Digital meetings, cloud, anonymity and CCPA
Companies and people react very differently to the Corona-situation. Some companies face drastic loss in turn-over, others flourish. Digital co-operation have rocketed.
Even though employees work from home, meetings are held through various digital solutions. Vendors of cloud-solutions experience that their services are much sought-after. To many, it now seems quite sensible not having to administer technical ICT-questions and to out-source those to experts.
However, one should take care to make sure that the agreements will uphold scrutiny even after the Corona-period is over and it may be time well spent to read the agreements properly.
One often discussed issue in such agreements, is how the processor may use aggregated data or de-identified data belonging to the controller. As you will know, aggregated data may be personal information or it may be aggregated to such a level that it is anonymous. Truly anonymous data fall outside the scope of the GDPR. De-identified or pseudonomized data fall within the scope of GDPR.
European countries have a stricter view of what is personal data than e.g. the US. This regularly pose a contractual challenge, when the agreement allows for the vendor to process aggregated or de-identified personal data for their own purpose. In some contracts, one actually see vendors claiming the right to sell and commercialize such aggregated and de-identified data.
Such contractual clauses must be addressed. As a very minimum, one must be able to identify them. If one decide to accept them, one must know why the company risk is considered acceptable and why the potential consequences for the relevant Personal Data is low (enough).
At the same time, there is now emerging privacy regulations in the US. The best known example is the CCPA (the Californian Consumer Privacy Act). The CCPA has gained a lot of attention and is so far the strongest privacy regulation in the US. It does not apply to all states, only to consumers in California. Interestingly, even though being considered to be the strongest privacy regulation in the US, the CCPA definition of Personal Data does not include aggregated or de-identified data. The same data will, however, be considered to be within the scope of GDPR. This means that even when complying with the strictest US privacy laws, a company is not necessarily GDPR-compliant.
Another important issue is that for the Processor even the use of truly anonymized data requires a permission from the owner of that data. For lawful use of anonymized data, this must also be addressed in the agreement. For the Controller, in many cases it may be absolutely fine to grant the Processor such a right. This will typically be the situation where the derived data has little commercial value for the Controller, but large for the Processor. In other cases, if the derived data have a economical value for the Controller, they will not want to grant that right to the Processor. In some cases, we also see that this gives rise to a discussion of pricing between the parties. The use of anonymized, derived data, have a value for both parties.
When Covid-19 is over, the world will hopefully return to normal again. It will then most certainly be important to get quickly back to business as usual. Even though vendor audits may not be the highest priority right now, we will all in due time receive questions from our customers and clients on our processing of their personal data. And it's not only about personal data, they will ask how other commercial data is processed too. Do make sure you do not hurry into agreements now that will bring new problems later on.