Strategic Alliance Magazine Q2 2020 - 46

DATA DILEMMAS

generally house, organize, and/or manage the data provided
by the controller. For instance, an academic research team
developing algorithms on IBM's Watson would be a controller, while Big Blue would be classified as a processor, assuming it was just hosting the work on its platform and not jointly
selling it or creating a service with the researchers, in which
case both entities would be considered controllers.

"If I'm giving you all of this hot
data with private information
in it, your reassurances
about how secure it will
be and your limitations on
access are going to be more
important than ever."
To comply with the California Consumer Protection Act
(CCPA), a company with over $25 million in revenue that
buys, receives, sells, or shares the personal information of
more than 50,000 California consumers, households, or
devices, and derives half of those revenues from selling that
personal information to others, must be labeled a "business"
in the contract. If a company has a contract with a business
to process consumer personal information for specific purposes and is forbidden to use that data in ways not specified
in the contract, that organization is labeled a "service provider." Entities that collect data directly from consumers-
including internet service providers, data analytics providers, government entities, operating systems and platforms,
social networks, and consumer data resellers-are considered "third parties."

Hot Data Requires Cool Handling
This sets up an interesting push-pull between the parties contributing data to dedicated hosts. The former should protect
themselves by demanding representations, warranties, indemnifications, and similar language around the data they are
sharing, in Heimes's view.
"[If] I'm giving you all of this hot data with private information in it, your reassurances about how secure it will be and
your limitations on access are going to be more important
than ever. I, having collected the data from the person in the
first place, am ultimately responsible to that person. If I pass
along that data to you, I'm going to want you to make me
whole again should there be a breach on your end and I have
to make good on behalf of my data subjects. These things
46

Strategic Alliance QUARTERLY

| Q2 2020

ultimately flow down to the party that collected the data in
the first place. It's really their responsibility to conduct transparency properly with the data subject and take care of that
data once it's in their possession," explained Heimes. "The
way they can transfer liability is through the contract."
In return, the processor or host should limit its liability
vis-à-vis the individuals who have granted the controller
consent to use their PII.
"If I'm the data host, I'm most concerned with not getting
overexposed in terms of my liability to the ultimate data
subject. I don't want to be overexposed in a data breach
beyond what I can afford to pay. I don't want to be responsible
for having breached promises to the data subject that I never
had a chance to communicate with in the first place," said
Heimes. "If I'm the host, I probably own security. I can't help
it, but that's the risk I take by being willing to host the data.
However, I shouldn't bear the privacy responsibility if I had
no chance to communicate with the data subject, so I'm going
to want to push that back to the party contributing the data."

Before You Gather Data,
Collect Your Thoughts
Once the project begins, the alliance must thoroughly
think through the initial collection of potential PII if the
subjects of the data are California or EU residents. The
collector must clearly spell out how it is going to use this
information and obtain a concrete consent from the subjects. To comply with GDPR, this acknowledgment cannot
be obtained by simply having the end user click a checkbox at the end of several paragraphs of legalese, a form
of consent that is common to Web browsers in North
America. Rather, the language must be clear and simple
to an average citizen (i.e., you don't need a lawyer or a law
degree to understand what you are agreeing to).

"Alliance managers should ensure
that they know what the enterprise
is looking for from both a technical
and a business standpoint."
This undertaking is probably a little easier when personal
contact with the subjects is a natural part of the process-for
instance, when interfacing with patients as part of a clinical
trial. Tech companies releasing an app to thousands via a
public digital marketplace, however, must carefully craft forms
that explain in plain English-again, not lawyer-speak-for
Strategic Alliance Magazine Q2 2020

Table of Contents for the Digital Edition of Strategic Alliance Magazine Q2 2020
