Digitalisation of Companies: What an in-house counsel needs to know

Size: px

Start display at page:

Download "Digitalisation of Companies: What an in-house counsel needs to know"

Darlene Boone
5 years ago
Views:

1 Digitalisation of Companies: What an in-house counsel needs to know Christopher Götz, Simmons & Simmons Roderick Kirwan, VEON 18 May 2017

2 Digitalisation of Companies Automatisation of production processes along the entire value creation chain, e.g. - Industry 4.0 : Production & marketing process - FinTech : Robo advisor, SmartContracts, Blockchain - InsurTech : mere online insurance broker Taking advantage of opportunities offered by the internet, e.g. - Use of storage space in the cloud - Use of SaaS tools (e.g. MS Office 365, Salesforce, Workday) - Coffee machine connected to internet (IoT) 2 / L_LIVE_EMEA2: v1

3 Legal challenges IT contract law Data protection law Rights in respect of company data IT security 3 / L_LIVE_EMEA2: v1

4 Legal challenges 1. IT contract law Data processing requires modern and efficient IT systems and infrastructure Establish own infrastructure Use of third-party systems Commissioning external service provider with Establishment of IT infrastructure Software development Maintenance of IT systems Regular upgrades IT-Outsourcing: Cloud computing & hosting by external service provider Internet connection is sufficient Scalability 4 / L_LIVE_EMEA2: v1

5 Status quo: Company owned IT infrastructure Lack of investments in modernising IT infrastructure in the past Companies currently use extremely outdated IT systems ( legacy systems ): historically grown IT systems with the following hallmarks: - insufficient documentation - outdated operating environment - security gaps / vulnerabilities increasing problems in case of company mergers As regards software: Open Source Software non-compliance with license requirements* dangerous security gaps / vulnerabilities (in particular with FinTechs*) * Open source security and risk analysis 2017 of Black Duck Software 5 / L_LIVE_EMEA2: v1

6 Example: German finance and insurance industry Newspaper article, 5 April 2017 Devastating findings : Director of German Federal Financial Supervisory Authority ( BaFin ) criticizes IT security gaps of German banks and insurers 6 / L_LIVE_EMEA2: v1

7 IT contract law Establishment of modern and efficient IT systems and IT infrastructure is essential! Conclusion of adequate agreements with service providers is crucial! Cloud computing & hosting: Contract for work? Service contract? Lease contract! 7 / L_LIVE_EMEA2: v1

8 IT contract law Cloud computing & Hosting (amongst others): Availability Back ups (Who carries out back ups? How often?) Data protection related particularities: Commissioned data processing agreement Cross-border data transfer IT security Exit management: What happens to data after termination of the agreement? 8 / L_LIVE_EMEA2: v1

9 IT contract law Cloud computing & hosting: Availability of systems Examples for availability ( Service levels ) Availability 365 days / year 24h /day Availability 99,99% Availability 99,9 % Availability 99,18% Availability 91,78% = 100% Availability No downtime Permitted downtime: 52 minutes per year Permitted downtime: 8h 46 minutes per year Permitted downtime: 3 days per year Permitted downtime: 30 days per year 9 / L_LIVE_EMEA2: v1

10 Contractual particularities of IT outsourcing Security trader companies / Finance sector / Stock exchange Question: material / non-material outsourcing? Risk analysis! Material outsourcing Outsourcing agreement - audit rights, data protection, exit management, IT security - audit rights of BaFin / German Central Bank / European Central Bank Insurances Outsourcing agreement important: sectors health, accident, life Sec. 203 para 1 no. 6 German Criminal Code! 10 / L_LIVE_EMEA2: v1

11 Example: German finance and insurance industry Newspaper articles of December 2016: Waves of audits by Supervisory Authorities reveals long list of deficiencies with German regional banks ( Landesbanken ) 11 / L_LIVE_EMEA2: v1

12 Legal challenges 2. Data protection law Applicable, if personal data is collected, processed or used - processing = transfer of data and access to data - customer, supplier and employee data (name, address, etc.) - unique device ID - dynamic IP address (Breyer./. BRD, European Court of Justice - C-582/14) Digitalisation without processing of personal data is impossible Important: processing of personal data is only permitted, if a statutory permission is applicable or if the data subject validly consented to it Exceptions from requirement of a statutory permission or consent? 12 / L_LIVE_EMEA2: v1

13 Data protection law No group company privilege Commissioned data processing: Data transfer / data processing is privileged, if 1. Commissioned data processing agreement is concluded, Sec. 11 German Federal Data Protection Act ( BDSG ) / Art. 28 EU General Data Protection Regulation ( GDPR ) 2. Data processor = acting on behalf of data controller ( puppet) - data processor entirely bound by data controller s instructions! - data processor not having any discretion! Issue: affiliate outsources its IT to parent company (HR) 13 / L_LIVE_EMEA2: v1

14 Data protection law Characteristics of cross-border transfer of personal data within EU / EEA outside EU / EEA requires statutory permission; or consent Exception: privileged commissioned data processing (Sec. 11 BDSG / Art. 28 EU GDPR) requires 1. statutory permission; or consent (even in case of commissioned data processing!) and 2. adequate level of data protection EU Standard Contractual Clauses 14 / L_LIVE_EMEA2: v1

15 Data protection law Applicability of GDPR as of 25 May 2018 as of 25 May 2018 the GDPR replaces the BDSG and any other national data protection laws of the EU Member States Basic principle: statutory permission or consent Marketplace principle (if EU citizens are envisaged)! Privacy by design further documentation obligations Reporting obligation for data breaches (72h) in case of violations, companies may be subject to fines of up to 4% of the company s annual turnover or EUR 20 Mio the higher amount is relevant 15 / L_LIVE_EMEA2: v1

16 Legal challenges 3. Rights in respect of company data Possibilities to protect company data? Ownership in data? currently: no data property in the sense of German civil law but: Protection of data through Contract law Unfair Competition law Criminal law Database law 16 / L_LIVE_EMEA2: v1

Rights in respect of company data Database law Database : collection of existing data or other independent works or materials, which are arranged in a systematic or methodical way; and are

17 Rights in respect of company data Database law Database : collection of existing data or other independent works or materials, which are arranged in a systematic or methodical way; and are individually accessible by electronic or other means Sec. 87a et seq. German Copyright Act ( UrhG ) includes data which is stored on a storage medium without order, if the data is connected to an index system 17 / L_LIVE_EMEA2: v1

18 Rights in respect of company data Database sui generis Database is protected, if a significant investment is made in the acquisition, review; or display of the database content Right owner: The person bearing the economic risk of creating the database (may also be a legal person!) 18 / L_LIVE_EMEA2: v1

19 Rights in respect of company data Scope of protection Protection against extraction or re-utilization of the whole content or a substantial part of it (evaluated qualitatively or quantitatively) or a non-substantial part in case of - repeated and systematic extraction; and - no regular use of the database - no unreasonable impairment of affected interest of the creator of the database Data extraction : temporary or permanent transfer of (at least) a part of the database content to another data carrier 19 / L_LIVE_EMEA2: v1

20 Legal challenges 4. IT Security Newspaper article in 2016: Assessment of Cyber Risk Management of Companies 77% of the companies do not assess the cyber risks relating to them, their suppliers or customers 68% of the companies are not aware of the financial consequences of a cyber attack 20 / L_LIVE_EMEA2: v1

21 IT Security Implementation of adequate technical and organizational measures Purpose: Ensuring Secrecy of company data Integrity of IT systems permanent availability of IT systems Contractual arrangements (commissioned data processing agreement) Statutory requirements for IT standards and risk management procedures, e.g. Sec. 9 BDSG (and its Annex), Sec. 11 BDSG Sec. 28, 32, 35, 44 et seq. GDPR Sec. 109 TKG (incl. catalogue) Sec. 11 para 1a EnWG (incl. catalogue) Sec. 13 TMG MaRisk German Cyber Security Act Non-compliance may lead to contractual penalties or sanctions by supervisory authorities 21 / L_LIVE_EMEA2: v1

22 German Cyber Security Act German Cyber Security Act in force since 25 July 2015 Content Addressees: Amendments to existing legislation: BSIG (= Law on the Federal Agency for Security in Information Technology) TKG (German Telecommunications Act) EnWG (German Energy Act) TMG (German Telemedia Act) Operators of critical infrastructures, Sec. 2 para 10 BSIG 22 / L_LIVE_EMEA2: v1

23 German Cyber Security Act Critical Infrastructures according to Sec. 2 para 10 BSIG Systems, plants or parts thereof operating in the following sectors: Energy, Information technology and telecommunication, Transport and traffic, Health, Water, Nutrition or Finance and insurance of particular importance for the functioning of the community Impairment / failure would lead to substantial shortage of supply or danger for public safety 23 / L_LIVE_EMEA2: v1

24 German Cyber Security Act Specification of critical infrastructures for the above sectors subsequently by regulations Regulation for sectors energy, water, nutrition, information technology and telecommunication ( BSI-Kritis-Regulation ) in force since 3 May 2016 basis for assessment whether a critical infrastructure is at hand: - minimum of 500,000 citizens depend on the services - Determination of measurable thresholds: 24 / L_LIVE_EMEA2: v1

25 German IT Security Act Measurable thresholds for sectors energy, water, IT and telecom Operators of processing facilities with a minimum amount of 22 Mio. m 3 processed drinking water / year; Operators of (electricity) transmission grids with a minimum extracted output of 3,700 GWh / year; Housing (operator of a data center) with a contractually agreed output of 5 MW / year Content Delivery Networks (e.g. MS Azure, Amazon Web Services) with a minimum amount of 75,000 TByte delivered data volume / year 25 / L_LIVE_EMEA2: v1

26 German IT Security Act Sector finance and insurance? Draft bill of German Federal Ministry of the Interior ( 1 st Regulation relating to the amendment of the BSI-Kritis Regulation ) dated 23 February 2017: Cash supply: System to connect to an interbanking payment system (Clearing and settlement):18 Mio. service related transactions / year Card-based payments: Clearing and settlement system with minimum of 21 Mio. transactions / year Conventional payments: Clearing and settlement system with minimum amount of 100 Mio. transactions / year 26 / L_LIVE_EMEA2: v1

27 German IT Security Act Clearing and settlement of securities and derivates: Security clearing house / settlement system: 850,000 transactions / year Depot-keeping system: 850,000 transactions / year Insurance services: Contract management system (life insurance): 500,000 insured events / year Contract management system (health insurance): 2 Mio. insured events / year Contract management system (non-life insurance): 500,000 damage claims / year The regulation shall be passed shortly (probably May 2017) 27 / L_LIVE_EMEA2: v1

28 German Cyber Security Act Obligations under the German Cyber Security Act, Sec. 8a, 8b BSIG Within six months following the regulation adoption date: Designation of a contact person, with whom the Federal Office for Information Security ( BSI ) is able to interact anytime Important: No transition periods for energy suppliers, operators of telemedia services and telecommunications network provders, Sec. 8c para 2 and 3 BSIG Within two years following the regulation adoption date: Implementation of TOMs to avoid malfunction of IT infrastructure Protection of systems in accordance with state-ofthe-art technology Security audits / certifications every 2 years Reporting obligation for any (potential) substantial malfunction Any violation may lead to sanctions of up to EUR 100,000 / reputational damage! 28 / L_LIVE_EMEA2: v1

29 BE TRULY FREE Roderick Kirwan, Head of Legal Digital Digitalisation of Companies: What an in-house counsel needs to know Simmons & Simmons, 18 May 2017 VEON Ltd 2017

30 +200M MOBILE CUSTOMERS

31 VEON IS ACTIVE IN RUSSIA 12 COUNTRIES UKRAINE KAZAKHSTAN ITALY GEORGIA UZBEKISTAN TAJIKISTAN KYRGYZSTAN ALGEIRA ARMENIA PAKISTAN BANGLADESH

32 OUR BRANDS Bangladesh Armenia Georgia Kazakhstan Russia Uzbekistan Tajikistan Kyrgystan Algeria Ukraine Pakistan Italy

33 DIGITAL REINVENTION

34 VEON is leading the personal internet revolution by bringing contextual entertainment and services to the mobile phones of frontier markets

35 TELCO TECH Slow Bureaucratic Vendor dependent Asset Heavy Passive Data Agile Entrepreneurial Internal Developers Asset Light Active Data

36 Culture eats Strategy You Chat, We Pay To Be Truly Free

37 CULTURE & RELATIONSHIPS

38 FULL SUITE PLATFORM BE FREE ON VEON Account Management Chat & Communicate Identity & Payments Marketplace Content

39 CONTEXTUA L INTERNET App eco-system is broken Notification screen is the new frontier Mindshare is the new currency Smart concierge service

40 LEGAL CHALLANGES VEON s experience illustrates Christopher s challenges I will look at two: Platform ecosystem and IT contracts Data Privacy VEON Ltd 2017

41 BEING A PLATFORM Is it a TelCo, OTT or both? TelCo partnership Platform ecosystem and IT contracts Asset light, service rich Presentation title Client name 41

42 ON DATA LAKES All data is not equal All data is not free (to share) Consent, validity & purpose Black letter law v Black arts 42

Key Contacts Christopher Götz Rechtsanwalt T +49 89208077 63 32

com Roderick Kirwan Head of Legal - Digital T +44(0) 7464540

43 Key Contacts Christopher Götz Rechtsanwalt T E christopher.goetz@simmons-simmons.com Roderick Kirwan Head of Legal - Digital T +44(0) E Roderick.Kirwan@veon.com Follow us on 43 / L_LIVE_EMEA2: v1

44 Digitalisation of Companies: What an in-house counsel needs to know 18 May 2017

45 simmons-simmons.com elexica.com This document is for general guidance only. It does not contain definitive advice. SIMMONS & SIMMONS and S&S are registered trade marks of Simmons & Simmons LLP. Simmons & Simmons is an international legal practice carried on by Simmons & Simmons LLP and its affiliated practices. Accordingly, references to Simmons & Simmons mean Simmons & Simmons LLP and the other partnerships and other entities or practices authorised to use the name Simmons & Simmons or one or more of those practices as the context requires. The word partner refers to a member of Simmons & Simmons LLP or an employee or consultant with equivalent standing and qualifications or to an individual with equivalent status in one of Simmons & Simmons LLP s affiliated practices. For further information on the international entities and practices, refer to simmonssimmons.com/legalresp. Simmons & Simmons LLP is a limited liability partnership registered in England & Wales with number OC and with its registered office at CityPoint, One Ropemaker Street, London EC2Y 9SS. It is authorised and regulated by the Solicitors Regulation Authority. A list of members and other partners together with their professional qualifications is available for inspection at the above address. Simmons & Simmons LLP Simmons & Simmons is an international legal practice carried on by Simmons & Simmons LLP and its affiliated partnerships and other entities. 0 / B_LIVE_EMEA1: v1

Cyber Security Law --- How does it affect the business operations in China? Xun Yang Of Counsel, Commercial IP and Technology

Cyber Security Law --- How does it affect the business operations in China? Xun Yang Of Counsel, Commercial IP and Technology 8 December 2016 The Matrix (1999) 1 / L_LIVE_APAC1:5433168v1 World Internet