The new European Union (EU) directive on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure (the “Directive”) was adopted on 8 June 2016 and Member States were required to comply with the Directive by 9 June 2018. Laws relating to trade secrets have varied across the EU in the past with some Member States having fragmented laws or protections derived from common law. However, the new Directive will change this and introduce a more uniform approach across the EU.
Progress has been made in each Member State towards implementing the Directive. A number have introduced new trade secret laws in order to implement it, such as in the United Kingdom, Hungary and Belgium, whereas other Member States have implemented the Directive by amending existing legislation, such as in Poland and Slovakia. There are also a number of Member States which have not yet completed the legislative process, such as Germany and Spain. The degree of implementation required in each Member State necessarily varied depending on the protections already in place.
Overview of the Directive
The overall aim of the Directive was to harmonise the protection of trade secrets across the EU by defining a “trade secret” and creating a minimum level of protection. The Directive sets out what would be considered a lawful acquisition, use and disclosure of a trade secret and what would be unlawful. It also clarifies the remedies available to trade secret holders, both in terms of interim and final relief.
Under the new definition, information is considered a trade secret if:
- it is secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question;
- it has commercial value because it is secret;
- it has been subject to reasonable steps under the circumstances, by the person lawfully in control of the information, to keep it secret.
The most notable element of the new definition, which is novel to a number of Member States including the United Kingdom, is the third element. Briefly, a company will have to show that they have actively taken steps to identify and protect their trade secrets. If they are unable to show that such steps have been taken, the information may lose its trade secret status.
A key question is therefore what would constitute “reasonable steps” for these purposes. Unfortunately, the Directive does not expressly set out what steps a company is required to take. Looking back to the origin of the requirement for protection, the Agreement on Trade Related Aspects of Intellectual Property Rights (TRIPS), an international agreement between member nations of the World Trade Organisation, similarly sets out a three-part definition in connection with the protection of undisclosed information. Previously, this agreement guided Member States which did not have a specific legislative definition of a trade secret. However, again, the agreement does not specify the required steps.
The infancy of the Directive and the new implementing local laws means that there is also limited case law to assist in interpreting “reasonable steps”. However, some national courts have considered the issue in assessing trade secret violations under their national laws and this may provide some guidance as to what would constitute reasonable steps under the Directive.
For example, the Spanish case of Civil Judgment No 441/2016, Provincial Court of Madrid, Section 28, Rec 11/2015 of 19 December 2016 considered the disclosure and exploitation of trade secrets and noted that the concept of secrecy had developed from TRIPS. In this case, the Spanish courts found that the confidential information should not be considered secret. In reaching this conclusion, the court assessed whether the necessary measures had been taken to maintain the secrecy of the information. The court suggested that the steps to avoid disclosure should be “adequate and reasonable” and should be taken both externally and internally. The external steps should prevent third parties from accessing the information and the internal steps should limit access to “employees and collaborators” who know or handle the information.
An Austrian case, namely Austrian Supreme Court, Decision No 4 Ob 165/16t of 25 October 2016, also provides some assistance with understanding the scope of the concept of “reasonable steps”. This case concerned a security breach and the Austrian court found that under national law the trade secret holder had adequately demonstrated their intention to keep the information secret. Their efforts included maintaining a logging system with a username and password and ensuring that only a limited number of identified people knew the information. This was the case even though there had been a security breach. The court made reference to the Directive and concluded that their interpretation aligned with the third element of the new definition. This case demonstrates that the Directive does not require that the owner of the trade secret must successfully keep the confidential information secret, but rather states that they must be able to demonstrate that they had taken reasonable action to try maintain its secrecy.
Notably, the Defend Trade Secrets Act of 2016 (the “DTSA”) in the U.S. requires comparable steps to be taken in order for information to be considered a trade secret. The definition introduced by the DTSA requires the owner of the trade secret to take “reasonable measures” to keep the information secret and the information must derive “independent economic value” from being secret. The enactment of the DTSA increased the protection afforded to trade secrets in the U.S. consistently with aim of the Directive to strengthen protection across the EU.
Whilst, the two above cases provide some guidance as to how the courts may approach the new definition, generally it is advisable for a company to have an appropriate organisational structure and adequate internal procedures to record, store and protect trade secrets. In order to do this, a company should consider taking the following steps:
- identify their trade secrets;
- develop procedures for protecting data;
- restrict access to trade secrets and limit their distribution;
- establish a trade secrets policy, which would cover how trade secrets should be managed;
- ensure employees sign a document confirming they have read and agree to the policy;
- review employment, partner, customer and supplier contracts to ensure they cover trade secrets and strengthen them if required;
- use Non-Disclosure Agreements and ensure they are followed;
- provide training to anyone who may have access to confidential information which could be considered a trade secret;
- require exiting employees to sign a document to confirm they have returned all information in their possession which could be considered a trade secret;
- designate a team to have ultimate responsibility for protecting trade secrets;
- monitor IT and security systems and ensure they are kept up-to-date; and
- be alert to the risk of trade secrets entering the company.
Overall, the new Directive aligns the laws of the Member States and will enhance the protection of trade secrets across the EU. In doing so, however, it does put an extra burden on companies to take active steps to protect their trade secrets. The more established the company’s policies and procedures are and the more control the company appears to have over the access and use of their trade secrets, the more likely the company will be to satisfy the requirement. More clarity on the reasonable steps requirement will emerge over time as the Directive is interpreted by the courts. Until then, however, companies should actively consider what trade secrets they have and how best to protect them.