New German Law on the Protection of Trade Secrets
Germany will introduce a new act on the protection of trade secrets; the legislator is expected to pass the new law in December 2018. As the term is used in Germany, “trade secrets” relate to both technical know-how (such as construction drawings, manufacturing methods, ingredients and recipes) as well as business information (such as customer data, purchasing prices and market studies).
Once the act is introduced, there will be substantial changes to the way trade secrets are protected in Germany. Due to the effects of a European Directive, some of the expected changes have already become relevant in June 2018 and enterprises doing business in Germany should be aware of the new opportunities, threats and requirements:
- Only information that is subject to actual and reasonable measures to maintain it secret will be protected as a trade secret. Such requirement did not exist in the past, and enterprises may have to react to this new requirement by adopting additional contractual, organizational and technical measures to protect their trade secrets. Also, in order to be in a position to enforce trade secret-derived claims against third parties, enterprises should immediately start documenting the measures they adopt to protect trade secrets.
- Reverse engineering (i.e. deconstructing a third-party product to reveal its design or to extract other information from the product) is permitted, except when otherwise contractually agreed. A general freedom to reverse engineer did not exist in the past, and enterprises may want to include clauses against reverse engineering in agreements with third parties such as their suppliers, customers or R&D partners. However, reverse engineering will still be possible for third parties (i.e., competitors which are under no obligation to refrain from reverse engineering). This poses new threats to the secrecy of information. Hence, enterprises may want to adjust their strategies for the protection of proprietary information, seeking a new balance between protecting secrets and obtaining IP rights such as patents.
- Under the new law, an enterprise may be liable for an infringement of trade secrets even if its management has not acted culpably. This facilitates enforcement against competitors, but at the same time creates a risk in terms of defending third-party claims. This new risk may influence the employment contracts that enterprises conclude with people that come to them from a competitor and that may bring with them information that is proprietary to their former employer.
Current Developments and Background
In Germany, a special act on the protection of trade secrets does not yet exist. And while regulations on trade secrets did exist, they were scattered over several acts and fragmentary in nature.
The impulse for the law on the protection of trade secrets came from the European Union Directive 2016/943, which is a Directive on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure. The Directive serves to harmonize the protection of trade secrets in Europe; it had to be implemented into national laws by 9 June 2018. Where the Directive has not been implemented yet, such as in Germany, individuals may to a certain extent rely on the Directive itself, arguing that the existing national law must be construed in a way that brings it in line with the Directive. Substantial new rules as discussed above (requirement of reasonable measure to protect secrecy; admissibility of reverse engineering; liability even without a culpable act) result from the Directive itself; hence these new rules are potentially relevant for any business now conducted in Germany since 9 June 2018 was the date when the deadline for implementing the Directive into German law expired.
In order to formally implement the Directive, Germany will pass a Trade Secrets Act (Gesetz zum Schutz von Geschäftsgeheimnissen). On 19 April 2018 a first draft of such an act was presented (the draft as well as an explanatory memorandum can be seen here are available at. The draft Trade Secrets Act provides companies with claims against infringers who unlawfully acquired, used or disclosed a trade secret. In addition to claims for damages, injunctive relief and information, companies may also have claims for recall and destruction of products that were manufactured and marketed as a consequence of infringement of a trade secret (Sections 5-7 of the German draft Trade Secrets Act). However, a mere pecuniary compensation, in the form of a notional license fee, may be paid to the infringed party (replacing any other liability) if the infringer did not act culpably and if a pecuniary compensation to the infringed party appears reasonably satisfactory (Section 10 of the German draft Trade Secrets Act). Also, claims do not exist as far as they would be excessive considering the specific circumstances of the case, including (1) the value of the trade secret, (2) the measures taken to protect the trade secret, (3) the conduct of the infringer in acquiring, using or disclosing the trade secret and (4) the impact of the unlawful use or disclosure of the trade secret (Section 8 of the German draft Trade Secrets Act). In addition to civil law claims against an infringer, consequences under criminal law will still be possible (Section 22 of the German draft Trade Secrets Act).
Furthermore, the German Trade Secrets Act will contain special provisions for trade secret litigation. A court will be able to classify a trade secret as confidential, and then the alleged infringer and its attorneys must treat the secret as confidential even after the end of the legal proceedings (Sections 15-17 of the German draft Trade Secrets Act). Also, and as a novelty in German procedural law, the court will be able to limit a party’s access to evidence embodying trade secrets (Section 18 of the German draft Trade Secrets Act).
It is expected that the German government will decide on the Trade Secrets Act by the beginning of August 2018, and after further legislative procedures the act may enter into force in late 2018.
Strategies for an Effective Protection of Proprietary Information
Enterprises doing business in Germany should consider the impact that the European Directive already has now, and they should consider the implications of the upcoming German Trade Secrets Act. And obviously, in the background is the ever-present threat to misappropriation of trade secrets: a study reports that 53 percent of German enterprises have fallen victim to economic espionage, sabotage or data theft in the past two years, resulting in an annual loss of around 55 billion euros.
All this suggests re-evaluating strategies for protecting proprietary information. Enterprises should double-check their approach to taking—and documenting—contractual and technical measures to protect secrecy. Doing so can help maintaining a good position in competition. But not doing so may put at risk that there is any legal protection for the information in the first place, and it may even make an enterprise’s management responsible for unintentionally losing protection of proprietary information.
The advisable confidentiality measures will depend on the specific circumstances of the case, such as the value of a given trade secret, its importance to the business and customary confidentiality measures in the relevant business. In any event, the explanatory memorandum on the German draft Trade Secrets Act clarifies that contractual provisions to protect secrecy as well as physical access restrictions may be appropriate. The following should be considered:
1. Identifying the important proprietary information
Companies should establish a process for identifying and categorizing proprietary information as well as the people who have access to the information and what the status quo of protection is. The aim of this process will often be to identify the perhaps 20 percent of existing information that is not easily accessible to competitors and that is of key importance for business success. This kind of information (the “crown jewels” of an enterprise) deserves effective protection.
Also, it is important to make the identification and categorization of proprietary information a continuous or regular process because new information may be generated continuously.
2. Mixing secrecy and intellectual property rights
A strategic decision should be made about the extent to which secrecy is best suited to protect proprietary information and where intellectual property rights such as patents should be obtained. Under the specific circumstances, one or the other may be better. For example, secrecy gives no protection against independent developments by competitors (or where one cannot disprove a competitor’s allegation that something has been developed independently). Also, maintaining secrecy of technical information may become increasingly difficult with powerful technical means of reverse engineering becoming available and with reverse engineering becoming basically admissible in Europe. In contrast to potential permissible reverse engineering of a trade secret, patents provide effective protection against a competitor’s later independent developments. Moreover, patents are easier to license and may be easier to use for advertisement and promotional purposes, if those are considerations. However, patents have a limited lifetime, make proprietary information available even in regions where no protection is sought, and involve associated costs such as annual renewal fees. Effectively protected secrecy does not come free of costs either, but an enterprise may be able to spread the costs of secrecy over a broad range of products.
Still it will often be possible to combine the advantages of intellectual property rights and protection of secrecy. While patents may be obtained for certain generalized aspects of a technology (which may be easily accessible by reverse engineering anyway), other more specific features of the technology can still be kept secret. For example, assume a certain chemical process is patented and if reverse engineered would show that certain catalysts are used. Aspects of such a process can still be kept secret, e.g., how the starting materials are made or at what temperature the chemical process should be run for an optimal result.
3. Organizational measures
Clear responsibilities and access rights should be defined for proprietary information. The more important secret information is for the company’s business, the more restrictive should access rights be granted. This applies both to internal access and to providing information to external parties such as customers; access to important and proprietary information may be granted on a need-to-know basis only. For example, even an enterprise’s own senior marketing manager may not need access to detailed technical information about ongoing product developments.
Since a significant real-life threat to secrecy results from employees’ lacking awareness or from targeted attacks against employees, it is helpful to establish a safety culture through regular training. This may include, for example, raising awareness towards social engineering approaches (that is, a competitor using psychological manipulation of employees into divulging secret information). Often advisable are also clear rules for dealing with private and business IT devices such as storage media, or for data that may be taken (or not) on business trips abroad.
4. Contract housekeeping
Enterprises should make use of available contractual means to protect secrecy. First, this concerns contracts with employees: explicit confidentiality clauses may become more important than they used to be. It can also be good to explicitly prohibit employees from using any information that is proprietary to their former employer. In addition, post-contractual non-compete clauses may be considered—but mainly in contracts with selected key employees because the clauses need to be drafted case-specific, and because a post-contractual restraint will incur costs for the employer.
Also, trade secrets need to be protected in contracts with third parties such as customers, suppliers, licensees or R&D partners. Non-disclosure agreements (NDAs) will often include contractual penalties because it can be difficult to establish any specific amount of damages that are suffered due to the unlawful disclosure of a trade secret, and because the penalty may have an extra deterring effect. In view of the new rules on reverse engineering it may also be chosen to include an explicit prohibition of reverse engineering in commercial agreements.
5. Technical measures
In addition to the above, it has been customary before and has become even more important now to establish IT measures to protect secret information, such as firewalls, encryption, monitoring access to information and rules on the use of private storage media.