Information Technology 2017: Roundtable
Who’s Who Legal brings together José Ramón Morales of Garrigues, Peter Bräutigam of Noerr and Yoshifumi Onodera of Mori Hamada & Matsumoto to discuss the current state of outsourcing work, the growing importance of the fintech space and how to remain up-to-date in such a fast-paced environment.
Have there been any significant regulatory or legislative developments in your jurisdiction? If so, how have these changes impacted the services that you provide to clients?
José Ramón Morales: An important regulatory change in Spain is the adoption of new corporate governance rules for listed companies on December 2014. An amendment to the Spanish Capital Companies Law expressly declares the relevance of the role of the board of directors of listed companies in the supervision of the company’s information systems, by stating that such supervisory role cannot be delegated by the board. This new rule provoked an increase in the degree of direct involvement and awareness of the board members of such companies in all aspects related to the management of the corporate information systems (with specific attention to such topics as outsourcing policies, cybersecurity, business continuity and contingency plans, among others).
In addition, the resolution of October 2015 of the Court of Justice of the European Union (CJEU) – which declared the EU-US Safe Harbor framework invalid as a mechanism to legitimise transfers of personal data from the EU to the US – had a severe impact in Spain. It is important to note that under Spanish data protection legislation, in most cases international data transfers to countries outside the European Economic Area must undergo an administrative authorisation procedure at the Spanish Data Protection Authority (DPA) prior to the transfer; signing Model Contract Clauses (issued by the European Commission pursuant to Article 26(2) of EU Data Protection Directive 95/46/EC) is not enough itself as to comply with the data protection legislation. Consequently, after the Safe Harbour decision the Spanish DPA started to scrutinise data flows between Spain and the US, and to ask companies carrying out exports from Spain to the US (especially clients of outsourcing companies processing data in the US) to file for an authorisation or to notify the Authority if the transfer was to be performed under any other valid legal basis.
Other significant milestones in the privacy rules with a relevant impact on Spain include the decision issued by the CJEU, in 2014, on the Google-Costeja case (followed by the Weltimmo decision and other subsequent rulings), which consolidated an interpretation of the EU Directive considering that the legislation of an EU country shall be applicable to a data controller located outside that country if there are processing activities carried out inside the country, “in the framework of the activities” of that data controller. This interpretation has been applied by the Spanish DPA and the Spanish courts, and it means in practice an additional regulatory burden for data controllers located outside Spain who have any type of linked or connected activities in Spain that can be considered to be carried out “in the framework” of the main activities of the controller.
Peter Bräutigam: There are also remarkable regulatory and legislative developments in the legal field in Germany.
Of particular importance for German enterprises is the introduction of the EU General Data Protection Regulation (EU-DSGVO (the Regulation)), which is due to enter into effect in 2018. This will lead to a unification of European data protection law. The Regulation will be directly applicable law in all Member States, thus eliminating the existing differences in national legislation. The aim of the Regulation is the protection of the basic liberties and fundamental freedoms of natural persons and their right to the protection of personal data (Article 1(2) DSGVO). Although the Regulation will only come into force in 2018, it already impacts our daily work at Noerr LLP since the enterprises have to change their processes and compliance framework in order to comply with the Regulation.
In addition there was a strong reaction of the industry to the Safe Harbour decision of the CJEU in October 2015. Many clients have approached us seeking advice on how to proceed in this uncertain environment. According to the present position of German Data Protection Authorities, the use of model contract clauses (issued by the European Commission pursuant to Article 26(2) of EU Data Protection Directive 95/46/EC) is sufficient to comply with the European data protection prerequisites in the case of data transfers to the US.
Furthermore, two important decisions have to be noted. Firstly, the Faber decision of the CJEU of 4 June 2015 (C-497/13 (Faber)), which contains important information on the reversal of evidence in accordance with Article 5(3) of the Consumer Goods Directive 1999/44/EC. This is especially relevant for (German) consumers. If a product shows a defect within six months of purchase, the consumer must only prove that it is deficient. It is then up to the manufacturer to prove that the deficiency is not its fault. The European Court of Justice has thus established a reversal of evidence in favour of consumers.
Another important development for international cloud services in Germany is marked by the decision of a US court of appeal (the 2nd Circuit New York, judgment of 14 July 2016; No. 14- 2985). In the Microsoft case a New York federal district court sentenced Microsoft to hand over data of a customer which was stored in Ireland, neglecting national sovereignty. This case has been closely observed by the IT industry. Now, the court of appeals has rejected such a far-reaching possibility.
Finally the new MaRisk amendment 2016, an amendment to the Regulatory Framework for Financial Services has also created work for lawyers in Germany. The revision of the principles of the aggregation of risk data and risk reporting (BCBS 239 - Risk Data Aggregation) is particularly noteworthy.
Yoshifumi Onodera: The most significant regulatory development in this field in Japan is that the first bill regulating virtual currencies as the Amendment to the Payment Services Act was passed on 25 May 2016 and that the new regulations will be scheduled to be enforced early next year.
The amended act defines “virtual currency”, “virtual currency exchange services”, and other important concepts and will require virtual currency exchange service providers to register virtual currency exchange services. Moreover, the amended act will impose several obligations including customer identification obligations on virtual currency exchange service providers.
The newly defined “virtual currency” will cover various forms of virtual currencies including Bitcoin, Litecoin, Dogecoin, Ether and XCP.
Based on the newly amended act, virtual currency exchange service providers will have various obligations such as: taking the necessary measures to ensure the safe management of relevant information; providing designated information to users; segregating the property of users from its own property; regularly undergoing audits of such segregated management by an authorised third party; and seeking dispute resolutions with customers through specific ADR proceedings.
In addition, the existing penal provisions of the Payment Services Act will apply to virtual currency exchange service providers.
Outsourcing work was traditionally the bread and butter of an IT lawyer’s practice. Is this still the case? What type of work do you anticipate will become more prevalent in the coming years?
José Ramón Morales: Companies in most sectors of the Spanish market continue to adopt outsourcing as a strategy for cost-reduction purposes and for increasing flexibility and efficiencies; in particular, the process of dramatic consolidation in the banking industry (from 43 entities to approximately 10) has increased the necessity to implement outsourcing solutions in the financial arena.
The results of a recent survey of different companies in several sectors, carried out in Spain by Whitelane Research & Quint Wellington Redwood (published December 2015), show how most of the participants (78 per cent) expressed an intention to keep their current IT outsourcing plans; of these, 37 per cent foresee an increase in outsourcing.
Outsourcing deals related to cloud environments, security management and mobile platforms, and those related to other digital transformation strategies, are probably the most common work for IT lawyers in the next few years.
Peter Bräutigam: Of course, outsourcing work is still the bread and butter of an IT lawyer in Germany. However, it is important to note the developments and trends in this area that will become more relevant in the coming years: business process outsourcing (BPO); multi-sourcing, sourcing of managed services, service integration and management (SIAM); and cloud computing.
Multi-sourcing is gaining importance. More and more companies do not want to commit themselves to an IT service provider for many years, but use the opportunity to choose the most competent provider in every sector. The sourcing of managed services should also be mentioned. In contrast to pure outsourcing, no operative departments are outsourced. The management of assets (software and hardware) and the service will remain with the client. The purpose of managed services is to always keep the company up to date and provide the necessary know-how on a continuous basis.
BPO, the outsourcing of business processes (for example, HR administration or payment services) to external service providers is also increasing in importance. In this context not only the underlying IT, but entire processes are outsourced.
Finally the automation of processes is also heavily impacting the outsourcing arena (catchword: industry 4.0/digitalisation). Automation is more and more substituting outsourcing services delivered by the staff of the providers. This leads and will lead to increasing cost reductions.
This holds true also for cloud computing, which as a standardised service helps to reduce costs for the clients in comparison to tailor-made outsourcing solutions.
Yoshifumi Onodera: Yes, this is still the case in Japan. A market for outsourcing work has been growing steadily and may continue in the future. My view is that the most relevant work in the Japanese market in the coming years will be related to business sectors such as fintech, the internet of things, virtual currency, big data and life science. In fact, I am currently handling the very first case to introduce one of the major virtual currency systems in the world to the Japanese market. The issues in this case span many legal areas including financial regulations, information technology, media, and licensing of IPs.
The advent of big data analytics has thrown up interesting questions in terms of data protection and privacy issues. Is this an issue that you’ve encountered in your practice? If so, what advice have you given to clients?
José Ramón Morales: Our firm is increasingly involved in legal advice to companies and projects having as a key element big data analytics, mainly in the health, financial and telecoms industries. Special mention has to be made to fintech environment, where it is quite common to find lenders using big data for speeding up the credit scoring process.
In our advice to clients in such projects, particular attention is paid to the consent to be obtained from the affected person (not only for the data processing activities, but also for the assignment of the data to the different players of the value chain); as well as to the necessity to carefully evaluate the proportionality in the use of the data collected or generated.
Peter Bräutigam: Big data, big data analytics and the related tools of software form a significant part of our legal practice. The most pressing issue of big data analytics is the conflict between the limited use of personal data being bound by the exact consent on the one hand and the business interest to exploit and analyse data in the broadest way possible on the other hand. In order to resolve this conflict, anonymisation and pseudonymisation are used in many cases.
Yoshifumi Onodera: Yes, definitely. Big data analytics frequently conflicts with personal data protection and privacy issues in Japan. I am repeatedly called upon by my clients to advise on these issues – particularly, revisions to data privacy policies and form agreements from the perspective of the era of big data, and occasionally dispute resolutions related to significant leaks of personal data.
A number of respondents noted that there had been an exponential increase in the amount of work related to the fintech industry, is that something that you’ve seen in your own practice? How do you see demand in this space evolving over the coming year?
José Ramón Morales: During the last couple of years, we have been instructed by a growing number of clients in connection with fintech and insurtech projects. This includes not only start-up companies and large technology companies launching disruptive initiatives, but also traditional players (banks, other credit institutions, insurance companies) designing and deploying new tools, processes and commercial offers to compete with the value proposition of the new competitors.
The regulatory challenges that fintech and insurtech projects represent to the financial authorities is one of the areas we understand will generate a lot of legal work in the next few months (with special attention to those services addressed to end-consumers). Use of big data analytics by fintech and insurtech companies and projects and its implications on data privacy shall also be a hot topic for IT lawyers.
Peter Bräutigam: Through the digitalisation of the banking and insurance world, more specialised advice is now required in this sector. We advise both fintech and insurtech companies and also well-established large insurance companies and banks seeking legal advice in the digital arena, eg, in the context of establishing electronic mailboxes for their customers. A special challenge for young start-ups is to deal with the regulatory framework for the banking and insurance industry, eg, credit law (KWG), insurance law (VAG) and the MaRisk amendment they are not familiar with.
Yoshifumi Onodera: Demand from most of our clients for fintech-related work has been rapidly increasing within the past few years and I firmly believe this trend will continue for the next few years. Adapting to this trend, our firm launched its “FinTech Platform Project” in September in which over 40 attorneys are currently involved. Using our years of experience advising on start-ups, and wealth of legal expertise in the fields of finance, dispute resolution, IT, investment funds, and M&A, the goal of the project is to establish a platform upon which the firm can support the development and advancement of the fintech ecosystem on a legal and transactional basis. The project is very important to us because it enables us to better support start-ups, financial institutions and other fintech players with their enterprise strategies. We can provide clients with comprehensive, integrated services: business start-up, investment counselling, open innovation initiatives, fundraising, compliance, licensing, documentation, auditing support and crisis management.
Given that information technology is such a fast-paced environment, how important do you consider it to be to anticipate market trends and technological developments?
José Ramón Morales: As a law firm fully committed to the quality of service to our clients, it is unavoidable for us to make a continuous effort to understand the evolution of the market in which our clients operate. This includes the necessity to follow and keep permanently up to date not only with technology developments, but also with the new business models and service models that arise as a consequence of technology innovation.
In a number of areas that represent the cutting edge of innovation (fintech, blockchain technologies, robotics, AI, industry 4.0, sharing economy), we are taking part in working groups and expert discussions on the legal implications of such technologies and new business models.
Peter Bräutigam: I believe it is extremely important to always be up to date in the field of technology development and to closely follows market trends. This is the only way to provide excellent legal advice to the client.
Against this background, in November 2015 we drew up a 240-page expert assessment on digitalisation called “The Digital Economy/Industry 4.0” commissioned by the Confederation of German Industry. It is freely available at https://www.noerr.com/en/landingpages/anmeldung/rechtsgutachten-digitalisierung-EN.
The topics covered in this expert legal opinion range from rights to data, data privacy, know-how protection in the context of industry 4.0, open innovation and liability, IT security and the cloud.
Yoshifumi Onodera: New types of IT-related works are entering the market very rapidly; moreover, commoditisation of these works is also proceeding at the same brisk pace. Therefore, TMT attorneys practising in this field are compelled to continually keep their knowledge and skills up to date, so it is exciting for us to help advance such wonderful future technologies. In fact, I frequently hold meetings not only with colleagues that include young associates and trainees, but also with authorities in related fields in order to discuss and study evolutions and revolutions in technologies as well as the relevant laws, regulations and case law. In addition, our firm frequently seconds young attorneys to Japanese governmental organisations such as the Financial Services Agency and the Ministry of Economy, Trade and Industry, as well as to private sectors such as venture capital firms, in order to gain more practical knowledge and experience. I believe these efforts have also made my own work in this field that much stronger.