TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

During their webinar, Hot Topics in Data Privacy Regulation in Russia, Moscow partners Ksenia Andreeva, Anastasia Dergacheva, and Vasilisa Strizh will discuss trends in data privacy regulations in Russia for the upcoming year.

Topics include:

  • News from the Russian data protection regulator (Roskomnadzor)
  • New laws and legislative initiatives in the data privacy field
  • Obtaining data subjects’ consents: views of the regulator
  • Formalizing cross-border transfers from Russia and to Russia
  • Localization rules: view from Roskomnadzor

The webinar will be held on Tuesday, November 27 from 9:00 to 10:00 am Eastern Time. You can register here.

From time to time, data controllers are confronted with the question of whether data subjects can raise claims for specific security measures against the controller under Article 32 of the EU General Data Protection Regulation (GDPR). These measures can be costly and cumbersome for the controller.

The Austrian Data Protection Authority (DPA) has decided that there is no such claim. In the relevant case (AZ: DSB-D123.070 / 0005-DSB / 2018), the DPA ruled on a claim by a data subject to pseudonymize personal data. The complainant had filed two complaints with the DPA alleging a violation of the fundamental right to data protection (Section 1 of the Austrian Data Protection Act) for an alleged failure to delete data or pseudonymize personal data. The respondents were two Austrian public authorities: the Federal Ministry for Europe, Integration and Foreign Affairs and the Federal Chancellery.

There is no “one size fits all” solution when drafting and negotiating the liability provisions relating to data protection obligations and security incidents. Every contract has unique business drivers that will shape the appropriate allocation of liability, such as financial risk and the sensitivity of the data involved. There are, however, common issues that the legal, sourcing, and business teams should carefully consider when structuring the liability framework as it applies to data safeguards. Below we identify some of these key issues.

In Part 1 and Part 2 of this Contract Corner, we discussed the importance of assessing and defining the types of data involved in a services agreement, and highlighted issues to consider with respect to the ownership and control of company and personal data.

In this Part 3, we discuss key drafting points regarding the operational security requirements typically addressed in services agreements.

In Part 1 of this Contract Corner, we discussed the importance of evaluating the types of data to be processed or accessed by a service provider at the beginning of the contracting process and key considerations to address when defining the types of data in the services contract.

This Part 2 highlights issues to consider with respect to the ownership and control of company data.


Drafting and negotiating the data protection provisions in services agreements can be one of the trickier and more time-consuming aspects of the contracting process. One of our prior Contract Corner series from 2014 discussed the importance of documenting security requirements and monitoring security commitments, addressing security incidents, and key issues to consider when drafting liability provisions. In this Contract Corner, we revisit some of these issues based on the latest contracting trends that we are seeing for services agreements and dive into additional considerations when addressing key data safeguard provisions.

Assess and Define the Data

At the outset of the contracting process, it is important for the deal team and the key stakeholders to evaluate and properly define the types of data that the service provider will access or process as part of the services. A sound understanding of the scope of data involved in a services transaction helps establish expectations up front and will drive a contract that contains the right level of security requirements and an appropriate allocation of liability for security breaches. The contract should then reflect the output of this internal assessment through carefully crafted defined terms that will flow throughout the data safeguard provisions.

The seventh edition of Data Protection & Privacy, published annually by Getting the Deal Through, provides answers from practitioners around the globe regarding key questions in international privacy and data protection laws and regulations.

Our colleagues Ksenia Andreeva, Anastasia Dergacheva, Anastasia Kiseleva, Vasilisa Strizh, and Brian Zimbler contributed this year’s Russia chapter, providing insight on a wide variety of issues under Federal Law No. 152-FZ on Personal Data dated 27 July 2006, the main law governing the protection of personal data in Russia. This comprehensive chapter is a go-to resource for understanding the legislative framework for data protection and privacy in Russia, including the obligations of data controllers and data processors and the rights of data subjects.

The full edition is available online with additional chapters covering various jurisdictions around the world.

This week we welcome new partners to our outsourcing and commercial transactions practice, Mike Pierides and Simon Lightman. The arrival of Mike and Simon, along with associate Sarah Bryan, adds further strength to our outsourcing and commercial transactions team and brings our capabilities to the firm’s London office. Mike and Simon will lead the expansion of our practice in Europe, the Middle East, and Asia, where both have extensive experience representing a wide range of clients on major outsourcing and complex commercial transactions.

The California Consumer Privacy Act (CCPA) was signed into law this summer, as described in our prior post and this LawFlash. The CCPA creates a variety of new consumer privacy rights and will require many companies to reassess and modify their business processes in the collection and use of personal information. This comprehensive new privacy law, similar in some ways to the EU’s General Data Protection Regulation (GDPR), will therefore require many organizations doing business in California to implement new policies and procedures to be in compliance by the January 1, 2020, deadline.

The landmark CCPA is also a work in progress. To help guide companies and institutions through the challenges presented by the CCPA, Morgan Lewis has set up a CCPA resource center that will be continuously updated with content as new developments arise.

One such development is a recent set of amendments passed by the California Legislature. To help explain the current state of the CCPA, the recent amendments, and issues that remain to be debated and clarified, our colleagues Reece Hirsch, Mark Krotoski, and Carla Oakley will be hosting a webinar on October 16 from 1:00 to 2:00 pm ET.

We hope you register for this webinar and visit the CCPA resource center to stay up to date on important developments in this new regulatory environment.