I wonder if UC Berkeley is confusing "confidential obligations" with "confidential data".
It doesn't seem like google is saying, "if we lose an email, and it costs you a million dollars, we're liable for it".
From this section:
"Confidential Information.
5.1 Obligations. Each party will: (a) protect the other party’s Confidential Information with the same standard of care it uses to protect its own Confidential Information; and (b) not disclose the Confidential Information, except to Affiliates, employees and agents who need to know it and who have agreed in writing to keep it confidential. Each party (and any Affiliates, employees and agents to whom it has disclosed Confidential Information) may use Confidential Information only to exercise rights and fulfill its obligations under this Agreement, while using reasonable care to protect it. Each party is responsible for any actions of its Affiliates, employees and agents in violation of this Section.
5.2 Exceptions. Confidential Information does not include information that: (a) the recipient of the Confidential Information already knew; (b) becomes public through no fault of the recipient; (c) was independently developed by the recipient; or (d) was rightfully given to the recipient by another party. "
It sounds like what Google is really saying is, "If we make some kind of secret deal with your organization, you better protect that secrecy as well as you protect all of your confidential information, or there is no limit to how much we can sue you for the breach."
But see the definitions: "Confidential Information" means information disclosed by a party to the other party under this Agreement that is marked as confidential or would normally be considered confidential under the circumstances. Customer Data is Customer's Confidential Information.
Does anyone know what this switch implies for Patriot Act information requests? I had heard that the UC puts up some resistance to the FBI when asked for user data, and that Google does less so.
It is talking about "confidentiality obligations", not "confidential obligations." That is, obligations to keep information confidential, not obligations that are themselves confidential.
And below, they define confidential information clearly:
'"Confidential Information" means information disclosed by a party to the other party under this Agreement that is marked as confidential or would normally be considered confidential under the circumstances. Customer Data is Customer's Confidential Information.'
They explicitly state that "Customer Data is Customer's Confidential Information." They are indeed saying that if they release the contents of an email, and it costs you a million dollars, then they are liable for that.
IAAL, and I deal with this stuff all day every day. The language you quote above is a very standard mutual confidentiality provision.
You left out the definition of "Confidential Information", but I'll bet you it's along the lines of "stuff one party gives to another that by its nature and under the circumstances would reasonably be considered to be confidential in nature".
Also, unlimited liability doesn't mean an automatic jackpot for the side whose secrets were leaked. It just means that the contract doesn't impose a ceiling on how much can theoretically be recovered in a worst-case scenario.
So, what's this really all about? Theoretically speaking, the fairest contract in the universe would not include any limits on liability at all. In other words, each party would and should be fully responsible for all of the harm that it causes.
However...by convention, it's very common for Party A to shift at least some of the risk of its screw-ups onto Party B. (If I had a dime for every sales person who told me "mistakes happen", I'd have thousands of dimes.)
One popular way to shift risk is to say "I'll be responsible for harm that I cause you, but only up to $X MM".
Another popular way to shift risk is to say "I'll be responsible for harm that I cause you, but only to the extent that I was the direct, proximate cause of it". (This rather vague standard gives the lawyers plenty to fight about in court.)
Anyway, imagine you gave me an important secret on a piece of paper to hold in safe keeping for you, and you asked me not to share it with anyone. Now, imagine that I lose the paper, and someone finds it, and your secret gets out.
What are your damages in that case? Well, we know you lost a piece of paper, so it's easy to measure your "direct" loss. Will you be happy if I just give you the price of a loose sheet of paper? No! You've just been dragged through the mud because I leaked your humiliating secret to the world. You're going to want compensation for losses that can't be so directly connected to my screw-up. You're going to want to hold me accountable for harm to your reputation, lost opportunities, etc. Maybe the secret on your piece of paper was the key to your company's whole competitive advantage! Now you're going to want to hold me responsible for ruining your entire business...just because I lost a piece of paper.
But you know what? You're not wrong. It's important to make both parties liable for losses that are both directly and indirectly caused by a breach of confidentiality, because the losses associated with leaked secrets can be quite severe indeed.
* The usual disclaimers apply. IAAL, but I'm not your lawyer. Don't treat this verbose, but fatally incomplete, post on HN as legal advice. ;)
It doesn't seem like google is saying, "if we lose an email, and it costs you a million dollars, we're liable for it".
From this section: "Confidential Information.
5.1 Obligations. Each party will: (a) protect the other party’s Confidential Information with the same standard of care it uses to protect its own Confidential Information; and (b) not disclose the Confidential Information, except to Affiliates, employees and agents who need to know it and who have agreed in writing to keep it confidential. Each party (and any Affiliates, employees and agents to whom it has disclosed Confidential Information) may use Confidential Information only to exercise rights and fulfill its obligations under this Agreement, while using reasonable care to protect it. Each party is responsible for any actions of its Affiliates, employees and agents in violation of this Section.
5.2 Exceptions. Confidential Information does not include information that: (a) the recipient of the Confidential Information already knew; (b) becomes public through no fault of the recipient; (c) was independently developed by the recipient; or (d) was rightfully given to the recipient by another party. "
It sounds like what Google is really saying is, "If we make some kind of secret deal with your organization, you better protect that secrecy as well as you protect all of your confidential information, or there is no limit to how much we can sue you for the breach."