Protection
Legislation and legal definitionWhat legislation governs the protection of trade secrets in your jurisdiction? How is a ‘trade secret’ legally defined?
Trade secrets are mainly covered by the new Trade Secret Act (GeschGehG), which implements Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of confidential know-how and confidential business information (business secrets) against unlawful acquisition, use and disclosure, and entered into force on 26 April 2019. Trade secrets may also be protected in parallel by claims based on other acts (for example, by the Act Against Unfair Competition). However, these acts regularly have a different scope of protection outside of the GeschGehG and therefore usually require special accompanying circumstances.
Under section 2, paragraph 1 of the GeschGehG, ‘trade secret’ is legally defined as:
Ownershipinformation that is not, either as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons in the circles that normally deal with the kind of information and that is therefore of commercial value; that is subject to reasonable steps under the circumstances, by its rightful owner, to keep it secret; and where there is a legitimate interest in confidentiality.
How is ownership of a trade secret established?
The GeschGehG and Directive (EU) 2016/943 do not use the term owner. While secret know-how has been qualified as economic asset closely resembling an ownership right, it has not been qualified as full property right. The new act has narrowed this gap further since it contains provisions dealing with the fungibility of secret information. However, the term used is ‘holder’ (inhaber). The trade secret holder is any natural or legal person lawfully controlling a trade secret (see section 2, paragraph 2 of the GeschGehG). This means that, with regard to the same information, more than one holder may exist provided that the trade secret was acquired lawfully and the holder exercises control, which is more than actual knowledge of the secret and comprises legal and factual dominion, such as by the employer in a labour relationship. Such control may be the basis of licensing a trade secret.
SecrecyWhat criteria are used to establish the state of secrecy of a trade secret before misappropriation or disclosure?
The GeschGehG provides for the requirements in section 2(1) of the GeschGehG to be met. Unlike the absolute ‘novelty’ requirement set out in Germany’s patent law, information is protected as trade secret if it 1) is not easily accessible to third parties active in the relevant field of knowledge and 2) has a commercial value. The threshold for establishing such value will usually not be very high. However, while under the old law only a perceivable will to maintain secrecy was required, the GeschGehG now requires that steps have been taken by the holder to maintain secrecy under the circumstances. A lack of appropriate confidentiality measures has the consequence that the protection of a trade secret based on the GeschGehG is lost.
The required steps are not defined in the act and criteria have only been partly defined through case law since 2019. Hence, there are no uniform requirements for the protection of trade secrets and the courts decide on a case-by-case basis. Adequate protection does not require the best possible protection, so as not to restrict the concept of secrecy too much. The trade secret holder should at least be able to prove that a protection concept tailored to the respective trade secrets was applied. In this respect, pure general references to technical IT security measures or access controls to the business premises typically do not meet the requirements for demonstrating an appropriate confidentiality protection concept. With regard to the criteria to be used to establish the state of secrecy in a protection concept, the legal literature recommends implementing a three-part distinction between top secret (highest protection level), important (medium protection level) and sensitive (low protection level) information.
Minimum standards defined by case law are, for example, complying with a need-to-know principle, eliminating emerging data leaks, and prohibiting employees from storing electronic files (without password protection) on private data carriers.
Further, generally held employment contract provisions that extend boundlessly to all company information received during the employment relationship (‘catch-all clauses’) are seen as critical if relevant trade secrets are disclosed on the basis of such agreements.
Further examples of possible confidentiality measures, mentioned by the legislator in the explanatory memorandum to the GeschGehG, are technical access barriers (access locks, spatial access protections, cybersecurity measures, etc), general internal guidelines and instructions, and labour law security mechanisms.
Commercial valueHow is the commercial value of a trade secret established?
There is no legal definition of the ‘commercial value of a trade secret’ required for information to be protected as a trade secret. The threshold should, however, be very low and information should only be excluded if it is ‘irrelevant’ and has no value from an economic point of view.
Protective measuresWhat criteria are used to determine whether the rights holder has adopted reasonable protective measures to prevent disclosure and misappropriation of trade secrets?
The GeschGehG does not require specific protective measures. The required minimum steps by the holder under the circumstances required for protection as a secret are emerging on a case-by-case basis, in other words, as precedents. Reasonable protective measures will probably be defined by reference to actual practice in the concerned industry sector and with regard to the category of trade secret concerned. Because duties to maintain secrecy are usually included in labour and service agreements and in non-disclosure agreements with commercial partners that may involve communication of confidential information, such legal precaution will usually be required. However, recent case law by labour courts points into the direction that broad catch-all secrecy provisions in labour contracts alone may not be sufficient and that the concerned information may need to be more precisely defined therein. It may also not be excluded that certain internal information management measures may be required, such as access to secrets on a need-to-know basis and the identification and categorisation of trade secrets based on importance. This highlights the need for inventory, documentation and classification of information; organisational measures such as intellectual property compliance management, including instruction of employees and monitoring and controlling of security measures (the presentation of a protection concept has already been considered a basic requirement in some court decisions); restriction of the persons getting access to information; non-disclosure agreements (NDAs) that are not too general; technical access protection (password and encryption); and evidence-securing measures to enable legal prosecution, such as digital watermarking and signatures.
Best practicesWhat best practices and internal policies should rights holders consider to ensure maximum protection of their trade secrets?
Trade secret rights holders should not limit protective measures to confidentiality agreements alone, and should also take steps to manage the handling of trade secrets by organisational measures. They must also be able to prove to the satisfaction of a court that they have taken the appropriate measures to protect their trade secrets to prove their claims. This requires policy and internal protection measures within the organisation of the right owner. Some of these measures are:
- systematic use of NDAs - whenever trade secrets are shared with third parties, such as employees, suppliers, cooperation partners and external consultants - that reasonably specify the categories of secret information. If clauses with employees are broad and unspecific, secrets should be specifically addressed when the employee leaves the company;
- restrictions to physical and IT access to trade secrets on a need-to-know basis (role model); and
- classification of trade secrets considering their value and sensitivity and applying customised measures concerning the different levels of secrecy, namely:
- the higher the level of secrecy, the more restrictive the numbers of persons who are given access should be; and
- the higher the technical access protection, the more specific NDAs governing the confidentiality of the trade secrets should be.
The above ultimately requires that there are processes in the rights holder’s organisation that serve to identify and document trade secrets with a view to categorising their importance so that they may be assigned a relevance level, which, in turn, determines the level of protective measures. These processes also comprise the management of NDAs and the information disclosed and received under each such agreement.
Such documented measures also assist in proving and defining the concerned trade secret in the event of misappropriation - an enforcement aspect that too often causes practical difficulties, except in simple clear-cut cases, such as misappropriated customer databases.
