Why NDAs Should be Revised to Comply with DPDPA, 2023?
As the Digital Personal Data Protection Act, 2023 (DPDPA) is about to come into force in India, legal frameworks around data protection are expected to undergo significant changes. The impact of this landmark legislation on Non-Disclosure Agreements (NDAs) cannot be overstated.
Incongruencies in Pre-Existing NDAs
- Vagueness in Confidentiality: Traditional NDAs may contain overly broad or imprecise definitions of ‘confidential information,’ which could conflict with DPDPA’s specific, purpose-driven data processing.
- Lack of Consent Protocols: Traditional NDAs often lack detailed clauses around consent for data processing or sharing, thus being at odds with DPDPA’s stress on explicit consent in terms of Section 6 of DPDPA.
- Data Security Measures: Older NDAs may not have robust data security stipulations that align with DPDPA guidelines, presenting legal vulnerabilities.
- Global Data Transfers: Some NDAs may facilitate data transfers outside India, potentially conflicting with DPDPA’s data localization mandates.
Recommendations for Revising NDAs
- Revise Confidentiality Clauses: Align the definitions of Data Principal and her rights over her personal data.
- Incorporate Consent Mechanisms: Stipulate explicit and informed consent mechanisms that meet DPDPA requirements.
- Detail Data Handling: Lay down specific provisions on how data should be collected, stored, processed, and deleted.
- Localization Requirements: Introduce clauses that are aligned with DPDPA’s data localization mandates.
- Compliance Audits: Insert clauses permitting regular audits to ensure continual adherence to DPDPA.
- Penalty Provisions: Clearly define the consequences of failing to comply with the DPDPA, including potential legal penalties.
Retroactive vs Proactive Revision
- Future NDAs: All NDAs drafted post-DPDPA enactment should inherently be in compliance with the Act. It is easier to implement changes in future NDAs, ensuring they are designed to comply with DPDPA, 2023.
- Existing NDAs: A risk assessment should be conducted on existing NDAs. Where incongruencies are identified, renegotiation or addendums may be necessary. Modifying existing NDAs is more complex and may require renegotiation but is necessary to minimize legal risks. In some cases, an addendum can be added to align the NDA with DPDPA.
The complex landscape formed by the DPDPA, 2023, not only requires new NDAs to be meticulously crafted but also mandates existing ones to be examined, and if necessary, amended. Failure to do so may result in severe legal repercussions.
To interact or discuss further on Data Protection, connect on dataprivacy@amlegals.com.