Photo: Shutterstock

For many years, outsourcing has provided an efficient, cost-effective way to perform many of a business’ data processing functions, including communications, internet hosting and website management, network and systems operations, software development and services, application development and maintenance, desktop management and field services, data management, customer support, and much more. Especially with increasing robotics and process automation expanding so quickly, the growth of outsourcing is likely to continue into the future.

Two Missing Pieces

Until recently, most outsourcing processes have paid little attention to two components. One is the privacy of individuals’ personal information. Except in certain sectors like health care, finances or education, and with various limits on techniques like background searches, telemarketing and so on, the U.S. attitude has mostly thought that contact information, purchase histories and preference, demographics, and much other personal data should be widely available—not exactly for “theft,” but perhaps for “creative monetizing,” especially through direct advertising.

Subcontractors or “sub-processors” have also been overlooked. Businesses have always focused on making sure the lead outsourcing provider delivers results, but have more rarely considered how it would do so. For example, details like which subcontractors would participate or what else they might do with the personal information entrusted to them isn't always thought about. Instead, outsourcing businesses have customarily relied on warranties and confidentiality agreements from the lead outsource provider, expecting to hold it entirely responsible for failures to accomplish the main purpose. This, in effect, often leaves sub-contractors or undisclosed sub-subcontractors free to make ancillary use of personal information so long as the main purpose of the outsourcing was achieved.

Now, however, global privacy laws are requiring businesses that outsource to track and control individuals’ personal information “all the way back,” and to keep a tight grip on each subcontractor and other link of the entire chain of the outsourcing process. The threatened penalties are ferocious, reaching up to 4 percent of a business’ entire global revenue.

New Regulatory Expectations

The new European General Data Protection Regulation (the GDPR), as well as similarly inspired legislative efforts in the United States including the California Consumer Privacy Act of 2018 (CCPA), have caused a ruckus, a reckoning and a reshaping of how risk is addressed in outsourcing. Now, regulatory expectations are newly and sharply focused and positively require—especially in outsourcing—that data privacy be made a high priority.

The sharpened focus on data privacy differs from the prevailing U.S. view of privacy because both the European Union and the state of California recognize privacy as a fundamental right. In those jurisdictions, therefore, concepts of “personal data” and “data processing” are far more expansive than what have traditionally been recognized in the U.S.

"Personal data" is broadly defined as any information relating to an “identified or identifiable” individual. "Processing" is similarly broadly defined as “any operation or set of operations,” whether manual or automated, including but not limited to “collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” By contrast, in most of the U.S., the term "processing" generally relates only to technical actions, such as conversion from one format to another.

These strikingly different meanings for the same words reflect profound differences in basic concepts of privacy, and, in practice, are forcing privacy considerations to become a critical issue in practically every outsourcing transaction—even in those not entirely subject to the GDPR or CCPA, as companies find it cheaper and easier to apply the same procedures across the enterprise than to have different practices for European or Californian data.

The GDPR and Outsourcing

Articles 24 to 43 of the GDPR impose strict, detailed requirements on both data “controllers” (who can determine the manner or means in which personal data is used) and data “processors” (who will carry out the controller’s instructions). Article 28 requires a data processing agreement where personal data is involved. Whenever a controller engages a processor, it must do so in writing. The contract must state the subject matter, nature, purpose and duration of the processing; the type of personal data and categories of “data subjects” (individuals whose data it is) involved; and the obligations and rights of the data controller. It must also impose at least nine additional privacy-related obligations on the processor—including, significantly, that the processor cannot subcontract out to any other processor without the prior written consent of the data controller.

The GDPR further imposes obligations directly on data processors, who, among other things, must only act on the written instructions of the controller; not use a sub-processor without prior, written authorization; ensure the security of its processing; and provide notice of any personal-data breaches to the controller.

California Is Coming

The CCPA uses different terminology than the GDPR, and is somewhat stricter in some aspects and looser in others. In their basic direction, priorities and emphases, however, the CCPA and the GDPR have much in common. Both require explicit, careful, strict attention to every link in the outsourcing chain, with severe penalties expected for noncompliance. The GDPR took effect May 25, 2018; the CCPA is set to take effect Jan. 1, 2020, with enforcement expected to begin on or before July 1, 2020.

For the most part, the new privacy laws are based on familiar privacy principles: have a lawful purpose for any personal data you collect; collect only what you need for that purpose and (especially) use it only for that purpose and no other; provide good notice to the individual and get consent; keep the data secure; allow individuals to access and correct it as appropriate; keep it only so long as you need it for the original purpose; and then destroy it responsibly.

What is new is the extraordinary depth, detail and precision in which data privacy issues must be addressed. This is at every level of the outsourcing chain and has penalties that may ensue if it is not.

Is a Comprehensive US Privacy Law Next?

All 50 states now require that businesses take reasonable and appropriate steps to protect the security of various definitions of personal information. The range and variety of different state requirements—especially when added to the new requirements of the GDPR and California—are making the task almost unmanageably tedious, and leading to louder calls for an omnibus federal privacy law in the U.S.

Recommendations

It is time to embrace “privacy by design” in outsourcing agreements, making privacy protection an integral part of all outsourcing contracts. Existing contracts should be revisited and updated according to the new requirements. Privacy impact assessments should be conducted before new tools and functionality are introduced, especially when a third-party provider is involved. The basic privacy principles described above should be implemented. And perhaps most importantly, all entities engaged in outsourcing should insist that their providers use personal data only for the stated purpose for which it was collected in the first place.

Kathryne “Kate” M. Morris and Charles M. Hosch are privacy and technology lawyers in Dallas. Their practices focus on data deals, technology transactions, e-commerce, trade secrets and compliance with privacy and data-protection laws. Morris and Hosch are both members of Clark Hill Strasburger, and are each triple certified by the International Association of Privacy Professionals as Certified Information Privacy Professional—United States (CIPP/US) and Europe (CIPP/E) and as Certified Information Privacy Manager (CIPM).