Most businesses will have a standard form of Non-Disclosure Agreement (NDA) which they have used for many years. Those agreements are designed to play a crucial role in allowing sensitive data to be provided to another party, while safeguarding it from disclosure to the world at large.
However, many traditional forms of NDA are likely to leave businesses exposed, as many ‘standard terms’ won’t adequately protect against the use of disclosed information in an AI environment.
We are all well aware that with the rapid adoption of artificial intelligence (AI), and data tools across enterprise and Government, businesses must be vigilant about protecting their confidential information and continually review their current operations to ensure they are covered. Ensuring that core documents, such as NDAs, remain contemporary and address current issues is just one example.
Consider a scenario where two businesses want to explore whether they can work together on a project and wish to provide confidential information to one another. The information disclosed is used in a working model and the data created is uploaded to an AI platform to provide a summary and insights. The AI platform produces the summary and may also create or suggest derivate works. One of the businesses wants to use or further develop those works for their own benefit. They argue that the derivate work is not covered by the NDA and that the works, or the parts of it which they want to use, were AI generated.
Parties may also use an AI platform to upload confidential data in order to produce a summary or assist in a document review. Most people understand that uploading data to an open source could amount to an infringement of confidentiality (even where the information is desensitised). However, even where a closed source model is used, in most cases, the AI tool will manipulate and retain some or all of the source data, often combining that with additional information.
The use of confidential data (or the works produced) in those circumstances may not be contemplated or restricted by many existing NDAs.
Many NDAs may also require information to be returned or destroyed on request or at the end of a term. If an AI platform does not retain a verbatim copy, but has used the data to ‘train’ or ‘model’ its response, is the recipient in breach of the NDA and is that use fair?
It may be difficult to argue after the event that an NDA should be interpreted to restrict the (mis)use of confidential information in those scenarios, when those matters could be addressed up front.
So what should businesses consider?
- Definition of Confidential Information
It is vital to clearly define what constitutes confidential information in current NDAs. This should include not only the traditional categories of business, financial, and technical data but also AI-specific elements such as:
- Training Data: The datasets used to train AI models, which may contain proprietary or sensitive information.
- AI Models and Algorithms: The structure, architecture, and parameters of machine learning models.
- Derived Insights: Patterns, insights, and optimizations generated from AI processing
The NDA should explicitly address the creation of new intellectual property and the ownership of and rights to any IP developed during the collaboration. This includes:
- Ownership of AI Models: Clearly stating who owns any AI models and any modifications or improvements made to them.
- Rights to Training Data: Defining the rights to use and distribute any training data.
- Protection of Derived Outputs: Ensuring that any outputs generated by the AI, such as predictions, analyses or derivative works are also protected.
3. Duration of Confidentiality
Many standard NDAs (particularly from the USA), contain a confidentiality period of up to five years. NDAs relating to AI may require longer or even indefinite durations because AI models may retain data in their memory for longer periods. The NDA should specify:
- Confidentiality Period: The duration for which the information must be kept confidential.
- Conditions for Extension: Circumstances under which the confidentiality period can be extended by the disclosing party, if the agreement has an expiry.
4. Third-Party Involvement
To address the involvement of third-party AI providers, the NDA should cover:
- Vendor Agreements: Ensuring that any third-party vendors are also bound by confidentiality obligations.
- Data Anonymization: If any data shared with third parties is to be desensitized to protect sensitive information.
5. Breach of Confidentiality
The NDA should outline the consequences of a breach of confidentiality, which should address potential legal remedies (damages and/or injunction) as well as dispute resolution mechanisms for resolving disputes, such as arbitration or mediation.
If any personal information might be contained in the data then Privacy risks and breaches should also be addressed.
6. Exclusions from Confidentiality
Agreements should now address whether any work which is independently developed through the use of AI tools should be excluded from the definition of confidential information.
7. Future-Proofing the NDA
Given the rapid pace of AI development, NDAs should look to future advancements, by addressing matters such as:
- Regular Reviews: Periodically reviewing and updating any longstanding NDAs to reflect new technologies and business practices.
- Flexible Clauses: Including clauses that allow for technically based modifications to the agreement as needed.
Summary
For most businesses, NDAs are an essential tool for protecting confidential information.
However, the unique challenges posed by AI mean that businesses must review their current practices and the documents which support those to ensure that they are adequately covered. Having a contemporary NDA is the tip of the iceberg, and although only one example, is an important piece of the puzzle.
Don’t delay – review your processes and documents now to avoid losing valuable rights.
