Morgan Lewis recently published an article on the 2019 Novel Coronavirus (COVID-19) outbreak and its effect on the General Data Protection Regulation (GDPR) in the European Union. This article discusses the temporary suspension of some data-protection rights in times of crisis, and how the need to address the ongoing health crisis is being balanced against data-protection rights in Italy, France, and Germany.
The Clearing House (the oldest banking association and payments company in the United States) recently released a model agreement as a voluntary starting point to facilitate data sharing between financial institutions and fintech companies.
The model agreement is intended to provide a standardized foundation that speeds up data access agreement negotiations; as the Clearing House notes, “[L]egal agreements between banks and fintechs have sometimes taken 12 months or more to be developed and finalized and have become a significant bottleneck to API adoption.” Additionally, the model agreement is designed to reflect the Consumer Financial Protection Bureau’s consumer protection principles on data sharing and aggregation, providing confidence to the contracting parties that the terms address key regulatory issues.
Check out this recent LawFlash by Morgan Lewis partners Michael Pierides and Simon Lightman discussing the groundbreaking fines the United Kingdom’s Information Commissioner’s Office (ICO) proposed against two global organizations pursuant to the EU General Data Protection Regulation (GDPR). Under the GDPR, which seeks to promote transparent and responsible collection and maintenance of consumers’ personal information, applicable regulatory agencies can impose fines on organizations that do not comply with the strict GDPR standards.
Recently, the ICO issued fines to two companies following 2018 data breaches affecting their respective customers. Under previous data protection laws, fines were limited to hundreds of thousands of dollars, but in the new era of the GDPR, the companies are facing fines of $227.5 million and $123.1 million, respectively. The issuance of these massive fines puts global companies on notice that the GDPR should be taken seriously, and that the ICO, in particular, will not hesitate to dispense unprecedented consequences for noncompliance.
The European General Data Protection Regulation (GDPR) took effect in May 2018, requiring companies that handle or process EU residents’ personal information to conform to practices that seek to more fully protect consumer sensitive information. Companies that fall under this category, known as data controllers, must secure consumer consent or another legally acceptable method of gathering personal information, notify individuals of the personal information that is collected and how it will be used, and limit the collection and maintenance to necessary information for a limited period of time. The individuals whose personal information is gathered also have a right to access the information, limit its use, and withdraw their consent from data controllers for such use.
Additional Information to Include
- Directions for customers to access and update data (e.g., password resets, contact information updates, and mechanisms for unsubscribing)
- Contact details or other means of reaching persons in your organization that can address user queries or concerns
Despite these concerns, many companies’ policies are seemingly insufficient. A recent opinion piece published as part of the New York Times’ Privacy Project assessed 150 privacy policies from various companies and found that the vast majority of them were incomprehensible for the average person. At best, these seem to have been “created by lawyers, for lawyers” rather than as a tool for consumers to understand a company’s practices.
Morgan Lewis partner Peter Watt-Morse (Pittsburgh) and associate Eric Pennesi (Pittsburgh) will be participating in the Pennsylvania Bar Institute’s 2019 Cyberlaw Update, which will address trending topics, including blockchain and cryptocurrency and security and privacy concerns related to social media, in addition to GDPR.
Topics to be discussed include:
- Social Media Ethics – Its Use and Impact on the Practice of Law
- IP in the Age of Cloud Computing and Artificial Intelligence
- Responding to Data Breaches – Legal Update and Practical Counsel
The event will be hosted at the PBI Professional Development Center (Heinz 57 Center, 339 Sixth Avenue, 7th Floor, Pittsburgh PA, 15222) on Tuesday, April 30 from 9:00 am to 4:00 pm.
Towards the end of 2018 we ran a series of Contract Corner blog posts on the GDPR and Data Processing Addendums. (See here and here.) December brought detailed guidance from the UK Information Commissioner’s Office (ICO) on contracts and GDPR compliance (the New Guidance), which replaces the draft guidance previously issued as part of a consultation by the ICO in 2017 (the Draft Guidance).
As 2018 comes to a close, we have once again compiled all the links to our Contract Corner blog posts, a regular feature of Tech & Sourcing @ Morgan Lewis. In these posts, members of our global technology, outsourcing, and commercial transactions practice highlight particular contract provisions, review the issues, and propose negotiating and drafting tips. If you don’t see a topic you are interested in below, please let us know, and we may feature it in a future Contract Corner.
In Part 1 of this series, we looked at the prevalence of standalone data processing addendums (DPAs) as a means to comply with the rules on engaging third-party outsourcers under the EU General Data Protection Regulation (GDPR). In particular, we focused on the risks associated with “one size fits all” precedence clauses. In this Part 2, we take a detailed look at some of the commercial issues arising from DPAs and the contract requirements the GDPR mandates.
What’s the Issue?
Article 28 of the GDPR includes a set of mandated data processing clauses that are broader in scope than the contract requirements under previous EU data protection laws. In addition, despite the GDPR having been in force for more than six months now, it is still uncertain how regulators will interpret and enforce Article 28.
As a result, parties to outsourcing agreements can find themselves in protracted discussions around which party bears the cost of implementing Article 28. Below are some key areas of focus in the context of outsourcing agreements.