The protection of business and trade secrets is of central importance to companies. Often, trade secrets represent a significant business value that not only promises an advantage over competitors but can even be fundamental to the business model. This not only applies for large groups, but especially for start-ups that have a good idea and a promising business approach.
There are high expectations (but also justified fears) of the German Trade Secrets Act (GTSA), which entered into force on 26 April 2019. The GTSA is a new principal law passed by the legislator against the unlawful acquisition, use and disclosure of trade secrets and implements Directive (EU) 2016/943 (TSD) on the protection of undisclosed know-how and business information. The Implementation Act on the GTSA also repeals Sec. 17 et seq. of Unfair Competition Act (UWG), which up to now regulated the (punishable) protection of business and trade secrets.
Formerly known as “Know-how protection guideline”, the implementation of the specifications of the GTSA raised high expectations. It is all the more surprising since many companies will now be forced to react quickly if they want to continue protecting their business and trade secrets.
Those companies that have taken organisational, technical and legal measures in the context of the implementation of the General Data Protection Regulation (GDPR) may have already made valuable preparatory work.
Trade Secret – new definition – new challenges
According to the previous definition of the German jurisdiction, anyone, who wanted to protect his know-how, could easily declare it to be a trade secret (subjective intention). Even without an explicit explanation, it could still be argued that the intention to secrecy results “out of the nature of the secret matter” (so far, the will to secrecy was derived from an objectively legitimate economic interest). In case, the secret fact was also company-related and not notoriously known, the scope of protection had already been opened to application.
However, anyone wishing to invoke trade secrets under the new legal framework must be able to state that he has protected his know-how through outwardly recognisable (objective) appropriate non-disclosure measures.
In particular, companies face two major challenges with the new definition. On the one hand, it should be clear that there is a need for action if important know-how or other information worthy of protection should fall under the protection of the secret. On the other hand, however, the question arises: “What is an appropriate measure?” This can only be answered on a case-by-case basis. In other words, depending on the information worthy of protection, different non-disclosure measures must be taken. This dynamic concept provides companies a certain room for manoeuvre regarding the measures to be taken. Not all information requires strict confidentiality. However, understated non-disclosure measures may have drastic consequences: it means that the information is not protected as a secret and the company can lose ownership of the information.
For this reason, companies should first of all evaluate which information should be kept a secret. Anyone who has already become familiar with handling records of processing activities in accordance with Art. 30 GDPR, can fall back on the practise gained there. Even though there is no obligation to maintain such a record (but this is recommended for evidence in litigation – see below), it is important to identify which trade secrets, e.g. in the form of know-how within the company and to what extent they are to be evaluated as particularly secretive. In particular, it must be taken into account which employees and business partners are aware of which business secrets or should be acquainted with such.
Particular attention should be paid to the verification of the status quo, e.g. information such as customer data, balance sheets, data on suppliers, calculations, prototypes, plans, recipes, algorithms, source codes and the documentation of the programmer.
Recognise the need for action and seize confidentiality measures
If the information worthy of protection has been determined in the company, it is then necessary to take appropriate measures within the meaning of the German Trade Secrets Act.
Especially, since the measures to be taken always depend on the individual case (for example, the nature and value of the information, the circle of the participants, context of use) that we recommend carrying out a tripartite examination of the appropriate measures to be taken:
(1) Organisational measures
First, clear responsibilities for the protection of information should be developed. Information worth protection should be marked or explained as confidential and employees of the company should be trained and sensitised to dealing with trade secrets. Employees should also be informed about Whistleblowing in order to avoid misunderstandings. Depending on the scope of the information to be marked, the effort for the measures is limited, but must be well documented.
(2) Technical measures
If information is determined to be secret, technical measures must be taken to protect it from unauthorised access. For most companies, the focus will be on IT security. However, anyone who already took action on implementing appropriate technical measures under Art. 32 GDPR will not find it difficult to do so. However, it also applies here that, depending on the information, a different benchmark must be set to the appropriateness of the measure.
(3) Legal measures
After all, legal measures can also make a crucial contribution to protecting the secret. In particular, this requires that the holder of the trade secret must demonstrate that he has lawful control over the information. Often, the company’s own employees are one of the major risks in the protection of trade secrets. The employees are already obliged to secrecy due to secondary contractual obligations, but for effective protection of the secret it is advisable to conclude specific non-disclosure agreements. The maintaining of secrecy required by the GTSA can only be achieved, if the recipient is obliged to take specific confidentiality measures as well. Companies that previously contented themselves with a general secrecy clause in the employment contracts of all employees, have to take special attention to confidentiality clauses. There is no catch-all solution. This means that they alone are not enough to effectively maintain secrecy. But it also means that the same agreement should not be presented to every employee. The more one employee gets in touch with business secrets, the more precise it should be. What has already been mentioned regarding the employees, shall apply especially for business partners. These, too, should also be contractually tied to protection of the secret (via so-called NDA: non-disclosure agreements).
The admissibility of the so-called reverse engineering (obtaining a secret by reverse engineering a product) has been newly introduced into German law, since according to the previous legal situation, it was predominantly considered as inadmissible. However, through contractual arrangements, reverse engineering can still be excluded – within certain limits. Therefore, one should design corresponding contractual drafts in cooperation agreements e.g. with customers, licensees, or partners.
Update and document confidentiality measures
Adopted confidentiality measures should be reviewed on a regular basis and the developed protection concept should be updated where needed. Establishing a know-how management system can ensure that there are clear responsibilities for this task and that appropriate measures are taken to protect trade secrets.
A detailed documentation of the know-how worth protecting and the measures that have been taken pays off at the latest in the event of a dispute. Anyone who wants to invoke a trade secret bears the full burden of evidence and proof regarding the confidentiality measures taken. Those who can adhere their burden of proof through detailed documentation, clearly has the advantage.
Protect trade secrets and enforce them in court
Even though the German Trade Secret Act brings up a lot of work and effort for companies, it simplifies judicial intervention and the enforcement of the protection of secrets.
In addition to claims for cease and desist and removal of the infringement, the trade secret holder is eligible for destruction, restitution, return, removal and market withdrawal regarding the infringing products, documents, objects or files containing or embodying the trade secret against the infringer. If the trade secret is violated by employees of a company, the company itself may be subject to these obligations.
In order to provide the business owner with the most effective protection possible for his trade secrets, he has a right of access on e.g. the origin and recipients of unlawfully obtained or disclosed trade secrets against the infringer.
Anyone who violates a trade secret is also liable for damages under the GTSA. In addition to the obligation to pay civil damages, any breach of a trade secret always bears the risk of imprisonment or a fine.