Earlier today, I attended a conference organized by Oliver Arter and Florian S. Joerg on Internet and e-Commerce Law in Zurich. I was invited to speak about e-Compliance in general and the implications of e-Business on compliance and corporate organization in particular. E-Compliance can be understood as a set of institutional arrangements and processes aimed at managing the legal and regulatory risks resulting from the transition from an offline/analog to an online/digital corporate information environment. My colleague Daniel Haeusermann and I have come up with the following theses – intended as discussion points and “food for thought.”
The main thesis is that e-Compliance, in important regards, is qualitatively distinct from traditional compliance. We argue that four trends support this key thesis.
Law and digital technology are closely intertwined. The compliance-relevant interactions are hereby bi-directional. Digital technology leads to legal problems that have not emerged in the paper world. Consider, for example, the use of email in a corporation as a partial replacement of oral communications and the set of legal problems associated with email usage and storage (ranging from data privacy/monitoring issues to e-Discovery exposure.) However, digital technology can also help to ensure a company’s compliance with the law. Software that can be used to enforce a “litigation hold” might be a good example in this context. At the organizational level, the suggested interplay between law and technology calls for a close collaboration between lawyers and IT-staff.
E-Compliance is risk management in a quicksilver environment and under conditions of legal uncertainty. The speed of ICT innovation has put the legal system under enormous pressure. The legal system’s answer, essentially, is either the application of existing rules (“old law”) to the new phenomena, or legal innovation (e.g. by formulating new rules or introducing new doctrines.) Typically, both processes create uncertainty, because the legal system is forced to synchronize its relatively slow adaptation processes with the speed of technological change. A nice illustration of the increased pace of change in law that creates uncertainty are legal regimes that govern online intermediaries such as access providers, search engines, and hosting providers. Up to the year 2000 legislators around the world have enacted laws (such as the CDA or the E-Commerce Directive) to limit the liability of online intermediaries, or to “immunize” them entirely. Only few years later we now face a global trend towards stronger regulation of online intermediaries, including a reconsideration of the respective liability regimes. From an organizational perspective, this increased speed of change requires that companies in the IT-business (this includes, e.g., banks) establish “early warning systems” – for example in collaboration with academic partners – aimed at tracking trends and developments at the intersection of law, ICT, and markets.
Digitization in tandem with the emergence of electronic communication networks has internationalized (old and new) legal problems in an unprecedented way. The first driver of internationalization of e-Compliance is straightforward: it’s the global medium “Internet” itself. The second source is related to the first one, but less obvious: In our view, the digitally networked environment creates a notion of proximity that leads to an increased relevance of foreign national law for corporations being incorporated and/or operating in another jurisdiction. Good examples are cross-border e-Discoveries, where U.S. plaintiffs seek to use American procedure and evidence laws to access information stored in different jurisdictions, e.g. in Europe, usually without following the procedures set forth in respective international treaties such as the Hague Convention on Evidence. It follows from this trend that it is a necessity for successful e-Compliance to apply a global perspective. In the case of multinational enterprises this requires, for instance, that the legal and compliance departments of the entities located in different countries collaborate closely on e-Compliance issues.
The rapid evolution of digital technologies on the one hand and the increased legal uncertainty with regard to the interpretation of old and new laws on the other hand further increase the relevance of industry self-regulation, for instance in form of codes of conducts or best practice models. Again, the regulation of online intermediaries is illustrative for this trend. In Germany, for example, content regulation of online intermediaries such as search engines is largely based upon a self-regulatory approach. In the light of this development, sustainable e-Compliance increasingly includes involvement in standard-setting bodies and industry best practice-groups – both as an expression of “good corporate citizenship” and based on the acknowledgment that “soft law”, in turn, can improve a company’s e-Compliance with the increasingly complex network of legal, quasi-legal, pre-legal and ethical obligations.