Privacy and Cyber Law and IT contracts
IT services are designed for individuals and businesses, and businesses in turn make such services available to their employees. The end users of IT services are therefore always individuals, whether they act on their own behalf or on behalf of an employer. To provide their services, IT businesses necessarily collect and process personal data of those end users (e.g. email addresses, location data, biometric data), and because end users reside in many different jurisdictions, virtually every company providing IT services ends up holding personal data that is subject to more than one legal regime.
Those jurisdictions are adopting increasingly strict regulations that control what personal data is collected and processed, where that data flows, and what measures must be taken to prevent its unlawful disclosure.

Armenia is no exception. In light of the widespread digitalization of vital services and the sharp rise in cybercrime in Armenia, the Ministry of High-Tech Industry has taken steps to create a cyber-safe environment through legislation. The Ministry published a draft law "On Cyber Security" for public discussion from December 19, 2023 to January 4, 2024. The draft aims to protect digital infrastructure, including electronic trading platforms, online search systems, electronic communication services and Internet access services, by providing legal mechanisms. The need is real: the number of recorded cybercrimes in Armenia doubled from 614 to 1229 between 2021 and 2023. The draft law seeks to create a comprehensive legal framework to address this growing threat. Its provisions include measures to protect personal data, secure electronic communications, prevent unauthorized access to digital systems, and provide for the investigation and prosecution of cybercrimes. Alongside these legal mechanisms, the Ministry has worked with relevant stakeholders to raise awareness of cyber security and promote good practice, including partnering with private sector organizations to strengthen their security measures and conducting training and educational programs for individuals and organizations.

Overall, the Ministry's efforts to create a cyber-safe environment in Armenia demonstrate the government's commitment to protecting the country's digital infrastructure and the safety and security of its citizens in the digital age.
The most prominent data protection regulation is the European Union's General Data Protection Regulation (GDPR). There are also many local regulations, such as the California Consumer Privacy Act (CCPA) or, in the case of Armenia, the Law of RA on Protection of Personal Data. An IT business that provides its services to end users in jurisdictions with personal data protection regulations needs to comply with each regulation that applies to it.
Since the GDPR is among the strictest of these regulations, and the personal data of EU residents is processed extensively, it applies to a very wide range of IT services. Below is a brief overview of the requirements that software providers who get access to personal data of EU residents need to follow.
Key takeaways
Considering the importance of ensuring the confidentiality of personal data of individuals, every process related to the collection, processing and transfer of such data is subject to special control in accordance with the law.
Make sure companies collect and process personal data lawfully.
Personal data may be collected and processed only for the lawful purposes of providing the IT service, and only the minimum data required for that purpose may be requested (data minimization). Data that does not serve the purpose of providing the service must not be collected.
Key takeaways
Personal data may be collected and/or processed only if it serves the legitimate purposes of providing IT services.
If personal data is being transferred outside of the EU, sign necessary Data Processing Agreements (DPAs) or Standard Contractual Clauses (SCCs)
Companies providing IT services should be ready to execute Data Processing Agreements in which they undertake to comply with the GDPR. DPAs generally incorporate the text of the SCCs adopted by the European Commission for personal data transfers from the EU to non-EU countries. Signing the SCCs alone does not violate the GDPR: since the Commission's new SCCs took effect in June 2021, a separate DPA is no longer mandatory where SCCs covering the processing are signed and in effect. Because a large share of personal data processing takes place in the U.S. (in the data centers of Amazon Web Services (AWS), Google and other tech giants), SCCs are almost always required. However, following the CJEU's Schrems II judgment (2020), signing the SCCs without supplementary security measures is no longer enough on its own. That is where technical and organizational measures come in.
Key takeaways
A very large share of the world's personal data is processed in the data centers of Amazon Web Services (AWS), Google and other technology giants, much of it outside the EU, so cross-border transfer rules apply to most IT services.
Undertake technical and organizational security measures
In order to comply with the GDPR, companies subject to it must have appropriate technical and organizational security measures in place (Article 32 GDPR). This is where Privacy Law and Cyber Law intertwine. Such measures must ensure the security and lawful processing of personal data, both in ordinary processing and when the data is transferred from the EU to non-EU countries. Some examples of technical measures include:
Encryption and pseudonymization of personal data,
Physical security of the premises,
Strong authentication (password policies, multi-factor authentication),
Access controls, logging and monitoring, etc.
Some examples of organizational measures include:
Having information security policies in place,
Training of personnel responsible for the security of personal data,
Security reviews and audits, etc.
These and other measures are required to make sure that personal data of EU residents is safeguarded and to ensure that no unauthorized disclosure of such personal data may take place.
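Pseudonymization is the measure on the list above that is most often done wrong: hashing an email address with an unkeyed hash function is not pseudonymization, because anyone can recompute the hash from a guessed address. The GDPR (Article 4(5)) requires that re-identification be possible only with additional information that is kept separately. The following added example, which is not part of the original article and uses constructed sample records rather than real data, contrasts the two approaches: a keyed HMAC whose secret key is the separately held "additional information" against a plain SHA-256, and shows how a dictionary attack recovers the plain hash but not the keyed one.

```python
"""Keyed pseudonymization of personal data vs. plain hashing.

Added example (not the article's own code). The records and the
candidate list below are constructed for the demonstration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records; the people and addresses are fictitious.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"email": "alice@example.com", "country": "DE", "plan": "pro"},
    {"email": "bob@example.org", "country": "FR", "plan": "free"},
    {"email": "alice@example.com", "country": "DE", "plan": "pro"},
]

# A small constructed "dictionary" an attacker might guess from.
CANDIDATE_EMAILS = ["alice@example.com", "bob@example.org", "carol@example.net"]

# The secret that must be stored separately from the pseudonymized data
# set (e.g. in a KMS or a separate system with its own access control).
# A fresh random key per deployment; this one is generated at import time.
DEMO_KEY = secrets.token_bytes(32)


def naive_pseudonym(email: str) -> str:
    """Unkeyed SHA-256: consistent, but reversible by guessing the input."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key: consistent for joins, but cannot be
    recomputed (and so cannot be re-identified) without the key."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymize_records(records: List[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    """Replace the direct identifier with a keyed pseudonym, keep other fields.

    Records for the same person map to the same subject_id, so analytics
    and deduplication still work on the pseudonymized data set.
    """
    out = []
    for r in records:
        rec = dict(r)
        rec["subject_id"] = keyed_pseudonym(rec.pop("email"), key)
        out.append(rec)
    return out


def dictionary_attack(target: str, candidates: List[str], key: Optional[bytes] = None) -> Optional[str]:
    """Try to re-identify a pseudonym by recomputing it for each guess.

    With key=None the attacker models someone who has the data set but
    not the separately held key; they can only try the unkeyed variant.
    """
    for c in candidates:
        guess = keyed_pseudonym(c, key) if key is not None else naive_pseudonym(c)
        if hmac.compare_digest(guess, target):
            return c
    return None


def demo() -> Dict[str, object]:
    """Run both variants against the constructed data and return the outcomes."""
    alice = "alice@example.com"
    naive_hit = dictionary_attack(naive_pseudonym(alice), CANDIDATE_EMAILS)
    keyed = keyed_pseudonym(alice, DEMO_KEY)
    keyed_miss = dictionary_attack(keyed, CANDIDATE_EMAILS)            # no key
    keyed_hit = dictionary_attack(keyed, CANDIDATE_EMAILS, key=DEMO_KEY)  # key holder
    records = pseudonymize_records(SAMPLE_RECORDS, DEMO_KEY)
    return {
        "naive_reidentified": naive_hit,      # "alice@example.com"
        "keyed_reidentified_without_key": keyed_miss,  # None
        "keyed_reidentified_with_key": keyed_hit,      # "alice@example.com"
        "records": records,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that the key, not the hash function, is what makes this pseudonymization: if the key is stored next to the pseudonymized table, the separation the GDPR asks for is gone. Rotating the key also changes every pseudonym, so re-keying has to be planned for any data set that needs to be joined over time.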
The points above are only what is visible on the surface; the GDPR contains many further requirements that need deeper analysis, so it is worth consulting privacy and cybersecurity experts who can guide you through the compliance process.
Key takeaways
Companies involved in the processing of personal data must have appropriate technical and organizational security measures in place, such as encryption, access control and strong authentication, backed by security policies, staff training and regular audits.
Contract Law and IT contracts
IT contracts are governed by the provisions the parties agree upon. Such provisions may relate directly to the subject matter of the IT contract or may be general clauses. General clauses are not strictly indispensable and a contract can be concluded without them; parties include them to allocate risk between themselves, and that allocation is an essential element of the bargain. IT contracts usually include the following types of general clauses.
Confidentiality/Non-Disclosure
Parties agree not to disclose the other party’s confidential information since it may contain:
Trade secrets,
Financial data,
Know-how,
Processes,
Software source code etc.
They also need to decide on what should happen if a party breaches its confidentiality obligations.
Key takeaways
Contracts in the IT industry usually include general confidentiality or non-disclosure clauses, such as an agreement between the parties not to disclose the other party's confidential information.
Payment
Should the payment be one-time, or recurring?
Who shall bear the responsibility of paying applicable taxes?
Will there be royalty payments?
Will the parties share the revenue generated from the use of the software?
These are some of the questions that need to be addressed in an IT contract.
Indemnification
If a third party brings a claim against the Licensee/Purchaser alleging that the software infringes on their IP rights, will the Licensor/Vendor be obliged to indemnify, defend and hold harmless the Licensee/Purchaser?
Limitation of Liability
The parties generally agree to cap their liability at a certain amount, to the extent the law permits such a limitation. Such caps generally do not apply to breaches of confidentiality, breaches involving personal data, or a party's gross negligence or willful misconduct. Some parties also explicitly carve indemnification obligations out of the limitation.
Key takeaways
It is important to consider how intellectual property is protected under an IT contract, including who must indemnify whom if the software turns out to infringe a third party's rights, and which obligations are carved out of any liability cap.
Export control
Export control regulations apply to IT contracts where the jurisdiction in which the software is deemed to be developed prohibits its residents from exporting the software to certain jurisdictions, or requires businesses to obtain a license before exporting it. Where this applies, the parties need to consider adding corresponding provisions to the IT contract.
To conclude, IT contracts have many specific features that other types of contracts do not. To address them properly, it is important to understand the purpose of licensing or assigning the software, what data the software will have access to, how secure the software is, what contractual obligations the parties will undertake, and what regulatory obligations may arise from signing the IT contract.
Key takeaways
In order to formulate the contracts concluded in the IT sector correctly from a legal point of view, it is necessary to understand not only the goals of using the software, but also what data the software will have access to.