New German law respecting the protection of trade secrets: Enterprises need to know about it

By Dr. Henrik Holzapfel and Dr. Martin Königs


Germany will soon introduce a new act respecting the protection of trade secrets that will substantially change the way trade secrets are protected in Germany. Some of these changes are already relevant today, and enterprises doing business in Germany should be aware of the new opportunities, threats and requirements.

Key takeaways

Germany is on the cusp of introducing a new act respecting the protection of trade secrets. The German federal government agreed on a draft act on July 18, 2018, and the new law is expected to enter into force in December 2018. As we use the term here, “trade secrets” relates to both technical know-how (such as construction drawings, manufacturing methods, ingredients and recipes) and business information (such as customer data, purchasing prices and market studies).

Once the new law enters into force, there will be substantial changes to the way trade secrets are protected in Germany. However, due to the effects of a European directive, some of the expected changes were already applicable on June 9, 2018:

Only information subject to actual and reasonable measures to maintain its secrecy status will be protected as a trade secret. This requirement did not previously exist, and enterprises may have to react to this new requirement by adopting additional contractual, organizational and technical measures to protect their trade secrets. Also, to be in a position to enforce claims against third parties related to trade secrets, enterprises should immediately start documenting the measures they adopt to protect their trade secrets.

Reverse engineering (that is, deconstructing a third-party product to reveal its design or to extract other information from the product) is permitted, except when otherwise contractually agreed. This freedom to reverse engineer unless otherwise specified is a departure from previous regulations, and enterprises may want to include clauses against reverse engineering in agreements with such third parties as suppliers, customers and R&D partners. However, reverse engineering will still be legal for third parties (that is, competitors are under no obligation to refrain from reverse engineering). Considering these new threats to information secrecy, enterprises may want to adjust their strategies for the protection of proprietary information and seek a new balance between protecting secrets and obtaining IP rights (such as patents).

Under the new law, an enterprise may be liable for infringement of trade secrets even if its management has not acted culpably. This facilitates enforcement against competitors, but also creates a risk when it comes to defending against third-party claims. This new risk may influence the employment contracts enterprises conclude with workers who were previously employed by a competitor and who may bring with them information proprietary to their former employer.

Current developments and background

The impulse for the new law respecting the protection of trade secrets was the European Union Directive 2016/943, a directive on the protection of undisclosed know-how and business information (trade secrets). This directive is intended to harmonize the protection of trade secrets in Europe. Its content had to be implemented in each country’s national law by June 9, 2018. Where the directive has yet to be implemented — and Germany is one such instance — individuals may, to a certain extent, rely on the directive itself, if necessary arguing that existing national law must be construed in a way that brings it in line with the directive.

In order to implement the directive, Germany will pass a Trade Secrets Act (Gesetz zum Schutz von Geschäftsgeheimnissen; drafts as well as an explanatory memorandum can be viewed by clicking here). The draft Trade Secrets Act sets out types of claims for companies against infringers who unlawfully acquired, used or disclosed a trade secret. In addition to claims for damages, injunctive relief and information, companies may also make claims relating to the recall and destruction of products. However, a mere pecuniary compensation, in the form of a notional license fee, may be paid to the infringed party and replace any other liability if this appears reasonably satisfactory. Also, claims do not exist as far as they would be excessive considering the specific circumstances of the case, including (1) the value of the trade secret, (2) the measures taken to protect the trade secret, (3) the conduct of the infringer and (4) the impact of the unlawful use or disclosure of the trade secret. In addition to the option to make civil law claims against an infringer, it will still be possible to prosecute under criminal law.

Furthermore, the German Trade Secrets Act will contain special provisions for trade secret litigation. A court will be able to classify a trade secret as confidential; consequently, the alleged infringer and the infringer’s attorneys must treat the secret as confidential even after the end of the legal proceedings. Additionally — and this is a first in German procedural law — the court will be able to limit a party’s access to evidence containing trade secrets.

Strategies for effective protection of proprietary information

Enterprises doing business in Germany should consider the implications of the new law. Of course, this is all set against the backdrop of the ever-present threat of trade secret misappropriation: A study reports that 53% of German enterprises have fallen victim to economic espionage, industrial sabotage or data theft in the past two years.

All of this demonstrates the wisdom of reevaluating strategies for protecting proprietary information. Enterprises should double-check the measures they have implemented to protect information secrecy. This process may help keep a company competitive. Failing to work through this process, on the other hand, may leave proprietary information without any legal protection, and it may even leave an enterprise’s management unintentionally responsible for that loss of protection.

The advisable confidentiality measures vary on the basis of the specific circumstances surrounding the trade secret (such as its value), its importance to the business, and customary confidentiality measures in the business’s field. In any event, the explanatory memorandum on the German draft Trade Secrets Act clarifies that both contractual provisions to protect secrecy and physical access restrictions may be appropriate. The following should be considered:

Identifying the important proprietary information

Companies should establish a process for identifying and categorizing proprietary information as well as determining who has access to the information and what the current level of protection is. The aim of this process is (often) to identify existing information that is not easily accessible to competitors and is of key importance to the business’s success (often in the range of around 20%). This kind of information — the “crown jewels” of an enterprise — deserves effective protection.

It’s also important to make the identification and categorization of proprietary information a continuous or regular process, as the flow of new information is typically constant.

Mixing secrecy and intellectual property rights

A strategic decision should be made about the best way to protect proprietary information; sometimes this means secrecy, sometimes it involves the procurement of intellectual property rights such as patents. The best option will depend on the circumstances. For example, secrecy does not protect against competitors independently developing a very similar product. Also, keeping technical information secret may become more and more difficult with the advancement of powerful tools for reverse engineering. Another consideration may be that patents are easier to license and may be easier to use for advertising and promotional purposes. It will often still be possible to combine the advantages of intellectual property rights and secrecy protection.

Organizational measures

Responsibilities and access rights should be clearly defined. This applies to both internal access and the provision of information to such external parties as customers — access to important and proprietary information may be granted only on a need-to-know basis: For example, even an enterprise’s own senior marketing manager may not need access to detailed technical information about ongoing product developments.

Since a significant real-life threat to secrecy results from a lack of awareness among employees and targeted attacks against employees, it is helpful to establish a security-minded culture by means of regular training. This may include, for example, raising awareness about social engineering tactics (that is, a competitor psychologically manipulating employees into divulging secret information). It’s also often advisable to set out clear rules for handling private and business IT devices such as storage media as well as for handling data that may or may not be taken on business trips abroad.

Contract housekeeping

Enterprises should make use of available contractual means to protect secrecy. Above all, this concerns contracts with employees: Explicit confidentiality clauses may now become more important. It may also be well advised to explicitly prohibit employees from using any information proprietary to their former employer. In addition, postcontractual noncompete clauses may be worthy of consideration, at least in contracts with key employees.

Trade secrets also need to be protected in contracts with third parties such as customers, suppliers, licensees and R&D partners. Nondisclosure agreements (NDAs) often include contractual penalties. In view of the new rules regarding reverse engineering, a company may also choose to include an explicit prohibition of reverse engineering in commercial agreements.

Technical measures

In addition to the above, now more than ever, it’s particularly important to establish IT measures to protect secret information. These efforts include firewalls, encryption, monitoring access to information, and rules regarding the use of private storage media.
