WIXLIB

TeleScope TMT 2020 outlookTeleScope TMT 2020 outlookHow to guardthe galaxyVast increase in adoption of IoT solutions forceslegislators to increase focus on security guidanceThere are many differing projections for the sizeof the Internet of Things (IoT) market in thecoming years. Whichever report you read, IoTis booming and a key part of the globalinfrastructure for the future. Statista predictsthat the total installed base of IoT connected devised isprojected to reach 75.44 billion worldwide by 2025which is a fivefold increase in ten years. Gartner hasstated that there were 14.2 billion connected things inuse in 2019 with certain forecasts stating the enterpriseand automotive IoT market will grow to 5.8 billionendpoints in 2020, which is a 21% increase from 2019.Gartner has provided an interesting breakdown of the2018-2020 real and projected figures for various sectors,showcasing utilities as the number one area butunsurprisingly building automation, manufacturing andnatural responses, automotive, government, healthcareproviders, retail and IT and transportation are also keysectors. Interestingly, Fortune Business Insightsforecasts that the Banking and Financial servicesindustry will be the largest segment of that market share.Forbes has also stated a similar view in a survey whichfound that the FS sector and healthcare sector were wellforward with initiatives. This would resonate with thework we are helping our clients with too.The laws which touch IoT are wide in nature. They bring alegally-complaint solution to market and take a lot ofpre-thinking as well as just-in-time thinking on the projectaround the legal ramifications. For example, the dataprivacy (including around use of biometrics, whereintegrated into the solution), intellectual property,confidentiality, data-sharing, telecoms, cyber-security andconsumer (where relevant) ramifications alone take muchforethought. Particularly where there is an interconnectedeco-system wishing to utilize the underlying data insome way.For those working in IoT (either as a supplier or as anadopter of IoT for your business), the key focus forlegislators is undoubtedly security, with various guidanceand reports coming out and more likely to follow. This isagainst the back drop of a focus on privacy, cyber andtransparency generally for IoT, AI and other techcompanies.8By way of example, in November 2019 ENISA, theEuropean Union Agency for Cybersecurity, released areport on its study into “Good Practices for Security of IoT”.In the context of the growing prevalence and importanceof IoT solutions across many sectors, the study aimed toidentify the main threats to IoT security and to developguidelines and recommendations for avoiding andmitigating those threats. Acknowledging that software is atthe heart of all IoT systems and services, the report isintended for IoT software developers, integrators andplatform and system engineers. It seeks to promotesecurity by design for IoT devices and their ecosystems(communications, networks, etc) by setting out goodpractice guidelines for the full Software Development LifeCycle (“SDLC”). This comprises defining concepts andrequirements, software design, development andimplementation, testing and acceptance, deployment andintegration, maintenance and disposal.The report includes:–analysis of security threats and vulnerabilities in allphases of the SDLC–detailed asset and threat taxonomies–good practices to enhance cybersecurity brokendown into practices relating to people (training andawareness, roles and privileges, security culture),processes (third party management, operationsmanagement, SDLC methodology, securedeployment, security design, internal policies) andtechnologies (access control, third party software,secure communication, secure code, securityreviews, security of SDLC infrastructure, secureimplementation)–mapping of ENISA good practices to related existingstandards, guidelines and schemesWe also reported in 2019 on a consultation fromthe UK government on its proposals to regulate thesecurity of IOT.–The government has now published its response tothat consultation.The consultation proposed the introduction of a securitylabelling scheme for consumer IoT products to assistconsumers in making informed purchasing decisions.Following a range of concerns raised by respondents tothe consultation, the government has decided not to goahead with a labelling scheme at this time.ConsultationThe current UK Code of Practice relies on self-regulationby industry, but the government is concerned that, despitethe introduction of the UK Code of Practice, there are stillsignificant security flaws in many products on the market.This situation needs to be addressed urgently in order toprotect consumer security, privacy and safety and tomitigate the increasing threat of cyber-attacks launchedfrom insecure IoT devices. As part of its policy objective ofmoving away from consumers being responsible forsecuring their own devices towards ensuring that allconsumer IoT products are secure by design, the UKgovernment intends to introduce legislation to regulatethis area and ensure that all consumer IoT devices meetbasic security standards.Following the consultation, the government hasconcluded that it will implement legislation that mandatesthe following three principles:–all IoT device passwords to be unique and notresettable to any universal factory default value–each manufacturer to provide a public point ofcontact as part of a vulnerability disclosure policy toenable security researchers and others to reportissueseach manufacturer to explicitly state the minimumlength of time for which the product will receivesecurity updatesThe government will now carry out further policydevelopment on the detail of this first phase stage ofregulation, in particular considering how those selling intothe UK can best evidence security information toconsumers at the point of sale whilst ensuring minimumdisruption to the supply chain. It is intended that this willonly be the first phase of regulation in this sector.The report also emphasizes that as part of its approach toregulation, the government is committed to collaboratingat an international level to achieve global alignment acrossthe IoT supply chain. For example, producing a jointministerial statement by the UK, US, Australia, Canada andNew Zealand committing to align approach to enhancingthe security of IoT devices was signed in July 2019.We will be closely monitoring developments in this area.In terms of IoT going forwards, businesses need to watchfor new laws and guidance as it comes in and ideally addto the debate where there is consultation. No doubt thecontinuing focuses this year will be around security as wellas protecting the consumer, building on the above. It willbe interesting to see the extent to which there is anyinternational consensus. As ever the issue for technologysuppliers, complying with differing requirements addsburden and time. With the current backdrop of Brexit,there is likely to be more divergence in laws between theEU and the UK over time (albeit hopefully complimentarywhere it makes sense). While it is important we get thisright given the phenomenal access to data IoT can bring, itis also important we build rules and guidance that workacross continents and which ideally do not meancompletely new solutions are needed as the solution isdeployed internationally.AuthorCharlotte Walker-OsbornInternational Head of Artificial Intelligence,International Head of Technology comIn October 2018, the UK government published avoluntary Code of Practice for Consumer IoT Security (“UKCode of Practice”) which brought together 13 guidelinesthat are widely considered good practice in IoT security.They are intended to support all stakeholders involved indevelopment, manufacturing and sale of consumer IoTdevices.9

TeleScope TMT 2020 outlookTeleScope TMT 2020 outlookMay the consent bewith you - Biometricsand data centersThe use of biometric security and access controls is a commonfeature of data centers. This security process relies on scanning andverifying the unique biometric characteristics of individuals to entersecure areas of a data center or access key IT assets. Biometricsecurity technology is often used to manage access to facilities, andcan also be incorporated into server cabinets as part of physicalsecurity measures.Inherent in the operation of these security controls isthe collection of biometric data. This term refers tobiological features that can identify an individual,such as their face, fingerprints, iris, voice and facialexpressions. Under GDPR, and in the UK, the DataProtection Act 2018 (Data Protection Law), wherebiometric data is used to uniquely identify an individual,it becomes a special category of personal data. Thismeans that it benefits from additional protections,including a limited number of purposes for which it canbe used.Although data center operators will often be deployingthese technologies in order to meet a requirement of theircustomers, they will be the controller in respect of thisdata. This is because they will be defining the purposes, forexample in the case of any security breach to carry out aninvestigation, they will be the controller in respect of thisdata.In practice, this means data center operators deployingbiometric access controls for visitors and employees needto overcome a number of legal challenges in order to10process it lawfully, including having an appropriate lawfulbasis for its use.The lawful basis often favored by data centers to processbiometrics tends to be a person’s explicit consent. Thechallenge here is that consent cannot be lawful underData Protection Laws if it is not freely given. In many cases,if a real alternative to the collection of biometric data isnot offered, for example using a key card for accessinstead of fingerprint scanning, consent will not beconsidered freely given. With biometric access controlsbeing standard practice in the industry, alternatives areoften not operationally possible, which means that it isvery difficult to obtain valid consent. For employees, theconsent challenge is doubly difficult as the starting pointunder GDPR and European guidance is that “consent ishighly unlikely to be a lawful basis for data processing atwork, unless employees can refuse without adverseconsequence1”, as a result of the power dynamic betweenemployee and employer.Finding an alternative lawful basis is tricky. A potentialsolution in some circumstances may be to argue that theprocessing is necessary for reasons of substantial publicinterest, for example, that they are necessary for thesecurity and integrity of the data housed by the datacenter. In addition to being necessary, the processing ofbiometrics must be proportionate to the risks it is beingdeployed to protect. Operators should work with theirlegal team to assess whether this could be appropriate intheir case and document their analysis.In reality, this creates a commercial and legal tension fordata center operators: a need to deploy biometrics tosatisfy customer requirements and maintain competitiveadvantage, but risking a breach of Data Protection Laws.Part of the solution is ensuring that companies havestringent cyber security procedures built into thetechnology to limit risk in the event of security breach,such as fingerprint and face hashing where the data isencoded in a way that can’t readily be reversed. Otheroptions, such as two factor authentication using, forexample card reader data and biometric templates beingheld on separate servers, add further layers of security.However, the segregation of data does not mean that thedata is no longer personal data and/or biometric data,which means that attention still needs to be given to lawfulbasis.AuthorsRebecca SherrySenior le d.com1 Paragraph 1 (Executive summary (page 3)): Article 29 Working Party Opinion 2/2017on data processing at work11

TeleScope TMT 2020 outlookTeleScope TMT 2020 outlookOECD reformsThe OECD is currently attempting to achieve internationalconsensus on proposed tax reform measures forbusinesses operating digitally. These reforms seek toreflect the global reach and scale available to businessesthrough digitization. Fundamentally, these reformspropose a reallocation of taxable profits from the “home”jurisdiction of digital businesses to customer or marketjurisdictions. This represents a radical shift in internationaltax rights that will expose consumer-facing businesses totaxation in many more countries, increasing tax andadministration costs and potentially requiring thereorganization of current corporate structures.Interim digital tax measuresThe OECD is seeking to deliver consensus on thesereforms by the end of 2020. However, this process hasbeen ongoing for nearly a decade and many countries areconcerned that consensus will not be reached this year, ifat all. Therefore, to address lost tax revenue and localpolitical imperatives, many countries are introducing theirown digital tax measures such as digital services taxes(DSTs), withholding taxes (for example, on digitaladvertising revenues) and VAT-type taxes on digitalservices. These take many different forms but often seekto tax the same income producing activity, giving rise tosignificant additional tax burdens for digital businesses.Taxation of thedigital economy2020 could be the year in which agreement is reachedon one of the most fundamental and widescalerewrites of international tax law in over 100 years.Alternatively 2020 could usher in a period of tax chaosas countries pursue individual and different taxpolicies for the digital economy. Everything dependsupon the OECD and its key participants.12Spotlight on 2020Many of the interim digital tax measures are expressed tobe subject to international consensus on the OECDapproach. If consensus is reached, these local measureswill either not be introduced or will be repealed. Therefore,the OECD’s work in this area in 2020 is key. If consensuscan be reached in 2020 there could be huge globalchange to international business taxation. If consensus isnot reached, 2020 could see a plethora of separate digitaltax measures creating confusion and tax cost forbusinesses operating globally. For updates pleasesubscribe to our weekly Digital Tax Bytes.The tax impact of BrexitFollowing the UK’s exit from the EU, 2020 will be the yearin which the future relationship between the UK and theEU becomes clearer. From a tax perspective, the key issuewill be the border between the UK and EU and theapplication of tariffs and import VAT. Will a customs unionbe preserved or will taxes begin to be applied on goodspassing between the UK and EU?–application of EU law – EU law has historically beenvery influential on UK tax law, requiring changes notonly to UK VAT law but also to a much wider spectrumof UK tax laws. A key question going forward will bewhat role, if any, will EU law have in respect of the UKand how UK tax law might change and diverge fromits current state during 2020 and beyond–state aid rules – in recent years, the EU’s anticompetition State Aid rules have increasingly beenused to challenge tax matters, particularly taxauthority rulings or local tax exemptions perceived tobe selective and anti-competitive. Challenges madeunder these rules sit outside the usual tax courtsystem and can overturn tax statute and settledgovernment ruling procedures. Tax can also bereclaimed for up to a ten year period, a period inexcess of most domestic tax assessment periods.State Aid challenges have added great uncertainty forEU based taxpayers and there is every indication thatthe EU will continue to use State Aid to challenge taxmatters. The key question to be resolved in 2020 iswhether the UK will continue to be subject to EU StateAid rules after the transition period?Tax information sharing andcoordinated audits2020 will see a continued increase in demands upontaxpayers to provide information about their tax affairs totax authorities, which will then be shared and used by taxauthorities around the world to instigate enquires and taxchallenges, increasingly on a multi-jurisdictional basis.DAC6One particular milestone in this area in 2020 will be thecommencement of the reporting requirements of DAC6 inthe EU. Commencing on 1 July 2020, DAC6 requirestaxpayers and intermediaries to report a wide range ofcross-border transactions with an EU element to theirrelevant tax authorities. This reporting requirement isdesigned to flag potentially abusive transactions to taxauthorities to enable challenges or legislative change.These rules are particularly burdensome as they requiredisclosure of relevant transactions dating back to 25 June2018, and preparations for this new reporting requirementand ensuring compliance for the initial months post-Julywill be a key area of tax focus throughout 2020 formulti-nationals with an EU presence.AuthorsOther tax issues dependent upon the future UK/EUrelationship include:–taxation of dividends, interest and royalties – EUdirectives (which continue in force for the transitionperiod through to the end of 2020) removewithholding taxes from certain dividend, interest androyalty payments between EU residents. Withoutfurther agreement, these directives will cease to applyat the end of 2020 which could lead to increased taxcost and administrative burden for EU corporategroups. Developments over 2020, both between theUK and EU but also within each EU member stateshould be monitored. Restructuring may be requiredto mitigate the impact of the loss of these directivesand future investment decisions should take any suchloss into accountBen JonesPartnerbenjones@eversheds-sutherland.comRobb ChasePartnerrobbchase@eversheds-sutherland.com13

TeleScope TMT 2020 outlookTeleScope TMT 2020 outlookWhat candecarbonizationdo for you?With the increasing emphasis on decarbonization, many technologycompanies and other large corporates are looking to source their(often substantial) energy requirements from renewable sources.Many have signed up to voluntary schemes like the RE100 (http://there100.org/), a group of (more than 100) highly influentialcompanies who have committed to 100% renewable electricity. Inaddition to boosting their ‘green credentials’, sourcing power directlyfrom generators can make good economic sense.The dual-catalysts of the drive to decarbonize and the endto subsidized renewable energy means that renewableenergy generators and technology companies areincreasingly looking to each other to enter into mutuallybeneficially “corporate power purchase agreements(PPAs)”. For tech companies, they can secure pricecertainty for their long-term electricity costs – this couldbe by fixing a price in the PPA, or by agreeing price floors/caps. For generators, they can secure long term pricecertainty which enables them to outlay the capitalrequired to construct and operate their renewablegenerating station. The result is that both are supportingthe construction of new sources of low carbongeneration. Demand for these arrangements from largeenergy users such as tech companies is critical if theenergy system is to continue decarbonizing.Certain conditions can make or break these endeavors,one of which is a healthy long-term demand from acreditworthy corporate, and high levels of predictabledemand certainly helps. For this reason, technologycompanies (such as data centers) are an attractive targetfor electricity generators.There are a multitude of ways you can decarbonize yourelectricity, ranging from opting for a green tariff to having14a generator construct a station on one of your sites. Weare familiar with all models, and their pros and cons, andwould be very happy to discuss with you. We understandthat as electricity procurement is unlikely to be your corebusiness, the process, technicalities and legalities can allbe daunting – not least the prospect of entering into suchlong term contracts (many PPAs have terms of around tenyears, for instance).Despite these challenges and complexities, manycorporate PPAs are being explored by large energyconsumers, and an ever increasing number are beingsuccessfully closed. This is a welcome trend for an energygrid which must continue to decarbonize at record pace,without subsidies, if we are to meet our ambitious legallybinding “Net Zero” target.AuthorBen BrownSenior Associatebenbrown3@eversheds-sutherland.com15

TeleScope TMT 2020 outlookTeleScope TMT 2020 outlookEU and UK TMThot topicsAuthorsImplementationof the copyrightdirectiveThe Directive on Copyright in theDigital Single Market came into force on7 June 2019 and is to be implemented byEU Member States into national law by 7June 2021.Article 15 creates a new right for presspublishers to receive payment fromonline platforms which aggregate theirnews stories. Article 17 imposes variousobligations on ‘online content-sharingservice providers’ which govern the useof copyright-protected content by usersof online sharing services. For furtherinformation please visit our article here.The UK Government announced on 21January 2020 that it has “no plans” toimplement the Directive. However,remaining member states are likely tobegin to interpret and implement theDirective into national law in the laterpart of 2020.16Adtechactivity–In a critical report, the view of theInformation Commissioner’s Office(‘ICO’) is that the adtech industry isprocessing personal data unlawfully.In 2020, it is likely that regulators willbegin to crack down on suchunlawful activity within the adtechindustry and will impose obligationson organizations to be moretransparent.–Advertising is becoming increasinglypersonalized and in order to targetindividuals accurately, companiesrequire intimate and personalinformation. It is likely that highlyinvasive, personalized data-drivenadverts will become more prevalentin the future, however individualsexpect their data to be secure andused transparently. Finding thisbalance will be a challenge in 2020.OnlineharmThe UK Government’s Online Harms WhitePaper of last year proposed a new approachto online safety. The White Paper proposedimplementation of a new regulatoryframework setting clear standards to protectindividuals from harmful and illegal onlinecontent whilst pr

practice guidelines for the full Software Development Life Cycle ("SDLC"). This comprises defining concepts and requirements, software design, development and implementation, testing and acceptance, deployment and integration, maintenance and disposal. The report includes: - analysis of security threats and vulnerabilities in all