This article published in the newsletter for the Charlotte Chapter of the Association of Corporate Counsel.

Following the European Union’s implementation of the General Data Protection Regulation (GDPR) in May 2018, a mosaic of data privacy statutes, regulations, and court rulings has emerged. This landscape is constantly changing and has important implications for companies seeking to download software or use software-as-a-service (SaaS). Similarly, as technology continues to evolve, regulations once intended to address tangible items, such as the export of goods, do not neatly translate in the virtual world with data as a commodity. This creates uncertainty and complicates commercial transactions related to technology and data sharing.

For U.S. companies that transfer personal data as a main or incidental aspect of their business, we frequently encounter three commonly misunderstood concepts tied to international data privacy. We will offer practical tips for companies and their in-house teams to address each of these areas: (1) a reminder of how the Schrems II decision affects international sharing of data via the U.S. Privacy Shield Framework and standard contractual clauses; (2) whether export control laws apply to SaaS and other intangible products; and (3) how using website cookies could inadvertently make a U.S. company subject to GDPR. All three are critical for companies to know about because even accidental violations can result in hefty fines.

1. So Much for the Privacy Shield

Before this past summer, U.S. companies could rely on the U.S. Privacy Shield Framework as a means to comply with European data privacy laws applicable to the transfer of personal information from the EU to the United States in connection with transatlantic commerce. Many companies had completed the program’s self-certification process administered by the U.S. Department of Commerce, publicly committed to comply with the Privacy Shield Framework principles, and included related provisions in their internal and customer-facing data privacy policies.

However, on July 16, 2020, the Court of Justice of the European Union issued its decision in Data Protection Commission v. Facebook Ireland, Schrems, commonly called Schrems II. It held that the U.S. Privacy Shield is no longer a lawful basis for transferring personal data from the EU to the United States. Instead, companies must establish an alternate basis for that transfer.

Many companies that used the Privacy Shield were already executing the European Commission’s standard contractual clauses (SCCs) as an alternate legal basis for data transfers, as were other companies that did not participate in the Privacy Shield. Although the Schrems II decision did not squarely address the adequacy of the SCCs, it did call them into question.

Practical Tips

Since the Court of Justice of the European Union determined the U.S. fails to provide adequate data protection under the Privacy Shield, companies receiving EU data now have to make up the difference with their own, additional protections.

Companies should review any standard contractual clauses they have included in their data processing agreements and determine whether these clauses need to be updated to provide stronger protection for data subjects in light of the Schrems II decision. Companies also should determine whether they need to implement additional security measures to comply with European data privacy laws, such as using stronger encryption methods designed to minimize the risk of unauthorized government surveillance of a European data subject.

As a general practice, companies should regularly review all contracts with software vendors, subprocessors, and other third parties accessing personal data. These agreements should be specifically reviewed to verify that all counterparties to those contracts are aware of the Schrems II decision and have updated their data policies accordingly. Each company that processes personal data out of the EU is responsible for ensuring that its subprocessors implement equally stringent security measures to preserve a data subject’s privacy. The EU will view lack of protection anywhere in the processing chain as a statutory breach.

2. Export Control Laws May Apply to Your Software Too

When most people think about export control risk, the first thing that comes to mind is shipping a tangible product. To determine whether export control laws apply, the conventional inquiry is where that product originates and where it is received and used. However, export control laws also apply to intangible products, including downloadable software and hosted solutions.

Contrary to conventional wisdom, knowing that the software is hosted in, or originates from, the U.S. and is used by individuals physically located within the U.S. does not get you off the hook. Even where end users are located within the U.S. and the licensor is also located within the U.S., export control laws may nonetheless apply – with strict liability consequences for each violation. When negotiating a license agreement, both licensors and end users of on-premise software or SaaS should be aware of how export control might affect the transaction.

Practical Tips

Whether your company is the licensor or end user of on-premise software or any hosted services, be aware of whether the material you are providing is subject to any export or trade control laws. For example, does the software or cloud product include any embedded data that would be subject to the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR)? Similarly, does the data being uploaded or transmitted to the software fall within those definitions? Companies should also consider whether the level of encryption is sufficient to satisfy export control regulations.

Do not rely on the counterparty to clarify whether export control laws apply to the transaction; always verify this with your own counsel and consult a subject-matter expert if ambiguity remains. Companies should also include provisions related to each party’s export control responsibilities in the contract itself.

3. Don’t Forget the (Website) Cookies

Many companies based in the U.S. underestimate the broad territorial scope of GDPR. One common pitfall for U.S.-based companies is to assume that GDPR does not apply because the company does not ship products or perform services in the EU. However, GDPR may nonetheless apply in certain instances if the company maintains a website that is accessible from Europe and uses cookies to track end-user behavior.

Practical Tips

Companies should maintain detailed records regarding the types of cookies and tracking technologies used and the types of information collected by those cookies. If the cookies or tracking technologies collect IP addresses or monitor the behavior of website visitors, those cookies are deemed to collect “personal data” as defined under GDPR. Companies should only utilize cookies where the data is actually used and needed.

In order to comply with the statute, the company could either: (1) work with outside counsel to implement operational updates to comply with the statute to the same extent that a company based in the EU would, or (2) avoid collecting personal information from European residents altogether. The latter option would likely be the most cost-effective for companies that do not actually ship tangible goods to Europe, perform services within the EU, or intend to do business in Europe. This could include using an IP-address detecting technology on the website to “block” IP addresses originating in Europe from accessing the website or collecting data from these IP addresses.

In order for the IP-blocking approach to be successful, however, this also requires the company to include relevant provisions in its contracts with third-party software and SaaS providers to make sure that those providers are not placing cookies in violation of the company’s compliance strategy.

Final Note

The data privacy compliance requirements that companies face are evolving quickly as a result of court rulings and regulatory activity. While the EU has been a major driver of that activity so far as discussed above, American lawmakers at the state and federal levels are increasingly turning their attention to data privacy as well. It’s natural for there to be some misconceptions in this fast-moving environment. That’s why it can be especially valuable to partner with outside counsel who focus on this area of the law to ensure that companies are properly managing risks tied to their software, technology, and related contracts.

For more information, please contact us or your regular Parker Poe contact.