Confidently confidential

This article considers two recent developments relating to data protection and trade secrets: two sides of the same coin perhaps.

Cloud computing and extra-territoriality

The first development concerns the recent spat between the United States and Microsoft, not as previously an issue of antitrust compliance, but rather a question of privacy and data protection in the cloud.

The ruling is from the Court of Appeals for the Second Circuit (Case 14-2985) in which Microsoft appealed from orders of the US District Court for the Southern District of New York (1) denying Microsoft’s motion to quash a warrant (“Warrant”) issued under the Stored Communications Act, 18 U.S.C. §§ 2701 et seq, to the extent that the orders required Microsoft to produce the contents of a customer’s email account stored on a server located outside the United States, and (2) holding Microsoft in civil contempt of court for its failure to comply with the Warrant.

The facts were largely undisputed and, in brief, were as follows: Microsoft offers web-mail services to its customers worldwide; this data is held in data centres throughout the world – for reasons of reduced latency and disaster recovery protection. Many of these data centres were situated outside the US. In the case in question, it was agreed that the email of the Microsoft customer in question was physically located in a data centre in Ireland. The data destination is largely determined by information provided by the customer; if the user claims to be in the UK, the data would be stored in a data centre close to the UK; if the user were in the Far East, the data would be held there.

The magistrate judge in New York issued a warrant under the (US) Stored Communications Act (SCA) ordering Microsoft “to the extent that the information … is within the possession, custody or control of MSN” to produce the contents of all emails stored in the account and various other records and meta information relating to the account.

Microsoft disclosed all information in the US but requested the judge to quash the warrant with respect to the user content stored in Dublin. That request was denied by the magistrate judge, who determined that the SCA allowed the issue of a warrant to cover data stored abroad if it was under the possession, custody or control of Microsoft, irrespective of the location of that information.

Thereafter the Chief Judge, on appeal, adopted the magistrate judge’s reasoning and affirmed his ruling. Microsoft appealed and shortly afterwards the District Court on joint motion of the parties found Microsoft in civil contempt for failing to comply fully with the warrant. Microsoft amended its appeal and the Second Circuit decided the appeal in July 2016.

In reversing the earlier decisions and granting Microsoft’s appeal, the Second Circuit considered the terms of the SCA (part of the Electronic Communications Privacy Act of 1986) and noted that a lot had happened in technology since 1986 and that the SCA did not envisage the present position.

The real issue was whether the warrant provisions of the SCA could have extraterritorial effect. The court then proceeded to analyse the provisions of the SCA, its meaning, the meaning of an SCA warrant, and of a subpoena before determining that the SCA focused on user privacy and therefore that the execution of the Warrant would constitute an unlawful extraterritorial application of the Act.

The court stated that the citizenship and location of the customer were irrelevant: under the SCA, the invasion of the customer’s privacy takes place where the customer’s protected content is accessed – in this case Dublin – so the conduct that falls within the focus of the SCA would occur outside of the USA. If, as the US government contended, the inability to access data abroad would impede law enforcement, there was a process under a series of Mutual Legal Assistance Treaties between the US and other countries. (The US has entered into an MLAT with all member states of the EU.)

In short, the court was not going to order Microsoft to take information situated outside the US and import it into the US without regard to the laws and processes of that foreign state.

This is a very important decision for cloud computing – particularly for US-based cloud providers, who were all concerned as to what a contrary finding would have done to their businesses.

Trade secrets

On 14 April 2016 the European Parliament voted to adopt the text of a draft Directive on the protection of undisclosed know-how and business secrets (Trade Secrets) and on 15 June, the Directive was published in the Official Journal.

The purpose of the Directive is to harmonise the law relating to the misappropriation of Trade Secrets and provide a base level of protection (although Member States may go further) in three main areas:

  • introducing an EU-wide definition of Trade Secret (Article 2);
  • setting out the remedies in the event there is a misuse of a trade secret (Articles 12, 13, 14 and 16); and
  • ensuring that national courts can prevent disclosure of trade secrets during legal proceedings.

Article 2(1) defines “trade secret” as information which:

(a) is secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question;

(b) has commercial value because it is secret; and

(c) has been subject to reasonable steps under the circumstances, by the person lawfully in control of the information, to keep it secret.

The Directive does not make very many changes in the existing position under English or Scots law so the impact for UK lawyers may be minimal. There will, however, be some changes, including the granting of greater protection to whistle-blowers and some drafting changes to reflect the new definitions.

Trade secrets, of course, are not a form of IP, although they are often a precursor to such. The difficulty, I suspect, will be in that fact – because trade secrets are by their nature secret, it may be difficult for a party to know whether information which he acquires from a third party is indeed a “trade secret” per the definition, or some lesser interest. If the former, it will be protected and sanctions will flow from its disclosure or use; if the latter, it probably won’t.

Arguably, the definition in Article 2 is the most important part of the Directive as it is the cornerstone upon which everything else rests. Much will depend on the steps the holder of the trade secret has taken to protect it; use of NDAs and the like will be a positive sign in this regard; the test of commercial value is slightly ephemeral as in an early stage, really valuable (ultimately) information may not be seen as such – should then all information, however apparently trivial, be protected as much as the business’s crown jewels? How is a person who discovers something to decide whether it is a trade secret or just something he doesn’t know?

Merely labelling something as a trade secret may not be enough – if it is not so; the directive only applies to “secrets” having some commercial value so the tabloid papers and celebrity magazines will not be prevented from reporting their lurid claims about some actress or other – although such information, though not a trade secret, may still obtain some protection under the developing rules on privacy or data protection. If a celebrity has made their name on the basis of some particular character trait, would disclosure of that trait as untrue (and thereby destroying that brand) be a breach of the trade secret directive? Very possibly, but it is difficult to draw the dividing lines.

How the trade secret is obtained will be relevant under Article 4. Obviously, unlawful access such as hacking or phishing would be a clear breach, but how are the courts to determine the other test of “any other conduct which is considered contrary to honest commercial practices”?

Looking at the continental model of “unfair competition” or “concurrence déloyale” or breach of the German Gesetz gegen den unlauteren Wettbewerb (UWG), is that sufficient to meet the test? Probably not in the UK, but elsewhere?

Article 4 states that “the acquisition, use or disclosure of a trade secret shall also be considered unlawful whenever a person, at the time of the acquisition, use or disclosure, knew or ought, under the circumstances, to have known that the trade secret had been obtained directly or indirectly from another person who was using or disclosing the trade secret unlawfully.”

The possibility of this secondary liability should cause employers to look carefully at what knowledge a new start is bringing with them. Client list? Prices? Another avenue for employers to sanction leaving employees and inhibit new employers perhaps?

Whilst the Directive does prevent disclosure of trade secrets, there is an exception for whistle-blowers under Recital (20) and Article 5(b) “for revealing misconduct, wrongdoing or illegal activity, provided that the respondent acted for the purpose of protecting the general public interest” – a difficult test perhaps to meet, and if one were a whistle-blower, would one wish to rely on the subsequent determination of whether the disclosure was for the purpose of protecting the general public interest or not?

With the codification of the law on trade secrets, it is a reminder of what businesses should be doing to protect their most valuable assets; by June 2018 when the Directive comes into force, commercial lawyers throughout the Union should be looking at their contracts to determine what needs to be done to protect trade secrets and employment lawyers in particular should be considering what new opportunities and challenges the new rules will bring.

David Flint is Senior Partner at Scottish law firm MacRoberts LLP and Head of their IP, Technology and Commercial Group. He chairs the ABA Business Section International Committee, IP Subcommittee and the ABA Cyberspace Law Non-US Cyber Laws Task Force. Twitter: @dfscot.

Image cc by Alex Wellerstein on Flickr.

2 thoughts on “Confidently confidential”

  1. This is an excellent overview of these two important topics. Thank you. I do want to point out one important issue that may merit a deeper discussion. In the above post, you write “Obviously, unlawful access such as hacking or phishing would be a clear breach…” However, reverse engineering (both in the EU directive and in the USA DTSA) is explicitly carved out as a lawful act. Many would assume that reverse engineering an application to peer inside to see algorithms, methods of securing data, credentials for authentication, etc. would fall into the broad category of “hacking” – but there is no reason whatsoever to draw that conclusion. However, there are well understood mechanisms (technologies and practices) to prevent reverse engineering and tampering. Question: if an app owner applies reasonable, well-understood mechanisms to prevent reverse engineering – will that make reverse engineering “unlawful?” There are many who would argue that it does – and many that would take the opposite view. I don’t think there is any case law that settles this one way or the other.
