Christopher Sparre-Enger Clausen heads Thommessen’s technology and data protection practice group and specialises within technology and data protection law, as well as technology M&A. He has extensive experience from both domestic and international digitalisation projects and provides clients with legal and strategic advice within a broad range of areas relating to digitalisation and technology, such as data protection, cybersecurity, outsourcing, licensing, Cloud computing, software development, as well as IP and regulatory matters pertaining to IT and telecommunications.
Key clients include Kahoot! AS, which Christopher is assisting in a wide range of contractual, e-commerce and transactional matters, and Microsoft Norway, which he regularly assists in matters concerning Cloud agreements, privacy, cybersecurity, regulatory matters and public procurements.
Christopher is ranked for 2021 by Chambers and Partners Europe and was named as a ‘Next Generation Partner’ in The Legal 500 EMEA for 2021 within TMT. Thommessen’s TMT department is ranked Band 1 by Chambers and Partners Europe and Tier 1 in The Legal 500 EMEA for 2021.
Stian Fredrik Karlsen is part of Thommessen’s technology and data protection practice group, specialising in contractual and regulatory matters in the fields of IT, cybersecurity and data protection law. He has experience in assisting organisations with major privacy-compliance projects, technology-focused due diligence processes and developing contractual frameworks for complex digital collaborations, and is regularly called upon to assist clients in connection with cybersecurity incidents and personal data breaches.
1 What are the key features of the main laws and regulations governing digital transformation in your jurisdiction?
For most Norwegian organisations, digital transformation is mainly affected by the same general technology-centric laws and regulations that apply in other European jurisdictions. This includes the General Data Protection Regulation (GDPR), the e-privacy directive and the web accessibility directive. The emergence of big data cooperations between Norwegian businesses has also increasingly put an emphasis on the competition law implications of such synergies in digital transformation projects.
For organisations belonging to a specific industry or business sector, for example, finance, health, telecommunications or industries of particular national interest, additional sector-specific national laws and regulations must also be taken into account. These laws and regulations may, for example, place increased importance on reviewing and assessing the cybersecurity implications of any planned transformation, by penalising an organisation’s failure to implement adequate information security measures. They may also place restrictions on an organisation’s ability to outsource IT operations or business functions.
For the most part, these regulations emphasise self-governance, placing the onus of compliance on the organisations themselves. This means that they are generally left to conduct their own assurance of compliance with their sector-specific requirements, rather than being able to attain and rely on governmental approvals. Failure to conduct the required diligence operations in a responsible manner, may subsequently be penalised in the form of fines or, in particularly egregious circumstances, imprisonment. Some exceptions to the self-governance features do apply, for example, with respect to government approvals or notification procedures with for outsourcing in certain sectors. Organisations affected by these national requirements may also need to be aware of, and take into account, sector-specific notification requirements, for example, cybersecurity breaches that apply in addition to the general requirements under the GDPR.
New laws implementing the 2018 Electronic Communications Directive (Directive 2018/1972) are currently in the preparatory phase, and appear likely to be implemented during 2022. When implemented, this may have implications for certain providers in respect of digital transformation.2 What are the most noteworthy recent developments affecting organisations’ digital transformation plans and projects in your jurisdiction, including any government policy or regulatory initiatives?
As with most other jurisdictions, the ongoing pandemic situation has had various implications for most organisations. In particular, many organisations have had to rethink and evolve their work setup to maintain productivity and a healthy working environment, while doing their part to comply with the various government restrictions. While such restrictions have now eased in Norway going into 2022, the events and developments of the past few years continue to put their mark on digital transformation trends.
Transitioning from a traditional office-based infrastructure to a more flexible and ‘remote-first’ approach means that existing solutions, primarily intended as secondary or provisional options, have been put under increased strain. This, in turn, has required investment in new and improved digital tools and infrastructure. Although Norwegian organisations in some ways have been somewhat ahead of the curve in terms of transitioning to a more flexible and decentralised working environment, many saw need for further improvement when the time came to ‘flip the switch’ in the spring of 2020. In this respect, the current environment has been an accelerator within digitisation, as many organisations have had to speed up and expand their ongoing digital transformation initiatives. We have seen this in maintained and increased activity within digital transformation projects and technology procurements, both on the customer and supplier side. Our impression has been that already planned and ongoing transformation projects have been maintained throughout this period, and that technology procurements have been prioritised by organisations despite the general uncertainties regarding the economic outlook in most markets. It is interesting to see that many of the measures taken and processes commenced in this respect have been kept in place as the Norwegian society has begun its transition back to normality. Studies have shown that many people have appreciated the more flexible work set-up that had become the norm and, consequently, many organisations see the value in having the necessary infrastructure to permit a more flexible working environment on a permanent basis.
The prevalence of cyberattacks on Norwegian organisations have continued to increase. The attacks primarily exploit what is often the weakest link in any information security setup − human error. This has demonstrated the importance of taking a more holistic approach to transformation projects, and highlighted that a successful digital transformation goes beyond mere technology procurement. Employee training and awareness building has had a revived focus, as organisations have developed increased awareness that this is and remains the first line of defence against cyberattacks, regardless of how substantial and advanced the technological security mechanisms may be.
GDPR enforcement and European data protection developments over the past year has brought increased awareness to the data protection implications of digital transformation. Innovative and advanced digital solutions often involve new and increased personal data processing operations, which organisations are increasingly addressing and assessing prior to implementations rather than after the fact (as has often been the case previously). The implications of the Schrems II judgement from the Court of Justice of the European Union (ECJ), as well as the Recommendations on international transfers of personal data from the European Data Protection Board (EDPB), have in particular begun to make their mark. Due to the wide-reaching implications of these developments for using Cloud infrastructure and software-as-a-service (SaaS), we have seen a dramatic increase in the focus on data centre locations, and where these may be accessed from, in connection with both new and ongoing digital transformation projects. This increase in awareness has put increased demands on the suppliers in digital transformation projects to demonstrate GDPR compliance and how they can help organisations meet their own compliance requirements. A risk associated with the latter observation, as perceived from the supplier side, is that some organisations may seek to overly rely on their suppliers for their own compliance measures.
A trend that continues to be prevalent in Norway the expansion of digital partnerships between organisations, both vertical and among peers, in more traditional market segments and innovative technology specialists to enter into new markets and business sectors. This includes major actors within insurance, finance and real estate leveraging market insight and data in partnerships with technology specialists to develop and offer new products and services within data analytics.3 What are the key legal and practical factors that organisations should consider for a successful Cloud and data centre strategy?
The migration from on-premise and legacy based systems to Cloud environments and SaaS continue to dominate IT strategies in most Norwegian organisations.
Key drivers for this continuous shift remain the same; businesses seek to achieve lower operational and capital costs, access to better, more modern technology and accelerate the development and rollout of new products and services in response to constantly changing external and internal demands.
However, certain operations require a closer proximity and better control over the computing resources than public Cloud services typically offer. Such requirements may stem from regulatory requirements and business-driven requirements. In those circumstances, a more traditional data centre strategy may be required. The push towards more Cloud solutions and the pull towards more traditional data centre solutions therefore typically calls for a diversified computing and data storage strategy in most organisations.
In highly regulated sectors, we have traditionally seen a reluctance to use public Cloud services. However, as Cloud service providers mature and develop more tailored services to various sectors, we see an increasing adoption of Cloud services even in highly regulated sectors such as financial services and insurance. From a practical perspective, considering the demands of the business will be key in establishing a successful Cloud and data centre strategy. Some typical and important considerations to be made include: suitability for the public Cloud, including whether legacy systems can be supported by modern Cloud platforms; support and managed services capabilities of the Cloud provider; information security and business criticality may intuitively drive a data centre strategy, but may actually be better served by a Cloud provider; the need for proximity to the computing resource may dictate an on-premise solution rather than Cloud; and hidden costs: the Cloud comes with a promise of reduced costs and utility pricing models, while the reality often reveals establishment costs and long-term volume commitments sometimes rendering the Cloud service equally (or more) expensive than traditional models.
From a legal standpoint, Cloud migration and data centre strategies will be impacted by the regulatory landscape in which the business operates. Norwegian financial institutions and other regulated entities will typically have to observe both local and European regulatory guidelines and requirements pertaining to outsourcing and Cloud migration, including local requirements set out in the Norwegian ICT regulations, sector-specific EU law as well as guidelines laid down by industrial bodies such as European Banking Association and European Insurance and Occupational Pensions Authority to mention a few.
Similarly, certain Norwegian data storage requirements may impact what type of data is being processed and stored in data centres outside of Norway or the European Economic Area (EEA). Data protection and cybersecurity laws remain important factors to consider in any company’s Cloud and data centre strategies. Assessments regarding data location should be made as to whether certain data should be stored within Norway (due to, for example, regulatory requirements, sector guidelines or contractual commitments) and whether the Cloud provider relies on data processors outside the EEA. The above-mentioned Schrems II judgment from the ECJ has put an increased focus on the latter, requiring additional assessments of the privacy risk level in the country where the processing takes place, despite using EU’s standard contract clauses for transfer of data. The Norwegian Data Protection Authority has largely adopted the same guidance on international transfers as the EDPB, although, as in other European countries, precisely what requirements this imposes remains in flux. Many organisations, in particular those in traditionally heavily regulated sectors, have expended significant resources attempting to pinpoint for example the required level of diligence, the scope expected of the organisation’s assessments, which and how many measures are necessary and what residual risks (if any) may be accepted. This creates a significant amount of uncertainty with regard to how Norwegian businesses can continue to use Cloud providers with data centres or support functions outside the EEA. However, the real-world market conditions of Cloud infrastructure often mean that some degree of international transfers are unavoidable for most organisations in connection with digital transformations.
Other elements of importance for implementing a successful Cloud and data centre strategy include having a well-considered view on the use of subcontractors. The inclusion of customer and third-party audit rights have been a source of controversy in negotiations with Cloud providers for quite some time, particularly as Norwegian financial regulations traditionally have not been accommodating to more restrictive audit rights. As both data centre providers and regulators mature, this is now normally an issue that is resolved between the parties.4 What contracting points, techniques and best practices should organisations be aware of when procuring digital transformation services at each level of the Cloud ‘stack’? How have these evolved over the past five years and what is the direction of travel?
Procurement of digital transformation services, irrespective of which level of the Cloud stack, raises several similar challenges.
A common challenge relates to the existence of incompatible interests between the transformation partner and the customer, which causes friction in the execution of the project. In order to address this, it is key that the contract is drafted to ensure that both parties’ interests are addressed and aligned to the extent possible. Ideally, common incentives to achieve the intended business goals in the transformation project should be explored, for example, by using charging models geared towards achievement of certain business goals (eg, achieving a defined business case for the transformation). While this is a tempting proposition, reality often shows that such models are difficult to use in practice as they require a level of control by the vendor over the customer’s value chain, priorities and ability to execute on the transformation enablers (such as staff reductions). The commercial model and the delivery model (methodology) should also be carefully aligned. Almost every transformation project uses Agile project methodologies, simply because the development of the requirements forms a central part of the transformation process. At the same time, most businesses want budget certainty for the transformation initiative. However, the scope of flexibility required in an Agile development model is not necessarily compatible with the rigidity of a fixed-price commercial model. While flexibility in the project execution is certainly necessary for the successful execution of most transformation projects, it does not necessarily warrant a complete lack of risk-sharing (eg, by using a 100 per cent time and material price model). A more tailored approach is often needed, containing a mix of time and material work (for the least predictable workloads), target-pricing or risk-sharing and fixed-price components.
Traditional project challenges, such as routines for ensuring continuity of personnel, routines for allocating project responsibility from the vendor to the customer, sanctions for delays, the process of defining requirements for the end result, etc, are still highly relevant when business transformation leverages Cloud. Still, Cloud services raise specific challenges pertaining to handling multivendor landscapes. SaaS vendors are known for invoking broad reservations on the basis of the ‘business model’. Scalability is typically invoked for broad waivers and responsibility carve-outs. Ensuring key contracting points such as scope, price, time and responsibility is equally important for transformation services that leverage different Cloud stacks, as for traditional IT services.
The demand for digital transformation leveraging Cloud services has dramatically increased in recent years. Traditional industries continue to seek renewal by leveraging hyper-scalable infrastructure, standard software and platforms from multinational vendors. Local integrators are maturing and increasingly offer standardised and proven service offerings. Anecdotally, we have witnessed greater willingness for vendors to assume responsibility for the customer’s achievement of transformation business cases. The direction of travel seems to be increasing maturity on the local Cloud service market, catering the demand for customer specific adaptations and integrations to standardised Cloud services.5 In your experience, what are the typical points of contention in contract discussions and how are they best resolved?
The ‘usual suspects’ continue to be the most common points of contention in supplier or customer contract discussions, as much of the contract discussions often revolve around topics such as price, liability and remedies.
The shift towards increased standardisation of service offerings and contracts in connection with increased adoption of Cloud-based solutions often creates less room for negotiations, for example, with respect to the technical infrastructure of the service in question (eg, data centre localisation) and the degree to which the suppliers are able or willing to accept liability for third-party components of the services.
The increased standardisation is also generally reflected in the sanctions and remedies suppliers are willing to offer (increasingly restricted to service credit regimes) and the liability limitations they are willing to accept. The topic of liability under data processing agreements has, in particular, become a recurring point of contention in contract discussions, as many customer organisations demand uncapped liability that the suppliers are unwilling to accept.
From the supplier’s side, a recurring theme is that these considerations are often a reflection of risk factors underpinning the supplier’s pricing strategy, and a precondition for being able to offer the services in question at the quoted price point. Many Norwegian customers, however, are accustomed to a more broad and general scope of the supplier’s responsibilities, and the customer’s access to remedies. This creates a tension between the interests of the supplier and customer side of the negotiations that is not always easy to reconcile.
However, most customer and supplier organisations are reasonable, and willing to make concessions in the interest of supporting a good cooperative relationship going forward. Our experience is that most points of contention may be resolved by addressing the concerns underlying each party’s positions through pinpointed contractual measures.
As an example, customer organisations are often understanding of the fact that modern digital solutions are multifaceted, and often reliant on contributions and services from third parties over which the supplier will have little actual control (eg, Cloud platform providers). They will therefore often accept that the supplier is unwilling to insure the customer with respect to deficiencies in such third-party components or services by accepting liability beyond what the supplier may enforce itself towards the third-party provider in question. Conversely, suppliers may often be willing to accommodate a more expansive sanctions regime with respect to service elements where there are fewer third-party dependencies (albeit often subject to adjustments in the contract price reflecting the supplier’s perceived risk increase).
A final and more general source of some contention in contract discussions, are disagreements concerning the contract format, structure and language itself. Many Norwegian organisations are now contracting using contractual templates originating from, or inspired by contractual traditions in, other jurisdictions. Norwegian contracts have traditionally been more general and simpler in construction and language, relying on background law to safeguard the interests of the parties under circumstances that are not explicitly regulated in the contract. Internationally inspired, and more comprehensive, contracts may therefore be met with some scepticism and require some additional rounds of negotiations before both parties are comfortable and content with the final product. This latter point should, however, not be exaggerated.6 How do your jurisdiction’s cybersecurity laws affect organisations on their digital transformation journey?
As Norway does not currently have any cybersecurity laws that apply generally, most Norwegian organisations’ digital transformations are not affected by statutory cybersecurity requirements. However, certain exceptions do apply within specific industries and business sectors, as discussed above.
Both generally, and for those organisations subject to sector-specific regulations, we are increasingly seeing a trend towards using standardised tools and certifications to substantiate cybersecurity credentials and demonstrate contractual or statutory cybersecurity requirements.7 How do your jurisdiction’s data protection laws affect organisations as they undergo digital transformation?
Norway has implemented the GDPR, and the Norwegian Data Protection Authority have generally aligned its application of the GDPR with the EDPB and the supervisory authorities in the other Nordic countries. Norwegian data protection law is therefore generally aligned with, and poses few additional restrictions compared to, the data protection law in other European countries.
With respect to data localisation requirements and export restrictions, there are some national laws that may affect organisations’ ability to leverage a decentralised technical infrastructure (eg, Cloud solutions), which involve transmitting, storing and processing data outside Norway.
While Norway has comparatively few data localisation requirements and restrictions, there are some laws and regulations that require local data storage. These restrictions are primarily intended to protect the tax authority’s access to certain financial information. The Bookkeeping Act and bookkeeping regulations include requirements for local storage with respect to accounting materials and electronic cash register journals as the main rule, although exceptions do apply. There is also a requirement to store tax documentation within Norway for a period of five years pursuant to the tax payment regulations.
One other, and more general data localisation requirement follows from the Norwegian Archiving Act, which requires that all public bodies must store data subject to their archiving duties within Norway. As with the accounting materials, exceptions may be made in certain circumstances. Private organisations are not subject to this requirement.
We should note that there is some uncertainty with respect to whether the data localisation requirements and restrictions that Norway have will remain in place, and in what form. Norway implements EU directives and regulations through the EEA, and is assessing the need to amend the data localisation provisions we do have in order to implement Regulation 2018/1807 on a framework for the free flow of non-personal data in the European Union (FFD). The Regulation is still under consideration by Norway and the other EFTA countries with respect to EEA implementation, and the provisions discussed above in this part are among those being reviewed as a part of this process.
Of course, the developments with respect to transfers of personal data outside the EEA under the GDPR are also highly relevant, as discussed above.8 What do organisations in your jurisdiction need to do from a legal standpoint to move software development from (traditional) waterfall through Agile (continuous improvement) to DevOps (continuous delivery)?
An organisation moving from waterfall development, employing a vendor to provide a fixed outcome against a fixed price, through Agile development and DevOps needs to rethink and recalibrate its entire risk approach. While we rarely see true waterfall development projects these days, most organisations in Norway run multiple Agile projects, employing experts from specialised vendors. However, while vendors employ Agile development models, many customers still expect the cost predictability offered by traditional Waterfall models. An unspecified scope coupled with a fixed price or risk sharing price model often creates conflicting interests between the vendor and the customer and tension in these projects, and we have seen a quite substantial increase in litigation over failed Agile projects in the past few years due to this phenomenon.
Businesses embracing true Agile and DevOps development models with incremental development, prototyping and frequent change (and frequent deployment in DevOps) to accommodate frequently shifting business need to reconsider their mindset and rather think of these as in-house activities, despite engaging external expertise. These businesses may use Agile and DevOps internally already, but we often see that as soon as they need external experts, they view the relationship as a vendor−customer relationship, using traditional IT contract templates. However, if they contract these experts under augmentation contracts, they will probably get most value for their money.
With respect to DevOps in particular, we are seeing a shift from more traditional application management contracts distinguishing between application operation services, application maintenance services and application development service to contracts combining these service elements and changing service management service descriptions and service level measurements.9 What constitutes effective governance and best practice for digital transformation in your jurisdiction?
Unfortunately, traditional technology sourcing models and contracts still seem to be most frequently used in digital transformation projects in our jurisdiction. While this seems to be the prevailing practice, it is in our view not necessarily the best practice. In our view, digital transformation projects are less about technology than people and business processes. Any digital transformation process must take this into consideration. When a business runs a digital transformation project, it is of key importance that the project staff understand the business, its people and associated opportunities and challenges. To cater for this understanding, the digital transformation project must be governed in a manner where this insight is
obtained, processed and the digital transformation solutions are validated with key stakeholders in the business. This applies for any digital transformation initiative, whether it is being run by internal or external project members.
When employing an external vendor to participate in, run, or manage the digital transformation initiative, effective governance also requires identification of potential diverging interests between the vendor and the customer and addressing and managing these in the relationship. These diverging interests almost invariably revolve around the topic of commercial risk. We have found that using the contract negotiation process to identify, address and structure these diverging interests is the most effective way to manage this. In our experience, capturing governance mechanisms suited to the specific relationship in the contract, including the proper commercial model, is the key to success.
The Inside Track What aspects of and trends in digital transformation do you find most interesting and why?
Over the past few years, we have seen an increasing number of clients resorting to a hybrid approach, combining public Cloud, single tenant and more traditional infrastructure solutions to achieve a balance of accessibility, simplicity, compliance and control. This, in particular, applies to larger organisations with existing, complex digital infrastructures, and clients in regulated business sectors such as banking and finance. This trend highlights that more ‘traditional’ and mature solutions still have a role to play in digital transformation projects.What challenges have you faced as a practitioner in this area and how have you navigated them?
In negotiations, particularly involving larger organisations, certain fixed contracting principles and policies may often result in the parties assuming somewhat confrontational positions. Approaching these negotiations with a degree of pragmatism is often required to help the client make progress in difficult negotiations. This, in turn, requires a clear view of the client’s goals to practise a correct prioritisation of positions and ensuring that positions achieved in one area do not come at the cost of concessions that are ultimately detrimental to other important interests of the client.What do you see as the essential qualities and skill sets of an adviser in this area?
The most essential skill set is being able to identify the key interests of the client and understanding its business objectives. This enables devising a tailored legal strategy with a clear prioritisation of positions and a focus on ensuring that these interests are protected.
Having experience in assisting both supplier and customer organisations in digital transformation projects, coupled with a proactive approach, this is often essential in guiding the client in the process of understanding the counterparty’s position and prioritising one’s own.