This article looks ahead to what IT law developments we might expect to see in 2012. (Free access.)
This article outlines some of the main expected developments in 2012 in the field of IT law. It describes two sets of themes. The first, more strategic, set is around cloud computing and the internet. The second, more tactical, is about the specific policy developments around data, privacy, intellectual property, e-money, social media in the enterprise and sector-specific regulation of technology.Close speedread
Going into 2012, we are now far enough away from the economic crisis of September 2008 to know that the world has changed and that the next few years will continue to be different. The years 2008 to 2009 more or less coincide with the generational shifts that the internet is bringing about: the rise of the cloud and social media, and the growing maturity of the internet in meeting more and more of the consumer's requirements. There are two sets of themes for IT law going into 2012. The first, more strategic, set concerns the cloud and the internet; two journeys that will continue over the rest of this decade. The second, more tactical, is about the specific policy developments likely to be seen in 2012 around data, privacy, intellectual property, e-money, social media in the enterprise and sector-specific regulation of technology. At each level, the legal developments are likely to keep IT lawyers busy.
The cloud is that rarest of things; a genuine paradigm shift, from processing at the desktop to processing on the banks of the Columbia River. The public sector and large enterprise IT users recognise the scale of the shift. The UK government has set a goal in its October 2011 strategy review, subtitled "moving from the what to the how", that 50% of central government departments' new information communications technology (ICT) spending will be transitioned to public cloud computing services by December 2015 (see Cabinet Office: Government ICT Strategy).
The debate about the "how" (what do you need to do now to have the right policies, processes and business and contract structures in place to be ready for the cloud) has started and will pick up intensity in 2012. On 14 December 2011, for example, the EU Commission announced that it had been asked by industry leaders "to provide a coherent legal framework for cloud computing services" as part of a broader set of industry recommendations (see EU Commission: Industry calls for true Digital Single Market in recommendations on European Cloud Strategy). For the public and enterprise private sector the focus is on the following key issues.
On the demand side, e-mail, messaging, office productivity and internal social networking solutions are already going into the cloud. Next up are things like CRM and trouble-ticket management. Issues arise around smooth transitioning and avoiding "cream skimming", with suppliers taking the easy profitable work and leaving the rest.
Just because your "crown jewels" need to be inside the building does not mean you cannot move other data to the cloud. Putting more complex work out to the cloud will need a common approach to understanding the relative sensitivity of data around international standards and taxonomies and separating data content from the criteria applied to it.
On the supply side, as the world evolves towards 100,000 server data centres (DCs) close to hydro-electric power sources, the cost savings become significant; perhaps the key driver on the whole journey. Very large DCs enable:
Automation of maintenance tasks.
Lower server and power costs.
Improved server utilisation through demand smoothing.
Each element contributes to cost reductions that become remarkable as you approach 100,000 server DCs. In addition, for governments, greater control over their information estates that cloud aggregation provides will generate public licensing income, for example, in the area of medical data collections for predictive outcome modelling.
Trust is perceived as the main inhibitor to cloud take-up. The two main areas that emerge as critical policy review areas are:
Data protection. Here there is a recognition in principle that large service providers in the world of giant DCs will need to move data around, but there is also a regulatory environment characterised at the global level by disjuncture, flux and lack of harmonisation.
Concerns about non-transparent, potentially capricious law enforcement access to data.
In contractual terms, buying cloud services is a lot about buying dial tone, and the move here is away from licensing and integration agreements and towards:
Grown-up services contracts, with the accent on performance, reliability and SLAs.
Efficiencies, MFN and cost reduction.
The usual services deal lifecycle issues like change control, governance, audit.
All these areas are stressing government and enterprise users and suppliers alike as they adapt to the new paradigm, not least in the area of organisational change in the provision of internal and external IT services. The debate and policy discussions on all fronts will intensify as we move into 2012.
In 2000, the internet accounted for £1 billion of UK sales. In 2011, the e-retailing industry association IMRG estimates that UK online sales will reach £68 billion, approaching £1 for every £5 spent on the high street. Deloitte predicts that in December 2011, some 50% (£9 billion) of non-food retail sales will be ordered or reserved online. Writing in July 2010 on the tenth anniversary of the IMRG-Capgemini e-Retail Sales Index, James Roper, CEO of UK, predicted that "by 2020 the internet will account for half of all retail sales and influence the other half". So, as in the cloud, we go into 2012 part way along the journey with the course ahead increasingly clearly mapped out.
In retail, digital media and consumer services, the internet is a digital river in full spate. But the rate and scale of changes in 2012 and for the rest of next decade will dwarf those over the last. What this all means for lawyers and professionals advising in the fast-growing internet space and what they need to be looking out for in 2012 and beyond are explored below.
In the area of analytics and consumer targeting McKinsey noted in its July 2011 report, The Impact of Internet Technologies: Search, that search technology was at an "early stage of its evolution". The report estimated that the amount of digital information will grow by a factor of 44 between 2009 and 2020. In the enterprise, it is now generally accepted that social media will lead to whole industries "being rethought in a social way", as Mark Zuckerberg, CEO of Facebook, said recently.
The policy themes here, which will of course lead to new law, are all about regulatory intervention to protect the individual (data protection, privacy, jurisdiction, consumer protection) and the battle to protect intellectual property (IP) and other rights as digital media and content continue to generate new types of content, demand and distribution and to displace traditional media.
The data-centric world is a place where it is not the pipes but what flows through them that is the critical and key differentiator. Businesses and consumers alike are focusing on their, and others', data as never before. In legal terms, this means looking at information, and the rights and obligations that arise in relation to it, in a new holistic, rather than the traditional piecemeal, way. The stack of rights in the figure below is a convenient way to see this; you need to look at data protection, data IP and competition law as a whole to see the links and join up the dots.
This will be best observed in 2012 in relation to IP and competition law in the financial services area where the EU Commission, fresh from its settlement in November 2011 with Standard & Poors over its licensing policy for CUSIPs (securities identifiers), is continuing its investigations into:
RICs, Thomson Reuters' securities identifiers.
Markit's role as the leading provider of CDS (credit default swaps) information.
ICE ClearEurope's role as a CDS clearing house.
These will all progress in 2012, showing that the Directorate-General for Competition is getting its teeth into information markets and the underlying intellectual property rights and regulatory structures involved.
Although part of the data-centric world, it is worth viewing data protection separately as perhaps the most important tactical theme for 2012. Sensitised by the continuing presence in the public mind of the Leveson inquiry into the hacking scandal, privacy and data protection are at the epicentre of policy debates around the cloud (moving data around internationally), social media (use of personal data without consent) and internet (behavioural advertising and consumer targeting). Since April 2010, UK data protection law has teeth, with the Information Commissioner's Office's (ICO) power to fine up to £500,000, and we may expect to see regulatory action from the ICO intensify and fines increase in 2012. The picture for 2012 becomes more confused when the amnesty for cookies (data sent from a website to a user's browser for identification and return to the website of origin) expires on 26 May 2012. After this time, the consent level for cookies (whether opt-in, pop-ups, personalisation setting or specific or informed consent each time) will attract attention, perhaps even through high-profile enforcement action by the ICO.
In December 2011, the draft General Data Protection Regulation was made available unofficially and this, along with a new Police and Criminal Justice Data Protection Directive, is intended to replace the current regime. Official publication of the new draft legislation is set for the end of January 2012 but it is unlikely to come into force much before 2014. Key areas of change look likely to be:
The type of legislative instrument. As a Regulation, it will have direct effect (and unlike a Directive will not need specific transformation into national law).
A new fines regime, with a ceiling of 5% of annual worldwide turnover for intentional or negligent breaches (akin to competition law, where fines can be up to 10%).
Substantively, data portability and new data subject rights to have personal data erased.
Administratively, registers of compliance for both data controllers and processors and rules about data protection officers.
Procedurally, new rules on mandatory notification of data and security breaches.
Internationally, developments on binding corporate rules.
Intense and sustained lobbying in Brussels will be the order of the day in 2012.
There is also a lot on the cards in the IP world for 2012. In the area of copyright, we are likely to see Hollywood and other rights-owners making more claims against internet service providers and other intermediaries to block access to infringing content that they host or transmit. This follows the July 2011 Newzbin2 case where Arnold J ordered BT to block access to the Newzbin2 website as BT "knows that the users of Newzbin2 include BT subscribers, and it knows those users use its service to receive infringing copies of copyright works made available to them by Newzbin2" (see Legal update, High Court orders BT to block access to Newzbin website (www.practicallaw.com/8-507-0705)).
In Luxembourg, the European Court of Justice will continue with its painstaking task of splicing together Anglo-Saxon and civil law approaches to copyright. We may see judgments in a number of important cases referred to them, in particular concerning the interpretation of copyright protection of databases and the place where the "making available" restricted act takes place (see Legal update, Court of Appeal sends reference to ECJ on database rights and location of infringement (www.practicallaw.com/9-505-4696)), and the extent of the permitted acts or defences to copyright infringement that the Information Society Directive (2001/29/EC) attempted to harmonise.
The smartphone patent wars are also hotting up as we go into 2012. The Financial Times reported on 19 December 2011 that BT was suing Google for patent infringement in areas including location-based services, navigation, mobile services and content access and the Android platform. The case joins the ranks of a series of broad, interlocking patent infringement actions involving two dozen or so of the largest players in mobile (including Amazon, Apple, Microsoft, Motorola, Nokia, Qualcomm and Sony, as well as BT and Google) as they jostle for the best seats at the table. These cases will likely play out over the rest of the decade and will occasionally hit the headlines in 2012.
The release on 19 September 2011 of the Google Wallet app heralds the coming of age of e-money in the mobile space: mobile money, or m-money, will really take off in 2012 as banks, mobile operators and technology vendors invest in this fast growing area of e-commerce. The use of Near Field Technology (NFC) enables a number of different secure payment mechanisms, whether storing e-money in the mobile "wallet" to spend or using the wallet as a virtual credit, loyalty or gift card. The financial regulatory regime behind the development of e-money, based on the Electronic Money Regulations 2011 (EMR 2011) and the Payment Services Regulations 2009 (PSR 2009), will see IT lawyers grapple with yet more regulation in 2012.
In the enterprise, price reductions in laptops, the ubiquity of smartphones and the growing reach of social media will continue to blur the boundaries between home and work and lead to more work for employment lawyers in 2012 as they get to grips with policies on working from home and use of social media. In due course we can expect to see more cases before the courts about when and where employers' duties to their staff and the employee's duty to the organisation stop and start. As in other areas, data protection law will continue to rise up the agenda in the workplace. One of the provisions of the new draft General Data Protection Directive proposes that consent cannot be automatically implied for processing of employee data, raising the question of the extent of employee consent that will be needed.
Finally, as technology continues to get to the heart of business, in many cases becoming the business, so the edge along which technology and sector-specific regulation impact each other becomes extended. This has been the case in the financial services sector for a while now, with IT systems and outsourcing coming under the regulator's watch. However, the list here gets ever longer: the MiFID II package (the draft Markets in Financial Instruments Directive and Regulation published on 20 October 2011) envisages a much more prescriptive regime about transparency information (pre and post-trade data) and the systems that underpin it than was the case with the original MiFID. The interface between EMR 2011 and PSR 2009 on the one hand and technology platforms and systems on the other will be central to the roll out of m-money in 2012. And even in the legal services sector, it is likely that the SRA will become more interested in and concerned about the security of client data as law firms start seriously to spool out IT work and data to the cloud.
As ever, the technology developments now under way will bring interesting and unexpected challenges, opportunities and new perspectives for technology lawyers in 2012.