The following article discusses session two in the IR Global Virtual Series on ‘GDPR Live: Troubleshooting the EU’s New Data Protection Legislation’
California – JSZ It’s been an interesting experience. What we’re seeing are template processor agreements sent to us in PDF form that are purportedly non-negotiable. They are being presented as having been created just to comply with GDPR and, given the proclivity of software as a service (SaaS) marketplaces here, there’s been a cascading effect.
For instance, every SaaS platform I see is hooked into a myriad of other platforms behind it. Everyone is pushing their PDF version of purportedly non-negotiable GDPR-compliant clauses. As lawyers, we read these clauses and often see names of companies that shouldn’t be included, dates that have no relevance whatsoever, and wonderful grabs at unlimited indemnification.
Basically, we are seeing back-door attempts to renegotiate risk allocation that was settled during the master agreement negotiations through the use of processor addendum. In fact, it is now commonplace for an in-house counsel at a large company, wishing to know as little about GDPR as possible, to send the addendum and say their privacy lawyers insist it is signed as-is and on a non-negotiable basis. But what is presented as being “merely GDPR compliant” is often much more than that upon review.
So that’s where the fun begins because most companies with SaaS platforms are trying to market their systems to bigger companies. That’s how you grow. Those bigger companies often have more exposure than the smaller SaaS platforms and also have more resources. So, when we’re talking about the 4 percent fine on turnover, that’s a huge exposure even for a start-up that might have raised one hundred million dollars as a unicorn in Silicon Valley. These locked .pdf addendums, if not reconciled with the risk allocations previously agreed upon at the master agreement stage, create giant risks to the start-up.
To try to mitigate these issues, we’ve advised people to try to be proactive through unilaterally updating their data security policies to be GDPR compliant and then instituting opt-in click-throughs with their customers accepting these changes. We’ve also advised clients to put a GDPR-compliant processor default agreement in contracts, to try to grab that land back before it gets thrust upon them.
We also see GDPR as a huge strategic advantage for European start-ups. Five years ago, European start-ups would have to reincorporate in Delaware in order to take on the US marketplace, because big companies would only want to contract with US companies here in the US.
We’re now seeing a diametrical shift. If you are a well vetted, privacy by design company from the ground up in France, then you may actually have a better chance of closing a deal with a big company in the US because there is an understanding developing that European companies have GDPR in their DNA. Bigger companies here in the US know that Silicon Valley companies are racing to catch up and, often, spinning their wheels in doing so.
Germany – KS Many of our clients have updated their data processing agreements at the beginning of the year. The new DPAs are more specific and comprehensive in comparison to the old ones. Most companies did not anticipate that the GDPR could affect control of data.
In German data protection law, joint control has been widely overlooked by companies and data protection authorities. The German data protection law did not include provisions specifically addressing joint control. Although the GDPR mentions joint control most consultants only considered joint control for cloud applications or jointly operated big data applications etc. That changed however with the judgement of the ECJ concerning Facebook fan pages that specifically stated that Facebook and the company maintaining the fan page can be joint controllers.
Many companies that previously assumed that they process data only on behalf are now considering joint control. Specifically, in groups of companies, a rethinking is currently taking place, particularly with regard to the transfer of data within corporate groups. This is a development that is in the early stages and that we will have to observe in the months to come.
England – JS There was a mass push in the run-up to the GDPR implementation date in May when everybody just sent out template processing agreements. Some got signed, and some didn’t and I just thought it was complete madness because these agreements were sitting outside commercial terms. I’ve got clients who have 9,000 contracts which say something different about data protection under the old regime, so how do you go through all of that in order to try and establish what the parties are going to do under GDPR?
There was a significant overkill by lawyers in terms of advising clients on what they needed to do.
We found a lot of resistance from clients who were getting these agreements or sending them out, saying do we really need to do this.
Over time we have managed to create much shorter versions because unfortunately, you have got to deal with articles 32-36 if data is being shared, but we moved into what we call our short form terms.
They sit on order acknowledgement forms or order issue forms and have a very simply follow the GDPR requirement lifted from the article. They simply state what will happen to data when an order is processed, there are no massive indemnifications included unless absolutely necessary.
It has been a real problem, and I don’t think anybody has come up with a really good solution to get around it yet. I think it’s just something that’s going to work through as parties renegotiate or enter into new contracts with customers. They’re just going to update the provisions to incorporate GDPR at that stage.
I’ll conclude with what the UK government is saying to UK businesses about Brexit and data protection. If there’s no deal, the UK will be considered as a third party, like our American colleagues, for the purposes of data protection and data transfer.
This needs to be in accordance with GDPR terms and we’ve been told that the European Commission will not consider an adequacy decision until we leave, so there may be a gap. The advice the government’s giving to UK businesses is to put some model agreements in place, with model terms for any data transfers coming out of the EU into the UK and vice versa.
As we get close to May, depending on how the negotiations go, another circle of template agreement will be produced and sent out to partner companies in the EU saying we now need to have something in place in order to comply with GDPR on cross-border transfers. We shall see though because I don’t think anybody really knows how the Brexit negotiations will play out.
Luxembourg – VK The definition of the controller is more or less difficult depending on the structure of the organisation and of the group of companies concerned. For instance, an investment fund structure (often used a structure in Luxembourg businesses) involves a lot of different entities and agents, such as management companies and brokers, which combine a lot of different activities implying a huge amount of data processed. This structure can create complex issues in terms of liability around the control of data.
The situation would be more or less the same when international groups, comprising EU and non-EU companies, are concerned, with a lot of data sharing under different forms (common IT system, sub-contracting, service agreement, etc.). In these complex situations, once the controller has been defined, another issue comes to a discussion is how to formalise the compliance obligations of each entity within GDPR.
In this respect, we generally advise our clients to draw up separate contracts dedicated to GDPR obligations, rather than to add additional clauses or to try to renegotiate existing commercial agreements. Psychologically, this seems to be better accepted.
Another topic is about raising awareness of the employees and agents of all the companies involved in their own responsibility about compliance with the GDPR, especially in terms of confidentially.
Sweden – AFS What is discussed a lot in Sweden, is perhaps a very simple question, but the discussion around it is very intense.
It concerns who is actually a controller of data and who is a processor. Around May 2018, everyone wanted to have their data processor agreement (DPA) signed, and there were just so many agreements to be signed. Then, after a while, people started to wonder whether the DPA was really needed.
I am a member of a Nordic data protection organisation called Forum för Dataskydd, and we have written a long list to the Swedish Data Protection Authority, asking them to come up with an explanation with guidelines on this subject.
We need to know when a DPA is, in fact, needed and I think the answer will be that the guidelines will be very general. The UK Information Commissioner’s Office (ICO) has written some guidelines, as has the Danish Data Protection Agency, Datatilsynet.
So, at the moment in Sweden, we use these two sets of guidelines to try to find out when a DPA is really needed. Some clients try to renegotiate the commercial terms and put in more or less anything in the DPA, but there is a difference if you compare Sweden with the UK. We normally have simpler agreements, which are much shorter with many references to GDPR. We do not have the Anglo-American style with very long agreements and a lot of text.
France – AMP We have created some practical tools to help clients with their information processor roles, depending upon the size of the organization and what is at stake. When possible, we try not to renegotiate all the agreements but offer practical methodology including several levels of service instead.
First, we provide the clients with a letter to be sent to their processors in order to inform the latter about these new rules which have increased their responsibilities. This first tool allows the clients to show their co-contractors that they are aware of this new distribution of roles.
We also have some standard terms that we propose to our clients as an alternative allowing to be compliant while saving time and costs.
In addition, we can engage with the different processors, and ask them to answer a list of questions we have established about security and their other commitments. Sometimes, to reassure our clients, we even propose to meet some of their processors so that we can check the level of compliance and help them to aid compliance with GDPR if needed.
Finally, we rewrite the standard terms, we work on the agreements and we explain to all stakeholders how GDPR works.
We emphasise that GDPR directly regulates the processors for the first time, meaning they have to comply with a lot of specific obligations. Therefore, the GDPR implies a change of philosophy because, before, with the French law of 1978, we experienced a lot of debates around who processes data, and who is the controller. The main difference is that before the GDPR, the controller was fully liable and the processor stayed in the background.
Now, we must be ready for a change of culture and to approach data processing with a fresh perspective. Indeed, since the GDPR has been applicable, it appears that the CNIL has published a lot of formal notices against companies which did not respect the provisions of the European regulation. Most of these publications from the CNIL pointed the finger at practices which do not protect effectively data subjects and mainly a lack of express consent. However, relating to controller/processor status and potential disputes that could arise, it appears that it’s a little early to fully measure the impact of this change. At the moment, we have noted that in most cases, both controller and processor are showing a serious commitment to their participation in the compliance process and try to collaborate with each other.
There is an impact on their insurance policies and the costs and risks are very different. The economic impact of GDPR is difficult to fully assess.
Belgium – MVS What we’ve seen in Belgium, is some contractual parties trying to abuse this type of GDPR contract to renegotiate commercial terms.
That is obviously something which we are very focused on, when we read this type of contract and so we try to keep it as simple as possible, drawing up a ‘civil law’ contract, not a US-style document. Obviously, we still need to tick all the boxes that GDPR requires, so we try to tell our clients in terms of the agreement, what they have to do to be GDPR compliant.
I think it was James or Jake that referred to very heavy indemnification clauses. That is also something that we see here in Belgium and we try to advise our clients to avoid taking on that kind of responsibility. These clauses are combined with an effort to shift liability or responsibility from one party to the other, even though that sometimes is against GDPR regulation.
Turkey – EB There was disarray at the beginning regarding the roles of a controller and a processor, but after long discussions, it’s clear in the minds of all lawyers who deal with GDPR. As of now, there is not much discussion on the roles of a processor and controller in Turkey.
GDPR and the Turkish Data Protection legislation have some differences. GDPR allows the DPO role to be outsourced, whereas the Turkish Personal Data Protection Law No.6698 (“TPDPL”) does not. In accordance with the TPDPL, controllers have to take all necessary technical and organisational measures by themselves. The reason for this is that the authorities have been concerned that companies would try to transfer their liabilities to third parties and avoid lawsuits and penalties. As a further result, the liability and responsibility of controllers and processors are stipulated as a joint liability by the TPDPL.
Another difference between GDPR and the TPDPL is the conditions applicable to children’s consent in relation to information society services. GDPR deems the processing of the personal data of a child lawful where the child is at least 16 years old. On the other hand, TPDPL only deems a consent lawful if it is given by someone over the age of 18.
Turkey also has a data controller registry system to which controllers must be registered prior to the commencement of the data processing activity. Processing activity has to be explained in detail, including reasons and purposes for personal data processing.
This must include details on the maximum duration for which the personal data will be kept and whether or not it is going to be transferred to a foreign country.
With regard to contract negotiation, they are not generally being renegotiated from scratch, although there are of some abusers of this re-negotiation issue. However, it is not effective, because the law is clear on the responsibilities of each party. It is in the best interests of both parties to finalize the additional clauses and move forward.
Although some try to impose template agreements, articles that burden unfair responsibilities in such agreements are considered malicious and courts deem them invalid especially in B2C relations. Whereas in B2B relations, it is less likely for courts to do so. We do see these template agreements, but not with big reputable companies, rather aggressive companies who try to get the most out of an undigested issue when they come across uninformed companies.
Bulgaria – PD When defining the roles within an organisation, we use the opinion of WP 29 from 2010, ICO’s guidelines and any other valuable recommendations by reputable authorities, in addition to our own professional opinion.
In everyday practice, we face considerable misunderstanding of these role issues by organisations and their legal advisors. We see this locally, but in many cases, problems come from the headquarters of big corporations. An example is the strange trend of controllers to request signing of a controller-processor agreement with an organisation which, in fact, also has the role of a controller as well.
It is also hard for organisations to realise that there is not only one label that they should choose – controller or processor – and that there are many hybrid and complex situations between two parties.
In this respect my advice is organisations to look deeper, using a granulated approach on every single processing operation performed by a party. Organisations have been in an urgent rush to sign processing agreements corresponding to the requirements of GDPR, and in many cases, this was done formally. That’s why I foresee a new wave of renegotiations in a coming couple of years, with a better understanding of the issues, based on practical experience.
James Simpson (JS) Blaser Mills Law – England www.irglobal.com/advisor/james-simpson
Petya Dobrenova (PD) Karastoyanov, Mitkov & Associates Law Office – Bulgaria www.lawyers-bg.net/en/page/5
Valérie Kopéra (VK) Bonn Steichen & Partners – Luxembourg www.bsp.lu/professionals/counsel/valerie-kopera
Erdem Balkan (EB) Guzeldere & Balkan Law Firm –Turkey www.irglobal.com/advisor/erdem-balkan
Anna Fernqvist Svensson (AFS) Hellström advokatbyrå kb – Sweden www.irglobal.com/advisor/anna-fernqvist-svensson
Kathrin Schürmann (KS) Schürmann Rosenthal Dreyer Rechtsanwälte – Germany www.irglobal.com/advisor/kathrin-schurmann
Maarten Van Staeyen (MVS) QUORUM – Belgium www.irglobal.com/advisor/maarten-van-staeyen
Anne-Marie Pecoraro (AMP) ATurquoise – France www.irglobal.com/advisor/anne-marie-pecoraro
Jake Schwarz (JSZ) Pacific Crest Law Partners – U.S. – California www.irglobal.com/advisor/jake-schwarz