Legal Issues in Offshore Outsourcing Contracts
Recent research published by industry analyst Gartner shows that the business process outsourcing sector will expand by 5 per cent in 2012, with multinational companies leading the charge. Business process outsourcing is seen by many companies as a means of reducing costs. Companies have been engaging in outsourcing (both information technology and business process services) for many years. Use of foreign-based third party service providers is also not new. While many of the issues are not unique to offshore outsourcing engagements, offshoring highlights the importance of some of the challenges.
Companies have been outsourcing various types of business processes to offshore service providers, including employee benefit administration, payroll processing, customer support, insurance claim review, credit card processing, mortgage servicing, or tax return administration. Sometimes outsourcing arrangements involve disclosing large volumes of personal or sensitive information to service providers. There have been incidents where employees of offshore suppliers misused the personal or sensitive information entrusted to them as part of the outsourcing arrangement. While data privacy incident may occur anywhere, customers have less control when service providers are located in another country. Privacy and security requirements are key consideration in any offshore outsourcing arrangements. It is important for customers to include provisions that require service providers to implement and maintain security measures that are designed to safeguard customer information.
Offshore outsourcing also involves the risk of potential applicability of foreign jurisdictional law to the outsourced activities. A company located in Canada may decide to outsource its back office processing function to a service provider at an offshore location. The arrangement may involve sending personal information of Canadian customers to the service provider’s data centre in the United States. The data may be backed up in Europe and processed by the service provider in Asia. Since different countries have different approaches to privacy, the requirements of each jurisdiction must be considered. Companies that engage in offshore outsourcing should consider how foreign data privacy laws or regulatory requirements may interact with the domestic privacy laws and regulations and how any possible conflicts can be managed.
There are also country risks (social, economic and political instability) involved in doing business in certain countries. For example, escalation of the India/Pakistan conflict, potential terrorist attacks, civilian unrest, acts of war which could prevent the offshore service provider from delivering the services. If the outsourced function involves critical business operation, customer needs to develop plans to actively monitor the country risk, develop its own contingency or resource backup plan, and build in mechanism in the outsourcing contract to deal with the contingency plans and exit strategies. While service providers always have business continuity plan, customer needs to examine the plan to determine how it works with customer’s continuity planning and to assess the likelihood that the service provider will be able to implement its plan when required. For example, a contingency plan that moves workers from one region to another (or even from one country to another) may be difficult to implement. The contingency plan needs to be tailored according to the nature and criticality of the work being performed at the offshore location, the complexity of the work, and the onsite/offshore staffing ratio.
What is actually even more important is enforcement. We repeatedly see cases where there are laws on the books but the lack of regulatory compliance & enforcement goes virtually unattended to. From this unstable base it’s difficult to enforce contracts and operating agreements if there is no means of attaining attention. This condition will cause difficulties at both the local and foreign courts levels.