>> law, technology, and the space between

All content by Kyle E. Mitchell, who is not your lawyer.


Sneaking Things In
yes, lawyers actually do this

Shocking amounts of lawyer time get spent reviewing contract proposals for terms that clearly do not belong. A typical nondisclosure agreement shouldn’t license a customer’s logo, require any sale on the customer’s choice of law, or prohibit disparaging one side’s famous founder. The overwhelming majority of NDA proposals don’t. But sneaking things in is practically possible, and the tiny percentage of players who try keep the rest of us rubbing tired eyeballs.

There is, as of yet, no effective deterrent against this deviant spoilerism. Which accrues to the benefit of lawyers billing hourly, and against clients who pay that way.

Lately, the Schrems II decision, the release of the new “standard contractual clauses” for taking data out of the European Union, and further bureaucratic Brexit carnage had a bunch of orgs updating their contract terms for privacy compliance. The vast majority of proposals I saw stuck just to this business, getting compliance done at minimal admin cost. But a small handful included massive new privacy-compliance indemnities, often toward the end, often paired with explicit exemptions from prior-negotiated limits on liability.

These would be contentious, top-priority asks in any negotiation from scratch. Nothing in GDPR requires them.

They are there because customers want them, but couldn’t reliably get them on deals. They are there, I suspect, because privacy lawyers know counterparties might sign “compliance amendments” without scrutinizing them. And that if they do pass them along to their counsel, those lawyers will also have dozens of these to deal with, all under pressure of imminent regulatory deadline. In short, companies slip in big, one-sided risk-shifting terms because they might get away with it.

The cost-benefit here is a fairly simple calculation. Every counterparty that capitulates—knowingly or not—offsets your rising regulatory risks by some marginal amount. On the other hand, every counterparty that notices and objects gums up the works a little bit, bleeding off more time and attention from admins, lawyers, and other contract wranglers. But perversely, the more annoying and time-consuming it is replacing transparent grabs with “[intentionally omitted]”, the more annoying and time-consuming it is for the counterparty who spotted them, too. A few might object but give in eventually. They also go in the wins column, albeit at some staff-time cost. Then there is the risk that delay puts relationships past the deadline. That risk is also mutually borne, affecting both vendor and customer.

The lessons here are hints about the general circumstances under which gamesmanship thrives. Routine contracts with well-established content expectations. High volumes of transactions. Time pressure. Backlogs. Cover.

For the foreseeable future, this still describes NDAs. We will have to keep sweeping them for mines. It may come again soon in privacy, if-when the new EU-US privacy deal’s final. But not because of anything special about secrecy, security, or privacy. Quite the contrary.

As individual players, our risk of taking a knife with our guard down rises as we slip into associating this problem with the agreements in which we’ve spotted one before. This rot grows on process, whenever conditions are right, not particular subject matter. The problem is substance we do not expect.

Your thoughts and feedback are always welcome by e-mail.
