Here’s a challenge for privacy practitioners everywhere. Laws, by their nature, are national (or in some cases, like the GDPR, regional) but the businesses we represent often consume, process and share data globally. When contracting with counterparties, how then does the privacy practitioner draft data protection terms that accommodate the vagaries of every applicable local privacy law while still producing a contract that both parties want to sign?
While there’s no magic bullet for this - unless you have a small army of privacy lawyers at your disposal, are willing to prepare a lengthy, Frankenstein’s monster of a contract, and have unusually accommodating counterparties - there are some simple drafting tips you can follow to make life simpler:
- Privacy laws may be national, but privacy principles are global
Research suggests there are now more countries with data protection laws worldwide than without (around 120, apparently). No one, though, will thank you for drafting a data protection contract with some baseline terms and then 120 country-specific addenda attached to it!
Getting overly focussed on dotting every ‘i’ and crossing every ’t’ under local law creates a bigger risk too: you become so focussed on the law that you forget about the data. It’s worth remembering that privacy regimes worldwide are essentially built on a few core principles around notice, choice, purpose limitation, data quality, access and security. Look, for example, to transnational guidelines and conventions such as the OECD Privacy Guidelines (the OECD has 35 member countries around the world) or Council of Europe Convention 108 (the Council of Europe has 47 member countries).
If you build your data protection terms against these core principles then, even if you don’t hit every note under every local law, you won’t go too far wrong - and, more importantly, you will be building a document that does what it is supposed to: ensure protection for the data.
- Don’t let the great be the enemy of the good
There’s a tendency, at least in many of the deals I’ve been involved with, for privacy practitioners to be so emotionally invested in their own data protection terms that they treat any deviation from them as a mortal sin, and any variation to their preferred language as so heinous that it must inevitably expose the organisations they represent to unfathomable risk.
Don’t be that guy. There’s no such thing as zero risk in any contractual relationship, and there’s very little point in having data protection terms so risk averse and watertight that no one will sign them. Equally, if you’re in the fortunate position of being a business so much in demand that you can simply impose your terms on others, bear in mind that there’s little value in terms that are neither factually accurate nor achievable by your counterparty. Impose those and you all but guarantee that your counterparty will be in breach from the moment they sign the contract, and will be trying to hide it from you.
Better to know what it is your counterparty can and can’t do, and then craft appropriate data protection terms that achieve robust, but realistic, protections.
- Choose your benchmark carefully
While keeping in mind core privacy principles, when drafting data protection agreements it is still helpful to benchmark your terms against a specific legal standard - not least because your counterparties will expect this.
The EU’s General Data Protection Regulation is a good benchmark for this purpose, being very prescriptive about the level of detail that must be included in data processor terms (and in privacy notices too, for that matter). Consider using the requirements of Article 28 as a checklist against which to benchmark your data protection drafting. You may of course choose not to follow them to the letter, but they will help you identify the key issues that any decent set of data protection terms ought to address. And, because they are so prescriptive, drafting against GDPR standards should get you 80% of the way there even in non-EU territories, where GDPR terms are no guarantee of compliance.
- Presentation is everything
Often, businesses don’t give enough thought as to how to present their data protection terms. This can make a significant difference both in terms of risk and in terms of counterparty willingness to sign your terms. In particular, you should consider whether to incorporate your data protection provisions within your main commercial terms, or in a standalone data processing addendum or agreement.
For very simple, high volume, clickwrap agreements, incorporation in the main commercial terms may be all that’s needed. For more complex, negotiated agreements, a standalone data protection addendum or agreement is often preferable. There are two key reasons for this: first, keeping the data protection terms in a standalone agreement focuses your counterparty’s data protection reviewer only on reading the data protection terms (and so minimises the risk that they read across and comment on wider commercial terms); second, if you ever need to disclose your data protection terms in response to a regulatory enquiry, keeping them in a standalone document helps to avoid disclosure of wider, commercially-sensitive terms.
- Make use of pre-signed, downloadable contracts
The goal of any business should be to increase deal volume and velocity and to remove sources of deal friction. Increasingly, protracted negotiation over data protection terms is one of the main things holding up commercial deals. One way to reduce this friction is to provide your data protection terms in a pre-signed, self-serve downloadable format: pre-sign them (an e-signature will do), then host them in PDF (or a similar hard-to-edit) format at a URL from which your counterparty can download, sign and return them. Keep a record of each version you publish and check returned copies against it, since a PDF is harder to alter than an editable document, but not impossible.
This helps reduce the likelihood of negotiation and so speeds up deals - but keep in mind this will only work if your terms are well-considered, well-drafted, and reasonable in the first place, so see the points above. You can’t post a dog’s dinner online and still expect your counterparties to sign - this will only invite negotiation.