August 2023 Newsletter
A message from Michelle Eisenberg, Managing Director & General Counsel (Private Sector)
Welcome to our August Private Sector newsletter. We hope that you managed to get some time off this summer and whether it was sunbathing on a remote beach or climbing mountains, that you returned feeling energised and refreshed. In fact, the KC model is set up in a way that allows our clients to take well-deserved time off, safely in the knowledge that our team will ensure matters don’t grind to a halt.
Exciting progress is continuing at KC. As described in the New Joiners section, we are bolstering our capabilities in the areas of corporate, commercial and privacy, where we see an increased need. We are also growing our international legal panel in the US and APAC.
In this newsletter, you will be able to learn more on data protection updates, the growing importance of Legal Ops and how to ensure your organisation is ready for an M&A or similar transaction (‘Reverse Due Diligence’). You will also find a piece on Artificial Intelligence - the critical legal considerations each business or organisation, from all sectors must consider. Even if you are not in the tech space, staff members are starting to use AI to increase their productivity. Therefore, at a minimum, it is critical that you consider implementing a policy for AI usage. Finally, the importance of addressing AI at an early stage, to future proof the business, cannot be overstated.
If you wish to learn more on any topic featured in this Newsletter, do not hesitate to contact us.
Thank you for your continued partnership.
Exciting progress is continuing at KC. As described in the New Joiners section, we are bolstering our capabilities in the areas of corporate, commercial and privacy, where we see an increased need. We are also growing our international legal panel in the US and APAC.
In this newsletter, you will be able to learn more on data protection updates, the growing importance of Legal Ops and how to ensure your organisation is ready for an M&A or similar transaction (‘Reverse Due Diligence’). You will also find a piece on Artificial Intelligence - the critical legal considerations each business or organisation, from all sectors must consider. Even if you are not in the tech space, staff members are starting to use AI to increase their productivity. Therefore, at a minimum, it is critical that you consider implementing a policy for AI usage. Finally, the importance of addressing AI at an early stage, to future proof the business, cannot be overstated.
If you wish to learn more on any topic featured in this Newsletter, do not hesitate to contact us.
Thank you for your continued partnership.
With best wishes
Michelle Eisenberg
New Joiners – in the corporate, commercial and privacy space!
In addition to the new joiners announced in our last newsletter we are thrilled to announce further expansion.
Steve Janes returned to Kennedy Cater early this Summer which is a welcome announcement particularly for those KC clients who Steve has helped in the past. Steve is an ex-magic circle partner and has extensive experience in-house including in a General Counsel role. Steve specialises in corporate/commercial, financial services and public-private projects. We are thrilled to welcome him back to the team.
In early September we are also being joined by Callum Lyons who is a privacy specialist who is extremely well-versed in building and maintaining privacy frameworks and advising on all aspects of a company’s privacy compliance journey from initial gap analysis and prioritisation through to maintaining compliance in his capacity as an outsourced Data Protection Officer (DPO).
Please check out our website here for more details on the Kennedy Cater team.
Steve Janes returned to Kennedy Cater early this Summer which is a welcome announcement particularly for those KC clients who Steve has helped in the past. Steve is an ex-magic circle partner and has extensive experience in-house including in a General Counsel role. Steve specialises in corporate/commercial, financial services and public-private projects. We are thrilled to welcome him back to the team.
In early September we are also being joined by Callum Lyons who is a privacy specialist who is extremely well-versed in building and maintaining privacy frameworks and advising on all aspects of a company’s privacy compliance journey from initial gap analysis and prioritisation through to maintaining compliance in his capacity as an outsourced Data Protection Officer (DPO).
Please check out our website here for more details on the Kennedy Cater team.
New hope for EU-US personal data transfers?
On 10th July 2023, the EU-US Data Privacy Framework (DPF) became effective, and on the same day the European Commission adopted an Adequacy Decision for it. The DPF facilitates the transfer of EU personal data to participating organisations in the US and is the successor of the ill-fated EU-US Privacy Shield which was invalidated on 16th July 2020 by the ECJ’s “Schrems II” ruling.
So, what does this mean?
Eligible organisations in the US can self-certify (and publicly commit to) compliance with the DPF principles, that commitment is then enforceable under US law. Not all organisations in the US are eligible to self-certify, but the criteria for eligibility are expected to be expanded. A list of the participating organisations can be found here: Participant Search (dataprivacyframework.gov).
If you are transferring EU personal data to an organisation participating in the DPF then, technically, there is no longer a need for Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).
This decision does not impact transfers of personal data from the UK to the US, however the US and UK agreed in June 2023 to establish a “data bridge” for the UK extension to the EU-US DPF and so this is expected imminently.
Organisations should proceed with caution however as Max Schrems has already announced that he will make a legal challenge in respect of the new DPF, so we could already be on our way to Schrems III! The advice, at least for now, is to continue to consider other transfer mechanisms such as the SCCs in conjunction with Transfer Impact Assessments (TIAs) while we see how this plays out, or otherwise build in a layered approach with other appropriate transfer mechanisms automatically applying in the event of future invalidation.
So, what does this mean?
Eligible organisations in the US can self-certify (and publicly commit to) compliance with the DPF principles, that commitment is then enforceable under US law. Not all organisations in the US are eligible to self-certify, but the criteria for eligibility are expected to be expanded. A list of the participating organisations can be found here: Participant Search (dataprivacyframework.gov).
If you are transferring EU personal data to an organisation participating in the DPF then, technically, there is no longer a need for Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).
This decision does not impact transfers of personal data from the UK to the US, however the US and UK agreed in June 2023 to establish a “data bridge” for the UK extension to the EU-US DPF and so this is expected imminently.
Organisations should proceed with caution however as Max Schrems has already announced that he will make a legal challenge in respect of the new DPF, so we could already be on our way to Schrems III! The advice, at least for now, is to continue to consider other transfer mechanisms such as the SCCs in conjunction with Transfer Impact Assessments (TIAs) while we see how this plays out, or otherwise build in a layered approach with other appropriate transfer mechanisms automatically applying in the event of future invalidation.
What are the key legal considerations for introducing AI into my business?
The unprecedented advances in AI tech such as machine learning and generative AI and their impact on driving business benefits are pushing AI to the top of the agenda. Companies around the world do not want to be the last to adopt and be overtaken by their competitors, but equally, are wary about the risks, particularly in a regulatory landscape which is in a state of flux.
There are many considerations before taking a decision to implement AI into your business, but whether you are considering using AI for productivity purposes or embedding it in your customer facing solutions/deliverables, there are important factors to consider and these are some of the key ones from a legal perspective:
There are many considerations before taking a decision to implement AI into your business, but whether you are considering using AI for productivity purposes or embedding it in your customer facing solutions/deliverables, there are important factors to consider and these are some of the key ones from a legal perspective:
1) DATA, DATA, DATA: AI is computer software which simulates human intelligence, typically useful to analyse huge data sets to establish patterns and reach conclusions/predict outcomes. It is vital you understand the data sets the AI will be utilising, that they are high-quality and that you have the legal right to use them for your intended purpose.
a. Privacy: It is highly likely that personal data will be involved in the data sets used. If so, you should consider:
i. Are you a Data Controller or a Data Processor? With AI it is not always immediately obvious as AI vendors may well be directing the processing activities rather than simply acting on the controllers’ instructions.
ii. Data Mapping. You need to understand what data is involved, how was it collected, from whom, from where, for what purpose, who has access to it and are any cross-border transfers involved? Even if the data is being provided by a 3rd party vendor, a data controller is responsible for, and must be able to demonstrate compliance with applicable privacy laws. Are you confident you have a clear grasp of this, if not it is time to investigate!
iii. Data Protection Impact Assessment? If you are acting as a data controller, then it is highly likely that you will need to assess the impact of the envisaged processing operations on the protection of personal data before implementing AI (a DPIA). If you are a processor, then you will have an obligation to assist the controller in their obligation to perform such DPIA.
iv. Privacy by Design. A data controller is required to protect personal data by default, effectively structuring their systems/services to meet the concept of data minimisation. The vendor who can show privacy by design by embedding the best possible data privacy settings and organisational measures such as pseudonymisation and anonymisation in their AI tools will help their customers meet their privacy obligations and retain a huge competitive advantage!
b. Security: Given the enormous quantities of data being processed, which is often sensitive or confidential, AI systems are likely to be targeted for cyber-attacks. Similarly, collecting such data sets may involve data sharing between parties which also opens possibilities for security breaches and unauthorised access. Accordingly, a full review into security practices (internally and with any proposed vendor/partner) must be extremely high on the agenda.
c. Ethical Considerations: Poor data sets can lead to inaccurate and biased results which may potentially lead to claims of discrimination. Be aware of the impact AI generated decisions can have on individuals, from short-listing applicants for job vacancies through to calculating insurance premiums or credit scoring. The black-box nature of AI may make it difficult to understand how or why certain decisions or outcomes are made which makes challenging the decision tricky. Consider building in processes for systematic monitoring and review.
2) IP ownership of AI generated content: Careful consideration needs to be had regarding ownership of any AI generated content. Many of the intellectual property laws around the world give ownership to the “author” but in the case of AI it is not always clear who the author is and, in some cases, there is a requirement for the author to be an individual. It is critical you therefore consider and clearly define IP ownership in your contracts with vendors and customers.
3) Regulatory compliance: The regulatory landscape is running to catch up with the technology and different countries are taking, in some cases, wildly different approaches, with some countries actually banning the use of AI tools such as ChatGPT for privacy concerns (as was the case in Italy) or through fears the US will use it to spread misinformation (as was the reported reason for the ban in countries like Russia and China). You should consider where you plan to implement AI and take appropriate and regular advice to ensure that implementation is compliant with all applicable laws and regulations in your industry and region. Like with GDPR, AI regimes are likely to have extra-territorial effect and this advice therefore needs to be aligned with your strategies such as go-to-market plans.
4) Commercial Transactions: The presence of AI in software or services raises some unique contractual questions, notably around those provisions used to allocate risk, for example limitation of liability and warranties as well as privacy, security, and IP ownership. Your teams responsible for drafting and commercial negotiations, including legal, need to be well-versed in these topics to ensure that the contractual nuances AI bring to the table are appropriately dealt with.
Developments in AI has been described as representative of the fourth industrial revolution, it is here to stay, it just needs to be carefully considered and thoughtfully introduced.
Even if you are not actively looking to implement AI in your business at a corporate level, we would always recommend the introduction of an AI usage policy, because you can guarantee at some point (if not already) your staff will be using popular tools like ChatGPT, Bart and Mid-journey to aid with their duties and that usage could well bring unexpected risk to your organisation.
If you would like assistance in any of the areas discussed here, please reach out to your usual contact at Kennedy Cater.
Even if you are not actively looking to implement AI in your business at a corporate level, we would always recommend the introduction of an AI usage policy, because you can guarantee at some point (if not already) your staff will be using popular tools like ChatGPT, Bart and Mid-journey to aid with their duties and that usage could well bring unexpected risk to your organisation.
If you would like assistance in any of the areas discussed here, please reach out to your usual contact at Kennedy Cater.
Reverse Due Diligence
A purchaser to an acquisition will typically perform appropriate due diligence on the target company in order to assess its value and worth and to identify any areas of risk which can be mitigated or result in reduced price. The diligence required will depend on the target market but will be at the very least financial, operational and regulatory.
Reverse due diligence (also called vendor/seller/sell-side due diligence) is when a company performs due diligence on itself to assess the company's readiness for sale before being presented to prospective buyers. This 'self' due diligence is usually performed by a third party on behalf of the company with the required data being provided by the company’s management.
Reverse due diligence can also refer to when a seller performs an analysis of a potential buyer to assess their ability to close the transaction and if they are suitable partners/investors/buyers. Just as potential buyers conduct careful evaluations of a selling firm and a target company's operations, selling firms also initiate due diligence for potential buyers and offers.
In both cases, such due diligence can speed up the transaction as vulnerabilities can be identified earlier rather than later and corrected or mitigated accordingly.
Insofar as timing is concerned, due diligence always takes longer than anticipated. It is advisable to allow 2 to 3 months to perform vendor due diligence prior to receiving interested bidders. A good vendor due diligence file or data room helps preserve or improve negotiations around your sale price. Additionally, it will inevitably improve your business’s governance and will lead to increased efficiency.
Most businesses find that the cost of sound vendor due diligence actually pays for itself.
We at Kennedy Cater have expansive experience of business sales and have performed all types of due diligence on numerous occasions, helping our clients maximise their financial returns.
If you would like to discuss the benefits of performing reverse due diligence for your organisation please do not hesitate to contact us.
Reverse due diligence (also called vendor/seller/sell-side due diligence) is when a company performs due diligence on itself to assess the company's readiness for sale before being presented to prospective buyers. This 'self' due diligence is usually performed by a third party on behalf of the company with the required data being provided by the company’s management.
Reverse due diligence can also refer to when a seller performs an analysis of a potential buyer to assess their ability to close the transaction and if they are suitable partners/investors/buyers. Just as potential buyers conduct careful evaluations of a selling firm and a target company's operations, selling firms also initiate due diligence for potential buyers and offers.
In both cases, such due diligence can speed up the transaction as vulnerabilities can be identified earlier rather than later and corrected or mitigated accordingly.
Insofar as timing is concerned, due diligence always takes longer than anticipated. It is advisable to allow 2 to 3 months to perform vendor due diligence prior to receiving interested bidders. A good vendor due diligence file or data room helps preserve or improve negotiations around your sale price. Additionally, it will inevitably improve your business’s governance and will lead to increased efficiency.
Most businesses find that the cost of sound vendor due diligence actually pays for itself.
We at Kennedy Cater have expansive experience of business sales and have performed all types of due diligence on numerous occasions, helping our clients maximise their financial returns.
If you would like to discuss the benefits of performing reverse due diligence for your organisation please do not hesitate to contact us.
Understanding GDPR Fines - Key Take Aways
Navigating the complex terrain of the General Data Protection Regulation (GDPR) can be daunting, but it's crucial for businesses to stay compliant to avoid heavy penalties. The European Data Protection Board (EDPB) shed more light on this area by finalising its guidelines for calculating administrative fines. Aimed at bringing consistency to GDPR fines imposed across the EU, these guidelines were adopted in May 2023, after a public consultation, and set out how supervisory authorities should calculate fines. Here's what you should be aware of:
Fines are More Than Just Numbers: The EDPB has outlined a five-step methodology for calculating fines:
1. Identification: Distinguish processing operations and evaluate application of Art. 83 (3) GDPR, assessing singular or multiple sanctionable conducts.
2. Starting Point: Calculate fines by considering:
3. Aggravating/Mitigating Factors: Consider actions taken to lessen damage, the entity's responsibility, cooperation level and any previous infringements are taken into account.
4. Legal Maximums: Identify caps for fines, focusing on "dynamic maximum" amounts (2% or 4% of annual turnover).
5. Assessment: Ensure fines are effective, dissuasive, and proportionate. External factors, like economic conditions, can influence adjustments as well.
Data Sensitivity Matters: The type of data breached plays a significant role in determining fines. For instance, data that requires special protection under the GDPR, such as health or biometric data, can attract heftier penalties.
Proactiveness Helps: The manner in which an infringement is reported to the supervisory authority can influence the value of the fine. If your organisation discovers a breach and proactively reports it, before it becomes public or is discovered by authorities, it might act in your favour, potentially reducing the penalty.
Size Doesn't Always Matter: Both small businesses and large corporations must adhere to the GDPR. While turnover is a factor in determining fines, even public entities like municipalities are not exempt. Moreover, the way "turnover" is defined and interpreted can have significant implications for potential fines.
Earlier this year, Meta (Ireland) faced a record fine of €1.2 billion following a significant inquiry into Facebook's data practices. This monumental penalty stems from the systematic, repetitive and ongoing nature of its unauthorised data transfers to the US (based on the invalidated US/EU Privacy Shield Framework), coupled with the vast number of European Facebook users affected, since July 2020. The EDPB proposed that the fine should be between 20% and 100% of the applicable legal maximum. This approach highlights the board's intent to hold companies accountable for large-scale data breaches.
With the largest 10 GPRR fines imposed by supervisory authorities in the EU to date totalling over €3.49 billion*, it’s about time that the EU agreed a harmonised approach to calculating fines.
* Meta (Facebook) - €1.2 billion (2023), Amazon - €746 million (2021), Meta (Instagram) - €405 million (2022), Meta (Facebook and Instagram) - €390 million (2023), Meta (Facebook) - €265 million (2022), Meta (WhatsApp) - €225 million (2021), Google LLC - €90 million (2021), Google Ireland - €60 million (2021), Meta (Facebook) - €60 million (2021), Google - €50 million (2019).
The importance of Legal Ops in your organisation
Legal Ops takes a data driven approach to legal management which is designed to enhance the efficiency, effectiveness and overall performance of the legal function whilst, of course, aligning to the business strategy and priorities. Legal are consistently asked to “do more with less” which is why Legal Ops are becoming increasingly critical and the below is just a snapshot of some of their key priorities:
Kennedy Cater has its roots in legal spend management and our partnership with Lawcadia, an Australian-based technology company, to create the Kennedy Cater Spend Management Platform puts us in a unique position to be able to help guide our clients through a number of the areas listed above. If you want to find out more, please contact us.
Stock pictures supplied by Freepik