Don't Get SaaS'd: Contractual Tips For In-House Counsel Regarding GDPR Compliance (Part II)

Service provider contracts need to be revisited and, in certain cases, even renegotiated as a result of the GDPR.

In my previous column, I provided some tips on a technology-oriented, systemic approach to set the foundation for GDPR compliance.  As you know, the GDPR became effective on May 25, 2018, so for companies obtaining “personal data” from EU “data subjects,” such compliance is mandatory.  As a result, U.S. companies obtaining such information from such data subjects are best advised to reassess their systems and processes to address GDPR requirements.  With this basic foundation in place, it’s time to turn attention to specific contractual considerations (especially for SaaS services) that should be considered for GDPR compliance.

Before diving into such contractual considerations, some additional definitions under the GDPR must be understood — more specifically, the roles of a data “controller” and a “processor” of such data. Under Article 4 of the GDPR, a “controller” is defined as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law” (emphasis added). In essence, a controller determines the “why” and “how” for processing personal data. Even though it is common for controllers to use “processors” to process personal data, controllers remain responsible for ensuring that their processors comply with GDPR requirements. As a practical matter, U.S. companies seeking personal data from customers almost always act as “controllers” under the GDPR construct because they are determining what they are collecting and directing the means for doing so.

With respect to “processors,” the GDPR defines them as a “natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller” (emphasis added). So processors essentially handle the processing of personal data as required by a controller. As a result, the GDPR places specific legal obligations upon processors regarding such processing, including but not limited to maintaining records of the processing of such personal data. Of course, processors also shoulder liability for personal data breaches. Although there are many more aspects to controllers and processors under the GDPR, the important point here is that Article 28 of the GDPR requires controllers to enter into written contracts with their processors. This is more than merely demonstrating compliance on its face — it operates as a means of properly outlining duties and responsibilities under the GDPR.

There are a number of specific terms required in these contracts, which are designed to ensure the processor meets all the GDPR requirements (not just personal data security requirements). In fact, these terms can help guide the behaviors between the controller and processor for compliance (a good thing). That said, things become a lot murkier when dealing with the interoperation between U.S. companies (acting as controllers) and their providers (operating as processors), because there are existing contracts in place that, in all likelihood, do not fulfill the requirements for GDPR compliance. What companies need to understand is that these terms affect existing contractual relationships between the company and its service providers (e.g., hosting service providers), supporting services for those providers (which may be subprocessors), as well as their customers (who may be data subjects).

As discussed previously, the GDPR may only apply to EU data subjects, but the services that U.S. companies provide through their providers to their customers are most likely not segmented — the data flows through the provider to the U.S. company regardless of whether it originates from an EU citizen or a U.S. customer. Unfortunately, ignorance is no excuse, and existing contractual relationships will need to be modified to address GDPR requirements. With this in mind, here are a few specific contractual considerations that every U.S. company struggling with GDPR compliance should assess:

Definitions Are Not Created Equal. In all likelihood, your existing contracts contain definitions that either do not correlate with the GDPR or fail to contain relevant ones altogether. For example, the U.S. approach to privacy generally focuses on the “personal information” (or “personally identifiable information”) of an individual. The definition of “personal data” under the GDPR, however, is far broader, potentially encompassing anything from biometric identifiers to email addresses and internet protocol addresses for individual mobile devices. More importantly, the underlying concepts of “controller,” “processor,” and even “subprocessor,” among other terms, will likely need to be introduced into existing contractual constructs. Although there is no definitive guidance from enforcement (yet), companies that ignore these challenges do so at their own (potentially significant) risk.

All Breaches Aren’t Created Equal Either. By this point it should come as no surprise that the U.S. and GDPR approaches to data breaches are very different. Unlike the GDPR, the U.S. does not have a federal data breach notification law in place, relying instead on a patchwork of state laws covering data breach notification. Further, the GDPR covers all “personal data,” as opposed to the narrower categories of sensitive personal information that most state data breach notification laws cover. Worse, Article 33 of the GDPR expressly sets a 72-hour personal data breach notification period for controllers to notify the appropriate supervisory authority (that is, “unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”), while processors are required to notify the controller “without undue delay after becoming aware of a personal data breach.” Needless to say, there are significant disparities between the U.S. approach and the GDPR that merit, indeed mandate, extra attention.


All’s Fair in Liability and Damages. The penalties that can be assessed for failure to comply with the GDPR are substantial — if up to 4 percent of gross annual turnover or €20M does not get a company’s attention, I don’t know what will. That said, there are hidden dangers within agreements with service providers that cannot be ignored. For example, most SaaS agreements with customers effectively “pass through” specific risks from the service providers supplying the hosting platform, such as certain limitations of liability and damages. Insurance companies have definitely been preparing for GDPR implementation as well, with coverages (and exclusions) being molded to minimize exposure, forcing a rethink of insurance coverage and risk allocation between parties. Needless to say, a lot of existing risk is now at greater risk due to the GDPR.

The above points truly only scratch the surface, but the point is that service provider contracts need to be revisited and, in certain cases, even renegotiated as a result of the GDPR. Of course, not every contractual relationship will require structural changes, but in almost all cases, every such relationship will absolutely require some level of clarification, revised representations, and risk re-allocation. If your company (or client) is not taking steps to address these challenges, they need to know that they actually are taking steps by default… just in the wrong direction.


Tom Kulik is an Intellectual Property & Information Technology Partner at the Dallas-based law firm of Scheef & Stone, LLP. In private practice for over 20 years, Tom is a sought-after technology lawyer who uses his industry experience as a former computer systems engineer to creatively counsel and help his clients navigate the complexities of law and technology in their business. News outlets reach out to Tom for his insight, and he has been quoted by national media organizations. Get in touch with Tom on Twitter (@LegalIntangibls) or Facebook (www.facebook.com/technologylawyer), or contact him directly at tom.kulik@solidcounsel.com.