Protecting AI as trade secrets

(Originally published on TopLegal FOCUS - AI - Dec 2021)

The development of artificial intelligence (AI) requires significant investment from companies, which have an urgent need to better protect the related intellectual property.

Depending on the specific case, the best form of protection can be through the use of a patent, copyright or trade secrets. The use of trade secrets is acquiring an increasingly important role given the limits of copyright protection, the difficulties in patenting AI, and the fact that some characteristics of the trade secrets protection are superior to the other options. I am referring, for example, to its potentially unlimited duration in time, i.e. for as long as the information remains secret; to the immediacy of protection which allows it to keep up with the rapid development of the sector; to its scope, which also covers material such as algorithms, training data and output data, including data on errors committed by AI; and to the absence of registration fees and the ensuing related costs.

However, the protection of trade secrets also has significant weaknesses: for example, it does not allow you to oppose the use of the same information if it has been developed independently by a third party or if it can be obtained through simple reverse engineering. Moreover, in court proceedings it is often difficult to demonstrate both the content of the trade secrets and the fact that they were subjected to "reasonably adequate measures to keep them secret".

This last requirement, posed by the cardinal rule of the civil protection of trade secrets (Article 98 of Legislative Decree 30/2005), is in fact the issue on which court proceedings typically focus: the alleged infringer claims that the petitioner’s trade secrets do not deserve protection precisely because the petitioner had not subjected them to adequate measures to keep them secret. It is therefore up to the petitioner to demonstrate that he has put in place the necessary technical and legal measures, e.g. blocking the copying of files and their outside transmission, granting access to files on a "need to know" basis, limiting access with a high level of security, implementing NDAs, internal policies, confidentiality clauses.

It is true that, even in the absence of stringent security measures, confidential company information can still be protected under the rules that sanction unfair competition. However, the latter applies exclusively to competitors and is not always possible to invoke. For example, it could not be applied against a dishonest employee unless they are acting in concert with a competitor company, reinforcing the importance of adopting serious cybersecurity practices from both the technical and legal sides.