TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

The US Department of Homeland Security (DHS) hosted the first National Security Summit on July 31 in New York City. In attendance were US Vice President Mike Pence, senior members of the DHS and other federal agencies, as well as industry leaders from sectors including telecom, finance, and energy. One of the major announcements to come out of this summit was the formation of the National Risk Management Center, including a new supply chain risk management task force.

A frequent point of contention between parties negotiating the allocation of risk related to intellectual property rights in connection with the acquisition of intellectual property is the interplay between the warranty and indemnification sections. Below we break down what to look for in these sections and how minor changes in the language can significantly change the rights a party is granting or receiving.

Intellectual Property Warranties

An intellectual property warranty generally provides that the intellectual property rights being licensed or assigned constitute all intellectual property rights owned or controlled by a party prior to the effective date of the transaction, and that those rights are all the rights necessary for the conduct of the business (as it is currently conducted) after the effective date of the transaction. A warranty may also go on to say such intellectual property does not infringe third-party intellectual property rights. The following versions of this clause demonstrate how this clause can be worded to strengthen or weaken the warranty.

The World Bank announced on August 10 that 70 years after its first bond transaction, it will be issuing the first bond to use entirely blockchain technology, in part to help the bank gain experience in the use of blockchain. The World Bank’s innovation lab partnered with the Commonwealth Bank of Australia (CBAUF) and Microsoft on this endeavor almost a year in the making.

Blockchain is a growing list of records, or “blocks” linked using cryptography and resistant to modification since it is essentially an open, distributed ledger that can record transactions between two parties efficiently and verifiable in a permanent way. This means that once data is recorded, the data in a block cannot be altered without altering all later blocks, which requires majority consensus of the network. Just imagine all the people around the world agreeing to verify a single block and all subsequent blocks!

This July, the 2018 Cost of Data Breach Study: A Global Overview was released as an independent study by Ponemon Institute, LLC, sponsored by IBM Security. The study breaks down the rising costs of data breaches and the likelihood of an organization experiencing a future data breach, with information derived through interviews with more than 2,200 professionals from 477 organizations that have experienced a breach in the last 12 months.

The study does not focus on “mega breaches,” which are breaches that exceed 1 million records. However, for the first time this year the annual study offers separate insights into data breaches that resulted in the exposure of more than 1 million compromised records:

  • Mega breaches of 1 million records yield an average total cost of $40 million
  • Mega breaches of 50 million records yield an average total cost of $350 million

European financial institutions (competent authorities, credit institutions, and investment firms as defined in EU Regulation No. 575/2013, collectively Institutions) have been instructed to comply with the European Banking Authority’s (EBA’s) recommendations when outsourcing to cloud service providers (Recommendations) as of July 1, 2018.

With cloud-based solutions offering new products geared to potentially reduce infrastructure costs and improve services, outsourcing to cloud-based services providers is becoming progressively more popular by Institutions. This trend has prompted the EBA to issue the Recommendations, with the expectation that Institutions will use their best efforts to comply.

We are seeing more merger and acquisition activity among technology services companies as European companies are seeking to expand their presence in US markets. Just this week, another acquisition of a growing US-based technology company by a global technology services leader headquartered in France was announced.

On July 22, French multinational company Atos—a global leader in technology services and digital transformation—announced that it entered into a definitive merger agreement with US-based Syntel. The acquisition, subject to regulatory approval, is scheduled to close by the end of 2018. Syntel, based in Michigan, is a global IT company specializing in cloud, mobile, analytics, and automation services. The purchase of Syntel is intended to strengthen Atos’s presence in the banking, financial services, and insurance (BFSI) industries, with Syntel generating a substantial portion of its revenue from BFSI and large global banks. The acquisition also will increase the North America presence of Atos and expand Atos’s workforce in India, adding 23,000 employees—18,000 of which are based in India—to Atos’s current headcount of about 97,000.

The European Court of Justice (ECJ) in Luxembourg rendered a judgment on July 12 that explains, among other things, what a (joint) data controller is. The judgment is on the “old” EU Data Protection Directive 95/46/EC, but the relevant provisions in the General Data Protection Regulation (GDPR), Art. 4 and 26, are very similar.

1) Background

The case is about Jehovah’s Witnesses Community and whether taking notes in the course of their door-to-door preaching falls under the GDPR. The ECJ states that (a) their activities don’t fall under the exemptions for religious communities, and that (b) the community is a data controller jointly with its members who engage in this preaching activity.

2) Quotes from the Judgment (emphasis added)

65 “As expressly provided in Article 2(d) of Directive 95/46, the concept of ‘controller’ refers to the natural or legal person who ‘alone or jointly with others determines the purposes and means of the processing of personal data’. Therefore, that concept does not necessarily refer to a single natural or legal person and may concern several actors taking part in that processing, with each of them then being subject to the applicable data protection provisions (see, to that effect, judgment of 5 June 2018, Wirtschaftsakademie Schleswig-Holstein, C‑210/16, EU:C:2018:388, paragraph 29).

Alphabet Inc.’s Google has taken advantage of the European Union's General Data Protection Regulation (GDPR) to gain a larger share of digital marketing spending in Europe. On the first day that the GDPR took effect, approximately 95% of European advertising spend went to Google. The company’s example is a case study in how regulatory preparedness can have a tangible impact on market advantage.

Google spent over a year preparing for the GDPR by updating more than 12 million contracts, with the end result being Google’s ability to gather user consent for targeted advertising at a much quicker pace than competitors. A Google spokesperson stated, “over the last year, we’ve engaged with over 10,000 of our publishers, advertisers and agencies across nearly 60 countries through events, workshops and conversations around the changes we’re making to be compliant with the GDPR,” as reported by Bloomberg. While many other companies have been caught flat-footed and are still scrambling to comply with GDPR privacy rules, Google seized the opportunity and has emerged an early winner.

Based on the flood of updated privacy policies that have inundated email boxes throughout the world, it is clear that the European Union's General Data Protection Regulation (GDPR) is now in full effect. The EU's new European Data Protection Board (EDPB) has already provided guidance to one area where member states have the ability to issue additional guidance ("Derogations"): transferring personal data outside of the European Union.

During its first plenary meeting on May 25, 2018 (the same day the GDPR became effective), the EDPB adopted the final version of the Guidelines 2/2018 providing general guidance applicable to international transfers under Article 49. The predecessor to the EDPB, the Article 29 Working Party, conducted a public consultation on a draft of these guidelines. The EDPB took into consideration the replies received and integrated the appropriate changes into this adopted version.

The Russian Parliament on April 12 approved at a first hearing a new draft law aimed at owners of public networks. This latest bill in a series of legislation on internet-related activities and services would create new obligations on any internet resources with more than 100,000 users in Russia per day that allow enrolled users to post or exchange electronic messages.

For more details on this new proposed legislation, read the LawFlash here.