We live on a rising tide of technology – a time of increasing ‘tech intensity’ in the words of Microsoft CEO Satya Nadella, when an organisation’s development will increasingly be linked to its tech adoption rate and tech capability. This intensification was a key characteristic of 2021 – not just in the tech world, but also in the climate (Canada’s summer heat wave saw temperatures hit 49.6 °C, 4°C higher than before) and covid (165m people – I in 50 in the world – were infected in the first 10 months of 2021, twice 2020’s 85m).
The cloud’s tidal pull
Driven by competitive pressure, tech intensity is a feedback loop where cloud service providers build out their own tools and platforms that fuel, and in turn are fuelled by, their customers’ digital transformation and cloud adoption.
Big wins need big bets, and Google, Amazon and Microsoft – who together operate more than half the world’s 600+ hyperscale data centres – are reaping returns on their cumulative infrastructure investments of many $00bn over the last 15 years: in the year to mid-2021 they saw cloud revenue growth of 54% (Google, to $4.6bn), 30% (AWS, to $14.8bn) and 37% (Microsoft, to $17.4bn).
Research consultancy Gartner is forecasting total global cloud spending to grow even faster and to reach $482bn in 2022, up 54% from $313bn in 2020.The Economist has identified a group of 42 ‘tier-two tech’ firms set up since 1999 with a market value of $20bn or more (including Snap, Twilio, Zoom, Shopify, Pinterest and PayPal) that are growing even faster than the ‘GAFAM’ (Google, Amazon and Microsoft plus Apple and Facebook): in February 2020 ‘tier-two tech’s market capitalisation was 22% of GAFAM’s, and by October 2021 it had risen by almost half to 31%.
That the cloud’s growth rate is increasing and hasn’t succumbed to the law of large numbers shows how much further it has to go. This is particularly the case in the combinations of ‘cloud + AI’ – still in its early days, but where general, cloud-enabled ‘background’ AI is adding quickly to the specialist AI applications that have characterised AI over the last few years; and ‘cloud + digital reality’ – where the cloud is setting the scene for the next big shift that we’re hearing such a lot about, the metaverse.
The metaverse (or mixed physical and digital reality) replaces the flat screen with immersion, embedding the real world into computing and computing into the real world. As Meta’s (formerly Facebook’s) recent announcement of a $10bn investment in its Reality Labs unit makes clear, realising the metaverse is a vast undertaking. As the enterprise (rather than the consumer) metaverse, it’s well explained in the graphic below, drawn from Microsoft’s metaverse technology stack.
Level 1 wires up the physical space (anything from a conference room to a factory) to the cloud with IoT sensors and monitors. Levels 2 models digital twins (or representations) of real world people, things and places. Level 3 maps the digital twins to the digital copy of the physical space.
Level 4 collects and stores the vast amounts of data generated so that, first, any change in the physical space – or movement of a person or something in it – is reflected in its digital twin; and second, all that data and its history can be analysed to predict future states. Level 5 is the AI layer – insights through self-improving machine learning and autonomous systems. Level 6 is the reporting and querying mechanism for decision making based on data from the warehouse and insights from the AI – does a part in the factory line needs replacing? can we speed up the conveyor belt?
Level 7 is Mesh, Microsoft’s communication platform – think turbocharged Teams – that unifies physical, virtual and holographic collaboration from any space, on any device. Finally, level 8 is HoloLens 2, Microsoft’s immersive mixed reality headset.
2022 will see steps along the path to the metaverse, but its full realisation is some way off.
What does this all mean for tech law for UK practitioners next year? Looked at through the lenses of AI, digital assets, data protection, digital regulation and intellectual property, a key feature for 2022 will be the extent to which the UK diverges from EU rules that it adhered to pre-Brexit (in the area of data protection for example) and how different UK and EU rules will be in new legislative areas (like digital regulation and AI).
Organisations are tending to ditch over-elaborate AI frameworks, and concentrate on key practical questions – avoiding discrimination and bias, ensuring transparency through reproducible outcomes to enable remediation and improvement, and accountability through practical processes.
But the question of how far to regulate AI is still wide open.
The UK Government – whose laissez faire instincts in this space have become more pronounced this year – is watching the progress of the EU’s April 2021 draft AI regulation closely, particularly its characterisation of risk (as unacceptable, high, limited or minimal). With the US also starting to signal that a ‘risk based’ approach is the way to go, we expect the UK to get to crunch time in this area in 2022. The next thing to look out for is the UK Government’s AI White Paper, expected early 2022 – any significant changes in course are likely to be signposted there.
That the proliferation and adoption of digital assets will continue to gather pace in 2022 seems certain, even as they are brought more within the regulatory net. We are becoming more familiar with what they are and their status as property. HM Treasury and the Law Tech Delivery panel have defined cryptoassets as:
‘digital representations of value or contractual rights that can be transferred, stored or traded electronically and may (but do not need to) use cryptography or distributed ledger or similar technology’ including include exchange tokens (such as Bitcoin, Ether, XRP and any other cryptocurrency), e-money tokens, securitytokens and utility tokens; and
‘any intangible thing, thing in action or information that is (a) uniquely identifiable, (b) capable of constituting value and (c) represented in digital data’.
Although 2022 is likely to see more regulation around cryptoassets, quite where the boundary lies between crypto as property rights and crypto as personal (non-property) rights is likely to have to await being decided under insolvency law, the testing ground for new property interests.
Besides the ‘What type of property are they?’ question, other fundamental legal issues about digital assets are still to be worked through: How are they transferred? Are they ‘Goods’? How do security interests work? A number of high-profile consultations on these topics will spur developments in this area in 2022.
Data protection will continue to dominate the tech law landscape in 2022. Although the UK gained adequacy status from the EU in June 2021, the EU’s allusions to premature review ahead of the 27 June 2025 sunset date mean that practitioners will need to bear in mind the possible consequences of the decision expiring without renewal.
This question will likely be linked to the broader UK/EU relationship, but the UK Government’s murmurings on wider reforms to technology regulation, including the DCMS public data protection consultation for an ‘ambitious, pro-growth and innovation-friendly data protection regime’ indicate an appetite for less regulation. For privacy practitioners, it is noteworthy that the UK Government are considering repealing the restrictions on profiling and automated decision making under Article 22, including the right to human intervention, and reducing the restrictions on collateral use of personal data.
Practitioners will also need to be mindful of transfers beyond the UK-EU as the ramifications of Schrems II continue, including the ongoing negotiations for a ‘Privacy Shield 2.0’, even more Standard Contractual Clauses, developing practices for those vexing Transfer Impact Assessments and the final versions of the UK SCCs (together with a UK Addendum for the EU SCCs), transfer risk assessment and associated ICO guidance.
We’ll also be keeping an eye on the anticipated developments at the ICO, including a new Information Commissioner in John Edwards, former New Zealand Privacy Commissioner and the DCMS’ preferred pick, potential reform to the independence of the ICO under the National Data Strategy and the final Clearview AI decision expected in mid-2022 – the current “provisional view to fine” perhaps indicating a softening of approach. Questions left by the Supreme Court’s judgment on the defeated class action in Lloyd v Google, and final versions of the ICO’s AI and data protection risk toolkit and guidance on Employment Practices and Privacy Enhancing Technologies will also be of note next year.
Other international developments likely to call on practitioners’ time in 2022 include the interaction between the EU GDPR and the EU Digital Services Package and Data Strategy, the decline of the “one stop shop” mechanism, rising fines and questions over the future of the Irish Data Protection Commissioner. Businesses transferring data on a global scale will also need to keep an eye on a growing number of local laws, including the US, China and India.
At the same time as we’re seeing increasing tech intensity, societal calls for greater digital regulation are also intensifying.
In May 2021, the UK Government published its widely anticipated Online Safety Bill (‘OSB’). Part of the UK’s response to recalibrating Big Tech’s responsibilities, the OSB aims to prevent harm to individuals by imposing duties of care on internet search and social media services providers to prevent and restrict proliferation and exposure to illegal (on the one hand) and harmful but not illegal (on the other) content online. The passage of this legislation through Parliament will be a key focus for tech law in 2022.
Whilst the EU’s Digital Service Act package – also going through the law making process in 2022 – is looking to reset the EU’s intermediary liability regime set out in the EU e-commerce directive of 2000, the UK’s preference expressed in 2020 to maintain them ‘as is’ looks to be watered down in the draft OSB.
Watching how this develops will be key for the new generation of ‘Web 3.0’ service providers, combining [peer to peer apps] + [decentralised data storage] + [encrypted identity verification] + [third party service integration].
The UK Government consulted in autumn 2021 on its plans for the new pro-competition regime for digital markets. These focus on a bigger role for the Digital Markets Unit of the main Competition and Markets Authority in regulating digital businesses with ‘strategic market status’ (‘SMS’). SMS designation will give rise to a special merger control regime and code of conduct compliance. This legislation will progress in 2022, but the CMA’s £50.5m fine imposed on Facebook in October 2021 over its 2020 acquisition of video file search engine Giphy looks like heralding a more muscular UK regulatory approach.
The mixed reality world of the metaverse will stretch even further the concepts of ownership and permissioning in the digital world. The traditional concepts of copyright and confidentiality, and more recently database and trade secrets, have stuck reasonably well to software and data so far in the fourth industrial revolution. But as the metaverse builds layer upon layer of AI, software and data in a constantly changing kaleidoscope of new and derived content, will these concepts still work?
Although the courts have found it challenging to apply the communication to the public right to the internet world, the answer is probably yes: the traditional UK judicial approach of ‘what is worth copying is worth protecting’ is still likely to apply; and this, coupled with a structured contracting approach to asserting / acknowledging IP ownership and licensing its use precisely, would appear to chart a path in this new environment.
The UK Court of Appeal has recently confirmed that that a machine is not an inventor for the purposes of the UK Patents Act 1977. However, the underlying copyright and patent positions on ownership of computer generated works (which will vary from country to country as IP rights are essentially national) are sufficiently lacking in clarity to make it advisable to regulate the parties’ positions by express contract terms.
The key theme is control – specifying permissions and restrictions contractually should reduce the likelihood of disputes by bringing clarity to complex questions and grey areas. And it’s equally important for creators and consumers alike: rightsholders will be able to leverage their content to potentially generate new revenue streams and consumers will have clear rules of engagement around what they can and can’t do.
Rules of engagement and standards – akin to existing treaties or FRAND licensing regimes – are also likely to be relevant as the metaverse coalesces. Clear rules based expansions, backed/supplemented by contracts will ultimately allow the integration of existing proto-metaverses to occur organically and with minimal disruption to rights, creating a truly all en-compassing metaverse.
 For the best analysis see the judgment of Arnold LJ on March 26, 2021 in TuneIn v Warner Music and Sony Music, Here, TuneIn ran an internet music service that aggregated links to audio streams. It was found to infringe Warner Music’s and Sony Music’s communication to the public right.
Thaler v Comptroller General of Patents, Trade Marks and Designs, Judgment of the Court of Appeal, September 21, 2021.