It’s a commercial agreement – services for (usually) payment. Of course the data needs to be kept confidential. But the fact that certain data processing is being outsourced, the methods and the costs might be things that neither of us wants others to know.
Enter GDPR. If we look at the information we must give to data subjects before processing their data (GDPR Articles 13 and 14 for those who like to memorize those things), then we see the “recipients or categories of recipients”. This is actually not so different from what we see today under the Directive (to the extent “necessary…to guarantee fair processing”). But there it is, and the practical reality is that if we were to have to name every single one of our processors, co-controllers, group companies, maintenance providers, cloud service providers, advertising partners, or even parties interested in acquiring our business, not only would our privacy notice move into tens of pages and so fail in its user friendliness, but we would also most likely be looking at regular updates which give serious problems with knowing and recording who has consented to what on what basis.
So “categories of recipients” is an important nuance and ought to be sufficient to ensure fairness. If we disclose that we are using third party re-targeting partners, does the user really care which DMP the data goes to? At the risk of effectively making this “opt out”, if they don’t want to accept cookies or permit data processing for these purposes then they have been sufficiently informed and setting those options is simple enough to do. And until we have any E-PR then we’ll still have a dual consent regime for setting cookies/trackers on the one hand and processing of personal data generally under GDPR on the other.
Not everyone agrees. The UK’s ICO in particular in its draft guidance on ‘consent’ states very boldly: “even precisely defined categories of third-party organisations will not be acceptable under the GDPR”. So we will need to enumerate each one? Perhaps this is really aimed at joint/co-controllers. But this is not what the GDPR says, nor is it really practical. We’ll wait to see the final guidance says and what best practices emerge in the market. Coming back to the question, if the law and practice do actually come out of the side of naming the recipients – or if we decide that this is good practice as more transparent for our users – then we’ll clearly not be able to agree that the existence of the relationship is confidential (though its terms may be).
Reading further, we come to international transfers (outside the EEA). As before we’ll need a legal basis for ensuring our transfer has sufficient safeguards in order to protect users’ data as in the EU/EEA. But here’s the crunch: where there’s no “adequacy” decision (see list of countries here – and remembering that the EU US Privacy Shield is – still – authorised under an adequacy decision), i.e., where we are relying on safeguards such as Binding Corporate Rules, EU or Member State model clauses, codes or conduct, certifications, “ad hoc” contractual clauses or legitimate interests (Articles 46, 47, or Article 49(1) 2nd para), we also need to inform data subjects where they can find or obtain a copy of those safeguards.
Binding corporate rules, codes of conduct or even certifications don’t present much of a problem. But EU model clauses, national model clauses or even ad hoc clauses will all need to be viewable by the public (not to mention the authorities). This being the case, we may be limited to asking where the line is between what needs to be public and what could be kept confidential. Pricing seems like nobody else’s business and certainly doesn’t affect data subject rights and freedoms. Perhaps we could also claim that for some proprietary IP or techniques or even detailed security measures. But it seems harder to justify withholding the categories and purposes of data processed (as these should have been clearly explained to the data subject anyway).
It might seem odd that for intra-EU processing we aren’t obliged to release anything while for international transfers we are, but a little like data breach notifications, the prospect of these becoming public knowledge may be a major incentive to getting them right. And data subjects arguably have a greater interest in understanding international transfers to places that don’t automatically offer an ‘adequate’ legal regime.
So if we were tempted to include in any of our contracts the typical NDA style clause that relates to answering subpoenas, regulatory requests etc. (which of course the standard model clauses don’t), then perhaps this should be extended to take account of data subject requests. If we are the processor. If we are the data controller we might want more discretion regarding what we do or don’t release.
And finally, in all of this, let us not forget that there are Freedom of Information Acts (e.g. this one in the UK) which can enable almost anyone to get access to records held by the authorities. So if we are ever inspected or required to provide our national or international DPAs to our Supervisory Authority then after a request by a competitor or maybe a journalist, the authority might have to release them publicly. There are some limits to this e.g. trade secrets or where disclosures would prejudice our “commercial interests”. So we’ll want to identify the passages in our data processing agreements that fall into that category, possibly moving them into an annex to help manage this.
So the answer to the title question will very often be “no”. Still time for some smart thinking. For example, a great reason not to hide our new, GDPR-compliant data protection clauses deep in other commercial agreements. Is this on your GDPR compliance program list?