In the coming weeks, the European Parliament will pass a Europe-wide Trade Secrets Directive (the "Directive"). Within two years, all 28 member states of the EU will pass laws implementing the Directive, significantly altering the European approach to protecting sensitive business information. Many organisations are now planning to exploit the opportunities it creates.
What Will The Trade Secrets Directive Do?
The aim of the Directive is to harmonise the protection of trade secrets across the EU, to create an innovation friendly environment for business. It will harmonise laws across the EU in three main areas:
- the definition of a "trade secret" and the ways in which they can be protected;
- the remedies available to trade secret holders after theft or unauthorised use; and
- the measures available in litigation to prevent trade secrets leaking during proceedings.
Certainty at Last
When the Directive is implemented, businesses will have certainty for the first time that their sensitive or confidential information can be protected throughout Europe – as long as they make sure they keep it within the following definition:
- that it is "secret" in the sense that it is not generally known by, or readily accessible to, people in the wider community who normally deal with that kind of information. This applies to single pieces of information, as well as to collections of information such as manuals, processes and recipes; and
- it has commercial value because it is "secret"; and
- it has been subject to reasonable steps to keep it "secret" by those who lawfully hold it.
This means that as long as a businesses' supply chain, licensees, franchise holders and other business partners are required to observe its security requirements for the information (and do so), then it will remain "secret" and protectable.
Employees and contractors can be a particular threat to trade secret security, even if they are not malicious. According to the FBI, just under a quarter of insider incidents each year are due to employee mistakes. When it comes to staff that are malicious, they usually only need their normal levels of access to company data and systems.
Even where employees have deliberately taken trade secrets, the EU Council has proposed a looser regime in comparison to other cases of unlawful trade secret acquisition. If that is adopted, it will reduce the effectiveness of the Directive to properly compensate businesses for employee trade secret theft.
As a result, there is now a greater imperative for international organisations to plan for a harmonised European approach to their employment contracts and rules around confidential materials.
Under the latest draft of the Directive, any unlawful acquisition, use or disclosure of trade secrets without the consent of the holder will be "infringement" where it is considered contrary to honest commercial practices. Note here, that the holder of the trade secret can take action and enforcement is not limited to the information's ultimate owner.
The Directive does not propose to create exclusive rights, however, so competitors will stay free to conduct independent research. This can include reverse engineering, so long as it doesn't infringe the Directive. Some commentators, such as the Max Planck Institute, have taken issue with this relaxed approach to reverse engineering. They see it as a move which will eventually kill innovation in industries that rely on research to arrive at formulas and recipes for relatively low cost consumer products.
Whilst contractual provisions can protect trade secrets from disclosure by former business partners or staff, protection against abuse by third parties has presented difficulties in the past.
The Directive offers considerable advancement in this area. The concept of unlawful use will make it possible to enforce the protection of trade secrets against unlawful use by third parties, including passive receivers of a trade secret, even if they initially acted in good faith.
We have already seen signs in the UK of the Court's emerging willingness to restrict ex-franchisees in cases such as Oven Clean Domestic –v- Read (QBD 23/1/15), in which we acted. In that case, a non-competition obligation was enforced against an ex-franchisee for 12 months by an injunction.
If a trade secret is used, copied or disclosed unlawfully, or in breach of an agreement (such as a licence, franchise agreement, staff contract or NDA), then the remedies include:
- Injunctions to prevent further use or disclosure;
- Court orders prohibiting infringing goods from being produced, marketed, sold, stored, imported or exported;
- Seizure and/or destruction of goods and imports; and
- Product recalls.
A New Asset Class
An additional consequence of keeping any type of commercial information "secret" in this way, is that information can become commercially exploitable in its own right. Some businesses are already exploring new charging structures based on their new ability to classify specific sets of data as "trade secrets". There is clear potential for the exploitation of previously private processes, recipes or datasets in similar ways or through licensing or franchising.
What Does This Mean for Food and Beverage Companies?
The Directive undoubtedly creates new protections and opportunities for companies that need to protect recipes, formulas and production methods. Apart from increasing the range of protective steps available across Europe and increased business certainty, both the exploitation of new product lines and increased leverage from existing products will now definitely be possible in future.
The key to taking advantage of these possibilities lies in satisfying the two core requirements: that the information stays "secret" and is subject to reasonable steps to keep it "secret" throughout the supply chain. This is not always taken seriously by international businesses, however, as reported by PwC: "the supply chain is a potential weak link in cybersecurity… Companies often struggle to get their suppliers to comply with privacy policies – a baseline indicator of data protection capabilities."1
In preparation for the new legal framework, it is now a good time to start to introduce measures to show that "reasonable steps" are in place to protect manuals, processes, formulas, recipes, software and CRM data at all levels:
- Identify any trade secrets within the business. This may entail an IP audit as well.
- Focus on the steps to protect those secrets:
- Security arrangements across Europe should be reviewed and updated to ensure that effective and consistent measures are implemented all the way from employees, contractors and freelancers through to suppliers and franchisees.
- Measures should range from making sure that documents are appropriately marked as "confidential" to pre-employment vetting of R&D staff (in compliance with local data protection rules) and physical and electronic segregation of the information you need to protect.
- What will be a "reasonable step" will depend upon the nature of the secret, but will necessarily involve positive steps to create and maintain secrecy. For a recipe, for example, this may include separating components of the process, so that knowledge of the entire recipe is limited to a very small number of people and is not entirely revealed to third parties.
• Contractual confidentiality and security obligations with staff and throughout the supply chain need to be updated and applied consistently across business units and jurisdictions:
- Ensure that franchise agreements and licences are appropriately drafted and also include positive obligations on franchisees and licensees to use the trade secrets only for their permitted use. There should also be a clear mechanism for the return of the trade secrets upon termination of the agreement. Those arrangements should then be diligently followed on termination.
- Effective post-employment restrictions and staff confidentiality agreements are important in helping protect not only the trade secret, but also the use of the know-how generated from using those secrets for a period of time after termination of the agreement. These will remain protectable and enforceable through existing restraint of trade laws, so contractual protections remain important here.
The Near Future
The EU Council plans to meet again on 28 April 2015, at which point it is hoped that the Directive will be in its final form for implementation by Member States. Now is a good opportunity to assess the steps needed to protect trade secrets, given that the text of the Directive is unlikely to change significantly from its latest draft.
For more information on protecting or exploiting your trade secrets in the 28 member states of the EU, please contact the authors.
 "Key Findings from the 2013 US State of Cybercrime Survey", PwC, June 2013.