Thomson Reuters

Data privacy, drones and corporate espionage—keeping up with legislation


As technology advances at an unprecedented rate, how well placed are our global and domestic regulations to deal with rapid change? Drones are taking to the skies in increasing numbers, companies across Europe are trying to interpret new data regulation, and hackers are upping their attacks on businesses large and small. Innovation in technology and moral progress continually inform—and are informed by—the legal framework. But does the pace of technological development, along with public debate, risk making existing legislation redundant?

The drones are on the rise

Drones are used for policing, search and rescue, photography and surveying, but will red tape keep them grounded for wider use? Accountancy firm PwC expects the UK drone industry to be worth £42bn by 2030, with 76,000 of these vehicles in use across UK skies. To keep those plans aloft, Joseph Raczynski, Technologist and Futurist at Thomson Reuters, says the UK has to strike a careful balance with regulation. In doing so, it hopes to encourage drone use by letting the likes of Amazon run delivery trials, while avoiding safety issues raised by foolish behaviour from flying fanatics, such as flying over football stadiums during games or into the path of aeroplanes.

New UK legislation, by way of an amendment to the Air Navigation Order 2016 which came into force on 30 July 2018, means enthusiast and consumer drones must be kept in line of sight, and will be banned from being flown above 400ft (122 metres). They must also be kept 50 metres from people and property, 150 metres from crowds, and 1km from airport limits. From 30 November 2019, it will be a legal requirement for all drone operators to register and complete an online pilot competency test.

Raczynski expects such rules to ease as the technology improves and no-fly restrictions can be built in. “A handful of drone producers have software that means if you try to take off next to Big Ben, for example, the drone won’t even move”, Raczynski says.

Manufacturers tend to back safety precautions, not least because it keeps their products from being banned, says Nigel King, Director of QuestUAV. “We don’t see it as any kind of problem”, King says. His firm makes larger fixed-wing craft—not consumer toys—and says clients are often surprised by the regulations they face but are quick to learn. “It’s a process of education”, King adds.

As new features are developed—such as autonomous flights and the ability to carry passengers—regulators and manufacturers will need to keep working together, says Rupert Dent, Regulation Director at the Association of Remotely Piloted Aircraft Systems (ARPAS-UK). “Legislation will need to be continuously updated”, Dent says. “This innovation is happening.”

Indeed, airborne delivery flights are already being trialled in the UK by Amazon and, Dent believes, drones will eventually be used in every industry—for everything from delivering medical supplies in congested areas to taking selfies for tourists. Raczynski thinks this will lead to landing pads being installed on roofs and balconies, while parking drones could help drivers find an empty spot. Compliance drones may hunt for decks and outbuildings built without permits, while firefighters could monitor forests for potential hotspots. Lifeguards have already used drones to more quickly deliver life preservers to drowning swimmers. “The next few years are going to be a mix of tech pushing the boundaries and regulators having to make new decisions”, says Raczynski. So long as the industry and regulators continue to work together, the future of drones looks promising.

Data done decently

Europe’s General Data Protection Regulation (GDPR) came into force at the end of May 2018. To date, the two most significant fines levied have been £183m against British Airways by the Information Commissioner’s Office (ICO), in the UK, for not protecting customer data, and £99m against Marriott, also by the ICO, for not protecting guest data.

“The transparency requirements of GDPR—including the right to be told about security breaches in some cases—along with the increased publicity about [the regulation] mean that more data subjects are aware of their rights and how to exercise them”, says Louise Townsend, Senior Editor for data protection at Thomson Reuters.

That will likely lead to more privacy complaints, but Townsend says it doesn’t mean courts need to batten down the hatches. Instead, says Townsend, “regulators will be the first port of call”, with the ICO as the UK’s mediator and authority on the issue, rather than the courts. Jon Baines, Data Protection Adviser at UK law firm Mishcon de Reya, notes that the ICO is now empowered to “take serious and punitive action” against data lawbreakers.

There is one aspect of GDPR that could lead to more legal action. The law allows an individual to ask specific types of non-profit bodies to represent them legally, and “[EU] member states can extend this to allow for such a body to take action even without a mandate from the individual”, says Townsend.

The new law, paired with high-profile media coverage of privacy stories, means people are waking up to the possibility of risks and abuses with their private data. “The signs are that individuals are becoming more aware of the extent to which their personal information is routinely gathered and used”, Baines says. Knowledge, as they say, is power.

The spy who hacked you

What’s the impact of corporate hacking? According to research and policy thinktank Chatham House, digital espionage is on the rise. “There’s no question it’s growing”, says Joyce Hakmeh, senior research fellow in cyber policy at the institute’s International Security Department. “And digitisation has transformed the way espionage is done.” No longer do spooks sneak into buildings to steal documents from filing cabinets, Hakmeh says. “Today, it’s done digitally and from a distance.”

“But the prevalence of corporate espionage is hard to quantify exactly”, says F-Secure principal security consultant Tom Van de Wiele. Such attacks often go unnoticed by victims, or are spotted but their reason is unclear: was this done in the name of hacker kudos, or was it a secret stealing mission by the competition? “We often only hear about the big attacks”, says Van de Wiele, pointing to the Aurora attack against Google and other corporations, likely aimed at stealing source code, as well as the ‘Shady Rat’ case, which targeted company data over many years.

Preventing digital corporate espionage isn’t much different to battling back against hackers, Van de Wiele notes. “The security precautions and controls to detect and to some extent thwart these kinds of leaks should be part of a company’s threat model, but for the most part the security strategy is not much different from trying to detect and defend yourself against other threat actors”, Van de Wiele says, noting corporate spies will use standard hacking techniques such as phishing and searching for network holes to gain access.

Beefing up systems to avoid being hacked may be the best solution at the moment, as it’s difficult to fight back or prosecute corporate spies. There’s the attribution problem, Hakmeh says. “It isn’t easy to know where an attack originates, but even when victims or authorities can confidently point to their attackers, international law isn’t clear on such attacks”, says Hakmeh.

Because of that, pushing back against corporate espionage can often take the form of high-level diplomacy. In 2014, the US indicted five Chinese nationals for targeting American companies. As the accused weren’t actually in US custody, the case wasn’t very practical, but it successfully sent a message. Shortly thereafter, the US and China signed an agreement to stop targeting each other’s companies, and China soon signed such bilateral agreements with the UK and Germany. Of course, that won’t stop financially motivated criminals from targeting a company, but it’s a start.
