In Part I of this series on big data, we offered a brief review of intellectual property issues related to big data. Part II will focus on contracting and big data.
Contracting and Big Data
In addition to IP rights and regulatory processes, an important part of the legal landscape when it comes to Big Data is contract law. When entering into a contract dealing with data – whether it be licensing, ownership, or risk allocation – parties can add both flexibility and certainty to their data management processes that go beyond the confines of legislation such as the Copyright Act and PIPEDA. This includes the ability to determine who owns the data, with whom it can be shared, and to what extent it can be used.
Contracts, however, are limited in that they only provide rights that are enforceable against the other parties to the contract, not third parties. So while contracts can play an important role in managing risk and ensuring compliance with various regulatory regimes, parties cannot simply contract away obligations in jurisdictions where they fall under the application of data and privacy laws.
For example, where personal information is transferred to a foreign third party, that information is subject to the laws of the foreign country, and no contract or contractual provision can override those laws. Of some concern has been the U.S. Patriot Act[1], which would give the U.S. government access to data stored in the U.S. For this reason, the Privacy Commissioner of Canada issued the following guidelines:
- Canadian-based organizations are obliged to ensure a comparable level of protection when storing or transferring data outside of Canada. This means generally having a contract or contractual provision in place to protect, to the extent possible, the confidentiality and security of the personal information while in the hands of the foreign service provider;
- Depending on the sensitivity of the personal information, organizations should notify individuals that their information may be stored or accessed outside of Canada and of the potential impact this may have on privacy rights; and
- Organizations should be transparent about their handling and security policies and practices involving personal information stored or transferred outside of Canada.
Ensuring adequate contractual provisions are in place to protect both the information and the organization should play an important part in any business transaction that involves personal information and privacy legislation.
In light of the above, some of the things to consider when drafting an agreement include:
- Covenants to comply with applicable data privacy legislation, regulations, and related policies;
- The agreement should contain fulsome records management provisions in respect of retaining, storing, and disposing of particular records;
- The agreement should include express, positive obligations to promptly provide the other party with incident notifications – including for data security breaches and privacy breaches;
- Background checks ought to be considered for personnel who will have, or are reasonably anticipated to have, access (including remote access) to any sensitive information;
- The agreement’s governance framework must contain a very clear accountability framework for the management and escalation of data integrity and security concerns and incidents. Building in preventative and anticipatory response mechanisms will be paramount;
- Although privacy obligations are, to an extent, mandated by legislation, the agreement can and should impose comparatively greater obligations – and should be quite prescriptive;
- The agreement should consider cyber-insurance, if appropriate, that includes privacy liability coverage and cyber liability coverage; and
- Risk allocation provisions will be very important. The interplay of representations, warranties, indemnities and liability is generally hotly contested in the area of cyber-security because the jurisprudence is emerging.
The consequences for failure to comply with data privacy legislation can impact all aspects of a business, and can lead to regulatory fines and penalties, class actions, and shareholder actions. Ensuring contracts limit exposure to these types of consequences should be a priority when it comes to transactions that include personal information.
As authors of an oft-cited Foreign Affairs article put it:
“Big data is poised to reshape the way we live, work, and think. A worldview built on the importance of causation is being challenged by a preponderance of correlations. The possession of knowledge, which once meant an understanding of the past, is coming to mean an ability to predict the future. The challenges posed by big data will not be easy to resolve.”[2]
From understanding their customers to targeting advertisements, opportunistic companies are seeking out ways to monetize the vast amounts of data being generated today. This will have major ramifications not only for privacy and the information that exists about individuals in databases, but also for the legal mechanisms that must protect and regulate an entire industry some have called the “oil” of the next generation.