← Blog

The confidentiality that ran out before the secret did

Published 8 June 2026 · 5 min read · By GD · LexCodex

Two companies open talks about working together. To get anywhere, one has to show the other how its manufacturing process actually works, so they sign a non-disclosure agreement before the drawings change hands. The collaboration never happens. Four years later the process turns up at the former counterparty, lightly reworked. The company reaches for its NDA, turns to the confidentiality clause — and finds that the obligation expired after three years. The secret was still a secret. The protection was not.

It is the dullest line in the whole agreement that catches people out: the term. Everyone reads the definition of confidential information. Few read how long the duty of secrecy actually lasts, and fewer still stop to think that the term ought to match how long the information is worth protecting.

Two safety nets, not one

A secret is, in fact, protected twice over, and the two protections expire at different moments. The first is the agreement itself: a contractual duty of confidence that lasts exactly as long as — and only as long as — the parties agreed. The second is trade-secret law, which protects the information independently of any contract, for as long as it is in fact secret, has commercial value precisely because it is secret, and has been kept secret through reasonable steps.

And here the question of time becomes interesting. A genuine trade secret is protected by statute for as long as it stays secret — which may be decades. But information that does not reach the trade-secret threshold — ordinary commercially sensitive material, a customer list that is not really hard to reconstruct — is protected only by the contract. When the confidentiality clause lapses, that information is free. Anyone who put a three-year term on their NDA has therefore, often without realising it, stamped a use-by date on everything that was not a trade secret, and perhaps shortened the protection for what was.

The Nordic floor

The fortunate part, for anyone working across the Nordic borders, is that the statutory floor now looks much the same everywhere. The EU Trade Secrets Directive of 2016 harmonised protection across the Union and, through the EEA Agreement, across Norway too. Sweden adopted its trade-secrets act (lag om företagshemligheter) in 2018, Denmark its lov om forretningshemmeligheder the same year, Finland its liikesalaisuuslaki, and Norway its forretningshemmelighetslov in 2021. The same definition, the same baseline protection. A trade secret that deserves protection in Stockholm deserves essentially the same protection in Oslo and Copenhagen — which means an NDA between Nordic parties need not carry the whole load alone. It should supplement the statutory floor, not replace it.

What the agreement is actually for

Why sign an NDA at all, then, if the law protects the secret anyway? Three reasons, chiefly. The agreement extends protection to things that are not trade secrets but that you nonetheless want kept quiet. It is itself one of those "reasonable steps" the statute demands — a party who never asked for confidence will struggle to argue the information was protected. And it provides remedies you can rely on: proving the financial loss from a leak is notoriously hard, and without a liquidated-damages clause, a clear-cut breach can end in a victory with no money attached.

Read the dull line

By all means put a shorter, fixed term on ordinary confidential information, but let obligations covering true trade secrets last as long as the information stays secret — not an arbitrary number of years that happened to feel about right at the negotiating table. Separate the two categories in the agreement, so that the one does not drag the other down with it. An NDA whose protection ends while the secret lives on is not a mediocre protection. It is a timed opening.

For the two companies, what remains is to test whether the process reaches the trade-secret threshold after all — because if it does, the statutory protection is still there, whatever the agreement said. That is a better question than the one they started with. But it would have been unnecessary had someone read through to the last paragraph before signing.