To-Do in 2022: Top 5 Data Protection Contracting Tasks

Since 2018, a consistent stream of newly adopted privacy laws and other regulatory developments (such as GDPR, CCPA, Schrems II, and the new EU Standard Contractual Clauses) has required companies to make regular updates to their data processing agreements with customers and vendors. 2022 will bring more of the same, thanks to new state privacy laws that will become effective in 2023 and continuing developments from the EU on cross-border transfers.

To help ring in the New Year and provide a roadmap for what lies ahead, this post offers five to-dos that we recommend organizations consider this year as they revisit (yet again), their DPAs and other data protection contract terms.

  1. Update CCPA terms to align with the CPRA’s requirements for “Service Providers” and “Contractors”

The California Privacy Rights Act (CPRA) becomes operative on January 1, 2023 and will bring with it some key changes to the contract terms that a business subject to that law must enter into with vendors that access or receive personal information as part of the services they provide to the business, but that don’t act as “third parties.”  Those changes include:

  • A distinction between two categories of non-third-party recipients: “service providers” and “contractors.” A service provider “processes” personal information on behalf of the business, and may receive personal information “from or on behalf of” the business. A contractor, by contrast, is a person “to whom the business makes available a consumer’s personal information for a business purpose.”[1]
  • A core set of provisions that seek to ensure personal information is processed in accordance with the CPRA and that must be included in contracts with both service providers and contractors. Those core provisions, which are new and unlikely to appear in DPA terms designed to address the CCPA, are listed in Civ. Code § 1798.100(d)(1)-(5).
  • An expanded set of terms that must be included in contracts with “service providers,” and that are listed in Civ. Code § 1798.140(ag)(1). Some of those provisions duplicate the CCPA’s requirements for contracts with service providers, but CPRA introduces new elements that may not appear in existing DPAs, including a prohibition on “sharing” personal information, as that term is defined in CPRA, and a prohibition on combining personal information that the service provider receives from other sources, subject to certain exceptions.
  • A list of mandatory terms that must appear in contracts with “contractors,” which are listed in Civ. Code § 1798.140(j)(1). Those terms include all the elements required for contracts with service providers, plus two other elements: (1) a certification from the contractor that it understands the limitations imposed on its handling of personal information and will comply with them, and (2) permission for the business, “subject to agreement with the contractor,” to “monitor the contractor’s compliance with the contract through measures, including, but not limited to, ongoing manual reviews and automated scans and regular assessments, audits, or other technical and operational testing at least once every 12 months.”

Businesses subject to the CCPA, and the vendors that work with them, will need to update their agreements to incorporate the applicable terms by January 1, 2023 in order to avoid those vendors being characterized as “third parties” under CPRA, and the businesses’ disclosure of personal information to them being characterized as a “sale.”

  2. Add CPRA-required terms to contracts that involve the disclosure of California personal information by businesses to vendors acting as “Third Parties”

CPRA also introduces a brand-new requirement for businesses to enter into contracts when they disclose California consumers’ personal information to a “third party,” meaning any person other than:

  • the business with whom the consumer intentionally interacts and that collects personal information from the consumer as part of the consumer’s current interaction with the business;
  • a service provider to the business, or
  • a contractor.

Recipients falling within that category would include, for example, vendors to whom a business “sells” personal information, and vendors that receive personal information for cross-context behavioral advertising that cannot be classified as service providers or contractors.

For disclosures to those vendors, the CPRA will require the business to sign a contract that includes the same aforementioned core provisions listed in Cal. Civ. Code § 1798.100(d)(1)-(5).  Businesses and their vendors will need to carefully evaluate which engagements implicate this requirement, which does not exist under the CCPA, and implement the required terms in the contracts for those engagements by January 1, 2023.

  3. Confirm that contracts with “Processors” of Virginia and Colorado residents’ Personal Data include VCDPA- and CPA-required terms.

The Virginia Consumer Data Protection Act takes effect on January 1, 2023, followed soon after by the Colorado Privacy Act on July 1, 2023. Both laws, when they apply, impose requirements for contracts between “controllers” and “processors” of personal data of consumers in those states. Those contracting requirements, which appear in § 59.1-579(B) of the VCDPA and in § 6-1-1305(5) of the CPA, are inspired by Article 28 of the GDPR.

If an organization’s DPAs already include terms that comply with Article 28 of the GDPR, those terms should be sufficient to address the VCDPA’s and CPA’s contracting requirements so long as those terms extend to personal data relating to Virginia and Colorado consumers (instead of just individuals in the EU).  But for organizations that conduct business primarily or exclusively in the United States and that have been able to avoid the GDPR’s reach, those terms will likely be new and will need to be added to their vendor and customer agreements.

  4. Update pre-September 2021 DPAs that contemplate the transfer of EU personal data to non-adequate countries under the old SCCs to rely on the new SCCs.

Organizations that rely on Standard Contractual Clauses to transfer personal data from the EU to non-adequate jurisdictions will recall that in its July 2021 implementing decision adopting new Standard Contractual Clauses for the transfer of personal data to third countries, the Commission “grandfathered in” agreements that relied on the old SCCs that were signed before September 27, 2021. But that reprieve was only temporary: the same implementing decision requires these legacy contracts to be updated with the new SCCs by December 27, 2022.

Thus, organizations that spent the summer and fall of 2021 updating their DPA templates and ensuring that new agreements incorporated the new SCCs will now need to turn their attention to legacy vendor and customer DPAs that relied on the old SCCs. If the engagements that necessitated those DPAs will continue past December 27, 2022, the DPAs will need to be amended to incorporate the new SCCs before that date.

  5. Develop a plan to address “transfers” of EU personal data that involve organizations without EU establishments whose processing is subject to GDPR under Article 3(2) in light of recent statements by the EU Commission and EDPB.

The EU Commission’s SCC implementing decision, along with the EDPB’s recently issued Guidelines on the interplay between the application of Article 3 and Chapter V of the GDPR, could also require some adjustments by organizations without EU establishments that transmit or receive EU personal data, and are subject to the GDPR’s extraterritorial reach under Article 3(2). For simplicity’s sake, we’ll call these organizations “Article 3(2) Parties.”  For contracts that involve the transmission or receipt of EU personal data by Article 3(2) Parties, there are two key considerations.

First, both the Commission’s SCC implementing decision and the EDPB Guidelines state that when an Article 3(2) Party transmits or makes EU personal data available to another recipient that is also located in a third country, that transmission qualifies as a “transfer” for which Chapter V of the GDPR requires appropriate safeguards. Thus, for example, if a business located in the United States qualifies as an Article 3(2) Party with respect to its processing of EU personal data, and engages a cloud hosting provider that is also located in the United States, the business’s transmission of EU personal data to the cloud hosting provider will be considered a “transfer” of personal data to a third country, even though both parties are located within the United States. Organizations that have assumed that “transfers” to a third country under the GDPR arise only when the exporter is in the EU may need to revisit their DPAs to account for this broader conception of “transfers” under the GDPR.

Second, the Commission’s implementing decision and the EDPB Guidelines take the position that when the recipient of a transfer of EU personal data is subject to the GDPR under Article 3(2), the new SCCs cannot be relied on as a transfer tool.  That’s because, as the Commission’s implementing decision explains, the new SCCs are designed to be used “only to the extent that the processing by the importer does not fall within the scope of [the GDPR].” (emphasis added). The EDPB Guidelines note that limitation, and explain that the EDPB “encourages and stands ready to cooperate in the development of a transfer tool, such as a new set of standard contractual clauses, in cases where the importer is subject to the GDPR for the given processing in accordance with Article 3(2).”

This position that the new SCCs cannot be used for transfers of EU personal data when the data importer is an Article 3(2) Party leaves businesses with limited options for conducting those transfers in compliance with Chapter V of the GDPR.  Until the EU Commission and/or the EDPB offer more guidance or a set of SCCs for transfers to Article 3(2) Parties, those businesses will need to evaluate transfer tools other than SCCs, and may need to make risk-based decisions that focus on compliance with the spirit, if not the strict letter, of the GDPR’s transfer restrictions as interpreted by the Commission and the EDPB.

* * * *

If your organization needs help formulating a plan to execute this to-do list before the next wave of privacy laws inevitably introduces new and different vendor contracting requirements, our team stands ready to assist, to commiserate, or both.

[1] If anyone can explain why it makes sense to differentiate between these two separate categories, we’re all ears.