Indian Legal Framework Overview' (Digital Health News, 17 April 2023) https://www.digitalhealthnews.com/data-privacy-protection-in-healthtech-an-indian-legal-framework-overview accessed 24 May 2025.
18. Bhairav Acharya, 'Privacy and Fintech in India: Balancing Innovation and Data Protection' (ORF Expert Speak, 9 November 2021) https://www.orfonline.org/expert-speak/privacy-and-fintech-in-india-balancing-innovation-and-data-protection accessed 24 May 2025.
19. Leeron G Kalay, Katherine D Prescott, and Qiuyi (Autumn) Wu, 'Protecting and Enforcing Your Trade Secrets in a Global Economy' (Fish & Richardson, 22 January 2025) https://www.fr.com/insights/thought-leadership/blogs/protecting-and-enforcing-your-trade-secrets-in-a-global-economy-2/ accessed 24 May 2025.
20. BLTG Team, 'How to Protect Trade Secrets in an NDA: Key Guidelines' (Berkeley Law & Technology Group, 31 January 2025) https://bltg-ip.com/how-to-protect-trade-secrets-in-an-nda-key-guidelines/ accessed 24 May 2025.
21. Imperva, 'What is Data Anonymization | Pros, Cons & Common Techniques' (Imperva) https://www.imperva.com/learn/data-security/anonymization/ accessed 24 May 2025.
22. Shivang Mishra, Akarsh Singh, Arohi Pathak, Prajwala D, and Dinesh, 'The DPDP Act, 2023 and the Draft DPDP Rules, 2025: What Do They Mean for India's AI Startups?' (Tsaaro, 3 February 2025) https://tsaaro.com/blogs/the-dpdp-act-2023-and-the-draft-dpdp-rules-2025-what-do-they-mean-for-indias-ai-start-ups/ accessed 24 May 2025.
23. De Penning & De Penning, 'Trade Secrets and Confidential Information' (De Penning Blog, 19 August 2022) https://depenning.com/blog/trade-secrets-confidential-information/ accessed 24 May 2025.