After last year, when the General Data Protection Regulation (GDPR) came into force for companies, the focus was on the implementation of the requirements there, the forthcoming entry into force of the new Trade Secrets Act should bring a new important topic into the focus of management: Measures to protect own trade secrets.
The new law will implement the EU Directive 2016/943 of April 2016 on the protection of trade secrets and know-how. So far, German law has contained provisions on the protection of trade and business secrets in Sec. 15 to 17 of the Act against Unfair Competition (UWG) and Sec. 823 and 826 of the German Civil Code. According to the provisions of the aforementioned EU Directive, these regulations are not sufficient and give the legislator reason to implement the new requirements in a separate law, the Trade Secret Protection Law (TSPL). The law was passed on 21 March 2019, approved by the Federal Council on 12 April 2019, promulgated today and will enter into force on 26 April 2019.
1. Content of the regulation and structure of the Trade Secret Protection Law
The new rules are designed to protect companies from unlawful acquisition, use and disclosure of their trade secrets.
The law is divided into three parts. The first part contains the scope, definitions, permitted and prohibited acts to obtain a trade secret, and grounds under which the obtaining, use or disclosure of a trade secret may be justified. Part 2 sets out the claims of the holder of a trade secret against the infringer. For example, omission, destruction, surrender, information and damages may be considered. Part 3 contains provisions on judicial proceedings and part4 contains the previous provisions of Sec. 15 to 17 UWG.
According to Sec. 2 number 1 TSPL, information is business secrets within the meaning of the law which are not generally known or publicly accessible and therefore have an economic value, are subject to “appropriate confidentiality measures” and in which there is a legitimate interest in confidentiality.
According to grounds aof the law, this may include manufacturing processes, customer and supplier lists, cost information, business strategies, company data, market analyses, prototypes and research results of universities. This does not include purely private information that cannot be used in the course of business – even if the owner has an interest in confidentiality.
Appropriate protective measures
Information that is intended to be trade secrets within the meaning of the law must be protected by “appropriate confidentiality measures”. This can be achieved, for example, through contractual non-disclosure agreements or technical access barriers such as encrypted storage and communication. A mere interest on the part of the owner of the secret in maintaining secrecy, without the implementation of appropriate protective measures, is therefore not sufficient.
Companies that have adapted their data protection organisation to the requirements of the GDPR, in particular have implemented technical and organisational measures (here to protect personal data), will also be able to use these measures for non-personal data.
Permitted and prohibited actions
The acquisition of trade secrets is lawful under the conditions of Sec. 3 TSPL. This includes the independent creation (para 1) as well as the permission by law, on the basis of a law or by legal transaction (para 3).
Software development companies should pay attention to Sec. 3 para 2 number 2 TSPL: According to this, reverse engineering (“observing, investigating, dismantling or testing a product or object”) is expressly permitted within the limits of the Unfair Competition Act and in compliance with protected intellectual property, unless other contractual agreements have been made.
Sec. 4 standardizes unfair practices that involve unlawful obtaining or unlawful use or disclosure. According to Sec. 4 para 1, this includes, among other things, unauthorized access to documents, objects or files that contain the trade secret or from which the trade secret can be derived; as well as the unauthorized appropriation or copying of such documents, objects or files.
In the case of authorised access, subsequent disclosure or use may be unlawful (Sec. 4 para 2), namely if a contractual or other obligation to restrict the use or disclosure of the trade secret is hereby violated.
Sec. 5 takes account of the fact that the protection of trade secrets cannot be absolute and must in individual cases take precedence over interests of the public interest. The use or disclosure of a trade secret is therefore justified for the purpose of exercising the right to freedom of expression and information in accordance with the Charter of Fundamental Rights of the European Union (Sec. 5 number 1), as well as for uncovering unlawful acts or professional or other misconduct if the person acting has the intention of protecting the general public interest (Sec. 5 number 2).
Finally, Sec. 5 number 3 protects employees who turn to the employee representatives and disclose business secrets in order for the employee representatives to be able to fulfil their duties. Conversely, the employee representation is also protected, which thereby acquires a trade secret.
Claims in the event of infringement
If a trade secret is unlawfully obtained, used or disclosed, the company has claims to removal and omission, destruction, surrender and recall, information and damages (Sec. 6 to 10 TSPL).
In order to be able to enforce these claims, not only knowledge of the opposing party is a prerequisite, but in particular the provability of the protective measures taken in the process. Documentation of the measures taken is therefore unavoidable. Pursuant to Sec. 16 para 1 TSPL, it is possible for the court to classify the disputed information as requiring secrecy in whole or in part at the request of one of the parties if it can be a trade secret in order to prevent the (further) disclosure of the secrets through public proceedings. Access to the information may also be limited to a certain number of persons and the public may be excluded from oral proceedings (Sec. 19).
2. Need for action for companies
In order to benefit from the new provisions of the law, companies should
- Identify and classify their sensitive information in all departments,
- define, implement and document appropriate protective measures depending on the need for protection and criticality,
- sensitise their staff through training and/or guidelines, as the best technical measures are of little help if staff are not properly informed.
In particular, companies in the software development sector should also conclude agreements that explicitly prohibit the reverse engineering of their products.