All posts in Legal Developments

Big data: high financial rewards, high regulatory risks?

In a 2013 survey of 400 companies, management consultancy Bain & Company found that companies using data analytics were:

  • Twice as likely to be in the top quartile of financial performance within their industries
  • Three times more likely to execute decisions as intended
  • Five times more likely to make decisions faster

Fast forward to 2018 and data analytics is firmly entrenched within many companies, to the extent that it has attracted the attention of the regulatory authorities. The European Commission, the Competition and Markets Authority and the French Autorité de la concurrence have all stated that big data and the competitive advantage it can give is a top investigative priority for 2017 and beyond.

How can big data give unfair competitive advantage?

Big data as an asset

Margrethe Vestager, the European Commissioner for Competition, is currently considering revising merger control thresholds to include a threshold pertaining to non-turnover related big data holdings. Although the Commission has incorporated the value of data into previous merger control investigations, this has largely involved companies where big data generates significant revenue. However, a company could acquire a business with a small turnover and a large amount of user data; the new owner could then exploit this data and reduce competitiveness in that marketplace.

Big data pooling

Although sharing data is not forbidden per se, the way companies share data can breach competition rules. Companies can use big data to place themselves in a dominant position over competitors. For example, if a company wants to diversify its offering and move into new areas, it can use data held on current customers to promote the new business. For instance, Uber’s access to users of its lift-sharing service can be used to promote other ventures such as UberEats. This gives Uber an unfair advantage over other providers offering a similar takeaway food business but lacking the data from such a large customer base.

The regulatory authorities take these violations seriously and are imposing significant fines. Most recently, the Belgian Lottery was fined €1 million for using a database of customer contacts to promote a new sports lottery game.

A new form of white collar crime?

The formation of so-called digital cartels is predicted to be one of the biggest challenges regulators will face in the future. Digital cartels arise from companies using automated pricing systems. These digital tools automatically calculate prices according to a set of criteria such as supply versus demand, profit targets and so forth. Increasingly, these systems use machine learning technology. This can lead to the situation where two rival companies use the same pricing technology and react identically to changing market conditions. This results in prices being unintentionally fixed and the law being violated.

Getting value from big data without incurring fines

When it comes to the formation of digital cartels, prevention is complicated. Automated pricing systems are widespread and manual pricing models are unlikely to make a comeback. For regulatory authorities, who are reliant on laws written in the pre-digital age, enforcement is a greater challenge.  However, Vestager has suggested a new directive might follow later in 2017 which may bring clearer rules and stricter enforcement.

Other streams of revenue enabled by the collection and analysis of big data are more easily policed. For companies who rely on sharing information for product development, Vestager recommends referring to the Commission’s guidelines on horizontal cooperation, which show companies how to share data in a way that doesn’t reduce competition.

She also discussed ways for companies to share information with competitors anonymously in a way that doesn’t harm their own business interests such as sending information to a platform anonymously. In return, they would receive aggregate data with no indication of which company it comes from.

In conclusion, competition enforcement is changing, and fast. Companies who use big data, and smaller companies who hold big data but don’t actively use it, should closely monitor the Commission’s announcements over the next few months in order to prepare for any changes. Watch this space!

Brexit and data protection

As the world contemplates the ramifications of the EU referendum, we’ve speculated as to how Brexit might change the way our clients handle data transfers in litigation and investigations.

What legislative regime would govern the UK?

The UK currently operates under the Data Protection Act 1998, which was enacted to bring British law in line with the EU Data Protection Directive (DPD). Since Britain has voted to leave the EU it is likely that the Data Protection Act 1998 will remain unchanged at least during the transition period.

For businesses operating solely within the UK, this means business as usual. However, things become complicated when a business needs to transfer data to or from another European country.

The EU is currently in the midst of replacing the General Data Protection Directive with the General Data Protection Regulation (GDPR) and had Britain voted to remain, British businesses would have had to comply with this new, tougher legislation which includes:

  • Increased fines, up to 4% of the annual global turnover
  • A “Privacy by design” provision requiring that data protection is designed into business services. Companies will need to ensure they are adopting measures to protect data right from the start of a client engagement.
  • Explicit consent being obtained for the collection and processing of data.
  • The appointment of an independent Data Protection Officer.
  • A “Right to be forgotten”. A client has the right to request the erasing of personal data. Companies will need to take steps to understand how they can comply with such a request.
  • A prohibition on data being transferred outside the EU without approval from the relevant supervisory body.

However, Brexit is not simply a case of “in” or “out”, and many of the potential consequences of leaving depend on whether Britain becomes part of the European Economic Area (EEA) or completely severs ties.

If Britain becomes part of the EEA, this would afford Britain the same status as other European countries such as Norway and Iceland. This would mean it would be designated a ‘safe area’ under the GDPR.  In business terms, this would make data transfers somewhat easier, assuming the EU found the UK’s safeguards to be appropriate.  However, this would mean that the UK would still be subject to the DPD and from May 2018, the GDPR, when transferring data across borders to comply with legal obligations in other countries.

An EU-UK Privacy Shield?

If the UK does not become part of the EEA, the UK would probably have to negotiate an agreement similar to the EU-US Privacy Shield in order for UK companies to continue to transfer data between the UK and countries in the EU.

In this scenario it is likely the Article 29 Working Party would suggest similar terms to the US:

  • An ombudsman to handle complaints from EU citizens about the UK security services accessing their data.
  • UK Security services / the Home Office to provide written commitments that Europeans’ personal data will not be subject to mass surveillance.
  • An annual review or audit to check the new system is working properly.

The Upshot

Data protection legislation is changing regardless of the outcome of the referendum and British businesses need to be prepared for these changes. Until the UK finalises its data protection regime and comes to an agreement with the EU, companies need to think carefully about the risks of transferring data across European borders. However, business does not have to come to a standstill; law firms and companies can rely on Kroll Ontrack’s mobile ediscovery solution and network of European offices and data centres to continue to process and transfer data in Europe in a compliant and cost-effective manner. We have always catered for the data protection needs of our clients as they take all laws and regulations into consideration.

Brexit: Our position

Although the results of the referendum are clear, the full impact of Brexit on data transfers in litigation and investigations is dependent on whether or not Britain becomes part of the European Economic Area (EEA) or the European Free Trade Association.

If the UK becomes part of the EEA and the EU finds the UK’s data protection safeguards to be appropriate, this would make transferring data outside of the UK easier. However, it is likely that businesses will still have to comply with the new requirements to be implemented under the forthcoming General Data Protection Regulation when transferring data across borders to comply with legal obligations in other countries. Both legal mechanisms and technology solutions are relied upon in these situations to safeguard the personal data of European citizens.

If Britain does not become part of the EEA, the situation is more complicated and it is likely that an arrangement similar to the EU-US Privacy Shield would need to be agreed. This will provide a safe passage for the transfer of data between the UK and other countries in Europe.

Until the UK finalises its data protection regime and comes to an agreement with the EU, companies need to think carefully about the risks of transferring data across European borders. Business does not have to come to a standstill; law firms and companies can rely on Kroll Ontrack’s mobile ediscovery solution and network of European offices to continue processing and transferring data in Europe in a compliant and cost-effective manner. We have always catered for the data protection needs of our clients as they take all laws and regulations into consideration.

 

Kroll Ontrack’s Canine Forensics Team: Sniffing out the evidence and cutting costs

Kroll Ontrack is pleased to announce our latest weapon against data theft: our Canine Data Defenders. This new service, believed to be the first of its kind in the UK, will enable clients to reduce initial data forensics costs and speed up computer forensics investigations.

How does it work?

A dog’s sense of smell is unbelievably powerful, between 10,000 and 100,000 times as acute as humans, depending on the breed. A useful way of imagining this is to think of the difference in terms of vision; if a human can see an object one third of a mile away, a dog can see the same object 3,000 miles away. It is because of this ability that the dog’s sense of smell has long been utilised in the medical, military and law enforcement fields to detect cancer cells, explosives and drugs.

What do Kroll Ontrack’s dogs look for?

The human endocrine system is extremely complex and to a trained nose, compounds found in sweat can reveal much about the human in question’s behaviour and mental state. Someone using a device for illegal activity, for example, is likely to release a greater amount of stress hormone into their sweat which in turn is transferred onto the device via touch. Kroll Ontrack’s canine team has been trained to pick up on these scents and lead handlers to devices that have been used for nefarious purposes. The process is simple and a team of two dogs can check 100 devices within an hour, which is a marked improvement on a human team handling and scanning each device.

After a successful pilot study, the Canine Data Defenders will be available to clients from 31st June 2016.

Kroll Ontrack Head of Computer Forensics, John Perro, commented: “This is not about substituting human knowledge but about saving our clients’ time and money. Our dogs can pinpoint a machine used for suspect activity within seconds, allowing our human team to get straight into a type 2 data analysis. We can also see applications in internal compliance investigations. A quick sweep of an office using our dogs will provide compliance officers with a quick and accurate spot check of the company’s activities.”

A second team of dogs is currently in the final stage of training to provide early-evidence services for our ediscovery team, further cementing the role of dogs at Kroll Ontrack.

How can banks reduce litigation and investigation-related legal costs?

Last week over 50 corporate in-house counsel and lawyers working in the financial sector gathered in the rather glamorous surroundings of the Banking Hall to join Kroll Ontrack for our breakfast seminar, ‘Banks or Law Firms: Who holds the purse strings’.

After a delicious breakfast, our illustrious panel tackled the complex and often controversial topic of managing legal costs for banking-related investigations and litigations. The key themes up for debate were:

  • How recent ‘big ticket’ regulatory investigations have affected the banking world
  • Using the latest predictive coding technology to reduce legal costs
  • Leveraging corporate buying power when using law firms and other professional service providers
  • Discussing alternative pricing structures
  • Examining the pros and cons of unbundling legal services

The debate was moderated by Ben Fielding of Kroll Ontrack and our speakers included Elizabeth Meekison, a Senior Lawyer in Commercial Litigation at Lloyds Banking Group; Mark Humphries, Senior Partner at Humphries Kerstetter; Thomas Leyland, Partner at Dentons; and Orion Wisness, Discovery Consultant at Kroll Ontrack. With representation from in-house counsel from banks, senior partners from top law firms and a technology provider, each brought their own experiences and opinions to what was an eloquent, wide-ranging, and informative discussion.

The key points that emerged were:

Priorities for banks:

  • Banks value accuracy, defensibility of process and not necessarily lower costs when it comes to ediscovery
  • Working collaboratively with law firms and technology providers and ensuring regular and effective communication

The benefits of proactivity:

  • The importance of involving an ediscovery provider from the beginning of the disclosure process or investigation.
  • How implementing information governance strategies and managing the quantity and location of your data can reduce costs.
  • How fixed fee modelling could be implemented (and why this might not be a possibility in certain cases.)

Legislative concerns:

  • Are the standard disclosure rules too broad?
  • In light of spiralling data volumes, should the disclosure rules be modified so they are closer to the arbitration model?

The importance of predictive coding technology

With the recent judgement (Pyrrho Investments v MWB Property [2016] EWHC 256 (Ch)) approving the use of predictive coding still hot news, much of the debate and audience’s questions were focused on:

  • How technology such as predictive coding can be used to reduce the burden of big data in litigation and investigations
  • The implications of the recent judgement approving use of predictive coding technology in the UK
  • The need for both corporations and law firms to fully understand exactly what predictive coding entails in terms of both its capabilities and its limitations

We would like to thank speakers for taking the time out of their busy schedules to take part in the debate and share their expertise. We’d also like to thank our guests for joining us and further enlivening the discussion with their considered questions.

 

UK High Court approves use of Predictive Coding in litigation

Last week legal technology providers in the UK had a lot to celebrate as the English High Court approved the use of predictive coding for disclosure in litigation.

The judgement, handed down by Master Matthews, gave official judicial authorisation for the use of predictive coding in High Court proceedings. Summing up his decision, Master Matthews stated that predictive coding is just as accurate as, if not more so than, a manual review using keyword searches. He also estimated that predictive coding would offer significant cost savings in this particular case and that the possible disclosure of over 3 million documents done via traditional manual review would be disproportionate and ‘unreasonable’.

To read the judgement in full, please click here.

How does predictive coding work?

Predictive coding is an advanced machine-learning technology which allows computers to predict how documents should be coded (i.e., should a document be tagged ‘responsive’ or ‘privileged’) based on decisions made by human subject matter experts. Put simply, an experienced lawyer trains the computer by coding a sample set of documents, and the computer then learns what to look for based on this training. In the context of edisclosure and other investigative exercises involving electronic evidence, this technology can find key documents faster and with fewer human reviewers, thereby saving on cost and review time.

Who uses predictive coding?

Other jurisdictions, such as the USA and Ireland, have led the way in giving judicial approval to predictive coding, and the UK judgement references these cases in detail. Despite these cases as well as the ever-increasing sophistication of the technology itself, the UK law community has been somewhat reluctant to make use of the technology, as explored in this study by Kroll Ontrack Legal Consultant and former litigation lawyer, Hitesh Chowdhry.

In Chowdhry’s white paper, ‘Rage Against the Machine; Attitudes to Predictive Coding Amongst UK Lawyers’, he notes that his study revealed that the main barriers to adopting predictive coding technology were:

  • Risk aversion and mistrust of the technology’s accuracy
  • Belief that predictive coding would have a negative effect on revenue
  • Satisfaction with existing methods and a belief that existing practices offered more accuracy than studies have suggested
  • Insufficient understanding and knowledge of the complex predictive coding process
  • Diffusion amongst professionals

The UK judgement counters many of the fears uncovered in Chowdhry’s study by stating that the technology is accurate and offers cost savings.

Predictive coding and the Civil Procedure Rules

As data volumes continue to grow and traditional manual reviews using keyword searches become less feasible, predictive coding may be the best path toward complying with the Civil Procedure Rules.

Jeff Shapiro, a lawyer who has written frequently on costs in edisclosure, offered this comment: “The judgement approving predictive coding for the disclosure of documents highlights the judiciary’s continued march to proportionate costs in litigation via application of the overriding objective. Review amounts to approximately 70% of total disclosure costs. With the ubiquity of electronic document creation and storage, litigators have an ever-increasing costs’ burden in order to fulfil their CPR disclosure obligations. The judiciary, recognising the realities of modern disclosure where millions upon millions of documents may need ‘to be considered for relevance and possible disclosure’, has proclaimed that predictive coding may be used as a substitute for manual review.”

The cost savings offered by predictive coding will undoubtedly be popular with clients and potentially will give a competitive edge in winning work.

We hope that this judgement will encourage more UK firms to take advantage of the benefits offered by predictive coding.

For more information about this technology, please click here.

No more EU-US Safe Harbor. What are the implications for citizens and businesses?

Introduction

On 6th October 2015, the Court of Justice of the European Union declared in the case Maximillian Schrems v. Data Protection Commissioner (Case C-362/14) that the “Safe Harbor Agreement” between the EU and the US is invalid.

Until now, the so-called “Safe Harbor Agreement” was an agreement signed in 2000 between the US Department of Commerce and the European Union that allowed US-based companies to transfer data from the EU to the US and thus to comply with the EU Data Protection Directive of 1995. In 2000, the European Commission had declared that the US provides adequate safeguards for data protection. The “Safe Harbor Agreement” consisted of data protection principles to which US undertakings may subscribe voluntarily. To date, 4400 companies have transferred data to the US under the “Safe Harbor Agreement”.

The Court judgment is available online here and the press release of the Court of Justice concerning this case is available here.

What is the background of the case?

Maximillian Schrems, an Austrian citizen, has been a Facebook user since 2008. As is the case with other subscribers residing in the EU, some or all of the data provided by Mr Schrems to Facebook is transferred from Facebook’s Irish subsidiary to servers located in the United States, where it is processed. Mr Schrems lodged a complaint with the Irish supervisory authority (the Data Protection Commissioner), taking the view that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency), the law and practice of the United States do not offer sufficient protection against surveillance by US public authorities of the data transferred to that country. The Irish authority rejected the complaint, on the ground, in particular, that in a decision of 26 July 2002 the European Commission considered that, under the ‘safe harbor’ scheme, the United States ensures an adequate level of protection of the personal data transferred.

Mr. Schrems appealed the decision of the Data Protection Commissioner before the Irish High Court. The Court decided to stay the proceedings and to refer questions to the European Court of Justice for a preliminary ruling.

The European Court of Justice ruled that the so-called “Safe Harbor Agreement” was invalid because it allowed US government authorities to gain routine access to Europeans’ online information. The court also explained that leaks from Edward J. Snowden, the former contractor for the National Security Agency, made it clear that American intelligence agencies had almost unfettered access to the data, infringing on Europeans’ rights to privacy.

What are the next steps following this judgment?

The Court of Justice ruling is effective immediately and declares the current “Safe Harbor Agreement” invalid. This judgment has the consequence that the Irish supervisory authority is required to examine Mr Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the EU Data Protection Directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.

What are the practical implications of this judgment for US-based companies who used to transfer personal data from EU citizens to the US under the “Safe Harbor Agreement”?  

As we know, the recent Court of Justice judgment declared the “Safe Harbor Agreement” invalid. This means, under a strict interpretation, data transfers concerning personal data from EU citizens to the US cannot rely on the “Safe Harbor” anymore since it has been declared invalid.

Nevertheless, US-based companies should still be able to transfer data from EU citizens to the US by using alternative mechanisms such as standard contractual clauses, binding corporate rules (“BCR”) and derogations. Standard contractual clauses are model clauses that have been issued by the European Commission and are designed to facilitate transfers of personal data from the European Economic Area (EEA) to third countries that are not designated to be “adequate” for the processing of personal data by the European Commission. The model clauses provide sufficient safeguards for the protection of the privacy of individuals.

“BCR” are internal rules, such as a Code of Conduct, adopted by a multinational group of companies which define its global policy with regard to the international transfers of personal data within the same corporate group to entities located in countries which do not provide an adequate level of protection. To that extent, “BCR” ensure that all transfers made within a group benefit from an adequate level of protection. Once approved under the EU cooperation procedure, “BCR” provide a sufficient level of protection to companies to obtain authorisation of transfers by national data protection authorities. It should be noted that the “BCR” do not provide a basis for transfers made outside the company group.

As to derogations, the EU Data protection rules include derogations under which personal data can be legitimately transferred to the US on the basis inter alia of[1]:

  • Performance of a contract [e.g. if you book a hotel in the U.S., your personal data are transferred there in order to fulfil the contract];
  • Important public interest grounds [e.g. cooperation between authorities in the fight against fraud, cartels, etc.];
  • The vital interest of the data subject [e.g. in urgent life or death situations, personal data such as medical records can be transferred internationally in the person’s own interest];
  • Or, if there is no other ground, the free and informed consent of the individual.

From a pragmatic standpoint, although there is no official “grace period” following the invalidity of the Safe Harbor, US-based companies that transfer personal data from EU citizens to the US cannot be expected to cease such transfers immediately since this would affect numerous business operations.

Frans Timmermans, the First Vice-President for the European Commission, who will be charged with carrying out the ruling, and Vera Jourová, EU Commissioner, tried to ease the concerns of companies. Their official press release is available here. They said businesses could still move European personal data to the United States through other mechanisms including standard contractual clauses, binding corporate rules (“BCR”) and derogations.

How will this judgment affect the ongoing discussions concerning the new Safe Harbor Agreement, the EU Data Protection Reform and the EU-US Umbrella Agreement for the law enforcement sector?

Frans Timmermans, the First Vice-President for the European Commission and Vera Jourová, EU Commissioner, explained that the European Commission has been in discussions with the US over the past two years to revise the existing Safe Harbor. Negotiations are still ongoing but the aim is “to step up discussions with the US towards a renewed and safe framework for the transfer of personal data across the Atlantic”.

As to the EU Data Protection Reform and the EU-US Umbrella Agreement for the law enforcement sector, they explained that both are well on track and will most likely be finalised this year. The Data Protection Reform which will see the passing of a new EU Regulation to replace the Data Protection Directive aims amongst other things to strengthen the powers of national data protection authorities, which have an essential role in upholding individuals’ rights to data protection. In their view, this is fully in line with the recent Schrems’ ruling.

The EU-US Umbrella agreement differs from the Safe Harbor. It does not itself enable data transfers. Rather, it sets high data protection standards in the area of police and criminal justice cooperation. They explain that the Umbrella agreement will improve the protection of personal data of Europeans in the U.S. as it will make sure that citizens will have recourse to judicial redress possibilities in the U.S. in case of privacy breaches, once the US Congress has adopted the respective draft Bill.

Finally, Mr. Timmermans and Ms. Jourová explained that the European Commission would work with national data protection authorities to ensure that the court’s decision (Schrems’ recent judgment) is carried out in a uniform fashion across the European Union. They concluded saying “As citizens need robust safeguards and businesses need legal certainty; the guidance should help avoid a patchwork of potentially contradicting decisions by the national data protection authorities and therefore provide predictability for citizens and businesses alike”.

What should companies do while the current legal situation is being clarified?

While the new Safe Harbor Agreement is being discussed between the EU and the US and the EU Data Protection Reform is finalised, companies that used to transfer personal data from the EU to the US under the Safe Harbor Agreement should now use alternative mechanisms such as the standard contractual clauses, binding corporate rules (“BCR”) and derogations described above. We also suggest that companies seek guidance and approval from the respective national data protection authorities in the countries in which they have business operations.

In addition, if companies are, for example, in litigation in the EU that requires the services of an ediscovery provider, or at least need to process and host EU citizens’ personal data, we recommend that they opt for in-country solutions within the EU so as to comply with EU data protection regulations. In practice, this means, for example, that if a German company has to collect data from its employees based in several locations in Germany with the assistance of an ediscovery provider, that data should be processed and hosted in a German data centre so as to comply with strict German and EU data protection regulations. The data should thus not leave the German borders. In our view, the recent Schrems judgment reinforces the need to use local solutions so that when data is processed and hosted to carry out electronic searches, data remains within the respective countries of the custodians concerned and above all remains within the EU. If data from the European custodians does have to leave the European Union and needs to be transferred to the US, then it will have to be within the framework of the alternative mechanisms described above.

[1] For further derogations please refer to Article 26 of the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

About Thomas Cavro Dupont

Thomas Cavro Dupont is a Discovery Services Consultant at Kroll Ontrack in the EMEA region and is based in Germany. He advises lawyers around Europe and their clients on how to effectively manage electronically stored documents in matters such as competition, litigation and internal or regulatory investigations. Before joining Kroll Ontrack in 2014, he worked as an Associate in leading international law firms in Brussels, Paris and Madrid advising clients on competition law issues. Thomas also worked as a Project Manager for a major ediscovery provider in London specialising in ediscovery projects in the antitrust and finance areas. Thomas, who is legally qualified in Spain and France, obtained his Law Degree from the Universidad Pontificia Comillas in Madrid and received an LL.M. in European Legal Studies from the College of Europe in 2009. His native languages are Spanish and French and he is fluent in German and English.

New Frontiers in Ediscovery

We are very excited to be launching the inaugural edition of our report entitled: ‘New Frontiers: An Insight into the global expansion of ediscovery.’ The report contains a compendium of 15 articles focusing on how ediscovery is being carried out in various countries around the world. We have also included a series of feature articles examining:

  • how ediscovery technology is being used to detect cartels
  • what uses are being found for ediscovery technology in the financial services sector
  • the latest trends in computer forensics
  • new technologies in ediscovery.

Ediscovery has evolved from its origins as a legal procedure used primarily in the USA and UK in litigation matters. Kroll Ontrack’s global expansion over the past ten years has shown there is demand across Europe and Asia for ediscovery technology to search for and review electronic evidence, particularly for competition matters and internal investigations.

What does ediscovery look like in 2015?

We asked our global network of legal consultants to report in depth on the state of ediscovery in their respective countries, providing insight into global trends around ediscovery adoption, uses and advances in technology.

The New Frontiers report documents how ediscovery is becoming an important element of the business landscape, even for countries that do not have an obligation to provide ediscovery as part of their legal framework. The important drivers for these countries, including Germany, France, the Netherlands, China and Singapore, are more likely to be related to increased scrutiny by regulators, the transparency and compliance agenda, the need to manage mountains of big data and the overriding requirement to reduce legal cost.

Tim Phillips, Managing Director of Kroll Ontrack International Legal Technologies, commented:

“As a leader in the global industry, we believe it is important to document these changes and to highlight ediscovery’s rapid growth as a problem-solver for everything from regulatory compliance to dealing with dawn raids, and from unbundling legal services to forensic investigations.”

The New Frontiers report is available in full here.

Are we ready for the drone revolution?

In 2014, over ten thousand civilian drones were sold in the UK and future sales are predicted to increase rapidly. Despite recent legislation regarding privacy and aviation safety, there could still be unintended consequences should drone use become widespread, particularly around data theft and the use of data collected on drones as evidence in court.

Are drones secure?

As with any wireless device, drones can be commandeered or made uncontrollable by third parties. Data can be intercepted by third parties such as data thieves, authorities and hackers. According to white hat hacker Samy Kamkar, hijacking a drone is relatively simple. To prove his point, he adapted a Parrot AR drone, which is commonly used for taking aerial photographs and has video recording capability, and combined it with a Raspberry Pi system. By running his customised software, Kamkar was able to use his hacked drone to track down and control other Parrot drones.

Kamkar has since shared his software with the manufacturers so they can take steps to patch the security holes exploited, but the exercise highlighted that drones are vulnerable and that the data collected by a drone can be stolen. Until drone security develops and improves, commercial drone users should be cautious about collecting sensitive data via a drone.

Extracting evidence from drones

Should legal action result from the use of drones, for example, when data is stolen and a damages action follows or sensitive personal data is captured and penalties for breaching data protection law ensue, then the data captured by drones may need to be analysed and disclosed in legal proceedings.

A computer forensic expert called upon to extract data from a drone would need to consider how the data is stored, whether or not it is encrypted and, if it is hard to get to, what other sources of the data can be tracked down. There is sometimes a lag between the release of a new device and the development of the tools able to access the data stored on it, but often computer forensic experts are able to locate electronic evidence from new devices to support legal proceedings.

A changing legal climate

As drones grow in popularity, so too will the number of disputes regarding their use. Undoubtedly, drone guidelines, which are currently in their infancy, are likely to develop as the legislation evolves to encompass technological advancements. Any organisation whose business can be affected by drones, whether positively or negatively, should make it a priority to keep abreast of legislation to best protect itself from future legal action.

Technology, big data and the regulatory arms race

In 2010, the then Office of Fair Trading (OFT) launched an investigation into a suspected price-fixing cartel between aviation giants, British Airways and Virgin Atlantic. The airlines were alleged to have conspired to fix fuel surcharge prices. However, the case collapsed following the discovery of 70,000 emails that had not been disclosed to the prosecution until the last minute due to a technical error.

The collapse of the case caused the OFT to be universally criticised, with commentators describing the investigation as a “fiasco” and the OFT exhibiting “incompetence on a monumental scale”.

Fast-forward four years and both the OFT and the Competition Commission (CC) have been dissolved and replaced by the Competition and Markets Authority. Thanks to the technological failings seen in cases such as the Virgin-British Airways price-fixing case, the two authorities may have created the impression that competition authorities lack technological prowess when it comes to investigations. Yet corporations hoping that this new authority will follow in the footsteps of its predecessors in the handling of electronic evidence should take heed; the CMA has a completely different approach.

How does the CMA differ from its predecessors?

More funding

The Treasury has granted funds which have allowed the CMA to invest further in the capacity it needs to increase the number of cartel cases it can pursue and the speed with which it can do so.

Increased quality and quantity of staff

According to Stephen Blake, Senior Director of the Cartels and Criminal Group at the CMA, the CMA has doubled the size of its Cartels and Criminal Group. In addition to doubling the size of that team, the CMA has also focused on building a team with the ability to work proactively and follow an intelligence-led investigation strategy. With this in mind, the CMA has hired a coterie of senior investigators and experienced intelligence officers.

Sophisticated technology

According to an experienced competition expert in London, “Enforcement authorities have learnt a lot over the past few years. They will have seen a change in the volume of documentation that needs to be collated and reviewed and this will have driven the change in approach which is now becoming apparent in their approach to information requests and general case management. The CMA has had the benefit of the hard lessons learned by the OFT, and will be far more engaged on this topic and cautious in planning how to manage an investigation, not just in terms of adhering to best practice but also in managing an investigation to criminal standards.”

To avoid repeating incidents such as the Virgin-British Airways data mishandling, the CMA has adopted the same ediscovery and investigatory tools used by law firms and corporations undergoing scrutiny. In a dawn raid scenario, this means they are now able to process very large volumes of data quickly, scan entire corporate IT landscapes and drill down and forensically examine or analyse specific trails of evidence in detail.

More collaboration

As part of the CMA’s commitment to implementing intelligence-led detection and enforcement strategies, leadership at the CMA has promised to foster closer partnerships with the police and other criminal enforcement agencies.

What will these changes mean for corporate compliance officers and in-house counsel?

The CMA has more funding, highly-trained and motivated staff and is actively pursuing investigations, as well as addressing the cases inherited from the OFT and CC. With the technological gap between authorities, law firms and companies now closed, the best way for corporations to prepare is to take a proactive approach to compliance. This can take the form of conducting regular internal investigations, streamlining and understanding data estates and, for the ultimate in preparedness, arranging a mock dawn raid.

About Tracey Stretton

Tracey Stretton is a Legal Consultant at Kroll Ontrack in the UK. Her role is to advise lawyers and their clients on the use of technology in legal practice. Her experience in legal technologies has evolved from exposure to its use as a lawyer and consultant on a large number of cases in a variety of international jurisdictions.