Inauspicious start for the UK Trade Secrets Regulations at IPEC

Image by Sang Hyun Cho from Pixabay

Trailfinders v Travel Counsellors [2020] EWHC 591 (IPEC) represented the first opportunity for judicial scrutiny of the UK Trade Secrets (Enforcement, etc.) Regulations 2018 (SI 2018/597).

The approach adopted by HH Judge Hacon was provisions of the EU Directive on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure (EU Dir. 2016/943), especially Chapter II and Articles 6, 7 and 16, had already been implemented – without the need for these Regulations – into our law under common law and equity. Hacon J accordingly, “assumed that the substantive principles governing the protection of confidential information under English law, including that afforded by terms implied into contracts of employment and by equitable obligations of confidence, are unaffected by the Directive. However, the Directive shines an occasional light on those principles.[para.9]

In particular, Hacon J found,”the best guide to the distinction between information which is confidential and that which is not is now to be found in the definition of ‘trade secret’ in Article 2(1) of the Directive 2016/943.[para.29]

This would imply that the established three stage common law test for confidentiality of: (1) the information itself must have the necessary quality of confidence; (2) the information must have been imparted in circumstances importing an obligation of confidence (either expressly, or which ought reasonably to have been understood by the recipient) and; (3) there must be an unauthorised use of that information to the detriment of the rights holder; now needs to be updated in line with the new statutory definition of a ‘trade secret’ being information which: (1) is secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among, or readily accessible to, persons within the circles that normally deal with the kind of information in question; (2) has commercial value because it is secret, and; (3) has been subject to reasonable steps under the circumstances, by the person lawfully in control of the information, to keep it secret.

However, the difficulties inherent within this interplay between the new statutory definition of a ‘trade secret’ and the old common principles of confidentiality can be illustrated by Hacon J’s legal treatment of the two terms, ‘secret’ and ‘reasonable steps’.

Secret

The preamble to the EU Trade Secrets Directive makes clear that its definition, “excludes trivial information and the experience and skills gained by employees in the normal course of their employment, and also excludes information which is generally known among, or is readily accessible to, persons within the circles that normally deal with the kind of information in question.” [para.14]

Mr La Gette and Mr Bishop as the defendants in this case had argued that Trailfinder’s information on clients’ names, nationalities, interests, contact details and past bookings was already in the public domain and was therefore ‘readily accessible’ to them. Trailfinders held this client information on two systems: Viewtrail was an online portal used to record booking details and Superfacts was a software system which recorded information about clients. Bishop had admitted using the Superfacts system to assemble, for about six months before he left Trailfinders, a ‘contact book’ about clients and both he and La Gette admitted accessing Viewtrail after they had left Trailfinders.

Hacon J took the view that the Trailfinder information had met the statutory threshold for being ‘secret’ but went further adding, “Lewison LJ observed in Force India Formula One Team Ltd v Aerolab Srl [2013] EWCA Civ 780; [2013] RPC 36 (with whom Briggs LJ and Sir Stanley Burton agreed): It is certainly not a defence [to an allegation of breach of confidence] that the person in breach of confidence could have obtained the information elsewhere if he did not in fact do so.(at [72]) [para.35]

Reasonable Steps

Wearing the ‘clean hands’ spectacles demanded of equity Hacon J felt able to find that although, “[T]he protection may not have been as rigorous as it should have been [but] Trailfinders clearly took steps to ensure that the Client Information was not openly available to anyone by requiring the use of a password or, in the case of Viewtrail, limiting access to information to clients only if their name and booking reference was known”. [para.73]

Image by Zach Dulli from Pixabay

This approach would appear to be at variance with that adopted by judicial counterparts in the USA, who, whilst not requiring of perfection, on the whole would take a dim view of any failure on the part of a holder of trade secrets not to identify and label confidential information as such, nor take any steps to restrict ex-employee online access. It is worthy of note that the origins for the broad definition for a ‘trade secret’ under the UK Regulations ultimately lies within American jurisprudence, where State and now Federal Courts have had decades of experience in its interpretation.

The issue may lay in the fact that Hacon J categorised the confidential information at play in this case as class 2 information acquired during the normal course of employment which remains in the employee’s head and becomes part of his own experience and skills (not class 3 information, namely specific ‘trade secrets’ requiring of a higher degree of confidentiality) – see Goulding J’s classification in Faccenda Chicken Ltd v Fowler [1985] 1 All ER 724, albeit the Court of Appeal ultimately differed with Goulding J’s analysis of where to draw the line between classes 2 and 3. This begs the unanswered question, would Hacon J have demanded more in the way of ‘reasonable steps’ from Trailfinders had he categorised the confidential information as class 3?

Given the EU Trade Secrets Directive does not replace English common law, the overall effect was said to be that a UK trade secret holder could apply for remedies under the common law of confidentiality either in addition, or as an alternative, to the remedies provided under the Trade Secrets Regulations (i.e. in instances where the English common law provided for ‘wider remedies’ – Regulation 3). It will be interesting to see in the future whether our more senior judicial brethren continue to follow Hacon J’s approach of an interplay between the two. But for the time being at least the new Trade Secrets Regulations, and Regulation 2 in particular, can (merely) be viewed as an aid to common law interpretation, illuminating what information now has ‘the necessary quality of confidence’ under both classes 2 and 3, as categorised in the Faccenda Chicken case.

“Chinese suitor stole trade secrets”

Yesterday’s headline (above) in the Sunday Times is a timely reminder to UK business about the importance of “trade secrets data” as an intellectual asset and the need for clarity as to its meaning.

Image by PublicDomainPictures from Pixabay

Up until the Trade Secrets (Enforcement, etc.) Regulations 2018 [the new Regulations] the UK had no statutory definition for what constitutes “trade secrets data”. The common law had previously used the term in one of two ways, either for post-employment restraints legitimately imposed on former employees or meaning technical/business data imparted to the recipient under an express or implied obligation of confidentiality.

Image by Jai79 from Pixabay

In an attempt to catch-up with legislative protection in the USA and Japan, the EU Commission introduced Directive 2016/943 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure. This Directive used the definition for “trade secrets data” provided for under Article 39.2 of the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPs), implementing which the new Regulations state at Section 2 that a “trade secret” constitutes data which:-

“(a) is secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among, or readily accessible to, persons within the circles that normally deal with the kind of information in question,
(b) has commercial value because it is secret, and
(c) has been subject to reasonable steps under the circumstances, by the person lawfully in control of the information, to keep it secret;” (emphasis added)

The preamble to the Directive makes clear secret “excludes trivial information and the experience and skills gained by employees in the normal course of their employment, and also excludes information which is generally known among, or is readily accessible to, persons within the circles that normally deal with the kind of information in question.” Further, that data has a commercial value, “where its unlawful acquisition, use or disclosure is likely to harm the interests of the person lawfully controlling it, in that it undermines that person’s scientific and technical potential, business or financial interests, strategic positions or ability to compete.”

However, there is no definitive guidance on what constitutes reasonable steps under the circumstances, although there would seem to be an expectation within the wider legal community that SMEs will not be put to the same legal standard as larger more resourceful corporations (see Trade Secrets – reasonable steps, published in the Journal of the Chartered Institute of Patent Attorneys October 2019 / Volume 48 / Number 10 at 18).

Image by skeeze from Pixabay

What is clear, however, is the new Regulations offer no protection to UK businesses under the criminal law. Whereas the U.S. Defend Trade Secrets Act 2016 may make it a federal offence to steal trade secrets data, such data is unlikely to even be considered as “property” within the meaning of the UK Theft Act 1968.

Cambridge International Law Journal

I am indebted to the Cambridge International Law Journal for publishing my article ‘A Right to Bear Cyber Arms?‘ on its blog http://cilj.co.uk/2019/11/19/a-right-to-bear-cyber-arms/

Image by Pete Linforth from Pixabay

The article addresses the reintroduction of the Active Cyber Defense Certainty Act (ACDC) to the 116th U.S. Congress in June 2019 and concludes with the call for a common platform to be agreed on the more aggressive defensive cyber actions (hacking back/Offensive Cyber/legal right to bear cyber arms) that SMEs should and should not be permitted to conduct in defence of trade secrets.

How much longer can Europe afford to ignore cyber-enabled ‘trade secret theft’ as a form of IP Crime?

The latest report from the EUIPO and Europol on IP Crime threats assessment makes clear that such threats are viewed as limited to instances of piracy and counterfeiting. Important as these criminal activities may be to threaten the health of our economy such a limited approach is at odds with American jurisprudence where, ”the threat of trade secrets theft to U.S. corporations conducting business internationally is a well-recognized and extensively documented phenomenon”, and “top intellectual property priority” for investigation by the FBI. The United States Trade Representative’s Special 301 Report (2018) goes further by identifying a failure to adequately protect trade secrets by trading partners as a key area of concern, given U.S. government recognition that “trade secrets may constitute the most critical intellectual property assets” for U.S. corporations.

It was for this reason that the U.S. government reported it had been, “extremely active in Brussels in support of the EU trade secrets directive” (2016), using its co-chairmanship of the Transatlantic IPR Working Group to push ”this topic to the forefront on EU action on intellectual property matters”, albeit this legislative initiative was ultimately only limited to the civil law domain.

Work undertaken by the OECD in 2014 recognises that the U.S. leads the world in the legal protection of trade secrets, with the UK struggling to stay above the average – behind the legal jurisdictions of Canada, Lithuania, Spain, Japan, Netherlands, Ireland, Israel, New Zealand, Hong Kong (China), Singapore and Australia. A UN Conference on Trade and Development Report (2011) confirmed over 50% of global trade in services is now undertaken online, with a global fraud report (2010) recording incidents of data theft now surpassing that of physical theft. One area of primary concern highlighted by U.S. Secretary of State Hillary Rodham Clinton in 2012 was,”emerging powers are putting economics at the centre of their foreign policies” and making commercial cyber espionage a central part of their policy toolbox.

During his presidential campaign candidate Trump highlighted the blue-ribbon panel report into the Theft of American Intellectual Property, the updated version of which cites estimates of the value of trade secret theft as between 1% to 3% of GDP. It is sobering to note the Director of the European Centre for International Political Economy would point out, “there is no evidence or indication that cyber espionage against European firms is any lesser in scale than against other countries,” offering an estimation of “the cost of cyber espionage to Europe at 55 billion euros annually (and placing) 289,000 jobs at risk.”

Whereas the UK government would advocate that the solution lies with firms enhancing their own cybersecurity protection, such an approach is likely to become increasingly unrealistic as a holistic solution in the emerging 5G/Industry 4 era, where decades of R&D are susceptible to being ‘hacked’ at the click of the mouse.  Calls for parity of criminal law protection with SME counterparts in the U.S. can only be expected to grow within the UK.

With the UK providing notice to leave the EU and looking to build upon its current trading position with the U.S. a parity of criminal law protection against trade secret theft can only offer some reassurance to the U.S., with a trading partner which is currently said to offer better criminal law protection for the boardroom table than the theft of boardroom secrets (Alan Campbell QC 1967).

Welcome though such a legislative initiative might be for our vulnerable SMEs, Europol has already reported that national criminal legislation cannot of itself provide a unilateral solution. With TRIPS now nearing a quarter of a century of operation there are reassuring signs that the U.S., Japan and EU are starting to form a ‘coalition of the willing’ to work together on the margins of the TRIPS Council to elaborate upon the nature of the legal protection to be afforded under Article 39, with a special emphasis on SMEs (side event 9th November 2016).

Europe has been at the vanguard of developments for the legal protection of personal data, the question is whether the appetite now exists to extend the legal protection for valuable commercial data by using the criminal law.

EU takes action against cyber-enabled ‘IP theft’ perpetrated from outside the EU

In the first EU measure of its type, Council Regulation (EU) 2019/796 concerning restrictive measures against cyberattacks threatening the Union or its Member States [17th May 2019] contains targeted sanctions against online “external threats” to IP. This Regulation is aimed at threats which originate from outside the EU, use infrastructure from outside the EU, or otherwise the person(s) instrumental in such a cyberattack are established abroad (Article 1).

Amongst other criteria, Article 2 of the Regulation targets an actual or attempted cyberattack on IP which has a, potentially, “significant effect”, on the “loss of commercially sensitive data”. Such commercially sensitive data will fall within the definition of a ‘trade secret’ under Council Directive (EU) 2016/943 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure [8 June 2016] if that data: 1. is secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question; 2. has commercial value because it is secret; 3. has been subject to reasonable steps under the circumstances, by the person lawfully in control of the information, to keep it secret.

Article 3 of this new Regulation imposes an asset freeze on natural or legal persons, entities or bodies who are responsible for the actual or attempted cyberattack; provide financial, technical or material support for or are otherwise involved in the cyberattack; or are associated with the natural or legal person, or bodies involved. As a result of such an asset freeze, all funds and economic resources belonging to, or controlled by, such listed persons and that fall under EU jurisdiction (e.g. held by EU banks) will be frozen. In addition, no funds or economic resources may be made available to or for the benefit of the said listed person by parties falling under EU jurisdiction.

This latest EU Regulation should serve to remind us that the “big international question” of cyberspace governance still remains to be resolved, albeit Sir Mark Sedwill (Cabinet Secretary, Head of the UK Civil Service and UK National Security Advisor) would note that the major private sector providers are more receptive than ever to its resolution (see Public Accounts Committee Oral evidence: Cyber Security in the UK, HC 1745 [1st April 2019] Q93).

In his article Jurisdiction In Cyberspace: A Theory of International Spaces Darrel Menthe asserts that, “unless it is conceived of as an international space, cyberspace takes all of the traditional principles of conflicts-of-law and reduces them to absurdity.” Akin to the “law of the flag” on the high seas, nationality of a vessel (manned or unmanned) in outer space or the nationality of the base in Antarctica, Menthe advocates, even in the absence of such a sui generis treaty regime as regulates the other three international spaces, that jurisdictional analysis requires cyberspace should be treated as a fourth international space governed by a comparable set of default legal rules (see Darrel Menthe, Jurisdiction In Cyberspace: A Theory of International Spaces 4 MICH.TELECOMM.TECH.L.REV 69 (1998)).