Reasonable confidentiality measures 

posted on March 3, 2022

Reasonable confidentiality measures

 

In July, 2016, the Directive on the protection of trade secrets [1] (referred to below as "Trade Secrets Directive”) has become effective and was transposed into Austrian law by means of the amendment to the Act against Unfair Competition 2018 [Bundesgesetz gegen den unlauteren Wettbewerb – UWG] in Secs. 26a et seqq.

This protection regime for trade secrets provides proprietors of certain confidential information with a number of useful mechanisms for the prosecution and enforcement of rights – provided that a trade secret in the legal sense is concerned, namely information, which

  • is secret because it is not generally known or readily available to the people in those circles which usually deal with this type of information – neither in its entirety nor in the specific arrangement and composition of its parts, and
  • is of economic value because it is secret, and
  • is the subject of confidentiality measures, appropriate to the circumstances, carried out by the person holding the power of disposal over this information. [2]

 

At the beginning of last year, the Austrian Supreme Court discussed the criterion of "commercial value” and, in the decision dated January 26, 2021 [3], has denied the existence of a trade secret due to a lack of a corresponding value. [4] In the mentioned decision, the Austrian Supreme Court has additionally made statements on when information is assumed to be "confidential”.

However, to date there is no case law established by the Supreme Court in Austria as to what "reasonable confidentiality measures” refers to specifically. As the establishment and maintenance of a suitable access control, however, is the fundamental condition for the protection of secrets, this objective criterion should in any case be attributed crucial importance if one is to draw on the tools for the prosecution and enforcement of laws provided by the Trade Secrets Directive. That is because even if only one of the three legal prerequisites mentioned above is absent and/or cancelled, the presence of a trade secret within the meaning of the Trade Secrets Directive and/or Secs. 26a et seqq. is to be denied.

In a decision issued prior to the effective date of the Trade Secrets Directive, the Austrian Supreme Court stated [5] that the password protection of a file may constitute a suitable measure. [6] The Austrian Supreme Court then unfortunately failed to use the legal matter 4 Ob 182/20y for addressing the question of the presence of reasonable protective measures, although the facts of the case would have absolutely had the potential for this: On the one hand, the defendant was not subjected to an explicit confidentiality obligation although, on the other hand, he had evidently kept a copy of the contested source code (despite the obligation to hand the same over). [7]

Surely, the possible reasonable measures mentioned in the ministerial draft for the transposition of the Trade Secrets Directive into the Federal Act against Unfair Competition, such as the disclosure of trade secrets only to selected trustworthy people, or IT security measures, can serve as a point of reference.[8] A higher degree of legal security, however, will only be brought about by a corresponding decision by the Austrian Supreme Court.

In Germany, however, the courts have already addressed the question of reasonable confidentiality measures in several decisions. [9] As a result, German case law assumes that neither "optimal protection” nor "extreme security” can be demanded. Instead, the question of reasonability of the confidentiality measures is to be assessed according to objective standards and in an overall view of the measures concerned,[10] and the entirety of the business safety plan should be coherent and reasonable[11].[12]

However, the Higher Regional Court of Stuttgart, for example, has determined as a minimum standard "that relevant information can be entrusted only to people who (potentially) require the information for carrying out their role and who are bound to maintain confidentiality”[13] (so-called "need to know principle”[14]).[15]

The German courts are also critical of data leaks not being followed up on,[16] the storage of data on personal data carriers being permitted,[17] businesses not actively reclaiming official confidential documents after termination of an employment contract,[18] and/or only general or blanket confidentiality obligations ("catch-all clauses”) being included in contracts of employment[19]. Each one of these circumstances – in the overall context of the other adopted measures, of course – may lead to the presence of reasonable confidentiality measures being denied.

In a recently (January 2022) reached decision, the Labor Court of Aachen additionally declares that "a globally operating company [can] be expected to provide [...] more comprehensive and more cost-intensive security measures than a handicraft business with only a few employees could provide”.[20] The plaintiff in this case claimed an unlawful disclosure of such trade secrets, which, in their own opinion, are of crucial significance to their economic success.

According to the Labor Court of Aachen[21] "[the plaintiff] is to describe in particular which specific confidentiality management the plaintiff applies overall, which specific data and/or specifications are to be kept secret in business operations. Since the effective date of the Law on the Protection of Trade Secrets, this ultimately means that a specified confidentiality management especially geared to the individual secrets must be implemented in order to prove which secrets were under which protection and for how long, and which individuals came into contact therewith and in doing so, were obliged to protect the defendant’s secrets.” As the plaintiff, however, was not able to specify and detail which specific technical security measures and access control systems were in place, which trainings were held, and what the wording, extent, and type of the confidentiality agreements entered into with the employees was, the court declared that a presentation by the plaintiff of confidentiality measures appropriate to the circumstances was lacking and denied the presence of a trade secret.

In order to avoid losses of rights, businesses should, in any case, critically analyze and, if necessary, adapt the existing systems and confidentiality measures taken, and create a clear and detailed confidentiality management. That is because whoever wishes to base their claims due to unlawful acquisition, use, and/or disclosure on the protection regime harmonized in the EU by the Trade Secrets Directive, must prove that reasonable confidentiality measures were in place by no later than the date of the respective transposition of the Trade Secrets Directive into national law[22], which is December 29, 2018 in Austria and April 26, 2019 in Germany.

In this, it is also important to take into account the exceptional challenges of the current developments in a working world shaped by the Covid-19 pandemic, namely securing reasonable confidentiality even in a home office, where the employer naturally has less insight into and control over their employees’ activities.

In this context, one should keep in mind a component of liability law of the new protection of secrets ("Geheimnisschutz neu”):  Sec. 25 (1) of the Austrian Limited Liability Company Act (Gesetz betreffend die Gesellschaften mit beschränkter Haftung – GmbHG) standardizes: The managing directors have a duty towards the company to apply the due diligence of a prudent manager in its business management. At least since the transposition of the Trade Secrets Directive into national law, the correct handling of trade secrets, and thus the adherence to the Trade Secrets Directive or Sec. 26a et seqq. of the Austrian Act Against Unfair Competition for the purpose of protecting intangible company properties, constitutes part of the management board’s duties. If there is a lack of this due diligence required by law, the managing director of the company is personally liable for any resulting consequences.


--------------------------------

[1] DIRECTIVE (EU) 2016/943 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure.

[2] Sec. 26b (1) of the Austrian Federal Act against Unfair Competition 1984 – [Gesetz gegen den unlauteren Wettbewerb – UWG]

[3] Austrian Supreme Court 4 Ob 188/20f, dated January 26, 2021.

[4] See also https://www.abp-ip.at/inside-raat/richtlinien-zum-schutz-von-geschaeftsgeheimnissen.

[5] in view of the fact that achieving the objective set forth by the 2016/943/EU directive must not be seriously threatened.

[6] 4 Ob 165/ 16t, dated October 25, 2016.

[7] 4 Ob 182/20y, dated December 10, 2020, the Defendant sued due to unlawful use of trade secrets evidently continued to possess the contested software source code, although the defendant granted the plaintiff the exclusive rights to the code and was obliged to hand over the source code. On the other hand, the defendant was evidently not subjected to an explicit confidentiality obligation as the Austrian Supreme Court inferred such an obligation only implicitly, based on the granting of the exclusive copyright license for the software and/or based on legally imposed fiduciary duties of managing directors.

[8]  58/ME of the 26th legislation period – ministerial draft – explanations regarding Sec. 26b; mentioned therein: Disclosure of trade secrets only to selected trustworthy people; compiling a list of the trade secrets; corporate policy relating to trade secrets and their transparent documentation; IT security measures; staff interviews; applied practice that, for example, certain process steps are executed only by specific people.

[9] cf. for example GRUR-Prax 2021, 615 with an overview of relevant decisions.

[10] cf. Higher Regional Court of Stuttgart, November 19, 2020, 2 U 575/19

[11] cf. Hauck in the Munich commentary on the unfair competition law [Münchener Kommentar zum Lauterkeitsrecht], 3rd edition 2022, Law on the Protection of Trade Secrets, Sec. 2, marginal no. 21.

[12] In this respect, particularly the type of the trade secret, the specific conditions of use, the value and development cost of the trade secret, the nature of the information, the significance for the company, the size of the company, the usual confidentiality measures within the company, the type of identification of the information, and contractual provisions agreed upon with employees and business partners are to be considered, Higher Regional Court of Düsseldorf, March 11, 2021, I-15 U 6/20, WRP 2021, 1080.

[13] Higher Regional Court of Stuttgart, 2 U 575/19, marginal no. 169. (translated from the German original)

[14] cf. Hauck in the Munich commentary on the unfair competition law [Münchener Kommentar zum Lauterkeitsrecht], 3rd edition 2022, Law on the Protection of Trade Secrets, Sec. 2, marginal no. 44.

[15] Recently also confirmed by the Labor Court of Aachen, 8 Ca 1229/20, January 13, 2022.

[16] ibidem marginal no. 170.

[17] ibidem marginal no. 170.

[18] Higher Labor Court of Düsseldorf, June 03, 2020, 12 SaGa 4/20, marginal no. 82.

[19] Higher Labor Court of Düsseldorf, June 03, 2020, 12 SaGa 4/20, marginal no. 80 et seq.; Hofmarcher, Das Geschäftsgeheimnis (2020), margin number 2.43

[20] Labor Court of Aachen, 8 Ca 1229/20, January 13, 2022, marginal no. 81. (translated from the German original)

[21] Labor Court of Aachen, 8 Ca 1229/20, January 13, 2022, marginal no. 79 et seqq. (translated from the German original)

[22] Higher Regional Court of Düsseldorf, March 11, 2021, 15 U 6/20. headnote no. 3.

 

 

Dr. Casals Ide Katarina