The new Trade Secrets Act

The new Trade Secrets Act –
Need for action by research institutions and universities

The protection of entrepreneurial know-how has always been a high priority. Securing it has considerable economic significance and can bring a real competitive advantage. The new Trade Secrets Act (GeschGehG), which came into force on April 26 of this year, is intended to provide better protection for entrepreneurs against the unlawful acquisition of trade secrets and their unlawful use and disclosure. Under the premise: Only those who take appropriate protective measures themselves will benefit from the new legislation. There is a need for action in this matter not only among companies, but especially among research institutions and universities.

The Act was enacted in implementation of the requirements of Directive (EU) 2016/943 on the protection of confidential know-how and confidential business information (trade secrets) against unlawful acquisition and unlawful use and disclosure. Until now, the protection of trade and business secrets was scattered across various areas of law, and there was a lack of uniform legal definitions and defined rights for the owners of secrets in the event of infringement by third parties. In particular, trade secrets have so far been protected by the criminal provisions of Sections 17 and 18 of the German Unfair Competition Act (UWG). However, these presupposed a subjective interest in the betrayal of secrets, so that legal enforcement was often only possible with great forensic effort.

The new regulations
First of all, the GeschGehG contains pursuant to § 2 No. 1 a definition of the term “trade secret”. Accordingly, the term includes information that has a commercial value due to its unfamiliarity or inaccessibility to the general public, is the subject of appropriate secrecy measures and there is a legitimate interest in keeping it secret. For the existence of a trade secret, it is therefore no longer sufficient to have a sufficient subjective intention to maintain secrecy; instead, it must be possible to demonstrate that the know-how was (objectively) protected by appropriate secrecy measures. Which measures are to be considered “appropriate” will have to be judged with regard to the individual case. A significant change is that in the future the burden of proof will be shifted, i.e. the infringed party must be able to prove in the event of a legal dispute that the measures it took to protect its trade secrets were sufficient.
A special feature of the new Business Secrets Act is that § 3 GeschGehG specifies actions by which a business secret can be lawfully obtained. In particular, this includes: the independent discovery or creation and an observation, investigation, deconstruction or testing of a product or object that has been made publicly available or is in the lawful possession of the observer, investigator, deconstructor or tester and the latter is not subject to any obligation to restrict the acquisition of the trade secret. In other words, the mere lawful possession of an object (the ownership of which remains disregarded) allows the lawful acquisition of a trade secret, e.g. by reverse engineering, if there are no (contractual or legal) restrictions on the owner. In this respect, owners of secrets are now de facto forced to secure their trade secrets by means of appropriate protective measures.

Approaches for appropriate protective measures
The applicable standards are still unclear due to the broad wording and the lack of case law to date. It is therefore particularly important for universities and research institutions to analyze their organizational structure, determine their individual protection needs, and take appropriate measures in a timely manner commensurate with the value of the secrets.
There are no blanket solutions for choosing suitable and appropriate protective measures. Universities and research institutions must create these individually for their organizational structures, review them regularly and adapt them if necessary. Technical, organizational and legal measures must be interlinked. First, a risk assessment should identify and evaluate the information that needs to be kept confidential and the size- and industry-specific risks, and identify internal and external measures to mitigate the risks.
It will not be necessary to take equally strict secrecy measures for all information, but standards that are set too low will have far-reaching consequences: The information will then not be classified as a trade secret, so that the information owner would lose his ownership of the information and thus its economic value. In view of the lack of case law on the concept of reasonableness, particularly strict standards should therefore be applied initially.
Legal consequences in case of violation
Only if the owner of the secret has adequately protected its trade secrets is it entitled to far-reaching claims in the event of an infringement of rights by a third party pursuant to Sections 6 ff. GeschGehG: First, he can demand that the infringement cease and that the relevant documents be handed over or destroyed. Furthermore, he may take action against the distribution of infringing products (recall, cessation of supply, destruction) and he is entitled to information and damages. He may also request the publication of the judgment on the infringement at the expense of the infringer. If the action has been dismissed, however, this can also be demanded the other way around from the alleged infringer at the expense of the owner of the secret.
Violation of the law may result in criminal penalties: these may include imprisonment of up to five years (e.g. in the case of commercial activities). Against the background of the planned corporate criminal law (Association Sanctions Act), it should be noted above all that infringers can also be legal entities, including in particular universities, if they are not engaged in sovereign activities, e.g. in economic activities such as contract research.
Conversely, the company owner is also liable if the infringer is an employee or agent of his company. In addition to protecting his own trade secrets, the company owner must therefore ensure that no third-party trade secrets are infringed from within his company. It is precisely this obligation that now also applies to universities and publicly funded research institutions that frequently come into contact with other people’s secrets, for example in collaborations and joint research projects.
However, the new Trade Secrets Act provides for a statutory exception: Disclosure of trade secrets by whistleblowers is lawful if it leads to the disclosure of unlawful acts, professional or other misconduct and is suitable for protecting public interests (Section 5 No. 2 GeschGehG). With this far-reaching and contourless regulation, it remains to be seen how it will be interpreted and applied by the courts in the future.

Need for action at universities and research institutions
It is not only companies that need to take action as a result of the new legal regulations. Research institutions and universities are also required by the GeschGehG to take measures to protect trade secrets. This obligation applies to both the university’s own business secrets and those of third parties, knowledge of which may come to the university’s employees through cooperation with third parties. The protection of know-how is of great importance to universities and the companies that work with them. Acquired knowledge and research results cannot always be protected by other property rights (e.g. patents), but still require secrecy in order to maintain the competitive advantage and thus the economic value. The protection of this information is therefore imperative.
Possible measures can include access controls and technical protection measures, logging of calls, and contractual safeguards. In case of doubt, the owner of the secret must be able to prove that protective measures have been taken and that they are appropriate. This will only be possible on a regular basis if a functioning compliance system is implemented. The compliance system should be designed in such a way that it is also ensured that no third-party trade secrets are used unlawfully from within the university or research institution itself, so as not to run the risk of being held liable.

Consequences of non-compliance
Those who do not fully implement the new legal requirements of the Secrets Protection Act run the risk that their secrets are not effectively protected and are legally subject to free use and exploitation by others. However, this may not remain the only negative consequence – universities and research institutions that fail to act run the risk of becoming the addressees of claims by any competitors or future corporate penalties. The consequence can be considerable claims for damages against universities and research institutions, which should definitely be avoided by acting in time regarding the new legal regulations.