April 2023- Privacy Rights & NDAs – What Contractors Need to Know

May 02, 2023


Historically, nondisclosure agreements have been limited in scope, purpose and length, making them a relatively easy function of contracting. But as organizations increasingly include data processing addenda or related privacy and security terms to their NDA templates, those agreements are becoming more complex.
Why the addition of the new language? Until recently, business contact details were considered publicly available, therefore not requiring a DPA for access or processing of that information. But the newly expanded definition of personal data now includes business contact information (such as company email addresses and phone numbers) across major global privacy laws. This may make it difficult for companies to exclude data protection terms from their NDAs.

But not everyone is ready to preemptively include a DPA with an NDA. As noted, these agreements historically had a limited scope that allowed for quick turnarounds, with their purpose being to protect nonpublic business information, so many aren’t ready to complicate them yet. And, since receiving personal data does not itself prompt the requirement of a DPA, further analysis will determine when and where a DPA is appropriate.

Most privacy regulations today require companies to enter into a DPA when they are processing the personal data of an applicable data subject. While each law defines terms like “processing,” “personal data,” and “data subject” a little differently, most require additional considerations, such as the nature and duration of processing, to be balanced against the rights of the data subjects.

Some companies have contracting policies that allow for broader NDAs under which processing of personal data might occur. For these, waiting for the negotiation of a master agreement exposes them to risk, including noncompliance fines and scrutiny from regulatory authorities. And if a DPA isn’t included in the NDA and a master agreement isn’t signed, any personal data processed under the NDA would be unprotected. But even where contracting policies cannot support limiting the processing under an NDA, there are still other reasons a DPA might be handled separately.

The arguments for and against inclusion of a DPA in an NDA are all compelling, but this can leave legal and privacy teams confused on how to proceed. One option is for the parties to simply agree to abide by all applicable privacy laws during the term of the NDA. Even though it is a hard statement to oppose, companies should still be prepared with alternative language that works for their organization’s processes and policies. Companies with limitations on how NDAs might be used by their business teams may also want to consider stating that any personal data received directly from a data subject will be processed in accordance with their public-facing policy and include a link to the same.

Ultimately, companies must decide which approach works best for their organization. Regardless of the approach, the goal is to protect the rights of data subjects without breaking the bank or the system.

Jennifer Kottler, Esq., CIPP/US, a senior commercial attorney at QuisLex, helps clients navigate the complexities of commercial contracting and privacy compliance. She recently explored this topic in greater depth in an article published last month by the National Law Journal, Adding Privacy Provisions to Your NDAs? Make sure you know the risks.
