Sourcing

On 13 September, the Information Commissioner’s Office (ICO) published draft guidance on contracts and liabilities between controllers and processors under the GDPR (the “Guidance”).  The ICO is consulting on the Guidance until 10 October.  We summarize the key aspects of the Guidance below.
Continue Reading GDPR Contracts and Liabilities Between Controllers and Processors

In May 2015, reports about the German government’s plans to establish federal German cloud infrastructure (the “Bundes-Cloud”) raised concerns about the possible introduction of data localization requirements (preventing the storage and processing of data outside Germany).  The criteria for the use of cloud services by Germany’s federal administration, which have recently been published, now give shape to these concerns.
Continue Reading Data Localization Requirements Through the Backdoor? Germany’s “Federal Cloud”, and New Criteria For the Use of Cloud Services by the German Federal Administration

We have previously blogged on the FTC’s privacy report on “Protecting Consumer Privacy in an Era of Rapid Change” and the Department of Commerce’s Green Paper on “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework.”  We have also published client alerts on the FTC report and the DOC green paper.  In this and two subsequent blog posts, I will share some observations on themes in these proposed frameworks that have implications for how companies approach their IT contracts.  

My first observation is that both the report and the green paper emphasize the need for a coordinated and well-managed set of policies with respect to privacy and security arrangements in contracts with third-party business partners.

The FTC’s framework advocates for “privacy by design” where companies promote consumer privacy throughout their organizations.  As companies’ operations are supported by a complex mix of internal and external IT resources, privacy by design necessitates that privacy and security considerations be addressed in every contract with an external IT service provider. 

The DOC focus is on broader adoption of better Fair Information Practice Principles (FIPPs) backed up by the ability to assess and audit compliance.  In relation to external IT resources, that ability to assess and audit is wholly dependent on the terms of the contract between the customer and the provider.  IT contracts also need to require that the provider comply with the customer’s policies on FIPPs.
Continue Reading Implications of the FTC Report and DOC Green Paper for IT Contracts