The Italian Government with Legislative Decree No. 63/2018 (the “Decree“) implemented the EU Directive No. 2016/943 (the “Directive“) on the protection of the so-called “undisclosed know-how” and business information (trade secrets) against their unlawful acquisition, use and disclosure.
The Directive
The Directive falls in an economic-production context such as the current one, continuously more prone to the stealing of trade secrets and offences of various kinds, with losses often significant, typically estimated in the range of 10 to 30 billion euros per year in each of the various Member States.
The reason behind the Directive is specifically that of providing greater and more effective protection – by implementing effective, proportionate and dissuasive criminal, administrative and penalty measures – to “undisclosed know-how” and to business information (trade secrets) against their unlawful acquisition, use and disclosure.
In this context, the Directive, in its Article 2 provides a definition of “trade secret”, meaning information that is (i) secret (therefore they must not be generally known or easily accessible to persons who normally deal with this type of information), (ii) have commercial value given that they are secret and (iii) that have been subject – by the entity exercising control over them – to steps, as the case may be, that are reasonable in order to keep them secret.
The novelties introduced by the Decree
The Decree made some significant changes to the Italian Industrial Property Code (the “CPI”; Articles 1, 2, 98, 99, 121ter, 124, 126 and 132) and to the Criminal Code (Articles 388 and 623).
- Industrial Property
While the first two articles of the CPI only deal with wording – “confidential corporate information” becomes “trade secrets” – the most important changes are to be found, above all, in Art. 99.
If, in fact, Article 98 has been amended in a non-substantial manner – having in fact included the definition in Article 2 of the Directive as set out above – it is Article 99 that significantly extends the protection against certain phenomena defined as “negligent disclosure”.
The article in question, in fact, defines as unlawful the conduct – in addition to that of the subject stealing trade secrets – of any third party who uses such information; this, if said party is aware or, depending on the circumstances, should have been aware of the illegal origins of such information.
Furthermore, in the first paragraph of Article 99, it is established that the legitimate holder of trade secrets (the company) has the right to prohibit third parties from acquiring, disclosing or using them in an abusive manner, unless they were obtained independently from the third party. It is then established that the rights and actions deriving from the unlawful conduct described above have a time frame of five years.
The Decree also introduced into the CPI Art. 121 ter, which grants new and more restrictive “secreting powers” to judges. In particular, the courts may prohibit a wide range of subjects (consultants, defence counsels, representatives of the parties to the proceedings as well as witnesses and administrative staff) from using or disclosing trade secrets that are the subject of the proceedings and deemed to be confidential, by taking any measures they may deem appropriate to this end. This secrecy remains effective even after the end of the proceedings, except in the case of a final judgment which proves that the secrets in question did not meet the requirements of Article 98 of the CPI (and Article 2 of the Directive) or if the secrets become generally known and easily accessible.
Moreover, on the CPI, Article 124 establishes more clearly the parameters of the “indemnity protection”. “Guidelines” are established to support the judge in defining the measures to be adopted – clarification of no minor importance – even in light of the complexity of the “secrecy measures” adopted by the legitimate holder in order to protect its trade secrets.
Lastly, of lesser importance, are the amendments made to Art. 126, with reference to the methods of publication of the judgement, as well as to Art. 132, concerning precautionary protection measures and the relationship between them and the applicable judgment.
- The Criminal Code
Concerning the changes made to the Criminal Code, apart from the amendments – less significant – to Article 388 concerning the intentional non-implementation of a court order, the most interesting news apply to Article 623.
Also in this case, in accordance with the provisions of Art. 99 of the CPI, not only the trade secrets thief, but also any person who, having acquired said secrets unlawfully uses them to its own benefit or that of others, becomes criminally liable for the disclosure of scientific or trade secrets. Furthermore, committing said offences through the use of IT tools is qualified as an aggravating circumstance.
Conclusions
In light of the above, personnel management (as user and holder of specific information) and the security/secrecy measures that a company can (and must) put in place to protect its assets, becomes paramount.
Therefore, it is of fundamental importance to govern and classify corporate documents appropriately, since not all documents or information can be considered secrets by default (keeping in mind the “measures” mentioned multiple times above). It is becoming increasingly important to organise one’s own structure in an effective and proactive way, paying particular attention to “logical and physical” measures (furthermore referred to in EU Regulation 2016/679, “General Data Protection Regulation“) and perhaps specifying the “level of secrecy” of each document circulating in the workplace. It will no longer be sufficient, in the course of legal proceedings, to state in general terms that firewall or anti-virus software had been adopted, it will be necessary to prove that all appropriate protective measures were taken.
Finally, with specific reference to IT tools – which are becoming increasingly important – it is truly essential to have valid and effective regulations on their use, so as to be perfectly compliant with the General Data Protection Regulation and with Article 4 of the Workers’ Statute regarding remote monitoring of the work activity.