IISP Future Law and the Future of Law - CRESTCon

FUTURE LAW AND THE FUTURE OF LAW

Ashley Winton, Data Privacy and Cyber Security, Partner

AGENDA

Has existing law been fit for purpose?
- Hacking
- Electronic Signatures

What new laws and developments are on the horizon?

How will current and new law cope with new technological developments?
- Strong Authentication
- Breach Notification for financial services
- Artificial Intelligence
- Bitcoin/Blockchain

What is the future of law, can technology help?

HAS EXISTING LAW BEEN FIT FOR PURPOSE?

HAS EXISTING LAW BEEN FIT FOR PURPOSE?

How did the law cope with hacking?

R v Robert Schifreen and Steve Gold arrested in 1985 for using the password “1234” against account “2222222222” on Prestel, which gave them root access and allowed them to access certain accounts.

No specific law on hacking; attempts to use the Forgery and Counterfeiting Act 1981 failed on appeal: “the Procrustean attempt to force the facts into the language of an Act not designed to fit them” should not be repeated.

Introduction of the Computer Misuse Act 1990

COMPUTER MISUSE LAW

Computer Misuse Act 1990 (“CMA”):

Criminal offences:

Unauthorised access to computer material (section 1(1), CMA).

Unauthorised access to computer materials with intent to commit or facilitate commission of further offences (section 2(1), CMA).

Unauthorised acts with intent to impair, or with recklessness as to impairing, the operation of a computer (section 3, CMA). (Including circulation of malware).

Making, supplying or obtaining articles for use in offences under section 1 or section 3 of the CMA (i.e. hacking tools) (section 3A, CMA).

Even modifying a URL could be an offence

WAS THE COMPUTER MISUSE ACT FIT FOR PURPOSE?

Denial of service arguably not covered. A specific offence was introduced by the Police and Justice Act 2006. NB DPP v Lennon [2006].

But the Police and Justice Act also introduced:

“3A(2) A person is guilty of an offence if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence under section 1 or 3.”

“3A(3) A person is guilty of an offence if he obtains any article with a view to its being supplied for use to commit, or to assist in the commission of, an offence under section 1 or 3.”

Kali / BackTrack?

WAS THE COMPUTER MISUSE ACT FIT FOR PURPOSE?

“The Computer Misuse Act does not prevent individuals from obtaining tools such as malware with the intention to personally commit a cyber crime.” Home Office Impact Assessment 2014

Specific offence introduced by the Serious Crime Act 2015

“3A(3) A person is guilty of an offence if he obtains any article –
(a) intending to use it to commit, or to assist in the commission of, an offence under section 1, 3 or 3ZA, or
(b) with a view to its being supplied for use to commit, or to assist in the commission of, an offence under section 1 or 3.”

HAS EXISTING LAW BEEN FIT FOR PURPOSE?

How did the law cope with Electronic Signatures?

UNCITRAL Model Law on Electronic Commerce – June 1996: Established accepted rules for electronic commerce, including defining the role of electronic signatures

US Uniform Electronic Transactions Act (UETA) – July 1999: Permitting electronic legal documents and allowing electronic signatures in evidence

EU Directive for Electronic Signatures (1999/93/EC) – December 1999: Defines two different kinds of electronic signatures: a “simple electronic signature” and an “advanced electronic signature”. Technical standards were introduced in Commission Decision (2009/767/EC)

US Electronic Signatures in Global and National Commerce Act (E-Sign) – June 2000: Electronic signatures, records and contracts are not denied validity by being in electronic form

UNCITRAL Model Law on Electronic Signatures – July 2001: Introduced support for certification and digital authentication for electronic signatures

EU DIRECTIVE FOR ELECTRONIC SIGNATURES (1999/93/EC)

Simple electronic signature: “data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication”. They will not be denied legal effectiveness solely on the grounds that they are: “in electronic form, not based upon a qualified certificate, not based upon a qualified certificate issued by an accredited certification service provider, or not created by a secure signature creation device”

NB But national law may deny legal effectiveness for other reasons

Advanced electronic signature: “An electronic signature which a) is uniquely linked to the signatory; b) is capable of identifying the signatory; c) is created using means that the signatory can maintain under his sole control; and d) is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable”. Advanced electronic signatures which are “based on a qualified certificate and created by secure signature creation device”, such as digital signatures, are fully legally equivalent to handwritten signatures
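As an added illustration that is not part of the deck, the four properties of an advanced electronic signature map directly onto an ordinary digital signature. The Go program below uses Ed25519 from the standard library: the private key is the means under the signatory's sole control (c), the verifier's directory of public keys stands in for the certificate that links a key to a named signatory (a, b), and any change to the signed data makes verification fail (d). The Signatory and Directory types, the names and the document text are constructed for this example; in a qualified scheme the name-to-key binding would come from a qualified certificate issued by a certification service provider, not from a local map.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signatory pairs a name with an Ed25519 key pair. The private key is the
// "means under the signatory's sole control": it is unexported and never
// leaves this struct. (Constructed type for the example.)
type Signatory struct {
	Name    string
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

// NewSignatory generates a fresh key pair for the named signatory.
func NewSignatory(name string) (*Signatory, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signatory{Name: name, Public: pub, private: priv}, nil
}

// SignedDocument carries the data, the claimed signer and the signature.
type SignedDocument struct {
	Data      []byte
	Signer    string
	Signature []byte
}

// Sign produces the signature over the data with the signatory's private key.
func (s *Signatory) Sign(data []byte) SignedDocument {
	return SignedDocument{Data: data, Signer: s.Name, Signature: ed25519.Sign(s.private, data)}
}

// Directory maps a signatory's name to the public key the verifier trusts for
// them. This is the (constructed) stand-in for a certificate: it is what makes
// the signature "capable of identifying the signatory".
type Directory map[string]ed25519.PublicKey

// Verify reports whether the signature is valid for the claimed signer and,
// if not, why. A changed byte in Data, a signature made with another key, or
// a claimed signer the verifier does not know all fail.
func (d Directory) Verify(doc SignedDocument) (bool, string) {
	pub, ok := d[doc.Signer]
	if !ok {
		return false, "unknown signatory"
	}
	if !ed25519.Verify(pub, doc.Data, doc.Signature) {
		return false, "signature does not match data and signatory"
	}
	return true, "ok"
}

func main() {
	alice, err := NewSignatory("Alice")
	if err != nil {
		panic(err)
	}
	dir := Directory{alice.Name: alice.Public}

	doc := alice.Sign([]byte("Contract: pay 100 EUR on 2018-01-01")) // constructed document
	ok, why := dir.Verify(doc)
	fmt.Println("original:", ok, why)

	doc.Data = []byte("Contract: pay 1000 EUR on 2018-01-01") // altered after signing
	ok, why = dir.Verify(doc)
	fmt.Println("altered: ", ok, why)
}
```

The point the definition makes, and the code shows, is that property (d) costs nothing extra: the signature is computed over the data itself, so tamper detection is a side effect of verification rather than a separate check. What a signature cannot do by itself is property (b); the directory here is where a real scheme relies on a certificate and on the liability rules the Directive places on the certification authority.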

EU DIRECTIVE FOR ELECTRONIC SIGNATURES (1999/93/EC) II

This Directive contemplated the growth of a complex network of PKIs providing electronic certificates for the recognition and development of advanced electronic signatures

The Directive provided that national law should require that certification authorities are liable, up to certain limits, for the damage caused to their customers who rely on a qualified certificate issued by them

A voluntary accreditation scheme was introduced and the Directive aimed to ensure that electronic signatures were not to hinder free trade across the European Union

Then:

EU DIRECTIVE FOR ELECTRONIC SIGNATURES (1999/93/EC) III

ELECTRONIC WRITING – CURRENT DEVELOPMENTS

Digital Agenda for Europe COM(2010) 245 recommended a revision of the Electronic Signature Directive and legal measures to ensure mutual recognition of e-Identification (e-ID) and e-Authentication as an objective

The Single Market Act identified the need for a Digital Single Market and the need for legislation to guarantee mutual recognition of electronic identification and authentication across the EU

On 4 June 2012, the European Commission adopted a proposal for a new Regulation “on electronic identification and trust services for electronic transactions in the internal market” (the “e-ID and e-Signature Regulation”)

On 23 July 2014, Regulation 910/2014 (“eIDAS”) was passed!

REGULATION 910/2014 (“EIDAS”)

eIDAS will:

Repeal the Electronic Signature Directive (1999/93/EC)

Introduce “electronic identification” and “electronic identification schemes” so that there is a consistent basis for identifying individuals, allowing access to public services in other Member States

Introduce the concept of “trust services” and “trust service providers” who will be used to create, verify, validate and support electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic delivery services, website authentication and electronic certificates. There will be a new internal market for these services.

Re-introduce “electronic signatures” and “advanced electronic signatures”

Introduce “electronic seals” which are used to authenticate the origin and integrity of particular data

Introduce “electronic time stamps” which are used to authenticate the time and integrity of particular data

Introduce “electronic documents” which are to be equivalent to paper documents and “electronic delivery services” to assure the delivery of data.

REGULATION 910/2014 (“EIDAS”) II

However,

eIDAS will not harmonise the position as to existing forms of electronic signature

eIDAS does not affect national or Union law related to the conclusion and validity of contracts or other legal or procedural obligations relating to form

A qualified electronic signature shall have the equivalent legal effect of a handwritten signature

But … it is for national law to define the legal effect of electronic signatures unless they are qualified electronic signatures

ELECTRONIC SIGNATURES – ENGLISH LAW

Ashley|

APW|

X|

WHAT NEW LAWS AND DEVELOPMENTS ARE ON THE HORIZON?

NEW LAWS AND DEVELOPMENTS ON THE HORIZON

The text of the General Data Protection Regulation (‘GDPR’) has finally been formally adopted (14 April 2016). It will come into force on 25 May 2018.

The e-Privacy Directive (2002/58/EC), which regulates, amongst other things, the use of cookies on websites and consent for the use of location data on smartphones, will be reviewed.

The Network and Information Security Directive ((EU) 2016/1148) introduces an information security obligation and a data breach notification obligation on certain market operators.

The Payment Services Directive 2 (2013/0264(COD)) will introduce security obligations, data breach obligations and data access obligations in relation to payment services

The Trade Secret Directive ((EU) 2016/943) will standardise national laws against the unlawful acquisition, disclosure and use of trade secrets

The EU Charter of Fundamental Rights has gained prominence since the ECJ “Schrems” case

EU – U.S. Privacy Shield – has replaced the Safe Harbour but it is under review by the Article 29 Working Party and under challenge in the Courts

Brexit will take the UK out of the EU in 2019 and the GDPR will be replaced by a UK version pursuant to the Great Repeal Bill.

GENERAL DATA PROTECTION REGULATION

Expanded scope

Changes to the way you engage with individuals
- Transparency (Privacy Notices) and Consents
- Additional Rights: Data portability, objections to ‘profiling’, ‘right to be forgotten’, the right to restrict processing

Changes to the way you run your business
- Data Protection Governance
- Accountability and record keeping
- New rules for controllers and processors, and the impact on Supply and Customer agreements
- Security Requirements and Breach Notification

Enhanced sanctions and litigation risk
- The level of fines will be increased to a maximum of 4% of worldwide turnover or 20,000,000 EUR, whichever is greater
- Much greater chance of litigation including quasi class actions

HOW WILL CURRENT AND NEW LAW COPE WITH NEW TECHNOLOGICAL DEVELOPMENTS?

Strong Authentication

Breach Notification for financial services

Artificial Intelligence

Bitcoin/Blockchain

STRONG AUTHENTICATION

January 2013: SecurePay Recommendations on the security of internet payments (effective 1 February 2015) http://www.ecb.europa.eu/press/pr/date/2013/html/pr130131_1.en.html

December 2014: EBA Final guidelines on the security of internet payments (effective 1 August 2015) http://www.eba.europa.eu/regulation-and-policy/consumer-protection-and-financial-innovation/guidelines-on-the-security-of-internet-payments
Compliance table: http://www.eba.europa.eu/documents/10180/934179/EBA-GL-2014-12+Compliance+Table-GL+security+of+internet+payments.pdf/34be3c3e-5521-4036-9805-3ee97162c4db

February 2017: EBA Final Report on Draft RTS on Strong Customer Authentication and common and secure communication under Article 98 of Directive 2015/2366 (PSD2) (effective November 2018 or later) https://www.eba.europa.eu/regulation-and-policy/payment-services-and-electronic-money/regulatory-technical-standards-on-strong-customer-authentication-and-secure-communication-under-psd2

STRONG CUSTOMER AUTHENTICATION II

Strong customer authentication (article 4(3)): a procedure based on the use of two or more of the following elements, categorised as knowledge, ownership and inherence:
- something only the user knows, e.g. static password, code, personal identification number
- something only the user possesses, e.g. token, smart card, mobile phone
- something the user is, e.g. biometric characteristic, such as a fingerprint

Elements selected must be mutually independent, so that breach of one does not compromise the other(s). The strong authentication procedure should be designed in such a way as to protect the confidentiality of the authentication data.

Has this been implemented in a technology neutral way?

STRONG CUSTOMER AUTHENTICATION III

The Authentication Code generated by the two elements:
- Can only be used once
- Is one way (i.e. the underlying elements cannot be determined)
- Cannot be used to generate a further authentication code
- Cannot be forged

For remote access:
- You cannot tell the user which element is wrong
- You must block after 5 or fewer attempts
- Sessions must time out after 5 minutes or less

Dynamic Linking:
- The payer must be aware of the amount
- The Authentication Code must be specific to the amount and the payee
- The amount and the payee must not be determinable from the authentication process

Personalised Security Credentials:
- Must be protected at all stages
- Must be masked when input by users
- Must be associated with the payment service user in a secure manner
- Must be delivered securely, and authentication software or devices must be activated securely, using SCA if via the internet

For smartphones or other multi-purpose devices:
- Separate secure execution environments must be used
- Mechanisms must be in place to mitigate the effect of the device being rooted
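The authentication-code properties and remote-access limits listed above can be read as a small verifier. The following Go program is an added example, not part of the deck or of any EBA text: it derives the code by HMAC-SHA256 over the knowledge element (a PIN), the possession element (a device secret used as the HMAC key), a per-session nonce and the payee and amount, so the code is one-way, single-use and dynamically linked to the transaction; the verifying side returns the same generic error whichever element is wrong, locks the session after 5 failed attempts and expires it after 5 minutes. The type and function names, the 16-hex-digit code length, the PIN and device secret, and the injectable clock are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Limits taken from the RTS summary above: block after 5 attempts,
// sessions time out after 5 minutes.
const (
	maxAttempts    = 5
	sessionTimeout = 5 * time.Minute
)

// Transaction holds what the payer was shown. Amount is kept as a string so a
// formatting difference ("120.00" vs "120.0") changes the code instead of
// silently comparing equal.
type Transaction struct {
	Payee  string
	Amount string
}

// Session tracks one remote authentication attempt set.
type Session struct {
	Nonce    string
	Started  time.Time
	Attempts int
	Locked   bool
}

// Errors are deliberately generic: the caller is never told which element was wrong.
var (
	ErrAuthFailed     = errors.New("authentication failed")
	ErrSessionLocked  = errors.New("too many failed attempts")
	ErrSessionExpired = errors.New("session expired")
	ErrNoSession      = errors.New("unknown session")
)

// Authenticator is the verifying side (the payment service provider).
// deviceKey models the possession element (a secret provisioned to the
// user's device) and pin the knowledge element; both are constructed values.
type Authenticator struct {
	deviceKey []byte
	pin       string
	used      map[string]bool     // authentication codes already consumed
	sessions  map[string]*Session // keyed by session id
	now       func() time.Time    // injectable clock
}

func NewAuthenticator(deviceKey []byte, pin string, now func() time.Time) *Authenticator {
	return &Authenticator{deviceKey: deviceKey, pin: pin,
		used: map[string]bool{}, sessions: map[string]*Session{}, now: now}
}

// StartSession creates a session with a fresh random nonce and returns the nonce.
func (a *Authenticator) StartSession(id string) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	nonce := hex.EncodeToString(raw)
	a.sessions[id] = &Session{Nonce: nonce, Started: a.now()}
	return nonce, nil
}

// AuthCode is what the user's device computes: an HMAC over the knowledge
// element, the session nonce and the transaction, keyed by the possession
// element. HMAC-SHA256 is one-way, so the PIN and key cannot be recovered
// from the code, and including payee and amount gives dynamic linking.
func AuthCode(deviceKey []byte, pin, nonce string, tx Transaction) string {
	mac := hmac.New(sha256.New, deviceKey)
	for _, field := range []string{pin, nonce, tx.Payee, tx.Amount} {
		// Length-prefix each field so moving a boundary between fields
		// cannot yield the same MAC input.
		fmt.Fprintf(mac, "%d:%s;", len(field), field)
	}
	return hex.EncodeToString(mac.Sum(nil))[:16] // 64-bit code shown to the user (constructed choice)
}

// Verify checks a submitted code against the transaction the PSP is about to execute.
func (a *Authenticator) Verify(sessionID string, tx Transaction, code string) error {
	s, ok := a.sessions[sessionID]
	if !ok {
		return ErrNoSession
	}
	if s.Locked {
		return ErrSessionLocked
	}
	if a.now().Sub(s.Started) > sessionTimeout {
		delete(a.sessions, sessionID)
		return ErrSessionExpired
	}
	expected := AuthCode(a.deviceKey, a.pin, s.Nonce, tx)
	// Single use: a replay of a consumed code fails exactly like a wrong code.
	if a.used[expected] || !hmac.Equal([]byte(expected), []byte(code)) {
		s.Attempts++
		if s.Attempts >= maxAttempts {
			s.Locked = true
		}
		return ErrAuthFailed
	}
	a.used[expected] = true
	return nil
}

func main() {
	key := []byte("constructed-device-secret")
	a := NewAuthenticator(key, "1234", time.Now)
	tx := Transaction{Payee: "EXAMPLE-PAYEE", Amount: "120.00 EUR"}
	nonce, _ := a.StartSession("s1")
	code := AuthCode(key, "1234", nonce, tx) // computed on the user's device
	fmt.Println("correct code:", a.Verify("s1", tx, code))
	fmt.Println("replayed code:", a.Verify("s1", tx, code))
}
```

Two details matter for the "cannot tell the user which element is wrong" requirement: every failure path inside Verify returns the same ErrAuthFailed, and the comparison uses hmac.Equal so that response time does not leak how many leading characters matched. The used-code set also shows why "can only be used once" needs server-side state: the code itself carries nothing that marks it as spent.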

BREACH NOTIFICATION FOR FINANCIAL SERVICES

Data Protection / Information Security Regulation

GDPR
• Proposed requirement to notify the regulatory authority within 72 hours of breach, and affected individuals without undue delay.
• Processors to notify controllers.
• No need to notify DPA where unlikely to result in a risk to the rights and freedoms of natural persons.
• Need to notify individuals where breach is likely to result in high risk to rights and freedoms …

NIS
• Providers must notify without undue delay their competent authority of any incidents having a significant impact on the security of essential services they provide.

Financial Services Regulation

Markets in Financial Instruments Directive 2014/65/EU (“MiFID II”)
• Implemented in national legislation: Broad notification requirements in respect of failure of systems and procedures.

PSD 2
• A PSP is required to notify regulators of a major operational security incident.
• A PSP is also required to notify a user if the incident has or may have an impact on that user’s financial interests.

BREACH NOTIFICATION FOR FINANCIAL SERVICES II

“In the case of a major operational or security incident, PSPs shall, without undue delay, notify the competent authority. Where the incident has or may have an impact on the financial interests of its payment service users, the payment service provider shall, without undue delay, inform its payment service users of the incident and of all measures that they can take to mitigate the adverse effects of the incident.” (article 96)

December 2016: EBA Consultation on draft Guidelines on major incidents reporting under the PSD 2 (effective 14 January 2018) https://www.eba.europa.eu/regulation-and-policy/payment-services-and-electronic-money/guidelines-on-major-incidents-reporting-under-psd2

“A singular event or a series of linked events which have or may have a material adverse impact on the integrity, availability, confidentiality, authenticity and/or continuity of payment-related services.” (RTS article 13)

Initial notification to the Competent Authority – within 2 hours of initial detection or on categorisation as a major incident

Reports to be updated at least every 3 business days

Final report, with a full root cause analysis, within 2 weeks of the business being back to normal

ARTIFICIAL INTELLIGENCE

Intellectual Property: The Copyright, Designs and Patents Act 1988 already provides for the copyright in computer generated works - the author of that work will be the person that commissions the work.

Liability and Insurance: The Vehicle Technology and Aviation Bill 2017 provides that car insurance must cover the cost of self driving cars

Financial Products: The Financial Conduct Authority now has a division which will assist companies who wish to provide “robo advice” or AI assisted financial recommendations

Commercial Contracts: Lawyers are still wrestling with how to draft agreements for AI and machine learning

ARTIFICIAL INTELLIGENCE II

General Data Protection Regulation

“Every data subject should therefore have the right to know … the logic involved in any automatic personal data processing and, at least when based on profiling, the consequences of such processing.”

BITCOIN/BLOCKCHAIN

UK Government https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/414040/digital_currencies_response_to_call_for_information_final_changes.pdf

ESMA http://www.esma.europa.eu/system/files/2015-532_call_for_evidence_on_virtual_currency_investment.pdf

NY BitLicence http://www.dfs.ny.gov/about/press2014/pr1407171-vc.pdf

EBA https://www.eba.europa.eu/documents/10180/657547/EBA-Op-2014-08+Opinion+on+Virtual+Currencies.pdf

Parliament briefing paper www.parliament.uk/briefing-papers/POST-PN-475.pdf

HMT Consultation https://www.gov.uk/government/consultations/digital-currencies-call-for-information/digital-currencies-call-for-information

The 5th Anti Money Laundering Directive http://www.europarl.europa.eu/RegData/docs_autres_institutions/commission_europeenne/com/2016/0450/COM_COM(2016)0450_EN.pdf

The General Data Protection Regulation

BITCOIN/BLOCKCHAIN II

The effect of the 5th AMLD

Virtual currency exchange platforms as well as custodian wallet providers will now be brought within the scope of Anti Money Laundering Legislation.
- They will have to be registered
- They will need to track transactions
- They will need to do due diligence on their customers
- They will need to report suspicious transactions

The effect of the General Data Protection Regulation

The right to be forgotten?

WHAT IS THE FUTURE OF LAW, CAN TECHNOLOGY HELP?

ONLINE DISPUTE RESOLUTION

European Commission Online Dispute Resolution https://ec.europa.eu/consumers/odr/main/index.cfm?event=main.home.show&lng=EN

ONLINE DISPUTE RESOLUTION AND AI

Researchers from the University of Sheffield, the University of Pennsylvania and University College London used advances in Natural Language Processing and Machine Learning to analyse text from cases heard at the European Court of Human Rights (ECtHR) and predict the outcome of the judicial decision.

During tests, the machine learning algorithm made predictions with 79 per cent accuracy. https://peerj.com/articles/cs-93/

SMART CONTRACTS

Source: PwC http://www.pwc.com/us/en/technology-forecast/blockchain/digital-business.html

A SMART BOND

    contract SimpleBond {

        // An object to hold investor details
        object Investor() {
            string name
            address walletAddress
        }

        // The term sheet
        function Setup() {
            term = 5 years;
            coupon = 5%;
            Investors = return each Investor;
        }

        // Operative provisions
        function PayCoupon() {
            uint bal = this.balance;
            Investors.send((bal * percentageDistribution[Investor] / 100) * coupon);
        }

        function Redeem() {
            uint bal = this.balance;
            Investors.send((bal * percentageDistribution[Investor] / 100));
            terminate;
        }

        // Main loop
        on each new year {
            if year < term { PayCoupon(); } else { Redeem(); }
        }
    }

Pseudocode, but inspired by https://github.com/blockapps/bloc

AI AND REPLACING THE LAWYER ENTIRELY

Artificial Intelligence in legal research (based on IBM’s Watson) http://www.rossintelligence.com/

Artificial Intelligence in e-discovery http://www.nexlp.com/

Artificial Intelligence in GDPR compliance https://www.exonar.com/gdpr/

Artificial Intelligence to review contracts https://www.lawgeex.com/

39% of jobs (114,000) in the legal sector stand to be automated in 10 years as the profession feels the impact of more “radical changes.” https://www2.deloitte.com/uk/en/pages/audit/articles/developing-legal-talent.html

LAWYER BIO

Data Privacy and Cyber Security, London

Formerly a microelectronics engineer, Mr. Winton advises technology and IT companies, global financial institutions, large utility companies, multinational corporations and government and non-government agencies on technology, telecommunications, cyber security, intellectual property and antitrust matters with particular emphasis on European regulatory issues such as electronic money, payment systems, encryption and export control, data protection and privacy, technology transfer and e-commerce. He is a Fellow of the Ponemon Institute and the Chairman of the Data Protection Forum.

ASHLEY WINTON

[email protected] | Tel: +44 (0)20.3023.5121 | Mobile: +44 (0) 7788 676663


www.paulhastings.com ©2016 Paul Hastings (Europe) LLP
