Bird & Bird’s recent Annual IT Law Update gave attendees an overview of developments in this field, with a focus on the consequences of the Edward Snowden disclosures and other high profile online security incidents.
"There is an increasing sense of realism associated with the implementation of new technologies", Roger Bickerstaff told delegates in his introduction. "Organisations are now coming to terms with the risk implications, particularly around state surveillance and other personal privacy concerns". This was a theme running through many of the presentations at the Update.
“It used to be a mantra of English law that there was no such thing as an obligation of good faith,” said Andrew White, in his update on contract law. “This is changing – it’s a paradigm shift,” with ‘good faith’ principles – such as an implied term that parties act honestly – starting to take hold in commercial contracting. The judgement in the 2013 ITC v. Yam Seng case is steadily becoming more influential.
Lessons from the Fujitsu v IBM case are also important, Andrew told the conference, where there had been an allegation that IBM were in breach of a written ‘good faith’ clause. However, this was expressed in the context of a professional standard to be achieved by staff. IBM was found not to be in breach of this requirement. Another area of development has been the precedence clause, with a "flurry of court cases" indicating that the courts will attempt to find cons consistency between the multiple documents wherever possible.
The impact of the Edward Snowden revelations on the implementation of cloud services has been profound, said Barry Jennings. The reality was that “for a long time, it has been generally understood that if the US government wanted to get hold of your data, they could. It was the scale of the surveillance and the perceived participation of IT suppliers in these activities that was the big surprise. Many US providers are now finding it increasingly difficult to win business in Europe as a result. “There’s an element of politics and marketing at play here – it’s not just a legal issue. People are seizing the opportunities presented by this crisis.”
Even so, while the driver behind cloud implementations had previously been cost savings, security is now a major factor. “A lot of clients – especially the smaller ones – are using cloud computing because it tends to be more secure than anything they could implement themselves.” Flexibility was also a key driver, he stressed, alongside innovation. “Europe desperately needs growth, and there’s a depleting number of industries where EU companies are the leaders. The opportunities for growth are heavily tilted towards the knowledge and information economies, and that means cloud will be a large part of any EU growth strategy.”
In terms of internet and e-commerce legislation, Graham Smith predicted that the coming year would see the application of the R-18 classification to online videos, a separate category under the Consumer Rights Act applying specifically to digital goods and an ongoing EU copyright review. 2016 would see a new EU Regulation replace the current Directive on electronic signatures.
Recent years have also seen open source software – software made available on open-license terms – become mainstream, said Martin von Haller Grønbæk, a Danish-based Bird & Bird partner and open source licensing expert. "Open source now has total dominance of the software stack. It’s everywhere, and used by everybody. Almost all cloud solutions are based on open source software.” At its heart open source is a licensing model - "if you use it you should comply with the license”. The licensing aspect that had been discussed “out of all proportion”, however, is copyleft, where modifications must be made available under compatible license terms.
He argues that “open source is mainstream, and that means that in a mixed environment it exists alongside proprietary software”. “In a lot of situations you’ll have closed source software running alongside open source software. If you have your own proprietary code and own open source code it’s not really a problem,” but under the GPL-open source terms “if you distribute a whole work then all parts of that work need to come under the same licence". There’s very little case law on the enforcement of copyleft software. The key in a mixed environment is that you should comply with the license, do the due diligence and come up with a good open source policy. "There are a lot of opportunities, particularly around collaborations and joint solutions, and you should reach out for them.”
Treena Dunlea-Peatross, described the crucial differences between UK and US IT contracts, as lawyers navigated an increasingly complex global economy. “US law is better understood as 50 different states operating under a common system – there are common principles, but only federal laws apply uniformly. The bottom line is that a US lawyer will tend to try to cover every possible eventuality when drafting IT contracts, which is why they can come across as very, very wordy.
“In the US they get a lot of bad press after Snowden, but is it all deserved?” she continued. “To say that the US doesn’t have any data protection laws that meet the standards of the EU is a little unfair. Rather than having a general, uniform regulation at the federal level what they tend to do is regulate on the nature of the data and the potential harm – medical data, for example.”
The role of individual states when regulating was also significant, she stressed, such as California – home of Apple – driving the requirement for privacy policies in all mobile apps. “So don’t underestimate the power of individual states, and the power of commerce when regulating this. The bottom line on data privacy in the US is that there are laws there, but they’re a patchwork of federal and state laws – different to what we’re used to in the EU, and the concept of personal data is different.”
According to McAfee, the likely annual cost to the global economy from cyber-security breaches was around $400bn, said Simon Shooter. “Clearly they have some interest in scaring you into their arms, but this is undoubtedly a huge issue with an enormous financial impact.” It was estimated that around 800m individual records were accessed worldwide in 2013, he continued, with Britain attracting 17% of all European cyber-attacks. “If you’re one of those institutions where it would be considered a national impact if a cyber attack occurs then get your house in order quickly, because you’ll be regulated.”
All in all, the presentations at the Update reflected the increased recognition of risk in this environment. Even so, the attendees enjoyed the hospitality of the British Library Conference Centre, with discussions continuing well into the evening after the end of the formal proceedings.