As we look around in the mid part of 2018, the outsourcing industry is in something of a state of flux. There are certainly plenty of challenges. In the UK at least (and particularly vis-à-vis the public sector), a harsh spotlight is being shone on outsourcing. Similarly, the wider global movement towards protectionism and national insularity is also affecting outsourcing (with visas for workers becoming ever more difficult to come by). The technical foundations for many outsourced services have also shifted, with automation and AI making far-reaching changes to the mode of service delivery, and cloud-based offerings increasingly competing with more traditional managed service models.
On a more positive note (and it is good to keep a sense of balance!), the capabilities of these new technologies are also opening new doors and making outsourcing viable in relation to organizations and types of services which previously might not have been considered as potential outsourcing candidates. At the same time, the potential returns are increasing for providers and customers alike; the scope of BPO offerings continues to expand, and there are more geographic options available than ever before (not just because of the growth of service capabilities in places like South Africa, but also because the move towards digital rather than carbon labor means that labor arbitrage – and the bias toward such locations as the Philippines or India – is less of a factor than it used to be).
At the same time, we are seeing some interesting challenges in the negotiation of contract terms for such deals.
Perhaps the most obvious candidate is the apportionment of responsibility and risk associated with data and data privacy. This is at its most acute in the EU owing to the arrival of the General Data Protection Regulation (GDPR) and its much publicized 4 percent/2 percent of global turnover fines. It would be a mistake to consider just the GDPR: laws and regulations around cybersecurity and protection of both personal and non-personal data are also high on the scale as board-level concerns. We are seeing far greater levels of attention being given to data breaches that attack prominent companies, and inevitably such breaches make people ask who has the means to help guard against such breaches, and who should bear responsibility if they arise.
This is a particularly difficult issue, because no system is ever 100 percent secure. Unfortunately, during such a stressful time, hindsight has its attractions; it is easy to look back and claim that if a breach of security occurred, then the steps taken to prevent it must have been defective or insufficient.
While customers are looking to raise their levels of protection in this regard (eg, arguing for unlimited liability, and potentially on an indemnity basis), the service provider community has understandably been moving in the opposite direction. Even though data protection losses might historically have featured in some of the lists of unlimited liabilities, they now tend to be either lumped with the more general limit of liability, or (more frequently) proposed to be subject to a separate data-specific cap.
There are a number of aspects of this separate cap which remain to be worked out in terms of what might ultimately become a market norm, including:
- How does the cap deal with other interlinked liabilities (eg, does it cover just claims from data protection regulators, claims from data subjects, internal rectification and remediation costs? Does it cut across the confidentiality obligations? And does it cover solely personal data, or other data related liabilities as well?)
- What should the cap’s quantum be? Is it to be set as an absolute figure, or by reference to some multiple of the contract charges?
- Would the cap then be separate and free standing, or operate as an uplift to the normal limit of liability, which would have to be exhausted first?
Another key challenge: the impact of the cloud, not so much in terms of cloud offerings taking the place of traditional outsourcing arrangements, but more in the context of the use of cloud-based services as part of the supply chain (such as where an outsourced service provider uses the services of a third party to provide IaaS or PaaS capacity and flexibility as part of the foundation for the end-to-end outsourced service).
The issue in this regard is that the providers of such services – and they are becoming ever more prominent and powerful – tend to be very restrictive in their contract terms, not just regarding liability-related provisions such as limits of liabilities, warranties and service levels (on which an outsource service provider could in any event take a view as to what degree of “prime contractor risk” it is willing to bear), but also regarding the kinds of provisions that the outsource service provider might actually need to flow down, if it is to be able to strictly comply with its own obligations to its end customer (with audit rights being a particular example).
We increasingly see outsource service providers trying to limit their liabilities and obligations in this regard to apply only to the extent that they have in fact been able to flow them down to the relevant cloud provider. This is clearly a somewhat unpalatable position for the customer. Resolving the related negotiations will be a matter of bargaining leverage as opposed to whether one party is “right” or “wrong” regarding the way the issue should be addressed. This trend, however, also is giving rise to an increase in more multi-source style arrangements, whereby the customer itself may enter into the contract with the cloud service provider rather than having the main outsource service provider acting as prime contractor in relation to those services (ie, on the principle that if the customer gets no additional contractual benefit from having the outsource service provider in the contract chain, it might as well retain the flexibility of having a direct link to the cloud provider and also avoid any potential margin on costs that the outsource service provider might otherwise have levied).
And so we come to liability provisions. From one point of view, and with the possible exception of data-related liabilities as referred to earlier, one could argue that there is no particular reason why the contractual approach to liability provisions in outsourcing agreements should be subject to any substantial revisionist thinking. However, there are solid reasons why one should keep an open mind in this regard. After all, the setting of liability limits has historically always been (at heart) about balancing risk and reward, and that balance is certainly shifting, not least in the light of some of the factors mentioned in this post. Just as outsource service providers might be looking to reduce or limit more of their potential liabilities, sophisticated customers are also reviewing their approaches. Blanket exclusions of loss of profit, for example, while still very common, are more often challenged. Customers with operations in both civil and common law jurisdictions are also inclined to ask why they can potentially recover uncapped liabilities when due to “gross negligence” in one country, but not another, even though the services are the same and are even potentially provided by the same supplier. As a further step, one might imagine that a similar challenge might be made in respect of absolute exclusions of indirect loss (a common law concept which is not similarly viewed in civil law jurisdictions).
So, this is all good news for those of us engaged in the negotiation of outsourcing contracts (for both supply and buy sides) – after all, coming up with solutions for new problems and challenges is how we keep our minds young!