Businesses have become used to reviewing commercial agreements that cover issues such as warranties, indemnities, liquidated damages, and complicated pricing stipulations. However, two clauses that have been appearing in the majority of new contracts since after 2018 (from simple non-disclosure agreements to longer-term supply or services agreements) will continue to impact how businesses handle information. Most if not all cross-border agreements now include clauses specifying the parties’ stipulations regarding data privacy and export controls. Ultimately, both of these clauses increase the importance of any business’s internal data controls.
Between 2018 and 2020, businesses slowly adjusted to significant changes to the data privacy laws of the major trading nations, including the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and Japan’s Act on the Protection of Personal Information (APPI). However, at the same time, the major trading nations also tightened their controls on strategic exports, including the exporting of technical information. This has pushed compliance departments in many companies to include both personal data protection clauses and export control compliance clauses in all or most major contract forms.
Businesses should be mindful of the types of data that they will be receiving from their business partners. Traditionally, after signing a non-disclosure agreement, a business would designate certain information as “confidential,” and sequester that information from most employees. However, companies continue to sign agreements that require them to abide by other countries’ laws concerning the handling of both personal information regarding individuals, and technical information regarding commercial products (which can be subject to varying levels of export control). For this reason, internal compliance personnel should be careful before agreeing to be bound by other countries’ data standards, since foreign standards can be much stricter than domestic businesses expect. Further, as information is obtained from business partners and customers, businesses should be careful to categorize incoming information as (1) confidential business information, (2) personal information subject to data privacy laws, or (3) technical data that may be subject to export controls. Each category of information will have different requirements under national laws, and under the boilerplate clauses that are becoming standard in new agreements. This initial categorization of information will greatly assist in-house legal and compliance departments as an important first step in their efforts to ensure regulatory compliance and compliance with business-to-business agreements.
.
©2024 Masuda, Funai, Eifert & Mitchell, Ltd. All rights reserved. This publication should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended solely for informational purposes and you should not act or rely upon information contained herein without consulting a lawyer for advice. This publication may constitute Advertising Material.