Category: In-house

You load the picture from your recent gathering of friends on Facebook. Immediately, and by itself, the website defines all the persons who are in the photo: surnames, age, habits, personal life. Everything is in the social network.

On the first day of your employment you give your employer copies of all documents proving that you are a citizen of this country and this city and that you were educated somewhere and maybe even worked. And the company, in turn, transfers that data to the dozens of organs that calculate taxes, your salary, give you medical insurance, even render a visa for a journey to Europe, and so on.

Every day we hand out our private life of our own free will or within the frame of requirements of common practice. The most interesting thing in Russia is that, even if the initiative comes from your side, the party receiving the personal data (PD) is nevertheless obliged to ask for your consent prior to processing it. Employers, doctors, banks and shops, counterparties – in all these cases your data may be used only in accordance with the specific aims for which it was provided.

The consequences for breach of this rule are real, and severe. For instance, last year Russian society lost access to the two extremely popular web-resources, PornHub and LinkedIn; the latter specifically due to the site’s violation of PD legislation. 

LinkedIn was shut down in Russia following a ruling that it had violated two laws in its activity: (1) It did not obtain prior consent from users for PD collection and processing, and (2) because the processing that it did undertake was executed outside of Russia, it violated the law (the “PD Localization Law”) requiring that PD collected from Russian citizens must be collected, kept, and processed first in Russia, and only then may be transferred across borders. The PD Localization law is rather new – it was enacted in September 2015.

LinkedIn, in its defense, claimed that because the company had no representative office in Russia, Russian data protection legislation was inapplicable to it. The social network, it argued, had no “target by IP-address, location, and the Russian language switches automatically under browser settings.” 

In fact, the PD protection law does not contain specific clauses that regulate its jurisdiction by territory and persons. Usually Russian legislation is limited in application to the territory of Russia, but the Internet is boundless, and much of the information on it, here and there, is untraceable. Thus, Russian state organs have established criteria for determining whether resources are “oriented” towards the Russian Federation: 1) use of the “.ru” domain name; 2) presence of a Russian-language version of the site created by the owner; or 3) any other demonstration of interest of the site owner to Russian-speaking society and/or the Russian market (such as advertising in Russian). These criteria are mentioned on the control bodies’ websites, but are not stipulated directly by law. 

Similar criteria of “orientation” can be found in European legislation. For example, consumer law can be applied if a supplier on another market “by all means orients its activity to the consumer country” (p. 1 of Art. 6 of the Regulation No 593/2008 of the European Parliament and of the council on the law applicable to contractual obligations). 

Since 2013 Russia became a party of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data CETS No. 108. Based upon the dispositions of the Convention, the localization rules are not applicable to non-residents of the Russian Federation who are located and acting in another country. The Convention requires that PD be used within the frame of the aims for which it was collected and in accordance with the legislation of the country where the non-resident is located. The Regulation also prohibits the creation of barriers to the flow of PD among and between the countries that are parties to it. This contradicts the current version of the PD Localization Law.

Unfortunately, it is unclear whether this Convention could have assisted LinkedIn. Roskomnadzor (the Russian organ overseeing PD collection and processing) sued the US-based LinkedIn Corporation. Later LinkedIn, on the appellate stage, claimed that the LinkedIn Corporation was responsible only for the processing of US citizens’ PD and was therefore the wrong defendant, as the processing of all other PD was performed by the LinkedIn Ireland Unlimited Company, located in Dublin.

Roskomnadzor’s answer on the question regarding the conflict of provisions of the Convention and localization law was simple: The localization law is based on the Convention and there is no conflict. 

To this point, no party to any case after September 2015 has relied on the Convention. Partially this is connected with the fact that most of the biggest networks – including AliExpress, eBay, Booking.com, PayPal, Citibank, Lenovo, Samsung, and Uber – have agreed to transfer storage of PD to Russia. But not all; Twitter, Facebook, and Google have refused to do so. Roskomnadzor has announced in recent conferences that it will not check these companies this year but will return to the question next year.

This Article was originally published in Issue 4.4 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.

As it is widely known, the General Data Protection Regulation (216/679 (EU)) (GDPR) was announced on April 27, 2016 and will be applicable as of May 25, 2018. Simultaneously the 95/46 EC directive (the “Directive”) will be set aside. Although the GDPR’s main concepts and principles are much the same as those of the Directive and thus the national data protection acts, the GDPR does prescribe certain new obligations (such as the DPO, the right to data portability, etc.) and a much higher limit of fines, suggesting that privacy will be taken more seriously in the future. 

As the effective date approaches, more and more companies are having to consider how to prepare for the new regulation. There are multiple memos, lectures, and professional events designed to draw the attention of general counsels and in-house lawyers to the rules which have to be implemented within their organizations in the coming year. In order not to be lost in this jungle of information and highlights, it is important to set up your own systematic plan for how you will carry out this task. In this article I would like to give you some tips and suggestions in this regard. 

The UK Information Commissioner’s Office (ICO) summarized in 12 points the main steps that have to be taken in order to be prepared for the end of the GDPR’s lead-in period (the “Preparatory Guidelines”). The Preparatory Guidelines may be a very good starting point and may help you to think over and plan your approach to GDPR compliance. It suggests, as a first step, raising awareness within your organization to the fact that the applicable law is changing to the GDPR, and considering what this change may mean for your organization, as it is immensely important for you to enjoy the support of the top management.

Beside communicating the relevance of the GDPR within the organization, it is also essential to assess the current status of data handling across the organization. This may be done by some kind of “internal privacy audit” or “data mapping,” which includes a review of the current privacy notices, and the way interviews are held in all particular business areas (e.g., HR, recruitment, marketing, customer care, etc.). As a result of this data mapping you will gain a clear picture of what kind of personal data the company holds, where the data come from, who the company shares it with, what the legal grounds and aims of data handling are, whether the methods of data handling are truly necessary to reach those aims, and what kind of technical measures need be taken to keep the data safe.  

Once you have the results of the data mapping, the necessary measures to rectify the revealed shortcomings should be carefully designed. The good news is that if you are complying properly with the currently applicable data protection law then most of your practice will remain valid under the GDPR, as the main principles are unchanged from those in the Directive. Nevertheless, there may be certain issues or areas where some kind of fine-tuning may be needed. Irrespective of the quantity of the actual work, it is practical to divide the steps necessary to be taken into three main areas: 1. Substantive requirements, 2. Procedural requirements, and 3. Technical requirements. 

Substantive Requirements

In terms of substantive requirements the most important thing is to make sure that all data processing being carried out has an appropriate legal basis that and that the data subject is appropriately notified of all those circumstances which are relevant from a privacy point of view (i.e., the legal basis is carefully selected and identified and a privacy notice is appropriately drafted). 

Furthermore, the GDPR sets out a new obligation for the data controller if the data processing is likely to result in a high risk to the data subject. In this case the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a “Privacy Impact Assessment” or “PIA”). Among the circumstances in which the PIA shall be carried out is when the data processing entails automated individual decision-making, including profiling processes. Although the obligatory PIA is a new acquis of the GDPR, it existed beforehand as a “best practice,” which entailed and facilitated the application of the privacy by design approach. So within the substantial requirements it is highly recommended to carry out and document the PIA appropriately, in case such documentation is required. The code of practice of the ICO may serve as a great help both for identifying when a PIA is needed and finding out how to produce a PIA report. 

Procedural Requirements

Compared to the current regulation, the GDPR places greater emphasis on the administration and documentation on the data controller side to serve as evidence that the controller is complying with the accountability and transparency principles. This means that data controllers should review and improve their internal governance and data handling processes. In this regard the first thing to be arranged is the revision or implementation (as the case may be) of an internal privacy policy, to ensure that the data handling procedure is fully in compliance with the GDPR across the entire company. 

It is necessary to implement procedures which ensure that the company handles the enforcement of the individual’s fundamental rights based on the GDPR appropriately (e.g., by implementing smooth procedures for when a data subject asks for data erasure or requests information regarding the data that has been processed). These rights are the same as those that already exist under the Directive: For example, the right to have information about all data handled, the right to have inaccuracies corrected, and the rights to have personal data erased and to prevent direct marketing. However, certain rights are broadened or introduced by the GDPR, such as the right to prevent automated decision-making and profiling, the right to be forgotten, and that of data portability. This last right is closely related to the right of access, but it differs in the sense that it ensures that the personal data be transmitted in a structured, commonly-used, and machine-readable format per the request of the data subject and thus facilitates the change between different service providers. The guideline on the right to data portability issued by the Article 29 Data Protection Working Party sets forth the main factors in this regard. 

The procedural requirements also pertain to the rules applicable in the event someone intends to launch a new service, tool, or application within the organization which entails or affects personal data handling. In this case, it should be determined how the IPA will be carried out and by whom, who will be in control of the implementation of the privacy by design principle, and so on. The procedural rules also have to regulate the documentation and filing method of all privacy-related documents (such as privacy notices, consent of the data subjects, test on legitimate interest, etc.) in order to be accurately presented in case of a contingent authority investigation. Moreover, the privacy policy has to consider also the technical requirements regarding data storage, processing, and transmission, and the steps to be followed in case of a privacy incident (with special regard to the mandatory notification to be sent to the competent authority or to the injured data subjects). And with this criterion, we have arrived the last requirement that I wish to mention in my article: The technical requirements. 

Technical Requirements

The GDPR obliges data controllers and processors to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These measures include, among others, the pseudonymization and encryption of personal data, ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems and services, and the ability to restore the availability of the data in the event of a physical or technical incident. The effectiveness of these measures shall be regularly tested, reviewed, and evaluated. These requirements are primarily technical in nature and thus are mainly the responsibility of those colleagues who deal with technical issues for the company – presumably somewhere outside the legal department. However, these requirements can only be implemented and regularly reviewed with the effective assistance of the legal department and followed by the guidelines which entail the legal factors and requirements. Therefore, in this field the close cooperation of the technical and legal staffs is indispensable. 

With this short article I aimed to draw attention to the importance of setting up a plan to prepare for the GDPR and to tailor it to the specific circumstances and distinctive traits of your company, and to give some guidelines and assistance regarding the factors which should be taken into account when you are planning the milestones to lead to a fully compliant privacy practice within your organization by May 25, 2018. I wish you a very successful preparation!

This Article was originally published in Issue 4.4 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.

As personal data privacy is increasingly considered an important human right deserving protection, and with the new EU Data Protection Regulation to become enforceable in Romania as of May 25, 2018, it is becoming more and more important for corporations not only to observe the general data protection rules on commercial transactions but also to ensure full internal legal and technical compliance for all employees having access to any personal data processed internally. 

It is thus necessary for Heads of Legal Departments to dedicate extensive time towards legal reviews and assessments in order to both establish and to ensure awareness of data protection rules and policies to be observed by each department of the company as part of the company’s daily activity. 

In view of compliance with data protection legislation, a Legal Director must know all the risks associated with the specific activities of the company, including those related to the transfer of personal data outside the EU. Also, holders of top legal positions need to be involved in the company’s business strategies to be able to understand the potential risks and to issue compliance guidelines. The Legal Director’s role increasingly requires extensive expertise in general IT technical & software operations, in the technical security measures to be placed on the company’s servers & computers storing the personal data, and in drafting and enforcing policies applicable to employee access to personal data.

The Legal Director, always working jointly with his/her IT Department, must create sound legal data protection polices and ensure permanent legal supervision of the data protection rules in relation to the activities of his/her company. As such, the subjects of the personal data protection policies are not only the clients or suppliers or other collaborators of the company but also the company’s own employees. One of the most sensitive areas related to processing of personal data relates to marketing campaigns, and special attention must be paid to obtaining the consent of targeted individuals in various marketing activities, whose personal data must be protected against unauthorized or accidental access, alteration, transfer, disclosure, or loss. 

In accordance with the latest data protection regulation adopted at the EU level and automatically enforceable under Romanian law, starting in May 2018 companies which process personal data will need to appoint a Data Protection Officer in certain cases, such as in processing operations which, by their nature, scope, and/or purpose require regular and systematic monitoring of the data subjects on a large-scale basis. Because of these corporate obligations, of course, a close and permanent collaboration between the Head of Legal and the Data Protection Officer is envisaged to ensure the observance of the data privacy rules and internal regulations and for solving various potential privacy issues.

Penalties for infringement of data protection obligations have been significantly increased, with sanctions rising as high as EUR 10 million or up to 2% of total annual worldwide turnover of the data collector. For infringements of basic processing principles (such as proportionality, legitimacy, consent, etc.), the rights of the data subject (such as access, the right to be forgotten, etc.), rules of internal data transfers, or noncompliance with an order of the Data Protection Agency, the fine is EUR 20 million or up to 4% of total annual worldwide turnover.

In addition to the penalties that may be imposed by the Data Protection Agency in case of breach of data privacy, companies that do not implement safe data protection policies can also face civil claims involving significant demands for compensation from individuals whose privacy rights were not observed during companies’ commercial activities. 

In consideration of all the above, a major task of the Legal Department is ensuring the ongoing observance of data privacy regulations in all areas of a company’s activity. 

This Article was originally published in Issue 4.4 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.

In a world where technological innovation grows so fast, a need to transform banking services from the classic model in which the client’s presence is required in the bank’s premises leads us to the new form of selling of the classic bank’s products.

The basic principles for this new form should be: a) fast communication with potential clients; b) the ability to identify clients on-line; and c) the ability to conclude agreements with clients on-line. So, the final result will be digital customer acquisition and digital lending, by taking advantage of modern technology.

Knowing that legislation and court practice do not always keep pace with life in all segments, we as in-house legal counselors are challenged to establish the model for this new way of banking business.

Let’s start with the problems that we face, the targets that we want to reach, and the analysis of relevant market legislation in the Republic of Serbia.

Our targets are opening accounts on-line and on-line lending to both existing and new clients of the bank. They are physical persons, wanting to use electronic signatures, electronic documents, and/or any other alternative digital channels. We also need to provide on-line identification of the client, taking into account the relevant Know-Your-Client (KYC) procedure.

Opening an Account with the Bank

According to the Law on Payment Systems that is in force in the Republic of Serbia, an agreement to open an account with a bank has to be in written form. Further, the Financial Services Consumers Protection Law requires banks to inform potential clients in advance of all conditions of the relevant agreement as well as to provide all necessary documents which should be signed by the client including, without limitation, an example of the subject Agreement, the General Terms and Conditions, and the bank’s tariff. 

The Financial Services Consumers Protection Law allows documents to be rendered to the client on request in electronic form, by mail, or in a durable medium, but finally the Agreement has to be signed by the client in writing.

Conclusion of the Loan Agreement with Bank

In accordance with the Law on Contract and Torts and Financial Services Consumers Protection Law that are in force in Republic of Serbia, a loan agreement, agreement on credit card issuance, overdraft agreement, and other similar agreements regarding bank services must be concluded in written form. Further, the Financial Services Consumers Protection Law obliges the banks to inform potential clients in advance of all conditions for conclusion of the subject agreements as well as providing all necessary documents which should be signed by the client, including the subject agreement, the general terms and conditions, and the bank’s tariff. 

The bank is also obliged to inform potential clients in writing of all possible costs (current and future) related to the subject agreements. Those costs include the bank’s interest rate, all bank fees, and fees of external third persons (for example fees for collateral establishing, fees for collateral execution, etc.

The Financial Services Consumers Protection Law allows documents to be rendered to the client on request in electronic form by mail or in a durable medium, but finally the Agreement has to be signed by the client in written form.

The review of the legislation of the Republic of Serbia leads us to the main question: How to create a document that is recognized by law as a “document in written form?”

In principle, the Serbian Law on Electronic Documents prescribes that where a regulation required a legal act to be in writing to be valid, the relevant electronic document shall be signed with a qualified electronic signature. Theoretically this means that, if the agreements mentioned in points I and II above are made as electronic documents and are signed by the clients and the bank by qualified electronic signature, they can be treated as documents in “written form.”  

Nevertheless, neither the supervisor of the banking system in Serbia nor the protector of financial services consumers, in their interpretation of the relevant legislation, recognized electronic documents as documents in “written form” as required by the Financial Services Consumers Protection Law. And there is no court practice regarding this issue at all, specially not in respect of validity, legal binding and on execution of such document.

Thus, it appears that a new regulation is required to address this issue – to provide that agreements for banking services may be concluded on-line by means of electronic documents and qualified electronic signature. 

KYC Procedure and Identification of Clients Online 

The Serbian KYC legal framework is regulated by the Law on Prevention of Money Laundering and Financing of Terrorism and related by-laws. And under this Law, client identification is mandatory before any business relationship can be established. A “business relationship” between a customer and the bank based on a contract regarding the business activity of the bank that is expected, at the time the relationship is established, to have an element of duration.

Serbian law requires that data be determined from an inspection of a personal identity document in that person’s presence.  If it is not possible to obtain the required data from the document, missing data shall be obtained from another official document. Data that cannot be obtained from such documents for objective reasons shall be obtained directly from the customer.

If the bank is unable to act in concordance with the regulation, then it shall refuse the offer to establish a business relationship, as well as the carrying-out of a transaction, and it shall terminate the business relationship if a business relationship has already been established.

Under the conditions set out by the regulations, the bank may also identify and verify the identity of a customer who is a physical person, or his/her legal representative, based on a qualified electronic certificate issued by a certification body in the Republic of Serbia, or based on a foreign electronic certificate which is equal to its domestic counterpart, in accordance with the law governing electronic operations and electronic signature.

In addition, identification and verification of the client’s identity based on an electronic certificate obliges the bank to ensure that the customer’s first transaction be carried out from the account opened by the customer in his presence.

Data protection requirements are a separate issue for banks. The processing of personal data in the Republic of Serbia is regulated by the Law on Personal Data Protection, which defines “personal data” as any information relating to a physical person and “data processing” as any action taken in connection with data, including the collection, recording, transcription, multiplication, copying, transmission, searching, classification, storage, separation, crossing, merging, adaptation, modification, provision, use, granting access, disclosure, publication, dissemination, recording, organizing, keeping, editing, disclosure through transmission or otherwise, withholding, dislocation or other actions aimed at rendering the data inaccessible, as well as other actions carried out in connection with such data, regardless whether those actions are automated, semi-automated, or otherwise performed (hereinafter referred to as “processing”). 

Free movement of customer personal data is not possible according to local law, and it can only be communicated or transferred on the basis of the customer’s written consent.

A Data Protection Officer is not prescribed by local law as a mandatory function within the obligor’s organization. There are no obligations according to local law to prepare an internal act on personal data protection topic.

While we are waiting for new legislation to address all open issues and/or for court practice to resolve the same issues, the banks are running for new clients and acting to address client needs for something new. Therefore, banks’ in-house legal counselors are challenged to establish clear procedure for on-line identification of a potential client by taking advantage of smart mobile phones (such as identification via a client`s “selfy” pictures) and to find ways to sell their products without requiring their physical presence in bank premises.  This will be the “pioneer job” on Serbian banking market and will result in an immeasurable advantage for the first bank able to solve all open issues. We lawyers are called to run this “battle” from the “first battlefield`s line.”

This Article was originally published in Issue 4.4 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.

“Software is eating the world,” observed entrepreneur and Hewlett Packard Enterprise Board member Marc Anderssen in his influential Wall Street Journal essay half a decade ago. Software’s appetite still seems insatiable as it continues to digitize bigger and bigger chunks of our analogue world. Hybrid cloud and edge computing, photonics and persistent memory, virtual and augmented reality, and artificial intelligence (AI) are the innovations that will harness the digital imprint of our reality for our benefit.

Ours is arguably among the most ancient of professions. Essentially, it is about telling right from wrong and conveying our judgment eloquently and subtly, mostly as advocates on behalf of others. Is software eating the legal profession? It has not yet done to law what it has, in conjunction with robotics, to assembly line work. Still, software has already made significant advances in transforming the way we work and as AI and the computing power behind it continue to gain in sophistication and strength, technology’s full impact on our profession is still ahead.

Three decades ago the legal profession was almost entirely analogue. Lawyers had to read and memorize the codes and court cases and mobilize this data with their brains while advising clients in face-to-face meetings or plead in court, correspondence was paper-based, and fax machines provided for speed. The legal education I went through (or had to endure, I should rather say) entirely mirrored this reality by valuing memory above all. We could say that this was the era of ultimate personal computing.

Digitized codes, laws and court practice, powerful search engines, the Internet, e-mail and MS Word, version control and comparison, and mobile communications have all quickly infiltrated lawyering with the same dramatic impacts as in other professional fields, and our lives in general. If you haven’t yet tried using Google when under time pressure for advice on a special topic, try it, and you will be pleasantly surprised at how much free, high-quality writing is out there by trustworthy authors.

The largest international law firms were probably the first to go beyond the use of these widely available innovations and implement information technology solutions tailored to law. They introduced firm-wide private cloud-based computerized filing and time keeping systems integrated to an extent with Outlook, MS Word, accounting and billing systems, as well as automated template creation. The benefits were obvious. Confidential information was now kept in secure datacenters, all digital information was tagged and organized, trackable and transparent, and the first drafts of complex financing or M&A contracts were drawn up for specific transactions in no time.

IT infrastructure, including the software behind these systems, required a very significant investment. It is therefore not surprising that only the legal departments of large multinationals were able to follow suit in implementing similar solutions. The challenge for in-house teams is to guarantee rapid and high quality service for business and other functions more cheaply than it would cost to outsourcing it, both around the world and across disciplines.

While usually disliked by in-house attorneys, time tracking gives leadership insight into how resources are deployed and reveals under-deployment or overstretching both regionally and by discipline. It can also serve as the basis for internal cross charging of costs, something that the consumers of in-house legal services probably don’t like, but which could nevertheless further improve the efficiency of resource use. In-house clients would not engage counsel for low value work or attempt to use them as administrative staff (e.g., for filling in tender forms). This would free up legal resources which could be saved, thus resulting in the reduction or more effective deployment of staff; i.e., higher value work would receive more attention.

The enhanced situational awareness that more accurate and rapidly accessible data can bring is achievable across the board.

Some CRM systems have modules for lawyers to upload and modify draft documents, create legal opinions, and keep copies of executed digital documents or scans of hard copies with wet ink signatures. Actually, hard copies and wet ink signatures are losing ground in contracting, not necessarily to cryptographic electronic signatures, but instead often to simple electronic quotes and purchase orders which usually refer to the general contracting and procurement terms and conditions of the parties. Therefore, when suppliers and customers negotiate a frame contract, they usually include a clause overriding any reference to both parties’ general terms and conditions to block out interference with the default settings of their quoting and purchase order-generating systems. 

A case management system provides case managers, leadership, and finance departments with up-to-date data on litigations including what is at stake for their companies legally and financially, as well as providing information about the actual and expected costs of defending or pursuing cases.

Corporate data such as authorized signatories, shareholders, tax numbers, and business addresses of companies belonging to the same international group are integrated into subsidiary management systems.

Internal investigations are overseen with similar tools, allowing for both digital record keeping and efficient management level coordination, while business amenities approval and tracking tools provide control over the implementation of corporate policy, as well as a transparent database for both internal and external audits.

While technology has decreased the need for qualified lawyers, administrative staff, and paralegal hours through streamlining and speeding up processes – allowing you now to do more with less – paradoxically, it has increased administrative tasks for attorneys. The fraction of a full-time administrative position that this work represents today has been taken over by lawyers.

Today’s widely available tools are good in capturing and presenting data and basic analytics but as AI offerings mature, we should expect to see more benefits from the captured data. The AI behind Google’s free online translator might seem humble based on the results it returns when compared to a skilled human translator, yet it is a valuable tool in the hands of a regional attorney for quickly assessing a foreign language document. AI is reported to efficiently process case law and provide useful analysis of outcomes.

I suspect that AI is a good solution for analyzing draft contracts and come up with suggestions for their approximation to client expectations based on pre-set preferences, drafting history, the economics of the given transaction, and so on. These capabilities would come in handy for processing lower risk and low-complexity contracting work in supporting human decision making. However, I remain skeptical as to whether we are willing to entirely relegate the human experience of deal making to machines, blindly trusting their judgment. I think we are now somewhere half-way in the digitization of the legal profession and the crossroads for deciding how much more fundamental machine interference we want to see are getting closer. In the future our profession, both in-house and in private practice, might need fewer people as a result of computers taking over more tasks and, and those tasks remaining in human hands may not be remunerated as highly as now. However, I think that lawyering will remain a fundamentally human activity based on human judgment, at least in the second instance.

This Article was originally published in Issue 4.4 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.

The reasonable reduction of costs is deemed an obligatory tactic of doing business. In this paradigm, performance of legal work by program, instead of lawyers, is considered to be beneficial. Such an approach can be reasonable if the protection of the employer’s interests is guaranteed to stay at least at the same level. The methodology seems obvious: automation of legal work, use of online services and blockchain systems, and solutions based on artificial intellect.

The automation of legal work usually implies dismissal of lawyers and their replacement with software. However, it very seldom leads to the results experienced by Sberbank, the largest Russian bank. In 2016, Sberbank launched a robot lawyer making cases based on paper documents; this measure entailed the discharge of 3,000 lawyers. Sberbank says some of the discharged employees will undergo a retraining program; those who cannot be employed will be dismissed. They confirm the sense that the more actively these robots are developed, the more specialists will be retrained and/or dismissed.

This threat is mainly to legal employees performing unskilled activities. Now, individuals wishing to solve simple legal questions may electronically file claims (for instance, against an insurance company) or appeal violations in the sphere of state orders. They can also use e-assistance in business registration – checking the chosen company name and taxation system – and find online consulting on standard issues and the filing of a suit. 

Simultaneously, lawyers are provided more sophisticated tools as well, such as those providing an automated legal review of contracts. Lawyers provided with such technology can upload draft contracts, see them automatically analyzed by algorithm, which – with the help of machine learning and linguistic text recognition utilities – can identify weak points in the document (for example, to find excessive penalties for delayed payments).

The application of the advanced services in the confluence of jurisprudence and the smart economy are also of governmental interest. Thus, Russian Prime Minister Dmitry Medvedev recently instructed ministries to consider using blockchain technology in the Russian economy. Medvedev noted that large banks, corporations and some states already use the tool. “The technology is special, I remind you, as it excludes the presence of proxies,” he said. “The authenticity of operations is confirmed by the network participants themselves, since there is no single repository of information, it is all broken up into blocks, and it is impossible to rewrite this information without the knowledge of other persons.” Medvedev also added that blockchain could help “get rid of excessive bureaucratization.” As for labor productivity, there is a shortage of qualified personnel in Russia, he said, so the authorities will both help citizens to use their potential and engage specialists from other countries. Thus, in this case, the technology of blockchain is intended not to replace the dismissed, but to eliminate the shortage of expensive qualified specialists. 

Finally, an artificial intellect, promising in its legal scope, has begun its application.

Global law firm Baker & Hostetler announced the “hiring” of a robot lawyer created by ROSS Intelligence. The system – nicknamed “Ross” – will be employed in the law firm’s bankruptcy practice, which currently employs close to 50 lawyers. Ross can understand questions and respond with a hypothesis backed by references and citations. It improves on legal research by providing users with only the most highly relevant answers rather than thousands of results that would otherwise be needed to sift through. Additionally, it monitors current litigation so that it can provide notice of recent court decisions of potential relevance. It continues to learn from experience, gaining more knowledge and operating more quickly the more it is interacted with.

There is a tendency to automate legal work and reduce its cost in areas which do not require qualified specialists. However, the majority of consumers are not ready yet to pay for the services of robots, as there is a lack of confidence on their part. Still, everyone recognizes that it is coming in the future, and the market is waiting for the changes. There will be only a few law firms – legal boutiques – serving customers, while robots, automated banks of common solutions, remote services, and artificial intellect and specialized systems will occupy a significant share of the market.

There remains only one question: Will the hourly rates for robots differ from those for human lawyers, or will the robots conclude that unequal pay is discriminatory?

This Article was originally published in Issue 4.4 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.

EY is one of the four largest professional services networks in the world, together known as the “Big Four.” For a long time, the professional services industry was viewed as traditional and conservative, with the first professional services provided by legacy firms more than 110 years ago. However, it is undergoing fundamental changes today – the digital disruption poses challenges to all industries, and the professional services sector is no different. 

We are expanding our service offerings to tap into new areas, and our support for clients is no longer limited to auditing financial statements or providing transaction and tax advice. Today, our services may include the development and licensing of sophisticated business software or the provision of web-based tools or smartphone applications. Data privacy and cybersecurity are also increasingly dominating our agenda. In the CIS region, Russia and Kazakhstan have recently adopted stricter regulations around data privacy. 

Both regulators and clients are becoming more and more concerned about data protection issues. The dramatic changes we can now see in both the business and regulatory landscape have a number of significant consequences for our in-house legal department, as we have to face new challenges together with our industry.

For example, our standard engagement agreements have become too “tight” to accommodate the specifics of our new services, and we have modified our templates to adapt them to our new digital offerings. Today, provisions related to software development, licensing, IT support, and other activities that used to be in the province of the IT industry, rather than professional services, are often embedded in our service agreements. We also now have to ensure that data privacy and information security concerns are taken into account in our contracts. 

Correspondingly, the new tasks set before in-house lawyers require a set of skills, experience, and knowledge that would be inconceivable in the past. If three years ago someone within the firm had asked me to draft a software license agreement or give advice on a cross-border data transfer, I would not have hesitated to refer the matter to a specialized external law firm. Today such an approach does not seem feasible, both from the operational and cost-saving perspective; we need to have the respective capabilities in-house. 

What should a General Counsel’s response to these challenges be to remain a trusted business advisor for our internal clients? First, it is crucial to have the right talent on the in-house team. Hiring lawyers from the professional services industry or financial sector would have been the right choice several years ago. Now I’d rather look at applicants with experience in the IT or FinTech spheres. Having at least basic knowledge of data privacy and IP laws has become an absolute must nowadays, so a Head of Legal should make sure new hires have it. 

Second, having just one subject-matter expert in IT, IP, or data privacy matters in your team is no longer sufficient – you should make sure the relevant expertise is shared with colleagues through practice groups and internal trainings. 

Third, regulations and business practices are constantly changing, so General Counsel should make sure that their teams keeps up with what is going on in the relevant field. We must be connected and insightful. For us in the EY CIS General Counsel’s Office this means that we make every effort to utilize the expertise available within and outside our global organization. In addition to external trainings, we communicate with and learn from knowledgeable and experienced colleagues across the entire EY network. We keep in touch with our IT and Information Security people. We monitor the briefings, memos, and other communications from regulators to understand the regulators’ opinions and to be able to anticipate changes in the relevant areas. It also helps a lot to maintain relations with colleagues in both our industry and other sectors – such cross-industry knowledge exchange can bring numerous fresh ideas. Last but not least we try to benefit from events held by reputable external law firms and bring external lawyers to speak at our internal trainings, which helps provide access to cutting edge expertise and knowledge. 

That being said, I must confess I am strongly convinced that today’s General Counsel should always look to the future: In the quickly changing times we live in, what may sound like science fiction today can land on your desk as a legal matter tomorrow.  It is our professional duty to be prepared for this.

This Article was originally published in Issue 4.4 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.

More than 20 years ago, I was introduced to the Sophists Aristotle, Socrates, Euripides, Plato, and Protagoras: The first lawyers of the world.

“Man is the measure of all things,” remember? 

I was taught from early beginnings, that “it is equally possible to affirm and to deny anything of anything,” that “law and morality are themselves natural developments, necessary for human survival and the growth of civilization,” and the relativity of truth of all judgments.

Sophists used their considerable wealth of knowledge, making correct use of the language, to persuade, accuse, or defend people and ideas.

The use of this proper relationship between language and knowledge made the Sophists popular; Hated or loved, Sophists contributed to democracy the propositions that every person has the freedom of speech, the right to have his/her ideas heard, the right of defense, and the presumption of innocence. Such principles, which now form the base of our society, were created in Ancient Greece.

Yet, these days, it’s common to hear complaints about the contracts lawyers draft that: “It was all in legalese, with no spacing between paragraphs … It was just a huge wall of type.”

The Solution? Technology, of course. One of the useful tools is the Flesch–Kincaid Readability Test: A test developed over 30 years ago to indicate how difficult a passage in English is to understand. Although these tests were designed initially to assess the difficulty of technical manuals, they are now used extensively in the field of education. The Flesch–Kincaid Grade Level Formula presents a score as a U.S. grade level, making it easier for teachers, parents, librarians, and others to judge the readability level of various books and texts. It can also mean the number of years of education generally required to understand a text, relevant when the formula results in a number greater than 10. 

Contracts have adjusted to the new tool. Thus, one can read in some agreements, especially those involving consumers, variations on this: “Certificate of Readability and Acknowledgment: I certify that the information shown above is correct, and the enclosed contract submission: (1) is drafted in plain language; (2) meets the minimum font type and font size requirements and (3) has a Flesch-Kincaid score that does not exceed the maximum Flesch-Kincaid score for the type of contract shown below.” 

Moreover, we see more and more titles like this: “Lawyers Could Be the Next Profession to Be Replaced by Computers”; “Technology Will Replace Many Doctors, Lawyers, and Other Professionals”; “Lawyers are Being Replaced by Machines that Read”; “Why Hire Lawyers? Computers are Cheaper”; and “Will Lawyers Be Replaced by Robots?”

Put another way, I am reminded of an article that recently appeared in the online Quartz publication, reminding us that “lawyers are the professionals everyone loves to loathe. Jokes about attorneys abound, and Shakespeare’s line from Henry VI remains a cultural favorite: ‘The first thing we do, let’s kill all the lawyers.’ Soon, that dream may come true, and machines will be the ones to do it, as academically trained attorneys are increasingly being replaced by technology to analyze evidence and assess it for relevance in investigations, lawsuits, compliance efforts, and more.”

Survival in the battle with technology lies within us: We should go back to our roots, put our knowledge to use, and use technology as a tool, not as a replacement. Otherwise, as the author of the article on Quartz noted publication noted recently: “The better the world gets at simulating the outcome of your labors, the more redundant you start to appear.” One day then, the publication predicted, even John Roberts, Chief Justice in the US Supreme Court, may be replaced by Chief Justice Robot.”

This Article was originally published in Issue 4.4 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.

You’ll read in this issue stories from other colleagues’ experience – that is, stories from the past. I will try a different approach and will give you instead a story from the future. This will be about how technology helps with resource optimization – which is what those with a less rich vocabulary mean when they say “doing more with less.”

In fact, if we want to see what success will look like for our legal departments in the field of resource optimization, we should probably take this expression to its logical conclusion: the pinnacle then would be to do “Everything with Nothing!”

So, here’s my suggestion for the next vision of the Legal Department: A Legal Department without Lawyers. 

For those of you laughing, need I remind you that we already have cars without drivers? I guess you are not laughing any more …

And maybe you have heard about ROSS? ROSS is the first artificially intelligent lawyer, hired last year by the BakerHostetler Law Firm. You ask questions in plain English and ROSS reads through the entire body of law before returning a cited answer, monitors the law around the clock to notify you of new court decisions that can affect your case, and narrows down to only the most highly relevant answers. He also excels in writing memos.

Wouldn’t that be fantastic? I can see how ROSS, or his cousins when they are ready, will be a perfect lawyer for our in-house legal departments: He (or is it She?) would be able to review thousands of contracts requiring approval at the blink of an eye, or go through the hundreds of daily emails, prioritize them, and respond in minutes (having of course gone through the full chain of previous emails on the subject). Or, even better, attend a full day’s meetings without a yawn, meticulously taking notes, checking for legal compliance of projects on the spot. And don’t get me started on what a piece of cake a due diligence assignment would be for ROSS.

Amazingly ROSS would do all these using a casual, understandable language – which is usually quite a challenge for any one of us…

And, wait, there’s more good news! ROSS would never ask for a salary increase, a promotion, or moral recognition. ROSS would not care about health insurance, childcare reimbursement, employee stock options, and couldn’t care less if the cafeteria offers free food or not. (Although he might be interested in a company-owned driverless car). Talk about resource optimization, right?

I am pretty sure that all CEOs will appreciate the warm friendliness of an artificially intelligent lawyer. Investors and Regulators will be extremely happy to know that legal advice is being provided not by fallible humans but by cost-efficient and all-knowing ROSSes. Our non-lawyer colleagues – our internal clients – will be excited to interact with cyber attorneys, tell them about their needs, and receive the most logical of answers. 

Certainly, no one will care that their most trusted business partner will not have what Richard Susskind, the author of a book titled The End of Lawyers?, calls “The Moral Capability”, where professionals take responsibility for what they do and are driven by a sense of right and wrong.

And what’s better, when you take risks that could even lead you to jail, than to consult a machine – sorry, an artificially intelligent counsel? ROSS will surely have a risk matrix assessment tool which would far exceed the capabilities of the thoughtful risk taking approach we use – and clients will just love this.

So, back to my vision: Let’s optimize the most precious of our resources – ourselves –  not by improving our technical and soft skills, not by employing better techniques, not by aligning with the business needs nor by working more efficiently with external counsel, but just by eliminating us altogether.

The only downside I see is that you can’t have a good joke about an artificially intelligent lawyer. But I’m sure we can manage with fewer lawyer jokes, right?

This Article was originally published in Issue 4.4 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.

The rapid development of technology and its impact on our daily lives can be witnessed in everything we do. From e-commerce to remote control of the temperature at our homes, technology has changed the way that we manage our daily tasks. Similarly, in the legal industry, technological developments – from advancements in standard legal tasks to big data analytics – are all taking center stage in the work being done to improve the provision of legal services.

Nonetheless, the way lawyers operate has changed little in the last twenty years. Although we use new tools and devices, supported by information and communications technology, we often do so in a way that merely replaces the old functionality without truly embracing the power of technology in a bid to become industry leaders and to improve our professional lives. 

Being only responsive to the rapidly changing market landscape is no longer an option. Lawyers must play a vital role in the ongoing technological revolution, proactively supporting their clients, regardless whether they are working within a business structure or as outside counsels. Legal professionals cannot view themselves anymore as lone wolves (or members part of wolf packs), who seek, create, and deliver legal analysis. The time when one could render legal advice and shield it with disclaimers are definitely over. In today’s business environment, lawyers must be part of a project team, working hand in hand with other divisions to deliver a result. Clients want long-term solutions that best meet their needs and that help them to navigate changes. They want to have advisors on board who understand them. To achieve that we must align our actions with business and work at its pace – and in this process technology can be a blessing. 

Luckily for us, an array of technological tools and services designed to help improve legal services have emerged in recent years. These new software packages can save time for lawyers who are then able to focus on clients or business development rather than busywork that can be automated. These products include management software, dedicated document management systems, case preparation and litigation support tools, e-discovery tools, trial specific software, document encrypting tools, and cloud-based research products and services. We can already observe that this field is being explored by the big law firms and venture capitalists, working with early-stage legal tech companies. Capital providers are assuming a bigger role because, apart from financing, they bring to the table support for the venture that is being financed in various forms, from access to top legal minds to the provision of free office space on their premises. Connections between law firms and venture capitalists may thus be a key source of general institutional support for high-technology entrepreneurship in the legal technology industry. Recent studies show that in the future the business of law will require fewer general support staff members, junior lawyers, and generalists – and more legal technicians and project managers. Indeed, tech skills in the areas of digital communication and collaboration, computer and data science, and statistics will become the coin of the realm in our profession.

New technologies have also given rise to new legal outsourcing services, which are changing the legal industry. Clients are no longer willing to pay for high numbers of billable hours when they are aware that many tasks can be done faster and cheaper. Paralegals and associates who once devoted hours for document review can be now easily replaced by e-discovery processes. In a constant pursuit for efficiency and optimization, clients expect more for less, which has made the legal market even more competitive. Fresh players have entered the market, providing clients with automated and cost-cutting solutions. Many see automation as the way forward, making projects smarter and more efficient. Legal automation won’t be un-invented, and – eagerly or not – more and more firms will need to adopting it out of necessity. 

Unfortunately, those trends are not reflected by advancements in either the management models used or in management decision-making ability. Senior leadership is often at odds with innovation and creative thinking, which slows the progress of these trends. At the other extreme are younger lawyers who may very often bring to table the best combination – background in law along with tech savvy, making them perfect for the challenges of the modern economy. Therefore, this gap should be properly addressed, in order to implement innovative concepts. 

One cannot forget the other important aspect of technology to be dealt with by lawyers: The impact of technological advancement on society. Traditional rules of law and old legal institutions stay alive when they still have a purpose  – or, at least, when they do not interfere with the demands of current life. Due to these recent technology developments, however, we soon will face major changes in the legal framework. The law, realizing its integrative functions, should respond appropriately to the new socio-economic relations which are developing dynamically. Rapid and unstoppable scientific and technological development triggers urgency for new regulations to adapt to new times and lawyers have proved adept at turning old legal institutions to new purposes or creating new ones to address issues hitherto unknown to us. 

Nowadays, consumers expect high-tech companies to introduce new products frequently and to offer more choices as well. The product life cycle is shortened, demanding more engineering development efforts, so equipment must increase capabilities, becoming more powerful and intelligent. Based on Moore’s Law, the computing power in the Internet of Things (IoT) devices keeps growing and this increasing computational power enables a more complex running of algorithms and more autonomous IoT devices. 

Indeed, if one looks at the automotive industry, one will see that the future is already here. A car’s performance, for example, can be changed by altering the software settings. Cars communicate information between one another to avoid traffic jams. People consider just using cars, instead of owning them. And so on.

Although for some it might sound too far-fetched and speculative, in the near future we will share a world with robots. Given the state of development, if correct measures are not taken, then the future might not be much different from what has been depicted in the Terminator movie series. Therefore, we will need rules and procedures to address such issues as safety, liability, privacy, or legal personality for artificial intelligence (AI). This vision would need consideration at different levels, including the asking of difficult ethical questions. We cannot forget that at the end of the day we want to shape a better future that will expand our understanding of what is possible. The crucial role of lawyers in this endeavor will be to pave the way to “singularity,” where humans and robots will share spaces and collaborate closely. 

Certainly, the fascinating topic of robotics/AI, given the significant public attention currently devoted to it, will soon be covered by lawyers in order to fully exploit its economic potential and to guarantee a standard level of safety and security. 

We are already hearing about the concept of machines owning themselves. That would trigger yet more legal issues related to inheritance or insolvency law, to name just a few. Regulatory standards for robots must be meticulously planned – and legal professionals will need to take the lead on setting this legislation. To do that successfully, however, lawyers will need to have a much greater understanding of this fast-evolving field than they do at present. Only when equipped with knowledge and skills can we conclude how to move forward, especially as regards legislative measures. 

There is little doubt that technology is having a huge impact on how we live, work, and play –  and indeed, it blurs the lines between the three. Like many other sectors, the legal world – and how law is practiced – has been dramatically affected by the advances in technology. We can either embrace it or ignore it – in other words, embrace disruption or be disrupted. If we choose the latter, we may end up standing still while everyone goes forward. Legal professionals who want to thrive in modern business must lean towards technological transformation. 

The great news is that lawyers have the tools at their disposal to enable this change. The digital revolution offers us the chance to compete, and it provides law firms and legal departments with the ability to transform into something much more exciting. The legal profession will not disappear, but it will surely change due to technology. This shift will most probably trigger new forms of what being a lawyer means. The sooner we accept it as the new normal the better off we’re going to be! After all, wouldn’t it be nice to have an AI legal assistant around that operates within legal and ethical boundaries that have been set forth by the sovereign? There’s no doubt we are living in “interesting times,” as the Chinese used to say.

This Article was originally published in Issue 4.4 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.