
Posted

Toll-free telephone numbers celebrated their 50th birthday this year (frankly, without much fanfare). These numbers allow callers to reach businesses without being charged for the call. When long distance calling was expensive, these numbers were enticing marketing tools used by businesses to encourage customer calls and provide a single number for nationwide customer service—for example, hotel, airline or car rental reservations.

Toll-free numbers are most valuable to businesses when they are easy to remember because they spell a word (1-877-DENTIST) or have a simple dialing pattern (1-855-222-2222). Like all telephone numbers, however, the FCC considers toll-free numbers to be a public resource, not owned by any single person, business or telephone company. Toll-free numbers are assigned on a first-come, first-served basis, primarily by telecommunications carriers known as Responsible Organizations. The FCC even has rules that prohibit hoarding (keeping more than you need) or selling toll-free numbers.

But the rules will change if the FCC adopts its recent proposal to assign toll-free numbers by auction as it prepares to open access to its new “833” toll-free numbers. The Notice of Proposed Rulemaking issued last week proposes to auction off approximately 17,000 toll-free numbers for which there have been competing requests. The proceeds of these auctions would then be used to reduce the costs of administering toll-free numbers.

The NPRM also contemplates revising the current rules to promote the development of a secondary market for toll-free numbers. This would allow subscribers to reassign toll-free numbers to other businesses for a fee (think 1-800-STUBHUB!). The FCC suggests this would promote economic efficiencies, as the number would presumably be better utilized by a business owner willing to pay for it than by the company that merely happened to claim it first.

The proposed rules are not without controversy. Some toll-free numbers are used to promote health, safety and other public interest goals (e.g., 1-800-SUICIDE). The NPRM seeks comments on whether toll-free numbers used by governmental or certain nonprofit organizations should be exempt from the auction process. There are also questions about whether the expected demand for the 17,000 new numbers will erode if claiming a number is no longer free.

Comments in this proceeding will be due 30 days after the NPRM is published in the Federal Register, with replies due 30 days after that. If you are interested in filing comments, you can reach us at 1-888-387-5714.  After all, it’s a toll-free call.

Posted

Imagine dialing 911 and hearing an automated voice tell you that what you have dialed is not a valid number; or reaching a 911 call center only to have emergency personnel dispatched to the wrong location. In response to such problems, the FCC yesterday released a Notice of Inquiry (NOI) asking a broad range of questions about the capability of enterprise-based communications systems (ECS)—internal phone systems used in places like office buildings, campuses and hotels—to provide access for 911 calls.

According to the FCC, certain of these systems may not support direct 911 dialing, may not have the capability to route calls to the appropriate 911 call center, or may not provide accurate information on the caller’s location. The NOI seeks public comment on consumer expectations regarding the ability to access 911 call centers when calling from an ECS, and seeks ways, including regulation if needed, to improve the capabilities of ECS to provide direct access for 911 calls.

The FCC generally requires telephone service providers to offer enhanced 911 service, which basically means that the provider will forward the caller’s telephone number and registered location to the appropriate public safety answering point (PSAP), which should be the 911 call center closest to the caller. Call takers at the PSAP are then responsible for dispatching the appropriate emergency responder—police, fire or ambulance.

ECS equipment, which supports multiple users with individual handsets and unique extensions across a company, for example, has historically presented challenges for 911 service because the location information and phone numbers transmitted to the PSAP may not be the same as those of the actual calling party or may fail to provide the level of detail (floor or office number) required to locate the caller in an office building with multiple floors.

Another lingering problem has been the requirement to dial a digit (typically 9) to inform the ECS that the call is to go outside the organization (or hotel) and not to another employee extension (or another room). There have been tragic cases where someone needing help has dialed “911” only to have the ECS think that the caller is dialing 9 to reach an outside number, and then dialing “11,” which is not a valid phone number. The result is not even reaching a wrong number (certainly a problem in an emergency), but having the system fail to make any call at all. The result is at best a delay in getting emergency services, and at worst the caller giving up on reaching emergency personnel as they struggle to deal with the emergency itself.

This problem has been amplified by changes in technology that now favor internet-protocol or cloud-based technologies, both of which encourage mobility by end users. In particular, employees can now access ECS not just through traditional desk phones, but through applications on mobile phones or through software on laptops and tablets. Employees can also log into handsets in offices in different cities that give the appearance that the employee is in his or her home office. In all of these cases, unless the user takes steps to update their location for 911 purposes, it’s likely that a call to 911 will be routed to the PSAP associated with the home office, and not the PSAP closest to the calling party.

The NOI recognizes that a number of states have adopted requirements for 911 service provided by ECS operators. These include laws mandating direct 911 dialing and location accuracy, including ECS delivery of more precise location information (e.g., an apartment number or floor). Moreover, Congress is considering legislation that requires ECS equipment to have a configuration that permits users to call 911 without dialing any code or prefix.

The NOI does not propose any immediate solutions but asks broad questions including:

  • ECS marketplace: The number and types of ECS vendors and equipment; how 911 calls are typically handled and the equipment’s existing capabilities; the number of subscribers using ECS and the percentage of 911 calls originating from ECS; the ability to support more than voice communications (e.g., video and text); whether there are technical barriers to providing a more reliable or accurate 911 service; how often calls are routed to the wrong PSAP; and the capabilities of misrouted calls to be re-routed to the correct PSAP;
  • VoIP: The capabilities of Voice over IP providers to support 911; whether the 911 registered location is for the enterprise owner or the end user, and whether VoIP providers can provide location information automatically without relying on customer-provided information;
  • Cost considerations: The cost of adapting ECS equipment to support 911 calling; who bears those costs; whether costs have been impacted by new technology; the costs for complying with state 911 laws, and whether insurers provide incentives for enterprise owners to implement 911;
  • Consumer expectations: Whether consumers expect 911 calls from an ECS will be quickly routed to the correct PSAP; whether consumers are aware of disparate dialing arrangements to reach 911 from certain ECS; and whether the ubiquity of wireless phones makes it less likely that a caller will use a hotel or business phone to call 911; and
  • Options: Whether states are best positioned to devise rules for ECS in their jurisdiction; whether 911 capabilities of ECS should be uniform on a nationwide basis; whether there is any action the FCC should consider to encourage voluntary implementation of 911 for ECS; whether additional voluntary best practices, technical or operational standards should be established and who should monitor implementation; and what role, if any, the FCC should take and whether it should adopt new rules requiring ECS implementation of 911 or update its existing rules for VoIP, wireless and telecom carriers to better support implementation of 911 for ECS.

Comments on the NOI are due November 15, and replies are due December 15. As demonstrated by the unprecedented number of destructive hurricanes this month, reliably reaching 911 in any circumstance can be critical. The changes that may result from this proceeding will be important for both communications service providers and users of enterprise communications systems.

Posted

The UK Government has published a statement of intent containing details of its proposed Data Protection Bill. The full text of the Bill is expected in September 2017, when the UK Parliament returns from its summer break.

The Bill will enshrine the EU General Data Protection Regulation (GDPR) into UK domestic law. It will also implement the requirements of EU Directive 2016/680 (The Law Enforcement Directive) which covers the processing of personal data for crime prevention, and the free movement of such data.

Why is a UK bill needed?
The GDPR is an EU regulation and therefore will have direct effect in all EU Member States (including currently the UK) without the need for implementation at the national level. The Data Protection Bill aims to ensure that, post-Brexit, UK data protection law will remain in-step with its EU trading partners.

The change is necessary because after the UK leaves the European Union, it will become a “third country” for data protection purposes. EU data protection law prohibits the transfer of EU personal data to third countries which do not ensure an adequate level of protection. Adequacy does not require identical laws but the third country must provide ‘essentially equivalent’ protection. The implementation of GDPR-style legislation in the UK makes it more likely that the EU Commission will make an adequacy decision in favour of the UK under Article 45 of the GDPR.

What does the statement say?
The statement of intent suggests that UK data protection law will align with the requirements of the GDPR, meaning severe penalties for breach (€20 million or 4% of global turnover) will be applied to UK-based companies. The content of the statement does not mark a significant departure from the language of the GDPR and, on the face of it, would not require companies to take alternative compliance steps in the UK.

However, the statement does set out three new offences to be contained in the Bill.  In particular, it:

  1. Creates a new offence of intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data. Offenders who knowingly handle or process such data will also be guilty of an offence. The maximum penalty would be an unlimited fine.
  2. Creates a new offence of altering records with intent to prevent disclosure following a subject access request. The offence would use section 77 of the Freedom of Information Act 2000 as a template. The scope of the offence would apply not only to public authorities, but to all data controllers and processors. The maximum penalty would be an unlimited fine in England and Wales or a Level 5 fine in Scotland and Northern Ireland.
  3. Widens the existing offence of unlawfully obtaining data to capture people who retain data against the wishes of the controller (even if they initially obtained it lawfully).

The details of the first offence will be interesting to see.

The UK Government also states that “default reliance on the use of default opt-out or pre-selected ‘tick boxes’ will become a thing of the past.” It is not clear whether the exception for consent to e-marketing by existing customers, contained in the e-Privacy Directive, will be included in the Bill. Indeed, the statement does not mention the current e-Privacy Directive or the proposed e-Privacy Regulation which will also require similar implementation post-Brexit.

There also seems to be some confusion as to the meaning of “privacy by design and default.” It suggests the principle can be achieved by “giving citizens the right to know when their personal data has been released in contravention of the data protection safeguards, and also by offering them a clearer right of redress.” The concept of privacy by design and default promotes compliance with data protection laws and regulations from the earliest stages of initiatives involving personal data and does not necessarily relate to notification and redress.

What should businesses be doing?

Although companies with a UK footprint will need to familiarise themselves with the Bill when it is published, it is unlikely to represent a major departure from the requirements of the GDPR in the authors’ view.

In order to be compliant under both the GDPR and the Bill, companies will need to ensure that they have robust policies and procedures in place. With the risk of heavy fines under the GDPR and the Bill, not to mention the reputational damage and potential loss of consumer confidence caused by noncompliance, nothing should be left to chance. In terms of key first steps, companies might consider prioritising the following as a minimum in order to comply with both pieces of legislation:

  • Review privacy notices and policies—ensure these are compliant. Do they provide for the new rights individuals have?
  • Prepare/update the data security breach plan—to ensure new rules can be met if needed.
  • Audit your consents—are you lawfully processing data?
  • Set up an accountability framework—e.g., monitor processes, procedures, train staff.
  • Appoint a DPO where required.
  • Consider if you have new obligations as a processor – is your contractual documentation adequate? Review contracts and consider what changes will be required.
  • Audit your international transfers—do you have a lawful basis to transfer data?

For those businesses that have yet to consider their obligations, the advice is to start thinking about compliance under the GDPR as soon as possible, and under the Bill once it is published. Not only will compliance be crucial for retaining customer trust, it will also help you avoid being made an example of in a way that will hurt not only your reputation, but also your bottom line.

Posted

Financial Institutions may need to revise consumer contracts to remove class action waivers in preparation for a March 2018 federal rule.

On July 19, the U.S. Consumer Financial Protection Bureau, the federal regulator for a sweeping range of depository and non-depository consumer financial services companies (including the largest of U.S. banks), published a final rule that makes it illegal for many of the CFPB’s regulated entities to include consumer class action waivers in pre-dispute arbitration agreements. The Rule’s effective date is September 18, 2017, and applies to contracts entered into after March 19, 2018. (The Rule does not apply to pre-existing contracts.)

As a result, covered consumer contracts entered into after March 19, 2018, will need to: (a) remove language in pre-dispute arbitration provisions that bars consumers from participating in class actions; and (b) add language informing consumers of their rights to participate in class actions. The Rule will also require such companies to provide information on individual arbitration awards to the CFPB for publication in a public database (redacting consumers’ private financial information). Although the Rule does not outright prohibit pre-dispute arbitration agreements themselves (as many expected the CFPB might), companies will need to reconsider the economics behind offering consumers a full arbitration program in light of a future reality of increased class actions.

Unlike the majority of the CFPB’s regulations, which cover specific financial products or services, the Rule applies across a wide swath of traditional and online consumer financial products and services, including among other things deposit accounts, credit cards and consumer reporting products. (Arbitration agreements, themselves, are already prohibited in residential mortgage transactions, so the Rule does not cover those.)

Although the Rule was issued as “final” (as opposed to a mere proposal), the Rule is currently subject to fierce political headwinds from Congressional Republicans, the White House and industry trade groups, all of whom strongly oppose the CFPB’s current director, Richard Cordray, an Obama appointee.

Indeed, the House of Representatives has already passed a resolution that, if adopted by the Senate and signed by the President, would nullify the Rule and bar the CFPB from issuing a similar rule in the future without an express Congressional directive. The catch is that the procedure Congress would invoke to nullify the Rule, the Congressional Review Act, must be used within 60 legislative days of the Rule’s publication in the Federal Register. While the House of Representatives has taken the first step, it remains to be seen if the Senate will have the opportunity to act in light of other legislative priorities.

Notwithstanding these potential threats to the Rule from Congress, as of the time of this writing, the CFPB appears to be moving full steam ahead. As a result, companies that fall within the Rule’s coverage are well advised to begin reviewing their consumer agreements and dispute resolution procedures in preparation for the distinct possibility that prohibitions on consumer class action waivers become the law in March 2018.

 

Posted

Pharmaceutical and Life Sciences companies operate in a demanding environment and face diverse challenges such as pricing pressure, increased regulatory requirements and mounting costs. Against this backdrop, they have increasingly looked to outsourcing so as to better focus on core competencies, access specialized expertise and achieve cost-saving benefits. They started with non-core functions, such as IT, facilities management, finance and human resources, before moving to secondary core functions, such as research and development, manufacturing, logistics, warehousing and brokerage.

In this blog post, a closer look at some of the key challenges faced by those operating in the Pharmaceutical and Life Sciences sector is taken from an outsourcing perspective.

Regulatory Environment
As might be expected, the Pharmaceutical and Life Sciences sector is subject to an extensive network of rules and regulations. At EU-level, there are a number of European Directives such as Directive 2001/83/EC relating to medicinal products for human use, Directive 2001/20/EC relating to the implementation of good clinical practice in the conduct of clinical trials on medicinal products for human use, and Commission Directive 2003/94/EC laying down the principles and guidelines of good manufacturing practice in respect of medicinal products for human use and investigational medicinal products for human use.

In the UK, the Medicines & Healthcare products Regulatory Agency (MHRA) regulates medicines, medical devices and blood components for transfusion. Its responsibilities include ensuring that medicines etc. meet applicable standards of safety, quality and efficacy and that the supply chain for medicines, medical devices and blood components is safe and secure.

The EU operates a mutual recognition system intended to allow products to move unhindered between national markets—each other member state has an equivalent national competent authority to the MHRA, such as France’s National Agency for the Safety of Medicine and Health Products and Germany’s Federal Institute for Drugs and Medical Devices. The national competent authorities work closely with the European Medicines Agency (EMA) and the European Commission—the Commission’s principal role in the European medicines regulatory system is to make binding decisions based on the scientific recommendations delivered by the EMA and publish guidance defining required good practices.

Consequently, outsourcing and other commercial agreements made by Pharmaceutical and Life Sciences companies must reflect the heavy regulatory burden to which they are subject and will include provisions dealing with topics such as audits and inspections, retention of documents, protection of sensitive and other confidential information and data, adherence to company policies, and compliance with laws and regulations, in addition to schedules which detail the scope of service, the system of performance management (i.e., service levels and service credits) and the applicable commercial model and charging structures. The third party provider’s adherence to and compliance with GxPs (see below) is another key area.

Good X Practice (GxP)
GxP is a general term for good (anything…) practice and refers to applicable quality guidelines and regulations. These guidelines are used in many sectors including pharmaceutical, medical devices/software and food industries—their overall intent is to ensure that products are safe for consumers and to ensure the integrity of data used to make product-related safety decisions. In this context “X” can mean Manufacturing (GMP), Clinical (GCP), Laboratory (GLP), Storage (GSP), Distribution (GDP), Pharmacovigilance Practice (GVP) etc.

Organisations needing to comply with GMP and/or GDP include those holding a manufacturer’s licence, a wholesale dealer licence or a blood establishment authorisation, as well as non-UK sites employed by UK marketing authorisation (MA) holders.

In the context of Pharmaceutical and Life Sciences outsourcing generally, two of the most common good practices are GMP and GDP, as they can apply across a range of outsourced activities and functions such as contract manufacturing, integrated facilities management, logistics, brokerage and warehousing:

  • GMP is the minimum standard that a medicines manufacturer’s production processes must meet. Products must (a) be of consistent high quality, (b) be appropriate to their intended use, and (c) meet the requirements of the MA or product specification.
  • GDP requires that medicines are obtained from the licensed supply chain and are consistently stored, transported and handled under suitable conditions, as required by the MA or product specification.

In addition to the good practice guides published by the European Commission (see footnotes 1 and 2), the MHRA—as the UK’s national competent authority—publishes its own guidance.  As with most regulators, the MHRA updates its guidance from time to time—most recently on 23 May 2017 (an update to the GDP compliance report form).

Inspection and Audit
The MHRA inspects manufacturing and distribution sites for GxP compliance as part of the initial licensing/authorisation process and then periodically. Each manufacturer and wholesaler is given a risk rating or score by the MHRA based on the organisation’s compliance report, previous inspection history and organisational changes. No appeal is permitted, although reasons for the risk rating/score are provided once the inspection has taken place. Inspections of organisations with the highest rating or score are prioritised. The MHRA usually gives prior notice although the short-notice inspection programme means that little or no notification can be given, especially in cases of possible breach (e.g., where a report is received from a whistleblower or another MHRA department or regulator). Usually, however, the likely date of the next inspection is known as the MHRA includes this in its inspection reports.

At the inspection, the inspectors examine the systems used to manufacture and/or distribute medicines. Unless it is a short-notice inspection, the organisation will have completed and submitted to the MHRA a compliance report beforehand. The inspection team will interview relevant personnel, review documents and conduct site visits. Site visits may cover any facility or process involved in the production, purchase and distribution of medicines. Key areas likely to be inspected include:

  • manufacturing areas;
  • quality control (QC) laboratories;
  • stock and stock management;
  • storage areas;
  • temperature monitoring;
  • returns areas;
  • purchasing and sales functions; and
  • transportation arrangements.

Inspections can sometimes be carried out with other MHRA inspections such as good clinical practice or good pharmacovigilance practice. Product-related inspections can also be requested by the EMA. Where any function covered by the above scope has been outsourced to a third party provider, it is vitally important that the MHRA has the exact same access to the provider and its facilities and personnel.

Types of deficiencies
Deficiencies found during inspections are graded at 3 levels—critical, major and other. These are defined in the “Compilation of Community Procedures on Inspections and Exchange of Information” published by the EMA. (See page 47.)

| Type of Deficiency | Definition | Example |
| --- | --- | --- |
| Critical Deficiency | Any departure from Guidelines on Good Distribution Practice resulting in a medicinal product causing a significant risk to the patient and public health. This includes an activity increasing the risk of falsified medicines reaching the patients. A combination of a number of major deficiencies that indicates a serious systems failure. | Examples given by the EMA: Purchase from or supply of medicinal products to a non-authorised person. Storage of products requiring refrigeration at ambient temperatures. Rejected or recalled products found in sellable stock. |
| Major Deficiency | A non-critical deficiency which: – a major deviation from Good Distribution Practice; – has caused or may cause a medicinal product not to comply with its marketing authorisation in particular its storage and transport conditions; or – indicates a major deviation from the terms and provisions of the wholesale distribution authorisation. A combination of several other deficiencies, none of which on their own may be major, but which may together represent a major deficiency. | No examples of major deficiencies are given by the EMA. However, the MHRA report on 2016 GMP inspections cited 449 major deficiencies in quality systems (in this category there were 38 critical and 772 other deficiencies). The next highest number of major deficiencies were in the categories of sterility assurance and production (also the second and third highest categories for critical deficiencies). |
| Other Deficiency | A deficiency which cannot be classified as either critical or major, but which indicates a departure from Guidelines on Good Distribution Practice. | No examples of other deficiencies are given by the EMA. However, a deficiency may be classified as “other” because it is judged as minor or because there is insufficient information to classify it as major or critical. |

Pharmaceutical and Life Sciences companies contemplating outsourcing should design their performance management systems in the light of the above, with robust processes and remedies particularly in the event of any Critical or Major Deficiency attributable to the third party provider. Remedies may include service credits, corrective action and other remediation, and ultimately termination.

Technical/Quality Agreements
Technical Agreements—also known as Quality Agreements—are required wherever an outsourced activity is covered by applicable good practice Guides (e.g., GMP or GDP). In the case of GMP, the applicable EU rules relating to outsourcing are found in Chapter 7 of the EU GMP Guide which provides:

“Outsourced activities must be correctly defined, agreed and controlled in order to avoid misunderstandings which could result in a product or operation of unsatisfactory quality. There must be a written contract between the Contract Giver and the Contract Acceptor which clearly establishes the duties of each party”

“Technical aspects of the contract should be drawn up by competent persons suitably knowledgeable in related outsourced activities and Good Manufacturing Practice.”

Other requirements include:

  • a contract which covers all technical and other arrangements for the outsourced activities (and the related products or operations);
  • adherence to applicable regulations and the Marketing Authorisation for the in-scope product(s);
  • ultimate responsibility of the Contract Giver (i.e., the customer) for ensuring that its pharmaceutical quality system covers control and review of the outsourced activities and that adequate processes are in force;
  • clear definition of the responsibilities of both parties (i.e., the Contract Giver and the Contract Acceptor (i.e., the third party provider)), clearly stating who undertakes each step of the outsourced activity:
    • knowledge management;
    • technology transfer;
    • supply chain and subcontracting;
    • quality and purchasing of materials;
    • testing and releasing materials; and
    • undertaking production and quality controls (including in-process controls, sampling and analysis);
  • documented communication processes between the parties relating to the outsourced activities;
  • access to records (including in case of invocation of the documented defect procedures) and applicable document retention requirements; and
  • rights to audit the Contract Acceptor and any approved subcontractors.

Getting the Technical Agreement right
This is important. The Technical Agreement spells out the GxP responsibilities of each of the parties, their communication and assurance processes and will nearly always be reviewed by the MHRA (or indeed any other applicable regulator such as the U.S. Food and Drug Administration). The MHRA’s 2016 deficiency report gives the following examples of deficiencies related to Technical Agreements sampled by them in the period.

Similar rules are set out in Chapter 7 of the GDP Guide. The ICH Good Manufacturing Practice Guide also requires a Technical Agreement in the context of the contract manufacture of APIs (active pharmaceutical ingredients).

| Deficiency | MHRA Example |
| --- | --- |
| Insufficiently detailed | The Technical Agreement between Company A and Company B was insufficiently detailed. It only contained a series of bullet points covering Company B’s activities, and did not describe the responsibilities of Company A. |
| Unclear lines of responsibility | The Technical Agreement between Company A and Company C contained conflicting statements regarding the responsibility for customer verification. |
| Scope not described | The Technical Agreement with Company D did not identify the products that were to be within the scope of the agreement. |
| Status of parties unclear | The Technical Agreement with Company E did not identify which party was the Contract Acceptor and which was the Contract Giver. |
| No express requirements | There was no explicit requirement in the Technical Agreement for temperature monitoring devices to be used for shipment of goods to Company F. |

Relationship with outsourcing and other commercial agreements
GxP compliance requires clear, accurate and detailed Technical Agreements to ensure that the Contract Acceptor complies with applicable standards and technical requirements such as storage conditions, stock control and temperature monitoring. In the context of an outsourcing transaction or other commercial arrangement (such as a long term supply agreement), the Technical Agreement will sit alongside the outsourcing/commercial agreement. They are not standalone documents—each should reference the other since they relate to the same set of activities but address different aspects of the relationship between the Contract Giver and the Contract Acceptor. It is important to ensure that the two documents work in concert with and are consistent with each other, and the relationship between the two agreements is clear (i.e., what happens if there is a contract breach and how are any limits on liability determined). Since template Technical Agreements often contain provisions which would typically be contained in the outsourcing / commercial agreement such as dispute resolution, change control and audit/inspection, care needs to be taken so that there is no overlap or conflict between them, ideally by removing any duplication or overlap.

Other points to watch include ensuring that the parties to the outsourcing/commercial agreement are the same as those to the Technical Agreement—if they are not (i.e., the third party provider’s function undertaking the quality-related aspects of an outsourced service resides in a different group entity to the primary provider), then address this through appropriate subcontracting provisions in the outsourcing/commercial agreement. The two agreements should also be co-terminous—the Technical Agreement doesn’t need to contain termination provisions, but should simply come to an end at the same time as the outsourcing/commercial agreement. Finally, the Technical Agreement should not contain any of the commercial terms (service levels, pricing, etc.) nor should it deal with legal terms such as confidentiality, warranty, indemnity and liability—all of which should be handled in the outsourcing/commercial agreement and its schedules.

Brexit
It seems unlikely that Brexit will have a significant impact on outsourcing of GxP activities by UK-headquartered Pharmaceutical and Life Sciences companies from a GxP compliance perspective—in other words, the need to comply will continue, albeit additional requirements will arise since, technically speaking, from an EU viewpoint, the UK will become a third country from the stroke of midnight on 30 March 2019 (unless an extension is agreed by the UK and the EU27 in the forthcoming negotiations).

In a recently published Q&A, the European Commission made clear that UK-based manufacturers of APIs will be treated just the same as Chinese, Indian and other third country based manufacturers. For example, the export of APIs from the UK to the EU will require written confirmation from the “competent authority of the exporting third country” in order to verify that a plant has been inspected and that its processes are up to the EMA standards. Alternatively, the UK may be able to negotiate an exception (Switzerland has had one since 2012) based on an equivalency finding by the European Commission.

Posted

The European Banking Authority (EBA) has opened a consultation on its draft recommendations for financial institutions outsourcing to cloud service providers across all cloud-related domains including infrastructure as a service, platform as a service and software as a service. The recommendations are intended “to clarify the EU-wide supervisory expectations if institutions intend to adopt cloud computing, so as to allow them to leverage the benefits of using cloud services, while ensuring that any related risks are adequately identified and managed.” A public hearing will take place at the EBA’s Canary Wharf, London premises on 20 June 2017 and the consultation will close on 18 August 2017.

Posted

The European Commission has published its Brexit mandate with a clear focus on “citizens’ rights, the financial settlement and new external borders,” with the Commission’s chief Brexit negotiator, Michel Barnier, planning to “pay great attention to Ireland during the first phase of negotiations.” In his Next Steps toward Brexit Client Alert, Pillsbury partner Tim Wright explores some key issues including safeguarding of EU citizens, settlement of UK financial obligations, and sorting out the Irish border situation.

 

Posted

Software giant’s victory in “indirect use” case is cause for concern for companies worldwide.

On February 16, 2017, the High Court of Justice in the United Kingdom held that Diageo plc, a global drinks company, was liable for unauthorized use of SAP software as a result of failing to secure “Named User” licenses for its customers and sales representatives who used certain third party applications running on a Salesforce platform that accessed and exchanged data with SAP systems. While the decision does not have direct application outside the United Kingdom and may be appealed by Diageo, it is an important win by SAP and a significant cause for concern for companies licensing SAP software. The decision may embolden SAP to be even more aggressive in attempting to extract additional license and support fees from customers—which could potentially run into tens of millions of dollars for many companies—based on alleged “indirect” uses of SAP software. We encourage licensees of SAP software to get in front of this issue by undertaking an assessment of whether they are at risk for claims of indirect use by SAP.

 


Posted

Recently, governments and rule-making bodies across Europe, the UK and globally, appear to be paying increasing attention to the need for the development of legislative and regulatory frameworks in the expanding field of artificial intelligence (AI) and robotics. With the growing use of these technologies across a wide range of industry sectors, we expect to see new laws and regulations being introduced in this area in the coming years, across a broad spectrum of legal disciplines including intellectual property rights and product liability.  Discussed below are some recent developments in this area in the European Union, the United Kingdom, the United States and Japan.

European Union

The European Commission’s Legal Affairs Committee recently published a report calling for EU-wide rules governing AI and robotics[1]. Rapporteur Mady Delvaux (S&D, LU) said: “A growing number of areas of our daily lives are increasingly affected by robotics. In order to address this reality and to ensure that robots are and will remain in the service of humans, we urgently need to create a robust European legal framework”.

The Committee makes certain suggestions and recommendations including:

  • Regulator – a new pan-European agency to regulate AI and robotics, with mandatory registration of “smart autonomous robots”.
  • Legal status or personhood – the creation of a distinct legal status for AI and robots.
  • Social Impact – recognising the potential of “big societal changes” resulting from AI and robotics, especially in the labour markets, the Committee urges the Commission to closely follow such trends, and to examine new employment models as well as the viability of current tax and social systems for robotics.
  • Insurance – a mandatory insurance scheme to cover harm and damage caused by AI and robots. Further, a fund should be set up to ensure that victims are compensated in cases of accidents caused by driverless cars.
  • Code of Conduct – guidance for engineers covering the ethical design, production and use of robots, including incorporation of “kill” switches so that robots can be turned off in emergencies.

The Committee singles out driverless vehicles as in “urgent need” of a new rule book, ideally a global one, since a fragmented regulatory approach is likely to “hinder implementation and jeopardise European competitiveness.”

The United Kingdom

The UK’s Commons Select Committee for Science and Technology also issued a report, in October last year, on AI and robotics[2]. The report concludes that, whilst robotics and AI hold the potential to fundamentally reshape the way we live and work, the Government does not yet have an adequate strategy, and calls for a commission to be established in order to examine social, ethical and legal implications in this developing area.

Dr Tania Mathias, interim Chair of the Committee, said: “Government leadership in the fields of robotics and AI has been lacking. Some major technology companies — including Google and Amazon — have recently come together to form the ‘Partnership on AI’. While it is encouraging that the sector is thinking about the risks and benefits of AI, this does not absolve the Government of its responsibilities. It should establish a ‘Commission on Artificial Intelligence’ to identify principles for governing the development and application of AI, and to foster public debate.”

The United States

The United States does not have and is not currently contemplating a comprehensive national approach to artificial intelligence and related technologies. Both public and private sectors are researching, developing and implementing artificial intelligence, robotics and automation at rates that far outpace law that addresses the same.

The bulk of federal agency guidance, state legislation, and court decisions are focused on two technologies: unmanned aerial vehicles (UAVs), also referred to as drones, and more recently, autonomous vehicles (i.e., self-driving cars). UAVs are of particular interest for their military and law enforcement use.

  • As of January 2017, thirty-three states have enacted laws about UAVs[3] and twenty states have considered laws on autonomous vehicles.[4]
  • The Federal Aviation Administration issued a regulation on UAVs in June 2016, which set parameters on where, when and how UAVs may be operated. Among other restrictions, the FAA requires a visual line of sight between the remote pilot and the UAV at all times.[5]
  • The Department of Transportation and National Highway Traffic Safety Administration jointly issued non-binding guidance in September 2016 on autonomous vehicles, including considerations for developers and a model state policy.[6]
  • Finally, the Obama administration, near the end of its tenure in 2016, issued a report titled “Preparing for the Future of Artificial Intelligence”[7] and a corresponding national strategic plan on research and development of artificial intelligence.[8] The plans were drafted based on five workshops held during the year and contemplate avenues of further research, as well as how artificial intelligence may allow the government to improve its services delivery. It remains to be seen if the Trump administration will take action on this topic, which has since been removed from the White House website.

As other robotics products saturate the market, and until a tipping point is reached due to the increasing use and capabilities of artificial intelligence, U.S. lawmakers will likely continue to address related legal concerns in a piecemeal manner similar to that of UAVs and autonomous vehicles.

Japan

The Japanese Government recognizes the need for robot regulatory reform and has devised “Japan’s Robot Strategy” and introduced a Robot Revolution Initiative (RRI) in 2015.

“Japan’s Robot Strategy”, devised by the Japanese Ministry of Economy, Trade and Industry (METI), is a series of policies for regulating robotics over a five-year strategic plan. It aims to ensure that Japan continues to maintain its reputation as a robotics superpower via regulation and deregulation methodologies that are well-balanced and promote safety standards for consumer protection. In that plan, METI encourages the use of core technologies such as artificial intelligence to develop “Next Generation Robots” in a variety of sectors. There is also a Robot Revolution Realization Council responsible for reviewing existing Japanese laws in light of these rapidly advancing robotic technologies. These laws include the Radio Law, Pharmaceuticals and Medical Devices Law, Industrial Safety and Health Act, Road Traffic Law, Road Transport Vehicle Act, Civil Aeronautics Act, Consumer Products Safety Act and ISO 13482 Safety Standard for Life-supporting Robots, amongst others. Like the United States, Japan is also looking at measures to regulate the operation of uninhabited airborne type robots (UAVs).

As a result of its studies, the Robot Revolution Realization Council has recommended regulatory reform pursuant to its guidelines known as the “Implementation of Robot Regulatory Reform”. These guidelines call for (i) a legal framework for consumer protection and, at the same time, (ii) a new legal system or easing of current regulations (“deregulation”) to make effective use of robots. So, for example, field testing for robots is to be promoted, as a form of deregulation designed to enable regulators and manufacturers to uncover unanticipated robotic risks prior to actual implementation.

Research studies are also being conducted by Japanese universities and recommendations for robot laws have been proposed. The joint research of Waseda University Humanoid Robotics Institute and Peking University Law School, for example, proposes a three-level hierarchy of “Robot Law” comprising (i) “The Robot Safety Governance Act” to extend machine safety regulations to robotics, (ii) “The Humanoid Morality Act” to regulate the relationship between humans and robots, and (iii) “Revisions”, being necessary modifications to existing Japanese laws to ensure that they do not conflict with these advanced robotics technologies.

According to a Government estimate published in the Japan Times in April 2016, “AI technologies are expected to generate an economic return of around ¥121 trillion in Japan by 2045”.[9] As a result of this anticipated rapid growth, the Japanese Government also plans to introduce some basic rules for AI research and development which will focus on privacy protection and developer accountability.

All of the above is consistent with Prime Minister Shinzo Abe’s efforts to revitalise the Japanese economy through so-called “Abenomics”, which promotes the use of robotics and AI, amongst other things. No doubt it will take some time for Japan to implement a sophisticated robotics legal regime, but will this be the saving grace of “Abenomics” which, to date, has arguably decelerated economic growth and fuelled the continuance of deflation?

 

[1] http://www.europarl.europa.eu/news/en/news-room/20170110IPR57613/robots-legal-affairs-committee-calls-for-eu-wide-rules

[2] https://www.publications.parliament.uk/pa/cm201617/cmselect/cmsctech/145/145.pdf

[3] http://www.ncsl.org/research/transportation/current-unmanned-aircraft-state-law-landscape.aspx

[4] http://www.ncsl.org/research/transportation/autonomous-vehicles-self-driving-vehicles-enacted-legislation.aspx

[5] https://www.faa.gov/uas/media/Part_107_Summary.pdf

[6] https://www.transportation.gov/sites/dot.gov/files/docs/AV%20policy%20guidance%20PDF.pdf

[7] https://obamawhitehouse.archives.gov/sites/default/files/whitehouse_files/microsites/ostp/NSTC/preparing_for_the_future_of_ai.pdf

[8] https://obamawhitehouse.archives.gov/sites/default/files/whitehouse_files/microsites/ostp/NSTC/national_ai_rd_strategic_plan.pdf

[9] http://www.japantimes.co.jp/news/2016/04/15/national/japan-propose-basic-rules-ai-research-g-7-meeting/#.WLPLtU1PonV

Posted

Effective March 1, 2017, first-in-kind regulations issued by the New York Department of Financial Services (New York DFS) will begin to affect a wide array of both depository and non-depository financial institutions. The new regulations will cascade certain requirements upon these financial institutions’ third-party service providers, requiring the financial institutions to take a close look at their vendor relationships.

Who Is Covered?
The new regulations will specifically apply to “Covered Entities,” meaning any financial services firm that operates (or is required to operate) under a “license, registration, charter, certificate, permit, accreditation or similar authorization” by the New York DFS. Just to name a few, this includes banks, credit unions, insurance companies, licensed lenders and loan servicers, money transmitters, and even those operating under New York’s new virtual currency license.

What Do The Regulations Do?
Certain aspects of the regulations legally formalize what most financial institutions are most likely already doing—for example, maintaining a written cybersecurity policy tailored to the findings of periodic risk assessments. Other aspects of the regulations, however, enter into a new territory of granularity that will seem striking for many financial services firms that may have at best considered these to be informal best practices.

Among other things, the new regulations will formally require Covered Entities to protect not only sensitive customer information (the prevailing standard under federal data security regulations), but crucial business-related information, as well. Covered Entities will also be required to appoint a specifically designated Chief Information Security Officer (although such person may be outsourced to a third party), and must report certain “Cybersecurity Events”—which term even extends to unsuccessful attempts to access an information system—to the New York DFS within 72 hours of occurrence.

Unlike prevailing cybersecurity regulations, which tend to be technology-agnostic, the regulations will require Covered Entities to adopt certain specified controls including multi-factor authentication systems and encryption technologies (or suitable alternatives) in specified circumstances.

The regulations formally make cybersecurity a C-suite level priority, requiring senior management to certify compliance with the regulations to the New York DFS on an annual basis.

How are Vendor Relationships Impacted?
Cognizant of the fact that most financial services firms operate through a diverse web of outsourced technology relationships, the new regulations require Covered Entities to adopt written policies and procedures designed to ensure the security of information systems and nonpublic information (again, including not just consumer information, but important business information, as well) that are accessible to, or held by, third-party service providers. Such policies and procedures must be based on a Covered Entity’s required risk assessment, and must address, to the extent applicable:

  1. Identification and risk assessment of third-party service providers;
  2. Minimum cybersecurity practices required for such third-party service providers to do business with the Covered Entity;
  3. Due diligence processes used to evaluate the adequacy of such third-party service providers’ cybersecurity practices; and
  4. Periodic assessment of such third-party service providers based on the risk they present and the continued adequacy of their cybersecurity practices.

These policies and procedures must include relevant guidelines for due diligence and/or contractual protections relating to third-party service providers including, to the extent applicable, guidelines addressing the regulations’ required compliance with multi-factor authentication and encryption requirements, as well as the third-party service providers’ obligations to notify the Covered Entity of a Cybersecurity Event impacting information systems or nonpublic information.

Concluding Thoughts
The compliance obligations under the new regulations will roll out on a staggered basis, over a two-year period, beginning March 1. Although Covered Entities will technically have until March 1, 2019, to have adopted the required third-party service provider oversight and contractual requirements indicated above, implementing these policies and conforming third-party contracts will necessarily be a lengthy process requiring a great deal of buy-in both from the Covered Entity itself and the third party on the other end of the vendor relationship.

With the two-year clock ticking effective March 1, financial institutions subject to the new regulations are advised to begin taking a careful look at their vendor relationships, and begin conforming their policies, procedures and third party agreements as soon as possible. The New York DFS itself has underscored this point, stating in the regulation that “it is critical for regulated institutions that have not yet done so to move swiftly and urgently … Adoption of the program outlined in these regulations is a priority for New York State.”