In the realm of IT sourcing, significant market trends and developments have fundamentally transformed the industry. Foremost among these trends is the integration of cutting-edge technologies such as AI, machine learning and robotic process automation (RPA), which have evolved into indispensable components of IT outsourcing practices. These technologies have played a pivotal role in ushering in greater levels of automation, operational efficiency, and cost-effectiveness across various IT functions.
The emergence and persistence of the COVID-19 pandemic have brought about a profound and lasting impact on IT outsourcing. What initially began as a response to the pandemic’s disruptions has now become ingrained in the fabric of IT outsourcing strategies. Remote work arrangements – necessitated by lockdowns and social distancing measures – have become the new norm. Consequently, this shift has prompted organisations to prioritise and fortify their cybersecurity measures to protect sensitive data and ensure uninterrupted service delivery in a decentralised working environment.
Furthermore, the pandemic has acted as a catalyst for the widespread adoption of cloud computing and software as a service (SaaS) solutions within IT outsourcing operations. These technologies have facilitated seamless remote access to IT resources, empowering organisations to scale their operations efficiently while reducing reliance on physical infrastructure.
During the past few years companies have tended to outsource selected process-related IT functionalities to IT companies for cost-saving purposes, especially following the economic downturn due to COVID-19. The cost savings mostly relate to hiring dedicated functional specialists.
In the BPO industry, key market trends and developments are reshaping the landscape. One significant trend is the widespread adoption of remote work models, especially with many BPO employees working from home. This shift has proven successful and cost-effective for businesses and is likely to continue in the long term.
BPO outsourcing has notably impacted industries with administrative processes, such as the legal sector. BPO services have allowed law firms to delegate time-consuming tasks, freeing up legal professionals for more strategic work such as complex case analysis and client consultations. This shift enhances overall efficiency, increases firms’ capacity, and offers flexibility in operations, while also enabling cost savings and competitive pricing.
The economic downturn following COVID-19 provided opportunities for IT companies to develop standardised business processes, which can be tailored to suit different clients. These include:
Such standard solutions are affordable and readily available, especially for SMEs. Further standardised and widely used solutions for specific business processes are generally easy to dovetail with financial and accounting systems.
The impact of new technology on the market is profound and diverse. Emerging technologies such as AI, machine learning, and chatbots have streamlined operations and improved customer experiences by providing personalised support and automation. In fields such as law, AI and machine learning tools have become essential, aiding lawyers in tasks such as legal research, document review, and contract analysis.
The rush to use AI tools is currently generating relatively higher demand in the sales, marketing and advertising sector. Consumer analysis and tracking will provide insights into preferences and emerging trends. Media monitoring tools will also see some drastic development. However, the issues of privacy will raise new legal questions and hasten developments in the legislation.
Additionally, blockchain technologies (such as cryptocurrencies, non-fungible tokens, and smart contracts) have disrupted the legal sector, giving rise to specialised blockchain lawyers. These technologies have transformed contract management, identity verification, asset security, and IP handling. However, they also bring regulatory and compliance challenges, necessitating specialised legal expertise.
In Pakistan, outsourcing primarily centres on three key domains.
The legal and regulatory framework for technology transactions and outsourcing in Pakistan is currently evolving, particularly in the areas of data protection and cybersecurity. The Prevention of Electronic Crimes Act 2016 (PECA) provides some provisions for compliance. A significant development is the pending passage of the Personal Data Protection Bill 2023 (the “PDP Bill”), which is still in draft form but will establish comprehensive data protection and privacy laws in Pakistan. While it will introduce additional compliance requirements for fintech and outsourcing firms, it is a crucial step in safeguarding consumer interests.
Financial institutions follow State Bank of Pakistan (SBP) guidelines for material outsourcing, restricted activities, and requirements for outsourcing. The SBP has also published a framework for risk management in outsourcing arrangements by financial institutions through the Banking Policy and Regulations Department (BPRD) Circular No 06 of 2019 in this regard. One of the examples is restrictions on cloud computing and outsourcing of electronic accounting by the financial institutions.
Navigating Pakistan’s regulatory landscape presents unique considerations for fintech companies entering the market. The regulatory framework, defined primarily by the Electronic Fund Transfer Act (the “EFT Act”) and the Non-Banking Financial Company (NBFC) Regulations of 2008, includes licensing and minimum equity requirements. While these requirements can be challenging for some fintech firms, it is important to note that a few international players have adjusted their strategies accordingly.
The process of obtaining licences from the SBP or the Securities and Exchange Commission of Pakistan (SECP) typically spans several months to years and may involve substantial capital equity requirements. Consequently, some international fintech firms (eg, Checkout.com) have made strategic adaptations in light of these timelines.
These extended waiting periods come with explicit and implicit costs, including businesses operating without revenue for extended periods and the need to meet rigorous regulatory standards, including the recruitment of specialised personnel. Currently, four fintechs hold Electronic Money Institution (EMI) licenses from the SBP, which suggests that there is potential for improvements in Pakistan’s financial licensing framework to support fintech sector growth.
The General Data Protection Regulation (GDPR), implemented in the EU in May 2018, has had a profound impact on data processing, security, and cross-border data flows in technology transactions and outsourcing. It applies globally to entities handling personal data of EU residents and sets rigorous standards for data protection.
Key aspects of the GDPR encompass consent requirements, individual rights, stringent data security measures, mandatory breach notifications, and regulations governing cross-border data transfers. Organisations are mandated to demonstrate accountability, appoint data protection officers (DPOs) when necessary, and may face substantial fines for non-compliance.
Recent developments within the GDPR landscape include proposals aimed at streamlining co-operation among data protection authorities (DPAs) in cross-border cases. These efforts seek to clarify complaint procedures, extend rights to parties under investigation, and improve overall collaboration among DPAs. These changes are geared toward enhancing the GDPR’s enforcement mechanisms, ultimately leading to swifter case resolution, bolstering protection for individuals, and increased legal certainty for businesses. However, organisations involved in technology transactions and outsourcing must remain vigilant in keeping up with evolving data protection regulations to ensure compliance when handling consumers’ personal data.
The companies operating in Pakistan as affiliates of multinational corporations (MNCs) or as suppliers to MNCs have started to comply with GDPR and data privacy requirements, as part of their compliant operations.
In Pakistan, specific standard contract models for outsourcing transactions are not formally mandated. Instead, various contract types are commonly used to tailor agreements to project needs and client preferences. The following three primary approaches are prevalent.
In Pakistan, when standard contract models prove to be less suitable, businesses have explored alternative approaches. Two notable alternative models include joint ventures and multi-sourcing arrangements.
In some outsourcing partnerships within Pakistan, joint ventures are formed. Here, two or more organisations collaborate to establish a separate entity for a specific project or initiative. This model enables shared ownership, control, risks, and rewards. Joint ventures are often chosen when the outsourcing project demands close integration and collaboration between the client and the outsourcing service provider. This approach is particularly beneficial when both parties bring unique expertise to the project and aim to leverage their combined capabilities.
Multi-sourcing is a strategy in which a client organisation divides its outsourcing needs among multiple service providers rather than relying on a single vendor. In Pakistan, certain businesses outsourcing various processes have adopted multi-sourcing to diversify their access to specialised expertise and ensure that each process is entrusted to firms with high proficiency in that area. This approach proves valuable, especially when an organisation’s outsourcing requirements are complex and diverse.
Digital transformation has significantly reshaped outsourcing contract models, particularly in Pakistan. In this respect, the Ministry of Information Technology and Telecommunications (MOITT) introduced the Pakistan Cloud First Policy (the “Cloud Policy”) on 18 February 2022 to promote cloud adoption and guide cloud policy regulation in Pakistan. The Cloud Policy outlines minimum contract requirements, including adherence to due diligence processes, service descriptions, contract duration, data handling rules, customer data retrieval rights, and limitations on cloud service providers’ liability. This highlights the fact that the Cloud Policy serves as an essential guide for regulated sectors and private organisations undergoing digital transformation.
Another significant transformation is the growing adoption of SaaS solutions, enabling effective monitoring of remote workforce engaged in outsourced processes. This shift necessitates a more meticulous approach to crafting service-level agreements (SLAs), which are a critical element of any outsourcing contract.
As per the existing applicable law of Pakistan, there is no provision in law that provides for protections specific to technology and outsourcing. The provisions of the Contract Act 1872 and the protections provided therein are applicable to technology and outsourcing transactions/contracts.
Remedies are available to customers under Chapter VI of the Contract Act 1872, which states that a party who suffers a breach of contract shall be entitled to receive compensation for any loss or damage. Under Sections 74 and 75, the party can rightfully rescind the contract and be entitled to the compensation for which the penalty laid down in the contract will be stipulated on the breaching party.
However, scenarios where data breaches or unauthorised collection and use of data may occur, the laws on electronic transactions, consumer protection and defamation will come into play. These laws have been enacted and reformed during the past two decades.
In addition to this, Pakistan’s consumer protection laws (each province has its own enactment) provide for protections and mechanisms to safeguard customers from deceptive/unfair practices, misleading advertisement and defective services. The aforementioned laws also provide for penalties, in the form of fines and sanctions, to be imposed on service providers for violation of consumer protection laws and regulations. The Consumer Rights Commission of Pakistan (CRCP) has its own complaint and resolution mechanism.
Pakistan has no specific law that regulates the minimum or maximum notice period that needs to be served for terminating a contract for the supply of technology-related services. As with other operational decisions, the parties to the contract are free to negotiate the termination of the contract and stipulate any notice period as they deem reasonable, keeping in mind the sensitivity of the contract. The notice period depends on the circumstances and service(s) being provided. More often than not, the notice period and termination – as well as the resulting effects – differ for with and without cause termination.
A party can terminate a contract without giving rise to a claim for damages by the other party in the following circumstances:
The relevant contract between the parties usually provides for resolving of issues upon termination. Termination of a contract usually results in the parties fulfilling their respective obligations and handing over the remaining ones. If the termination has been caused by a party’s breach of contract (ie, termination for cause), then the breaching party is subject to penalties as provided in the contract. Furthermore, Section 75 of the Contract Act 1872 allows for compensation to be granted to a party rightfully rescinding a contract owing to non-fulfilment of the other party.
Depending on the nature of the contract, the parties are free to include and exclude additional termination rights. Parties may agree on additional termination rights – for example, a non-breaching party being entitled to liquidated damages, subject to positive evidence demonstrating that actual loss was suffered by the party claiming the damages (Saudi Pak Industrial & Agricultural Investment Company (Pvt) Ltd v Allied Bank of Pakistan 2003 PLD 215 SC) in addition to requisite payments otherwise due under the contract.
Distinction Between Direct and Indirect Loss
According to Section 73 of the Contract Act 1872, the non-breaching party is entitled to receive compensation from the breaching party for any loss or damage caused. While the Contract Act 1872 or any other enactment does not specifically provide definitions of “direct loss” and “indirect loss”, Section 73 does state that “loss or damage caused to [the non-breaching party] thereby, which naturally arose in the usual course of things from such breach, or which the parties knew – when they made the contract – to be likely to result from the breach of it”. Section 73 goes on to state that a party will not be entitled to remote or indirect loss arising from the breach.
There is no yardstick or definite principle for assessing damages. However, the courts of Pakistan over the course of many years and various judgments have determined what constitutes direct and indirect loss. One distinction that has been highlighted by the Pakistani courts is the difference between “general” and “special” losses. In cases such as Abdul Majeed Khan v Tawseen Abdul Haleem (2012 PLC (CS) 571) and Habib Bank Limited v Mehmoob Rabbani (2023 SCMR 1189), it has been established that:
By virtue of the aforementioned definitions, applicable law and standard practice, general and special damages are recoverable in contract and at law. However special damages need to be specially pleaded and the onus is on the aggrieved person to prove each item of the loss.
Loss of Profit, Goodwill and Business
In Pakistan, the recoverability of damages such as loss of profit, goodwill and business can depend on the specific terms of the contract and the circumstances of the case. Loss of profit may be recoverable if it is a direct and foreseeable consequence of the breach and can be proven with reasonable certainty. Goodwill and business losses can also be recoverable if they result directly from the breach and were foreseeable when the contract was made.
Market practice in Pakistan often involves parties negotiating specific clauses in contracts that address the recoverability of these types of losses. It is common to include limitations of liability clauses that specify the types of losses that are recoverable and those that are excluded.
Categories of Losses Not Subject to Limitation of Liability
Parties to a contract cannot usually limit liability for losses arising from fraudulent representation, personal injury or death, statutory violations, gross negligence or wilful misconduct, infringement of IP, breach of confidential information, and defamation.
The legal system in Pakistan is based on common law. Therefore, implied terms such as reasonableness, equity, implied conditions and warranties have developed over time in precedent law. The development of implied terms in other significant common law jurisdictions influences the Pakistan legal system.
The MOITT proposed the Personal Data Protection Bill 2023 to protect personal data of the natural person to whom the data relates (“data subject(s)”) from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration, or destruction. The bill focuses on transparency, accountability, and individual rights by implementing regulations for data controllers managing personal data. Through the establishment of the commission and provisions on data collection, consent, disclosure and processing, this legislation not only addresses the growing challenges of personal data privacy in the digital era but also grants data subjects greater control over their personal data.
Apart from the 2023 bill on data protection, the current legislation in force is the Prevention of Electronic Crimes Act 2016 (PECA), which governs all matters related to data protection, cybersecurity and information systems, especially in regards to matters such as unauthorised access to data, electronic forgery, and unauthorised use of confidential information. The Federal Investigation Agency (FIA) has been designated as the investigating agency under the PECA and the FIA’s cybercrime wing is the forum for complaints from citizens in the event that their data has been accessed or transmitted without authorisation in violation of the PECA.
It has now become standard practice in Pakistan to incorporate contractual clauses for protection of confidential and personal information.
Service-level agreements are essential in technology and outsourcing transactions. These agreements often include clauses that clearly stipulate the performance benchmarks, response times, availability and other key metrics that the supplier is expected to meet.
Service credit clauses are often included in SLAs to establish consequences for failing to meet the SLA targets. If the supplier fails to meet the targets, the customer is often entitled to service credits, which can result in financial penalties or credits against future services.
Other clauses which are commonly found and have become standard practice are:
With the MOITT focusing increasingly on digital transformation and cloud-based solutions and services, there has been increased focus on information security. As mentioned in 3.3 Digital Transformation, the Cloud Policy proposed by the MOITT states and proposes minimum requirements for “cloud contracts”, including:
Employee transfers in the context of outsourcing in Pakistan are governed by labour laws, policy directives, contractual rights and obligations under employment contracts, secondment contracts and employee transfer contracts, as well as by contractual agreements between the parties involved. For employee transfers, parties opt to enter into:
With an employment contract, companies usually stipulate the governing law and the employer must provide for benefits and salaries as per that jurisdiction. On the other hand, with an independent contractual agreement, companies can still procure the services but are not obliged to pay the required legal benefits and allowances.
Apart from when it comes to previously established labour and employment matters in Pakistan, trade unions and workers councils are not quick to act and provide for specific remote and outsourcing contract models. Further, IT departments generally employ staff from the managerial cadre – meaning that IT employees will only occasionally be in the labour cadre.
The Government of Pakistan included the IT and telecommunication sector in its Economic Survey 2022–23 and cited that Kearney’s Global Services Location Index (2021) has ranked Pakistan as the second most financially attractive location in the world for offshore outsourcing of IT and Information Technology-enabled Services (ITeS). Similarly, the International Labor Organization (ILO) has ranked Pakistan as the second largest supplier of digital labour services.
In the July–March Financial Year 2023, Pakistan IT and ITeS sector had the largest trade surplus among all services. More than half of these services are exported to more than 170 countries and territories.
Nearshore outsourcing, which involves outsourcing to neighbouring countries or regions with closer geographical proximity, has not been prevalent in Pakistan’s outsourcing landscape. This is because Pakistan’s immediate neighbours, such as India, are in themselves developed hubs for outsourcing services.
Onshore outsourcing, where services are sourced within the client’s own country, is often chosen when clients prioritise proximity and ease of communication. Given the increasing international and national economic tensions, companies in Pakistan rarely seek to outsource their services outside Pakistan, as such services from abroad come at a higher cost compared with local labour.
Although there has been an increased flow of individuals working remotely or adopting a hybrid model of working from home and in the office, no specific legal or regulatory compliance requirements have been passed in Pakistan. The MOITT has passed its initial draft of the National Freelancing Facilitation Policy 2023, which has proposed that Pakistan Software Export Board develops legislation in collaboration with the SBP concerning banking, foreign exchange, online marketplace and cross-border payment platform matters. The policy further proposes that freelancers and remote workers should be included in IP policies in consultation with all associated stakeholders.
Companies and regulated entities in Pakistan – for example, the Pakistan Telecommunication Authority (PTA) – have readily adopted remote working policies in order to better facilitate employees working from home.