Introduction
What is a confidentiality agreement?
NDA duration: what is appropriate?
What constitutes confidential information?
Announcements: is it possbile go public?
Is a non-solicitation clause relevant?
Financing rounds – can there be exclusivity over approached financing sources?
What about processing of personal data?
Comment
There are several stages that precede the materialisation of an investment, including the stage of exchange of information, and due diligence, for properly evaluating the conditions surrounding an investment. From an investor's perspective, the most crucial stage is the due diligence stage, where the merits of the target (it could be investment in debt or equity securities, real estate or start-ups) are thoroughly examined. However, even before due diligence, an investor has to set the legal framework safeguarding the receipt and exchange of information while protecting the opportunity of the investment itself. It is at this stage that the investor either receives or sends out their own confidentiality agreement for the counterparty's consideration, review and comments so that the exchange of information can commence within acceptable legal boundaries. Under Cypriot law, confidentiality agreements are governed by chapter 149 of the Contracts Law and while there is no monetary consideration exchanged between the parties, the promise to keep the information confidential and reliance on that promise represent adequate consideration to render the agreement valid.
What is a confidentiality agreement?
A confidentiality (or non-disclosure) agreement (NDA) represents a contract between the party disclosing information (disclosing party) and the party receiving the information (recipient party). Depending on the nature of the investment, the flow of information between the two parties could be mutual, which means they could each be a disclosing and a recipient party simultaneously. The length of the NDA is often indicative of the:
- nature of the investment or project;
- number of potential investors;
- attention placed on the processing of private data as per the EU General Data Protection Regulation (GDPR) (or equivalent for non-EU regions);
- requirement to address anti-bribery rules; and
- volume and complexity of the information subject to be disclosed or exchanged.
The context in which an NDA is negotiated will set the tone of the freedoms and restrictions governing the disclosure or exchange of information. For example, the NDA between an angel investor and a start-up (such as in the context of Cyprus Business Angels Network) may have more flexibility in clauses such as non-solicitation of employees, or the definition of representatives or affiliates, given that the parties are specific and the risk of employees moving is minimal. An NDA between an institutional investor and several investment firms that will help finance a large-scale, long-term and specific project, such as one of infrastructure, will require more robust clauses concerning the departure of employees to other companies, deals with financing sources and the timing of receiving bids.
Considering this differing context, six key issues to bear in mind when negotiating NDAs are set out below.
NDA duration: what is appropriate?
The duration of an NDA can vary from a market standard two-year term to a more particular five-year term, depending on the volume, sensitivity and complexity of the information disclosed and the proposed investment. A few points to consider when evaluating the NDA's duration, include the:
- timeframe of materialising the proposed investment;
- possible exchange or disclosure of trade secrets;
- possibility of entering into a definitive agreement past the due diligence stage; and
- legal framework of the jurisdiction where the proposed investment will be taking place.
What constitutes confidential information?
The definition of confidential information is one of the most important terms of the NDA as it spells out what information is protected. On the disclosing side, parties prefer to have as wide a definition as possible, while on the receiving end, parties negotiate narrower, more specific definitions. A key point to consider is whether information exchanged leading up to the signing of the NDA (such as "click-through" acknowledgements or information uploaded in data rooms) will be included. The usual carve-outs from the definition relate to information that is publicly available, already in the recipient party's possession or information that is developed by the recipient, as in the case of tech start-ups or private equity firms that receive information from a variety of sources on the same proposed investment.
Announcements: is it possible go public?
Frequently an agreed term, but still worth highlighting is whether the parties can announce the fact that they have signed an NDA or that they're considering the proposed investment. A key point is that the parties' consent to any announcements is often the agreed way forward.
Is a non-solicitation clause relevant?
Yes, restrictions about approaching an NDA counterparty's employees or clients are more relevant in NDAs between institutional investors and investment firms as each will try to safeguard the know-how behind the development of a proposed investment. A prudent approach would be to always include a non-solicitation clause which reflects the nature of the proposed investment and the parties involved.
Financing rounds – can there be exclusivity over approached financing sources?
Depending on the scale of the proposed investment, it is likely that the investor may want to share information with other potential financing sources either in the form of co-investors (equity financing) or lenders. Depending on the facts of the proposed investment, it may be relevant for the disclosing party to have some kind of control in the form of a prior consent, as to the debt or equity financing sources that may be approached.
What about processing of personal data?
In the aftermath of the application of the GDPR in May 2018 throughout the European Union, there is a requirement to apply specific rules and processes that regulate, among others, the storing, processing and sharing of personal data. Personal data as per the GDPR includes any information that relates to an individual who can be directly or indirectly identified. Regulating GDPR in an NDA is crucial because:
- It applies to non-EU as well as EU residents, provided that the personal data processed or services/goods offered are to persons within the European Union.
- The fines for breaches of the GDPR are very high. There are two tiers of penalties, at a maximum of €20 million or 4% of global revenue (whichever is higher), while persons whose personal data has been processed in breach of GDPR, and data subjects, have the right to be compensated in damages.
The approach of "opting-out" of receiving personal data is often proposed in the course of negotiating the terms of an NDA. However, given the wide scope of GDPR, and the possible risk of breach, "opting-out" is almost impossible and certainly not advisable. The matter can be regulated by appropriate GDPR clauses taking into consideration the applicable law of the NDA, the jurisdiction of the proposed investment and the parties involved.
When evaluating investment opportunities, it is important to have certainty over the exchange and disclosure of information. Ultimately, it is this information that will allow investment analysts and advisors to determine all the risks and decide whether to go ahead with an investment or not. As far as Cyprus is concerned, this is more relevant now in light of the recent approval by the European Commission of tax incentives to both private and corporate investors for investments in early stage, innovative small- and medium-sized enterprises. The tax incentives include a tax relief of up to 30% of the amount invested capped at 50% of the investors' total taxable income, and up to a maximum of €150,000 per year and of €750,000 within five years from the investment.
For further information on this topic please contact Stella Koukounis or Chara Paraskeva at Solsidus Law by telephone (+357 22 007700) or email ([email protected] or [email protected]). The Solsidus Law website can be accessed at www.solsiduslaw.com.