Schadenfreude doesn’t feature much between in-house legal departments, so many general counsel would have winced when TalkTalk chief executive Baroness Harding admitted last year that she didn’t know all the technical details of the cyber breach that could ultimately cost the company £60m and contribute to the loss of 101,000 customers.
‘In the abstract, data protection doesn’t mean a great deal, but there have been many recent examples where large corporates have been hacked, and their senior executives are being questioned on TV and do not necessarily seem to know what data has gone. That’s not a great situation for any senior executive to be in,’ says Chris Holder, an IT partner at Bristows. ‘If I were a general counsel and my chief executive was on TV being grilled, then I would make sure that they were fully briefed with as much information about the hack, the missing data and the security situation as was possible.’
Holder says that many GCs would have looked on and thought: ‘I need to know what our IT estate looks like; where our data is; how we go about protecting it; and ensure that we have robust continuity plans in place if something goes wrong.’
If a business is using technology to face the consumer market, it is crucial in-house counsel get a seat at the table at the right point in the process.
Charlotte Walker-Osborn – Eversheds
Data protection and cyber security were the headline technology, media and telecoms (TMT) trends for in-house legal teams in 2015. Nicola Phillips, head of legal for ITV Interactive & Consumer, says: ‘TalkTalk and Ashley Madison made cyber security a much higher profile issue.’
With these incidents bringing the legal and regulatory aspects of data protection and cyber crime into sharper focus last year, it is little surprise that the most frequently cited TMT priority for in-house teams for 2016 is getting to grips with two pieces of EU legislation: the much-heralded General Data Protection Regulation (GDPR) and the Network and Information Security (NIS) Directive. Stewart Room, global head of cyber security and data protection at PwC Legal, makes a call for GCs to acquaint themselves with the GDPR framework quickly or risk a few violent collisions in 2018, when the regime goes live.
There are practical steps GCs should be taking. Knut Mager, head of group legal country organisations at Novartis, says that with a two-year process for implementing GDPR, it is important that the company takes the lead on shaping regulation in practice at local and EU level. ‘We have to make sure the organisation is fully prepared for the new requirements and also make sure that we understand the domestic requirements, but to a certain extent we also help shape the requirements and implementation. That’s
a key priority.’
Paul Mussenden, GC, company secretary and head of strategic affairs at pharma group BTG, says there has been a perceptible knock-on effect from changes to data protection rules. ‘Last year, with the ongoing changes to the data protection requirements, we’ve seen significant enforcement from a regulatory healthcare marketing perspective in our sector. Even where the underlying requirements haven’t necessarily changed, there’s been additional enforcement, which means it’s been at the centre of what we’re doing to ensure we’re meeting those requirements.’
There is also a need for prevention, according to the head of Eversheds’ UK TMT sector group Charlotte Walker-Osborn, covering so-called ‘ethical’ hacking, where a company hires an expert who systematically attempts to penetrate a computer system or network on behalf of its owners for the purpose of finding vulnerabilities that a malicious hacker could potentially exploit.
‘What we’ve always seen, but it’s really been increasing, is how much more in-house counsel have to consider ethical hacking,’ she says. ‘The technology teams in businesses may have been doing ethical hacking penetration testing to test the robustness of their systems for many years, but because it’s more high profile, that type of contract is hitting counsel’s desk.’
The big four: key TMT cases of 2015/16
Google v Vidal-Hall
Three key findings against Google emerged from this Court of Appeal judgment last summer, after three individuals brought tort claims in the UK against the company after Google had agreed to pay a record $22.5m penalty to the US Federal Trade Commission for circumventing the Safari browser’s privacy settings in 2012. The UK court held that the claimants could serve proceedings on Google in the US for the misuse of their private information and for breach of the Data Protection Act 1998; that browser-generated information constitutes personal data, bringing a whole swathe of Google’s online activities under the scope of European data protection laws; and finally, and perhaps most importantly, the court found that the claimants can claim for distress without having to prove pecuniary loss, greatly increasing the scope for compensation claims in the future as data subjects no longer need to prove monetary loss in a claim against a business for the misuse of their personal data.
Warner-Lambert v Actavis
Dubbed the patent case of the year, this complex dispute saw pharma company Actavis prevail in the High Court against Warner-Lambert (part of Pfizer), in an important decision for second medical use patents. The patent for primary use on the active ingredient in Pfizer’s blockbuster drug, Lyrica, had already expired. Actavis launched a competing generic drug, with a so-called ‘skinny label’, aimed at the non-pain market. Litigation ensued as Pfizer sued Actavis, alleging it was inevitable that the drug would be dispensed for treating pain as well as for other, non-pain disorders. Pfizer also secured an initial court order against NHS England, compelling it to issue guidance that Pfizer’s product alone should be prescribed for pain. The High Court resoundingly rejected the claim by Pfizer, finding no infringement by Actavis. The court also urged the Department of Health to put in place a system that minimises the potential for these types of disputes. Taken together, the implications of the judgment in terms of industry practice are significant.
Starbucks (HK) & anor v British Sky Broadcasting Group & ors
For the first time in 25 years, the UK’s highest court had to consider the law of passing off. The Supreme Court ruled in favour of Sky, ending its long-running dispute with media company PCCW over Sky’s TV service NOW TV, which PCCW claimed passed off its own NOW TV internet service in Hong Kong. The case sets an important precedent in confirming that, in order to succeed in a passing-off action, a claimant has to prove goodwill in the form of customers in the UK. An alternative outcome could have created an environment where clearing brands for use and registration in the UK would become significantly more challenging.
Unwired Planet v Huawei, Samsung, Google & ors
This huge ongoing case, with many constituent parts, means telecoms companies need to consider the possibility of non-practising entity (NPE – or patent trolls as they are less favourably known) litigation becoming much more of a feature in Europe after taking off in the US. For this complex and high-budget dispute in the UK courts, Unwired Planet, which acquired several patents as assets from Ericsson, alleged that the defendants have infringed several standard essential patents relevant to mobile telecommunications standards. A number of defences have been put forward based on FRAND (fair, reasonable, and non-discriminatory) principles and competition law. This case has important implications for what is fair and reasonable use of standard industry patents, specifically the interplay between patent law and competition law.
It is a calculated risk that the GC has to consider because the fallout from a malicious hack or self-perpetuated data protection infringement is overlooked. ‘The thing that is missed often with data security breaches, is that if you talk to a privacy lawyer they will say it’s the regulatory fines that are the big deal,’ says James Hyde, head of TMT disputes at Eversheds. ‘Actually when you talk to the corporates, the big deal is the cost of remediation, the cost of response, losing customers and customer compensation.’
Another issue that has percolated for years, culminating in a head-in-the-sand approach from many in-house teams, is the launch of the Unified Patent Court (UPC) in Europe. Simmons & Simmons IP partner Rowan Freeland captures the internal conflict in a fictitious exchange on page 70; the UPC is happening for real in 2017, which means a lot of housekeeping will be needed this year.
Tim Powell, partner at IP boutique Powell Gilbert, comments: ‘In-house lawyers do need to start thinking about this even though it’s coming through in 2017. Patent lawyers need to go through their portfolios, which can be quite substantial in some industries, and work out what they are going to do with their existing European patents – are they going to opt those out of this new court system or not? There are various patent prosecution and management issues that they should really be thinking about.’
One of the major preparatory areas will be around patent licensing, where advisers and in-house legal teams will need to think about who should have responsibility for deciding which court system a particular patent should be subjected to. There are also questions over nationality, so decisions will have to be made about which company within a group should be holding the patents.
The new fundamentals
But wrestling with the minutiae of EU legislation will not be dominating the agendas of clients from a TMT perspective. In terms of technology generally, or cyber policy in particular, making sense of a company’s IT strategy is the one area where GCs should position themselves with boards increasingly focused on high-impact risks.
James Walsh, a TMT partner at King & Wood Mallesons, argues 2015 saw the emergence of cyber security as a true board-level issue. ‘These are not issues for the IT team to stave off as there are reputational consequences and legal consequences that need to be dealt with effectively.’
Holder picks up the point: ‘Most large corporates these days are technology businesses. They run on technology, both from an in-house, back-office perspective and more often than not they have a front-end technology piece to it all. It didn’t use to be: 20 years ago the IT folk were normally in the basement doing the invoice run. Today it’s a front-line role in any organisation – like GCs, chief technology officers and chief information officers have been brought out of the basement to the top table.’
Hyde argues that the fundamental issue for in-house legal teams is to determine how involved they become in technology issues at a gestation stage to prevent problems later in the process.
At the moment, he argues, they are not involved enough, so the IT or procurement departments are creating issues; they are not going through the change control, the governance, and are potentially prejudicing the position.
It’s about understanding the technologists in your business: what are they doing? What is the impact of disruptive industries?
Chris Holder – Bristows
He gives one example: ‘For in-house counsel, the key issue is the software licensing terms are often dealt with by IT and procurement and it doesn’t feel like there’s sufficient thought going into what they’re getting, what they’re being licensed – getting into the detail.’
One barrier is that legislation cannot keep pace with technology. By the time a directive or regulation has been negotiated at EU level, it takes years to come up with the appropriate text. By the time that text has passed, there is a lag of 12 months or even two years before that comes into effect. The time between identifying a need for change and having a new legal framework in place can be years. The main requirement of a lawyer from a TMT perspective is understanding the industry and the technology and being able to apply that in a regulated environment.
‘Law and regulation does need to catch up. In an area like robotics, it’s all about whether the legislators pay attention to new tech and take it into account specifically,’ says Holder. ‘But it’s also about understanding the technologists in your business: what are they doing? What is the impact of them buying stuff? What do you think is the impact of disruptive industries coming on board and affecting your core business? That’s another headache for GCs alongside those relating to the current state of data protection law around the world. It’s the implications of technological change on businesses that is going to increase in importance.’
The continued movement of large pieces of a company’s infrastructure to the cloud is in itself a significant area of focus for in-house legal teams – in 2016 and well beyond. While that is old news to an extent, it does affect a lot of important areas such as data protection and the effect of digital disruption as a result.
The way blue-chip companies are moving large pieces of their infrastructure to the cloud creates practical concerns about how infrastructure links with other systems being run on machines using code dating back decades. For GCs, this is an operational issue around analysing who the new suppliers are and how they interact with legacy system suppliers. This is important contractually in dealing with the availability of services – down time caused because new infrastructure doesn’t work with legacy systems. In-house legal teams need to take into account the integration between applications/service providers and what the company has already.
Walker-Osborn points out that increased mobility supported by technology raises knotty legal issues. ‘Increasing use of cloud means data is housed in disparate locations. In-house legal counsel are spending a lot more time working with the businesses to understand what the data flows are for the technology they’re buying to support their businesses, particularly personal data.’
It is not just cloud computing where the use of data is having substantive legal implications and technology is moving fast. One area that will have an impact on many in-house teams is the much-hyped Internet of Things (IoT) – where everyday physical objects, like a fridge freezer or a boiler, can be connected to the internet and are able to identify themselves to other devices. The turning of traditional appliances into wireless devices that will be regulated in a different way will be an issue that a lot of in-house lawyers will have to face.
There are clear links between IoT and the emergence of automation and artificial intelligence – another area where in-house teams will be kept increasingly busy – dealing with the input, collation and manipulation of unstructured data without human beings being involved, for example, trading systems in the City. Automation is being put into existing outsourced IT arrangements, which could have a significant effect on the offshore industry, because once the human element is removed with automation, the wage arbitrage element with offshoring is gone, leading to full-time staff being removed from a lot of outsourced areas like finance and accounting, creating opportunity, savings and contractual issues around liability. The GCs will need to look into what they are buying and from whom, and who owns what as regards intellectual property when machines are developing it.
Says Walker-Osborn: ‘If a business is using technology to face the consumer market, it is crucial in-house counsel get a seat at the table at the right point in the technology process. There are just such disparate consumer and privacy laws that the way the apps are built, the websites are built, mobile platforms are built, means the legal rules have to be thought through to get the steps right to allow that technology compliance. That is something we’re helping clients a lot with.’
Churning and cherrypicking
One more familiar issue that will keep many in-house legal teams busy throughout 2016 is corporate activity in its various guises: M&A, consolidation, convergence. 2015 saw a surge in corporate activity across the TMT spectrum. In Deloitte’s ‘M&A Index 2016: Opportunities amidst divergence’, it noted: ‘TMT companies have accounted for 30% of the mega deals announced this year. So far this year, $928bn worth of deals have been announced, significantly higher than the $581bn announced during the whole of 2014.’
In some industries you’re seeing consolidation. People try to bring in skills they don’t have to compete.
Carolyn Jameson – Skyscanner
ITV’s Phillips says simply: ‘Corporate activity is going to continue. The more successful a sector is, the more activity you’re likely to see.’
‘It’s coming from the fact that the people are feeling more confident financially than perhaps they were in previous years,’ says Carolyn Jameson, chief legal officer at travel and tourism search engine Skyscanner. ‘In some industries where it’s very competitive – including in our industry, for example – you’re seeing consolidation a lot. People try to bring in skills that they don’t have in order to compete most effectively.’
Telecoms deals feature heavily, with BT’s £12.5bn acquisition of EE from Deutsche Telekom and Orange recently gaining competition clearance, while Three’s proposed takeover of O2 is still awaiting approval.
Deals of this nature are changing the shape and definitions of industries. Comparing the market now to a few years ago there are companies that are operating fixed networks, wireless networks and also providing a great deal of content, either through broadcasting or internet-based television services. That convergence is going to fundamentally change the market in terms of how packages are bought and sold, which will affect most businesses, even those that haven’t been subject to consolidation because they need to figure out how they are going to compete with those players that can offer bundles.
Walsh argues that the emergence of new technologies – like blockchain – will have a disruptive influence on TMT businesses and will give rise to a number of practical questions for in-house lawyers to consider this year. ‘The in-house lawyers who understand the technology and can apply the law to it will be better placed to navigate through those projects, which really test the boundaries of in-house lawyers’ capabilities.’
It is a familiar refrain for in-house counsel – understand the technology and the business. In the TMT sector, fast-evolving industries are even harder to keep up with than regulators.