The Impact of the updated Standard Contractual Clauses (SCCs) on Contracts
On June 4, 2021, the European Commission published the final version of the decision on standard contractual clauses for transfers of personal data to third countries under the EU General Data Protection Regulation (“GDPR”), as well as the final version of the new standard contractual clauses (the “SCCs”). Watch this on-demand webinar with the Data Diva, Debbie Reynolds – a privacy and compliance expert, and Memme Onwudiwe, Executive Vice President at Evisort, for discussion on
I'm super excited. Just to everyone hopping on now, we will be jumping off just probably a couple minutes past the top of the hour just to give a chance for everyone to join in, but until then, we'll just be chatting a little bit in the meantime, but definitely sit tight. I see a good amount of folks who are coming in when we're very excited for this interactive session in which we'll also of course be talking about these issues around SCCs, privacy and otherwise, but also allowing for questions and engagement with the field of folks joining us today, so very excited.
Debbie Reynolds (00:01:34):
This is exciting. So, you were on my podcast, so I think this is the first... Since that then I think this is, or did we do another session since then? I can't remember. I think this is the first joint other thing that we've done since then. Is that right or wrong?
Memme Onwudiwe (00:01:55):
I believe so, we definitely do talk a lot-
Debbie Reynolds (00:01:58):
Memme Onwudiwe (00:01:58):
These cases are always changing and it's very interesting how AI is facilitating things and just the changing regulations and rules facing folks. As far as the events and going out and talking to folks, I think this is only the second time, and so I know last time we talked about a lot of different things. It was a very interesting time in our history, but there wasn't the opportunity for folks to ask questions. I am excited for that interactive component again this time as they're flies on the wall in this conversation.
Debbie Reynolds (00:02:33):
Totally, well I think you can't know enough, I think, about this and so talking about them in theory is one thing, but just getting more information about how people are using them in day-to-day business I think would be helpful as well. So, I'm going to throw in here for people who don't know, I've had the pleasure of knowing Memme since his Harvard days actually. So, it's pretty cool to see you progress and succeed in your career and it's so much fun for me to be able to be a guest on this webinar to talk to you about these topics.
Memme Onwudiwe (00:03:18):
Thank you so much, and then let me say, from the time that we were students at the Harvard Innovation Lab and just training algorithms, it definitely was incredibly important to have experts such as yourself who would give the time to talk to us about the needs out there. So, as we're developing these algorithms and technology that's not in the vacuum, we're able to actually build things out that meet people where they are. And so, your collaborations supported even from small, when we were just a few guys in Innovation Lab, to now where we're backed by Microsoft with clients all across the globe. It's great to still have you on board as a supporter and friend, so really great avenue on today's podcast.
Debbie Reynolds (00:04:03):
That's going to be great.
Memme Onwudiwe (00:04:04):
Excellent, and for the folks trickling in now, we are scheduled to start at the top of the hour. We will probably give a minute or two at that point just for some more folks trickling. We're seeing a lot of folks coming in, we know a lot of folks signed up and we want to give everyone that full experience. When we're going, of course, for folks who've been in some of these webinars in the past, it's very interactive on both ends. We'll both be asking lots of poll questions to folks in the crowd as well as us opening up the chats for folks to be able to ask questions to Debbie, who's our expert here today, and I think maybe one other thing to note as we are waiting for these last few moments for folks to continue to jump in is this is a bit of a two part series and that today we're really diving into the standard contractual clauses, the SCCs, GDPR, also talking about changes in privacy regulations more generally.
Obviously, there's the patchwork of domestic regulation here in the United States that's worth talking a few words on, but we're really going to be focused on these trends and regulations. On Thursday of this week, we're actually doing a subsequent session. I'll be joined by actually our head of customer solutions internally, Riley Hawkins, and that'll be a focused working session on how to take some of the issues we're talking about around privacy today and actually leverage Evisort's platform to run those kinds of remediations, leveraging AI, so you don't have to go through the tedious manual work that typically accompanies that kind of project. And so for today, the focus really will be on that higher level. We're happy to answer any questions, of course, but I did want to do that framing and of course we'll send details for that Thursday session if there are folks who want to take some of the learnings today and try to actually attack them with our technology and see that in action.
Awesome, excellent. I know we've got a couple minutes left before we hit the top of the hour. Debbie, I guess maybe a fun question as we're waiting for folks to jump in. As we know, in the United States right now, lots of different states are coming up with their own data privacy laws. California is a big one, New York's a big one, but lots of states are looking. Any kind of interesting ones that maybe makes one your favorite over the other? I know sometimes they can all be annoyingly similar enough, but annoyingly enough that you have to change things for, but are there any interesting ideas on this side of the pond that maybe even other folks might adopt?
Debbie Reynolds (00:07:01):
Good question, I think probably my favorite, I'm biased because I'm a Chicagoan, the Illinois BIPA law definitely. It's four pages and packs a heck of a punch I would say. So very straightforward, don't use people's biometric data without their notice or consent. Let them know about data retention, it has a private right of action. It's been interpreted in ways that some corporations don't like, for example, the per incidents, for example, calculation can be like every time someone, for example, maybe scans their thumbprint, so private right of action is several thousand dollars per incident, per capture.
The math can be astonishing and astounding, and so we're continuing to see cases come up where they're trying to really challenge that and it's not working very well. So, we've seen some big number settlements come out. There are some cases in the pipeline where they're trying to challenge that. I think that law snuck up on people and they didn't really think... Because it's so old, because a lot of people when they were talking about privacy laws didn't even think about it because it came out in 2008, so it was so long ago. It was before GDPR and all this type of stuff. So, I think it is actually the most stringent biometric privacy law in the world right now.
Memme Onwudiwe (00:08:38):
Wow, would you look at that? I'm just trying to have a nice pre-webinar, softball little fun question and you come at it with so much content and information that I'm remiss not asking that during the full session. I think that just because I've learned my lesson that even the innocuous questions will come back with such a level of expertise and content that I probably should just save them all for the session, so that is excellent.
Debbie Reynolds (00:09:08):
I'm not for play, Memme.
Memme Onwudiwe (00:09:11):
Fair enough, no, I've learned. So folks, when we do send the recording, we'll make sure to also include this pre-session, which as we are waiting for the last few folks, I see we're a minute past the top of the hour, so we'll be kicking off shortly, but what I thought was just some innocuous banter ended up of course with Debbie all things really substantive content.
So, we'll make sure that when we do share recording of this session later on to include some of these pre-event proceedings as well. Excellent, well it does seem like we've got a good amount of folks in here. We did want to give a couple minutes past the top of the hour for folks to join in. I guess let me do a little bit of housekeeping before we dive in, do introductions, and just dive into this content while folks are still coming in. Hello, my name's Memme Onwudiwe. I lead legal and business intelligence here at Evisort and we're super excited for today's session. I'm about to pass it over to Debbie to do a full introduction, but just to frame today's session, as you guys know, this is Clause & Effect, it's a series on contracting transformation.
Because of some of the time sensitive nature and just high importance of the issues that we're dealing with today, in addition to today's session, which is an interactive session, we're able to ask questions and speak with Debbie Reynolds, an expert in privacy law, we're also going to be doing another session on Thursday to which we'll actually put the information in the chat now, and what that session's going to be is actually deep dive with our customer solutions team talking about how to attack some of these use cases around privacy using our AI system, so you are able to address them, of course, without having to expend manual effort, but then in the future as new regulatory issues come up, you're able to leverage and attack those without having to do large amounts of manual effort every time. And so, we understand there's a lot to get to and we don't want too much of today's focus to be on that solution side because there's just a lot of content and issues to talk about.
And so, we do have both of these events happening this week, and so I did want to put that on the table, but without further ado, we are here with Debbie Reynolds who's a privacy and compliance expert at Debbie Reynolds Consulting. I'm happy to pass it over to her just to say a couple words about herself and her practice, and then from there we've got a lot of really good questions to dive into. And like we said, today is going to be an interactive session. So in addition to asking questions, which we would prefer that you did in the Q and A section as opposed to the chat section. We also are going to be asking a few polls on your side as well. And so without further ado, let me let Debbie say hello and then we'll dive into questions.
Debbie Reynolds (00:12:11):
Well, hi, thank you so much for the gracious introduction. So, I'm Debbie Reynolds, founder and CEO of Debbie Reynolds Consulting. I like to tell people I work at the intersection of technology and law. I'm definitely a tech geek, and I've worked with organizations over 20 years on data flows and data movements all around the world. So, I have been using standard contract clauses for over 20 years. So, this has been really interesting to see how things are playing out in Europe especially and in the US with data privacy regulations and how that impacts how we do our day-to-day work and how it impacts contracts.
Memme Onwudiwe (00:12:57):
Awesome, excellent, and I think even though there's a lot happening in the privacy world right now, what's really pressing to a lot of companies are these changes we've talked about to the standard contractual clauses, the SCCs. And so, I think the first question would just be what these regulations mean to folks and the obligations they now face, but then also just a timeline of, what are the key dates coming up? Because I know different dates have been passed around, they might be confusing for a few folks.
Debbie Reynolds (00:13:30):
So, basically the EU updated their standard contract clauses. So, standard contract clauses have been used since the two thousands and the purpose of standard contract clauses is to handle data transfers in which the country that the data is being transferred to doesn't have what is deemed adequate protection for data. So, that means that companies have to jump through other hoops to be able to create contracts and then put more detail on how they're going to handle the data transfer or how the data is going to be managed and what you should do if something happens to the data. So, standard contract clauses have been the most popular way that companies do these transfers. So, I think the last statistic that I saw said about 80% of companies that do these type of data flows outside of Europe use standard contract clauses.
So, it's a big deal in that regard. They hadn't been updated for quite some time. As a matter of fact they hadn't been updated before the GDPR. So, part of the reason why it's very important with this update is that the guidance has come out about how standard contract clauses plug into GDPR, where a lot of people are confused about how they connect it together because a lot of the older standard contract clauses reference the previous data directive that preceded GDPR. So, I think it has some clarity there. So big dates were in June, let's see, June 27th, the new clauses went into effect. So, companies that wanted to do new contracts had the option to use the new clauses that they wanted to. Up to September 27th of this year, companies can either use the new or old clauses, but for new contracts they should use the new clauses.
And then the next date is December, I think, 27th of 2022, and that is for companies that already have contracts in place using the old standard contract clauses where they need to update them by that date. So, there's a lot of stuff going on right now. I'm recommending that companies as soon as possible start using the new clauses and start understanding them, and then I think companies who have been in the habit of using them I think are excited because the new clauses get rid of some of the old limitations. There was a party to party and you couldn't do multi-party contracts using these clauses previously and now you can. So, there are a lot of different things, but then there are also some other more difficult hoops that you have to jump over and some of them haven't been fully resolved. So, that's what's going on.
Memme Onwudiwe (00:16:45):
Nice. Now, that was a great synopsis, also hitting on some of those nice and upcoming dates. I think I would also love to dig into some of those new hoops that folks are going to need to jump through and maybe what hasn't yet been clarified, what's still yet to be clarified and described. I guess just to make sure though we're going in a path that's relevant to the audience, I do have a question for them. I'll put the poll up and it's really just about what your role is and we've got different options, legal operations, cybersecurity, compliance, contracts manager, different potential roles just to see who we've got on the line, so that as we're digging into the details of the SCCs, GDPR, even maybe domestic and American policies, we're hitting folks at a level that is adequate. Seeing these numbers come in now, it looks like we've got over 50% of folks on the legal side of the house and then it looks like a split of cybersecurity, compliance and contract managers is really making up that other 50%.
And so, definitely I think the right groups of people in so far as what we're looking at there, excellent. And, I guess one other question that we will dive into, well actually I guess we do have a question coming in right now and it's from Vikram and it's basically saying, "Will the SCCs change any master service agreement and data processing agreements?" I think really what he's getting at here is the scope. Is it every MSA we've ever done? Is it the only ones that have DPAs? Is it only ones with parties that are in Europe? What exactly does Vikram and his team need to be worried about when it comes to media?
Debbie Reynolds (00:18:50):
I think if you are using standard contract clauses previously, obviously that this would apply. If you're creating new contracts, you definitely want to get those in if they apply to what you're doing. I think that in terms of the way people go about explaining, especially if you're in a country or you're transferring data to a country that has an adequate protection, you need to fine tune your message. So, I think the thing with standard contract clauses, which is really different than say for instance the privacy shield where that was more of a data fire hose where you say, "Okay, we're going to do these 10 things, for example, and then we can just transfer data whenever." Where this is more particulars, more case by case based, and then you have to add those fine tuned details about what exactly you're going to do.
Also, a lot of companies in the past have created separate data processing agreements, and the guidance for the SCCs and something I've done over years is you don't necessarily need a separate agreement for that. You can add that as part of the contract that has SCCs, but it's just up to you. The important part is that the information about how the data's being processed is articulated in those documents and the reason for them is to make sure that the parties that are in the contract are trying to make sure that they can do whatever they can to make sure that the data has as adequate protection as they're able to provide. So, it has new responsibilities for the data importer and the data exporter or the controller or processor about what they're supposed to do with data and what remedies happen or what they need to do if they have situations where let's say a government asks for data. So, it has things in there about that which are still sort of controversial. I don't know if I answered your question, did I?
Memme Onwudiwe (00:21:21):
I believe so. His question was really, is it all the MSAs and all the DPAs? You talked about how it's not all of them and how the biggest indicator is, are you using SCCs today? Which I think actually triggers me a little bit in that I want to ask the group, as you said, these new SCCs have been promulgated since June of this year and so we are just going to ask a quick poll question to everyone of just, are you using the updated SCCs now as we reach that September date, which will be rules to use it moving forward and eventually December when all past data privacy language would need to adhere to the updated SCC language?
And so, it seems like this would also be an indicator for whether or not you'd need to make these updates, as was Vikram's last question. It looks like the answers here are generally no. It looks like about 65% of folks saying no and then about 20% splitting between I'm unsure and yes, which actually is a solid number for yes, frankly just knowing where a lot of folks are on these changes, but definitely it seems like something that folks are in the middle of thinking about or working on, getting this broader use of SCCs.
Debbie Reynolds (00:22:48):
It's challenging, especially for people who've never... Equally for people who are accustomed to the old clauses where they may not have fit the way that they wanted them to. Where for example, you may have done a party to party contract where now you can do multi-party contracts, so that could be a big change. You may not have had to address the technical organizational precautions that you're taking in the same way that maybe you're doing it now, and then obviously the standard contract clauses because of the involvement of Max Schrems in the cases against the Privacy Shield and Safe Harbor, one of the big issues that he had, which comes up in standard contract clauses and it isn't perfect, was indiscriminate data collection, especially in places like the US where we have a Patriot Act and stuff like that.
So, a business can't really... What's the word I'm looking for? They can't turn down a government if the FBI busts in or whatever and wants to take data. You can't stop them, but one of the things that... And, the guidance for the standard contract clauses is that they want parties to be able to fight. And so, that has a financial component too. So, to be able to take a case as far as you can if you have to protect this data. So, there are things in the standard contract clauses now that are saying you have obligations to try to protect this data as best as you can and describe how you're going to do it from a technical and organizational way.
Memme Onwudiwe (00:24:52):
Interesting. Well, I guess building on the idea of the financial side of the house here. I would love to talk a little bit about the consequences of non-compliance when it comes to some of these SCCs. I'm sure we've heard the large scale, the max GDPR fine of 4% of global revenue that keeps compliance officers up at night, but just when it comes to deeper level of what non-compliance can mean to different kinds of companies, I would love to talk a little bit about that.
Debbie Reynolds (00:25:30):
That's a perfect question actually. So beyond the fines, like I said, this plugs into GDPR and how that works, but probably one of the harsher fines or consequences is that some third party companies may not be able to comply. And so as the standard contract clauses are written or as the guidance goes, if a data exporter feels like the data importer can't comply with obligations of the contract, they have to cancel the contract or get a new third party supplier, so it's putting more responsibility on third parties and how they handle data, which means that the first party data holders are pushing more of that responsibility down and they have to assess on a case by case basis if they should be working with certain parties. So, I think that's probably one of the more harsh things. So, I think maybe some third parties in the past were able to work with these first party companies, but if they can't meet the obligations that are outlined in these new clauses, then they may not be able to work with these businesses.
Memme Onwudiwe (00:27:00):
No, that makes sense. That's really interesting, the effect of not on the people actually being directly regulated, but the changing relationship between those who are directly regulated and their existing vendors as they need to push some of those responsibilities over to companies who might not be able to hold up, just to summarize that a little bit.
Debbie Reynolds (00:27:22):
Totally, because the first party data holder is beholden as well to the regulator, so they have to answer to their regulator about how they're handling data. So, that due diligence is very important. And for example, even though this doesn't apply to every type of company, one thing that's written into these standard contract clauses is that the first party data holder can do an audit of a sort. The way they described it is you can go on-site, kick the tires, and make sure that the company is handling the data the way that they're supposed to.
We know that in theory doesn't work all the time, especially if you have a virtual business where there isn't an office or something like that. So, you have to find ways to be able to get that certainty. A lot of times it's through documentation. How do these third party companies that you're transferring data to, how do they describe their processes? What things are they going to put in place to protect the data? How are they going to articulate that, and then also be able to prove that they're walking their talk so to speak?
Memme Onwudiwe (00:28:44):
It makes sense. Well, I think that conversation led to a bit of curiosity. We have a question there from Erica, who's saying, "Hey, it actually looks like the new SCCs are modular, and one is asking if that's correct, and two-"
Memme Onwudiwe (00:29:01):
Excellent, and then I guess the follow up then is if so, can you recommend some good guidance on how to use them?
Debbie Reynolds (00:29:08):
Yeah, so the standard contract clauses are modular. You can use them for many, which I think is a huge deal where let's say for instance you had a process, you had 10 different suppliers or something that you had to work with. In the past, you would've had to have a different contract basically for each person. So, now they're combining it where you can do controller or controller, processor, controller. So, you have different flavors of how you do these contracts and you have multiple parties in these contracts and even if let's say for instance two of the eight parties in the contract can't comply, you can terminate those two parties out of the contract without having to do the whole thing over so to speak. So, they're trying to give people more tools and more avenues to be able to do these contracts and they have more guidance about the type of detail and specificity that they're requesting and it's quite a lot.
So it's not just like, "We'll make this widget, whatever." They want to say, "How are you handling your security? What privacy things do you have in place? Are you willing to comply with whatever, whether it be subjective or not?" There was actually one thing in a guidance for a standard contract clause, which is really interesting, also controversial, and that's about asking someone had the government ever busted their door down and taken data from them or whatever. It's subjective because if they have, I don't know what that means. If they haven't, I don't know if that means anything either, but it is in there because that's definitely a concern and that's one of the big central issues around the Schrems cases is about indiscriminate data collection, especially in the US, even though standard contract clauses are used around the world, so it's not just the US-based, but that was a big issue.
Memme Onwudiwe (00:31:20):
Interesting, and so I guess the idea is that these questions now need to be asked. There might not be negative ramifications for it yet, but since these are ever evolving potentially down the line, that's interesting, but I guess a lot of it though is asking these additional questions, but not yet having... And, I guess when we talked about the extra hoops to go through and how some of it isn't clarified yet, are those some of the aspects you're talking about where we don't quite know the significance of the answers to some of these questions yet? I'm wondering, what are still the unknown unknowns in these SCCs?
Debbie Reynolds (00:32:01):
Good question. I think to me, so the GDPR doesn't address surveillance or law enforcement in the way that the SCCs are trying to hint at, and I think a lot of that is because of these Schrems cases where there really isn't a good answer right now for that, but I guess it doesn't hurt to ask the question and to be prepared and to do all that a business can do to protect data. So, I think that part is still controversial, I think, and there's a limit to what businesses can do. So, you can't really overthrow your own government or you can't stop certain types of data collection, especially in the law enforcement type of thing because those things that happen, especially related to things like the Patriot Act or whatever, they supersede our consumer laws. So, if I thought of the US laws as a layer cake, think of Constitution, Patriot Act, HIPAA, Gramm-Leach-Bliley, and the bottom of it will be consumer law.
So, it doesn't reach up that far. So, I think that's just an open question that is not yet answered, but in the meantime companies can, with confidence, enter into these agreements, get information. I think that companies should always want more detail about how their third parties are handling their data. It is just good practice anyway to have that information. So asking those questions, and I think also I want to add about standard contract clauses, a lot of people need to understand that you can't change the standard contract clauses, but you can add additional stuff to the contracts, but not contradict the clauses. So, some people are afraid to add certain things to the contract, which they shouldn't be afraid to as long as they're not contradictory to the standard contract clauses.
Memme Onwudiwe (00:34:24):
No, those are excellent notes, and especially as you know we are going to talk a little bit about some of the things happening domestically from a privacy law perspective, being able to potentially craft the privacy language that can work across multiple jurisdictions would be important there. I guess before diving there though, I do have a question just for the folks on the line around... A lot of the issues, certainly when we've worked with companies too, is they know these things are coming but they don't even have a view and a scope onto how big the problem is. They don't even know how many contracts need to be updated, let alone which versions they're at, and we've seen companies where these changes happen all the time. They might have seven different versions of data privacy language going around and they can't even identify past templates, they just know they existed at some point.
And so, just to get a gauge of where different folks are at, here's a question to everyone just around if how many of your contracts need to be updated from the perspective of some of these SCCs, you've gotten to that level of handling or maybe you're still at the point where you're identifying gaps in compliance and you're still trying to build out that world of documents that may require remediation. And, on the smooth third it looks like with around 33% of people saying yes, they do know how many contracts need to be updated and about 66 and two-thirds of people saying, hey no, we're not quite sure of how many documents would need to be updated.
And so, I guess I would love to talk a little bit, Debbie, just about any practices and thoughts and strategies when it comes to quickly amending your SCCs. And then as I said to folks at the top, we will be doing a session on Thursday at Evisort about how leveraging AI in there too, but just things you've seen there, but I also want to touch upon the fact that Europe isn't the only country with data privacy laws. California and New York now have their own, and how is it that you deal with the standard SCCs while still making sure that you're compliant through the growing patchwork of domestic regulation?
Debbie Reynolds (00:36:47):
Wow, that's a loaded question.
Memme Onwudiwe (00:36:49):
Debbie Reynolds (00:36:50):
It's tough, so the whole thing is about where the data is or where the people reside the data belongs to and that is your roadmap or how you need to handle that. I'm seeing more and more over the years data transfers internationally just because I think things are in the cloud. Companies don't need brick and mortar operations to do business in different countries. So, it just makes the landscape a lot more complicated, and then the US is 50 different countries in terms of the way that we think about a lot of the privacy laws and our sector in specific. To me, privacy laws or regulations around the world fall into three buckets. So it's the government bucket, what the government says they want to happen, it's a consumer focus, and then there's a business focus.
So, I think of things like the GDPR or even the CCPA to some extent would be more consumer-focused. So, a person has a right, we want them to exercise their right or whatever. Where the US, we're in the middle I guess between... Actually, we have all three. So, it's a lot of business focus. So, we have a lot of sector-specific laws that are federal, not a lot but enough. HIPAA has a privacy part, stuff about handling people's data, their social security and their financial stuff that's federal, but then at the state level it seems like the states are trying to go more of a consumer route where they're like, "Look, we want the people in our state to have X, Y, Z rights," and then they're rolling in more consent.
So where the past, a lot of things were notice where someone put up a sign and say, "Don't fall in this pothole," or something like that. It was what the notice was before. Now they're saying, "Oh, you have to ask consent, especially for certain types or sensitive data." So, we're also seeing on the state level states trying to grade the severity of certain data misuse by the sensitivity of that data. So, that's a new thing I think in the US.
Memme Onwudiwe (00:39:32):
I really appreciate that, because that was a very difficult question about balancing those, but you're right definitely in there. And as you're asking that, and I was thinking of a follow up question, it seems like lots of other folks were too, and I'm going to ask these two questions in tandem as I do feel like they have an element of similarity and they can be taken a bit differently, but it's really one from Nathan around the new SCCs have been described as being able to replace a DPA. One, is that true? And two, is that advisable? And then I think two, there's a question from Shane which is on a similar note, which is basically saying, hey, can you speak to the new SCCs obviating the need for separate DPAs for controllers and processor transfers? So, basically both the idea of SCCs obviating the requirements of separate DPAs. Was one focused on controller to processor transfers? But, if you could just talk a little bit about the relationship there as it looks like folks are thinking about maybe changing... Taking this as an opportunity to change their DPA strategy more holistically.
Debbie Reynolds (00:40:42):
So, basically the mechanics of what a DPA is supposed to achieve still exists. So, regardless of whether it's in part of the contract that has a standard contract clause or a separate is really up to the organization, and actually if you read the guidance that came out with the SCCs, they briefly just mention it almost in passing, which is funny because people take this super seriously, but for me I never had them separate, so I put them together in the contract. So, I think it's just based on the organization and what they feel more comfortable with, maybe because they've done them separately before and they don't want to combine them, people want to have them separate, they can, or they can add them in to the contract or the standard contract clause. So, I don't think there's any right or wrong answer there.
I personally would combine them, put them together because that's what I did. That's what I've always done because it was easier for me to have all that stuff, especially I don't know how you feel about... How I've always felt about contracts where in the past people would sign the last page and you can find the other version and all this type of stuff. So for me, it made sense to add all that stuff together when it made sense to do that. So maybe that works, maybe that doesn't work. Let's say if you have a lot of different suppliers and maybe the obligations that you have for them are different in some way, maybe it makes sense to have it separate or not. So, it's just up to the person. As long as you're checking the box and being able to fulfill the obligation or the reason why you did a DPA in the first place.
Memme Onwudiwe (00:42:42):
That's excellent. So, it looks like people have a little bit of flexibility on how they do it, but there's no "due to SCCs, DPAs now have to be X or Y." It seems like some of that same flexibility still stands even after this change.
Debbie Reynolds (00:42:59):
Memme Onwudiwe (00:43:00):
Awesome. Excellent, and then I guess looking at the SCCs, but then also, as I was talking about before, looking at the different patchwork of American data privacy laws that seem to be growing, understanding that, as you said, it's like 50 different countries and they're all pretty different. But in general, I do see some themes of American ones versus European ones either be it based off who is implicated in it typically or the fine structure. And so, just for folks who are already dealing with SCCs, but just trying to learn a little bit about the nature of what could be coming in an American pipeline, I would love to hear some of those generalized thoughts and maybe we can touch the controversial subject of a potential federal data privacy law that would get rid of this complicating patchwork, but we'll see if there's other questions that pop up in the meantime. But, just if there's any elements that you think are pretty common across American ones that contrast against European ones, I think that'd be interesting for folks to see.
Debbie Reynolds (00:44:16):
I think a lot of the American state level laws have a lot more carve outs than probably some of the European laws have. So I tell people, let's say in California, you go into a grocery store, you give them your data, they're subject to CCPA and how they handle your data and then you walk across the street to a church and they don't. So you're still the same human, but your rights are different based on the types of organizations that you're dealing with. Whether it be the company may not meet for CCPA, for example, maybe not the financial threshold where they have to comply with CCPA or the number of customers and stuff like that. So, it gives people fragmented rights, and then not all states have consumer laws that are as comprehensive as CCPA, so there's kind of, I don't know, like you guys call, like a Frankenstein document.
There's like a Frankenstein patchwork of laws and gaps in different places where some states don't have any in that way in terms of comprehensive laws. Obviously, California is very progressive and has been for decades about privacy laws. So, they built their layer cake or privacy laws and are continuing to do that and they're the forerunner, but we're seeing other states like Virginia and Colorado try to pass comprehensive laws. So, if I think about the thread that runs through a lot of this, it is... Well, a couple things. It is bringing forward the idea of consent as opposed to just notice of individuals, this grading of data sensitivity or data types in some way where certain types of data have stronger protections or more fines or penalties and then it's a patchwork very much so in terms of things...
Probably the two most controversial things, and the reason why we don't have a federal data privacy law right now is because there are fights over preemption, having a preemptive federal law or having a law that may be too weak or weaker than some of the states, and then a private right of action. So, we're seeing some of the laws have private right of action, some of them don't. So, a lot of businesses don't want to see this private right of action. And so, we're just seeing all this play out, and then I think two states have state envy, so some of them want to have more bespoke privacy laws, different enough to be able to get more attention in some ways, which makes my job more difficult, your job more difficult. So, I think we're going to continue on that pace for now. It looks like states are stepping up to the plate and are trying to get these privacy laws passed at a state level and I think that's just going to continue for a while.
Memme Onwudiwe (00:47:38):
Wow, so you think all these... For lots of companies, it's one, difficult for them to really determine what states they operate in. I'm sure COVID didn't help that with everything being remote in addition too, and so I'm sure a lot of times folks just assume that they operate in all the states. I guess, how have you seen folks deal with this? I know we've talked about in the past of a Frankenstein clause that almost takes the most strict of all the states and puts it in there, so no matter what you're working under it. Is that what's advising? And maybe it's a brave new world, folks, maybe best practices haven't developed yet?
Debbie Reynolds (00:48:23):
It's a work in progress. I try not to focus too much on the laws as they're being made. So, I want to see them once they're passed. So once they're passed, I can look at them and go crazy over what's there, but I think there are some fundamental principles that companies really need to think about, what these laws are trying to accomplish. So, one of the biggest things is transparency. So, if you have customers and you can't be transparent with them about how their data is being handled, you're going to have problems.
So almost all those, the privacy laws at a state level are going towards transparency of a consumer of their data. They want security, so there are laws being passed about how companies need to secure the data, and even some states like... Is it Connecticut? And Ohio, where they're creating safe harbor provisions and data breach stuff where they're saying, "If you have a breach, but you can show in the past that you did some work to try to shore up your cybersecurity, maybe you'll be subject to lesser fines," or something like that. So, it's all over the board, but I tell my clients, "Don't pull your hair out about every new law that comes up." If you're thinking about being transparent with your customer, or protecting their data, understanding that they have rights and then you have new obligations to not only those individuals but also maybe your regulatory body, so if you keep those things in mind, I think those threads are woven throughout almost any privacy law you can think about.
Memme Onwudiwe (00:50:17):
Sound advice, going to go to the core, and as long as you're keeping up with the essence of what they're trying to do, despite the small differences, you should be on the right track. And of course, on Thursday at the Evisort session we'll show you how to identify all the varying language and bring them up to speed. But you're right, just from a company culture perspective, if you want to be on top of these things, you need to take and respect the issues that they're trying to address, you'll always be well-positioned for them. That's excellent. Well, one question I guess to the group is, where is everyone on that, when it comes to at least being well-versed with these different privacy regulations? I know the topic for today was on the SCCs, but we'd be remiss not to talk about some of the other important issues happening in privacy law today.
And, it looks like just about 50-50 with half of folks saying, hey, they're well versed in these different privacy regulations in the states that they operate, and another 50% on half of folks saying, hey, we are not yet well versed. And I think to your point, Debbie, it can be overwhelming and scary to see these headlines, but I do like really your advice of wait until it's actually agreed to and wait until it's actually been passed because you know can hear all these headlines about crazy things that never actually get passed. And so, I think that's probably the first step in maintaining sanity while trying to work on some of these issues. So, that's excellent there.
And, then I guess one piece I did want to make sure we touched upon, and you had discussed it a bit earlier, but it really is looking at some of the impact on third party vendors. And, I think what's interesting and we've talked about in the past is that... As we've talked about, the US system does have several different carve outs, but what it also does though is it doesn't really differentiate...
It basically tries to protect smaller companies by giving them lower amounts of requirements, but then as we've been talking about today, if I'm a first party person and team who has these smaller vendors, it's in my interest to make sure all of these smaller vendors are living up to the requirements I'm under, even if it might be onerous to a smaller company. And so, I know that this is a dance that we're living in, and as I said, a lot of these issues are novel. There aren't really solutions to this yet, and I'm not going to ask you to provide the solution to things there aren't solutions for. But, how do you see this burgeoning issue as more and more of these requirements and different patchworks that these companies need to work under? Because these frameworks are so different, it just seems difficult to match them up.
Debbie Reynolds (00:53:26):
I think there's a huge thing going on now and we see it in a lot of different ways, but they describe it in different ways. So, it is basically to shift third party risk away from first party companies. So, a good example of this would be what Apple did with their privacy stuff where they're saying, "Me Apple, as a company, we have a first party relationship with consumers and then we're going to make marketers fend for themselves. We're going to make them get consent from an individual and create their own relationship with the individual." So, that is just an example of a shift in the mindset of third party risks where the first party company's like, "We have the business, we have the relationship. How does it benefit me to have this third party? So is it a risk? Is it a benefit?" So, I think companies are going to start to figure that out.
And then especially as it relates to contracts, what things can you shift to third parties if anything? We're seeing, which I think is good, we're seeing things like standard contract clauses or even the GDPR, the way that they describe processor or controller, and we're seeing that language show up in different privacy laws or even in the US where they're saying the main company and the first party data holder has more obligations than a third party, but the third party also still has obligations. So, I think those obligations may be growing and getting bigger, but I think that it will be a foundational change in the way that third parties think of their role and their responsibilities as it relates to data handling.
Memme Onwudiwe (00:55:26):
And, that's something that we're going to continue to see over the years of course, which is excellent. I think one question, and we actually did have a question come in a little bit more on the Evisort side of the house, asking about can Evisort's AI automate these processes. As discussed at the top of the video, we will be doing a separate session on Thursday when we'll actually just be diving in with our customer solutions team. I think that link should be in the chat and just focusing specifically on leveraging Evisort on these use cases and using that AI there to do so, but I do think I would like to ask a question just around best practices for folks to identify where there's potential gaps in their contracts even outside of AI ones. But I guess before that, we do have one more question for the crowd, which is just a question on how you plan on updating your contracts for the upcoming SCCs, what strategies your teams are using.
And so, that question is up now, responses being either leveraging outside counsel, maybe tackling it manually with your own team, maybe leveraging software, maybe it hasn't been decided yet. But, I'm definitely curious on that as I think one thing that... There's a lot of uncertainty in what we've talked about today, but one thing I think we can be certain on is that these will change again, and that upon each change, having assisted monetize the way of attacking those can be super helpful, important.
So as we're seeing the results come in, it looks like basically 40% haven't decided, 40% are doing it manually, and of the folks who aren't doing it manually, it looks like the majority's using outside counsel and only 3% is using software. So for folks not using software, I highly suggest you show up Thursday just to see how this and other regulatory changes can be automated from a remediation perspective leveraging software and AI as opposed to human resources and outside counsel. But, Debbie, we just would love to hear strategies that companies have used either to stay ready, they'll always be in a constant state of readiness, or just to tackle these kinds of remediations because the fines are heavy and everything is always very uncertain. I'm sure folks would love any advice.
Debbie Reynolds (00:58:24):
I think probably some of the big advice I have is that if you have a process of how you handle data, write it down. I'm not being facetious. Some people don't do this, so write it down, be able to update it because some of that language or some of that information that you write down may end up in a contract, may end up as part of something in a contract with a standard contract clause because you may have to describe it in fine detail how you're handling certain types of data.
So, having documentation about that would be helpful to you. That would be helpful to you in a lot of ways. If a regulator ever called you up and asked you how you handle data, being able to have that documentation will help you a lot. Being able to talk to customers, that would give customers that you want to do business with, that would give them more confidence that you understand how important it is to be able to articulate that and be able to explain how you handle data. So, being more detailed about how you handle data, not have it be like a black box. You want to have transparency around that and you want those documents to be as updated as possible, so on a regular basis.
Memme Onwudiwe (00:59:43):
That's excellent. The process is everything, and I guess one more question, and this is something that we've... I know there's a lot of lawyers on the line too, and lawyers are the custodians of a company's contracts, and I think it is fair to... And, we'd love your thoughts on this, almost when we think about the management of a company's most confidential documents and of a company's contracts, do those ever fall under the auspices of SCC in itself? Because I know sometimes we think of it being on Facebook, someone's favorite color, but surely very important documents fall under that, especially if there's PII and personal information like email addresses and phone numbers inside of contracts. So I guess, do you notice that lawyers think about the contracts themselves as confidential information? I know there's practices around folks maybe leveraging outsourced teams and just your thoughts there.
Debbie Reynolds (01:00:49):
I guess it just depends on the contract. I guess I'll give you an example for the standard contract clauses where the guidance is they want a company to be able to explain their process, what their organizational technological means they're using to protect, what measures they're using to protect the data. And, then it was a situation where the thing that they're trying to explain, maybe let's say it's a trade secret or something like that if they could literally redact parts of that out of contract. But, I think that's the first time I saw someone in a contract say that. So, they really want serious details here, but they also don't want people to have to divulge their trade secret or their secret sauce or something proprietary in order to explain how they're doing it and what they're doing. So, I think it just depends on the contract, but I thought it was really interesting that they put this in here because if you go into this fine detail about how you're handling data, you could literally go into something that maybe shouldn't be in a contract at all.
Memme Onwudiwe (01:02:06):
That makes sense, and contracting about contracts is always can get a little bit more difficult. Well, I guess as we are winding down here, I would love just to hear about what you see on the horizon when it comes to these data privacy issues. It's twofold, one on the European side of, will this implementation and update of the SCCs just be followed by another update down the line? And I guess in the American perspective, do you think we're going to keep this trajectory of just splintering into smaller and smaller state level, diversified data privacy processes, or do you think that a federal one is potentially on the horizon? And we're not going to hold you to it as a prediction, but just your thoughts.
Debbie Reynolds (01:03:03):
Well, I guess let me start with the US side. I am not holding my breath on a federal data privacy anything. If we had anything federal, my suggestion, the lowest hanging fruit would be to create a federal data breach notification law and leave out private right of action and leave out preemption. That's what I think, but I think the train on the state level laws is not stopping. So, we're going to have a lot of those before we ever get anywhere with the federal law, so more ADA I guess in terms of just seeing all these state regulations that have it be very different.
What we're seeing in the EU, not necessarily any law changes, because the GDPR is their big thing there, and obviously different member states have some of their own things that they deal with, but what we are seeing is cases come about where they're trying to test the limits or the boundaries of GDPR and what it means from a practical level in terms of precedent in cases about how... Say for instance, the right to be forgotten, how far does that go? What are the parameters of that? Or, understanding things like privacy by design, what does that mean? What are the limits to that? So, I think over the years we're going to start to see more regulator action and more detail about how they perceive or what their perception is or their interpretation and application of these laws and the cases that come up. So, it'll be interesting.
Memme Onwudiwe (01:04:55):
Debbie Reynolds (01:05:22):
Well, thank you. It's always a pleasure to speak with you, Memme.
Memme Onwudiwe (01:05:26):
Awesome. Excellent, and then for those of you folks who might want to take the next step from the Evisort perspective and learn a little bit more about how our AI and technology can help automate and streamline some of the processes and then projects that we've touched upon today, we will be having a session on Thursday, which is posted in the chat and can be posted again if necessary, where we will just be working with our solutions team in a format such as this, but actually going through how to leverage Evisort's technology to do some of these remediatory projects and processes. Awesome. Well, thank you-
Debbie Reynolds (01:06:06):
Memme Onwudiwe (01:06:06):
[inaudible 01:06:06] for your time [inaudible 01:06:08] everyone. Have a good week.