Outsourcing Dos and Don’ts

By Kit Burden on July 12, 2017

Top 20 Do’s and Don’ts for Outsourcing Deals- the Customer Perspective

Do allow enough time for the procurement and negotiation process

If you run out of time, you will have to compromise on detail and thoroughness….which you will likely end up paying for many times over further on down the track.

Don’t hide known service issues or defects

Service providers don’t have a magic wand to wave; while they may be able to plan for dealing with known issues, anything which is hidden from them will likely trip them up, but then impact upon service quality…and ultimately you should want good service delivery, not a contractual remedy.

Do remember that there are two sides to every business case

While you obviously have savings targets to deliver, the service provider also has to make a profit; if it is squeezed too hard, it will inevitably either end up looking to cut corners/compromise on quality, or else look to recover margin by an inflexible attitude to change control.

Don’t negotiate to “win” every point

Of course, the contract needs to protect your vital interests, and not every contract can be entirely “win-win” on every single point (the size of the liability cap being a good example!). However, pushing the service provider to accept unnecessarily onerous provisions can lead to the loading into the price of excessive risk premium, and may force the service provider to “manage to the word of the contract” in future, for fear of falling foul of the sanctions which have been imposed.

Do treat DD seriously and provide detailed information

It is inevitable that the service provider will want to have detailed information concerning the services it is being asked to take on; rather than scrabble around later, it is best to invest the effort in gathering this information up front.

Don’t forget about the people aspects

If there are staff implications (e.g., redundancies or TUPE/ARD transfers), do you really want to be announcing them in the run up to Christmas….? How you deal with transferring personnel will inevitably influence how you are seen by your retained employees (and their Unions, where relevant).

Do undertake “stress test/destruction test” sessions prior to contract signature

No matter how well drafted or negotiated, there is a near inevitability that some points or potential scenarios will have been missed; by having Q and A sessions with people who have NOT been involved with the negotiations before and who will be involved with its operation in practice, you stand a chance of flushing some out prior to signature.

Don’t allow for the opportunity of “executive side bars/unstructured escalations”

You’ve sweated blood to negotiate a key point…and then get a memo from a senior exec who has had a briefing from his equivalent from the service provider as to how “unreasonable” the customer negotiation team is being, and how you should “show some more flexibility/stop being so hard”. Even if the perception can be reversed, the effect is both dis-spiriting and diverting.

Do get key contract provisions (and ideally the main proposed contract terms) out to bidders as early as possible

A customer’s bargaining leverage is never better than at the outset of the process, when there are multiple bidders “in play” who will be keen to differentiate themselves as against the other bidders; getting detailed contract responses also enables an early view to be taken as to what points can be fairly pushed for, and what might be beyond the boundaries of current market practice.

Don’t forget that even the best deals will eventually come to an end

The old analogy of outsourcing projects being like a marriage is a good one (i.e., they are – or at least should be! – long term, and both sides need to work hard at them). However, they then need to be marriages with a pre-nup, as all outsourcing projects must eventually come to an end, even if that ending may be an amicable one at the end of the day.

Do plan to make effective use of executive inputs and escalations

The core negotiation team should obviously look to resolve and agree as much of the contract as possible; however, once the outstanding points have been reduced to a manageable shortlist, there is a lot of merit in involving the executive stakeholders to gain an early resolution of them so that they don’t remain simply “parked”, and potentially slow down progress on the remainder of the negotiations.

Don’t duck difficult issues by deferring them to later discussion/agreement

Having some level of “agreements to agree” is probably inevitable in any large scale project. However, one should be wary of leaving any key points still to be determined on this basis, post contract signature (when the customer’s bargaining leverage can only be less than it would have been, pre-signature). In any event, one has to ask the question of what will happen if agreement CANNOT then be reached; will for example there then be a termination right or an ability to defer to an independent third party, or will there simply be a risk of deadlock?

Do allow for as much flexibility as possible

Nobody has a crystal ball, and much will change over the lifetime of an outsourcing deal. The contract should accordingly provide mechanisms for dealing with change as simply and transparently as possible; pricing regimes in particular are prime candidates to be set up to flex in line with volumes of demand.

Don’t forget that prevention is better than cure

Whilst having robust contractual remedies against a service provider will provide comfort and a level of assurance that the service provider will keep trying really hard, nonetheless investing in the services (and contract drafting) to make sure that problems are less likely to arise in the first place is always going to pay dividends; this ranges from taking the time to develop clear divisions of responsibilities in the Services Schedule, through to making sure that the business continuity services have been fully scoped (and funded).

Do ensure that you fully understand the supply chain and subcontractor dependencies

Having the prime contractor “on the hook” contractually is one thing, but from a business continuity perspective, it is much better to understand where the potential vulnerabilities and dependencies lie, and what the contingency plans are to deal with them (e.g., if a smaller – but key – subcontractor were to go broke).

Don’t refuse to accept/close your eyes to your own ongoing responsibilities

It genuinely does take two to tango; even though you may have outsourced the core delivery responsibility, the service provider will inevitably still have dependencies upon the customer, if only for the provision of information or direction. If you would not have refused such assistance to a colleague, why refuse it your service provider?

Do ensure that there is a robust (but not unnecessarily complex) governance structure

Management of both the contract AND the wider relationship is key; it is almost inevitable that some issues will arise, and the contract should help ensure that there is sufficient transparency for them to be surfaced early, and to the right people.

Don’t put the contract in the bottom draw

Living to the letter of the contract can be destructive and unnecessary. However, even worse is simply setting the contract to one side and forgetting what it contains (and which may have taken months to negotiate). You may think that you will be able to manage through any issues on a “relationship” basis, but you will likely then have an unpleasant surprise if this doesn’t work out in practice, and you then find that you have effectively lost rights you would otherwise have had, simply by not following a contractual process.

Do ensure that you have sufficient skills and resource to manage the contract once signed

It is a mistake to assume that just because you had people who were performing the outsourced tasks previously, then logically they would be the best people to manage it post outsourcing. In fact, vendor and contract management is a much under-rated (and rare) skill.

Don’t slavishly live to the exact word of the contract without exception

The flip side of the equation. If you keep the contract at your right hand and quote from it every day so as to keep the service provider tied to the strict letter of its every sentence, then do not be surprised if the service provider responds in kind, and your relationship becomes one of conflict rather than collaboration. If you know what is in the contract, then you can decide when to enforce, when to defer, and when to simply waive.

Top 20 Do’s and Don’ts for Outsourcing Deals- the Supplier Perspective

Do ensure that you have a properly constituted deal team from day one

This will mean people who understand the numbers, those that grasp the wider commercial arrangements, the right technical people, legal people, a really good “deal lead” who will face off to the customer….and don’t forget the actual delivery team!

Don’t ever say that a deal is “must win”

Obviously there are projects that would be extremely good to win and also extremely painful to lose….but a bad deal will be bad news for years to come.

Do understand the customer perspectives and objectives

If you keep on trying to sell something that the customer doesn’t really want to buy, the process will inevitably be longer and harder. By the same token, if you have a better grasp of the customer’s “hot buttons”, you’ll be better able to fashion your solution to show how you will address them.

Don’t forget that the negotiation process is still part of sales

The negotiation approach needs to be tailored to the overall dynamic; an aggressive or un-coordinated approach may worry or off-put the customer, or do damage to the longer term relationship or changes of winning the bid.

Do say “no” when you need to

You may feel pressured to agree to positions during negotiations, but agreeing to obligations which will be difficult or costly to comply with further down the line is a considerable risk. Remember that it is not always about what you say, but how you say it.

Don’t give in to “deal fatigue” and forget that some deals SHOULD be walked away from

When negotiations have been dragging on for weeks or even months, there is a tendency for both service providers and customers to get to the point where they just “want to make the pain go away” (!); at that late stage, poorly thought through concessions may be made.

Do insist on full DD or else consequential assumptions

Many contracts will try to pass the due diligence risk on to the service provider; however, even the best run process won’t be able to make up for information which is simply missing or even wrong. If you need to explain the basis of assumptions, then do so clearly and invite the customer to provide the relevant information so as to remove the need for the assumptions, if possible.

Don’t kick known issues into post contract discussions

Tempting though it may be to try to push through to finalization of negotiations and signature, what would make you think that it will be any easier to revolve a tricky issue later on, if it can’t be resolved up front? The risk is that the parties then get into the “deadly embrace” of deadlock.

Do ensure that there is proper customer sponsorship for/engagement with the project

We have seen projects go all the way through to finalization of the contract documentation, but then fail to be ratified at Board level simply because senior decision makers had not been properly involved in the process.

Don’t agree to contract risk provisions simply as a means of trying to increase a procurement score

If the bidding process is perceived to be close, it may be tempting to make contract concessions as a means of improving the overall “score” for your bid. However, the reality is that in most processes, the degree of weighting given to the legal provisions is much less than for price, technical capability etc., but concessions made on the contract can carry disproportionate risk, once services are underway.

Do ensure that your key subcontractors have bought a ticket for the full journey

If you are dependent upon a particular subcontractor, are you sure that you have their contractual commitment to do what you need from them, at the price you can afford, and for the duration of the contract term? Just assuming that they will be willing to sign up to a deal once you have committed to your own contract with the customer is fraught with risk.

Don’t allow emotion to get the better of you

If negotiations get heated, emotions can run high. However, antagonizing or alienating customer representatives with rash words or emotive behaviors will rarely work out well.

Do realize the power of having executive endorsement and involvement

The customer may take a great deal of comfort from a level of personal involvement and commitment from senior executives from within your organization; quite rightly, they may surmise that directives from your own chief executive may carry more weight than a warranty provision in a contract

Don’t forget to have an independent review of your proposed solution and risk profile

It can get difficult to see the woods for the trees after a while, or to appreciate the cumulative salami slicing of risk and reward that can occur over the course of a long negotiation. Having an independent review and sense check is worth its weight in gold

Do focus on the strengths and weaknesses of your key competition

Ask “what would we need to do to offset their strengths and capitalize on their weaknesses”? Your bid can then be tweaked accordingly.

Don’t lightly agree to exclusivity or surrendering IP

It will often be argued that the creation of new IP is not “core” to an outsourcing transaction and so this can easily be given up to the client/customer. However, at the very least you may want to consider whether to reserve some form of reverse licensing or independent rights of use, so as to make sure that new developments can be applied for the benefit of future customers.

Do ensure that you have appropriate sponsors/supporters within the customer business

At the end of the day, it helps tremendously to have someone senior within the customer organization who is acting as your champion/supporter, and who will promulgate positive messages about you and also help to prevent any false or derogatory impressions from gaining purchase.

Don’t backslide from previous commitments UNLESS there is a correlation that can be drawn to a change in facts/customer positions

Customers will usually (and understandably) react very negatively to any perceived reversal of positions which were agreed earlier in the negotiation process (especially if they were part of the reason for an original down-selection decision). If changes ARE to be made however, it may be legitimate if they can be linked to changes in the customer’s own position, or new data which can justifiably be said to have not previously been available.

Do ensure that the delivery team have a full involvement in the solution design/negotiation

Possibly one of the MOST important practical bits of advice. Sales teams inevitably have closing of the deal as their prime driver; as such, there is a natural risk that they might over commit. As the delivery team will need to live with the contract for the duration of its term, it is essential that they are aware of – and sign up for.

Don’t make commitments which you will need subcontractors to comply with unless you know in advance that they will do so

There is a difference here between being willing to take on the liability “gap” (e.g., where you are agreeing to a higher service level than the subcontractor is willing to step up to, or accepting a higher liability cap), and being actually dependent upon the subcontractor (e.g., where you can only comply with customer security policies if the subcontractor does as well). You may find that they are a lot less willing to agree to such provisions if you have already signed up with the customer and have little if any bargaining leverage!

Posted in Internet of Things

How the Internet of Things changes banks and financial services

By Giulio Coraggio on July 5, 2017

The Internet of Things is going to change the models of business of the financial services sector, unveiling new legal issues. Continue Reading

Posted in EU Data Protection International Privacy Privacy and Data Security

UK: Commitment to introduce new Data Protection Bill in line with GDPR principles

By Jim Halpert on June 22, 2017

Yesterday the UK Government set out its legislative programme for the next Parliamentary term, through the Queen’s Speech. Whilst Brexit will dominate the legislative agenda, data protection received special mention with a commitment to introduce a new Data Protection Bill.

The Bill will reiterate the UK’s commitment to implementation of the principles of privacy enshrined in the GDPR, regardless of Brexit. It will also add further clarity on how the UK intends to apply statutory controls to those areas of the GDPR where Member States have flexibility to develop complementary legal requirements or derogations.

The speech is an important message for anyone who may have had doubt about the UKs commitment to the GDPR after Brexit. It is a clear steer to UK business to get ready for the new privacy regime and a strong sign to any detractors, whether in Europe or the wider global community, that the UK remains focussed on maintaining a robustly regulated digital environment, at the forefront of emerging global standards.

Whilst we await with interest details of the specific regulatory controls within the Bill itself, this is a welcome message of clarity in otherwise uncertain political times.

Posted in Cybersecurity

EXECUTIVE ORDER ESCALATES CYBERSECURITY TO GREATER PRIORITY – Top Points About Critical Infrastructure

By Sydney M. White and Jim Halpert on June 22, 2017

President Donald Trump recently signed an Executive Order on cybersecurity, “Strengthening the Cybersecurity Federal Networks and Critical Infrastructure.” The EO is divided into sections on:

cybersecurity of federal networks
cybersecurity of critical infrastructure (CI) to support CI at greatest risk
cybersecurity risks to the defense industrial base
strategic options for deterrence and protection of the nation
international cooperation and
workforce development.

The EO escalates CI cybersecurity to a greater priority in federal policy, tasking cabinet-level departments and sector specific agencies with identifying and utilizing capabilities to support the cybersecurity risk management efforts of CI at greatest risk. It also addresses particular sectorial cybersecurity risks and capabilities concerning the communications and information technology sectors, the defense industrial base and the electricity subsector. Additionally, the EO contains an ambitious plan for updating and upgrading federal networks, which will ultimately be subject to Congressional oversight and appropriations. See the top points about the EO and its implications for businesses that are categorized as critical infrastructure.

Posted in Cybersecurity

NTIA Request for Comment on Resilience Against Botnets

By Sydney M. White on June 22, 2017

President Trump recently issued Executive Order 13800 on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, which included a section on Resilience Against Botnets and Other Automated, Distributed Threats. The Executive Order requires the Departments of Commerce and Homeland Security to produce a report on Botnets based on industry and other stakeholder input. As part of this effort, the Department of Commerce’s National Telecommunications and Information Administration (NTIA) issued a Request for Comment, which included seven broad questions about potential solutions and approaches to the challenge of automated, distributed attacks. Comments are due by July 13, 2017.

NTIA has asked for input from all interested stakeholders – including private industry, academia, civil society, and other security experts – on ways to improve industry’s ability to reduce threats perpetuated by automated distributed attacks, such as botnets, and what role, if any, the U.S. Government should play in this area. NTIA is particularly interested in how these attacks can be mitigated, and how the endpoint sources of these attacks, especially IoT devices, can be better secured. NTIA asks:

What works in dealing with these attacks and what are the gaps in existing approaches?
Are there incentives or other public policies that can drive change?
How can solutions explicitly address the international aspects of the issue?

The Department of Commerce’s National Institute of Standards and Technology (NIST) has also announced a related cross-sector, participatory workshop to accompany the RFC on July 11-12. The workshop titled Enhancing Resilience of the Internet and Communications Ecosystem will allow stakeholders to explore a range of current and emerging solutions to improve the resiliency of the Internet against automated, distributed threats. NIST will produce a document summarizing the workshop, findings, and opportunities for next steps.

The comments submitted to NTIA and the NIST workshop and summary document present an excellent opportunity for the private sector to weigh in on evolving Internet security policies as this public record will be used to inform implementation activities related to the Cybersecurity Executive Order.

Posted in Cybersecurity Privacy and Data Security

FTC Updates COPPA Guidance: Six-Step Compliance Plan for Your Business

By Michelle Anderson on June 22, 2017

Written by Michelle Anderson and Samantha Glazer

In a June 21, 2017 blog post, the FTC announced updates to its Six-Step Compliance Plan for Your Business under the Children’s Online Privacy Protection Act (COPPA). The revisions make clear that the FTC considers new business models (e.g., voice-activated devices) and products (e.g., connected toys) to be covered under COPPA. The changes also reflect two methods for obtaining parental consent that the FTC approved in the past few years: (1) asking knowledge-based authentication questions and (2) using the Face Match to Verified Photo Identification method.

In December 2013, the FTC approved use of knowledge-based authentication (KBA) questions as a verifiable parental consent (VPC) method. KBA involves the use of dynamic multiple-choice questions with a “reasonable” number of questions and an “adequate” number of possible answers to lower the probability of another individual guessing the correct answers. The level of difficulty of these questions should be such that a child 12 years or younger “could not reasonably ascertain the answers.”

In November 2015, the FTC approved the use of Face Match to Verified Photo Identification (FMVPI). This method involves a two-step process using facial recognition technology. The first step is for a parent to take a photo of his/her government issued identification using a phone’s camera or a webcam. The FMVPI system then verifies the authenticity and legitimacy of the identification document. Upon verification, the system prompts the parent to use the same phone camera or webcam to take a photo of his/her own face. The system then matches that photo with the verified government ID photo. If the photos match, consent is deemed given, and the identification information submitted by the parent should be deleted within five minutes.

Posted in EU Data Protection Uncategorized

Global reach of the GDPR: What is at stake?

By Michelle Anderson on June 21, 2017

This article was originally published in Privacy Laws & Business International Report, June 2017, www.privacylaws.com.

Written by Meredith Jankowski and Michelle Anderson

Companies that target EU residents must comply with the GDPR — even if they are not established in the EU.

In less than a year — on 25 May 2018 — the European Union (EU) General Data Protection Regulation (GDPR) will go into effect[1], replacing the current Data Protection Directive (the Directive).[2] Global companies and companies based in the EU are generally well-acquainted with the GDPR and are currently undertaking efforts to bring themselves into compliance within the next year. However, companies that are not established in the EU but that target EU residents should also be focusing on such compliance efforts.

Companies that are not established in the EU but that offer goods or services to EU data subjects or monitor the behaviour of EU data subjects are required to comply with the requirements of the GDPR. In this article, we explain the territorial scope of the GDPR, provide background and context on the territorial applicability of data protection law in Europe, and dis-cuss the unique requirement for companies not established in the EU to designate a representative.

WHEN THE GDPR APPLIES TO COMPANIES OUTSIDE THE EU

The broad territorial scope of the GDPR is enshrined in Article 3. Under Article 3, the GDPR applies to the processing of personal data of EU data subjects where:

The controller or processor is established in the EU (even if the processing does not take place in the EU) or
The controller or processor is not established in the EU but a) Offers goods or services to EU data subjects (irrespective of whether payment is required) or b) Monitors the behaviour of data subjects in the EU.

When a company is seeking to determine whether it offers goods or services to EU data subjects, the company must consider factors that would indicate that it envisages offering goods or services to EU data subjects. Such factors include the language it uses to offer goods or services to data subjects, the type of currency used in the offer of goods or services, and mention of customers or users in the EU.

Also, it should consider whether it tracks the online behaviour of EU data subjects, including whether it uses pro-filing techniques that analyse or predict the individual’s personal preferences, behaviours, or attitudes.

EXTRATERRITORIAL APPLICABILITY OF EU DP LAWS

The GDPR’s broad territorial applicability stems in part from Jurisdictional differences in implementing the Directive. The Directive — which currently governs the processing of personal data of EU data subjects — was adopted in 1995 to facilitate the free flow of personal data within the EU, while also ensuring that the fundamental rights of individuals, particularly the right to privacy, were safeguarded. Because it was a Directive, rather than a Regulation, each EU Member State implemented its own data protection law, which led to inconsistencies and fragmentation in the protections for personal data across the EU.

One way in which the Directive is inconsistent is how each jurisdiction determines when its data protection law applies. Under the Directive’s Article 4, the Directive applies to the processing of personal data where “the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State.” However, how to determine when a company is “established” in a particular country varies depending on each jurisdiction’s interpretation of the term “established,” meaning the analysis of when a country’s data protection law applies can vary by country.

The European Parliament and Council of the EU sought to patch such discrepancies by ensuring that under the GDPR the personal data of EU data subjects would be protected more consistently and broadly (i.e., not only by controllers or processors established in the EU). In Recitals 23 and 24, the Parliament and Council stated:

“In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment. The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union.”

WHAT DO NON-EU COMPANIES NEED TO DO?

Comply with the GDPR broadly: In line with Article 3, companies that are not established in the EU, but that nonetheless target EU data subjects by offering them goods or services or by monitoring their behaviour, must comply with all of the GDPR’s provisions. This means that they are required to comply with the GDPR’s data breach notification requirement, appoint a Data Protection Officer, update their privacy notices, implement measures to address expanded individual rights, document the bases for their processing of personal data, and ensure that appropriate contractual provisions are in place with vendors, among many other obligations. While companies may opt to take a risk-based approach and not comply with the GDPR altogether (or only implement compliance measures that address certain requirements) they are nonetheless technically subject to the GDPR as to all EU personal data they receive, including to its heightened sanction provisions.

Select and appoint a representative: In addition to complying with the GDPR’s broad requirements, companies that are not established in the EU are subject to one additional and unique provision: under Article 27, except in certain circumstances, companies must designate in writing a representative in the EU.

A “representative” is defined in Article 4 as “a natural or legal person established in the [EU] who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under [the GDPR].” The GDPR’s requirements for representatives differ from those for Data Protection Officers: most notably, DPOs must perform duties such as advising on data protection impact assessments and monitoring compliance with the GDPR, but the GDPR assigns no substantive responsibilities to representatives. Rather, the requirement to appoint a representative appears to be more form than function. Under Article 27, the representative must be established in one of the EU Member States where the data subjects whose personal data the company processes are located. In addition, the company must appoint the representative without prejudice to legal actions that could be initiated against the company itself — and the representative must be subject to enforcement proceedings in the event of non-compliance by the company (i.e., both the company and the representative could be subject to enforcement proceedings). By focusing on form for the representative and function for the DPO, the GDPR seems to contemplate that the representative and DPO will be separate persons.

One potential area of overlap between representatives and DPOs, however, appears in Article 27, which says that the representative must serve as the contact point for all issues related to the company’s processing of personal data under the GDPR, including as a contact point for supervisory authorities. This is similar to requirements in various Articles that the DPO be listed as a company’s point of contact (see Article 14) and interface with supervisory authorities (see Article 39). These points suggest that companies may want to consider having the representative and the DPO be the same person, to ensure a consistent point of contact.

A representative is not required when a company’s processing of EU personal data is (1) “occasional,” (2) does not include large-scale processing of special categories of personal data or personal data relating to criminal convictions and offences, and (3) is unlikely to result in a risk to the rights and freedoms of natural persons. The GDPR’s wording is vague, and thus far no regulators have offered guidance as to what is considered “occasional” processing, but this exception likely means that companies that do not target EU data subjects are not required to designate a representative. For example, a company that has one global marketing website (e.g., www.company.com) that is accessible by EU data subjects but does not specifically direct goods or services to EU data subjects (e.g., does not have country-specific websites such as www.company.fr) and whose customer base is 98 percent from the United States and only 2 percent from Europe may not be required to designate a representative.

Consider these key points: A company that is not established in the EU but that offers goods or services to, and/or monitors the behaviour of, EU data subjects must therefore consider the following:

The best jurisdiction for its representative, which may be the jurisdiction in which it has the most EU data subjects, where it focuses its targeting of EU data subjects, or where it conducts the most extensive monitoring;
The person that would be the most appropriate EU-facing representative for the company, considering the person’s understanding of data protection laws, legal or compliance background, and experience inter-facing with regulatory authorities;
If that person is not a company employee but a third party, the appropriate contractual arrangement for engaging a third party to serve as the company’s representative;
Whether the company will or should appoint a DPO and, if so, who the company has identified as the DPO; and
The company’s potential liabilities in the EU.

REFERENCES

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (L 119/1, 4.5.2016), available at eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2 016.119.01.0001.01.ENG&toc=OJ L: 2016:119;TOC
[2] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of Individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995), available at eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:31995L 0046

Posted in Internet of Things US Federal Law

IOT Devices: Just Hardware or FCC Powder Keg?

By Anne Friedman on June 19, 2017

Written by Eric W. DeSilva and Michael A. Lewis

With the meteoric proliferation of “Internet of Things” (IOT) devices, there are an increasing number of innovators and inventors bringing “smart” products to market that capitalize on connectivity in ways never before imagined. While a great deal of resources are typically applied to research and development, marketing, production, distribution and customer awareness, the essence of most IOT devices is wireless communications so attention must be given to the Federal Communications Commission (FCC) regulations on radio emissions. Each year the FCC levies tens of millions of dollars in penalties for violations of its rules—rules that encompass activities and devices in ways that may not be immediately obvious. We have set forth some basic guidelines to help start-ups, investors, and even established manufacturers make sense of the FCC’s requirements.

Without further ado, ten things the FCC cares about:

Things that intentionally emit radiofrequency (“RF”) energy. This may seem obvious, but the FCC regulates devices that use RF intentionally, such as cellphones, walkie-talkies, and Wi-Fi, Bluetooth and Zigbee transmitters. Such devices must comply with the FCC’s equipment authorization procedures that ensure that the device conforms with specified technical standards that help limit the potential for interference to other spectrum users. Compliance with the FCC’s equipment authorization rules is most often demonstrated by a permanent label affixed to the device showing the FCC’s mark and the products FCC identifying number.

Things that unintentionally emit RF. It’s fairly obvious that the FCC would have jurisdiction over the manufacture and marketing of wireless communications devices. Less obvious is its authority to control the importation and marketing of devices that emit RF energy unintentionally. Nearly all devices with digital componentry are implicated – computing devices, smart appliances, video monitors, power supplies, and similar products. These devices must be tested by an accredited test lab facility to ensure compliance with applicable technical standards before they can be imported and marketed in the United States.

Things that incidentally emit RF. There’s even a third category of devices that fall within the FCC’s purview. Incidental radiators include devices that are not designed to intentionally use, generate or emit RF energy over 9 kHz. Devices such as AC motors and fluorescent lighting are exempt from FCC test requirements but manufacturers must still use good engineering practices to limit, to the extent possible, the interference effects from such devices.

Importation of RF devices. While it is tempting to assume that someone else in the supply chain has ensured conformity with the FCC’s rules, companies need to be proactive regarding FCC compliance when importing radio products. With only very limited exceptions, the FCC rules require that devices brought into the U.S. have appropriate FCC equipment approvals. Failure to do so may result in critical components being seized at the border. Even if the products are not stuck in a customs warehouse–with the amount of offshore manufacturing that is done today, there may be instances where products without appropriate approvals are delivered in the U.S. and escape customs notice–the subsequent sale of those devices in the U.S. will violate FCC regulations and may subject the seller to fines.

Modification of OEM RF devices (triggering new approvals). Even where a company has obtained an equipment authorization from the FCC, appropriate attention has to be paid to the evolution of the product over time, since certain changes can require the manufacturer or seller to obtain a new authorization. As a rule of thumb, changes that alter the physics of the RF emissions should be carefully reviewed under the FCC’s rules, as they often trigger the need to seek new approvals. Complicating matters even further is the practice of integrating components that have received their equipment authorization as stand-alone modules. The final assembled product may have its own testing and labeling requirements even though it is comprised of approved parts.

Marketing of RF devices. Today, speed to market often means that companies would like to pre-market products—whether to support a crowd-funding initiative or as a means to capture market share. In general, however, the FCC greatly restricts the marketing of RF devices before they complete the approval process. The FCC has been known to walk the floors at trade shows to inspect whether new products are being displayed to potential customers impermissibly prior to receiving proper approvals.

Experimenting with RF devices. Development of new products invariably requires experimentation, and when that experimentation involves radiation of radio energy, an FCC license is typically required. While the FCC generally freely grants experimental licenses for private testing, the experimental rules impose added limitations on what can be done with experimental products when it comes to market tests and trials, which require special authorizations.

Spectrum compatibility. Most innovators today would like to capitalize on a global product market, but RF regulations differ from country to country. That being said, there are radio bands that are more or less standardized from region to region, and considering global regulatory issues at the initial stages of product development may save headaches down the road. With its global telecommunications capabilities, DLA Piper’s telecom practice is able to assist with international compatibility and market entry surveys.

Transfer of RF manufacturing assets. Whether you are an investor looking to fund a IOT venture, a business acquiring a start-up, or an innovator looking for equity backers, FCC regulated companies require special considerations. To the extent a company has licenses, FCC consent or notice may be required—in some cases prior to closing—for transactions that involve transfers of control or assignment of assets. In addition, FCC regulated companies implicate specialized due diligence in transactional scenarios.

Devices that create networks. As a final matter, even if the RF components of a device are not FCC regulated—or are FCC regulated but the company taken appropriate actions—the FCC might be implicated in other ways. Specifically, in addition to regulating radio, the FCC also regulates telecommunications—communications networks and network providers. This becomes important because if IOT or connected products are sold bundled with communications capabilities acquired from third parties, the seller may be subjecting itself to regulation as a carrier—that may result in the need to obtain special authorizations, to pay into carrier-funded social programs like the Universal Service Fund, or other regulations.

Posted in EU Data Protection International Privacy New Privacy Laws Privacy and Data Security

AUSTRALIA: Increased focus on global privacy and data protection for Australian organizations

By Jennifer Kashatus on June 14, 2017

By GSC Marketing

Authors: Sinead Lynch and Jessica Noakesmith

Regulators around the world are, and will be, taking a much closer look at rules on the protection of individual personal data and the security of their citizen’s information. The onslaught of the new and arduous General Data Protection Regulation (GDPR) regime in Europe, the recent ‘protectionist’ changes to the PRC Cybersecurity Laws in China on 1 June 2017, anticipated changes in Singapore’s data privacy regime, as well as rumblings from other Asia-Pac countries in this area, all confirm that these are issues where national regulators are sitting up and taking action. Recent cyber events, including the much-reported ‘Wannacry’ cyber-attack, add to global unrest in this area.

Traditionally to date, Australia has adopted a more transparent and conciliatory approach to privacy and security. However, this is a position that is likely to face challenge now in light of international developments in this area. The introduction in Australia of the long awaited new mandatory Privacy Amendment (Notifiable Data Breaches) Act 2017 (NDB) in February 2017 commencing from, at the latest, February 2018, as well as the Government’s budget confirmation of the Productivity Commission’s new law on personal data sharing and release go some way to support Australia’s renewed focus in this area.

The Office of the Australian Information Commissioner (OAIC) has also just released their updated resource, General Data Protection Regulation Guidance for Australian Businesses (the Guide) to confirm that Australian businesses should, as a matter of priority, review the extent of their compliance obligations under the GDPR and take steps now to ensure their handling practices comply, prior to its commencement from 25 May 2018. At a conference hosted last month by the OAIC, the Privacy Commissioner, Timothy Pilgrim, expressly underlined the importance of GDPR for Australian businesses, and advised that the OAIC will be taking a closer look at compliance in this area.

Therefore, to the extent that an Australian company handles or processes EU individual data in the course of its operations and this processing falls within the scope of the extra-territorial reach of the GDPR (as described further below), this company will be required to comply with the onerous requirements of GDPR and may be subject to its sanctions.

The Guide

The Guide confirms that Australian businesses “of any size” may need to comply with the GDPR if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU.

The guide helpfully compares the GDPR and Privacy Act 1988 (Cth) principles in an easy to read comparison table. Certain similarities are highlighted and both laws contain a shared focus on fostering transparent information handling practices and business accountability, to give individuals confidence that their privacy is being protected.

However, there are notable differences in the GDPR. In addition to the myriad of broadly defined terms and wide scope of personal data, there are enhanced rights for individuals to their data, data portability obligations, a right “to be forgotten”, enhanced consent requirements and a 72 hour mandatory data breach requirement in certain cases, not to mention the unwieldly fines and sanctions.

While some Australian businesses may already have certain measures in place that will be required under the GDPR, the Guide recommends that all organizations should begin taking steps to evaluate their information handling practices and governance structures, seeking legal advice where necessary, to implement the necessary changes well before commencement of the GDPR.

We take a closer look here at the GDPR and its implication for Australian businesses processing EU personal data / global organizations operating in Australia with the required relationship to the EU, who handle personal information of EU/UK citizens.

So, what is GDPR?

You will no doubt have read multitudes of reports and analysis on this new legislation and what it may mean for both European and global organizations. In brief, the GDPR is a wide-ranging piece of (directly applicable) privacy legislation recently adopted by the EU institutions, which mandates a significant rise in personal data protection compliance obligations for all organizations coming within its reach – both inside and outside the EU.

Notably, due to its new extra-territorial effect, a large number of global organizations operating across borders who were not previously caught by the existing regime will be affected. This will also be directly applicable in the UK for a period, despite Brexit considerations. It is widely accepted that the same / a similar regime will apply in the UK post-separation.

The GDPR was adopted on 26 April 2016 and is due to come into effect on 25 May 2018. As the legislation took over five years of intense lobbying and debate (inside & outside the EU) prior to its adoption, there are a number of interpretative issues and unanswered questions (including extra-territorial issues). Although only less than a year to go, guidance to date has been relatively sporadic from the EU.

Why is GDPR so important?

There are some key reasons:

The significantly increased fines for personal data breach for all organizations caught by GDPR (of up to €10-20mil or 2-4% of global annual group turnover) means that it is a group board-level issue for many organizations. Non-compliance in even smaller companies in a group may lead to significant ramifications where GDPR applies to that group / company within the group
A host of new obligations on data controllers and data processors (for the first time) are introduced, which include enhanced rights for individuals to their data, data portability obligations, the right to be forgotten, enhanced consent requirements to name only a few
Underpinning the GDPR are ‘accountability’ and ‘transparency’ obligations which require a holistic approach to be taken to privacy compliance – around the world. Getting prepared may require internal re-organization of each group member business activities and procedures – on a wholesale group basis
Even where a group / company may not currently fall within the scope of GDPR, continuous review and re-organization may still be required so as to avoid company activities falling under its scope in the future
A group / company’s partners and third party suppliers and customers may be caught by the GDPR and additional compliance requirements / contractual obligations on companies may be forthcoming from such organizations
Fundamentally, protecting the reputation and brand of the wider group where any breach or suspected data breach / security / information governance issues arise remains an ever-present and key driver

Why does GDPR concern Australian operations?

In determining whether activities fall within its geographical reach, the GDPR considers not only the location of where information is being processed (as was the case under the old EU Data Protection Directive), but now also the location of the individual whose data is being processed.

Under the existing regime, non-EU businesses only fall within the scope of the Directive if processing took place using equipment in the EU (e.g., using servers/ employees located in the EU). This will no longer be the test, and the ambit of the GDPR seeks to capture all processing of EU individual data, regardless of where such processing takes place.

The GDPR will apply to any Australian business who processes personal data:

“In the context of the activities of an establishment of any organization in the EU”
“Of EU individuals where the processing activities relate to the:
- Offering of goods or services to individuals in the EU (including where no payment is required); or
- Monitoring the behavior of individuals in the EU (where such behavior takes place in the EU)”

Both “personal data” and “processing” under GDPR are broadly interpreted and go much further than the analogous definitions of “personal information” and “handling” under the Privacy Act /APPs in Australia.

A review of your existing use, handling and processing of EU individual personal data and the targeting of services outside of Australia to the EU is recommended. Reviewing both existing and anticipated data flows (e.g., which may arise as a result of group company acquisitions, disposals or new third party contracts) is also recommended.

Referencing specific GDPR recitals, the OAIC provides some examples of GDPR application on Australian businesses that may fall under this test in its recently published Guide .

To determine if GDPR impacts your business, the fundamental question to ask at the outset is “Do you target EU individuals or organizations and if so, what percentage of personal information is processed related to such activities?” If you are likely to be at risk, the time to act to ensure compliance is now.

Enforceability?

This extra-territorial effect of GDPR has been well publicized (and criticized) and organizations outside of the EU are now taking stock to review their privacy compliance obligations.

While there are still question marks over the practical enforceability of the GDPR regime and its sanctions outside of the EU (with ongoing discussion of extra-territorial cooperation agreements with EU supervisory authorities), the OAIC has confirmed that it will continue to use its enforcement powers under the Australian Privacy Principles (APPs) where a privacy breach arises.

It has also recently confirmed that it is committed to internationally coordinated approaches to privacy regulation, recognizing that APP entities carry on their business globally and that personal information is regularly disclosed, handled and stored overseas. The OAIC also participates in several international forums and arrangements to promote best privacy practice internationally, address emerging privacy issues in Australia and cooperate on cross-border privacy regulation and enforcement matters.

As such, if an Australian business is found to contravene the GDPR in respect of data / security breach (for example) this may be sufficient to bring it to the attention of the OAIC, who may take action under the APPs in respect of that data / security breach (without prejudice to any EU enforcement capability).

While we have yet to see the full impact that GDPR will have on non-EU businesses, for market-leading organizations operating in Australia, reviewing your privacy compliance obligations with the GDPR will be crucial to ensure the protection of your reputation and brand and to minimize any risks of exposure to exponential fines and sanctions for breach.

As the Privacy Commissioner has confirmed, privacy and data protection is an area that is likely to see further change in the coming years for Australian companies. This is one area where organizations can get ahead of the game by applying additional measures under the GDPR (even where not mandatory / required) to enhance privacy practices, engage consumer trust and ensure consistent internal privacy practices, procedures and systems across all businesses.

We are currently completing GDPR gap analysis, data flow mapping and risk compliance audits for our clients and would be delighted to answer any questions you may have on this area and on whether GDPR is likely to impact your business in Australia.

Please see our resources which include key requirements and some practical tasks for implementation which can assist you to understand and comply with this new and significant impending legislation.

Posted in Uncategorized

Breach of Credit Card Numbers and CVV Numbers

By Jim Halpert on June 14, 2017

Written by Anne Kierig and Jim Halpert

In a move that affects businesses that suffer breaches of credit card data, 15 State Attorneys General took the position in a letter released Monday that a data breach of state resident name plus payment card number alone without acquisition of the card’s CVV number is “personal information” sufficient to trigger a notification obligation in their states. This clarification by the 15 state AGs may affect the way companies secure financial account number data.

In the letter to Aptos, Inc., in response to a “FAQ” circulated by the company, the AGs of New York, Connecticut, Colorado, Pennsylvania, Virginia, Mississippi, Illinois, North Carolina, Kentucky, Oregon, Iowa, Arkansas, Washington, Maryland, and Minnesota wrote that Aptos was incorrect in its view that “there is no obligation to notify in those states – ‘the account number plus CVV’ states – if your customers’ CVV data was not exposed”. The AGs clarified unequivocally, “The CVV number does not have to be disclosed to trigger our states’ notification obligations.”

As an example, the Attorneys General cited New York data breach law, which provides for notice when personal information plus an “account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account” is acquired by a unauthorized third party.[1] The AGs stated, “A CVV code is not ‘any required security code’ because a credit card owner, and thus an identity thief, can use a credit card without it.” While this is typically not true of remote transactions in the U.S., the AGs provided examples of several popular websites that they say do not require a CVV to make a purchase.

Many businesses have held the view that identity theft or fraud could not occur absent acquisition of the credit card number and the CVV. Accordingly, if the CVV was not acquired, they had thought a notification obligation would not be triggered. Companies expend substantial resources securing personal information that could potentially cause harm if acquired by a bad actor. The AGs’ letter may change the way companies protect payment card data elements without CCV code with regard to customers in these 15 states and elsewhere.

[1] N.Y. Gen. Bus. Law § 899-aa(1)(b)(3) (emphasis added). The fourteen other states whose AGs signed the letter have virtually identical language in their data breach statutes.

Technology's Legal Edge^® is a blog about global technology, sourcing and privacy issues facing companies across the globe. We offer timely legal perspectives on cutting-edge issues in these dynamic areas of law. The blog is managed by DLA Piper lawyers Jennifer Kashatus and Anne Friedman.

Contributing authors to the blog include members of DLA Piper's leading global Technology Transactions and Strategic Sourcing practice. We also offer some country specific blogs (see blog links below). Many of the blog's contributors have been recognized by prominent legal directories such as Chambers Global, Chambers USA and Legal 500 USA. The co-chairs of DLA Piper's global Technology, Sourcing and Commercial group are Vinny Sanchez (based in the US) and Kit Burden (based in London).