Mandatory Changes Proposed to UK Government Contracts’ Data Privacy Terms

brexitThe UK government has announced that it intends to write to all government contractors in order to make unilateral changes to all UK government contracts to comply with impending changes in EU data privacy law.

It’s not clear how the UK government intends to implement these contractual changes given that, in almost every case, the terms of the relevant government contracts don’t allow for unilateral contract variation.  But the official policy is that all costs of compliance with the new rules should be borne by the contractor and not passed through to the government.

The planned changes to EU privacy law have been known for some time.  The EU’s new General Data Protection Regulation (GDPR) will come into force in May 2018 and could potentially affect companies worldwide.  The GDPR imposes far-reaching obligations for companies operating in the EU that collect, use, or otherwise process personal information.  MoFo has a GDPR Readiness Center providing details about the changes.

In UK terms, because GDPR comes into force before Brexit, the UK government will be subject to the new legislation.  While, in some cases, GDPR repeats established key principles of data privacy, there are also a number of changes that will affect commercial arrangements, both existing and new, between data owners and data processors (and their sub-processors).

In the light of the imminent effect of GDPR, the UK government’s Crown Commercial Service has written to all government departments instructing them to begin work immediately to make contract amendments to all UK government contracts with effect from 25 May 2018 (the effective date of GDPR) – and, additionally, to ensure that updated GDPR-compliant provisions are applied to all new government contracts awarded after 25 May 2018.

Government departments will now have to go through the process of identifying existing contracts that involve the processing of personal data and then write to all government contractors notifying them of the changes that are intended to be made to relevant contracts to bring them in line with the new data privacy rules.  Additionally, government departments will be expected to conduct due diligence on existing contracts to ensure that contractors can implement the appropriate technical and organisational measures necessary to comply with GDPR (i.e., to provide guarantees of their ability to comply with the new regulations).  As well as updating relevant contract terms, it may also be necessary to modify service specifications, statements of work, and service delivery schedules to set out clearly the roles and responsibilities of data controller and data processor.

The Crown Commercial Service has not indicated how government departments should address the issue of unilaterally mandating new contract terms in bilaterally negotiated contracts.  As in most EU countries, the UK has no equivalent to the U.S. Code of Federal Regulations, so each UK contract will have been separately negotiated.

Notably, the Crown Commercial Service takes the view that, because any organisation operating in the EU will be required to comply with the new legislation anyway, any costs incurred in doing so are attributable to the general overhead of conducting business in the EU and not to supplying the UK public sector.  Hence, the UK government expects contractors to manage their own costs in relation to GDPR compliance and not seek to pass those back to the government.  The UK government position is that it will not accept contract price increases from government contractors as a result of work associated with compliance with the new legislation.

One of the more well-known parts of GDPR is that the potential scope for fines and penalties for non-compliance with the new laws could be up to €20 million or 4% of worldwide annual turnover of an undertaking.  The Crown Commercial Service guidance does not make it clear how that increased potential exposure should be addressed.  The guidance does, however, contain a set of new standard GDPR clauses to be incorporated into contracts in substitution for whatever exists at the moment.

Any entity in current possession of a contract with a UK government authority or department ought to examine its existing contract terms, compare them to the new proposed contract terms and identify a strategy for negotiation and/or discussion with the authority when it sends through an instruction to make unilateral variation to those terms.  Organisations also ought to be identifying what further technical and organisational measures are necessary to ensure continued compliance with GDPR as it is implemented in the UK and right across the EU.