Legal issues around AI, big data, cloud, DLT and e-payment

Adrian Lawrence, partner, Baker & McKenzie (Sydney)As more organizations explore and savor the benefits of various digitization technologies like artificial intelligence (AI), big data analytics, cloud computing, distributed ledger technology (DLT) and electronic payment (e-payment), business and IT leaders should also appreciate their legal implications on their organizations.

In a recent legal technology conference hosted by international law firm Baker & McKenzie, titled "The Age of Digital Transformation -- risks and opportunities," law veterans discussed the legal issues around the latest technology trends that are specific to this Asia Pacific (APAC) region.

Artificial intelligence -- Who bears liability?

Artificial intelligence (AI) involves the feeding of big data sets into a system to produce results. According to Adrian Lawrence (pictured above), partner, Baker & McKenzie (Sydney), the top three legal issues with AI are liability, discrimination and legal personality.

Concerning AI's liability, one should ask who is responsible for automatically made decisions. "This is a current issue, and is the most prominently considered in the context of a self-driving car that leads to an adverse outcome, such as the injury of someone," he said. "How do we think about the liability issues in an environment where the decision making is not entirely undertaken by humans?"

Another emerging but relevant legal issue of AI concerns discrimination. According to Lawrence, AI-made decisions that are based on the input of large scale information may tend to skew opportunities towards one section of the society, he added.

In the US, the Federal Trade Commission is now considering the above problem in the context of financial services, such as loan opportunities that might be driven towards one part of the society, as opposed to another.

The third legal issue around AI, but is "a little bit down the track," according to Lawrence, is the question of legal personality.

"Do we think at some point, AI, robotics, machine learning will get to such an extent that we think legal personality should be given to a computer or a system?" he asked.

Although sounding fictional, there are already examples of us giving legal personality to non-human beings: corporations. With a legal personality, a corporation can own property, bear responsibilities and be given rights. Should this be extended to a computer system or a robot?

"This question is a little bit in front of us, but it's starting to become more relevant when we think about, for example, the creation of new works by AI systems," Lawrence suggested.

Under a normal intellectual property analysis, if a robot or an AI system comes up with an entirely new work, the legal questions to ask are: Who might own the IPR or the copyright in that work? Does anybody own it? Does copyright even exist in that work?

"One answer to these questions might be that the controller or the owner of that AI system should be the owner of the work. But that has some real questions under current intellectual property laws in many jurisdictions," he suggested.

Big data analytics -- Extent of data protection obligation

The two key legal issues around the practice of big data analytics are: the protection of personal data privacy and the restriction of data movement.

It is currently a challenge for organizations to map back the use of big data applications to privacy and data protection obligations, Lawrence said.

"One key question to ask is what we are actually trying to do with the data that we are collecting," he suggested. This covers big data sets, analytics, and the AI system that is running on top of the big data sets.

Under the current data privacy laws, there is a dividing line between the use of personal information/ data, and the use of such data but which are anonymized in some way.

"In our [APAC] region, you can use data sets without necessarily needing to know that the data belongs to a particular individual," he said. "In this case, one's ability to use and share that data with his partners to run data analytics can be dramatically enhanced."

"However, if what you are really interested in are the characteristics or the behavior of that particular person, then by inputting your data sets to run your analytics, you still need to think about your data protection obligations."

Even if the data sets have been anonymized in some way, personal data protection will remain a relevant legal issue if and when data privacy regulators seek to disable regions from running data analytics across data sets. After all, organizations need to be fully compliant with the relevant data protection laws that apply, he suggested. 

The second legal issue that concerns big data applications is data movement around jurisdictions, as data are often shared cross-border to run such applications in multiple jurisdictions.

To the extent that an organization shares personal information, there are restrictions on its ability to offshore data out of that jurisdiction.

"Perhaps adversely, we are starting to see those obligations tightened rather than loosened," Lawrence suggested. "From a business perspective, even though there has been more data sharing across jurisdictions, individual jurisdictions are coming up with laws that make it more difficult rather than less difficult."

Lawrence cited the PRC Cybersecurity Law that has just been implemented in mainland China, plus other examples of data localization obligations around the world. For example, data sovereignty obligations are also coming out of jurisdictions like Russia and Indonesia which require an organization to maintain an instance of a data set onshore. "Perhaps you might be able to share as well, but you must at least retain a local data set," he suggested.

"That concept, to the extent that it takes hold, is starting to multiply across jurisdictions. It is going to become a real issue for companies trying to run big data applications."

Cloud computing -- Data movement rules vary

The proposition that "large scale computing and data are the father and mother of artificial intelligence" sums up the interrelationship between AI, big data and cloud computing.

In the last two years, Hong Kong has reached a tipping point where it has become a trend for organizations to use cloud computing to handle vast amounts of data which are necessary for businesses to run data analytics.

Today, the key legal issues around cloud adoption are data movement, data localization, and regulatory and compliance issues.

Concerning data movement around jurisdictions, Lawrence noted that there has been "a real reticence" to move data to the cloud, particularly for highly regulated sectors like the financial sector. Such regulatory concerns largely revolve around personal data privacy, and the ability to offshore data out of data protection regimes around the world.

According to Lawrence, there is a growing recognition that the underlying compliance with legal obligations under a cloud implementation is in many cases as good as, if not better than, what a non-cloud environment provides.

"As such, this concern about data location, and the obligation to explain to one's customer base, is now starting to be overcome by the recognition of the benefits of cloud adoption."

As for the next legal issue, data localization, Lawrence said it is important to acknowledge that most of the data localization requirements do not restrict the offshoring of data. "They just say one must keep an instance of the data onshore," he said.

"That would obviously start to raise practical financial questions about how we are going to get the benefits of cloud storage if we are required to have that data still onshore, be it in China, Russia, Indonesia or whichever jurisdiction it might be."

Finally, cloud users should also pay attention to regulatory and compliance issues.

"We have moved forward in the last few years from a position where as you sought to negotiate that contract with your cloud provider, there was real tension around those sort of questions: how you are going to agree to comply with my local privacy act, for example," said Lawrence.

Today, more cloud providers understand the required level of compliance and security, and are able to apply that to their data. "Where there is an overarching umbrella level of compliance that enables them to say, 'Yes, I can comply with your local [data localization] requirements' depends on exactly what obligations are coming out of each jurisdiction you might have in respect of offshoring data."

The good news is, some of the sectors that have previously been really quite concerned about the offshoring of data are now embracing it, according to Lawrence.

Distributed ledger technology -- Data retention versus privacy protection

Distributed ledger technology (DLT) provides a record of all the transactions in crypto currencies such as bitcoin. Collectively maintained by the participants in the system instead of a central authority, DLT serves as a record book that everyone can see but no one can alter.

According to Dominic Edmondson (pictured, below), associate, Baker & McKenzie (Hong Kong), the key legal issues around DLT usage are data retention and the enforcement of smart contracts.

As DLT and blockchain applications rely on data encryption, all personal data that identify individual people need to be scrubbed off. However, such data will still be tied to a hash value. This enables the network to verify whether a person who is transferring money to someone else actually has the funds to do so, for example.

"When the recipient does actually receive those funds, it won't allow double spend whereby the transferor of the money transfers 100 bitcoins, they actually keep the bitcoin to themselves instead of using it — DLT does not allow such a situation to occur," said Edmondson.

In a DLT, what one will get is a pool of data which is kept in an indelible format – it cannot be erased.

"The legal problem with this is, under most decryption regimes, data and personal data can only be retained for as long as it is needed for its function," he said. "So if you have a system where personal data going back decades is maintained on a ledger of integrity in every single computer in the world that is connected to that ledger that you can see, you will have an issue with compliance with [data privacy rules], which brings us to the issue with how you approach the regulation of technology compliance."

Regulators worldwide adopt different approaches to this, said Edmondson. In Hong Kong, for example, the Hong Kong Monetary Authority (HKMA) has stated its position of technology-neutral stance, but is being very proactive regarding the adoption of blockchain technology.

"In Singapore, they say regulation should never front run innovation. They say that let's just react to technology as it develops, and as these use cases multiply, we will see what the regulations have to do."

"And in London, the Ministry in charge of science recently said there was a need to regulate distributed ledgers as a mixture of legal currency and technical currency. The rules that build into the coding on which distributed ledgers are based prevents certain mischiefs, they say, are taking place."

Finally, Edmondson advised DLT users to pay attention to the enforcement of smart contracts. Smart contracts are coding that is embedded to a DLT system that could automatically trigger the shift of value on the occurrence of a cyber event that might be an objectively determined event. For example, share trade will occur if the share price of a particular entity hits a pre-determined level.

"How do you enforce these things? How do you enforce the contracts if you buy something say with bitcoin, a crypto currency? How do you enforce that when something goes wrong? For example, when a wrong product is delivered? Or one that is delivered with a scratch? These are all huge issues."

e-payment -- Interoperability of payment platforms

Finally, one should also pay attention to the legal issues of some of the electronic payment forms which are rising in popularity, such as the scanning of QR codes.

QR code scanning is popular in mainland China. And it may gain popularity in Hong Kong very soon, Edmondson suggested.

"One of the legal issues with QR code scanning, as a form of e-payment, is the difference in regulation across all the different jurisdictions, and the difference in cultural biases that people have."

The issue will become more prominent where cross border payments occur, as they involve a multiplicity of different payment platforms. "The question is, can these payment platforms talk to each other?"

"What consumers really want is the ability to pay for these services quickly without any hassle. For example, in a situation where the Chinese tourists come to Thailand or Australia looking for the ability to pay with QR codes, because this is the accepted method for Chinese consumers nowadays. So that is driving change across the region."