Good morning. Welcome to Edition 3 of Profiles in Legal. Our aim stays simple: help you make clearer calls with the business, spot regulatory drift before it hardens into risk and borrow judgment where it’s cheaper than learning the hard way. This week: Australia as a test case for digital public health regulation; why EU SaaS revenues are less locked-in than finance decks assume; and a data protection fine levied for access design failures, not broken encryption.

— Philip

BRIEFING ROOM

Australia child-locks scrolling

Last week, Australia’s world-first social media ban for children came into force. Government messaging focussed on harmful content and addiction to scrolling and the benefits for teens of building IRL skills.

Platforms including Instagram, TikTok, YouTube, Snapchat, X and Reddit must take “reasonable steps” to prevent under-16s from holding accounts. That could range from inferences from online behaviour, to facial analysis, to checking government ID. Expect both market innovation and scrutiny over which methods are actually reliable.

The move is a test case for a new style of digital governance, regulating online content as a public health concern.

Tech’s response was swift:

  • 📼 YouTube argued that removing children’s accounts means removing parental controls in those accounts, with children simply switching to logged-out viewing.

  • 🧑‍⚖️ Reddit filed a constitutional challenge citing political communication interference, “intrusive and potentially insecure verification processes” and querying its inclusion in the ban.

Other concerns include the ease of VPN workarounds and that the age verification requirement necessitates collecting vastly more personal data from all users - data that could be exploited commercially or more nefariously.

Australia is no stranger to regulatory leadership. Alongside famous first moves such as seatbelt laws and cigarette plain packaging, it has a track record of pioneering enforceable duties on tech and consumer-facing businesses: regulator-enforced, time-limited content removal powers under the Online Safety Act; civil penalties for unfair terms in standard-form B2C small business contracts; and compulsory bargaining and payment obligations for dominant platforms under the News Media Bargaining Code.

They might be the canary once again. France, Spain, Germany, Denmark, Norway and Malaysia are amongst countries with similar age restrictions in the pipeline.

RISK RADAR

🎄 Festive lights aren’t the only switching occasions in town this month. Since autumn, the EU Data Act’s mandatory switching right means new cloud and SaaS contracts for EU customers must allow short-notice switching, cap exit friction and treat a completed switch as termination, minimum term or not. That quietly hollows out many standard lock-in and early-termination clauses.

  • What to do: Frame this to your CFO as minimum-term EU SaaS revenue being softer than it looks on paper. Prep sales teams for customers spotting a leverage opportunity at renewal. Fix templates and year-end renewals with the urgency and precision of a last-minute Christmas shopping dash.

  • Should vendors panic? No, but don’t relax. Switching fees are allowed during the transition period to 2027, but only for genuine migration costs, not lost revenues.

🇬🇧 80/20 Vision. TheCityUK dropped its 2025 report into legal services. Here’s why it’s useful:

  • Drafting leverage. Pushing for English governing law and jurisdiction is more than patriotism. London remains the default venue for cross-border disputes, with specialist judges and English law widely accepted as neutral ground. English court judgments and London arbitration awards also remain among the easiest to enforce internationally.

  • GenAI is everywhere, returns are not. Adoption is near-universal, but value creation lags far behind. Only 19% report productivity gains and just 2% report monetised benefits. On your next AI rollout, sound smarter by naming the gap explicitly and close it through deliberate workflow redesign.

  • The top 25 firms now account for roughly 80% of the revenue of the top 100. That level of concentration can weaken price tension and slow turnaround as demand spikes. Using premium firms for mid-ticket work increasingly looks like habit rather than judgement. This strengthens the case for keeping commercially critical decision-making in-house, rather than defaulting to premium firms for mid-ticket decisions.

  • In-house is no longer an edge case. Around 25% of solicitors now work in-house, with numbers up ~8% year on year. GCs have scale; the risk is under-using it.

🔐 Fine of the week. The UK ICO fined password manager LastPass £1.2m for failing to implement appropriate technical and organisational security measures under UK GDPR. The fine stems from two 2022 incidents: a corporate laptop compromise, followed by a breach of a personal device through a known vulnerability, which captured credentials and enabled an MFA bypass.

  • Sound smarter: The ICO took aim at engineers having privileged access from unmanaged personal devices, even with MFA. That was a design choice, not an edge case, and one the ICO clearly expects controllers to get right.

  • The fine was imposed even though attackers could not decrypt customer passwords thanks to LastPass’s “zero-knowledge” encryption, where master passwords stay on user devices. Encryption wasn’t the issue - access, privilege and exfiltration were.

FROM THE SIDEBAR

🎅🏼 “Santa, define good” Christmas jumper. For anyone whose December bonus depends on subjective criteria.

🎤 Life of a Showgirl, translated into legalese. Proof that no text is safe once lawyers get involved.

⏮️ Missed last week? Here’s the previous issue. Same format, same intent, fewer baubles.

ABOUT THE EDITOR

I work with start-ups and scale-ups as a fractional GC, covering commercial, regulatory and AI governance. Fixed days per month, fixed fee. Typical work includes contract strategy, regulatory triage, and board-level risk decisions.

Too much legal content is dull and jargon-filled. Profiles in Legal is for lawyers who want to think clearly, sound credible in the room and get promoted.

This newsletter is for general information only and does not constitute legal advice. Seek professional advice for specific situations.
