Trade-Related aspects of Intellectual Property Rights (WTOÔÇ“TRIPs) Agreement, and
the Paris and Berne Conventions, establish minimum standards for IP protection in their
member states. The degree to which governments enforce these standards varies widely.
Most businesses rely on a combination of law and contract to protect their IP.
However, contract terms that work well in your country may not be enforced in the same
way in another country. There are no guarantees that your IP will be protected, even with
great contract provisions. Good contract terms help, but they are not the end of the story.
Consider the following example:
A UK manufacturer of consumer products, called Royal, engages an Indian
software company, called Ajit Software Writers, to create custom software for
Royal. Ajit has a sales of´¬üce in London, but no other operations or assets there.
Royal provides its software development agreement to Ajit, and Ajit signs. The
agreement states that all software written under contract for Royal is to be owned
by Royal. Ajit has no license rights to use the software, and the agreement
is governed by UK law. As is the typical practice with Ajit, an employee
located at RoyalÔÇ™s of´¬üces in London gathers the high-level requirements for the
software, and the software is developed entirely in India by Ajit personnel.
Three years pass and Royal learns that Ajit is licensing the software in India.
At this point, RoyalÔÇ™s enforcement of its rights in the software becomes quite
complicated. Royal may ´¬ürst attempt to enforce its contract by bringing legal
action against Ajit in the UK. Royal will want money damages (e.g. lost license
fees) and will want Ajit to cease use of the software. If Ajit has suf´¬ücient assets
in the UK, Royal may get money damages. If Ajit does not have suf´¬ücient
assets, Royal may be forced to bring actions in India to receive compensation.
But money compensation is only part of the story. What Royal really wants is
for Ajit to stop providing the software to others. Royal may get the UK court to
rule that Ajit must stop licensing the software in India. The UK courtÔÇ™s ability
to enforce that ruling, however, may be limited, especially if AjitÔÇ™s business
presence in the UK is still limited to a sales of´¬üce. If Ajit continues to use the
software in India, Royal may be forced to go to India to protect its software.
Enforcement of RoyalÔÇ™s rights may take years.
Enforcement of contract rights in a foreign country can be very dif´¬ücult. The local courts
and enforcement authorities are likely to apply local laws and favor the local company
(i.e. Ajit) over the foreign company. Different use rights, registration requirements for
114 Managerial competency
protection of IP and laws apply. Royal may spend a lot of time and money attempting to
get compensation and to end AjitÔÇ™s wrongful use of the software. There is no guarantee
that Royal will succeed at either objective. In the right cases, international arbitration
may be a better dispute resolution process for international disputes.
Labor and employment rights
Labor and employment laws play a huge part in the cost and practicality of offshoring.
Most countries have complex laws protecting workersÔÇ™ rights. They can affect not only
the customerÔÇ™s employees, but those of the provider as well. You should understand the
labor and employment issues in offshoring, especially where existing workersÔÇ™ jobs
may be eliminated or replaced. For example, in the US, the US WARN Act requires
employers with 100 or more employees to provide a 60-day notice to displaced work-
ers in certain circumstances.
In the European Union (EU), countries have enacted regulations that implement the
Acquired Rights Directive to protect workersÔÇ™ rights. The purpose of the Acquired Rights
Directive is to safeguard the rights of employees on the transfer of a business or a portion
of a business to a new employer. Under certain circumstances, the Directive and coun-
try regulations may apply to offshoring and/or outsourcing.
If the Directive applies, then the transfer or elimination of employees must comply
with various principles and regulations. These principles and regulations may require
that employees transfer with the entity, and that they get the same terms and conditions
that they enjoyed immediately prior to the transfer. Employees who are dismissed
before or after the transfer may have claims for unfair dismissal. Finally, representa-
tives of the employees affected by the transfer are entitled to be informed about the
transfer and to be consulted on measures which are proposed as a result of the transfer.
In offshoring, employees often do not transfer to the offshore provider. However, the
Directive may still apply to the affected employees. In such case, the employees may
be entitled to notice and counseling, if they are affected by job replacement, changes, or
release due to the offshoring. Severance payments and other rights may also be triggered.
Other countries impose stringent hiring and ´¬üring requirements on employers, requir-
ing government approval for layoffs and closures. For example, in India, if a company
employs over 100 employees, a government approval may be required to ´¬üre employees.
If such approval is denied, the company may be forced to implement voluntary retirement
schemes and pay the employees to resign. In Canada, some Eastern European and some
Latin American countries, workers who are transitioned to an outsourcing provider
may be entitled to severance payments even though they obtain a new position with the
Immigration laws also affect offshoring, particularly where foreign workers need to
be close to the customer. Under US immigration law, in September of 2003, the number
of H1-B work permits available was reduced from 195,000 to 65,000 annually. This
reduction of H1-B work permits may limit an offshore providerÔÇ™s ability to place staff
115 Offshore legal issues
onsite in the US. Outsourcing agreements should allocate responsibility to the provider
for managing such visa, immigration and quali´¬ücation to work issues. It is important
for the customer to know that provider personnel hold all appropriate work permits and
authorizations required under applicable laws.
Import and export issues
Various countries have export restrictions that affect the types of products and services that
may be sent across borders. For example, certain types of software may not be sent to or
from various countries. In the US, certain software products with strong encryption capa-
bilities are regulated as weapons by the Department of Defense. It is illegal to transport this
software outside of the US without ´¬ürst obtaining the appropriate approvals. Thus, a com-
pany in the US that desires to send regulated software offshore for maintenance and devel-
opment may not be able to do so without the appropriate approvals and licenses, or may
not be able to do so at all. Similarly, China regulates the import of encryption software.
Countries often have laws that restrict access to certain types of sensitive business
and government data. In the US, a company that sells products and services to the fed-
eral government may have sensitive data that is protected by regulations and agree-
ments with the federal government. In those cases, the sensitive data which may be part
of a larger database, may only be accessed and used by approved individuals in the
company. Access to such data, by foreign citizens inside or out of the company may be
a violation of the regulations and agreements.
Privacy and data transfer
Recent developments in privacy laws worldwide have created some complications for
offshoring transactions. Privacy and its close cousin, data security, are emerging as key
new topics that present both legal and business risks. Failure to consider and plan for
privacy issues can bring unwanted consequences, such as bad publicity, of´¬ücial enforce-
ment actions, ´¬ünes and penalties, and private lawsuits. Even more damaging is the loss
of public trust that can result from privacy problems.
US privacy landscape
The US historically has favored self-regulation for privacy protections. This meant that,
until recently, there was little US privacy law to consider in offshoring. Technology has
brought big changes ÔÇ“ robust databases, data mining, CRM tools, cookies, cross-matching
of data, Internet use, data sharing, offshoring and outsourcing. These changes are seen
as a threat to privacy rights. Consumer protection groups and governments are express-
ing privacy concerns.
The US Congress enacted the following privacy legislation in the areas of personal
´¬ünancial, health and medical information:
Ô—Ć The Gramm-Leach-Bliley Act governs personal ´¬ünancial information.
Ô—Ć Health Insurance Portability and Accountability Act (HIPAA) covers health and
116 Managerial competency
ChildrenÔÇ™s Online Privacy Protection Act (COPPA) governs information collected
online from children under the age of 13.
Apart from the recent laws and a few prior existing ones, many US businesses rely on
self-regulation, including voluntary industry guidelines, membership in privacy certi-
fication programs, such as TRUSTe, or compliance with a self-established privacy state-
ment and program. The Federal Trade Commission has taken an increasingly active role
in privacy matters.
States, too, are beginning to add to the growing body of privacy law and regulation. The
State of California has a tough data security law (effective July of 2003) that requires
noti´¬ücation to individuals of possible security breaches involving the compromise of
their personal data. Other states may follow CaliforniaÔÇ™s lead.
European Union Data Privacy Directive
The EU has been a leader in enacting and enforcing privacy regulation. Companies that
collect or process data in the EU, or that receive data from the EU, are most likely sub-
ject to the EU privacy regulations.
The European Union Data Privacy Directive (95/46/EU) was adopted by the European
Commission in 1995. It required the EU member states to enact legislation in accor-
dance with the Directive by late 1998. The Directive has been implemented in EU
countries through this national legislation. For our purposes, references to EU privacy
law means, both the Directive and the national legislation.
The EU privacy law applies to any business that collects and processes personal data
on EU residents. You do not have to be located in an EU country to be subject to the EU
privacy laws. The EU privacy laws regulate the collection and processing of employee
data, customer data, patient data, and other personal information. This affects many areas
of outsourcing, such as the outsourcing of human resource functions, ´¬ünancial func-
tions, and IT functions where personal data is involved.
A particularly critical area covered by EU privacy laws is the transfer of data to coun-
tries outside the EU, even if you (or your offshore provider) are just transferring your
own internal data from your EU operation to another operation. The EU privacy laws limit
the export of regulated data to countries that do not offer ÔÇťadequate protectionÔÇŁ. Only a
few countries that are not members of the EU have been approved by the EU to receive
this regulated data. They include Switzerland, and Canada. India, China, Malaysia, the
Philippines, Russia, and many other offshoring destinations are not yet deemed to have
adequate protection. You cannot send EU personal data to these countries unless you
use one of the approved methods of transfer.
There are several ways to accomplish these transfers legally, but none of them are
easy. For example, if you want to transfer data on your customers in France to India,
you could ask the French data privacy authorities for approval of the transfer. This
could be time consuming, and it may require you to keep going back to those authori-
ties for approval as facts or circumstances change. Alternatively, you could get each
117 Offshore legal issues
customerÔÇ™s consent, which could be an onerous task. In an offshoring context, the most
ef´¬ücient way to handle data transfers is likely through use of EU approved data trans-
fer contract clauses. These clauses require the data transferor and transferee to agree to
a set of contract provisions that are consistent with the data privacy laws, and that allow
enforcement by the EU authorities and the people that the data describe, referred to in
the EU privacy law as data subjects. Another alternative available for transfers of data
to the US, may be the US ÔÇťSafe HarborÔÇŁ arrangements. Under the ÔÇťSafe HarborÔÇŁ scheme,
a US company may self-certify to the US Department of Justice that the company is
in compliance with the Safe Harbor data protection principles. The EU has agreed to
permit transfers of EU data to companies that have self-certi´¬üed as to their Safe Harbor
Failure to comply may result in enforcement actions by the EU authorities in various
EU countries. Each country has the ability to enact and enforce its own sanctions. In
the UK, individuals and/or corporate bodies may be prosecuted and ´¬üned for violations.
SpainÔÇ™s laws carry high ´¬ünes, up to 600,000 USD per violation. Spain has already pur-
sued two well-known companies (Microsoft and Telefonica) for violation of its data
laws. In addition to ´¬ünes, enforcement actions can include interruption or shutdown of
your data collection, data processing and data transfers. Failure to comply can also
bring on private lawsuits from data subjects. All of these things can seriously damage
the reputation of your company or business.
Other international developments
Many other countries are following the EUÔÇ™s lead in regulating data privacy. Some
countries that would like to gain admission to the EU are considering laws similar to
those of the EU. Other countries such as Canada, Australia, Argentina, and Japan have
enacted or are considering their own new data privacy laws. India has not yet passed
data protection and privacy measures similar to those in the EU, although India is con-
sidering entering into an arrangement with the EU that would provide a means for data
to be transferred from the EU to India.
Offshoring and data privacy compliance
Privacy laws generally put the burden of compliance on the client, not the provider. If
you are the client, consider the following suggestions for managing privacy issues with
Ô—Ć Know the Privacy Laws, but make sure your provider knows them too. Usually the
customer will shoulder most of the direct obligations under the privacy laws.
Outsourcing providers will seek to shift responsibility and cost for tracking new
developments in the law to the client. This shift may not be appropriate in all
cases, especially when the provider has multiple clients who are subject to privacy
laws. You will need to negotiate the proper allocation of responsibility for staying
up to date on the changing privacy laws.
118 Managerial competency
DonÔÇ™t pay the providerÔÇ™s whole tab for compliance. Compliance with privacy laws
costs money. You and the provider may have to consider changes in technology
infrastructure, data handling procedures, security measures, data storage, locations
of data centers, information sharing policies, and many others. A good offshore
provider will already be familiar with the laws applicable to it and its clients and
will have taken action to comply. Resist provider attempts to present you with the
whole bill for compliance.
Get strong contractual assurances. Your outsourcing provider should agree to a
variety of provisions aimed at helping you to comply with privacy laws. These
include your control over and access to the data; the use of appropriate data
security measures; restrictions on data use, transfer, processing, and sharing; an
agreement to make changes as required by changes in privacy laws; facility audit
rights; and many other similar topics. In some cases, the privacy laws may require
use of speci´¬üc contractual provisions, as is the case with the EU privacy laws.
Government approval of outsourcing
Offshoring is a hot political topic in Europe and the US, as discussed in Chapter 12,
Offshore Politics. By 2004, in the US, the federal government and more than 30 states
had considered legislation to limit offshoring. These proposed laws re´¬‚ect a growing
trend toward regulation of offshoring. Some of the proposed measures require that
prior notice be given to affected employees. Others seek to prohibit offshore outsourc-
ing altogether. Similar developments have been taking place in Europe. Rapid devel-
opments in this area mean that organizations considering an offshore outsourcing
arrangement have no choice but to monitor these developments.
Aside from laws seeking to regulate offshoring, political relations with the target
country can be a factor as well. Political discord can lead to regulations that impact the
offshore services, such as the imposition of quotas, taxes and tariffs, restrictions on for-
eign ownership or control, embargoes and other similar measures. In 1998, the US
imposed sanctions against both India and Pakistan for nuclear testing. While these sanc-
tions did not directly affect offshore outsourcing arrangements, sudden actions like an
embargo may disrupt offshoring.
Offshoring services to a third party can have a tax impact. Applicable service taxes must
be considered to have a complete picture of the cost and potential savings of offshoring.
In addition, the contract and deal structure should provide for the minimization or
recovery of such taxes to the extent legally possible.
Some taxing authorities, including some states in the US, impose taxes on the pro-
vision of services. For example, when a company provides services for itself at a location
in the State of Texas, US, the company does not incur any service taxes in connection
119 Offshore legal issues
with those services. If the company outsources those services (whether domestically or
offshore), the services that are provided to the Texas location may be subject to a services
tax. Withholding taxes may apply in international transactions, and many EU and other
countries have VAT taxes which apply to goods and services provided or sold within
If payment will be made in the currency of one country and converted into the currency
of another country, there is the issue of ´¬‚uctuating currency conversion rates and the
risk that one or both parties take regarding the relative strength or weakness of their cur-
rencies. Also, there is the risk that it may be costly or impossible to convert currency at
all. Some governments recognize particular currencies for conversion and reporting
purposes. For example, the Chinese government regulates the ´¬‚ow of foreign currencies
in and out of China, and requires certain documentation evidencing the underlying
transaction. China also dictates the exchange rate and restricts use of Chinese currency
to pay obligations to foreign entities.
Sometimes it is advantageous to ´¬üx the particular currency of payment and the con-
version rate so that both parties understand the nature of the currency risk going into
the deal. This gives either party the opportunity to hedge or correct for that market risk.
Alternatively, it may be advantageous to let the currency conversion rates ´¬‚oat with the
market. It may also be advantageous to allow a party to dictate payment in a convert-
ible currency if regulations reduce convertability. In any event, it is important for both
customers and providers to understand the risk associated with payment in foreign cur-
rencies, and in particular, whether such risks create any additional costs.
Principal deal structures
Four basic deal structures are used when offshoring. Each of these four principal struc-
tures comes with various bene´¬üts and burdens. In some cases they involve balancing the
risk mitigation strategy against the anticipated bene´¬üts of the offshoring. In Chapter 5,
Offshore Strategy, these deal structures were discussed from a collaborative strategy
perspective, but the risks and bene´¬üts are worth re-visiting from a legal perspective.
Some companies create their own offshore service and development centers. Companies
that use this option must comply with local laws. For example, establishing a new busi-
ness location generally requires registration with various authorities (federal, provincial,
state, local, and often municipal). There may also be local corporation laws that dictate
who may own the company and according to what ownership structure and interests,
120 Managerial competency
who may control the board or management committee of the company, and a host of
other corporate governance considerations.
Special permits and operating licenses may be needed. Local employment laws may
impose wage and bene´¬üt requirements, collective bargaining agreements, and other simi-
lar requirements. There can also be signi´¬ücant tax implications to establishing a cap-
tive offshore facility. This is because returns from the captive entity may be subject to
tax in the offshore location as well as in the parent companyÔÇ™s location.
In this alternative, the customer and the provider form and own a joint venture in the
offshore country. The joint venture then services the needs of the customer. The joint
venture may also sell services to third parties.
A joint venture can align incentives and goals of the customer and the provider, in
part through sharing of pro´¬üts and losses. However, joint ventures can be complex to
establish and govern. They require initial investment, and they may be expensive to
exit. In addition, the parties establishing the joint venture still need to comply with
local laws for establishing and running the business, and they deal with the same issues
that companies have when they establish their own captive presence in the offshore
location. As with captive organizations, the tax implications of a joint venture must be
considered in looking at the total cost of the option.
Build Operate Transfer
In this model, the customer hires a provider to build and operate a service organization,
with an option or the obligation to purchase the established entity after a certain period of
time. A Build Operate Transfer (BOT) model may require a low to moderate initial
investment. Issues of legal compliance with local laws are generally left to the service
provider until the transfer occurs. The BOT model allows the customer to become famil-
iar with the legal requirements over time and well before the customer takes control of the
BOT service organization. In addition, since BOT models are usually viewed as a service
arrangement, they are unlikely to have some of the same tax disadvantages that may exist
with captive or joint venture models, at least prior to ownership of the BOT organization.
A great number of offshoring arrangements are completed through the traditional cus-
tomer and provider services agreement. In a traditional services arrangement, the cus-
tomer transfers responsibility for certain services to the provider. Often this process is
started with a request for proposal (RFP) to one or more providers. The providers respond
describing their service delivery solutions, their capabilities and their pricing, and the
customer selects one or more providers with whom to negotiate offshore agreements.
121 Offshore legal issues
Traditional offshore outsourcing arrangements have various advantages and disad-
vantages over captive arrangements and joint ventures, and in some cases, BOT models.
The opportunity to lower costs due to a competitive bidding structure is a major advan-
tage. Providers have a greater ability to maximize ef´¬üciencies and lower costs because
they are typically servicing many customers. Providers can usually provide higher ser-
vice levels due to their specialization and ef´¬üciencies. The disadvantages may include:
Ô—Ć loss of control,
Ô—Ć loss of ´¬‚exibility,
Ô—Ć the possibility of misaligned incentives between the customer and the provider,
Ô—Ć cost overruns.
Solid contractual provisions can secure some of the advantages and mitigate some of
the key disadvantages in offshoring to a provider. There are also different contract
structures that can minimize the risks as well. These structures and contractual terms
are discussed below in the next section.
Offshore outsourcing agreements take many forms. Below are some common approaches
used to offshore software development activity.
Pilots. Pilots are a means of testing offshore outsourcing. For example, a company may
decide to offshore maintenance for a limited set of non-core applications, and gradually
increase the scope to more critical applications, if the offshore arrangement proves suc-
cessful. A major American technology company used multiple pilot projects to begin
work with providers in India, and China. Through trial and error the company learned
that certain providers are better at providing resources for small jobs, while others are
more suited to longer and more complex ones. The company then expanded its outsourc-
ing relationships with those companies that had performed well in the pilot phases.
Short terms. Other companies commit the particular scope of the function or service
up front, but in an agreement with a short term, subject to options to extend. These
agreements contain more detail than a pilot program agreement based on the assump-
tion that the term will be extended.
Full-scale outsourcing. A third model is a more robust and de´¬üned outsourcing
arrangement, with a large de´¬üned list of services in scope, a detailed plan for transition
of the work to the service provider, detailed service level agreements (SLA), gover-
nance and relationship management provisions, policies and procedures manuals, and
many other typical outsourcing agreement terms. A global semiconductor company
used a pilot arrangement to assess an Indian providerÔÇ™s capabilities and then, when the
pilot succeeded, moved to full-scale outsourcing.
122 Managerial competency
Multiple suppliers. Some companies prefer to have multiple offshore providers to