
As many who have struggled to find a clear way to comply will know, an important change to the EU E-Privacy Directive (implemented by many EU states in late 2011/2012) meant, in summary, that websites which target, monitor or profile Europeans have been obliged to seek consent to use cookies via an opt-in mechanism. However, because each member state was left to its own devices to implement this change at a national level, and because of fierce lobbying by business to avoid strict “I agree” mechanisms, a range of approaches has been taken to what precisely constitutes opt-in consent, with some regulators (e.g. the Dutch) taking a more literal interpretation of the Directive, while others (e.g. the English) take a much more liberal approach.

This patchwork approach across Europe has caused serious headaches for those conducting e-business in multiple EU countries: a compliance mechanism could be acceptable in one country, only to be slapped down (or worse, risk a fine) in another.

In an attempt to clear up some of the confusing and often contradictory views, the Article 29 Working Party, a body made up of the EU’s data protection regulators, released a new guidance note on 14th October 2013.


We previously reported on the Massachusetts computer services tax that became effective on July 31st after the legislature overturned Governor Deval Patrick’s veto of An Act Relative to Transportation Finance. Facing strong opposition from the state’s technology sector, the Massachusetts legislature retroactively repealed the tax by passing An Act Repealing the Computer and Software Services Tax, which was signed into law on September 27th. Now, customers who paid the repealed tax should take steps to ensure they are promptly repaid or credited the appropriate amount by their vendors.

The Massachusetts Department of Revenue (DOR) has issued guidance to vendors regarding how to address the repeal. If a vendor collected but did not remit the taxes to the Massachusetts DOR, it is required to make reasonable efforts to return the taxes to the customers from whom they were collected. If a vendor collected and remitted the taxes to the Massachusetts DOR, the vendor may file an abatement application. Vendors should be keenly aware that abatement applications related to the repealed computer services tax are due by December 31, 2013. Furthermore, although vendors may repay or credit customers prior to receiving an abatement, they must do so “within 30 days of receiving said abatement.” Although the Massachusetts DOR guidance is helpful, vendors should consult their tax attorneys to determine their particular obligations.

Customers may consider reviewing applicable invoices for periods (a) from July 31, 2013 through September 27, 2013 to determine the repayment or credit amount they are owed, if any, and (b) after September 27th to ensure the vendors have updated their invoicing practices to account for the repeal. Customers should then contact their applicable vendors to ensure they are promptly repaid or credited the appropriate amount. If a vendor already remitted the taxes to the Massachusetts DOR, the customer should encourage the vendor to promptly file an abatement application. If the vendor resists, the customer may want to review the agreement between the parties to determine whether the vendor has a contractual duty to comply with the request. Last, customers should be aware that if (i) a vendor repays or credits a customer after filing an abatement application and (ii) the government’s refund to the vendor is delinquent, then the customer is entitled to any interest earned from the government.


October 1st marked the beginning of open enrollment for the federal and state health care exchanges (“Exchanges”) created to comply with the Affordable Care Act (“ACA”) of 2010, commonly referred to as Obamacare. The creation of the state and federal exchanges was and is a massive undertaking, involving the “unprecedented task of linking databases maintained by insurance companies, [and] states and federal agencies, including the Internal Revenue Service.” (“Obamacare Web sites see much interest, some glitches”, The Washington Post, October 2, 2013).

As anyone who has been involved in large scale IT projects knows, these types of projects invariably encounter glitches before they work smoothly, and the health insurance Exchanges are no exception. Many users of these Web sites encountered error messages or experienced significant delays when they tried to access the Exchanges to research their health insurance options.

Federal and state health officials initially blamed the delays on higher-than-expected site traffic, and pointed out that any new technology is going to have errors at first that need to be corrected. But the Exchanges have been up and running for over three weeks now and issues remain, particularly with the federal exchange HealthCare.gov. Some specialists have suggested that extensive changes are required before the site will operate properly and that the repairs could take months. (“Contractors See Weeks of Work on Health Site”, The New York Times, October 20, 2013.) The problems have created mounting pressure on the current administration, including plans for a congressional hearing later this month and calls for senior administration officials to lose their jobs. (“HealthCare.gov launched despite warning signs”, The Washington Post, October 22, 2013.)


Customers increasingly are taking advantage of Software as a Service (SAAS) and other cloud-based solutions available in the marketplace. There are of course many legal and commercial issues that customers should consider when evaluating contracts provided by suppliers of these solutions. This post focuses specifically on issues arising when SAAS or other cloud solutions will be provided from an offshore location. For example, data hosting, help desk/service desk, implementation, and disaster recovery services are often provided from India, the Philippines and other offshore locations in support of solutions that are delivered in North America and Europe.

  • Transfer of Customer Data Offshore. Customers should consider whether there must be restrictions on the transfer of data offshore (whether due to internal security policies, industry standards, obligations within downstream customer contracts, or applicable laws and regulations). If the data contains personally identifiable information (PII), protected health information (PHI) or similar types of data covered by data privacy laws, the data most likely should remain onshore. A customer may decide that other data may be transferred offshore, but only if additional safeguards, contract restrictions or liability provisions are added to the contract with its service provider.
  • Access to Customer Data or Systems from Offshore. This issue is the reverse of the item above: even when customer data and systems remain onshore, customers should consider whether personnel from the SAAS or cloud service provider should have access to such data or systems from offshore. For example, offshore personnel who are accessing service desk records or performing break-fix services may request the ability to access a customer’s onshore systems. This may be unacceptable in all cases, or it may be acceptable only if certain agreed-upon restrictions are followed.


The Transfer of Undertakings (Protection of Employment) Regulations 2006 (“TUPE”) is in the spotlight as part of the UK Government’s Employment Law Review. Launched in 2011, the purpose of the review is to reform employment law in order to achieve a fair, effective and flexible labour market in the UK[1]. The Government says that these reforms will support better relationships between workers and employers and are aimed at making evolutionary improvements to the labour market which will retain flexibility and dynamism and benefit individuals, employers and the economy.

TUPE implements the EU Acquired Rights Directive (“ARD”) in the United Kingdom. It protects employees’ terms and conditions of employment when a business is transferred from one owner to another. Where TUPE applies, there is an automatic transfer – for the affected employees it is as if their employment contracts had originally been made with the new employer, with their continuity of service and, subject to a few exceptions, other employment rights all preserved.

In an outsourcing context, TUPE will often apply because of the service provision change (“SPC”) rules. An SPC will usually occur where there is a change of service providers or a contracting in or out of services. TUPE is complex and is viewed by many as overly bureaucratic, leaving little room for new employers to make post-transfer changes to an employee’s contract or to dismiss them fairly. Critics say the SPC provisions, which were introduced in 2006, went beyond the requirements of the ARD, so-called “gold plating.” Taken in the round, the impact of TUPE, in its current formulation, may constrain the incoming service provider’s ability to restructure the inherited work practices, thereby impeding innovation and cost reduction. TUPE has also spawned complex indemnity and post-contract verification provisions in outsourcing agreements, reflecting the additional complexity associated with personnel transfers.


Google has figured out that I shop for a lot of children’s clothing online, as my two children grow like weeds. Every time I launch a search, my banner ads link to brands that I have bought previously or similar brands that other consumers may have purchased. That is Big Data at work, as it is being used to identify other brands that I might be interested in purchasing based on shoppers with similar consumer profiles to mine. But let’s say that the next banner ad I receive isn’t for children’s clothing, but is instead for an all-inclusive Caribbean vacation. I have never searched for Caribbean vacations, so why would this turn up? Again, this is Big Data at work, because patterns in human behavior have informed Google that people with small children are likely good targets for a quick getaway vacation. This is an example of the value of Big Data in predicting individual consumer behavior based on the behavior of many.

“Big Data” is the somewhat uncreative but accurate term for the process of collecting, culling, and categorizing data from diverse sources on a massive scale. Through the application of algorithms, companies are analyzing Big Data in order to see patterns in human behavior, and (most commonly) using it to develop targeted, individualized marketing. The primary goal of Big Data is to learn from a large body of information things that we could not comprehend when we used only smaller amounts. Recent trends point to an increase in the use of Big Data, but there are several cautionary points from a legal and privacy perspective to consider.

What are the uses of Big Data, and who uses it? The potential benefits are wide ranging, but can be categorized as follows:


In addition to the consumer hoopla over iOS 7, companies managing BYOD programs also have reason to rejoice. As reported on CIO.com, iOS 7 brings about a new level of control for companies through expanded app-level MDM capabilities. MDM, or Mobile Device Management, is the technology that companies use to try to segregate the corporate and the personal realms on mobile devices.

Of course, the trick is not in having the coolest technology, but in how you use it. For app-level MDM to work, the company takes control over the app (including the ability to wipe the app and its data). For some apps that themselves mix personal and corporate activities (e.g., the address book), the company’s use of MDM to protect its corporate assets will also sweep in personal assets. One can debate whether this is good or bad, but it does exacerbate the challenge of balancing personal and corporate interests. The tool makes it easier to protect the corporate assets, but exposes the personal assets to greater risk.

As we have outlined in prior posts, courts have striven to protect individuals’ interest in the personal data stored on their mobile devices from over-reaching companies. Again, as we have previously discussed, the best way for the company to protect itself is by being very clear in its BYOD policies as to what it will and will not do. This requires the manager of the BYOD policy to understand clearly the technical implications of the new iOS 7 capabilities, including both the intended and unintended consequences of leveraging those capabilities, and to make those implications clear to company employees.


As the U.S. moves toward full implementation of the Federal Affordable Care Act (ACA, also known as Obamacare), employers are seeing new challenges and opportunities in the provision of health coverage and other benefits to their employees.

Some predict that ACA will lead to cheaper, better, universal health care. Others predict a calamity. But most agree that the law will drive significant change in the way health care is delivered, paid for and insured in this country. Employers are left wondering how to plan for and manage those changes while containing costs and meeting their employees’ expectations.

Human resource consultants and product vendors are responding by aggressively promoting their services as an answer to the complexity and administrative headaches created by the legislation. Outsourcing benefits administration functions to these specialists is one approach. Another approach is to engage one of several service providers that have launched private health insurance exchanges in the two years since the ACA legislation passed.

These exchanges promise to address two critical challenges facing employers: 1) ensuring compliance with the ACA’s complex rules, in addition to any applicable state and local laws, and 2) securing appropriate coverage benefits for employees at an affordable cost.

What Are the New Private Health Exchange Options?

Individuals and small businesses may use public, government-run exchanges like Covered California to compare and purchase insurance plans.

Larger employers can continue to arrange their own health care programs. As an alternative, some will direct their employees to the public exchanges if the exchanges deliver better pricing, better service and greater options for their employees. Sixteen states and the federal government will have such exchanges operating come January 2014. This constitutes a threat to existing payors, who may see their business migrating to commoditized public exchanges. Private exchanges recently launched by health insurers, brokers, and human resources and administration consultancies, including major players like Aon Hewitt, Mercer, and Towers Watson, offer individuals and businesses an alternative to the government-run exchanges and traditional payor health care plans. At a minimum, these exchanges generally offer:

  • An online self-service portal for covered individuals


Most outsourcing contracts that I see contain a step-in right for the customer. Generally, a step-in right allows the customer to take over the outsourced operations if the supplier cannot or does not perform, and then “step out” when the supplier demonstrates that it will meet its contractual obligations.

How realistic is it that a customer can ever exercise those rights, and are they worth the additional time and angst to negotiate?

Outsourcing contracts are not the only type of agreements in which you will find step-in rights. They are used in many other commercial agreements, including construction, project finance and development agreements. In those relationships, step-in rights are generally more straightforward and easier to exercise than in an outsourcing relationship, where it may be impossible to “step-in” and perform the supplier’s obligations.


It has been said for some time that data is the new oil, but many global organizations continue to struggle to comply with regulatory requirements when it comes to the exploitation of this valuable resource.

A recent worldwide audit of over 2,000 websites, coordinated by the Global Privacy Enforcement Network (“GPEN”), has revealed “significant shortcomings” at many organizations. In particular, approximately half of the websites “swept” failed to display a complete, coherent and compliant privacy policy, or worse still, any policy at all.

The audit, the first of its kind, was conducted in May of this year by 19 different data protection authorities around the world, including the UK’s Information Commissioner’s Office (“ICO”). “The results reveal significant shortcomings,” reported Adam Stevens, Intelligence Officer at the ICO, on 16 August, stating that 23% of the 250 websites it reviewed had no privacy policy at all and that a third of those that did have policies “were considered to be difficult to read, and many weren’t sufficiently tailored to the actual website”.