IT sourcing outside EU - legal challenges

Arve Føyen
Partner FØYEN Advokatfirma DA
Background – Commercial drivers

• Effective use of ICT is fundamental to promote
  economic growth, and to promote high rate of
  employment in Norway
• The globalization of the economy makes it possible for
  high-cost countries to take advantage of resources in
  low-cost countries
• Delivery models based on a combination of domestic
  and offshore resources
   – have proven to be cost-effective
   – help keep IT costs lower than using purely national
     resources
   while maintaining a local touch based on the
   supplier/customer relationship
                                       Copyright © 2010 Foyen All Rights Reserved.   2
Challenging framework conditions

• National legislation regarding
   – Protection of privacy, confidential information and
     data security
   – Requirements for local storage e.g. accounting
     information and accounting vouchers for inspection
     purposes, or for archive purposes
  often cause significant barriers to sourcing outside
  Norway, for offshoring, and for use of Cloud services
• Preparation for effective international sourcing and
  delivery models requires that such obstacles can be
  identified
• Thereby delivery models may be adjusted and
  adapted, the required framework established, and
  relevant legislation complied with
Cloud and sourcing – what are the roles?

• Companies which source their processing of data outside their
  own entity are ”Data controllers”
• They are responsible for compliance with privacy legislation
   – Which country's legislation
   – How to comply with the restrictive and fragmented European
     privacy regime
   – The contractor will often be «Data Processor», or
     «Sub-Processor»

• Where are the data?
• Who controls the data?
• Who has the rights to the data?
• How well protected are the data?
• Is the transfer of the data to the «cloud» in accordance with the
  privacy legislation, or other relevant legislation?
A Spectrum of Cloud-Computing Providers

[Figure: layered stack of cloud provider types, from Software as a
Service at the top through Application Services, Application
Infrastructure Services and System Infrastructure Services (the
middle layers together labelled Platform as a Service) down to
Infrastructure as a Service at the bottom, with V-Cloud shown at the
base. Source: Peter Hidas – Gartner, February 2010]
Cloud delivery – Geographically limited

• Data processor agreement between the Data controller in each
  country and the centrally located data processor
• Separate and different agreement regarding transfer of data if the
  receiver also shall act as a Data controller

Fog in the cloud

Chain of suppliers and subcontractors – can be unclear:
 •   Where data is stored
 •   How the access to data is secured
 •   Who has access to data
 •   How stable the legislation and the general situation are in the
     country where the data is stored (security, access, audit access etc.)

The risk will vary depending on whether the deliveries are
 • Application development;
 • Application maintenance, or
 • Application operation

Separate checklists should be developed for each type of
delivery
Legislation - examples

• Data Protection and Data security
• Banking and Financial Data
• Accounting data and Accounting vouchers
• Archive legislation and legislation regarding journals and archives
• Confidentiality and secrecy legislation
• Protection of proprietary information and business secrets
• Legislation regarding information security in public and private
  sector
• Legislation regarding information security vis-à-vis vendors to
  public and private sector
• Legislation regarding choice of law and legal venue
Privacy – legislation and policy

Clarification of roles and responsibility
• “Data controller” is responsible according to POL
• “Data processor” instructs the Data controller

Data processor agreement is required for sourcing offshore and in
the “Cloud”!
• Legal requirements for data security must be included in the
  agreement with the offshore or cloud supplier

Transfer of data abroad
• The Data Controller must know in which jurisdiction the data is
  physically stored
• What about access from abroad to data physically stored in Norway?
Government access

Legislation giving government access to information
varies from jurisdiction to jurisdiction

• FRA (Försvarets Radioanstalt) legislation in Sweden
• US Patriot Act
• Legal discovery processes in litigation – both in civil and
  criminal cases
• Control and audit rights for the authorities

National legislation and national courts in the
country where the data is physically located will
decide the issue of access for the authorities
Information Security

• Legislation regarding security requirements for storage
  of information varies, is complex and fragmented
   – The Protective Security Services Act applies to
      • Graded material
      • Cloud and offshore sourcing services are not allowed
   – Regulations regarding electronic communication in and
     with Public administration, sections 3, 4 and 5
   – The Accounting Act requires storage of accounts and
     vouchers in Norway or certain listed countries
   – The ICT regulation (finance sector) regarding outsourcing
     and documentation
   – The Health Register legislation
   – Tax information
Choice of Law and venue

If breach of agreement:
• Which country’s law shall apply
• Arbitration or ordinary courts
• Legal venue (which court and court district)
• Where shall a potential case be heard and what shall be the
  language (if Arbitration)

Execution in the home country of the other party?
• Is there a bilateral agreement or a convention regarding mutual
  recognition of judgments (EEA: Lugano Convention; Arbitration:
  New York Convention)
• No mutual recognition with important countries, e.g. the US,
  China or Russia
Lack of compliance – big risk

Exposes the business to financial risk
• E.g. delayed implementation and additional costs of having to make
  the solution compliant retrospectively

May harm the reputation
• Regulators/inspectors are quick to publish breaches in the media,
  which may damage the reputation

May lead to orders from the control authority
• The project may be stopped, or changes to the delivery model etc.
  may be required

Can expose the business to punishment
• Fines may be imposed by the DPA
• Criminal proceedings may be brought by the police/prosecutors
08.06.2012
International cooperation is key

Sourcing, offshoring and cloud sourcing of services are of a truly
international character.

Privacy, data security and legal obstacles to the development of
flexible and forward-looking sourcing strategies must be dealt with
through international cooperation.

ICT-Norway has established a good working relationship with its
sister organization in the UK, and with similar organizations in
other countries, to sort out the international aspects based on
best-practice solutions in order to lower the threshold for use of
cloud and offshore sourced services.
Why the need for checklists

Increased use of services sourced outside of Norway and outside the EU.

Fragmented legislation – no one has a comprehensive overview.

Significant uncertainty in the market about the use of offshore
delivery models.

Checklists and templates for policy documentation will help both
customer and supplier with risk management and mitigation.
Vision for the guideline

• A neutral and practical guide
• International co-operation with key countries
• Main focus on privacy, with modules for special areas such as
   – Banking and finance law
   – Areas of public administration
   – Archive legislation
   – Legislation relating to accounting and auditing

[Diagram: A practical guide, based on domestic legislation, with
modules for banking and financial data, public administration and
personal data]
End

Arve Føyen
Advokat - Partner

Mobile: +47 91 81 99 62
E-mail: arve.foyen@foyen.no
Internet: www.foyen.no
