Technology & Outsourcing 2022 Comparisons

Last Updated October 27, 2022

Law and Practice

Authors



Greenberg Traurig, LLP is an international law firm with approximately 2,500 attorneys serving clients from 43 offices in the United States, Latin America, Europe, Asia and the Middle East. The firm’s dedicated technology and outsourcing team advises on a full range of legal issues impacting outsourcing situations, including tax implications, employment, real property and intellectual property issues. The global team consists of more than 75 lawyers, six of whom are located in Amsterdam. The team handles and negotiates the full spectrum of services for clients, from standard transactions to highly complex multinational transactions. Recent transactions include cross-border business process outsourcing (BPO) projects for multinational banks, insurance companies and asset managers.

The key market developments in IT outsourcing are:

  • significantly heightened awareness of, and focus on, privacy and data security; 
  • increasing focus on “as a service” contracts to replace traditional models;
  • the transition to the cloud, including service providers themselves moving to Infrastructure as a Service (IaaS); 
  • the increasing importance of service integration and architecture integration, since customers work with a larger number of service providers;
  • pressure on IT departments as service providers to work directly within the business of the customer; and
  • the development of new ways of contracting service levels and pricing models, through Xperience Level Agreements (XLA) and pricing based on (business) value creation.

COVID-19 has had a huge and lasting impact on the use of technology. Videoconferencing and virtual collaboration have replaced at least 75% of telephone conversations. Employees have also continued to work partly from home since COVID-19 and employers have generally been supportive. Moreover, the Dutch government passed into law a bill which provides employees with a statutory right to work from home, except in such cases where working from home would seriously harm the company’s interests or the employee’s performance of their duties. This law does not apply to companies smaller than ten employees.

The key market developments in BPO are:

  • BPO is becoming less about labour arbitration and costs savings, and more about technology transformation and automation, as well as adding value to the business;
  • TUPE staff transfers under the Acquired Rights Directive are becoming less common because the parties (including the employees) arrange otherwise (which quite often means that the employees are offered an attractive redundancy package); and
  • companies implementing Robotic Processing Automation (RPA) as an alternative to BPO, although most programmes are not yet yielding the intended results.

A development that may potentially prove relevant is the ongoing high labour shortage in the Netherlands. To the extent the Dutch economy continues to experience this shortage, companies may elect to start outsourcing business processes that can effectively no longer be staffed in the Netherlands. In any case, this trend is likely to be relevant in the mid-to-long term as the Dutch population ages.

The impact of new technology on the outsourcing market is as follows:

  • the permanent increase in the use of videoconferencing and other virtual collaboration tools (thanks to COVID-19) and companies' increased facility with these tools should simplify working with offshore counterparts, increasing the potential scope for BPO; 
  • customers are struggling to build up internal capabilities to address new technologies and are therefore relying more on IT providers to provide these capabilities, which may drive an increase in IT service operators (ITSOs);
  • AI and robotics are heavily impacting service providers in their delivery centres, which were traditionally built around labour arbitration, enabling increased automation; and
  • blockchain/smart contracts are typically applied in a larger ecosystem that requires a different mode of co-operation from traditional client-service provider relationships (however, the importance of these technologies is currently negligible, and the current cool-down of crypto markets is likely to slow development there). 

Rules and restrictions on outsourcing apply only in some regulated markets, primarily the financial, insurance, asset management and pensions industries. In other markets, freedom of contract rules.

With respect to technology transactions, the Dutch government has been implementing policies and laws aimed at reducing strategic dependence on foreign powers for vital technologies and knowledge, as well as preventing the acquisition of specific technologies, companies, infrastructure or know-how that are considered vital to the security of the Netherlands. Investment screening and approval is currently required for acquisitions in the power and telecommunications industries and a similar sectoral act is being crafted for the defence industry, with a consultation on this act expected to take place in 2023.

Act Implementing the EU FDI Screening Regulation

Additionally, a non sector-specific piece of legislation that will apply where no sector-specific act exists was also adopted to implement the EU FDI Screening Regulation. This "act on investment screening in respect of national security risks" will enter into force in 2023. Under this act, any transaction (broadly defined), whether initiated by a foreign or Dutch person, that poses a risk to Dutch national security interests will be subject to screening and approval by the Dutch Ministry of Economic Affairs and Climate. Such a risk may be deemed to exist where the transaction could create a strategically relevant dependency of foreign powers; pose a risk to the continuity of vital processes; or impair the integrity and exclusivity of knowledge or information of vital or strategic relevance to the Netherlands. Note that in most cases, control is not a requirement for a transaction to be deemed relevant (eg, obtaining just 10% of the votes in a general meeting or the ability to appoint a director may also trigger the requirement for investment screening). If the transaction is deemed to pose a risk to Dutch national security, conditions may be applied to the transaction or the transaction may be prohibited. 

Note also that the act will have retrospective effect starting from 8 September 2020. In other words, a transaction performed prior to the law’s enactment but after 8 September 2020 may still be reviewed, so companies need to take this into consideration.

With respect to technology transactions, approvals are currently required for acquisitions in the power and telecommunications industries and a similar sectoral act is being crafted for the defence industry, with a consultation on this act expected to take place in 2023. 

From a compliance perspective, other than in respect of data protection regulation, industry-specific restrictions mainly exist in the financial, insurance, asset management and pensions industries and the regulations are, mostly, based on EU legislation. The regulations concerned include the Dutch Financial Supervision Act (FSA) and a number of directives and resolutions under that Act, the Solvency II Directive and the Solvency II Regulations, the AIFMD, the Pension Act, the Dutch Central Bank’s (DNB's) Good Practices for insurers and separate practices for other sectors, and the EBA guidelines on outsourcing to cloud service providers. The main principles of these regulations boil down to the following: 

  • responsibility cannot be outsourced;
  • a written agreement that contains sufficient means for the customer to monitor performance is required;
  • mandatory disclosure by the service provider of circumstances that may affect continuity is required;
  • the customer should be granted sufficient audit rights;
  • a risk analysis is required;
  • in some sectors, the customer must be able to terminate at will (against a termination fee); 
  • there must be restrictions on the further subcontracting of obligations by the service provider, and where such further subcontracting does take place, control and transparency must be retained by the service provider in respect of the outsourced services; and
  • notice of the intended outsourcing to supervisors is often required.

DORA

The most important sector-specific development in the last year has been the approval of the final legislative text for the regulation on digital operational resilience for the financial sector (DORA). 

DORA defines binding standards for ensuring operational security when outsourcing to third-party service providers. These standards impose binding requirements with respect to governance mechanisms, security reviews and resilience testing, incident reporting, and the contract language employed with third parties, with the aim of ensuring that the client remains fully in control of, and accountable for, IT security and risk management. 

From a content perspective, many of the requirements set out in DORA are already part of the EBA end EIOPA guidelines relating to ICT Security and risk management. Nonetheless, some requirements have become stricter or more specific, and a full review of existing practices, processes and contract language is advisable to ensure full compliance. 

A highly significant change for service providers is that DORA brings them under the direct supervision of the relevant European Supervisory Authorities. Supervisory authorities will be able to assess compliance, require changes to non-compliant practices, and penalise service providers for non-compliance. 

Publication of DORA is expected in late 2022, after which, firms will have two years to become compliant, ie, all outsourcing agreements being negotiated at this time should already take DORA into consideration. 

The restrictions on data processing and data security are based on the EU General Data Protection Regulation (GDPR). The GDPR restricts cross-border personal data flows to countries that do not offer an adequate level of protection (most countries do, with only a few exceptions). Standard Contractual Clauses (SCC) and binding corporate rules continue to be the data transfer mechanisms that are generally most relied upon by organisations when transferring personal data.

The Dutch Government's Cloud Policy

From the perspective of data protection, the Dutch government is highly pragmatic and, compared to other European countries, quite progressive in its embrace of the cloud, evident in the landmark agreement between the Dutch State and Microsoft in 2019, and its agreement with Google in 2022. This stance was also demonstrated by the risk-based assessment of data transfers, adopted by the Dutch Ministry of Justice and Security (the "Ministry") in the Data Protection Impact Assessment (DPIA) on Microsoft Teams. In February 2022, the Ministry published a DPIA on Microsoft Teams, OneDrive and SharePoint. As part of this DPIA, the Ministry also published a data transfer impact assessment (DTIA), based on the Rosenthal format for DTIAs. The outcome of the DTIA was, in summary, that it is extremely unlikely that personal data from Dutch government customers is unlawfully accessed by US authorities, or by authorities in other countries where Microsoft uses subprocessors. Therefore, the risk was assessed as low and the use of Teams could continue. In Austria and Germany, some decisions have been made that point in the direction of rejecting the risk-based approach, so it remains to be seen what the European Data Protection Board (EDPB) and the local supervisory authorities will say about this, if anything (soon).The recent cloud policy of the Dutch government states that most classified government data may be stored in the cloud, as long as certain requirements are met.

The Schrems II Ruling and EDPB Guidance

The Schrems II ruling and the guidance provided by the EDPB continue to keep data controllers who use SCC busy, as under this ruling, controllers must assess whether, given their use of SCC, there is an adequate level of protection in the third country. That is, data controllers cannot simply assume this to be the case, as SCC may, for instance, not be effectively enforceable in said country. Although the EDPB provides six-step recommendations on measures that data controllers and processors can take to simplify the task of enabling compliant data transfers through SCC, the task at hand is not that simple. Step 3, in particular, the rule of law test, is complex to perform. Note that, as part of the data protection impact assessment the Ministry performed in respect of Microsoft Teams, the Ministry has published an analysis of Step 3 (the rule of law test) for the US, so this can be used by companies. The conclusion is (of course) that the US legislation does not meet the rule of law test. Binding corporate rules provide multinational companies with a framework for international data transfers, but it should be noted that the Dutch Data Protection Authority has a significant backlog on approving binding corporate rules.

The NIS and NIS2 Directives

Data security is currently mainly governed by the law on the security of network and information systems (the "Cyber Security Act"), which implements the EU Directive on the security of network and information systems (the "NIS Directive") and consolidates other relevant legislation into one act. The Cyber Security Act establishes a certification framework for IT digital products, services and processes. The NIS Directive identifies sectors which are vital for the aspects of economy and society which rely heavily on IT, such as energy, transport, banking and healthcare. These sectors have to take appropriate security measures and ensure swift notification of any incidents to the relevant authorities. In addition, in keeping with the NIS Directive, the Cybersecurity Act also obliges providers of digital services (other than small enterprises) under Dutch jurisdiction to notify material data breaches in respect of their services to the National Computer Security Incident Response Team and the Minister of Economic and Environmental Affairs. Additionally, a variety of sector-specific laws directly or indirectly govern cybersecurity relating to, among others, energy production and distribution, water, telecommunications, seaports, airports, rail, financial services, healthcare, government bodies and other critical infrastructure.

A key development that is starting to become relevant is the progress on NIS2, which will replace the NIS Directive. The European Council and European Commission reached a provisional agreement on a draft of NIS2 on 13 May 2022 and the European Parliament is expected to vote on it in the course of 2022. The NIS2 Directive will have significantly broader scope than NIS. The NIS2 Directive will cover all medium-to-large enterprises and public organisations that perform important functions for the economy or society as a whole. For example, the new directive will also cover social media service providers and the public administration. The NIS2 Directive should also increase the level of harmonisation across member states in respect of scope, security and incident reporting, national supervision and enforcement powers and sanctions, as well as improve the pan-European collaboration of competent authorities.

Although NIS2 is not yet in force, clients and service providers entering into long-term agreements should consider taking stock of the requirements imposed by NIS2 to ensure future compliance.

There is no standard outsourcing agreement in the Netherlands.

The association of IT service providers, NL Digital, has standard terms but these do not, generally, apply to outsourcing. Sourcing Netherlands, the association for outsourcing, has developed a fairly balanced standard form for an outsourcing agreement, which is sometimes implemented. Sophisticated customers will contract on the basis of their own tailored agreement. These agreements are similar to the market standard agreements in the UK and USA. They are very detailed and contain approximately 20 schedules. 

The usual model consists of an asset transfer agreement and a separate services agreement. For large cross-border projects, a framework structure is used, comprising a framework asset transfer agreement and a separate framework services agreement, under which local-to-local asset transfer agreements and services agreements are concluded.

Although alternative models are sometimes used, 95% of outsourcing will be contracted, one-to-one, with an asset transfer agreement and a separate services agreement. Multi-vendor agreements (between the customer and a number of service providers) are also common. Joint ventures (JVs) are rare, mainly because a JV structure is rather complicated and expensive. This will only be used where the customer and service providers wish jointly to set up a new business. 

A new development that is getting underway is a shift towards contracting on customer experience, business outcomes and value creation, rather than contracting only or primarily on a fixed cost, fixed service level basis.

Digital transformations have not, as yet, led to significant changes in contract models for sophisticated customers with sufficient clout. Some smaller changes that have been noted are as follows:

  • where IaaS or PaaS are used as part of the services, it is not uncommon to see part of these terms being passed through to the customer back to back (ie, restricting the claims against the service provider to the extent allowed by the pass-through terms), depending on how much clout the customer has to shift the discrepancy in liabilities to the service provider;
  • where digital transformations are part of the scope it is common to see more complex schedules describing digital transformation plans and expected results, ways of working and governance employed in the transformation;
  • where digital transformations include AI and/or machine learning as part of the scope, there has been an increase in specific terms relating to data protection, transparency of algorithms and data governance aspects of AI;
  • where digital transformations include AI and/or machine learning as part of the scope, there is also a trend towards clients setting up and enforcing formal AI principles and codes of conduct (which may in some cases be more stringent than any current applicable law) so as to provide additional guidance to suppliers on the ethical use of AI; and
  • where digital transformations are part of the scope there has also been an increase in "pseudo-agile" terms, ie, service providers and customers will attempt to include obligations in the contract and project governance to employ agile ways of working, while still also incorporating obligations on the outcome. 

The main customer protections are the following:

  • no exclusivity for the service provider;
  • no volume commitment on the customer;
  • a detailed service description;
  • appropriate service levels;
  • tailored service credits;
  • an appropriate governance and contract change structure;
  • a benchmark clause (like-for-like comparison of pricing and service levels);
  • a step-in right;
  • GDPR compliance; and
  • an audit clause.

By the Customer

The customer can terminate the contract for cause. Significant breaches of service levels and serious regulatory compliance or data security and privacy incidents are often specifically mentioned as providing cause for termination. Sometimes, outsourcing or services agreements provide a termination right to the customer where there has been a change of control in the service provider, especially in contracts relating to mission-critical services or services provided to regulated financial institutions. 

Customers can also, almost always, terminate for convenience. In the case of termination for convenience, the customer must pay termination compensation. There is no fixed formula for calculating this compensation as this is a matter of freedom of contract. In general, the compensation consists of unrecovered costs and a small lost-margin component. Furthermore, in the financial industry, the customer may terminate the agreement if a regulator requires a termination.

By the Service Provider

The service provider can usually only terminate for material breach (most notably, prolonged non-payment of invoices). It is highly unusual to allow a service provider to terminate for convenience. 

Dutch statutory law does not define the difference between direct and indirect loss. Under the influence of Anglo-American contracts and terms, the concept is often used in Dutch law agreements. In such an event, it is wise to exactly define the damages considered direct and those considered indirect. However, it can be hard to reach agreement on these distinctions, as the customer will try to include as much as possible under the definition of direct damages while the service provider wishes to exclude as much as possible from this definition. 

It may, therefore, be better practice to refer to the statutory definition of damages and leave the decision to the courts. This means that damages that are reasonably attributable to the event that caused the damages, and to the party that caused the damages, must be paid. In addition, pure loss of profit and turnover can be excluded.

The liability of both parties must always be capped. The market standard caps vary between 12 and 36 months of fees.

Dutch law provides for certain implied terms in relation to the quality of goods sold and the provision of services. However, these implied terms are typically not mandatory in B2B contracts and are usually explicitly excluded or superseded by the contents of the contract.

Contracts commonly include, in addition to contractual obligations under Article 28 of the GDPR:

  • requirements for the service provider to take appropriate technical and organisational security measures and continuously improve these requirements to remain in line with relevant state-of-the-art measures; 
  • requirements for the service provider to materially comply with the customer’s security policies and standards, or the service provider’s own policies if they are equivalent or better; 
  • requirements for the service provider to test its security regularly using scenarios that are appropriate to the particular services and improve the security as required;
  • requirements for the service provider to meet obligations incumbent on it under data protection law, and not to act so as to cause the customer to breach its obligations under data protection law; 
  • requirements for the service provider to support the customer in meeting its obligations vis-à-vis its regulator and its data subjects;
  • restrictions on the ability of the service provider to export data or employ subcontractors without the explicit consent of the customer; 
  • restrictions on the ability of the service provider to use data for its own purposes;
  • requirements to support the remediation of data breaches, regardless of whether the service provider is at fault for the relevant data breach;
  • a governance set-up for joint response to data breaches and other cybersecurity incidents; 
  • a contractual indemnity with an elevated cap for the benefit of the customer with respect to damages suffered by the customer resulting from breaches of data protection legislation caused by the actions of the service provider;
  • a requirement for the service provider to insure itself appropriately in respect of cybersecurity incidents; 
  • a step-in right for the customer, where required, to safeguard the security and integrity of data or services; and
  • audit rights in respect of data and cybersecurity.

Should the technology or outsourcing be cloud based, the contract terms will basically remain the same as the terms are generally drafted in a technology-agnostic manner. However, there may be additional detail in respect of data security and the processing location, depending on the jurisdictions involved. In other words, specific requirements in relation to encryption may be included for some types of data. 

The rules governing employee transfers in outsourcing are based on the EU Acquired Rights Directive (ARD). Under the ARD, employees who are predominantly working on the activities that are to be transferred will, where the ARD (as implemented in the Netherlands) applies, transfer to the service provider together with their applicable employment terms and conditions, by operation of law. In general, the ARD will apply if significant assets are to be transferred to continue the economic activity or, in the case of labour-intensive activities, the majority of the employees (considering number and expertise) will be offered employment by the new service provider. EU and Dutch case law on ARD/TUPE is numerous and granular, but at essence is based on ever-increasing protection of employment/employees, which should ensure that employees "follow their work".

Works council consultation (ie, the right to advice prior to implementing the proposed decision) is almost always required (under Article 25 of the Dutch Works Councils Act).

Trade union consultation is required if control in (part of) the "undertaking" is transferred or if this requirement follows from the applicable collective labour agreement. 

Trade union consultation is also required where it is anticipated that 20 or more employees will be made redundant within a timeframe of three months.

Market practice on employee transfers in the Netherlands is:

  • application of the principles of the ARD, as described in 5.1 Rules Governing Employee Transfers; and
  • staff transfers under the ARD are becoming less common because the parties (including the employees) arrange otherwise, which quite often means that the employees are offered an attractive redundancy package.

Where remote work is still performed in the Netherlands, requirements in respect of worker safety will also apply to the remote work location. 

Where remote work is performed outside the EEA, the GDPR’s restrictions on the transfer of personal data will come into play to the extent that EU personal data is used by the remote worker, as it will then by necessity have been processed outside the EEA by being transmitted to the remote location.

Greenberg Traurig, LLP

Beethovenstraat 545
1083 HK Amsterdam
The Netherlands

+31 651 289 224

+31 20 301 7350

Herald.Jongen@gtlaw.com www.gtlaw.com
Author Business Card

Law and Practice in Netherlands

Authors



Greenberg Traurig, LLP is an international law firm with approximately 2,500 attorneys serving clients from 43 offices in the United States, Latin America, Europe, Asia and the Middle East. The firm’s dedicated technology and outsourcing team advises on a full range of legal issues impacting outsourcing situations, including tax implications, employment, real property and intellectual property issues. The global team consists of more than 75 lawyers, six of whom are located in Amsterdam. The team handles and negotiates the full spectrum of services for clients, from standard transactions to highly complex multinational transactions. Recent transactions include cross-border business process outsourcing (BPO) projects for multinational banks, insurance companies and asset managers.