When it comes to information protection, the use of property rights – including patents, trademarks, and copyrights – is not necessarily the best choice. To some extent, it is even not permitted by law. Protecting the access to know-how and commercial business information is therefore sometimes preferable to businesses, particularly for small and medium-sized enterprises that tend to rely on trade secrets in order to reduce the costs of property rights protection.
However, no particular law regulates the protection of these business assets. Indeed, the legal protection of confidential information overall in Austria is currently rather limited to the prohibition in Austrian unfair competition law against employees disclosing trade secrets to third parties without authorization, for the purpose of competition. As a consequence, the disclosure of trade secrets for purposes other than for competition is not prohibited under unfair competition law.
Austrian data protection law currently also protects data relating to legal persons, giving corporations limited remedies under Data Protection Act 2000 against the misappropriation of corporate information. However, this may change in May 2018 with the start of the application of the General Data Protection Regulation, which is only applicable to data relating to natural persons.
In view of this limited scope of trade secret protection in Austria – and the uneven protection in other EU Member States – the European Commission proposed the Directive on the Protection of Trade Secrets (the “Directive”) which was formerly adopted by the European Parliament on April 14, 2016, and will enter into force two years after its publication in the Official Journal. The Directive regulates the protection against the unlawful acquisition, use, and disclosure of trade secrets.
According to the Directive, trade secrets are business information, technological information and know-how that: (i) is not generally known or readily accessible to persons who normally deal with the kind of information in question; (ii) has commercial value because it is secret; and (iii) has been subject to reasonable steps to keep it secret. Contrary to most other legally protected IP rights, novelty is not required.
Trade secrets should exclude trivial information and should not extend to the knowledge and skills gained by employees in the normal course of their employment and which are generally known among persons that normally deal with the kind of information in question. Also, the acquisition of trade secrets is considered lawful particularly when they are independently discovered or created.
Based on the Directive, there are certain remedies available against the unauthorized acquisition, use, and disclosure of trade secrets such as theft, unauthorized copying, economic espionage, or breach of confidentiality requirements. These remedies include injunctions, compensation for damages including lost profits, and the publication of judicial decisions. Considering the intangible nature of trade secrets, it would be difficult to determine the amount of the actual damages suffered. Therefore, the amount of the damages might be derived from the appropriate royalties or fees for the use of the trade secrets in question. However, the Directive does not provide for criminal penalties to be imposed on trade secrets infringers.
Given that trade secrets, once compromised, are often unlawfully used to design, manufacture, develop, or market services or goods, or components thereof, the above-mentioned remedies also include production prohibition, seizure, withdrawal from the market, and destruction of trade secrets infringing goods.
In view of the above, to enjoy protection under the Directive, implementing an effective information security regime for the maintenance of the confidentiality of trade secrets and the monitoring of its use may be necessary. This security regime may consist of a broad variety of security measures, including: (i) identifying information for which legal protection is desired; (ii) issuing an information security policy and a policy that specifically addresses the handling of confidential information; and (iii) implementing adequate physical, technical, and administrative security measures, such as (a) implementing a confidentiality labeling system, (b) restricting access to information, (c) concluding and enforcing non-disclosure and confidentiality agreements, and (c) installing physical and virtual barriers against unauthorized access to information.
The Directive introduces a minimum standard of trade secret protection within the EU. Therefore, the national implementation of the Directive may lead to an even higher protection of trade secrets in some Member States. It remains to be seen whether the Austrian legislature will provide sufficient and effective protection for confidential information/trade secrets with its national implementation of the Directive and how the other EU Member States will deal with it.
By Martina Grama and Lukas Feiler, Heads of IP Practice, Baker & McKenzie Austria
This Article was originally published in Issue 3.3 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.