ChatGPT: How to protect your trade secrets

Large Language Models (LLMs) such as ChatGPT can be used, inter alia, to generate automated texts or to structure one’s research efficiently; many more applications are possible. Consequently, it is to be expected that a company’s employees might use such programs, partly in a considerate and reasonable manner, but partly thoughtlessly and without any real benefit, and thereby, consciously or unconsciously, integrate trade secrets into the prompts provided to the AI.

In order for a business secret to be protected, the German Act on the Protection of Trade Secrets (“GeschGehG”) requires, among other things, that the information in question must be “subject to secrecy measures that are reasonable under the circumstances”. The owner of the trade secret must therefore actively take measures to protect the secret from any third-party access. These measures must be documented in order to be able to prove them if necessary.

Trade secrets can include a wide variety of information, from specific customer data to design drawings, work instructions, recipes, etc., to the calculation bases for pricing strategies or background information for marketing campaigns.

Entering trade secrets (or even only parts of them) into a Large Language Model AI regularly results in the trade secret in question being usable by the AI. For example, OpenAI explicitly explains that data entered in a (non-API) use of ChatGPT or DALL-E may be used by OpenAI unless the user opts out. In the context of API use of ChatGPT, an opt-in is provided according to the terms of use. While OpenAI claims at the same time to use only parts of the data and to take great care in securing customer data, this ultimately does not change the fact that a trade secret entered into ChatGPT can be used by OpenAI if no opt-out is declared. For this reason alone, there is a considerable risk that entering a trade secret into ChatGPT will cause the trade secret to lose its protection under the GeschGehG.

This is due to the fact that the explicit opt-out is in any case deemed to be an appropriate measure to protect the secret; indeed, “appropriate secrecy measures” as defined by the GeschGehG might even require refraining completely from entering trade secrets into third-party software products that are allowed to use these secrets (even only in part). This in turn means that such “reasonable secrecy measures” also include taking organizational measures that prevent such entries.

Check secrecy protection
In light of the above, companies should review their employment contracts, internal guidelines and work instructions on the protection of secrets as well as on the permitted use of the Internet (AUP). In addition, they should examine whether, to what extent and by which employees the use of ChatGPT or other AI applications makes sense for the company. Based on the result of this evaluation, the use of such AI tools can be generally prohibited for certain groups of employees as a supplementary measure for the protection of secrets, and access to these tools can also be technically restricted or excluded.