Who’s Who Legal brings together Bradley Joslove at Franklin, Laura Liguori at Portolano Cavallo Studio Legale and John Beardwood at Fasken Martineau DuMoulin to discuss recent developments in the field of data, including the effects of the GDPR, the increasing amount of fintech-related work, the legal challenges posed by cloud solutions and the future of the practice.
Bradley Joslove: The GDPR has had a profound effect on our data privacy practice, which has grown exponentially and required us to recruit a new lawyer in this area. We are carrying out GDPR compliance projects for French and international clients. In addition, the huge increase in sanctions, and the media buzz around it, have focused the minds of many clients, who now ask about the data privacy implications of their practices that impact on personal data (transfers of going businesses, introduction of new HR processes, CRM software, etc). There is, as a result, a general increase in the types and volume of data privacy questions we field on a daily basis.
Laura Liguori: The GDPR has highly affected my practice and the type of questions that we have received from clients over the past year. This occurred mainly in two ways: first, the GDPR significantly increased the demand for assistance from clients (either multinationals or entities established in Italy); second, the GDPR has increased the request for consultancy on compliance. Compliance has always been a significant part of our work, but the implementation of compliance programmes has become the main request we are receiving from clients.
John Beardwood: The GDPR has had a significant impact. While it has led our controller clients to “refresh” as to their privacy compliance, the impact has been even more significant on the processor side. In the past, the European legislative focus on the controller, rather than the processor, has led to a tendency for the processor to look more to its negotiated contractual privacy obligations with the controller, and perhaps less to the statutory obligations. The GDPR focus on imposing privacy obligations directly on the processor has therefore led to a wake-up call for providers.
Bradley Joslove: Yes, we have experienced a growth of work related to the fintech space and handle these issues in close coordination with our bank-finance department. This work involves issues of electronic money; BPO and automation; cloud-based solutions; cybersecurity; and data protection.
Laura Liguori: This is true in Italy as well. The fintech industry is at its early stages but it is fast-growing and demanding assistance on several different aspects. We see a great number of start-ups approaching fintech, but also well-established banking, financial and insurance groups approaching new business models based on digital. With the implementation of the second Payment Services Directive (PSD2) it is likely that new actors will enter the payments market, and the open-banking model will propose interesting legal challenges in the relationships between all the players involved in the ecosystem.
John Beardwood: In my experience, “fintech” is a term that is overused. Practitioners have been advising financial companies and their providers for years on the development, procurement and implementation of technology to support or enable banking and financial services – ie, on fintech. Nevertheless, while not new (we were advising on bitcoin exchanges years ago), cryptocurrencies are becoming more pervasive and therefore increasingly the subject of our legal advice, and actual practical applications of blockchain are also emerging that also require advice, in particular in the start-up space.
Bradley Joslove: We have experienced two main types of legal challenges posed by cloud-delivered solutions. First, personal data: issues of security, liability and compliance with the increasingly restrictive legal environment. Second, standard American T&Cs: many of the major suppliers are very large American companies, who insist upon using their standard contracts that are not very client-friendly, and who do not easily accept modification of the terms of those contracts. Our experience has shown, however, that significant amendments can be made to those contracts if the negotiations are handled correctly.
Laura Liguori: The main legal challenges posed by cloud technology concern both contractual aspects and regulatory aspects. From a contractual point of view, one of the main challenges for customers implementing cloud solutions is to obtain a good level of transparency and assistance by cloud providers. The challenge is increased by the fact that, typically, the company outsourcing part of its services to a cloud solution might have little or no capacity in dealing with complex IT systems (this is particularly true for small and medium-sized enterprises). The regulatory challenge is due to the fact that any cloud solution providing services to customers belonging to a highly regulated industry must take into account the peculiarities of the industry and ensure customers can deal with these peculiarities while using the cloud service. In the data protection field, the lack of transparency and the existence of local regulations can make it challenging for companies to migrate to cloud-delivered solutions.
John Beardwood: Software as a service (SaaS) providers face challenges when their solution’s platform – as is increasingly the case – is based on a large cloud provider such as AWS, as they find themselves stuck between customers requiring certain specific security protections, audit rights and service levels, and cloud providers that refuse to customise their offerings to allow those rights. Customers, on the other hand, often face challenges in moving from a hard infrastructure-based solution, with specifically negotiated security protections, audit rights and service levels, to a cloud solution that often cannot provide those elements. For example, we have had multiple experiences where a client’s provider (IBM) tried to persuade the client to move from the provider’s infrastructure solution to the provider’s cloud solution (SoftLayer), where the client refused as the cloud provider – notwithstanding that it was part of the provider’s enterprise – could not step up to the same service levels, etc.
Bradley Joslove: Data privacy and security will continue to be a major challenge over the next few years. We also expect that artificial intelligence, blockchain and digital transformation will raise a myriad of issues for IT lawyers in the coming years.
Laura Liguori: I believe fintech will remain a fast-growing industry in the next few years. I also think that the life sciences industry will continue its growth and development. I see many challenges here, for several reasons. First, this is a highly regulated field where the protection of data (either personal data or non-personal data) is crucial. There is an overlapping of different laws and regulations that should converge towards a common direction. Second, in many cases public bodies are the main entities engaged in the development or use of new solutions involving complex technologies: this means that public bodies must face the regulatory challenges and in many cases (at least in Italy) change substantially the way they have worked in recent decades.
John Beardwood: One of the fascinating dynamics has been tracking the evolution of the customer-vendor discussion regarding liability for confidential information (CI) and personal information (PI). In the past, the industry standard was uncapped liability for confidentiality breaches, to avoid parties engaging in cost-benefit analyses as to whether unauthorised use/disclosure would be worth it. PI started out as a subcategory of CI, but with the explosion of statutory obligations and an increasing public focus, it has been increasingly treated as its own category, and the market has diverged on how it should be treated. This has been complicated by a number of factors.
First, in some jurisdictions, potential damages from a PI breach, whether in the form of fines or damages, are very limited, while in others the exposure is much greater. Second, there is an increasingly nuanced understanding as to what responsibilities the data controller should have versus the processor. Finally, there is increasing complexity as to discussions regarding responsibility for security breaches – the discussion of which is further complicated by providers whose solution is backed by a cloud provider such as AWS. Increasingly, providers are: asking for direction from customers as to what specific security measures the customer wishes to be in place, rather than being required to guess what measures would not only meet an ambiguous “appropriate” or “in compliance with applicable law” standard (which is also largely amorphous), but are also congruent with the customer’s own security policies; noting that different levels of security come at different costs; and refusing to take responsibility for security breaches where the provider is otherwise in compliance with its contractual security obligations – ie, refusing to act as an insurer for all cyber-risk, irrespective of fault.
Bradley Joslove: The only constant in the IT environment is that it is constantly changing. IT lawyers know that they cannot rest on their laurels; they must keep up with the changes in this environment. What I was doing three years ago, I no longer do today; and what I will be doing three years from now will be radically different from what I do today. As a result, IT lawyers have to attend many conferences and do a great deal of reading, to keep up with developments of a business, technical and legal nature in the IT sphere.
Laura Liguori: Attending and speaking at sector-focused conferences is of great help: it requires a lot of work to stay up to date and be aware of the recent developments in the IT and data sector. Being a member of international associations focusing on technology/data protection is also essential: it gives us not only an idea of what the main hot topics in the different jurisdictions are, but it also allows us to constantly exchange opinions and experiences with colleagues from all over the world.
John Beardwood: In addition to being fortunate enough to have clients that are involved in bleeding-edge technology developments, I also frequently speak and publish on these topics. In addition, as past president, I consistently attend the conferences of the International Technology Lawyers Association (ITechLaw) in order to keep myself abreast of developments; it is by far the best organisation in this regard.