
Technology's Legal Edge

A Technology, Privacy, and Sourcing Blog

FCA guidance for firms thinking of using third-party technology (off-the-shelf) banking solutions

Posted in Cloud Computing, Commercial Contracting, Security Breaches, Strategic Sourcing, Technology and Commercial

Written by Nichola Prescott, Associate, London

The Financial Conduct Authority has published a document setting out a list of points for financial services firms to consider when preparing for and evaluating third-party technology banking solutions.

Where a third party provides services that are critical to a regulated firm’s business operation, it will be considered an outsource service provider (“OSP”) and the firm will be subject to certain regulatory obligations as a result.

Primarily, firms must meet the FCA’s “appropriate resource” and “suitability” threshold requirements set out in COND 2.4 and 2.5 respectively, and comply with the general outsourcing requirements set out at SYSC 8.1. The FCA document reminds firms of the overall aim of the regulatory objectives with regard to outsourcing, namely that:

  • firms must appropriately manage, and remain responsible for, the operational risk associated with their use of third parties; and
  • the arrangements with third parties must not impair the regulator’s ability to regulate the firm.

The publication addresses six main areas for assessment by firms considering the use of third-party technology, each of which is then further defined by reference to a series of questions for firms to ask themselves, as a checklist of their own “thinking” in connection with satisfying their regulatory objectives. The six principal areas cover:

  • the rationale behind the decision to outsource the delivery of critical technology services;
  • the selection of the OSP and the solution;
  • oversight and governance of the OSP, including service levels;
  • operational elements, including support and maintenance, quality and incident management;
  • service protection, including security, disaster recovery and testing; and
  • data protection.

The document makes clear that the questions are not exhaustive (either of the points that firms should consider in preparing third-party arrangements, or of the points that the regulator(s) will consider when assessing an application for the delivery of regulated services), so each firm will of course need to consider its own specific requirements, internal operation and other relevant issues. However, the document will be helpful in structuring that process, and also potentially useful in identifying the “right” terms to be included in any relevant contract.

The document is available at http://www.fca.org.uk/static/documents/barriers-to-entry-third-party-technology-considerations.pdf

New – Agile Software Development Contract Template

Posted in Technology and Commercial

Written by Callum Sinclair

The DLA Piper IPT team in Edinburgh has developed an innovative new contract template which they are piloting with selected clients. The template is an agile software development contract.

Agile methodologies (such as Scrum) are an alternative to more traditional “waterfall” means of software development. They are based around iterative stages of development with a high degree of customer collaboration throughout, and, where projects are managed well, offer flexibility and an ability to deal with evolving customer requirements. Whilst some agile methodologies have been around for 20 years or more, they have been slow to gain traction, in part due to a lack of well-developed contract forms.

Development of our template has involved a substantial investment in time and application of combined know-how and experience from a range of our fee-earners across the world. By “crowd-sourcing” feedback from our internal teams and selected clients beta-testing the template, we will continue to improve the template and develop other useful variants.

If you would be interested in receiving an early copy of the template and providing your input, please get in touch with Callum Sinclair.

Callum Sinclair also presented a recent global client webinar on agile alongside Scott Thiel (Hong Kong) – click here for a link to the webinar slides and recording.

The Internet of Things: Ofcom call for input

Posted in EU Data Protection, Mobile Privacy, Telecoms

Written by Nichola Prescott, Associate, London

Ofcom has issued a call for stakeholder input on the emerging Internet of Things. The Internet of Things describes the inter-connection of multiple “things”, be they devices or sensors, that are able to communicate and share data with one another. It is set to enable the collection and analysis of data, from many different types of connected devices, in ways that were previously far out of reach. The predicted growth in the number of interconnected devices is almost 370 million in the UK by 2022 (M2M Application Requirements and Their Implications for Spectrum, April 2014, http://stakeholders.ofcom.org.uk/market-data-research/other/technology-research/2014/M2MSpectrum).

Ofcom highlights the potential benefits across the healthcare, transport and energy sectors in particular, including by way of example: the ability to monitor and manage a patient’s condition remotely rather than in hospital, thus reducing healthcare cost; managing traffic flow by tracking vehicles; and connecting household, office and industrial equipment to enable their use of energy to be monitored and changed accordingly (e.g. to a cheaper tariff). More generally, the Internet of Things has the ability to enable a business to collect data from the things most important to it, and to use that data for the benefit of its business.

Ofcom wants to gain a better understanding of the actions needed in order to ensure that the UK takes a leading role in driving the development of the Internet of Things. It asks for views on a number of matters, including spectrum and network requirements, network security and resilience, data privacy, and the type of address (telephone number or IP address) that could be used to allow devices to communicate. It also recognises the potential for new policy issues that might arise. Given Ofcom’s duty (under Article 13a of the European Framework Directive) to ensure that measures are taken to prevent and minimise the impact of security incidents, it is not surprising that many of the policy issues identified are security-focussed. Some of the potential policy issues are: the vulnerability of devices to cyber threats and malware; the security and privacy of data collected, stored and processed by devices; and the ability of applications to access and utilise the “big data” generated and shared by connected devices.

Submissions are requested by 1 October 2014, following which Ofcom expects to develop a view on next steps during the last quarter of this year. The call for input was published on 23 July and is available at http://stakeholders.ofcom.org.uk/binaries/consultations/iot/summary/iot-cfi.pdf

UK Government Consults on Mandatory Supply of IT Services to Insolvent Customers

Posted in Technology and Commercial

Written by Duncan Pithouse, Tim Dawson and Annabel Ashby

The UK Government has released a long awaited consultation document proposing new controls on IT suppliers’ dealings with customers facing insolvency.

To a degree this brings the termination provisions of the UK’s insolvency rescue regimes (administration and company voluntary arrangements) in line with some other jurisdictions, such as the US, which, broadly, do not allow supplier termination for customer insolvency.

In context

For many years the Insolvency Act 1986 has provided that suppliers of utilities such as gas, electricity, water and telecommunications (those that were formerly publicly owned, but not their on-sellers) may not demand payment of all arrears built up before the commencement of the insolvency proceeding before agreeing to make further supplies to the insolvent business. However, they can require insolvency practitioners to give a personal guarantee for future supplies.

The Government now seeks views on proposed amendments to that legislation. It is proposed that:

  • certain IT goods and services will join utilities in being essential supplies – so that the suppliers of these IT goods and services will no longer be able to demand, as preconditions to continued supply, payment of accrued but not yet paid charges in arrears and / or increase their charges to bring about the same effect;
  • suppliers’ contractual rights to terminate essential supplies will cease to have effect where customers enter the insolvency process.

Proposed essential supplies

The proposed new sections to the Insolvency Act extend the meaning of “essential supplies” to supplies that fall into one of the following categories and are for the purpose of enabling or facilitating anything to be done by electronic means:

  • IT hardware and software
  • point of sale terminals
  • data storage and processing
  • website hosts
  • those who supply IT advice and technical assistance
  • any service enabling the making of payments.

Unlike the current regime, the proposed new approach will also apply to “on-sellers” of such services (meaning the parties that directly supply the customer).  On-sellers fall outside of the existing regime because it was implemented before they were commonplace.

Controls on termination

The draft legislation goes further than merely categorising certain IT supplies as essential supplies. It is also proposed that an essential supply provider will not be able to operate some common contractual clauses which are, ordinarily, triggered by customer insolvency.

The proposed controls would override “insolvency related terms”, which the proposal describes as:

  • a term where the customer’s administration or voluntary arrangement automatically terminates the supply or contract, or automatically triggers “any other thing”;
  • a term where the customer’s administration / voluntary arrangement triggers the right to terminate the supply or the contract, or triggers “any other thing”;
  • a term allowing the supplier to terminate the contract or the supply because of an event that occurred before the administration / voluntary arrangement.

It is proposed that, where a customer is in administration or enters voluntary arrangement (but not in other instances, e.g., liquidation), the insolvency related contract terms will be replaced with the statutory process described below.

To terminate a supply the supplier will need, within 14 days of the insolvency event, to serve a notice upon the insolvency practitioner. If the insolvency practitioner fails to personally guarantee payment for the supplies within 14 days of receiving the notice, supplies can then stop.

A contract can be terminated in one of three ways. The court can consent (but it will only do so where the supplier will otherwise suffer undue hardship); the insolvency practitioner can consent; or the supplier must wait for its charges incurred after the insolvency event to have remained unpaid for 28 days.

Key points

The following points are key:

  • The changes are proposals, not in final form.
  • Only contracts entered into after the new legislation comes into force will be affected.
  • The amendment potentially provides a short term procedural lock-in of suppliers in the event of customer insolvency;
  • It is currently unclear whether parties will be able to contract out of the provisions.

Comment and next steps

The proposals in question cover a broad range of contractual terms, which could impact a range of supplier rights under the agreement.

In real terms, assuming the insolvency practitioner refuses to give a personal guarantee, the supplier’s exposure appears to be 14 days plus whatever charges may have accrued up to the administration or voluntary arrangement. (The 14 days assumes that the supplier is immediately aware of the customer’s insolvency, which might not be the case.) This short-term “lock in” of the supplier could clearly represent a significant amount of money depending on the deal. However, bear in mind that for most large-scale, ongoing IT outsourcing deals, supplier termination rights are linked only to persistent and material non-payment, so the proposed law probably does not change the supplier’s position too much in real / practical terms. In fact, it could even serve to generate a better position for suppliers by allowing termination under the new statutory regime before the contractual right would have taken effect (unless it is possible to contract out of the provisions).

For smaller IT deals with more “standard” contractual termination rights triggered by insolvency events, and in respect of smaller suppliers who cannot sustain customer insolvency, the proposed provisions will obviously have a much more significant impact.

The consultation closes 8 October.

Our Technology & Sourcing team and our Restructuring Group are analysing and monitoring this proposal together.  For specific advice or assistance with any formal response please get in touch with a member of either team or your usual DLA Piper contact:

Duncan Pithouse, partner Technology & Sourcing;

Tim Dawson, partner Restructuring;

Annabel Ashby, Senior Professional Support Lawyer, Technology & Sourcing.

Following loss before the Supreme Court, Aereo “astonishes” broadcasters with new legal strategy

Posted in Licensing, Privacy and Data Security, Technology and Commercial, US Federal Law

Written by Andrew L. Deutsch, Marc E. Miller and Melissa A. Reinckens

Shortly after its highly publicized loss before the US Supreme Court, which appeared to doom its over-the-air television Internet streaming business, New York-based Aereo shifted to a new legal strategy which it hopes will save its business from extinction.

Aereo has asserted in federal district court that it is entitled to a compulsory license to carry over-the-air broadcasts under § 111 of the Copyright Act. Such a license, which is available to cable systems, could be a complete defense to copyright infringement claims by broadcasters. Aereo bases its claim on the Supreme Court’s ruling that the Aereo service is “highly similar” to that of a cable system.

The Copyright Office has since rejected Aereo’s theory, reaffirming its view that § 111 does not apply to Internet retransmission services. Nonetheless, Aereo’s strategy presents interesting new issues, which may substantially prolong its litigation, and which may mean that the case ultimately returns to the Supreme Court.


FTC Publishes revised COPPA FAQs, clarifies parental consent methods

Posted in Children, Privacy and Data Security, US Federal Law

The FTC has issued three new FAQs clarifying the “verifiable parental consent” requirements under the COPPA Rule.

In one of the revised FAQs, the FTC reiterates that the COPPA Rule’s list of parental consent methods is not exhaustive and that operators are free to use other “reasonably calculated methods” to obtain consent. According to the revised FAQ, another “reasonably calculated” form of consent, under certain circumstances, could include collection of a credit card number without an accompanying monetary transaction, if other steps are taken as well (such as asking questions that only parents would know the answers to and finding a “supplemental way” to contact the parent). The FTC also amended two other FAQs that address the interplay between app stores and app developers in the COPPA context, explaining when an app developer may rely on app stores and other third parties to get verifiable parental consent, and whether an app store may be liable for app developers’ COPPA violations.

The amended FAQs are included below:

H.5. I would like to get consent by collecting a credit card or debit card number from the parent, but I don’t want to engage in a monetary transaction. Is this ok?

It depends. The general rule is that any parental consent mechanism “must be reasonably calculated, in light of available technology, to ensure that the parent providing consent is the child’s parent.” The Rule lists several methods that automatically meet this standard, one of which is the use of a credit card, debit card, or other online payment system in connection with a monetary transaction. However, the listed methods aren’t exhaustive; you may use other methods as long as they are “reasonably calculated” to ensure that the consent is being provided by the parent. Although collecting a 16-digit credit or debit card number alone would not satisfy this standard, there may be circumstances in which collection of the card number – in conjunction with implementing other safeguards – would suffice. For example, you could supplement the request for credit card information with special questions to which only parents would know the answer and find supplemental ways to contact the parent.

H.10. I am the developer of an app directed to kids. Can I use a third party, such as one of the app stores, to get parental consent on my behalf?

Yes, as long as you ensure that COPPA requirements are being met. For example, you must make sure that the third party is obtaining consent in a way that is reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent. The mere entry of an app store account number or password, without other indicia of reliability (e.g., knowledge-based authentication questions or verification of government identification), does not provide sufficient assurance that the person entering the account or password information is the parent, and not the child. You must also provide parents with a direct notice outlining your information collection practices before the parent provides his or her consent.

H.16. I run an app store, and would like to help app developers that operate on my platform by providing a verifiable parental consent mechanism for them to use. Under what circumstances will this expose me to liability under COPPA?

Because you are not an “operator” under COPPA in this circumstance, you will not be liable under COPPA for failing to investigate the privacy practices of the operators for whom you obtain consent. As the Commission stated in the Statement of Basis and Purpose accompanying the final COPPA Rule, the term “operator” is not intended to encompass platforms, “such as Google Play or the App Store, when such stores merely offer the public access to someone else’s child-directed content.” At the same time, you should also evaluate your potential liability under Section 5 of the FTC Act. For example, it could be a deceptive practice to misrepresent the level of oversight you provide for a child-directed app.

Florida Information Protection Act of 2014 Goes Into Effect; Regulator Notification Required

Posted in Privacy and Data Security, Security Breaches, US State Law

Effective July 1, 2014, Florida has repealed its existing data breach law in favor of a new, more stringent, law. Florida has joined the list of states requiring notice to regulators: specifically, an entity must notify the Department of Legal Affairs of any breach affecting 500 or more Florida residents as soon as possible, but no later than 30 days after determining that a breach has occurred or having reason to believe that a breach has occurred. The new law also specifies the content of that notification (e.g., description of the breach, number of Florida residents affected, services offered to individuals, copy of the notice to be provided to the individual, and contact person to field questions regarding the breach).

Florida also has expanded the definition of personal information. Under the prior law, Florida had defined personal information to include name plus a social security number, a driver’s license (or other government identification) number, or certain financial account information. The new Florida law also includes the following in the definition of personal information: (1) name plus an individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify an individual; and (2) user name or email address, plus a password or answer to a security question that would enable access to an online account.


DLA Piper Sourcing Reference Guide

Posted in Commercial Contracting, Strategic Sourcing, Technology and Commercial

NEW RELEASE: CHAPTERS 11 AND 12 COMPLIANCE AND DATA PROTECTION

DLA Piper’s award-winning global Technology and Sourcing team is pleased to release the 11th and 12th chapters of the Sourcing Reference Guide, our handbook to conducting successful sourcing transactions.

Chapter 11 looks at Compliance and Chapter 12 looks at Data Protection.

The complimentary Sourcing Reference Guide combines best practices from our leading global team, covering a range of sourcing transactions – ITO, AD/AM, BPO, F&A, HRO, FM, infrastructure, networks and more.

Following are the chapters included to date (the newest chapters are 11 and 12):

1. Sourcing Structures
2. Sourcing Agreement Structures
3. The Services Description
4. Offshoring
5. Timing, Delivery and Delay
6. Service Levels
7. Service Credits
8. Charging Models
9. Tax
10. Benchmarking
11. Compliance
12. Data Protection

We will be adding additional chapters to the Sourcing Reference Guide throughout the year and will keep you abreast of new updates.

For more information, please contact sourcingreferenceguide@dlapiper.com.

Access the Guide here: http://www.dlapiperoutsourcing.com/tools/sourcing-reference-guide.html

Doping Tests and Privacy Rights in Spain: a Key Court Decision

Posted in EU Data Protection, International Privacy, Privacy and Data Security

By Diego Ramos

No one can deny that, over the last decade, Spain has taken the fight against sports doping networks very seriously. In 2006 and 2013, two demanding laws on the health protection of federated sportsmen and the prosecution of fraud in sports competition were passed by the Spanish Parliament. New and stringent regulations implementing both laws were rapidly drafted by the local sports authorities. Enforcement of the laws and the regulations has been particularly tough. In fact, a bit too tough, as one Spanish court recently ruled.

The facts are simple. The Spanish High Council for Sports (CSD) issued a regulation requiring certain federated sportsmen (e.g. those recovering from injuries) to be available to undergo doping tests “permanently”. This meant at any time: workdays or weekends, holidays or working periods, day or night, in public or private life. They had to report where they were at all times (hence the term “permanently”). The Spanish Association of Professional Cyclists (ACP) filed a claim against that regulation on this and other legal grounds before the Spanish Audiencia Nacional, a central court based in Madrid that handles serious crime like terrorism, the judicial review of regulations and other matters such as privacy rights.

The Audiencia Nacional, in a decision that has just been made public, dismissed most of the arguments of the claim, strongly supporting the views of the CSD against doping. The Audiencia Nacional even ruled that, since doping in sports is a matter of public concern, sports professionals are obliged to accept regular doping tests at unusual times. However, the Audiencia Nacional also found that the regulation went too far in requiring some federated sportsmen to report “permanently” where they are. They must instead report where they can “usually” be found for undergoing a test (the law actually employs the term “usually”, rather than “permanently”, the court says, so the CSD went too far in extending the scope of the legal authorization, especially when a constitutional right like privacy is at stake). The court could have stopped there. However, it went into detail on the merits of the case, analyzing whether the duty to report “permanently” the whereabouts of an individual breaches the constitutional right to privacy. It does, according to the Audiencia Nacional. Every individual, federated sportsmen included, has the right to a minimum quality of life and a minimum of dignity. Reducing privacy to zero defeats that goal.

The decision could still be appealed before the Spanish Supreme Court. Reporting where someone “usually” is may be only slightly different from reporting where s/he is at every single second. However, the decision is important, and not only because it will slightly improve the lives of Spanish federated sportsmen and sportswomen. First of all, the court that issued this decision normally handles the judicial review of decisions made by the Spanish Data Protection Commissioner, so it is likely to have a very strong impact on any future court decision on privacy in Spain. Second, in deciding a sports case, the court used arguments borrowed from Spanish data protection practice, the Spanish Data Protection Commissioner and the European data protection authorities (Article 29 Working Party) in geolocation cases (i.a. AEPD reports of 28 June 2012 and 25 May 2009, AEPD Resolution of 6 June 2013, Article 29 Working Party Opinion of 16 May 2011). The legal concept of “proportionality” that formed the core of the privacy authorities’ and experts’ position in all those instances is the one that also underpins the new court decision. People like policemen and sportsmen can be obliged, for different reasons, to be geolocated on a regular basis. Personal safety, public security, personal health and clean sport entail risks that justify such a burden. Nevertheless, forcing them to surrender their privacy at all times in all contexts is probably not proportionate to the risks that the law tries to mitigate. A life worth living requires a minimum of dignity, and privacy is a key part of it.

For further information, please contact Diego Ramos (diego.ramos@dlapiper.com).


MVNO – trends and contracts

Posted in Telecoms

By Amanda Pilkington, Legal Director (UK) and Mike Conradi, Partner (UK)

Today’s news that the Post Office is to launch a Mobile Virtual Network Operator (MVNO) in partnership with EE has led us to put together a few thoughts about the market and about MVNO contracts.

Market trends

Recent months have seen an increasing number of smaller MVNOs ceasing trading, often citing the prohibitive tariffs offered by wholesale providers as the key determining factor (e.g. the ad-funded networks Ovivo Mobile and Samba Mobile). Similarly, Vodafone’s MVNA partner Cognatel announced recently that it would focus only on larger-scale MVNOs going forward.

Interestingly, this trend is against a backdrop of more new MVNO joint ventures between larger established players, such as the Post Office one referred to at the start of this blog and also the BT and EE MVNO (albeit that BT’s focus has not been on the consumer mobile market since the days of BT Cellnet). Other larger MVNOs, especially those with a clear cost advantage in terms of distribution (such as Lebara or Tesco Mobile), seem to be continuing their success and growth.

We also note the emergence of new entrants utilising new innovative platforms. For example, Now Mobile has launched a new MVNO service in the UK based on the prepaid mobile solution from DIGITALK, a global vendor of prepaid service platforms.

In the press release about its new MVNO, BT outlined details of the basis on which EE will provide various MVNO services to BT’s customers and employees based in the UK, strengthening the existing relationship between the companies. The arrangement will see BT’s mobile customers accessing 2G, 3G and 4G services via the EE network. We think it likely that BT may also be planning to combine its EE MVNO with its newly acquired slice of high-frequency 2.6GHz spectrum, which it won for £186m in the auction last year, and which is suitable for high-bandwidth but low-range services, so may be especially useful in urban areas.

It seems, then, that whilst smaller MVNOs may struggle, there is no shortage of innovation and interest in the sector, and larger players with established brands in other areas, like the Post Office, continue to see possibilities in the MVNO business model.

It will be interesting to see whether these trends continue for the remainder of 2014 in light of the race to provide 4G offerings.

Introducing flexibility in MVNO contracts

The MVNO market is constantly changing and evolving with new technologies, platforms and service propositions. The contract between the MVNO and its Mobile Network Operator (MNO) can at times be a blunt tool in the race to adapt to, and remain competitive in the face of, these changes, and MVNOs can be in the weaker position because of the difficulties they would face in switching from one MNO to another. However, there are ways in which a degree of flexibility can be introduced into the contractual terms (assuming a conventional wholesale-priced model for the arrangement with the MNO).

One of the most commonly used tools is a benchmarking mechanism. This enables the wholesale prices in the contract to be tested at regular intervals against market practice, with the ability to adjust prices should the wholesale prices be found to be out of kilter (usually within agreed parameters). The contract can even provide that the benchmarker can look at retail prices offered by competitors of the MVNO as a likely indicator of their underlying wholesale prices. Although retail prices could, of course, be offered below cost as a “loss leader”, if, in the long term, retail prices offered by the MVNO’s competitors are below the wholesale prices in the contract, this would suggest that the wholesale prices in the contract are too high.

The appropriateness of benchmarking provisions will of course vary between jurisdictions. In heavily regulated markets with strict controls on wholesale pricing, benchmarking provisions may be less important. Likewise, in countries where the MNO has a monopoly, there is effectively no market to benchmark against. However, it is prudent to include the right to benchmark in any event, should the territory’s circumstances change; benchmarking is a right, not an obligation, and the right need not be exercised.

To keep pace with the changing technologies and capabilities, the MVNO needs to have sight of the MNO’s roadmap plans for its network so that it can adapt its customer products accordingly. This can be achieved in the commercial terms by including a requirement on the MNO to produce and provide to the MVNO a technical development plan, to allow the MVNO to plan its retail offerings and marketing campaigns.

Finally, there is often a discussion about service levels in MVNO contracts. The MNO may argue that, since customers of the MVNO are on the same network as its own customers, there is no reason to agree specific service levels and service credits. This may be so, but in many cases the profile of the MVNO’s customers will be different from that of the underlying MNO’s customers: they may, for example, be more concentrated geographically, or make more international calls. If so, then it may not be sufficient for the MVNO simply to rely on the MNO’s general interest in fixing its own network if it breaks; the MVNO may instead want some sort of specific reassurance about the areas which are especially important to it. This could take the form of a specific service level regime, or else could be something simpler like a right to be informed and consulted on decisions or issues having a particular impact in the critical areas.

See also Mike’s blog piece Top 6 Issues to Consider for an MVNO access contract
