Trade Secret Protection in Germany an Update

What you need to know

• Just over three years ago, trade secret protection in Germany was put on a new legal basis with the Trade Secret Protection Act ("TSPA"). 

• The TSPA changed the requirements for trade secret protection significantly. 

• Since then, various court rulings have given valuable insight into how the TSPA is to be interpreted and what steps companies need to take to be able to rely on the protection awarded under the TSPA. 

What you need to do

• Check your trade secret protection scheme against the TSPA and the findings by the courts outlined below to ensure your trade secrets are sufficiently protected.
• Especially, make sure you have implemented the required "adequate protection measures" by relying on a combination of technical, organisational and contractual steps. 
• Prepare for the worst case by thinking about how you would react to a misappropriation of your trade secrets and how you would be able to show a court that you took all the steps necessary. If you start doing this once a breach has occurred, it might be too late. 

The (still quite new) Trade Secret Protection Act

In 2016, the European Union presented the Know-how directive (2016/943), aiming to harmonise and strengthen trade secret protection in all member states. 

With some delay, Germany in April 2019 implemented this Know-how directive by adopting a new law, the Trade Secret Protection Act ("TSPA"). This meant a major change for trade secret protection in Germany: Trade secret protection was given an act of its own, and it was no longer hidden in the rear part of the German Unfair Competition Act. 

Most importantly were two changes: First, a legal definition for trade secrets was adopted. Prior to the TSPA, this had been determined by courts based on individual cases. And second, a trade secret under the new code only enjoys protection if it is subject to "adequate protection measures" by its owner. Under the old regime, no such active measures were necessary, and the owners of the trade secrets could rely on courts honouring their implied will to keep valuable information secret. 

What case law has taught us (so far)

Three years have passed since the TSPA was adopted, and we can already rely on a number of court rulings to gain insight into how the TSPA is handled in practice and interpreted by courts. 
This insight is highly valuable when checking your own trade secret protection measures to see whether they hold up to the requirements set by the law and the courts. 

So what have we learned? 

There is more than one form of trade secrets

The TSPA – in a nutshell – defines a trade secret to be any information that is secret (ie not generally known) and thus of commercial value, is subject to adequate protection measures, and can claim a legitimate interest to be protected. 

Although one of the main benefits of the TSPA was stated to be the existence of a uniform legal definition of trade secrets, courts made it clear immediately that the definition from the TSPA is not to be applied everywhere:

Where trade secrets are used to defend against third party claims, the previous definition (determined by courts) still applies. Especially, this was decided for investigations for supposed patent infringements: German law provides for the possibility to have an expert investigate the machine or premises of a supposed infringer to determine whether indeed an infringement had occurred. The defendant will almost always try to prevent the expert report from being provided to the plaintiff (usually a competitor) by claiming that the report contains trade secrets. The Higher Regional Court Dusseldorf – the most important court in Germany for such proceedings – clarified that in these investigation proceedings, the "old" definition of trade secrets still applies. 

The same was decided for public law information claims. In one case, a journalist relied on a public law information claim to be provided with information about a meeting between the German transport minister and the CEO of Volkswagen regarding illegal software. The ministry invoked trade secret protection on behalf of Volkswagen to deny such request, and the court found the definition of the TSPA to be not applicable.

In these situations, trade secrets thus still can enjoy protection even if they do not fulfil the requirements under the new law, especially even if they have not been made subject to adequate protection measures. The binding link between both situations describe above and the rationale behind these court decisions is that in both situations the trade secret is "ripped away" from its owner, whereas under the TSPA, the owner himself raises claims based on its trade secrets and thus makes active use of them. 

Thus, trade secret owners may enjoy a broader scope of protection where trade secrets are used as a defence. 

What qualifies as trade secrets

Most of the court decisions handed down since the TSPA entered into force relate to "classical" types of trade secrets such as construction drawings and customer information, but nevertheless give valuable insight into how far this term might stretch: 

• Metadata of files, such as file size, file type, and file name, can be trade secrets if they provide information on, eg the software type used or the efforts invested. 
• Documents that contain both, information from the public domain and proprietary to the trade secret owner (such as eg construction drawings) can be protected as a whole. 
• Even documents that contain only publicly available information (eg market data) can be a trade secret if the specific combination and evaluation of this data is not publicly available. 
• Private notes of employees about eg customer meetings and volumes of previous sales are (in general) trade secrets, and belong to the employer, just like if these had been recorded on the company system instead of in a private calendar.

The measures you need to implement 

What measures need to be implemented to still be able to rely on trade secret protection was – and is – the most discussed topic surrounding the TSPA. And rightly so, since failure in this regard will not decrease your trade secret protection – but destroy it altogether. There is no grey area, its either black or white. 

Especially rulings by the Higher Regional courts of Dusseldorf, Hamm and Stuttgart are a worthwhile read. The principles that can be derived from these are the following: 

• Protection does not need to be "perfect". But it must be adequate in light of especially the value of the trade secret concerned, the economic strength and size of the company;
• Protection must be a combination of technical, organisational and contractual measures. This includes especially password protection, recording log-in details, implementing different access levels for different persons, establishing firewall and VPN measures. Similar measures need to be taken offline, eg key-card access. And such duties have to be passed on to contractual partners as well;
• Explicitly stated to be a minimum requirements is a strict need-to-know principle, under which employees and third parties not only need to have a need to be shown the trade secret concerned, but also need to be aware that the specific information is a trade secret and be under a duty of confidentiality themselves; 
• Trade secret owners must follow up these measures, ie see that these are actually implemented and lived. This includes to actively request the return (or destruction) of trade secrets after an employment or collaboration. It is thus not sufficient to simply rely on the existence of such contractual measures. 

Courts have also further confirmed that "catch all" clauses putting each and every piece of information exchanged under a duty of confidentiality without further specification face a very high risk of being invalid. This especially applies to employment situations. Confidentiality agreements therefore should always seek to identify the trade secrets as far as possible, eg via the product they concern, the project, or the type of information.

Open Questions

Yet, there are of course still questions that have not yet been addressed by the courts. 

One of the most important is whether the definition of trade secrets is exhaustive so that NDAs and similar agreements may only include such, or whether a confidentiality agreement may also include information that the TSPA does not qualify as a trade secret. 

Another open question is whether confidentiality agreements need to be limited in time (eg three or five years after the term of the agreement), or whether this would automatically end all trade secret protection as well. 

Trade Secrets are the new oil

It will certainly be worthwhile to keep an eye on the further developments. 

It cannot only be expected that some questions will reach the ECJ to find a uniform interpretation for all member states, but also that additional detailed insight into how exactly the measures need to be implemented will be given. In other words, you can learn from the experience (and mistakes) of others. 

But more importantly, the importance of trade secret protection will likely increase significantly. New business models vastly rely on data pools and their evaluation, on algorithms and market insights. Most of this information cannot be protected by classic IP rights such as patents or copyrights. Trade secret protection will therefore likely become the best tool to defend this valuable information. 

And there are new challenges on the horizon. Especially the EU Data Act aims to facilitate and incentivise the sharing of data. New access rights for text and data mining have already been adopted. In short: It is the goal of the EU to give greater access to more data to more players. 

If companies rely on proprietary data to keep a competitive advantage, trade secret protection is certainly one ally to focus on.