The Norwegian IT outsourcing market continues to grow and has matured considerably over the past decade. The trigger for sourcing projects is usually digital innovation in combination with cost reduction. The cloudification of both infrastructure and applications remains an important trend in Norway.
The degree of outsourcing is quite high in respect of IT services, particularly with regard to IT infrastructure and application maintenance, as well as the full suite of services (including application development) captured in Software-as-a-Service offerings. Almost all large Norwegian companies have most of their IT outsourced, the main exceptions being the larger health organisations, the armed forces and the main power distributors. However, the occasional first-generation outsourcing project still occurs.
The most prominent impact caused by COVID-19 was service providers' ability to provide support services with personnel forced to work from home. Due to the information security issues surrounding such a set-up, many service providers have struggled to maintain agreed service levels. This issue created some debate as to whether force majeure relief grounds came into play in the contracts between customers and service providers.
BP outsourcing typically involves back-office functions, such as payroll, accounting, customer services and claims handling, as well as facility management, administrative services (secretarial functions) and procurement. Digitalisation is an increasingly important reason for BP outsourcing, including in particular the use of cloud-based services and robotic process automation.
Although the Norwegian BP outsourcing market has grown during the recent years, BPO providers faced challenges during the COVID-19 crisis as they were forced to integrate work-from-home arrangements into their business operations. However, these challenges triggered a shift towards a more adaptable and scalable environment that will benefit both the BPO industry and its customers in the long term.
Digitalisation and cloudification are important drivers for outsourcing projects. As for much-talked-about technology such as AI, robotics and blockchain, our impression is that it is still too immature to be used in any business-critical systems. The number of providers of, for instance, AI is increasing rapidly, but the technology is often still in a pilot project phase. Such pilot projects, carried out in collaboration between a customer and a supplier, can be challenging from an intellectual property rights perspective. Testing new technology often involves close co-operation between technologists of the customer and the supplier, and customer data is often a key input factor. Ownership of intellectual property rights and data must be clearly regulated.
That being said, AI components are becoming a more common tool for automation, for instance in larger ERP systems.
Under Norwegian law, outsourcing transactions as such are not subject to any general, non-sector-specific regulation.
Certain general statutory requirements may affect a company's ability to outsource. The Accounting Act (Act No 73 of 19 November 2004) is applicable to all entities obliged to submit annual accounts in Norway, and sets out requirements regarding storage of and access to accounting material that are relevant when offshoring accounting systems. Furthermore, an outsourcing transaction almost always involves the transfer of personal data from a customer to a supplier, in which case the EU General Data Protection Regulation (2016/679) (GDPR) applies, supplemented by the Norwegian Data Protection Act (Act No 38 of 15 June 2018). See 2.3 Legal or Regulatory Restrictions on Data Processing or Data Security and 2.5 Contractual Protections on Data and Security.
Public sector outsourcings may be subject to rules on public procurement, see 2.2 Industry-Specific Restrictions.
Seeing that regulatory requirements may have a bearing on the design of the customer's sourcing strategy, compliance considerations should be addressed at an early stage of the sourcing process.
Financial Services Sector
Outsourcing transactions in the financial services sector are subject to a number of sector-specific regulations. The Norwegian Financial Supervisory Authority (NFSA) is responsible for supervision and enforcement of such regulations.
The NFSA has issued a circular ("RFT 2020-3") that provides an overview of the relevant sources of law for outsourcing by regulated entities, as well as compliance guidelines. Said circular also references the outsourcing guidelines adopted by the European financial supervisory authorities EBA, EIOPA and ESMA. The NFSA explicitly states that it will take the European guidelines into account in its enforcement activities. However, the NFSA has reminded Norwegian market participants that Norway has a gold-plating regime, including stricter requirements for notifying outsourcing arrangements to the NFSA and a prohibition on financial institutions outsourcing "core tasks".
In summary, the NFSA circular describes certain requirements in respect of:
Both the Norwegian ICT Regulation (Regulation No 630 of 21 May 2003) and the Risk Management and Internal Controls Regulation (Regulation No 1080 of 22 September 2008) require the parties to enter into a written outsourcing agreement, and set out certain requirements for the provisions of such an agreement. The agreement shall include a right for both the institution and the NFSA to inspect and audit the outsourced activities, and shall ensure that the supplier possesses adequate resources to perform the outsourcing agreement. The audit right is challenging in respect of global cloud infrastructure providers, for whom it is impracticable, and unacceptable from a risk perspective, to open up audit rights for all customers and authorities. However, many service providers undergo independent third-party audits and offer customers and authorities access to the reports from such audits. This approach is generally accepted by the authorities.
Pursuant to the Norwegian Financial Institutions Act (Act No 17 of 10 April 2015) Section 13-4, financial institutions (including without limitation banks and insurance companies) may not outsource parts of their business that constitute "core tasks" except as otherwise provided in provisions made in or pursuant to law. By way of example, a bank's credit assessment as such cannot be outsourced.
Notification of outsourcing arrangements
Certain financial institutions (banks, credit institutions, payment institutions, e-money providers, insurance companies, pension schemes, regulated markets, CSDs) are obliged to notify the NFSA when entering into an outsourcing agreement, and of any subsequent changes to such an agreement and any change of contractor. However, in the case of IT outsourcing, said notification obligation only applies to ICT activities covered by the Norwegian ICT Regulation. Please note that the NFSA has adopted a new regulation regarding notification of outsourcing agreements that enters into force in 2022. The new regulation, amongst other things, extends the scope of the notification obligation to a larger group of regulated entities and specifies what information is to be provided in the notification.
Various additional regulations apply to outsourcing by specific regulated entities, such as the Norwegian Financial Companies and Financial Groups Act, the Norwegian Securities Trading Act and Regulation, the Norwegian Securities Fund Manager Regulation, the Norwegian Alternative Fund Manager Act and Regulation, and the Norwegian Central Depositaries Act.
The public sector's procurement of outsourcing services must comply with mandatory public procurement legislation (Act No 69 of 16 July 1999 and Regulation No 402 of 07 April 2006). The main principle under Norwegian procurement legislation is that all public procurement shall be based on competitive bidding.
Contracts are subject to public procurement legislation if their estimated value is equal to or exceeds NOK100,000, excluding VAT. An outsourcing transaction would normally exceed this threshold. Which part of the Public Procurement Regulation applies to an individual contract depends on the estimated value of the contract.
The choice of a tender procedure other than the open and restricted procedures is subject to the fulfilment of certain conditions stipulated in the Public Procurement Regulation. For example, the negotiated procedure may be used if the procurement's character, complexity, legal or financial composition or inherent risk makes it necessary to negotiate. In addition, the choice of tender procedure depends on the estimated value of the contract.
The Public Procurement Act is accompanied by several regulations that set out more detailed, sector-specific rules, such as the Utilities Regulation, the Defence and Security Regulation, and the Regulation on Concessions Procurement.
Outsourcing arrangements usually require the supplier to process personal data on behalf of the customer. The GDPR was incorporated into the EEA agreement and became applicable in Norway on 20 July 2018. Thus, Norway is bound by the GDPR in the same manner as EU Member States. The GDPR was incorporated into national law by means of the new "Personal Data Act" (Act No 38 of 15 June 2018).
In addition to the Personal Data Act and the GDPR, there are several sector-specific regulations that impact data protection, such as the Personal Health Data Filing System Act (Act No 43 of 20 June 2014), the Act on Patient Medical Records (Act No 42 of 20 June 2014), the Health Research Act (Act No 44 of 20 June 2008), the Health Personnel Act (Act No 64 of 2 July 1999), the Act on Police Records (Act No 16 of 28 May 2010), and the Schengen Information Systems Act (Act No 66 of 16 July 1999).
The Roles of the Parties
In the context of an outsourcing agreement, the customer will normally determine the purposes and means of processing personal data. Therefore, the customer will be the controller pursuant to the GDPR, and the supplier the processor. As a controller, the customer is obliged to assess each processor to determine whether such processor will implement the appropriate technical and organisational measures to ensure that its processing complies with the applicable data protection legislation. Further, the processor must be appointed under a binding agreement in writing, and the contractual terms must as a minimum include the obligations set out in Article 28 of the GDPR. See 2.5 Contractual Protections on Data and Security.
Transfer of Personal Data
In many cases, the supplier or its sub-suppliers (sub-processors) will transfer personal data outside the EU/EEA. Remote access, for instance through the provisioning of support services from a third country, is considered a transfer out of the EU/EEA. Such transfer is prohibited unless the parties ensure that appropriate safeguards as prescribed by the GDPR Chapter V have been put in place.
In its judgment of 16 July 2020 (C-311/18 – "Schrems II"), the Court of Justice of the European Union (CJEU) held that the data subjects whose personal data are transferred to third countries must be afforded a level of protection essentially equivalent to that guaranteed within the EU/EEA by the GDPR. Further, the CJEU found that the EU-US Privacy Shield could no longer be relied on as a safeguarding mechanism for transferring personal data to the organisations in the USA that had signed up to it, partly because it did not prevent access to personal data by surveillance authorities.
Finally, the CJEU found that use of standard contractual clauses (SCCs) must be combined with a documented risk assessment of the measures implemented by the data importer to ensure the security of the data, as well as of the data protection legislation in the country of the importer. The new SCCs were published on 7 June 2021; they implement some of the requirements of Schrems II and adapt the clauses to the specifications of the GDPR. From 27 September 2021 onwards, only the new SCCs can be concluded, and from 27 December 2022 onwards, all data transfers must have been switched to the new SCCs.
The EDPB Guidelines adopted on 18 June 2021 (01/2020) prescribe a six-step roadmap for data transfers:
Ideally, this stepwise process should be initiated at the outset of a sourcing process, as it might affect the composition and location of sub-suppliers.
The Norwegian Data Protection Authority (NDPA) has a wide range of powers, including to issue warnings or reprimands for non-compliance, to order the controller to disclose a personal data breach to the affected data subjects, to impose a permanent or temporary ban on processing, to withdraw a certification and to impose an administrative fine.
Pursuant to the GDPR, administrative fines can be up to EUR 20 million or up to 4% of the business' worldwide annual turnover from the preceding financial year, whichever is higher. Additionally, pursuant to the Personal Data Act Section 29, the NDPA can impose a daily fine which runs for each day following the expiry of the time limit set for compliance with the NDPA's order until the order has been complied with.
Pursuant to Article 28 of the GDPR, the data processing agreement (or similar arrangement) must include certain minimum provisions. These include requirements that the processor shall ensure the security of the personal data, only process personal data in accordance with the documented instructions from the controller, assist the controller with specific obligations of the controller pursuant to the GDPR, and that the obligations towards the controller shall be mirrored in any agreements with sub-processors. Further, the processor shall make available to the controller all information necessary to demonstrate compliance with the GDPR, including by contributing to audits and inspections. The data processing agreement usually includes provisions on the allocation of costs incurred in relation to such audits, and on the extent to which the customer is allowed to inspect the supplier's sub-processors' premises.
The EDPB Guidelines on the concepts of controller and processor (07/2020) provide further guidance on the regulations of data processing agreements. Said guidelines warn that a data processing agreement should not merely restate Article 28 of the GDPR, but include specific, concrete information as to how the requirements in Article 28 will be met. In particular, the agreement should include specific details of the security measures that the processor must put in place to safeguard the data.
Data processing agreements with suppliers usually include specific liability provisions for economic losses resulting from a breach of contractual obligations related to data protection. Negotiations typically revolve around the question of whether the liability cap for direct damages in the contract shall apply to administrative fines and economic loss inflicted on the customer due to the vendor's breach of its data processing obligations as a processor. Customers will typically want to rely on the allocation of liability between the controller and processor as set out in Article 82 of the GDPR, while vendors will try to limit the liability in line with other economic losses, but frequently offer a so-called "super cap", which is a higher liability cap than that agreed for other economic losses under the contract.
The contractual structure of outsourcing agreements varies from project to project, but in a direct outsourcing agreement the main elements are usually as follows:
Additionally, a first-generation outsourcing will typically involve transfer of employees and assets from the customer to the vendor – either as an asset transaction or through a sale of the shares in a separate legal entity established by the customer for the internal IT services.
In the event that group companies of the customer shall benefit from the services from the supplier, the complexity of the contractual structure increases. The master service agreement can be signed by a centralised legal entity in combination with accession agreements for any group companies that want to make use of the outsourced services. Alternatively, to increase standardisation, a third-party rights clause may enable group companies to have directly enforceable rights.
For global customer groups, tax considerations might determine whether or not the agreement shall be executed by a central or local unit. Where the vendor provides services to a foreign customer entity, withholding tax may apply in certain jurisdictions. This may be avoided if the vendor has a local entity in that jurisdiction and provides services directly from that entity to the customer's local entity.
Outsourcing arrangements in Norway are most commonly structured as direct sourcing agreements, see 3.1 Standard Supplier Customer Model. Alternative contractual models are multi-sourcing, joint ventures, or outsourcing via a captive entity (see 3.3 Captives and Shared Services Centres).
Multi-sourcing refers to procuring services from different suppliers for separate elements of a customer's service requirements, a contract model which rose to popularity about a decade ago. Until that point, customers typically outsourced their entire service requirement to one supplier. However, multi-sourcing requires complex regulation of the allocation of responsibilities, supervision, acceptance and non-performance across multiple suppliers. Further, it requires a robust and disciplined organisation on both the customer's and the supplier(s)' side to be able to properly administer the service delivery. Against this background, the trend has been a move away from multi-sourcing.
Joint ventures are an unusual model for outsourcing in Norway. Outsourcing transactions are usually carried out as either a sale of assets or shares.
The trend that supersedes multi-sourcing is perhaps single-sourcing for each application, which is caused by cloudification. Cloud service providers typically assume all of the capabilities (operation, management, development, etc) related to an application. By contrast, a service portfolio might previously have had one supplier responsible for each specific capability across all of the applications in the portfolio.
The recent trend has been against setting up captives and shared services centres. The few that are left are to an increasing extent being sold to third-party service providers as part of an outsourcing deal, where the assets or shares in the shared services centre are sold to the service provider.
Background Contractual Law Principles
In the event of non-performance from the supplier, pursuant to Norwegian contractual law principles, the customer may have the right to:
Any remedy and/or relief can be excluded by contract, typically by use of an "entire agreement" clause. However, rights and remedies under Norwegian law are usually not excluded in outsourcing contracts.
Customary Contractual Protections
Traditional statutory remedies or relief such as withholding payment, price reduction, damages or termination can be impractical in a long-term collaborative relationship and are often not utilised during the term of outsourcing contracts. Consequently, specific customer protections and supplier incentive mechanisms have been designed, of which the following are typically included depending on the scope and size of the relevant outsourcing contract:
In outsourcing agreements with cloud service providers, the available customer protections are usually more limited. By way of example, sole-remedy clauses commonly limit the customer's contractual remedies in the event of breach to an obligation on the part of the supplier to rectify or, alternatively, to issue a refund.
Usually, the customer may terminate for convenience with a six- to 12-month notice period, against payment of termination fees. However, the parties frequently agree that the agreement shall not be terminated for convenience during an initial term of 12 to 24 months. Additionally, outsourcing agreements typically allow for termination in the event of material default (usually if the supplier has failed to remedy the material default within a reasonable time), change of control, and in the event of filing for bankruptcy or composition proceedings, or the appointment of an administrator over the supplier.
Finally, the outsourcing agreement should spell out detailed termination management arrangements. Service provisioning must continue in order to allow the customer to conduct its business, while both parties prepare to disengage and either repatriate operations to the customer or transfer them to another supplier. Termination management resembles the initial transition project, and commonly includes the following:
Most often, the termination fee is an agreed lump sum which decreases over the term of the agreement. In some cases the termination fee is calculated from different commercial components related to the supplier's shutdown costs, transitional expenses and possibly part of the anticipated profit from the remainder of the term.
The parties to an outsourcing agreement are generally free to limit and/or exclude any liabilities with the exception of liability for gross negligence or wilful misconduct. In addition, the parties normally agree not to be liable for loss of profits, business, revenue, goodwill or for any other indirect loss of the other party.
The supplier's liability is usually limited to an agreed monetary cap at a fixed amount or more often the accrued or paid charges during an agreed number of months (typically the 12 months preceding the event giving rise to liability).
Please note that cloud service providers usually limit their liability to a greater extent than other service providers. Their application is often made available to a significant number of customers, and incidents usually affect all or most of such customers. With this background, they commonly insist on sole remedy clauses excluding liability for the customer's economic loss, or a lower monetary liability cap.
General Norwegian contractual principles apply unless the parties have agreed otherwise. It is not common to exclude such implied terms in outsourcing agreements, but rather specify their application in the context of the specific contract. As an example, there is a general principle under Norwegian law that a party can terminate the contract if the other party has materially breached its contractual obligations. Without more, this generic principle will typically leave doubt as to what level of breach is required to meet the materiality test.
A good outsourcing contract will address this by setting forth non-exhaustive examples of typically encountered situations that will be considered a material breach. An example can be the number of days of delay (typically 100 days), or a defined level of SLA breach.
In Norway, employees transfer to a supplier by law if the transfer falls under Chapter 16 of the Norwegian Working Environment Act (the "TUPE regulations"), which implements EU Directive 2001/23 in Norway. The TUPE regulations apply when the following key conditions are fulfilled:
The question of whether a specific outsourcing will be covered by the TUPE regulations will depend on a concrete and overall assessment, where the following are normally key:
By law, an employee may oppose the transfer of the employment to the supplier. If an employee exercises this right, the employment relationship will not transfer to the supplier. Employees who have been employed for a total of 12 months over the last two years before the date of transfer, and who object to the transfer of employment, have the right to new employment with the former employer for one year from the date of transfer, unless the employee is not qualified for the position. The right to new employment lapses if the employee has not accepted an offer of employment in a suitable position within 14 days after receiving the offer.
If an outsourcing is regarded as a transfer of undertaking, the rights and obligations of the former employer, ensuing from the employment agreements in force at the date of the transfer, will be transferred to the supplier. The supplier is also bound by any collective pay agreement that was binding upon the former employer. This does not apply if the supplier, within three weeks after the date of transfer, declares in writing to the trade union that the supplier does not wish to be bound. The transferred employees have, however, the right to retain the individual working conditions that follow from a collective pay agreement that was binding upon the former employer. This shall apply until the collective pay agreement expires or until a new collective pay agreement is concluded that is binding upon the supplier and the transferred employees.
The employee’s right to earn further entitlement to retirement pension, survivor’s pension and disability pension in accordance with a collective service pension scheme shall also be transferred to the supplier. The supplier may, however, decide to make existing pension schemes applicable to the transferred employees.
The previous employer and the new employer (ie, the supplier) are obliged to discuss the transfer of the undertaking with the employees’ elected representatives as early as possible. This information shall include reasons for the transfer, date or proposed date of the transfer, the legal, economic and social implications for the employees, changes in circumstances relating to collective pay agreements, measures planned in relation to the employees, rights of reservation and preference and the time limit for exercising such rights. The same information shall also be given to the affected employees as early as possible.
The parties to an outsourcing contract cannot contract out of employees' TUPE rights. Outsourcing contracts will therefore typically address the financial consequences of employees exercising their right to transfer to the (new) supplier. A new supplier may not need these additional employees to provide the services, and may not have calculated the additional cost of such employees in its pricing towards the customer. The new vendor may, for example, rely on a global delivery model, or be able to scale its delivery capabilities without adding more human resources (eg, through robotic process automation). In such cases, the new vendor will therefore typically insist on a price adjustment clause or an indemnity from the customer to offset such potential additional costs.
Where the customer needs to get buy-in for the outsourcing initiative from union or other employee representatives, additional employee protections, such as rights to continue the employment with the (new) supplier during a certain period of time, and minimum salary increase commitments, are typical.
To the extent an outsourcing arrangement involves an asset transfer, the parties may enter into a separate asset transfer agreement. Traditionally, the assets in question are servers, and may also include some operational licences. The asset transfer agreement governs the transfer of such assets and expires once the transfer has been completed. In the event that the assets are organised in a separate legal entity, the transfer is typically done through a sale of the legal entity altogether, under a share purchase agreement.
While early generation outsourcings in Norway involved quite extensive transfers of assets from the customer to the supplier, asset transfer agreements in modern outsourcings are increasingly rare. Modern outsourcing arrangements usually do not necessitate the transfer of assets, because the new vendor will establish new infrastructure – typically by utilising public cloud infrastructure.
Postboks 1484 Vika
+47 23 11 11 11
+47 23 11 10 10
www.thommessen.no
Developments in the Norwegian Outsourcing Industry
This article will highlight the following five trends of the Norwegian outsourcing industry:
Digitalisation and new technology
Digital transformation continues to integrate technology into all areas of a business, fundamentally changing how businesses operate and deliver value to customers. As a part of this development, mature organisations are increasingly outsourcing their application development work. The traditional first-generation outsourcing projects began with infrastructure, and continued with application maintenance. For a long time, companies were hesitant to outsource application development, presumably because of its proximity to their core business. Now, however, the quality of the selection of standard software has led to a shift in this stance. Application development sourcing involves licensing standard products from a supplier that can tailor such products to the customer's needs and develop the necessary integrations with the rest of the stack.
Although a lot of new technology is still too young to be used for business-critical purposes, the Norwegian market has an appetite for disruption and for taking part in the new digital value chain. Further, although international comparisons still indicate that Oslo and Norway are lagging behind the other Scandinavian countries in terms of the number of start-ups, Oslo's attractiveness as a start-up destination is increasing and the number of tech start-ups and scale-ups continues to grow.
One of the specific technology trends that we see is gamification. A lot of business-to-business applications look increasingly similar to consumer-facing applications. The Norwegian ed-tech unicorn Kahoot is a relevant example of this trend. The company, which provides a game-based online learning service that lets players create and engage in multiple-choice quizzes, has grown rapidly since its foundation in 2012 and started trading on the Oslo Stock Exchange main list in 2021.
In addition to the purely technological changes, digitalisation often requires organisational and cultural changes to enable proper administration and use of the new technology. In other words, the customer might be relatively new to both the services and how to best utilise such services. From a legal perspective, this requires clear and detailed regulations of the parties' obligations and deliverables.
In summary, there is a significant increase in the amount of application implementation and development projects in the Norwegian outsourcing market.
Cloudification and re-sourcing
"Cloudification" – meaning IT resources increasingly being sourced from cloud-based services – is a major trend in Norway as well as globally. Most organisations look to re-source their current on-premises solutions to cloud-based solutions. This was originally driven by a perceived cost benefit (which often proves not to be the case) but more and more driven by the need to move to more modern solutions using cloud technology.
One cloudification trend is the increasing supply and adoption of Software-as-a-Service (SaaS) solutions, where the software provider offers its standard functionality to multiple end-users through a mobile app or a web browser. The SaaS vendor's service includes a fully integrated solution comprising hosting, maintenance and development of the solution. The SaaS vendor typically hosts its solution using public cloud infrastructure services from Amazon Web Services (AWS), Microsoft Azure or Google Cloud. Typically, the more consumer-oriented applications, and increasingly enterprise software, are delivered as SaaS solutions.
A second cloudification trend is that suppliers of more complex business solutions, such as enterprise resource planning (ERP) systems, increasingly offer customers implementation and hosting of the implemented solution on dedicated public cloud infrastructure installations from AWS or Azure. However, the supplier does not assume any responsibility for the offered infrastructure beyond the guarantees and remedies offered by the cloud provider, and is therefore usually careful to flow down the public cloud infrastructure provider's terms and conditions. In many re-sourcing projects during the last couple of years, businesses have bought new, cloud-based software solutions in substitution for their outdated on-premises solutions.
A third cloudification trend is the move of IT infrastructure components such as servers and storage facilities from dedicated, on-premises solutions to cloud-based solutions such as AWS and Azure. During the last couple of years, we struggle to find entities without any infrastructure cloud transformation agenda or plans. In practice, such plans are typically executed in connection with the expiry of their traditional IT infrastructure outsourcing contracts, where the same capabilities are re-sourced as cloud-based solutions. Such re-sourcing usually reduces the scope of the originally large outsourcing arrangements because much of the IT infrastructure is now delivered with the new cloud-based applications. The similar trend is seen in respect of the traditional large application services contracts for the same reason.
Data protection following the Schrems II judgment
In its judgment of 16 July 2020 (C-311/18 – "Schrems II"), the Court of Justice of the European Union (CJEU) held that the EU-US Privacy Shield was invalid and that the standard contractual clauses (SCCs) must be supplemented by a documented risk assessment and possibly additional measures to ensure an adequate level of protection. This came as a shock to the vast number of companies using public cloud providers based outside the EEA – Azure and AWS in particular.
Several supervisory authorities throughout Europe took initiatives to enforce the CJEU's decision, and the European Data Protection Supervisor (EDPS), which oversees the protection of personal data and privacy by EU institutions, launched two investigations into the use of cloud services by EU institutions. Many suppliers were taken aback by the rather complex "transfer impact assessment" necessary for transfers of personal data outside the EEA.
Public cloud providers such as Azure and AWS offer their customers the option to select a data centre located in the EEA. However, while this option does mitigate some data protection-related risks, it does not mean that there is no transfer of personal data outside the EEA in the sense of the GDPR. A data transfer occurs, for instance, when access to the cloud data is required from outside the EEA for the delivery of support and maintenance services. As a result, use of the majority of the international cloud providers entails a transfer of personal data outside the EEA. If this is the case, the company needs to rely on a compliant data transfer mechanism pursuant to Chapter V of the GDPR, and perform a data transfer risk assessment.
In the aftermath of the Schrems II decision, both the public cloud providers and suppliers delivering hosted solutions have been forced to invest in data protection compliance and information security. Following the initial panic, our impression is that the suppliers are now maturing. Partly helped by the guidelines on transfer of personal data published by the European Data Protection Board on 18 June 2021, they are beginning to establish appropriate measures and implement compliant SCCs.
The increased complexity of the EU and national regulatory regime affects most, if not all, outsourcing customers. The responsibility and liability for changes in regulatory requirements must be clearly regulated in the outsourcing agreement, as changes in regulatory requirements often necessitate new IT functionality.
In particular, the regulatory regime applicable to the financial sector has grown significantly, both in terms of scale and complexity. Recent studies show that the costs of compliance for the financial sector are increasing rapidly. In the European Commission's own study on the costs of compliance published in 2020, it highlights the use of "regtech" as a key tool for compliance cost saving. Regtech is defined as the use of technology in relation to regulatory monitoring, reporting and compliance.
Roughly put, most EU regulations apply in Norway through the EEA Agreement. Experience shows that the possibility of automating and standardising compliance and monitoring processes is a key driver for outsourcing.
In this respect, it is worth mentioning that Norway has a gold-plating regime, ie, several additional and stricter requirements than those set out in the EU regulatory regime. A relevant example is the obligation for certain financial institutions to notify the Norwegian Financial Supervisory Authority (NFSA) prior to entering into an outsourcing agreement, as well as of any subsequent changes to such an agreement and any change of contractor. In order to enable the NFSA to object to or propose amendments to the outsourcing agreement, there is a 60-day standstill period between notification and implementation of the agreement.
Further, the NFSA recently adopted a new regulation regarding such notification that enters into force in 2022. The new regulation, amongst other things, extends the scope of the notification obligation to a larger group of regulated entities and specifies what information is to be provided in the notification.
Social media platforms under pressure
Traditionally, a business marketed its online presence through its website. Developments over the last few years have moved this marketing to social media platforms. However, social media platforms have recently been put under great pressure. Pressure has been exercised both through sanctions from competition and data protection authorities, and through newly proposed legislation that threatens to revolutionise the governance of digital platforms.
This trend is also clear in Norway. A recent example is the Norwegian Data Protection Authority's (NDPA) decision to stop its own use of Facebook as its communications platform. In September 2021, the NDPA published a statement and a DPIA to explain its decision not to use a Facebook Page in its communication activities. Its press release states that the original objective of the assessment was to enable the NDPA to make an informed decision. However, when the NDPA concluded that it should not use Facebook due to the risks to the users' rights and freedoms, it decided to also publish the DPIA to enable organisations in Norway to benefit from its risk assessment. Although the NDPA emphasises that its assessment has been performed in its role as a data controller, not as a supervisory authority, the decision to publish its assessment has gained a lot of attention.
Postboks 1484 Vika
+47 23 11 11 11
+47 23 11 10 10
www.thommessen.no