Protection of trade secrets is now regulated uniformly throughout the European Union (EU). Since requirements for the existence of a trade secret have increased compared to the previous legal situation, companies should clarify which kind of protection measures they need to implement if they want to benefit from the new law. This LexShot sets out to show the framework which is also of relevance for non-European companies that have invested in the EU.
Data theft, economic espionage and sabotage cause significant damage every year. Especially in times of digital transformation and increasing digital innovation, protection against cyber crime therefore plays a major role for many European companies. In the past, business secrets were protected at different levels under the local law of EU countries which was perceived as inadequate. In order to enforce claims, trade secrets had to be disclosed, among other things, in court proceedings.
Significantly more claims in case of secret violations
As a result of the European Trade Secrets Directive (EU) 2016/943), this has changed: in case of trade secrets violations, the holder of secret has significantly more claims at its disposal than before:
In addition, it is now regulated by law that the holder of the trade secret can choose between three types of damage calculation: licence analogy, recovery of the infringer’s profit and a specific economic loss.
Appropriate confidentiality measures required
What sounds positive for companies at first, however, requires action. The new protection does not come by itself since information is now only protected if appropriate confidentiality measures have been taken. This means that, unlike in the past, information is no longer classified as secret if it is to be kept secret from the company’s point of view and if the nature of the information could give rise to a corresponding will to secrecy. On the contrary, the company must be able to demonstrated that it has taken appropriate measures of confidentiality, which can be implemented as follows:
1. Organisational protection measures
Anyone wishing to benefit from the new Trade Secrets Act must first create organisational preconditions to protect confidential information. This includes regulating clear responsibilities internally: who has access to trade secrets and who is operationally managing them? A small group of employees should be defined by name and a know-how officer and deputy should be appointed.
In addition, it is necessary to regulate who has access to secret information and also to document in accordance with data protection law who has retrieved and/or viewed which documents. For this purpose, an authorization concept should be developed which governs who is allowed to access which information on a need-to-know basis. Areas with particularly sensitive information (e.g. R&D department) should be separated, if necessary, by structural and personnel protection measures. Organisational measures also comprise labelling of secret information and regular training of employees who get in contact with trade secrets.
2. Technical protection measures
In addition, companies must take sufficient technical IT security measures, in particular:
• Two-factor authentication
• Encryption of data and connections
• Anti-virus and malware protection
• Secure user administration with active locking by the administrator
• Personalized user IDs and password protection
• Technical separation of private and corporate devices
Further detals can be derived from the DIN ISO/IEC 27001 standard as it stipulates the requirements for the installation, implementation, operation, monitoring and evaluation of documented information security management systems, among other things.
3. Legal protection measures
The highest risks to trade secrets often stem from employees when they leave the company, for instance. In addition to organisational and technical measures, these risks can be mitigated by way of confidentiality obligations in the employment contract. In order to ensure effective protection in any legal proceedings and not to risk ineffectiveness, information covered by the obligation should be sufficiently defined in the clauses. This is not appropriate for catch-all clauses, which classify all trade secrets that have become known during the employment relationship as secret. Rather, it should be determined specifically for the respective work area and on the basis of authorizations and markings (see organizational measures) which information is confidential. Therefore, employers or human resources departments should now clarify for each individual employee how the respective employment contract is to be adapted by means of a supplementary agreement with an effective obligation of confidentiality. This also applies to cooperation partners who should be obliged to keep trade secrets confidential by way of a non-disclosure agreement (NDA).
In both cases, an appropriate contractual penalty should be agreed. In order to enusre an effective protection, the holder of the trade secret may first unilaterally determine, based on the circumstances of the individual case, the amount of the contractual penalty which can then be reviewed by a court in the event of a dispute.
Finally, it should be clarified on a case-by-case basis how long the confidentiality obligation applies. For this purpose, a time limit must be provided for with regard to employees or managing directors/boards, which may not exceed two years from the date of departure.
In addition, the newly permitted reverse engineering (i.e. obtaining a trade secret by re-engineering a product) is relevant in particular for companies with technical products or services. In order to avoid this consequence, affected companies must explicitly exclude reverse engineering in relation to their customers, suppliers, cooperation partners or licensees. To this end, existing contracts should be reviewed and, if necessary, adapted by way of sideletters.
It needs to be highlighted that the described measures should not be regarded as legal requirements that companies must comply with and which otherwise result in penalties. However, those who wish to benefit from the protection of the new legal framework and rely on it must take the necessary measures. If there is a breach of trade secrets and claims are to be enforced, the injured company must demonstrate the appropriate confidentiality measures it has taken to protect trade secrets. This is the only way to ensure an effective level of protection.