Data and digital business

We predict in 2022 there will be 5-10 legal challenges resulting in fines or other legal sanctions against organisations using Artificial Intelligence (AI) without sufficient transparency, in breach of the GDPR.

Why?

• We expect to see an increase in these sorts of challenges because AI adoption continues to grow at an almost exponential rate. Research by Gartner found that a third of organisations will invest at least $1 million in AI technology by 2023.

• At the same time, AI systems are becoming increasingly complex. The decision-making processes of many AI systems cannot be understood by humans.

• Despite an increasing focus on AI transparency or “explainability” in ethical AI frameworks and regulatory proposals, many organisations will continue to use opaque AI systems without sufficient transparency.

• Under Articles 13-15 GDPR, data subjects have the right to “meaningful information about the logic involved” in an automated decision-making process (which will include AI) which uses their personal data i.e. a right to understand how the technology works.

• In 2021, Uber and Ola Cabs were challenged in the Dutch courts for a lack of transparency in their automated decision-making, and Foodinho, an Italian company, was fined by the Italian data protection authority for the same reason.

• The combination of an increase in AI adoption, an increasing focus on explainable or transparent AI, and these cases, is likely to prompt further similar challenges.

Prediction author: Minesh Tanna

We predict in 2022 the volume of ransomware attacks against UK organisations will double, leading to increased pressure for the criminalisation of ransom payments.

Why?

The threat to organisations around the world from cybercrime has been increasing rapidly and was accelerated further by the pandemic. All types of cybercrime have been prevalent in 2021, including denial of service attacks, phishing, cyber-enabled frauds (including authorised push payment fraud), identity fraud and malware. But ransomware, a form of malware that encrypts users’ information pending the payment of a ransom, usually in cryptocurrency, has been and will continue to be the “most immediate danger” faced by UK companies.

Ransomware attacks doubled in 2021 and are having an increasing effect on the financial system (see our article here). Attacks are becoming increasingly sophisticated. Organisations have generally improved their information management processes, including regular backups which reduce organisations’ vulnerability to threats to permanently encrypt data. But ransomware threatening to use that encrypted data, for instance leaking personal data (with all the regulatory consequences – see also our data litigation prediction) or commercially sensitive data, has become more common.

There is no indication that the proliferation of online threats will slow down. Such crime is, to a degree, “uncontested” given the difficulties involved in investigating and prosecuting the relevant criminal groups, which operate cross border and from jurisdictions that do not typically cooperate with European and American law enforcement agencies. It is also incredibly lucrative and increasingly easy: the technical barriers to entry are falling on account of the deployment of AI by criminal gangs and the emergence of ransomware-as-a-service operators.

The cost of cybercrime to businesses is vast: over $1 trillion a year worldwide and $27 billion in the UK alone. We expect that companies will face increased regulatory oversight to ensure appropriate systems and controls are in place and that pressure for a crackdown on the ransom payments that are driving the ransomware industry’s profitability will grow.

At the same time there is a hardening of the cyber insurance market, meaning that it is becoming more difficult for organisations to obtain affordable comprehensive cyber cover for first and third party losses arising from ransomware attacks.

Prediction authors: Robert Allen, Emily Agnoli, Thomas Bowen

We predict in 2022 the Competition and Markets Authority (CMA) will circulate requests for information and launch one subsequent competition investigation into how AI and algorithms are used and their impact on competition.

Why?

Competition authorities, and to some extent industry, are behind the curve in understanding the competitive impact of the latest and upcoming AI and algorithms.

In January 2021 the CMA published its Algorithms paper which gave fair warning to those using AI / algorithms as part of their competitive offerings of upcoming competition law scrutiny.

The CMA’s Digital Markets Unit has since been established in shadow form and is considering feedback from its consultation on proposals for a new regime for digital markets. We anticipate the DMU will become fully functional and active in 2022.

We see two competition concerns likely to be probed by the CMA:

a) Do these systems result in tacit coordination between competitors? i.e. are firms able to explain fully their systems’ impact (or lack of) on competition?;

b) Are firms using AI or algorithms to abuse their position of market power?

See also our AI prediction above.

Prediction author: David Trapp

We predict in 2022 the Competition and Markets Authority (CMA) will open two further data investigations into “big tech” and one market study of the use of data by ‘smaller’ tech.

Why?

Following the opening of CMA probes into Facebook’s use of ad data, Google’s ‘privacy sandbox’ and the EU’s continued investigation into Amazon, we expect the CMA to continue its scrutiny in this area – potentially mirroring the EU Amazon investigation.

As mentioned in the above prediction, 2021 saw the CMA establish its Digital Markets Unit in shadow form and is considering feedback from its consultation on proposals for a new regime for digital markets. We anticipate the DMU will become fully functional and active in 2022.

The regulator’s upskilling in this area and regulatory empowerment with the upcoming regime is not only a sign that it intends to continue taking on ‘big tech’, but a precursor to a wider casting of its investigatory net. This will also capture the practices of smaller tech that arguably handles / uses vast amounts of data relative to the market in which it operates.

Prediction author: David Trapp

We predict in 2022 we will see the first decision of the Upper Tribunal on the FCA’s rejection of an application by a crypto business for registration.

Why?

Since January 2020, cryptoasset businesses have been required to register with the Financial Conduct Authority (“FCA”) under the Money Laundering Regulations 2017 (“MLRs”). Existing cryptoasset businesses could join a temporary regime, allowing them to continue business while their applications are pending. If a business’s registration application is refused by the FCA, it must cease business in the UK.

The FCA’s criteria for refusing applications are found in the MLRs. They relate principally to anti-money laundering controls. The FCA has acknowledged that the registration standards it is permitted to apply under the MLRs are “far less demanding” than those applicable to firms carrying on regulated activities under FSMA, and that this is a source of concern.

In the light of this, the FCA has adopted what it refers to as an “assertive” approach towards registering crypto businesses. 90% of applications assessed to date have been refused or withdrawn following “robust” engagement. This assertive approach might, in our experience, lead to the FCA straying beyond its remit under the MLRs and improperly rejecting an application on irrelevant grounds.

A crypto business may challenge the FCA’s rejection of its application. The route of challenge is ultimately to the Upper Tribunal, a Court which will consider the application afresh. Firms rarely challenge FCA decisions before the Upper Tribunal. However, given the severity of the consequences of rejection, it is our view that at least one crypto business will challenge the FCA’s rejection of its application before the Upper Tribunal in 2022.

Listen to our podcast which examines the FCA’s oversight of crypto businesses in the UK.

Prediction author: Douglas Robinson

We predict in 2022 we will see the first case brought in England against a crypto custody provider for having failed to prevent one of its customers falling victim to a fraud.

Why?

In the traditional economy, banks act as gatekeepers for transactions. Parties wishing to make or receive payments must generally hold a bank account and instruct their bank to execute transactions on their behalf. In the crypto economy, wallet and exchange providers play a similar role, allowing parties to hold assets and effect transactions between one another.

It has long been common for fraud victims to pursue their bank, as the party with “deep pockets”, in circumstances where the perpetrator cannot be identified or is impecunious. In such cases the bank is often accused of having failed to prevent the loss suffered by the victim, on the basis that it owes a duty of care to its customer and is in a position to identify and prevent suspicious transactions. Victims also often seek Court orders requiring banks to divulge information concerning transactions and accounts, where it is necessary to pursue the fraudster.

Crypto-related fraud and hacking can leave victims with little chance of recovering their lost cryptoassets. However, since the transactions by which fraud is effected are likely to involve large crypto exchange or wallet providers, victims may look to those providers to divulge information about transactions and reimburse their losses. In so doing, the victims may rely on similar arguments to those that have been used against banks, alleging that the providers failed to prevent the loss. Given the rapid expansion of the crypto market, we think 2022 will be the year when these claims start to reach trial.

Listen to our podcast “Litigation risks for crypto exchanges and custodians”.

Prediction author: Douglas Robinson