In this episode of the Contract Teardown, privacy consultant Avishai Ostrin explains the Data Processing Agreement, or DPA. The DPA protects companies from privacy breaches on third party sites and data storage tools like Amazon Web Services or Slack. Watch as Ostrin details the crucial elements of a DPA and what red flags to look out for when drafting.
THE GUEST: Avishai is a privacy consultant who works for Israeli-based privacy consultancy PrivacyTeam. Avishai started out his career as an Israeli lawyer. When he realized he wanted to expand his horizons beyond Israeli privacy compliance he moved to a UK firm based in Tel-Aviv and qualified as a UK lawyer. At PrivacyTeam Avishai advises clients not as a lawyer but as a consultant and external data protection officer (DPO). Avishai’s love for the interplay between technology and the law are what made him choose a career in privacy. Avishai lives in Raanana, Israel (a sleepy suburb of Tel Aviv) with his wife, three kids and dog, Brownie. He loves spinning and listening to podcasts (sometimes simultaneously :))
THE HOST: Mike Whelan is the author of Lawyer Forward: Finding Your Place in the Future of Law and host of the Lawyer Forward community. Learn more about his work for attorneys at www.lawyerforward.com.
If you are interested in being a guest on Contract Teardown, please email us at community@lawinsider.com.
Episode Links
The Contract: Data Processing Agreement
Guest’s Links: LinkedIn
Interview Transcript
Mike Whelan In this episode, privacy expert Avishai Ostrin tears down Slack’s data processing addendum. So let’s tear it down. Avishai Ostrin, welcome to the Contract Teardown Show. How are you today, sir?
Avishai Ostrin I’m doing great, Thanks for having me.
Mike Whelan I’m excited because we are talking about maybe my least favorite software tool right behind Twitter. Okay, I’m not going to rant about Twitter because I don’t emotionally need to go through that. We are talking about Slack, specifically this data processing addendum. I’m going to show this to the folks at home. Avishai, what is this thing that we’re looking at?
Avishai Ostrin Okay, so in order to understand what a data processing addendum is, we need to understand two basic concepts in privacy. Number one is the data controller. Number two is the data processor. So the data controller will be your company that’s using Slack. The data processor will be Slack. And basically the company is saying to Slack, we are putting information into the platform, we’re entrusting you with this information and the data processing addendum, or as we call it in the industry, the DPA will say what Slack is allowed to do with that data, how they can use it, what their responsibilities are towards me, the company, what they have to do when contract is over, etc..
Mike Whelan Yeah, we’re third-partying responsibilities, which is always sticky. So as we dig into this, tell us about you Avishai, What’s your background? What brings you to documents like this?
Avishai Ostrin Yeah, so my background, I’m a lawyer by training. I actually qualified both in Israel and in the UK, and I work for a company called Privacy Team. And what we offer is a very, very unique service to the technology sector. We offer a service called DPO, so, data protection officer. Some companies are required by regulation to appoint a DPO. Others choose to do it in order to sort of get their compliance in order. And basically what that means is that we’re in charge of everything privacy related within the company. So anything that has to do with personal data, how it’s used, where it’s stored, very, very sort of involved in the technology aspects. And one of the things that we do quite frequently is draft review, comment on, negotiate whatever verb you want to put in there. DPA, data processing agreements.
Mike Whelan Perfect. That makes you the right kind of nerd for this thing. So let’s dig into it. I’m looking at this document, and for those who are not familiar, somehow Slack is a place where you could do interoffice communications. There are ways that it can. It’s been used in other ways for like communities and things like that. But the point is there’s a lot of company information going on to this software tool. And so if I’m understanding correctly, and I want to get you to give me some feedback on the background of this thing, but if I’m understanding correctly, the idea here is I as a company, I’ve hired Slack, but I have responsibilities in Europe and in California and around the world to protect data. I have a bunch of rules, but now I’m trusting these weirdos in Silicon Valley, with my responsibility. It this, it seems to me, is trying to sort, you know, lay out the rules for that kind of a relationship – my understanding what a DPA is correctly. Give me the background on the thing.
Avishai Ostrin Right. So yeah, that’s exactly right. If you think about, for example, you have a bunch of money laying around and you go to an institution called the bank, Right. And we want to make sure is we want to make sure that when you give the bank this money, they’re holding it properly. They’re not misusing it. They’re not giving it to people they shouldn’t be giving it to. They’re holding it on your behalf and doing with it what you would want them to do with it. And that’s basically the equivalent of what we have here just with data. So they’re holding your data and they need to do what you require them to do through this this contract, this DPA.
Mike Whelan Perfect. So let’s talk about it. I, I sort of like the way they do this layout. I don’t know if the folks at home are going to be able to see this, but they have sort of a data entry. They do it almost like a document automation tool that you can go and you can sign it. So to be clear, they are creating the data processing addendum that you are going to sign as the company owner, that they’ve got good background, a bunch of definitions, but we’re going to slide down to personal data. Let’s go. Yeah, there we go. We’re in one in the conversation about personal data and also into two into how they process it. Give us some of the language in here that you’re looking at. And do you like how they’re referring to personal data and the ideas about how they’re processing it?
Avishai Ostrin Yeah, that’s exactly right, Mike. I think what you said is it’s important to note here that that Slack is, in fact, as do many large companies, right, they’re going to be dictating the terms on which they are processing data on your behalf. So sort of the scale is they’re a little bit tipped, I would say, in the in big Tech’s favor, as it often is. And that’s why we need to take a look at this critically and say, okay, are they drafted too much in their favor and make sure that we’re you know, we’re getting into the weeds on that and making sure that we’re protecting our interests appropriately. So as you said, the first thing we’re going to get into is the definition of personal data. So if you look at the definition section, so they talk about customer data that relates to an identified or identifiable natural person. So very, very, very broad. Any data that relates to an individual. If we then sort of scroll down the connected clause would be 2.4, which is the details of processing. And basically what we’re trying our goal here when we approach this part of the DPA is to understand what it applies to. Okay, so we know it applies to personal data, which is, roughly speaking, any data that relates to an individual. So Mike Whelan, obviously Avishai Ostrin, not company Inc. Okay. So that’s differentiation there. And then the details of processing in 2.4 and then complete, which have completed that in schedule three will tell us sorry, schedule two will tell us what type of information they are processing. So if we scroll all the way down to page number 15, we’ll see what categories. So the first thing we have is categories of data subjects whose personal data is transferred. So if you think about the Slack platform, what you’re saying to yourself, what type of personal data will Slack be processing? Well, it’s any information about the people who are communicating via Slack plus any information that they input about other people. So, for example, if Mike and Avishai are communicating via Slack, they’ll have obviously it’s information and they’ll have Mike’s information. And so if you look at the categories of data, subjects, they’ll have, you know, the authorized users, which are people who are authorized to use the system, the employers, the consultants, the contractors, the agents, etc., etc. all of those types of individual data will be processed within the system. The categories of the personal data is, you know, as it says here, any personal data comprised in customer data as defined in the agreement. So that’s sort of a very broad definition to say it’s anything that you guys decide to put in the system. And that’s very common. We see that a lot, particularly with SaaS Technologies, software as a service technology, where they’re saying, here’s the platform, do with it whatever you want. We have no control over what data you put into the platform. It’s whatever you use the platform for. And so that’s why there are these broad definitions. Um, and then we can sort of go through this as well as whether there are any special categories of data, frequency of the transfer nature of the processing, etc., etc.. And so just to summarize.
Mike Whelan I want to take you back to kind of ask a dumb question. When I look back at personal data, you know, it in the definitions, it says it means any customer data and customer data is capitalized as if that’s a defined term. It sounds like what you’re saying is let’s assume if you’ve got an addendum, all right, like by definition, then there’s another document and presumably customer data is defined in that other document. So am I right in understanding that you’re not this will never live on its own. It’s going to live as part of a a separate agreement that Slack probably wrote as well.
Avishai Ostrin Correct. That’s 100% correct. You’ll usually have a main agreement. Whether you’re talking about a services agreement, you’ll have Ts and Cs. If in the case of Slack, which is sort of an auto sign up kind of situation, but absolutely right, it’ll always refer back to the agreement and oftentimes you’ll see it also refers back to when it talks about what processing activity Slack is going to be doing. They’re going to be doing the services that they agreed to in the agreement. So there’s a lot of cross-referencing between there’ll be a lot of cross-referencing between those two documents. And I think that you pointed to you made a point about something that I think is also very important to make sure that we sort of emphasize here, which is that one of the things that you need to make sure if you’re reviewing these types of documents is we need to make sure that the data that that Slack says that it’s processing on your behalf is, in fact, the data that makes sense to you. So if there’s something in here that looks like, hey, wait a second, if you’re if you’re you know, you’re saying to yourself, hmm, they talk about racial and ethnic origin, political opinions, religious, philosophical beliefs, things like, you know, very, very sensitive type of data. Then you might say to yourself, well, you know, Slack says we have no control over whether someone, you know, says, you know, my political opinion is X, but then you might want to take if that’s something that’s an issue for you, you might want to take sort of mitigating steps to say, hey, wait a second, don’t put any of that. You might want to instruct your workforce. For example, you might want to say, Hey, guys, let’s just make sure not to put any sensitive data in the system, because then they’ll be they’ll be processing it on our behalf and that might be an issue.
Mike Whelan So interesting because sorry, it’s so interesting to my earlier point, like I’ve seen this used not just for companies, I’ve seen it used for community is for like social groups who are getting together. And so whatever the context is, if you’re trying to optimize for a work context, it’s an interesting decision for Slack. But you mentioned the word processing. I again define term. The word processing means something. They’re referring to in their definitions: Any operation or set of operations which is performed upon the personal data, whether or not by Automattic or if somebody actually did something. So I’m looking down at 2.3. It gives some of the guidelines for processing the personal data. Again, feels very broad. We’re going to do the thing with the thing and all the things that we do. It’s ours to do the thing with. What do you think about the language in 2.3?
Avishai Ostrin Yeah, so I agree that oftentimes, again, with these SaaS platforms where, you know, Slack is saying to you, to the customers, saying to you, listen, I don’t know what you’re going to do with this system. Right? You could take it. You could, you know, be running the, you know, the next I don’t know, you could you could be running a plot of some sort, a criminal enterprise on Slack. I have no control. You know, that’s completely obtuse. So we’ll process whatever data you input there. But interestingly, if you look at 2.3, there’s some very interesting language in here. And in fact, what’s interesting is something that I believe is missing in here. So if you look at 2.3, it says they’re going to process the data in accordance with the agreement. Okay. They’re providing you the services that’s laid out in the agreement. So in accordance with the agreement or the applicable order form processing initiated by authorized users in the use of the service. So if you, Mike, are entering a message into Slack, that’s you know, you’re inputting the personal data and then number three, processing to comply with other reasonable instructions provided by customer. Okay. So if, your company is using Slack says, hey, give me all of the copies of all of my data, then that would be an instruction provided by the customer that they have to comply with. What I feel that’s missing in this clause that we often see in DPAs and I don’t see here are two very important additional sort of purposes. Number one is what’s missing here is processing in accordance with the legal obligation. So there might be an instance where law enforcement comes in. It’s like, Hey, guys, we had a suspicion that Mike’s running a criminal enterprise through Slack. Can you give me all of his communications? You know, we’ll set that the legality and all the legal issues around that aside. But that would be a form of processing, and I’m surprised that it’s not here. And then the other one that’s a little bit more on the commercial side is. Slack and any other technology platform will want to use insights from its platform in order to improve its platform. Right. Slack wants to say, Hey, I see that people are, you know, connecting in this way, using Slack in a different way. I see that this type of chat, this type of group chat is more, you know, more used more or this type of prompts actually, you know, causes a certain type of behavior. And if you want to use those insights in order to improve the system, that’s obviously processing or at least anonymizing that data. So they can use it as a form of processing. And I’m surprised that they don’t have that in here because oftentimes we’ll see processing in order to gain insights to improve the software. So I’m actually surprised that that’s not in here. But, you know, that’s generally that’s what we’re looking for in that type of a clause.
Mike Whelan Gotcha. Well, you see, you company are trusting Slack with data that you are responsible for. Slack also trusts other companies with the data that you are responsible for. This is down in section four subprocessors and 4.1. They note they’re going to use other companies. There’s going to be other companies involved. And it says at the end of the that section, if you enter into the standard contractual clauses, then you grant a general written authorization to Slack to appoint subprocessors in accordance with Section nine. What do you think of this section in Section four, talking about the appointment of subprocessors and the use of suppressors? Are they handling this well?
Avishai Ostrin Yeah. So as you said, it’s it’s pretty much impossible to have this type of a a service like Slack without having subprocessors. You know, the most basic one that we’re used to seeing is the cloud service provider, right? They’re hosting it in the cloud somewhere, whether it’s Google or Amazon or whatever, you know, that’s your basic one that we’re used to seeing everywhere. But just as you say, like your company is entrusting Slack. Slack is entrusting a third party ultimately company will be responsible if something happens with the data once it’s entrusted to that third party. And therefore Slack must notify company about the appointment of the subprocessors. What’s often the game or the issue, I would say that that often comes up with drafting these types of clauses that are very often sort of meticulously drafted, is that on the one hand, Slack has an obligation to notify companies, hey, we’re using a new subprocessor, we’re changing our list, whatever, and gain the authorization. But on the other hand, you can’t really build a technology platform when if you’re going to appoint a new subprocessor, you’re going to have to come right to your hundreds, thousands of clients, of customers and say to them, hey, we’re we’re going to appoint this subprocessor, is that okay with you? And so that’s where because that’s just not a scalable option. So there’s that obligation on the one hand, but the scalability sort of clashes with that a little bit on the other hand. And so what we see here is very common where they say, okay, we’re going to give you notification, okay? And they will always the lawyers love to sort of argue it’s going to be ten days. Is it going to be 15 days? Is it going to be 30 days? We all love to get into the minutia, but the principle remains the same. We’re going to give you notification and the right to object if you object to the appointment of a specific subprocessor. And that’s exactly what they have here. Some more sophisticated actors like Slack will actually have a subscription option. You can subscribe on their website to receive any updates for subprocessor appointments and that’s it. And that makes it even easier for them to do that. And then the question is, once they notify if you object, what happens then? What’s the recourse? Usually what they’ll do is they’ll say, you know what? We’ll try to find a solution for you without using that subprocessor where you’re objecting to. And if not, you’ll have the right to terminate the agreement. Obviously, fees can be argued about whether they do have to pay a fee and the fees up until the date of termination don’t have to pay fees up. Date of termination. But generally speaking, the way they’ll do it is they’ll say if you’re silent on it after a certain time that’s deemed acceptance, and then you’re, you know, we’re good to use that subprocessor. So very, very standard. What I’m saying here in terms of notification, right to object within a certain amount of time. And then what happens? Termination, right. In case objection can’t be remedied.
Mike Whelan Got it. Well, eventually you’re going to cancel Slack. Theoretically, your company might, and you might move to some other platform. Section eight talks about that. The return and deletion of personal data, pretty short paragraph basically says you leave, we kill the data, have a nice life. What do you think about the way they’re handling this? Is this is this the right way to handle the end of the relationship as regards to as it pertains to the data?
Avishai Ostrin Yeah. So, this is a pretty standard clause. And actually, you know, there’s always a debate sort of in our industry in terms of what does it mean to return data. And I’m just going to like send you a huge file with PDFs there as how exactly you’re.
Mike Whelan Going to get the floppy disk. We got to go back to the site.
Avishai Ostrin Right?
Mike Whelan Somebody just listening to this, don’t remember, don’t know why the save symbol looks like it does, but there used to be a thing called disks. Let’s just send those around the people.
Avishai Ostrin Exactly. Exactly. Or you’ll just get a hard drive with all of your with all of your information on it. But again, the issue that we talked about with the subprocessor clause comes up here again, which is scalability, right? We need to be able to build a product where as many where we have as many self-serve functions as possible, which is why what Slack is saying is is built general and services like Slack will say, okay, at the end of the contract, if you want your data back, we’ll give you like a self-serve option that says, okay, export all my data to a CSP, file something like that, and you can download it. If you wanted to leave it, you can give us a notification and we’ll delete it from our system. But again, that’s sort of one that is oftentimes we’ll see a negotiation of it. Is it within a certain time period, within the termination of the agreement, who bears the cost? So you see here, for example, Slack put in a clarification for clarification, depending on the service plan purchased by the customer, access to export functionality may incur additional charges and the require purchase of a service upgrade. So they’re saying within company, we’re happy to let you export your data, but that costs money and that’s something that you’re going to have to pay for. And that’s, you know, we see that with a lot of the obligations throughout the DPA is that there’s sort of this play between the legal obligation. They’ll say, yes, we have an obligation to let you, for example, audit us. We have an obligation to assist you with anything. But, hey, if that’s going to cost us a lot of money, then, you know, you’re going to have to pay for it. And it’s no different here. And so, yeah, this is pretty standard language here, I would say. You know, you might you might have the security team wanting to ask them how they’re going to destroy the data, how they’re going to delete it, whether they have, you know, policies in place for that may be in their security documentation. But that’s generally what we’ll see with the return the deletion clause.
Mike Whelan You’re going to light those floppy disks on fire. Let me tell you, Avishai, why Slack bugs me and because it’s actually relevant to the bigger picture that we’re talking about with this kind of documents, this kind of transaction. I have often said that Slack combines the inefficiency of email with the pressure of social media, and that’s actually its strength, right? It takes business communications and turns it into the kind of communications that we do in our daily lives in hopes that it will build more collaboration across teams. But the fact that it bridges both those contexts means you got all kinds of weird users on there. They have a product led growth strategy, which means they want people just to use the free version of it, start building something and eventually get there. What’s interesting then is, you know, just to make a fake number, 80% of their users are not larger businesses, but probably 80% of their revenue comes from those remaining customers who in fact are large businesses. So they’re sort of being a platform means that they’re serving these kind of two masters at the same time. One, is this okay, we’re going to be very structured. We’re going to have an onboarding team. We’re going to do we’re going to have a long sales process. You’re going to know exactly what you’re doing is going to and then there’s going to be a bunch of other weirdos like us who just have a tiny company, or we’re in a Dungeons and Dragons gaming group or something, and we’re on Slack to communicate. As a drafting exercise that seems really hard because you don’t know if I’m doing a DPA, Do I have to worry about, you know, ExxonMobil getting on here and having some corporate secrets, or do I have to worry about these Dungeons and Dragons lurking people get on their end turning into a coup that’s going to take over their South American government. Li ke drafting seems really difficult in this context. How do you draft as a platform knowing all kinds of weirdos are going to be playing with this thing?
Avishai Ostrin Okay, so that’s an excellent question. I do actually have a word to say in defense of Slack, but I’ll keep it to the end. I promise. I promise I will retort, but I’ll keep that to the end. I’ll answer your question first. I think it’s a very, very good question. And we always have this we always have this sort of debate about how, you know, how do you draft to try to cover all scenarios. And I think that there’s something in some ways there’s something very liberating about just saying, you know, I don’t need to cover all scenarios. Let me cover you know, let me sort of think of the basics. And I think that actually the the regulation we didn’t really talk about the privacy regulations here that I’m sure the listeners are familiar with. If I say the words out of GDPR, they won’t think that I’m yelling, you know, for it for a foreign language event or CCPA or things like that. But the regulations actually prescribe what types of sections need to be here in the DPA. And so, you know, they’ll say, okay, you need to deal with deletion, you need to deal with what data is is applicable. So they’ll give you the structure, they’ll give you sort of the skeleton of what the DPA needs to include. And then you just need to say, okay, you know, in the same way you’re drafting any other contract, how am I going to make sure that I’m protecting my client’s interests while still complying with the regulatory requirements?
Mike Whelan You know, actually, I want to put a pin in that because that’s super interesting, because what a lot of these technology companies, if they’re seeking this platform space, will do is they’ll say, we know there’s a legal risk, but we’re going to roll with it because winning in this space is such a huge win and we’re pretty confident that regulators are going to come figure stuff out later. So to a degree, I feel like they’re kind of drafting broadly and running with their business and doing their thing and accepting more risk than you might if you only had five clients and you know, you’re just trying to survive out there.
Avishai Ostrin I think that’s probably accurate. I think also, you know, these types of companies, you know, SaaS platforms will always have acceptable use policies. They’ll tell you, you know, don’t put the data on our system, don’t abuse our system to use it for, you know, for nefarious things. And they’ll have that policy. And as we know in, you know, I was a contract lawyer before and a commercial lawyer before. I was even I even got into privacy many, many years ago. And, you know, oftentimes in contract drafting, it is about it’s about allocating risk. It’s about saying, wait a second, I’m going to draft this in a way so that if someone abuses it, I may not be able to technically prevent them from abusing the product, but I will be able to mitigate some of my liability by saying, you know, I told them that this isn’t what the platform was meant for and here are my terms. They’re very clearly laid out. Also, you know, the other thing to remember here is that Slack is very clearly intended. There are individuals that use it, but it’s very clearly branded and intended for business use. That’s their, you know, their entire branding is around that. And this actually brings me to my defense of Slack, which is you’re going to have in your employees are going to communicate about work-related issues outside of email. That’s just a given an email to something that the organization you know, if it’s a work email the organization have control over and can you know, within reason can, can monitor and can you know, if an employee leaves, they can, you know, access the historical correspondence if they need it for, you know, for in order to do the business. So if it’s a given that your employees are going to be talking about work-related issues outside of emails and outside of, you know, face-to-face conversations, you need a platform that will allow you to allow them that simplicity, but also give you as a business the ability to sort of control that access to that information. Now, not talking about sort of surveillance and tracking users and things like that, I’m not talking about that. What I am talking about is and I’ve even seen this in the time that I’ve worked at Privacy Team. We’ve had team members who’ve left and if we were communicating over a text message or over WhatsApp, which is very commonly used here, here in in Tel Aviv, then you know, we wouldn’t have access to that to that information. And we do because it’s on a work-managed environment. So maybe not such so much of defensive slack workers like because I understand what you’re saying but sort of in defense of keeping work in the work environment and, you know, healthy also for sort of the separation of the work-life balance, I think.
Mike Whelan Yeah. And I think I mean, I think the larger point here is it is the nature of platforms both contractually and administratively, that if you create a broad playspace which is kind of required for platforms as a product and then let people use it and deal with the risk, you know, it’s not going to go perfectly but designed for somebody they are designing for businesses, they are contracting for businesses, but they’re also allowing for some space, both contractually. In the end, it’s probably as good as what you put into it. And I just maybe you just don’t have the time… I’m too ADHD maybe for the learning curve. That’s probably. Avishai I appreciate you hanging out with us. For people who want to learn more about your privacy practice, what you do, what’s the best way to connect with you?
Avishai Ostrin LinkedIn. Just look me up in LinkedIn. I’m very active there. You follow me, send me a connection, and send me a message. Very active on LinkedIn. Happy always, happy to chat. If anyone has any questions, I’m happy to answer that as well. So that’s the best.
Mike Whelan Well, we will be sure to include a link to your profile over at lawinsider.com/resources under the show notes for this, as well as a link to this document so that you can look at it. And if you want to be a guest on a Contract Teardown Show, just email us. We are at community@lawinsider.com. Avishai thank you and we’ll see you all on the next tear down.
Avishai Ostrin Thanks. Thanks very much, Mike.