1. OUTSOURCING MARKET
1.1 IT Outsourcing
The IT outsourcing market in Luxembourg is assessed to be around EUR448 million, which represents 30% of the total ICT services in Luxembourg (worth EUR1.5 billion) and appears to be one of the most common types of outsourcing activities and continues to increase every year.
Key market developments in IT outsourcing relate to the increasing use of cloud computing infrastructures. The Luxembourg regulatory authority in the financial sector, the CSSF ("Commission de Surveillance du Secteur Financier") released in 2017 a specific Cloud Circular, Circular 17/654, regarding IT outsourcing relying on a cloud computing infrastructure. In light of the release of the revised Guidelines on outsourcing arrangements by the European Banking Authority ("EBA") in February 2019, the Cloud Circular was updated by the CSSF in March 2019 with the release of Circular 19/714. The Guidelines on outsourcing arrangements from the EBA will certainly trigger a change in the CSSF regulations on (non-cloud based) outsourcing.
Furthermore, a recent survey on IT outsourcing in Luxembourg has shown that not only do IT contracts tend to be implemented for a shorter period of time, usually for a maximum of three years whereas the standard length for these contracts used to be five or seven years, but also that the average contract value of IT outsourcing agreements is decreasing and customers tend to replace single-sourcing contracts with multi-sourcing engagements.
It should be pointed out that cybersecurity and data protection are major concerns in the context of IT outsourcing. The Luxembourg government issued a National Cybersecurity Strategy in 2012 of which the latest version has been published for the 2018-2020 period.
1.2 BP Outsourcing
In connection to the recent increase in outsourcing options permitted in the financial sector, we note that there is an increasing belief in and use of BP outsourcing in this sector. The BP outsourcing is mostly targeted at back-office operations, such as IT.
1.3 New Technology
The Luxembourg government launched, in 2014, the Digital Lëtzebuerg programme, aiming to establish Luxembourg as a "smart nation" ready to deal with a digital society. In April 2015, the World Economic Forum awarded Luxembourg the ninth overall ranking in the Global Information Technology Report. In this context, Luxembourg established inter alia a strategic vision for artificial intelligence (AI). It acknowledges the speed at which AI technologies deliver new services and it has been based on Luxembourg's ambitions to become a digital front-runner. AI is considered to be the facilitator between data and society's most valuable products and services. However, especially if AI services rely on personal data, data privacy and cybersecurity are of critical importance and ever increasingly need to be taken into account in the context of outsourcing activities.
Furthermore, AI could facilitate internal business processes, for example in companies or hospitals. The increasing use of AI by companies can lead to the insourcing of technologies; currently the same services are outsourced. It is part of the Luxembourg's strategic vision to take efforts to connect with relevant AI solutions and to insource technology and service providers from abroad, which already occurs in the context of financial services. In this respect, the CSSF released a white paper at the end of 2018 setting forth the trends of AI in the financial sector and highlighting detected points of attention from a (financial) regulatory perspective.
In the field of blockchain and smart contracts, especially in the financial and fund sectors, are engaged in proof of concepts, some of them within the relevant professional associations. On a more general note, the Luxembourg State is also actively looking into the matter and examining which use cases can run on blockchain technology. The State has been a driver for the Infrachain project, a State sponsored non-profit organisation including service, consultancy and law firms as well as potential blockchain service clients and which builds a trustworthy infrastructure layer for blockchain applications.
2. REGULATORY AND LEGAL ENVIRONMENT
2.1 Legal and Regulatory Restrictions on Outsourcing
There are no rules that specifically relate to outsourcing in a general manner, ie, that apply to any type of outsourcing, irrespective of the sector. That being said, for any type of outsourcing, it is strongly recommended to verify whether:
- outsourcing is likely to lead to a transfer of undertakings pursuant to Article L. 127-1 et seq. of the Luxembourg Labour Code, based on the EU Directive 2001/23/EC of 12 March 2001, and, if so, to contractually allocate the consequences thereof (refer to 5.1 Rules Governing Employee Transfers);
- outsourcing could constitute illegal lending of workers which is prohibited pursuant to Article L. 133 of the Luxembourg Labour Code (refer to 5.1 Rules Governing Employee Transfers); and/or
- outsourcing will result in the processing of personal data by the outsourcee and if so, whether or not this will mean a transfer of personal data outside of the EU/EEA to a country that is not deemed by the European Commission to offer an adequate level of protection. Depending on whether the response to one or both of these questions is positive, the EU General Data Protection Regulation 2016/679 ("GDPR") will come into play and a contract must be entered into between the data controller (typically the outsourcing party) and the data processor (typically the outsourcee) which must contain a mandatory set of clauses (Article 28 of the GDPR) and/or additional safeguards must be put in place (eg, conclusion of EC standard contractual clauses, Articles 46-49 of the GDPR, etc).
2.2 Industry Specific Restrictions
Outsourcing in the financial sector has traditionally been highly restricted due to the criminally sanctioned Luxembourg banking secrecy, ie, the obligation for Luxembourg financial institutions and their management and employees to "keep secret any information confided to them in the context of their professional activities or mandate" (Article 41(1) of the Act of 5 April 1993 on the financial sector, as amended ("the Financial Sector Act") and Article 458 of the Luxembourg Criminal Code).
By means of the recent Luxembourg Act of 27 February 2018 ("the Financial and Insurance Sector Outsourcing Act"), which amended Article 41 of the Financial Sector Act, the outsourcing options have been significantly increased in the sense that any outsourcing (external and intra-group) to non-regulated Luxembourg companies and foreign companies is now also (explicitly) allowed, provided there is a service contract in place and there is acceptance of the clients in accordance with the law or the modalities agreed upon between the parties.
Such acceptance should extend to the outsourcing of the relevant services, the type of information transmitted within the context of such outsourcing and the country of establishment of the provider of the outsourced services. Furthermore, the persons having access to confidential information covered by the professional secrecy obligation must be subject to a professional secrecy obligation or be bound by a non-disclosure agreement.
The new rules allow for some flexibility in relation to the prior acceptance of the concerned clients which may be obtained – if there is no specific legal requirement – pursuant to the methods contractually agreed between the parties and, hence, implied acceptance could, under certain circumstances, be allowed. The new rules give a legal basis to the existing legal theory and position of the CSSF that outsourcing is possible if the clients of the outsourcing financial institutions have consented to the outsourcing and have thus waived the benefit of the professional secrecy.
Stakeholders in the financial sector should further pay close attention to the different CSSF Circular provisions dealing with or having an impact on (IT) outsourcing, such as:
- Circular 17/655 updating the outsourcing provisions in Circular 12/552 on the central administration, internal governance and risk management that are applicable to credit institutions and investment firms.
- Circular 17/656 on the outsourcing by other FSPs, payment institutions and e-money institutions (ie, alignment of the rules set out in the now repealed Circular 05/178 with the outsourcing provisions of Circular 12/552 plus specific rules on outsourcing by authorised support FSPs).
- Circulars 17/655 and 17/656 contain similar provisions, yet Circular 17/656 in addition foresees in more specific IT outsourcing requirements regarding IT system management and operation services, consulting, development and maintenance services, hosting services and infrastructure ownership.
- Circular 17/654 regarding IT outsourcing relying on a cloud computing infrastructure, as amended by Circular 19/714 ("Cloud Circular"), which applies instead of the above-mentioned Circulars 17/655 or 17/656 if the criteria mentioned in the Cloud Circular for the qualification as an outsourcing based on a cloud computing infrastructure are met. This Cloud Circular reproduces many principles of former Circulars 12/552 and 05/178, yet adapts them to the cloud context and adds several important obligations in terms of governance, client information/consent, CSSF notification/authorisation, audit rights, obligatory contract clauses, etc.
The above-mentioned CSSF Outsourcing Circulars set out specific requirements of central administration and internal governance that must be met in the event of an outsourcing, such as making sure that the outsourcing:
- is based on a risk assessment and is consistent with a predefined policy based on a risk assessment and validated by the board of directors;
- is formalised in an agreement including service levels and specifications; and
- is strictly controlled by a professional of the financial sector which ensures its quality and guarantees the protection of the customer's confidential information.
At EU level, the above-mentioned CSSF Outsourcing Circulars are complemented by the revised Guidelines on outsourcing arrangements of the EBA which were released on 25 February 2019 and which revise and replace both the current guidelines on outsourcing arrangements, which date back to 2006, and the EBA guidelines for the use of cloud service providers by financial institutions dating back to 2017. The EBA outsourcing guidelines form a significant layer of requirements on top of the CSSF Outsourcing Circulars requirements.
For reasons of completeness, we lastly point out that companies in the financial sector must also comply with Directive 2014/65/EU of 15 May 2014 (MiFID II) and its Luxembourg implementation law of 30 May 2018 when outsourcing call-recording.
A similar, criminally sanctioned, professional secrecy obligation exists for insurance companies (Article 300 of the Luxembourg Act of 7 December 2015 on the insurance sector, as amended ("the Insurance Sector Act") and Article 458 of the Luxembourg Criminal Code). The Financial and Insurance Sector Outsourcing Act foresees a similar enlargement of the exceptions to the professional secrecy obligation for insurance companies. Contrary to the CSSF, the Commissariat aux Assurances ("CAA") which supervises and regulates the insurance sector, has not, however, issued any outsourcing regulations. This might change in the near future as the European Insurance and Occupational Pension Authority (EIOPA) launched a consultation on guidelines on outsourcing to cloud service providers in July 2019, which may result in more detailed regulations.
2.3 Legal or Regulatory Restrictions on Data Processing or Data Security
Firstly, to the extent that the outsourcing results in the processing of personal data, meaning any information relating to an identified or identifiable natural person, by the outsourcee, the GDPR will come into play and a contract must be entered into between the data controller (typically the outsourcing party) and the data processor (typically the outsourcee) which must contain a mandatory set of clauses (Article 28 of the GDPR). The mandatory set of clauses includes a clause that requires the processor to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk as set out in Article 32 of the GDPR. Measures should, as appropriate, include:
- pseudonymisation and encryption;
- measures ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- measures ensuring the timely restoration of availability and access to personal data after an incident; and
- measures ensuring a process for regularly auditing the effectiveness of the security measures.
In this context, it is commendable to adhere to the norms of the ISO27000 family.
To the extent that outsourcing implies a transfer of personal data outside of the EU/EEA to a country that is not deemed by the European Commission to offer an adequate level of protection, the third country transfer will, in principle, be prohibited unless adequate safeguards are provided (Articles 44 to 50 of the GDPR), such as:
- the use of the so-called "standard contractual clauses" issued by the European Commission;
- the conclusion of intra-group binding corporate rules (which requires a prior authorisation from the Luxembourg Data Protection Authority); or
- for recipients situated in the United States, the Privacy Shield certification (Article 46 of the GDPR).
A number of exceptions can also be relied upon to justify a third country transfer, including, without limitation:
- the unambiguous, explicit consent of the data subject;
- the transfer being necessary for the execution of a contract between the data subject and the data controller or the implementation of pre-contractual measures taken in response to the data subject's request;
- the conclusion or execution of a contract concluded in the interest of the data subject between the data controller and a third party; or
- the establishment, exercise or defence of legal claims (Article 49 of the GDPR).
Secondly, in respect of outsourcing in the financial sector in particular, we point out that the following CSSF (Outsourcing) Circulars contain specific requirements on data processing and security:
- Circulars 17/655 and 17/656 which have a different personal scope but contain similar provisions, with Circular 17/656 foreseeing more specific IT outsourcing requirements. These Circulars, for instance, require that institutions implement both a security monitoring process allowing them to be informed promptly of new vulnerabilities and a patch management procedure allowing timely correction of significant vulnerabilities. Furthermore, they require that the outsourcing contract contains a set of mandatory clauses in respect to data processing and security, such as relevant provisions regarding the accessibility, availability, integrity, privacy and safety of relevant data with a particular requirement that access to data and systems shall fulfil the principles of "need to know" and "least privilege".
- The Cloud Circular, which applies instead of the abovementioned Circulars 17/655 or 17/656 if the criteria mentioned in the Cloud Circular for the qualification as an outsourcing based on a cloud computing infrastructure are met. The Cloud Circular contains even more stringent conditions and, for instance, also requires that all data and systems of the outsourcee have to be erased definitively if the contract is terminated and that the financial institution must always be able to recover its data and systems in order to be able to continue its activities for reasons of business continuity in case of exceptional events or crisis.
- Circular 11/504 regarding fraud and incidents due to external computer attacks. This Circular requires all establishments supervised by the CSSF to report as soon as possible to the CSSF any frauds and any incidents due to external computer attacks.
For reasons of completeness, we lastly point out that, in respect of operators of so-called "essential services" such as providers of digital infrastructures, credit institutions and entities active in the transport, health and energy sector, the Luxembourg NIS Act of 28 May 2019 ("the NIS Act"), implementing the EU Directive 2016/1148 on the Security of Network and Information Systems, sets out requirements in terms of security measures (for preventing risk, ensuring security of network and information systems and handling incidents) and mandatory notification of serious incidents to the relevant authorities.
2.4 Penalties for Breach of Such Laws
Penalties for Breaches of Financial and Insurance Sector Outsourcing Regulations
Infringements of Luxembourg banking secrecy and professional secrecy in the insurance sector are criminally sanctioned with imprisonment of eight days to six months and with a fine of EUR500 to EUR5,000, whereby such fine is to be doubled for legal persons (Article 458 of the Luxembourg Criminal Code).
Furthermore, breaches of the outsourcing laws and regulations of the CSSF may be sanctioned by the CSSF with the following penalties (Article 63(2) of the Financial Sector Act:
- a warning;
- a reprimand;
- a fine between EUR250 and EUR250,000; and/or
- one or more of the following measures: a temporary or definitive prohibition on the execution of any number of operations or activities, as well as any other restrictions on the activities of the person or entity or a temporary or definitive prohibition on the participation in the profession by the de iure or de facto directors or senior management of persons or entities subject to the CSSF supervision.
Similarly, breaches of the outsourcing laws and regulations and regulations of the CAA may be sanctioned by the CAA with an administrative fine which shall not exceed EUR250,000 for insurance and reinsurance undertakings and EUR50,000 for executives of insurance and reinsurance undertakings. Furthermore, the CAA may impose the following sanctions instead of or on top of such administrative fine (Article 303 of the Insurance Sector Act):
- a warning;
- a reprimand;
- prohibition to carry out certain transactions and any other limitation on the conduct of business; and/or
- the temporary suspension of one or more of the undertaking's executives.
Penalties for Breaches of the GDPR
Breaches of the obligations contained in the GDPR may be sanctioned by the competent data protection authority with fines up to 4% of the total worldwide turnover of the undertaking, which according to the French Data Protection Authority is to be calculated at group level (Article 83(2) of the GDPR).
Such administrative fines can be imposed on top of or instead of the following measures (Article 58(2) of the GDPR):
- a warning;
- a reprimand;
- an order of compliance with data subject's requests to exercise their rights under the GDPR;
- an order to bring a processing operation in line with the GDPR, where appropriate, in a specified manner and within a specified time frame;
- an order of communication of a personal data breach to the concerned data subject;
- an order to rectify or erase certain personal data or to restrict their processing; and/or
- an order of suspension of data flows to a recipient in a third country or to an international organisation.
Penalties for Breaches of the NIS Act
Breaches of the data security obligations contained in the NIS Act may be sanctioned with one or more of the following:
- a warning;
- a reprimand; and/or
- a fine which cannot exceed EUR125,000.
Penalties for Breaches of the Luxembourg Labour Code
In the context of transfer of undertaking, breaches of the information and consultation obligations towards the legal representatives of the employees may be sanctioned with a fine between EUR251 and EUR15,000 pursuant to Article L. 417-5 of the Luxembourg Labour Code, and up to EUR30,000 for legal persons pursuant to Article 36 of the Luxembourg Criminal Code.
Breach of the prohibition of illegal lending of workers may be sanctioned with:
- a fine between EUR500 and EUR10,000 pursuant to Article L. 134-3 of the Luxembourg Labour Code, and up to EUR20,000 for legal persons pursuant to Article 36 of the Luxembourg Criminal Code; and/or
- in case of recidivism, imprisonment of two to six months and/or a fine between EUR1,250 and EUR12,500 pursuant to Article L. 134-3 of the Luxembourg Labour Code, and up to EUR25,000 for legal persons pursuant to Article 36 of the Luxembourg Criminal Code.
2.5 Contractual Protections on Data and Security
To the extent that outsourcing results in the processing of personal data by the outsourcee, meaning any information relating to an identified or identifiable natural person, the contract will at least impose upon the outsourcee, as processor, the obligations set out in Article 28 of the GDPR and detail the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subject, and the obligations and rights of the controller/outsourcing party.
In the event that personal data is intrinsic to the outsourcing, the outsourcing party may even want to consider contractually imposing further data security requirements such as a detailed list of security measures to be respected by the outsourcee, a data recovery plan, an unlimited liability for data protection breaches, etc.
Additional contractual clauses might be mandatory in the context of outsourcing in the financial sector. The following Circulars of the CSSF, read together with the 2019 Guidelines on outsourcing arrangements of the EBA, require the inclusion of mandatory clauses on data processing and security.
The Circulars 17/655 and 17/656 which have a different personal scope but contain similar provisions, with Circular 17/656 foreseeing more specific IT outsourcing requirements and includes the following mandatory clauses:
- security of data and systems: where relevant provisions regarding the accessibility, availability, integrity, privacy and safety of relevant data with a particular requirement that access to data and systems shall fulfil the principles of "need to know" and "least privilege";
- access to data: provisions that ensure that the data that are owned by the outsourcing institution can be accessed in the case of the insolvency, resolution or discontinuation of business operations of the outsourcee;
- transfer of outsourced function specification of the treatment of data by the current outsourcee in the event of transfer of the outsourced function; and
- data location: in the event of outsourcing of a critical or important function, the location(s) where the critical or important function will be provided and/or where relevant data will be kept and processed, including the possible storage location, and the conditions to be met, including a requirement to notify the outsourcing party if the outsourcee proposes to change the location(s).
The Cloud Circular 17/654 which applies instead of the above-mentioned Circulars 17/655 or 17/656 if the criteria mentioned in the Cloud Circular for the qualification as an outsourcing based on a cloud computing infrastructure are met, and includes the following mandatory clauses:
- data location: contract must provide for a resiliency of the cloud services in the EU (limited derogation options); and
- termination: commitment of the outsourcee to definitively erase all data and systems within a reasonable time.
Originally published by Chambers and Partners Outsourcing Guide.