Structuring and legal considerations
Key laws and regulations
What are the key laws and regulations implicated in technology M&A transactions that may not be relevant to other types of M&A transactions? Are there particular government approvals required, and how are those addressed in the definitive documentation?
When considering German laws and regulations implicated in technology M&A transactions, one may distinguish between foreign direct investment restrictions that generally apply in the event of a ‘threat’ to national security and certain overlapping rules applicable to regulated industries.
Foreign direct investment rules
Pursuant to the German Foreign Trade and Payments Act (AWG) and the German Foreign Trade and Payments Ordinance (AWV), the German Federal Ministry for Economic Affairs and Energy (BMWi) is entitled to review inbound transactions by foreign investors based outside the European Union or the European Free Trade Association (EFTA). The BMWi may prohibit or restrict an acquisition should it be deemed to pose a threat to the ‘public order or security’ of Germany.
The AWV distinguishes between a cross-sectoral review for all industries (typically having a strong nexus to technology) and a sector-specific review that applies to certain sensitive industries. The scope of the latter includes arms and military equipment as well as encryption technologies and other key defence technologies, such as reconnaissance, sensor and protection technology. Both types of review apply irrespective of the size or enterprise value of the business acquired.
The BMWi is entitled to review all acquisitions, whether by way of asset and share deal or by non-EU/EFTA-based investors. The sector-specific review applies to direct or indirect share acquisitions reaching or exceeding 10 per cent of the target’s voting rights, whereas the cross-sectoral review provides for a 25 per cent threshold of voting rights unless the target is engaged in sectors identified by the AWV as particularly sensitive, in which case the 10 per cent threshold also applies. The calculation of voting rights will take into account certain undertakings that may be attributed to the ultimate owner, such as an agreement on the joint exercise of voting rights. Asset deals require a comparable test for the respective asset values, that is, 10 or 25 per cent of the assets of the acquired business. In contrast to the sector-specific review, which is applicable to all foreign buyers, the general review process only applies to non-EU or non-EFTA-based investors unless there are indications for abuse or a transaction circumventing foreign direct investment control rules.
An intervention by the BMWi requires a threat to public policy or security. The German legislator assumes such threat for investments into the following (non-exhaustive) list of technology assets:
- operators of critical infrastructure that is of particular importance for the functioning of the community;
- companies developing or changing industry-specific software for the operation of critical infrastructure;
- companies entrusted with organisational monitoring measures for telecommunication facilities;
- companies providing cloud computing services above a certain volume;
- companies engaged in the area of telematics infrastructure; and
- companies of the media industry which contribute to the formation of public opinion via broadcasting, telemedia or printed products and are characterised by particular topicality and breadth of impact.
The completion of the investment review process for cross-sector reviews is by law not required for the consummation of a transaction. However, foreign investors often decide to initiate the review process by submitting an application to the BMWi for a non-objection certificate to obtain legal certainty for a transaction. Depending on the transaction at hand, the parties may also be subject to a general notification obligation.
Recent acquisitions have shown that the BMWi has become more sensitive to acquisitions by non-EU or non-EFTA investors, especially in the technology sector (see question 20 for further outlook on this subject and recent proposals on the European level).
Both European and German export control restrictions may also impact M&A transactions in cases where the acquirer is considering ‘exporting’ technology (including intellectual property, know-how and software) outside Germany to facilitate integration with other group functions.
Sector-specific rules applicable to media, broadcasting and fintech
To provide broadcasting services in Germany, as regulated under the German Federal Broadcasting Treaty, a media provider must obtain permission from either the Commission for Approval and Control at the federal government level or the state media authority at the state government level. The Federal Broadcasting Treaty applies to the provision of broadcasting services in the form of linear information and communication services in picture or sound via radio frequencies, including digital information and communication services, such as those used by livestream providers (eg, Twitch or YouTube). In addition, acquisitions (including certain minority investments) of a media or broadcasting company providing services in Germany are subject to the prior approval of the relevant media authority, subject to the provider operating on a state or federal level. In the absence of such approval, the relevant authority may revoke the broadcasting licence previously granted to the provider.
Certain technology business models within the financial industry (such as fintech and insurtech) may constitute regulated activities, the acquisition of which is subject to an ownership control procedure. As part of such proceedings, the acquirer’s creditworthiness and financial soundness will be assessed by the German Federal Financial Supervisory Authority (BaFin). In the case of the acquisition of a majority stake, the future business plan is subject to review by BaFin as well. Even if the target considers itself as unregulated, a buyer should in any event perform its own analysis of whether a regulatory licence is required at present or upon the business model advancing further to avoid unforeseen regulatory issues.
With respect to technology targets that are regulated entities, BaFin may exercise extensive interference rights if an investor acquires shares in such entity without fulfilling the clearance prerequisites. This may, in a worst-case scenario, result in the transfer of the voting rights to a trustee or a disposal order.
Relevant federal intellectual property statutes
Other German statutes relevant for technology transactions include federal acts specifically addressing:
- copyright (including rights in databases and rights in software);
- patents (which may also be granted for software);
- utility models;
- semiconductor topography rights;
- plant varieties;
- trademarks; and
As technology M&A transactions often involve a transfer of data, data protection laws applicable in Germany (ie, the directly applicable provisions of the EU General Data Protection Regulation (GDPR) and the additional provisions of the Federal Data Protection Act) may be relevant.
Government rights
Are there government march-in or step-in rights with respect to certain categories of technologies?
Under German law, regimes exist that lead to a result broadly comparable to the exercise of government march-in or step-in rights under the Bayh-Dole Act, which affects government funded research projects in the United States (see answer to question 2 for the United States).
In respect of patents, competent courts can, under certain conditions, grant a ‘compulsory’ licence to commercially exploit a patent if public interest demands such licence. If a patent owner cannot exploit its invention because of a pre-existing patent, such owner of the ‘younger’ patent may further be entitled to be granted a compulsory licence in and to the pre-existing patent. Similar rules apply to utility models and plant varieties.
Legal assets
How is legal title to each type of technology and intellectual property asset conveyed in your jurisdiction? What types of formalities are required to effect transfer?
Under German law, the number of IP rights affording an absolute protection toward all is limited to those IP rights codified in specific acts (broadly those mentioned in the last paragraph of question 1).
In general, German IP rights other than copyright (industrial property rights) can be transferred by agreement between the transferor and the transferee without any formal requirements. It is advisable and common, though, to document a transfer of industrial property rights in a written instrument. For the transfer of supranational applications or IP rights, a written form is sometimes required (eg, transfer of a European patent application under the European Patent Convention and transfer of an EU trademark).
Copyright itself cannot be transferred under German law because of the author’s moral rights. Exploitation of a copyrighted work requires a licence, which can go through multiple tiers, stemming from the author’s principal exploitation rights. For transfers of licences, see question 9.
Under German law, domain names as such are not considered an IP right within the meaning set forth above. The registrar operating the German country top level domain ‘.de’ (DeNIC e.G.) in its general terms and conditions and its procedural rules does not envisage a transfer of a domain name as such. Instead, it only envisages a termination of the contract for the registration of the relevant domain name between the current holder of the domain name with the subsequent entering into a new contract for the registration of the relevant domain name with the future holder.
Know-how is also not protected as an IP right within the meaning set forth above under German law. Hence, an in rem transfer of rights in know-how is not possible.
Due diligence
Typical areas
What are the typical areas of due diligence undertaken in your jurisdiction with respect to technology and intellectual property assets in technology M&A transactions? How is due diligence different for mergers or share acquisitions as compared to carveouts or asset purchases?
Typical areas of intellectual property and technology due diligence undertaken in Germany with respect to technology M&A transactions include:
- identifying all registrations and applications for IP assets owned by the target and confirming the status, lien status, chain-of-title, expiration date (if applicable), scope of protection and ownership thereof;
- identifying all other IP assets (ie, unregistered intellectual property and IP assets that are not capable of registration) owned or used by the target and confirming the ownership thereof, any restrictions thereon, and the target’s scope of rights therein;
- reviewing and analysing the target’s agreements with past or present employees, independent contractors and consultants with respect to the creation and ownership of IP assets and the use and disclosure of trade secrets and other confidential information;
- identifying and determining the scope of licences-in and licences-out in respect of IP rights granted by or to the target;
- reviewing and analysing all other IP-related agreements (or intellectual provisions in agreements), including research and development agreements, consulting agreements, manufacturing, supply, and distribution agreements, settlement agreements, and IP licensing and assignment agreements;
- determining and analysing the target’s process for IP clearance, protection, and enforcement and for protecting trade secrets and confidential information;
- determining and analysing any past, present, or threatened intellectual property-related claims or disputes involving the target, such as infringement actions, cease-and-desist letters, requests for intellectual property-related indemnification, disputes with past or present employees or contractors, and claims for remuneration for the creation of intellectual property;
- reviewing and analysing the target’s processes and procedures for developing software code, including identifying open source or copyleft code, reviewing source code scans and identifying third-party access to code as well as the target’s processes and procedures in respect of employee inventions;
- reviewing and analysing agreements and rights with respect to information and communication technology assets and equipment;
- where the target’s business is subject to regulatory requirements with regard to technology (eg, applicable to technology outsourcing in the financial industry sector), reviewing the target’s compliance with such requirements;
- reviewing the target’s compliance with privacy and data protection laws, contractual obligations and company policies;
- vetting the extent and ramifications of any privacy breaches or security incidents; and
- determining whether and what rights to process and use personal data will be available to the buyer.
Although the due diligence processes for share deals and for carveouts or asset purchases are similar, there are several key differences.
Where a business to be divested is not organised in the form of separate legal entities, the assets, contracts, rights, liabilities, employees and other resources pertaining to the business will have to be carved-out from existing legal entities. As part of such transactions, an additional focus of due diligence is identifying and understanding:
- what is within the scope of the transaction and what is not;
- which resources have to be and can be transferred;
- whether there are any such resources that are in shared use;
- which activities are required to separate the business; and
- which interdependencies exist between the business to be divested and the business to be retained.
Where carveout or asset purchase transactions require the assignment and transfer of IP rights, the buyer should confirm that all desired IP assets may be transferred (and are properly transferred) under applicable law. The buyer should ensure that any shared rights in intellectual property are properly allocated (usually on the basis of concepts of exclusive use or predominant use) and cross-licensed between the parties post-closing in appropriate fields of use.
If source code or data is being transferred, the right of the seller to transfer any third-party code (including open source) or third-party data (including personally identifiable information) should be properly vetted.
With respect to mergers or share acquisitions, the buyer should review material intellectual property, information and communication technology contracts to determine whether they include change of control provisions triggered by the contemplated transaction, whereas for carveouts or asset purchases, the buyer should analyse any anti-assignment provisions triggered by the contemplated transaction. In Germany, where a contract is silent on transferability of the contract as a whole, consent by the third-party counterparty to the transfer is required.
German law also provides for transfer of assets by way of (partial) universal succession in the context of transformations under the German Transformation Act (such as statutory mergers or hive-downs). It requires a case-by-case analysis whether assignment restrictions or change of control termination rights may have an impact in the context of such transformations.
If a carveout or asset-purchase transaction does not include all employees relevant to the purchased IP assets or business, the buyer should perform sufficient diligence to confirm that there is no ‘key person’ risk, whether the seller will need to give or receive any (transitional) services, whether any information and communication technology systems or data will need to be migrated or separated, and whether the buyer will be able to use, maintain and exploit the purchased IP assets post-closing.
Customary searches
What types of public searches are customarily performed when conducting technology M&A due diligence? What other types of publicly available information can be collected or reviewed in the conduct of technology M&A due diligence?
Counsel for the buyer typically conducts:
- searches of publicly available databases (including the German Patent and Trademark Office and domain name registries) to identify and confirm the status, chain-of-title, expiration date (if applicable), scope of protection and ownership of the registered IP rights purportedly owned by the seller;
- trademark clearance and availability searches may be performed to identify potential third-party trademark rights, or ‘freedom to operate’ searches may be performed to identify potentially problematic patents;
- searches of websites owned by the target to analyse privacy policies, terms of service and other publicly available information regarding the target; and
- if the target is a public company, searches for public disclosures, such as annual reports.
What types of intellectual property are registrable, what types of intellectual property are not, and what due diligence is typically undertaken with respect to each?
A copyright is not registrable (but authors of anonymous works can apply for registration in a separate register to extend the duration of protection). All IP rights mentioned in the last paragraph of the answer to question 1 other than copyright are capable of registration.
For IP rights that can be registered and domain names, typically register searches are conducted to assess if the target is the registered owner. Since domain name registrars, in the context of the GDPR, have drastically reduced the scope of information that can be retrieved via ‘whois’ queries without demonstrating a legitimate interest, domain name searches in these registers may become less important going forward.
For non-registrable IP rights, review of underlying employment, development, contractor or licence agreements is important to determine their scope or the relevant rights to use and licences.
Liens
Can liens or security interests be granted on intellectual property or technology assets, and if so, how do acquirers conduct due diligence on them?
Liens and security interests (including security assignment) can be granted on intellectual property. Liens and security interests in trademarks can be registered in Germany, but there is no obligation to do so.
Employee IP due diligence
What due diligence is typically undertaken with respect to employee-created and contractor-created intellectual property and technology?
With respect to contractor-created intellectual property, the underlying development or contractor agreements are reviewed for clauses addressing the allocation, transfer and licensing of the IP rights created by the contractor.
The same applies with respect to employee-created intellectual property, it being understood that statutory law in respect of some forms of IP rights provides for legal presumptions or grants of rights regarding employee-created intellectual property. Inventions created or conceived by employees in connection with their employment are subject to a specific regime under which the employee has to notify its employer of the invention. If the employer claims the invention, all title, right and interest is acquired by the employer. The same applies if the employer does not release the invention within a specified period of time. The employee then has the right to claim an appropriate remuneration. As part of customary due diligence, typically the processes and procedures in place at the target are reviewed and any outstanding amounts of employee inventor remuneration or any disputes in connection therewith are sought to be identified.
Transferring licensed intellectual property
Are there any requirements to enable the transfer or assignment of licensed intellectual property and technology? Are exclusive and non-exclusive licences treated differently?
In general, the terms of a licence agreement govern whether the licence can be transferred or assigned. If the licence is not only a pure right of the licensee, but the licensee also assumes obligations under the licence, transfer of the licence requires a transfer of agreement, which requires the counterparty’s consent (which may also be given in advance and is often given in advance to facilitate transfers to affiliates).
Regardless of the above, the transfer of copyright licences in general requires the consent of the copyright owner.
Software due diligence
What types of software due diligence is typically undertaken in your jurisdiction? Do targets customarily provide code scans for third-party or open source code?
Software due diligence generally consists of the following steps (in no particular order):
- What kind of software is involved? Proprietary, self-developed, purchased, open source?
- Who developed the software? Have all rights to the software been allocated or transferred to the target to allow the use of the software for the intended purpose?
- Is the scope and term of the licence appropriate for the intended purpose?
- Do the relevant software agreements contain any termination rights or change-of-control clauses that would enable the respective licensor to terminate the licence?
- For open source software and for software that includes any open source components or libraries, have these parts and the corresponding licence terms been identified accordingly?
Where software is ‘a’ or ‘the’ key asset, source code may be scanned by specialised providers for open source components or vulnerabilities within the source code.
Other due diligence
What are the additional areas of due diligence undertaken or unique legal considerations in your jurisdiction with respect to special or emerging technologies?
In due diligence involving artificial intelligence products, the following points may be considered:
- the rights in and to the artificial intelligence (ie, the software itself, and the resources and databases it is based on); and
- the ownership in IP rights for something that the artificial intelligence may be able to create (whereby it is worth noting that current German copyright law and patent law envisages a natural person as an author).
Additionally, depending on the field of use, further specific regulations may have to be observed and compliance may have to be checked.
As regards autonomous driving, unique legal considerations include the liability for decisions taken by the autonomously driving vehicle, in particular in case of death, bodily injury or damage to property caused by such decision.
Big data raises legal issues mainly in respect of data protection and data security compliance, where personal data is part of the big data. Key issues to be considered in this context are:
- Can valid consent of data subjects for processing of their personal data be obtained in a situation where the scope and purpose of the processing is not yet defined when the personal data is collected?
- Do data points, which in themselves do not allow a natural person to be identified, become personal data because, when taken together with other data points included in the big data, they allow such identification?
Purchase agreement
Representations and warranties
In technology M&A transactions, is it customary to include representations and warranties for intellectual property, technology, cybersecurity or data privacy?
In share deals, warranties with respect to intellectual property may vary widely in scope and be subject to knowledge and disclosure, but usually contain, at a minimum, the following warranties:
- the target owns (free of liens or rights of third parties) or has a valid right to use the IP rights used in its business, and the schedule listing such IP rights is true, complete and accurate;
- the target is not violating IP rights of third parties;
- there is no written claim or action pending relating to an infringement or misappropriation of IP rights of any third party;
- contracts under which IP rights are licensed to the target are valid and there are no facts known that may lead to them being or becoming invalid;
- there is proper maintenance of IP rights to ensure that the target’s registered IP rights continue to be registered and all related fees have been paid when due and all necessary applications for renewal have been filed;
- the target’s IP assets are sufficient to continue its business after closing as before (this is usually heavily negotiated);
- completion of the transaction does not negatively impact the target’s right to use IP rights co-owned or used by the target;
- the use of IP rights is compliant with law or regulatory requirements;
- there are no (exclusive) licence agreements regarding the target’s IP rights;
- no licences, premiums or other compensation are paid for the use of IP rights by the target to third parties;
- the target has all the required rights to inventions made by employees and freelancers;
- the target’s IP rights have not unlawfully been obtained or used by third parties;
- IP rights owned by the target are valid, in full force and enforceable; and
- the target has implemented and maintained adequate measures to protect its business and trade secrets.
Typical warranties with respect to information technology would generally be shorter and cover:
- title in and to the target’s hardware and software;
- functionality of and absence of breakdowns for relevant IT systems; due maintenance (possibly including sufficiency to continue the business as before closing for a certain time period after closing); and that IT systems are sufficiently redundant and safeguarded;
- validity of agreements with third parties in relation to hardware or software (in particular, material or business-critical licensing, outsourcing or maintenance agreements);
- compliance with the terms of all licences in respect of open source software or any third party software;
- no disclosure of the company’s source code to third parties; and
- no infection by any material virus or other extraneously induced malfunction.
Typical warranties concerning data privacy commonly cover:
- compliance with data protection and privacy laws, contractual obligations, as well as internal and external (e.g. concerning customers) standards and policies in the areas of data protection and cybersecurity (usually heavily negotiated);
- the existence of a compliance management system that is able to ensure the fulfilment of these requirements;
- taking adequate technical and organisational measures to protect against cyber attacks;
- the installation and use of up-to-date and effective security programmes and standards that protect sensitive data (including personal data, customer and supplier data, trade secrets and other confidential information) from unauthorised access;
- if the IT is outsourced to external IT service providers, the existence of effective agreements on the protection of data and any indemnification for damages by the service provider;
- no (ongoing) investigations, lawsuits or threats of lawsuits concerning data security or data protection issues;
- the existence of guidelines, compliance manuals, contingency plans, etc, in the event of a cybersecurity breach;
- no past or present data breach or claim of such, resulting in damages, downtime, loss of or unlawful access to personal data; and
- no receipt of any written communication from any applicable authority alleging and/or enforcing non-compliance with any data protection law, or requesting an audit or compliance check relating to data protection law.
Considering the implementation of the GDPR and rising awareness for cybersecurity risks, there is a trend towards such warranties receiving greater attention by the parties involved in a transaction.
In asset deals, the warranties with respect to intellectual property and technology will typically be similar to the ones for share deals with the exclusion of such warranties that relate to a liability of the entity in itself rather than a liability in connection with certain IP assets or contracts. Since, in an asset deal, IP rights need to be individually identified and transferred, the sufficiency warranty (guaranteeing that the sold IP rights are sufficient to operate the business as before closing) may be of particular importance for the acquirer in deals where whole business units (not just single assets) are acquired.
Customary ancillary agreements
What types of ancillary agreements are customary in a carveout or asset sale?
Ancillary agreements customary in carveout or asset sales include:
- short form IP assignments that are typically executed for purposes of recording assignments;
- transitional trademark and other IP cross-licences;
- transitional services agreements;
- IT and data migration agreements; and
- agreements for the separation of IT system and sites.
What kinds of intellectual property or tech-related pre- or post-closing conditions or covenants do acquirers typically require?
Typical IP or tech-related signing or closing conditions include:
- obtaining (confirmatory) invention and IP assignments and confidentiality agreements from former and current employees and independent contractors (if such assignments were not previously obtained, are deficient, or to correct chain-of-title issues or ambiguities);
- third-party consents to change of control or assignment under material IP- or IT-related agreements with third parties or waivers of corresponding rights to terminate;
- amendments to material IP or IT contracts as may be required in order to successfully integrate the target into buyer’s business; and
- settlements or releases of outstanding adverse IP claims or actions.
Covenants will typically include specific restrictions on the target’s business between signing and closing to prevent a seller, among other things, from disposing material IP assets or entering into material licence agreements outside the ordinary course of business. Covenants may also include specific tasks for the seller, such as remediation measures, carrying out or renewing IP registrations or open source remediation measures by updating or replacing software to ensure compliance with open source licences and to eliminate potential inadvertent grants of open source licences or disclosure of source code to third parties. Remediation measures may also include clean-ups of cyber security incidents or improvements of compliance systems relative to cybersecurity.
Conditions to closing or covenants of the seller that apply to the period after closing may include:
- transitional trademark licences for any retained trademarks and licence or cross-licence agreements for any shared intellectual property; and
- entering into ancillary agreements, including supporting the transition of the business to the buyer’s IT systems.
Are intellectual property representations and warranties typically subject to longer survival periods than other representations and warranties?
In the German market, claims based on ordinary business warranties will typically survive for a period of 12 to 24 months from closing. Tech M&A transactions with material IP and technology assets will occasionally recognise longer limitation periods.
Breach of representations and warranties
Are liabilities for breach of intellectual property representations and warranties typically subject to a cap that is higher than the liability cap for breach of other representations and warranties?
With respect to liability caps, intellectual property, information technology and data privacy warranties will typically be synchronised with other business warranties, subject to few exceptions outside competitive auctions or especially focused on the acquisition of defined IP rights. Caps frequently range from 10 to 30 per cent of the purchase price for slight negligence depending on the target’s risk profile and due diligence results obtained by the acquirer. Liability caps are gradually declining owing to the increasing use of warranty and indemnity insurance where acquisition agreements tend to operate with a ‘zero liability concept’. Caps also tend to be lower for transactions with a volume of more than €100 million. Against this background, buyers of technology assets, especially from the United States, are pushing increasingly for higher caps specific to intellectual property, and technology warranties where intellectual property and technology constitute the main assets of the target.
Are liabilities for breach of intellectual property representations subject to, or carved out from, de minimis thresholds, baskets, or deductibles or other limitations on recovery?
In the German market, IP warranties will typically be subject to the same limitations as other business warranties. The same applies to warranties relating to the target’s technology, cybersecurity or data privacy. If and to the extent there are known IP risks (such as third-party claims or challenges to IP rights, or change of control issues), buyers will frequently seek specific indemnities from a seller that are not subject to the same type of limitations as apply to warranty breaches (see question 18).
Indemnities
Does the definitive agreement customarily include specific indemnities related to intellectual property, data security or privacy matters?
Specific indemnities usually cover risks identified through due diligence or disclosure that are not yet quantified and cannot be addressed through warranty claims to the extent they are known to the purchaser. Typical examples include financial risks associated with ongoing IP litigation or disputes, investigations, compliance breaches or data security incidents. Indemnification will typically be requested on a dollar-for-dollar basis (ie, without de minimis thresholds, baskets or deductibles). Depending on the financial exposure associated with the risks that form the basis for the indemnity and the value the parties associate with the respective IP right or other technology asset, the parties will discuss a cap for the liability a seller is prepared to cover. Indemnities will often be associated with the request of the seller to ‘hold back’ in escrow part of the purchase price to ensure recoverability of the financial risk covered by the indemnity.
Walk rights
As a closing condition, are intellectual property representations and warranties required to be true in all respects, in all material respects, or except as would not cause a material adverse effect?
It is fairly common that intellectual property, technology and data privacy warranties are given both at signing and closing. Having said this, ‘walk away’ rights for the buyer for breach of warranties and covenants are still rather uncommon (more frequently raised by US buyers) and, if applied, are usually limited to material warranty and covenant breaches or other material adverse effect type events, such as the occurrence of cyber attacks affecting the target business. A seller will perceive any walk away scenario without clear materiality qualifications as reducing transaction certainty, which makes this a heavily negotiated area for discussion when pushed by a buyer.
Updates and trends
Key developments of the past year
What were the key cases, decisions, judgments and policy and legislative developments of the past year?
On 26 April 2019, the German act that implements the Directive (EU) 2016/943 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure entered into force (GeschGehG). The GeschGehG in particular provides for specific civil law remedies in the case of unlawful acquisition, use or disclosure of business secrets, including claims to cease and desist, claims for information and claims for damages. To be protected, a business secret needs to have been subject to reasonable steps under the circumstances, by the person lawfully in control of the information, to keep it secret. It is expected that particularly in technology companies the determination of the ‘reasonable steps’ will become part of the compliance organisation.
The GeschGehG arguably further introduced a paradigm shift in German law, as pursuant to the GeschGehG reverse engineering can now be lawful under certain circumstances. Although the interplay with specific legal regimes on reverse engineering (eg, in respect of software code) is not yet entirely clear, it appears quite likely that the stricter rules will prevail. The holder of a business secret who wants to (further) restrict the right to reverse engineer will now have to contractually agree on such restrictions (thereby also taking into account limitations to such agreements as part of general terms and conditions even in a B2B context).
Implementation of compliance with the GDPR, which has been required since 25 May 2018, has been a hot topic and will remain so for years to come. This is mainly driven by drastically increased statutory fines and enforcement as well as potential group liability comparable to that under EU competition law.
Requirements resulting from the IT Security Act for operators of critical infrastructures also remain a hot topic in technology M&A.