TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

When an inventor of technology who is also a university employee wants to commercialize university-developed technology, it is customary for the university and the inventor to “spin out” the technology via a license agreement to a newly created company (a licensee company) that sets forth the terms of the license, including any necessary milestones for advancing the technology, restrictions on the use of the technology, and the royalties and other financial terms applicable to the licensing and commercialization of the technology.

Executive Order 13873 was issued on May 15 with the goal of “Securing the Information and Communications Technology and Services Supply Chain.” The order ultimately seeks to manage the national security risk that can exist in information and communications technology (ICT) transactions between those subject to US jurisdiction and those subject to the jurisdictions of foreign adversaries. The order defines “information and communications technology or services” as “any hardware, software, or other product or service primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means, including transmission, storage, and display.” A “foreign adversary” is defined in the order as “any foreign government or foreign non-government person engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or security and safety of United States persons.”

In this Contract Corner, we are highlighting considerations for drafting sublicense provisions in the context of an Intellectual Property License.

  • Definition of Sublicense. A sublicense in the context of an IP license is any agreement where the licensee grants a third party rights to any of the licensed IP. This provision is often overly broad, but can be tailored to include standard exceptions (e.g., ordinary course agreements with End Users, distributors, etc.) in order to avoid an overly broad definition and to make sure that the royalty calculations are clear. It is also important to clarify the definition of End User in the sublicensing context, and to note that the sublicensee (or one of its affiliates) could be an End User if it uses the licensed IP for its own internal purposes.

Internet-connected devices contributing to the Internet of Things (IoT) are projected to exceed 50 billion devices by 2025, according to the Federal Trade Commission’s Bureau of Consumer Protection in its June 2018 comments on the Consumer Product Safety Commission’s notice of public hearing and request for written comments on “The Internet of Things and Consumer Product Hazards.” Such widespread use of and access to these internet-connected devices—which can collect personal data from their users—has spurred legislative movement toward introducing security standards for IoT devices. These initial steps start with the US government’s use of IoT devices through the Senate’s third proposed bill on the subject, S.734. The bill, known as the Internet of Things Cybersecurity Improvement Act of 2019, aims to manage cybersecurity risks regarding secure development, identity management, patching, and configuration management of “covered devices.” Under the proposed bill, a “covered device” is one that can connect to the internet, has data processing capabilities, and “is not a general-purpose computing device.” The covered devices that are the focus of this bill are those “owned or controlled by” the federal government.

The European General Data Protection Regulation (GDPR) took effect in May 2018, requiring companies that handle or process EU residents’ personal information to conform to practices that seek to more fully protect consumers’ sensitive information. Companies that fall under this category, known as data controllers, must secure consumer consent or use another legally acceptable method of gathering personal information, notify individuals of the personal information that is collected and how it will be used, and limit the collection and maintenance to necessary information for a limited period of time. The individuals whose personal information is gathered also have a right to access the information, limit its use, and withdraw their consent from data controllers for such use.

In this month’s Contract Corner, we are highlighting considerations for drafting an up-to-date privacy policy. In Part 1 of this series, we provided background on the general legal landscape for privacy policies in the United States and general issues that need to be addressed for an up-to-date policy. In this Part 2, we will provide some specific pointers on drafting, updating, and disclosing such policies.

Additional Information to Include

In addition to the list of items that should generally be covered in every privacy policy we provided in Part 1, the following are additional items you may need to set out in your specific privacy policy:

  • Directions for customers to access and update data (e.g., password resets, contact information updates, and mechanisms for unsubscribing)
  • Contact details or other means of reaching persons in your organization who can address user queries or concerns
  • Information regarding notifications when the privacy policy is updated (see below for considerations when reviewing and updating your policy)
  • Mechanisms for users to agree to and accept the terms of the privacy policy, as well as means for users to opt out

Drafting and posting a clear, concise, and accurate privacy policy is one of the most important tasks when creating a company’s website, particularly given today’s legal and regulatory environment. Privacy policy legal requirements are becoming more stringent and shortcomings less tolerated, and consumer sensitivity to privacy concerns is at an all-time high.

Despite these concerns, many companies’ policies are seemingly insufficient. A recent opinion piece published as part of the New York Times’ Privacy Project assessed 150 privacy policies from various companies and found that the vast majority of them were incomprehensible for the average person. At best, these seem to have been “created by lawyers, for lawyers” rather than as a tool for consumers to understand a company’s practices.

In this month’s Contract Corner, we will highlight considerations for drafting an up-to-date privacy policy. Part 1 of this month’s Contract Corner will provide background on the current legal landscape for privacy policies in the United States and general issues that need to be addressed.

Complexity in sourcing transactions relates to the interdependence between the parties executing a program. However, “complexity” can be a surprisingly nuanced concept whose meaning can vary under different circumstances. Here are a couple of these nuances.

What Is Complexity?

If you are buying a physical product, the transaction is not truly “complex” if it can be described completely in the contract, although the product itself may be complicated. For example, a rocket ship is a complicated product, but with specifications that can (and probably should) be described in perfect detail, there is no requirement for an overly complicated contract structure, and the relationship between the parties may not be complex. Contrast this with an engagement that involves business process redesign accompanied by software development and implementation like an enterprise resource planning (ERP) implementation, or a large-scale robotic process automation (RPA) initiative. Although the contract can specify the desired result, in many cases the results will depend on both parties working together to realize that result. This interdependency makes the relationship complex and requires a more nuanced procurement and contracting process.

Even with the standard independent contractor provision in a Master Services Agreement, when employees of the contractor work at a client's site, there can be a heightened risk for joint employment liability, especially where such employees were hired by the contractor as part of an outsourcing arrangement. The US Department of Labor (DOL) recently issued a Notice of Proposed Rulemaking (NPRM) to update its interpretation of the standard for establishing joint-employer liability under the Fair Labor Standards Act (FLSA). The proposal is “designed to promote certainty for employers and employees, reduce litigation, promote greater uniformity among court decisions, and encourage innovation in the economy” by making clear employers’ and joint employers’ respective obligations to pay the appropriate employee wages and overtime for a workweek.