
Technology's Legal Edge

A Technology, Privacy, and Sourcing Blog

24 privacy authorities worldwide call for more mobile app privacy

Posted in E-Commerce and Social Media, International Privacy, Privacy and Data Security

By Patrick Van Eecke & Julie De Bruyn

Last week, the increased focus of national data protection authorities on the processing of personal data through mobile apps was again confirmed in an open letter from a group of data protection authorities.

Earlier this year, the Global Privacy Enforcement Network (GPEN, consisting of 40 national and regional data protection authorities) carried out a ‘mobile app privacy sweep’ to scrutinize organisations’ collection and use of personal data on mobile apps. The privacy sweep offered an insight into the types of permissions sought by over 1,200 of the most popular apps, and the extent to which users of the apps were informed about the privacy practices of each such app. The sweep found that the information obligation in particular is rarely complied with, and that numerous apps which appeared to collect personal data had no privacy policy and offered no other up-front privacy information. It was found that not providing users with up-front information about the processing of their personal data removes the ability of such users to make decisions about the collection, use and disclosure of their personal data.

In view thereof, an open letter addressed to operators of app marketplaces (such as Google Play, Apple App Store, Samsung, Microsoft, Nokia, Amazon and Blackberry) has been drafted by the Canadian and Hong Kong data protection authorities, and was signed by data protection authorities from 22 other countries including Australia, Belgium, France, Germany, Colombia, Ireland, Israel, Italy, the Netherlands, South Korea, and the UK. In the letter, published on 10 December, app marketplaces are specifically targeted and asked to ensure that links to privacy policies are consistently and mandatorily included in app marketplace listings. The authorities find that such links to privacy policies provide a simple and user-friendly way for users to obtain more information about how their personal data will be processed if they were to use the app, and allow them to make informed decisions before deciding to download the app.

Although some operators of app marketplaces are explicitly mentioned in the letter, other stakeholders that operate an app marketplace are also addressed in the letter. These stakeholders are asked to play an exemplary role and make the commitment to require each app which allows for access to or collection of personal data, to provide users with timely access to the privacy policy of the app. Such commitment will contribute to the creation of more privacy transparency for users in the app marketplace.

The full letter can be consulted here: https://www.priv.gc.ca/media/nr-c/2014/let_141210_e.asp

For further information, please contact Patrick.VanEecke@dlapiper.com or Julie.DeBruyn@dlapiper.com

DIVERTED PROFITS TAX – FIRST THOUGHTS

Posted in Licensing, Technology and Commercial, Telecoms

By Paul Rutherford, partner, London

The UK Government intends to introduce a 25% “diverted profits tax” (DPT) from 1 April 2015.

The tax is designed to catch the artificial erosion of the UK corporate tax base by multi-nationals that avoid establishing a fixed place of business here in the UK (a “permanent establishment” or “PE”) or that divert UK profits to related parties in lower-tax jurisdictions. In its current form, the DPT could catch multi-nationals which implement conduit arrangements (such as the “double Irish” structure) or supply chain management structures that shift profits out of the UK. Certain sectors are most likely to be impacted, including multi-national groups operating in the technology, distribution, media & entertainment, advertising, gaming, retail and hospitality sectors. Many of those groups will ultimately be owned in the USA. Existing structures will need to be reviewed before 1 April 2015 and where appropriate, corrective action taken.

The draft legislation has been released for public consultation, so multi-nationals should take the opportunity to make representations to the UK Government. For further information, please click here.

To discuss this topic with a member of the DLA Piper Tax Team, please contact:

Paul Rutherford, Mark Burgess or David Thompson

FCC Forges New Ground on Enforcement of Data Security Duties under Communications Act

Posted in Mobile Privacy, Privacy and Data Security, US Federal Law

Written by Sydney White

On October 24, 2014, in its first data security enforcement action outside of the CPNI context, the Federal Communications Commission (“FCC” or the “Commission”) issued a Notice of Apparent Liability for Forfeiture (“NAL”) of $10,000,000 against two telecommunications providers, TerraCom, Inc. and YourTel America, Inc. (the “Companies”), which provide telecom services to low-income consumers pursuant to the Lifeline program overseen by the FCC. The FCC based the enforcement action on two sections of the Communications Act of 1934 (the “Act”) — Section 201(b), which establishes a general requirement that practices in conjunction with communication service must be “just and reasonable”, making unlawful any practice that is “unjust or unreasonable”, and Section 222(a), which establishes a duty to protect customer “proprietary information”.

The FCC’s enforcement action is the first based upon each of these provisions, and we expect that the Commission will bring more enforcement actions with regard to carriers’ data going forward.

The Commission found that the Companies’ failure to employ basic and readily available technology and security to protect customers’ information was unjust and unreasonable. The Companies stored customers’ personal information on servers that were publicly accessible via the Internet. Although the FCC indicated that encryption alone would not satisfy a carrier’s obligation under Section 222(a), the Commission found that, given current technology, a lack of encryption is evidence of unjust and unreasonable data security practices. The FCC further determined that placing a consumer’s name in a URL in plain text may, under certain circumstances, amount to a breach of the duty under Section 222(a), and that when the name is linked to other personal information, it definitively constitutes a violation.

With respect to Section 201(b), the Commission found the lack of data security and the potential harm to customers (identity theft) to be an apparent violation of Section 201(b). Further, the FCC found that the Companies’ misrepresentation of their data security practices in their privacy policies, including misrepresenting that their security measures were being continuously updated, was a violation of Section 201(b).

Although the Companies’ lax data security and misrepresentations were egregious, the FCC’s NAL does forge new ground in terms of the categories of violations that may trigger enforcement actions, and should be a warning to other telecommunications providers.

Planning for the Inevitable – Tips for Planning for Disagreements in Outsourcing and Other Commercial Contracts

Posted in Commercial Contracting, Technology and Commercial

Written by David Messerschmitt

Disagreements over the course of a commercial relationship are inevitable. A pitfall of many commercial contracts is that the parties often incorporate “boilerplate” dispute resolution clauses that simply state that all disputes will be resolved in a court of law and do not include a process for resolving disagreements prior to taking formal legal action. In the absence of such an informal dispute resolution process, customers and vendors tend to engage in whatever tactics they deem appropriate in order to grab the other party’s attention and resolve the dispute prior to litigation. For example, a vendor may withhold providing certain services, or a customer may withhold an entire payment when only a portion of the payment is at issue. These tactics may be counterproductive to resolving the disagreement and could cause a minor disagreement to escalate into a costly, relationship-damaging dispute. To avoid this, customers should consider including the following tools in their commercial contracts:

1.  Tailored Process – Avoid “boilerplate” or “off-the-shelf” dispute resolution clauses and instead include a tailored dispute resolution process that encourages structured informal dispute resolution in alignment with the customer’s governance organization.

2.  Regular Meetings – Require regular governance committee meetings of the customer and vendor for purposes of discussing any issues in the relationship.  Regular meetings may prevent minor disagreements from escalating into major disputes merely due to a lack of communication between the parties.

3.  Assign Individuals to Address Disagreements – Name individuals who are responsible for addressing disagreements and who have the authority to change the contract if conflict resolution so requires. Naming the decision-makers brings structure and clarity to the process and ensures that only individuals with an understanding of the broader customer-vendor relationship have the authority to make decisions.

4.  Informal Dispute Resolution Process – Include an informal dispute resolution process that requires both parties to attempt to resolve disputes among several tiers of management prior to pursuing litigation/arbitration.

5.  Time Parameters – Include the maximum number of days that may lapse between provision of a notice to invoke the informal dispute resolution process and the occurrence of a meeting between the parties’ management (and how many days may lapse between each subsequent meeting), in order to avoid disagreements becoming stale or bubbling up over time merely because the parties are not communicating with each other.

6.  Encourage Clear Communication – Require each party to submit a written statement to the other party describing its position on the disagreement to avoid misunderstandings about what caused the disagreement and the issues at hand.

7.  Intermediary Step Between Informal and Formal Dispute Resolution – Include an intermediary step prior to engaging in litigation or arbitration if the informal dispute resolution process does not resolve the disagreement.  For example, include an option for the customer to submit disputes involving financial (e.g., invoicing disputes) or technical (e.g., disagreements over specifications or deliverables) matters for expedited resolution by a panel of experts selected from a major arbitration association.  This option could provide a cheaper, quicker alternative to litigation or arbitration.  The contract should be clear about how the experts are selected, the time period for onboarding the experts, the set of rules the experts must follow, and the time period that each party receives to develop and deliver its position.


Europe’s Right to be forgotten: update on implementation guidelines

Posted in EU Data Protection, Privacy and Data Security

By Patrick Van Eecke and Mathieu Le Boudec

Last week we wrote that the Article 29 Working Party (“Working Party 29”) has adopted guidelines relating to the implementation of the European Court of Justice’s Google ruling on the right to be forgotten. Click here for a previous blog post on this ruling.

These guidelines have now been published and can be consulted here.

The guidelines are important for several reasons. Not only do they clarify the scope of the ruling, but they also introduce a harmonized approach by the different national Data Protection Authorities of the EU member states (“DPAs”) when handling de-listing requests. It has been an issue in Europe before that DPAs have divergent approaches to similar problems. With these guidelines, the DPAs will at least all follow the same criteria when handling a complaint.

In its Google ruling, the European Court of Justice held that individuals can request search engines, under certain conditions, to de-list certain links from the results for searches based on their names. Where a search engine refuses such a request, the data subject can file a complaint with the DPAs. Based on the complaints they received during the past six months, the DPAs have drafted a non-exhaustive list with thirteen common criteria which can be used as “a flexible working tool” when evaluating such complaints.

Generally more than one criterion will need to be taken into account when taking such decisions and each criterion has to be applied in the light of the principles established by the Court of Justice and in particular in the light of the “the interest of the general public in having access to [the] information”. Even when they are directed towards the DPAs, these criteria will also be very useful for search engines when handling de-listing requests.

Below we give a quick overview of these criteria.

1. Does the search result relate to a natural person – i.e. an individual? And does the search result come up against a search on the data subject’s name?

European data protection rules only apply to natural persons. It is interesting to note that the Working Party also considers pseudonyms and nicknames as relevant search terms.

2. Does the data subject play a role in public life? Is the data subject a public figure?

The Court of Justice has made an exception for de-listing requests from data subjects that play a role in public life, where there is an interest of the public in having access to information about them.

Whilst the Working Party 29 is of the opinion that it is not possible to establish with certainty the type of role in public life which is required to justify public access to information about a person via searches based on their name, it states by way of example that politicians, senior public officials, business-people and members of the (regulated) professions can usually be considered to fulfil such a role.

However, this criterion seems to be broader than those examples suggest, since it encompasses all situations “where the public having access to the particular information would protect them against improper public or professional conduct”.

Note that this criterion is certainly broader than “public figures” which can be defined as individuals who, due to their functions or commitments, have a degree of media exposure. If applicants for de-listing are public figures, and the information in question does not constitute genuinely private information, it is likely that de-listing will be refused.

3. Is the data subject a minor?

As a general rule, if a data subject is still a minor at the time of the publication of the information, de-listing of the relevant results will be more likely.

4. Is the data accurate?

De-listing of a search result will more likely be considered appropriate where there is inaccuracy as to a matter of fact and where this presents an inaccurate, inadequate or misleading impression of an individual.

5. Is the data relevant and not excessive?

On the basis of this criterion, it is assessed whether the information contained in a search result is relevant or not according to the interest of the general public in having access to the information. Relevance is also closely related to the data’s age.

6. Is the information sensitive within the meaning of Article 8 of the Directive 95/46/EC?

Because of the greater impact sensitive data (i.e. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and data concerning health or sex life) have on the private life of individuals, it is more likely that de-listing will be granted in respect of search results that reveal such information.

7. Is the data up to date? Is the data being made available for longer than is necessary for the purpose of the processing?

The purpose of this criterion is to ensure that information that has become inaccurate because it is out-of-date, is de-listed.

8. Is the data processing causing prejudice to the data subject? Does the data have a disproportionately negative privacy impact on the data subject?

Although there is no obligation for the data subject to demonstrate prejudice in order to request de-listing, this would be a strong factor in favor of de-listing.

9. Does the search result link to information that puts the data subject at risk?

In cases where the risks (e.g. identity theft or stalking) are substantive, DPAs are likely to consider that the de-listing of a search result is appropriate.

10. In what context was the information published?

a. Was the content voluntarily made public by the data subject?

b. Was the content intended to be made public? Could the data subject have reasonably known that the content would be made public?

Personal data can only be processed on a few legal grounds. If the only legal basis for the original publication on the internet is consent and the individual subsequently revokes his or her consent, the publishing lacks a legal basis and must therefore cease. This also has an influence on de-listing requests for results which contain links to such information. The Working Party states that, if in such cases the individual concerned is unable to revoke his or her consent, and a de-listing request is refused, the DPAs will generally consider that de-listing of the search result is appropriate.

11. Was the original content published in the context of journalistic purposes?

European data protection rules contain some exceptions for the processing (such as publishing) of personal data in the context of journalistic purposes. However the Google ruling clearly distinguishes between the legal basis for (i) the original publication by the media, and the legal basis for (ii) search engines to organise search results based on a person’s name. Hence search engines cannot rely on these exceptions.

Nevertheless the DPAs will take into account the fact that journalists have to be able to inform the general public. At this moment it is not very clear what the precise influence of this criterion will be on de-listing requests. Note that the Google case itself concerned the de-listing of a link to a newspaper.

12. Does the publisher of the data have a legal power – or a legal obligation – to make the personal data publicly available?

Where this is the case, de-listing may not be considered appropriate. However DPAs may consider that de-listing is appropriate even if there is a legal obligation to make the content available on the original website.

13. Does the data relate to a criminal offence?

As a general rule, de-listing of search results relating to minor offences that happened a long time ago is more likely to be obtained than de-listing of results relating to more serious ones that happened more recently. However, these issues will be handled on a case-by-case basis taking into account the applicable national laws.

For more information, please contact patrick.vaneecke@dlapiper.com or mathieu.leboudec@dlapiper.com.

What happens in the cloud stays in the cloud: BIS reinforces export control insulation for cloud-based computing and processing

Posted in Cloud Computing, Technology and Commercial

Written by Thomas M. DeButts

The US Department of Commerce, Bureau of Industry and Security (BIS) recently released a redacted Advisory Opinion dated November 13, 2014 that confirms for cloud-based software vendors (or Software as a Service providers) that allowing access to export controlled software for use only in the cloud (or on servers) does not constitute an export of that software to the user.

This completes the picture of how SaaS providers can legally deliver cloud-based computing and storage services to parties outside the borders of the country where the servers are located without triggering export authorization requirements.

This is the third Advisory Opinion from BIS clarifying the application of the Export Administration Regulations (EAR) to SaaS providers and cloud-based service and storage solution providers. These opinions include the following:

January 13, 2009 – Application of the EAR to Grid and Cloud Computing Services

  • Grid and cloud computing services, including the provision of computational capacity, are not themselves subject to the EAR as long as the service provider does not actually export controlled software or technology.
  • The service provider is not the exporter of any transfers of technology or software that are initiated by the user of the grid and cloud computing services. This means the SaaS provider does not have to police the activity that is occurring on its servers; however, it will still be held to the “knowledge” that it does have.

January 11, 2011 – Cloud Computing and Deemed Exports

  • Building on the above opinion, BIS confirmed that permitting a foreign national to monitor and maintain a cloud service provider’s servers and software does not constitute a “deemed export” to the foreign national of the customer/user content present on the cloud servers.
  • Access by a foreign national to controlled software or technology (“deemed export”) other than the user content would still be subject to the EAR and could require an export license.

November 13, 2014 – Cloud-based Storefronts

  • This opinion confirms the concept that providing user access to SaaS services, where the user of the services does not download executable software, but merely operates the software as a service “in the cloud” or on a server, does not constitute an export of the software to the user.
  • BIS confirmed that “[b]ecause there is no export of software, there is no basis for a license requirement.”

These interpretations offer cloud computing and SaaS providers an effective safe harbor in which to conduct activities without export licenses for the software provided for use to customers or for the content that users may export from the providers’ servers. Cloud computing and SaaS providers still must screen the parties with which they do business and ensure that they are not making exports on their own account (“deemed” or otherwise) without a license when one is required.

The above summary is greatly simplified to convey a general understanding of the EAR and agency interpretations.  Specific application of these interpretations to a service provider should incorporate careful analysis of the EAR and the advisory opinions in light of the specific activities contemplated. To learn more, please contact Tom deButts or Rick Newcomb.

Storing IP addresses – German referral to the ECJ

Posted in E-Commerce and Social Media, EU Data Protection, Telecoms

By Jan Pohle, Partner, Cologne

(Decision of 28 October 2014, VI ZR 135/13)

The German Federal Supreme Court had to decide whether the Federal Republic of Germany may save the IP address of a visitor to their websites beyond the termination of the respective user activity. The Supreme Court decided first to suspend the proceedings and refer two questions on Directive 95/46/EC (the so-called EC Data Protection Directive) to the European Court of Justice (ECJ).

Facts

The plaintiff, a member of the state parliament of Schleswig-Holstein and a member of the Pirate Party, brought an action against the Federal Republic of Germany and applied for an order requiring the defendant to refrain from storing the IP address assigned to him beyond the end of the respective user activity. The defendant contends that storing the IP addresses is necessary to prevent attacks on its online offerings and to pursue prosecution of those involved. For this purpose, the defendant stores not only the dynamic IP addresses of visitors but also the particular time of the visit to the respective website.

While the district court dismissed the action, the Court of Appeal upheld the complaint in part. Thus, the district court awarded the plaintiff the injunction insofar as it relates to the storage of IP addresses in conjunction with the time of each visit to the site, and to the extent specified by the applicant during the process of his personal use. Both the plaintiff and the defendant have appealed that decision.

Decision

The Supreme Court decided to stay the proceedings and refer two questions on the interpretation of the EC Data Protection Directive to the ECJ for a preliminary ruling.

The plaintiff’s claim for injunctive relief requires, first, that the disputed dynamic IP addresses in the specific case are “personal data” that enjoy the protection of the data protection law harmonized by the Directive. The Supreme Court considers it doubtful whether this can be the case if the applicant does not indicate his personal details during the visit. Thus, in this specific case, the responsible entity would have had no information that permitted the identification of the applicant based solely on the IP address. The plaintiff’s access provider is also expected not to provide information about the plaintiff’s identity to the responsible authorities of the defendant. For this reason, the Supreme Court has referred to the ECJ the question of whether Article 2(a) of the EC Data Protection Directive should be interpreted as meaning that an IP address which a service provider stores in connection with a visit to its website already constitutes personal data, even if only a third party has the additional knowledge necessary to identify the relevant person.

If it is concluded that the aforementioned data is “personal data,” statutory permission is required for storage (§ 12 para. 1 TMG) if, as in this case, user consent is missing. According to the defendant, it is necessary for it to store the IP addresses to ensure and maintain the safety and functionality of its telemedia. However, it is questionable whether this is sufficient for permission pursuant to § 15 para. 1 TMG. Under this provision, the provider may collect and use a user’s personal information to the extent necessary to permit the use of the telemedia and for billing purposes. In the Supreme Court’s view, systematic considerations suggest that this provision only permits data collection and use in order to enable a specific usage relationship, and that the data must be deleted at the end of the respective user activity if they are not needed for billing purposes. The Supreme Court considers it possible that the nature of Article 7(f) of the EC Data Protection Directive could demand a broader interpretation. For this reason, the Supreme Court has referred to the ECJ the question of whether the EC Data Protection Directive precludes the content of § 15 para. 1 TMG, a provision of national law.

Relevance of the Decision

The order of the Supreme Court is to be welcomed. It offers the Court the opportunity to clarify the issue of whether dynamic IP addresses are considered “personal data” under the provisions of data protection law. This is currently very controversial. Some argue that dynamic IP addresses in the server log files of telemedia services providers are not personal data because the information that is required to identify the persons concerned is only available to the access provider. Others take the opposite view and justify this by saying that all the information that is theoretically available must be taken into account when considering whether data qualify as “personal data”. It remains to be seen whether the ECJ will use the questions referred to it in order to make a fundamental decision regarding the legal questions that have been raised.

Spain – Competition Authority orders 4G operators to give MVNOs access

Posted in E-Commerce and Social Media, Telecoms

Author: Ceyhun Pehlivan, Associate, Madrid

Spain’s Competition Supervision Authority (CNMC), currently in charge of both competition and regulatory matters, has ordered the main Mobile Network Operators (MNOs) in Spain, namely Telefónica (Movistar), Vodafone and Orange, to ensure wholesale 4G network access for the Mobile Virtual Network Operators (MVNOs).

This decision is made in response to the consultation filed by the Spanish MVNOs’ association on 1 July 2014 following a number of allegedly unattended requests from the MVNOs to access the 4G network of the MNOs.

In its recent decision, the CNMC states that the MNOs are generally required to provide, at reasonable prices, access to the Spanish wholesale market for mobile access and call origination, so that the MVNOs may compete at retail level.

Moreover, the CNMC points out that, according to the Resolution of the former Telecommunications Market Commission (whose powers are currently vested in the CNMC) dated 2 February 2006, the wholesale market for mobile access and call origination includes all those wholesale services which allow the MVNOs to offer mobile communication services, voice calls as well as data services, to the final users. In other words, that decision did not refer to a specific technology, but rather to the whole mobile communication services.

Thus, this also implies that the MNOs shall give third parties a right of access to any element and specific resources of their network, and negotiate in good faith with the authorized access seekers, among others the MVNOs existing in the Spanish market.

Furthermore, the CNMC confirms in its decision that the MNOs shall ensure reasonable prices for the provision of such access services pursuant to the recently passed Spanish General Telecommunications Act 9/2014.

According to the CNMC, the current legal framework is adequate to allow the MVNOs to request from any of the MNOs to have access to their 4G networks, provided that the MNOs have been offering such 4G services to their final retail clients for a reasonable time period and that the access to 4G is now a differentiating element of the offerings and appreciated by the final users.

In this respect, the CNMC considers also that the reasonableness of an access request shall be assessed in concrete terms on the basis of the negotiations of the MNO and the MVNO, in view of the abovementioned principles, general objectives of the Spanish General Telecommunications Act 9/2014 as well as the existing agreements executed between the operators.

If no agreement is reached between the mobile network operators, the CNMC would be entitled to intervene in order to settle the conflict, owing to its power of intervention in the relations between the operators, either upon the request of the operators or on its own initiative when justified, to promote and to ensure adequate access, interconnection and interoperability of services, pursuant to the Spanish General Telecommunications Act 9/2014.

The decision of the CNMC may be consulted here (in Spanish).

Europe: Right to be forgotten guidelines adopted by WP29

Posted in E-Commerce and Social Media, EU Data Protection, International Privacy

Article 29 Working Party adopts guidelines on the implementation on the Right to be Forgotten judgment of the CJEU

By Patrick Van Eecke & Julie De Bruyn

The Article 29 Working Party, the European data protection advisory body consisting of representatives of the national data protection authorities of the EU Member States, announced yesterday that it has adopted guidelines – for national data protection authorities – on the implementation of the Court of Justice’s ruling on the right to be forgotten.


Innovation in Outsourcing – the Legal View

Posted in Technology and Commercial

Written by Kit Burden

“Innovation” is a word that is heard with increasing frequency in outsourcing circles, despite the concept being not exactly new. This begs the question why it has now crept its way up the list of topics for consideration in respect of outsourcing engagements, and what it actually consists of in practice.

The Oxford English Dictionary defines “to innovate” as to make changes in something established, especially by introducing new methods, ideas or products, but I doubt that most participants in the outsourcing market would classify “change” per se as being commensurate with innovation.

Change in the context of outsourcing is (to borrow from Benjamin Franklin) as certain as death and taxes, and will usually, if not invariably, be the subject of a detailed change control regime and/or schedule in the contract in any event.

So clearly there is more to innovation than simply doing things differently than how they were done before. Customers (and for that matter service providers too!) would no doubt immediately add the requirement that things be also “better”. But better how?

While there are honourable exceptions, “better” in recent times has been invariably synonymous with “cheaper”. In other words, to innovate becomes code for finding ways to provide greater volume without charging more, or to provide the same volumes but charging less. This may be (but is not necessarily) enabled by investments in new technologies or processes, or it could be a result of increased efficiencies or productivity on the part of the personnel engaged in the provision of the services.

Given the impact of the recent recession and in particular the pressure placed on corporate budgets, the intimate connection between innovation and cost reduction is understandable, and perhaps even inevitable.

However, it is also unnecessarily limiting from a customer perspective; having a service provider innovate in a way that will ultimately augment its own services to its end customers may have a far greater pay-off than simply finding a way to strip out some proportion of the fixed or recurring charges otherwise payable under the outsourcing agreement. On the other hand, such projects or changes can be harder to articulate and/or to track in terms of success or impact, and accordingly somewhat harder to create a business case for.

Regardless of what the drivers for innovation might be, the market statistics suggest a degree of scepticism as to whether it is actually being delivered as part of “normal” outsource services. In a recent survey conducted by HfS Research in conjunction with KPMG, it was noticeable that the areas classified as having evidenced “mediocre” performance were significantly aligned with activities that one might associate with innovation, such as:

  • improved analytics to improve operations;
  • transformed/reconfigured processes;
  • access to new technologies; and
  • better cloud-based delivery of services.

So is innovation a will-o’-the-wisp, never to be achieved in practice? Clearly this should not be (and is not in fact) the case. However, there must be a recognition that several factors will need to be aligned if innovation is to become a reality as opposed to mere aspiration, as follows:

A business need

It may seem trite to state, but the customer must genuinely want or need to innovate. Why? Because innovation may very well involve additional cost, potential disruption, degrees of risk with regard to implementation, and the uncertainty which is inevitably associated with any kind of change... all of which go contrary to the concept of a “no noise” transition of service responsibility and ongoing provision of an outsourced service!

Executive buy-in

Linked to the business need on the customer side is a requirement for executive-level buy-in, particularly if there is a need to hold firm against short-term gripes from end users as the underlying transformational activities are effected (e.g., if service levels are being impacted in the meantime).

However, one must not overlook the requirement for executive-level support on the service provider side too. Innovation may involve embracing new technology or service delivery models or undertaking new kinds of activity, which carry delivery/implementation risks (and potential contract sanctions), which may not be immediately attractive for the service provider. It may therefore need a more senior executive to take a longer term view vis-a-vis the wider long-term relationship with a particular customer, and/or investments in the service provider’s wider service delivery capabilities and competitiveness.

An appropriate contract framework

Many outsourcing contracts contain provisions that touch upon innovation in some way, even if not directly. For example, a contract may include:

  • obligations upon the service provider to seek out opportunities for “continuous improvement” of the services;
  • technology refresh obligations;
  • automatic SLA adjustments to reflect improvements in service level performance evidenced as having been achieved over a set period; and
  • price/service level adjustment provisions following the undertaking of a benchmark review.

However, these provisions do not really have innovation at their core, nor do they truly create an incentive for either party to get behind an innovation agenda.

Other contracts pay additional lip service to innovation by including “gainshare” provisions. A typical provision might then invite the service provider to submit proposals as to how the services might be improved/made cheaper, on the basis that the parties would then agree (perhaps on the basis of a pre-set mechanism) how any associated costs and any downstream benefit would be shared between them.

While such clauses can look good on paper, they rarely seem to achieve much in the way of innovation in practice. One can speculate as to why this appears to be the case, but a large part of the reason is likely to be that the average customer is simply seeing the result of its own contracting approach; it will likely have negotiated hard to get the best price and service levels it can, and the comfort blanket of robust contractual remedies if the contract is not performed in accordance with its requirements.

So far so good. However, the customer should not then be surprised to find that the typical service provider will focus hard on delivering the “business-as-usual” services as required and so as to both avoid the contract sanctions and to maintain its required profit margins, rather than “chasing the rainbow” of potential innovation projects which (a) the customer might not approve anyway, and (b) may involve additional implementation risk.

How then might this be addressed? Clearly the contract would need to provide some additional incentivisation for the service provider to make innovation more of a priority rather than an afterthought. The “stick” element of such an incentive may therefore include an actual commitment on the part of the service provider to identify and thereafter deliver a minimum value in terms of innovation-related cost savings in a given period (e.g., over a calendar year), on the basis that if it fails to do so, some or all of the delta between the target and the savings actually achieved must be paid to the customer by the service provider.

This obviously looks great from a customer perspective, but may then be difficult to negotiate in vanilla form with the service provider. This is then where the “carrot” side of the incentive regime will likely need to come in. Put simply, the greater the potential risk to the service provider for any underperformance against the target, the greater in turn that it will expect to receive in terms of a percentage share of any upside. So, there will likely be cases where the majority of any benefit will remain with the service provider rather than flowing back to the customer.

Regardless of the model chosen, the contract will then need to address a number of other potential issues; including:

  • how will the “benefit” be determined? In an ideal world this may be a simple question of maths (e.g., the cost of five FTEs when previously there had been seven) but this will not always be the case;
  • how can the parties ensure that initial benefits are not just delivered in the short term but then maintained thereafter? For example, if a gainshare benefit is tied to the adoption of a (cheaper) cloud-based solution, what happens if the cost of that solution increases in an uncontrolled manner thereafter, or the solution fails or the provider goes out of business?
  • what happens if the service provider comes up with an innovation proposal which – if successfully implemented – would enable it to meet or even exceed its minimum target, but the customer then declines to approve it? The service provider might then argue that it should be “deemed” to have delivered a substantive proportion (or all) of the associated benefits, but the customer will wish to argue hard against that (i.e., on the basis that the targets might otherwise be too easily circumvented by the service provider bringing forward proposals with massive potential benefits, but with far too much attendant change and/or risk);
  • what happens if the customer fails to support the implementation of the activities necessary to effect the transformation/innovation in question? For example, is this a contract breach, or is it brought within the “relief notice” mechanism which is now common in major outsourcing transactions? and
  • what is the governance process to be followed in terms of the submission, consideration and approval/rejection of innovation proposals?

It should also be noted that the structure above works best when innovation remains synonymous with cost reduction. Additional thought and process would need to be given to any innovation proposals that would not reduce cost but would instead improve service.

Overall, therefore, one should not write off innovation in outsourcing simply because of the somewhat rocky record of delivery of true innovation to date.

Technology is changing with ever increasing rapidity and the growing sophistication of cloud-based solutions in particular will undoubtedly lead to replacement of ever greater proportions of “traditional” outsourced services and related infrastructure, with related opportunities to innovate in the ways in which such cloud solutions are incorporated into service delivery models.

The key then will be to ensure that the “building blocks” for a proper innovation strategy as set out above are in place, and that the parties have created a contract structure that will genuinely facilitate innovation, rather than just pay lip service to it.

Kit Burden is a partner and global co-chair of the technology sector at law firm DLA Piper.
