This interview was conducted as part of the 2020 Edition of The Best Lawyers in Germany “Law Firm of the Year” award recognitions. Our partner Handelsblatt, also published these awards on June 27, 2019, online and in print in their June 2019 edition.
For Isabell Conrad of SSW Schneider Schiffer Weihermüller—Germany’s 2020 “Law Firm of the Year” in Information Technology Law—the rapidly evolving technology industries hold exciting prospects for the future. She joins Phillip Greer, CEO of Best Lawyers, to discuss how A.I., blockchain technology, and self-driving cars are just a few of the technologies people should be prepared for.
One of the appeals of blockchain technologies is the ability to conduct smart contracts, what do you think of their potential and could this be a threat to certain legal specialties?
Isabell Conrad: In my opinion, AI and blockchain could be a combination of both. For example, legal tech applications will be something widely spread and fundamentally changing our work as they are very likely to cover standard legal work. To my knowledge, most large companies are conducting big digitalization projects. I don't call it a threat, but it will definitely change the legal market. On the other hand, complex legal opinions or complex legal questions and solutions will become more and more valuable to the client and this is something that cannot be covered by any kind of legal tech and blockchain. Regarding blockchain, to my knowledge, the banking and insurance sector they're all aware of blockchain and observing the market development very, very closely.
Furthermore, there are universities in Germany and technology institutes such as Fraunhofer which are involved in the development of blockchain applications and projects. I'm not sure whether blockchain in connection with banking is the most prosperous way it is going to evolve. However, what blockchain will be used for is as a trust solution for any business relying on truthful documentation and audit-compliant archive (such as supply chain management, IP licensing, etc.). For example licenses. For ensuring that a license is valid, or for dealing with issues regarding open-source software. Has a certain license been granted for a particular use? I think that in this area, the blockchain technology will be very helpful in the future. Blockchain has its biggest potential in the virtual world and concerning digital goods/content.
In more of a broad sense, as it relates to technology, where do you see areas of growth and where might we be headed over the next decade?
A.I. and everything connected to A.I., from smart algorithms and chatbots to neuronal networks and fully autonomous decision making systems. For Germany A.I. in connection with support for the health care sector or support for doctors in diagnosis, in therapy or support for elderly people is a fundamental development.
I think the same is happening in the U.S., as people are getting older, A.I. supports them in their daily life, e.g. by recognizing when they have not taken their medication or if they have fallen and need support by a doctor. This is one big area of development and another one is, of course, any kind of self-driving car functionality. I think these will evolve very, very rapidly.
How do you advise your clients to protect themselves from numerous threats, including extortion and data?
This is indeed a huge problem because most of modern technology, in particular, A.I., is fundamentally based on systems that are deeply interconnected. So many things are connected to the internet and then it is that kind of connection that makes them vulnerable regarding malware attacks.
One solution used in high-risk areas is cutting any connection to the internet. There are black-box systems that are not connected to anything. In high-risk areas that definitely makes sense. However, most of our clients are investing in business continuity concepts, so that if there are malware threats or attacks they can disconnect the servers or any infected computers or systems and continue their business. This kind of IT security concept is evolving. Then there is also detection of malware or any kind of irregularities by A.I. and by methods like the QRadar by IBM. These are huge systems that are screening and scanning the traffic and which can very quickly detect irregularities. Of course, with this kind of I.T. security measures, there is a natural conflict between privacy and not being scanned and not being supervised all the time and having a very good I.T. security concept in place.
There is this contradiction that we have here. But we have to start somewhere.
Regarding data protection and privacy, the EU General Data Protection Regulation and German Privacy Act went into effect two years ago. What has the compliance process been like for your clients? Has it been easy, difficult?
Actually, most companies—and the public sector too—are still struggling with state-of-the-art security and data protection, in particular with the fulfillment of accountability obligations. They already spent and are still spending d a lot of time and effort in gap-analysis and updating of documentation. The changes in legislation by the GDPR, are not dramatic but in detail very relevant. For example, regarding the information obligations and regulation of special categories of data such as biometric data. This is a burden e.g. for profitable use of A.I. in Robo Recruiting etc.
Of course, we already had data protection provisions in Germany. There were some companies that had to make some effort to fulfill at least the minimum requested by the GDPR until the day of the GDPR becoming applicable. It came into effect in 2016 but the two-year period until all the companies had to fulfill the GDPR requirements was nevertheless very short. Now we have the situation that the GDPR is an abstract regulatory set of rules, in parts not very specific and not self-explanatory, and can be interpreted in many different ways. In order to be able to provide the client with some concrete advice, we require European court decisions. We are in the position to tell our clients what is forbidden by the GDPR. That is made pretty clear. But what we can’t tell them precisely is what they are actually allowed to do. In this evolving field of IT and artificial intelligence it is difficult for us to advise on legal boundaries for example in new projects that are based on the question whether data is securely, and definitely, anonymized and whether the data which is anonymized can be processed by the AI/neuronal network for other purposes.
This article has been edited length and clarity.