Typically, it is important that the parties agree that the customer material stored within the ICT systems and produced by them clearly belongs to the customer. However, for example, solutions utilising artificial intelligence require a more nuanced approach to agreeing on the allocation of rights. Artificial intelligence typically involves a larger variety of components in this respect, and the ownership and intellectual property rights related to such components require sufficiently clear contractual provisions. In this context, key components to address include, at least, the AI solution running in the background, the data that is fed into the AI and used during the development, validation and testing of the AI, the results produced by the AI, and the evolution of the AI achieved through the customer’s requirements, data and use.
☑️ Ensuring a sufficient level of liability
The liability level of the service provider must always be determined so that the customer’s rights are secured in case the service does not meet the agreed requirements or if disruptions arise, taking into account that such events could have significant adverse impacts on the customer’s business processes. Therefore, it is important that the customer ensures that the relevant agreement contains appropriate provisions on service levels, the seller’s liabilities and the seller’s warranties, which, in turn, vendors typically aim to restrict in their standard terms.
When assessing the acceptability of restrictions on the provider’s liabilities proposed for the agreement, the customer must, especially, recognise the potential adverse effects that disruptions in the relevant service or system might have on the customer’s business. Furthermore, the damage types and situations where the liability restrictions may not apply must be specifically identified and reflected in the agreement (such as liabilities related to breaches of confidentiality or data protection obligations).
For services that rely on artificial intelligence it is important to note that the object of the agreement is typically rather dynamic in the sense that the traditional way of tying the supplier’s performance obligations to certain technical criteria and documentation at the time of concluding the agreement might not be the best solution. Instead, emphasis should be placed on, for example, the end results and impacts pursued by the relevant solution.
Aspects relating to liabilities and responsibilities should be observed already when selecting a service provider. For example, a service provider operating on a strict ‘take it or leave it’ basis as regards its own standard terms may be a poor alternative in situations where a highly restricted vendor liability level, with limited or no room for negotiation, is not in line with the criticality of the service in the customer’s business.
☑️ Compliance with laws
The increasing level of legal regulation, typical of the 21st century, has also directly affected the field of ICT services. Legislation concerning data protection, cyber security, electronic communications, consumer protection and artificial intelligence may create inevitable uncertainties, especially when planning the procurement of a large-scale and long-term ICT system. Key questions include who is responsible (and to what extent) for ensuring that the service or system meets applicable regulatory requirements in force from time to time. Even before selecting the service provider, it is beneficial to investigate the extent to which the vendor candidates can provide readily available material on the relevant compliance requirements affecting the service.
Additionally, the allocation of responsibilities concerning compliance requirements should be specified during the contract negotiations as clearly as possible and separately for the different elements of the service, if necessary. The agreement should also contain clear change management processes, under which the service or system can be adjusted or even discontinued if amendments to the relevant regulatory framework so require.
☑️ Identifying the service provider’s data protection profile
Data protection issues constitute a significant source of compliance risks for almost every modern organisation. ICT solutions all but inevitably involve the processing of personal data, which necessitates the due consideration of data protection aspects already in the selection of the service provider. Indeed, selecting a reliable vendor that understands the various data protection requirements applicable to its customer is a key step in managing data protection risks. Therefore, it is important, when preparing a procurement, to review the potential providers’ approaches and existing arrangements in relation to data protection requirements. For example, a service provider’s privacy policies, possible data protection impact assessments or data security certificates are a good starting point.
Following the so-called Schrems II ruling of the Court of Justice of the EU (C-311/18, 16 July 2020), European companies have been required to identify and assess the geographic location of their data processing. The Schrems II ruling brought about significant requirements that must be observed when personal data is stored outside the EEA, including situations where data inside the EEA is made accessible from outside the EEA, which is extremely likely, for example, in the context of established global cloud services. When selecting a service provider, the customer should identify the location of the service data and ensure, in practice, that the service provider has clear and sufficient mechanisms and contractual liabilities required to address the Schrems II requirements (e.g. the so-called transfer impact assessment documentation).
In our view, the ability to address the challenges related to the location of data is becoming a central competitive advantage among ICT service providers.
☑️ Sustainability first
It may be tempting to think that sustainability requirements would not represent a significant challenge for businesses operating in a digital environment. However, the infrastructure of modern data processing has, in the last few years, proven to be a concerning environmental challenge, which has been especially apparent through the data processing capacities required by blockchain technologies. If the current progress continues, data centres are expected to represent over 3% of global carbon dioxide emissions by 2025.
As the amount of data in the world grows, environmentally friendly data storing solutions will become an important tool for many companies as they work to limit their carbon footprints. Additionally, energy-efficient servers may prove an excellent means for creating cost savings. Environmentally friendly data management can also become a company’s competitive advantage as consumers’ environmental awareness and values evolve.
When planning the procurement of a long-term and large-scale ICT system, the due assessment of environmental issues should, in fact, be a crucial stage in terms of an organisation’s sustainability requirements. The ‘greenness’ of a potential service provider should, moreover, form a key selection criterion in choosing a vendor. Contractual terms can also be used to create incentives for environmentally responsible operations. We predict that pricing mechanisms and novel contractual terms concerning the validity and termination of the agreement, linked to environmental factors and requirements, will also become more common in ICT agreements in the coming years.
The focus areas identified in this article go to show that the procurement of ICT solutions is connected to a highly diverse set of requirements. The comprehensive assessment of all such factors may feel overly time-consuming in the midst of a rapidly progressing ICT procurement project. However, the magnitude of applicable requirements requires ensuring an adequate schedule and seamless cooperation between the procuring organisation’s technical and legal experts to ensure that all relevant requirements are observed. Accepting the supplier’s terms ‘as is’ may seem like an attractive solution when operating under a tight schedule, but doing so may create unexpected and long-term contractual risks. Additionally, we have noticed, in practice, that even where the supplier has initially indicated its own standard terms as being ‘non-negotiable’, there may nevertheless be room for negotiating the terms to be more favourable for the customer.
Special thanks also to Roi Rantanen who participated in the writing of this article and works as an Associate Trainee at Dittmar & Indrenius in autumn 2021.