Data protection and privacy obligations may limit business options in response to Russia’s invasion of Ukraine
In light of current U.S. sanctions in response to Russia’s invasion of Ukraine, the list of corporations taking action either as an act of corporate social responsibility in support of Ukraine or because of the reputational risk of being on the wrong side of Western sanctions continues to grow. As U.S. companies consider whether to voluntarily¹ cease business operations in or with individuals and/or entities in Russia and/or Belarus, one of the many factors to be taken into consideration is the entity’s data protection and privacy obligations.
If a company is primarily a processor or service provider – meaning that it provides a service or product which processes data and information on behalf of its clients – the company’s options for action may be limited by the written agreements with its clients.
Inevitably, a company that is a processor has written contracts with its clients (e.g. Data Processing Agreements or Data Protection Addendums, etc.) that impose restrictions and obligations on the company with regards to the company’s processing of personal data and information. Most, if not all, controller to processor contracts will include a provision that requires the processor to only process data and information on and in accordance with the controller’s instructions. This provision is included – and often required depending on the applicable data protection laws – because, in general, the controller is the entity that is responsible for determining the purposes and means of processing personal data and information. Thus, the decision of whether to block users in Russia or Belarus from a company’s services, may be up to the company’s clients as the controller depending on the scope and specific language of the company’s data processing agreements.
For example, if a company provides a service that processes personal data to facilitate sales through its clients’ websites or apps, the decision of whether to block users in Russia or Belarus from making such purchases through the clients’ websites and apps may belong solely to the clients as controllers depending on the scope and specific language of data processing agreement. While the company’s client can decide to block individuals in Russia and Belarus and the company must follow the client’s instructions to implement such blocking, the data processing agreement may prohibit the company as a processor from making such decisions.