Friday, 27 April 2018

Is the claim "cookies will only be dealt with in the ePrivacy Regulation" true, and what are the five key points to fix?

The above claim comes up often in discussions with companies. Fundamentally it contains two separate questions: a) under what conditions a cookie ("eväste" in Finnish) is personal data under the Data Protection Regulation, either on its own or in combination with other data; and b) how cookies should be treated in the GDPR era, or whether they need to be treated at all. This post deals with the latter, i.e. whether cookie guidelines should be renewed already now, or whether the matter can be deferred to around 2020, when ePrivacy may perhaps enter into force.

What are cookies in the first place, and how do they work? As a technical introduction to the topic, here is a quotation found online:

"Cookies allow a Web site to store information on a user's machine and later retrieve it. The pieces of information are stored as name-value pairs.

For example, a Web site might generate a unique ID number for each visitor and store the ID number on each user's machine using a cookie file.

If you type the URL of a Web site into your browser, your browser sends a request to the Web site for the page (see How Web Servers Work for a discussion). For example, if you type the URL into your browser, your browser will contact Amazon's server and request its home page."

Cookies originally fell within the scope of the ePrivacy Directive (Directive 2002/58/EC and its 2009 update, Directive 2009/136, the so-called "ePD"). It became national legislation in the EU member states through gradual implementation, leading to national differences, in other words a rather inconsistent implementation across countries. According to Section 205 of the Finnish Information Society Code:

"Storing cookies or other data describing the use of a service on the user's terminal device, and the use of such data, is permitted for the service provider if the user has given consent to it and the service provider gives the user understandable and comprehensive information on the purpose of the storing or use. The above does not apply to such storing or use of data whose sole purpose is to carry out the transmission of a message over communications networks, or which is necessary for the service provider to provide a service that the subscriber or user of the service has expressly requested. The storing and use referred to in this section is permitted only to the extent required by the service, and it must not restrict the protection of privacy more than is necessary."

There are several areas where the current draft ePrivacy Regulation and the GDPR are inconsistent and thereby create complexity for site owners. Cookies are one of them. In theory the GDPR replaces the national cookie laws, but it covers only the subset of cookies that process personal data, so the other cookies remain within the scope of the ePrivacy Directive. Cookies within the scope of the GDPR could rely on a legal basis other than consent, most obviously legitimate interests. Since consent is the only legal basis under the current ePD, apart from strictly necessary cookies, an interesting situation arises in which a cookie that is not personal-data-intensive, for example a cookie storing information about screen size, may face stricter consent requirements than under the GDPR. This type of cookie does not store enough data to be considered personal data, so the GDPR does not apply, but it is also unlikely to be "strictly necessary", since the site would need this information for one session only. It may be useful for optimisation and performance, but it is not a "necessary cookie".

How can the GDPR be expected to affect personal-data-intensive cookies in practice, and which five things should be taken into account when considering cookie policies:

1) Implied consent, i.e. "consent based on behaviour", is not sufficient
2) In the case of consent, there must be a right to withdraw it
3) Withdrawing consent must be as easy as giving it
4) Renewing cookie policies, taking into account the different types of cookies according to the legislative division described above, seems the most justified option
5) Do Not Track settings must be respected
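As an added illustration that is not part of the original post, the Python sketch below ties the name-value pairs from the quotation above to the five points: a parser for the Cookie request header, a consent record in which only an explicit choice counts (a missing choice is treated as no consent), a Set-Cookie builder that refuses non-necessary cookies when there is no recorded consent or when the browser sends DNT: 1, and a withdrawal path that is a single call, just like granting. The category names, the ConsentRecord shape, the DNT header check and the sample cookie values are this example's own assumptions, not anything from the post or from any regulator's guidance.

```python
"""Consent-aware cookie handling (added example, not from the original post).

Assumed classification: 'necessary' cookies only carry out what the user
expressly requested and may be set without consent; every other category
needs explicit, recorded, withdrawable consent. Category names and the
ConsentRecord shape are this example's own assumptions.
"""
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from typing import Dict, Optional

NECESSARY = "necessary"   # e.g. session id for a login the user asked for
ANALYTICS = "analytics"   # constructed non-essential category
MARKETING = "marketing"   # constructed non-essential category


@dataclass
class ConsentRecord:
    """Per-user record of explicit choices; absence of a choice is not consent."""
    choices: Dict[str, bool] = field(default_factory=dict)

    def grant(self, category: str) -> None:
        # Only called after an affirmative user action (e.g. a banner click).
        self.choices[category] = True

    def withdraw(self, category: str) -> None:
        # Withdrawal is one call, as easy as granting.
        self.choices[category] = False

    def allows(self, category: str) -> bool:
        # Continued browsing (implied consent) leaves no entry -> False.
        return self.choices.get(category, False)


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split a Cookie request header into its name-value pairs."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def set_cookie_if_permitted(name: str, value: str, category: str,
                            consent: ConsentRecord,
                            request_headers: Dict[str, str]) -> Optional[str]:
    """Return a Set-Cookie header value, or None if the cookie may not be set."""
    if category != NECESSARY:
        if request_headers.get("DNT") == "1":
            return None            # respect the browser's Do Not Track signal
        if not consent.allows(category):
            return None            # no explicit consent recorded -> no cookie
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["httponly"] = True   # not readable from page scripts
    jar[name]["secure"] = True     # only sent over HTTPS
    jar[name]["samesite"] = "Lax"  # limits cross-site sending
    return jar[name].OutputString()


def expire_cookie(name: str) -> str:
    """Set-Cookie value that removes a cookie after consent is withdrawn."""
    jar = SimpleCookie()
    jar[name] = ""
    jar[name]["path"] = "/"
    jar[name]["max-age"] = 0
    return jar[name].OutputString()


def demo() -> Dict[str, object]:
    """Walk through the five points with a constructed request; returns results."""
    request = {"Cookie": "sid=abc123; theme=dark", "DNT": "0"}  # constructed
    consent = ConsentRecord()
    out: Dict[str, object] = {}
    out["parsed"] = parse_cookie_header(request["Cookie"])
    # Necessary cookie: allowed without consent.
    out["session"] = set_cookie_if_permitted("sid", "abc123", NECESSARY, consent, request)
    # Non-essential cookie, nothing recorded: implied consent is not enough.
    out["analytics_no_consent"] = set_cookie_if_permitted("_ga", "demo-1", ANALYTICS, consent, request)
    consent.grant(ANALYTICS)
    out["analytics_granted"] = set_cookie_if_permitted("_ga", "demo-1", ANALYTICS, consent, request)
    # Same consent, but the browser asks not to be tracked.
    out["analytics_dnt"] = set_cookie_if_permitted("_ga", "demo-1", ANALYTICS, consent, {"DNT": "1"})
    consent.withdraw(ANALYTICS)
    out["analytics_withdrawn"] = set_cookie_if_permitted("_ga", "demo-1", ANALYTICS, consent, request)
    out["expire"] = expire_cookie("_ga")
    return out


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The SameSite attribute in http.cookies requires Python 3.8 or newer. The point of the design is that the decision to set a cookie is made in one place that sees both the cookie's category and the user's recorded choice, so a template or script cannot set a non-essential cookie by accident; withdrawal is then just a call to withdraw() followed by an expiring Set-Cookie for the cookies already on the device.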

Now all that remains is to renew the cookie policies, and at the same time a splendid Vappu (May Day) to everyone! More information on cookie policies and renewing them via this link!



Tuesday, 27 March 2018

On the role of M&A and transactional lawyer: what is most important for customers?

Having led multiple M&A transactions and IT project negotiations, as well as having had lengthy discussions with clients representing a variety of industries, I thought I would share some ideas on what, in my experience, seem to be the distinctive features of a good transactional lawyer and what will be required from us lawyers in the future.

It is always a good thing to keep in mind your focus as a lawyer, and a transactional one in particular. As Coates puts it, “[we] advise, negotiate, document and process” and, if possible, we do it in advance by contractual means. The main points:
  • In practice, this means advising clients about risks, how, for example, contract law allocates risks, and then modifying the setup to allocate those risks to reflect the requirements of the case.
  • There is no such thing as a perfect contract and there are always some risks that are not seen in advance and in some cases the best option is to leave certain risks to be handled by law.
  • Moreover, even if you foresee a risk, it might be very simple to allocate it, yet very difficult to enforce, so you need to understand both allocation and enforcement in order to give solid advice.
At its best, however, a contract is a magnificent tool for adding value to the customer and, as Gilson refines it, “what business lawyers do has value only if the transaction on which the lawyer works is more valuable as a result”. Simple and easy to agree with. This will be even more so as artificial intelligence develops, expands into new territories and starts to replace us lawyers in routine document reviews.
The future lawyer must be closer to the business and be truly a trusted advisor of the customer rather than carrying out different independent assignments from client to client. That is our focus at TRUST as well, to be more intensive with our clients and use extra effort to understand their business to show and create measurable value!
Splendid continuation for your spring and happy Easter!

Monday, 11 December 2017

Negotiating Enterprise Cloud Agreements — 3 Key Points

In essence, purchasing cloud solutions is a simple process: just go to the site of your choice, place an order and pay by credit card. Businesses, however, often prefer a higher level of customisation in the solution, and another key element is that these enterprise level agreements give the group better overall visibility of ‘cloud spend’ and capacity optimisation.

Personally, I also call for a cloud strategy in which an organisation identifies the solutions that utilise cloud technology and combines these under a single umbrella, creating a consistent approach to public cloud while creating cost efficiency. As an additional benefit, this reduces compliance risks relating to personal data. This can be achieved if, for example, all solutions or at least the maximum possible proportion of the solutions are within one clearly identified scheme as opposed to having bits and pieces of the data spread across the world in data centres run by various third parties.

What are the top three points to keep in mind when starting the negotiation on cloud services?

1. There is usually no minimum payment commitment. You can always buy as much or as little as you want. Also, even if there is a ‘risk’ in that vendors often retain the right to introduce fees or change prices, you typically have the right to terminate for convenience, so there is no true risk of a “lock-in problem” with higher fees. Furthermore, as the largest players are in any case in a dominant market position, they treat you equally with others, which also gives you comfort.

2. Service levels are standardized and there is typically zero flexibility. This is an obvious downside but, similarly, if you wish to have a bag of concrete from your local hardware store, you always have certain limitations. You can choose a small bag or a big one but you cannot go in there saying you would like to have exactly 3,700 grams and a quarter-ounce of concrete. There are different vendors for these.

3. What, then, can be negotiated? To exaggerate just a bit, the answer is ‘everything else.’ In any case, these enterprise agreements contain several points that can be negotiated while keeping the above in mind, such as termination periods if you are concerned about business continuity when more business-critical data is put into the cloud environment.

We have at TRUST made cloud negotiation packages under which we have standard comments for AWS, Azure and similar cloud solutions most often considered by large corporations - feel free to drop us an e-mail if you are interested.



Thursday, 6 July 2017

Three issues how Finnish financial and insurance sector is changing from IT strategy perspective

Sunny July,

Just before heading towards a well-earned vacation after closing our latest M&A and outsourcing deals, including representing A-Katsastus in their infra outsourcing to Atos (see press release here) and representing K & T Neutech in their business purchase with Internet Planeetta Oy (press release here), I think there is enough time for one more post. I was asked this question last week and I thought it might be a good idea to share some thoughts on it. This is not really a topic I have thoroughly thought through but more a set of views I have on the situation and what I remember reading somewhere, so feel free to contribute if you have additional viewpoints or if you agree or disagree:

In the banking and financial sector, there seem to be three points driving changes:
  • First, particularly in the Nordic countries, cost-efficiency is obviously just one of the main concerns, causing constant changes.
  • Second, regulatory changes create another source of changes and, while the financial sector alone already has a rather heavy regulatory burden on its shoulders, this is an area where also other regulatory changes, such as privacy, cause additional work.
  • Third, as the most interesting one, come digitalisation and new services. All users, me included, create a demand for enhanced user experience and we, too, wish to utilise new channels. 
Well, what could come out of this? I would say there are several interesting new questions to ask which are more strategic in nature:
  • Regarding the first point, there might be a need for more BPO-based models to drive costs down. In addition, one could say that large and small banks are in slightly different positions in this respect: while larger banks are able to create more of their proprietary solutions, the smaller and medium-size banks are under more pressure to adopt standardised solutions. Anyway, my estimate is that the difference between large and small banks will grow while in both cases the unifying factor is the utilisation of cloud architecture.
  • Consumer behaviour has changed and, as said, we all require more; I would expect to see more customised offers based on increased usage of customer data, perhaps increased SLAs? And naturally omni-channelism, as mentioned above, is an element, as well as time-to-market. In the world of IT projects, this might mean adoption of more bimodal approaches in order to be more responsive to market needs.
  • Banking as a service—are the leading banking software solutions sufficiently good? Are these enough to create strategic advantage?
Because of the above reasons, I would claim that the importance of strategic partner fit increases, and obviously data conversion remains one of the focus areas and an issue to be solved in any contract (and this is not really specific to the banking sector). In any case, to conclude, I would say that in any IT acquisition process all these issues need to be carefully considered and already taken into account in the RFIs and RFPs, and as a lawyer one also has to truly understand the business to create additional value!

For those who are already on vacation or, like me, soon leaving for one, I wish you relaxing times, and next time I will write the second part on those cloud services as I promised in one of my earlier posts!



Wednesday, 31 May 2017

How cloud and digitalisation change outsourcing and IT contracting - part 1?


As you may remember, I earlier promised to write about the practical issues surrounding IT agreements in the digital era, and cover certain misunderstood concepts and principles in the IT world that are, in principle, "simple" but nowadays too often subject to lengthy negotiations. Cloud is definitely the mainstream solution today, even in heavily regulated sectors such as banking and insurance as outlined, e.g., in Temenos & Capgemini 2015, according to which 89% of banks globally use at least one cloud application, while the figure was 57% in 2009.

Standard IT procurement templates won't work

According to our recent experience, most of the standard contractual templates used by many large corporate customers in their procurements, as well as most IT agreement models currently generally available, fail to address the latest delivery and operational models applied by cloud capacity providers. Even though the principles remain the same—and yes, from a legal point of view, there are still services, licenses, hardware, etc.—cloud capacity for example requires a different approach to these due to the various characteristics that separate it from traditional IT deliveries. This implies that one must also go deeper into the world of cloud and understand how cloud brokerage and service integrators work to create a reasonable balance between the interests of the different parties involved, and to truly gain business benefits from the new service models (as opposed to relying on standard "one-size-fits-all" -type of ICT procurement frame agreements). In addition, there are certain new elements that need to be added to the above legal framework, such as the above mentioned capacity, which is still a relatively unknown concept for many lawyers even if they might otherwise be very experienced in IT contracting. 

Modern outsourcing requires less transactional elements

It is probably already a decade since Amazon Web Services (or AWS) started offering these services, and still we seem to be missing the core understanding of what this is actually all about. Essentially it is about using resources over a network, which may include just storage space, software (SaaS), computational power (IaaS) or, for example, hosting platforms as a service (PaaS). Under the SaaS heading, we have plenty of alternatives, from traditional systems like HR, accounting/financials (Workday), CRM (Salesforce), e-mail and office (Office 365) to data storage providers (Dropbox), photos (Flickr) or social network applications (Facebook), which are the best known to everyone. New digital services differ from (and affect) traditional outsourcing in many ways. Perhaps most importantly, they may remove the need to outsource in the traditional sense completely, i.e. “less infra, personnel & software, less to outsource".

Digitalization requires a more subtle liability allocation

Furthermore, modern digital services are often not offered by one vendor alone; instead, there is often a network of different players involved with varying roles, which means that liability allocation is also subtler than it was in the past. In this new environment, different deliveries, personal data and related liabilities alike move from vendor to vendor, from vendor to customer or vice versa, unlike in traditional IT contracts of the time when it was still possible to reduce the whole delivery model to a simple "projects and on-going services” format. In my view, this should not be seen as an increased risk but rather as an inherent characteristic of the new way of providing services. Consequently, the liabilities and their allocation should also be different, as in this example that outlines a simplified contractual network of a company engaged in a digital marketing campaign.

Technology lawyers need to create new core competences

As I see it, if one takes the time to really understand how this world works, it gives strategic advantages or cost savings, depending on the strategy. In other words, "too many cooks do not spoil the broth". Instead, they enable a more agile IT environment for you if you select the right partners and know how to use them! Lawyers, too, need to understand in detail how these different systems communicate at the technical and legal level and how personal data is transferred around the environment, and I must say it is not a simple task; it is made even more difficult by the fact that one often operates in the cross-border environment of the internet, where compliance requirements are still in many cases based on local legislation. Here I promise to raise the five top issues on how contracting practices are changing at the practical level that I wish someone had told me before I started drafting my first cloud-era IT agreement or spider-webs like the one above, and then I hope to hear your views on this issue as well!