Peter G Leonard of Gilbert + Tobin Lawyers looks at significant developments in technology contract law around the globe.
"Lawyers are risk evaluators and managers. Many lawyers are now required to take a lead in designing and implementing an integrated risk management approach when considering technology contracting."
Technology and telecommunications contracting is undergoing radical change. These changes are requiring technology lawyers to develop new skills. They are also fundamentally reshaping legal practice.
The first change is now well recognised: it is the shift of data to external data warehouses and of software applications to the cloud. This shift is driven by many factors that include: factorial growth in data collection and storage; concerns as to information security; decline in cost of data transport; demands for operating budget efficiencies in most businesses and in government; mainstreaming of storage, pipes, data aggregation and core technologies in most businesses; commoditisation of many application platforms and user interfaces; and, of course, globalisation. Data warehousing and cloud services are often associated with vendor-written “take it as it is” contractual terms that afford little customer protection. Additionally, many corporations allocate a limited legal budget to negotiate more balanced terms. As a result, vendor terms are often accepted with relatively light-touch amendments.
However, this is also changing. External data warehouses and cloud services are increasingly used for provision of significant business-critical services by large corporations that are subject to prudential regulation, and by government. Vendor terms are now sometimes extensively negotiated and supplemented by service levels, transparency-related provisions and sophisticated disengagement mechanisms. Competition between service providers – including competition that is stage-managed by customers through tender processes – is leading to providers being compelled to differentiate their offerings in various ways, including negotiated service level commitments and flexibility in negotiation of contract terms. Often prudential regulators of customers require a level of transparency as to cloud deployment, data management, operation of shared data centres and service level guarantees that leaves regulated customers with no alternative but to require all prospective providers to commit to particular contract terms. The cloud is maturing and first-tier vendors are now more accommodating of individual customer requirements for larger, committed term deployments.
The second change is inexorable regionalisation and globalisation. This is bringing new complexity in contracting and in regulatory compliance. The contract and regulatory issues associated with cloud deployments have been well ventilated. In sharp contrast to the many papers and analyses about cloud contracting, other issues of globalisation have received remarkably little attention. But although the trend towards common global contractual terms continues, underlying regulatory requirements and contract law in national jurisdictions demonstrate remarkable diversity. In some areas, including privacy and data protection, consumer protection, surveillance, gaming, payments and financial services regulation and health services, divergence of laws and regulation is more common than convergence. For example, privacy laws recently enacted in a number of jurisdictions in the Asia-Pacific region differ markedly in nexus provisions, scope of entities covered and relevant requirements and enforcement. Many statutes or regulatory instruments or guidelines from prudential regulators impose barriers upon holding of regulated data offshore or by particular entities. The effectiveness of choice of law and choice of jurisdiction provisions has always been a concern for contracting parties. But this has been, for some time now, a lesser issue, supplanted by interpretation of laws that are vague or unclear as to their intended application to cross-border services or in-house technology deployments.
As a result there is frequently uncertainty as to which country’s laws apply when, how, to what and whom. Many national laws have poorly drafted territorial nexus or connecting factors provisions, leaving the lawyers to answer complex questions of private international law and markedly divergent national approaches to statutory interpretation, and to make difficult judgements as to regulatory enforcement priorities. Conflict of laws (private international law), constitutional competence to regulate, and interpretation as to intended application of laws that are silent or vague as to territorial nexus remain arcane fields of law. And it is not just a problem of old statutes. Even newer statutes that one might expect would anticipate and address territorial nexus simply fail to do so, either through oversight, or because it is too hard, or for other reasons of political or regulatory expediency. Of course, one such expediency is leaving room for a regulator to argue that a law has coverage when coverage is sought, but to retreat when asserted coverage leads to other nations voicing concerns. An increasing number of jurisdictions have consumer protection and other statutory requirements that apply in relation to particular classes of transactions regardless of contract terms or choice of law. Often national prudential regulators will prescribe particular requirements as to end-to-end accountability and assessment and mitigation of risk that are inconsistent with requirements of other regulators and sometimes simply irreconcilable. Technology lawyers are becoming international lawyers, managing uncertainty and working in teams to deliver the right mix of skills and analysis to address these issues.
The next change is working within still escalating value disruption and disintermediation driven by the internet, by internet searchable and available contract forms and legal analyses, and by the influx of law graduates into all streams of business. In the 21st century, most educated business persons have some level of familiarity with contract law, with negotiation of contract terms, and as to principles of project management. The tools to negotiate many technology contracts are readily available to many non-lawyers. They are used by them to varying effect. Often these contracts will be good enough to address basic contract issues, even for cross-border deals, and allow the deal to struggle through without any review or any detailed input by specialist technology lawyers. Sometimes these contracts will be robust and adaptable. Sometimes they will work well enough until a dispute or regulatory issue arises, at which point unravelling some of the issues discussed above will become necessary. Some technology lawyers have elected to become specialist mediators and arbitrators, often acting as triage providers for the victims of these commoditised contract deals. There is every indication that commoditisation of contracts will continue, whether through pressure on legal budgets or failure by customers to recognise deals that require individual negotiation or inclusion of particular terms.
The next major development is the increasing velocity of business change. This velocity creates economic value from the ability to address that velocity. Direct ordering by customers from factories, manufacture to order capabilities, internet transparency of geo-location based pricing and of feedback from other purchasers as to their buying experience, new payments and payment escrow mechanisms, new logistics and fulfilment options, and lessening barriers to market entry and exit, are all driving disintermediation, shortening product life cycles and increasing brand substitutability. Brand is often now not the best guarantee of quality or reliability or repeatability.
The velocity of business change should also inform how any contract for a major technology or business transformation project is written. One reason that so many government technology contracts fail is that government contracting practices are remarkably inflexible. They typically involve long lead-in times, early lockdown of specification and hundreds of pages of contract terms that through length seek to be exhaustive but instead lock the government client to particular processes or outcomes even where these are superseded by subsequent technologies or evolving customer needs. Often key stakeholders can see these changes occurring, but they are divorced from the project execution through the requirements of prudential overseers or by poor project management practices. Change management processes are themselves often so cumbersome and slow that change orders are discouraged – or the parties develop processes that simply bypass the contract requirements and have no adequate control points at all.
Change is the only constant in contracting for major technology or business transformation projects. Contracts need to be flexible and facilitate active governance rather than lock down, able to cater for appropriate go/no-go decision points, reviews of road-maps, suspension and step-in rights, regulatory compliance and change, personnel replacement, co-operative defect resolution and knowledge capture and transfer. Flexibility in software licence scope terms means that customers can avoid prolonged licensing restrictions in relation to issues such as location and country of installation, and retain an ability to outsource facilities management, IT operations and software development. Upfront flexibility by broad licence scope also avoids renegotiation when the customer no longer has sufficient leverage to obtain the desired outcome.
Transition-out is often poorly addressed in technology contracts. Transition-out occurs when a customer is most vulnerable to an incumbent vendor. Most customers recognise that data centres enhance information security but create vulnerability if the customer cannot readily get its data back. Thorough mechanisms to deal with the issue of transition-out require regular revisiting during the term of the contract, for example by having the vendor provide on a regular basis updated information needed to transition-out, such as asset and personnel inventories and procedures manuals. This also ensures that the customer has access to information to help inform their decision whether to renew a contract or go back to market. The contract should also deal with important IP and confidentiality issues which arise in transition-out. For example, the contract should permit the customer to include relevant information in tender documents so that other vendors can properly bid for work being performed by an incumbent vendor.
The velocity of change affects technology lawyers in many ways. First, businesses evolve and come and go more quickly, and seek to be lean and flexible as they try different business models. Sometimes this leads to decisions that less and faster lawyering is good enough. Second, velocity of change drives outsourcing and teaming to enable leanness and flexibility and mix and match in buying in of services, rather than the big, bespoke technology in-house builds of the past.
Third, and perhaps least recognised, velocity of change places an increasing premium upon tacit information and knowledge, as compared to traditional intellectual property protection. Put simply, in many industries the value of what is in human heads is rapidly escalating, and the real or perceived value of more traditional types of intellectual property protection – patents, trademarks and copyright – is declining. Data is particularly valuable, and yet copyright protection of databases in many jurisdictions is limited and uncertain, particularly where the database is computer generated and not transformed through data analysis. This is not to assert that traditional intellectual property protection is dying or deceased. Far from it, traditional IP protection forms the foundation for some industries such as premium retail brands, pharmaceuticals, biochemicals and agricultural technologies. But in many other industries, including the law, tacit knowledge is increasingly valuable and portable. The law as to trade secrets or confidential information, employee no-competes and contractual restraint of trade is more relevant than ever, yet not well understood. Old concepts of geographical constraints are often useless when faced with highly mobile workforces where an ex-employee can sometimes effectively compete with a former employer in one country from a new place of business in another country. Line of business contractual restrictions often do not work as businesses evolve and employee responsibilities change, without the employment contracts catching up. Off-the-shelf employment or consultancy contracts frequently contain overly broad restraint, non-solicitation or grant-back provisions which are unreasonable and unenforceable in many jurisdictions. 
Specialist human resources lawyers often don’t know enough about the business, the business technologies or the specific skills and responsibilities of the employee or consultant to draft an appropriate restraint of trade. Protection of tacit information without imposing unreasonable restraints of trade will become critical for many businesses. Many businesses and their lawyers are just starting to think about how to effectively address these issues.
The last major change challenging technology lawyers is the rapid rise in analytical use of “Big Data” in many industry sectors. Contracting for Big Data analytics requires new skills, including as to ownership and protection of data transformations undertaken to facilitate analytics and the algorithms and processes that are then used to derive valuable insights from that transformed data. Ownership questions are often tricky to address because the aggregation of data sets from disparate data sources makes a composite work that may be valuable and confidential to each contributor of data sets as well as the data analytics provider. Privacy and data protection and information security regulation affects use of information that is now routinely collected and used about individuals, their preferences and lives and their use of devices of all kinds. At the heart of the current global debate as to how privacy regulation should address Big Data lie key questions:
• Can national privacy laws and regulation facilitate socially beneficial uses and applications of Big Data while also precluding “spooky”, “creepy” or otherwise socially or culturally unacceptable practices?
• Can diverse national privacy laws and regulation, including markedly different constructs as to what is personally identifying information and sensitive information, be applied or adapted so as to accommodate socially beneficial uses and applications of Big Data, or is a more fundamental overhaul of law and regulation required?
• Can any adaptation or changes be made quickly enough to address growing citizen concerns about unacceptable or hidden Big Data practices?
The commonality of concerns around overly intrusive or “bad” Big Data practices has been partly obscured by regional and national differences in privacy regulation and in the detail of technical legal analysis as to the interpretation of privacy law. There is an engaged and continuing global debate as to how fundamental privacy concepts of notice and consent should be adapted to apply in a fully networked world of individuals and of interworking devices (the so-called “internet of things”). There has also been an active debate as to the continuing differences in national regulatory approaches to personally identifying information and particularly sensitive information such as health data and how these differences may affect implementation of now common transnational services such as global or regional data centres and software applications delivered as cloud services.
Fundamental failings of many data analytics projects today include unnecessary use of personally identifying information in many applications where anonymised or de-identified transaction information would suffice, and omission of technical, operational and contractual safeguards to ensure that the risk of re-identification of individuals is appropriately managed. Both good privacy compliance and sound customer relations require planning of operational processes to embed, in particular, safeguards against re-identification of anonymised information, in how an organisation conducts its business, manages its contractors, offers its products and services and engages with customers. Privacy by design and security by design are sometimes implemented through a binary characterisation of data as personal and therefore regulated, or not personally identifying and therefore unregulated. Developing privacy theory adopts a more nuanced, graduated approach. This graduated approach places re-identification risk on a continuum between certainty of complete anonymisation and manifestly identifying information, and applies regulation appropriate to where re-identification risk sits on this continuum for a particular application or project.
This article has outlined changes that are occurring concurrently around the globe. We noted earlier how velocity of business change creates economic value from the ability to address that velocity. Lawyers are risk evaluators and managers. Many lawyers are now required to take a lead in designing and implementing an integrated risk management approach when considering technology contracting. For example, evaluation of cloud deployments requires recognition that the impact of risk is affected by the nature and characteristics of the cloud delivery model being considered (including the geographic location from which it will be deployed). Appropriate consideration of risk likelihood, consequence, tolerance, and potential mitigation can ultimately result in a decision which allows the expected value of cloud arrangements to be effectively realised. Technology lawyers who are adaptable and embrace change in how they draft and negotiate contracts and counsel their clients will differentiate their offerings from commoditised technology contracts. Survival requires adaptation and many lawyers will feel uncomfortable with the cross-disciplinary teams and mix of business, contracting and regulatory skills that are required to counsel on international technology-based deals. The changes are profound. It may be a bad time to be in the business of law, but the business of technology lawyering remains exciting, unpredictable and challenging.