TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

The Financial Stability Board (FSB) published on December 9, 2019, its report on financial institutions’ increasing reliance on third parties to provide cloud computing services (the Report). Established by the G-20 in April 2009 to promote international financial stability, the FSB is an international body that assesses vulnerabilities in the global financial system and coordinates the work of national financial authorities and international standard-setting organizations to develop and promote appropriate regulatory and supervisory policies.

The Report outlines the benefits from the increasing use of third-party cloud computing services, focusing primarily on cost savings, improved competition and cybersecurity, and increased operational resilience. It notes, though, the new challenges that the current scale of use may pose, such as the significant and systemic effects that an operational failure of critical third-party infrastructure could have. This is due to the highly concentrated cloud computing sector and the increasingly complex network of third-party suppliers and dependencies.

Morgan Lewis recently published an article on the 2019 Novel Coronavirus (COVID-19) outbreak and its effect on General Data Protection Regulation (GDPR) in the European Union. This article discusses the nature of the temporary suspension of some data-protection rights in times of crisis, and how the need to address the ongoing health crisis is being balanced with data-protection rights in Italy, France, and Germany.

Read the full article.

Trainee associate Valeria Gaikovich contributed to this post.

Following adoption of the law on the preinstallation of Russian software on electronic devices in December 2019, the Russian Federal Antimonopoly Service (FAS) has developed draft guidelines to determine the types of electronic devices that will be subject to the new regulations, as well as the deadlines and procedures for the preinstallation of domestic software. The draft guidelines will not apply to electronic devices manufactured or released into circulation in Russia before July 1, 2020.

According to the draft guidelines, as of the dates set forth below, all touchscreen electronic devices with two or more functions (e.g., smartphones, tablets, smart watches) must have the following apps preinstalled:

The UK government has indicated that the UK’s approach to public procurement will fundamentally change post-Brexit. While it remains to be seen whether such a fundamental change will be possible in practice, the UK government’s pronouncements clearly suggest that change is on the way, which will most likely provide a less prescriptive framework for UK contracting authorities to follow.

These changes will almost certainly have a significant impact on how outsourcing and technology providers interact with the UK government, both in the context of their current agreements and also in respect of future contract bids and awards.

Current Regime

The laws that govern the UK’s public procurement regime are largely based on EU rules found in several EU directives and the Treaty on the Functioning of the European Union. Broadly speaking, these rules aim to open up public procurement to EU-wide competition. Public bodies must, for example, award public contracts without discrimination on grounds of nationality and advertise their contracts EU-wide via the Official Journal of the European Union (OJEU).

Washington may be the next state to enact its own data privacy law after a bill was introduced into the Washington State Senate earlier this month. The bill is known as the Washington Privacy Act, and its sponsor, Sen. Reuven Carlyle, stated at a press conference that lawmakers had reached “95 percent agreement in principle on the core elements of the bill.” If enacted, the act would add to the complex regulatory framework governing data privacy, including the California Consumer Privacy Act (CCPA), which took effect on January 1, 2020.

The act would apply to legal entities conducting business or producing products targeted to Washington State residents and that (1) control or process personal data of more than 100,000 consumers or (2) derive 50% of gross revenue from the sale of personal data and process or control the personal data of more than 25,000 consumers.

The United States and the United Kingdom entered into the world’s first ever Clarifying Lawful Overseas Use of Data Act (CLOUD Act) agreement on October 3, 2019 (the Agreement). The Agreement, which will enter into force later this year after review by lawmakers in both countries, allows each country’s law enforcement agencies to demand, with proper authorization, electronic data regarding serious crime (defined in Article 1 of the Agreement as an offense punishable by a maximum term of imprisonment of at least three years) directly from technology companies based in the other country.

Open Banking is an initiative mandated by the UK’s Competition and Markets Authority (CMA) in 2017. It is intended to facilitate better competition in the banking sector by mandating protocols that facilitate the secure sharing of customer-related data of the nine largest banks in the United Kingdom (CMA9) with third-party providers (TPPs).

Open Banking is developed and delivered in the United Kingdom by the Open Banking Implementation Entity (OBIE). The OBIE was established by the CMA and is funded by the CMA9. The CMA’s UK Retail Banking Market Investigation Order 2017 (Order), which applies only to the CMA9, requires the CMA9 to provide their customers with the ability to access and share their account data on an ongoing basis with TPPs through the use of specified application programme interfaces (APIs). This complements the reforms under the EU’s Second Payment Directive (as transposed in the United Kingdom primarily by the Payment Services Regulations 2017), which requires all payment account providers to permit open access to payment accounts for authorized TPPs, but which does not specify the means of access or prescribe the scope of access in any detail.

The Clearing House (the oldest banking association and payments company in the United States) recently released a model agreement as a voluntary starting point to facilitate data sharing between financial institutions and fintech companies.

The model agreement is intended to provide a standardized foundation that speeds up data access agreement negotiations; as the Clearing House notes, “[L]egal agreements between banks and fintechs have sometimes taken 12 months or more to be developed and finalized and have become a significant bottleneck to API adoption.” Additionally, the model agreement is designed to reflect the Consumer Financial Protection Bureau’s consumer protection principles on data sharing and aggregation, providing confidence to the contracting parties that the terms address key regulatory issues.

The EU Commission issued its report on the third annual review of the functioning of the EU-US Privacy Shield (Privacy Shield) on October 23. The annual review and corresponding report are required of the Commission by its July 2016 adequacy decision, in which it found that the Privacy Shield ensures an adequate level of protection for personal data that has been transferred from the European Union (EU) to the United States. The goal of the review is to evaluate and publicly report on all aspects of the functioning of the Privacy Shield Framework.

The Outsourcing Accountability Act of 2019, which was introduced in July and would effectively require some public companies to report their outsourcing of jobs, passed the US House of Representatives on October 18.

The bill includes an amendment to the Securities Exchange Act of 1934 to “require the disclosure of the total number of domestic and foreign employees of certain public companies.” Specifically, the amendment would require public companies that are subject to the new requirements to include in their annual reports the number of employees domiciled in the United States and abroad, broken down by jurisdiction (e.g. states, countries, etc.), and a comparison to the corresponding figures in the company’s prior annual report calculated as a percentage change. The companies’ annual reports would therefore indicate outsourcing efforts of the company through these reported figures.