How Can We Help Our Clients Keep Up With Privacy Laws?

by Jay Parkhill
Parkhill Venture Counsel, P.C.
Privacy law is in a period of very rapid evolution. Even ten years ago the pace of change was incremental; it now seems to accelerate constantly. It is difficult for practitioners to keep up with developments, and it is an even bigger struggle for our clients to manage their obligations to their end users and business customers. This article provides a brief overview of the state of flux in privacy law and suggests frameworks for managing the business relationships affected by it.

A BRIEF HISTORY OF PRIVACY LAW UPDATES

The European Union led privacy law developments for decades. The first major EU privacy law was the Data Protection Directive (95/46/EC) in 1995. It lasted for 23 years until it was replaced by GDPR in 2018, and that is when the pace of activity really picked up. The internet, online advertising and SaaS have all dramatically changed how personal data is collected, stored and used, and GDPR was the first major privacy law of the internet era. As such it has had a big influence on legislation in other countries.

The United Kingdom was part of the EU until Brexit in January 2020, and EU GDPR continued to apply directly in the UK through the end of the Brexit transition period on 31 December 2020. Post-Brexit the UK Parliament essentially cloned GDPR into UK law, so now we have [EU] GDPR and UK GDPR. As of now they are mostly identical, though we can expect them to diverge over time.

US law is also changing. Before the California Consumer Privacy Act (CCPA) took effect in 2020, almost all US privacy laws regulated specific industries, e.g., the Health Insurance Portability and Accountability Act (1996) (HIPAA) for health care and the Gramm-Leach-Bliley Act (1999) for financial institutions. CCPA was a milestone because it provides the broadest rights of any US law, and because it covers the most people by virtue of California's size. CCPA itself will be amended and expanded by the California Privacy Rights Act, which takes effect in 2023, and has been joined by the Colorado Privacy Act (enacted 2021), the Virginia Consumer Data Protection Act (enacted 2021), the Utah Consumer Privacy Act (enacted 2022) and the Connecticut Data Privacy Act (enacted 2022, effective 2023). Several bills have been introduced in the US Congress to create an equivalent federal-level privacy law, though none has passed yet.


Finally, comprehensive privacy laws have also been enacted in other major markets, including Brazil (the LGPD, in force since 2020) and China (the Personal Information Protection Law, in force since November 2021, alongside the Data Security Law of the same year). The Indian Parliament has introduced and then withdrawn more than one draft data protection bill in recent years, most recently in 2022.

The pattern is clear: privacy laws changed incrementally for several decades and are now in a period of rapid development.

STANDARD PRIVACY CONTRACTS, AND THEIR EVOLUTION

There are three principal categories of privacy-related agreements. All of them are written against the law as it stands, so all of them must change regularly to keep pace with it.

Privacy Policies

Businesses use these to tell website visitors and service users how the business will manage their personal data. Privacy policies are not commonly negotiated and can be updated more expediently than business-to-business agreements, so this article will not focus on them.

Data Processing Addenda (DPA)

When a business hires another business to provide SaaS or other services, a DPA explains how the vendor will handle the customer's personal data and how the parties will work together to comply with applicable laws. DPAs existed before GDPR but were somewhat uncommon. In 2018 they became essential for companies that do business in the EEA; once CCPA went into force in 2020 they became required for businesses that touch personal data of California residents; and the apparent consensus in 2022 is that DPAs should be near-globally applicable. DPAs are frequently negotiated, however, so while the law is moving quickly, it is a nontrivial endeavor for a company to change terms with all of its customers and vendors.

Standard Contractual Clauses (SCC)

This privacy contract has been evolving even more quickly than DPAs over the last couple of years. SCCs are (or were, as noted below) an EU-specific contract that dictates the conditions under which a business in the European Economic Area can transfer personal data to a country whose laws do not meet EU standards for data protection. The previous generation of SCCs dates from 2001-2010 (the controller-to-processor clauses from 2010 were the most widely used), and they were completely rewritten in 2021 to track GDPR requirements. When the 2021 SCCs were published the EU set a deadline (27 December 2022) for all businesses to "upgrade" from the old SCCs, and many businesses started that process in 2021.

The UK left the EU after GDPR but before the 2021 SCCs. The UK therefore issued its own transfer documents almost a year later, in March 2022: an International Data Transfer Agreement and, alternatively, a UK Addendum that bolts onto the EU 2021 SCCs. In practical terms this means that companies who started the 2021 SCC update process in 2021 need to revisit their UK transfers based on the UK documents.

Outside of Europe, Brazil's LGPD requires the Brazilian data protection authority to adopt its own set of standard contractual clauses. As of this writing that has not happened, so whenever it does, businesses will need to determine whether, when and how to incorporate those. Similarly, in early 2022 the Association of South East Asian Nations published a non-binding set of Model Contractual Clauses for Cross Border Data Flows among its member countries. If and when these become de rigueur, another round of updates will be needed.

In short, privacy laws are moving quickly, and each change in the law requires a corresponding change in privacy-related contracts. A cynic might say this activity offers great job security for privacy lawyers, but we still need to figure out how to manage it. As practitioners, then, what strategies can we adopt?


COVER THE BIG PICTURE ITEMS

As noted above, many countries have adopted or are in the process of adopting comprehensive privacy laws. Every law will have unique attributes, but most of them share a handful of core principles. One step toward future-proofing contracts is to decide which concepts can and should be applied globally and which are region-specific. For example, end user rights of access, portability, deletion, correction, etc., are broadly similar across jurisdictions and (as of now at least) we can expect to see those applied globally. On the other hand, CCPA's right to opt out of the "sale" of personal data is highly idiosyncratic and hard to generalize globally.

PLAN TO UPDATE TEMPLATES

Given the pace of change, contract templates will need to be updated repeatedly over the next few years. In-house legal teams should build annual updates, if not more frequent ones, into their plans. This is a harder task for outside counsel to manage, but if nothing else it is a good opportunity to reconnect with clients.

PLAN FOR MANAGING AT SCALE

Adjusting templates might be the easy part. How do we manage the fact that companies have dozens, hundreds or thousands of customer and vendor contracts in place, all of which need to be updated regularly? There will not be a single solution that works in every case, but many vendors can streamline the workload by grouping customer contracts into three buckets: minimally negotiated, moderately negotiated and bespoke.

Customers

One option for the first group is to make documents evergreen, so that customers are automatically updated to the vendor's newest DPA and SCC versions when they renew their subscriptions each year. There are enforceability issues with contracts that can be amended unilaterally, so this type of provision needs to be used carefully (and transparently), but an automatic-update process would likely bring privacy contracts up to date for a large portion of a vendor's customer base.

The second group may reject the auto-update procedure, so a vendor could provide those customers a short addendum, clearly labeled to address only the required update. Simpler is probably better here if the goal is merely to comply with updated rules.

With luck, an efficient process for these first two groups will let us focus on the third, complex group, which cannot be addressed by either auto-updates or a simple addendum.

Vendors

Companies need to work through the same process with their vendors. The process here can be similar to that for customers, except that auto-updates likely will not be possible, since the vendor controls its own paper.

CONCLUSION

It is a fascinating time for privacy law, to be sure. Keeping up with new developments requires consistent attention; keeping our clients up to date and in compliance with the law takes even more effort. We cannot predict exactly how laws will continue to evolve, but we can think strategically about how to manage change as a regular process.

The views expressed in this article are personal to the author and do not necessarily represent or reflect the views of the author’s firm, the Executive Committee of the Intellectual Property Law Section, the California Lawyers Association, or any colleagues, organization, or client.

© 2022 Jay Parkhill.

Jay Parkhill is the founder of Parkhill Venture Counsel, P.C. He is a vice-chair of the IP Section’s Licensing and Technology Transactions Group. He has worked with early- and growth-stage technology clients for more than 20 years on licensing, commercial transactions, privacy law and other matters.
