For many years, the liability provisions regarding data protection issues have been something of a “negotiation backwater” in the context of outsourcing transactions. From a customer perspective, there has been a sensitivity about such provisions from a brand/customer relations perspective which has led them to seek to attach unlimited liability to any breach of such provisions; whilst service providers are understandably nervous about any provision which does not shelter under the protection of a limitation of liability, many of them have taken the view that the quantum of claims likely to arise vis a vis breaches of such provisions are unlikely to be such as to give rise to a “catastrophe” level exposure, and as such, have been willing to let data protection-related breaches be included alongside the likes of IP infringements and breaches of confidentiality in the list of losses which will be outside the scope of the limits of liability.
Might this now be about to change…?
In the EU, the new proposed Data Protection Regulation is inching its way towards ratification. In its present incarnation, it would dramatically change the potential quantum of fines which might be imposed in the event of a breach of the data protection legislation, now potentially up to the greater of €1 million or 5% of global turnover (whichever is the greater). Given the potential concentration of data handling in the hands of an outsource service provider, one can immediately see the risk that mishandling of personal data in the context of the outsourced services could leave the customer (as Data Controller) exposed to such fines, which would then – pursuant to the terms of the outsource contract – flow down in turn to the service provider itself. The larger the client, the greater the exposure would then be to a fine based upon the client’s global turnover.
In the light of this, one can anticipate that the days of data protection related liability provisions simply being “nodded through” during the outsourcing negotiation process are likely to rapidly come to an end (at least if the Regulation maintains its current form – which seems likely, but is not yet certain). Service Providers will need to more carefully assess the extent of liability that they are willing to take on, whilst customers might equally have to consider whether they will be willing to bear the additional risk contingency that a service provider may wish to add (either simply through its pricing or by reason of the engineering of its delivery model), in return for still accepting unlimited liability.
As the famous phrase says…..we live in interesting times.