Research Trends and Conclusions: Internet, e-Commerce and Data Protection 2012
With the benefit of over 14 years of research and thousands of votes from clients and private practitioners, Who’s Who Legal takes a closer look at developing trends in the internet legal marketplace worldwide.
It would have been difficult, a few years ago, to predict just how integral this area of law would become to corporations across the world. Data protection was barely an afterthought in business, and the rise and rise of electronic and mobile commerce and the internet in commercial activity has been staggering, with the technology wildly outpacing the laws and regulations introduced in its wake. A strong online presence has become an absolute necessity for businesses of all types, and lawyers who have quietly gained expert status in this area are an invaluable resource.
Below we will take a look at some of the key areas that are driving and shaping practice for lawyers in this space:
DATA PROTECTION: THIS TIME IT MEANS BUSINESS
Research for this edition began with clicking past the new “consent for cookies” banners that had suddenly and conspicuously materialised on virtually every London law firm’s website. The so-called e-Privacy Directive came into force on 26 May 2012 and many organisations in the UK were scrambling to comply with (and interpret) its terms. The directive has been widely criticised for its lack of clarity, to the extent that lawyers described clients who were firmly of the “head in the sand” persuasion, given the perceived impact of compliance on their services. As it transpires, its provisions may not be as onerous as its legal letter would suggest, and subsequent guidance has expanded on the concept of “implied consent”, to the relief of many. That said, it is still a relevant indicator of a sea change in data protection regulation which is beginning to demand it be taken seriously.
The EU Regulation, which was introduced by the European Commission in January, is a potential game-changer, driving data protection up the corporate agenda. Its provisions include penalties of up to 2 per cent of annual revenue, representing massive sums to large, multinational corporations. It also contains “the right to be forgotten” as well as further positive requirements, such as for an office for data protection where an organisation has more than 250 employees. Crucially, this regulation would apply to all data controllers who are storing data of EU citizens, ie, most US and multinational corporate entities, wherever they are based.
The lobbying window for this regulation will have closed by the time this edition goes to press and activity will begin on interpretation and pre-emptive compliance for when it comes into effect (likely 2015 or 2016).
This effect of this regulation is emblematic of a wider issue in data protection: when data is collected from many countries, stored in yet others, and moved between them all, with which state’s regulatory requirements should an organisation comply? Attempting to comply with the strictest applicable rule with respect to each aspect of operation will often disproportionally hinder business efficacy and service provision, and so a certain degree of finesse by lawyers is crucial. This is effectively a process of risk management: our research indicated that lawyers and clients in continental Europe are far more risk-averse in this area than their counterparts in the United States, with lawyers in the UK operating somewhere in the middle.
There are varying levels of regulation across Europe but there are, on the whole, strong systems of requirements. To take the example of the cookie directive: several lawyers on the continent explain that most of their clients had complied already and it did not present any major problems getting the others up to speed. In the UK, however, there was greater confusion, with many failing to comply at all, despite it being brought in a year later than in other parts of Europe. To use another example, in Germany it is illegal to publish employee details in a profile on a company website without their explicit consent. This is in sharp contrast with the US where, for the most part, industry is self-regulated. It had once been thought that the US would lead the way on data protection given its economic clout but it has, to an extent, come to pass rather the other way round, with US companies regulating in line with European standards. There are robust systems of regulation in the Asia-Pacific region and, in emerging markets, increasing internet access and activity has led to new bodies of primary and secondary legislation coming into play, largely emulating that of near neighbours. India is an important market for IT, with major international companies having moved in, and this practice area is likely to become far more energetic once government investment in broadband trickles down and the planned data protection legislation comes in next year. Latin America, taking its lead from Spain and Portugal, has a strong regulatory framework in place. There is some question as to where the line should be drawn between business interests and data protection, and some concern with regards to inhibiting commercial activity but, in a broader sense, a strong/safe data environment tends to encourage businesses to enter markets.
Social media in law, as in life, has had a transformative effect. The unspoken agreement that saw users effectively selling their personal information to Facebook and other sites is no longer unspoken and consumers are becoming increasingly “privacy literate”: they know how their data is used and, increasingly, what it is worth. Therefore the traditional dissonance between business concerns (we want as much information as possible) and privacy concerns (the opposite) is becoming more nuanced (we want as much information as we can get without it discouraging you from using our service). Another impact of the social networking phenomenon is businesses becoming “friendly”; creating Facebook profiles, for example, or tweeting. Lawyers, and this is particularly the case in the US, take on a role which combines PR with legal advice as they devise social networking and interaction strategies and manage the online presence of their clients.
Lawyers in the UK have also reported a crossover with media as top dollar is being spent on market research and advertising (the Olympics is a good example). Audience segmentation is particularly valuable. The question to lawyers will often be: “If we do this, can we use the data?” Lawyers report the need for becoming familiar with parallel, not always law-related, areas. Lawyers also described a growing demand for advice on online gambling and gaming.
The storage and communication of sensitive data throws up issues of its own. In the UK, several National Health Service trusts have had penalties issued against them by the Information Commissioner for the misuse of such information. As the global economy has yet to regain its footing and states look to save money, technology is a key tool, and efficiency measures, such as e-prescriptions, are gaining traction. As the same time, continued innovation in technology has increased the importance of e-health and m-health and this is a trend that is predicted by many to become more prominent. This creates a sub-specialism of pharmacovigilance, in which there is an increasing interest.
In addition to the factors above, as large corporate entities handle ever more, and ever more meaningful, data the potential implications of a data breach become seismic: nobody wants to suffer the same issues that have recently afflicted companies such as Sony and LinkedIn. The combination of the regulatory changes and the risk of brand damage has been enough to take data protection considerations all the way to the boardroom.
HEAD IN THE CLOUD
Cloud computing has been one of the most frequently mentioned topics in the course of our research: most lawyers report that it is has been one of the most influential factors in shaping their research practice; others dissent, explaining that its impact is not as great as had been predicted. Certainly, whatever “it” may be, a version of it can be found in the cloud. Cloud services and platforms offer such a cost-effective solution to businesses that its use is often a no-brainer. Smaller businesses are able to get to market quicker with existing cloud services and then customise them as they go along. The effect has been an incredibly vibrant business environment and many law firms specialise solely in advising these start-ups.
The cloud has thrown up a number of legal issues, many of which remain untested, and lawyers are busily untangling the various liabilities that exist between parties. The “internet ecosystem” is evolving and one website experience might use the service of many others which makes the deals more complicated. Information is being shared between all of these providers and each is vying to own a part of the data/customer experience and for the right to reuse that information.
It is predicted that, as the system develops, bigger players will start to utilise the cloud and, when they do, the legal framework will develop at pace. In particular, when they throw their weight behind contract negotiations, the cloud providers will be forced to stray from the standard terms and conditions on which basis they currently operate.
E AND M-COMMERCE
This is clearly a crucial area for internet-based companies. Once the app or website is developed and has a platform, the next step is to consider how to monetise it and once that is achieved how to obtain payment. Since the “Apple revolution”, lawyers report a growing trend for e-commerce to merge with m-commerce, with some organisations skipping straight to mobile phone payment, as smart phone uptake increases alongside confidence in remote transactions. E-wallets are also back on the agenda and innovations such as Barclays’ Pingit will continue to appear and expand and require the services of e-commerce specialists.
One of the key roles for an e-commerce lawyer will be awareness of the various legislative and regulatory frameworks and requirements that will apply to the given model of payment/exchange: in this regard, there is a strong crossover with regulatory and contract law. As one lawyer put it, “I was a specialist until I became an e-commerce lawyer and then I needed to become a generalist again.”
As a result, lawyers may have established their practice in one of a range of areas before switching to e-commerce, for example media and advertising, gaming, traditional publishing or regulatory communications. Another key aspect of e-commerce practice is identifying any potential legal pitfalls and guarding against them so far as possible and in this respect, as in many other in this practice area, experience of having “been there, done that” is highly prized.
LEGAL MARKETPLACE SUMMARY
As a result of the foregoing, corporations are allocating an increasing proportion of their budgets to internet, e-commerce and data protection law, and law firms, in turn, are pursuing this business. At the highest level there is fierce headhunting and some movement but, at the same time, lawyers show some reluctance to move into firms who do not list this area among their core services and where, therefore, they are unlikely to get in on the most important cases. Law firms have also had to contend with specialists departing in order to set up boutique practices. In-house counsel have, in the past, taken on a lot of this work themselves and a few of them have now been lured into private practice. This movement has also been noted in the other direction, leaving gaps in private practice for specialists which is further fuelling the demand for those at the top of the ladder. It was widely communicated that, while many may have the technical and legal ability to operate in this area, substantial experience is crucial, as lawyers will ground a lot of their advice on risk assessment and predicting the scope of any potential fallout. That said, there is room for more lawyers in this area and talent is finding its way into the ranks, especially in providing good-value services to smaller businesses. In this respect, the practice area can be unusually open to new firms; in certain cases, there is a symbiosis between some law firms and their clients, both of which may be start-ups, new to the market and growing up together.
This is likely to be an exciting year for lawyers operating in this field, and the shape of practice looks set to continue its evolution, with more litigation being involved as class actions and regulator fines become more recurrent. We are likely to see more lateral hires as firms jostle for position and compete with smaller, niche outfits for their share in this enticing market.