Over the past several years, the use of non-disclosure agreements (“NDAs”) has received significant public scrutiny following their controversial use in a number of high-profile harassment claims.
NDAs were back in the headlines earlier this year following the leak to the Telegraph of around 100,000 WhatsApp messages belonging to the former UK Health Secretary Matt Hancock. The messages, which revealed Mr Hancock’s communications with other members of the government during the COVID-19 pandemic, were disclosed by a journalist who had access to the material through her work on Mr Hancock’s memoirs. The journalist’s actions reportedly breached the terms of an NDA that had been agreed between the parties.
NDAs play a critical role in many walks of commercial life and this article reviews their utility and some of the issues which can arise with their enforcement. Awareness of the risks of disclosure of information, even under a tightly drafted NDA, is essential to avoid being caught out, as perhaps Mr Hancock discovered.
What is Meant by an “NDA”?
Whilst it is clear the aim of an NDA is to keep sensitive or valuable information confidential, the term is used very flexibly and can apply in a number of contexts. An NDA may be a standalone agreement imposing obligations of confidentiality, or a clause or number of clauses with similar effect within a broader agreement. NDAs are thus a feature of many different types of contract including agreements to promote business between parties such as investors and prospective parties to an M&A deal, agreements to protect intellectual property or other commercially sensitive information, employment contracts which seek to prevent the disclosure of confidential information during and after employment, or settlement agreements which attempt to keep private details of a settlement and/or the dispute.
Several years ago the #MeToo movement triggered the publication of a number of official inquiries, consultations and pieces of guidance which were aimed at reforming the unethical use of NDAs in the context of harassment and discrimination claims in the workplace. Whilst ensuring NDAs are used ethically in this context is a highly important topic and deserving of the attention it has received, this article focuses on NDAs in a more commercial context.
SRA’s Warning Notice
Perhaps the starting point is the Solicitors Regulation Authority’s (the “SRA’s”) Warning Notice (originally published in 2018 and updated in 2020) regarding the use of NDAs. It is of broad application and stated as being relevant to all NDAs regardless of the context in which they arise, and adopts a wide definition of NDA, being “any form of agreement or contract, or a clause within a wider agreement or contract, under which it is agreed that certain information will be kept confidential”. The notice sets out that the SRA will consider an NDA has been improperly used where:
- it prevents, or seeks to impede or deter, a person from:
  - co-operating with a criminal investigation or prosecution;
  - reporting an offence to a law enforcement agency;
  - reporting misconduct, or a serious breach of regulatory requirements to a regulatory or supervisory body;
  - making a protected disclosure under the Public Interest Disclosure Act 1998;
- it is intended to influence the substance of such a report, disclosure or co-operation;
- it prevents any disclosure required by law;
- it prevents proper disclosure about the agreement or circumstances surrounding the agreement to professional advisers, such as legal or tax advisers and/or medical professionals and counsellors, who are bound by a duty of confidentiality;
- it includes or proposes clauses known to be unenforceable; or
- it uses warranties, indemnities and clawback clauses in a way which inhibits permitted reporting or disclosures being made (e.g., asking a person to warrant that they are not aware of any reason why they would make a permitted disclosure in circumstances where a breach of warranty would activate a clawback clause).
The notice also states that taking unfair advantage of an opposing party (e.g., capitalising on a party’s lack of legal knowledge or representation), applying undue pressure or oppressive tactics, or preventing a party from keeping a copy of the NDA, would be a breach of a solicitor’s regulatory obligations. Practitioners should note that failure to comply with the warning notice may lead to disciplinary action by the SRA.
The Enforcement of NDAs
NDAs are subject to standard contractual principles which must be met for the contract to be enforceable (i.e. there must be an offer and acceptance, the terms must be sufficiently certain, there must be consideration etc.). In certain situations, there may also be vitiating factors to take into consideration which could affect a contract’s enforceability (such as misrepresentation, mistake, unconscionability, undue influence or duress). To the extent that contractual obligations are unenforceable, equitable obligations in relation to confidentiality may still survive.
As a matter of law, NDAs cannot be used to prevent protected disclosures being made to relevant bodies by a “worker” (a point also emphasised in the SRA Warning Notice discussed above).
Whistleblowing is only protected by law if the content and reporting meet the requirements of the Public Interest Disclosure Act 1998 (“PIDA”). Qualifying disclosures are disclosures of information which the worker reasonably believes are in the public interest and that show one or more of the following is either happening, has taken place, or is likely to happen in the future:
- a criminal offence;
- a breach of a legal obligation;
- a miscarriage of justice;
- danger posed to the health and safety of any individual;
- damage to the environment; or
- a deliberate attempt to conceal any of the above.
Qualifying disclosures are protected where made to an appropriate person. PIDA encourages workers to make “internal” disclosures to their employer. Disclosures to third parties may also qualify as “protected disclosures” but in more limited circumstances which vary according to the category of third party the disclosure is made to. Wide disclosures, such as those to the media, will only be protected in narrow circumstances, and must be shown to be reasonable and not made for personal gain, amongst other things. For this reason, leaks to the media are rarely protected under PIDA.
Causes of Action
Where confidential information is disclosed in breach of the terms of an NDA, the disclosing party may be subject to claims for breach of contract and/or a free-standing equitable claim for breach of confidence (the scope of which will fall to be determined by reference to the contract agreed between the parties). The recipient may also be under an equitable duty of confidence as a third party recipient of information disclosed in breach of confidentiality obligations.
If the disclosure contained personal or private information about which there was a reasonable expectation of privacy, there may also be tortious claims for the misuse of private information. Whether there was a reasonable expectation of privacy is a broad question which takes account of all the circumstances.
Public Interest Defense
The law of confidentiality is based on the principle that people who are entrusted with confidential information ought, as a general rule, to respect it. However, disclosures of confidential information which are made in the public interest may avoid liability where a court considers the public interest in maintaining confidence is outweighed by the countervailing public interest in disclosure. This appears to have been the ground used to justify the disclosure of Mr Hancock’s WhatsApp messages.
There is a broad range of circumstances in which such a defence might apply, but a summary of the general principles arising from case law which relate to its application is below:
- Respect for confidentiality is itself a matter of public interest.
- To justify disclosure of otherwise confidential information on the grounds of public interest, it is not enough that the information is a matter of public interest. Its importance must be such that the duty otherwise owed to respect its confidentiality should be overridden.
- The matter must either relate to serious misconduct, or it must otherwise be important for safeguarding the public welfare in matters of health and safety (or of comparable public importance) that the information should be known to whom it is disclosed.
- Even if the information meets the test, it does not necessarily follow that it would be proper for the defendant to disclose it. The court must consider the relationship between the parties and the risks of harm which may be caused (or avoided) by permitting or prohibiting disclosure, both in the particular case and more generally.
- Ultimately the court has to decide what is conscionable or unconscionable, which will depend on its view of what would be acceptable to the community as a fair and proper standard of behaviour.
A party owed a duty of confidence (or a party to a contract) may seek an injunction to prevent a breach. However, this remedy may not be available or may be of little practical use, if the relevant information has already been disclosed or misused (for example, where confidential information has been leaked to and published by the media). In general, the remedy for past misuse of confidential information will be financial rather than an injunction.
Where a party is seeking to obtain an interim injunction, the court will generally apply the test derived from the American Cyanamid guideline of whether there is a “serious question to be tried” or a “real prospect” of success at trial. Where, however, a party seeks to restrain publication of information before trial, it faces a higher threshold. In those circumstances the court will have particular regard to the importance of a party’s right to freedom of expression under Article 10 of the European Convention on Human Rights, and the court must be satisfied the applicant is likely to establish that it would succeed at trial and that publication would not be allowed. In these circumstances, factors which may be relevant to the court’s determination include whether:
- any third party publisher (e.g., a media outlet) is aware that it obtained the relevant material in breach of confidentiality obligations;
- a considerable amount of the information which is intended to be published is already in the public domain;
- there is an express contractual obligation of confidence. The courts recognise the public policy considerations relevant to upholding NDAs. Where an NDA had been entered into with legal advice, a court would be slow to refuse to enforce it as disproportionate in an Article 10 case other than on ordinary contractual and equitable principles;
- private information is included in the breach of confidence;
- the applicant would be left to challenge allegations through the media if no injunction is granted, while at the same time being bound by an NDA relating to the allegations;
- there is clear cut evidence as to the credibility of the information being disclosed;
- immediate, irreversible and substantial harm may result to a party if the injunction is not granted;
- any confidentiality obligations were procured by bullying, harassment or undue pressure by the appellants;
- an NDA contains provisions limiting disclosure to regulatory and statutory bodies;
- there is a real risk of disclosure of the confidential material;
- the injunction is intended to prevent (i) accidental or inadvertent loss or leakage of confidential data, or (ii) deliberate wrongdoing. A court is likely to reject an injunction sought on the former basis; and
- where the proceedings relate to journalistic, literary or artistic material:
  - the material has (or is about to) become available to the public; or
  - it would be in the public interest for the material to be published.
The fact-sensitive nature of this exercise in any given case means there is often considerable uncertainty as to whether an injunction will be granted.
Damages and Account of Profits
Where confidential information is divulged in breach of a non-disclosure agreement, usually damages for the loss suffered by the innocent party will be a more appropriate remedy than an account of profits. In a commercial context, such damages might often be assessed by reference to a notional reasonable price to buy release from the claimant’s rights. In other words, damages may be assessed by reference to the commercial value of the information which has been misused.
In determining whether the case is sufficiently exceptional for an account of profits to be preferred to damages, the court will ask whether the claimant’s interest in the performance of the obligation of confidence made it just and equitable that the defendant should receive no benefit from his conduct. Where the obligation in question is similar to a fiduciary obligation, it may be appropriate for remedies to be similar to those in respect of a breach of fiduciary duty (so as to allow for an account of profits). Where the obligation arises from an arm’s-length contract, or circumstances similar to a contractual relationship, in the absence of exceptional circumstances, the appropriate remedy is likely to be similar to those available for breach of contract.
Additional Consequences of a Breach
Where a contractual confidentiality obligation is breached which is of sufficient importance to be a condition of the contract, the innocent party may repudiate the contract (in addition to seeking damages). An NDA may also stipulate the consequence of a breach will be the repayment of any sums paid under the agreement and/or other costs. Such sums will be recoverable if considered liquidated damages and not a penalty.
The effectiveness of any given NDA will depend to a large extent on the nature of the contract and the circumstances in which the confidential information has been shared. Where ethically used, NDAs remain a useful tool to protect sensitive information, but they cannot necessarily prevent unauthorised disclosures from being made. Sharing confidential information with another party, even where there is an NDA in place, necessarily involves a degree of risk and a reliance that the sensitive material will not be misused.
Even where a party can enforce an NDA after a breach, there may remain practical problems in doing so. Once confidential information has been made public, much of the damage may already be done (it may be impossible to “unring the bell”) and the innocent party may be restricted to seeking compensation for any harm caused. Pursuing a claim may also risk exacerbating any reputational damage and adverse publicity arising from the breach. If a party’s claim lies against a newspaper or large media outlet, any remedy is likely to be expensive to obtain.
Commercial parties should therefore be careful to balance the risks when deciding whether to share confidential information under an NDA. On one side of the scales are the opportunities that may be created from sharing confidential information with a counterparty. On the other side of the scales are the real risk that valuable information is misused in breach of the NDA, the potential difficulties in securing an injunction and the limits placed by the courts on financial recoveries.
Disclosing parties should seek to manage these risks where possible, both through the terms of the NDA and in practice. The steps taken to manage the risk will depend on the circumstances in which the confidential information is being shared but may include:
- choice of counterparty: the disclosing party should consider carefully whether it is appropriate to share confidential information with any counterparty and share confidential information only to the extent necessary for the particular purpose for which it is being shared. The receiving party should be permitted to use the confidential information only for that particular purpose;
- restricting access to confidential information: if the circumstances permit, confidential information should be shared in a secure environment where access can be monitored by the disclosing party (e.g., through a virtual data room). Where practicable, sensitive information should not be capable of download or reproduction and access should be limited to those individuals who need to view the confidential information. In particular, certain categories of confidential information (e.g., competitively sensitive information) should be shared only with approved individuals (e.g., who are subject to clean team arrangements);
- consequences of breach: a disclosing party may seek to stipulate particular consequences of breach of the NDA, such as:
  - an indemnity in favour of the disclosing party in respect of all claims, losses and costs arising from the receiving party’s breach;
  - a liquidated damages provision under which the receiving party is required to pay the disclosing party a fixed amount for a breach of the receiving party’s undertakings (which should be enforceable if the level of compensation is proportionate to the legitimate interest of the disclosing party in the enforcement of the receiving party’s undertakings);
  - an obligation for the receiving party to repay any sums paid under the relevant agreement, which (as above) should be enforceable if considered liquidated damages and not a penalty; or
  - material breach of a confidentiality provision may be treated as an event of default under the relevant agreement or result in specific financial consequences (e.g., treatment as a “bad leaver” in an employment context);
- restrictive covenants: in certain contexts (e.g., an M&A transaction), an NDA may contain covenants restricting the receiving party’s solicitation of, and contact with, employees, customers and/or suppliers of the disclosing party and its affiliates. These covenants are designed to mitigate the risk that the receiving party uses the confidential information that it has obtained to interfere with the business of the disclosing party if the transaction does not proceed;
- equitable remedies: a disclosing party will typically reserve its right to pursue equitable remedies (including an injunction) and specify that its right to damages or other monetary remedies for any breach by the receiving party is without prejudice to any other remedy to which it may be entitled; and
- security measures: aside from a confidentiality obligation, an NDA will often include certain security measures designed to safeguard confidential information. These may include record-keeping obligations for the receiving party (e.g., details of persons with whom confidential information has been shared and the means by which confidential information was shared), requirements to make all recipients of confidential information aware of the terms of the NDA (and to procure their compliance with its terms), an obligation to notify the disclosing party of any actual or suspected breach of the NDA and an obligation to return or destroy confidential information at the disclosing party’s request (e.g., when the receiving party no longer has any need to access the confidential information).
This post comes to us from Cleary Gottlieb Steen & Hamilton LLP. It is based on the firm’s memorandum, “RIP NDA? How Effective Are Non-Disclosure Agreements?” dated April 25, 2023.