The core of franchising as a commercial strategy is its use of a business format – a format that is usually a matrix of commercial know-how, which although perhaps not entirely novel in its individual elements, is commercially distinctive and valuable as a composite. This know-how is generally kept confidential and is what distinguishes the franchise format from its competitors.

As this know-how is not patentable, it can only be protected by way of contract and trying to ensure that it is shared only on a need-to-know basis. The problem with this, however, is that once this confidential know-how is shared with a franchisee or its employees, it is impossible to take it back again.

Historically, each jurisdiction has a different way of dealing with the protection of this valuable secret know-how, which makes adapting a homogenised approach to its protection by franchisors something of a challenge. Franchisors have therefore welcomed recent reforms to trade secret protection laws in the major economic regions.

In the EU, the European Parliament and Council adopted Directive (EU) 2016/9432 on 8 June 2016, aimed at standardising the national laws of EU Member States against the unlawful acquisition, disclosure and use of trade secrets. This followed almost immediately the enactment by the US Congress of the Defend Trade Secrets Act of 20163 in May of that year, introducing federal-level trade secret protection. Protection has also been strengthened in China, and the countries of the ASEAN Free Trade Area have taken steps to harmonise trade secret laws in that region too.

Directive 2016/943 was required to be implemented in all EU Member States by 9 June 2018. Franchisors therefore need to understand how they can take best advantage of this new regime.

I THE NEED FOR A TRADE SECRETS DIRECTIVE

The primary driver for an EU Directive was an economic one. As part of the 'EU 2020 Strategy' the European Commission is obligated to create an innovation-friendly environment for business as part of its commitment to ensuring the smooth functioning of a single European market.4

As intangible assets such as trade secrets and confidential information are estimated to have grown to account for more than 80 per cent of the market value of publicly traded companies, Europe was increasingly at risk of becoming an unattractive environment for innovative businesses to locate themselves in. Extensive fact-finding work by the European Commission revealed that companies of all sizes, in almost every sector of the economy, reported that trade secrets are very important to them. Alongside this, however, it was found that misappropriation of trade secrets is on the rise.

Unfortunately, trade secrets law in the EU at that time could be best described as 'patchwork', with different approaches and different levels of protection in Member States creating uncertainty among businesses as to the type of information protectable as a trade secret and with, at times, inadequate enforcement mechanisms.

In part, this inconsistency in trade secrets regulation reflects both the permeation of trade secrets across a wide range of business activities and the fact that different countries have approached the issue from different starting points without any overarching coordination. For example, in France there was legislation to protect against misappropriation of trade secrets in the employment relationship – but not in an intellectual property context, which instead relied on principles derived through case law.5 Likewise, in Germany trade secrets are regulated through both competition law and employment law, but enforcement relies on a system that does not provide for mutual disclosure of evidence, which is often critical in such cases. This picture is complicated further by the fact that this ad hoc development of the law has led some countries to have more than one definition of a trade secret, depending on the legal context. In France, the United Kingdom and Germany, for example, the means of identifying a trade secret has varied, depending on whether the information is disclosed in the context of the employment relationship. This is clearly unhelpful for businesses.

It was against this backdrop that the EU Commission proposed the new Directive, concluding that there was an obvious public interest in securing fair competition standards and, at the same time, providing a business environment that encourages and rewards investment in research and innovation.

The Directive aims to harmonise laws across the EU in three main areas:

  1. the definition of 'trade secret', and the means by which holders will be protected throughout Europe;
  2. the remedies available to trade secret holders when they suffer a theft or unauthorised use of their trade secrets; and
  3. the measures the court can use to prevent trade secrets leaking during legal proceedings.

II DEFINING TRADE SECRETS

The Directive adopts the 1994 WTO TRIPS definition of a trade secret, which is also reflected in the definition adopted by the United States in the Uniform Trade Secrets Act and the federal Defend Trade Secrets Act.

Article 2 of the draft Directive defines a trade secret as:

[i]nformation which meets all of the following requirements:

a) is secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question;

b) has commercial value because it is secret;

c) has been subject to reasonable steps under the circumstances, by the person lawfully in control of the information to keep it secret.

This definition is consistent with already existing definitions in Member States such as Denmark, Spain and Italy, but it will mark a change in countries such as the United Kingdom, Germany, Poland and Hungary, where this prescribed approach to identifying a trade secret would seem to shift the emphasis adopted by historical approaches.

The classic definition of confidential information under English law is founded in equity and requires that the information (1) has the necessary quality of confidence and (2) is disclosed in circumstances importing an obligation of confidence. English law does not currently require information to have 'commercial value because it is secret' for it to be classed as confidential, although that is a factor the courts would take into account when evaluating whether confidential information may be treated as a trade secret.

In the context of confidential information in the employment relationship under English common law, a trade secret is information that an employee is obliged to keep confidential, even after the termination of employment and without any post-termination restrictions. In this context, 'trade secret' means information of a sufficiently high degree of confidentiality based on all the circumstances. These include its importance to the business and the measures taken to protect it. Typically, examples of this category have included the legendary 'Coca-Cola formula' as a pure trade secret that is protected regardless of any contractual agreement. This is distinguishable from 'valuable business information', which only remains protected after the end of employment if it is covered by express contractual wording.

Various issues come to light as a result of this.

  1. The requirement that the information be 'secret in the sense that it is not . . . generally known or readily accessible' applies not only to single pieces of information, but also to collections of information. This will ensure that manuals, processes and recipes can all be protected, as long their precise configuration is not generally known outside the business or its contractual supply chain. It also means that it will become easier to enforce confidentiality over customer service data and software features and functionality across Europe.
  2. The requirement for 'commercial value' raises questions, such as 'does the information have to have value to the original holder or is it sufficient that it would have value in the hands of another?' For example, confidential information that is damaging to a company might not have 'commercial value' to that company; although it is likely they would take steps to keep the information secret, they cannot exploit it for value. In the hands of a competitor, however, or a newspaper, the information may have commercial value as it could improve the relative reputation or activities of the competitor or prompt people to buy newspapers.
  3. The requirement that the information 'has been subject to reasonable steps under the circumstances, by the person lawfully in control of the information to keep it secret' means that as long as a businesses' supply chain, licensees, franchise holders and other business partners are required to observe its security requirements for the information, then it remains 'secret' and protectable.
  4. In an employment law context, the Directive may be seen to broaden the definition of 'trade secret' under English common law rules. This would appear to present an opportunity for employers to capture a wider range of confidential information within the trade secret classification.
  5. The issue above highlights an important question for Member States: whether implementation of the Directive should come in addition to – or instead of – their national legislation and common law rules. In the United Kingdom, the regulations6 implementing the Directive make clear that they are to sit alongside the existing legal framework. Accordingly, in so far as the measures, procedures and remedies available in an action for breach of confidence provide wider protection to a trade secret holder than that provided under these regulations, the trade secret holder may apply for those (wider) measures, procedures and remedies in addition or as an alternative to those provided for in the regulations.
  6. The similarities between the European definition and that adopted in the United States should help promote the confidence of international businesses to expand their operations in Europe.

III NEW HEADS OF LIABILITY AND REMEDIES

i Unlawful use of trade secrets

Article 4 of the Directive sets out the types of liability for infringement of rights in qualifying trade secrets. These relate to the acquisition, use and disclosure of trade secrets and infringing goods. Infringing goods will be those that significantly benefit from trade secrets that have been unlawfully acquired, used or disclosed.

This means that the use or disclosure of a trade secret will be unlawful (1) where the user knows (or should know) that it was obtained unlawfully or (2) where the infringing activity is carried out intentionally or with gross negligence by a person who obtained the information unlawfully or in breach of some other duty of confidence. Where a trade secret is obtained from a third party, its use or disclosure may still be unlawful if the user knew or should have known that the person from whom it was obtained was using or disclosing the trade secret unlawfully.

Article 4(2): The acquisition of a trade secret without the consent of the trade secret holder shall be considered unlawful, whenever carried out by:

(a) unauthorised access to, appropriation of, or copying of any documents, objects, materials, substances or electronic files, lawfully under the control of the trade secret holder, containing the trade secret or from which the trade secret can be deduced;

(b) any other conduct which, under the circumstances, is considered contrary to honest commercial practices.

Article 4(3): The use or disclosure of a trade secret shall be considered unlawful whenever carried out, without the consent of the trade secret holder, by a person who is found to meet any of the following conditions:

(a) having acquired the trade secret unlawfully;

(b) being in breach of a confidentiality agreement or any other duty not to disclose the trade secret;

(c) being in breach of a contractual or any other duty to limit the use of the trade secret.

Article 4(4): The acquisition, use or disclosure of a trade secret shall also be considered unlawful whenever a person, at the time of the acquisition, use or disclosure, knew or ought, under the circumstances, to have known that the trade secret had been obtained directly or indirectly from another person who was using or disclosing the trade secret unlawfully within the meaning of paragraph 3.

The issue that has drawn most attention is the potential for liability for conduct that is considered contrary to 'honest commercial practices'.7 While some conduct will clearly contravene this standard, the potential for differing and inconsistent interpretations across Member States will be high until such time as the Court of Justice of the EU decides a case in which it can give guidance on interpretation.8

The Directive also makes it unlawful to produce infringing goods or place them on the market. In effect, this will be a strict-liability offence, as no particular state of mind is required and liability will follow even if the manufacturer did not know that the goods were infringing.

One aspect of liability that the EU did not insist on, however, is the criminalisation of trade secret misuse. Although some states, such as Germany, France and Finland, already have varying degrees of criminal sanctions in this area, the EU has not compelled or encouraged Member States to follow suit.9

Interestingly, reverse engineering does not attract any remedy, as is clear from Article 3 of the Directive, which concerns the lawful acquisition, use and disclosure of trade secrets:

The acquisition of a trade secret shall be considered lawful when the trade secret is obtained by any of the following means: . . . [a] . . . [b] observation, study, disassembly or testing of a product or object that has been made available to the public or that is lawfully in the possession of the acquirer of the information who is free from any legally valid duty to limit the acquisition of the trade secret;

This allowance has created concern in some industries, as highlighted by the Max Planck Institute:

the use without restrictions of trade secrets obtained through reverse engineering appears problematic, in particular in sectors where . . . considerable investments are made in the development of new products. Notable examples include the cosmetic industry, which regularly invests quite heavily in the development of perfumes, but where the know-how generated thereby can be decoded with relative ease through reverse engineering. The unrestricted use of such know-how raises concerns that it could pose a substantial threat to the companies concerned, eventually leading to market failure whereby such goods would no longer be produced.10

ii Limitation periods

The Directive sets down at Article 8 that Member States may determine their own rules on limitation periods, up to a maximum duration of six years.

iii Remedies

If a trade secret is used, copied or disclosed in breach of the Article 4 standards (including breaches of contractual restrictions in licences, franchise agreements, or non-disclosure agreements (NDAs)), the remedies will include:11

    1. injunctions to prevent further use or disclosure of the information;
    2. court orders prohibiting infringing goods from being produced, marketed, sold, stored, imported or exported;
    3. seizure or delivery up of infringing goods (including imported goods) to stop them being circulated in the market;
    4. delivery up of electronic information, even where it is part of a larger file or materials;
    5. court orders compelling product recalls;
    6. orders requiring alteration to the products, so that infringing characteristics are removed (this includes software and electronic data, such as customer databases);
    7. destruction of infringing goods;
    8. publication of judgments in appropriate cases; and

i damages.

Use in this context also includes using the information to 'significantly benefit' the design, functioning or processes used in other products.

IV HARMONISATION OF COURT MEASURES TO PROTECT TRADE SECRETS DURING LEGAL PROCEEDINGS

Article 9 of the Directive requires Member States to introduce measures to preserve the confidentiality of trade secrets during legal proceedings. This includes, at least, the option to restrict parties' access to hearings and order them to be carried out solely in the presence of legal representatives and authorised experts.

This requirement has the potential to cause a significant change in the law in some Member States, notably Denmark, Poland, France and Belgium. In particular, the potential for hearings to be held in the absence of the parties to the action is unfamiliar to many legal systems and could foreseeably be challenged on human rights grounds.

The introduction of 'confidentiality clubs' to control the dissemination of confidential evidence in trade secrets disputes will also be a novel development in many countries. A confidentiality club is an agreement made by parties in litigation that limits access to confidential documents, so that they are only available to specified people. The upheaval to court procedure in countries such as Germany is likely to be dramatic.

V PRACTICAL ISSUES

i Insider threat

Franchisees and their employees and contractors, as well as the franchisor's own employees and contractors, can be a particular threat to trade secret security, even if they are not malicious. According to the FBI, just under a quarter of insider incidents each year are due to employee mistakes.12

Staff are also often more vulnerable to malicious attacks than they realise. In a 2007 study, Sophos found that phishing attacks from online social networks had a 72 per cent success rate, as opposed to other methods, which only had an average success rate of 15 per cent.13

The threat is even greater from staff with malicious intent, with some estimates placing 85 per cent of data losses at the door of employees. These activities are generally achieved with normal levels of access to company data and systems:

You're dealing with authorized users doing authorized things for malicious purposes. In fact, going over 20 years of espionage cases, none of those involve people having to do something like run hacking tools or escalate their privileges for purposes of espionage.14

In this regard, note that Article 14 of the Directive gives Member States the option of effectively forcing employers to prove intent in employee cases to recover damages. If that is adopted, it will reduce the effectiveness of the Directive to properly compensate businesses in cases of employee trade secret theft. This will compel employers to rely more on the employee contract to ensure they are properly protected.

The requirement to take 'reasonable steps' to protect trade secrets will introduce a greater legal impetus for businesses to take more interest in, and place better controls on, the security around their commercially valuable information throughout their supply chains. It will focus similar attention on licensees, franchise holders and other business partners, who will also need to be required to observe mandated security arrangements for the information. This is not always taken seriously by international businesses, however, as confirmed by PwC in its report 'Key Findings from the 2013 US State of Cybercrime Survey' (June 2013):

Previous PwC surveys support the view that the supply chain is a potential weak link in cybersecurity – both in the United States and globally . . . Companies often struggle to get their suppliers to comply with privacy policies – a baseline indicator of data protection capabilities.

The Directive also abstains from limiting works council representatives in their use of confidential information, leaving that to local laws, the rules of the specific works council and the employers' contractual rules with the staff representatives.

ii Supply chain problems

As it is often practically necessary for franchisors to share some of their trade secrets with third parties to enable them to operate an effective international supply chain to their franchisees, it is critical to ensure those arrangements adequately protect trade secrets.

The obvious starting point is through the use of suitable confidentiality or NDAs, but it is clear that a one-size-fits-all approach will not be a safe solution. Practical steps to take in preparing appropriate documents include:

      1. properly investigating the requirements of the arrangement – ascertaining with precision what trade secrets will need to be disclosed, and to whom; and
      2. carrying out due diligence on the proposed third party:
        • to determine whether it is an established or well-respected business with a track record of previous similar relationships known to have been successful; and
        • to determine its corporate status: whether additional NDAs with individual subcontractors, partners or other third parties are required.

It will also be important to monitor the way in which the relationship with any third party develops or changes while it is in possession of trade secrets. Arrangements may need to be refreshed and reinforced, particularly as its personnel changes. Once a third-party arrangement concludes, it will be vitally important to ensure that the post-termination obligations are actually complied with – especially those governing the return of confidential documents and data.

VI IMPLICATIONS FOR FRANCHISING

The advent of this new approach to protecting trade secrets is having both a reactive and proactive impact upon franchising.

On the reactive front, it is essential that franchise agreements are drafted so as to optimise the protection of the franchisor's trade secrets within the context of the relevant jurisdiction – this is, of course nothing new. The need, however, to ensure that new trade secret laws are central to the way that the franchise agreement deals with the issue is novel. On the proactive front, a result of the new trade secret laws is that the information will likely become commercially exploitable in its own right. For example, some franchises are already exploring new charging structures based on their new ability to classify specific sets of data as 'trade secrets'. Franchisors and their advisers need to be alive to the opportunities to exploit previously private processes, recipes or datasets in ways that will generate new income streams.


Footnotes

1 James Froud and Mark Abell are partners at Bird & Bird LLP.

2 Directive (EU) 2016/943 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure.

3 Public Law 114-153, 130 Stat. 376 enacted May 11, 2016, codified at 18 U.S.C. § 1836, et seq.

4 EC 9870/14, Section I, paragraph 2.

5 Article L 621-1 of the Industrial Property Code, which protects 'manufacturing secrets' in the context of the employer–employee relationship. The definition included in the draft directive does, however, correspond to that developed by French case law under (1) Article L 621-1 of the Intellectual Property Code and (2) disputes involving contractual matters or unfair competition in which violation of a 'secret de fabrique' or trade secret was alleged.

6 The Trade Secrets (Enforcement, etc.) Regulations 2018 [2018 No. 597].

7 Directive (EU) 2016/943, Chapter II, Article 4(2)(b).

8 Comments of the Max Planck Institute for Innovation and Competition of 3 June 2014 on the Proposal of the European Commission for a Directive on the protection of undisclosed know how and business information (trade secrets) against their unlawful acquisition, use and disclosure of 28 November 2013, COM(2013) 813 final.

9 EC 9870/14, Section II, paragraph 6: 'Member States agreed that the draft directive should not interfere with their national prerogatives regarding criminal law.'

10 Comments of the Max Planck Institute for Innovation and Competition of 3 June 2014 on the Proposal of the European Commission for a Directive on the protection of undisclosed know how and business information (trade secrets) against their unlawful acquisition, use and disclosure of 28 November 2013, COM(2013) 813 final.

11 Directive (EU) 2016/943, Section 2, Articles 10 to 15.

12 www.darkreading.com/insider-threat/5-lessons-from-the-fbi-insider-threat-pr/240149745.

13 See 'Good Practice Guide: Online Social Networking', www.cpni.gov.uk/Documents/Publications/2010/2010032-GPG_Online_social_networking.pdf.

14 www.darkreading.com/insider-threat/5-lessons-from-the-fbi-insider-threat-pr/240149745.