By Shevonne Linton
Shevonne Linton (slinton2@stu.edu) is a JD candidate at St. Thomas University School of Law based in Miramar, Florida, USA.
When a company has to review or update existing contracts, the cost-effective norm has been to outsource the work to other countries. Outsourcing is defined as "the practice of taking a specific task or function previously performed within a firm or entity and, for reasons including cost and efficiency, having it performed by an outside service provider."[1] Outsourcing contract review to some vendors, especially vendors outside the company's own country or jurisdiction, creates risks of its own. Many companies and firms that engage in this practice fail to consider confidentiality issues, data residency, American Bar Association (ABA) rules, and data protection laws such as the General Data Protection Regulation (GDPR).
Data protection legislation governs the control of data and sets the parameters for safeguarding personally identifiable information (PII). PII is defined as "information: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification."[2] Outsourced contracts often contain PII, and without proper authorization or vetting of third parties, you can expose yourself to a confidentiality breach or a violation of data privacy laws.
PII has become more accessible, and when only a few identifying factors are compromised, the affected person can suffer irreparable harm. Companies are responsible for handling their clients' information, so whether the client has a multimillion-dollar contract or a routine personal injury agreement, there is a duty to safeguard the PII it contains.[3]
GDPR liability
There are several requirements under the GDPR that you have to comply with if you decide to offshore contracts. If you have a contract with a European entity or person and that contract contains PII, you have to abide by GDPR standards. If you are a company that outsources review of those contracts to an organization leveraging labor in a different jurisdiction, the GDPR still applies.[4] The GDPR requires that the holder of contracts containing PII must first ask permission of the person whose PII is shared (i.e., the counterparties of each of the contracts being outsourced). That counterparty also has the right to refuse the sharing of their information even if they consented in a prior agreement. After consent is granted, you must enter into a subsequent agreement with the third party to whom you outsourced the contracts, stipulating that the standards of their practice are sufficient to satisfy the GDPR's requirements.
If these steps are not all taken before you outsource your contracts, you will be in violation of the GDPR. The GDPR defines a data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed."[5] Outsourcing review of contracts that contain PII without obtaining your client's consent can constitute an unauthorized disclosure of personal data, especially if the organization used for outsourcing sends the contracts on to a different jurisdiction.
In the event of a breach, several consequences may arise, including, but not limited to, administrative fines that vary with the circumstances and can reach €20 million or 4% of the company's total global turnover, whichever of the two amounts is higher. Companies are also exposed to civil claims brought by the owners of the personal data as well as by consumer protection agencies.[6]