Technology disputes and arbitration

In summary

Technology is fundamentally shifting the way in which individuals, businesses and governments interact with one another – bringing both opportunities and risks, including the increased risk of disputes. We see the most notable developments being the (continued) explosive growth of artificial intelligence (AI) and the EU’s ambitious efforts to serve as the vanguard of tech regulation. These developments are poised to give rise to new disputes –in both the investor–state and the commercial spheres. Finally, we observe that the arbitration and legal community has begun to actively manage the risks of using new technology, such as AI, and impacts on technology-related disputes.

Discussion points

• AI and other digital regulations in Europe
• Implications of digital regulations on investor–state disputes
• New technology and implications on commercial disputes
• Guidelines on the use of artificial intelligence in arbitration

Referenced in this article

• New and upcoming EU digital regulations
• SVAMC Guidelines on the Use of Artificial Intelligence in Arbitration
• UNCITRAL Working Group II Model Clauses
• Einarsson v Canada (ICSID Case No. UNCT/20/6)

Introduction

While much has changed in the world – and the world of technology – the fundamental dynamics and trends set out in our previous chapters continue to apply.

Globally, the dominant development has been the explosive growth and adoption of AI in the marketplace, posing new opportunities and challenges for businesses of all kinds.^[1] In Europe, in particular, governmental authorities have been consequently pursuing their ambition to regulate AI and other technologies, especially in relation to online platforms, data, the internet of things (IoT) and augmented and virtual reality technology. These developments have far-reaching implications for all companies based or operating in Europe and across all areas of law.

This article focuses on exploring the potential impact of these changes, highlighting four issues that we believe may be of particular interest to tech companies and dispute resolution practitioners operating in this space.

In Part I, we outline the EU’s role as a tech regulatory vanguard and its ambition to set global standards for regulating the digital space, most recently underscored by the entry into force of the AI Act.

In Part II, we outline how the EU’s digital regulations could lead to future investor–state dispute settlement (ISDS) claims by tech investors and explore specific challenges for investors looking to bring such claims.

In Part III, we discuss the impact of compliance with some of these new digital regulations on M&A deal structures and, in turn, post-M&A disputes.

In Part IV, we look at the arbitration community’s efforts to adapt to the emergence of new technologies and to court tech disputes.

Part I: Europe as the vanguard of digital regulations

Since February 2020, the European Commission has been working on a European Digital and Data Strategy, with the aim of expanding the EU’s digital sovereignty and setting global standards in the digital economy. Since then, the EU has rolled out an unprecedented number of new flagship digital regulations (with more to come) and is expected to update the existing General Data Protection Regulation (GDPR) framework in respect of personal data. These changes introduce novel and complex compliance challenges and create legal uncertainty, particularly in areas where they overlap, and are thus likely to give rise to disputes.

Below, we outline some of the essential building blocks of the EU digital regulations, including key regulations and directives and further laws under consideration. In 2024, numerous EU regulations have entered into force, with several more on the horizon.^[2] These new laws set a common legal framework for the European digital and data market, with significant implications for digital service providers, platforms and all companies offering connected products in the EU:

• the EU Data and Cyber Strategy: this includes the Data Governance Act (DGA) (in force), the Data Act (DA) (entered into force in 2024), the Cyber Resilience Act (CSA) (draft), the NIS2 Directive (in force) and European Data Spaces (draft). Perhaps most notable is the DA, which is intended to foster data-sharing in the IoT, implement broad data access rights in relation to IoT data and impose new requirements for cloud providers to make it easier for customers to switch between providers;^[3]
• the Digital Platform and Services Package: this includes the Digital Services Act (DSA) (in force) and the Digital Markets Act (DMA) (in force). The DSA introduces (1) new horizontal and technology-neutral frameworks for intermediaries, based on the principle that ‘what is illegal offline must also be illegal online’ and (2) various transparency and due diligence obligations tailored to the complexities of the different providers’ business models, with more onerous obligations for larger companies. The DMA introduces restrictions relating to interoperability, data portability, data collection and the use of and access to data for ‘gatekeepers’ (ie, large and established platforms, of which the EU is also expected to ramp up enforcement);^[4]
• the legal framework for AI: this includes the AI Act (entered in force on 1 August 2024) and the contemplated AI Liability Directive (in draft).^[5] The AI Act introduces uniform minimum requirements and obligations across the EU for the development, offering and use of AI systems, including a comprehensive set of product safety and governance obligations targeting high-risk AI systems, which are required to undergo a pre-launch conformity assessment, as well as provisions aimed at providers of general-purpose AI models (such as Open AI’s GPT platform) and transparency provisions (eg, regarding deep fakes). This is further accompanied by a planned AI Liability Directive, which is set to introduce new rights and procedural facilitation for users of AI systems so that they can more easily assert claims for damages against AI system providers; and
• content-related and other regulations: this includes the Digital Single Market (DSM) Directive (in force), the European Media Freedom Act (EMFA) (in force) and eIDAS 2.0 (in force).^[6]

Taken together, these multi-layered regulations reflect the European legislator’s ambition to set a global standard for regulating the digital world and also mark the start of a new era of data regulations, similar to the time when the adoption of the GDPR was just around the corner. Most of the new rules apply not only to tech companies but also to companies across any sector to the extent that they utilise, for example, data, connected products, AI applications or intermediary services respectively. Their impact will reach beyond the EU, as the new rules affect any global businesses operating in the EU or targeting European customers and might influence legislative efforts in other key markets outside the EU.

The current wave of digital regulations has an imminent and practical business impact on many companies. They are required to deal with new legal requirements at an early stage in order to bring products and processes in line with new and upcoming digital regulations. In particular, taking into account the high complexity of the various existing and upcoming legislative instruments, their overlaps in scope and the risk of significant fines for non-compliance (up to 20 per cent of the total annual worldwide revenue), companies need to approach compliance as comprehensive strategic projects and anchor the new principles in product development processes at an early stage (also known as ‘compliance by design’). But this is easier said than done. Against this background, we expect disputes centred around new digital regulatory rules to increase in the years to come. This is likely to include mass claims by consumers regarding businesses and regulatory proceedings. We believe, however, that this trend will increase the likelihood of disputes between businesses, for example, in the M&A context where tech regulation compliance is becoming increasingly relevant or via ‘private enforcement’ of regulatory compliance in unfair competition disputes.

Part II: tech ISDS claims on the horizon

While past ISDS claims have most often arisen out of the energy and mining sectors in relation to the use of natural resources,^[7] the emerging primacy of the digital economy means that new tech ISDS claims should appear with increasing frequency on the horizon. As demonstrated above, the existing and upcoming regulatory legal framework will have a significant impact on the tech companies and require substantial changes to certain business models. In this section, we outline potential ISDS claims and remedies of legal tech companies with respect to the aforementioned new regulatory developments and where the legal difficulties may lie.

Potential bases for tech ISDS claims

As outlined, in the past year, common bases for ISDS claims include unlawful expropriation, a breach of fair and equitable treatment (FET) and a failure to accord full protection and security. The changing EU digital regulatory landscape may lend itself to a potential FET claim. Any FET claim would have to be extremely fact-specific, with the extent, speed and impact of such regulatory changes being key.

The EU’s ambition to become a regulatory trendsetter, coupled with new digital regulations such as the DA, DSA and DMA and the AI Act, may bolster investors’ claims that the regulatory environment in the EU has not only changed significantly over time but also unfairly undermined the value of their investments. For example, in relation to the DSA, in April 2023, the European Commission designated 19 tech companies as very large online platforms (VLOPs) or very large online service engines (VLOSEs) and has further opened investigations into some of these companies.^[8] Given that these designations are made based on online platforms or engines that operate with at least 45 million monthly active users, they disproportionately affect big tech.^[9] From February 2024, the EU Commission has financial powers to apply fines for breaches of the DSA (up to 6 per cent of worldwide annual turnover) and penalties (up to 5 per cent of average daily worldwide turnover) for failure to remedy breaches of the DSA. Big tech companies that have been designated would also have to comply with more onerous obligations, including by moderating content on their platforms, providing enhanced transparency also in respect of advertising, as well as granting free access to data for researchers. Given that the implementation of the DSA as well as other new digital regulations is still in its early stages, the impact on affected companies’ business models and bottom lines are to be determined and may also contribute to complexities with potential future claims.^[10]

Future claims that are based on data may also give rise to difficult questions about its legal status as there is no ISDS jurisprudence on whether data in and of itself can amount to a protected investment. In relation to the legal status of data, the ongoing case of Einarsson v Canada (Einarsson) may be tangentially relevant as it concerns the legal protection of data in seismic works and whether data-sharing obligations in Canada violate investor protections (including against illegal expropriation).

In Einarsson, the claimants are shareholders of the company known as GSI, which surveys, maps and collects raw data on the geology of the earth’s surface. This initial raw data was processed and converted into digital images that were licensed to companies in the hydrocarbons industry, which could then use them to explore and exploit natural resources.^[11] Notably in their ISDS claim, the claimants did not argue that data in and of itself amounted to a protected investment as prior decisions of the Canadian Alberta court had already decided that both GSI’s raw and processed data qualified for copyright protection.^[12] While the case remains pending, we do not expect Einarsson to pronounce on the legal protections available for data in and of itself.

The claimants in Einarsson argue that the Canadian regulatory regime and judicial decisions ‘confiscated’ GSI’s data in seismic work and thereby undermined the fair market value of the company, which had derived significant revenues from licensing such non-exclusive seismic data^[13] to third parties. Specifically, the claimants allege that (1) GSI has been subject to increasingly extensive disclosure and data-sharing obligations under Canadian law to obtain permits for their surveying works, (2) Canada has significantly altered previous confidentiality protections accorded to such data (including by allegedly allowing third parties to access GSI’s data)^[14] and (3) Canadian courts have upheld the regulatory regime that ‘confiscated’ GSI’s data without any compensation.^[15]

One can thus observe some parallels with the nascent data-sharing obligations in the EU. Taken together, the DA, DSA and DMA also impose obligations on tech companies to share data with both private and public bodies, for little to no compensation.^[16] Mandatory data-sharing and disclosure obligations, especially when made without fair market compensation, could lead an investor to claim that the host state has unlawfully expropriated its investment that is based in its data. However, as with any ISDS claim, potential claimants would need to carefully evaluate their specific factual circumstances and the relevant regulatory regime. While some parallels between the EU digital regulations and the Canadian regulations in Einarsson can be seen, some differences are also apparent with the implementation of the new EU digital regulations at a relatively early stage and subject to changes.

Any assessment of a breach of FET or unlawful expropriation may also depend on tribunals’ weighing of policy choices. For instance, new EU data-sharing regulations often include built-in caveats to take into account legitimate interests of data holders, such as the protection of trade secrets. Some disclosure obligations are only triggered when a public purpose is at stake (eg, ‘public emergency’ under the DA or for the ‘sole purpose of conducting research’ under the DSA). This shows that there is an inherent tension between the public interest to widespread access to data (which is, in principle, not protected by property-like rights) and the legitimate interests of companies in their data-driven business models. Against this background, while states are bound to raise various objections to oppose such ISDS claims, it is expected that they will advocate for more tribunal deference to their right to regulate in the public interest, and the enhanced language in new EU data-sharing regulations may bolster states’ claims. Some ISDS tribunals have suggested that such scrutiny of regulatory powers may also be sector-specific; for example, investors in the banking and finance sector should expect and be prepared to comply with a myriad of regulations.^[17] As there has been no examination of regulations in the tech sector to date, it will be interesting to see how tribunals seek to balance investors’ rights against states’ right to regulate technology.

Jurisdictional challenges – avenues after Achmea

A tech company looking to bring an ISDS claim against a state must constitute a protected investor under a bilateral investment treaty (BIT) or an international investment agreement (IIA) between the host state for the investment and the home state of the investor.

Since the Court of Justice of the European Union’s (CJEU) decision in Slovak Republic v Achmea (Achmea) that BITs between two EU member states (also known as intra-EU BITs) are incompatible with EU law and the subsequent termination of these BITs,^[18] EU-based companies face an uphill battle when seeking to bring claims. Non-EU investors have more promising prospects, with several potential options. The US, for instance, continues to have older-generation BITs with some EU member states, which expressly protect intellectual property rights (IPRs) as investments.^[19] Moreover, in recent years, the EU has also concluded new IIAs.^[20] However, tech investors seeking to rely on these new instruments would need to undertake a careful review, given that these agreements (1) may not always welcome arbitration as a means of dispute resolution;^[21] (2) may contain complex provisions and carve-outs involving IPRs, telecommunications and data;^[22] and (3) may also enhance the host state’s right and discretion to regulate out of its public interests.^[23]

Quantification complexities

Claims based on data may also give rise to new and difficult questions about the assessment of its value. In Einarsson, the claimants argued that the unlawful expropriation of their data and disclosure by the Canadian authorities undermined the fair market value of their investment in GSI due to loss of revenues from licensing fees. In quantifying their losses, the claimants, with the help of experts, (1) used their previous licensing fees to companies as a basis and (2) applied a multiplier depending on the number of times a licence would have been required for the particular group of third parties accessing the data.^[24]

The claimants’ approach may be workable where a business licenses its data directly and there is already a long-standing method of proving that its data has an assigned and accepted economic value on the market. However, it is not entirely clear if businesses that use data in other ways (eg, to train internal business models) can rely on the same methodology. Data-driven business models are being developed dynamically and data markets and valuation models are still nascent.^[25] Given that the full value of data is often not known until put to a specific use, including in future business models and inventions that do not yet exist, these may be difficult to measure directly.^[26] Much will depend on the historical usage of data in each business and whether sufficient evidence of its commercial value can be proven.

Part III: new fronts in the tech commercial arbitration space

The tightening regulatory framework in Europe is also bound to impact the way in which M&A deals are structured and the types of post-M&A disputes that arise.

Take the DSA, for example, which, as explained above, is aimed at all providers of digital services that act as intermediaries. The DSA sets out a series of responsibilities, with stricter rules and compliance requirements applying to large companies (in particular those designated as VLOPs or VLOSEs). As a result of this and other new acts, digital business models will need to be reviewed and may need to be adapted and designed to the new set of rules. Considerable resources must be dedicated to achieving compliance with the new rules, which provide for strict enforcement regimes that establish interaction between the European Commission and national authorities with fines measured by a percentage of a business’s global annual turnover.

In the context of an M&A transaction, the risk of non-compliance with these new rules needs to be identified and allocated. In light of the complexity and significance of the DSA, as well as the high risk in cases of non-compliance, this is no easy task. The sell-side in the context of M&A transactions will usually attach great importance to not providing broad warranty or guarantee catalogues for these laws (but limit warranties, for example, through ‘knowledge qualifiers’); equally, the buy-side faces the risk that it can only assess compliance to a limited extent and thus has an interest in broad warranty protection.

It remains to be seen which ‘best practices’ will emerge to address these risks. We may see new or expanded digital and data ‘warranty catalogues’, which, in turn, could result in considerable potential for disputes because of the high risks resulting from non-compliance and thus a high appetite for post-M&A claims. It is also conceivable that buyers will start to conduct broader regulatory digital and data regulatory readiness exercises post-closing (not only focused on GDPR topics as has often been the case so far).

In sum, we see clear signs that regulatory digital and data compliance will be high on the agenda in M&A deals and disputes in the future, indicating that issues arising in this regard will shape the disputes landscape more prominently than in the past.

Part IV: arbitration adapts to tech developments and disputes

The advent of AI in the marketplace has affected not only businesses but also the way dispute resolution operates. Infamously, in the US, lawyers have been sanctioned for submitting fictitious case citations generated by ChatGPT to the court.^[27] Some jurisdictions have required lawyers to disclose their use of AI^[28] but no uniform standard for regulating such uses exists. In the EU, the AI Act may lead to AI systems (including research tools) that are used in arbitration being classified as ‘high-risk’, which would have to meet stringent requirements.^[29] It is not yet clear what the consequences of non-compliance with the EU AI Act would be for an arbitral award or the involved arbitration practitioners. For now, popular research tools, such as Jus Mundi, have already begun seeking to clarify why their AI-powered functionalities would not fall under the EU AI Act.^[30]

While these uncertainties remain, the arbitration community has begun to come up with some answers.

For example, on 30 April 2024, the Silicon Valley Arbitration and Mediation Center (SVAMC) has released the first set of guidelines on the use of AI in international arbitration (SVAMC AI Guidelines) following its previous public consultation process. Of note, a previous proposal encouraging parties to disclose their use of AI in arbitral proceedings was met with some discomfort and pushback. The final version of Guideline 3 therefore established, as a general matter, that the disclosure of the use of AI tools was not a requirement for arbitration proceedings. However, Guideline 6 of the SVAMC AI Guidelines clarifies that arbitrators’ use of AI tools shall not replace their personal mandate and duty of non-delegation with respect to deciding the case. The new Guidelines also introduce some ‘soft’ standards with respect to the use of AI in arbitration proceedings, which are non-binding. In its current form, the SVAMC AI Guidelines strike a balance by safeguarding the fundamentals of the arbitral process (the integrity of the arbitrators’ decision-making process) but leave room for party representatives to use AI in an efficient manner that would also streamline legal costs for parties.

On the inter-governmental plain, the United Nations Commission on International Trade Law (UNCITRAL) Working Group (WG II) has prepared model arbitration agreements, provisionally titled specialised express dispute resolution (SPEDR) (SPEDR clauses), that companies can adopt and incorporate into their contracts. Given that most arbitral institutions offer some recommended language when adopting their procedures, the use of such tailored model clauses may be most relevant when companies are looking at ad hoc arbitration, where there is no involvement of an arbitral institution.

There are four SPEDR clauses, on highly expedited arbitration, adjudication, technical advisers and confidentiality. While these clauses are prepared for all users of arbitration, some clauses lend themselves particularly useful to the tech sector and in light of the original mandate of WG II to consider technology-related dispute resolution. The clauses will eventually be issued with accompanying explanatory notes, which are still being discussed at UNCITRAL WG II.^[31]

The model clause on highly expedited arbitration provides for highly expedited time frames for the period in which parties can agree to the appointment of a sole arbitrator (a suggested period of seven days), the arbitral tribunal can consult the parties on the manner in which it will conduct the arbitration (a suggested period of seven days), and the issuance of the award (a suggested period of 45 days). Of note, these time frames can be adjusted by the parties in their contractual documents. This model clause may be particularly suitable for start-up tech companies, which often prefer for their disputes to be resolved expeditiously to minimise disruptions to their cash flow or business operations.

The model clause on adjudication introduces the use of expert determination procedures commonly used in disputes involving the construction sector. The model clause envisages that parties may submit a dispute to an adjudicator for binding determination. Should the parties fail to comply with the adjudicator’s determination, the parties have further recourse to arbitration, during which the arbitral tribunal is not bound by any previous adjudicator determination. As the model clause envisages that both adjudication and arbitration can proceed concurrently, parties would need to be cautious and consider having additional suggested language to exclude any concurrent proceedings.

Other model clauses, such as the use of technical advisers by arbitral tribunals for technical matters and confidentiality, would also be useful for tech disputes when highly technical and commercially sensitive information is involved. When issued, the SPEDR clauses may complement existing options for tech companies to tailor their arbitration agreements as they see fit.

When devising their arbitration clauses, tech companies will therefore have a myriad of options. They should consider not only the type of tech dispute they have (eg, IPRs or purely contractual issues) but also whether there may be benefit in adopting model clauses or abiding by institutional arbitration rules. In choosing the latter, they should carefully select the framework (whether general arbitration, expedited arbitration or expert determination) that best suits their dispute and consider any additional offering such as recommendations for possible arbitrator candidates.

Conclusion

In our analysis above, we have outlined the different changes affecting tech companies, ranging from the EU’s regulatory ambitions and digital regulations to its effect on ISDS claims and commercial M&A disputes. Moving into 2025, these changes continue to pose opportunities and risks for tech companies and mark potential hot spots for arbitration practitioners.

Endnotes