Law and Information

My colleague Daniel Haeusermann and I just released a new paper entitled “E-Compliance: Towards a Roadmap for Effective Risk Management.” In the article, which is largely based on consulting work we’ve been doing, we argue that the widespread use of digital communication technology on the part of business organizations leads to new types of challenges when it comes to the management of risks at the intersection of law, technology, and the marketplace. In order to effectively manage these challenges and associated risks in diverse areas such as security, privacy, consumer protection, IP, and content governance, we call for an integrated and comprehensive compliance concept in response to the structural and substantive peculiarities of the digital environment in which corporations – both in and outside the dot-com industry – operate today. See also this post. The conclusion section of the paper reads as follows:

Through significant efforts, the legal system has adjusted to the changes in the information and communications technology of daily corporate life—changes at the intersection of the market, technology, and law. Organizations must make adjustments on their part as well in order to deal with the consequences resulting from these changes in the legal system. The observation that led to this essay was that these adjustments represent a greater challenge than the already decreasing entropy surrounding concepts such as “e-commerce law” or “cyberlaw” would suggest. Our initial foray into the concept, characteristics, responsibilities and organizational guiding principles of e-Compliance confirms this observation.

E-Compliance, as discussed in this article, is confronted with the phenomenon of a close interconnection between law and technology, a prominent dynamization of the law, massive internationalization of issues and legal problems, as well as a strong increase in the significance of soft law. These characteristics, which in part may also apply to traditional areas of compliance such as financial market regulation, call in their interplay for the further development of compliance concepts as well as adaptation of the affected aspects of corporate organization. Due to the increasing amalgamation of corporate organizational nexus and ICT, the symbiotic relations between traditional compliance and e-Compliance will be increasingly amplified. The view that e-Compliance represents merely a single risk area among the many of compliance is therefore outdated in our opinion. E-Compliance is actually a multidimensional and multidisciplinary task, although there are certainly areas of law that are particularly affected by digitization (or also which particularly impact digitization) and therefore are of particular importance for the field of e-Compliance.

Thus, in conclusion, the authors do not posit a special “e-Sphere” within or without existing compliance departments. Rather, we argue for an integrated and comprehensive compliance concept that appropriately makes allowance for the structural and substantive peculiarities of e-Compliance as outlined in this essay and stays abreast with the pace of digitization.

Please contact Daniel or me if you have comments.

Earlier today, I attended a conference organized by Oliver Arter and Florian S. Joerg on Internet and e-Commerce Law in Zurich. I was invited to speak about e-Compliance in general and the implications of e-Business on compliance and corporate organization in particular. E-Compliance can be understood as a set of institutional arrangements and processes aimed at managing the legal and regulatory risks resulting from the transition from an offline/analog to an online/digital corporate information environment. My colleague Daniel Haeusermann and I have come up with the following theses – intended as discussion points and “food for thought.”

The main thesis is that e-Compliance, in important regards, is qualitatively distinct from traditional compliance. We argue that four trends support this key thesis.

Law and digital technology are closely intertwined. The compliance-relevant interactions are hereby bi-directional. Digital technology leads to legal problems that have not emerged in the paper world. Consider, for example, the use of email in a corporation as a partial replacement of oral communications and the set of legal problems associated with email usage and storage (ranging from data privacy/monitoring issues to e-Discovery exposure.) However, digital technology can also help to ensure a company’s compliance with the law. Software that can be used to enforce a “litigation hold” might be a good example in this context. At the organizational level, the suggested interplay between law and technology calls for a close collaboration between lawyers and IT-staff.

E-Compliance is risk management in a quicksilver environment and under conditions of legal uncertainty. The speed of ICT innovation has put the legal system under enormous pressure. The legal system’s answer, essentially, is either the application of existing rules (“old law”) to the new phenomena, or legal innovation (e.g. by formulating new rules or introducing new doctrines.) Typically, both processes create uncertainty, because the legal system is forced to synchronize its relatively slow adaptation processes with the speed of technological change. A nice illustration of the increased pace of change in law that creates uncertainty are legal regimes that govern online intermediaries such as access providers, search engines, and hosting providers. Up to the year 2000 legislators around the world have enacted laws (such as the CDA or the E-Commerce Directive) to limit the liability of online intermediaries, or to “immunize” them entirely. Only few years later we now face a global trend towards stronger regulation of online intermediaries, including a reconsideration of the respective liability regimes. From an organizational perspective, this increased speed of change requires that companies in the IT-business (this includes, e.g., banks) establish “early warning systems” – for example in collaboration with academic partners – aimed at tracking trends and developments at the intersection of law, ICT, and markets.

Digitization in tandem with the emergence of electronic communication networks has internationalized (old and new) legal problems in an unprecedented way. The first driver of internationalization of e-Compliance is straightforward: it’s the global medium “Internet” itself. The second source is related to the first one, but less obvious: In our view, the digitally networked environment creates a notion of proximity that leads to an increased relevance of foreign national law for corporations being incorporated and/or operating in another jurisdiction. Good examples are cross-border e-Discoveries, where U.S. plaintiffs seek to use American procedure and evidence laws to access information stored in different jurisdictions, e.g. in Europe, usually without following the procedures set forth in respective international treaties such as the Hague Convention on Evidence. It follows from this trend that it is a necessity for successful e-Compliance to apply a global perspective. In the case of multinational enterprises this requires, for instance, that the legal and compliance departments of the entities located in different countries collaborate closely on e-Compliance issues.

The rapid evolution of digital technologies on the one hand and the increased legal uncertainty with regard to the interpretation of old and new laws on the other hand further increase the relevance of industry self-regulation, for instance in form of codes of conducts or best practice models. Again, the regulation of online intermediaries is illustrative for this trend. In Germany, for example, content regulation of online intermediaries such as search engines is largely based upon a self-regulatory approach. In the light of this development, sustainable e-Compliance increasingly includes involvement in standard-setting bodies and industry best practice-groups – both as an expression of “good corporate citizenship” and based on the acknowledgment that “soft law”, in turn, can improve a company’s e-Compliance with the increasingly complex network of legal, quasi-legal, pre-legal and ethical obligations.

Some weeks ago, the Berkman Center and the Research Center for Information Law at the Univ. of St. Gallen organized an off-the-record workshop in partnership with Credit Suisse Group on the “Law & Technology of Digital Information Management: Promises, Challenges, and Perspectives.” Professor Charles Nesson was among our most distinguished participants and commented on hot topics such as eDiscovery and corporate privacy. The following write-up is the draft of the chairmen’s public summary of the workshop. As always, I’m interested in your feedback.

“This report expands on some of the themes explored in an interdisciplinary expert workshop on the Law and Technology of Digital Information Management that was organized by the Research Center for Information Law at the University of St. Gallen in collaboration with the Credit Suisse Group (CSG), Zurich, and was aimed at discussing the organizational, technological, and legal problems associated with the transition from analog/offline to digital/online information management systems in the corporate world. The following text includes some of the key findings of the workshop, but is not intended as a verbatim summary. Instead, it offers a personal memoir of the chairmen of the workshop, Urs Gasser (University of St. Gallen) and Domino Burki (Credit Suisse Group).

The private sector’s transition from the “paper world” to a digitally networked information environment has been accompanied by a number of complex challenges at the intersection of technology, business practices, and the law. These challenges take place at different management levels. At the level of strategic management, for instance, corporations face the challenge of designing coherent records management and data retention polices—as important building blocks of the corporate governance system—vis-�-vis heterogeneous legal requirements, while maintaining efficient commercial operations in data storage. In this context, the workshop participants explored some of the key issues that need to be addressed in document retention policies, such as their interaction with other policies (e.g. data protection policies, web and email policies) as well as substantive issues like ownership of data, responsibility, and security. Focusing on the particularly sensitive issues to be decided at the level of strategic management, the participants put emphasis on two areas.
The first aspect concerns the allocation of control over data within an internationally operating corporation. Most participants agreed with the analysis that custody of data—as opposed to the place of data storage or the physical location of the servers—is increasingly the decisive factor in cases where stakeholders (e.g. law enforcement authorities; plaintiffs) seek access to information stored in corporate information systems. According to U.S. discovery rules, for instance, custody of data is the essential criterion for obtaining access to data, while the place of data storage and the physical location of the server, respectively, have become almost irrelevant. Against this backdrop, the management may be well advised to consider decentralized information management systems, where data is stored in closed, geographically segmented electronic networks.
The second area of concern discussed at the workshop relates to what one might call the ecology of the corporate information system, i.e., the tension between data retention versus data destruction. On the one hand, laws and regulations require that data processing, including data retention and archiving activities, must not be excessive and therefore require the destruction of dispensable data. On the other hand, destruction bans or litigation holds, usually relatively vague in their scope, force multinational companies to retain such data. An analogous tension between retention and destruction interests also exists with regard to data as potential evidence: On the one side, companies may have an interest in extended data preservation in order to provide evidence in court proceedings—destruction of data, in fact, could even be considered a frustration of evidence—while extensive data retention practices on the other side may motivate extended inquires by third parties or law enforcement authorities.
Although clear-cut safe harbor rules for cases in which data has been destroyed in accordance with a company’s internal data retention policy have not yet been enacted (but are considered in at least some jurisdictions, including the U.S.), the workshop participants agreed on the importance and promise of a systematic, “best practice”-oriented approach to records retention and destruction. A key element of such a systematic approach is software that enables deletion of data and metadata, but allows tracking the responsibility for the decision to delete data.

A corporate policy aimed at structuring the transition from an analog to a digital corporate information environment and regulating digital data management practices, as any other policy, needs to be implemented. The implementation of the data policy decisions taken at the strategic level requires important decisions at the level of operative management where technological, organizational, behavioral and financial elements interact. The workshop participants explored several areas that deserve special attention by the operative management. One of the key challenges is providing and coordinating the necessary resources to keep pace with the exponential growth of corporate information and to appropriately manage digital records throughout their life-cycle. A second challenge relates to the development and application of intra-organizational enforcement tools and practices aimed at enforcing records management policies and procedures across the enterprise. It has also become clear that it is increasingly important to master the interactions between human decisions and the technology of information management. From a technological viewpoint, for instance, it is possible (as mentioned above) to implement software that is able to retrieve all documents subject to a destruction ban, to mark them and thus to exclude them from destruction. From a behavioral perspective, however, one has to manage the phenomenon that not all documents are labeled correctly (e.g. typos, indexing errors) and, as a consequence, that human decisions are still necessary.

At the center of the digitally networked corporate environment are nearly perfect information systems in which almost all actions are systematically recorded and stored, leading to complete data trails. As the private sector is gathering more and more data on customers, suppliers, competitors, etc., various stakeholders such as potential plaintiffs or law enforcement authorities intensify their efforts to gain access to corporate digital information systems for their respective purposes. The resulting conflict between interests in disclosure of data versus privacy interests (including, among other things, banking secrecy) has not yet been balanced by an advanced legal and regulatory framework, neither at the national nor at the international level. In fact, the possibility of global access to corporate information systems (e.g. law enforcement authorities in one country may require a subsidiary to grant access via electronic network to data “belonging” to the headquarters operating in a different country) are in sharp contrast to the heterogeneous local laws and practices regulating access to data. Against this backdrop, the workshop participants explored two specific questions in greater detail.
First, practical and theoretical problems in cross-border litigation (e.g. considering the Hague Convention) were discussed by analyzing an actual example of a foreign plaintiff who sued a Swiss company before a Swiss court after gaining access to data from the US subsidiary based on a provision regarding assistance to foreign tribunals, and sought to use the so collected data in the relevant Swiss procedure.
Second, the practical significance of Art. 271 of the Swiss Penal Code (illicit acts on behalf of a foreign State) and Art. 273 Swiss Penal Code (economic espionage) is up for discussion in an environment where data hosted in Switzerland can be accessed from abroad. In fact, anecdotal evidence suggests that local authorities in foreign countries—as well as plaintiffs in civil litigation (eDiscovery)—seek to gain direct electronic access to data in cases where, under a “paper world scenario,” access would usually require compliance with well-balanced legal or administrative assistance procedures. In this area, the workshop participants identified both the need for further in-depth legal research where theory and practice work hand in hand and may lead to policy recommendations as well as a cross-industry approach aimed at raising the awareness of foreign judicial authorities as to the existence of comparatively strict privacy laws in Switzerland.

In conclusion, the workshop participants agreed that multinational corporations, regardless of the products and services they offer, are increasingly also in the IT business in the sense that the design of digital information systems becomes an important management issue that no longer can be left to the discretion of IT departments, but must be understood as an integrative element of corporate governance and strategy that requires the attention of the top management. The need for an advanced ”cyber-strategy” was particularly emphasized by Professor Charles Nesson, Harvard Law School. The workshop also made specific suggestions as to how to deal proactively with some of the key problems outlined in the previous paragraphs. At the core is the idea to organize abroad a cross-industry summit of multinational corporations headquartered in Switzerland in order to further explore—in dialogue with foreign judges, government authorities, private sector representatives, etc.—the challenges and promises of corporate digital information systems in a globalized world with its heterogeneous legal frameworks.”