Source: Getting The Deal Through / Lexology
Authors: Robert Nešpůrek, Štěpán Štarha, Richard Otevřel, Dalibor Kovář
One of the most important laws adopted this year is Act on the Right to Digital Service, the so-called digital constitution. The Act was drafted by the private sector as its engagement has been beyond doubt the key to the digitalisation progress of (not only) public administration, but was further endorsed by the administrator of the respective area, the Ministry of Interior of the Czech Republic.
The Act will provide for gradual digitalisation of all partial steps (digital services) carried out by public administration and those that can be theoretically carried out digitally. The administration must come up with a list of their obligations and types of actions with the outward impacts, i.e. to make a “service catalogue” until February 2021.
In the following four years, the Government together with other public authorities and bodies will digitalise all non-digital agendas, primarily those that could be of benefit to the wide public as well as those generating the highest value added and will be greeted by the public with general acceptance. It is thus about transforming processes that were non digital or manual to digital processes.
The service catalogue will be updated regularly, and it will be available on-line in order to allow digitalisation of not only certain actions but also of entire agendas and dependencies of comprehensive life situations. The open catalogue will thus throw the digital service into an unknown perspective from which the private sector should benefit. This would help the digitalisation also from the bottom to the top. The Act will allow attaching distant certified signature from 1 February 2022 that will be the final farewell to the paper documents for which people had to personally collect the certification of their own wet signature.
Further, eGovernment cloud has been introduced into Czech law also this year based on three years of preparatory works. Government is now newly and expressly allowed to use cloud computing solutions that will allow major savings and simplification of state IT infrastructure once used in a coordinated way. The cloud computing will also have its own service catalogue (offer and demand) that will directly influence the use of the cloud solutions. Existing solutions must be entered in the catalogue within three years from the force of the act, otherwise the public authority should disconnect such solution. In fact, the cloud is now poorly used by the government in IT vendors feel an opportunity to build their business on existing private sector solutions.
There have been few modifications into Act on Cybersecurity and recently governmental bodies started to be very active in education and preventive measures within the Czech market (in reaction to e.g. cyber attacks on public hospitals). This meets with clearer focus of organisations, particularly the biggest private and almost all public, on cybersecurity.
Bank identification described in more detail in the next question also became a key feature of Czech digitisation laws as further developed in the following point.
The recent development in digital transformation in the Czech Republic is led rather by the private industry than by the governmental policies.
The most noteworthy development in the Czech Republic is by all means the upcoming electronic identification via Czech banks. The BankID will enhance mainly the scope of activities carried out by banks, namely by providing electronic identification, authentication, and trust services as well as other related services. The basic element of provided services will be the means for electronic identification such as log-in tools to internet banking for bank clients. Probably everyone has such tools and knows how to use them. This is the basic difference as compared to national means for electronic identification (ID card with electronic chip); using them requires chip card reader, servicing application and knowledge of several numeric codes.
No wonder that the existing means have not been used widely. The bank means should allow both logging-in to national digital services and (in synergy with the above mentioned Act on the Right to Digital Service) concluding and signing a distant contract, view an electronic file or verify own identity with all online services providers and using these service from back home.
From 1 January 2021, the upcoming BankID offers the Government and private sector up to 5.5M potential users who already have and know in detail their means of access. Along with the above, the connected legislation will allow banks and insurance companies to access basic registers and other selected public administration IT systems and to verify the up-to-datedness of clients’ data in order to comply with their obligations stipulated by legal regulations. This development represents a digital transformation as to the sense of invention of new digital business models.
Besides the above, organisations might benefit from more frequent technology partnerships built between Czech banks and technology (incl. start-up) companies – e.g. wider facilitation of payments, use of AI within interaction with the clients and focusing on their (eventual) needs or building reliable platforms for various legal acts for the public.
It is very important to assess what data / processes are to be operated within Cloud or a data centre, particularly whether they are critical or non-critical for the organization and whether a public or a private Cloud is in question.
Many organizations in the Czech Republic rely on a public cloud but private cloud is not an exception as well. In the Czech Republic, the main focus is usually on the areas (among others) of
Despite there being many specialized providers of various services, Amazon, Google and Microsoft are the key players in the Czech Republic cloud services. There is a high number of providers specializing particularly on helping organizations with their migration to Cloud.
When negotiating contract with a Czech provider (and thus it is expected such a contract will be governed by the Czech law unlike in cases of the international players mentioned before), it’s good for organizations to know that a liability for damages cannot be fully excluded, although providers are keen to do so in their standard contract documents.
The Czech law forbids to limit liability for damage caused to a person's natural rights, intentionally or by a gross negligence. More importantly, it does not allow a limitation of liability towards a weaker party. The weaker party is a concept brought to the Czech law by the Civil Code effective from 2014 and on of its definitions says that it is any person in a business relationship with another party whereas the business relationship does not relate to the (weaker) party’s own business (e.g. a company buying a laptop from an e-shop for its employee) but it may also include situations when adhesion contracts (standard contracts with no possibility of any negotiation whatsoever) are concluded. A clause in such a contract which refers outside of the contract text (website etc.), may only be valid if the weaker party was acquainted with the clause and its meaning by the provider or the party must have known the meaning of such a clause. It is quite often that personal data processing matters are excluded from any limitation of liability.
If we focus on the specifics of Cloud, the key factors to consider include
These areas have an effect deep within the factual and contractual characteristics internally and externally towards respective suppliers. Organizations should also consider any specific regulations having effect on their business. Such legislation may include data protection regulation (GDPR and local laws – in the Czech Republic, there is Act on Personal Data Processing), cybersecurity laws (Act on Cybersecurity, implementing the Directive (EU) 2016/1148 of the European parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union but be aware, there’s more in the Act on Cybersecurity than in the directive) or perhaps financial sector regulations.
Anything extra required from the supplier may affect the service price. That’s why organizations should consider very well the scope of services they need to avoid paying for a cool feature that no one in the organization uses.
The market has gone through a vast development in recent years. There are many more providers who believe a subscription-based Software as a Service solution is the key to success. Therefore, before contracting with any new provider and giving it your valuable data for processing, the provider should be checked to avoid any unwanted effects on the organization’s business.
Providers usually tend to push their own template documentation. This is quite understandable since it keeps the legal costs per contract at minimum. But organizations should review these documents thoroughly as they often miss some key assuring points.
To describe a common practice, usually an NDA (with a penalty for its breach) is signed before the provider is allowed anywhere near any internal information of an organization. We may often see a provider assessment process is initiated before or after signing the NDA. When personal data is in question, the providers usually tend to accept clients’ own data processing agreement (DPA) particularly in cases if organizations are high profile with regard to data processing (such as in the e-commerce sector).
A liability always has been and still is a big topic. Providers tend to limit their liability as much as possible and organisations tend to avoid it which creates certain level of friction. But in general the limitation of liability is a standard. GDPR, however, made a big change and higher liability of the provider is required, it is often unlimited.
Each level of the cloud stack requires a specific approach. With regard to the hardware part of Cloud (data centre), the main concerns are maintenance and physical security (access to data centre etc.) but this doesn’t always have to be the case particularly if your contractual party offers you a service without anything related to a specific data centre.
The connectivity layer (networking, firewalls, security) usually require regular updates to the security infrastructure (software, firmware) and organizations should carefully assess necessary reaction times and require the provider to perform proactive monitoring of risks and their mitigating tools.
With regard to servers, storage, virtualisation and operating systems as well as development and analytic tools as well as databases, a proper licence structure should be established and managed to allow future changes with no unnecessary risks. A provider should advise with the proper licence model and guarantee that such a model was duly assessed. The main topic regarding storage is a backup. Reaction times and fix times are often the main parts of any service level agreement (SLA) since they affect the organizations ability avoid major data losses. Organizations should specifically agree on who’s responsible for backups as this is not a typical part of the service.
The main part visible to regular users, hosted applications and data, should have a proper licence acquired. Also, do not forget to add a technical specification of the applications (or a service, as often described in contracts) to the contract to be able to enforce the application quality at any time. Organizations should make sure that their data is encrypted, accessible at any time (including their backup) and always (or at least some time before the contract expires) ready for a migration.
Despite this being rather a general rather then cloud-specific matter, organizations should care about the governing law and setting up courts’ jurisdiction since SaaS or other digital services are very often cross-border services and thus the governing law is often an important point for negotiations. If parties cannot agree, it is often recommended to settle with a neutral legal system which is close to both systems. For the Czech Republic, this is typically Germany or Netherlands. Organizations should also push the provider to implement certain contractual penalties for breach of the most important obligations in the contract.
It is probably not surprising that even in the environment of Czech law the typical points of contention in contract discussions include
The area of liability for damage and the possibility of its limitation has undergone fundamental development in Czech law over the last 10 years. While 10 years ago under Czech law the exclusion of the right to compensation for damage and even its limitation was, to the surprise of foreign suppliers, considered inadmissible and therefore invalid, the situation is completely different today.
Czech law allows validly negotiating not only on a limitation on the amount of compensation for damage, but also its complete exclusion (while respecting statutory restrictions that do not allow regretting the right to compensation for damage, for example in cases of an intentional breach of an obligation or interference with natural human rights).
In this legislative situation, suppliers in the Czech Republic usually try to limit the compensation for actual damage and to exclude any other types of damage. At the same time, suppliers often exclude in their model documentation any indirect, consequential and similar types of damage that Czech law does not even explicitly recognise.
On the other hand, clients (especially those in the public sector) are often reluctant to accept any restrictions on the right to compensation for damage, despite this being a common standard abroad. The first step in discussions that should be taken in the environment of Czech law is to think about the wording of the clause on limitation of compensation for damage from the viewpoint of Czech law and revise the wording of contractual documentation, which was often created under the influence of foreign law and contains references to various indirect or consequential damage, which is not clearly defined in Czech law.
Either the parties will remove these ‘monuments’ of foreign model contracts or, on the contrary, they will define them more clearly, thus removing the first stumbling block. In further discussions, it is appropriate to attempt to agree on the limitation of compensation for actual damage and the amount of lost profit by a specific amount (usually through the amount of the agreed price or a percentage thereof).
Clients in the Czech environment will finally agree to such a limitation if there are exclusions from the agreed limit that address the most pressing risks for clients. Such exclusions typically include possible penalties for breaches of personal data protection, or other penalties by the regulator (for example, the Czech National Bank in the case of clients falling under its supervision).
In our opinion, in Czech practice an agreement constructed in this way, which is a compromise between the interests and objectives of the client and of the supplier, can be reached. And contracting authorities are gradually becoming more willing to do so when preparing tender documents for a public contract as well, when they realize (it is explained to them by advisers) that unlimited liability may only discourage responsible suppliers and support those who are not serious enough.
The second typical area in which discussions arise in the Czech Republic is the definition and scope of the client’s cooperation during the delivery. Unfortunately, it is a standard (and negative) practice in the Czech Republic that the client’s cooperation is not clearly defined and its entire arrangement is summarized in one sentence saying that the client shall provide all necessary cooperation.
It is clear that such a reflection in the contract leads to the supplier and the client having diametrically opposed ideas about the extent to which the client and its employees should be involved in the entire delivery process. Therefore, in the Czech Republic, disputes concerning the delivery of IT solutions mostly end in disputes over whether or not the client has provided the agreed cooperation.
In practice, when addressing this problem, we have found greater interconnection between the lawyers preparing the contracts and the IT staff, and consistency on the part of the lawyers in defining the requirements for cooperation and obtaining the necessary information from factual sponsors to be useful. The solution then differs depending on whether the delivery is executed through the traditional Waterfall model or through the Agile or even DevOps model. In any case, however, it is necessary to define the capacities and roles that the client will provide, which is something that is still not standard on the Czech market.
Another area in which discussions often arise is the licensing arrangement and/or regulation of intellectual property rights. In the Czech Republic, from our experience, clients, whether from the public or private sector, often cling to the fact that they will have an exclusive licence to the delivered solution. This is, of course, something that is problematic for suppliers, and if it is accepted, it leads to an increase in the delivery price.
However, this requirement is deeply rooted in the heads of Czech clients, despite it not often being preceded by any in-depth consideration. In practice, we have found it worth opening this business question with clients and encouraging them to explain why they actually insist on an exclusive licence.
Often, the client is able, with a quiet heart, to easily accept a non-exclusive licence and request an exclusive licence only for those parts of the delivery that are custom-made and, at the same time, the exclusive licence makes sense in relation to them. Sometimes in practice, the solution for the client is to bind the supplier with a specific non-compete clause and confidentiality agreement and at the same time acquire only a non-exclusive licence. In addition to the issue of licence exclusivity, it is worth noting that there is still a debate in Czech law as to whether or not a SaaS solution contract should also include a licencing arrangement. For the avoidance of doubt, most lawyers in the market are inclined to include the licencing arrangement in the SaaS contracts for prudential reasons.
The last of the main areas we would like to mention is data rights (both personal and non-personal data). Here, in our experience, disputes between the client and the supplier do not necessarily arise during negotiations, but, surprisingly, the parties often do not pay enough attention to this area. They often just prepare a general NDA or data processing agreement without a deeper analysis of business needs, which, however, do not correspond to the actual setting of the business case.
Despite cybersecurity in general is a topic, particularly in the COVID-19 era, cybersecurity laws do not affect most organizations at all. The cybersecurity laws affect only a minor group of companies within the private sector (typically telecommunication providers) and thus all measures are usually implemented due to other requirements (personal data protection laws, compliance programs, company group rules etc.).
Cybersecurity may, however, affect organizations when they provide services to the public sector. In such a case, they may be identified as an obliged entity under the cybersecurity laws. Even in such a case, the requirements more or less correspond to obtaining an ISO certification (ISO/IEC 27000 family).
Luckily, the GDPR brought at least some uniformity to what limits a local legislation may impose on data processing. On the other hand, Czech laws did not include any unpleasant rules such as localisation requirements even before 2018 and, interestingly, have been treating both paper and electronic document equally (the only practical issue, not relevant to electronic data, is readiness of documents – producing paper evidence upon request of authorities may delay the whole process if kept in another country, for instance).
We experienced some tendency of governmental agencies to include provisions requiring storage of personal data within the Czech territory, but this has never become an official strategy due to being clearly against the EU law.
But even without explicit localisation requirements the recent CJEU’s decision in the Schrems II case revealed how fragile the business cooperation concerning processing of personal data outside of the EU could be. The only functional and flexible measure remains the using of Standard Contractual Clauses (SCC), although having its own caveats.
First, everyone wishing to use the SCCs, must reinforce those clauses when exporting personal data to a country where the SCCs themselves do not suffice, but it remains unclear how the private company should assess such risks and what the reinforcement should look like – we are still waiting for an official guidance at the EU level since the Czech Data Protection Authority does not seem to develop its own recommendation beyond what has been just mentioned above.
Second, not all scenarios are covered by the approved SCCs – for example, processor located in the EU may not use sub-processor outside the EU without making a formal arrangement with the controller. And finally, customers started to perceive any extra-EU processing as a sign of risk, thus the requirement to localise data at least within the EU is more frequent from the businesses themselves than legislators already.
In our experience, the problem of transition from the traditional Waterfall model through Agile (continuous improvement) to DevOps (continuous delivery) is mainly in the heads of lawyers and managers and not in the legislation.
First of all, it is therefore necessary to change the reasoning of lawyers and managers in order to move away from the automatic requirements to define a fixed price for a specific predefined performance in each contract. This approach is incompatible with moving to Agile or DevOps.
In Czech practice, clients are either not willing to agree with the change of this paradigm or, on the contrary, they approach it nihilistically, not providing for Agile and DevOps formally in contracts at all, and operating only on the basis of orders and payments for the use of the supplier’s staff’s capacity without further contractual arrangement. Obviously, neither approach is correct and even deliveries executed through the Agile or DevOps model deserve proper providing for in contracts.
One specific area is the use of Agile and DevOps in the public sector, where the situation is more complicated than in the private sector due to public procurement law. Even here, however, in our opinion, in the environment of Czech law, it is possible to award a contract to a supplier for deliveries executed through Agile or DevOps.
In order to use such a supplier, it is only necessary to go into the depth of the public procurement rules and not automatically announce a tender procedure only for services (the supplier’s capacity), as is happening in the Czech Republic today. As for the market practice, however, we have unfortunately not yet come across a tender procedure for awarding a contract for delivery through the Agile or DevOps model.
We are dealing with the common understanding that every organisation should shape up to the new reality which was present even prior to COVID. The pandemic speeded up the processes and drive to adopt digital solutions. I believe that almost each organisation is now somehow facing the dilemma how to digitise and transform itself to be more effective, efficient and at the same time relevant on the market.
It is very fortunate to see that the biggest organisations do not hesitate to pay top-tier advisors to help with their digital transformation projects and share the relevant information throughout the market (including the impact on end customers and negative steps within the project). Further, the knowledge base and technical preparedness of the organisations’ advisers has increased tremendously in the past years. Therefore, we experience rather detailed and well-built digitisation plans based on automatization, robotization, access management and overall hardening of the environment to be safe and sound without limitation of user’s comfort.
Without doubts, the best (and most necessary) practice of digital transformation is switching from on-premise solutions to cloud to provide organisations, their workers, and clients more flexibility.
An effective transformation should benefit from cross-functional co-operation of executive directors with CIOs and other senior managers of the organisation by connecting approaches focused on business with fast development models (agile and DevOps). E.g. all major Czech banks switched to agile method of organisation in the past years giving an example to other sectors with the aim to align transformation goals with business goals.
Despite technologies represent a necessary essence of digital transformation and are already present, we perceive a new standard in development of digital competencies of employees and other workers within organisations and sharing of a defined strategy. The digital transformation requires change of thinking, new competencies, discipline, and personal courage to be implemented in everyday life. This approach is vital but has been neglected in the past. Defining a compelling communication strategy and vision to sell the transformation story to the organisation can thus also be perceived as a best practice in digital transformation in the Czech Republic.
It is the unprecedented growth of the ecosystem of IT solutions providers and emergence of new players. We have worked on digital transformation projects with large multinational IT companies as well as medium companies both local and from around the work and start-ups. Customers’ options have multiplied. Digital transformation is transforming not only the corporate world but also the IT sector in the Czech Republic potentially delivering greater value to customers for their money and flexibility thus addressing some of the issues carried by the “old” IT world.
Advising on digital transformation requires a new approach to defining legal solutions for clients that reflect clients’ practical requirements and demand multi-disciplinary, multi-faceted perspective. We have reorganized our teams across our commercial, IT and regulatory practices to provide fresh understanding of what digital transformation means for our clients and how we can best contribute to clients’ digitalisation efforts. It is exciting to be drafting new legislation enabling digitalisation on one day, the next day discussing with a progressive IT provider how best to tap the newly emerging market around BankID and the day after helping a major corporates to adopt paperless processes involving an integration of a digital signature solution into a SaaS-based DMS.
Clients have a major challenge of managing digital transformation that is not only technically sound but also contributes to the success of their business. It is crucial that besides technical legal excellence we help to find the best business partners, weigh the benefits of digitalisation against the costs and possible business disruptions, provide markets insights and approach a project with open mind to mitigate risks and achieve key goals.
