The Legal View: Changes in Law and Risk Allocation – Are You Prepared?
Framework agreements have often been touted as a way for parties to contract in a commercially efficient manner, particularly for large companies doing frequent, repeat business with a vendor, which is often the case in the ICT/sourcing space. The structure generally provides a mechanism for parties to facilitate further similar transactions, achieve economies of scale and avoid repeated procurement processes. The benefit of this approach is that the general legal principles and the risk allocation for further call-offs have already been pre-agreed in the framework agreement, meaning that resources (including legal costs) are not duplicated on those issues and the parties can concentrate on the technical and commercial aspects of any renegotiation or new call-off under the framework agreement.
However, while it is tempting to focus primarily on the technical and commercial aspects of the new scope of services and the pricing model, the changing regulatory landscape applicable to technology transactions means that the change in law provisions, both at the framework level and at the call-off level, should also be carefully considered. Particularly in light of the pending amendments to data protection regulation and the introduction of the new EU Network and Information Security Directive, parties need to be aware that relatively standard boilerplate change of law provisions may now carry very real commercial and legal risks for them.
Changes in law and allocation of risk
The apportionment of risk between the customer and the supplier in relation to changes in law within outsourcing agreements can occur through various mechanisms. Examples of these include:
- express regulatory obligations: where parties are subject to particular obligations, such as the supplier committing to comply with applicable law, which may sit within or outside any agreed liability cap;
- indemnities: where a supplier may be required to indemnify the customer for a breach of applicable law; and
- cost apportionment mechanisms between the customer and supplier: the parties may also separately agree a process to manage changes in law which occur during the course of the agreement and how the cost implications of any mandatory change should be addressed. For example, if the change relates only to the customer, the customer might bear the cost unless it was already factored into the pricing; if the change relates only to the supplier, the supplier might bear the cost of the change; and in other circumstances, the parties might discuss in good faith and agree the allocation of the costs arising from the change via the change control procedure.
In some contracts, the above mechanisms can be interlinked such that one party carries the whole risk of a change in law. For example, a customer may require the supplier to indemnify it for a breach of the supplier's obligation to comply with the law and to ensure that the services comply with the law. In this instance, a change in the regulatory framework would mean that the supplier would need to pick up the additional compliance costs arising from that change.
However, with the imminent changes to the current regulatory framework discussed further below, parties are again beginning to look closely at their current provisions in order to understand how those provisions address these changes, whether the changes present a real risk under the contract, what the actual cost implications for the businesses might be and whether, and how, the costs arising out of any change should be split.
Amendments to Data Protection Regulation
The European Union plans to harmonise European data protection laws with the introduction of the General Data Protection Regulation (“GDPR”). Although still in draft form, the EU plans to adopt the GDPR by the beginning of 2015, to be in force as early as 2017. The GDPR aims to bring data protection legislation up to date in light of the technological changes that have taken place since the Data Protection Directive (Directive 95/46/EC) (the “Directive”) was adopted approximately 20 years ago, and in recognition that many businesses rely on service providers to help them manage their personal data.
Under the current Directive, the customer is responsible for any data protection breaches, even if they were committed by the supplier to whom the customer has outsourced the management of its data. This is because the customer is classed as a Data Controller, which carries the direct obligations under the Directive as it decides for what purpose personal data is processed. The supplier, as a Data Processor under the Directive, currently carries no direct legislative obligations in respect of its handling of the customer’s personal data. Given this, the customer generally seeks to protect itself by placing contractual obligations on the supplier in the framework outsourcing arrangement to ensure that the supplier has adequate technical and security measures in place to process personal data securely.
However, under the new GDPR, Data Processors as well as Data Controllers can be held liable for data protection breaches, and the monetary fine a company could suffer for a breach could be up to 2% of worldwide annual turnover. This is quite a change; for example, under the existing UK Data Protection Act (DPA), the maximum fine that can be imposed by the ICO on a Data Controller is £500,000. Parties may therefore wish to consider whether the caps on liability in their current agreements adequately protect against this change in law, what might be appropriate going forward, in particular the circumstances in which each of them might be directly responsible to the Information Commissioner’s Office (ICO) for a data protection breach, and how best to allocate this risk – for example, is it the customer or the supplier that has the higher turnover?
The upcoming Network and Information Security Directive 2013/0027 (NISD), as released by the Commission, aims to ensure that businesses in the European Union which are involved in the operation of certain markets (generally companies deemed important to national infrastructure, such as energy companies, banking and financial services companies, and companies operating within the telecommunications, health and transport sectors) maintain sufficiently secure systems to address the growth in cyber attacks. While still in draft form, the aim is for the European Union to adopt the NISD by the end of 2014 and to set up a co-operation network through various government agencies to prevent, handle and respond to network and information security risks and incidents, with Member States having a further 18 months to incorporate the NISD into national law to ensure a common minimum approach across the EU.
Accordingly, once the NISD is implemented, ‘market operator’ businesses will need to respond by putting in place appropriate technical and organisational measures to detect and effectively manage the risks related to the network and information security of the core services that they provide or receive.
As with data processing, it is likely that customers will seek to allocate this responsibility – and risk – to their suppliers where the suppliers are managing these core services or have control over security. At this stage, the specific sanctions for infringement are unknown, as the draft only requires them to be “effective, proportionate and dissuasive”, but it is possible that an approach similar to the turnover test in the GDPR could be adopted.
Market operator customers may also require additional audit provisions, if not already sufficiently dealt with in existing outsourcing arrangements, as they will be subject to cyber security audits and will have to comply with binding instructions from the relevant competent authority, including providing evidence of the effective implementation of security policies.
Given the above developments in relation to the GDPR and NISD legislation, businesses need to consider whether their current contracts cope with the impending changes in law and, going forward, how compliance is achieved and where the risk of non-compliance best sits – particularly given the significant change in the quantum of the penalties that can be applied by the competent authority. Otherwise, parties may be caught unaware, once these legislative changes come into effect, that their contract no longer presents the same level of risk as it does today.
We may not have a crystal ball available to predict how laws will be implemented, but careful consideration today over how your contract allocates risk will help ensure that you are better prepared for the ever-changing regulatory landscape of the future.
This article was first published in Outsource #37 (Autumn 2014)
About the Authors
Charlene Ko is a lawyer in the technology and sourcing team at CMS Cameron McKenna, with a particular interest in outsourcing transactions. She has substantial private practice and in-house experience, acting for a variety of suppliers and customers in a range of industries in the UK and Australia.