LAWFUL BY DESIGN

In a highly connected, digital tech-driven business landscape, staying within the perimeters of legal requirements has become more crucial than ever before.

For Mark Zuckerberg, it wasn’t a good day. In late May the beleaguered Facebook founder appeared before the European Parliament in Brussels. With the deadline to implement the European internet privacy rule known as the General Data Protection Regulation (GDPR) approaching, EU lawmakers were understandably edgy about digital privacy issues. Centrist MEP Guy Verhofstadt was particularly direct: ‘Every year you have one or other wrongdoing or problem with Facebook and you have to face the reality and to say sorry and to say that you are going to fix it,’ Verhofstadt told Zuckerberg. ‘Are you capable to fix it?[sic]’

The exchange – testy as it was – laid bare two of the key issues faced by modern businesses. Technology and the law don’t always make easy bedfellows. And while digital technologies are driving previously undreamed-of innovations, there’s a sense (to borrow a line from Jurassic Park) that tech disruptors are so preoccupied with whether or not they can do something, they seldom stop to think if they should.

‘Technology and the law have always been closely related,’ says Webber Wentzel partner Alexia Christie. ‘In South Africa – as in other jurisdictions – technology pushes the way in which our society progresses. So it goes without saying that with technology you’re able to deliver new products better, quicker, faster, and you’re able to access customers better, quicker, faster. It brings about new business models that perhaps didn’t exist before. So we have this tension between what can be done with technology, versus what the law will allow.’

Christie adds that as a ‘tech’ lawyer, her practice is built on change. ‘We have to keep one eye on what’s happening in the tech space, and another on what’s happening in the legal space.
We have to map the two, and see where they are likely to bump heads or where new opportunities exist,’ she says. ‘We have clients who are trying to grapple with all these changes in technology and how it impacts on their business. We have to give legal advice in this context. It’s a permanently changing landscape, which is what makes it so exciting.’

Yet while tech continues to push the bounds of what can be done in the world of business, it’s also pushing the bounds of what should be done in terms of the law. And with every disruptive, Facebook-like technology that enters the market, lawyers are forced to consider whether the existing laws are adequate.

‘The South African legal system has done fairly well,’ says Christie. ‘It’s broadly keeping pace with technological change, but that can only work if the laws we have are technology-neutral.’ Ironically, that is one of the most common criticisms of the recent Electronic Communications Amendment Bill, which some commentators believe is too broad – opening up the possibilities of overreach and unintended consequences. Therein lies the delicate balance between crafting a law that has space for growth and will remain relevant as technology changes; but is neither too vague nor too limited.

That notion, of making sure that the law is crafted correctly at its earliest stages, also applies to technology. ‘We need to ensure that when we embrace new technologies, we’re doing so in a manner that gives effect to our legal obligations,’ says Christie. ‘The only way we can do that is if we seek appropriate legal advice, right at the outset.

‘The best results I’ve seen are where clients are considering a new business model or a new product, and we brainstorm together with them,’ she says, adding that the law firm will go to the client’s offices and strategise with their technical, business as well as their marketing teams.
‘We’ll engage at the outset of that process to help them develop a solution that will allow them to do what they want to do – while making sure that it is done in a manner that is still going to give effect to their compliance and regulatory obligations.’

According to research by Deloitte Legal Management Consulting (CLM), technology is playing an increasingly important role in the delivery of legal services. ‘In the near future, machines will take on more and more legal tasks – initially the routine work and, in due course, some more complex tasks.’ As the environment shifts from human labour to technology use, adds Deloitte CLM, both law firms and legal tech startups are realising the value of big data (benchmarking, knowledge management) and data science (risk management), as well as predictive analytics and machine learning.

Clients have also become increasingly concerned about understanding their compliance obligations when employing new technology as part of their business, especially the rapidly expanding regulatory framework relating to data protection, data communication and cybersecurity, says Juanita van Zyl, associate in the commercial department of Phatshoane Henney Attorneys. ‘With the enhanced accessibility and availability of businesses on the internet, our clients have been forced to rethink and adapt their marketing strategies to counter the effects of a growing demand for online differentiation.
We regularly receive enquiries pertaining to direct marketing, the Consumer Protection Act, the Electronic Communications and Transactions Act, and the Protection of Personal Information Act [POPIA], with queries frequently relating to determining the fair playing field between compliance and allowable marketing strategies.’

This is especially true in the fintech space, where emerging technologies – from the internet of things to blockchain, to artificial intelligence and anything in between – are constantly enabling businesses to provide new, better, faster services. ‘We’re seeing huge disruption in this space,’ says Christie. ‘The financial services sector is a heavily regulated environment, and it’s a good case study for where technology and regulation need to be aligned.’ She adds that businesses in the financial services sector need to be particularly careful about the deployment of new technology to ensure it satisfies the necessary legal requirements and gives effect to regulatory compliance.

Increasingly, legal services are being seen as a constructive part of that dialogue. ‘With appropriate legal input early on, we’re able to help clients develop products from the ground up, with a long-term view to where the technology and the business model are likely to take them,’ she says. ‘It’s so important to get it right, from the start.’

This approach should apply to cybersecurity – or, as Christie prefers to call it, ‘cyber resilience’. Citing the King IV Report on Corporate Governance, she says that businesses need to manage technology with an eye to pre-empting cybersecurity incidents. ‘Any business that manages very sensitive data will likely be subject to a higher standard than a business that doesn’t. We’re moving away from a one-size-fits-all approach. With the changes in legislation and the regulatory requirement, we’re seeing an increasingly complex layering of obligations. This changes what is reasonable in terms of how you run your business,’ she says.
‘The bar of reasonableness is being raised.’

In the data privacy space, for example, there is the principle of ‘privacy by design’ – which is highlighted in the EU’s new GDPR. ‘In order to be able to demonstrate compliance with this regulation, the controller should adopt internal policies and implement measures that meet, in particular, the principles of data protection by design,’ states European law. SA’s data protection law, POPIA, while not yet in force, will have a similar effect. Van Zyl adds that once POPIA comes fully into operation, it will align SA with the international community, but its adequacy to deal with constantly evolving technology and privacy challenges will have to be judged in time.

However, as Christie points out, privacy is not a new thing. ‘We have a constitutional right to privacy, and common law protections that protect privacy,’ she says. ‘Clients are often concerned that POPIA will fundamentally change how they have to run their business.

‘Our advice is that you’re likely already implementing a lot of these measures, because most of them make business sense. It’s the right thing to do to look after your customer data, so you’re likely already doing a lot of what this legislation requires of you.’

Ultimately, it’s about making sure that business is lawful by design. ‘Build your business and your business offering so that it’s lawful,’ says Christie. ‘Build it right, first time. It makes business sense.’

By Mark van Dijk

Images: Gallo/Getty images