Jan Bredehöft, head of legal, Germany, Huawei Technologies
The German legal head of the Chinese network, telecoms and services equipment company chats to GC
about data protection, cybersecurity, and tech developments affecting GCs.
GC: Tell us about yourself and your role in Huawei.
Jan Bredehöft (JB): I started my career at Shearman &amnp; Sterling here in Düsseldorf, focusing on competition law, and then moved to an M&A outfit in Cologne. That’s when I took the adventure to come on board on Huawei – back then, almost seven years ago, I was betting on the future, to a certain degree.
I started as legal counsel, then became head of legal in Germany in the beginning of 2015. I’m also responsible for competition law, and I interface with the EU Commission and support also other important domains like, recently, GDPR implementation.
We also have our West-EU legal director here in Düsseldorf, who is normally Chinese, and we work very closely. The Western Europe Legal Department has about 30 lawyers all across the region.
GC: How much of your work is cross-border?
JB: My focus is on Germany for the moment, but of course, many topics these days have a European scale. The law is developed 60% from Brussels and is then implemented in different countries, so that’s where we are looking into different areas. The new domains are where we are most involved from the cross-European perspective – cybersecurity, data protection, competition law.
The business in Germany is quite substantial, and we have three business domains – three and a half, actually. The bread and butter business is ‘carrier network’ – the infrastructure part. That means large-scale projects, involving contract negotiations, sometimes outsourcing projects, and also some M&A elements.
The second domain is our consumer business – our Huawei handsets. This is much more channel driven, it’s a little faster in terms of consumer interaction, marketing, and it’s much more in the public focus.
Then the third domain is our enterprise business – which is the least known for Huawei and the most recent – where Huawei is selling ICT solutions to various vertical industries and organisations. This part of the business is much more diverse in terms of the customers, how the contracts are structured and the different industries. For example, in the transport industry, we have a big project with Deutsche Bahn, which involved moving into a public bidding situation – which is very interesting from a legal perspective. We also are dealing with the automotive sector in Germany; Huawei produces the telecommunication core of connected cars – the chipset behind it. Even from the global perspective, the German customers are very much in focus in this regard.
More recent, is our cloud business. Huawei has been active in this area for some time, but has reorganised the department, so you can feel the company is investing to become stronger in this domain. For instance, we have a big project with Deutsche Telekom – the technology behind the Open Telekom Cloud is basically Huawei.
Enterprise is the business stream that is evolving most. Every six months, you have something entirely new. Last year, Huawei even started some collaborations in video platforms, even sometimes providing content – not producing the content itself, but being in the content-providing business. Huawei is also establishing a CBG [consumer business group] Cloud – basically something similar to the Apple cloud – which is now gradually being launched. So you can say every six months you engage in some exciting and new activity.
GC: With Huawei having such a presence in the cloud, data protection and cybersecurity are big issues. Do these areas fall under your purview?
JB: We have a cybersecurity officer and a data protection officer plus team. They do not directly report into Legal; but we work closely together and provide legal advice. The company substantially ramped up our internal data protection organisation in the past 12 to 18 months, and the legal department played a vital role to help wrap this up. That’s one element. And then you have very new legal developments, both in cybersecurity and for GDPR, which is coming into effect as we speak.
GC: What has gone into the GDPR piece so far?
JB: Huawei has been working on GDPR for 18 months at least. Many of the elements of GDPR already were required in certain countries. You have requirements to maintain data inventories, PIAs (or prior checks) [privacy impact assessments], data subject rights and other requirements in one or the other country, but now you have them applicable across the whole EU. This of course is a major challenge for a diverse, informational and multicultural organisation like Huawei – we have people with such different backgrounds. I think many of the basic elements already existed somewhere in the organisation, but now is really the time to put them together and make sure there is a comprehensive control and follow up, and also to create a data protection culture. That is probably the biggest challenge for multinational organisations.
Also, for Huawei, there is an ongoing fluctuation of Chinese expatriates, so this is one of the challenges – you cannot just put in place a data protection organisation once and then hope for the best. It’s an on-going effort. To put the processes in place is one big piece of the work, and a lot of resources go into this, but equally as important is to have the ambassadors internally who help to create this data protection and compliance culture. For Huawei, this is driven directly from headquarters. It is absolutely paramount to be on the right side of history with GDPR. It’s not only the potential fines; Huawei needs to be seen as a corporate citizen, both when we talk to governments but also for our customers on the B2B side and our consumers. So this is a very keen focus that I can see internally.
GC: With all the work that is going into meeting the standard set by GDPR in the EU, has the rest of the business outside Europe taken the opportunity to elevate to the same standards, and are the processes going to be transplanted to other areas not covered by GDPR?
JB: Of course, it depends a bit on the domain. For instance, if you look at the CBG Cloud, you need a global solution for that. Probably this is why GDPR is so interesting, because it sets a standard, and if you have a global organisation to run, it will become almost a global standard. The DPO organization is very strongly anchored here in the region but they also have a close collaboration with, partner with and are supported by headquarters, so whatever is being developed in terms of GDPR, there’s a great awareness and influence towards the headquarters’ side. It has a huge impact on how we organise data privacy on a global level.
GC: For a company like yours, which holds masses of personal data, what are your thoughts on this move toward people being super-conscious of their data?
JB: I think it’s a natural reflection of the importance, value and impact that data has on people’s lives. If you talk about what is the value of data for Huawei, we are not a company that is monetising their customer data like the big five American Silicon Valley companies. That’s due to the business model. The mission statement from Huawei used to be ‘To connect all people and all things’, it has now been upgraded to – ‘Bring digital to every person, home, and organisation for a connected intelligent world.’ What is behind it is actually quite concrete, as the original mission statement indicates Huawei does not intend to be the company that owns the data, but to be rather the pipeline. Huawei is the company building the technology behind it. As such Huawei, however, is required to enable our customers to be able to comply with data protection requirements, where we are expected to be always on top of things.
From a consumer perspective, it does not come as a surprise that people pay more attention to data, and personal data in particular, as this domain is growing exponentially in importance. Also from a cybersecurity impact perspective, if you look back to incidents like WannaCry last year, you could see the first indications that cybersecurity incidents can have a direct impact on life or death. Hospitals were impacted. For this kind of attack, Huawei was not at the core where we would suffer direct impact, but these are things that will come, and increasingly have to be taken into account.
GC: Can you characterise the regulatory environment that you are operating in as head of legal for Germany?
JB: In terms of data protection, I think GDPR is heavily influenced by German legislation. To a certain degree that makes life easier, because there are many elements you have seen before. For instance, you have to have data processing agreements in place, and that is very similar to what is required under GDPR, whereas in other countries, you need to create these from scratch. On the other hand, it is clear that data protection is seen by our regulatory environment as something that is very important and this will have some considerable challenges.
I believe that for governments to make the right rules, they absolutely and increasingly depend on the knowhow of companies working on the technological frontier. In Germany, for instance, the grand coalition has the discussion about digitisation – so of course there will be interaction between whoever is in government and the companies, who provide the relevant technology. And this will not only be German companies – they will also speak to international companies.
GC: Are there any other trends in your industry that have affected you and the work you do?
JB: Compliance is not a new development, but you can see, if you look into recent court decisions, that it absolutely requires more professionalisation. We have also undergone this process in Huawei, and this brings its own challenges. We have our compliance officers and from the legal side we work very closely together with them – overall this is a general development, where the focus is slightly shifting from legally advising to a legal risk management approach.
Then, a big topic is cybersecurity. For Huawei, it is absolutely on top of the agenda – if you look at the global level, the highest ranking non-Chinese person in the company is the global security and privacy officer. In Germany, another interesting development is the IT Security Act, which came into effect in 2015. To start with, the focus is on critical infrastructure, and as a telecommunications technology provider, we have to provide compliant technology to our customers.
GC: Could you elaborate on the IT Security Act?
JB: It has been adopted in the context of the NIS Directive [security of network and information systems] on an EU level – the German IT Security Act is more or less reflecting what has been adopted at the EU level subsequently. One of the key elements is that each company operating critical infrastructure needs to have state-of-the-art cybersecurity systems. What is a state-of-the-art cybersecurity system? This of course wasn’t described to the last bit in the law, but nevertheless you can see that cybersecurity used to be ‘a technology thing’ – IT people were dealing with this. Then standards evolved to include not only IT people, but people who know how these standards work. With the new legislation you move one level further, and it becomes also part of the legal domain. This is why the legal department is involved – to see what does this mean for us, what measures do we need to take? It requires cooperation across different departments: as a legal person, you are not always an IT expert, and as an IT expert you don’t necessarily understand the implications of the law.
This domain is crucially important for our customers, and that is why it’s crucial for us.
GC: Has that changed what companies look for when hiring legal professionals?
JB: I don’t think it’s necessary to know how to code, but understanding the industry is absolutely important. When I’m hiring team members, if somebody brings industry expertise, this can be a key advantage, but it’s also possible to adapt when you’re coming from other industries, as long as you have an open mind and you follow key discussions currently taking place. Whatever industry you’re in, many discussions revolve around technology – if I work in pharma, I would still have to know about GDPR, I would still be interested in artificial intelligence, and cybersecurity will also be of a certain degree of importance. Nowadays, to have at least a basic understanding of data protection issues and maybe a certain level of cybersecurity – at least a common understanding – this belongs in the legal toolkit. And also to have a basic understanding of how a compliance organisation may work, so the toolkit is evolving in this regard.
GC: Looking at the next five-to-ten years, is there a trend you have one eye on?
JB: I think you need to look at Huawei on the one hand, and the legal profession on the other.
For Huawei, you would think about many areas that have a connection to the technological frontier – and Huawei is absolutely a technologically driven company. We have 180,000 employees, and 80,000 work in R&D. Huawei has invested in artificial intelligence. I think for the next smartphone generation it will play a bigger role, but it looks like artificial intelligence is also entering other business domains. Wherever high complexity needs to be managed, artificial intelligence can play a role – although the term is probably now a bit hyped, so maybe there are things that are called AI that aren’t as advanced as it sounds. For the legal profession, this is also a very interesting development, and I think AI is one of the hot topics in legal tech. Sometimes we meet young legal tech companies at exchanges with the big law firms, some of which are investing in this already themselves.
But in terms of artificial intelligence, what I have seen there so far, the role for my daily work is really very limited. If I had a big transaction, probably for some of the due diligence tasks I could use programmes, but my feeling is that before real AI applications have the scale, accuracy, and maybe the cost efficiency and practicability that would make them feasible for me to use them on a wider scale in-house, there are probably still a few years to go.
But of course, once it comes, it could come quickly, and it could cause large-scale change. I would expect that there could be really substantial impact for in-house legal counsel, because part of our role is to take very complex, messy, grey-zone situations and assessments, and translate them into a language that the business understands. That is exactly what some of these legal tech applications will try to do – to reduce the complexity and have a very customer-friendly interface. That’s the job description of an in-house counsel! So I think there will be an impact, and I think it can help, and it will be very interesting to see.
GC: Is there much buzz around it?
JB: Many people are talking about it, definitely. But, of course, such hype also goes in waves. First you read about it, and you think it’s coming tomorrow. Then you meet with some people and you realise it may be the day after tomorrow. But a second wave will come.
Legal tech could have a very centralising effect, both in terms of how many people I need, but also because if I have an intelligent legal tech/AI application, I’m very much interested in data from all over the world. It’s possible that it could be governed from one, two or maybe three places – but possibly not so many.
Currently, legal tech is driven predominantly from the US. And if you speak about artificial intelligence in general the US and also China seem to be on the forefront.
GC: Have you noticed any other trends?
JB: I think a continuous trend is that legal work is becoming more and more international. If you look at German lawyers, many already work internationally, but if you look at practicing German law, it’s still a very ‘German’ thing – it’s very technical. But I would expect that over time there will be some kind of convergence between different jurisdictions. We are already seeing this happening for contract negotiations, where you can choose an applicable jurisdiction while creating more of a level playing field.
GC: Huawei is a renowned Chinese company, with Chinese leadership, based in China. Is that something you feel on the ground?
JB: Yes. The legal counsel is someone who needs to translate complexity and make it understandable, so we have a double challenge. As legal, we start off from a complex legal environment, we translate it to the business, and they say ‘Wait, I have a totally different cultural background – can you explain?’ It’s been a learning process for me and everyone in my team to understand how Chinese organisations work – it’s almost like learning another language. It can be very enriching, but there will always be situations where there is a misunderstanding, or things take more time because you need to take a different path than you are used to.
And also it is an opportunity to challenge yourself because, particularly as lawyers, we are so trained to follow a certain way; the German legal education system takes many, many years and you are very much focused on German law. The law is based on certain cultural values. Now the challenge comes, when you bring this to a totally different environment in an international organisation like Huawei. Anyway, I have many Chinese colleagues and friends, and we all make it work! So far, it is a lot of fun.
GC: What are the specific differences?
JB: Decision-making is very different than within a German company. From my experience, a Chinese company can be more collective in a way – the highest ranking members will have the final say, but there is more sharing of responsibility within the group. In Germany, it is more common for one person to take the responsibility and then take an individualistic approach. Both have their benefits.
I think also another difference is that if you look at German culture, it’s very matter of fact. Your private life is very separate and even if you go for a drink with a colleague it may actually be seen as work time. Chinese culture can be warmer in a sense and more personal even in the working place. It is more common to go out for dinner for team building and it is highly valued to meet in person; so travelling can be more essential.
What I very much appreciate in Huawei as a company is it’s very dynamic. Things are fast. Legal is not always the best friend of fast, so you have to adapt, and making sure things work fast is and always will be a challenge. But this mindset, I think, this is also part of what makes us successful as a company.