In recent years, the main trends and developments in the IT outsourcing market include the following:

• cloud computing, including outsourcing IT services such as software as a service (SaaS), platform as a service (PaaS) or infrastructure as a service (IaaS);
• internet of things (IoT);
• artificial intelligence (AI) and machine learning;
• tokenisation of assets through blockchain technology; and
• big data.

The emergence of new services/developments in the market has led to a flurry of new regulations and/or recommendations to govern this trend in a number of sectors, in particular the highly regulated sectors such as the finance industry. These market trends and developments in IT outsourcing, involving the worldwide sharing of an exponential amount of personal data, have also highlighted the importance of complying with the General Data Protection Regulation (GDPR) requirements.

COVID-19 had at least the benefit of accelerating and democratising the use of new outsourcing technologies, in particular within companies. The most revealing examples are the development of teleworking for employees and intra- and extra-company collaboration tools (eg, Teams, Zoom, Google Meet). Today, these trends are standard practice for a large number of employees in France.

The BPO market is a fast-growing industry that has become an integral part of the global economy, and France is no exception. 

In recent years, the trend of using business process outsourcing is motivated, in particular, by the following.

• Financial benefits: organisations that use BPO services are well aware that this practice enables cost savings and the reduction of the operating costs while benefiting from the expertise and infrastructure of an external service provider.

• Flexibility: BPO outsourcing can give organisations greater flexibility to adjust the way the management of the outsourced business is processed, facilitate a better adaptation with the market dynamics and gain greater agility and adaptability.
• Focus on key functions: organisations that use BPO services can delegate business functions that are not directly related to their core activities to another company. This allows such organisations to focus on their core business.
• Increased productivity: specialist service providers are experts in their fields, so they help to ensure the quality of the tasks to be carried out (such service providers generally benefit from best practices and cutting-edge technologies).

COVID-19 has encouraged the use of BPO services to ensure business continuity in crisis situations. Indeed, outsourcing was a security measure in a complicated health context where employees were confined and forced to telework.

However, it is important to note that the first major disadvantage of BPO is the loss of control, in particular related to the sharing of data for the provision of the services. Indeed, there is no direct control over the outsourcing of services provided and over the service providers. This can result in difficulties in controlling the quality and ensuring compliance with legal requirements (in particular, data protection laws and security requirements). It is therefore essential to ensure (through contractual provisions, regular audits) that the service providers have robust cybersecurity measures in place before committing to outsourced activities. 

The impact of new technology on the outsourcing market is as follows.

• Chatbots: ChatGPT has had a meteoric rise, with more than 100 million users by the start of 2023. This tool has already marked a turning point in the digital transformation of numerous sectors including the legal business.
• AI/machine learning: in France, many start-ups are betting on their AI or machine learning AI systems to stand out in many fields, including legaltech, fintech and greentech.
• Fintechs: France has seen the emergence of a number of successful fintechs in a wide range of business such as fundraising apps, insurance apps, mobile payment apps, neobank apps and crowdfunding apps. These fintechs compete directly with traditional banks and insurance companies.

Such new technologies are accompanied by increasingly demanding safety requirements, which means that the market has to adapt, from both a technical and legal point of view, in order to comply with the new legal safety requirements and consumer demands in terms of security and transparency.

The most commonly outsourced services in France are:

• outsourced IT services;
• data hosting;
• HR management; and
• finance (accounting/billing).

Under French Law, there is no general law which governs technology transactions or outsourcing. 

However, the rise of IT outsourcing has resulted in the adoption of various legal frameworks (at a local and EU level) in order to govern IT outsourcing or technology transactions in specific sectors or for specific categories of services.

The main developments of the last few years are from the following legal/administrative frameworks.

Main Legal Applicable Frameworks

• The Digital Service Act (DSA) governing intermediary services and online platforms is progressively replacing the Digital Economy Act No 2004-575 of 21 June 2004 (which transposed the EU Directive on electronic commerce into French law).
• Act No 2018-133 of 26 February 2018, containing various provisions adapting French law to EU law in line with the secure implementation of the NIS1 Directive, provides cybersecurity obligations (in particular, the notification obligation to relevant regulators in the case of an IT incident) for specific actors (ie, essential service operators and digital service providers).
• The French Data Protection Act No 78-17, as amended by Act No 2018-493 of 20 June 2018 and Ordinance No 2018-1125 of 12 December 2018 (FDPA), implementing the GPDR to govern the data protection issues resulting from, notably, the technology transactions or outsourcing (eg, drafting of a data processing agreement, implementation of standard contractual clauses for on-board data processing).

Additionally, because the issue of personal and non-personal data has taken on paramount importance in recent years, particularly with the rise of digital technology (including outsourcing and cloud), the EU has decided to put in place a legal framework to make the most of its economic potential, in particular:

• the Data Governance Act (DGA), which governs the sharing of personal and non-personal data by setting up intermediation structures; and
• the Data Act governing, in particular, the protection and the sharing of IoT data (personal and non-personal) between the companies and the users and facilitating data portability and interoperability of services between cloud providers (in connection with the Data Act, the French Competition Authority issued its opinion on competition in the cloud sector).

Main Legal Framework To Come

• The Digital Operational Resilience Act (DORA), which governs the operational resilience for the financial sector, provided cybersecurity obligations for the financial institutions related in particular with the outsourcing to third-party providers of information and communication technology (ICT) services.
• The NIS2 Directive, which extends the scope of the NIS1 Directive and provides measures for a high common level of cybersecurity across the EU, was published in the Official Journal of the European Union in December 2022 and is currently being transposed into French law.
• EU Cyber Resilience Act (CRA) will aim to improve the cybersecurity of products containing digital components, particularly for the IoT.

Main Administrative Framework

• The National Cybersecurity Agency for France (ANSSI) published an updated version of its certification framework for cloud service providers (SecNumCloud).
• The European Banking Authority (EBA) adopted guidelines on outsourcing for the banking industry, which have been approved by the French Bank and Insurance Authority (ACPR).

The banking sector is particularly regulated with regard to technology transactions and outsourcing.

When a banking institution outsources services considered as "essential" or “significant”, it is subject to a certain number of obligations laid down by the EBA’s Guidelines on outsourcing. Some of the obligations shall be provided in the contract the banking institution entered into with its IT provider (eg, specific provisions related to security, reversibility, audit, termination, sub-processing). 

The recent DORA Regulation, which came into force on 16 January 2023 and will take effect on 17 January 2025, provides requirements for financial institutions which apply, among other things, to the management of risks associated with third-party providers, in particular the management of outsourcing risks. Moreover, the DORA Regulation also lists the minimum contractual provisions to be included in outsourcing contracts, and this list is further extended by additional clauses where significant ICT services are outsourced. DORA will become the main digital security regulation for the financial sector. 

The health sector is also regulated. As set out in Article L.1111-8 of the French Public Health Code: “Any natural or legal person who hosts personal health data collected during prevention, diagnosis, care or medico-social monitoring activities on behalf of natural or legal persons at the origin of the production or collection of this data or on behalf of the patients themselves, must be approved or certified for this purpose”. Thus, health data hosts (HDS) have been required to obtain HDS certification. The HDS certification aims to guarantee the quality of service of healthcare hosting providers.

The FDPA provides restrictions for technology transactions and outsourcing related to data processing and data security.

• The data processing, to be lawful, shall respect the main principals of the GDPR such as purpose limitation, lawfulness, fairness and transparency, data minimisation, accuracy, storage limitation, integrity and confidentiality.
• The data processing shall ensure appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. Such security measures shall be particularly detailed in the agreement with data processors (eg, IT or cloud providers).
• In the case of personal data breach (ie, breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed), the French Data Supervisory Authority (the CNIL) shall be notified without undue delay and not later than 72 hours of the breach.
• In the case of use of a data processor (eg, IT or cloud providers), a contractual framework (listing all the requirements provided by Article 28 of the GDPR) shall be put in place between the provider and the client.
• In the case of data transfers to a third-party based outside the EEA, the use of Standard Contractual Clauses (SCCs) can be used. However, since the Schrems II ruling, the use of SCCs is not enough to ensure secure data transfers. A transfer impact assessment (TIA) shall be performed in order to ensure that the legislation applicable to the data importer (in particular on interference by public authorities in access to personal data) allows the level of protection required by EU law and the guarantees provided by the SCCs to be respected.
• On 10 July 2023, the European Commission adopted a new adequacy decision concerning the USA. Personal data can therefore be transferred freely to the USA, but only to companies on the list published by the US Department of Commerce. Thus, the data transfers to the USA performed by a company which is not on the list are still subject to SCCs provided such transfers have been subject to a positive TIA.

There is no standard contract model for outsourcing transactions in France. 

Most of the time, the outsourcing agreement takes the form of a master service agreement which can, if relevant, be completed by application agreements. Specific appendices can also be joined to the outsourcing agreement such as related to the service levels, the financial modalities, the schedules, the security measures, etc.

The joint venture (JV) contract or multi-sourcing contract may be used in France, but the bilateral outsourcing contract is the most common structure. 

The digital transformation affected, to a certain extent, the following contract models for outsourcing transactions:

• the GDPR requires the contractual provision of certain mandatory information in the case of data processing by data processors (eg, IT or cloud providers) or in the case of on-board data processing (implementation of SCCs);
• the EBA Guidelines on outsourcing require the contractual provision of certain mandatory information in the case of outsourcing of “essential” services (for the banking sector);
• the increase in the sharing and flow of data (both personal and non-personal) means that contractual obligations relating to security, portability, interoperability and reversibility need to be strengthened ‒ this is reflected in the addition of a number of technical appendices; and
• the liability clause increasingly provides a framework for contractual failures relating to security breaches, security incidents, data leaks, breaches of data protection requirements, etc.

There is a trend towards contractual guarantees for security measures in IT and cloud contracts, which is justified both by the ever-increasing cybersecurity risks and by increasingly strict legislation on IT suppliers and certain sectors (eg, financial).

As a preliminary basis, IT or outsourcing agreements are ordinary contracts subject to the general and common rules of contract and civil law. There are no specific legal rules related to such agreements. The specific features found in these contracts relate to contractual freedom and business practices.

The main customer protections and remedies in technology transactions and outsourcing are:

• technical appendix including service level agreement (SLA), business continuity plans, disaster recovery plan, reversibility plan, safety insurance plan and quality assurance plan;
• calendar with binding dates;
• payment of financial compensation (“penalties”) in the event of non-compliance with the SLA and timeframes;
• imposing an obligation of results (obligation de résultat) on the service provider instead of an obligation of means (obligation de moyens); 
• possibility to audit the service provider; 
• GDPR requirements provided by Article 28 in the case of use of a data processor;
• acceptance testing (provisional and final acceptance);
• strong contractual warranties (on the security and the outsource service provided);
• significant compensation in the case of breach of substantial contractual obligation (eg, breach of data protection laws, security incidents);
• protective termination clause (involving reversibility and the right to terminate for cause and for convenience for the customer);
• duty of advice, of warning and of collaboration of the service provider to the customer (because of the technical aspect of the IT agreements); and
• intellectual property clause ensuring the peaceful enjoyment of the use of the provided outsourced service and the defence against counterfeiting.

The modalities of the contract termination are widely managed contractually. Most of the time, the contract may be terminated for the following reasons:

• for cause (material contractual breach of a party, eg, security incidents, repetitive breaches of the SLA and the calendar);
• for convenience (an exit fee can be negotiated) at any time (i) by mutual consent of both parties or (ii) unilaterally by one party (if the other party expressly agrees to such possibility in the agreement);
• in the case of force majeure;
• in the case of a fixed-term contract upon the expiry of the contract.

Usually, before terminating the contract, the customer is subject to prior formal notice, with a period of notice (contractually fixed and which must not be derisory) to correct any such breach.

The consequences of the termination are also managed contractually. Specifically, in an outsourcing contract, the “reversibility” modalities of the data may be an issue which must be negotiated with caution by the customer.

Distinction Between Direct Loss and Indirect Loss

According to the French Civil Code, the loss shall be “direct” (in addition to being certain and legitimate) to be eligible for compensation (Article 1240). 

In accordance with this Article, the French doctrine makes a distinction between direct loss (the damage must be the direct result of the breach) and indirect loss (the damage is not the direct result of the breach). 

Legal/Market Practice Regarding Loss of Profit, Goodwill, Business, Etc

In practice, most outsourcing contracts contain a clause excluding compensation for indirect loss (such indirect loss are usually listed in the contract): eg, loss of customers, image and reputation loss, operating loss, commercial loss, loss of earnings, business loss and profit loss. Such list is often negotiated between the parties. The provider will try to have the broadest definition possible and try to include loss of data as well as breach of data protection law included in the exclusion scope.

Categories of Losses  Not Subject To Limitation of Liability

• Personal injury: it is impossible to contractually limit or exonerate the liability in the event of bodily injury caused to one's co-contractor or a third party.
• Voluntary non-performance of the contractual obligation (intentional misconduct) or gross misconduct make null and void the clause limiting liability (Article 1231-3 of the Civil Code).
• Moreover, under French law, the exemption from liability must not affect an essential obligation of the contract. Article 1170 of the Civil Code provides that "any clause which deprives the debtor's essential obligation of its substance shall be deemed unwritten".

There is no applicable information in this jurisdiction. The expression “implied term” seems to be specific to common law.

The most common cybersecurity protections and security measures required by customers in technology transactions or outsourcing are the following.

• The provision of a data processing addendum or agreement (DPA) in the contract where the service providers act as a data processor. The DPA lists all the mandatory obligations provided by Article 28 of the GDPR that the service providers shall meet. In particular, such provisions concern the obligations to implement appropriate security measures to protect personal data.
• The contractual provision of certain mandatory information in the case of outsourcing of “essential” services by a bank institution as required by the EBA Guidelines on outsourcing (mostly related to security and audit). The respect of the EBA Guidelines is, in particular, reflected in the contractual commitment and implementation by the supplier of internal security procedures such as business continuity plans, disaster recovery plan, reversibility plan, safety insurance plan and quality assurance plan.

On the technical side, most French clients also aim to host their data with providers offering hosting services based within the EEA. 

The most common contractual clauses that help the customer manage and measure the supplier’s performance in technology transactions and outsourcing are the following.

• The SLA: the criteria of the performance of the service levels are assessed and measured. In the case of a breach of the key performance indicators (KPIs) by the provider, usually, the client negotiates the payment of “penalties” by the provider (which the service provider will try to limit or cap). The goal is to force/encourage the supplier to provide its services in compliance with the KPIs (timeframe, quality indicators, service levels indicators: availability, responsiveness, etc) which have been negotiated and validated by both parties.
• The audit clause: auditing is an extremely important task when it comes to controlling the provider’s IT system and adhering to its contractual obligations and performance. Such a clause ensures transparency between the parties bound by the IT contract, notably in the event of important/confidential/sensitive information being transferred to the provider.

Generally speaking, the terms do not differ significantly and remain more or less the same. In the case of cloud-based outsourcing, particular attention will be paid to:

• the safety of the transfer and the location of the data centre;
• the reversibility provisions; and
• security provisions.

In this very specific situation, the application of the requirements of the GDPR must be ensured, particularly in terms of security, transparency and use of appropriate safeguards (SCCs). 

Article L. 1124-1 of the French Labour Code stipulates that "when there is a change in the legal situation of the employer, in particular by succession, sale, merger, transformation of the business and incorporation of the company, all employment contracts in force on the date of the change continue to exist between the new employer and the company’s employees". 

In accordance with well-established case law, Article L. 1224-1 of the Labour Code applies if the following two conditions are both met: 

• the activity transferred must constitute an autonomous economic entity, ie, an organised group of tangible and intangible assets allocated to the exercise of an economic activity with its own economic purpose (which may be characterised in particular by autonomous accounting, its own means of operating resources dedicated to the activity in question, or management autonomy); and 
• the business must be continued by the transferee and its identity maintained by the transferee.

The business must comprise several elements necessary for the operation of its activity, ie: 

• tangible assets (in particular equipment, tools and goods) and/or intangible assets (customer base, patents, licences, industrial designs and models, industrial, literary or artistic property rights, etc); and
• personnel specific to the business transferred, ie, dedicated to that business. 

The legal definition of a transfer of business activity determines the application of Article L. 1224-1 of the French Labour Code. Thus, if the transfer is legally a sale of a business or a partial transfer of assets, it is generally accepted that Article L. 1224-1 applies. 

Subject to compliance with these conditions, in the event of the transfer of an activity in accordance with Article L. 1224-1 of the Labour Code, the employment contracts of the employees dedicated to the activity are automatically transferred. The consent of the employees is then not required, and each employee retains, after the automatic transfer of their employment contract, all the applicable contractual provisions (eg, remuneration, seniority, place of work and working hours).

This applies to all employees holding an employment contract at the time of the legal transfer, whether the contract is open-ended or fixed-term, part-time or full-time, even if the employment contract is suspended at the time of the transfer. 

Persons whose employment contracts are suspended on the date of the transfer (in particular for maternity leave, parental leave and unpaid leave) will have their employment contracts transferred under the same conditions and on the same date as other employees.

When the company hires more than 50 employees, the works council must be implemented with complete attributions or needs to be adapted with more extensive tasks. Indeed, the works council oversees the employees’ collective expression on projects of the company related to economic and financial development, working conditions of the employees, job training and production techniques. The works council is also consulted on subjects regarding the organisation and the general running of the business and redundancies, keeping in mind that the works council’s opinions are never binding on the company. Thus, the outsourcing of certain activities, services of the business or related to the employees may be subject to the works council’s consultation.

In the last few months, French companies have been keen to relocate their IT providers in France or within the EU due to: (i) the adoption of the US Cloud Act enacted on 23 March 2018; and (ii) the adoption of the FDPA and the GDPR, which provide a strict framework for international transfers of personal data outside EU countries. Such transfers are only possible if the recipient country ensures an adequate and sufficient level of protection. If this is not the case, appropriate safeguards, such as SCCs shall be implemented, and a TIA shall be performed. 

These legal constraints do not favour the customer to opt for offshore resources in outsourcing transactions, especially if they concern clients’ or employees’ personal data (which can include sensitive data, eg, NIR number, health data). 

Moreover, despite a certain financial benefit, the use of offshore outsourcing may lead to other difficulties and complexities beyond the legal aspect, such as, the language and cultural differences, different working habits, as well as the time difference, which can be particularly inconvenient in an emergency. Onshore and nearshore outsourcing are often seen by French companies as a means of allowing the overcoming of these difficulties and complexities.

Under French legal rules, teleworking can be implemented either by a company-wide agreement, by a charter or by a mutual agreement with the employer. 

In any case, it is recommended to sign an addendum to the employment contract defining the contours of teleworking (number of days, reversibility, teleworking rights, insurance, etc). In the case of litigation, it is always better to have a written agreement specifying the teleworking conditions.

From a French perspective, the obligations raised by remote working are as follows.

• The employee must ensure that their accommodation is suitable for teleworking (provide insurance to the employer in this regard) and meet their usual contractual obligations (working hours, availability, workload, etc).
• The  employer must ensure compliance with working time rules and employee workload monitoring. In addition, teleworkers must enjoy the same rights as if they were working on-site (ie, lunch vouchers). 

The main fear for clients is the workload of employees who telework. On the one hand, certain employers fear that the employee will not work enough hours, whereas others fear that employees will work too many hours and will not alert the employer of any difficulties they are encountering. Consequently, it is important to find the balance between both situations. Moreover, clients want  employees to continue to be mobile and able to do professional travel when necessary, regardless of the teleworking situation. 

Clients generally seek legal advice on how to implement teleworking, while ensuring that the situation can be reversed if the employee does not perform their duties properly or does not want to continue teleworking. Clients also consult lawyers about the compensation due to an employee who teleworks (compensation for the use of the home, reimbursement of professional expenses), which is normally compulsory and governed by specific French rules.

One difficulty can be raised when the employee does not want to perform their duties remotely or from home whereas the company (ie, a foreign company) does not have an office in France. In such a case, it is important to have a discussion with the employee to find the most appropriate solution to ensure them the best working conditions and environment. 

It is important to underline that the development of remote working has brought new litigations. 

Many employees who were able to telework during the COVID-19 pandemic have decided to move away from their place of work. However, when they were asked to return to their place of work, they refused, claiming that teleworking was a right they were entitled to. However, under French law, telecommuting is not a right and remains subject to employer approval.