Protecting trade secrets in the European Union

June 2014  |  TALKINGPOINT  | INTELLECTUAL PROPERTY

financierworldwide.com

 

FW moderates a discussion on protecting trade secrets in the European Union between Warren Wayne, Robert Williams and Simon Shooter at Bird & Bird.

FW: To what extent does existing trade secret protection vary between member states?

Wayne: The European Commission’s statistics indicate that only two thirds of EU member states have specific legislation which protects trade secrets and trade secret protection varies widely between the EU member states. For example, in the UK we have one of the strongest systems in the EU for trade secret protection that doesn’t rely on national or international legislation. This is achieved by a combination of contractual liability and long-standing common law protections that has evolved through case law. Elsewhere, Sweden has specific legislation; France has legislation to protect against trade secret misappropriation in an employment relationship–- but not in the context of intellectual property rights; Germany protects trade secrets through provisions in employment law and competition law; and Finland has criminal law protection. Furthermore, in the UK, Germany, Poland and Hungary there is currently no requirement for a protectable trade secret to have commercial value generated due by the secrecy of the information. However, under the wording of TRIPs there is such a requirement, which is reflected in the current position in Denmark, Italy and Spain. The varying approach towards the protection and enforcement of trade secrets across Europe has created much disparity and uncertainty, which the draft Directive seeks to redress.

FW: What difficulties do these inconsistencies pose with regard to protecting and enforcing trade secrets through the courts?

Williams: The disparity of trade secret protection is a significant barrier to legal and commercial certainty across Europe. At the most basic level, there is no statutory definition of what a ‘trade secret’ is across Europe and no consistency of the limitation periods within which legal action has to be started. This has led to legal systems evolving their own sets of protections and tests as part of intellectual property, employment, confidential information and unfair competition laws. While this can be workable for businesses that only trade in one member state, international businesses have found it much more difficult to find effective remedies to protect their trade secrets across international operations.

FW: In your opinion, does the fragmentation of EU trade secret law damage business and enterprise? What risks and costs arise as a result, and how might a more harmonised approach improve business confidence?

Wayne: The European Commission’s impact assessment on the Directive found that 40 percent of companies in the EU said they would refrain from sharing trade secrets with business partners because of a fear of losing the confidentiality of the information, due to it being misused or released without their authorisation. This lack of business confidence in the European Community’s ability to predictably protect trade secrets has arguably restricted innovation and exploitation of trade secrets across the European market. The Directive represents an active step with the admirable aim of harmonising the protection of trade secrets across the EU. This will, in turn, enable businesses to monetise and protect their trade secrets across member states in a more uniform way.

The disparity of trade secret protection is a significant barrier to legal and commercial certainty across Europe. At the most basic level, there is no statutory definition of what a ‘trade secret’ is across Europe and no consistency of the limitation periods within which legal action has to be started.
— Robert Williams

FW: What is the significance of the EU’s proposed Directive on the protection of trade secrets? How has the proposal been received by the business community?

Williams: Although the impact of the Directive will vary across member states, its existence is largely welcomed by the business community – particularly as it has the potential to generate new business streams and a new class of exploitable assets. The proposed Directive is a positive step towards effective harmonisation across the EU member states. For the first time it will establish a recognised framework of minimum protections regarding abuse of trade secrets. The draft Directive will also allow member states to provide additional protections in many areas, provided that the basic principles contained within it are safeguarded.

FW: How would the new trade secret regime operate, and what rights and protections would it provide?

Williams: The Directive will protect against the unlawful acquisition, use and disclosure of trade secrets. ‘Trade Secrets’ are those which have commercial value because they are secret and subject to reasonable steps to keep them secret. The Directive will provide a minimum framework which includes legal remedies such as injunctions and delivery up or destruction orders, as well as damages. It also ensures that confidentiality is protected throughout any Court process. The aim is to protect commercially valuable information where its unlawful use will undermine business or financial interests, ability to compete, strategic positions or scientific and technical potential.

FW: How will the proposed Trade Secrets Directive integrate itself alongside existing regulation and practices? In what ways will the rights provided by the Directive interact with employment laws and confidentiality agreements, for example?

Wayne: The level of integration will vary according to the previous practices across member states. In the UK, for example, it is not yet known how the Directive will impact upon the established common law tests and protections when the new definition of trade secrets is adopted. In an employment law context, the Directive does not properly address the problem of employees who retain information but say that they are not ‘using’ it. This therefore reinforces the need for effective contractual confidentiality agreements across international organisations. Additionally, the Article 10 ECHR right to freedom of expression permits use of information that is not subject to contractual protection or local laws. This also puts the onus on employers to ensure their employee documentation effectively fills the gaps in the various local implementations of the Directive.

In an employment law context, the Directive does not properly address the problem of employees who retain information but say that they are not ‘using’ it. This therefore reinforces the need for effective contractual confidentiality agreements across international organisations.
— Warren Wayne

FW: The adoption of the proposed Trade Secrets Directive is not guaranteed, particularly in its current form. What provisions do you expect to see in the final draft?

Wayne: The consultation process has led to some quite significant variations to subsequent drafts of the Directive, up to and including the latest iteration which was published on 26 May 2014. It will now be submitted to the European parliament for further review. Significant changes have already been made to the draft Directive, such as extending the limitation period from the original two years, to the more usual six years. Due to a large number of amendments made to the latest iteration of the draft, it is doubtful that there will be significant changes made from now until publication of the final draft.

FW: How can current legislation assist when trade secrets are stolen as a result of cybersecurity breaches and deliberate attacks on information systems? Will the proposed Directive help companies deal with these attacks?

Shooter: Many cybersecurity breaches are perpetrated by those within a company; it has been reported that over 70 percent of trade secret theft cases committed by employees take place within 30 days of them announcing their resignation. In these circumstances, employment law and the law of confidential information, as well as IP rights, such as copyright, can form the basis of emergency civil injunctions and can potently be used alongside the threat of criminal prosecution, for example under the Computer Misuse Act in the UK. However external cyber attacks frequently originate from jurisdictions where the political or legal environment prevents effective enforcement of trade secret protections, assuming the source of the attack can be traced in the first place. The draft trade secrets Directive’s provision on infringing goods, for instance goods which significantly benefit from unlawfully acquired trade secrets, are promising in this context as they could potentially be used to ban imports into the EU of goods which incorporate trade secrets stolen in a cyber-attack.

FW: Do you expect the EU’s proposed cybersecurity Directive to improve information security within Europe? What concerns have been raised about the cybersecurity Directive’s breach reporting obligations?

Shooter: The draft cybersecurity Directive aims to improve information security in the EU by facilitating information sharing on cyber threats between Member States and also between the public and private sectors. More controversially, the draft cyber Directive also requires providers of critical infrastructure to ensure the security of their information systems and notify local regulators of information security incidents having a significant impact on the continuity of their core services. Those failing to do so will face sanctions. Many are concerned that this notification requirement will be inconsistently applied by national regulators and will add to the regulatory burden already imposed by data protection legislation and sector specific rules, for example security breach reporting for public communication service providers. The interaction with listed companies’ obligations to disclose price sensitive information, for instance under the FCA’s Disclosure and Transparency Rules, is also as yet unclear.

The first step to managing cyber risk is a thorough assessment of an organisation’s cyber risk profile. This requires input from all sectors of the business to identify high risk categories of information including trade secrets.
— Simon Shooter

FW: Do you believe the Trade Secrets Directive, if adopted, will improve a company’s ability to protect valuable commercial information in the EU? What advice do you have for companies wanting to protect their trade secrets in the meantime?

Williams: Much will depend upon how each member state implements the Directive, the extent to which minimum levels of protection survive through to the final version and the resulting affect this will have on the member states. For example, in the UK, existing common law tests may need to be brought in line with the Directive. Although member states are required to ensure that measures such as injunctions, seizures and delivery up orders are available, the current draft envisages a more limited enforcement system than applies to traditional intellectual property rights. This remains a contested topic and may change. Until the final text of the Directive is published, businesses should review the contractual protections they have in place with employees, JV partners and their supply chain and consider whether they are still fit for purpose given the changing practicalities around the handling and dissemination of information.

FW: Is there anything businesses should additionally be doing now to address cyber risk in relation to their trade secrets?

Shooter: The first step to managing cyber risk is a thorough assessment of an organisation’s cyber risk profile. This requires input from all sectors of the business to identify high risk categories of information including trade secrets. The next step is to develop a cyber risk policy which deals with the different categories of information based on their risk profile. This policy will need to cover issues such as access controls within the organisation, home and mobile working, removable media controls, user education and awareness and an incident management planning. While the IT department will play a crucial role in implementing a cyber risk policy, the policy itself needs to be developed with input from those in the business who understand the risk profile of the different categories of information being protected. These individuals will also need to be points of contact during a cyber incident so they can co-ordinate between the technical, legal, business and public relations issues that are likely to arise.

 

Warren Wayne is a partner in Bird & Bird’s Employment Group and jointly leads the International Trade Secrets Protection Group. He is a leading international lawyer known for handling complex and sensitive disputes and his commercial guidance. Specialising in a range of employment issues, Mr Wayne is known for his experience in dealing with complex and high value disputes, trade secret/confidentiality issues and employee competition disputes, international restructures, executive severances, data protection issues and complex Employment Tribunal claims. He can be contacted on +44 (0)20 7415 6000 or by email: warren.wayne@twobirds.com.

Robert Williams is a partner in the Intellectual Property Group at Bird & Bird. Mr Williams is one of the firm’s most prominent litigators, with particular experience of complex IP disputes and advising clients from a range of IP rich industries. He has significant experience in both contentious and non-contentious IP work, advising clients on the full range of issues relating to patents, copyright, trademarks, designs and trade secrets/confidential information, across a range of industries including life sciences, energy and utilities, speciality chemicals, mechanical engineering and electronics. Mr Williams can be contacted on +44 (0)20 7415 6000 or by email: robert.williams@twobirds.com.

Simon Shooter is a partner at Bird & Bird, based in London. He is joint-head of our International Commercial Group and also heads the firm’s London Cyber Group. He is actively engaged with tracking and advising on the development of Cyber-related policy and legislation and its impact on commercial entities. Mr Shooter also leads Bird & Bird’s Cybersecurity Policy Forum, a cross-sector client discussion group formed of leading individuals from across industry. He can be contacted on +44 (0)20 7415 6000 or by email: simon.shooter@twobirds.com.

© Financier Worldwide


THE PANELLISTS

 

Warren Wayne

Bird & Bird

 

Robert Williams

Bird & Bird

 

Simon Shooter

Bird & Bird


©2001-2016 Financier Worldwide Ltd. All rights reserved.