Q: Whenever we receive a prospective corporate client's Master Service Agreement (MSA) these days, it has hundreds of words about safeguarding personal information and responsibility for data breaches. We have no problem with promising to take all the measures that the contract requires, but MSAs typically also state that we must require "subcontractors" to take similar measures. The contracts also require us to be responsible for data breaches by subcontractors. Could subcontractors include airlines, hotels and car rental companies? What about our GDS and our online booking system vendor?
A: Extra emphasis on data protection appears to be the latest fad in corporate travel procurement, superseding other recent concerns such as duty of care, service level agreements and quality assurance.
To a large extent, the new emphasis appears to be due to the influence of the EU's General Data Protection Regulation (GDPR), which requires data "processors" to handle data securely and to pass similar requirements onto "subprocessors," which are businesses chosen by processors to handle some of the processor's work.
The trouble with using GDPR as a model or guideline is that the processor-subprocessor relationship envisioned by the GDPR is akin to a company's retention of a marketing firm to communicate with customers. That model does not fit the agency-supplier relationship at all.
For example, it is nearly inconceivable that a typical agency could get a major airline to agree to data-protection standards required by a corporate account. Further, making the agency responsible for the airline's data breaches is obviously unfair.
With a GDS, adding data-protection standards to your vendor's contract is probably equally difficult, and you would also need to overcome the data-related disclaimers in the vendors' standard contracts. For example, the standard Travelport contract disclaims all liability related to "loss of or damage to records or data." The standard Sabre contract makes no commitment at all concerning protection of client data and disclaims "liability to customer for any loss, claim or damage caused in whole or in part by the negligence (excluding gross negligence or willful misconduct) of Sabre."
The latest Concur online booking engine (OBE) agreement that I have seen contains no assurances whatsoever concerning data protection. While OBE vendors may be willing to add data-protection commitments to their contracts, I still think it would be unfair to hold the agency responsible for data breaches suffered by your vendor.
Your best bet is probably to try to amend the MSA in two ways. First, clarify that travel suppliers and GDS and OBE vendors are not deemed to be your subcontractors and that their systems are not your systems for purposes of the data-breach requirements.
Second, if the MSA requires you to follow the requirements of GDPR, clarify that this duty applies only to the extent that GDPR applies; i.e., only if you handle personal data of EU residents.