Economists across the globe agree that data is the new oil. Companies are now being built on the strength of data, and countries are increasingly protecting the data of their citizens. The leakage of sensitive data costs USD 4.45 million on average (IBM, 2023). Are you doing enough to protect your company’s price-sensitive information, key financial data, marketing plans and technologies?
In this post, Compliance Calendar assesses the importance of including confidentiality clauses in key commercial and technology agreements. We also discuss cases to cast light on judicial interpretations of upholding confidentiality agreements.
Confidentiality and the rise of digital, tech and fin-tech industries in India
Technology agreements are frequently used when a company contracts with another technology company for services such as engineering, proprietary software and hardware, service platforms, etc.
Obligations of the contracting parties under a confidentiality clause ensure that valuable information does not enter the public domain. While the law in India does not define confidentiality, it is determined on a case-by-case basis. It emerges when a duty of confidence exists between a “data collector” and a “data subject”. A confidentiality agreement for a fin-tech or technology company may improve access to trade secrets, source codes, hardware, software, technology, copyright, procedures involved in patents, etc.
Confidentiality clauses and their interpretation in Technology Industry - Regulatory and Legal Framework for Breach of Confidence
The Information Technology Act, 2000, which is based on the Model Law on Electronic Commerce of UNCITRAL, defines data protection and privacy principles, while also imposing civil liabilities for unauthorized access to computer systems and networks.
- Penalties for breach of confidentiality and privacy - Section 72 specifies the penalty for breach of confidentiality and privacy. It applies to any person who obtains access to electronic records, books, registers, information, other materials and documents without the consent of the person concerned and discloses such information. It provides a penalty of one lakh rupees and imprisonment up to 2 years.
- Section 43 of the Act also covers the following instances:
  - Computer trespass, violation of privacy, etc.
  - Unauthorized digital copying, downloading, and extraction of data, computer database, or information; theft of data held or stored in any media
  - Unauthorized transmission of data or programme residing within a computer, computer system, or computer network (cookies, spyware, GUID, or digital profiling are not legally permissible)
  - Data loss, data corruption, etc.
  - Computer data/database disruption, spamming, etc.
  - Denial of service attacks, data theft, fraud, forgery, etc.
  - Unauthorized access to computer data/computer databases
  - Instances of data theft (passwords, login IDs)
- Protection of source codes, databases and illegal interception of data - Section 65 of the IT Act protects not only computer source code but also data and computer databases, while Section 66, which deals with hacking of computer systems, covers cyber offenses related to illegal access, illegal interception, data interference, and system interference.
Misuse of information of clients and suppliers by ex-employee not held to be confidential information: In Stellar Information Technology Private Ltd. v. Rakesh Kumar, Delhi High Court (2016), the Plaintiff was a private company engaged in the business of Data Recovery, providing a wide range of Data Recovery, Data Migration and Data Erasure Solutions to its clients in India and abroad. Defendants were employees of the Plaintiff and had access to Plaintiff's confidential data, information, trade secrets and knowhow. The Plaintiff alleged that the Defendants were using the same to secure business from the Plaintiff's clients and were continuing to approach the Plaintiff's customers and solicit work from them.
The court held that the information available in public domain cannot be considered as confidential information and no injunction restraining the use of such information can be issued. The fact that the Defendants had approached some of the Plaintiff's customers does not in the given facts establish that the Defendants are using any proprietary information of the Plaintiff.
Contentious issues in confidentiality breach for technology companies
While the Indian law on enforcing confidentiality for technology agreements is still developing, there are contentious issues that, legally speaking, may not be enforceable or winnable in a court of law. Some of these are:
Privacy breach - Targeted cyber attacks, hacking, spoofing and installing malicious code on hardware (such as the Pegasus controversy) by a third party may also cause leaks of crucial confidential information and security issues. Due to inherent vulnerabilities in technology, layers of encryption, and the use of the dark web and VPNs, it may often be difficult to identify a potential attacker for filing a suit for breach of confidentiality.
Reverse engineering of technology as a breach of confidentiality - Time and money are significant aspects of any business and often lead to creation of intellectual property. In cases of licensing, the exclusive owner of such technologies is still the producer. However, licensees may decompress the program and reverse engineer the technology resulting in financial loss to the owner.
Necessity of Confidentiality Clauses in Commercial Contracts
In the landmark case Zee Telefilms Ltd. v. Sundial Communications Pvt. Ltd. And Others, Bombay High Court (2003), involving the intersection of copyrights and confidentiality, the plaintiffs claimed that the defendants had infringed their copyright in the original work titled ‘Krish Kanhaiyya’ and were proceeding with broadcasting their television serial ‘Kanhaiyya’ by copying key sketches, characters, etc., with only minor cosmetic changes. The plaintiffs filed a suit against the defendants for breach of copyright and misuse of confidential information.
The court held that while the law of confidence is different from the law of copyright, if the ideas or information have been acquired by a person under such circumstances that it would be a breach of good faith to publish them and he has no just cause or excuse for doing so, the court may grant an injunction against him.
In this case, the plaintiffs had sent a detailed concept note, character sketches, and plots of the first episode and ten episodic plots of ‘Krish Kanhaiyya’ to the defendant.
The court also held that there cannot be a copyright in an idea per se, but eventually decided that the plaintiffs' claim was not merely in an idea but in the embodiment of the idea in tangible form. The court held that the defendants had unlawfully copied the plaintiffs' original work, infringed their copyright and were also guilty of breaching confidentiality by misusing information.
This case highlights the importance of including confidentiality clauses in all commercial agreements.
Protecting and Drafting Confidentiality Clauses in your Agreements
Drafting a mandatory confidentiality clause with all employees, stakeholders, developers and licensees is one instrument that goes a long way in protecting confidential business information. Inclusion of such clauses in the contract is akin to a written promise not to reveal or use a business’s confidential information, both before and after employment.
Companies can also use NDAs to establish a contractual obligation of confidentiality between parties involved in a business relationship. This agreement outlines the terms and conditions under which confidential information is shared and the consequences of any unauthorized disclosure.
NDAs should typically be signed with:
- New and old employees, probationers, interns
- Workers under contract, independent contractors, consultants, developers who have access to key information
- Business partners, service providers, suppliers
- Sub-contractors or those working for your company via indirect, hired contracts
Keeping techno-commercial agreements broad-based and inclusive - With constant upgrades in technologies, it is highly advisable to include inclusive clauses in technology agreements. It’s a good idea to discuss short-term and long-term demands like upgrades, improvements and future developments anticipated on the subject matter of the contract.
Defining confidential information - While the contract may not possibly delineate all information which may be considered confidential, one of the most frequent provisions that can be useful for protecting sensitive information is as follows:
The Executive shall hold in a fiduciary capacity for the benefit of the Company all secret or confidential information, knowledge or data relating to the Company or any of its affiliated companies, and their respective businesses, which shall have been obtained by the Executive during the Executive's employment by the Company or any of its affiliated companies and which shall not be or become public knowledge (other than by acts by the Executive or representatives of the Executive in violation of this agreement). After termination of the Executive's employment with the Company, the Executive shall not, without the prior written consent of the Company or as may otherwise be required by law or legal process, communicate or divulge any such information, knowledge, or data to anyone other than the Company and those designated by it.
Limiting data copying and stricter data storage conditions - Copying of data may allow plagiarism of source codes and sharing of client information, and therefore it is a good idea to place limits on data copying. Further, data localisation, strong encryption, and allowing timed access to data are good strategies to minimize the risk of a data leak.
Penalty clause in NDA - While drafting NDA clauses, it is advisable to include hefty penalties upon breach to dissuade third parties like employees from spilling secrets. While the legal jurisprudence in India tilts in favor of weaker parties (often the employees) and the penalty clauses may not be upheld by adjudicating courts in their entirety, such a clause still serves the valuable purpose of discouraging disclosure while also aiding in convincing courts of the seriousness with which the aggrieved company may view such information.
Defining duration of the agreement and the term for exchanging data - In several cases, the term of the agreement may end sooner, but the term for not exchanging data can be lengthened by including clauses that specify a timeframe for maintaining confidentiality, even after the expiry of the original contract.
Alternate Dispute Resolution clause in NDA - Even though there are no specialized alternative dispute resolution methods for disputes arising out of trade secrets and confidentiality breaches in India, it is advisable that the NDA contain a clause for arbitration or mediation, so that the resolution is done outside the Courts by traditional ADR methods including mediation, conciliation and arbitration. These methods are not just faster and often less expensive than judicial actions but also minimize the risk of information relating to trade secrets becoming public records in court proceedings.
Injunction and indemnity for violation of confidentiality - The NDA must specifically address the costs of indemnifying the other party from loss, liability, damages, costs and legal fees arising from such breach, and must also bind all agents, representatives and employees of the disclosing party. It must also provide for immediate injunction, and the right of the aggrieved party to approach competent courts for other reliefs.
Compliance Calendar’s tips on negotiating confidentiality clauses in the tech-related contracts
It is important to do due diligence and determine the opposite party’s background, business outlook and goals. As a contracting party, it is advisable to initiate non-disclosure agreements even before the preliminary discussions on a final contract. One must also be mindful of keeping the NDA clauses extensive and expansive so that future upgrades are also covered without necessitating a revision in the NDA.
However, any legal process is lengthy and may involve unnecessary costs. It is advisable to treat NDAs not merely as a formality, but rather as a source establishing the duties of all personnel associated with the company. It is also advisable to explain duties to parties signing the NDA, while also labeling important information as trade secrets and reinforcing the idea of confidentiality in business practices.