He that would keep a secret must keep it secret that he hath a secret to keep
The deadline for implementing the EU Trade Secrets Directive has just expired. For the required implementation law, the German legislator has so far only prepared a draft of a future German Trade Secrets Act (GeschGehG-E), which is controversial in parts (Article in German). The Trade Secrets Directive is therefore directly applicable until the Act is adopted. The following article shows what changes companies will have to make and what needs to be done to protect their trade secrets in future.
Trade secrets – isn’t that what NDAs are for?
If companies want to cooperate, participate in a tender or give business partners an outlook on future products and strategies, a non-disclosure agreement (NDA) is usually quickly drawn up. These NDAs are usually highly standardised contracts, and are therefore also one of the areas in which quick efficiency gains are expected with the help of so-called “legal tech” applications. Only very infrequently are NDAs reviewed in detail and negotiated. This is usually only done in the context of corporate transactions and R&D.
So why are NDAs so popular if there are laws governing this area?
German law has so far guaranteed the protection of trade secrets by way of the criminal provisions of Sections 17 to 19 of the Act Against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb – UWG) as well as Sections 823 and 826 of the German Civil Code (Bürgerliches Gesetzbuch – BGB), sometimes in conjunction with Section 1004 BGB by analogy. The German Criminal Code (Strafgesetzbuch – StGB) also contains many provisions in its Sections 201ff. which apply to trade secrets. For example, under the StGB data espionage or “receiving stolen data” constitute punishable offences. Section 203 StGB is of particular importance to lawyers and clients, as this inter alia imposes sanctions on the violation of the attorney-client privilege.
Other than that, legal provisions in this area are few and far between and there is certainly no coherent set of rules to define “trade secrets”, to protect against such secrets being illegally obtained or against their illegal use and unlawful disclosure. In addition, applicability of the provisions of the UWG requires that offenders have a special intent, as they must act for the purpose of competition for their own benefit or for the benefit of others. In practice, this is often difficult to prove.
This is why German companies have so far tried to compensate for this rather unsatisfactory legal situation with the help of contractual agreements, i.e. NDAs.
Legislative procedure to date
In 2013, the European Commission presented the first draft directive on the protection of confidential know-how and trade secrets, which finally resulted in the “Directive (EU) 2016/943 of the European Parliament and of the Council on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure” (EU Trade Secrets Directive), which was adopted on 8 June 2016.
The aim of the EU Trade Secrets Directive is to harmonise the civil law provisions in the various member states on the protection of trade secrets. On one hand, within the individual EU member states there is currently a very different understanding of how trade secrets are to be protected, as well as different levels of enforcing such protection. On the other hand, the EU legislator is right to believe that an effective protection of trade secrets by civil law is not only of considerable economic importance in general, but is also an important factor in the creation of the EU internal market. However, the EU Trade Secrets Directive is only intended to guarantee a minimum level of protection. Member states remain free to prescribe more extensive protection against the illegal acquisition, use or disclosure of trade secrets, provided that the basic rules for the protection of the interests of other parties laid down in the EU Trade Secrets Directive are observed (cf. recital 10).
But what actually constitutes a “trade secret”?
Obviously, a central concept of the EU Trade Secrets Directive is that of a “trade secret”. It is legally defined in Art. 2 para. 1 of the EU Trade Secrets Directive. In accordance with this, the term “trade secret” refers to information that meets all of the following criteria:
- it is secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question; and
- it has commercial value, because it is secret; and
- it has been subject to reasonable steps under the circumstances, by the person lawfully in control of the information, to keep it secret.
The German GeschGehG-E provides a very similar definition in its Sec. 1 para. 1.
What does “commercial value” mean?
The condition of “commercial value” – referred to as “economic value” in the GeschGehG-E – is intended to exclude irrelevant information from protection. This is certainly more restrictive than what has been previously understood in Germany. Up to now, German law has required that there must be an “economic interest to keep the information confidential”. This also includes secrets which could cause damage if they are disclosed, even though they have no intrinsic value. For example, this would apply to the desire to keep information relating to illegal practices of the company confidential, as disclosure of such information would harm the company, although keeping it confidential regularly runs counter to the interests of third parties as well as the public interest. If you wanted to protect such information, this would clearly go against the purpose of the EU Trade Secrets Directive and the balance it tries to strike between the interests of the owner of the secret and the interests of others (cf. e.g. recital 20 and Art. 13 of the EU Trade Secrets Directive).
It remains to be seen whether this question is conclusively answered by Section 4 No. 2 GeschGehG-E, according to which the acquisition of a trade secret is justified if the relevant person acts with the intention of protecting the general public interest. In any case, the European Commission recently proposed a new directive to protect so-called “whistle blowers”. This topic is of particular relevance to the banking and financial sector, as the cases at BNP Paribas or the notorious “tax CDs” have shown, where government bodies acted ambivalently. However, a closer look at this particular proposal will be reserved for another article in the future.
The mystery for practitioners: what is meant by “appropriate confidentiality measures”?
From a German perspective, the “appropriate confidentiality measures” required by the Trade Secrets Directive and the GeschGehG-E constitute a new protection requirement. It remains to be seen what specific requirements will be placed on such measures.
Up to now, the prevailing interpretation under German law is that it is sufficient if there is a recognisable subjective intention to keep the secret confidential, which manifests itself in objective circumstances and which is sometimes deemed to exist solely based on the nature of the confidential information. This often results in circular reasoning, e.g. the confidentiality obligation in an NDA applies to all information whose need to be kept confidential arises from the nature of the information. The “appropriate confidentiality measures” mentioned in the EU Trade Secrets Directive and the GeschGehG-E, on the other hand, are an objective condition according to which, in the event of a dispute, the respective owner of the trade secret must prove that they have taken measures to keep the secret a secret.
It is difficult to provide a general answer as to what types of confidentiality measures are required, as this depends on the nature of the trade secret and the significance in each individual case. Typically, the owner of the trade secret will have to implement physical access restrictions and precautions (e.g. encryption or secure storage, control of access), as well as contractual security mechanisms, e.g. with service providers.
There is also no general way of assessing whether the measures adopted are appropriate. The “commercial value” (Art. 2 para. 1 lit. b EU Trade Secrets Directive) or the “economic value” used in the German Act (Section 1 para. 1 No. 1 lit. a GeschGehG-E) will play an important role in this assessment, i.e. the financial value of the trade secret, its development costs, and its strategic and competitive significance to the owner of the secret. In addition, the generally accepted confidentiality measures of the respective organisation could also be considered, as well as whether the trade secret was clearly marked as such, and whether there are relevant contractual rules in place with employees and business partners.
Looking, clicking, smelling, testing – reverse engineering is not just for computer software anymore
It is worth noting that Art. 3 para. 1 lit. b of the EU Trade Secrets Directive or Section 2 para. 2 No. 2 GeschGehG-E expressly stipulate that reverse engineering is a legitimate way of acquiring a trade secret. This means that it is considered a legitimate acquisition of a trade secret if the secret has been obtained by way of
observation, study, disassembly or testing of a product or object that has been made available to the public or that is lawfully in the possession of the person observing, studying, disassembling or testing the same and this person is free from any legal duty to limit the acquisition of the trade secret.
Section 69e of the German Copyright Act (UrhG) contains a similar right, which is based on the EU Software Directive, to reverse-engineer computer software. The legal dispute as to whether Section 69e UrhG is an appropriate justification with regard to Section 17 UWG is at least as old as the EU Software Directive. It remains to be seen whether the EU Trade Secrets Directive and the GeschGehG will continue to provide material for PhD theses.
Synergy effects even without mergers – thanks to the EU GDPR
All those who recently fought their way through the requirements of the EU General Data Protection Regulation (GDPR) will have no difficulty spotting the parallels. For example, there are clear overlaps between the data security requirements contained therein (Art. 32 GDPR) and the security measures required to protect confidentiality. The documentation of the processing activities (Art. 30 GDPR) can also form the basis for a confidentiality protection concept, which can be used in the event of a dispute to prove how much effort the owner of the secret was willing to make to keep his secret a secret. Future NDAs in which confidential information is transmitted to a recipient “for a specific purpose” might closely resemble agreements on data processing (Art. 28 GDPR).
In other words, all those who are very familiar with the GDPR should have no problems in also implementing the requirements of the EU Trade Secrets Directive or the GeschGehG once it comes into effect. Those treating their trade secrets with the same care as the standard required under the GDPR for personal data should need only little additional implementation effort.
An appeal to reason or further unclear equitable concepts?
Neither the EU Trade Secrets Directive nor the GeschGehG based thereon provides for the protection of a trade secret in an absolute sense, as is the case for industrial property rights. They make this protection dependent on a balance of interests between the interests of the owner of the trade secret and the interests of others. Here too, practitioners with GDPR expertise should pay attention, as the “balance of interests” is a key feature of data protection and the GDPR. Art. 5 of the EU Trade Secrets Directive and Section 4 GeschGehG-E, for example, provide for exceptions to the confidentiality requirement if the trade secret is acquired, used or disclosed in certain privileged cases, e.g. to exercise freedom of expression and information. In addition, Art. 7 and Section 8 contain provisions which, under certain circumstances, prevent the owner of the trade secret from making claims for injunctive relief, information and deletion. This also closely resembles Art. 6 para. 1 lit. f GDPR, which permits the processing of data based on a balancing of interests between the controller and the data subject.
The EU Trade Secrets Directive and the GeschGehG-E provide for a clear and comprehensive regulation of the protection of trade secrets in one law. Nevertheless, companies that in relation to their competitors rely on trade secrets rather than on “registrable rights” such as patents or on the protection of their copyright may face a lot of work. Technical and organisational confidentiality rules have to be defined or implemented, NDAs need to be redesigned or updated and it may also be necessary to check whether trade secrets are sufficiently protected by the recipient of the trade secret.
Many of these tasks are very similar to those that arise when implementing and enforcing the GDPR in your own company and with your business partners. Therefore, the know-how (often painfully) gained in the course of implementing the GDPR should also be used for the protection of one’s own trade secrets, and should not simply remain with the internal or external data protection officer.