The legal implications of new technologies have been making headlines recently, with a group of more than 100 specialists in robotics submitting an open letter to the United Nations urging a ban on the use of machine learning and artificial intelligence in weapon systems. But on the commercial side the change capturing lawyers’ attention is not cutting-edge tech but the creeping maturity of IT systems that have been around for years. As Louise Pentland, general counsel of PayPal, comments: ‘The disruptive trends that are likely to shape business in the coming months are existing technologies becoming more capable.’
One of the best examples of a disruptive trend developing from technology that most businesses are already familiar with is the sudden ubiquity of cloud computing. Although moving business processes to the cloud is technologically passé – remote processing through application service providers (ASPs) has been around for nearly 20 years – internet speeds were, until recently, too slow to allow for anything beyond simple processes to be migrated. Now it is entering the mainstream. In early June 2017 Lloyds Bank finally signed its long-planned outsourcing contract with IBM, a £1.3bn deal that will see a large number of staff, along with core business processes, move over to IBM. Many large organisations are likely to follow.
Kit Burden, global co-head of technology sector at DLA Piper, says the impending mass migration to the cloud will change the way businesses think about the relationship between their core and support processes.
‘Concerns around security and data protection that have traditionally inhibited engagement with the cloud seem to be ebbing, and cloud providers are working out how to handle business-critical processes in a seamless way. We are seeing a demonstrable uptick in both take-up and deal sizes and it is having a very interesting domino effect in the market. The next 12 months will see cloud providers take over large parts of many businesses’ operations and it will lead to a big change in how global organisations operate.’
Baker McKenzie IT partner Harry Small echoes the point. ‘Lawyers like to highlight the dangers surrounding data protection and security in the cloud but for clients the economics are overwhelming and increased use of cloud services is inevitable. Security concerns aside, it is essential to do thorough diligence on a provider before migrating business processes. Cloud contracts tend to be very short term and can be switched off at will, but the danger, from the customer’s point of view, is that it remains difficult to get your data out in a manageable way.’
One result of this move toward outsourcing business-critical processes, says Chris Fowler, GC UK Commercial Legal Services at BT Group, is that in-house teams are increasingly likely to oversee the work themselves. ‘Outsourcing has become such an important part of business efficiency that you have to understand a lot of internal processes to get it right. In-house lawyers are, very generally, expected to know a lot more about outsourcing than previously. Contracts also tend to be shorter in duration and divided between different providers. As a result, managing various providers and making them work together has become more important than understanding the underlying laws.’
That comes as a threat to outside counsel specialising in outsourcing work. Robert Shooter, head of technology, outsourcing and privacy at Fieldfisher, the largest technology and outsourcing team in Europe, comments: ‘We are seeing a lot of the traditional big deals staying in-house now with clients sending only very specialised pieces of an outsourcing or the high-volume, low-cost aspects of it to firms. We see it as an opportunity to ask ourselves what our clients want from their external lawyers.’ Mitigating this loss of revenue, a growing focus on data privacy is leading to a big uptick in work. Fieldfisher has taken on ten new hires in the last 12 months, and Shooter says the firm expects client demand for data protection expertise to remain strong well into 2018.
Lawyers highlight the dangers surrounding data protection in the cloud but for clients the economics are overwhelming.
Harry Small – Baker McKenzie
Indeed, the big trend of the coming 12 months, says Richard Kemp of Kemp IT Law, is that legal aspects of data – from data rights and sovereignty to security and protection – will become even more important to in-house teams. ‘Data protection has gone from one of those slightly geeky areas that you’d occasionally see one or two lawyers specialise in at the larger firms to the in-demand skill that clients are looking for.’
Whose data is it anyway?
Simply taking the UK’s example, it is easy to see why data protection is no longer an afterthought for GCs. Under the 1998 Data Protection Act, the largest fine that the ICO (Information Commissioner’s Office) could levy was £500,000. The largest fine it had ever levied before 2017 was £250,000. That has now changed, and the ICO is becoming more robust. This year alone it has levied two £400,000 fines. But the big change is the General Data Protection Regulation (GDPR), which comes into force across the EU, including the UK, on 25 May 2018 and introduces a maximum fine of 4% of global turnover for data security breaches.
With the growing interest in outsourcing to the cloud, the shadow of GDPR-related fines for misuse of data looms large. ‘Five years ago, most outsourcing contracts allowed for data protection to be an unlimited loss,’ says Burden. ‘Data loss may have been a big worry for customers but it was economically a relatively trivial issue for suppliers. With the ramping up of national data regulators and the introduction of GDPR, the way contracts get scrutinised will fundamentally change.’
Kemp is seeing a similar shift in the way contracts are approached. ‘Trade-offs with security, the kind of indemnity protection the provider gives, and the liability position they are prepared to adopt will change, but the precise outcome is hard to predict at this stage. Cloud services are commoditised, which means there is not sufficient margin for providers to give the type of liability protection a customer would need in the event of misuse.’
Not only are the potential losses through fines much larger, but the introduction, under GDPR, of processor liability will also change the dynamics of contracts. As things stand, if a business outsources its customer relationship management system to a provider in the EU, the entity outsourcing its data is the only one liable to be fined (usually not very much). After GDPR takes effect the processor (ie outsourcer) will equally be regulated. As a result, any contract between controller and processor will have a different balance of power.
Of course, any law that restricts businesses’ ability to monetise data will cause friction, and it looks certain that the European principles of data protection and privacy will come into conflict with the tech giants of Silicon Valley. The Trump administration has signalled that it will take a more lenient approach to data protection, which does not bode well in the face of the EU’s increasingly stringent requirements.
Every GC is going to spend a lot of time looking at data protection. There will be a huge wave of work for law firms. Richard Kemp – Kemp IT Law
Ruth Boardman of Bird & Bird notes: ‘When companies come to trade in the EU from other jurisdictions they can find it difficult to get their heads around the fact that we don’t see data as an asset. From their perspective they have sweated blood and tears to generate data and they should be able to monetise it.’
It is likely that battles that have traditionally been fought in the arena of competition law, where fines can reach up to 10% of turnover, will be revisited in data protection cases. However, Kemp takes a more circumspect view of the risks to business. ‘Every GC is going to spend a lot of time looking at data protection before May next year and there will be a huge wave of work for law firms, but I would caution against listening to some of the hype coming from the service supplier community about how challenging it will be to comply. I take a fairly pragmatic view, which is that companies should comply but not over-invest in their compliance strategy. Knowing what to do is as much a project type approach as a legal analysis.’
Rachel Jacobs, GC of Springer Nature, picks up the theme: ‘Increasingly we are facing the sort of regulations that link legal analysis, IT specialists and questions of what the business is trying to achieve. These are no longer regulations that can be approached from a legal silo, though there are fundamentally important legal questions associated with them.’
Away from outsourcing and data protection, a notable trend across the TMT sector – driven by the pace of technological change and poor economic conditions – is the relative lack of litigation. While there have been some major cases in the High Court and the Technology and Construction Court involving technology and communications contracts, Harry Small says these represent only a small fraction of the general disputes in the sector. ‘TMT today is best characterised as contentious but not litigious. The really large amounts of work we get are contracts that have gone wrong but are never going to reach the courts. There is a growing tendency to re-evaluate contracts and enter into structured renegotiation.’
A bigger legal change, says Small, is yet to come. ‘Automated or artificial intelligence will fundamentally change IP law in the sector. A computer programme now does a lot of the work that a human might formerly do, even such things as drafting contracts and credit scoring. The question that arises is twofold: who owns the output and, more particularly, who owns the algorithms and decision processes made by the software?’
UK law has a small provision covering this question, which Small himself helped insert in the Copyright, Designs and Patents Act of 1988. The provision states: ‘In the case of a literary, dramatic, musical or artistic work which is computer-generated, the author shall be taken to be the person by whom the arrangements necessary for the creation of the work are undertaken.’ It is a vague provision, says Small, but one which the EU was not prepared to follow at the time. ‘The harmonisation of copyright law across the EU, quite wrongly in my opinion, took the view that copyright works must have a human author. This is almost certainly a linguistic reflection of the Droit d’auteur or Urheberrecht, but we are in a world that is rapidly moving away from humans as the sole authors of output. When Brexit gives us the freedom to look at our intellectual property laws again, we will have a great opportunity to make laws that reflect the world we live in.’
Such laws may reshape the sector entirely, but in the coming months GCs are more likely to focus on less cutting-edge technologies. As Pentland concludes: ‘It is tempting to say there is nothing new about digital transformation – almost every company has moved to online and digital offerings – but implementing a proper digital transformation strategy means ripping up what you have done previously and doing it all in a different way, enabled through technology. That is doing something new in response to something not quite so new, but that is what being a lawyer in the TMT space is all about. Software licences, open-source and outsourcing were all once at the leading edge of law, but the real question for in-house lawyers comes when they stop being at the leading edge and start to become something that impacts the way your business is structured.’