Technology & Outsourcing 2022

Last Updated October 27, 2022

Netherlands

Law and Practice

Authors



Greenberg Traurig, LLP is an international law firm with approximately 2,500 attorneys serving clients from 43 offices in the United States, Latin America, Europe, Asia and the Middle East. The firm’s dedicated technology and outsourcing team advises on a full range of legal issues impacting outsourcing situations, including tax implications, employment, real property and intellectual property issues. The global team consists of more than 75 lawyers, six of whom are located in Amsterdam. The team handles and negotiates the full spectrum of services for clients, from standard transactions to highly complex multinational transactions. Recent transactions include cross-border business process outsourcing (BPO) projects for multinational banks, insurance companies and asset managers.

The key market developments in IT outsourcing are:

  • significantly heightened awareness of, and focus on, privacy and data security; 
  • increasing focus on “as a service” contracts to replace traditional models;
  • the transition to the cloud, including service providers themselves moving to Infrastructure as a Service (IaaS); 
  • the increasing importance of service integration and architecture integration, since customers work with a larger number of service providers;
  • pressure on IT departments as service providers to work directly within the business of the customer; and
  • the development of new ways of contracting service levels and pricing models, through Xperience Level Agreements (XLA) and pricing based on (business) value creation.

COVID-19 has had a huge and lasting impact on the use of technology. Videoconferencing and virtual collaboration have replaced at least 75% of telephone conversations. Employees have also continued to work partly from home since COVID-19 and employers have generally been supportive. Moreover, the Dutch government passed into law a bill which provides employees with a statutory right to work from home, except in such cases where working from home would seriously harm the company’s interests or the employee’s performance of their duties. This law does not apply to companies with fewer than ten employees.

The key market developments in BPO are:

  • BPO is becoming less about labour arbitrage and cost savings, and more about technology transformation and automation, as well as adding value to the business;
  • TUPE staff transfers under the Acquired Rights Directive are becoming less common because the parties (including the employees) arrange otherwise (which quite often means that the employees are offered an attractive redundancy package); and
  • companies are implementing Robotic Process Automation (RPA) as an alternative to BPO, although most programmes are not yet yielding the intended results.

A development that may potentially prove relevant is the ongoing high labour shortage in the Netherlands. To the extent the Dutch economy continues to experience this shortage, companies may elect to start outsourcing business processes that can effectively no longer be staffed in the Netherlands. In any case, this trend is likely to be relevant in the mid-to-long term as the Dutch population ages.

The impact of new technology on the outsourcing market is as follows:

  • the permanent increase in the use of videoconferencing and other virtual collaboration tools (thanks to COVID-19) and companies' increased facility with these tools should simplify working with offshore counterparts, increasing the potential scope for BPO; 
  • customers are struggling to build up internal capabilities to address new technologies and are therefore relying more on IT providers to provide these capabilities, which may drive an increase in IT service operators (ITSOs);
  • AI and robotics are heavily impacting service providers in their delivery centres, which were traditionally built around labour arbitrage, enabling increased automation; and
  • blockchain/smart contracts are typically applied in a larger ecosystem that requires a different mode of co-operation from traditional client-service provider relationships (however, the importance of these technologies is currently negligible, and the current cool-down of crypto markets is likely to slow development there). 

Rules and restrictions on outsourcing apply only in some regulated markets, primarily the financial, insurance, asset management and pensions industries. In other markets, freedom of contract rules.

With respect to technology transactions, the Dutch government has been implementing policies and laws aimed at reducing strategic dependence on foreign powers for vital technologies and knowledge, as well as preventing the acquisition of specific technologies, companies, infrastructure or know-how that are considered vital to the security of the Netherlands. Investment screening and approval is currently required for acquisitions in the power and telecommunications industries and a similar sectoral act is being crafted for the defence industry, with a consultation on this act expected to take place in 2023.

Act Implementing the EU FDI Screening Regulation

Additionally, a non-sector-specific piece of legislation that will apply where no sector-specific act exists was also adopted to implement the EU FDI Screening Regulation. This "act on investment screening in respect of national security risks" will enter into force in 2023. Under this act, any transaction (broadly defined), whether initiated by a foreign or Dutch person, that poses a risk to Dutch national security interests will be subject to screening and approval by the Dutch Ministry of Economic Affairs and Climate. Such a risk may be deemed to exist where the transaction could create a strategically relevant dependency on foreign powers; pose a risk to the continuity of vital processes; or impair the integrity and exclusivity of knowledge or information of vital or strategic relevance to the Netherlands. Note that in most cases, control is not a requirement for a transaction to be deemed relevant (eg, obtaining just 10% of the votes in a general meeting or the ability to appoint a director may also trigger the requirement for investment screening). If the transaction is deemed to pose a risk to Dutch national security, conditions may be applied to the transaction or the transaction may be prohibited.

Note also that the act will have retrospective effect starting from 8 September 2020. In other words, a transaction performed prior to the law’s enactment but after 8 September 2020 may still be reviewed, so companies need to take this into consideration.

With respect to technology transactions, approvals are currently required for acquisitions in the power and telecommunications industries and a similar sectoral act is being crafted for the defence industry, with a consultation on this act expected to take place in 2023. 

From a compliance perspective, other than in respect of data protection regulation, industry-specific restrictions mainly exist in the financial, insurance, asset management and pensions industries and the regulations are, mostly, based on EU legislation. The regulations concerned include the Dutch Financial Supervision Act (FSA) and a number of directives and resolutions under that Act, the Solvency II Directive and the Solvency II Regulations, the AIFMD, the Pension Act, the Dutch Central Bank’s (DNB's) Good Practices for insurers and separate practices for other sectors, and the EBA guidelines on outsourcing to cloud service providers. The main principles of these regulations boil down to the following: 

  • responsibility cannot be outsourced;
  • a written agreement that contains sufficient means for the customer to monitor performance is required;
  • mandatory disclosure by the service provider of circumstances that may affect continuity is required;
  • the customer should be granted sufficient audit rights;
  • a risk analysis is required;
  • in some sectors, the customer must be able to terminate at will (against a termination fee); 
  • there must be restrictions on the further subcontracting of obligations by the service provider, and where such further subcontracting does take place, control and transparency must be retained by the service provider in respect of the outsourced services; and
  • notice of the intended outsourcing to supervisors is often required.

DORA

The most important sector-specific development in the last year has been the approval of the final legislative text for the regulation on digital operational resilience for the financial sector (DORA). 

DORA defines binding standards for ensuring operational security when outsourcing to third-party service providers. These standards impose binding requirements with respect to governance mechanisms, security reviews and resilience testing, incident reporting, and the contract language employed with third parties, with the aim of ensuring that the client remains fully in control of, and accountable for, IT security and risk management. 

From a content perspective, many of the requirements set out in DORA are already part of the EBA and EIOPA guidelines relating to ICT security and risk management. Nonetheless, some requirements have become stricter or more specific, and a full review of existing practices, processes and contract language is advisable to ensure full compliance.

A highly significant change for service providers is that DORA brings them under the direct supervision of the relevant European Supervisory Authorities. Supervisory authorities will be able to assess compliance, require changes to non-compliant practices, and penalise service providers for non-compliance. 

Publication of DORA is expected in late 2022, after which firms will have two years to become compliant; ie, all outsourcing agreements being negotiated at this time should already take DORA into consideration.

The restrictions on data processing and data security are based on the EU General Data Protection Regulation (GDPR). The GDPR restricts cross-border personal data flows to countries that do not offer an adequate level of protection (most countries do, with only a few exceptions). Standard Contractual Clauses (SCC) and binding corporate rules continue to be the data transfer mechanisms that are generally most relied upon by organisations when transferring personal data.

The Dutch Government's Cloud Policy

From the perspective of data protection, the Dutch government is highly pragmatic and, compared to other European countries, quite progressive in its embrace of the cloud, as is evident in the landmark agreement between the Dutch State and Microsoft in 2019, and its agreement with Google in 2022. This stance was also demonstrated by the risk-based assessment of data transfers, adopted by the Dutch Ministry of Justice and Security (the "Ministry") in the Data Protection Impact Assessment (DPIA) on Microsoft Teams. In February 2022, the Ministry published a DPIA on Microsoft Teams, OneDrive and SharePoint. As part of this DPIA, the Ministry also published a data transfer impact assessment (DTIA), based on the Rosenthal format for DTIAs. The outcome of the DTIA was, in summary, that it is extremely unlikely that personal data from Dutch government customers is unlawfully accessed by US authorities, or by authorities in other countries where Microsoft uses subprocessors. Therefore, the risk was assessed as low and the use of Teams could continue. In Austria and Germany, some decisions have been made that point in the direction of rejecting the risk-based approach, so it remains to be seen what the European Data Protection Board (EDPB) and the local supervisory authorities will say about this, if anything (soon). The recent cloud policy of the Dutch government states that most classified government data may be stored in the cloud, as long as certain requirements are met.

The Schrems II Ruling and EDPB Guidance

The Schrems II ruling and the guidance provided by the EDPB continue to keep data controllers who use SCC busy, as under this ruling, controllers must assess whether, given their use of SCC, there is an adequate level of protection in the third country. That is, data controllers cannot simply assume this to be the case, as SCC may, for instance, not be effectively enforceable in said country. Although the EDPB provides six-step recommendations on measures that data controllers and processors can take to simplify the task of enabling compliant data transfers through SCC, the task at hand is not that simple. Step 3, in particular, the rule of law test, is complex to perform. Note that, as part of the data protection impact assessment the Ministry performed in respect of Microsoft Teams, the Ministry has published an analysis of Step 3 (the rule of law test) for the US, so this can be used by companies. The conclusion is (of course) that the US legislation does not meet the rule of law test. Binding corporate rules provide multinational companies with a framework for international data transfers, but it should be noted that the Dutch Data Protection Authority has a significant backlog on approving binding corporate rules.

The NIS and NIS2 Directives

Data security is currently mainly governed by the law on the security of network and information systems (the "Cyber Security Act"), which implements the EU Directive on the security of network and information systems (the "NIS Directive") and consolidates other relevant legislation into one act. The Cyber Security Act establishes a certification framework for IT digital products, services and processes. The NIS Directive identifies sectors which are vital for the aspects of economy and society which rely heavily on IT, such as energy, transport, banking and healthcare. These sectors have to take appropriate security measures and ensure swift notification of any incidents to the relevant authorities. In addition, in keeping with the NIS Directive, the Cyber Security Act also obliges providers of digital services (other than small enterprises) under Dutch jurisdiction to notify material data breaches in respect of their services to the National Computer Security Incident Response Team and the Minister of Economic and Environmental Affairs. Additionally, a variety of sector-specific laws directly or indirectly govern cybersecurity relating to, among others, energy production and distribution, water, telecommunications, seaports, airports, rail, financial services, healthcare, government bodies and other critical infrastructure.

A key development that is starting to become relevant is the progress on NIS2, which will replace the NIS Directive. The European Council and European Commission reached a provisional agreement on a draft of NIS2 on 13 May 2022 and the European Parliament is expected to vote on it in the course of 2022. The NIS2 Directive will have significantly broader scope than NIS. The NIS2 Directive will cover all medium-to-large enterprises and public organisations that perform important functions for the economy or society as a whole. For example, the new directive will also cover social media service providers and the public administration. The NIS2 Directive should also increase the level of harmonisation across member states in respect of scope, security and incident reporting, national supervision and enforcement powers and sanctions, as well as improve the pan-European collaboration of competent authorities.

Although NIS2 is not yet in force, clients and service providers entering into long-term agreements should consider taking stock of the requirements imposed by NIS2 to ensure future compliance.

There is no standard outsourcing agreement in the Netherlands.

The association of IT service providers, NL Digital, has standard terms but these do not, generally, apply to outsourcing. Sourcing Netherlands, the association for outsourcing, has developed a fairly balanced standard form for an outsourcing agreement, which is sometimes implemented. Sophisticated customers will contract on the basis of their own tailored agreement. These agreements are similar to the market standard agreements in the UK and USA. They are very detailed and contain approximately 20 schedules. 

The usual model consists of an asset transfer agreement and a separate services agreement. For large cross-border projects, a framework structure is used, comprising a framework asset transfer agreement and a separate framework services agreement, under which local-to-local asset transfer agreements and services agreements are concluded.

Although alternative models are sometimes used, 95% of outsourcing will be contracted, one-to-one, with an asset transfer agreement and a separate services agreement. Multi-vendor agreements (between the customer and a number of service providers) are also common. Joint ventures (JVs) are rare, mainly because a JV structure is rather complicated and expensive. This will only be used where the customer and service providers wish jointly to set up a new business. 

A new development that is getting underway is a shift towards contracting on customer experience, business outcomes and value creation, rather than contracting only or primarily on a fixed cost, fixed service level basis.

Digital transformations have not, as yet, led to significant changes in contract models for sophisticated customers with sufficient clout. Some smaller changes that have been noted are as follows:

  • where IaaS or PaaS are used as part of the services, it is not uncommon to see part of these terms being passed through to the customer back to back (ie, restricting the claims against the service provider to the extent allowed by the pass-through terms), depending on how much clout the customer has to shift the discrepancy in liabilities to the service provider;
  • where digital transformations are part of the scope it is common to see more complex schedules describing digital transformation plans and expected results, ways of working and governance employed in the transformation;
  • where digital transformations include AI and/or machine learning as part of the scope, there has been an increase in specific terms relating to data protection, transparency of algorithms and data governance aspects of AI;
  • where digital transformations include AI and/or machine learning as part of the scope, there is also a trend towards clients setting up and enforcing formal AI principles and codes of conduct (which may in some cases be more stringent than any current applicable law) so as to provide additional guidance to suppliers on the ethical use of AI; and
  • where digital transformations are part of the scope there has also been an increase in "pseudo-agile" terms, ie, service providers and customers will attempt to include obligations in the contract and project governance to employ agile ways of working, while still also incorporating obligations on the outcome. 

The main customer protections are the following:

  • no exclusivity for the service provider;
  • no volume commitment on the customer;
  • a detailed service description;
  • appropriate service levels;
  • tailored service credits;
  • an appropriate governance and contract change structure;
  • a benchmark clause (like-for-like comparison of pricing and service levels);
  • a step-in right;
  • GDPR compliance; and
  • an audit clause.

By the Customer

The customer can terminate the contract for cause. Significant breaches of service levels and serious regulatory compliance or data security and privacy incidents are often specifically mentioned as providing cause for termination. Sometimes, outsourcing or services agreements provide a termination right to the customer where there has been a change of control in the service provider, especially in contracts relating to mission-critical services or services provided to regulated financial institutions. 

Customers can also, almost always, terminate for convenience. In the case of termination for convenience, the customer must pay termination compensation. There is no fixed formula for calculating this compensation as this is a matter of freedom of contract. In general, the compensation consists of unrecovered costs and a small lost-margin component. Furthermore, in the financial industry, the customer may terminate the agreement if a regulator requires a termination.

By the Service Provider

The service provider can usually only terminate for material breach (most notably, prolonged non-payment of invoices). It is highly unusual to allow a service provider to terminate for convenience. 

Dutch statutory law does not define the difference between direct and indirect loss. Under the influence of Anglo-American contracts and terms, the concept is often used in Dutch law agreements. In such an event, it is wise to exactly define the damages considered direct and those considered indirect. However, it can be hard to reach agreement on these distinctions, as the customer will try to include as much as possible under the definition of direct damages while the service provider wishes to exclude as much as possible from this definition. 

It may, therefore, be better practice to refer to the statutory definition of damages and leave the decision to the courts. This means that damages that are reasonably attributable to the event that caused the damages, and to the party that caused the damages, must be paid. In addition, pure loss of profit and turnover can be excluded.

The liability of both parties must always be capped. The market standard caps vary between 12 and 36 months of fees.

Dutch law provides for certain implied terms in relation to the quality of goods sold and the provision of services. However, these implied terms are typically not mandatory in B2B contracts and are usually explicitly excluded or superseded by the contents of the contract.

Contracts commonly include, in addition to contractual obligations under Article 28 of the GDPR:

  • requirements for the service provider to take appropriate technical and organisational security measures and continuously improve these requirements to remain in line with relevant state-of-the-art measures; 
  • requirements for the service provider to materially comply with the customer’s security policies and standards, or the service provider’s own policies if they are equivalent or better; 
  • requirements for the service provider to test its security regularly using scenarios that are appropriate to the particular services and improve the security as required;
  • requirements for the service provider to meet obligations incumbent on it under data protection law, and not to act so as to cause the customer to breach its obligations under data protection law; 
  • requirements for the service provider to support the customer in meeting its obligations vis-à-vis its regulator and its data subjects;
  • restrictions on the ability of the service provider to export data or employ subcontractors without the explicit consent of the customer; 
  • restrictions on the ability of the service provider to use data for its own purposes;
  • requirements to support the remediation of data breaches, regardless of whether the service provider is at fault for the relevant data breach;
  • a governance set-up for joint response to data breaches and other cybersecurity incidents; 
  • a contractual indemnity with an elevated cap for the benefit of the customer with respect to damages suffered by the customer resulting from breaches of data protection legislation caused by the actions of the service provider;
  • a requirement for the service provider to insure itself appropriately in respect of cybersecurity incidents; 
  • a step-in right for the customer, where required, to safeguard the security and integrity of data or services; and
  • audit rights in respect of data and cybersecurity.

Should the technology or outsourcing be cloud based, the contract terms will basically remain the same as the terms are generally drafted in a technology-agnostic manner. However, there may be additional detail in respect of data security and the processing location, depending on the jurisdictions involved. In other words, specific requirements in relation to encryption may be included for some types of data. 

The rules governing employee transfers in outsourcing are based on the EU Acquired Rights Directive (ARD). Under the ARD, employees who are predominantly working on the activities that are to be transferred will, where the ARD (as implemented in the Netherlands) applies, transfer to the service provider together with their applicable employment terms and conditions, by operation of law. In general, the ARD will apply if significant assets are to be transferred to continue the economic activity or, in the case of labour-intensive activities, the majority of the employees (considering number and expertise) will be offered employment by the new service provider. EU and Dutch case law on ARD/TUPE is numerous and granular, but in essence is based on ever-increasing protection of employment/employees, which should ensure that employees "follow their work".

Works council consultation (ie, the right to advice prior to implementing the proposed decision) is almost always required (under Article 25 of the Dutch Works Councils Act).

Trade union consultation is required if control in (part of) the "undertaking" is transferred or if this requirement follows from the applicable collective labour agreement. 

Trade union consultation is also required where it is anticipated that 20 or more employees will be made redundant within a timeframe of three months.

Market practice on employee transfers in the Netherlands is:

  • application of the principles of the ARD, as described in 5.1 Rules Governing Employee Transfers; and
  • staff transfers under the ARD are becoming less common because the parties (including the employees) arrange otherwise, which quite often means that the employees are offered an attractive redundancy package.

Where remote work is still performed in the Netherlands, requirements in respect of worker safety will also apply to the remote work location. 

Where remote work is performed outside the EEA, the GDPR’s restrictions on the transfer of personal data will come into play to the extent that EU personal data is used by the remote worker, as it will then by necessity have been processed outside the EEA by being transmitted to the remote location.

Greenberg Traurig, LLP

Beethovenstraat 545
1083 HK Amsterdam
The Netherlands

+31 651 289 224

+31 20 301 7350

Herald.Jongen@gtlaw.com www.gtlaw.com

Trends and Developments



Outsourcing is a Net Positive for Most Organisations in the Dutch Market

The Netherlands is a mature market for both business process and IT outsourcing, with some form of outsourcing common across sectors. A recent government-commissioned study shows that approximately 70% of Dutch organisations have outsourced some activities. Of the cases studied, a significant fraction related to core activities (approximately 25%), and a significant fraction related to the outsourcing of complete business functions (approximately 10%). 

The key reasons Dutch organisations outsource activities (self-reported in a study by the Dutch sourcing platform) are to focus on core activities, and to access talent and skills they do not have access to internally. Cost reductions are not mentioned as a key driver, although creating greater flexibility and scalability in the cost structure was mentioned as a driver. A similar study by Whitelane Research in collaboration with Quint provided roughly equivalent results, although the scalability of business processes themselves was also mentioned as a key driver, and in this case, cost reduction was specified as a driver in and of itself. 

Generally speaking, Dutch organisations are satisfied with their outsourcing arrangements and service providers. The study by Whitelane and Quint indicates that approximately 67% of Dutch customers are "satisfied" with their service providers and approximately 24% are "somewhat satisfied". 

The rate of outsourcing is expected to remain stable or increase

Overall, the Dutch market for outsourcing is expected to remain stable, or grow, across most sectors (there is some variation per sector depending on whether the Whitelane and Quint study, or the Dutch sourcing platform study, is taken as a basis). In other words, companies expect they will continue outsourcing services at a similar rate or at a greater rate. Based on the study by the Dutch sourcing platform, the key services that organisations expect to outsource more are the usual suspects: IT, financial processes, customer service, supply chain and logistics services. 

A development that may potentially prove relevant in respect of the rate of outsourcing is the continued labour shortage in the Netherlands. To the extent the Dutch economy continues to experience this shortage, companies may elect to outsource business processes that can no longer be effectively staffed in the Netherlands. This dynamic is already visible to some extent in IT outsourcing, where a lack of skilled employees is driving many companies to turn to consultants. If, on the other hand, the economy were to tilt into recession, which is a distinct possibility, this could also lead to an increase in outsourcing as a cost-cutting measure, although arguably most of the low-hanging fruit in this respect will already have been picked. 

Insourcing remains a niche activity

Despite some hype around insourcing as a result of disrupted supply chains during COVID-19 and the deteriorating overall geopolitical situation, there appears to be only limited customer appetite for it. The Whitelane and Quint study cited earlier shows only 12% of respondents considering insourcing activities. Key considerations for insourcing, according to the report, are faster time to market, the ability to develop internal IP, and lower costs, which are mostly relevant for businesses that have outsourced some of their core product design – that is, considerations of security of supply do not appear top of mind at this time.

Customers and service providers expect a shift from offshoring to near-shoring, but practice does not bear this out

Research by the Dutch platform for sourcing shows that companies expect an increase in near-shoring in the EU or just outside the EU, while traditional offshoring is expected to decline. Although this fits well with the dominant view of a deglobalising world, in the absence of any legislation enforcing the same, it remains to be seen whether this will materialise. In practice, major global players mostly appear to be combining near-shoring and offshoring because cost advantages – as well as certain skill sets and processes – are more effectively captured through the use of at least one centralised offshore location. 

Service providers are increasingly providing and investing in full stack, high value-added services

Outsourcing service providers are seen to be investing heavily in robotics, IaaS and SaaS platforms, and high value-added services (analytics, AI, machine learning). This is driven partially by cost considerations (mainly with respect to robotics and cloud infrastructure). However, a significant part of this movement is driven by customer demand for high value-added services that most customers do not have the skill set to provide. For example, although many organisations have a unit devoted to analytics and business intelligence, this is a far cry from an industrialised machine learning and data analytics set-up, and realistically, most customers will not be able to create a solution of that kind in the near future. As such, outsourcing service providers are being called on to provide not only the requisite talent but also the architecture to facilitate these processes. 

A new development in line with this general trend is a shift towards contracting on customer experience, business outcomes and value creation. The aim here is to move away from contractual models where IT is managed mostly as a cost to be minimised. In that model, customers seek to progressively reduce IT service scope and service levels to whatever minimum an organisation can tolerate and pay as little as possible for that, whereas the service provider will aim to keep the scope of its contract steady or increase it while also consistently seeking ways to increase its margins, or at least avoid activities that might reduce them (such as effectively and permanently solving problems, discontinuing ineffective tools and services, etc). 

The alternative model to move towards is one where IT is managed as an investment opportunity that can drive business value. In this model, service providers are incentivised to collaborate closely with the customer to improve value creation in the business as a whole (eg, by improving the user experience of services and software to increase effectiveness, training users in ways to reduce time spent in common activities, suggesting alternative tools and processes that improve efficiency or enhance customer capabilities, and so forth). A key driver for enabling these improvements is experience measurement and management, which allows service providers and customers to measure performance that matters, and set activities, targets and incentives in line with this.

The political and legal environment in the Netherlands is expected to remain favourable

Generally, the Dutch government is pro-business. However, in the past few years labour conditions in the Netherlands have been carefully scrutinised and there is now clear political agreement that the Dutch labour market has become too flexible. Until now, these discussions have focused on temporary contracts, temp agencies and pseudo-independent contractors, and policies are being implemented to rebalance the labour market in these areas. As such, forthcoming legislation will not affect typical outsourcing arrangements. However, if a recession and a spate of additional outsourcing were to occur, outsourcing might also come under scrutiny, as the overall political opinion has shifted to a position that favours stronger worker protection. 

From the perspective of data protection, also very relevant to outsourcing, the Dutch government is highly pragmatic and, compared to other European countries, quite progressive in its embrace of the cloud, evident in the landmark agreement between the Dutch State and Microsoft in 2019, and the agreement with Google in 2022. This stance was also demonstrated by the risk-based assessment of data transfers, adopted by the Dutch Ministry of Justice and Security in the data protection impact assessment (DPIA) on Microsoft Teams. In February 2022, the Ministry published a DPIA on Microsoft Teams, OneDrive and SharePoint. As part of this DPIA, the Ministry also published a data transfer impact assessment (DTIA), based on the Rosenthal format for DTIAs. The outcome of the DTIA was, in summary, that it is extremely unlikely that personal data from Dutch government customers is unlawfully accessed by US authorities, or by authorities in other countries where Microsoft uses subprocessors. Therefore, the risk was assessed as low and the use of Teams could continue. In Austria and Germany, some decisions point in the direction of rejecting the risk-based approach, so it remains to be seen what the EDPB and the local supervisory authorities will say about it, if anything (soon). The recent cloud policy of the Dutch government states that most classified government data may be stored in the cloud, as long as certain requirements are met.

Expectations in respect of cybersecurity are increasing – EU regulation incoming

As cyber-attacks become more sophisticated, Dutch regulators have started signalling an increase in their expectations with respect to cybersecurity and incident response for outsourced services. Both the Dutch supervisory authority for financial markets, AFM, and the Dutch Central Bank, DNB, have issued press releases and guidelines urging regulated organisations to set their house in order. Pointing to the service provider is no longer likely to absolve a customer of responsibility if it has not at least laid the groundwork for acceptable cybersecurity measures and governance in both its contracts and in actual practice. 

This dovetails with forthcoming EU regulation on digital operational resilience for the financial sector ("DORA"). DORA imposes binding requirements with respect to governance mechanisms, security reviews and resilience testing, incident reporting, and the contract language employed with third parties, with the aim of ensuring that the client remains fully in control of, and accountable for, IT security and risk management. Another highly significant change for service providers is that DORA brings them under the direct supervision of the relevant European Supervisory Authorities. Supervisory authorities will be able to assess compliance, require changes to non-compliant practices, and penalise service providers for non-compliance. 

More generally, expectations of cybersecurity readiness are increasing, as awareness in broader society has grown. Service providers should note in this respect that where they provide a fully managed IT service, this will be understood to include adequate security under Dutch case law, if nothing specific has been agreed, and the requirements for "adequate" are ratcheting up. Customers, for their part, should realise that naïveté in these matters is becoming difficult to defend. 

Shift to the cloud continues unabated as GDPR concerns are slowly being addressed

The transition to cloud infrastructure is continuing unabated. Although the Schrems II ruling, which requires additional scrutiny when transferring personal data to most countries outside the EEA, is a cause for concern for many organisations, in practice there does not appear to have been any slowing down in the move towards the cloud. There has been an increase in requests to advise on the interpretation of Schrems II and also, increasingly, on the implications of data access laws with extraterritorial scope, such as the US CLOUD Act. In other words, data controllers are taking these matters seriously but not letting the complexity derail their plans.

As far as the GDPR goes, we expect most of the complications that were thrown up by Schrems II to be resolved within the next few years. Firstly, major cloud service providers are seen to be taking steps to (putatively) ensure GDPR compliance despite the Schrems II ruling. Furthermore, new instruments to ensure safe data transfers and processing have been put in place, such as the new Trans-Atlantic Data Privacy Framework (agreed in principle between the European Commission and United States on 25 March 2022), as well as new guidelines on certifications for data importers that assure their operations are GDPR compliant (these guidelines have just been issued for public consultation). Although the certification instrument will not fully address the questions created by Schrems II – in particular, the rule of law test will remain relevant and data controllers will still need to consider whether their data transfer has particulars that need addressing – it will at least provide a solid proof point on basic GDPR compliance. The Trans-Atlantic Data Privacy Framework for its part, if and when it is officially adopted, would resolve the Schrems II issue in respect of data transfers to the US, which for many clients would legitimise a significant part of their data exports.

A final trend worth discussing in this respect is the increase in the number of organisations attempting to ring-fence data as much as possible within the European Union, and the EU’s initiative to create an alternative to the US cloud infrastructure. Known as GAIA-X, the initiative was commenced to provide European organisations with a (standard for a) federated infrastructure to meet the desire for greater data sovereignty, and to be less dependent on the current offering (and terms) of hyperscalers. The GAIA-X initiative has, however, got off to a slow start, and continues to be sluggish in its progress, seemingly in part due to the large and varied stakeholder landscape. And, of course, it is not easy to catch up after 20 years. It should be noted that GAIA-X does not preclude hyperscalers from offering infrastructure as part of GAIA-X: in fact, most hyperscalers are members of GAIA-X. Hyperscalers will likely continue to play an important role in GAIA-X offerings, as they have a major head start in both infrastructure offerings and their security. It remains to be seen, however, whether the security of GAIA-X offerings can meet the level of security and related standards that hyperscalers offer today. This will especially be the case where hyperscalers only supply IaaS to GAIA-X providers, play no role in the software layer and do not have access to the data and trends relevant for monitoring global threats. The French initiative Bleu (under the cloud de confiance label), a joint venture between Capgemini and Orange, with Microsoft as a supplier of Azure technology but without any Microsoft involvement or access, is another example of this trend towards ring-fencing. 

Contrary to what is stated by some who would like to keep the data in the EU or to exclude US large tech, working with EU providers only to ring-fence against the US CLOUD Act, or other data access legislation with extraterritorial effects, is not a perfect solution. For instance, the Dutch National Cyber Security Center (NCSC) recently published an analysis of the CLOUD Act and stated in a cover note that European companies with data processing operations in Europe sometimes fall under the scope of the American CLOUD Act. A thorough risk analysis of the impact of data access is therefore required, as is the realisation that it is impossible to exclude extraterritorial influences completely. Therefore, according to the NCSC, “organisations and companies must always ask themselves against which extraterritorial legal regimes, and therefore countries, they will and can arm themselves and what that means in terms of supplier choice”. In other words, choose your friends and enemies wisely.

Summary

Overall, the market for outsourcing in the Netherlands looks to remain attractive for the foreseeable future. There appear to be no major upsets on the horizon and the predicted cooling down due to COVID-19 and the geopolitical moment does not appear to have materialised as yet.

Greenberg Traurig, LLP

Beethovenstraat 545
1083 HK Amsterdam
The Netherlands

+31 651 289 224

+31 20 301 7350

Herald.Jongen@gtlaw.com www.gtlaw.com