TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

From time to time, data controllers are confronted with the question of whether data subjects can raise claims for specific security measures against the controller under Article 32 of the EU General Data Protection Regulation (GDPR). These measures can be costly and cumbersome for the controller.

The Austrian Data Protection Authority (DPA) has decided that there is no such claim. In the relevant case (case no. DSB-D123.070 / 0005-DSB / 2018), the DPA ruled on a claim by a data subject to pseudonymize personal data. The complainant had filed two complaints with the DPA alleging a violation of the fundamental right to data protection (Section 1 of the Austrian Data Protection Act) for an alleged failure to delete data or pseudonymize personal data. The respondents were two Austrian public authorities: the Federal Ministry for Europe, Integration and Foreign Affairs and the Federal Chancellery.

A significant fine imposed by the UK’s Financial Conduct Authority (FCA) on an established UK insurer is further evidence of the increased scrutiny being placed on outsourcing arrangements by the financial services regulator, and also of the importance the regulator places on issues that directly impact retail customers.

The FCA is the UK’s “conduct” regulator, with a focus primarily on the regular business conduct of financial services businesses, as compared to the “macro” focus (safety and soundness) of the Prudential Regulation Authority (PRA). There is overlap between the stated remits of the FCA and the PRA, and outsourcing arrangements are subject to scrutiny by both bodies.

Earlier this week, the US Supreme Court rejected requests from the telecommunications industry to hear an appeal seeking to throw out a 2016 lower court ruling in favor of the “net neutrality” rules. Recent action by the Federal Communications Commission (FCC) has rolled back the rules, but the industry participants also wanted to overturn the lower court decision.

A shrinking in traditional outsourcing deal volumes since the United Kingdom's EU membership referendum vote on June 23, 2016, is being partially attributed to business caution following the “Brexit” decision.

According to consultants ISG, the traditional sourcing market in the UK pre-Brexit referendum had a deal volume of circa $900 million per quarter. However, the UK outsourcing market has only achieved this level of activity in one quarter since the referendum.

Washington, DC partners Giovanna M. Cinelli, Kenneth J. Nunnenkamp, and Stephen Paul Mahinka and Boston partner Carl A. Valenstein recently published a LawFlash on the recent action taken by the Committee on Foreign Investment in the United States (CFIUS) to implement a pilot program under the Foreign Investment Risk Review and Modernization Act (FIRRMA). FIRRMA, which was enacted in August 2018, reformed the CFIUS screening process for foreign investment in the United States and, among other things, permits CFIUS to establish pilot programs to test the viability of certain of its provisions. The LawFlash addresses the objectives and the scope of the announced pilot program, including the countries and types of investments covered by the program. It also describes the new requirement for mandatory declarations "for certain transactions involving investments by foreign persons in certain U.S. businesses that produce, design, test, manufacture, fabricate, or develop one or more critical technologies" implemented by the pilot program. The pilot program becomes effective November 10, 2018.

For more information on the pilot program, please read the LawFlash.

There is no “one size fits all” solution when drafting and negotiating the liability provisions relating to data protection obligations and security incidents. Every contract has unique business drivers that will shape the appropriate allocation of liability, such as financial risk and the sensitivity of the data involved. There are, however, common issues that the legal, sourcing, and business teams should carefully consider when structuring the liability framework as it applies to data safeguards. Below we identify some of these key issues.

In Part 1 and Part 2 of this Contract Corner, we discussed the importance of assessing and defining the types of data involved in a services agreement, and highlighted issues to consider with respect to the ownership and control of company and personal data.

In this Part 3, we discuss key drafting points regarding the operational security requirements typically addressed in services agreements.

In Part 1 of this Contract Corner, we discussed the importance of evaluating the types of data to be processed or accessed by a service provider at the beginning of the contracting process and key considerations to address when defining the types of data in the services contract.

This Part 2 highlights issues to consider with respect to the ownership and control of company data.

Morgan Lewis partner Barbara Melby, the leader of our technology, outsourcing, and commercial transactions practice, has been invited to present at an upcoming Practising Law Institute (PLI) event, Outsourcing 2018: ITO, BPO and Cloud, in New York City. Barbara’s one-hour presentation will take place Friday, November 2, at 11:15 am. She will discuss intellectual property issues in outsourcing, including the following topics:

  • Recognizing and avoiding common IP pitfalls
  • Copyright, patent, and trade secret issues from vendors’ and customers’ perspectives
  • IP representations, warranties, and indemnities in outsourcing transactions
  • Open-source considerations
  • IP issues in cloud deals

The presentation is part of a two-day PLI outsourcing event November 1–2 at the PLI New York Center, 1177 Avenue of the Americas (2nd floor), New York. You can also access the event via webcast and various groupcast locations.

To register, visit the Outsourcing 2018: ITO, BPO, and Cloud event page.

Drafting and negotiating the data protection provisions in services agreements can be one of the trickier and more time-consuming aspects of the contracting process. One of our prior Contract Corner series from 2014 discussed the importance of documenting security requirements and monitoring security commitments, addressing security incidents, and key issues to consider when drafting liability provisions. In this Contract Corner, we revisit some of these issues based on the latest contracting trends that we are seeing for services agreements and dive into additional considerations when addressing key data safeguard provisions.

Assess and Define the Data

At the outset of the contracting process, it is important for the deal team and the key stakeholders to evaluate and properly define the types of data that the service provider will access or process as part of the services. A sound understanding of the scope of data involved in a services transaction helps establish expectations up front and will drive a contract that contains the right level of security requirements and an appropriate allocation of liability for security breaches. The contract should then reflect the output of this internal assessment through carefully crafted defined terms that will flow throughout the data safeguard provisions.