Contributed By Travers Smith LLP
Continued growth is expected in the USD92.5 billion IT outsourcing industry as digital innovations develop. Although the desire to reduce costs remains a key driver, the focus is shifting from price-oriented to quality-oriented, with a growing emphasis on forming strategic partnerships and improved customer experience. Outsourcing companies are also responding to an increased demand for disruptive technologies, such as artificial intelligence and smart algorithms, by providing a more extensive range of services and technological solutions. Investment in innovative technologies remains strong (the European Commission has proposed to invest EUR9.2 billion in innovative technologies between 2021–27 under the Digital Europe Program), with growth expected in areas such as cloud computing and machine learning.
In response to the COVID-19 pandemic and the uncertain global climate, the outsourcing market has shown increased demand for agile working solutions to assist communication and multicultural outsourcing strategies to minimise the risk of service disruption. These are all indicators of the market becoming increasingly sophisticated and responding well to the challenges currently faced across all industries.
Business process (BP) outsourcing has grown at a rapid rate in recent years and is projected to continue to do so, with leading industry reports expecting the market to grow by USD105.49 billion between 2020–24. There has been significant growth in the range of potential outsourcing destinations available to customers, notably in Eastern Europe and South America, which has increased competition in the sector. Aside from cost-cutting pressures on businesses, the shift from the traditional datacentre to a cloud-based service and the exploitation of new technologies such as robotic process automation and AI to replace or reduce human labour, new areas of growth are also emerging (such as social media management services) which continue to drive growth in BP outsourcing. At the same time, increasing demand from smaller businesses and growing competition in the BP outsourcing market has prompted BPO providers to increase transparency in relation to their policies, contracts and pricing in order to remain competitive.
Robotic process automation and AI continue to have a major impact on the outsourcing sector. Despite high initial set-up costs, automation is being widely adopted by outsourcers to improve productivity, increase employee satisfaction and enhance customer experience. Businesses in diverse sectors, such as insurance and hospitality, are looking to AI to optimise business processes and operational efficiency through automated hiring processes, training and data analysis.
Although consumers are becoming increasingly digital, it appears that many businesses are shifting their practices towards "people-centric" smart workplaces. In response, interactions with service providers are changing to become more flexible, user-friendly and dynamic. Many BP outsourcers are now investing in dedicated social media service teams and analytics units to address this demand for multi-channel bilateral communications. Social media monitoring and business intelligence are being seen as increasingly effective ways of gathering and analysing the vast quantities of consumer data and feedback in the public domain.
As regards cloud computing, the current climate has led customers to look to apply it more widely in their businesses, and they are therefore investing in more ambitious outsourced arrangements, attracted by the potential for this model to reduce costs, improve efficiency and ensure universal access and instant computing support whilst working remotely. Recent research has shown that 94% of enterprises are now using at least one cloud service, with some businesses leveraging up to five or more cloud-based systems. However, customer concerns about security and the rising number of cyberattacks are requiring outsourcing providers to invest heavily in cybersecurity in order to provide appropriate levels of assurance to their customers.
The outsourcing sector has been significantly impacted by COVID-19 and it is clear that the pandemic will test the financial robustness of many outsourcing providers. A large number of SMEs in developing countries provide outsourcing services to businesses in Europe; however, due to a lack of infrastructure and equipment to enable their staff to work from home, many providers have been unable to deliver work at the speed and scale previously met, if at all.
Nevertheless, with many businesses facing the challenge of a workforce now largely working from home, the demand for cloud-based systems and automated processes has boomed. It is expected that, when recovery begins, the need for outsourcing services in the areas of security, digital working environments, cloud services and AI will be greater than ever.
The UK left the EU on 31 January 2020, but entered a transition period lasting until 11 pm UK time on 31 December 2020. During that period, the UK continues to be treated as if it were still a member state of the EU and EU law continues to apply, with the result that, for most businesses, nothing material changed on 1 February 2020. However, material changes are expected to occur when the transition period ends, as the UK will then be treated by the EU as a third country for most purposes. This is likely to have a particularly significant impact on outsourcings involving transfers of personal data between the UK and the EU (see 2.3 Legal or Regulatory Restrictions on Data Processing or Data Security). It will also make it more difficult to deliver services which involve staff who are UK citizens travelling to the EU in order to provide those services.
In some sectors, Brexit may make EU businesses more reluctant to contract with UK firms. Indeed, it has already prompted some businesses to restructure their arrangements in anticipation of the effect which Brexit may have on them. For example, a number of businesses which have historically used the UK as a hub for distributing to the rest of the EU have shifted those operations to the continent, driven primarily by a desire to avoid disruption at Channel ports which could be caused by the introduction of customs controls and other border formalities. Meanwhile, other businesses and the public sector have held back from investing in new outsourcing projects because of the general level of uncertainty. That said, Brexit may provide opportunities in some areas; for example, there is likely to be increased demand for outsourced customs/logistics services to help businesses manage new border processes for UK-EU goods trade.
Lastly, the introduction (as a result of Brexit) of a new UK points-based immigration system is likely to make it more difficult and costly for UK outsourcing providers to recruit staff from the EEA. This may have an impact across a wide range of sectors, from hospitality and leisure through to services requiring technically skilled staff such as computer programmers.
Other Key Market Trends
Although IT and BP outsourcing continue to account for a large proportion of outsourcing transactions in the UK (in particular, via an “as a service” model), in recent years there has been considerable growth in the outsourcing of other activities, including logistics/warehousing and financial services. Many businesses looking to focus on their core activities are increasingly willing to outsource major, business-critical activities to third-party suppliers. Such contracts typically require a more tailored approach than IT or BP transactions, reflecting the customer's particular needs and/or the regulatory environment in which they operate. They also typically involve longer contract durations, eg, five to ten years (as opposed to five years or less).
Although the UK regulates the employment aspects of most outsourcing and M&A transactions (see 5 HR), it does not have any other overarching legislation which seeks to regulate outsourcing transactions on a non-sector-specific basis. That said:
The UK left the EU on 31 January 2020, but as stated above, during the current transition period, the UK continues to be treated as if it were still a member state of the EU and EU law continues to apply. However, the UK's departure from the EU may lead to changes in regulation after the transition period has come to an end, as the UK may decide to diverge from the EU in some areas. In the majority of cases, this is expected to be an evolutionary process which will take time to implement (requiring consultation with industry and the passing of new legislation). Much will depend on the nature of the UK's future relationship with the EU; the more distant it is, the greater the scope for changes in future.
Outsourcing transactions relating to financial services are subject to sector-specific regulation.
The majority of financial services firms in the UK are regulated by the Financial Conduct Authority (FCA). Some of those firms (such as banks, large investment firms, insurers, building societies and credit unions) are also subject to prudential supervision by the Prudential Regulation Authority (PRA). The FCA and the PRA have each published specific and detailed rules governing outsourcing arrangements entered into by regulated firms, although the provisions vary depending on the type of financial services business undertaken. Firms that are regulated only by the FCA will need to comply with the FCA outsourcing rules relevant to their type of firm, while firms that are regulated by both the FCA and PRA must also comply with the relevant PRA outsourcing rules. However, note that since a number of rules in this area are derived from EU law, such provisions may be subject to future changes following the UK's departure from the EU.
It is a key principle that a firm remains responsible for compliance with any applicable regulatory rules in connection with any outsourced services. This means that the firm will need to exercise proper oversight and monitor the performance of outsourced service providers to verify that any relevant regulatory requirements are being satisfied. Where the firm fails to do so, it may be subject to enforcement action. The FCA and PRA outsourcing rules typically require the firm to carry out due diligence on any proposed service provider to ensure that the provider has the capacity to provide the necessary services effectively. In addition, the firm will normally be required to ensure that the outsourcing contract contains certain mandatory provisions such as those relating to ongoing co-operation and/or enhanced termination rights.
Where a firm proposes to enter into, or to make material changes to, an outsourcing arrangement which is considered critical or important (such that any failure in the performance of the outsourced services might materially impair the firm's compliance with regulatory rules or affect the continuity of its business), it is normally required to provide advance notification to the relevant regulator.
Public Sector Outsourcings
Depending on the nature of the contract and its value, a public-sector outsourcing can be subject to UK and EU public procurement rules (although these apply to a wide range of contracts, not just outsourcing transactions). For example, the awarding authority can be required to advertise the contract, observe certain timings with regard to responses to tender etc., and ensure that all bidders are treated equally and without discrimination. Public procurement rules are most likely to have a significant effect on the timing of the pre-contract procedure, the criteria for selection of successful tenderers, and the duration of the outsourcing contract.
It is possible that the UK's public procurement rules may change following its withdrawal from the EU, although it is unlikely that the UK will cease to regulate this area in future. In particular, the World Trade Organisation has approved the UK’s accession to the WTO General Procurement Agreement once it leaves the EU; this will require the UK to maintain at least some of the rules which currently apply to the award of contracts by the public sector and, in the short term at least, the substance of the UK rules is likely to remain largely unchanged.
Organisations which supply critical national infrastructure (for example, in sectors such as electricity supply, oil and gas, water, transportation, healthcare and digital infrastructure, including cloud computing storage providers) and meet certain size thresholds are subject to the Network and Information Systems Regulations (the "NIS Regulations"). In brief, the NIS Regulations require them to take appropriate and proportionate technical and organisational measures to manage the security risks posed to them (eg, by taking appropriate measures to protect against cyber-attacks).
Where organisations are outsourcing the provision, management or maintenance of any element of the systems on which they rely to provide such infrastructure, they will need to consider how to ensure that the outsourced activities continue to meet the standards required by the NIS Regulations.
The parties to an outsourcing will also need to consider any relevant sector-specific regulations, such as requirements for licences or authorisations. These are not normally intended to regulate outsourcing per se, but more to regulate the activity which is covered by the outsourcing. In the UK, the sectors listed below are subject to industry-specific regulation by the regulator listed in brackets:
This list is not exhaustive and the activities covered by the outsourcing may mean that there is a need for licences, permits or approvals from other bodies such as local authorities, the Health and Safety Executive or government departments (for example, certain defence or security-related activities may require Ministry of Defence approval).
The regulation of a number of the sectors listed above is likely to be affected by the UK's departure from the EU.
Data protection laws are likely to apply where the outsourced services require the supplier to process personal data on behalf of the customer. "Personal data" includes any data such as names, contact details, or other data which relates to an identified or identifiable natural person. In the UK, at the time of writing, the relevant laws are the EU General Data Protection Regulation (2016/679) (GDPR) supplemented by the Data Protection Act 2018 (Data Protection Laws), although this will change after expiry of the transition period, when a UK version of GDPR and the Data Protection Act will apply to personal data processed about UK data subjects, and EU GDPR will continue to apply to those organisations which fall within its territorial scope.
Many outsourcing arrangements, in particular business process outsourcings and IT outsourcings, are likely to result in the handling by the supplier of personal data on behalf of and in respect of which the customer is the data controller – ie, the entity which determines the purposes and means of processing of such data. The supplier will be a processor in such situations, and where this is the case, as well as the supplier having a number of direct obligations to comply with under the Data Protection Laws, the customer must also be satisfied that the supplier will implement appropriate technical and organisational measures to ensure that the supplier's processing of such data will meet the requirements of the Data Protection Laws – in particular, to keep the data safe and secure. The customer must carry out due diligence on the supplier to be satisfied of this. In addition, the Data Protection Laws also stipulate that if the supplier is processing personal data on behalf of the customer and in its capacity as a data processor, the contract between the customer and the supplier must address certain issues (see 2.5 Contractual Protections on Data and Security), namely, requiring the supplier to keep the data safe and secure, and to help the customer with complying with its own obligations, for example, when data subjects seek to enforce their rights in respect of data held by the supplier on behalf of the customer. In some outsourcing arrangements, in particular some business process outsourcings such as pensions administration, it may well be the case that the nature and manner of the outsourced services require the supplier to effectively act as a data controller in respect of any data it processes, and if this is the case, then the supplier will have to comply with obligations placed on it by Data Protection Laws in its capacity as a data controller.
Personal Data Exported Outside the EEA
Personal data which is exported for the supplier to process outside the EEA must be exported in a way which complies with the Data Protection Laws. This issue will need to be addressed, for example, where the outsourcing involves "offshoring" of service provision to a territory outside the EEA. The most commonly used mechanism to ensure compliant transfers to territories outside the EEA is to incorporate a set of "model clauses" pre-approved by the European Commission into the outsourcing arrangement. These essentially require the supplier to put measures in place to make sure that they keep personal data safe. In some cases, alternative mechanisms or specific derogations may be available; for example, some non-EEA countries are regarded as "safe destinations" for personal data because their own national law offers an equivalent level of protection to that available in the EEA. In other cases, suppliers may have obtained approval from European data protection regulators for binding corporate rules which allow them to export data to other group companies based outside the EEA, without the need for specific contractual arrangements governing the transfer.
The UK is still subject to these rules under Data Protection Laws at the time of writing and during the transition period, and this section has been written on that basis. However, data protection is another area of law that will be affected by the UK leaving the EU. In the short term, and as referred to above, the UK will retain much of its existing regime for data protection, via UK GDPR. However, a failure to reach a deal with the EU on data protection, in particular if the EU does not reach an adequacy decision in respect of the UK, will cause difficulties for the free flow of personal data from the EEA after expiry of the transition period, and once the UK is officially treated as a "third country". In this event, where personal data is transferred from an EEA-based customer to a UK-based outsourcing supplier, this will need to be done using one of the non-EEA transfer gateways outlined above. Proposed legislation states that UK personal data can, for the time being, continue to flow freely to the EU post-Brexit, so that no such additional measures would need to be put in place where, for example, a UK-based customer is transferring personal data to an EU-based outsourcing supplier.
The issue is further complicated by the Court of Justice of the European Union (CJEU)'s recent (at the time of writing) judgment in Schrems II. This not only impacts data flows from the EEA to the UK, but also, potentially, to other countries, in particular the USA, which would affect those outsourcings of services from suppliers based outside the UK (for the time being) or the EEA. The upshot of the judgment is that the use of model clauses as a safeguarding mechanism must be supported, by the parties using them, by meaningful due diligence and risk assessment, not only into the measures taken by the data importer (in this case the outsourcing supplier/processor) to keep the data safe and secure, but also into the wider data protection regime of the country in which the importer is located, including access by surveillance authorities to the data, and adequate judicial redress for EU data subjects where necessary. In certain cases such due diligence might result in the parties having to suspend the transfer. In a no deal/no adequacy decision situation, EEA-based customers would have to go through this exercise when relying on model clauses to transfer personal data to UK-based outsourcing suppliers.
The same judgment also found that the EU-US Privacy Shield could no longer be relied on as a safeguarding mechanism for transferring personal data to those US-based organisations which had signed up to it, partly because it did not prevent access to data by US surveillance authorities. For the same reason, and given the guidelines laid down by the CJEU for use of model clauses, use of model clauses with processors based in the USA as a fallback mechanism may not work. Further guidance is awaited at the time of writing from the European Data Protection Board as to what additional measures could be put in place for data transfers to the USA (and other jurisdictions with data protection standards which fall below those of the EEA) to support the use of model clauses. The European Commission has also indicated that it is intending to agree a new set of standard contractual clauses by the end of 2020, which would address some of these issues.
The Data Protection Laws also potentially have an impact at the point when an outsourcing contract is being negotiated, as personal data will be transferred in respect of employees who are transferring over from the customer to the supplier. In these circumstances, care needs to be taken to ensure that personal data is shared and transferred in a lawful manner, with a clear legal basis under the Data Protection Laws for such a transfer. Any personal data transferred outside the EEA will again need to be transferred using one of the transfer gateways or derogations outlined above.
As outlined in 2.2 Industry-Specific Regulations, organisations which supply critical national infrastructure (eg, electricity, oil and gas, water, transportation, healthcare and digital infrastructure, including cloud computing storage providers) and meet certain size thresholds are subject to the Network and Information Systems Regulations. These regulations may have an impact on the outsourcing of activities relevant to the provision of such infrastructure. For example, where handling of data is outsourced, even if it is not "personal data", the customer will be required to ensure that the supplier takes appropriate measures to protect against cyberattacks.
The UK Information Commissioner (IC) can impose civil fines of up to EUR20 million, or 4% of the breaching undertaking's annual worldwide turnover in the preceding year, for the most serious breaches of the Data Protection Laws. In the case of breach, the IC can also issue an enforcement notice against a business requiring it to take (or refrain from taking) specified steps in order to comply with the Data Protection Laws.
The Data Protection Laws contain a number of criminal offences, notably offences relating to the unlawful obtaining of personal data, and selling or offering to sell such data.
It should be noted that individuals can lodge complaints with the IC in respect of alleged breaches of the Data Protection Laws, and bring an action for damages against the relevant business. Fines may also be imposed for data breaches under sectoral regulatory regimes, eg, financial services firms have been fined substantial sums for failure to keep customer data secure.
The maximum penalty for breach of the Network and Information Systems Regulations is GBP17 million, again for the most serious breaches. As with the Data Protection Laws, competent authorities under the NIS Regulations can issue enforcement notices, and also have powers to investigate and audit compliance of organisations which fall within the scope of the regulations.
The Data Protection Laws require that certain prescribed provisions are included in contracts with suppliers which process personal data on behalf of the customer, to ensure that minimum security levels are met in respect of any personal data which is processed. These include requirements that the supplier only process data in accordance with instructions from the customer, to assist the customer with achieving compliance with its own obligations to take appropriate measures to ensure security of processing, and to back up its obligations with subcontractors to the extent that they process personal data. Following changes introduced by the GDPR, data processors are now directly liable for some infringements. As a result, it is not uncommon to see provisions included in contracts to protect their position; also, given the far higher penalties which can now be imposed, specific liability apportionment for losses resulting from a breach of contractual provisions (and statutory obligations) is becoming more common.
In some cases, the supplier may be processing personal data as a standalone data controller rather than as a data processor on behalf of the customer (for example, in some contracts for the outsourcing of pension fund administration). In these situations, the contract will usually include clauses requiring the supplier to keep personal data safe and secure, and to comply with its obligations as a data controller under the Data Protection Laws, particularly in respect of any personal data that the customer may transfer to it or vice versa.
Outsourcing can take a number of forms in the UK. Although there is no "standard" model, a direct outsourcing is the most common structure adopted by the parties. This allows a customer to streamline its operations to focus on its core activities, taking advantage of economies of scale available to the supplier as well as the supplier's expertise.
A direct outsourcing is the simplest of the outsourcing structures, with the contract(s) being directly between the customer and the supplier. However, the outsourcing will become more complex if the customer procures the outsourced services on behalf of itself and group companies. In this case, an "agency" model is often adopted, or a third-party rights clause may enable group companies to have directly enforceable rights.
Direct outsourcings typically comprise a single contract (or sometimes multiple contracts) dealing with the core issues (eg, service standards, price, duration, limitations on liability and subcontracting) with schedules which set out (amongst other things) a description of the services provided, service levels, the consequences of failing to meet service levels, governance arrangements and any transferred assets and staff. If the supplier does not have sufficient assets to meet its contractual liabilities or is not the main trading entity in the group, the customer may require a parent company guarantee.
Other contractual models commonly used for outsourcing include indirect outsourcing, multi-sourcing, joint ventures or partnerships, outsourcing via a captive entity and build-operate-transfer structures.
An indirect outsourcing is similar to a direct outsourcing, except that the customer appoints a supplier (which is usually domiciled in the UK) that immediately subcontracts the services to a different supplier (which is usually domiciled in a foreign jurisdiction). The principal reason why a customer may choose this model is that it will wish to interface with, monitor, and enforce its rights against a UK-based supplier, rather than a foreign supplier.
Multi-sourcing is where the customer enters into contracts with different suppliers for separate elements of its service requirements. An advantage of this model (in addition to those achieved with a direct outsourcing) is to avoid being over-reliant on a single supplier, although this only applies where identical services are sourced from several different suppliers. However, maintaining effective interfacing between the various suppliers to ensure a seamless overall service (ie, "Service Integration and Management" or SIAM) can add cost and complexity. The outsourcing contract will typically impose contractual obligations on suppliers to co-operate with one another and to participate in a common governance process, involving regular meetings between all of the parties.
Joint Venture or Partnership
The setting up of a joint-venture company, contractual joint venture or partnership to provide services enables the customer to maintain a greater degree of control than the other legal outsourcing structures, to benefit from the supplier's expertise and to share in the profits generated by the third-party business of the joint venture. Joint ventures can take many forms and are usually complicated (and expensive) to set up and maintain.
A captive entity model is where the customer outsources its processes to a wholly owned subsidiary to provide the outsourced services exclusively to it and takes advice from local suppliers on a consultancy basis. This model is sometimes known as a "shared services division" if the captive entity is servicing different divisions of the same conglomerate company. Whilst this structure will give the customer greater operational control, possible tax benefits and integration with the supplier/group company, the customer will not be passing the risk of performing the services to a third-party provider, and the upfront set-up costs and ongoing costs are likely to be significant.
A build-operate-transfer model of outsourcing is where the customer contracts a third-party supplier to build and operate a facility, which is then transferred to the customer. It is possible that the customer may ask the supplier to operate the facility for the longer term. Whilst this model is low-risk, it can be expensive.
There has been a trend away from customers, particularly in the financial services sector, setting up new captive entities or shared service centres, in favour of a direct or multi-sourcing model (notably, in respect of IT and BP outsourcing). There has also been a recent trend for captive or shared service centres to be sold to a third party in order to recoup investment, divest a non-core operation and to achieve competitive pricing.
Common protections for the customer in an outsourcing contract include service levels or key performance indicators (KPIs) in relation to the standard of performance of the services. These are typically set out either in the outsourcing contract itself or in a separate "service level contract" appended to the contract. They will generally be linked to obligations on the supplier in respect of monitoring and reporting on service levels, often combined with audit rights for the customer.
If the supplier does not meet the specified service levels set out in the contract, the contract may provide that the customer is entitled to financial compensation in the form of service credits or liquidated damages. From the customer's perspective, the effectiveness of a service credits/liquidated damages regime depends on two main factors. First, the customer must ensure that the service levels/KPIs measure those aspects of performance which it is most concerned about – otherwise it may have no meaningful remedy at all under the service credits/liquidated damages regime. Second, the service levels/KPIs need to reflect a satisfactory standard of performance; if they can still be met even when the practical outcomes, from the customer's perspective, are sub-standard, then they will not provide a meaningful level of contractual protection.
Additional Contractual Protection
Given the potential weaknesses in any service credits/liquidated damages regime, customers will usually want to consider additional forms of contractual protection. These will typically include undertakings given by the supplier, including an undertaking that it will provide the services with reasonable care and skill, in accordance with good industry practice and all applicable laws and regulations. The supplier could also be required to warrant the accuracy of information provided by it as part of the tender process, that it has particular accreditations or that it operates in accordance with a particular quality assurance system. If these undertakings or warranties are breached by the supplier, the customer would then be entitled to pursue a claim for damages.
The customer could also seek indemnities from the supplier in respect of specified loss, such as loss suffered by the customer as a result of the supplier's breach of applicable laws, including data protection laws, or against future liability in respect of employees transferred to the supplier as part of the outsourcing (see 5 HR). Additionally, the customer may require a supplier of outsourced services to hold certain insurance, including in respect of damage to persons or property, and to note the customer's interest on its policy. It is also important for obligations to be imposed on the supplier to maintain a "business continuity plan" and make adequate back-up and disaster recovery arrangements.
Whilst these contractual protections will allow the customer to seek compensation from the supplier for failure to comply with the contract, they do not specifically address under-performance. As a result, it is not uncommon for a customer to seek "step-in" rights, allowing it to take over the management of an under-performing service or to appoint a third party to manage the service on its behalf. Less serious problems with under-performance can sometimes be resolved through use of rectification plans, contract management and governance provisions, which typically require the supplier to appoint a contract manager who will meet regularly with the customer's representative to discuss and seek to resolve issues in accordance with a rectification plan. These provisions may also include a right for the customer to veto proposals from the supplier to dispose of key assets or re-deploy key staff involved in the provision of the services – thereby preventing any deterioration in performance that might be caused by such disposal/re-deployment.
Rights of termination in a variety of circumstances should also be included to protect the customer (see 4.2 Termination). In addition, customers should ensure that, in the event of termination, the supplier remains under an obligation to provide assistance to the customer in migrating the service to a new provider. As part of this, the supplier should be required to draw up an "exit plan" at the outset of the contract and update it on a regular basis (at least annually) in consultation with, and/or with the consent of, the customer.
Under English law, parties have considerable freedom to decide in what circumstances a contract can be terminated. For example, a customer may seek a right to terminate a long-term outsourcing contract on notice prior to expiry of its term without any compensation being payable (often called a termination for convenience). However, the supplier may not be prepared to grant such a termination right, or may insist on financial compensation being payable by the customer in the event of early termination for convenience (which will be enforceable provided that the level of compensation is not out of proportion to the supplier's loss arising from early termination, rather than a contractual penalty).
Basic Termination Rights
In most outsourcing contracts, both parties will have express contractual rights to terminate the contract if the other party commits a material breach of its terms (typically after the expiry of a cure period) or undergoes an insolvency-related event. However, the introduction of the Corporate Insolvency and Governance Act 2020 (CIGA) on 26 June 2020 introduces a number of new measures into the Insolvency Act 1986, including in relation to contracts for the supply of goods or services. Under the CIGA, clauses which enable a supplier to terminate a supply contract (or change other terms) upon an insolvency or formal restructuring procedure are ineffective. The CIGA also introduced a prohibition on terminating a supply contract based on past breaches of the contract once the company enters an insolvency process or restructuring procedure. This will mean that (subject to certain exclusions – eg, suppliers who provide financial services and those who are covered by the existing continuation of essential supplies provisions), suppliers will be obliged under the outsourced supply contracts to continue to supply to a customer once it enters an insolvency or restructuring process, even where there are pre-insolvency arrears.
Suppliers will also be prevented from making the payment of such arrears a condition of continued supply. The relevant outsourcing contract may only be terminated if the customer or the appointed insolvency practitioner (eg, if the customer is in administration or liquidation) consents, or with the leave of the Court if the Court is satisfied that the continuation of the contract would cause the supplier hardship. If the supplier's right to terminate arises after the insolvency or formal restructuring process begins (eg, for non-payment of goods supplied after that time), then there is no prohibition on termination.
Force Majeure Termination
In addition to the above termination rights, the contract may also contain termination rights in circumstances where a party is prevented from carrying out its obligations under the contract for a specified period due to a "force majeure" event. Whether the impact of the COVID-19 pandemic or government action or restrictions relating thereto would be considered a "force majeure event" in a contract depends on the precise drafting of the force majeure clause.
The customer may also seek to include a right to terminate where the supplier commits specified service failures and may insist that such termination rights can be exercised in respect of the affected services only, or in respect of the contract as a whole. Another termination right commonly requested by the customer is a right for the customer to terminate upon a change of control or ownership of the supplier.
In addition to the express termination rights set out in the contract, under English common law, an innocent party will normally have a right to terminate a contract for "repudiatory breach", where the other party breaches a condition of a contract. A condition of a contract is a term that goes to the essence of the contract – whether or not a term is to be categorised as a condition will be a matter of contractual interpretation in each case.
Under English law, only loss which was in the reasonable contemplation of the parties at the time the contract was entered into (as a probable result of a breach of it) is recoverable. Outsourcing contracts will typically distinguish between direct loss, which means any loss arising naturally and directly from the breach according to the usual course of things or "ordinary circumstances", and indirect or consequential loss, which refers to loss which does not arise naturally but that could have reasonably been in the contemplation of the parties because of special circumstances made known at the time of entering into the contract.
If a supplier breaches the terms of an outsourcing contract and the breach directly results in loss to the customer (including loss of business or profits), or if the customer incurs expenses in remedying the breach or obtaining replacement services, such loss is likely to be recoverable by the customer as direct loss. If, however, the supplier's breach results in the customer incurring liability towards a third party under a separate contract, the terms of which were brought specifically to the supplier's attention during a tender process or during pre-contractual negotiations (but which would not otherwise have been in the reasonable contemplation of the supplier upon entering into the contract), the loss incurred by the customer under the third-party contract is likely to be categorised as indirect loss.
Whether a loss is a direct loss or an indirect loss is ultimately a question of fact which has important implications for both customers and suppliers, as set out below.
The customer in an outsourcing arrangement will usually try to ensure that it is able, under the contract, to recover all direct loss incurred by it (including direct loss of profit, business and revenue). It is often sensible to expressly set out particular heads of loss that are recoverable, to evidence that these are agreed to constitute direct loss.
The supplier, however, will usually seek to exclude liability for indirect, special or consequential loss, and for loss of business, profit or revenue (including where these constitute a direct loss). Market practice by suppliers is to list specific types of loss which are wholly excluded, with the most common being loss of revenue, loss of actual or anticipated profit and loss of reputation or goodwill.
Loss of Profits
It is important to note that loss of profits (together with the other categories of loss discussed above) can amount to a direct or indirect loss. Therefore, if a contract excludes the right to recover indirect, special or consequential loss, the innocent party may still be entitled to recover loss of profits that arises naturally and directly from the breach (ie, direct loss). As such, if a supplier wishes to exclude its liability for loss of profits, this should be done expressly and separately from any exclusion of indirect, special or consequential loss.
In practice, the types of loss recoverable under the contract will typically be a matter for negotiation between the parties.
Under English law, a contract (including any outsourcing contract) will consist of the express terms agreed between the parties together with any terms that are deemed to be implied, either by usage or custom, the parties' previous course of dealings, common law or by statute.
The most relevant statutory implied terms in relation to outsourcing contracts are those set out in the Supply of Goods and Services Act 1982. These include an implied obligation on a supplier of services to carry out such services with reasonable care and skill, an implied term that the supplier will carry out the service within a reasonable time and an implied term that the party contracting with the supplier will pay a reasonable charge (where the contract is silent on such matters or timing/charges are left to be determined by the parties). However, the outsourcing contract often specifically excludes these terms and replaces them with specific provisions, with the intention that all relevant obligations are set out expressly in the written contract.
Where assets are being transferred, a term will be implied by statute that the party transferring the asset has title to it and is able to transfer it. Where the outsourcing involves supply of goods (eg, an IT outsourcing which includes the supply of hardware to the customer), then terms will be implied that the goods are of satisfactory quality and fit for their purpose.
Implied terms as to title to assets cannot be excluded or restricted. Those relating to satisfactory quality, fitness for purpose and certain other matters can only be restricted where this meets the reasonableness requirement set out in the Unfair Contract Terms Act 1977. Typically, however, most suppliers will seek to exclude these terms and substitute their own, alternative warranties.
Beyond these statutory terms, it is comparatively rare for terms to be implied into outsourcing contracts. This is because they are generally documented in a reasonable level of detail and the English courts will therefore have regard primarily to the express terms of the contract. However, there are circumstances in which additional terms could still be implied. The most common of these is where the parties have failed to address certain issues in their written contract; a term may be implied where it is necessary to give the contract "business efficacy". Such interventions tend to be used sparingly by the English courts, which are generally reluctant to be drawn into "writing the parties' contract for them".
It is also possible for terms to be implied based on "custom and usage", ie, normal market practice or where there has been previous course of dealing between the parties. However, these would typically only be relevant where the express terms of the contract do not address the relevant issue in sufficient detail. For example, if an outsourcing contract had expired, but the parties continued to deal with one another without having agreed a new contract, an English court might imply terms similar to those which were contained in the expired contract (based on the parties' previous course of dealing).
Impact of Brexit on English Contract Law
The UK left the EU on 31 January 2020, although at the time of writing (September 2020), this had not resulted in significant changes for businesses because of the transition period provided for in the UK-EU Withdrawal Agreement; please refer to 1.4 Other Key Market Trends (Brexit). Although the end of the transition period on 31 December 2020 will bring about material change in many regulatory areas (see 2 Regulatory and Legal Environment), English contract law is expected to remain largely unaffected. This is mainly because the EU has made relatively few inroads into the area of national contract law.
That said, Brexit may make it somewhat more difficult to enforce certain provisions of contracts governed by English law (such as exclusive jurisdiction clauses) in the courts of other EU member states. Similarly, Brexit may make it more difficult to enforce judgments obtained from UK courts in the national courts of the EU. It is possible that these developments may make some parties to outsourcing contracts elect to have their contracts governed by the law of other jurisdictions. However, the use of English law for international contracts is well established and it is likely to remain a popular choice as a governing law. Similarly, the English courts are likely to remain a popular choice of forum, based on their long-established reputation for fairness and extensive experience of handling complex disputes.
In the UK, most arrangements are governed by the Transfer of Undertakings (Protection of Employment) Regulations 2006 (the "TUPE regulations"). The effect of the TUPE regulations is that employees who are wholly or mainly assigned to the services being outsourced automatically transfer by operation of law to the new provider of the services.
The TUPE regulations apply to an initial outsourcing, where the customer's employees that are wholly or mainly assigned to the activity being outsourced will transfer to the supplier. They will also apply on a change in supplier, where employees of the outgoing supplier which are wholly or mainly assigned to the services will automatically transfer to the incoming supplier. The TUPE regulations also apply to an insourcing, where the outsourcing is terminated and the activities are brought back in-house. In this situation, the relevant employees would transfer from the incumbent supplier back to the customer.
Where the TUPE regulations apply, the relevant employees will transfer on their existing terms and conditions, with continuity of employment preserved. All accrued employment rights and historic liabilities in connection with the transferring employees will also transfer.
Where the TUPE regulations apply, the outgoing employer (the "transferor") must inform and consult with employee representatives about the transfer. Where the employer recognises a trade union, the appropriate employee representatives will be trade union representatives. If no trade union is recognised, the employer must either arrange for the election of representatives from the affected employees or consult with existing employee representatives where these are in place, for example, where there is a works' council or other employee forum.
The transferor must inform the employee representatives about the fact of the transfer, its timing, the reasons for it and the consequences for employees. Where the outgoing employer envisages taking any "measures", it must also consult the employee representatives about those measures. The term "measures" covers any changes to employees' day-to-day working lives, including changes to terms and conditions or working practices, or plans to make redundancies.
To assist with the transferor's consultation duty, if the transferee proposes any measures that would affect the transferred employees after the transfer, it must notify the transferor of the measures before the transfer. If any of the transferee's existing employees will be affected by the transfer, the transferee must also consult employee representatives of its own workforce.
The TUPE regulations apply by operation of law and it is not possible to contract out of them. However, in practice, the parties to an outsourcing arrangement will typically allocate the employment risks through warranties and indemnities in the outsourcing contract. It is usual for the parties to allocate the risks on both entry and exit. It is often market practice for the indemnities on entry to mirror those on exit so that, for example, if the supplier has been indemnified for employment risks on entry into the outsourcing, they will agree to indemnify an incoming supplier against the same risks on exit. It is also very common for the outsourcing contract to include provisions regarding matters relating to employees during the term of the contract, including any restrictions on changes to terms by the supplier, requirements to provide a list of employees working on the services, and restrictions on changing the personnel assigned to the services.
Impact of Brexit
Despite the fact that the TUPE regulations and a number of other areas of UK employment law reflect EU law, it is not expected that the UK's withdrawal from the EU will lead to any changes to the HR aspects of outsourcings, certainly not in the short-term. The UK will have the freedom to make changes in these areas if it wishes to do so in future but has not indicated any intention to do so at this stage. That said, as noted in 1.4 Other Key Market Trends, the introduction of the new UK points-based immigration system is likely to make recruitment of EEA staff more difficult and costly for UK outsourcing providers.
Where assets are being transferred to the outsourcing provider, the latter will typically seek warranties and/or indemnities designed to provide contractual protections relating to the transferor's ownership and ability to transfer the asset, together with the quality and condition of the asset. The extent of such protections will be a matter for negotiation. Transfers of assets may also have tax implications, which the parties may wish to address in the outsourcing contract. In the case of the various assets listed below, certain formalities must also be complied with if the transfer is to be valid, which may be reflected in the terms of the outsourcing contract. In a number of these cases, the consent of third parties may also be required.
The transfer of ownership of premises in England and Wales must be in writing. It is usually effected by deed and will also normally require registration at the Land Registry. The same requirements apply to the transfer of a lease of premises where, additionally, the consent of the landlord is likely to be required.
IP Rights and Licences
The transfer of ownership of UK intellectual property (IP) rights must also be in writing. In the case of registered rights, such as UK trade marks, the transfer will also require registration at the UK Intellectual Property Office. IP licences can normally be transferred subject to obtaining the written consent of the licensor. It should be noted that IP is an area of law that may be affected by the UK leaving the EU.
Movable Property, eg, Plant and Equipment
The transfer of ownership of movable property such as plant and equipment is not generally subject to any formalities but a written assignment is advisable for evidential purposes. Where assets have been leased or charged, the counterparty's and/or lender's consent to the transfer may be required.
Rights under key contracts can normally be assigned provided the contract is in writing and signed by the assignor (although some contracts contain an express prohibition on assignment and others may require the counterparty's consent). The other party (or parties) to the contract must also be given notice of the assignment. However, it is only possible to assign rights under a contract, not obligations. If the parties wish to transfer the obligations under the contract, a novation of the relevant contract is required whereby the counterparty to the contract being transferred is a party to the relevant novation to give its consent to the transferor to release it from its obligations and to the transfer of those obligations to the transferee.