If you are a business transactional attorney working on technology transactions, you have likely seen enterprise customer agreements (such as master services agreements or software-as-a-service agreements) with a separate document called a Data Protection Addendum (DPA) attached to them.
These days, DPAs are attached to most technology transactions because most technology relies on some level of personal data. This article provides an outline of why it is important for business transactional attorneys to understand what DPAs are, what they are required to contain, and how the requirements have changed since 2021.
What is a DPA?
A DPA is the written agreement that governs the transfer or export of personal data from the EU to the US under the General Data Protection Regulation (GDPR). There have been some significant changes to the DPA starting last year, in 2021.
Let’s consider ABC Corp, a SaaS vendor, which is negotiating a commercial agreement with a prospective customer, XYZ Inc. XYZ Inc is a US-based multinational company with employees and customers in the EU. XYZ Inc will be uploading employee and customer personal data onto ABC Corp’s software-as-a-service platform in order to benefit from ABC Corp’s services.
“Personal data” has a broad definition under GDPR and generally includes (a) direct identifiers such as name, email, and contact information, and (b) indirect identifiers such as IP addresses or device identifiers. In this scenario, XYZ Inc is a “data controller” and ABC Corp is a “data processor” under GDPR. XYZ Inc’s employees and customers who are also residents of the EU are called “data subjects” under GDPR, and their personal data processed by ABC Corp includes names, emails, and IP addresses.
DPA Phase 1 (May 2018 to Summer 2021)
The DPA was born in 2018 when GDPR came into force. GDPR superseded the earlier EU Data Protection Directive. Under the Directive, the Standard Contractual Clauses (SCCs) governed the transfer of personal data from the EU to countries, such as the US, that were deemed “not adequate.”
Adequacy means that the EU has determined that the third-party country’s data privacy laws are adequate to protect the rights and freedoms of the EU residents’ personal data. Some non-EU countries, like Japan and Israel, have adequacy. The US does not.
At that time there were two mechanisms for the legitimate transfer of personal data from the EU to the US: (a) the SCCs (with additional provisions contained in the DPA) or (b) the Privacy Shield, a kind of whitelist of US companies maintained by the US Commerce Department confirming that those companies adhered to the Privacy Shield requirements.
Standard Contractual Clauses
SCCs contain boilerplate provisions that the data exporter and data importer agree to for the benefit of the EU data subjects. GDPR added requirements for the transfer of personal data that the pre-GDPR SCCs did not contain. So business attorneys created a new post-GDPR contractual document, the DPA, to include the new confidentiality and audit requirements between the data controller and data processor. The DPA also included specific information about the categories of personal data being exported, the purpose of the processing of the personal data, and information about the subprocessors engaged by the data processor.
This worked pretty well until the summer of 2020, when the European Court of Justice handed down the ruling referred to as Schrems II. Schrems II found that the Privacy Shield was invalid. Although it did not find the SCCs invalid, it challenged the SCCs as a valid transfer mechanism in the absence of sufficient due diligence and scrutiny by the data controller. In response to Schrems II, the EU revised the SCCs and published new SCCs in the summer of 2021.
DPA Phase 2 (Summer 2021 to present)
In 2021, Brexit took effect and the UK left the EU, which created two GDPR regimes: the UK one and the EU one. The UK did not follow in lockstep with the new SCCs. It took time to review the new SCCs, and the UK’s ICO (its Data Protection Authority) decided earlier this year to recommend two vehicles for the export of UK personal data to third-country jurisdictions such as the US, as discussed in the next section.
EU personal data transfers to the US
For these data transfers, data controllers can use the new SCCs stand-alone, although many companies are still using a DPA document that incorporates the new SCCs. Often, this is to impose additional or clearer obligations on the data processor than those required under the SCCs. For example, the controller may want to specify a timeframe, such as 24 hours or 48 hours, within which the data processor must notify it of an actual or suspected security incident. Under GDPR, the data processor must notify the data controller “without undue delay,” but a specific timeframe is not required.
UK personal data transfers to the US
The Data Protection Authority in the UK, called the ICO, has recently published its recommendations for two vehicles (or, as it refers to them, “Tools”) to legitimately transfer or export personal data from the UK to a third country such as the US. Assuming parliamentary approval, they will become official in spring 2022.
For business transactions where both EU personal data and UK personal data are being transferred, the ICO has a Tool called the International Data Transfer Addendum that accompanies the EU SCCs. Where only UK personal data is being transferred, a stand-alone document called the International Data Transfer Agreement can be used.
New SCC annexes
The significant change with the new SCCs is the three new annexes. Annex 1 is similar to the old DPA schedule and describes the categories of personal data, the processing activity, and the details of the data exporter and importer. Annex 3 requires more specific detail about the subprocessors than the earlier DPA did.
Annex 2 requires significant disclosure about the actual technical and organizational measures used to protect the privacy and security of the personal data. Completing it will likely take significant time from ABC’s internal IT/security team. Often in B2B transactions, the customer XYZ will provide ABC with its own Annex 2 of technical and organizational measures that it expects ABC to have in place. ABC will need to review it carefully and edit it to the extent it does not reflect ABC’s actual practices.
Tips for Drafting and Negotiating DPAs
- It is important to understand the history of and keep up with the changes to data privacy laws and regulations.
- As counsel for a SaaS company like ABC Corp, work with your internal IT/security team to draft your own Annex 2 so that you can provide it to the customer (the data controller). This will help streamline your contract negotiation process.
- When reviewing a DPA, compare it against the applicable data privacy law(s) to understand what the DPA is adding to or changing from the statutory requirements.
Schrems I was the decision that the Privacy Shield’s predecessor, called the Safe Harbor, was invalid.
For the ABC-XYZ scenario here, the parties would use Module 2 (controller to processor transfer).