In our previous "Conversation on Compliance" blog, we talked about some of the numerous high-profile data protection laws that have emerged in recent years and their implications on contracts.
In this blog, we dig even deeper into data privacy and share the latest developments on two specific regulations: the American Data Privacy and Protection Act (ADPPA) and the General Data Protection Regulation (GDPR).
Here's what to expect in 2023 and how you can keep your contracts — and your entire company — one step ahead in a complex compliance landscape:
ADPPA: Fighting for Federal Data Privacy Regulation
While it seems unlikely that the ADPPA will pass in a lame-duck session of congress, the proposed data privacy law makes one thing clear: comprehensive federal privacy regulation isn't a matter of "if" but "when."
Similar to the GDPR, the ADPPA would be a major step forward in protecting individual privacy rights and governing how enterprises gather, store, and use consumer data. If passed, the ADPPA would grant individuals the right to access, correct, erase, and obtain a portable copy of their covered data, as well as require their consent before collecting or processing sensitive covered data. It would also permit individuals to opt-out of transfers of covered data (e.g., targeted advertising).
For businesses confused by the growing patchwork of industry and state-specific privacy laws, the ADPPA is a promising solution for streamlining compliance obligations. However, uncertainty around preemption and enforcement could still kill the bill.
Under the proposed bill, the ADPPA would overwrite stronger state privacy laws — like the California Consumer Privacy Act (CCPA) — and be enforced by the Federal Trade Commission (FTC), which has historically struggled with privacy enforcement. Once the new congressional session begins in January, two important questions will need to be answered: Will preemption and enforcement be adjusted to pass the bill? And if the bill doesn’t pass, what new proposed federal privacy law will take its place?
What this means for contract management:
Regardless of the ADPPA outcome, the writing is on the wall: data privacy is top of mind for lawmakers, and a federal law will take effect eventually. Now is the time for general counsel to consider its impact on contract templates, negotiations, and amending vendor and customer contracts. If passed, the ADPPA would affect clauses pertaining to data, such as Data Owner, Data Residency, Data Processing, and Data Breach Provision — so we recommend auditing your contracts to determine whether you need to update your templates and/or send amendments to comply with the new law.
GDPR: Decision Time for the Data Privacy Framework
In October, President Biden signed an Executive Order to implement the new EU-U.S. Data Privacy Framework (DPF) — a historic step toward restoring transatlantic data flows that comply with GDPR requirements and are "critical to enabling the $7.1 trillion EU-U.S. economic relationship," according to a fact sheet released by the White House.
Once approved, the EU-U.S. DPF will replace the EU-U.S. Privacy Shield, which the Court of Justice of the European Union (CJEU) declared invalid in part because of inadequate redress rights for individuals. The new DPF will create an "independent and binding mechanism" for individuals in the EU to seek redress if they believe their personal data was collected through U.S. signals intelligence unlawfully.
The European Commission is set to publish its draft adequacy decision as early as December 12, then launch its adoption procedure which includes obtaining an opinion by the European Data Protection Board and gaining approval from EU member states. The formal adoption process is anticipated to take about six months so, once approved, the new framework could be in place as early as March 2023.
What this means for contract management:
While it's unlikely that the adequacy decision will affect contract templates immediately, now is a good time to reevaluate your compliance protocols. A few questions to consider:
- Does this affect how we store data?
- How can I partner with the CISO?
- How will this affect our contract templates and, more specifically, our Data Processing Agreement?
Three Steps to Stay Current on Compliance
The biggest lesson for this quarter is that inaction isn't an option for general counsel. From continuing education to adopting CLM software, here are three ways to stay one step ahead of compliance:
- Keep learning. Since data privacy laws are dynamic and always changing, it's worth investing time and effort into getting the most recent updates. The International Association of Privacy Professionals offers training to non-members, and the National Academy of Continuing Legal Education can help you find CLE courses available in your state. Plus, if you're a member of professional organizations like the Association of Corporate Counsel (ACC) or the Corporate Legal Operations Consortium (CLOC), you can sign up for regulatory updates and get real-time updates in forums, feeds, and chatrooms.
- Seek outside expertise. If you don't have a privacy expert in your organization or have an existing relationship with a firm specializing in this subject area, we recommend seeking an external opinion. Building a relationship with a data privacy expert not only helps you stay current on regulatory updates, but also provides clarity into how these updates affect your organization.
- Invest in AI-based CLM software. Unlike traditional CLM tools, AI-based CLM platforms turn static agreements into searchable assets. You can search for specific attributes across all contracts — like data privacy clauses, for example — and pinpoint which contracts need to be amended, then bulk create and send amendments to customers and/or vendors.
With the new congressional session starting and the DPF adequacy decision on the horizon, 2023 will likely be a major turning point for data privacy. Stay tuned for our next quarterly installment of “Conversation on Compliance” and, in the meantime, check out our blog for more contract management trends and tips.