Morgan Lewis partner Peter Watt-Morse (Pittsburgh) and associate Eric Pennesi (Pittsburgh) will be participating in the Pennsylvania Bar Institute’s 2019 Cyberlaw Update, which will address trending topics, including blockchain and cryptocurrency, security and privacy concerns related to social media, and the GDPR.

Topics to be discussed include:

  • Social Media Ethics – Its Use and Impact on the Practice of Law
  • IP in the Age of Cloud Computing and Artificial Intelligence
  • Responding to Data Breaches – Legal Update and Practical Counsel

The event will be hosted at the PBI Professional Development Center (Heinz 57 Center, 339 Sixth Avenue, 7th Floor, Pittsburgh PA, 15222) on Tuesday, April 30 from 9:00 am to 4:00 pm.


Towards the end of 2018 we ran a series of Contract Corner blog posts on the GDPR and Data Processing Addendums. (See here and here.) December brought detailed guidance from the UK Information Commissioner’s Office (ICO) on contracts and GDPR compliance (the New Guidance), which replaces draft guidance previously issued as part of a consultation by the ICO in 2017 (the Draft Guidance).

As 2018 comes to a close, we have once again compiled all the links to our Contract Corner blog posts, a regular feature of Tech & Sourcing @ Morgan Lewis. In these posts, members of our global technology, outsourcing, and commercial transactions practice highlight particular contract provisions, review the issues, and propose negotiating and drafting tips. If you don’t see a topic you are interested in below, please let us know, and we may feature it in a future Contract Corner.

In Part 1 of this series, we looked at the prevalence of standalone data processing addendums (DPAs) as a means to comply with rules on engaging third-party outsourcers under the EU General Data Protection Regulation (GDPR). In particular, we focused on the risks associated with “one size fits all” precedence clauses. In this Part 2, we take a detailed look at some of the commercial issues arising from DPAs, the GDPR’s mandated contract requirements.

What’s the Issue?

Article 28 of the GDPR includes a set of mandated data processing clauses that are broader in scope than the contract requirements under previous EU data protection laws. In addition, despite the GDPR having been in force for more than six months now, it is still uncertain how regulators will interpret and enforce Article 28.

As a result, parties to outsourcing agreements can find themselves in protracted discussions around which party bears the cost of implementing Article 28. Below are some key areas of focus in the context of outsourcing agreements.

Although the EU’s General Data Protection Regulation (GDPR) has been in force for more than six months, many organizations are still getting to grips with some of the practical requirements, including ensuring that their contracts comply with Article 28, which mandates a number of key clauses if personal data is being processed under the service agreement.

With potentially hundreds of in-scope contracts, customers and suppliers alike have developed standard-form data processing addendums (DPAs) or similar contract documents in order to address these Article 28 requirements. DPAs are fast becoming the preferred approach for both new agreements and existing contracts.

From time to time, data controllers are confronted with the question of whether data subjects can raise claims for specific security measures against the controller under Article 32 of the EU General Data Protection Regulation (GDPR). These measures can be costly and cumbersome for the controller.

The Austrian Data Protection Authority (DPA) has decided that there is no such claim. In the relevant case (AZ: DSB-D123.070 / 0005-DSB / 2018), the DPA ruled on a claim by a data subject to pseudonymize personal data. The complainant had filed two complaints with the DPA alleging a violation of the fundamental right to data protection (Section 1 of the Austrian Data Protection Act) for an alleged failure to delete data or pseudonymize personal data. The respondents were two Austrian public authorities: the Federal Ministry for Europe, Integration and Foreign Affairs and the Federal Chancellery.

The European Court of Justice (ECJ) in Luxembourg rendered a judgment on July 12 that explains, among other things, what a (joint) data controller is. The judgment is on the “old” EU Data Protection Directive 95/46/EC, but the relevant provisions in the General Data Protection Regulation (GDPR), Art. 4 and 26, are very similar.

1) Background

The case is about Jehovah’s Witnesses Community and whether taking notes in the course of their door-to-door preaching falls under the GDPR. The ECJ states that (a) their activities don’t fall under the exemptions for religious communities, and that (b) the community is a data controller jointly with its members who engage in this preaching activity.

2) Quotes from the Judgment (emphasis added)

65 “As expressly provided in Article 2(d) of Directive 95/46, the concept of ‘controller’ refers to the natural or legal person who ‘alone or jointly with others determines the purposes and means of the processing of personal data’. Therefore, that concept does not necessarily refer to a single natural or legal person and may concern several actors taking part in that processing, with each of them then being subject to the applicable data protection provisions (see, to that effect, judgment of 5 June 2018, Wirtschaftsakademie Schleswig-Holstein, C‑210/16, EU:C:2018:388, paragraph 29).

Alphabet Inc.’s Google has taken advantage of the European Union's General Data Protection Regulation (GDPR) to gain a larger share of digital marketing spending in Europe. On the first day that the GDPR took effect, approximately 95% of European advertising spend went to Google. The company’s example is a case study in how regulatory preparedness can have a tangible impact on market advantage.

Google spent over a year preparing for the GDPR by updating more than 12 million contracts, with the end result being Google’s ability to gather user consent for targeted advertising at a much quicker pace than competitors. A Google spokesperson stated, “over the last year, we’ve engaged with over 10,000 of our publishers, advertisers and agencies across nearly 60 countries through events, workshops and conversations around the changes we’re making to be compliant with the GDPR,” as reported by Bloomberg. While many other companies have been caught flat-footed and are still scrambling to comply with GDPR privacy rules, Google seized the opportunity and has emerged an early winner.

Based on the flood of updated privacy policies that have inundated email boxes throughout the world, it is clear that the European Union's General Data Protection Regulation (GDPR) is now in full effect. The EU's new European Data Protection Board (EDPB) has already provided guidance on one area where member states have the ability to issue additional guidance ("Derogations"): transferring personal data outside of the European Union.

During its first plenary meeting on May 25, 2018 (the same day the GDPR became effective), the EDPB adopted the final version of the Guidelines 2/2018 providing general guidance applicable to international transfers under Article 49. The predecessor to the EDPB, the Article 29 Working Party, conducted a public consultation on a draft of these guidelines. The EDPB took into consideration the replies received and integrated the appropriate changes into this adopted version.

Reserve your spot for the annual Technology, Outsourcing, and Commercial Transactions Networking Roundtable on April 26, 2018, from 3:00 pm to 5:30 pm at the Morgan Lewis Philadelphia office.

Leaders in the industry will present on this year’s hot topics and key ethical considerations for a total of two-and-a-half hours of CLE credit (including one hour of ethics credit). A networking and cocktail reception will follow the presentations on these significant and developing areas of law.