Data Protection in Boilerplate Clauses
In a contract, there are often some clauses that are common and standardised, called the ‘boilerplate’ clauses. Typically, these short clauses that are contained at the end of a contract. Boilerplate clauses have a standard meaning, i.e., they do not require special interpretation to suit a specific contract. However, not all types of boilerplate clauses are appropriate for all types of contracts. They are equally integral to a contract as any other operative part of a contract is since it effects rights and obligations of the parties.
The term ‘Boilerplate’ originally was associated with steel wraps wrapped around boiler frames to hold it together. Similarly, boilerplate clauses in a contract wrap around the contract, holding it together to ensure it works in the order it was intended to.[i]
Boilerplate clauses can be found in forms of clauses referring to indemnity, jurisdiction, termination, choice of law, warranties, confidentiality, arbitration, etc. The standardised language of these clauses saves time and effort while drafting a contract. Though they are standard clauses, they help meet specific requirements of the parties involved in a contract.
Often termed as ‘Miscellaneous’, boilerplate clauses usually address concerns which are general in nature. There arises tendency of quick glance, overlooking the significance of these clauses. While drafting a contract, it important to recognise an often-overlooked concept, i.e., which standard clause applies to which type of contract. Hence, while using the boilerplate clauses to draft a contract, it is essential to ensure they are coherent with the operative terms suiting the circumstances and justifying the meaning and purpose of the contract.
A contract is an agreement enforceable by law.[ii] Commercial contracts refer to contracts that include aspects of wages, loans, leases, hiring, renting/selling/buying movable or immovable properties, etc. These types of contracts are essential to legally determine and create rights and liabilities for the parties entering into the contract.[iii]
Some Important Clauses
1. Data Protection
More often than not, a commercial contract requires divulging confidential information that leaves the disclosure with very little possibility for recourse. There usually lies no clause that reflects nature or purpose or security measures the controller uses to ensure data safety. The disclosure lands on thin ice when personal information is asked for, not aware of the purpose or legal obligations regarding the same. Such types of dilemmas generally arise when one decides to become a party to commercial contracts with a bank, merchant processor or cloud agreements.[iv]
With significant changes brought in to protect probable exploitation of data and increase practice of data minimization, an issue regarding clauses pertaining to data protection and revision of boilerplate clauses arises.
GDPR regulations have been a recent development in this regard having global ramifications.
Article 6 of GDPR elicits conditions for lawful processing of data, including sound consent[v] of the parties. Therefore, according to this, the commercial contracts binding any or all of the parties to disclose information will need to furnish requirement of the same in order for the parties to make an informed decision about the consent. The conditions laid down for data processing to be legal are:
Data subject has consented to processing personal data for specific purpose(s).
For performance of the contract.
Necessary to comply with the legal obligation, as necessary.
Necessary in order to protect the vital interests of the data subject.
Necessary to carry out the task in public interest or through official authority vested in the data controller.
Necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.[vi]
This can be further understood through an example- Commercial contracts pertaining to employment. With GDPR in force, the employers cannot ask the employees to disclose information that are not under necessity to be processed by them. The employees are at a better position through this regulation, to refuse divulging information they do not want employer to know unless necessity of it has been stated or if it falls under any other condition aforementioned. The commercial contracts will have to strictly abide to GDPR, especially for organisations engaging third parties.[vii]
Processing by a controller must be governed by a contract or any other law in force in Union of Member State law.[viii] Apart from mentioning purpose to obtain information, a contract must also insert a clause mentioning duration of processing, nature, categories of data subject, rights and obligations of the controller, security measures, inspection and auditing by controller, duty of confidence, as suitable to the usage of contract. These requirements are stated under Article 28(3) of the GDPR. This Article also mandates documentations to explicitly mention the aforementioned provisions when the data subject is called upon to transfer personal data.
Furthermore, Article 32 adds a precautionary provision for who can and when may data be accessed and processed. It requires data controller/processor to ensure any natural person who may have access to personal data, does not process the same unless instructions to the otherwise are provided. It obligates the data controller to ensure confidentiality and ability to restore availability and accessibility to personal data. Hence, the commercial contracts are required to lay down clauses that pertain to this requirement, conferring liability on itself and right on the other party to take action in case this provision is violated.
Apart from GDPR, commercial contracts across the globe may be subject to various other local laws that require data protection clauses. Some of them have been discussed below:
In India, the Information Technology Act, 2000 elicits compensation and punishment in case a wrongful disclosure or unauthorised use of personal data takes place. Section 43 of this Act holds liable body corporate that is negligent in implementing and maintaining reasonable security practices for protecting and processing the data it holds. Section 72 holds one liable for breach of confidentiality and privacy. Moreover, Article 21 of the Indian Constitution entails privacy as a fundamental right. The Insurance Regulatory and Development Authority of India (Outsourcing of Activities by Indian Insurers) Regulations, 2017 mandates confidentiality and security measures to be undertaken by the insurers while outsourcing its services.[ix] Therefore, commercial contracts in India are required to abide by the data protection and security provisions as mandated by law.
The data protection clauses in respect to boilerplate clauses refer to confidentiality, escrow (trade secrets) majorly.
As the trend continues to change with various countries enforcing data protection laws, trends in India are also set to change. The Personal Data Protection Bill, 2018 in India, on being passed as a law will lead boilerplate clauses to change accordingly.
With legislative leaps taken to protect data, boilerplate clauses have to be analysed in order for commercial contracts to effectively abide by the governing laws on data protection. For the same, some may be made negotiable while others non-negotiable so as to leave as little possibility for exploitation.
It shall by no means be made negotiable. Utmost measures of confidentiality shall, as per the law in force for data protection, be prescribed. Not only for Data protection, even overall confidentiality falling outside its ambit should be ensured. Confidentiality may be said to be a mandatory clause to be present in the contact. This also applies to the escrow clauses.
The notice clause shall be mandated for each contract so that all conditions for data are mentioned explicitly and for which sound consent is obtained.
This clause may be inserted as suitable to the commercial contract. Since some commercial contracts specify limitation on damages to be paid, indemnity may not always be required. This provision shall become mandatory for small enterprises to insert so that in case of violation of data protection provisions, the liability and penalty arising are paid off. However, for large companies, indemnity as a clause may not be a standard clause in commercial contracts.
As long as manner to disclose information is understandable and provides full information to the other party to make a sound decision, announcement clause may not be termed to be mandatory for every contract.
6. Force Majeure
This clause may also not be mandatorily required for commercial contracts. However, parties may choose to not let this clause be operative with regards to data processing and protection measures.
7. Choice of Law and Jurisdiction
These clauses cannot be dispensed with in any contract. In case one deals with Member of European Union, then the choice of law and jurisdiction have to be in accordance with the GDPR and EU regulations. The recourse of arbitration or to a Court may also not be dispensed but shall be in accordance to the data protection law in the country.
When it comes to data controllers, warranty becomes an important aspect. Therefore, it should be mandated for commercial contracts that include collection of personal data.
The exposure for breaches should be explicitly mandatorily mentioned in commercial contracts. The absence of it may lead the data subjects to not have recourse to justice smoothly nor establish liability of the data controller or processor if both are not the same.
Suggestions for Boilerplate Clauses
The boilerplate clauses are said to be standard clauses due to their standard meanings, understood by all alike. However, with the data protection laws and regulations, these boilerplate clauses may have to undergo changes in their language and meanings to suit the local laws. Moreover, they may have to be separately framed for areas where personal data is involved.
While US implements quasi-contractual law, India does not practice the same. Some suggestions for boilerplate clauses concerning data protection are:
The clause for waiver for rights in case breach of data protection as warrantied or local law occurs should not be allowed. And this no-waiver clause shall be made mandatory to be included in the commercial contract.
The Personal Data Protection Bill, 2018 as and when passed would specify the liability of firms/ controller in case a breach occurs. Hence, in order to be able to abide by the same, indemnity clause should be made mandatory for small firms.
Moreover, boilerplate clauses in India be also made similar to EU decision where data subjects are allowed to claim compensation if breach occurs between data exporter and importer. Moreover, data subjects be allowed to be represented by an association or body, as per the law.
In cases where personal data is required to be divulged, notice clause shall be mandated to be inserted in the contract so that the other party is aware of the purpose data is required for and a sound consent be given.
Similarly, where personal data information is involved, the entire agreement clause that mandates parties be governed by rights and obligations only mentioned in the contract be conferred, shall not be allowed. The parties will then have recourse to data protection laws that confer additional rights and obligations on them that may not be mentioned in the contract.
[i] Breaking down boilerplate clauses and why they’re important, Elite Franchise, (18 January, 2018), available at http://elitefranchisemagazine.co.uk/legal/item/breaking-down-boilerplate-clauses-and-why-they-re-important.
[ii] Section 2(h), The Indian Contract Act, 1872.
[iii] See- Commercial Agreements and Contract Law in India, S.S. Rana & Co. Advocates, available at https://www.ssrana.in/Intellectual%20Property/Commercial%20Agreements%20and%20Contracts%20Law/Commercial-Agreements-and-Contracts-Law-in-India.aspx.
[iv] See- Data Privacy Provisions In Commercial Vendor Agreements, Association of Corporate Counsel, America, (3 April, 2014), available at https://www.acc.com/chapters/del/upload/2014-04-03_stevens-lee_data_privacy_presentation.pdf.
[v] Sound consent refers to freely-given consent which also is specific, informed and revocable.
[vii] GDPR compliance – impacts for commercial contracts, PilipLee, (15 February, 2018), available at https://www.philiplee.ie/gdpr-compliance-impacts-for-commercial-contracts/.
[ix] Regulation 12, The Insurance Regulatory and Development Authority of India (Outsourcing of Activities by Indian Insurers) Regulations, 2017.
By- Bhumesh Verma, Managing Partner- Corp Comm Legal, Delhi
(The author has been assisted by Anandita Bhargava, Junior Editor, RSRR)