Who’s Who Legal brings together eight leading experts from England, India, Finland, Hong Kong, Austria, Brazil, Germany and Israel to discuss issues facing IT lawyers and their clients in the industry today.
Richard Kemp: As data volumes explode (currently at the rate of 10 times every five years) and computing migrates to the cloud, data regulation continues to become more intrusive and onerous. In addition to all the changes we’re seeing around data protection (the progress of the new General Data Protection Regulation, fallout from the Schrems and Weltimmo cases), clients are getting to grips with what big data and the internet of things means for them in terms of the personal data that they control and process. Along with data protection, data sovereignty (when government or other agencies can access your data in the cloud without your knowing) and data security (the technical, legal, organisational and management steps an organisation takes to achieve its desired security outcomes) are becoming increasingly important to all our clients. These regulatory changes mean we’re looking at a whole new practice area around data law.
Akil Hirani: The information technology sector has emerged as one of the most significant growth catalysts to the Indian economy. In India, unlike in the US or the European Union, currently, there is no specific legislation dealing with data protection or privacy. The right to privacy has evolved out of article 21 of the Constitution of India (1950) and presently, data protection in India is achieved by enforcement of privacy rights as per the provisions of the Constitution of India, the Information Technology Act (2000) (the IT Act) (and the rules framed thereunder), the Indian Contract Act (1872), the Copyright Act (1957) and the Indian Penal Code (1860).
The IT Act, which regulates the use of computers, computer systems and computer networks as also data and information in the electronic format, was significantly amended in 2008. Further, in 2011, the Indian government notified various rules under the IT Act, including on certain security practices and safety standards to be adopted for exchange of information on a computer resource. Furthermore, in July 2013, the government of India released the National Cyber Security Policy, with a vision to build a secure and resilient cyberspace for citizens, businesses and the government. Although the policy has been viewed as a positive step in the right direction, India’s data protection laws are still at a nascent stage and not as developed as laws in the West. The Indian government has introduced the Right to Privacy Bill to cover wider aspects of data protection; however, this bill is still pending in Parliament. Having said that, there is an increased awareness of the importance of data protection and Indian companies are implementing various security measures.
Martin von Willebrand: Cyber-attacks and preventive actions by authorities have been a lively discussion subject in Finland during the last year. In fact, new legislation is being prepared to enable the military and law enforcement to monitor and respond to external and internal threats. There is tension between the interests of the individuals and organisations, and those of the government agencies. This tension is particularly clear regarding the monitoring and collection of data for the purposes of preventing internal threats. Individuals and organisations fear abuse possibilities, whereas government agencies would like to authorise mass collection of data. The data protection landscape is also changing with the upcoming EU Data Protection Regulation, and now with the recent safe harbour decision by the European Court of Justice.
In terms of law firm work, the importance of data protection has clearly risen on the radar of customers. That has meant an increasing amount of data protection work. Work in response to cyber-attacks has remained sporadic.
Gabriela Kennedy: There is no denying that cyber-security is now intrinsically linked with data protection. After a couple of years of new data privacy legislation being passed (Singapore, Malaysia Philippines, South Korea) or amended (Hong Kong, Taiwan), new regulations – whether at sectoral level or at national level – concerning cyber-security are now beginning to emerge. China’s draft cyber-security law with its data localisation effect has made headlines and elsewhere financial regulators have issued circulars regarding the IT systems of authorised institutions (Hong Kong and Singapore).
Thomas Höhne: There aren’t any regulatory changes in the past few years. Nevertheless there is an increase in work for us. People notice cyber-attacks and castigate companies for their poor security systems. This means that companies change their behaviour with IT companies, especially the data protection parts in contracts are getting more comprehensive.
Fabio Luiz Barboza Pereira: Although Brazil does not have a comprehensive data protection framework, Brazilian laws set forth that the protection of privacy and personal information is considered a fundamental individual guarantee. In general terms, the collection, recordation, access, transfer and use of personal information depend on the data subject’s prior and express consent.
A new version of a Bill of Law on personal data has been recently announced by the Ministry of Justice, which will now be forwarded for the approval of the Brazilian Civil Office and, subsequently, forwarded to the National Congress for voting. This Bill of Law aims at ensuring minimum standards for the use and processing of personal data by organisations, companies and by the government.
Additionally, Brazil has enacted Law No. 12,965/2014, the Brazilian Civil Rights Framework for the Internet. According to article 7 of this law, internet users shall be guaranteed, among other things, the non-violation of their intimacy and private life, as well as non-violation and secrecy of their communications over the internet and stored private communications.
Finally, another recent piece of legislation, Law No. 12,737/2012 (the Carolina Dieckmann Law), was aimed at protecting individuals against cybercrimes. The law established certain cybercrimes, such as cyber hacking, that threaten the safety of online transactions. Other online activities prohibited under the law include the counterfeiting of credit and debit cards, circumvention of security measures, and the intentional interruption of information technology.
Matthias Nordmann: Indeed, the risk of data breaches has kept legislators and management in most companies concerned over the past years. Recent legislative initiatives we have seen include cyber-security laws such as the obligation on internet services providers to implement state-of-the art technical and organisational measures against illicit access to their systems, such as for instance secure encryption. However, these new laws leave it up to the industry and the courts to define what can be considered a “secure” encryption. Furthermore, data breach and data loss regulations have been introduced. According to these rules, providers have to comply with a detailed process of reacting to illicit access to their systems including countermeasures and notification requirements, with information for the persons concerned as well as the competent authorities. As immediate action is required in the event of a breach or loss, companies have taken the initiative to set up predefined data breach and data loss procedures (partly as a reaction to these laws but also to protect their reputation as “security” has become a value of trust for their customers). As a consequence, we also see insurance products being created aimed at covering forensic damages, legal costs (also against class actions) as well as reputational damages and fines.
Yuval Horn: Israel has been aware of the need to protect its institutions from cyber-attacks, for the privacy of personal information and other confidential information. Laws and regulations protected these interests. In 2011 the government established the National Cyber Bureau (NCB), which is authorised to defend national infrastructures from cyber-attacks; advance Israel as a centre of information technology; and encourage research and development within the private and public sectors. Regulators guided by the NCB have been issuing regulations and best practice guidelines. The most recent have been “Information Risk Management in Institutional Entities” and “Cyber Defense Management in Banking Corporations and Credit Card Companies”.
We have advised on an increasing number of issues and agreements relating to the protection and privacy of personal data, governed by the Protection of Privacy Law, 5741-1981. The Israeli Law, Information and Technology Authority (ILITA) regulates databases containing private or sensitive information. Application and software developers regularly seek our advice with respect to database protection and registration, restrictions on transfer of information, and related allocation of resources.
Israel was considered to provide an adequate level of protection for personal data for the purposes of the European Directive 95/46/EC. Following the recent landmark judgment by the Court of Justice of the EU on 6 October, 2015 reverting the US-EU Safe Harbor programme, the ILITA adopted the decision, and has restricted transfers of certain data to the US, effective immediately. The authority has advised owners of databases to assess whether they may legitimise the transfer of personal data between Israel and the US under other exceptions listed in the 2001 Regulations. Clients are reviewing the implications of their current agreements and data protection standards.
Richard Kemp: Outsourcing continues to be a major cost and efficiency driver in the UK for a range of our clients, particularly as it becomes practical to do smaller, more granular outsourcing deals with a high degree of confidence. Another major trend is the third platform, a term coined by research consultancy IDC to describe the convergence of the cloud, big data and mobile. Cloud data centres are the engine room of the cloud, which is now the “new normal”, with cloud services growing at 25 per cent per year, and many clients are increasingly putting out their workloads to the cloud. Data volumes – 80 per cent unstructured from the internet – are growing at the rate of 10 times every five years and clients are starting enterprise-wide information governance and big data analytics projects to harness competitive advantage. Mobile has an impact in many ways – not least in reshaping the boundaries between work and home life, with mobiles and bring-your-own-device. All these trends generate work for IT lawyers.
Akil Hirani: Offshore outsourcing to India continues to be popular and is extremely advantageous because of reasonable pricing and a large pool of skilled manpower available in India. Indian BPOs provide a wide range of activities such as customer interaction, back-office operations, human resource services, medical transcription, data digitisation, etc. The trend we are now seeing is a move away from setting up captives to using third-party service providers. Another trend is foreign law firms and multinationals are outsourcing several types of legal work, including pre-litigation document review and advanced commercial contracts drafting, to legal process outsourcing entities based in India.
In this backdrop, data privacy and confidentiality, protection of intellectual property rights, employee-related concerns, dispute resolution mechanisms and choice of law, are the key areas on which clients seek advice from Indian law firms.
Martin von Willebrand: Outsourcing remains a strong driver of activity for ICT work. In fact, most of the corporate ICT are built on different type of supplier services, some of which clearly are outsourcing. The distinction between outsourcing and purchasing of ICT services based in the cloud is sometimes very vague. Traditional project work – which clearly is not outsourcing – is less frequent, but at times still plays a critical role in corporate ICT.
There are two more subtle, but important, trends in relation to outsourcing. As a background, ICT and process automation is extending to all fields of activity. But at the same time purchasers are less willing to purchase large-scale service deliveries from a single vendor due to the inherent risks of huge transition projects and the real or potential inflexibility of single-supplier settings. As a result the corporate ICT landscape is becoming more and more clearly a domain of management of multiple suppliers.
Gabriela Kennedy: Yes, though the trend is really cloud computing – there are region-wide outsourcing transactions but typically they are driven out of HQ in either the States or Europe. A significant piece of this work concerns localising agreements according to local data privacy and security practices and regulations. We have also seen an upturn in the number of data centre deals and some interesting new technology being developed by start-ups in the region.
Thomas Höhne: Outsourcing is the big thing. Due to the complexity of IT systems nowadays, the outsourcing contracts are getting more detailed and complicated, especially the technological part. Another major trend is – as we already mentioned – data security.
Fabio Luiz Barboza Pereira: Outsourcing continues to expand in Brazil on a large scale. According to the Institute of Applied Economics Research, the number of outsourced workers is increasing at a rate of 1 million per year, having reached 14 million outsourced workers in 2014, or 29.7 per cent of the total of approximately 47.4 million formal workers.
A recent hot topic in Brazil has been the Brazilian Congress’ approval of Bill of Law 4,330/2004, which aims at allowing the outsourcing of private companies’ core activities. Said Bill was sent for Senate’s approval and a vote is expected next year.
Another trend which directly affects our work is the fact that Brazil has reached maturity in relation to cloud computing outsourcing. Some of the world’s main cloud computing providers have local presence in the country, thereby raising the demand for specialised legal assistance in relation to information technology services agreements.
Matthias Nordmann: A lot can be discussed in outsourcing. But one aspect that has had a large influence on outsourcing products and deals lately has again been data protection. While the industry had just started to find secure, legal and cost-effective cloud-based outsourcing solutions, recent developments in data protection have caused new confusion and legal uncertainty. Just recently a decision by the ECJ killed the so-called Safe Harbour solution that had provided a practical solution for transferring personal data from Europe to the US for some time. Even more, the reasons provided by the ECJ in its decision indicate that even alternative legal means like the EU Standard Clauses or Corporate Binding Rules may no longer be considered a secure way of transferring personal data to the US.
Yuval Horn: Yes, we have also counseled our clients in the outsourcing of various IT-related functions and activities. These may encompass diverse aspects of the organisation’s operations, from internal, infrastructure-oriented activities such as migration projects and ongoing maintenance/support activities to the outsourcing of core assignments such as software programming, interface design and quality assurance. Outsourcing may take the form of a specific project (with or without follow-up support) or the ongoing consumption of third-party services from one or several service providers. The outsourcing of long-term services and core activities raises various business and legal considerations to address, such as employment law aspects of supervision and control over personnel, the adequate assignment of ownership of intellectual property, the applicability of non-competition and other restrictive provisions on service providers and their personnel, and the allocation of responsibility (and corresponding liability) for quality of services and for deliverables provided.
Richard Kemp: Yes, and we’re a case in point – when I set up my previous firm 20 years ago, we spent £200,000 on IT in the first 18 months. Eighteen months out at Kemp IT Law and with the cloud, we’ve spent £30,000 with significantly greater IT functionality and flexibility. IT running costs are negligible compared with on-premises IT. Working from home is now completely acceptable to all types of clients as they judge by service quality, so we no longer have rent, one of the largest law firm outgoings. All this make it easier and more attractive for niche and boutique firms, who are able to deliver an enhanced service at a better price for the client and margin for themselves, without the risk and bother of a larger practice. It’s all about the client at the end of the day and delivering the service they want, and as clients get more discerning about the range of provider options they have to choose from for particular kinds of work, I believe we’ll see more niche and boutique firms in the IT area.
Akil Hirani: There has been a rapid increase in the number of niche and boutique law firms targeting start-ups. Established law firms in India have also started offering special rates to start-ups and have set up start-up-focused teams offering specialised services. There are enough deals in the start-up market for both boutique and established law firms to share.
Martin von Willebrand: There are traditionally a lot of small law firms in Finland that apply clearly lower pricing schemes towards their clientele, including start-ups. And some larger law firms do not serve start-up customers at all. No significant change here. However, many start-ups prefer to be global. This means that they may be served by non-Finnish law firms, or non-Finnish start-ups may end up using Finnish law firms. The competition for these customers is therefore more global. And it seems that some London based law firms, for example, are in search of the “unicorn” start-ups – in line with venture capitalists – and offer very appealing fee schemes to such start-ups.
A related trend is the use of technology in the delivery and production of legal services. Small or new law firms have a greater appetite for new service models and the usage of technology. I believe that we will see a growing amount of pieces of traditional legal service moving to suppliers that strongly embrace technology, also legal tech start-ups.
Gabriela Kennedy: I guess you are talking about disruptors à la Axiom, as boutique firms have been around for a while and many have now morphed into rather traditional medium-sized if not large firms. Disruption is good; I would not be a true technology lawyer if I said I did not like change. Quite a few firms are dealing with this disruption by adopting the model themselves and creating wholly owned but differently branded disruptors themselves. Nobody has yet quite disrupted the disruptors – that would require a totally new business model. Now that is a challenge!
Thomas Höhne: We regard ourselves as boutique firm with highly specialised services and we offer our clients highly experienced experts in this specific legal area. The object of our efforts is to provide our clients with comprehensive legal assistance and professional advice. Niche and boutique law firms are for sure an issue in our jurisdiction – the effect on the legal market is in our point of view that law firms, as is the case with us, are obliged to bring clarity and consistency into complex situations with an eye on the costs of the services. Clients want eagerly to be able to foresee and fully understand what services they are paying for and why and they are well able to distinguish between real services and others and they are seeking for a constant partner in legal affairs whom they can trust also regarding their expenses.
Fabio Luiz Barboza Pereira: The increasing number of niche and boutique firms in the legal market is mainly related to the growing demand for specialised counselling and attorneys with certain expertise. Although most of those small firms tend to focus on the start-up market, most of the full-service firms have also developed specific practices to deal with and support start-ups, with a differentiated approach and special fee arrangements.
Nevertheless, this has not been an issue in Brazil. Contrary to the popular belief, boutique firms are not necessarily competitors of full-service firms, since small firms frequently assist full-service firms in certain cases or are selected to provide a second opinion on relevant and specific matters. The firms usually work as partners aiming to reduce costs and provide even more effective and tailor-made advice to clients.
Matthias Nordmann: It is true that the market has seen a recent increase in specialised spin-offs of larger firms and other boutique firms. However, start-ups often need a wider range of legal advice starting from IT, digital business and data protection advice to labour law, venture capital, tax structuring, regulatory, distribution, lease and commercial law. So often niche firms cannot provide the full range of advice needed. On the other hand, high standard hourly rates can often not be paid. As a consequence, we see larger firms reacting with flat-fee arrangements for certain modules like website compliance, employee incentive programmes, financing rounds or other. Alternatively, we see step-up models where hourly fees start on a low level in early rounds but increase in later financing rounds. Advice against equity is rarely a model offered by larger firms.
Yuval Horn: Clients (especially the tech-savvy, but also global companies) seek the advice of the specific experts in the field, and have access to the identity of these experts, regardless of their firm. They understand that setting up a start-up and entering into negotiations with large players (technology partners or financial backers) requires expertise that would assist them in unchartered territories, but also be efficient and decrease their legal fees. Therefore, while the Israeli market has witnessed the substantial growth of the top three firms, and an increase in the size of the others, we have also witnessed the increase in the number of quality niche and boutique firms. These firms operate mainly in the areas of litigation, capital markets, tax and (as would be expected in the “start-up nation”), high-tech. These firms are typically set up by former partners of larger firms, who run firms that are equivalent (or superior) in quality to any of the parallel departments of the larger firms. The growth of our firm, which is one of the largest high-tech “niche firms”, and of several others in Israel, in parallel to the significant growth of the largest firms (and despite attempts to decrease fees), proves the business case for highly specialised services by boutique firms.