Key Data and Privacy Clauses in Technology Contracts
In the first post of this series, we learned that properly conducted due diligence is crucial to ensure compliance with privacy requirements because it allows you to create a risk profile for the vendor and, as a result, to justify business decisions.
This article lists some clauses pertaining to privacy that are found in technology agreements and that need special attention. In the upcoming posts, we will analyze some of these clauses thoroughly.
Language and Definitions: The Very Basics
Things you must be aware of:
- To start, it is important that you understand that contracts are all about language. The way things are written may have a serious impact on the interpretation of your contract in any case of dispute; for example, verbs used may change how a provision can be applied.
- Many articles online discuss generic rules of contract interpretation; alongside considering those, pay extremely careful attention to the definitions in the contract. While people often overlook that section, its content may modify the interpretation of your agreement. When you find a capitalized term in the text of the agreement, it should be defined and that definition may not be exactly what you would assume.
- When analyzing a contract, consider your role in the transaction (buyer/vendor) to identify the type of language you need.
You may have noticed when reading Terms and Conditions to use certain software, that there are links to other documentation. Service provider agreements usually go beyond the document you are asked to sign and include additional terms, many of which can be found online.
Certain sections in the contract may alter your position in relation to the data you will disclose to the service provider. Below are some important factors:
License Clause: You may find that the contract says the data you provide belongs to you. Even in that case, look for modifiers or sections that indicate that you agree that the service provider may use the data for purposes other than providing the service.
Personal Information Clause: Oftentimes, this clause includes language indicating that you are responsible for obtaining consent from your clients for the processing of the information that your service provider will undertake.
- While there is an exception to consent that may be used under these circumstances, that may not be applicable in all cases.
- Establish whether you are relying on consent or otherwise employing an exception when disclosing information to the service provider.
- You also need to know every use that, according to the agreement, the service provider (or subcontractors) may give to the data.
Confidentiality Clause: It’s useful to have the definition of confidential information include the personal information you are sharing as it provides a different protection mechanism in case of undue disclosure of your data (breach of confidentiality).
Aggregation Clause: A data aggregation clause allows service providers to anonymize your data and combine it with other data sets for purposes such as “improving” the services.
With frequency, people assume that this is an analytics clause. Depending on how the clause is written, it is possible that it is used for analytics purposes; that being said, this clause could allow the service provider to use the data to create its own products (which could be, for example, a compilation of data to be commercialized or simply a totally new product).
Data aggregation clauses may have consequences for your company if the data isn’t properly anonymized before aggregating it. Remember that when you obtain consent, it is granted for specific purposes. Only under very specific circumstances, you are allowed to use your clients’ personal information without their consent.
Intellectual Property Clause: This clause could be relevant, for example, if new datasets are produced from the original that you are sharing. Depending on the nature of the agreement and the direct identifiers that remain from that original data, this could be a privacy risk.
Subcontracting Rights: Ideally, subcontracting should be approved by you (among other reasons, because it may impact your data map). If your service provider is allowed to subcontract:
- The service provider and the subcontractor must be subject to the same obligations and restrictions in relation to the use of the data (only for the purpose of providing the service).
- The subcontractor must be able to abide by the same standards you demanded from the service provider.
- There must be limitations related to where they can store your data (based on data localization restrictions),
- Like the service provider, their subcontractors should only be allowed to access information on a need-to-know basis.
- The confidentiality agreements executed by the subcontractor should provide at least the same level of protection contained in the one you signed with the provider.
Liability for Data Breach/Loss: Read carefully the limitation of liability clause to confirm whether the service provider expressly assumes liability for events where data is lost or where they have suffered an attack impacting your data. For licensing agreements where you receive a copy of the software, confirm if the service provider is liable for any issues related to vulnerabilities, defects, or failures in their software that put your data at risk.
Data Localization: Ensure that the contract and applicable statements of work (SOW) specify where your data will be kept and make sure that region works for your particular needs. If the personal information is leaving Canada, it is your responsibility to verify that the other country provides a similar level of protection to the one the information would be subject to at home.
Security Measures: The contract/agreement states what are their security standards and how they will protect your data. What we often find is a clause referencing a schedule attached to the agreement that contains a set of applicable security measures. We will cover the security measures schedule later in the series.
Commitments That Need User Consent: Read carefully what you are committing to. Some commitments may require you to request consent from your clients for things that may only benefit the service provider.
In conclusion, take your time to go through the contract, try to understand what are the particular obligations of your company in relation to personal information, and make a conscious attempt to reasonably share risks with your service provider.