Data: a day-to-day issue
It is sometimes said that ‘all companies are tech companies now’ – and certainly many businesses are looking at how they can get a competitive advantage from new technology. Some are choosing to build their own innovative tech, some to collaborate with others and some to buy in the know-how they need. But for any business trying to get the most return from its tech investment, a key issue will be data: gaining access to data, gaining the rights to use and protect data, and avoiding the gaze of the regulators. And for multinational businesses, these factors need to be addressed across many different legal jurisdictions – at a time when technology and the law are both changing fast.
All of this means that businesses – and particularly their in-house lawyers – are having to get up to speed quickly with any data laws that might affect their strategy. This handbook aims to help them do that.
Data law: a many-headed hydra
A quick glance at this handbook shows the wide range of laws that can affect how businesses may obtain, store and exploit data. While data protection will already be a familiar concept for most lawyers, there are many other areas of law that touch on (personal and non-personal) data. For example:
- Businesses that buy or develop large data sets will need to know who owns any intellectual property rights in those data sets. This issue will become more critical as artificial intelligence develops, given that AI generates its own data outputs – this raises interesting new legal questions around IP ownership.
- As businesses start to become more interconnected and share more data, they will need to think carefully about contractual issues that might limit what they and others can do with that data.
- Those acquiring large or specialised data sets – or pooling them with others – will need to check any antitrust restrictions. This issue is only going to grow in importance, particularly given antitrust regulators’ new focus on data – and the potentially severe penalties they can impose.
- For all businesses, cybersecurity continues to be a key boardroom issue. Globally, we are seeing new laws demanding greater cyber-readiness and stricter rules on what to do if a cyber breach occurs.
As well as these general legal areas, some industries need to comply with sector-specific data laws – particularly in financial services and healthcare businesses, and those that deal with children’s data.
And we are just starting to see new laws aimed at regulating the use of AI. For example, the United States has recently seen new rules on how businesses may use chatbots to communicate with customers, and on using AI in the hiring process – as well as laws regulating driverless vehicles.
Data around the world
For global businesses that want to roll out products or services internationally, data laws pose a particular challenge. We have seen some harmonisation in EU data protection law with the EU General Data Protection Regulation, but the laws in other jurisdictions diverge considerably – even just in the United States, there is a whole patchwork of federal and state privacy laws that businesses may need to consider. Some businesses might choose to adopt a ‘gold standard’ approach to their data protection strategy, ensuring they comply with the strictest national laws right across the global business – but this can mean losing a competitive advantage in some markets.
And any multi-jurisdictional business needs to think carefully about data localisation laws when structuring its data assets. Many readers will be familiar with the GDPR’s restrictions on sending personal data out of the European Union, but we are also seeing strict data localisation rules in other jurisdictions, including China and Russia.
The cybersecurity threat raises its own compliance challenge for multinational businesses, who need to work out who they must notify of any cyber breach, and when – while also navigating differing and ambiguous standards for IT security. An effective cyber incident-response plan needs to include a strategy for notifying customers, regulators, insurers, auditors, suppliers and the market. The European Union is well known for its race against the GDPR’s 72-hour clock and, again, the United States offers its own challenges, with different breach notification regimes in each of the 50 states. Meanwhile, businesses in some industries need to think about sector-specific rules on notifying breaches – like the European Union’s rules for digital and other businesses, and Mexico’s new rules for the fintech sector. These regimes differ in their notification triggers, content requirements and deadlines, creating a huge challenge for any business hit by a data breach. But all businesses should devote considerable resources to planning for the worst – not least because, if a breach does occur, regulators will look closely at the amount of pre-planning when deciding any penalties.
Data deals: due diligence and the cyber threat
Any business that decides to buy in new data assets needs to make data due diligence a priority – or at least be alive to the risks of not doing so. A buyer will want to know that it is getting the rights to use and exploit the data, and also that it is not taking on any hidden data protection compliance problems. And on acquisitions of all kinds, the cybersecurity risk means that thorough cyber-diligence is now vital, either before closing or as part of integration. We have seen several high-profile cyber-breach cases resulting from legacy IT systems that were acquired as part of a previous deal. It is unsurprising that cyber issues that arise on M&A due diligence can now affect deal value hugely – or even be deal-breakers.
Data in business
In all of this, the most effective (and valuable) lawyers will be those who can work closely with the relevant technologists. Complying with data protection and cybersecurity laws requires businesses to implement a host of policies, procedures, systems and controls (referred to in the GDPR as technical and organisational measures, or TOMs). This means in-house lawyers need to work closely with other business teams. The best-prepared businesses will have IT, legal, public relations, compliance, insurance and human resources staff – and external advisers – working together to ensure a holistic approach to data protection and cybersecurity.
We are also seeing a new trend for cyber regulators conducting enforcement actions to require IT or cyber certifications at board level – so a wise business would implement those certifications in advance of any problems.
What does the future hold?
This is the first edition of this handbook. By the time we bring you the second edition, we expect there will have been further steps in innovation, particularly in AI. For example, facial recognition technology is particularly likely to become a greater part of our daily lives, with the huge privacy implication that will entail. Widespread use of AI by businesses might also cause antitrust regulators to scrutinise new kinds of cartels, where algorithms monitor and adjust prices automatically. We are also likely to see a big shift towards greater interconnectivity, and perhaps even advances in quantum computing – which might require a whole new approach to cybersecurity technology and regulation.
We can also expect to see a blurring of legal and ethical rules, including progress towards codes of ‘data ethics’ – something that is just starting to occupy the minds of lawyers, regulators, technologists and philosophers. And we will no doubt see developments in legal practice, perhaps including more frequent class actions involving those affected by cyber breaches.
For now, we hope that this handbook will be a useful reference tool for in-house lawyers and anyone else seeking to get to grips with this fast-changing area of law.
The author would like to thank Melonie Atraghji for her contributions and assistance in bringing this publication together.