Non-Disclosure Agreements (NDAs) in the new world of AI
Our recent article considered the protections that can exist for confidential information when it is disclosed but there is no non-disclosure or confidentiality agreement in place. The conclusion was that there can be protection for confidential information in these circumstances but that best practice is to put an NDA in place.
It’s fair to say NDAs are generally considered fairly standard and low risk for many businesses, but the rapid adoption of new technologies, particularly AI, in a commercial context means we need to reconsider key NDA concepts to ensure they are still fit for purpose.
AI models are now widely available, and confidential information can be input into AI in many ways. For example, a recipient could use an AI notetaker to minute your Teams calls; an employee of the recipient of your confidential information could feed your information into a chatbot or a tool like ChatGPT so that they can read a summary of it rather than the whole document; or the recipient’s cloud storage provider could scan stored content (including your confidential information) either to train its AI model or to offer enhanced functionality to its users.
So what do we need to consider now when reviewing an NDA?
1. Do you need to expand your NDA’s definition of confidential information to specifically include information like AI-generated outputs and proprietary algorithms or prompts which you consider confidential to you? In addition, should the definition also cover AI-generated outputs created by the recipient of your confidential information (like copies of confidential information as typically covered in NDAs today)?
2. Do you need to make it clear in your NDA that confidential information could include information shared in less formal ways, like over WhatsApp, Slack or Teams messages? Consider also what your business’ policy should be regarding sharing of information in this way: should your policy be that confidential information is only shared with third parties via email, so that you have an easy-to-recall audit trail of what has been disclosed, when and to whom?
3. In your NDAs, should you restrict the recipient of your confidential information (and its representatives) from feeding it into an AI model? They may do this, for example, so that they can get a summary of a large document you have provided rather than reading it line for line. The main concern is that the recipient could be using a public AI model (like ChatGPT) which will use your confidential information for training purposes, meaning it could then form part of subsequent outputs for other users of the AI model. As a minimum, you should restrict processing to enterprise-grade or private AI models which do not train on input information and do not include input information in outputs. Consider also what your business’ policy should be regarding the processing of confidential information it receives using AI. Should your policy be that confidential information cannot be processed in this way or, if you have an enterprise or private AI model, that only that model can be used to process confidential information?
What we can all take away from these considerations is that, as AI models advance quickly, best practice needs to as well. And of course these same thought processes for NDAs also apply to confidentiality clauses in contracts, as these often replace NDAs once the contracts are signed.
______________________________________________________________________________________________
This information is intended for general informational purposes only and does not constitute legal advice. We recommend seeking professional advice before taking any action on the information provided. If you would like to discuss your specific circumstances, please feel free to contact us on 0800 2800 421.