Strictly confidential

Skype or Google Hangouts are convenient tools for video conferences. But from a legal point of view they are not a sensible choice for every project. This is especially true if you have signed a confidentiality agreement.

For small projects, you usually have a carefree initial discussion with the client, go through the requirements and then submit an offer. For larger projects, on the other hand, especially when it comes to fresh ideas or new products, many clients first require a signed non-disclosure agreement (NDA). Only then do they send further documents on the project. The NDA is intended to ensure that confidential information remains between the contracting parties, for example business ideas, sales targets, product information, marketing strategies or know-how. A signed non-disclosure agreement gives rise to obligations that both contractual partners must take seriously.

Disclaimer: This text does not constitute legal advice. For legal advice, please contact a lawyer you trust.

It's about protection and trust

An NDA is usually concluded in the context of an intended cooperation between two parties who wish to exchange information with each other that is not intended for the public. Among other things, it regulates:

  • Definition of the information to be kept secret
  • Naming of the contracting parties and extension of the contract to third parties (mostly employees of the company)
  • Penalties for breach of contract
  • Duration of secrecy
  • Dealing with the confidential information after the end of the cooperation

In principle, there is freedom of contract with an NDA, which enables the contracting parties to map out concrete requirements, needs and possibilities. With your signature, you have therefore promised confidentiality to the potential client.

The example of Skype is intended to shed more light on this commitment. Skype is an instant messaging service that was founded in 2003 by two Scandinavians and has changed hands several times since then. The current owner is Microsoft. Typically, Skype is used for text and voice-based communication. Since 2006, video conferencing has also been possible.

Skype is only to be understood as an example here, mind you. Also, only the terms of use and data protection conditions for the normal Skype version are considered. This is the version of Skype usually used in the webworker environment. The extent to which the business version can even be individually negotiated in individual cases was not considered in detail. Anyone who takes NDA obligations seriously should check all software used that is connected to external services.

Before installing the software

"PLEASE READ CAREFULLY BEFORE DOWNLOADING THE SOFTWARE OR USING THE SKYPE PRODUCT(S) OR WEBSITES".

How often have you seen such formulations? And how often have you stopped reading because the amount of text seemed overwhelming? In this case, we are talking about the Skype terms of use and privacy policy. In addition, there are the "fair use guidelines". The "Cookie Policy" offers a bit of a surprise, because it would also require you to read the privacy policies of the eight(!) external third-party providers. Presumably, the almost 15,000 words (not including the data protection conditions of the third-party providers) are only read carefully by a vanishingly small percentage of users. And the software was probably installed a long time ago, and the documents have never been looked at again since.

However, if you have signed an NDA and are thus bound to secrecy, the attitude of "tick the box and move on" is dangerous from a contractual point of view. Because:

By using the Software, you grant Skype an intellectual property right licence that allows Skype to use the content of your communication to provide the Products, such as delivering your communication to the intended recipient.

(Privacy Policy of the Skype Terms of Use, point 5.7 Communication Content)

Even though it is quite understandable from a technical point of view that Skype needs a right of use for the transmission of messages, an intellectual property right licence for transmitted content is problematic. As a reminder, the signed NDA serves, among other things, to protect business ideas, and the NDA regulates the handling of content marked as secret. A licence for intellectual property rights that may be transferred to Skype would have to be explicitly regulated in the NDA.

Furthermore, the terms of use contain the following passage in the same paragraph:

Skype reserves the right to review Content entered into or through the Software, Products and Skype Websites for the purpose of enforcing these Terms.

This includes checking for the following undesirable content and uses:

  • use for illegal purposes
  • inappropriate images (e.g. nudity, brutality)
  • sending viruses
  • infringing the rights of others

Of course, such a check can only take place if Skype can analyse the content. And Skype offers users no further options for individual settings beyond its own basic encryption. Since the revelations of Edward Snowden at the latest, every internet user should be aware of the intelligence services' hunger for data. That this also involves industrial espionage has been known in Germany since the BND/NSA affair over the selector lists.

And so you will also find a lengthy passage in Microsoft's privacy policy in the Skype/partner companies section that describes the situation quite clearly:

To give more people access to Skype, we partner with other companies so that Skype can be offered through their services. If you use Skype through a company other than Microsoft, your information will be handled in accordance with that company's privacy policy. In order to comply with applicable law, respond to legal process, or assist our partner company or local operator in such processes, we may access, share and retain your information. This data may include, for example, private content such as the content of your instant messages, stored video messages, voicemails or file transfers.

An (unintentional) breach of the confidentiality agreement cannot be ruled out and can only be prevented if you do not use Skype to communicate secret information or if you amend the NDA accordingly.

Storage periods

Did you agree in the NDA to delete all confidential information after termination (or failure) of the cooperation?

If you are not a Skype Premium subscriber, video messages are stored for at least 6 months from the date they are sent and may expire after this time.

(Skype Terms of Use Section 19.7 Skype Video Messaging)

Furthermore, you can find information on storage periods in the Microsoft privacy policy in the section Skype - translation functions:

To help you communicate with people in different languages, some Skype apps offer audio and/or text translation features. When you use translation features, your speech and text data is used to provide and improve Microsoft's speech recognition and translation services.

If information marked as confidential has been exchanged between communication partners via Skype translation functions, you must therefore assume that Microsoft can store and use this information for as long as it likes. You therefore cannot comply with an NDA that, as is usual, provides for the immediate deletion or return of information marked as confidential. Corresponding exceptions, and cases in which deletion is impossible, must therefore be recorded in the NDA.

To mention it again: Skype is only one example of many. With Evernote, for example, content marked for deletion is only permanently deleted after 12 months:

... but copies of your deleted content could remain on the Evernote service's backup and archiving systems for up to a year for operational reasons.

(Evernote Privacy Policy Section IV. Deleting Information)

Google, for example, does not provide sufficient information about the location of the data:

Google processes personal data on our servers, which are located in numerous countries around the world. Therefore, we may process your personal data on a server located outside the country where you live.

(Welcome to Google's privacy policy; section "How we use the information we collect").

Google also reserves the right to share stored information with third parties. You can read more about this in the section "Information we share":

We do not share personal information with companies, organisations or individuals outside of Google, except in one of the following circumstances ... (and surprise, surprise, there are a few)

Google describes its obligation to provide information to US authorities on a separate page. Since Google declares its privacy policy to be valid for almost all services offered, the popular tools Gmail, Hangouts, Drive and Docs are ruled out for confidential communication under an unamended NDA.

In summary: Signing the NDA and then continuing to use the convenient free tools - it doesn't add up. You cannot ensure that you have done everything to protect the trade secrets you have been told in confidence. The comments about Skype can also be applied to any other software. You can make it easier for yourself to sift through software terms of use (of Google services, for example) by looking specifically for answers to the following key questions in the documents:

  • Is it ensured that the information marked as secret is only exchanged between the contractually named parties and involved third parties?
  • If data is stored through the use of the software - how are the retention periods quantified and can you demand the deletion of the stored data?
  • Is the stored data held on servers that are subject to the stricter data protection regulations of the EU (keyword Safe Harbor / Privacy Shield)?

If the customer does not want to agree to a customised NDA, you only have a few alternatives: using software on servers located in Germany, consistently from hosting companies that are not subsidiaries of US companies, and ideally running free and open source software (FLOSS for short).

 

Photo of the article in Screenguide issue 30
DeepL is a deep learning company that develops AI systems for languages. The company, based in Cologne, Germany, was founded in 2009 as Linguee, and introduced the first internet search engine for translations. Linguee has answered over 10 billion queries from more than 1 billion users.

Stephan Luckow

Stephan is an open source evangelist and constantly curious about technologies. Thematically, his blog posts can best be summarised as "curiosity satisfied".