Data is increasingly considered one of the most important assets for the modern business enterprise, both as a marketable commodity and as a raw material for advanced analytics.1 Yet, data's opportunities are not without risks, especially when such data is considered "personal data" under applicable data security and privacy laws.2 Such laws have expanded in recent years, with the European Union's General Data Protection Regulation (GDPR)3and the California Consumer Privacy Act (CCPA)4 being among the most discussed examples. This expansion presents new compliance challenges for businesses seeking to leverage personal data and, in some cases, may increase a business's exposure to liability for breach incidents. When considered in light of the fact that businesses frequently turn to outside service providers for their data processing needs, it is no wonder that these developments have accelerated the proliferation of a specialized type of agreement – the data processing agreement.
Data Processing Agreements Basics
A "data processing agreement" is a contract used to allocate rights and obligations between parties that share personal data for specified purposes.5Typically, such agreements are between a "data controller" (i.e., a person who determines why and how personal data is processed)6 and a "data processor" (i.e., a person who processes personal data at the controller's direction).7However, the parties' roles may be more complex, such as when a multinational company structures an agreement to allow personal data to flow freely among affiliates in different jurisdictions.8 As a result, a data processing agreement can take different forms depending on the parties' relationship and related requirements.9
A data processing agreement may be required by contracts with third-parties10 or under applicable law (assuming failure to utilize alternative compliance mechanisms, such as binding corporate rules, where applicable).11 For example, GDPR article 28 requires data processing agreements in certain contexts and lists content requirements for such agreements.12 Jurisdictions may require data processing agreements to contain specific contractual provisions and provide suggested language to ease compliance, known as "standard contract clauses."13
In addition to such standard contract clauses, a data processing agreement often contains other important provisions. To name a few examples, such provisions may include: additional representations and warranties regarding data security; data controller audit rights; limitations of liability; indemnities; insurance provisions; and standards for administrative or technical assistance.14
Importance of Due Diligence
Despite a data processing agreement's apparent comprehensiveness, such an agreement, standing alone, is not a substitute for adequate due diligence.15 Although a data processing agreement will often contain provisions regarding data security, parties should be cautious about relying on contractual remedies when faced with data breach and incident risk, especially if there are not adequate risk mitigation measures in place (e.g., cybersecurity insurance).16 Thus, data controllers should be take steps to determine whether data processors are using adequate administrative, physical and technical safeguards to protect personal data from unauthorized access, accidental loss, damage, and the like.17 In fact, reasonable measures may be required.18
Importance of Understanding Technology
In addition to adequate due diligence, contracting parties (and their attorneys) should become familiar with the technical aspects of the proposed processing activities.19 If an employed technology's default functions are not fully considered, unintended consequences may follow, such as when someone's use of a cloud-based service triggers cross-border transfer restrictions or when background digital tagging causes a company to inadvertently collect information governed by unfamiliar laws. Such unintended consequences and associated risks should be addressed in the data processing agreement.
Key Drafting Considerations
The technical and other challenges associated with drafting data processing agreements that address the relevant issues—not to mention the relative novelty of such agreements here in the United States—may make negotiations between the parties difficult to forecast. However, the parties' attorneys may find it helpful to focus on a few key points:
1. The Parties' Roles: Data processing agreements should identify which party is a data controller and which party is the data processor, and under what circumstances their respective roles may change.
2. Processing Purpose: Data processing agreements should specify the purpose(s) of covered processing activities, both to inform the agreement's scope and to confirm compliance with governing law.
3. Scope of Processing Activities: Data processing agreements should specify the processor's permitted processing activities, and applicable restrictions, either by listing broad categories or providing more specific instructions. Both business and technical input will be necessary to ensure the specified scope meets the parties' expectations.
4. Data Subject Rights: Data processing agreements should allocate responsibility for dealing with data subject inquiries and requests, especially if some data subjects may have rights under applicable law to information disclosure, access, rectification, erasure, portability, and the like.20
5. Security Standards: Although a data processing agreement should clarify minimum security standards, a controller should conduct appropriate due diligence regarding a potential processor's security measures prior to executing the agreement and may seek audit rights to confirm compliance throughout the term.21
6. Sub-Processors: Data processing agreements should clarify requirements for and restrictions on the processor's use of sub-processors, including affiliates and personnel.
7. General Risk Allocation: Data processing agreements should allocate responsibility for assuming and mitigating risks associated with processing personal data, including legal compliance, responses to breach incidents, and defending against third-party claims.
8. Responding to a "Breach": The parties should clarify expectations regarding what constitutes a "breach" and their respective obligations if such a breach occurs. That clarity will help the parties to avoid being bogged down by ambiguity when (not if)22 such a breach occurs.
9. Other Definitions: Other important defined terms—such as "personal data" and "processing"—may need to mirror the defined terms under governing law, if applicable.
10. Conflicts: Data processing agreements are often addendums to more general services agreements, and, for this reason, should specify that the data processing agreement controls in the event of a conflict between its terms and the terms of any other agreement between the parties.23
11. Compliance: Data processing agreements should not be treated as mere boilerplate, and the parties should keep in mind the importance of actual compliance with such agreements. For this reason, parties should attempt to promote simplicity and consistency in their data processing agreements.
1 Bernard Marr, Data Strategy: How to Profit from a World of Big Data, Analytics and the Internet of Things (2017).
2A threshold issue for determining whether specific data security and privacy laws apply to a given scenario is whether the information at issue falls within the defined scope of covered information. Compare La. Rev. Stat. § 51:3073 (defining "personal information"), with 42 U.S.C. § 1320d(6) (defining "individually identifiable health information").
3Regulation 2016/679 of the European Parliament and of the Council on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Advancement of Such Data, and repealing Directive 95/46/EC, 2016 O.J. L 119/1 [herein "GDPR"].
4California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100, et seq.
5See International Association of Privacy Professionals (IAPP), Data Processing Agreements: Coordination, Drafting & Negotiation 1 (Justin B. Weiss ed., 2019). Data processing agreements can be contrasted with confidentiality agreements and non-disclosure agreements, which are both broader in scope (applying to non-public information beyond just personal data) and usually less specific with regard to prohibited and/or required processing activities. Id. at 3.
6GDPR, art. 4(7) ("'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; . . .").
7See id. art. 4 ("'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; . . .").
8In such a case, different parties may be simultaneously joint controllers, controllers, processors and/or sub-processors of personal data shared throughout the organization.
9See generally IAPP, supra note 5, at 11-18
10For example, a data processor may, under its data processing agreement with a data controller, be required to enter into data processing agreements with its own vendors (i.e., "sub-processors").
11Laws requiring data processing agreements generally seek to cause data processors to incur contractual obligations that mirror the data controller's obligations to data subjects that arise by operation of law. See, e.g., 45 CFR § 164.504(e) (requirements for contracts between a covered entities and business associates under Health Insurance Portability and Accountability Act of 1996 (HIPAA)). However, some jurisdictions may provide for alternative compliance mechanisms in certain situations, such as when personal data is being shared among affiliates. See, e.g., GDPR arts. 46(2)(b), 47 (binding corporate rules).
12GDPR art. 28.
13See, e.g., Standard Contractual Clauses (SCC): Standard Contractual Clauses for Data Transfers between EU and Non-EU Countries, European Commission (last visited Aug 8, 2019), https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
14The IAPP recently released a model data processing agreement for controller-to-processor transfers, which is available in IAPP, supra note 5, app'x A.
15See generally Roland L. Trope, The Importance of Cybersecurity Due Diligence for an M&A Deal, in Guide to Cybersecurity Due Diligence in M&A Transactions 9-41 (Thomas J. Smedinghoff & Roland L. Trope eds., 2017).
16There are two particular concerns when relying on contractual remedies in such circumstances. First, the time and energy needed to enforce contractual rights against any uncooperative data processor often means the data controller must front significant initial costs, especially when the data controller is facing a tight timeline for complying with breach notification laws and responding to a public relations crisis. Second, the potential liability associated with a data breach may render the responsible data processor judgement proof.
17For helpful resources regarding cybersecurity, see Cybersecurity Framework, NIST (last updated Aug. 13, 2019), https://www.nist.gov/cyberframework.
18See La. Rev. Stat. § 51:3074(A).
19An attorney should acquire, at minimum, a sufficient understanding of the subject technology to meet her ethical duty to provide competent representation to her client. LSBA, Pub. Op. 19-RPCC-021 (2019), available at http://files.lsba.org/documents/Ethics/EthicsOpinionLawyersUseTech02062019.pdf.
20See, e.g., California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100(d), 1798.105, 1798.110, 1798.115; GDPR arts. 12 to 21.
21For an example of a due diligence checklist, see Security, ico (last visited Aug. 1, 2019), https://ico.org.uk/for-organisations/guide-to-data-protection /guide-to-the-general-data-protection-regulation-gdpr/ security/.
22For the purposes of drafting and negotiating data processing agreements, attorneys should assume breach incidents are inevitable or, at least, highly likely. John Chambers, What Does the Internet of Everything Mean for Security?, World Econ. Forum (Jan. 21, 2015) ("There are two types of companies: those who have been hacked, and those who don't yet know they have been hacked.").
23This approach is often preferred, because the necessary language may crowd out the primary agreement and data processing provisions may need to be amended from time to time to comply with changing laws. IAPP, supra note 5, at 2-3.
| Authored by Parker Smith
Ochsner Health System
Technology Law Committee Chair