Guarding the crown jewels: legal strategies to prevent strategic data leaks post‑employment

Alison Leroy
UGGC Avocats, Paris
a.leroy@uggc.com

Marine Lamotte
UGGC Avocats, Paris
m.lamotte@uggc.com

The metaphor embedded in this article’s title is not decorative. It captures what is at stake. A sales specialist spent six years, from 2009 to 2015, managing the defence‑sector accounts of a Paris‑based technology company. He knew its clients, contracts, pricing and exclusive distribution relationship in that most sensitive of markets. After his resignation, he became a shareholder and manager of a competing firm, which was sued for misappropriation of confidential files and unfair competition. The case, decided by the Cour de Cassation^[1] in 2026, confirmed that while moral prejudice is necessarily inferred from an act of unfair competition by appropriation of confidential information, an employer who invokes material damages must separately prove them.^[2] The legal battleground is real and the rules governing both have grown sharper since 2018.

French law No. 2018‑670 of 30 July 2018, transposing European Union Directive 2016/943, created within the French Commercial Code a framework devoted to the protection of trade secrets.^[3] The statute contains carefully crafted exceptions for freedom of expression, good‑faith whistleblowing in the public interest and the protection of legitimate interests recognised by law. For the corporate lawyer advising employers on protecting sensitive assets when a key employee departs, the 2018 law has reshaped what is possible.

What makes a secret a trade secret?

Article 39.2 of the Agreement on Trade-Related Aspects of Intellectual Property Rights, otherwise known as the TRIPS Agreement, established three cumulative conditions for protection: the information must remain secret, possess commercial value by virtue of its confidentiality and be subject to reasonable measures to maintain its secrecy.^[4] Under Article L151‑1 of the French Commercial Code, information qualifies for protection as a trade secret when it is not generally known or readily accessible to persons familiar with the relevant sector; it has actual or potential commercial value by reason of its secret nature; and it has been the object of reasonable protective measures taken by its legitimate holder.^[5]

The range of qualifying information is broad: industrial processes, commercial strategies, customer lists, non‑patented manufacturing methods, patient databases and internal protocols. Trade secrets law fills the gap left by classical intellectual property regimes, which generally require formalisation and disclosure, offering a level of flexibility those regimes cannot match.

The third condition, reasonable protective measures, carries weight in the employment context. A company that has neglected to classify its sensitive information, restrict access to confidential systems or train its workforce on confidentiality obligations may find that the courts decline to recognise trade secret status for the data it is seeking to protect. The law rewards diligence and punishes complacency.

The departing employee as the primary vector

Internal threats represent a major risk for the security of strategic data within organisations. When a collaborator occupying a strategic position leaves the company, he or she may take with them knowledge, processes or confidential information that can be exploited by a competitor. Unlike external cyberattacks, which typically leave forensic traces that security teams can detect, the knowledge carried in the mind of a departing scientist, sales director or financial strategist is intangible. Remote work and the intensive use of collaborative digital tools amplify the risk.

The most dangerous scenarios involve employees who act while still on the payroll. Several courts of appeal have characterised as gross misconduct the transmission, prior to departure, of project and pricing information to a future employer, and have ordered the employee and the receiving company to compensate the former employer.

The contractual toolkit: confidentiality and non‑compete clauses

French employment law provides two principal contractual instruments for guarding against post‑employment data leakage. They operate along distinct axes and function best as complements to each other.

The confidentiality clause is the first line of defence. During the employment relationship, confidentiality is implied by the duty of good faith. It is essential to stipulate that the obligation survives termination, since the general duty ceases when the contract ends. A notable ruling by the Cour de Cassation found that an employee who, after the cessation of his contract and in violation of a confidentiality clause, had disclosed a doctoral thesis containing information obtained during their employment, had caused a manifestly unlawful disturbance. The Cour de Cassation quashed the Court of Appeal's decision, which had refused to grant a provision on damages, thereby affirming the summary judge’s power to order such relief.^[6] Unlike non‑compete clauses, confidentiality clauses require no financial consideration and are not subject to a fixed temporal limit. Their post-termination duration may be tied to the information’s confidential or trade secret nature, provided the clause does not amount to a perpetual undertaking.

Non‑compete clauses represent the second tier. Such a clause is valid only if it is indispensable to the company’s legitimate interests, limited in time and geographic scope, tailored to the employee’s functions and accompanied by a financial consideration compliant with the applicable collective bargaining agreement or, in the absence of such stipulation, proportionate to the burden imposed by the clause (notably its duration and territorial scope). Liability can extend beyond the departing employee: an employer who knowingly hires a former employee bound by a valid non‑compete clause may be held liable for unfair competition.

Liability without use: the mere possession rule

The most consequential development in French jurisprudence is the crystallisation of a fault‑based presumption for mere possession. In 2025, the Cour de Cassation reversed an appellate decision that had rejected a claim for unfair competition on the ground that a financial document transmitted by a former vice‑president of an association was succinct and contained no strategic information. The Court held that the mere fact that a company, in the creation of which a former employee or officer participated, holds confidential information relating to a competitor’s activity and obtained during the performance of their employment contract or mandate, constitutes an act of unfair competition.^[7] The substantive weight of the document is irrelevant. Possession alone establishes the wrong.

While this standard lowers the evidentiary threshold, the cause of action remains grounded in Article 1240 of the French Civil Code, a fault‑based regime, not strict liability.

Yet, the damages calculus is not automatic. In 2026, the Cour de Cassation confirmed that while moral prejudice is necessarily inferred from an act of unfair competition by appropriation of confidential information under the French Civil Code, a party who invokes material damages must prove them. The Court also clarified that denigration requires publicity and is not characterised by internal emails absent communication to third parties.^[8]

When suspicion is enough to start the clock

One of the most treacherous aspects of post‑employment trade secret litigation is the statute of limitations and identifying which legal route controls the clock. Under Article L1471‑1 of the French Labour Code, any action concerning the performance of an employment contract is time barred after two years when the claimant knew or should have known the facts allowing the claim.^[9] In practice, however, claims are rarely framed under the Labour Code, even if technically possible. They are usually brought as unfair competition, trade secret protection, misappropriation or ordinary civil liability claims, allowing reliance on a five‑year period, including under Article L152‑2 of the French Commercial Code, starting when the legitimate holder knew or should have known about the last act giving rise to the claim.^[10]

Recent case law shows how unforgiving these rules can be. In 2025, the Cour de Cassation held that the limitation period may start once the employer has sufficiently concrete elements to act and that subsequent information that merely confirms earlier suspicions does not postpone the starting point.^[11] The lesson is clear: the limitation period runs once credible suspicion crystallises around a named individual, even if the proof remains incomplete. The strategic issue is not only when time starts, but which cause of action starts it.

Enforcement remedies and procedural strategy

Any infringement of a trade secret gives rise to civil liability. Courts may order the prohibition of use or disclosure of the secret, the destruction of infringing documents and, in summary proceedings, emergency measures before the misappropriated information enters circulation.^[12] In 2024, the Cour de Cassation delivered a significant ruling at the intersection of trade secret protection and the right to evidence, holding that a party accused of unfair competition may produce documents covered by trade secrets if such production is indispensable to proving the alleged facts and the resulting interference is strictly proportionate to the objective pursued.^[13]

Outside intellectual property‑specific seizures, the appropriate evidentiary route is Article 145 of the French Code of Civil Procedure (pre‑trial evidentiary measures), and the French Commercial Code provides for restricted access and non‑confidential versions of sensitive exhibits.^[14]

The effective protection of trade secrets faces a further procedural challenge: the risk of disclosing sensitive information in court can deter companies from taking legal action. In response, French law favours targeted confidentiality mechanisms over blanket closed‑door hearings, which are strictly limited. Accordingly, many companies frame cases in unfair competition terms under Article 1240 of the Civil Code. The relief is comparable and, since September 2025, the possession‑based standard strengthens those actions.

Data protection, monitoring and admissibility of evidence

The intersection with data protection law adds complexity. Under the EU’s General Data Protection Regulation (GDPR) and French labour law, the monitoring measures used to detect pre‑departure data exfiltration must be proportionate, disclosed and grounded on a valid legal basis. A decision by the Cour de Cassation^[15] illustrates this tension. The employer relied on a bailiff’s report exploiting log files and IP addresses. The Court held that IP addresses constitute personal data under the GDPR, and that an employer who repurposes network log files, originally collected for technical administration, to monitor an individual employee’s activity commits a diversion of purpose, rendering the evidence illicit. The illegality lay not in the initial collection, but in its reuse for an incompatible purpose.

Conclusion

The legal framework must be supported by preventive architecture: IT charters and confidentiality policies, systematic training programmes, rigorous management of access rights and data traceability and structured exit procedures requiring the return of all devices and files upon departure.

France possesses one of the EU’s most complete frameworks for protecting trade secrets against post‑employment misappropriation. Mere possession constitutes an actionable wrong; prescription starts from the crystallisation of suspicion; liability can fall in solidum on the disloyal employee and the receiving employer. But the law protects only what has been identified, classified and actively secured. The crown jewels require a vault and the combination must be set before the heist.