
This Wisdom of the Crowd, compiled from responses posted on the ACC IT, Privacy & eCommerce Network forum,* addresses personally identifiable information and the considerations that bear on the duty to protect that information.
*Permission was received from the ACC members quoted below prior to publishing their eGroup comments in this Wisdom of the Crowd resource.
 
Question
If Company A obtains personally identifiable information ("PII") from users of Company B's product, through Company B but with consent of the users, then isn't the duty to protect that data owed by Company A to the users directly? Company B may have a competitive interest in the data, but not a privacy interest?
 
Company B is attempting to negotiate a number of subrogation-like clauses into the purchase contract, and it seems to me there's no rational basis for including these clauses.
Response #1: Short answer: I don't see why a Customer would not be able to sue Company B for the actions of Company A if there was a data breach. We don't know all the facts here, but if Company A is providing a service to Company B, then I think a Customer who has a data breach relating to the use of Company B's product would sue both, and to the extent the breach was caused by Company A, I think Company A would owe them indemnification.[1]
 
Response #2: It depends on what jurisdiction you're in, the type of PII being transferred, the relationships of the different players, and the context of the transfer. But in most data protection regimes, company B is responsible for onward transfers. If I were company B, outside of very narrow circumstances I would insist on contractual protections shifting liability in case company A misuses or doesn't properly secure the PII.
 
As for company A being directly responsible to the users, unless there is a specific regulatory or contractual mechanism in play based on the type of PII or relationship of the parties, I don't see how the users would have any recourse against company A directly.[2]
 
Response #3: Depends on the role that Company A plays.
If Company A is:
a) only providing the technology, they do not collect, use, or store the data (except momentarily/as needed to pass it on) and just pass it through their technology to collect for consumer-facing A, then A would likely have to get the opt-in consent and be fully responsible for the data, and subrogation clauses would definitely make sense, especially for Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 ("CAN-SPAM") compliance.
 
b) getting data from B, who is the consumer-facing entity, and B is responsible for the consent, then company B would be responsible for consumer permissions. Even still, B would probably have to get contractual reassurances from A for onward transfer, use limitation, etc., limited to whatever B has user consent to share the data for, and opt-out management.

B definitely has a privacy interest either way. They can be sued for a number of things, such as a data breach or passing data on to a third party in violation of industry requirements, international treaties, CAN-SPAM, etc.[3]

[1] Response from: Anonymous (8/3/2016)
[2] Response from: Matthew Rudolph, Assistant General Counsel, Netrix, LLC (8/3/2016)
[3] Response from: Anonymous (8/3/2016)
 
Region: Global
The information in any resource collected in this virtual library should not be construed as legal advice or legal opinion on specific facts and should not be considered representative of the views of its authors, its sponsors, and/or ACC. These resources are not intended as a definitive statement on the subject addressed. Rather, they are intended to serve as a tool providing practical advice and references for the busy in-house practitioner and other readers.