A decision of the Italian privacy authority on the illegal collection of data on criminal convictions of employees raised the issue on a practice that is quite common.
Virtual currency for the 1st time falls under Italian anti-money laundering law with the decree implementing the European 4th AML Directive.
Privacy risks can arise from the usage of new technologies by employees at work and require a deep assessment especially in the light of the General Data Protection Regulation.
The Digital Economy Act finally became law prior to the dissolution of parliament at the start of the general election campaign. The Act contains within its pages the new Electronic Communications Code, which has been awaited for years and which many argue is essential to ensure the law is equipped to deal with advances in technology.
However, not all of the Act’s provisions have come into force immediately and indeed, the new Code will only start to operate once it is brought into effect by regulations made by the Secretary of State. Some regulations (The Digital Economy Act 2017 (Commencement) Regulations 2017) have recently been made, but these do not bring into force the new Code.
In that respect, our recent enquiries with the Department for Culture, Media & Sport as to when the Code will become law elicited these responses:
“There are a number of factors to consider, including supporting regulations, Codes of Practice etc. We are considering all aspects of implementation in order to achieve the most swift and appropriate approach, and will update stakeholders on commencement in due course.
We are … bringing into force measures to improve digital connectivity across the UK, starting the implementation of the new electronic communications code to assist operators to develop new infrastructure…in summary we have commenced the code for the purpose of making regulations over the autumn. Once we have those in place full commencement will follow.”
Given the turmoil thrown up by the election result and the more immediate issues the government is facing, including Brexit, the new Code could still be some way off, meaning that the existing Code continues to regulate arrangements for the installation of telecoms equipment.
The new Code introduces (whenever it finally becomes law), inter alia:
- Rents/compensation: it is thought that the new Code is likely to decrease the rents/compensation received by landowners from telecoms operators as the rents/compensation will be based on the land’s value to the landowner not the operator.
- Site sharing and assigning: operators will have rights to assign agreements and to share or upgrade apparatus without requiring the consent of the landowner, thus reducing the landowner’s control.
- Security of tenure: the new Code contains provisions to ensure there is no overlap between the security of tenure rights granted to business occupiers by the Landlord and Tenant Act 1954 and similar protection that telecoms operators can claim under the Code.
- Dispute resolution: the new Code can provide for a more specific dispute resolution procedure where the parties cannot agree terms.
- Conferral of Code rights: An operator will be able to apply to the Court for the grant of interim code rights for a certain period of time or until a certain event takes place.
- Termination: new, more lengthy, notice procedures for terminating Code agreements.
- Retrospectivity: existing agreements will not be covered by the new Code.
We will report further once the new Code finally comes into force…
Rob Shaw, Senior Associate and Ben Rogers, Legal Director
Outsourcing agreements might considerably change with the usage of IoT and artificial intelligence technologies.
With the meteoric proliferation of “Internet of Things” (IOT) devices, there are an increasing number of innovators and inventors bringing “smart” products to market that capitalize on connectivity in ways never before imagined. While a great deal of resources are typically applied to research and development, marketing, production, distribution and customer awareness, the essence of most IOT devices is wireless communications so attention must be given to the Federal Communications Commission (FCC) regulations on radio emissions. Each year the FCC levies tens of millions of dollars in penalties for violations of its rules—rules that encompass activities and devices in ways that may not be immediately obvious. We have set forth some basic guidelines to help start-ups, investors, and even established manufacturers make sense of the FCC’s requirements.
Without further ado, ten things the FCC cares about:
Things that intentionally emit radiofrequency (“RF”) energy.
This may seem obvious, but the FCC regulates devices that use RF intentionally, such as cellphones, walkie-talkies, and Wi-Fi, Bluetooth and Zigbee transmitters. Such devices must comply with the FCC’s equipment authorization procedures, which ensure that the device conforms with specified technical standards that help limit the potential for interference to other spectrum users. Compliance with the FCC’s equipment authorization rules is most often demonstrated by a permanent label affixed to the device showing the FCC’s mark and the product’s FCC identification number.
Things that unintentionally emit RF.
It’s fairly obvious that the FCC would have jurisdiction over the manufacture and marketing of wireless communications devices. Less obvious is its authority to control the importation and marketing of devices that emit RF energy unintentionally. Nearly all devices with digital componentry are implicated – computing devices, smart appliances, video monitors, power supplies, and similar products. These devices must be tested by an accredited test lab facility to ensure compliance with applicable technical standards before they can be imported and marketed in the United States.
Things that incidentally emit RF.
There’s even a third category of devices that fall within the FCC’s purview. Incidental radiators include devices that are not designed to intentionally use, generate or emit RF energy over 9 kHz. Devices such as AC motors and fluorescent lighting are exempt from FCC test requirements but manufacturers must still use good engineering practices to limit, to the extent possible, the interference effects from such devices.
Importation of RF devices.
While it is tempting to assume that someone else in the supply chain has ensured conformity with the FCC’s rules, companies need to be proactive regarding FCC compliance when importing radio products. With only very limited exceptions, the FCC rules require that devices brought into the U.S. have appropriate FCC equipment approvals. Failure to do so may result in critical components being seized at the border. Even if the products are not stuck in a customs warehouse–with the amount of offshore manufacturing that is done today, there may be instances where products without appropriate approvals are delivered in the U.S. and escape customs notice–the subsequent sale of those devices in the U.S. will violate FCC regulations and may subject the seller to fines.
Modification of OEM RF devices (triggering new approvals).
Even where a company has obtained an equipment authorization from the FCC, appropriate attention has to be paid to the evolution of the product over time, since certain changes can require the manufacturer or seller to obtain a new authorization. As a rule of thumb, changes that alter the physics of the RF emissions should be carefully reviewed under the FCC’s rules, as they often trigger the need to seek new approvals. Complicating matters even further is the practice of integrating components that have received their equipment authorization as stand-alone modules. The final assembled product may have its own testing and labeling requirements even though it is comprised of approved parts.
Marketing of RF devices.
Today, speed to market often means that companies would like to pre-market products—whether to support a crowd-funding initiative or as a means to capture market share. In general, however, the FCC greatly restricts the marketing of RF devices before they complete the approval process. The FCC has been known to walk the floors at trade shows to inspect whether new products are being displayed to potential customers impermissibly prior to receiving proper approvals.
Experimenting with RF devices.
Development of new products invariably requires experimentation, and when that experimentation involves radiation of radio energy, an FCC license is typically required. While the FCC generally freely grants experimental licenses for private testing, the experimental rules impose added limitations on what can be done with experimental products when it comes to market tests and trials, which require special authorizations.
Most innovators today would like to capitalize on a global product market, but RF regulations differ from country to country. That being said, there are radio bands that are more or less standardized from region to region, and considering global regulatory issues at the initial stages of product development may save headaches down the road. With its global telecommunications capabilities, DLA Piper’s telecom practice is able to assist with international compatibility and market entry surveys.
Transfer of RF manufacturing assets.
Whether you are an investor looking to fund an IOT venture, a business acquiring a start-up, or an innovator looking for equity backers, FCC regulated companies require special considerations. To the extent a company has licenses, FCC consent or notice may be required—in some cases prior to closing—for transactions that involve transfers of control or assignment of assets. In addition, FCC regulated companies implicate specialized due diligence in transactional scenarios.
Devices that create networks.
As a final matter, even if the RF components of a device are not FCC regulated—or are FCC regulated but the company has taken appropriate actions—the FCC might be implicated in other ways. Specifically, in addition to regulating radio, the FCC also regulates telecommunications—communications networks and network providers. This becomes important because if IOT or connected products are sold bundled with communications capabilities acquired from third parties, the seller may be subjecting itself to regulation as a carrier—that may result in the need to obtain special authorizations, to pay into carrier-funded social programs like the Universal Service Fund, or to comply with other regulations. DLA Piper’s telecommunications team routinely advises companies on structuring communications activities in ways that avoid carrier regulation by the FCC.
The Colorado Division of Securities has adopted new cybersecurity rules applicable to broker-dealers purchasing securities in the state and investment advisers who do business in the state.
The rules, which are substantially less prescriptive than the NYDFS Cybersecurity Regulations, came into effect on July 15. The rules establish general guidelines for reasonable cybersecurity practices and mandate a number of specific practices. Here are a few key features of the Colorado rules:
“Confidential Personal Information.” The Colorado rules require cybersecurity procedures to protect “Confidential Personal Information,” which is defined as first name or first initial and last name in combination with one or more of the following data elements: 1) Social Security number; 2) driver’s license number or other identification card number; 3) account number or credit or debit card number in combination with a security code, access code or password allowing access to a Colorado resident’s financial account; 4) digitized or electronic signature of an individual; 5) user name, unique identifier or email address combined with a password, an access code, security questions or other authentication information for accessing an online account. Publicly available information, lawfully made available to the public from government records or widely distributed media, is not Confidential Personal Information.
Reasonable cybersecurity practices. Broker-dealers and investment advisers are required to “establish and maintain written procedures reasonably designed to ensure cybersecurity.” Factors that the Colorado Division of Securities may consider to determine whether a broker-dealer’s or investment adviser’s cybersecurity procedures are reasonable include the firm’s size; its relationship with third parties; its policies, procedures and employee training about cybersecurity practices; its authentication practices; its use of electronic communications; whether it automatically locks devices that have access to Confidential Personal Information; and its process for reporting lost or stolen devices.
Specific practices. In addition to these factors, broker-dealers’ and investment advisers’ cybersecurity procedures must include several specific practices:
Annual assessment. Broker-dealers and investment advisers must incorporate cybersecurity into their risk assessments. Additionally, broker-dealers and investment advisers must conduct an annual assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of Confidential Personal Information. The rules do not require that the risk assessment be conducted using an independent third party.
Secure email. Broker-dealers’ and investment advisers’ cybersecurity procedures must provide for the use of secure email, including encryption and digital signatures, for any email containing Confidential Personal Information.
Authentication. Broker-dealers and investment advisers must adopt practices to authenticate both client instructions received via electronic communications, and employee access to electronic communications, data and media. The rules do not specify what type of authentication must be used.
Disclosure. Finally, broker-dealers and investment advisers must disclose to clients the risks of using electronic communications, though no specific language is prescribed.
Comparison to the New York financial services cybersecurity rule
Overall, the Colorado cybersecurity rules represent a less prescriptive approach to cybersecurity regulation than the New York Department of Financial Services (NYDFS) cybersecurity rule, the only other broadly applicable state cybersecurity rule to date. Whereas the NYDFS prescribes detailed, rigorous cybersecurity practices, Colorado requires that cybersecurity practices be “reasonable” and establishes only a handful of higher-level requirements. The NYDFS rule, for example, requires conducting penetration testing and vulnerability assessments, whereas Colorado instead simply requires a broker-dealer or investment adviser to include cybersecurity in its risk assessment. While New York requires multi-factor authentication or risk-based authentication, Colorado, as noted above, simply requires authentication, without further parameters.
The reasonableness standard under the Colorado rules is consistent with FTC guidance on reasonable security, an approach which provides the flexibility to both innovate and adapt the requirements to the entity’s specific circumstances.
“Covered Entities.” Whereas the NYDFS rules apply to a wide range of regulated banking, insurance, and financial services companies (“Covered Entities”), the Colorado cybersecurity rules apply only to broker-dealers and investment advisers. Additionally, the Colorado rules do not include requirements for third party vendor management.
Nonpublic Information vs. Confidential Personal Information. The NYDFS rule requires companies’ cybersecurity practices to protect all nonpublic information, which includes not only the kinds of “breach notice” personal data protected as Confidential Personal Information by the Colorado rules, but also certain health information and any nonpublic information that could affect a Covered Entity’s business, operations, or security in the event of a breach, which is a far greater universe of information.
Breach notification. Covered Entities must notify NYDFS within 72 hours of a breach. After soliciting comments from the public and holding a hearing, Colorado removed the breach notification requirement originally included in the rules proposed in April.
Encryption. NYDFS requires nonpublic information to be encrypted both in transit and at rest. The Colorado rules only explicitly require encryption when Confidential Personal Information is transmitted by email.
The Colorado cybersecurity rules should not present broker-dealers and investment advisors with overly costly, detailed or burdensome changes. There is ample flexibility under the rules allowing these entities to tailor their compliance based upon their business. Finally, the overall approach under the rules does not deviate significantly from existing obligations pursuant to rules and guidance issued by federal functional financial regulators and the FTC.
Note: the rules do not limit the “identification card number” to government-issued IDs.
This note consolidates the information we have available on the current (July 2017) status of telecoms regulators’ consideration of zero-rated offers in Europe. See also our other posts on zero-rating.
- Many European regulators are yet to consider the issue of net neutrality and zero-rated services following the 2015 Regulations. For those who have reached decisions since the introduction of the 2015 Regulations, most seem to have concluded that as long as the service provider does not discriminate between zero-rated services and non-zero-rated services once a user’s data cap is reached, the service provider’s zero-rated offerings will be found to be in compliance with the 2015 Regulations. If, however, the user is permitted to continue using the zero-rated services after reaching a data cap, the BEREC guidelines (which say that allowing a zero-rated service to continue when others are blocked is an automatic per se breach) have been followed.
- So far it appears that only Belgium has conducted a full “multi-factor analysis” as required under the 2015 Regulation.
- Regulation (EU) 2015/2120 on open internet access (“2015 Regulation”) introduced EU-wide provisions on net neutrality with application from 30 April 2016. Article 3(1) says: “End-users shall have the right to access and distribute information and content, use and provide applications and services, and use terminal equipment of their choice, irrespective of the end-user’s or provider’s location or the location, origin or destination of the information, content, application or service, via their internet access service”.
- The 2015 Regulation does not expressly prohibit “zero rating” services (ie the practice of not depleting a customer’s data bundle when they use certain services), but Recital 7 and Article 3(2) of the 2015 Regulation state that national regulators “should be empowered to intervene against agreements or commercial practices which by reason of their scale, lead to situations where end users’ choice is materially reduced in practice”.
- Also, Article 3(3) states that “providers of internet access services shall treat all traffic equally, when providing internet access services, without discrimination, restriction or interference, and irrespective of the sender and receiver, the content accessed or distributed, the applications or services used or provided, or the terminal equipment used”.
- The Body of European Regulators for Electronic Communication (“BEREC”) published guidelines on 30 August 2016 which state (at paragraph 46) that regulators should conduct a “comprehensive assessment” before determining if a commercial practice limits the exercise by end users of their rights under Article 3(1).
- These guidelines also say (at paragraph 41) that if a service provider blocks all applications once a data cap is reached except for the zero-rated ones this would be a per se infringement.
- The summary below, organised by national regulator, shows how the issue of zero-rating has been treated in practice, so far, in the EU. For each regulator it gives the zero-rated service concerned, the treatment of that service by the regulator, and the outcome.

RTR (Austria)
Zero-rated service: the mobile operator’s own TV streaming service (3MobileTV). The zero rating did not apply to other TV streaming services.
- On 5 October 2016, Epicenter.works (an NGO set up with the aim of combating data retention and safeguarding human rights) filed a complaint to the RTR against mobile operator Hutchison Drei Austria GmbH (commonly known as the mobile network 3) (“3”).
- Epicenter.works complained that 3’s plans, which allowed users to access zero-rated services operated by 3 after reaching their monthly cap, violated net neutrality principles. 3 subsequently amended its offerings so that the zero-rated services cannot be used once the user has reached their monthly data cap, and as a result it appears that the RTR will not need to make a decision. We have confirmed this via contacts with 3 in Austria.
- Outcome: unclear, as 3 amended its offerings before the RTR began its investigation.

BIPT (Belgium)
Zero-rated service: Proximus: users choose one of Facebook, WhatsApp, Snapchat, Instagram, Twitter and Pokemon Go to be a zero-rated app.
- On 30 January 2017, the BIPT published a report containing its “multi-factor analysis” of the zero rating offers provided by Proximus (a Belgian telecoms company) and found that Proximus’ zero rating offers comply with EU net neutrality laws. Note that Proximus does not treat access to zero-rated apps differently from general internet access once a user reaches their monthly data cap.
- The BIPT emphasised the fact that, by comparison to cases in Hungary and Sweden, Proximus’ offer allows users to choose an app that will be zero-rated until the user’s monthly data cap is reached, but once the cap is reached, access to all apps is restricted. For this reason, Proximus’ offering was found not to be discriminatory with regard to its treatment of data traffic.
- Outcome: in this case, Proximus’ zero rating offers were deemed to be compliant with the 2015 Regulation.

NMHH (Hungary)
Zero-rated services: Magyar Telekom: OTT internet video services (eg mobile/OTT TV Go and HBO Go), and in particular its ‘unlimited TV and film’ monthly fee option. Telenor Hungary: social media apps, including its ‘MyChat’ IM app, its ‘MyMusic’ service and online radio stations.
- Magyar Telekom: in December 2016, following an investigation that was concluded on 21 November 2016, NMHH ordered Magyar Telekom (Hungary’s largest telecoms company) to suspend its zero-rated offers because it found them to be discriminatory. It is unclear whether Magyar Telekom has suspended its zero-rated offers.
- Telenor Hungary: in December 2016, NMHH concluded that the zero rating offer provided by Telenor Hungary (Hungary’s second largest mobile phone operator) of certain social media, music and radio apps infringes net neutrality rules. NMHH said that Telenor’s offers created a disadvantage for other competing apps because users would be encouraged to choose the zero-rated apps selected by Telenor rather than competing ones, as a supplement would be payable for competing apps once the users’ monthly data cap was exhausted. It is unclear whether Telenor Hungary has suspended its zero-rated offers.
- Outcome: the zero-rated services offered by both Magyar Telekom and Telenor Hungary were found to infringe EU net neutrality principles.

NPT (Norway)
Zero-rated service: n/a.
- The NPT’s third principle in its 2009 Guidelines for Internet neutrality states that “Internet users are entitled to an Internet connection that is free of discrimination with regard to type of application, service or content or based on sender or receiver address”, with the guidance to this principle stating that there must be no unreasonable manipulation or degradation of traffic for individual data streams. The 2009 Guidelines do not, however, directly address the issue of zero-rated services.
- In November 2014, the Norwegian Communications Authority published an article clarifying its stance on zero-rated services. The article states as follows: “The Norwegian guidelines on net neutrality state quite clearly that ‘Internet users are entitled to an Internet connection that is free of discrimination with regard to type of application, service or content or based on sender or receiver address.’ This means that in the Norwegian market zero-rating would constitute a violation of the guidelines … The Norwegian Post and Telecommunications Authority (NPT) has long been working actively for net neutrality for the benefit of Norwegian consumers, organisations and businesses. The Internet is important to economy, cultural diversity, social life and democracy, and NPT therefore works to preserve the Internet as an open platform. Internet service providers should use methods other than discrimination of content and/or applications to differentiate their products. One possibility is differentiation on the basis of speed, in line with the Norwegian guidelines on net neutrality.” This suggests that zero-rated services would be held to violate the 2015 Regulation, although it is not clear whether the NPT would find all zero-rated services to be in violation, or, for example, only those services which discriminated data traffic after a user reached their data cap.
- Outcome: no specific cases considered under the 2015 Regulation.

AKOS (Slovenia)
Zero-rated services: Telekom Slovenije: the music app Deezer. Si.mobil: the cloud storage service Hangar Mapa.
- In January 2015, AKOS prohibited the zero rating offers provided by Telekom Slovenije (Slovenian telecoms company) and Si.mobil (Slovenia’s second largest mobile operator), which permitted the use of the music app Deezer and cloud storage service Hangar Mapa, respectively.
- Administrative court decision: following Telekom Slovenije and Si.mobil’s appeal against AKOS’ decision of January 2015 (see above), in July 2016 the administrative court annulled AKOS’ decision and returned the matter to the regulator. The court held that the Slovenian Electronic Communications Act does not prohibit zero rating outright and that the regulator had not based its decision on any determination of harm to end-users, but on an incorrectly assumed legislative prohibition of positive price discrimination.
- In November 2016, AKOS reissued its decision on Telekom Slovenije and Si.mobil, deciding that offers which throttle all traffic except zero-rated traffic once users reach their monthly limit violate the provisions of Slovenian net neutrality rules.
- Outcome: by contrast to the administrative court, AKOS found that the zero-rated services offered by both Telekom Slovenije and Si.mobil violated net neutrality laws.

PTS (Sweden)
Zero-rated services: Telia: ‘free surf on social media’ service and ‘free surf listening’ music service.
- Telia: in January 2017, the PTS found that the zero rating offers provided by Telia (a large Swedish telephone company and mobile network operator) violated the 2015 Regulation because they did not treat internet access equally and failed to comply with BEREC guidelines by blocking competing apps when the monthly cap was reached.
- Telia court decision: on 8 March 2017, the court suspended the PTS’ decision of January 2017 (see above) on the basis that it is uncertain whether an immediate discontinuance of Telia’s services would have substantial negative effects for Telia’s end users. The court did not, however, assess the question of net neutrality and the application of the 2015 Regulation.
- Hi3G: the PTS also opened an investigation into a zero rating offer from Hi3G (a Swedish telecoms operator) for music streaming services, which did not block the zero-rated services when the user’s data cap was reached. In December 2016, Hi3G informed the PTS that it would change its zero rating offer to comply with the 2015 Regulation. No further action appears to have been taken by the PTS in this case.
- Outcome: the services offered by Telia were found by the PTS to infringe EU net neutrality principles, but the focus appears to be on traffic management rather than zero-rating.

ACM (Netherlands)
Zero-rated services: Vodafone: streaming of the app HBO Go. T-Mobile: music streaming services.
Pre-2015 Regulation:
- Vodafone: in January 2015, the ACM issued a fine against Vodafone, stating that its zero-rated app HBO Go infringed national laws on network neutrality.
Post-2015 Regulation:
- T-Mobile: in October 2016, the ACM requested that T-Mobile stop its zero rating offer on music streaming services. This was despite the fact that T-Mobile’s zero rating offer includes any music streaming service, and is not restricted to selected apps.
- T-Mobile court decision: on 20 April 2017, the Dutch court ruled that the Netherlands law was not consistent with, and has been superseded by, the 2015 EU Regulation. This meant that the T-Mobile service can continue until such time as ACM re-opens the matter and conducts a thorough analysis of the service under the 2015 Regulation.
- On 23 May 2017 ACM said that it had begun a new investigation under the 2015 Regulation. This is ongoing.
- Outcome: in both cases, the ACM blocked zero rating offers on the basis of a Dutch law pre-dating the 2015 Regulation. T-Mobile’s appeal makes clear that the 2015 Regulation supersedes Dutch law and so the regulator must conduct a specific analysis before banning a service. The new ACM investigation is ongoing.

AGCOM (Italy)
Zero-rated services: Wind Tre: “Music 3” music service; and the Veon app (customer care and messaging).
- On 15 March 2017 AGCOM launched an investigation into these two services offered by Wind Tre, both of which work so as to allow the zero-rated application to continue even after a data bundle is used up.
- Outcome: zero-rated apps (which continue after the data cap is used up) currently appear to be considered unlawful by AGCOM. Awaiting news of Wind Tre’s next steps and possible appeal.

Bundesnetzagentur (Germany)
Zero-rated service: Deutsche Telekom: StreamOn (zero-rated music, and also video for some customers).
- On 16 May 2017 the German regulator Bundesnetzagentur opened an investigation into whether this service infringes the 2015 Regulation. It applies to a wide range of music and video services.
- Outcome: pending the result of the investigation, StreamOn continues and has expanded (as of July 2017) to around 50 content partners.
Top 20 Do’s and Don’ts for Outsourcing Deals: the Customer Perspective
|Do allow enough time for the procurement and negotiation process
If you run out of time, you will have to compromise on detail and thoroughness….which you will likely end up paying for many times over further on down the track.
|Don’t hide known service issues or defects
Service providers don’t have a magic wand to wave; while they may be able to plan for dealing with known issues, anything which is hidden from them will likely trip them up, but then impact upon service quality…and ultimately you should want good service delivery, not a contractual remedy.
|Do remember that there are two sides to every business case
While you obviously have savings targets to deliver, the service provider also has to make a profit; if it is squeezed too hard, it will inevitably either end up looking to cut corners/compromise on quality, or else look to recover margin by an inflexible attitude to change control.
|Don’t negotiate to “win” every point
Of course, the contract needs to protect your vital interests, and not every contract can be entirely “win-win” on every single point (the size of the liability cap being a good example!). However, pushing the service provider to accept unnecessarily onerous provisions can lead to the loading into the price of excessive risk premium, and may force the service provider to “manage to the word of the contract” in future, for fear of falling foul of the sanctions which have been imposed.
|Do treat DD seriously and provide detailed information
It is inevitable that the service provider will want to have detailed information concerning the services it is being asked to take on; rather than scrabble around later, it is best to invest the effort in gathering this information up front.
Don’t forget about the people aspects
If there are staff implications (e.g., redundancies or TUPE/ARD transfers), do you really want to be announcing them in the run up to Christmas….? How you deal with transferring personnel will inevitably influence how you are seen by your retained employees (and their Unions, where relevant).
Do undertake “stress test/destruction test” sessions prior to contract signature
No matter how well drafted or negotiated, there is a near inevitability that some points or potential scenarios will have been missed; by having Q and A sessions with people who have NOT been involved with the negotiations before and who will be involved with its operation in practice, you stand a chance of flushing some out prior to signature.
Don’t allow for the opportunity of “executive side bars/unstructured escalations”
You’ve sweated blood to negotiate a key point…and then get a memo from a senior exec who has had a briefing from his equivalent from the service provider as to how “unreasonable” the customer negotiation team is being, and how you should “show some more flexibility/stop being so hard”. Even if the perception can be reversed, the effect is both dispiriting and diverting.
Do get key contract provisions (and ideally the main proposed contract terms) out to bidders as early as possible
A customer’s bargaining leverage is never better than at the outset of the process, when there are multiple bidders “in play” who will be keen to differentiate themselves as against the other bidders; getting detailed contract responses also enables an early view to be taken as to what points can be fairly pushed for, and what might be beyond the boundaries of current market practice.
Don’t forget that even the best deals will eventually come to an end
The old analogy of outsourcing projects being like a marriage is a good one (i.e., they are – or at least should be! – long term, and both sides need to work hard at them). However, they then need to be marriages with a pre-nup, as all outsourcing projects must eventually come to an end, even if that ending may be an amicable one at the end of the day.
Do plan to make effective use of executive inputs and escalations
The core negotiation team should obviously look to resolve and agree as much of the contract as possible; however, once the outstanding points have been reduced to a manageable shortlist, there is a lot of merit in involving the executive stakeholders to gain an early resolution of them so that they don’t remain simply “parked”, and potentially slow down progress on the remainder of the negotiations.
Don’t duck difficult issues by deferring them to later discussion/agreement
Having some level of “agreements to agree” is probably inevitable in any large scale project. However, one should be wary of leaving any key points still to be determined on this basis, post contract signature (when the customer’s bargaining leverage can only be less than it would have been, pre-signature). In any event, one has to ask the question of what will happen if agreement CANNOT then be reached; will there then be, for example, a termination right or an ability to defer to an independent third party, or will there simply be a risk of deadlock?
Do allow for as much flexibility as possible
Nobody has a crystal ball, and much will change over the lifetime of an outsourcing deal. The contract should accordingly provide mechanisms for dealing with change as simply and transparently as possible; pricing regimes in particular are prime candidates to be set up to flex in line with volumes of demand.
Don’t forget that prevention is better than cure
Whilst having robust contractual remedies against a service provider will provide comfort and a level of assurance that the service provider will keep trying really hard, nonetheless investing in the services (and contract drafting) to make sure that problems are less likely to arise in the first place is always going to pay dividends; this ranges from taking the time to develop clear divisions of responsibilities in the Services Schedule, through to making sure that the business continuity services have been fully scoped (and funded).
Do ensure that you fully understand the supply chain and subcontractor dependencies
Having the prime contractor “on the hook” contractually is one thing, but from a business continuity perspective, it is much better to understand where the potential vulnerabilities and dependencies lie, and what the contingency plans are to deal with them (e.g., if a smaller – but key – subcontractor were to go broke).
Don’t refuse to accept/close your eyes to your own ongoing responsibilities
It genuinely does take two to tango; even though you may have outsourced the core delivery responsibility, the service provider will inevitably still have dependencies upon the customer, if only for the provision of information or direction. If you would not have refused such assistance to a colleague, why refuse it to your service provider?
Do ensure that there is a robust (but not unnecessarily complex) governance structure
Management of both the contract AND the wider relationship is key; it is almost inevitable that some issues will arise, and the contract should help ensure that there is sufficient transparency for them to be surfaced early, and to the right people.
Don’t put the contract in the bottom drawer
Living to the letter of the contract can be destructive and unnecessary. However, even worse is simply setting the contract to one side and forgetting what it contains (and which may have taken months to negotiate). You may think that you will be able to manage through any issues on a “relationship” basis, but you will likely then have an unpleasant surprise if this doesn’t work out in practice, and you then find that you have effectively lost rights you would otherwise have had, simply by not following a contractual process.
Do ensure that you have sufficient skills and resource to manage the contract once signed
It is a mistake to assume that just because you had people who were performing the outsourced tasks previously, then logically they would be the best people to manage it post outsourcing. In fact, vendor and contract management is a much under-rated (and rare) skill.
Don’t slavishly live to the exact word of the contract without exception
The flip side of the equation. If you keep the contract at your right hand and quote from it every day so as to keep the service provider tied to the strict letter of its every sentence, then do not be surprised if the service provider responds in kind, and your relationship becomes one of conflict rather than collaboration. If you know what is in the contract, then you can decide when to enforce, when to defer, and when to simply waive.
Top 20 Do’s and Don’ts for Outsourcing Deals - the Supplier Perspective
Do ensure that you have a properly constituted deal team from day one
This will mean people who understand the numbers, those that grasp the wider commercial arrangements, the right technical people, legal people, a really good “deal lead” who will face off to the customer….and don’t forget the actual delivery team!
Don’t ever say that a deal is “must win”
Obviously there are projects that would be extremely good to win and also extremely painful to lose….but a bad deal will be bad news for years to come.
Do understand the customer perspectives and objectives
If you keep on trying to sell something that the customer doesn’t really want to buy, the process will inevitably be longer and harder. By the same token, if you have a better grasp of the customer’s “hot buttons”, you’ll be better able to fashion your solution to show how you will address them.
Don’t forget that the negotiation process is still part of sales
The negotiation approach needs to be tailored to the overall dynamic; an aggressive or uncoordinated approach may worry or put off the customer, or do damage to the longer term relationship or chances of winning the bid.
Do say “no” when you need to
You may feel pressured to agree to positions during negotiations, but agreeing to obligations which will be difficult or costly to comply with further down the line is a considerable risk. Remember that it is not always about what you say, but how you say it.
Don’t give in to “deal fatigue” and forget that some deals SHOULD be walked away from
When negotiations have been dragging on for weeks or even months, there is a tendency for both service providers and customers to get to the point where they just “want to make the pain go away” (!); at that late stage, poorly thought through concessions may be made.
Do insist on full DD (due diligence) or else consequential assumptions
Many contracts will try to pass the due diligence risk on to the service provider; however, even the best run process won’t be able to make up for information which is simply missing or even wrong. If you need to explain the basis of assumptions, then do so clearly and invite the customer to provide the relevant information so as to remove the need for the assumptions, if possible.
Don’t kick known issues into post contract discussions
Tempting though it may be to try to push through to finalization of negotiations and signature, what would make you think that it will be any easier to resolve a tricky issue later on, if it can’t be resolved up front? The risk is that the parties then get into the “deadly embrace” of deadlock.
Do ensure that there is proper customer sponsorship for/engagement with the project
We have seen projects go all the way through to finalization of the contract documentation, but then fail to be ratified at Board level simply because senior decision makers had not been properly involved in the process.
Don’t agree to contract risk provisions simply as a means of trying to increase a procurement score
If the bidding process is perceived to be close, it may be tempting to make contract concessions as a means of improving the overall “score” for your bid. However, the reality is that in most processes, the degree of weighting given to the legal provisions is much less than for price, technical capability etc., but concessions made on the contract can carry disproportionate risk, once services are underway.
Do ensure that your key subcontractors have bought a ticket for the full journey
If you are dependent upon a particular subcontractor, are you sure that you have their contractual commitment to do what you need from them, at the price you can afford, and for the duration of the contract term? Just assuming that they will be willing to sign up to a deal once you have committed to your own contract with the customer is fraught with risk.
Don’t allow emotion to get the better of you
If negotiations get heated, emotions can run high. However, antagonizing or alienating customer representatives with rash words or emotive behaviors will rarely work out well.
Do realize the power of having executive endorsement and involvement
The customer may take a great deal of comfort from a level of personal involvement and commitment from senior executives from within your organization; quite rightly, they may surmise that directives from your own chief executive may carry more weight than a warranty provision in a contract.
Don’t forget to have an independent review of your proposed solution and risk profile
It can get difficult to see the woods for the trees after a while, or to appreciate the cumulative salami slicing of risk and reward that can occur over the course of a long negotiation. Having an independent review and sense check is worth its weight in gold.
Do focus on the strengths and weaknesses of your key competition
Ask “what would we need to do to offset their strengths and capitalize on their weaknesses?” Your bid can then be tweaked accordingly.
Don’t lightly agree to exclusivity or surrendering IP
It will often be argued that the creation of new IP is not “core” to an outsourcing transaction and so this can easily be given up to the client/customer. However, at the very least you may want to consider whether to reserve some form of reverse licensing or independent rights of use, so as to make sure that new developments can be applied for the benefit of future customers.
Do ensure that you have appropriate sponsors/supporters within the customer business
At the end of the day, it helps tremendously to have someone senior within the customer organization who is acting as your champion/supporter, and who will promulgate positive messages about you and also help to prevent any false or derogatory impressions from gaining purchase.
Don’t backslide from previous commitments UNLESS there is a correlation that can be drawn to a change in facts/customer positions
Customers will usually (and understandably) react very negatively to any perceived reversal of positions which were agreed earlier in the negotiation process (especially if they were part of the reason for an original down-selection decision). If changes ARE to be made however, it may be legitimate if they can be linked to changes in the customer’s own position, or new data which can justifiably be said to have not previously been available.
Do ensure that the delivery team have a full involvement in the solution design/negotiation
Possibly one of the MOST important practical bits of advice. Sales teams inevitably have closing of the deal as their prime driver; as such, there is a natural risk that they might over commit. As the delivery team will need to live with the contract for the duration of its term, it is essential that they are aware of – and sign up for.
Don’t make commitments which you will need subcontractors to comply with unless you know in advance that they will do so
There is a difference here between being willing to take on the liability “gap” (e.g., where you are agreeing to a higher service level than the subcontractor is willing to step up to, or accepting a higher liability cap), and being actually dependent upon the subcontractor (e.g., where you can only comply with customer security policies if the subcontractor does as well). You may find that they are a lot less willing to agree to such provisions if you have already signed up with the customer and have little if any bargaining leverage!
The Internet of Things is going to change the models of business of the financial services sector, unveiling new legal issues. Continue Reading