Locking in the Language of Data Protection

David Goldenberg
Published in Everything Cycles, Mar 22, 2018

Maintaining personal privacy and corporate data is increasingly difficult against the backdrop of the digital information era. The contractual language of data protection in commercial or civil agreements is critical, for both individuals and companies, to addressing possible breaches within a legal framework. In the United States, state and federal statutes provide the general guidelines for data protection. However, on May 25, 2018, additional regulations enacted by the European Union have the potential to affect global business interactions.

When contracts and legal documentation must include either confidential information or personal information, statutory regulations dictate a baseline for the scope and manner of reference in order to protect sensitive data that can compromise persons and businesses. Even before the dawn of cloud computing and mass-capacity data transfer, government agencies in the U.S. were trying to address the issues of redaction and protection of information associated with consumer- and organization-based policies like HIPAA and FERPA.

Data Loss is a Growing Liability

As legal obligations relating to personal information have evolved, and the consequential liability of data breaches has risen, so has the need for clearer and more protective contractual agreements relating to this data. Provisions covering what each party may do with the data created or provided in an agreement, as well as when data may be shared, transmitted, or stored with third parties and vendors, have increasingly become a standard part of commercial agreements. In many of these agreements, a ‘security addendum’ has become standard to provide a heightened level of assurance about these issues. Security addenda may be invoked for a number of reasons:

· One party makes a specific request for an addendum.

· A direct need exists to protect personal and/or confidential information.

· Current laws, regulations, or best-practices policies and standards dictate the need.

While no security addendum is an absolute in the protection of personal and confidential data, for parties sharing data it does provide an added layer of defense in how data is handled. Enforcing best practices on your vendors can be the most effective safeguard against data mishaps that compromise individuals and companies. For service providers and vendors, carefully reviewing and analyzing the requirements of the security addenda in contracts that you sign is an important part of the contracting process. Security addenda often have specific company-wide obligations on how information is stored, and separate liability clauses in the event of a breach.

E.U. Laws Take the Lead in Protective Standards

In addition to U.S. laws that govern data protection and how information is utilized, shared, transferred, and stored, the E.U. General Data Protection Regulation (GDPR) will become enforceable on May 25, 2018. Enacted in 2016, the GDPR provides sweeping changes for how personal data of E.U. residents is used and disseminated. The legislation carries profound impacts for businesses on a global scale.

As a general rule, pursuant to the GDPR, companies need not be based in, or conduct business in, the E.U. to be subject to the provisions of the law. Jurisdictional authority is invoked automatically when an organization collects personal data of an E.U. resident from a remote location. Most companies worldwide will have to be compliant with GDPR by the enforcement deadline in May of 2018.

Understanding and complying with both U.S. and global laws is critical to the continued success of any online business. Failure to comply with data security requirements is one place where most companies do not want to be in the headlines.

Interpreting and complying with a number of data protection laws across many jurisdictions can be a complex maze that demands the assistance of legal counsel. Engage and trust the advice of attorneys on the forefront of data protection. Our specialists are experts in both stateside and E.U. laws, regulations, and the best practices to keep even the most sensitive data secure.


David is a veteran startup lawyer and angel investor. His practice generally involves helping startups and other growth-oriented companies.