03 cio summit 2017 24

Embracing emerging technology helps CIOs ensure their organisation disrupt before they're disrupted, but choosing what to adopt and when to implement it are decisions fraught with risk. Legal issues around deployment are a constant concern, particularly as the implications for transformative technologies can often be unclear.

Legal systems in general deal badly with technology, as technology lawyer Alistair Maughan explained at the 2017 CIO Summit at the May Fair Hotel in London. This shouldn't prevent CIOs from embracing digital disruption, but it does mean they should be aware of potential issues.

The last 20 years have witnessed the emergence of e-commerce, mobile phones, social media, cloud computing, sharing economy platforms, the Internet of Things (IoT), big data, robotics and AI. All have fundamentally transformed the markets they serve, but only e-commerce has had a legal regime applied to it until now

Digital disruption accelerated exponentially in the late Noughties and beginning of the current decade as online platforms from Airbnb to Instagram became household names. The backlash against Uber is a striking example of the legal and regulatory ambiguities inherent in emerging technologies.

Alistair Maughan at the 2017 CIO Summit

"Uber operates not really within the existing legal and regulatory regimes that apply to that particular sector," says Maughan, a partner in the London office of international law firm Morrison & Foerster whose work is focused on outsourcing and technology-based projects for major companies and public sector organisations.

"The lawyers and the regulators don't really know what to make of it. Clearly, there's market pressure from incumbents who are driving the decisions around the way Uber is treated."

The slow arm of the law

Lawyers and regulators have never been renowned for moving at speed, and still struggle to keep up with the evolution of technology. Maughan points to the Gutenberg printing press as a historical example of their sluggishness. The device was invented in 1440, but the first copyright act wasn't printed until 1710.

Contemporary laws tend to thankfully be far faster to develop, but still slow enough to cause a dilemma. Some of the most relevant of them to the technology of today were established centuries ago.

For example, principles that form the basis of e-commerce transaction terms and conditions developed from a line of cases in the late nineteenth century around the operators of Victorian cloakrooms, who had to tell customers in advance in order to disclaim liability.

The underpinning of today's English contract law has lasted for a similar length of time. It emerged from a landmark 1854 case involving Victorian water mills. The Hadley v Baxendale case resulted in the ruling that liability for breach of contract should be limited to foreseeable damage.

"If I am putting in place a contractual ecosystem to support an Internet of Things roll out for a client, then all the contractual terms up and down the ecosystem will be based upon exclusion of liability on Hadley and Baxendale principles," says Maughan. "Same principles are applied in the US, the main common law jurisdiction and in Australia an even the civil law countries in Europe."

His final example of a ruling made long ago that remains applicable today involves a snail in a bottle of ginger beer. In 1928, in the town of Paisley in Scotland, a Mrs Donoghue drank an ice cream involved mixed with ginger that contained a decomposed snail. She was admitted to hospital for emergency treatment as a result and received an out-of-court settlement as a result.

The case set out the principles for the contemporary concept of negligence based on the duty of care owed by one person to another. They still apply today to any new technology that's rolled out.

Modern legislation developed specifically for new technology remains a rarity. Rules are more likely to be laid out by regulators of specific sectors, particularly those responsible for financial services. CIOs should pay close attention to any regulations relevant to their businesses.

"I've long ago given up on expecting a new legal regime to suddenly be created that will help us analyse the legal implications of the Internet Things or robotics or AI. I just don't think that's going to happen. The question is, can we come to some sort of consensus as a group of lawyers that will help you as a group of technology implementers determine, well what do we need to do to implement what we want to do safely, in a legally compliant way?"

Global barriers

"There is continual market pressure in the technology sphere to continue to innovate and to do so faster and faster," says Maughan. "Whereas the market pressure, if there is any, within the legal sphere, is actually not to innovate.

"The courts operate, as you know, within a very succinct precedent. You can't diverge material from what a previous court decision has done. The courts are there to interpret existing laws, not to make new laws. Making new laws is there for different parliaments around the world to do."

Global platforms want to operate on a standard model around the world, but most laws and statues are determined and applied nationally. This makes international compliance complex.

"It's not great from a perspective of someone trying to adopt a global technology platform because the question is, well what do we have to comply with?" asks Maughn. "Which countries' laws should we be looking at?"

Politicians in the UK and EU are responsible for making new laws, but their lawmaking system isn't designed to react as quickly as the developers of emerging technology platforms.

Brexit could provide an opportunity to make the UK more legally tech-friendly, but any appeals would need to be balanced against the risks of lowering safety and quality standards, and any decision about this remains years from being made.

The implementation of the Digital Single Market legislation across the EU will present further challenges. It's designed to bring cohesion to a fragmented legislative landscape and break down regulatory barriers, but sceptics suggest that it will promote European technology companies over their international competitors.

The EU has recently tried to put forward standardisation frameworks around cloud services. These tend to take the forms of guidelines, but as they're difficult to officially implement, private companies are often content to ignore them.

Regulation over legislation

Market pressure provides more of a push to obey principles around matters such as privacy than governmental bodies do.

The lack of any legal regime that applies to cloud hasn't slowed down its adoption, and the risks can be mitigated by more general legislation and regulation, such as antitrust laws and the forthcoming General Data Protection Regulation (GDPR).

"The danger is that if there's no imposition of a legal regime, then the regime that applies will be that dictated by the dominant players within any given industry," Maughan suggests.

"Your cloud industry for example is more likely to be dictated by what's good for them than by what necessarily is good for their customers, by the buyers of technology. So at the moment, it's the providers of technology platforms that are shouting louder than those that are buying technology platforms."

Maughan regards IoT as "no more than a contractual hierarchy", extending from those who set up the network of sensors to the collectors, processors and providers of the output from the data. Anyone in that chain could have liabilities involving intellectual property and data privacy. Their responsibilities need to be clear and the appropriate protections in place.

The same sort of liability issues will apply numerous emerging technologies, from AI to blockchain. The owner of the IP of a robotic system or the individual responsible when a driverless car goes wrong isn't easy to establish, and the pathways to such decisions and liabilities are difficult to audit.

Removing legal risks

The law copes fairly well gradually with evolving technology, which is why it has developed an effective set of rules for e-commerce businesses. However, it is less effective in dealing with transformative changes.

"Pinning our hopes on new targeted legal regimes to deal with new technology revolutions is probably unrealistic," says Maughan. "I just don't think it's going to happen. The best that we can do it look to existing principles and try and apply them as best we can within the scale of what's happening. The law needs to be flexible. I don't think it can be prescriptive about the dos and don'ts."

Regulatory bodies provide more flexible guidance and are more likely to globally converge than national legislatures. Maughan believes that the best option for CIOs is to concentrate on following these core principles and making the necessary adjustments as they change.

"Proceed with caution," he advises. "Have some backup plans but be aware of these key areas of regulation you might be affected by. I think the law needs to try to keep up to date with technology, it's just the pressures on lawmakers and regulators to do so is getting ever more difficult."