A couple of years back, I was having a conversation with a client who said to me, "This feels like the first time in ages that the global privacy debate hasn't been dominated by what's happening in Europe." At that time, there was a lot of excitement about privacy developments in Australia, Canada, Mexico and Singapore. Europe was – by its standards – relatively calm; certain issues were simmering, but had not yet reached boiling point.
My, how things changed. Within a few months of that conversation, along came the CJEU's Right to be Forgotten (May 2014) and Weltimmo judgments; then Safe Harbor's collapse, the adoption of the GDPR, and launch of the EU-US Privacy Shield. The needle of the global privacy barometer once again swung firmly back towards the EU.
While each of these developments had a significant impact on organisational risk and compliance, none have attracted quite as much attention as the GDPR. In large part, this can be attributed to the breath-taking scope and liabilities it introduces. It has worldwide effect. It applies to processors, as well as controllers. And nothing excites executive imagination quite like a concern that the business could be fined up to four per cent of global turnover if found in breach.
It is therefore no surprise that many businesses are now rushing to ensure they are GDPR-ready before the new law comes into effect in May 2018. Many of these readiness activities take place behind-the-scenes, as organisations conduct data maps, implement new policies, create new compliance processes and appoint DPOs. However, some are more outward-facing, like updating privacy notices, and yet others require cooperation from third parties – cooperation that may not always be willingly given: specifically, when it comes to updating data processing contracts with third party service providers.
Data processing contracts under the GDPR
The GDPR sets out an ambitious and prescriptive list of requirements that must be included in data processing contracts. The list is significantly longer than that required by the current Directive, which requires only that a processor acts on its controller's instructions and maintains "appropriate" security for the data it processes.
Under the GDPR, there is a much longer list, all set out in Article 28. In addition to acting on instructions and maintaining appropriate security, processors must not subcontract without consent; they must ensure the persons they authorise to process data are under a contractual or statutory duty of confidence; they must flow down their own data protection commitments to any subprocessors they appoint; they must support the exercise of data subjects' rights; they must notify data breaches to their controller, and support the controller in conducting data protection impact assessments and consulting with DPAs (where necessary); they must commit to deleting or returning personal data upon completion of their services; and they must agree to submit to audits by their controller.
Maybe updating contractual templates to incorporate these requirements does not seem like that big of a deal – but what about when faced with the hard reality of contractual negotiations? How many service providers will agree to audits by their customers? How many will accept restrictions on their ability to appoint subprocessors? And what will service providers agree on liability caps? Customers will likely want unlimited liability (they'll have those 4% fines at the forefront of their minds) while their service providers will want to protect the business and limit their liability as best they can – perhaps by reference to amounts based on the pricing of their service or the extent of their insurance coverage.
How the global data processing market will adapt
Whichever way you look at it, data protection contracting is set to become significantly more complicated under the GDPR. It would be a mistake, though, to think that these effects will be felt in the EU alone. The reality is that the global data processing market as a whole will need to adapt. Large global customers will favour those service providers that offer them data protection terms that stand shoulder-to-shoulder with GDPR's requirements, regardless of whether the data processed originates from the EU or not.
Why? Because, these days, organisations process vast amounts of data, from all over the world – from data subjects inside and outside of the EU. In processing this data, they know that there is a high likelihood – in fact, virtual certainty – that they will be subject to the GDPR, given its expansive scope. With this knowledge, they will worry about the consequences of any non-compliance and the risk they might be exposed to the GDPR's enormous fines. In consequence of this, when passing data to service providers, they will look for service providers who make compliance easy for them – by offering a high standard of protections uniformly across all data, without divvying up protection for EU data one way and non-EU data another way. That would just make life too hard.
In response to this, service providers that want to attract business from the largest customers will compete to offer the "most" compliant service – and the GDPR, providing as it does, the single-most comprehensive piece of privacy legislation in the world, will become the benchmark for this compliance. And, as leading service providers start to apply GDPR standards across all data they process, so too will their competitors who benchmark their own compliance against that of their peers. Slowly but inevitably, the GDPR will become the standard for data protection contracts worldwide.
At least, that's my view. As I see things right now, service providers have a choice: they can start readiness activities now and offer GDPR-compliant data processing terms to their customers as soon as possible, increasing the likelihood of winning major, global customer accounts; or they can wait, putting some customer accounts at risk in the short term, until market forces push them into offering GDPR terms anyway.
Faced with a choice like that, why wait?