GDPR Considerations in European – American University Research Contracts

Negotiating R&D contracts with European partners over the past 20 years has always been my favorite type of transaction work. You have the cultural differences, the time zone issue, language issues, IPR issues, liability and indemnification issues, currency issues, and other issues that add complexity to the negotiation (and ultimately management) of such transatlantic research contracts.

Since May 25, 2018, the date that the GDPR came into force, the exporting of European personal data to America via research contracts has assumed more importance in the international contracts realm. In this brief post I want to point out several of the large buckets that university contract negotiators need to consider in negotiating and managing such contracts (and ultimately the relationship between the parties).

The scenario covered by this article is a European sponsor (government, foundation, private company, etc.) who wants to provide money to an American university for specific research work, such work often involving the private information of European data subjects and requiring its exporting to the U.S. partner. For example, such a scenario could involve funding from the European Commission to Harvard University. Now onto the buckets.

Bucket 1: Ascertaining Important Data Protection / Privacy Information Parameters at the Beginning

This bucket includes the information that should be ascertained at the beginning: the pre-award / proposal development / Scope of Work (SOW) stage of the research partnership. Here are some questions that should arise from the American side: Is there a European address? Where is the corporate headquarters? Why does your partner want to include GDPR terms in the contract?

At this stage, it is also important to determine what type of data is being transferred and if the data meets one of the three standards for GDPR application to U.S.-based organizations: 1) physically present in the EEA; 2) offering goods / services in the EEA; or 3) monitoring behavior in the EEA. These questions – and their follow-on ones – really are part of the partnership-building process at the beginning. This should happen well before the issuance of a research contract for negotiation and signature.

Bucket 2: Who is the Controller? Who is the Processor?

This is Privacy 101, but these questions are foundational. Who determines the purposes and means of the processing of European personal data of data subjects? (Controller) Who acts on behalf of the Controller pursuant to a data processing agreement? (Processor) These roles need to be determined as the project is conceptualized and developed.

Once again, it is useful to look at the Scope of Work (SOW) to determine what role is best suited for each party given the proposed research activities.

While for most European-American projects it would be the European Sponsor / Funder of research activities as the controller and the American university as the processor, it is still theoretically possible that either contracting party could be a controller, a processor, or a joint controller. Once again, it depends on project scope and what each party is doing during the project.


This relatively short post is meant as an introduction to the GDPR dimensions of transatlantic university research contracts. Data protection / GDPR considerations have joined a multitude of programmatic and contractual issues for these international contracts. A future post will focus on contract negotiation. Please feel free to leave comments below.

The Well-Being of Privacy Professionals: A Critical Component for Success

The fields of privacy and data protection are fairly new areas of professional activity. Certainly the last generation+ has seen an explosion in job growth. The question naturally arises, then, as to whether individuals working in the area are happy and professionally satisfied. Do they derive professional satisfaction? Are they thriving? Is stress in the workplace too much? Are they supported by their leadership? Do they have a satisfactory work-home balance? Does job stress cause privacy pros to seek relief by turning to alcohol, drugs, and other substances? These are all critical questions that need to be asked as the areas of privacy and data protection continue to develop on a global level.

Another field, law, has been grappling with the topic of lawyer well-being for a number of years now. In fact, the topic of lawyer well-being is being addressed by a number of state bar associations in the United States. In 2017 the National Task Force on Lawyer Well-Being released a report, which was based on a 2016 survey of 13,000 practicing attorneys. That survey found that too many lawyers are not thriving. The reader is encouraged to check out this material at:

I was honored to be appointed to the Wisconsin Lawyer Well-Being Task Force, which is an example of a state bar association addressing the critical importance of lawyer well-being. The 2017 National Task Force Report serves as a guide for our work in Wisconsin (for a number of years the State Bar of Wisconsin has had the Wisconsin Lawyer Assistance Program (WisLAP), but we are looking at the program consistent with the National Task Force report). While the Wisconsin Task Force has just started its work, it naturally got me thinking about the well-being of privacy professionals.

The National Task Force conceptualized a holistic approach that, in the privacy realm, begins with the question: How should we define well-being for privacy professionals?

This holistic approach, courtesy of the National Task Force, considers the following dimensions:

  • Emotional: Value emotions. Develop ability to identify and manage our emotions to support mental health, achieve goals, and inform decisions. Seek help for mental health when needed.
  • Intellectual: Engage in continuous learning. Pursue creative or intellectually challenging activities that foster ongoing development. Monitor cognitive wellness.
  • Occupational: Cultivate personal satisfaction, growth, and enrichment in work. Strive to maintain financial stability.
  • Physical: Strive for regular activity, good diet & nutrition, enough sleep, and recovery. Limit addictive substances. Seek help for physical health when needed.
  • Spiritual: Develop a sense of meaningfulness and purpose in all aspects of life.
  • Social: Develop connections, a sense of belonging, and a reliable support network. Contribute to groups and communities.

This is an impressive list. At one level, the reader will think these dimensions are generic enough to apply to any occupation or field. But what unique dimensions may be teased out for the areas of privacy and data protection?

One common fact situation that I see discussed on social media platforms is when data protection officers (DPOs) are not fully supported by company leadership and / or are not fully integrated into the culture of the company / entity / institution. These problems, in a generic sense, are common to other jobs and areas in the professional world. But the difference is that the modern world of privacy and data protection is slightly more than one generation old and is coupled with rapid technological development and change. That combination makes privacy + data protection a bit unique at this point in time. And given the way things are right now in the world, change will not be slowing down anytime soon.

So, the discussion comes back to enhancing the well-being of privacy professionals. What can companies and institutions do to enhance their well-being? What can professional associations do? How may a holistic approach be applied so that privacy and data protection professionals thrive?

This post is, for me and hopefully others, the start of a larger discussion about enhancing the well-being of privacy professionals. I’m sold on the holistic approach, but the key is making sure that any approach meets the needs of the target audience. These are exciting times for privacy professionals, and their well-being is a critical component to facilitate their success.

A Conversation with Sonia Intonti: Schrems II and the Way Forward

We said it to ourselves, and we heard it repeated many times, that this year 2020 will certainly have no place in the annals as a lucky year. The beginning of this new decade has seen the life, or at best the activity, of many of us bending due to the pandemic crisis caused by the Coronavirus, which, among other things, has also led to the closure of every border between countries. But while none of us could physically move, thanks to the current state of technology we had the chance to experience the “power of ubiquity” that allows us to sit in our European living rooms and be virtually on the other side of the ocean through our personal data.

But 2020 didn’t wait before it surprised us again, and so just when our physical borders were beginning to slowly reopen, on 16 July the Court of Justice of the European Union (“CJEU”) effectively declared invalid one of the main transatlantic data transfer corridors, by invalidating Decision 2016/1250 on the adequacy of protection provided by the “EU-US Privacy Shield.” Consequently, international data transfers, which are so vital for the global economy, suddenly became open to question: the CJEU has confirmed that EU standards of data protection must travel with the data when it goes overseas, which means that Case C-311/18 – Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems (known as “Schrems II”) has wider implications than just the invalidation of the EU-US Privacy Shield (see UK Information Commissioner’s Office, Updated ICO statement on the judgment of the European Court of Justice in the Schrems II case, 27th July 2020). Besides invalidating Privacy Shield, the Court examined the validity of the European Commission Decision 2010/87/EC on Standard Contractual Clauses (“SCCs”) and considered it to be valid. Schrems II is a judgment that confirms the importance of safeguards for personal data transferred out of the EU.

This article digs into the interplay between the decision on the validity of one route (SCCs) and the invalidity of the other (Privacy Shield) from both the European and American points of view.

Question 1: What do you think is the most interesting aspect of Schrems II with respect to the Privacy Shield discussion?

European Perspective: As I further explain in my answer to question 4, the aspect which in my opinion equals in interest to the one identified by my colleague Jim, is the position of the Court with regard to the two decisions which are concerned here: the ‘Privacy Shield’ adequacy decision and the European Commission decision on standard contractual clauses. On the one hand, the Court found that the requirements of US domestic law entail restrictions on the protection of personal data which are not designed to meet requirements substantially equivalent to those of EU law and that such legislation doesn’t grant data subjects enforceable rights vis-à-vis the US authorities, thus invalidating the adequacy decision “Privacy Shield.” On the other hand, however, the court confirmed the validity of the so-called standard contractual clauses which, de facto, recognize the burden and the honour of the parties to establish the adequacy of the transfer but in the light of the arguments that led to the invalidation of the decision on Privacy Shield.

American Perspective: The most intriguing aspect of the case from my perspective was the Court’s factual findings of U.S. law. Several of the broad themes I see impacting on that discussion are the increase in the U.S. surveillance state since the 9/11 attack and the fact that the U.S. political system is a representative democracy coupled with concepts of federalism (where the federal and state governments have fairly delineated rights and responsibilities). The current president, unlike most recent ones, has a broad conception of the scope of executive power. That is not an item that is endearing to most Europeans.

It is imperative that a balance be found between the European conception of privacy as a fundamental human right, and the need for some measure of a surveillance state (in the U.S. and Europe). There is a fundamental tension between a privacy right and the proper need for some surveillance. Given the large volume of data flows between Europe and the United States and given the large amount of transatlantic trade between the two partners, it is imperative that an accommodation be found between both “partners.” That last word needs to be remembered and acted upon by U.S. and EU leaders.

And one final note. In this time of the pandemic, it is even more important to maintain transatlantic data flows in the areas of individual health information and public health information.

Question 2: Given the basic governmental structures of the EU and the U.S., do you think that enough changes can be made to the U.S. intelligence and law enforcement functions to allow for the necessary protection of EU personal data?

European Perspective: As I’ve already said to my colleague Jim, I’m not in the position to discuss American law, but what I can say is that dialogues like this one, but at higher levels, are needed to ensure efficient interaction between countries with different backgrounds but which have similar perspectives. In times like this one, where the economy is global and based upon Big Data, I believe these two important partners have, or should have, similar perspectives.

American Perspective: It will take some time for U.S. changes to be made. I say that primarily because of the upcoming U.S. elections. With the pandemic and social issues taking precedence, I find it hard to see any legislative changes happening this Fall. On top of that, President Trump has now positioned himself as the “law and order” president. While he strongly compliments the military and local law enforcement, he has shown a tendency to undercut the U.S. intelligence agencies. But I do not think the latter is enough for him to take executive action on data protection in the context of the activities of the intelligence agencies and federal law enforcement. But he could surprise us. He always does.

Question 3: It is clear from the court opinion that SCCs are valid, but are on “thin ice.” What are your thoughts on improving the SCCs so that they exist on stronger legal ground?

European Perspective: The core of this question recalls my answer to the first one too. In fact, I believe this is one of the most interesting, as well as confusing, points which the Court touched on within its judgement. “SCCs confer only contractual rights on data subjects against the data exporter and importer, without, however, binding the United States authorities,” and this constitutes the perimeter of that “thin ice” on which the SCCs lie, at the moment not supported by the suggestion of any additional measure able to guarantee an effective protection by the American data importer of Europeans’ data and / or any perspective of legislative changes in US law. In particular, the Court notes that the SCCs impose an obligation on the data exporter and the recipient of the data (“the data importer”) to verify, prior to any transfer, in the light of the circumstances of that transfer, whether that level of protection is respected in the third country concerned. Given that, we can only wait for the EDPB to give guidance on how these guarantees can be provided by the importer which falls within the definition of “electronic communication service provider,” which outlines the scope of Section 702 FISA, in order for it to receive data from EU partners without contravening local law.

American Perspective: I look forward to the European Commission releasing upgraded SCCs. As someone who has negotiated several thousand contracts in my career – many global – I have always had a dim view of “standard contracts,” because many need to be negotiated to fit the particular circumstances of the parties and subject matter. The current SCCs are critical to the European privacy regime and they are necessary (along with other tools) to protect European data protection rights. These are exciting times to be a contract professional.

Question 4: The U.S. Ombudsman, established to help EU citizens, was faulted by the CJEU for having insufficient authority over U.S. intelligence and law enforcement agencies. What are your thoughts about that component of the decision?

European Perspective: I like to believe that in this judgment European citizens were regarded as individuals rather than as citizens of a certain country. It is therefore the underlying concern about human rights and cultural protection that in my opinion has stimulated this very CJEU’s reaction to American government interference on European citizens’ data. For this reason, issues relating to national security and access to personal data by public authorities must be provided for by law and this law must lay down precise limitations to access to data by authorities, as well as clear and precise rules governing the measures able to ensure ‘effective and enforceable rights of data subjects.’

American Perspective: The Ombudsman role is a useful and necessary one. I would love to see that role exist in the next U.S.-EU agreement. Perhaps the U.S. needs a specialized Privacy Court. For instance, there is a U.S. Tax Court – so there is precedent. But that possibility needs an overarching U.S. Privacy Law, clearer articulation of a U.S. privacy right, and the money and political will to make a specialized court a reality.

Question 5: This decision illustrates the tension between the right to privacy and the role of intelligence and law enforcement agencies in a global economy. Considering the opinion, how is that balance best met?

European Perspective: Whenever I’m faced with a balance between different rights or interests, I feel grateful for the great Charter that the constituent fathers of my country (Italy) gave birth to in 1947, thus giving us the most important lesson on balancing fundamental principles: these principles, depending on the context, do not eclipse one another, but they always coexist in different declensions. And this is how I believe it must be between the right to privacy and the public security, as a prerogative of intelligence and law enforcement agencies, within an economic system that is now global. The only duty to guarantee public security and public order, at any level, cannot allow any kind of intrusion by government authorities, thus contradicting the principle of proportion, which is at the basis of the rationality that informs the principle of equality.

American Perspective: The tri-sector tension as articulated (right to privacy, role of intelligence and law enforcement agencies, and a global economy with massive data flows) is the most fascinating aspect of privacy (well, next to the clear articulation of “rights” in both the U.S. and EU). I believe that all three tensions may be managed (though probably not always eliminated) within the context of global economic growth. Post-pandemic, both the U.S. and EU need a long period of economic growth to get out of this hole we find ourselves in. The “pie” needs to grow. If it does not, there will continue to be economic and social unrest. But yes, I believe that privacy, security, and economic growth can exist concurrently. How that comes about is not clear at the moment.


Our conversation regarding the Schrems II decision and the way forward illustrates, in a small way, the similarities and differences between the partners to this transatlantic partnership. Or, perhaps, these differences and similarities are more borne out of different recent experiences on the global stage. As privacy is now a central component of global living, it will be interesting to see how events on the global stage have an impact on privacy, and vice versa.

The GDPR and U.S. Universities

The Future of Privacy Forum released a fantastic report in May 2020 entitled, “The General Data Protection Regulation: Analysis and Guidance for U.S. Higher Education Institutions.” As someone who has worked in U.S. university research management for over 25 years, I found this document a welcome addition covering a big sector of the U.S. economy. The author, Dr. Gabriela Zanfir-Fortuna, did an excellent job with this piece.

For those privacy professionals who work in U.S. higher education institutions, the most common university functions covered by the GDPR include: 1) The admission and enrollment of students; 2) Students studying abroad in formalized programs (for instance, “Semester Abroad” programs); 3) American universities having physical campuses outside the U.S.; 4) Online classes; 5) Alumni; and 6) Vendors.

Another area at many universities – research / grants & contracts – is not given extensive separate treatment, but mention is made of the “Archiving, Scientific, and Historical Research” exception against the processing of special categories of personal data (p. 9). Research agreements requiring many students’ personal data are discussed on pp. 17-18.

In terms of legitimate grounds most likely applicable to U.S. universities outside the EU as controllers, the author notes these: 1) Consent; 2) Contractual Necessity (entry or performance); 3) Legitimate Interests; and 4) A Vital Interest of the Data Subject or of Someone Else (p. 18).

Whether you are new to the privacy realm or to higher education more generally, this report is a handy, useful guide for both technical and contextual reasons.

Observations on Office Re-Engineering: Privacy Offices and Research Offices

Earlier today I had the opportunity to watch the highly useful IAPP webinar entitled What Works: Benchmarking and Improving your Privacy Program. I was particularly intrigued by the comments directed at improving / re-engineering a privacy office. The presenters emphasized the constant evolution of privacy regimes on a global scale, and that today adaptability and flexibility are key for people and structures (such as a privacy office).

That got me thinking about a large part of my career to date – the establishment and re-engineering of research offices at American universities. By “research” I mean the administration of grants, contracts, and other legal instruments that support faculty research. International grants and contracts are a large component in this area. For instance, the NIH (National Institutes of Health) in Washington, D.C., funds research undertaken by European scientists. That global dimension will only continue to increase in a post-pandemic world, although it appears that a robust European posture towards research is in question as I write this.

My own involvement with the establishment and re-engineering of research offices began at Northwestern University in Evanston, Illinois. We had a major challenge at NU as we were re-engineering operations while maintaining the administration of $165M USD in research funding. Subsequent to that, I established two research offices at smaller universities and then established a contracts / industrial agreements office at a larger university in Texas. While at the latter institution I oversaw two additional re-organizations that built upon the original office.

Those universities provided me with a lifetime of unique and challenging experiences. So, here are my thoughts and observations on best practices for building and re-engineering offices, along with specific comments on the privacy office context:

  1. Every university research office was designed to be public facing, client (faculty) – oriented, and collegial with other university offices. It was critical that the research office work effectively with other university offices. What is the parallel situation in privacy? A privacy office that works collaboratively with a security office (or any other office, for that matter).
  2. No research office was meant to operate as an “island” or a “silo.” A privacy office should not be its own island or silo within a company or other organization.
  3. One particular aspect of these offices was that they were designed for staff to “get out” into the greater community of the university – and beyond. It seems to me that privacy office personnel serve in a similar capacity within their environment.
  4. When re-engineering an office, particular attention must be paid to client satisfaction and “upping your game.” What does your office do well in Version 1.0, and what do you want to do well in Version 2.0? What pressure points need to be eliminated?
  5. Professional development opportunities for staff must be plentiful. I see this as a common thread between the privacy and research worlds. When you think about it, both areas are intellectually vibrant and subject to rapid change. While it is important to stay abreast of such change, getting ahead of said change is preferable.
  6. How are you going to measure office success? What are the metrics or KPIs? In the realm of research contracting, for instance, one such measure is the length of time to get a contract negotiated and signed. In privacy, one such metric is the length of time it takes to respond to DSARs.
  7. Lastly, the human / interpersonal dimension of an office is just as important as the technical / legally satisfying dimension. Not only must the office be enjoyable for the staff to work in, but it must be viewed – and in reality – as an enjoyable partner within the environment(s) within which it operates. Research management and privacy management are truly Art + Science.

Research offices and privacy offices have more in common than probably many people would have thought. Both operate in a rapidly changing global environment and are intellectually vibrant. It will be quite interesting to see how these offices function and change over the next few years.

Contract Negotiation Best Practices and SCCs

Given the recent CJEU decision in Schrems II with respect to standard contractual clauses (SCCs), it struck me as a good time to revisit best practices in contract negotiation. The suggestions below are the result of 18+ years’ negotiating contracts in law, local government, and academia, including many with colleagues in Europe and beyond.

Whether these suggestions apply to your particular role in the privacy universe, especially in light of the Schrems II decision, I will leave that up to you. So, these practical suggestions and observations *may* be applicable in the privacy realm, but they are certainly applicable in the larger professional world. These are presented in no particular order of importance:

  1. Gather as much information from your negotiating partner as early in the negotiation as possible.
  2. Avoid using texts and certain software programs such as WhatsApp to negotiate, except in rare / emergency situations.
  3. Have an Offer-Concession Strategy: What is important to your organization or company? What are you willing to compromise on and what are non-negotiable issues?
  4. Do more listening than talking. TRULY LISTEN.
  5. Negotiate for the long term. Build a long-term relationship, if that is what both parties want. You never know what the future will bring.
  6. The parties’ missions should mesh together. That builds long-term partnerships. No meshing of missions = less chance of success.
  7. Have empathy for your negotiating partner. Understand where they are coming from and then work toward a mutually satisfying result. This is even more important given the pandemic.

Utilize these in your negotiations – including in privacy-related matters – and you are in good stead for the future. Remember, contract negotiation is art + science, so you need both the technical skills / aptitude AND the interpersonal skills to work in a civil manner with your colleague(s).

One last point. Contract professionals need to be flexible. This was quite true before the pandemic, and it is even more important given the pandemic and the uncertainty unleashed by Schrems II. We are in uncertain times for several reasons, but I suspect that privacy professionals will rise to the occasion when it comes to SCCs and contract negotiation.

The Aftermath of Schrems II

Much has been written about the Schrems II case since its publication 9 days ago. Rather than simply repeat what many others have said on various privacy sites, I want to provide my own take on it within the broader context of what is going on in the world today.

While Schrems II invalidated the EU-US Privacy Shield, the decision cannot help but have implications for other countries throughout the world. What happens when European personal data flows to countries where government commitment and judicial systems are not strong enough to enforce EU personal data protections?

As an experienced contract negotiator & attorney, I have always been fascinated with standard contract clauses – regardless of the subject matter. The evolution of the European Commission SCCs remains a subject of high interest.

With regards to the EU-United States relationship, it is important to remember that there is $7.1B USD of annual trade between the two partners. It is my hope (and confidence) that adjustments may be made on the U.S. side so that this mutually important relationship remains strong and prosperous. Sometimes it helps to be reminded that Europeans and Americans have more in common than in difference.

The pandemic and the situation in Hong Kong may yet play out in ways that many people in Europe and America cannot predict presently.

I close by saying that these are exciting times to be an ethical privacy practitioner, whether in Europe, America, or beyond, and the best way to add value to governments, businesses, and clients of all stripes is through continual and thoughtful professional development.

At the Nexus of Privacy and Antitrust

The IAPP Privacy Advisor published an excellent article on 23 June entitled “The thin line between privacy and antitrust.” In particular, the three scenarios presented by the authors are concise introductions to the important ways that privacy issues may arise in antitrust matters / investigations, and to how the areas of privacy and antitrust will become more closely linked going forward.

As someone who has worked at the nexus of antitrust and privacy for the past couple of years – and who has been involved in 10 such U.S. matters (involving the U.S. Federal Trade Commission and the U.S. Department of Justice) – I have the following general observations to share:

  1. It is important to be extremely careful in internal corporate communications when it comes to privacy issues as discussed by those “in the know.” That may sound like an obvious piece of common sense, but I have been shocked by how corporate leaders (from the CEO on down) are inappropriate and sloppy when it comes to privacy discussions in antitrust matters. Email is an easy mode to fire off one’s thoughts, but discipline of thought and tact are incredibly important.
  2. I have been pleased by the awareness of company personnel when it comes to personal sensitive information, PHI / PII, etc. Very impressed.
  3. I have seen little discussion of privacy as a basic human right. Much more work needs to be done in the U.S. in terms of cultural change. As privacy pros know, they are excellent ambassadors for that point of view.
  4. In some situations, discussions of privacy issues were subtly couched in ways to restrain competition in the industry. As everyone here knows, never say that. As well-versed antitrust lawyers also know, sometimes corporate leaders and counsel cease writing emails on a topic and continue the discussion on the phone.
  5. Some of the situations I have been involved with were mergers where getting the data from the acquired company is one proposed benefit of the merger. The discussion by the authors in their section entitled “Sharing data raises privacy concerns” is spot on and bears multiple readings. Once again, if you view data protection & privacy as a basic human right, there should be no question that a more rigorous conception of those topics is necessary from Day One. Privacy should be baked into the company’s DNA – and a newly merged entity is an excellent opportunity to make that a reality.

The section in the IAPP article focusing on nascent competition is especially pertinent for the future, though now with the pandemic in full force it remains to be seen what the final damage inflicted upon the U.S. economy will be, and how that will ultimately change corporate leadership in the future – especially with regards to the privacy / antitrust relationship.

Contract Negotiation Best Practices

If you are interested in contract negotiation best practices, check out my discussion in the latest installment of NCURA YouTube Tuesday (National Council of University Research Administrators). Not exactly concerned with privacy per se, but I would consider the topic to be within the larger universe of privacy issues.

Culture Change During this Momentous Time

I watched the congressional testimony on Capitol Hill today regarding the pandemic, and listened to the medical experts from NIH/NIAID, CDC, FDA, and the Administration. Their observations got me thinking about the concept of culture change and how much we are hearing about how the pandemic is changing (or going to change) cultural norms and expectations. We all know that the pandemic is having an impact on the field of privacy and how that has been operationalized in the past few years (GDPR, etc.).

Changing a corporate culture so that it is (more) privacy-centric is one thing. Changing a corporate culture as a result of the pandemic and what that is going to mean across many countries is another. Accomplishing both simultaneously is a tall order, but I think it is possible if people remember that change has both technical and interpersonal / humane components.

These times require much more human understanding and flexibility than we are used to. But if people remember what the goal is, and work together, it will get done.