
Drafting Agreements With Vendors and Other Data Recipients: Complying With U.S. State Consumer Privacy and GDPR Requirements

Recording of a 90-minute CLE video webinar with Q&A


Conducted on Tuesday, December 3, 2024

Recorded event now available


This CLE webinar will guide business and technology counsel on drafting and updating technology vendor and other data transfer agreements to meet the privacy requirements of the California Consumer Privacy Act (CCPA) (as amended by the California Privacy Rights Act (CPRA)) and consumer privacy laws in other U.S. states, as well as under the UK and EU General Data Protection Regulation (GDPR). The panel will discuss the evolving privacy landscape and the differences between the U.S. and European approaches and tactics for multi-jurisdictional technology vendor and data transfer agreements, including those involving cross-border transfers.

Description

The past few years have seen an updating of the GDPR’s “Standard Contractual Clauses” (SCCs) and an agreement for an alternative EU to US personal data transfer adequacy mechanism, the EU-US Data Protection Framework (“DPF”), versions of which have also been adopted by the UK and Switzerland. During this time, GDPR inspired the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively “CCPA”), and it in turn inspired nineteen other US states to pass consumer privacy laws. However, the US laws differ materially from GDPR as well as from each other, making global compliance challenging. The US has also taken a different direction than the Europeans on personal data exports. In February 2024, President Biden issued Executive Order 14117, Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern (“EO”), further to which the Department of Justice issued proposed regulations on October 21, 2024. On the heels of the EO, and at the urging of the President, in April 2024 Congress passed the Protecting Americans’ Data from Foreign Adversaries Act (“PADFA”) as well as the so-called TikTok ban, the Protecting Americans from Foreign Adversary Controlled Applications Act.

Adoption of the DPF and updating of the SCCs have gone some way towards addressing the concerns of EU data protection authorities, even if not those of privacy campaigners such as Max Schrems. However, barriers remain from a European and UK perspective. Transfers made directly to US participants in DPF benefit from the “adequacy decision”, but further compliance steps are required if there is an onward transfer of that data, whether within the USA or to a third country. Where DPF is not available, European data exporters must determine whether GDPR applies to the US data importer and, if so, find a way to overcome the difficulty that the existing SCCs cannot be relied upon in those circumstances. The EU Commission is consulting on an additional set of SCCs to fill that gap, but for the moment it remains necessary to take a risk-based approach.

This webinar will compare and contrast the European and American approaches to the processing and transfer of personal data. It will also cover best practices for due diligence and for terms and conditions in data processing and transfer arrangements, and how to streamline the procurement and contracting process.

Listen as our authoritative panel of attorneys clarifies the CPRA requirements and best practices to modify policies to ensure compliance.


Outline

  1. Overview of GDPR
  2. Overview of CCPA/CPRA
  3. Overview of Privacy Laws in other U.S. states
  4. Cross-border transfers
    1. UK/EU
      1. SCCs and TRA/TIAs
      2. DPF and onward transfers
    2. US
      1. Focus on China
  5. Performing due diligence on existing vendor and transfer arrangements
  6. Understanding roles and limitations
    1. UK/EU controller and processor distinctions
    2. US
      1. service provider / contractor / processor / third-party
      2. business / controller
      3. sale / share
  7. Drafting new vendor contracts or amending existing contracts: language to include
  8. Tips for implementing an effective vendor and data transfer risk management program

Benefits

The panel will review these and other relevant topics:

  • Which is better for you, SCCs, DPF or both?
  • When is a company caught up under the new US data export restrictions?
  • What can a processor do in the US but not do under GDPR?
  • What does California require for sales and sharing for cross-context behavioral advertising?
  • How do data minimization, purpose limitation and retention restrictions impact vendor and other data transfer arrangements?
  • What are the implications of, and exceptions to, sale and share and how does GDPR condition such transfers under its regime (i.e., lawful basis)?
  • What are the California service provider / contractor safe harbors and how to maintain them?
  • How to address data integrity, security and incident response?
  • How to consider vendor use of AI and use of company data to train AI?
  • Ways to streamline the diligence and contracting process.

Faculty

Malcolm Dowden

Senior Practice Development Lawyer
Pinsent Masons

Mr. Dowden is an experienced lawyer, and also an internationally accredited legal training provider focusing on...

Alan L. Friel

Partner
Squire Patton Boggs

Mr. Friel is co-Chair of the firm’s Global Data Privacy, Cybersecurity & Digital Assets Practice. BTI has...

Access Anytime, Anywhere

Strafford will process CLE credit for one person on each recording. All formats include course handouts.
