Contributed By Jeantet
In recent years, the main trends and developments in the IT outsourcing market include the following:
The emergence of new services/developments in the market has led to a flurry of new regulations and/or recommendations to govern this trend in a number of sectors, in particular highly regulated sectors such as the finance industry. New certification standards for technological products have also flourished, such as ISO certification and AFNOR (“The French Standards Association”) certification. These market trends and developments in IT outsourcing, involving the worldwide sharing of an exponential amount of personal data, have also highlighted the importance of complying with the General Data Protection Regulation (GDPR) requirements.
COVID-19 had at least the benefit of accelerating and democratising the use of new outsourcing technologies, in particular within companies. The most revealing examples are the development of teleworking for employees and intra- and extra-company collaboration tools (eg, Teams, Zoom, Google Meet). Today, these trends are standard practice for a large number of employees in France.
The business process outsourcing (BPO) market is a fast-growing industry that has become an integral part of the global economy, and France is no exception.
In recent years, several factors have been driving the increasing adoption of BPO services, as outlined below.
COVID-19 has encouraged the use of BPO services to ensure business continuity in crisis situations. Indeed, outsourcing was a security measure in a complicated health context where employees were confined and forced to telework.
However, it is important to note that the first major disadvantage of BPO is the loss of control, in particular related to the sharing of data for the provision of services. Indeed, there is no direct control over the outsourcing of services provided or over the service providers. This can result in difficulties in controlling quality and ensuring compliance with legal requirements (in particular, data protection laws and security requirements). It is therefore essential to ensure (through contractual provisions, regular audits) that the service providers have robust cybersecurity measures in place before committing to outsourced activities.
The impact of new technology on the outsourcing market is as follows:
Such new technologies are accompanied by increasingly demanding safety requirements, which means that the market has to adapt, from both a technical and legal point of view, in order to comply with the new legal safety requirements and consumer demands in terms of security and transparency.
The most commonly outsourced services in France are:
In France, there is no general law governing technology transactions or outsourcing.
However, the rise of IT outsourcing has resulted in the adoption of various legal frameworks (at a local and EU level) in order to govern IT outsourcing or technology transactions in specific sectors or for specific categories of services.
The main developments of the last few years are from the following legal/administrative frameworks.
Main Legal Applicable Frameworks
Additionally, because the issue of personal and non-personal data has taken on paramount importance in recent years, particularly with the rise of digital technology (including outsourcing and cloud services), the EU has decided to put in place a legal framework to make the most of its economic potential, in particular:
Upcoming Legal Framework
A proposal for a regulation on cybersecurity requirements for products with digital elements, known as the Cyber Resilience Act (CRA), was published on 15 September 2022. The text was adopted by the European Parliament at first reading on 12 March 2024. It must now be formally adopted by the Council. It relates to the European cybersecurity strategy.
Main Administrative Framework
On a voluntary basis, companies can submit their products for international certification with ISO, represented in France by AFNOR. For example, Standard 42001 for AI was published in 2023, specifying requirements for establishing, implementing, maintaining and continuously improving an artificial intelligence system within an organisation.
The banking and insurance sectors are particularly regulated with regard to technology transactions and outsourcing.
When a banking institution outsources services considered “essential” or “significant”, it is subject to a certain number of obligations laid down by the EBA’s Guidelines on Outsourcing. Some of the obligations shall be provided in the contract the banking institution entered into with its IT provider (eg, specific provisions related to security, reversibility, audit, termination, sub-processing).
The recent DORA Regulation provides requirements for financial institutions which apply, among other things, to the management of risks associated with third-party providers, in particular the management of outsourcing risks. Moreover, the DORA Regulation also lists the minimum contractual provisions to be included in outsourcing contracts, and this list is further extended by additional clauses where significant ICT services are outsourced. DORA will become the main digital security regulation for the financial sector.
The health sector is also regulated. As set out in Article L.1111-8 of the French Public Health Code, modified by the French Law SREN of 21 May 2024: “Any natural or legal person who hosts personal health data collected during prevention, diagnosis, care or medico-social monitoring activities on behalf of natural or legal persons at the origin of the production or collection of this data or on behalf of the patients themselves, must be approved or certified for this purpose”. Thus, health data hosts (HDS) have been required to obtain HDS certification. The HDS certification aims to guarantee the quality of service of healthcare hosting providers.
The French Data Protection Act (FDPA) establishes restrictions on technology transactions and outsourcing related to data processing and data security.
There is no standard contract model for outsourcing transactions in France.
Most of the time, the outsourcing agreement takes the form of a master service agreement which can, if relevant, be completed by application/transaction agreements and modified by amendment. Specific appendices can also be joined to the outsourcing agreement, such as those related to the service levels, the financial modalities, the schedules, the security measures, etc.
The joint venture (JV) contract or multi-sourcing contract may be used in France, but the bilateral outsourcing contract is the most common structure.
Digital transformation has, to a certain extent, affected the following contract models for outsourcing transactions:
There is a trend towards contractual guarantees for security measures in IT and cloud contracts, which is justified both by the ever-increasing cybersecurity risks and by increasingly strict legislation on IT suppliers and certain sectors (eg, financial).
As a preliminary basis, IT or outsourcing agreements are ordinary contracts subject to the general and common rules of contract and civil law. There are no specific legal rules related to such agreements. The specific features found in these contracts relate to contractual freedom and business practices.
The main customer protections and remedies in technology transactions and outsourcing are:
The terms of contract termination are typically governed contractually. In most cases, a contract can be terminated for the following reasons:
Before terminating a contract, it is common practice for the customer to issue a formal notice, with a contractually defined notice period that is reasonable and not excessively short, allowing the other party time to remedy the breach.
The consequences of contract termination are also governed by the contract. In particular, in outsourcing agreements, the “reversibility” of data – ensuring its return or transfer – can be a critical issue, which the customer must negotiate with caution.
Distinction Between Direct Loss and Indirect Loss
According to Article 1240 of the French Civil Code, the loss must be “direct” (in addition to being certain and legitimate) to be eligible for compensation.
In accordance with this article, the French doctrine makes a distinction between direct loss (the damage must be the direct result of the breach) and indirect loss (the damage is not the direct result of the breach).
Legal/Market Practice Regarding Loss of Profit, Goodwill, Business, Etc
In practice, most outsourcing contracts contain a clause excluding compensation for indirect losses (such indirect losses are usually listed in the contract): eg, loss of customers, image and reputation loss, operating loss, commercial loss, loss of earnings, business loss and profit loss. Such list is often negotiated between the parties. The service provider will usually seek the broadest possible definition of indirect loss and may attempt to include loss of data or breaches of data protection laws within the scope of exclusions.
Categories of Losses Not Subject to Limitation of Liability
There is no applicable information in this jurisdiction. The expression “implied term” seems to be specific to common law.
The most common cybersecurity protections and security measures required by customers in technology transactions or outsourcing are the following.
On the technical side, most French clients also aim to host their data with providers offering hosting services based within the EEA.
The most common contractual clauses that help the customer manage and measure the supplier’s performance in technology transactions and outsourcing are the following.
Generally speaking, the terms do not differ significantly and remain more or less the same. In the case of cloud-based outsourcing, particular attention will be paid to:
In this very specific situation, the application of the requirements of the GDPR must be ensured, particularly in terms of security, transparency and use of appropriate safeguards (SCCs).
Article L. 1124-1 of the French Labour Code stipulates that “when there is a change in the legal situation of the employer, in particular by succession, sale, merger, transformation of the business and incorporation of the company, all employment contracts in force on the date of the change continue to exist between the new employer and the company’s employees”.
In accordance with well-established case law, Article L. 1224-1 of the Labour Code applies if the following two conditions are both met:
The business must comprise several elements necessary for the operation of its activity, ie:
The legal definition of a transfer of business activity determines the application of Article L. 1224-1 of the French Labour Code. Thus, if the transfer is legally a sale of a business or a partial transfer of assets, it is generally accepted that Article L. 1224-1 applies.
Subject to compliance with these conditions, in the event of the transfer of an activity in accordance with Article L. 1224-1 of the Labour Code, the employment contracts of the employees dedicated to the activity are automatically transferred. The consent of the employees is then not required, and each employee retains, after the automatic transfer of their employment contract, all the applicable contractual provisions (eg, remuneration, seniority, place of work and working hours).
This applies to all employees holding an employment contract at the time of the legal transfer, whether the contract is open-ended or fixed-term, part-time or full-time, even if the employment contract is suspended at the time of the transfer.
Persons whose employment contracts are suspended on the date of the transfer (in particular for maternity leave, parental leave or unpaid leave) will have their employment contracts transferred under the same conditions and on the same date as other employees.
When a company employs more than 50 people, it is required to establish a works council with comprehensive responsibilities or adapt the existing one to undertake more extensive tasks. The works council serves as a platform for employees’ collective expression on various aspects of the company’s operations, including economic and financial development, working conditions, job training, and production techniques. It must also be consulted on matters concerning the organisation and overall functioning of the business, as well as redundancies. However, it is important to note that the opinions of the works council are not binding on the company. The outsourcing of certain activities or services, particularly those related to employees, may also require consultation with the works council.
In the last few months, French companies have been keen to relocate their IT providers to France or other EU countries due to: (i) the adoption of the US Cloud Act enacted on 23 March 2018; and (ii) the adoption of the FDPA and the GDPR, which provide a strict framework for international transfers of personal data outside EU countries. Such transfers are only possible if the recipient country ensures an adequate and sufficient level of protection. If this is not the case, appropriate safeguards, such as SCCs, shall be implemented, and a TIA shall be performed.
These legal constraints discourage companies from opting for offshore resources in outsourcing transactions, particularly where client or employee personal data, including sensitive information such as social security numbers or health data, is involved.
Moreover, while offshore outsourcing may offer financial advantages, it can introduce additional challenges beyond the legal domain. These challenges include language and cultural differences, varying working habits, and time zone disparities, which can be particularly problematic during emergencies. As a result, French companies often view onshore and nearshore outsourcing as solutions that mitigate these difficulties and complexities.
Under French legal rules, teleworking can be implemented either by a company-wide agreement, a charter or a mutual agreement with the employer.
In any case, it is recommended to sign an addendum to the employment contract defining the contours of teleworking (number of days, reversibility, teleworking rights, insurance, etc). In the case of litigation, it is always better to have a written agreement specifying the teleworking conditions.
From a French perspective, the obligations raised by remote working are as follows:
The main fear for clients is the workload of employees who telework. On the one hand, certain employers fear that the employee will not work enough hours, whereas others fear that employees will work too many hours and will not alert the employer of any difficulties they are encountering. Consequently, it is important to find the balance between both situations. Moreover, clients want employees to continue to be mobile and be available for professional travel when required, even if they are teleworking.
Clients generally seek legal advice on how to implement teleworking, while ensuring that the arrangement can be reversed if the employee does not perform their duties properly or does not want to continue teleworking. They also consult lawyers regarding compensation for teleworking, such as reimbursement for home office use and professional expenses, which is generally mandatory and regulated by specific French laws.
One difficulty can be raised when the employee does not want to perform their duties remotely or from home, whereas the company (ie, a foreign company) does not have an office in France. In such cases, it is important to have an open discussion with the employee to identify the best solution, ensuring they have appropriate working conditions and an optimal work environment.
It is important to underline that the rise in remote working has led to new legal disputes.
Many employees who were able to telework during the COVID-19 pandemic have decided to move away from their place of work. However, when they were asked to return to their place of work, they refused, claiming that teleworking was a right they were entitled to. However, under French law, telecommuting is not a right and remains subject to employer approval.
11 rue Galilée
75116
Paris
France
+33 014 505 8008
+33 014 704 2041
info@jeantet.fr www.jeantet.fr/en/