Companies having just faced the initial hype around the General Data Protection Regulation (which entered into force at the end of May this year) have just noticed that another new European Regulation has somewhat gone under the radar and escaped their notice. Few noticed that European Parliament and the council of the European Union on June 2016 have passed directive (EU) 2016/943 on the protection of undisclosed know how and business information (trade secrets) against the unlawful acquisition, use and disclosure. Other than a regulation such as GDPR the directive is not directly applicable within the EU, but has to be translated into national laws within a two year implementation period. Germany has – once again – missed that deadline which leads to the consequence, that German courts now have to interpret German law in accordance with the directive although no corresponding German law has yet been past. Nonetheless companies, whose business is based on the protection of business secrets, must act immediately in order to protect their business interests.
New definition of “trade secret” – old clauses useless
The need to act results from a new definition of the term “trade secret” in article 2 (1). The respective definition reads as follows:
“For the purposes of this directive, the following definitions apply:
(1) “Trade secret” means information which meets all of the following requirements:
(a) It is secret in the sense, that it is not, as a body or in the precise configuration and assembly of its components, generally known among already accessible to persons within the circles that normally deal with the kind of information in question;
(b) It has commercial value because it is secret;
(c) It has been subject to reasonable steps under the circumstances by the person lawfully in control of the information, to keep it secret;…”
The main difference from the previous definition is article 2 no. 1 (c) of the directive. Following this part of the definition there will be no trade secret anymore, as long and as far a company has not taken “reasonable steps under the circumstances… to keep it secret”.
German law until now works under the assumption, that employees are by law obliged to keep confidential all business and trade secrets and further internal information of their employer. Thus it was not deemed necessary to have a respective confidentiality clause in the employment contract. Such clause, which is frequently used, has been seen as a here declaration of an obligation, which exists anyhow.
Following the new directive it is now clear, that such broad definition will not be sufficient anymore and that employers need to clarify, which information is secret and which is not. Apart from a clear statement of the company it needs to demonstrate “reasonable steps” which have been taken to maintain the secrecy of the information.
Main issue – what are “reasonable steps” under the directive?
There is no definition of “reasonable steps” in the directive itself. In the discussion among legal practitioners following the introduction of the directive it has become clear – however – that it is a combination of technical and legal measures which is needed to demonstrate to employees, third parties and courts which kind of information is deemed to be a business / trade secret. Especially confidentiality agreements with those employees having access to company secrets will be necessary. In that context it needs to be mentioned, that „catch all“ clauses will not be sufficient, but that it will be rather important to clearly define the secret that needs to be protected. Without such clear confidentiality clause, there is a considerable risk that confidential information will legally not be recognized anymore as a trade secret and thus cannot be protected against third parties in court.
As far as a company is working with employees of third parties or temporary leased personnel confidentiality agreements will as well play a much bigger role than before.
A careful drafting of such clauses (or policy) is needed, since the directive keeps up the differentiation between the confidentiality of trade secrets versus the allowed use of knowledge that has been gained during occupation (in order to ensure the free mobility of employees guaranteed by the EU constitution).
Urgently required: Status Quo Analysis and confidentiality concept
The first step in each company to safeguard the protection of trade secrets will be to determine its internal organization, which is responsible for the organization of confidentiality. Thus, it will be useful to appoint a high-level employee responsible for the coordination for the relevant departments such as IT, HR, Legal, R&D and eventual other relevant departments.
In a second step a Status Quo Analysis will have to done which differentiates between highly important secrets, where a breach would endanger the future of the whole company from strategic risks (where a breach of confidentiality could lead to substantial financial damages) and finally lower risks (where a breach of confidentiality would cause minor damages, which are – however – manageable).
Further, depending on the type of risk category, the appropriate measures need to be determined. Technical measures such as data accessibility and control measures need as well to be taken into account as legal measures such as the introduction of an IT-policy and appropriate confidentiality agreements.
Employment Contract Management
The tasks for HR are clearly defined. As soon as it becomes clear, which employee is considered to be an owner of trade secrets (and must be for employment purposes), appropriate new confidentiality agreements/policies need to be drafted and implemented. It will be the task for the person responsible for the confidentiality management to constantly update all agreements and policies in accordance with changing work environments and fluctuation.
Only in those cases, where employees have no access to business and trade secrets at all a general clause as it is currently used might be sufficient.
Summary and Outlook
The EU directive creates an immediate need to do a thorough analysis of the business and trade secrets management and eventually an adjustment of all relevant agreements and policies. The upcoming German legislation must be taken to account, but the measures described above will not substantially change, since Germany is bound by the general guidelines and definitions of the directive.
Please don’t hesitate to contact us in case of any questions. We are available to support you in the introduction of your business secrets management system and the drafting of all respective policies and agreements.