Non Disclosure Agreements in India
When proprietary information leaves your control, it does not come back. The legal framework for protecting it exists. The question is whether your NDA is built on that framework or on assumptions.
What Is an NDA and Why It Matters in India
An NDA is a contract where one or more parties agree not to disclose specified information to unauthorised third parties. In India, it derives its legal force from the Indian Contract Act 1872.
But that definition misses the point. An NDA is a decision about what stays inside and what can never leave. It draws a boundary around the information that gives your business its competitive edge — trade secrets, financial models, customer databases, product roadmaps, pricing strategies, algorithms, vendor terms.
Without that boundary, every conversation with a potential investor, every engagement with a new vendor, every collaboration with a joint venture partner becomes a risk event. One conversation. One forwarded email. One screenshot. That is all it takes for proprietary information to reach a competitor, and once disclosed, confidentiality cannot be restored.
The question is not whether your business needs an NDA. Every business that shares sensitive information with any external party needs one. The question is whether your NDA is drafted to survive scrutiny under Indian law — or whether it is a template downloaded from the internet that no court will enforce.
Legal Framework: Indian Contract Act 1872 and IT Act 2000
NDAs in India stand on two statutory pillars.
Indian Contract Act 1872 — Section 10 establishes the essentials: free consent (not obtained through coercion, fraud, or misrepresentation), lawful consideration, lawful object, and parties competent to contract. If any element is missing, the NDA is void.
Section 27 is the constraint most NDA drafters ignore. It renders every agreement in restraint of trade void. An NDA that effectively prevents the recipient from working in an industry or using general skills will be struck down. The confidentiality obligation must be limited to the specific information disclosed, not an industry wide restraint.
Sections 73 and 74 govern damages. Section 73 allows recovery of loss directly arising from the breach. Section 74 applies where the NDA specifies a liquidated damages amount — but Indian courts retain discretion to award reasonable compensation even when liquidated damages are specified.
Information Technology Act 2000 — Section 43 penalises unauthorised access to computer systems, computer networks, or electronic data. Section 72 addresses breach of confidentiality by persons who have been granted lawful access to electronic records. Section 72A — added by the 2008 amendment — specifically targets disclosure of personal information obtained under a contract without the consent of the information owner, with imprisonment up to three years and fine up to ₹5 lakhs.
When confidential information is digital — which is almost always the case today — these IT Act provisions give the NDA teeth that the Contract Act alone does not provide. Criminal liability changes the calculus entirely.
Types of NDAs: Unilateral, Mutual, and Multilateral
Unilateral NDA — One party discloses, the other protects. Used in employer employee relationships, vendor onboarding, investor pitch meetings, consultant engagements, and outsourcing arrangements. The disclosing party defines what is confidential. The receiving party accepts obligations. Most NDAs in India are unilateral.
Mutual NDA (Bilateral) — Both parties disclose and both protect. Used in joint ventures, M&A due diligence, technology partnerships, co development agreements, and strategic alliances. Mutual NDAs require careful drafting because each party is simultaneously a discloser and a recipient with different risk profiles for different categories of information.
Multilateral NDA — Three or more parties. Used in consortium bids, multi party joint ventures, and complex transactions where multiple entities contribute proprietary information. Multilateral NDAs reduce the need for multiple bilateral agreements but increase drafting complexity around information segregation and attribution.
The mistake most businesses make is using a unilateral template in a mutual disclosure situation. When both parties share sensitive information but only one bears confidentiality obligations, the unprotected party has no contractual remedy if the other side leaks.
Essential Clauses Every Indian NDA Must Contain
1. Definition of Confidential Information — The most critical clause. Must be precise enough to be enforceable but broad enough to capture all sensitive material. Include tangible documents, digital records, oral disclosures (with a follow up written confirmation mechanism), technical data, financial information, business strategies, and customer information. Vague definitions like "all information shared" have been challenged in Indian courts.
2. Purpose Limitation — State precisely why the information is being disclosed and restrict the recipient from using it for any other purpose. Without this clause, the recipient can argue that the NDA only restricted disclosure, not use.
3. Exclusions — Publicly available information, previously known information, independently developed information, and information received from a third party without confidentiality restrictions. Without carve outs, the NDA becomes unreasonably broad and vulnerable to challenge.
4. Term and Survival — The NDA period and how long obligations continue after termination. Survival clauses are critical because most breaches happen after the relationship ends, not during it.
5. Return or Destruction — Upon termination, the recipient must return or destroy all confidential material, including copies, extracts, and derivatives. Include a certification requirement where the recipient confirms destruction in writing.
6. Remedies — Specify injunctive relief (courts can grant interim orders under Order XXXIX of the Code of Civil Procedure), compensatory damages, and indemnification. Consider including liquidated damages for calculable breaches.
7. Governing Law and Dispute Resolution — Specify Indian law as the governing law and choose between arbitration (faster, confidential) and court litigation (precedent setting, broader remedies). Specify the seat and venue.
8. DPDPA 2023 Compliance — If the shared information includes personal data, the NDA must address Data Fiduciary and Data Processor obligations, consent mechanisms, data breach notification requirements, and cross border transfer restrictions. This clause was unnecessary before 2023. It is now mandatory for any NDA involving personal data.
Enforcement and Breach Remedies
An NDA is only as strong as its enforceability. Three enforcement pathways exist under Indian law.
Injunctive Relief — The most immediate remedy. Under Order XXXIX of the Code of Civil Procedure, courts can grant temporary injunctions restraining the breaching party from further disclosure or use. This is the critical first step because confidential information, once disclosed, loses its character forever. Courts evaluate prima facie case, balance of convenience, and irreparable harm.
Compensatory Damages — Section 73 of the Indian Contract Act allows recovery of loss or damage caused by the breach that the parties knew, at the time of contracting, would likely result from the breach. Section 74 applies where liquidated damages are pre specified in the NDA — but Indian courts retain the power to award only "reasonable compensation" even if a higher amount is specified.
Criminal Prosecution — Under the IT Act 2000, Sections 43, 72, and 72A provide for criminal penalties including imprisonment and fines for unauthorised access to electronic data and breach of confidentiality. Section 72A specifically targets contractual breaches involving personal information. These are cognisable offences that the police can investigate.
The enforcement landscape changed with DPDPA 2023. If the breached information constitutes personal data, the Data Protection Board of India can independently impose penalties up to ₹250 crore — regardless of whether the NDA provides for damages or not. This creates a dual track enforcement regime that makes data related NDA breaches significantly more consequential.
Five Mistakes That Make NDAs Unenforceable
1. Vague Definition of Confidential Information — "All information shared between the parties" is not a definition. It is a hope. Courts require specificity. If the disclosing party cannot point to what exactly was confidential, the NDA fails at the threshold.
2. Overly Broad Non Compete Provisions — Embedding sweeping non compete clauses that prevent the recipient from working in an entire industry violates Section 27 of the Indian Contract Act. Courts will void the non compete clause and, depending on drafting, may void the entire NDA if it is not severable.
3. No Return or Destruction Mechanism — If the NDA does not specify what happens to confidential material after the relationship ends, the recipient retains it indefinitely. Without a destruction certification requirement, the disclosing party cannot even verify whether the material has been deleted.
4. Ignoring Digital Realities — NDAs drafted for a paper world do not account for screenshots, cloud storage, email forwards, messaging app shares, and AI tools that process uploaded documents. Modern NDAs must specifically address electronic reproduction, cloud storage restrictions, and AI processing limitations.
5. No DPDPA Compliance Layer — Since 2023, any NDA involving personal data of Indian residents without DPDPA compliance provisions creates regulatory exposure for both parties. The NDA may be enforceable as a contract, but the absence of data protection clauses exposes both parties to statutory penalties that dwarf contractual damages.
NDA and DPDPA 2023: The Intersection Most Businesses Miss
The DPDPA 2023 changed the NDA landscape in India fundamentally. Before DPDPA, an NDA was purely a contractual matter between private parties. After DPDPA, any NDA involving personal data of Indian residents triggers statutory obligations that exist independently of the contract.
When the confidential information shared under an NDA includes customer databases, employee records, patient information, student data, or any other dataset containing personal data — the receiving party becomes either a Data Processor or a Data Fiduciary under DPDPA. This triggers obligations that the NDA must address:
Consent Architecture — Was consent obtained from the Data Principals before sharing their data under the NDA? Does the consent cover the specific purpose for which the receiving party will process the data? DPDPA requires purpose specific consent.
Data Breach Notification — If the receiving party suffers a data breach, they must notify the Data Protection Board within 72 hours and inform affected Data Principals without delay. The NDA should specify breach notification obligations between the parties as well.
Cross Border Transfer — If the receiving party processes or stores data outside India, Section 16 of DPDPA applies. Currently, no restricted jurisdiction list has been published, but when it is, organisations without documented cross border mechanisms will face sudden compliance gaps.
Data Retention and Erasure — DPDPA requires that personal data be erased once the purpose is fulfilled. The NDA must align its return or destruction clause with DPDPA retention requirements.
NDAs drafted before August 2023 almost certainly do not address these issues. They need to be reviewed and amended.
What You Need to Know
Is Your NDA Built for Indian Law?
Most NDAs in circulation are templates. They may create a false sense of security without providing enforceable protection. A review takes less time than dealing with a breach.
[email protected]