Negotiating Data Privacy Agreements


  • Gee Mann

    Inventor of the Travel Memory Layer | Founder, Travlr ID | Travel, AI & Data Infrastructure

    10,971 followers

    I am curious… Last week, our team spent time in a workshop with a potential partner. During the session, someone used ChatGPT to summarise our ideas in real time and make suggestions for improvement. It sparked great discussion, but it also raised an awkward question. For the AI to generate meaningful suggestions, it needed the context we had just shared, including technical details, strategic direction, and confidential roadmap items.

    Later, in a conversation with a legal advisor, we realised our NDAs did not explicitly cover this. They were written for a time when “sharing” meant emailing a document or handing over a printout, not pasting confidential information into a model you do not control.

    We ended up updating our docs to include an AI-specific clause: No Confidential Information may be uploaded to, processed by, or disclosed to any publicly available AI/ML system, model, or dataset without prior written consent.

    Apparently, this is starting to appear in some contracts as legal teams and AI law specialists are recommending clauses that:
    - Ban feeding confidential data into public models without written consent.
    - Require proof that approved tools will not train on the data.
    - Bind contractors and sub-processors to the same rules.

    Some even provide model language allowing AI use only with “commercially reasonable assurances” the model will not train on the information and is isolated from other customers. Has anyone else encountered this or started updating their own NDAs and agreements?

    #AIGovernance #DataPrivacy #LegalTech #AICompliance #Contracts

  • Two Nigerian Court of Appeal decisions clash over the enforceability of arbitral awards arising from registrable but unregistered technology transfer agreements under the National Office for Technology Acquisition and Promotion (NOTAP) Act.

    In Limak Yatirim v. Sahelian Energy [2021] LPELR-58182(CA), the Court held that non-registration renders a contract, and any arbitral award based on it, unenforceable, treating registration as a statutory necessity rooted in public policy. Conversely, in the recent case of Champion Breweries Plc v. Brauerei Beck GmbH & Co. KG [2025] LPELR-81422(CA), the Court held that non-registration does not void a contract or violate public policy; it merely bars foreign exchange remittances through Nigerian banks, leaving the agreement and arbitral award enforceable.

    In summary, Champion Breweries entered into a licensing and manufacturing agreement with Germany’s Brauerei Beck GmbH & Co. KG ("Beck's") in 2005, which required NOTAP registration within 60 days. Champion applied 18 months late, and NOTAP rejected the application, citing the inclusion of a foreign jurisdiction clause. Despite this, Champion brewed and sold beer under the agreement, reaping significant profits. When royalty payments became due, Champion refused to pay, claiming the unregistered contract was illegal. Beck’s terminated the agreement, secured an ICC arbitral award in Geneva for unpaid royalties and damages, and sought enforcement in Nigeria. Champion resisted enforcement and argued illegality before the Federal High Court, but the Court upheld the award. On appeal, the Court of Appeal affirmed, holding that non-registration restricts only the use of Nigerian banks for foreign exchange remittances; it does not affect the enforceability of the contract itself. Relying on equitable principles, the Court also held that Champion could not benefit from the agreement and then evade its obligations by citing illegality.

    In other words, you can’t drink your beer and still have it too!

    The Champion Breweries decision raises significant concerns by enforcing an arbitral award based on an unregistered agreement, as it:
    - weakens NOTAP’s statutory mandate to scrutinise and approve foreign technology contracts, a process designed to protect Nigerian entities from exploitative terms.
    - dilutes Nigeria’s efforts to preserve scarce foreign exchange by enforcing financial obligations from unregistered agreements, potentially allowing outflows through questionable contracts.
    - undermines NOTAP’s authority by upholding an agreement it rejected.

    In Champion Breweries, contractual fairness overshadowed statutory intent, diminishing NOTAP’s public policy objectives and its gatekeeping role. By contrast, Limak’s Case treated registration as an essential statutory safeguard for broader national interests.

  • Colin S. Levy

    General Counsel at Malbek | Author of The Legal Tech Ecosystem | I Help Legal Teams and Tech Companies Navigate AI, Legal Tech, and Digital Enablement | Fastcase 50

    51,872 followers

    As a veteran SaaS lawyer, I've watched Data Processing Agreements (DPAs) evolve from afterthoughts to deal-breakers. Let's dive into why they're now non-negotiable and what you need to know:

    A) DPA Essentials Often Overlooked:
    - Subprocessor Management: DPAs should detail how and when clients are notified of new subprocessors. This isn't just courteous - it's often legally required.
    - Cross-Border Transfers: Post-Schrems II, mechanisms for lawful data transfers are crucial. Standard Contractual Clauses aren't a silver bullet anymore.
    - Data Minimization: Concrete steps to ensure only necessary data is processed. Vague promises don't cut it.
    - Audit Rights: Specific procedures for controller-initiated audits. Without these, you're flying blind on compliance.
    - Breach Notification: Clear timelines and processes for reporting data breaches. Every minute counts in a crisis.

    B) Why Cookie-Cutter DPAs Fall Short:
    - Industry-Specific Risks: Healthcare DPAs need HIPAA provisions; fintech needs PCI-DSS compliance clauses. One size does not fit all.
    - AI/ML Considerations: Special clauses for automated decision-making and profiling are essential as AI becomes ubiquitous.
    - IoT Challenges: Addressing data collection from connected devices. The 'Internet of Things' is a privacy minefield.
    - Data Portability: Clear processes for returning data in usable formats post-termination. Don't let your data become a hostage.
    - Privacy by Design: Embedding privacy considerations into every aspect of data processing. It's not just good practice - it's the law.

    In 2024, with GDPR fines hitting €1.4 billion, generic DPAs are a liability, not a safeguard. As AI and IoT reshape data landscapes, DPAs must evolve beyond checkbox exercises to become strategic tools. Remember, in the fast-paced tech industry, knowledge of these agreements isn't just useful – it's essential. They're not just legal documents – they're the foundation for innovation and collaboration in our digital age.

    Pro tip: Review your DPAs quarterly. The data world moves fast - your agreements should keep pace. Pay special attention to changes in data protection laws, new technologies you're adopting, and shifts in your data processing activities. Clear, well-structured DPAs prevent disputes and protect all parties' interests.

    What's the trickiest DPA clause you've negotiated? Share your war stories below.

    #legaltech #innovation #law #business #learning

  • Sona Sulakian

    CEO & Co-founder at Pincites (acq by Filevine)

    17,942 followers

    Renewing vendor contracts? Don't forget to add in AI terms! Your vendors have likely incorporated AI somewhere in their products since the last time you reviewed their agreement. Make sure to include these terms—

    1️⃣ Data Protection: Ensure vendors can't use your data to train AI models or share it with others.
    2️⃣ Confidentiality: Include clauses that guarantee your data stays secure and is not used for other clients.
    3️⃣ Monitor Scope Creep: Require vendors to notify you about any AI-related updates or new features added post-contract.
    4️⃣ Audit Logging: Secure the right to review data handling practices, especially for sensitive information.
    5️⃣ Retention Policies: Define clear guidelines for how long data can be retained by the vendor, aligning with your internal standards.

    Here are some vendor MSAs for inspiration in the comments 👇

  • Shaun Sethna

    Legal Leader for Tech Companies | Dad to the World’s 2 Best Kids

    30,499 followers

    NDAs, like most other agreements, generally have a term. 1-2 years tends to be typical. I don't have any problem with that. But if that's the only time period mentioned, that's often a #ContractTrap.

    There are 2 key time periods for an NDA (or any other agreement with confidentiality obligations). There's the disclosing period (which is often defined as the "Term" of the NDA), which identifies the period over which covered information shared would be entitled to the protections of the NDA. And there's a confidentiality period (which is often missing), which identifies the period for which such covered information must be kept confidential.

    Why is a separate confidentiality period important? Because without it, confidentiality obligations will expire simultaneously with the term. So if you have an NDA with a 2 year term, and exchange confidential information throughout the term, some of that information will only be protected for a day.

    Sure, you could build in some processes to make sure that you would amend and extend that NDA if you were in that situation. But it's far simpler and less error prone to define a separate confidentiality period at the outset. Depending on your NDA, it could be as simple as:

    "The term of this Agreement shall be 2 years (the "Term"). The obligations of [Sections specifying confidentiality obligation] shall survive for [1] year following conclusion of the Term."

  • Njabulo Mkhwanazi

    Advocate of the High Court || Member of the Cape Bar || Catalyst for Social & Personal Development ||

    9,384 followers

    I was recently tasked with addressing a deceptively simple, yet legally intricate question: Can parties, by agreement alone, approach a court and request that their privately negotiated terms be made an order of court purely for ease of enforcement?

    The context was practical. The parties wished to settle their dispute amicably, without embarking on protracted litigation. They were prepared to reduce their agreement to writing. A binding contract was certainly possible. But that was not enough. What they truly wanted was speedy and effective enforcement. The idea was straightforward: if the agreement could be made an order of court, compliance would carry the weight of judicial authority. So the real question became: Can parties simply draft terms and have them stamped with judicial authority for convenience?

    I had the privilege of preparing a comprehensive note on this nuanced issue. And in my view, no authority addresses it more clearly than Eke v Parsons. That decision reminds us of an important principle: Courts are not mere rubber stamps for private agreements. For a settlement to be made an order of court, it must:
    • Relate directly to a dispute between the parties that is before court;
    • Be competent and proper for a court to order;
    • Be clear and enforceable; and
    • Not be contrary to public policy.

    A court order is an exercise of judicial power, and judicial power cannot be invoked merely for administrative convenience. The distinction matters: A contract binds the parties. A court order binds with the authority of the state.

    Happy reading!⚖️ Junior Counsel, I remain! ✍

  • Laura Frederick

    CEO @ How to Contract | Uplevel your contract skills with our all-inclusive training membership | Live courses + 30 hours of on-demand courses + a huge AI-powered training library | Everything created or curated by me

    62,097 followers

    I am pretty strict about deleting these five provisions from any NDA I review.

    1. Indemnification provisions - Indemnification is too big a burden to impose on a counterparty at this preliminary point in the relationship. The parties do not yet have a deal in most cases. In fact, they may never sign any other contracts or do business together. This minimal relationship established by the NDA is disproportionate to the risks of agreeing to indemnify a counterparty.

    2. Limitation of liability provisions - We shouldn’t waive consequential damages in NDAs because they are the primary remedy for breach of confidentiality. We also shouldn’t set a maximum liability cap because essentially that is the price tag to use and disclose the information covered by the NDA. And that cap is unlikely to be the value of that info to the company.

    3. IP licenses and assignments - NDAs are not the right place to grant intellectual property licenses or assign ownership in those assets. We need a robust agreement with all the real protections. If a party needs a license at this preliminary stage, then the better approach is to sign a stand-alone license to cover those concepts.

    4. Privacy and data security terms - NDAs are designed and used to protect trade secrets and other information from unauthorized use and distribution. They are not designed to comply with GDPR and other privacy and data security regulations or priorities. Use a data protection agreement if that is needed with your counterparty at this stage.

    5. Non-solicitation provisions - Non-solicitation provisions are not appropriate in standard commercial NDAs. The company could find itself in breach or paying liquidated damages despite having minimal discussions with a counterparty. The only exception I have to this approach is when we’re engaging vendors specifically for their talent teams to do design or other similar work.

    One qualification on this advice. I work exclusively on commercial contracts. Some of these provisions may be completely appropriate in corporate, employment, or strategic partnerships. But these shouldn't be in the everyday NDA with vendors and customers in typical commercial transactions.

    #contracts

  • Jane Frankland MBE

    Leading Voice in Cyber | The Bridge Between Cybersecurity & the Boardroom | Strategic Partner to the World’s Biggest Brands | Keynote Speaker | Author | 30+ yrs in Cyber | MBE

    53,972 followers

    Over 1,000 customers of retailer M&S are now suing the company following the massive data breach in April 2025. This situation significantly raises the stakes for all companies handling personal data — not just those storing financial information. Here’s how I think it changes things:

    1. Legal Burden of Proof Now Falls on Companies: Lawyers now argue that M&S is legally responsible unless they can prove their cybersecurity met industry standards. That flips the dynamic — companies are guilty until proven secure when data is lost. “Unless M&S can show they had absolutely nothing to do with the loss… they are liable.”

    2. “No Financial Data Stolen” Is No Longer a Defence: Even though no payment details or passwords were taken, M&S still faces a potential £300 million fallout. Why? Because personal data — names, emails, addresses, birth dates — is valuable to criminals and legally protected. Phishing, identity theft, and impersonation risks are real — and courts now recognise that.

    3. “Human Error” Is Not a Legal Excuse: M&S admitted the breach came from human error. But under current data protection laws (like the GDPR), that’s still the company’s responsibility. It highlights the need for better security training, access controls, and incident response planning.

    4. Cybersecurity Is Now a Legal Shield — Not Just a Technical Concern: Adequate security means more than antivirus software. It includes:
    • Strong encryption
    • Routine audits
    • Staff awareness programs
    • 24/7 threat monitoring
    Companies without these layers face serious legal exposure — even if no money is stolen.

    5. This Sets a New Legal Precedent: If successful, the M&S class action could inspire more collective legal actions and regulatory crackdowns. Companies will need to view data protection as a core business risk, not just a back-office function.

    The bottom line? This case signals a shift — companies must now prove they did everything reasonably possible to prevent a breach. Anything less could mean massive compensation claims and lasting brand damage.

  • Mateusz Kupiec, FIP, CIPP/E, CIPM

    Institute of Law Studies, Polish Academy of Sciences || Privacy Lawyer at Traple Konarski Podrecki & Partners || DPO || I know GDPR. And what is your superpower?🤖

    26,601 followers

    🇪🇺‼️The Court of Justice of the European Union (Der Gerichtshof der Europäischen Union) has just issued its Grand Chamber judgment in Russmedia Digital (C-492/23), and it is in my humble opinion one of the most significant #GDPR rulings this year concerning the responsibilities of online platforms under data #privacy law.

    ⚖️The Court concludes that an operator of an online marketplace is a data controller for the personal data contained in user-generated advertisements published on its platform. This applies even where the platform does not create or select the content and even where the advertiser is anonymous. The decisive factor is that the ad becomes public only because the platform chooses to make it accessible, and the operator can commercially exploit the published data.

    💡On that basis, the Court examines the operator’s obligations through Articles 5(2), 24–26 and 32 GDPR. It holds that marketplace operators are joint controllers with users who upload advertisements, and that they must ensure compliance with the GDPR before an ad is published. The Court interprets data protection by design and the accountability principle broadly, leading to clear ex ante duties. The operator must identify whether an ad contains sensitive data in the sense of Article 9(1) GDPR, verify whether the advertiser is the data subject, and, if not, verify whether the data subject has given explicit consent. If explicit consent is not demonstrated and no other Article 9(2) exception applies, the platform must refuse publication. The judgment therefore establishes that controller obligations include proactive verification of identity and the lawfulness of sensitive-data processing.

    💡The Court then links this preventive approach with Article 32 GDPR. Because once sensitive data are online they can be copied widely and become difficult to erase, the platform must adopt appropriate technical and organisational measures to prevent or limit copying and unlawful re-publication by third parties. While GDPR does not require absolute security, it obliges controllers to consider tools that can technically hinder copying or automated extraction of content. This significantly expands the expected security posture of platforms hosting sensitive data.

    📍The Court clearly departed from the Advocate General’s Opinion. AG Szpunar had proposed that marketplace operators act merely as processors and should not be subject to proactive identity or content verification duties. Instead, the Court adopted a far more expansive interpretation of controller responsibility, rejecting the AG’s narrower approach and imposing full ex ante obligations on platforms.

  • Anjola Ige, MBA, AIGP

    Corporate & Commercial Counsel | Contracts, AI Governance & Risk | IESE MBA

    9,078 followers

    The most dangerous clauses in vendor contracts aren’t the ones you fight over. They’re the ones you skim past—(em dash mine 😑) the “standard” terms that seem harmless until they explode. Just ask Morgan Stanley. Overlooked contractual gaps turned a vendor’s mishandling of client-data-bearing equipment into hundreds of millions in fines, settlements, and penalties for Morgan Stanley. I have identified some top of mind examples:

    #1: The Subcontracting Black Hole
    Most vendor contracts include innocent-looking language like: "Vendor may engage subcontractors as necessary to perform services."
    The problem: You have zero visibility into who's actually handling your sensitive data or critical operations.
    What Morgan Stanley missed: Their vendor subcontracted the actual data destruction to an unqualified third party.
    The fix:
    • Require prior written approval for all subcontractors
    • Mandate the same security/compliance standards flow down
    • Include right to audit subcontractors directly
    • Cap subcontracting to specific, pre-approved functions

    #2: The Liability Cap Loophole
    Standard cap: "Vendor's liability limited to fees paid in preceding 12 months."
    The hidden trap: This covers the vendor's mistakes but not the regulatory fines, customer lawsuits, and reputational damage you'll face.
    What to negotiate:
    • Separate caps for different types of damages
    • Higher caps for data breaches and regulatory violations
    • Unlimited liability for gross negligence and willful misconduct
    • Minimum insurance requirements that match your actual risk exposure

    #3: The Termination Cost Surprise
    Innocent clause: "Upon termination, vendor will assist with transition for 30 days."
    The trap: No mention of data extraction, migration costs, or knowledge transfer requirements.
    Real example: A SaaS company switching CRM vendors discovered "transition assistance" meant read-only access to export screens. Manual data extraction cost $47K in consulting fees.
    Protection strategies:
    • Define data export formats and timelines
    • Cap termination assistance fees
    • Require knowledge transfer documentation
    • Include escrow provisions for critical operational data

    #4: The Change Order Cash Grab
    Standard language: "Any modifications require mutual written agreement."
    The hidden cost: No controls on pricing for change orders or scope creep.
    Pattern I see: Vendors lowball initial proposals then recover margins through change orders priced at 200-400% markup.
    The armor:
    • Cap change order pricing as percentage of original contract value
    • Require detailed justification for scope changes above set thresholds
    • Include right to third-party validation for major change orders
    • Build in quarterly spend reviews with automatic triggers

    The point is, most "standard" vendor contracts are written to protect vendors, not you. Don't let your "standard" vendor agreement become someone else's cautionary tale. Dig deep.

    #VendorManagement #ContractReview #RiskManagement
