TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

The EU Council Presidency on September 18 put forward to member states an 88-page compromise proposal on the ePrivacy Regulation containing considerable changes and amendments. Several of the proposed changes to the provisions on email marketing and cookie use are likely to be relevant to readers. Here is the proposal of the Finnish Presidency. The main areas modified by the current proposal are:

  • Email marketing
  • The definition of direct marketing
  • Procedures around direct marketing calls
  • End user consent for cookies

The Pittsburgh session of the annual Cyberlaw Update for the Pennsylvania Bar Institute (PBI) will take place on Tuesday, July 17. Moderated by Morgan Lewis partner Peter Watt-Morse, the update enters its 21st year, and this year’s seminar will focus on current hot-button issues, including blockchain and cryptocurrency, as well as security and privacy concerns related to social media, IoT, the GDPR, and the Dark Web.

Speakers at the all-day event include Mr. Watt-Morse and of counsel Emily Lowe, who will be speaking on privacy and security concerns regarding social media from both a policy and a regulatory standpoint in the wake of the disclosures related to Cambridge Analytica, and associate Ben Klaber, who will be reviewing such concerns as they apply to the burgeoning market of Internet of Things (IoT) devices.

The Hamburg Data Protection Agency (DPA) recently fined three companies for not having appropriate replacements for the Safe Harbor in place after the expiration of the permitted grace period. While the amounts of these fines are not particularly concerning, the precedent and potential for future, more burdensome fines is significant.

As we discussed in a previous post, in the landmark case Maximillian Schrems v. Data Protection Commissioner, the European Court of Justice (ECJ) ruled that the Safe Harbor program (which had governed the conditions for transfers of personal data from the European Union to the United States since 2000) is invalid. The European DPAs granted companies a transition period to migrate from the Safe Harbor to other legal tools for their international data transfers, in particular Binding Corporate Rules (BCRs) or the Model Contractual Clauses. That transition period expired in February. Since then, some proactive DPAs, including the Hamburg DPA in Germany, have launched their own inquiries to ensure that the companies under their jurisdiction are in compliance.

In a press conference on April 13, the chair of the EU Article 29 Data Protection Working Party (WP), Isabelle Falque-Pierrotin (also president of France’s Data Protection Authority [DPA], the CNIL) expressed concern regarding the Privacy Shield. Specifically, her concerns involved the (1) continued bulk collection of data for surveillance purposes that includes data associated with EU citizens, (2) lack of recognition of the data-retention principle in the Privacy Shield, and (3) independence and authority of the US Privacy Shield ombudsman who would deal with EU complaints.

The WP is still concerned about the possibility of a “massive and indiscriminate” bulk collection of EU citizens’ data. In addition, the DPAs still have various questions about onward data transfers, even though progress has been made on this topic. Chair Falque-Pierrotin said that the EU DPAs have raised several points with the EU Commission and the US administration. Some of these concerns have been met with informal unwritten assurances, but they cannot form an integral part of an adequacy decision.

In some circles, lawyers have a bad reputation for being tricky little buggers who use tools like precision wording and careful drafting to “lawyer up” simple, tried-and-true business concepts, such as “the parties will work together to . . . ” Whether or not trickery is ever intended, it is always important to pay attention not only to what concepts appear in an agreement but also to where they appear.

Limitations of liability are big-ticket review items for all types of transactions. In most sectors, a limitation on damage types (e.g., consequential damages) and a limitation on damage amounts (e.g., damage caps) are market provisions. The real battleground, however, is on the exclusions to such limitations. For many service providers, no matter the starting position, the first round of revisions will typically include customary carve-outs for breaches of confidentiality and third-party indemnification claims. Aggressive or ill-tempered negotiators may ask for more, or agree to less, but we find that most lawyers who routinely work in this space will agree to the above two carve-outs, even if they grumble about it a bit.

Keeping the above in mind, it is also important to note that many form agreements, especially those that come from a vendor, do not initially include robust data privacy and security provisions. At most, there may be a reference to a website detailing security terms or an obligation to use “commercially reasonable” protective efforts in the warranty section, but it is also exceedingly common for a vendor to omit the concept entirely. Thus, the onus is on the customer to insert protective information security provisions that are appropriate for the proposed transaction.