What You’re Missing When You Copy Other Companies’ Privacy and Data Security Agreements
Many companies are guilty of copying others’ contracts as a shortcut to creating their own templates. While some companies do, in fact, have great technology contracts, one should be aware of the pitfalls of failing to tailor the contract to the needs of their own business.
These pitfalls can be especially tricky in privacy and data security agreements, which are often premised on convoluted and ever-changing laws. For example, as we approach the one-year mark until new E.U. laws come into effect, companies are stepping up their efforts to implement and improve their privacy and security programs in order to ensure compliance with both domestic and international laws, while simultaneously trying to balance risks with business interests.
Below are a few key factors for companies to contemplate when drafting, or signing, privacy and data security agreements.
A Few Considerations
1. Location and transfer of data affect applicability of laws.
The location of the data, both the region from which it is being transferred as well as the country where it will be stored, can affect which regions’ laws should be applied to the data.
Similarly, if a business has a presence in specific countries, or has users or customers there, it may be subject to the privacy laws of those countries.
2. Regional laws and frameworks may expand contractual requirements.
Companies should carefully review privacy and data security laws as well as regulatory regimes for requirements concerning contract provisions.
For example, the E.U. Privacy Shield and Swiss Privacy Shield Frameworks are voluntary programs created “to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data.” These Frameworks require companies to have contracts in place with specific parties, and these contracts must require those parties to provide the same level of protection for information as is required by the Privacy Shield Framework, even if the party is not a participant in the program.
3. Industry-specific laws can limit data use.
In the United States, much of the privacy law landscape is based on a sectoral model, wherein specific privacy laws apply only to specific industries and verticals, such as the Health Insurance Portability and Accountability Act (HIPAA) for health information, and the Gramm-Leach-Bliley Act (GLBA) for financial institutions.
Many of these laws, as well as many international laws, require that service providers use data solely for the purposes specified by the customer, or only to the extent required to provide the services.
4. Security breach expenses differ.
Privacy and data security agreements often require the service provider to shoulder the customer’s costs in the event of a security breach, costs that the agreement’s indemnification provisions may not fully address.
As a result, each party may consider, at minimum: (1) the sensitivity of the data at issue; (2) its willingness to pay/accept actual or reasonable costs; (3) the extent to which it must protect affected individuals; and (4) its willingness to provide/accept alternative services to affected individuals.
5. Companies often have conflicting expectations post-termination of the contract.
Each party should consider how it expects company data to be handled once the contract terminates.
This may include: data retrieval, format of data, data retention, and data destruction.
NOTE: These are general, non-exhaustive considerations that can surely be discussed in greater depth. For comprehensive information specific to your company’s needs, you should contact your legal counsel.
This blog post is made available to provide education and general information on the law and legal trends, only. It does not provide any legal advice or represent the views of any specific person or entity. By visiting this page you understand that there is no attorney-client relationship between you and Anisha Mangalick. This blog should not be used as a substitute for competent legal advice from a licensed attorney in your state.