I. Background to the new regulations

Slightly delayed Germany has now finally transposed the European Directive 2016/943/EU on the protection of confidential know-how and confidential business information against illicit acquisition, use and disclosure (“Directive on the Protection of Secrets”) into national law. The so-called German Trade Secrets Act (TSA) now combines all rights related to business and trade secrets and thus creates its own set of rules with protection rights that are strongly based on the protection rights regarding intellectual property.
Independent of branch of industry, know-how is of high economic value. Thus, the loss of know-how to competitors poses a grave threat to the market position and can cause considerable damage. Whereas patents, registered designs or intellectual property rights are particularly protected, data from customers and suppliers, calculations, business strategies, (unless subject to mandatory publication) balance sheets or other technical information do not enjoy this protection, even though they can be as valuable for businesses as the aforementioned. The TSA is now intended to remedy this situation by bringing at least the protective rights of the owner of the confidential information closer to those of the intellectual property rights.

II. Changes in content

The new regulation, however, does not only bring advantages. Due to the harmonization of the national legislative provisions of the Member States, German entrepreneurs are confronted with a drastic change in the protection of secrets.
Up until now, internal company information had already been protected as a trade secret if the will of the business owner to maintain secrecy was clearly apparent. Now, with the introduction of the TSA, it is necessary to firstly classify the information as confidential and then, secondly, to protect it by taking appropriate confidentiality measures. Which measures are deemed appropriate is a question of the individual case, the answers to which may vary according to the information provided.
Excluded from protection of the TSA are public information, information which employees regularly obtain during occupation and information that is generally known to or easily accessible by a group of people who would normally deal with such information.
The ‘legalization’ of ‘reverse engineering’ is particularly incisive. According to section 3 section 1 no. 1 TSA, trade secrets can legally be obtained through independent discovery or creation, as before. However, contrary to the previous legal situation, now even the discovery by observing, investigating, dismantling or testing of the product of another company is admissible, section 3, para. 1 no. 2 TSA (‘Reverse Engineering’). This means, a company that buys a competing product, disassembles and examines it, can generally use the knowledge gained for its own products. The patent law remains unaffected by this, though through this, there are considerable gaps in protection for the company.
Under the previous law, the jurisdiction had already assessed the secrecy protection against freedom of the press and freedom of expression on a case by case basis. So far, there had been no legal regulation or clear-cut case groups. According to the new legal situation (section 5 TSA), trade secrets are generally unprotected in those cases, where there is a legitimate interest to obtain, use or disclose them. Protected by this are especially investigative journalism (section 5 no. 1 TSA) and whistleblowing (section 5 no. 2 TSA). Whistleblowing is permitted, whenever it is suited to protect the general public interest. Secretly selling sensitive business data to competitive businesses should not be covered by this, the notification to an authority or to the media, however, should. As long as the publication of the information is suited to protect the public interest, other motives, for example, revenge, are therefore not excluded.

III. Consequences for entrepreneurs

There are many facets to the new rules for protection of trade secrets. So far, the focus has been on finding out what the appropriate protection measures are in each individual case. This first step is absolutely necessary and must not be neglected. Particularly in the event of a later judicial assertion, the burden of proof for the ‘adequate precaution’ lies with the entrepreneur.
But there are further aspects which must not be neglected: An unintentional publication of secrets and an authorized unrestricted access to information. Under the TSA, the former leads to a loss of all protection. With the latter, Reverse Engineering or Whistleblowing can occur.
Thus, the minimum requirements for the handling of business secrets shall be clarified hereinafter, as well as the consequences within the scope of transactions and in relation to employment relationships.

1. Obtaining the original protection

In order to benefit from the TSA, new requirements have been set. In one point, however, one can be relieved – especially with regard to data, e.g. customer data, which is already subject to a certain security standard under the General Data Protection Regulation (GDPR) and which, in most cases, can be protected as applicable under the GDPR. The GDPR’s high requirements will probably also be appropriate for the protection of trade secrets. This, however, should be evaluated on a case by case basis. Furthermore, entrepreneurs should proceed in accordance with a strict test sequence, which shall also be comprehensibly documented. This could be as follows:

• Identification all of the information to be protected and detection if, in accordance with TSA, they are worthy of protection (in particular not “usually known” and not published)
• Classification of the information to be protected in (at least) the following areas: Information requiring special protection (referred to in literature as ‘crown jewels’, with the highest level of protection), important information (with a high security standard) and sensitive information
• Determination of respective security measures

According to the legislative draft statement of the German Federal Government, the specific security measures to be defined can be oriented on the following criteria:

• Value of the trade secret and its costs of development
• Nature of the information
• Significance for the company
• Size of the company
• Company’s common security measures
• Type of labelling of the information (please refer to the aforementioned classification)
• Agreed contractual arrangements with business partners and employees

The entrepreneur can only assert rights arising from TSA in relation to specific information if evidence of adequate security measures can be provided. Here, it is particularly important not to apply the same security measures to all information, unless a very high overall level of protection is achieved. Otherwise, on the basis of the value of the information and its importance for the company, a security measure could again be recognized as inappropriate, since any other “less important” information has the same protection.

2. Impact on transactions

According to TSA, the entrepreneur can only reach protection for trade secrets as long as and to the extent that the information has not been made publicly available or the person who lawfully obtains knowledge of the information is not restricted in obtaining the trade secret.
So far as the information, classified as trade secret to be protected and accordingly secured, only is made available to an investor/purchaser (e.g. during a Due Diligence process), the standard Non-Disclosure Agreement ‘NDA’ can prevent an unauthorized use, in particular Reverse Engineering. However, it must be observed that the typical standard NDA do not completely offer this protection. Thus, Reverse Engineering generally remains admissible, though the knowledge gained through this cannot be used, due to the other provisions of the NDA. If Reverse Engineering itself is to be ruled out in future, the relevant contractual documents would have to be adapted.
In the scope of a bidding process, the provision of confidential information can be problematic. Especially if mainly competitors/co-bidders are involved, this could be equivalent to a ‘disclosure’ of or ‘publishing’ the trade secret. So far, there is no experience in this regard. Though it is recommended to pay more attention to aspects of secrecy protection within the framework of corporate transactions, as, according to the TSA, once a publication is made it leads to the loss of legal positions. From this moment on, the information will no longer be considered a trade secret.
With regard to rights of access regarding information to be protected by TSA, a step-by-step approach should be chosen, similar as with the implementation of the GDPR, where at first only information is provided, which is available without restrictions or such information that are among the least sensitive information. However, the information most important, the so-called crown jewels, should only then be made available, if this has become necessary according to the status of the transaction.

3. Dealing with employees

In regard to trade secrets, employees are the biggest “risk”. In many cases, employees are “whistleblowers” who have been granted with a wide scope for the detection of grievances by TSA. In addition, after termination of employment much of the information to be protected is very often taken by employees from one place of work to the next. There, unless contractually restricted, the use of information through the employee could lead to a self-made trade secret, which the new employer could protect accordingly.
Companies will increasingly come into conflict with alternative forms of employee participation. In recent years, more and more emphasis has been placed on transparency towards employees and access has been granted to them in order to create a better involvement of the employees, but specialist literature nowadays only speaks of the ‘need to know’ principle. For adequate protection of trade secrets, employees are only granted with access to identified information and only to the extent necessary for work.
Regardless of whether it is feasible to achieve a compartmentalization of the information among the employees, it is safe to say that a stronger focus should lay on the contractual designs. The contractual restrictions on the use of obtained information in accordance with TSA in particular offers an opportunity to secure the information even after termination of the employment relationship.

4. Claims for infringement

The now regulated claims in the event of infringement of TSA are, however, to be welcomed. Since TSA has come into effect, trade secret holders have the option to demand that products, in which the trade secret is embodied, are, among other things, to be destroyed or removed from the market (section 7 TSA). The individual claims are designed to be independent of fault, they must, however, be proportionate in the individual case. According to section 8 TSA, the right to information shall also be included in these claims, as well as the right to compensation (section 10 TSA). The latter, however, is with a fault-dependent design, which means for the claim for damages it is decisive whether the infringer has obtained the trade secret intentionally or negligently.
The legal consequences defined within TSA thus comply with current claims in patent and trademark law. In the explanatory memorandum to the Act, reference is therefore also made in part to the rulings on the claims governed by the individual provisions with regard to their interpretation.
Companies should take note, that, according to section 14 TSA, an “abusive” assertion of claims leads to a cost reimbursement claim of the opponent. Whether an assertion of claims is to be regarded as abusive shall be judged by the standard of good faith. According to the explanatory memorandum, it will be considered as an abusive assertion of claims, if claims are made in order to unreasonable delay the opponent’s access to the market.

IV. Forecast

In order to be able to effectively protect trade secrets in future, an examination of all unpublished information of the company is essential, as well as a review of contractual documents. In many cases, a subsequent amendment will be vital. In particular, confidentiality clauses in employment contracts and NDAs ought to be amended accordingly.
It is also recommended, that NDAs are indefinitely valid and to explicitly exclude Reverse Engineering.