Last week MoneyConf firmly put Dublin in the Fintech spotlight. The pressure on financial services firms to make better use of technology to reduce costs and improve customer service shows no sign of relenting. At the same time they need to carefully navigate the related regulatory challenges around technology outsourcing. A member of the ECB Supervisory Board recently observed that banks are not “technological houses” and said that the fragmentation of banks’ services across a range of external providers creates a “challenge” for banks’ leaders, who retain responsibility. This statement will resonate, in particular, with financial institutions looking to understand how much they are currently using, and how they can make more and better use of, cloud-based technology solutions.

Worth noting then that, with effect from 1 July 2018, there will be another set of regulatory guidelines for financial institutions to consider when outsourcing.

The European Banking Authority Recommendations on Outsourcing to Cloud Service Providers (the Recommendations) confirm that executives and managing bodies of financial institutions must ensure that they have a real understanding of the risks associated with using technology to outsource any aspect of their operations. The Recommendations apply to both competent authorities, such as Ireland’s Central Bank, and “financial institutions”, which are credit institutions and investment firms as defined in EU Regulation No 575/2013.

These Recommendations supplement the Committee of European Banking Supervisors Guidelines on Outsourcing (the CEBS Guidelines). They provide more detail on the practical steps that should be taken by financial institutions when outsourcing to cloud service providers.

1. Materiality Assessment

Outsourcing institutions should, prior to any outsourcing to the cloud, assess which activities should be considered as “material”. Assessments of what amounts to a “material activity” should be performed on the basis of existing CEBS Guidelines and take into account:

  • whether the activities are critical to business continuity/viability;
  • what the impact of outages would be from an operational, legal and reputational perspective;
  • how significantly revenue would be affected by any disruption to the activity; and
  • what the potential impact of a confidentiality breach or failure of data integrity would be.

Therefore, a detailed risk assessment should form part of any policy for procurement of cloud services and the regulator may look to see that assessment.

2. Duty to Adequately Inform Supervisors

If the outsourcing is material, it will need to be notified to the relevant regulator. The Recommendations require that the outsourcing institution should maintain a register of all its material and non-material activities outsourced to cloud service providers. This may require a change in procurement and contract management processes for some financial institutions. A detailed list of the information to be compiled in the register is provided and includes:

  • general information on the type of outsourcing and the parties involved;
  • evidence of the approval for outsourcing by the management body or its delegated committees;
  • an assessment of the cloud service provider’s substitutability; and
  • identification of an alternate service provider, where possible.

This can only be done if an institution is proactively approving, managing and monitoring its use of cloud services. Many are not doing so and certainly not to the same extent as they would for more traditional outsourcing arrangements.

3. Access and Audit Rights

The Recommendations state that outsourcing institutions should obtain a contractual undertaking from cloud service providers to provide:

  • full access to business premises, including the full range of devices, systems, networks and data used for providing services outsourced (right of access); and
  • unrestricted rights of inspection and auditing relating to outsourced services (right of audit)

to the outsourcing institution, its auditors and the relevant competent authorities.

There are real challenges with the negotiation and exercise of access and audit rights when it comes to cloud services. The Recommendations are helpful in that they confirm the outsourcing institution should exercise its rights to audit and access in a risk-based manner. Pooled audits, third-party certifications or internal audit reports may be considered, provided sufficient safeguards are in place. The outsourcing institution must ensure that the staff performing the audit have the right skills and knowledge to perform effective and relevant audits and/or assessments of cloud solutions.

This puts the onus on the outsourcing institution to ensure its staff properly understand cloud services, negotiate cloud contracts in an informed way to secure meaningful alternatives to traditional audit rights and are organised internally such that it can ensure those rights are put to effective use.

4. Security of Data and Systems

The Recommendations build on existing CEBS Guidelines in relation to security and require that prior to entering a cloud service agreement, the outsourcing institution should:

  • Classify the relevant data and activities involved on the basis of sensitivity and required protections;
  • Conduct a thorough risk-based assessment of the subject matter of the proposed outsourcing; and
  • Decide on (and build into the contract) appropriate levels of confidentiality, service continuity and data integrity and traceability.

The Recommendations note that the outsourcing institutions must also monitor the agreed standards, ensure the security measures are met and promptly take any necessary corrective actions. Again, this points to the need to proactively manage engagement with cloud service providers.

5. Location of Data and Data Processing

Outsourcing institutions must take special care when entering into and managing outsourcing agreements undertaken outside the EEA because of possible data protection risks. The Recommendations state that a risk assessment should be completed addressing the potential risk impacts, including legal risks and compliance issues, and oversight limitations related to the countries where the outsourced services are or are likely to be provided and where the data are or are likely to be stored, to ensure that any risks are kept within acceptable limits commensurate with the materiality of the outsourced activity.

Here, GDPR and more general regulatory requirements overlap and we think that consideration ought to be given to GDPR Privacy Impact Assessments for current and future cloud deals which involve the processing of personal data.

6. Chain Outsourcing

Chain outsourcing remains a key focus in these Recommendations. The Recommendations build on the existing requirement, noting that the cloud outsourcing agreement should:

  • specify any types of activities that are excluded from potential subcontracting;
  • indicate that the cloud service provider retains full responsibility for services that it has subcontracted; and
  • include an obligation for the cloud service provider to inform the outsourcing institution of any planned significant changes to the subcontractors and include a right for the outsourcing institution to terminate the agreement if a change of subcontractor would have an adverse effect on the risk assessment of the agreed services.

These are not provisions that will feature in many standard cloud contracts (the supply chain may not even be known by the customer) and so will need to be negotiated.

7. Contingency Plans and Exit Strategies

The Recommendations state that outsourcing institutions should make arrangements to avoid service disruption in the event that the provision of cloud services by a service provider fails or deteriorates to an unacceptable degree. To achieve this outsourcing institutions should:

  • develop and implement comprehensive and sufficiently tested exit plans;
  • identify alternative solutions and develop transition plans to enable them to remove and transfer existing activities and data from the cloud service provider; and
  • ensure the outsourcing agreement requires the cloud service provider to provide sufficient support to the outsourcing institution to allow the orderly transfer of the outsourced activity to another provider or its reincorporation into the outsourcing institution.

Agreeing the detail around exit plans is often challenging in outsourcing transactions. Many cloud contracts don’t deal with exit plans other than to provide for the termination of access to the service and/or to confirm that responsibility for taking back data sits with the customer and ought to be done during the contract and/or within a short time period following termination. The Recommendations suggest that financial institutions should perform a business impact analysis commensurate with the activities outsourced to identify what human and material resources would be required to implement the exit plan and how much time it would take. Failure to be able to demonstrate that this has been done may create difficulties where moving away from a cloud provider in the future doesn’t go as smoothly as was suggested at the outset.

The Minister for Communications, Denis Naughten, has confirmed that plans to appoint a Digital Safety Commissioner for Ireland (DSC) will go ahead in 2018. The DSC will act as an ‘Internet regulator’, with powers of enforcement and responsibility for a ‘notice and takedown’ regime, to ensure the online safety of Internet users.

The proposal for a DSC is contained in a Report from the Law Reform Commission (LRC) on Harmful Communications and Digital Safety, which also contains a draft legislative proposal. The LRC has recommended that the scope of regulation by the DSC should include all ‘digital service undertakings’, which would be defined very broadly to cover intermediary service providers, internet service providers, internet intermediaries, online intermediaries, online service providers, search engines, social media platforms and websites and telecommunications undertakings.

The DSC mechanism is partially inspired by the systems in place in Australia and New Zealand, which have specific timelines linked to the obligation to remove unlawful material, with removal generally being required within 48 hours. In Ireland, under the current LRC proposals, the DSC will be mandated to develop a national Code of Practice for Take Down procedure, which would contain detailed and practical guidance on the procedure for ‘takedowns’, a requirement that the takedown procedure is made available free of charge, and timelines within which offending materials should be removed.

It should be noted that the Australian and New Zealand regimes were implemented on a somewhat blank legislative canvas. Any proposal in Ireland must be compliant with the overarching requirements of the eCommerce Directive (which does not contain mandatory timelines, but requires internet intermediaries to ‘act expeditiously’ or risk losing their legal immunity). It remains to be seen whether an additional layer of Irish regulation on tech and Internet companies would have any impact on Ireland’s international reputation as an attractive place to do business.

An Taoiseach Leo Varadkar had previously indicated that Government plans to appoint a DSC were ‘on hold’; however, he has since clarified that he may have ‘mis-spoken’.

The Department of Communications has organised an open digital safety forum on March 8 at the Royal Hospital Kilmainham involving Gardaí, Interpol, NGOs, state bodies and parents groups. We await further detail on this proposal.

The EU Court of Justice (CJEU) has ruled that a supplier of luxury goods can, by contract, prohibit its authorised distributors from selling those goods on third-party internet platforms such as Amazon. The CJEU held that such a prohibition is appropriate; does not in principle go beyond what is necessary to preserve the luxury image of the goods; and is not necessarily an unlawful restriction of competition (Coty Germany GmbH v Parfümerie Akzente GmbH (Case C-230/16)).

Continue Reading CJEU rules suppliers of luxury brands can lawfully prohibit resale via third party internet platforms

Heading into the Christmas period, festive shoppers may notice an increasing number of retailers are offering receipts via email (e-receipts) rather than the traditional paper docket. Providing a receipt through email has a number of advantages for retailers and consumers. There is the obvious environmental benefit and it provides an easier means for customers to store and find receipts than an over-stuffed wallet.

However, new guidance from the Data Protection Commissioner (DPC) has stressed the need for retailers to ensure that when customers provide their details for the purpose of receiving e-receipts, they should be fully informed and consent to how that data may be used. Of central concern is the retailers’ use of email addresses for subsequent direct marketing.

Continue Reading DPC publishes guidance on e-receipts

The European Commission (EC) has opened an online public consultation on the targeted revision of EU consumer law (the Consultation). The Consultation follows the EC’s publication of the results of its Fitness Check on consumer and marketing law and of the evaluation of the Consumer Rights Directive (Directive 2011/83/EU) (the CRD).

Background

Both the Consultation and the Fitness Check form part of the EC’s Regulatory Fitness and Performance (REFIT) programme, which aims to make EU law simpler and less costly and to identify any inconsistencies and/or obsolete measures which may have appeared over time.

The Fitness Check carried out a comprehensive evaluation of six directives:

– the Unfair Commercial Practices Directive 2005/29/EC;

– the Unfair Contract Terms Directive 93/13/EEC;

– the Price Indication Directive 98/6/EC;

– the Consumer Sales and Guarantees Directive 1999/44/EC;

– the Injunctions Directive 2009/22/EC; and

– the Misleading and Comparative Advertising Directive 2006/114/EC.

In late May, the EC published the findings of its analysis of these six directives and its separate parallel review of the CRD. In brief, the EC found that “[t]he evaluations confirm that in general consumer law remains fit for purpose.” It did identify, however, the need to improve awareness, enforcement of the rules and redress opportunities to make the best of the existing legislation. It also stated that targeted legislative changes to address certain identified shortcomings of the directives could be beneficial.

Free Online/Digital Services

One of the shortcomings that the EC identified is that the CRD does not currently apply to the provision of ‘free’ online/digital services. ‘Free’ in this context means that the consumer does not pay with money for the service but instead provides data. Examples of this are cloud storage, social media or webmail, where the main contractual obligation of the trader is not to provide digital content but rather a service allowing the creation, processing, storing or sharing of data that is produced by the consumer.

The EC has stated that it will examine extending the scope of the CRD to include such contracts for ‘free’ digital services. This would extend traders’ pre-contractual information requirements and consumers’ 14-day right of withdrawal to any digital services. This singling out of the providers of ‘free’ digital services demonstrates the EC’s continued focus on the digital economy and protecting consumers’ rights online.

The Consultation offers all citizens and organisations the opportunity to have their say on this matter, along with other consumer law matters such as banning doorstep selling and better individual remedies for consumers harmed by unfair commercial practices, including misleading “green” claims.

Timing

The Consultation will run for 14 weeks (June – October 2017).

The European Council has finalised its position on the directive setting out new rules relating to the supply of digital content and digital services, acknowledging it as a priority for the Digital Single Market. The proposed directive was initially presented by the European Commission in late 2015 as part of the move towards a connected digital single market. On 8 June 2017, the European Council adopted its position on the scope of the proposed directive, the remedies for lack of supply and non-conformity, supplier liability and burden of proof restrictions.

Continue Reading Digital Single Market- Digital Content

In Case C-375/15 (the BAWAG case), the CJEU examined the scope of a payment service provider’s obligation to communicate changes to information and conditions, and to framework contracts, to e-banking customers. In particular, the CJEU considered whether a bank may notify its customers of account information and contractual changes via an electronic banking mailbox. The CJEU clarified the conditions that must be met for information to be “provided” to customers on a “durable medium”, as required by the Payment Services Directive (PSD) (2007/64/EC).

Continue Reading Communicating with online banking customers

In Muwema v Facebook Ireland Ltd [2017] IEHC 69, the Irish High Court refused to grant a Norwich Pharmacal order against Facebook, requiring disclosure of the identity and location of an anonymous third party operating a Facebook page containing defamatory content. The Court found that if Facebook disclosed such information it would endanger the life of the third party. The Court held that the right to a good name must give way to the right to life and bodily integrity in the event of a conflict.

Continue Reading Court refuses Norwich Pharmacal order where compliance would threaten a person’s safety

The High Court in Muwema v Facebook Ireland Ltd [2016] IEHC 519 held that Facebook had no duty to remove defamatory content posted by an anonymous third party. Justice Binchy did, however, make a Norwich Pharmacal order requiring Facebook to disclose the identity and location of the person operating the page involved.

Continue Reading ISP not required to remove defamatory statements

In GS Media v Sanoma Media Netherlands and Others (C-160/15), the CJEU held that the posting of a hyperlink on a website, giving access to copyright-protected work on another website, will not constitute a "communication to the public" under Article 3(1) of the Copyright Directive 2001/29/EC, if the person posting the link did not do so to seek financial gain, and did not know that the hyperlink was published illegally without the consent of the copyright holder. In contrast, if a hyperlink is provided for profit, knowledge of the illegality of the publication on the other website must be presumed.

Continue Reading CJEU finds linking to freely available but unauthorised content may not constitute copyright infringement