Contractual language related to privacy and data protection — whether in stand-alone agreements or in additional provisions within the main agreements — is expanding rapidly and is full of convoluted legal language. It is also usually very generic and filled with conditional provisions. Discussing and negotiating such contracts takes time and may result in project delays. At the same time, the specific obligations and requirements are often blurry for the people responsible for compliance and for implementing controls.
It is obvious that reasonable standardization efforts could save time, money and effort, and prevent business opportunities from being lost. Similarly, more clarity and a defined set of relationship types would mean greater effectiveness in following the requirements and implementing specific controls. This, in turn, would mean less risk both for the individuals whose data is being processed and for the organizations responsible for privacy compliance.
One source of inspiration could be the International Commercial Terms (Incoterms), which are well known to contract and procurement specialists.
What are the Incoterms?
Incoterms are predefined commercial terms published by the International Chamber of Commerce. They relate to international commercial law and are widely used in international commercial transactions or procurement processes. Their use is accepted and encouraged by trade organizations, courts and legal experts.
In practice, a series of three-letter trade terms related to common contractual sales practices is used to communicate the tasks, costs and risks associated with the global or international transportation and delivery of goods. This way the obligations, costs and risks involved in delivering goods from the seller to the buyer, together with some other important rules, do not have to be written out each and every time. Instead, a three-letter code is sufficient and is widely understood by all the parties involved.
How this could work for data transfers
When it comes to data transfer agreements, we are increasingly dealing with a predefined set of relationship types. Each type often involves similar provisions or even the same chunks of text. One example is the EU General Data Protection Regulation data-processing agreement, which many also accept as satisfying the California Consumer Privacy Act requirements for engaging service providers. Likewise, the EU model clauses, in both their controller-to-controller and controller-to-processor versions, are considered a valid transfer mechanism in some countries outside the EU and the European Economic Area as well, such as Switzerland.
All in all, most of the relationships would fall under just a few categories, which are well known to privacy professionals working with the GDPR.
These include controller-to-controller, joint controllers, controller-to-processor and processor-to-subprocessor setups. They can come in different shapes or forms, and, most importantly, in the case of transfers from countries or regions with a higher level of data protection, a similar level of privacy protection must be maintained and agreed through additional provisions. The best known of these additional provisions are obviously the EU model clauses, which are currently available only in controller-to-controller or controller-to-processor form. In the case of subsequent transfers, the obligations would need to be cascaded further to the other recipients. Notably, there are currently no EU-wide EU-processor-to-non-EU-subprocessor clauses. Still, the main idea behind such a transfer mechanism is for the receiving party to handle data in accordance with the same basic principles and rules, and to make sure that the rights of the individuals concerned are not hampered, so that they can still effectively enforce their claims and obtain sufficient remedies when needed.
When considering the structure of these agreements and the pertinent obligations of both parties, and comparing them with the Incoterms rules, which relate to material goods rather than data, there are still some similarities. All in all, this is about tasks, costs, risk allocation, and having a set of predefined terms and rules. Beyond personal data transfers alone, something similar to Incoterms will sooner or later be needed for trading in data, as data is extremely important in all business relationships and, as with material goods, ways to simplify and organize trade are needed to ensure growth and sustainability.
Just as with Incoterms, apart from a predefined set of rules expressed with few-letter codes, some provisions would be left out that would normally be part of the contract, such as governing law, liability, rules for reimbursement of some additional services and other terms, often simply labelled as miscellaneous. The risks and corresponding responsibilities, on the other hand, including those for information security, should be clearly defined and delineated within such rules, as, arguably, this would be the greatest added value of using predefined rules besides simplification.
With data protection laws already in place and more on the way, together with the prevalent practices for drafting data transfer agreements, standardization and simplification seem to be well beyond reach. Looking at the Incoterms, which relate to trading in material goods, something similar for transactions in data seems desirable yet unattainable and unrealistic. However, looking back at how the Incoterms were created in the first place, and at the demands from international business that made this possible, a different picture starts to emerge. Working in privacy and data protection, one cannot fail to observe certain patterns and alignments in data transfer contractual language. At the same time, there is a growing demand for simplicity and clarity from people dealing with contract negotiations and procurement, as well as from the teams responsible for implementing controls and compliance obligations.
In my view, something similar to Incoterms for data transfers in general, and for agreements relating to personal data in particular, will be necessary and would be very much welcomed by the business. Obviously, making this happen is not an easy task: there would be legal difficulties as laws differ, and, of course, it is not clear which organization would need to draft and maintain such rules. Bringing this topic to light and discussing it is nevertheless very timely.