Articles Posted in Regulatory and Compliance

In Part 3 of “It’s 2013. Do You Know Where Your BYOD Policies Are?” we will address developing BYOD trends and best practices. Please check out Parts 1 and 2 of this three-part series, which address employee and employer concerns respectively.

Recent Findings: Widespread Adoption, Lagging Management

Recent studies show that security practices and corporate policies are struggling to keep pace with the popularity of BYOD. As mentioned in Part 1, a recent Cisco study found that 90% of full-time American workers use their personal smartphones for work purposes. Surprisingly, widespread adoption is reported in industries handling highly sensitive and regulated data: banking at 83.3%, and healthcare at 88.6%.

In Part 2 of “It’s 2013. Do You Know Where Your BYOD Policies Are?” we will discuss employer BYOD concerns. Check out Part 1 to learn more about employee interests; Part 3 will present developing trends and suggest best practices for BYOD policy drafting and implementation.

The Employer’s Perspective on BYOD

While BYOD provides employees with enhanced user experience, their employers welcome BYOD for cost savings, increased productivity, and improved employee satisfaction. Yet, these benefits come with certain costs, primarily data security risk, as well as regulatory compliance risk.

Imagine you grab your phone only to find it locked, with all of your applications, pictures, and contacts permanently deleted. Imagine your employer’s IT department remote-wiped your phone because they mistakenly believed it was stolen. Better yet, imagine your Angry-Birds-obsessed child triggered an auto-wipe with too many failed password attempts (don’t laugh – it’s based on a true story!). Can your employer really do this to your phone?

Imagine instead that you are the CIO responsible for protecting sensitive corporate and third-party information. How can you ensure information security when your employees carry sensitive data in their pockets everywhere they go, and let their friends and family play with these devices?

The use of user-selected personal mobile devices for work (often called “Bring Your Own Device” or “BYOD”) is undoubtedly delivering benefits for employers and employees alike. Yet, competing employee-employer interests and related risks must not be ignored. Remarkably, only 20.1% of companies surveyed globally have implemented signed BYOD policies according to a recent study (Ovum Research Shows U.S. Ahead of Other Countries in Asking Employees to Sign BYOD Agreements). This three-part series will outline competing interests and risks, and will suggest that the best way to manage these risks is through the drafting and enforcement of proper BYOD policies.

Why do you need to act urgently even if you feel your data handling is compliant?

If you are a US-headquartered company, do you need to bother with these new EU laws and the significant changes proposed?

In 2013 the frenetic pace of change seen last year has continued, with new data laws and fines that will affect how all companies, regardless of business sector, use employee or customer data. The European Union, as confirmed in the January 2013 Albrecht report, is indeed planning to dramatically amend its EU Data Protection Directive by replacing it with a new Regulation.

The UK government has issued a consultation on proposed changes to the Transfer of Undertakings (Protection of Employment) Regulations 2006 (SI 2006/246) (TUPE).

TUPE is the UK’s implementation of the Acquired Rights Directive (2001/23/EC) (ARD) and, broadly speaking, protects employees when the business or undertaking for which they work transfers to a new employer. Critics of TUPE (which revoked the 1981 TUPE regulations) have raised concerns that it ‘gold plates’ the ARD (i.e. it does more than is strictly required by the Directive) and is too bureaucratic. They also cite a number of practical difficulties. In November 2011, the UK government responded by publishing a Call for Evidence on the effectiveness of TUPE, subsequently concluding that the gold-plating aspects of TUPE should be removed and the operation of the regulations made more practical.

What does this mean for outsourcing and other long-term service arrangements? The most significant change being proposed is the repeal of the regulations relating to “service provision changes.” The “service provision changes” provisions were introduced in 2006 in an attempt to avoid uncertainty as to when TUPE applied. The 2006 Regulations expressly state that TUPE applies at the end of a services relationship in the same way that it already applied, under the earlier TUPE regulations, to a “relevant transfer” at the outset. Thus, in certain circumstances (which have recently had to be clarified by a number of employment tribunal decisions and appeals), an automatic transfer of the staff working on delivering outsourced services would take place under TUPE at the end of an outsourcing deal, regardless of whether the work is taken on by another third party as a successor to the original supplier or is brought back in-house by the customer.

We have written before on this blog about the visa issues that offshore service providers face when bringing talented resources to the U.S. from other countries. Since there are a finite number of H-1B visas that can be issued each year, some service providers have sidestepped the limit by obtaining B-1 visas, which contemplate a shorter-term engagement than most outsourcing contracts envision.

In response to a host of immigration issues, the Senate has recently introduced a bill that would not only increase the number of H-1B visas that can be issued each year, but would also include an automatic increase to a maximum of 300,000 visas annually if there is sufficient demand. Currently, the United States has an H-1B visa cap of 65,000, and the proposed legislation would increase the cap to 115,000, with the potential to rise to 300,000.

The proposed legislation would certainly ease the visa restrictions on offshore service providers that are seeking to bring top talent to the United States. A recent report in the Economist noted an increasing trend of customers bringing offshored services closer to home in the United States, and this proposed legislation would make it easier for offshore suppliers to staff in the U.S. using foreign workers. In particular, the Economist noted that Infosys has opened new offices in the U.S. in order to accommodate its customers’ requirements for on-shore offices. With the trend of customers moving IT services back closer to home, the relaxed visa restrictions will put offshore service providers in a better position to win business with their top talent located in the U.S.

On 1 January 2013, over four years after the idea was first discussed, new Binding Corporate Rules (BCRs) for data processors were launched following a meeting of European data protection authorities.

BCRs are internal codes of conduct which companies within a group can “sign up to” regarding data privacy and security, to ensure that transfers of personal data outside of Europe will meet European rules on data protection. Whilst BCRs have been an option for data controllers to ensure compliant transfers from Europe for some time, the introduction of BCRs for processors has been welcomed with open arms by data controllers and data processors alike.

As a result of this change, processors, such as IT outsourcing providers, cloud providers and data centre providers, who implement BCRs will be able to receive data in Europe from their controller clients and then transfer that data within their group, outside of Europe, whilst complying with European privacy rules. For processors who choose BCRs to ensure compliance, this development could significantly reduce the managerial time (and paper) spent negotiating often complicated data protection safeguards for each and every data processing activity they carry out, whilst also doing away with the supervision associated with such contracts once they are up and running. At the same time, this development offers controllers’ clients comfort, in the sense that controllers will be able to demonstrate more simply that their processing activities comply with European laws by pointing to an approved set of BCRs.

The FSA has written a ‘Dear CEO Letter’ expressing concern that the asset management industry may not have “effective recovery and resolution plans” in place should an outsourcing provider face financial distress or severe operational disruption which could lead to client detriment. The full text of the 11 December 2012 letter appears here.

The FSA states that firms’ Boards must consider the implications of outsourcing to a third-party supplier and the regulatory requirements that apply. The FSA calls on firms to exercise “due skill and care and diligence” whenever they enter into, manage or terminate any outsourcing arrangement.

The FSA’s letter highlights its growing concern about the risks associated with asset management firms which outsource operational activities to third-party providers. The FSA has been looking at firms’ contingency plans and has concerns about a number of them. These concerns include asset managers relying on the fact that an outsourcing firm is part of a financial institution that is deemed too big to fail. The FSA says that this approach is imprudent, as the FSA might in fact allow such institutions to fail.

The Federal Communications Commission (FCC) is considering whether to make fundamental changes to how carriers (and ultimately their customers) pay for federal programs that provide greater access to telecommunications and Internet services. The dilemma facing the FCC is that Universal Service Fund (USF) program expenses are increasing, while interstate and international telecommunications revenues, the source of the funding, are on the decline. Facing a carrier contribution rate that is now 17.4 percent – a hefty rate in any economy – the FCC is looking at alternatives to revenues, including assessments based on telephone numbers or network connections.

No one disputes the laudable goals of USF. These include funding for: a) carriers who provide free or low cost telecommunications services to the poor; b) high cost telephone companies so that customers in rural and remote areas can access telecommunications at rates similar to customers in the cities; c) schools and libraries to get discounted rates for essential telecommunications services; and d) telecommunications services for rural health care providers. In 1998, these programs cost about $3.9 billion. In 2012 the cost will be more than $9.5 billion. The FCC has taken steps recently to cap or slow the growth of these programs, and put in place rules and regulations to reduce fraud, waste and abuse.

The growth on the expense side has put added pressure on the revenue side – all of which comes from carriers providing interstate and international telecommunications and VoIP services. As a result of the declining cost of telecommunications services, combined with reduced demand because of email and free voice services, assessable revenues fell from about $80 billion in 1998 to about $66 billion in 2012. Accordingly, the contribution factor has risen from 3.19 percent in 1998 to 17.4 percent today. The FCC adjusts the contribution factor quarterly.

It has been six weeks since the SEC issued final rules relating to the reporting of conflict minerals. The rules apply to public companies that are subject to reporting requirements under the Securities Exchange Act of 1934 (so-called “issuers”). Issuers must report on the use of conflict minerals in their products. You can read a summary of the rules and an outline of how they are to operate in our Client Alert: SEC Adopts Final Rules on Conflict Minerals Reporting.

In a nutshell, the rules require issuers to examine their supply chains for conflict minerals and to disclose their use in public filings with the SEC. Conflict minerals are certain minerals (including gold and ores from which tin, tantalum and tungsten are extracted) that originate from the Democratic Republic of Congo and adjoining countries. These minerals are used in electronics such as mobile phones, computers and digital cameras, in jewelry, and a wide range of other consumer and industrial products.

The rules are mandated by Section 1502 of the Dodd-Frank Wall Street Reform and Consumer Protection Act. As with many gifts from Washington, the complexity of the original legislative directive has mushroomed: the Dodd-Frank provision runs for five pages, while the SEC’s final rule, with explanatory memoranda, runs to 356 pages. Consultants, lawyers and solution providers have been monitoring and lobbying on the development of the rules since Dodd-Frank was passed. The rules have spawned a mini-industry to advise on compliance and navigate the due diligence and reporting requirements.