We have previously blogged on the FTC’s privacy report on “Protecting Consumer Privacy in an Era of Rapid Change” and the Department of Commerce’s Green Paper on “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework.” We have also published client alerts on the FTC report and the DOC green paper. In this and two subsequent blog posts, I will share some observations on themes in these proposed frameworks that have implications for how companies approach their IT contracts.
My first observation is that both the report and the green paper emphasize the need for a coordinated and well managed set of policies with respect to privacy and security arrangements in contracts with third party business partners.
The FTC’s framework advocates for “privacy by design” where companies promote consumer privacy throughout their organizations. As companies’ operations are supported by a complex mix of internal and external IT resources, privacy by design necessitates that privacy and security considerations be addressed in every contract with an external IT service provider.
The DOC focus is on broader adoption of better Fair Information Practice Principles (FIPP) backed up by the ability to assess and audit compliance. In relation to external IT resources, that ability to assess and audit is wholly dependent on the terms of the contract between the customer and the provider. IT contracts also need to require that the provider comply with the customer’s policies on FIPPs.
So although neither document focuses on how these frameworks would be implemented within companies, the implications from both are that IT contracts would be on the front line of making privacy by design and FIPP a reality. This is by no means easy. Current negotiations over commercial terms regarding privacy and security are often difficult. Many service providers are largely silent on such topics in their standard contracts, or offer general statements regarding their security standards without any contractual commitments to back them up. Audit rights can be particularly difficult to obtain because service providers argue that exercise of such audit rights creates operational and security issues. These concerns seem to be particularly common in relation to cloud computing service terms and conditions, which are often positioned as non-negotiable.
One aspect of the DOC green paper that I like is the idea of a safe harbor for companies that do implement FTC-approved codes of conduct. Perhaps one of these codes of conduct could be a set of baseline principles for contracts with IT service providers. Creating an optional, but enforceable and standard set of principles on privacy and security would create some new efficiencies in contract negotiations. It is unrealistic to create a one-size-fits-all set of security standards and mechanisms, as IT contracts are so diverse and cover so many different types of environments. But a code of conduct could create some baselines for IT contracts. For example, basic principles could include a requirement for reasonable security measures, a prohibition on any use of customer data beyond what is necessary for service delivery and a right to conduct reasonable audits and assessments or a right to receive regular shared audit reports conducted by an independent third party.
The safe harbor protection would offer the “carrot” necessary to encourage the market to adopt these as standard principles and dispense with some of the threshold quibbling as to whether it is appropriate for the contract to include such terms. Such a code of conduct would directly support consumer privacy, because companies can only provide assurances to consumers regarding privacy and security if they have sufficient control over the consumers’ data, including control over the data when it is in the hands of third parties such as IT service providers. Even if no new legislation materializes as a result of the FTC and DOC documents, it is clear that companies simply cannot take a passive approach to these issues in relation to IT contracts.
In my next post I provide observations on some changes to consider for form contracts based on the FTC report’s commentary on the PII vs non-PII distinction and re-indentification of data.