Trends in information technology law: looking ahead to 2012

Going into 2012, we’re now a decent enough distance away from September 2008 to know that the world changed and that the next few years will continue to be, well, different or the new normal, depending on your point of view. 2008-09 more or less coincided with the generational shifts that the internet is bringing about hitting the mainstream: the rise of the cloud and social media and the growing maturity of the internet in meeting more and more of the consumer’s requirements.

This year there are two sets of themes for IT law going into 2012. The first, more strategic, set is around the cloud and the internet, two journeys that will continue over the rest of this decade. The second, more tactical, is about the specific policy developments we’ll see in 2012, around data, privacy, intellectual property, e-money, social media in the enterprise and sector-specific regulation of technology. At each level, the legal developments are likely to keep IT lawyers busy.


The cloud is that rarest of things, a genuine paradigm shift – from processing at the desktop to processing on the banks of the Columbia River. The public sector and large enterprise IT users recognise the scale of the shift: the government has set a goal1 that: ‘50% of central government departments’ new ICT spending will be transitioned to public cloud computing services by December 2015’ in its October 2011 strategy review, subtitled ‘moving from the what to the how’.

The debate about the ‘how’ – what do you need to do now to have the right policies, processes and business and contract structures in place to be ready for the cloud – has started and will pick up intensity in 2012. On 14 December 2011 for example, the European Commission announced2 that it had been asked by industry leaders ‘to provide a coherent legal framework for cloud computing services’ as part of a broader set of industry recommendations. The focus for the public and enterprise private sector is on a number of key things:

  1. First, find your low hanging fruit. On the demand side, e-mail, messaging, office productivity and internal social networking solutions are already going into the cloud. Next up are things like customer relationship management and trouble ticket management. Issues arise around smooth transitioning and avoiding ‘cream skimming’, with suppliers taking the easy profitable work and leaving the rest.
  2. Then find other reachable fruit: towards a shared understanding of the sensitivity of data. Just because your ‘crown jewels’ need to be inside the building doesn’t mean you can’t move other data to the cloud. Putting more complex work out to the cloud will need a common approach to understanding the relative sensitivity of data around international standards and taxonomies and separating data content from the criteria applied to it.
  3. Understanding the supply side3: cost savings and value add. On the supply side, as the world evolves towards 100,000 server data centres (DCs) close to hydro-electric power sources, the cost savings become significant – perhaps the key driver on the whole journey. Very large DCs enable: (i) automation of maintenance tasks; (ii) pay-as-you-go pricing; (iii) lower server and power costs; (iv) improved server utilisation through demand smoothing; and (v) multi-tenancy efficiencies. Each element contributes to cost reductions, which become remarkable as you approach 100,000 server DCs. In addition, for governments, greater control over their information estates that cloud aggregation provides will generate public licensing income – for example, in the area of medical data collections for predictive outcome modelling.
  4. There is a need for a candid and frank policy assessment. Trust and security are perceived as the main inhibitors to cloud take up. The two main areas that emerge as critical policy review areas are data protection – where there is a recognition in principle that large service providers in the world of giant DCs will need to move data around, but also a regulatory environment characterised at the global level by disjuncture, flux and lack of harmonisation; and concerns about non-transparent, potentially capricious law enforcement access 
to data.
  5. What do you need to do when buying dial tone? In contractual terms, buying cloud services is a lot about buying dial tone, and the move here is away from licensing and integration agreements towards grown up services contracts, with the accent on performance, reliability and service-level agreements; efficiencies, most favoured nation and cost reduction; the usual services deal lifecycle issues like change control, governance, audit; and exit assistance.

All these areas are stressing government and enterprise users and suppliers alike as they adapt to the new paradigm, not least in the area of organisational change in the provision of internal and external IT services, and the debate and policy discussions on all fronts will intensify as 
we move through 2012.


In 2000, the internet accounted for £1bn of UK sales. In 2011, the e-retailing industry association IMRG estimated that UK online sales will reach £68bn, approaching £1 for every £5 spent on the high street. Deloitte predicts that in December 2011, some 50% (£9bn) of non-food retail sales will be ordered or reserved online. Writing on the tenth anniversary of the IMRG/Capgemini e-Retail Sales Index in July 2010, James Roper CEO of UK predicted that ‘by 2020 the internet will account for half of all retail sales and influence the other half’. So, as in the cloud, we go into 2012 part way along the journey with the course ahead increasingly clearly mapped out.

In retail, digital media and consumer services, the internet is a digital river in full spate. But the rate and scale of changes in 2012 and for the rest of next decade will dwarf those over the last. What does this 
all mean for lawyers and professionals advising in the fast-growing internet space? What do we need to be looking out for in 2012 and beyond?

In the area of analytics and consumer targeting, McKinsey, noting that search was at an ‘early stage of its evolution’ in its July 2011 report ‘The Impact of Search’, estimated that ‘the amount of digital information will grow by a factor of 44 between 2009 and 2020’. In the enterprise, it’s now generally accepted that social media will lead to whole industries ‘being rethought in a social way’, as Mark Zuckerberg, Facebook CEO said recently.

The policy themes here, which will of course need new law, are all about regulatory intervention to protect the individual (data protection, privacy, jurisdiction, consumer protection), and the battle to protect intellectual property and other rights as digital media and content continue to generate new types of content, demand and distribution and to displace traditional media.


The data-centric world is a place where it’s not the pipes but what flows through them that’s the critical thing and key differentiator; and businesses and consumers alike are focusing on their, and others’ data as never before. In legal terms, this means looking at information, and the rights and obligations that arise in relation to it, in a new holistic, rather than the traditional piecemeal, way. The ‘stack of rights’ in the figure below is a convenient way to see this – what it means is that you need to look at data protection, data IP and competition law all of a piece to see the links and join up the dots.

This will be best observed in 2012 in 
relation to IP and competition law in the financial services area where the Commission, fresh from its settlement in November 2011 with Standard & Poor’s over its licensing policy for CUSIPs (Committee on Uniform Security Identification Procedures – securities identifiers), is continuing its investigations into Reuters Instrument Codes (RICs), Thomson Reuters’ securities identifiers; Markit’s role as the leading provider of credit default swaps (CDS) information; and ICE ClearEurope’s role as a CDS clearing house. These will all progress in 2012, showing that the Directorate-General for Competition getting its teeth into information markets and the underlying intellectual property rights and regulatory structures involved.



Although part of the data-centric world, it’s worth calling out data protection separately as perhaps the most important tactical theme for 2012. Sensitised by the continuing presence in the public mind of the Leveson inquiry into the hacking scandal, privacy and data protection are at the epicentre of policy debates around the cloud (moving data around internationally), social media (use of personal data without consent) and internet (behavioural advertising and consumer targeting). Since April 2010, UK data protection law has teeth, with the Information Commissioner’s Office’s (ICO) power to fine up to £500,000, and we may expect to see regulatory action from ICO intensify and fines increase in 2012. The picture for 2012 becomes more confused when the amnesty for cookies (data sent from a website to a user’s browser for identification and return to the website of origin) expires on 26 May 2012. After this time, the consent level for cookies – whether opt-in, pop-ups, personalisation setting or ‘specific’, ‘informed’ consent each time – will attract attention, perhaps even through high-profile enforcement action by the ICO.

In December 2011, we got a sneak preview4 of the draft ‘General Data Protection Regulation’, which, along with a new ‘Police and Criminal Justice Data Protection Directive’ is intended to replace the current regime. Official publication of the new draft legislation is set for the end of January 2012 but it’s unlikely to come into force much before 2014. Key areas of change look likely to be:

  • the type of legislative instrument – as a regulation, it will have direct effect (and unlike a directive will not need specific transformation into national law);
  • a new fines regime, with a ceiling of 5% of annual worldwide turnover for intentional or negligent breaches (akin to competition law, where fines can be up to 10%);
  • substantively, new data subject rights ‘to be forgotten’, to have personal data erased and on data portability;
  • administratively, registers of compliance for both data controllers and processors and rules about data protection officers; procedurally, new rules on mandatory notification of data and security breaches; and
  • internationally, developments on binding corporate rules.

Intense and sustained lobbying in Brussels will be the order of the day in 2012.


There’s also a lot on the cards in the IP world for 2012. In the area of copyright, we’re likely in 2012 to see Hollywood and other rights owners making more claims against ISPs and other intermediaries to block access to infringing content that they host or transmit. This follows Twentieth Century Fox Film Corp & ors v British Telecommunications Plc [2011] where Arnold J ordered BT to block access to the Newzbin2 website as BT:

‘… knows that the users of Newzbin2 include BT subscribers, and it knows those users use its service to receive infringing copies of copyright works made available to them by Newzbin2’.

In Luxembourg, the European Court of Justice will continue with their painstaking task of splicing together Anglo-Saxon and civil law approaches to copyright, and we may see judgments in 2012 in a number of important cases referred to them, including around the interpretation of copyright protection of databases and the place where the ‘making available’ restricted act takes place5; and the extent of the permitted acts or defences to copyright infringement that the information society directive attempted to harmonise.

The smartphone patent wars are also hotting up as we go into 2012. The 
Financial Times reported on 19 December 2011 that BT was suing Google for 
patent infringement in areas including location-based services, navigation, mobile services and content access and the Android platform6. The case joins the ranks of a series of broad, interlocking patent infringement actions involving two dozen or so of the largest players in mobile communications (including Amazon, Apple, Microsoft, Motorola, Nokia, Qualcomm and Sony, and as well as BT and Google) as they jostle for the best seats at the table7. These cases will likely play out over the rest of the decade and will occasionally hit the headlines in 2012.


The release on 19 September 2011 of the Google Wallet app heralds the coming of age of e-money in the mobile space: mobile or m-money will really take off in 2012 as banks, mobile operators and technology vendors invest in this fast-growing area of e-commerce. The use of Near Field Communication technology (NFC) enables a number of different secure payment mechanisms, whether storing e-money in the mobile ‘wallet’ to spend or using the wallet as a virtual credit, loyalty or gift card. The financial regulatory regime behind the development of e-money, based on the Electronic Money Regulations (EMR) 2011 and the Payment Services Regulations (PSR) 2009, will see IT lawyers grapple with yet more regulation in 2012.


In the enterprise, price reductions in laptops, the ubiquity of smartphones and the growing reach of social media will continue to blur the boundaries between ‘home’ and ‘work’ and lead to more work 
for employment lawyers in 2012 as they 
get to grips with policies on working from home and use of social media. In due course we can expect to see more cases before the courts about when and where employers’ duties to their staff and the employee’s duty to the organisation stop and start. As in other areas, data protection law will continue to rise up the agenda in the workplace – one of the provisions of 
the new Draft General Data Protection Directive proposes that consent cannot 
be automatically implied for processing 
of employee data, raising the question 
of the extent of employee consent that 
will be needed.


Finally, as technology continues to get to the heart of business – in many cases becoming the business – so the ‘edge’ along which technology and sector-specific regulation impact each other becomes extended. This has been the case in the financial services sector for a while now, with IT systems and outsourcing coming under the regulator’s watch, but the list here gets ever longer: the draft Markets in Financial Instruments Directive and Regulation (MiFID II) published on 20 October 
2011 prefigures a much more prescriptive regime about transparency information 
(pre- and post-trade data) and the systems that underpin it than was the case with 
the original MiFID. The interface between EMR 2011 and PSD 2009 on the one hand and technology platforms and systems 
on the other will be central to the roll 
out of m-money in 2012. And even in our own sector, we can see the Solicitors Regulation Authority becoming more interested in and concerned about the security of client data as law firms start seriously to spool out IT work and data to the cloud.

As ever, the technology developments now under way will bring interesting and unexpected challenges, opportunities and new perspectives for technology lawyers 
in 2012.


  1. Government ICT Strategy – Strategic Implementation Plan (moving from the ‘what’ to the ‘how’), October 2011, Table 1, p13 (

  3. See for example ‘The Economics of the Cloud’ (Microsoft, November 2010).
  4. See /in-house-lawyer/wp-content/uploads/sites/9/2012/02/eu-com-draft-dp-reg-inter-service-consultation-1.pdf; General Data Protection Regulation, Version 56 (29 November 2011).
  5. Football Dataco Ltd & ors v Yahoo! UK Ltd & ors [2010] was referred to the European Cort of Justice on 9 December 2010 – see In December 2011, advocate general Mengozzi in his Opinion stated ‘I must also observe that, in the present case, the very idea of using copyright to protect football fixture lists seems peculiar, to say the least’.
  6. See
  7. See the Financial Times’ graphic at