TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

Please join us for a dynamic webinar on hot issues impacting the structuring and negotiation of ecommerce contracts in 2020. Donald G. Shelkey and Eric Pennesi of our Technology, Outsourcing and Commercial Transactions practice will present and lead discussions on topics including:

  • Privacy and Security
  • Deals We Expect to See: An Integration Infection!
  • 2020 Market Positions

The webinar will take place on Wednesday, December 11, 2019, from 12:00–1:00 pm (Eastern Time). Register here.  

For years, there has been a persistent trend toward outsourcing retirement plan recordkeeping and other administrative responsibilities. Although historically more prevalent for defined contribution plans, this outsourcing trend has been accelerating for defined benefit plans thanks, in part, to the prevalence of frozen plans (i.e., no more benefit accruals) and the potential for administrative cost savings. But service providers will be quick to remind plan fiduciaries that lightening the administrative load does not include transferring fiduciary duties. When selecting and monitoring a service provider, one key issue facing retirement plan fiduciaries is their duty with respect to the privacy and security of plan participant data.

As we previously discussed, managing and administering retirement plans also mean managing and protecting an extensive trove of personal data. Although there is no overarching privacy law governing retirement plans, fiduciaries must adhere to the “prudent expert” standard of care in fulfilling their duties, and, in the current environment, it can be expected that courts will be sympathetic to assertions that privacy and security of plan participant data are within the scope of those duties. Given that fiduciaries are personally liable for their fiduciary breaches and considering the cost of a data breach can be in the millions of dollars, the sensible course of action for retirement plan fiduciaries is to be continuously diligent and attentive regarding data privacy and security. This extends to diligence and care in the structuring of the outsourcing agreement.

The Clearing House (the oldest banking association and payments company in the United States) recently released a model agreement as a voluntary starting point to facilitate data sharing between financial institutions and fintech companies.

The model agreement is intended to provide a standardized foundation that speeds up data access agreement negotiations; as the Clearing House notes, “[L]egal agreements between banks and fintechs have sometimes taken 12 months or more to be developed and finalized and have become a significant bottleneck to API adoption.” Additionally, the model agreement is designed to reflect the Consumer Financial Protection Bureau’s consumer protection principles on data sharing and aggregation, providing confidence to the contracting parties that the terms address key regulatory issues.

The EU Commission issued its report on the third annual review of the functioning of the EU-US Privacy Shield (Privacy Shield) on October 23. The annual review and corresponding report is required of the Commission by the its July 2016 adequacy decision in which it found that the Privacy Shield ensures an adequate level of protection for personal data that has been transferred from the European Union (EU) to the United States. The goal of the review is to evaluate and publicly report on all aspects of the functioning of the Privacy Shield Framework.

A recent ruling by the Court of Justice of the European Union (CJEU) established that companies seeking to store “cookies” that are used to track online browsing behavior must obtain “active consent.” The ruling is likely to cause angst among companies, which often maintain websites that are not set up to obtain active consent, as well as with internet users who are increasingly frustrated by having to continually provide consent while visiting websites.

Morgan Lewis partners Ksenia Andreeva, Anastasia Dergacheva, Vasilisa Strizh, and Brian Zimbler and associate Anastasia Kiseleva contributed the chapter on Russia for the recently released Data Protection & Privacy 2020, the eighth edition of the Lexology Getting the Deal Through publication.

Lexology Getting The Deal Through provides international expert analysis in key areas of law, practice, and regulation for corporate counsel, cross-border legal practitioners, and company directors and officers. The publication addresses many of the most important data protection and data privacy laws in force or in preparation throughout the globe, with a discussion of the same key data protection and privacy questions with analysis from leading practitioners in each of the featured jurisdictions.

As our loyal Tech & Sourcing readers know, we have been doing our best to keep you informed about the requirements of the California Consumer Privacy Act (CCPA) and what you can do to prepare as its January 1, 2020, effective date draws near. Continuing that vein, we invite you to an upcoming webinar wherein Morgan Lewis partners Reese Hirsch, Mark Krotoski, and Carla Oakley and associate Kristin Hadgis will provide an overview of the latest amendments to the CCPA, the state of the law and related regulations, and practical perspectives on CCPA compliance.

The Morgan Lewis team will discuss the following topics:

  • The new one-year exemption for employee data*
  • The new one-year exemption for B2B communications*
  • Other new amendments, including those related to the use of toll-free numbers and verifiable consumer requests*
  • Failed amendments and other issues to watch
  • Status of California attorney general regulations and a possible new ballot initiative
  • Other state laws influenced by the CCPA
  • Preparing for the January 1 effective date and 2020 enforcement date

We hope you will join us for the one-hour webinar on Tuesday, October 22 at 1:00 pm ET.

Register for the webinar now >

For a primer in advance of the webinar, catch up on our previous posts on the CCPA and recently proposed amendments, and check out the Morgan Lewis CCPA Resource Center for more.

*Indicates an amendment to the CCPA that has passed the California Legislature but, as of this writing, has not yet been signed into law by Governor Gavin Newsom.

The California legislature passed five bills on September 13 to amend and clarify the scope of the California Consumer Privacy Act (CCPA). If the amendments are signed by the California governor by the October 13 deadline, they will become part of the CCPA, set to take effect on January 1, 2020. A LawFlash by Morgan Lewis partner Reese Hirsch and associates Kristin Hadgis, Lauren Groebe, and Terese Schireson discusses the key proposals in each amendment, such as:

The EU Council Presidency on September 18 put forward to member states an 88-page compromise proposal on the Eprivacy Regulation with considerable changes and amendments. There are several proposed changes to the provisions on email marketing and cookie use that we think readers may find relevant. Here is the proposal of the Finnish Presidency. The main areas that were modified by the current proposal are:

  • Email marketing
  • The definition of direct marketing
  • Procedures around direct marketing calls
  • End user consent for cookies

A recent LawFlash by Morgan Lewis partners Ksenia Andreeva and Vasilisa Strizh and associate Anna Pirogova discusses a draft law proposed in Russia that would introduce heavy fines for violations of Russia’s data protection law and a variety of internet activity laws.

The primary federal data privacy law in Russia, On Personal Data, dated July 28, 2006 (the Personal Data Law), applies to “personal data operators,” which are entities that organize and carry out the processing of personal data and determine the purpose of individuals’ personal data processing. The proposed draft law, On Amending the Code of Administrative Offences of the Russian Federation, relates to the “localization requirement” of the Personal Data Law, which creates on obligation for personal data operators to collect, store, and otherwise process personal data of Russian citizens using databases and servers located in Russia.