The technology sector is facing legal and regulatory challenges on a number of fronts.
Many are being driven by software, mobile and cloud computing technologies transforming and becoming critical in almost every industry. This creates friction with existing laws and regulations and highlights the fact that many of these have not kept pace with the technology and industries that they are regulating and need to be updated.
It’s all about the data
One of the key areas of regulation in the IT industry is privacy and data security. For larger technology companies, securing and protecting data are key competitive differentiators and privacy and data security are now standing items on the corporate risk agenda.
Privacy and data security breaches are headline makers. Last year alone, Evernote, Facebook, Microsoft and Sony were all forced to announce security breaches, with Adobe experiencing the largest ever data breach (152 million records) and Target and Pinterest each taking positions in the top ten largest data breaches (by volume of data lost) in history.
>See also: Law and order: How big data is professionalising the legal sector
On top of this, compliance issues need to be considered on a country-by-country basis with many of the laws and regulations increasingly out of date.
In Europe, the key European regulation governing privacy and data security (the 1995 EU Data Protection Directive), on which the UK Data Protection Act 1998 is based, is now nearly 20 years old.
The regulation is in fact older than many of the technology businesses it regulates. Against this background, EU lawmakers are at work on a new directly applicable EU privacy regulation.
However, this directive has become the most lobbied piece of legislation ever on this side of the Atlantic, and the terms of the regulation are still not clear – making it difficult for technology businesses operating in the UK and Europe to assess the full impact or when the regulation will come into force.
When the regulation comes into force, technology businesses will face new and more onerous obligations, coupled with the risk of fines from anywhere between two and five percent of their global revenues.
Technology business are investing and will need to continue to invest significant resources to ensure compliance.
Alongside this, in light of the revelations involving Edward Snowden, the ability of governments to access data has become an increasingly important issue for technology businesses, particularly those headquartered in the USA.
The most recent example of this is Microsoft’s challenge of a warrant issued by a judge in a New York court, following an application from the US government under the United States Stored Communication Act, authorising the disclosure of data related to a web-based email account hosted by Microsoft in Dublin.
The basis for this challenge is that the courts of one country cannot exercise their power unilaterally outside of their territorial jurisdiction – and where they wish to do so, they must follow established international agreements involving the jurisdiction in question, known as Mutual Legal Assistance Treaties.
If internationally operating US businesses complied with these types of orders, they would breach foreign data-protection laws, and refusing to comply would breach domestic US law, placing these businesses in an impossible position.
To date, Microsoft’s challenge has not been successful. It may well be that if the warrant is ultimately upheld, there could be serious ramifications for technology companies with global cloud models and the emergence of country or region specific clouds.
The edge of regulation
Increasingly fast-growth disruptive businesses are operating in saturated and highly regulated markets.
They look to achieve a competitive advantage by challenging existing business models and taking advantage of gaps in legal and regulatory cover in the relevant market.
One current high profile example of this is Uber. Courts in Berlin and Hamburg have recently upheld bans on this company on the basis that the company did not comply with German laws on the carriage of passengers.
Whether such a ban will remain in place remains to be seen. The benefits to the consumer (and the efficiency) of Uber’s business model are clear to see. However, as ever, this has to be balanced against the underlying consumer benefit of regulations in ensuring the safety and security of passengers.
>See also: How to comply with the new EU Data Protection Regulation
What is clear is that existing regulations were not designed to address the challenges created by this business model, and new regulations are and will continue to be required to deal with these types of business.
Critical technology services
Both regulators and the government are taking an increasing interest in how businesses are engaging and contracting with providers of technology services that are critical to ongoing business operations.
This regulatory interest is particularly evident in the financial services space, where the FCA is increasingly interested in the extent to which regulated businesses comply with the outsourcing requirement in the FCA Handbook at SYSC 8.
The aim of these obligations is that businesses appropriately manage the operational risk associated with their use of third parties and that such arrangements do not impair the FCA’s ability to regulate.
The FCA has recently published a list of the questions that such businesses should have asked themselves and addressed in ensuring compliance.
At a government level, examples of this include The Enterprise and Regulatory Reform Act 2013, which gives the government the power to ensure that if a business in any sector suffers certain types of insolvency event, it will have security of supply of certain critical IT services.
These and other development will over time impact how technology businesses engage with their customers and the underlying contractual terms.
On another front, the European Commission is investigating and challenging the tax treatment of international business, particularly in the European Union.
In particular, they are investigating whether the tax rulings practices of a number of states (where tax authorities give businesses advance notice of how specific tax provisions will be applied and corporation tax will be calculated), and whether they constitute state aid.
In fact, President-Elect Juncker has recently instructed the Commissioner-Designate for Competition to “mobili[ze] competition policy tools and market expertise so that they contribute [to…] the fight against tax evasion”.
Alongside this, the OECD’s Center for Tax Policy and Administration is looking closely at Base Erosion and Profit Shifting given the widely held view that existing tax legislation is no longer able to deal with current business models and structures.
>See also: How IT is changing the legal sector
On September 16, it released its first recommendations for a co-ordinate international approach to combat tax avoidance for multinational enterprises.
The outcome of these investigations and recommendations remains to be seen, but larger technology businesses are tracking them carefully as they are likely to have a significant impact, over the medium and longer term, on how international technology businesses structure themselves and hold and exploit their IP and other intangible assets.
What is clear is that lawmakers and regulators will need to invest time and resources to ensure that laws and regulations are fit for purpose for the ever-increasing level of innovation in the technology and digital space.
Sourced from Charles Claisse, Kemp Little