Our previous articles addressed copyright infringement and patents. This article turns to the protection mechanism most likely to be of practical importance: trade secrets and confidential information.
Patents require disclosure. Copyright protects expression, not underlying methods or processes. For much of what is genuinely valuable about an AI system, including training methodology, proprietary datasets, model architecture and fine-tuning techniques, neither right offers reliable protection. Trade secrets have emerged as the most appropriate form of IP protection for many AI assets, particularly where attaching traditional IP rights to data and processes is inherently difficult.
For financial services firms whose competitive advantage lies in proprietary models and data-driven processes, this is not a theoretical point. It is a live governance question.
The South African framework
South Africa has no dedicated statutory trade secrets regime. Protection relies on the ability to maintain confidentiality.
The Supreme Court of Appeal confirmed the applicable three-part test in Pexmart CC v H Mocke Construction (Pty) Ltd (2018) - the information must be capable of application in trade or industry; it must be of economic value to the plaintiff; and it must be secret or confidential, meaning reasonable measures must have been taken by the holder to maintain secrecy.
That third requirement is where many firms fall short, particularly as AI tools make inadvertent disclosure easier than ever.
The AI-specific risk
One of the most immediate practical concerns is what happens when employees input proprietary or confidential information into commercial AI tools. If confidential information is transferred to an AI provider, there is a risk of it entering the public domain. Where the information originates from a client or counterparty, there is the additional exposure of a third-party claim.
The principles of confidentiality law do not change because the recipient is an AI system rather than a human. What matters is whether the information retains the necessary quality of confidence after it has been shared, and whether adequate contractual and practical measures have been taken to preserve that quality.
What to do now
Firms should begin by conducting an audit to identify their trade secrets and by maintaining a clear and up-to-date register of those assets. Understanding what information constitutes a trade secret is the foundation for protecting it effectively.
Appropriate technical controls should then be implemented. These may include password protection, encryption, and access restrictions applied on a strict need-to-know basis to reduce the risk of unauthorised use or disclosure.
Contracts with AI providers should be reviewed carefully. These agreements need to address how confidential data entered into AI systems is handled, whether such data is used to train models, and what rights the provider claims over the resulting outputs.
Employee training is equally important. Staff must understand which categories of information should never be entered into external AI tools and the reasons for these restrictions. Regular awareness training is as critical as contractual and technical protections.
Finally, firms should plan their incident response in advance. An organisation that can act quickly and decisively when confidential information may have been misappropriated is far better positioned than one that responds only after the fact.
