This year marks the fifth anniversary of the European Union’s General Data Protection Regulation (GDPR) – the toughest privacy and security law in the world.

With GDPR, Europe ushered in a new era of far-reaching data privacy and security expectations, forcing organizations everywhere to reassess how they collect and store data. Since then, a medley of ambitious privacy laws has surfaced: from Lei Geral de Protecao de Dados (LGPD) in Brazil to the California Privacy Rights Act (CPRA), jurisdictions all over the globe are boosting data privacy efforts in unique ways.

As enterprises take on evolving data privacy obligations, legal teams play a central role in ensuring compliance.

This report highlights what’s next concerning data privacy across Europe and the United States. While exploring these, we highlight ways Contract Lifecycle Management (CLM) technology helps legal teams run simple, comprehensive contract compliance.

Where things stand with data privacy rules: Stricter regulations are sweeping the globe.

The EU’s GDPR set off a flurry of data privacy regulations, with countries and jurisdictions worldwide establishing local and international rules and mandates.

Today, about 100 countries have some form of data privacy or security controls. Gartner reports that by 2024, 75% of the global population will have its personal data covered under privacy regulations. While companies continue to navigate GDPR, proposed reforms and entirely new data privacy regimes are advancing. We explore a few of the latest regulatory headlines below:

Data privacy developments in Europe: The year of ePrivacy Regulation

2023 may be the year that an EU ePrivacy Regulation comes to fruition. To date, proposals have focused on cookies and consent – putting the responsibility for obtaining consent to store cookies “on the entity that makes use of processing and storage capabilities of terminal equipment or collects information from end-users’ terminal equipment, such as an information society service provider or ad network provider.” The proposed regulation is highly contentious, and one of the most lobbied proposals in the history of the EU.

Dabbling in data governance

The EU is targeting the use of data beyond just “personal data,” through the Data Governance Act (DGA) and the proposed Data Act (DA). The DGA is due to apply in September 2023. Apparent goals are to increase trust in data sharing, create new rules on the neutrality of data marketplaces, and facilitate public sector data use.

Monitoring the monitors in the EU

The European Commission announced it was cracking down on data protection authorities at the EU individual member state level. The goal is to ensure that EU members genuinely enforce data protection rules. According to some reports, major GDPR cases too often “languish in regulatory limbo.” Moving forward, the Commission will perform large scale checks on GDPR cases and demand frequent procedural updates from member states.

Untangling transatlantic data transfer

Businesses seeking more straightforward EU-U.S. data flows hope the recent EU-US Data Privacy Framework will be finalized by mid-2023. A White House Executive Order emphasizes that the DPF restores an “important legal basis for transatlantic data flows” and addresses concerns that the Court of Justice of the EU raised when “striking down the prior EU-U.S. Privacy Shield Framework as a valid data transfer mechanism under EU law.”

Member countries flexing enforcement

Perhaps in response to the above-noted scrutiny, EU member country regulators are ramping up enforcement activity – what TechCrunch calls an “important adjunct to slower-paced cross-border GDPR enforcement.” French regulators aren’t wasting time and have already hit Amazon, Google, Facebook, and Microsoft with cookie infringement enforcements.

Shifts in Standard Contractual Clauses (SCCs)

According to the GDPR, contractual clauses establishing appropriate data protection safeguards can be used as a method for data transfers from the European Union to third countries. This has included SCCs that have been “pre-approved by the European Commission.” In June 2021, the European Commission issued modernized SCCs that replaced the three sets of SCCs. As of December 27, 2022, organizations can no longer lawfully rely on prior SCCs to transfer data to the United States (and other countries) without an adequacy decision.

Big changes from Brexit

On the heels of Brexit, UK officials recently revealed a plan to “rethink its data protection regime” and create a “bespoke data privacy system” that diverges from the EU’s protection regime. As expected, enterprises are raising concerns over a daunting GDPR replacement – and expressing apprehension on how to comply with fractured, varied legislation.

“Despite the UK government’s emphasis on making things simpler for businesses, the more regulations diverge from the EU and other geographies, the more costly and difficult it becomes for global brands to rationalize their approach across borders.”

- Andrew Frank, Gartner’s research vice president and distinguished analyst

THE STAT(US) OF THE UNION:

Data Privacy Developments in the United States

Progress on Federal Data Privacy Framework

U.S. President Joe Biden recently argued for the U.S. Congress to pass comprehensive federal privacy legislation. The President’s push comes on the heels of promising traction last year for the American Data Privacy Protection Act (ADPPA). While federal lawmakers failed to pass the privacy law last year, the bill advanced out of committee in the House of Representatives with bipartisan support around data privacy, competition, and protecting children online.

The bill was resisted by California lawmakers who believed it would preempt the CPRA (which they argue offers stronger protections to state residents). Early traction suggests that regulatory muscle at a national level may be coming soon.

States filling the federal void

In the absence of Congressional action on federal privacy legislation, at least 35 U.S. states have evaluated privacy legislation, and five have enacted their laws: California, Virginia, Colorado, Utah, and Connecticut. In these five states, enforcement of new GDPR-inspired statutes begins this year. Included here is a list of the privacy legislation coming online in 2023:

  • Most of the provisions of the California Privacy Rights Act (CPRA) became effective on Jan. 1, 2023. CPRA amended the California Consumer Privacy Act (CCPA), which had already created a number of individual rights modeled after the GDPR. CPRA created a new state agency, similar to data protection agencies in the EU countries charged with enforcing the GDPR.
  • The Colorado Privacy Act (CPA) becomes effective on July 1, 2023. In addition to creating rights patterned after the individual rights under GDPR, CPA requires data security and contract provisions for vendors and assessments for “high-risk” processing.
  • The Connecticut Data Privacy Act (CDPA) goes into effect on July 1, 2023. CDPA creates a suite of GDPR-like individual rights and requires data minimization, security, and assessments for “high-risk” processing.
  • The Utah Consumer Privacy Act (UCPA) becomes effective on Dec. 31, 2023. It provides for certain GDPR-like individual rights and also requires data security and contract provisions. UCPA does not include expressly required risk assessments.
  • The Virginia Consumer Data Privacy Act (VCDPA) became effective on Jan. 1, 2023. It provides for certain GDPR-like individual rights. But in 2022, the “right-to-delete” was replaced with a right to opt-out from certain processing.

Lawmakers in Indiana, Iowa, Kentucky, Mississippi, New York, Oklahoma, Oregon, and Tennessee are also pushing proposals to bolster company disclosure and consumer consent standards.

“The growing number of comprehensive and increasingly specific privacy bills in state legislatures carry the potential of new compliance and liability risks.”

Bloomberg Law

Navigating these varied (sometimes overlapping) frameworks will likely exacerbate compliance difficulties. Because laws may have different models, businesses cannot simply comply with the most restrictive one and assume they’re good to go.

Cato Institute argues that the patchwork approach will generate “additional costs and require additional time for each law rather than developing the best privacy and security options for their product’s intended audience more generally.”

Agencies want a piece of privacy

In 2022, the US Federal Trade Commission began exploring new rulemaking processes, including trade regulation rules or other regulatory alternatives surrounding “Commercial Surveillance and Data Security.”

The agency is actively looking at the ways in which companies collect, aggregate, protect, use, analyze, and retain consumer data. Importantly, the rulemaking initiative was included as part of a published regulatory activity report in the Biden Administration’s recent Unified Agenda. As of early 2023, the FTC is reviewing public comments on the initiative.

The Role of Contract Lifecycle Management in Maintaining Contract Compliance

New rules and regulations mean legal teams must grow more vigilant in how they support collecting and protecting customer data.

“With regulatory complexity mounting on all sides, compliance with the GDPR isn’t enough for organizations to avoid data protection violations; they need to be compliant with every regulation they’re exposed to.”

VentureBeat The State of GDPR

With contract lifecycle management (CLM), legal teams have a cost-effective and efficient tool to adapt to regulatory shifts. Contract automation tools simplify critical activities, including managing privacy clauses, managing updates, identifying at-risk contracts, and creating compliance reporting for regulators or executive stakeholders.

Here are a few of the ways LinkSquares’ AI-powered contract management platform helps legal teams quickly respond to an ever-changing regulatory environment.

DATA PRIVACY & SMART VALUES:

Isolate (then eliminate) contract compliance risks.

LinkSquares Analyze uses cutting-edge artificial intelligence to “read” legal documents and extract key “Smart Values” within contracts. As data privacy laws evolve, legal can identify existing contracts that contain specific values or related terms.

With LinkSquares, reporting across the entire legal portfolio is a matter of a few clicks. As needed, legal teams can revisit or revise contracts en masse to maintain compliance if/when relevant regulatory requirements change.

We’ve rounded up some essential compliance Smart Values to fast-track agreement updates:

SMART VALUE | DESCRIPTION
Customer Data Clause | A Customer Data Clause defines both parties’ abilities to collect and use information pertaining to the other. The data may be used for providing services or improving existing services, or, in some cases, to detect security incidents.
Customer Data Consent Required | Does the customer have to provide consent in order for their data to be used?
Customer Data Instructions | Does the customer require another type of authorization other than consent? For example, “Instruct,” “authorized in writing,” “at customer request,” or “in writing.”
Data Breach Clause | A Data Breach Clause details what actions the parties must take upon the occurrence of any unauthorized access or theft of online data.
Data Breach Notification Period (days) | A Data Breach Notification Period is the time frame within which a party that has suffered a data breach must notify the other party of the occurrence.
Data Breach Notify Immediately | Is there a word or phrase that defines the period within which a party must notify the other of the data breach? Many times, this is wording such as “immediately notify,” “without undue delay,” or “promptly notify.”
Data Retention Clause | A Data Retention Clause describes a party’s process for continuing to store the other party’s data for compliance or business reasons.
Data Security - HIPAA | Is there any mention of HIPAA in the document?
Data Security - HITRUST | Is there any mention of HITRUST in the document?
Data Security - ISO | Is there any mention of ISO in the document?
Data Security - PCI-DSS | Is there any mention of PCI DSS in the document?
Data Security - SOC | Is there any mention of “SOC” in the document? SOC is a System and Organization Controls report. SOC reports are audits governed by the American Institute of Certified Public Accountants (AICPA). There are four main types: SOC 1, SOC 2, SOC 3, and SOC for Cybersecurity, with subsets of each (Type I, II).
Data Security - SOC 1 Type 1 | Is there any mention of “SOC 1 Type 1” in the document?
Data Security - SOC 1 Type 2 | Is there any mention of “SOC 1 Type 2” in the document?
Data Security - SOC 2 Type 1 | Is there any mention of “SOC 2 Type 1” in the document?
Data Security - SOC 2 Type 2 | Is there any mention of “SOC 2 Type 2” in the document?
Data Security - SOC 3 | Is there any mention of “SOC 3” in the document?
Data Security Audit and Certification | Are there any mentions of certifications or third-party audits? The Data Security Clause can include provisions regarding audits such as SOC or certifications such as ISO.
Data Security Clause | Data Security refers to the measures taken by a company to protect the customer data that it processes.

DATA PRIVACY & CLAUSE LIBRARY:

How capturing common language adds extraordinary benefits.

The LinkSquares Clause Library lets users build a repository of standard contract clauses from existing documents, store preferred clauses from third-party contracts, and draft new contracts from saved clauses.

The clause library is useful for managing an organization’s key clauses and establishing a “single source of truth” for approved language. These authorized snippets can then support pre-signature processes and efficiently update existing agreements at scale.

As compliance mandates change, legal can edit relevant, standard contract clauses once, then find and replace them in existing documents. This helps ensure that new contracts get built from the ground up with compliant language.

“Legal teams often save standard data privacy compliance language in offline systems or email folders. But, a central, secure, and accessible place for approved language improves the odds that data-privacy relevant terms make it into every contract you create.”

Jessica Bicknell

VP, Customer Success - LinkSquares

With a clause library, legal doesn’t just draft contracts; it assembles them using authorized language. This minimizes turnaround time between drafting, approval, and execution – even as compliance requirements morph.


To save legal teams even more time during the drafting process, the LinkSquares Clause Library is built directly into our Microsoft Word integration. Legal teams can find and insert their standard clauses in seconds — without leaving their preferred drafting tool.

REGULATORY COMPLIANCE ALWAYS TAKES WORK. CLM MAKES IT MANAGEABLE.

Departments are handling more–not fewer–contracts. As volumes jump, regulatory sprawl also forces leaders to revisit old contracts.

These factors are pushing some legal teams to the brink. Savvy leaders recognize the time is now to sunset one-off contract management and introduce technology to support growing compliance needs. As they do, they learn that CLM is the cornerstone of a sustainable strategy to bring privacy compliance into contract management and maintenance processes.

LINKSQUARES CAN HELP

LinkSquares uses natural language processing (NLP) and AI to parse and analyze your legal agreements, allowing you to identify any contracts that are out of compliance with speed and ease. By taking the drudge work out of contract analysis, you can perform regular reviews of your entire legal portfolio, so you can keep pace with data privacy and regulatory evolution. If you’re ready to get and stay in compliance with U.S. and international rule-making, now and in the future, then contact LinkSquares today.

The sky’s the limit.

Hey, why not get a demo?