30 October 2019

The changing trends in IT contracts

Changes in both the regulatory environment and the way in which IT services are delivered have led to the recent emergence of a number of trends in IT contract negotiations. Both users and suppliers are experiencing how new technology and legal guidance affect the contractual world in which they are operating.

The Shulmans Commercial team has many years of experience advising both suppliers and customers on IT issues. Our lawyers are well placed to advise on how to strike a balance that protects a client’s interests while giving consideration to the issues that are likely to be important to the other side.

Recent trends in the sector include:

  • A move to cloud provision which requires different risk issues to be considered. Suppliers who use documents originally drafted for a traditional licence model may not have appropriate coverage of these issues.
  • Standard GDPR clauses which were introduced in a hurry in May 2018 may not actually cover the specific issues arising from the data processing taking place. Organisations are taking a more considered view of these issues now that the pressure is off.
  • Liability for data issues being considered in more detail, moving on from the simple demands for uncapped indemnities which we saw in May 2018.
  • Liability discussions becoming more complex and taking account of the technical set up of the service being provided.
  • Business continuity issues taking on more importance, and cloud-based service provision means that traditional escrow models do not work as well as they could.
  • Fully negotiated contracts becoming less common, meaning that suppliers are increasingly starting from a more balanced position.

If your contracts are more than a couple of years old it may be worth revisiting them to see whether any updates are required to take account of these points. Below we look into the trends in more detail, exploring where they are most common and how businesses can address them.

Cloud provision

It is becoming more and more common for software and other services to be provided on a subscription basis. This is a move away from the traditional model of installing software to be operated under licence on hardware under the customer’s control. The two methods of delivering services require very different contracts as there are a number of issues relating to cloud provision which do not apply to licensed software, and vice versa. However, we still see some suppliers who have moved from a licence model to a subscription model without carrying out a full update of their contractual documents. This means that the documents may be missing provisions such as data protection clauses, provisions on service availability, and a different method of dealing with updates to the software. We would usually recommend a complete overhaul rather than trying to make a licence document fit a cloud solution.

Data - Going beyond the GDPR basics

Many contracts look at data simply from the point of view of the obligations relating to personal data set out in GDPR. Whilst these provide a good starting point, it is important to remember that non-personal commercial data can be just as valuable for a business and it is important to think about what level of contractual protection is appropriate for this data. Whilst there may not be a mandatory legal requirement to include contract clauses covering this data, this doesn’t mean that it’s not a good idea, although some of the provisions relating to personal data (such as facilitating access rights) may not be relevant for other types of data.

When GDPR was introduced, a number of organisations (on both the supplier and customer sides) put in place additional data protection agreements which replicated the GDPR requirements almost word for word. This was often done in the interests of updating large numbers of agreements quickly. However, as the dust has settled, some organisations are starting to realise that the formulaic approach does not always reflect the realities of how they operate their businesses and that a more nuanced approach is required.

For example, in May 2018 some organisations issued data processing agreements to almost every entity they exchanged personal data with. Some of these arrangements were better characterised as data sharing arrangements rather than data processing, and the documents issued were not always the most relevant to the situation. In addition, more recent case law interpreting GDPR has indicated that there are a number of situations where the parties may actually be joint controllers, which also requires a different contractual approach.

Additional issues where it is worth considering whether standard wording is appropriate include timescales for the return of personal data on termination. GDPR requires the return of data on termination, but some customers push back against particularly short timescales to request this transfer prior to the data being deleted. Suppliers, on the other hand, will want to delete data relatively quickly, particularly where they incur cost in continuing to store it. Some negotiation may be needed to find an appropriate balance. Sometimes there may also be issues around ensuring that the customer has appropriate hardware and licences to receive the returned data if it has been stored in a proprietary format or using a method of encryption which locks it to specific hardware. Working through the practicalities in this area will take you beyond the pro-forma clauses which simply replicate the wording of GDPR.

It is also worth thinking about how much support should be given to the customer to enable it to comply with its obligations under GDPR, and who bears the costs of this. While GDPR requires a data processor to give assistance with things like subject access requests, where a technology service is essentially “self-service” it is often reasonable for the supplier to expect the customer to carry out its own searches and obtain the relevant data rather than requiring the supplier to do it, and for the supplier to charge where its assistance is required.

Finally, while GDPR requires a degree of transparency around sub-processors, suppliers of cloud services tend not to want to give each customer the choice of which suppliers are used behind the scenes to provide hosting and other services. This has led to suppliers using mechanisms such as notifying the customer of changes and allowing the customer to terminate the contract within a specific period of time if it does not approve rather than opening the door to a customer requiring a bespoke (and possibly expensive) set up to accommodate its needs.

Risk allocation and liability

Liability for data loss has also become the subject of more complex negotiations in recent years. The larger potential fines under GDPR have led to customers being more concerned about the possibility of their suppliers putting them at risk of a regulatory fine. Meanwhile those suppliers whose product gives an element of choice to the customer as to what personal data they store on it, for example hosting or back up services, want to protect themselves against the risks arising from the storage of particularly sensitive or valuable data.

During preparations for GDPR it was common for customers to ask for uncapped indemnities in relation to GDPR issues. This was largely due to the fear of eye-watering fines. However, with over a year since the introduction of GDPR it has become clear that while fines can certainly be huge (as in the case of fines issued to BA and Marriott), fines are also relatively rare and tend to require an element of direct culpability on the part of the organisation being fined. As some of the hysteria dies down, it is becoming more possible to negotiate sensible caps on liability to reflect the risk profile of the arrangement.

Liability discussions have also become more nuanced around specific types of risk. For example, if the supplier is not intended to be the only repository of the data, as in the case of a back-up service, or a service which is also intended to be backed up elsewhere by the customer, then should the supplier bear all the risk of a loss of data? Whilst it may accept liability for unauthorised disclosure of the data, if data is lost it should be possible to restore it from another copy, and if the customer has failed to take those copies then the customer should share the responsibility for this. Likewise, if the customer has actively chosen a less resilient system (for example with fewer instances or copies of the data or with lower expectations around security), then the supplier will seek to limit its exposure in line with the lower fees charged for this service.

Limiting liability more tightly may also be relevant if the customer chooses to store particularly sensitive data on a system which does not have a level of security commensurate with the sensitivity of the data (and the associated costs). In this situation the supplier will want to be clear about what it does provide and expressly state that the customer is responsible for checking that the system and the security measures meet its needs, in order to argue that the liability caps and exclusions are reasonable on that basis. However, customers are still likely to push back on a complete exclusion of liability on the basis that where data storage is an integral part of the service, and what is being paid for, the supplier should have some responsibility if it fails to provide that service to the required level.

Business continuity planning

Contracts often contain force majeure provisions which relieve the supplier from a failure to perform arising from situations outside its reasonable control. However, for some services it is important to include a more detailed plan of how the parties will respond if a disaster happens, meaning that while the supplier may not be able to perform the “standard” service, it is not entirely relieved of its obligations and instead needs to take defined steps to provide a level of continuity.

A further point which gives rise to more complex issues in a cloud environment is how to deal with the potential failure of the supplier. In traditional software licence agreements an escrow agreement could be put in place. The software would be installed on hardware under the customer’s control, and an escrow release would give the customer the necessary access to code to be able to maintain it on an ongoing basis. In a cloud based solution, the customer never has control of the hardware, and the software and associated data is often hosted on servers operated by a third party with whom the customer has no direct contractual link. If the supplier fails it could stop paying the hosting bills, so the customer will need additional protection going beyond a simple release of source code.

Standardisation

Cloud solutions lend themselves to more of a “one-size-fits-all” solution rather than something which is set up and customised for each customer on a bespoke basis. This applies both to the set-up of the service and the contract terms applying to it. From a supplier’s point of view, while it may prefer to insist on standard terms it will still often receive requests from customers to amend or clarify them, particularly if they are one-sided, which means that it is easier to insist on the terms being non-negotiable if they are reasonable and cover sensible concerns of the customer.  Standard terms are also subject to restrictions on what liability can be excluded, as opposed to negotiated terms where there is no express requirement for the agreed position to be reasonable. As such, a set of standard terms may start from a less aggressively supplier-friendly position than a set of terms which is intended to be softened as part of a negotiation. It can also be useful for the supplier to have a set of standard responses to frequently asked questions on the contract in order to reduce the amount of time spent dealing with contract issues as part of the customer set up process.

If you would like more information on the topic covered above, or would like to discuss how this might affect your business in more detail, please contact any member of our Commercial team whose contact details can be found here.