Drafting Big Data Contracts

The negotiation and formation of contracts require an analysis of three issues. The first is data privacy. That analysis begins with an understanding of expectations of privacy, a topic that was addressed in the previous blog post. The second issue is regulatory compliance. The third issue concerns the underlying contracts and how they fit into the contract that is being negotiated.

Data Privacy

Any analysis of data privacy begins with privacy agreements. They are the foundation of big data contracts. To understand privacy agreements, you need to understand what is meant by personal information. You next need to identify how a privacy policy addresses personal information.

The National Institute of Standards and Technology describes personal information as information that can be used to describe or trace an individual’s identity. Examples of personal information include:

  • Names of individuals

  • Social Security numbers

  • Date and place of birth

  • Mother’s maiden name

  • Biometric indicators

  • Information that links to other records containing identifying information

Once you have confirmed the presence of personal information in a collection of data, you need to look at the privacy policy that governs that collection. A privacy policy is a contract between a data collector and the data originator — the individual or entity who provided the data to the collector. A lawyer examining the privacy policy will ask these questions:

  • How does the policy define personal information?

  • How can personal information be used and to whom can it be disclosed?

  • Do specific limitations govern disclosure or are limitations stated in general terms?

  • What consent has been given to the disclosure of personal information?

  • Does the policy contemplate disclosure to third parties?

  • In what form can personal information be disclosed?

  • Does the policy permit the kind of disclosure the data collector contemplates?

  • Would the person whose personal information is being disclosed reasonably anticipate the possibility of that disclosure?

  • Is permission required before an individual’s or entity’s personal information is transferred or processed?

A lawyer will keep those questions in mind when examining contracts between data collectors, data processors, and data users. Further, we’ll want to know how the contracts define personal information and how they describe or limit the transfers, uses, and further disclosures of personal information. Finally, we’ll also keep in mind the effect that the privacy policy will have on expectations of privacy in personal information.

Regulatory compliance

In addition to examining the contract between the data collector and the data originator, due diligence requires a lawyer to examine all the contracts between all the players. That examination will guide the lawyer’s understanding of a big data transaction. It will also begin to supply answers to two key questions.

First, is the data collector receiving a high degree of regulatory scrutiny? Contracts that make frequent reference to HIPAA or HHS regulations will alert the lawyer to the likelihood that regulatory bodies are concerned about the uses the data collector might make of the data that it has collected.

Second, what jurisdiction will govern the contract? This leads to two related questions. The first concerns state law. If the contract is between corporations in Massachusetts and Texas, for instance, which state law will apply? The choice of law question is significant because the privacy laws of those states are different and the application of different state laws to contracts can lead to different results. The other question is whether a particular regulatory agency has jurisdiction over the data covered by the contract in addition to that governing state law.

Whether or not the data in a big data transaction is subject to intense regulatory scrutiny, a lawyer will ask whether a regulatory body has promulgated rules or regulations that govern the uses of that data. The starting point is often the Federal Trade Commission (FTC). That agency tends to have the most input into big data transactions because big data transactions typically involve marketing, bringing them within the FTC’s regulatory ambit. A lawyer examining privacy issues will look for relevant guidance that the FTC has provided and will study enforcement actions that the FTC has initiated with regard to similar transactions.

Other laws and regulations that might be important include:

  • The Fair Credit Reporting Act. If the data transaction involves credit information, a contract might need to provide individuals with the ability to correct erroneous information.

  • The Gramm-Leach-Bliley Act, if the transaction involves securities or financial data.

  • HIPAA and the HITECH Act, if the transaction involves health care data. Those laws specify categories of personally identifying information that must be redacted before records are disclosed.

  • “Do Not Track” legislation as it evolves in federal and state legislatures.

  • State laws governing data breaches. It might be useful to define “data breach” in the contract (since the law often leaves that term undefined) and to assign responsibilities for a breach.

Drafters should also think about what happens to data if it leaves the United States. If data is being processed in another country, the laws of that country need to be considered.

In addition to complying with laws and regulations, contract drafters should keep in mind the need to comply with legal process, such as a warrant or a subpoena. The ability or desire of law enforcement agencies to acquire access to information covered by a big data transaction creates issues that may need to be addressed in contracts. If a warrant is served that requires the production of data, who is responsible for producing it — the end user, the processor, or the collector? It might be useful for a data processor, for instance, to contractually shift the burden of complying with the warrant to the data collector.

Additional considerations arise if a subpoena for data is served. Does a contract (particularly the privacy policy) require the data originator to be notified that someone is seeking to compel the production of personal information by means of a subpoena? If so, which player should be responsible for providing that notification?

Underlying contracts

Due diligence includes a review of all the contracts that underlie a data transaction. As noted above, an examination of underlying contracts will assist the drafting of a contract involving big data by identifying issues affecting the disclosure of personal information and issues concerning regulatory compliance. Underlying contracts will also provide important information about warranties. Contract drafters may need to consider warranties in contracts that cover:

  • The accuracy and completeness of data.

  • Compliance with privacy policies.

  • Compliance with privacy expectations.

  • Warranties required by law.

Indemnification is a related issue that contract drafters must consider. Indemnification agreements provide protection against breaches of warranties and of contract terms governing privacy and data security. They can also address intellectual property infringement and customer issues. Drafters also need to consider cross-indemnification by making indemnification agreements mutual, but only when it makes sense to do so in light of the issues that are important to each party to the contract.

Control of the data is another important consideration. Control might change as the data moves from player to player. Who is responsible for the data as it moves through the transaction and how are you going to ensure that the parties’ contractual obligations are balanced?

Finally, contract drafters need to think about contract termination. How will the contract end? What rights and obligations survive the termination of the contract? Who is responsible for the security of the data when a contract concerning that data terminates?

All of these issues are important to contract formation and negotiation. Understanding how lawyers think about them will help you as you consider the “big data” contracts that your business might need.

About the Author

David Snead is a lawyer whose practice is focused on internet infrastructure providers. In his eleven years in this practice, he has represented clients including multinationals, middle tier hosting companies, and two guys, a server, a T-1 and a huge MasterCard balance. David is a co-founder and vice-chair of the I2Coalition, and also head of its public policy group. The I2Coalition is a group of Internet infrastructure providers who work to advocate on behalf of the industry. A long-time WHIR contributor, David Snead is the Web hosting business's best-known legal expert. Through his WHIR blog, he offers a credible legal perspective on both specific actions in the Web hosting business and general developments in legislation.
