We have previously blogged on the FTC’s privacy report on “Protecting Consumer Privacy in an Era of Rapid Change” and the Department of Commerce’s Green Paper on “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework.”  We have also published client alerts on the FTC report and the DOC green paper.  In this and two subsequent blog posts, I will share some observations on themes in these proposed frameworks that have implications for how companies approach their IT contracts.  

My first observation is that both the report and the green paper emphasize the need for a coordinated and well managed set of policies with respect to privacy and security arrangements in contracts with third party business partners. 

The FTC’s framework advocates for “privacy by design” where companies promote consumer privacy throughout their organizations.  As companies’ operations are supported by a complex mix of internal and external IT resources, privacy by design necessitates that privacy and security considerations be addressed in every contract with an external IT service provider. 

The DOC focus is on broader adoption of better Fair Information Practice Principles (FIPP) backed up by the ability to assess and audit compliance.  In relation to external IT resources, that ability to assess and audit is wholly dependent on the terms of the contract between the customer and the provider.  IT contracts also need to require that the provider comply with the customer’s policies on FIPPs. 

So although neither document focuses on how these frameworks would be implemented within companies, the implications from both are that IT contracts would be on the front line of making privacy by design and FIPP a reality.  This is by no means easy.  Current negotiations over commercial terms regarding privacy and security are often difficult.  Many service providers are largely silent on such topics in their standard contracts, or offer general statements regarding their security standards without any contractual commitments to back them up.  Audit rights can be particularly difficult to obtain because service providers argue that exercise of such audit rights creates operational and security issues.  These concerns seem to be particularly common in relation to cloud computing service terms and conditions, which are often positioned as non-negotiable. 

One aspect of the DOC green paper that I like is the idea of a safe harbor for companies that do implement FTC-approved codes of conduct.  Perhaps one of these codes of conduct could be a set of baseline principles for contracts with IT service providers.  Creating an optional, but enforceable and standard set of principles on privacy and security would create some new efficiencies in contract negotiations.  It is unrealistic to create a one-size-fits-all set of security standards and mechanisms, as IT contracts are so diverse and cover so many different types of environments.  But a code of conduct could create some baselines for IT contracts.  For example, basic principles could include a requirement for reasonable security measures, a prohibition on any use of customer data beyond what is necessary for service delivery and a right to conduct reasonable audits and assessments or a right to receive regular shared audit reports conducted by an independent third party. 

The safe harbor protection would offer the “carrot” necessary to encourage the market to adopt these as standard principles and dispense with some of the threshold quibbling as to whether it is appropriate for the contract to include such terms.  Such a code of conduct would directly support consumer privacy, because companies can only provide assurances to consumers regarding privacy and security if they have sufficient control over the consumers’ data, including control over the data when it is in the hands of third parties such as IT service providers.  Even if no new legislation materializes as a result of the FTC and DOC documents, it is clear that companies simply cannot take a passive approach to these issues in relation to IT contracts. 

In my next post I provide observations on some changes to consider for form contracts based on  the FTC report’s commentary on the PII vs non-PII distinction and re-indentification of data. 

 

 

Tags: Cloud Computing, DOC green paper, FTC privacy report, IT contracts
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Nigel Howard Nigel Howard

For over 30 years Nigel Howard has specialized in technology transactions such as M&A, strategic alliances, licensing, distribution agreements and outsourcing. Clients range from start-ups and emerging companies to international corporations. He has led negotiations of billion dollar service agreements that were critical…

For over 30 years Nigel Howard has specialized in technology transactions such as M&A, strategic alliances, licensing, distribution agreements and outsourcing. Clients range from start-ups and emerging companies to international corporations. He has led negotiations of billion dollar service agreements that were critical to his client, and successfully handled the intellectual property and data issues on over 250 venture capital and M&A transactions.

Nigel is a “tremendous attorney” singled out for his detail-oriented approach, according to clients interviewed by Chambers and Partners. Peer commentators note his admirable commercial awareness, which achieves business-focused results, often in the most challenging of circumstances. He uses his extensive experience with IP and technology to advise on the commercial imperatives underlying these agreements.

Nigel has been ranked by Chambers Global, Chambers USA, Legal 500, Best Lawyers in America, and Who’s Who in American Law. He is frequent speaker on AI, data, distribution, and technology legal issues. His past and current clients include American Airlines, the American Bankers Association, American Express, AstraZeneca, British Airways, Brown Brothers Harriman, Cathay Pacific, Cisco, CoBank, DoubleClick, Etihad, HPE, Farelogix, Iberia, Mars, Merck, Merrill Lynch, Microsoft, NCR, the NFL, Novartis, P&G, Philippine Airlines, Promontory Financial, Singapore Airlines, Teva, TouchTunes, UBS, and Wyeth.

Read more about Nigel HowardEmail
Show more Show less