TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

As 2018 comes to a close, we have once again compiled all the links to our Contract Corner blog posts, a regular feature of Tech & Sourcing @ Morgan Lewis. In these posts, members of our global technology, outsourcing, and commercial transactions practice highlight particular contract provisions, review the issues, and propose negotiating and drafting tips. If you don’t see a topic you are interested in below, please let us know, and we may feature it in a future Contract Corner.

In Part 1 of this series, we looked at the prevalence of standalone data processing addendums (DPAs) as a means to comply with rules on engaging third-party outsourcers under the EU General Data Protection Regulation (GDPR). In particular, we focused on the risks associated with “one size fits all” precedence clauses. In this Part 2, we take a detailed look at some of the commercial issues arising from DPAs, the GDPR’s mandated contract requirements.

What’s the Issue?

Article 28 of the GDPR includes a set of mandated data processing clauses that are broader in scope than the contract requirements under previous EU data protection laws. In addition, despite the GDPR having been in force for more than six months now, it is still uncertain how regulators will interpret and enforce Article 28.

As a result, parties to outsourcing agreements can find themselves in protracted discussions around which party bears the cost of implementing Article 28. Below are some key areas of focus in the context of outsourcing agreements.

In Part 1 of this series, we provided an overview of data (or knowledge) commons and some key issues to consider, but how does one actually create and manage a data commons? To find your feet in this budding field, build on the theoretical foundation; address the specific context (including perceived objectives and constraints); deal with the thorny issues (including control and change); establish a core set of principles and rules; and, perhaps most importantly, plan for and enable change.

Although the EU’s General Data Protection Regulation (GDPR) has been in force for more than six months, many organizations are still getting to grips with some of the practical requirements, including ensuring that their contracts comply with Article 28, which mandates a number of key clauses if personal data is being processed under the service agreement.

With potentially hundreds of in-scope contracts, customers and suppliers alike have developed standard-form data processing addendums (DPAs) or similar contract documents in order to address these Article 28 requirements. DPAs are fast becoming the preferred approach for both new agreements and existing contracts.

You may have heard of the “tragedy of the commons,” where a resource is depleted through collective action, but knowledge is different from other resources—knowledge can be duplicated, aggregated, integrated, analyzed, stored, shared, and disseminated in countless ways. Given that knowledge is a critical resource for seemingly intractable problems, the opportunity of the commons (or the tragedy of the lack of commons) is worth thoughtful consideration.

Imagine that you or a loved one is suffering from a terminal or debilitating disease and that data and knowledge are out there, waiting to be combined and harnessed for a cure or a transformational treatment. Imagine that self-interest (including attribution), legal restrictions (including intellectual property protections), inertia, complexity and difficulty of collective action, and other weighty forces are between you and that breakthrough discovery. Though not a new concept, commons have been garnering attention lately as an alternative framework for catalyzing groundbreaking research and development, particularly when relevant data and knowledge are scattered and particularly in the life sciences community. But before we all throw away our patents and data-dump our trade secrets, there are some thorny aspects to governing a data (or knowledge) commons. For example:

  • A commons is essentially its own society. Anyone who has been part of a homeowners’ association knows that collective governance is almost always muddy. Aligning incentives, objectives, and values can be challenging.
  • Founders may have trouble relinquishing control or enabling change. Participants may become confused or upset if rules or priorities change.
  • Commons are not as well understood and tested. They must coexist with, and within, other systems that may be more rigid and rules-based. Participants may be logistically, intellectually, and otherwise tied to traditional methods and may prefer semi-exclusive zones rather than open collaboration.
  • It may be difficult to measure the effectiveness or value of commons.
  • Policing activities (e.g., authentications or restrictions) may be burdensome. And once the cat is out of the bag, it’s difficult to undo uses or disclosures.
  • Commons managers may not be willing to take on certain responsibilities or liabilities that would make participants more comfortable.
  • Different types of information and tools have different levels of sensitivity and protection. Certain information, like personal data, is highly regulated.

Scholars have taken theoretical frameworks built for natural resources and adapted them to the data commons setting. Key findings include that data commons must be designed to evolve and that communities with high levels of shared trust and values are most likely to succeed. Whereas governance through exclusivity (e.g., patents) is useful when trust levels are low, a resource sharing governance model (e.g., commons) can be effective when trust levels are high.

If you’d like to know more:

  • We will be hosting a webinar with one of the aforementioned scholars—Professor Michael J. Madison, faculty director at PittLaw—on Tuesday, December 18, 2018, from 12:00 pm to 1:00 pm ET. Register and join us for the discussion.
  • In a subsequent post, we will provide some tips and considerations with respect to drafting policies, standard terms, data contribution agreements, and other governing documents for data commons.

Knowledge sharing has long been an important element of academic research. And now collective sharing and governance of data assets throughout the scientific community, including for-profit participants, is gaining momentum. During their webinar, Out in the Open: The Knowledge Commons Framework, Emily Lowe, Ben Klaber, and Professor Michael J. Madison, faculty director at PittLaw, will discuss issues related to knowledge commons. Topics will include the following:

  • A fundamental overview of knowledge commons, including the framework’s strengths and weaknesses
  • Standard requirements regarding data contribution, access, use, sharing, protection, and attribution
  • How to decide if a knowledge commons framework is right for your business, and if so, how to implement it successfully

The United Kingdom government’s Cabinet Office (the central procurement department for central government) is requiring major government suppliers to draft “living wills.” These are intended to safeguard the provision of services to the public sector in the event of the collapse of a supplier.

This measure follows the insolvency of outsourcing provider, and major government supplier, Carillion in January 2018. The well-documented Carillion collapse led to significant debate about the role of outsourcing within the UK public sector, with pronouncements about the extent to which outsourcing for the public sector has “fallen out of fashion.”

Picking up where we left off last week, we continue our refresher on common issues to consider when entering into a transaction that will include royalties. Today’s entry focuses on timing and reporting considerations for the calculation and payment of royalties.

During their webinar, Hot Topics in Data Privacy Regulation in Russia, Moscow partners Ksenia Andreeva, Anastasia Dergacheva, and Vasilisa Strizh will discuss trends in data privacy regulations in Russia for the upcoming year.

Topics include:

  • News from the Russian data protection regulator (Roskomnadzor)
  • New laws and legislative initiatives in the data privacy field
  • Obtaining data subjects’ consents: views of the regulator
  • Formalizing cross-border transfers from Russia and to Russia
  • Localization rules: view from Roskomnadzor

The webinar will be held on Tuesday, November 27 from 9:00 to 10:00 am eastern time. You can register here.

It's one of the most commonly utilized commercial structures in various technology and intellectual property licensing deals: the royalty. As everyone's go-to payment mechanism for licensing deals, you may think that the nuances of royalty calculation and payment are well-defined and understood universally. But, time and again, we find that walking through a list of potential royalty "pain points" uncovers certain components of a contemplated royalty-based deal that have neither been considered nor agreed by the parties.

For that reason, we think it's a good time for a refresher on common points to be considered when entering into a transaction that will include royalties. While the specific terms governing a royalty will vary based on numerous factors, including the nature of the products and the underlying licensed materials and the contemplated commercialization structure, many concepts are useful across the board. Today’s entry focuses on issues related to defining the relevant scope of royalty calculations, while a forthcoming post will address issues related to royalty timing and reporting considerations.