What’s Keeping Us Busy in 2018?
We sat down with a group of our associates from across the Linklaters network to find out what’s keeping them busy and what topics have piqued their interest so far this year.
It was a bit of a free-for-all, but we hope you find their observations as interesting as we have!
Almost D-Day for GDPR!
Work on GDPR has now reached fever-pitch, as expected. But there are some truths that our clients sometimes find surprising…
- Although data enforcement activity has been ramping up slowly over the last year, under-resourced privacy regulators will struggle to step things up again come May. Their focus will (rightly) be on making sure businesses understand what they need to do. The Bavarian regulator has even tried to make it fun. Check our blog for details of GDPR guidance released by other regulators.
- Although it’s March, we still haven’t seen final drafts of all the national legislation required to support GDPR. For example, the Polish legislation is unlikely to be adopted until the end of April 2018. The updated French data protection law was published at the end of December 2017 and is currently being reviewed by the French Parliament, with adoption contemplated for the end of April. This leaves businesses with very little time in which to recognise and address national derogations (e.g. the French draft law retains requirements for notifications to be made to the French regulator regarding health-related processing). For an overview of GDPR implementation and local privacy laws in 53 jurisdictions, follow this link.
- One of the most common questions we get asked is how well a client organisation benchmarks against its peers. It’s an open secret that many large global businesses will not be perfectly ready for GDPR in time. Some are only now finalising plans for compliance: prioritising high-risk areas to triage prior to May will be key.
Watching and waiting: the ePrivacy Regulation
Although businesses have found GDPR challenging, the final ePrivacy Regulation is likely to be even more so. At a time when regulatory scrutiny of cookies compliance is already on the rise (see, for example, the CNIL’s approach), the ePrivacy Regulation will make it necessary for those using any cookies that aren’t strictly necessary for the functioning of websites to obtain user consent. Post GDPR, this means an opt-in consent, where users will actively have to click to confirm their consent before any unnecessary cookies are served. This will lead to significant technical change across websites, as well as challenging businesses to come up with accurate and transparent, yet short, consent language and mechanisms. Much easier said than done.
Similarly, targeted online direct marketing (e.g. website banner adverts) seems set to be permitted only where an end-user provides a GDPR-compliant consent or the “similar products and services exemption” applies.
With the rise in consents required under the ePrivacy Regulation, the question is how businesses can obtain these in a way that doesn't diminish both user experience and users' desire to receive cookies and targeted marketing.
Fintech and the future
Investment in fintech by both start-ups and more traditional players continues to increase, as opportunities to exploit it are identified. Most people associate fintech with blockchain (a technology that allows peer-to-peer transactions that are tracked via a decentralised ledger, so that there is no need for an intermediary). The assets transferred by these transactions need not just be money – they might also be properties and vehicles, for example. In addition, the concept of a general ledger can be used to create reliable records of more than just commercial transactions (e.g. health records, identity records, etc.). The potential for blockchain technology to be expanded beyond finance is significant.
Some financial regulators have also begun to update and consolidate their legislation to address the financial technologies of the future. For example, in November 2017 the Monetary Authority of Singapore published a guide to digital token offerings to address the application of securities laws to digital tokens marketed, offered or issued in Singapore. It is also consulting on legislation to implement a single streamlined regulatory framework for payments, and this is expected to be introduced in 2018.
This year, we expect to see fintech continue to be used in more diverse ways and enhanced by the use of AI, robotics and advanced authentication technologies. Regulators will struggle to keep up with the evolution of fintech, but will nevertheless continue efforts to ensure that innovation is supported and properly regulated. In December 2017, the French Government published an ordinance (n° 2017-1674) to enable blockchain to serve as a valid record of the issuance or assignment of securities. The Monetary Authority of Singapore announced on 15 November 2017 details of the new SGD27 million Artificial Intelligence and Data Analytics Grant under the Financial Sector Technology and Innovation Scheme. This new grant aims to promote the adoption and integration of AI and data analytics in financial institutions by co-funding up to 50% of project costs for Singapore-based financial institutions which leverage AI and data analytics techniques to generate insights, formulate strategy, and assist in their decision making, and co-funding research institutions’ AI or data analytics projects which have clear applications for Singapore’s financial sector.
The French Minister of Economy has entrusted the former governor of the Banque de France with a mission on cryptocurrencies. The related report will contain recommendations regarding the evolution of the French legal framework in order to better control the development of cryptocurrencies and avoid their use for illegal purposes.
Connected cars continue to be a hot topic that requires multi-disciplinary legal input. Features like car-to-car communication, the ability to unlock additional functionality on demand and in-car shopping give rise to ever more questions, for example:
- How quickly can we put in place a European standard for car-to-car communications and set up a royalty-free Europe-wide frequency band for such communications?
- To what extent will competition laws require large investors to open up car-to-car communication consortiums to all new entrants? Will there be restrictions on the minimum requirements for message validation?
- How will information linked to specifically identified vehicles or passengers be treated? With the advent of big data, will it ever be possible to truly anonymise data being shared by connected cars?
- Will there be a duty to share information that can prevent harm, and who will be liable if it’s wrong?
- Which laws apply when a connected car is purchased in one country, but an add-on is activated in another? When is the warranty period and the protection of consumer laws triggered?
The rise of the robots and AI
In France, the Prime Minister has set up a mission to define the nation’s strategy for artificial intelligence. The objective of this mission is to set out for the government an action plan to: (i) encourage the development of the AI industry in France; while (ii) ensuring that there are reasonable boundaries around the use of AI, in particular as regards ethics and personal data protection. The final report, which will be presented shortly, will pave the way for a French artificial intelligence policy.
The National Research Foundation of Singapore will be investing up to SGD 150 million into a new national programme aimed at boosting Singapore’s AI capabilities over the next five years. Called AI.SG, the initiative will see Singapore-based research institutes partner with AI start-ups and companies developing AI products to grow knowledge in the space, create tools and develop talent to power the country’s AI efforts.
On 18 December 2017, the Chinese Ministry of Industry and Information Technology released its action plan on driving growth and development of AI in China over the next three years. The action plan sets out key targets for research breakthroughs in AI, which are to be achieved by 2020. These developments are to be integrated across various industries, including autonomous intelligent vehicles, AI-supported medical diagnosis and facial and speech recognition.
Getting to grips with the tangled landscape of regulation affecting digital devices is endlessly interesting. For example, the full impact of the EU medical devices and in vitro diagnostic medical devices regulations, which will begin to apply on 26 May 2020 and 2022 respectively, is still being worked through. These regulations will replace the current directive-based regime and, among other things, reinforce controls on certain high-risk devices, and impose more transparency and stricter post-market surveillance.
Privacy laws can often be viewed as a threat to progress in the digital health space, so in Europe it’s been helpful to see the Article 29 Working Party welcome an open and constructive dialogue with the healthcare industry. However, their reaction to the draft Code of Conduct on Privacy for mobile health applications published by the European Commission showed that there is still much work to be done to bridge the gap between the views of industry and the views of privacy regulators.
Although the GDPR confirms and strengthens the protection of health data as one of the special categories being granted more protection – and has extended this protection to biometric and genetic data – it does at least allow for some derogations for the processing of personal data for scientific research purposes, subject to the implementation of appropriate safeguards. The fact that the draft ePrivacy Regulation covers the transmission of communications between machines means that it is likely to impact on connected medical devices.
Cybersecurity and data breach management in Asia
We have also seen the introduction of industry-agnostic cybersecurity regulation and more regulatory emphasis on data breach notification obligations recently across several countries in Asia. This comes at a time when large scale, system-debilitating cyber-attacks are becoming frequent and sophisticated. While organisations in Asia have responded to these incidents by improving their cybersecurity measures to protect their IT systems, these regulations will add another layer of regulatory compliance for these organisations.
The Chinese Cyber Security Law came into effect in June 2017. Key features of the Law include obligations to notify data breaches, restrictions on the cross-border transfer of personal information and important data, and the expansion of the scope of personal data by judicial interpretation to include behavioural patterns. There have also been some early concerns about the enforcement of the Law by the regulator, and this is something we will continue to monitor going into 2018.
The Singapore Cybersecurity Agency (CSA) also released a draft Cybersecurity Bill on 10 July 2017. The Cybersecurity Bill is an omnibus, sector-agnostic, cybersecurity law which applies equally to public and private sectors. The intention is to ensure that all sectors in Singapore subscribe to and implement a coordinated, consistent cybersecurity framework, and that the CSA may address cybersecurity threats across all sectors, and not just the more critical and highly regulated ones. The Bill also facilitates a pro-active approach to cybersecurity, requiring measures to be taken to enhance the cybersecurity of computer systems before cybersecurity threats and incidents happen. Following a round of public consultation on the Bill, the Bill will be discussed in Parliament in early 2018 and is expected to come into force within the year.
Several countries have also recently introduced, or are considering introducing, mandatory data breach notification requirements. For example, the Federal Government of Australia introduced a mandatory data breach notification scheme. From February 2018, agencies and other entities will need to notify the Australian Information Commissioner and affected individuals if certain data breaches occur. In July 2017, the Singapore privacy regulator also proposed amendments (as part of a public consultation exercise) to the privacy regulation that would make data breach notifications mandatory in most cases.