10 minute read 31 Jan 2023
make it clear

Make IT Clear - 01/2023

Authors
Justyna Wilczynska-Baraniak

EY Polska, EY Law, Intellectual Property, Technologies and Personal Data, Partner, Attorney-at-law

Intellectual Property, Technology and Personal Data Team Leader. Experienced in legal advisory for multi-jurisdictional clients.

Maciej Bisch

EY Poland, EY Law, Manager, Attorney-at-law

Lawyer with years of experience in intellectual property law, data protection, commercial company law and dispute resolution.

10 minute read 31 Jan 2023

 

Here is the Make IT clear special materials 01/2023

 

Topics discussed:

  • Intellectual property - Copyright infringement of computer games
  • IT - European Union regulates artificial intelligence
  • Cybersecurity - New challenges in IT compliance - an overview of NIS 2 obligations
  • Data protection - On 13 December 2022, the European Commission has published a draft decision to recognize an adequate level of protection for personal data in the US
  • E-commerce - Consumer protection - what is changing from 1 January 2023?
  • Alert E-commerce - Review of the UOKiK's December activities
Copyright infringement of computer games
(Chapter breaker)
1

Chapter

Intellectual property

Copyright infringement of computer games

Factual state

Riot Games is a well-known video game developer. It created, among other things, the game League of Legends, which is the most popular e-sports game in the world. The company's success has sparked the creation of many copycats trying to profit from the popularity of Riot Games.

Against this background, a dispute arose between Riot Games and Chinese game developer NetEase, which released the mobile game Hyper Front in 2022. It resembles in many ways the computer game Valorant, developed by Riot Games.

Players could get familiar with Valorant in April 2020. The game is currently only available on computers, but a mobile version has been announced in 2021.

Riot Games lawsuit

Riot Games has deemed that the similarities of the Hyper Front game to Valorant cause infringement of Riot Games' copyrights. As a result, the developer decided to sue NetEase in several countries. Among the claims raised in the lawsuit were:

  • similarities in gameplay - 5v5 teams, focus on the abilities of individual characters, walking pace, short time to kill the enemy, game modes;
  • graphic design style similarities - character type and color scheme, weapon designs and colors, interface, maps;
  • Hyper Front's release coincided with Riot Games' announcement of the development of the mobile version of Valorant;
  • NetEase began work on its game shortly after Riot Games released Valorant.

Link to source:  Riot Games vs. NetEase 

Riot Games has decided to file a lawsuit in the UK, Germany, Brazil and Singapore. We have not yet learned the court decision in any of these countries. We can wonder what the court's decision might be if such a situation happened in Poland.

The state of computer games in Polish copyright law

Computer games are a unique form of work. The legislator has not chosen to regulate their legal situation separately, which causes many problems in determining the protection to which they are entitled under the Law of February 4, 1994 on Copyright and Related Rights.

Although some elements indicate that they can be considered a specific form of computer program, one can also find arguments for applying the provisions on the protection of audiovisual works to their protection. Currently, this is an unresolved issue in Polish jurisprudence. 

The dominant voice in the doctrine is the recognition of computer games as a mixed work and the respective application of provisions on audiovisual works and computer programs to their specific elements.

The Riot Games case in the perspective of the Polish legal order

The circumstances are complicated. We can assume that similarities in gameplay would not be protected under Polish copyright law, since ideas and rules of operation are excluded from copyright protection.

It is likely, however, that the court could grant the applications regarding the similarity of character models or maps, as such elements can be considered works if they meet the requirements of the Copyright Act. 

European Union regulates artificial intelligence
(Chapter breaker)
2

Chapter

IT

European Union regulates artificial intelligence

On 6 December 2022, the Council adopted another common position on the Artificial Intelligence Act - the planned regulation on artificial intelligence systems.

General objectives

The upcoming regulation primarily aims to ensure that artificial intelligence systems marketed and used in the EU are safe and comply with European law, as well as with EU values. In addition, the regulation is expected to facilitate investment and innovation in the field of artificial intelligence. The planned regulation is also intended to facilitate the development of a single market for legitimate, safe and reliable artificial intelligence applications, while preventing market fragmentation.

Specific objectives

  • Harmonize member states' regulations on the introduction, commissioning and use of artificial intelligence systems in the EU;
  • Introduce prohibitions on practices inconsistent with EU values on artificial intelligence;
  • Regulate the specific requirements for high-risk artificial intelligence systems and the obligations of entities that operate such systems;
  • Harmonize European and Member State regulations on transparency for certain artificial intelligence systems;
  • Introduce legal provisions for after-market monitoring of artificial intelligence systems.

We present selected provisions from the current version of the draft Artificial Intelligence Regulation.

  • Definition of artificial intelligence system

    The key problem the Council had to solve was defining an artificial intelligence system. The adopted project assumed that an "artificial intelligence system" is a system that is designed to operate in a partially autonomous manner and that, based on machine- or human-provided data and information, infers how to achieve a preset set of goals - using machine learning technologies or logic- and knowledge-based methods that generate results, such as content, predictions, recommendations or decisions, that affect the environments with which the system interacts.

  • Selected prohibitions on the use of AI systems

    Among the prohibitions, the adopted approach includes:

    • for the purpose of scoring citizens' social behaviour (social scoring), which leads to discrimination;
    • which use subliminal techniques and have the purpose or effect of altering a person's behaviour to the detriment of that or another person;
    • which exploit the vulnerability of a specific group of people; it now also includes people who are disadvantaged by their social or economic situation;
    • by law enforcement agencies for remote 'real-time' biometric identification in public places for law enforcement purposes (with some exceptions)
  • Further works

    Once the European Parliament adopts its position, negotiations between the Council and Parliament can begin.

New challenges in IT compliance - an overview of NIS 2 obligations
(Chapter breaker)
3

Chapter

Cybersecurity

New challenges in IT compliance - an overview of NIS 2 obligations

Introduction

On 27 December 2022, Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (hereinafter: NIS 2 Directive) was published in the Official Journal of the European Union.

The NIS 2 Directive will require implementation into national law. Implementation into the national orders of the EU Member States should be carried out by 17 October 2024. In Poland, the implementation of NIS 2 may take place through the amendment of the Act of 5 July 2018 on the National Cybersecurity System or through the enactment of a new law or laws implementing NIS 2.

The directive will have a significant impact on the essential and important entities defined in NIS 2.

The NIS 2 Directive will replace the current Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (hereinafter: NIS Directive).

  • Selected obligations

    • Risk analysis and IT system security policy - a multi-stage analysis will be required, including both analysis of actual security (buildings, equipment, etc.) and cyber security understood as the security of the networks in which the organisation operates, as well as individual employees;
    • Incident handling (prevention, detection and response, reporting) - an entity covered by NIS 2 will be required to set up internal structures responsible for cyber security, and will be required to inform both the competent authority and the dedicated CSIRT.
    • Business continuity and crisis management - business continuity will be understood here as a sub-type of risk management focusing on ensuring the continuity of the business despite a security incident.
    • Supply chain security - key and important actors will be required to consider (and take appropriate measures for) supply chain security, including the security aspects of the relationship between each actor and its suppliers or service providers, such as providers of data storage and processing or managed security services.
    • Security in Network and Information Systems - NIS 2 identifies two international standards that should be used by network and information system developers as guidelines for vulnerability handling and disclosure: ISO/IEC 30111 and ISO/IEC 29417.
    • Testing and auditing - mandatory audits should cover both physical and cyber security.
  • When to start the process of alignment with NIS 2 regulations?

    As NIS 2 is a directive, Member States must implement it into their national legal order. It is currently unclear how individual member states will approach the implementation of NIS 2 into their legal orders. However, as the NIS 2 Directive imposes obligations on IT providers to implement new technological and organizational processes, these entities may already be looking at their critical processes, services and resources so that they can more nimbly comply with their obligations once NIS 2 is implemented into the Polish legal order.

On 13 December 2022, the European Commission has published a draft decision to recognize an adequate level of protection for personal data in the US
(Chapter breaker)
4

Chapter

Data protection

On 13 December 2022, the European Commission has published a draft decision to recognize an adequate level of protection for personal data in the US

The General Data Protection Regulation 2016/679 of 27 April 2016. (hereinafter: GDPR) contains significant restrictions on the transfer of personal data to a third country or international organization. The Regulation contains a closed catalogue of conditions which, if met, allow the transfer of personal data to a specific country without risking breach of the personal data protection under the GDPR.

  • Adequacy decision

    The adequacy decision is one way to legally transfer personal data outside the European Union.

    The adequacy decision is, from the data exporter's point of view, the most convenient protection mechanism when transferring data outside the EU.

    A decision is issued for an entire country, territory, sector or organization when the European Commission determines that adequate protection for personal data, adequate to the EU level, is provided thereby. In such case, the Commission adopts a decision by means of an implementing act, which ensures that no special authorization is required for the transfer of personal data to a particular country/sector in a third country or international organization.

    The transfer of data to such a country can be treated as a transfer to an EU country.

    To date, 14 valid adequacy decisions have been issued.

  • Draft decision concerning the US

    On 13 December 2022, the European Commission has published a draft decision to recognize an adequate level of protection for personal data in the US.

    The draft decision follows US President Joe Biden's signing of an executive order in October 2022 to put in place safeguards for the personal data of EU residents, in particular by limiting access to US intelligence agencies' data and introducing an independent redress mechanism.

    If the draft decision is approved and signed, this will facilitate transfers of personal data to the US and exempt the use of additional safeguards under either Article 46 or 49 of the GDPR.

    You may recall that on 16 July 2020. CJEU issued its judgment in the Schrems II case (C-3111/18), in which it questioned the mechanisms for the transfer of personal data between the EU and the US. In this judgment, the CJEU indicated that US law does not provide equivalent protection to that required by EU data protection standards. Accordingly, the CJEU declared Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-US Privacy Shield to be invalid.

    For more information on the transfer of personal data outside the EU, please follow the link: Transfers of personal data outside the EEA - challenges in 2022 | EY Poland

Consumer protection - what is changing from 1 January 2023?
(Chapter breaker)
5

Chapter

E-commerce

Consumer protection - what is changing from 1 January 2023?

Legal basis for change

  • DIRECTIVE (EU) 2019/2161 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 November 2019 amending Council Directive 93/13/EEC and Directives 98/6/EC, 2005/29/EC and 2011/83/EU of the European Parliament and of the Council as regards the better enforcement and modernization of Union consumer protection rules (so-called Omnibus Directive).
  • DIRECTIVE (EU) 2019/770 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 20 May 2019 on certain aspects concerning contracts for the supply of digital content and digital services (so-called Digital Directive)
  • DIRECTIVE (EU) 2019/771 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 20 May 2019 on certain aspects concerning contracts for the sale of goods, amending Regulation (EU) 2017/2394 and Directive 2009/22/EC, and repealing Directive 1999/44/EC (so-called Goods Directive)
  • By way of introduction

    As the above regulations have been adopted by the EU in the form of a directive, each Member State must implement the directive in its national order. The Omnibus, Digital and Goods Directives are implemented by two laws in Poland. The Act of 1 December 2022 amending the Consumer Rights Act and certain other acts implements the Omnibus Directive, while the Act of 4 November 2022 amending the Consumer Rights Act, the Civil Code Act and the Private International Law Act implements the Digital Directive and the Goods Directive.

    The legislator rightly assumed that the changes introduced by the three aforementioned directives enter into force at the same time, i.e. on 1 January 2023. 

  • Selected changes concerning physical products

    • Longer time limit for making a complaint, i.e. 6 years from the date on which the product defect was discovered;
    • A longer period for the seller's liability for product defects because it covers the entire shelf-life, e.g. if the shelf-life is 3 years, the warranty will also last for 3 years, and if the shelf-life is less than 3 years, then the warranty will last for 2 years. 
  • Selected developments concerning electronic products

    • New requirements to exclude the 'right to return' of electronic products within 14 days. As many as 3 conditions must be fulfilled, i.e.: the customer's prior consent to the delivery of the digital product before the expiry of the 14 days, information about the loss of the right of withdrawal and the customer's acknowledgement of this information, and the sending of an acknowledgement of receipt of the consent to the customer.
  • Selected changes concerning contact details

    • The retailer is obliged to make its contact number available to customers. Under the old legislation, this was voluntary;
    • Obligation to inform about other online means of communication for continuity of correspondence, if available in the shop.
  • Selected price developments

    • Obligation to indicate next to the current price the lowest price for the product in question applicable in the last 30 days before the reduction was introduced;
    • Obligation to inform about the individual adjustment of the price for the consumer if it has been set based on automated decision-making.
  • Selected changes concerning product opinions

    • Obligation to inform consumers whether product reviews made available have been verified by the trader. Verification of an opinion is limited only to establishing whether the author of the opinion has used or purchased the product. A trader may publish unverified opinions, but must inform customers of the lack of verification.
    • A trader who will allow access to consumer reviews will have to indicate how he controls and verifies the reviews issued to him.
  • Responsibilities of marketplaces

    • Providers of an online trading platform will be required to inform the consumer whether the seller offering goods, services or digital content on the platform is a trader or selling as another consumer;
    • Informing consumers of the main parameters determining the placement of offers presented to the consumer as a result of a search;
    • Obligation to inform about the non-application of consumer legislation to a contract concluded on an online platform when the party offering the good or service is not a trader;
    • Information about the division of responsibilities between the owner of the online platform and a third party who offers its products on the platform, when this contract is concluded with a consumer.
  • What do the above changes mean for businesses?

    It is imperative that traders review their existing online sales regulations, withdrawal and complaint forms and update them. In addition, they should make changes to the interface of the online shop and also analyze the purchase process in the online shop.

  • How can we help you?

    The EY Law Digital team can help you identify whether the new obligations apply to you and to what extent. Our team can also help you make the necessary changes to your terms and conditions, privacy policies and other clauses.

Alert E-commerce

Review of the UOKiK's December activities

First companies fined by President of UOKiK for trading in false reviews and ratings posted online 

The President of the Office of Competition and Consumer Protection (UOKiK) punished two companies providing services related to online opinions, i.e. the company Opinie.pro from Lubartow and the company SN Marketing from Krakow. In the decisions issued, the President of the UOKiK found the actions of the two companies mentioned above to be in breach of collective consumer interests. The opinions they offered were fictitious and misled consumers about products or services. In the case of Opin.pro, the fine is PLN 40,000 and the company must also abandon the questioned practice. On the other hand, SN Marketing, which has already ceased creating false opinions, was sanctioned by the President of UOKiK with PLN 30 thousand. Both companies must inform about the decisions of the President of the Office in the services they use.

According to social research conducted in 2020 on behalf of the OCCP, 93 per cent of people shopping online are guided by product reviews posted by other consumers. This is why it is so important that they are genuine and credible. In a press release dated 15 December 2022. The President of the Office of Competition and Consumer Protection (UOKiK) pointed out that publishing false opinions on the Internet is a particularly reprehensible phenomenon. In this way, consumers are misled and their purchasing decisions are distorted. It is also not fair to the competition - honest entrepreneurs who do not buy ratings, so that they may, for example, be positioned less well in search engines.

For more information follow the link: UOKiK - About us - About us - News - Fines for false opinions on the internet

On-line ad tagging - popular websites under the President of UOKiK's scrutiny

The President of the Office of Competition and Consumer Protection (UOKiK) initiated proceedings against Ringier Axel Springer Polska and Wirtualna Polska Media. Some of the commercial materials of the companies analysed by the Office did not have any marking. In other cases, the markings used by the services raised doubts about their transparency and readability.

If the allegations are confirmed, Ringier Axel Springer Polska and Wirtualna Polska Media may incur a fine of up to 10 per cent of their turnover. The President of the Office of Competition and Consumer Protection is also investigating Agora and the Interia.pl Group regarding the correct labelling of commercial content.

For more information follow the link: UOKiK - About us - About us - News - On-line ad tagging

Control of toys and cosmetics

The UOKiK inspected a total of 85 models of various toys: sound toys for babies, projectile toys and manipulative boards - whether they are well labelled and their design does not endanger the youngest consumers. There were significant differences in the results in the different categories of toys - the highest percentage of irregularities was detected by the UOKiK when examining the manipulative boards.

In addition, the inspectors verified whether the cosmetics contained all the information required by the regulations, e.g. concerning functions, list of ingredients, special precautions. They also analyzed whether the products contained any prohibited substances in their composition descriptions and checked the veracity of marketing claims. The inspectors checked 255 wholesalers and shops - both small drugstores and those belonging to large chains.

For more information follow the link: UOKiK - About us - About us - News - toy inspection

Unfair practices in photovoltaics

The President of the Office of Competition and Consumer Protection (UOKiK) has issued a decision imposing a fine of more than PLN 28 million on BO Energy (formerly FG Energy). The disputed practices include making it difficult for consumers to withdraw from the contract at no cost, misleading them about the cooperation with the Ministry of Climate and about the free of charge audit. The company will have to refund consumers who have withdrawn from the contract. 

For more information follow the link: UOKiK - About us - About us - News - Unfair practices in photovoltaics

Summary

Here is the next study prepared as part of the Make IT clear program.

Every month we will show you the trends that entrepreneurs should follow and the solutions that should be implemented in order to be up to date with the law of technology, intellectual property and data protection. We will also indicate the risks and challenges associated with your business.

Do not hesitate to contact us!

Contact us

Interested in the changes we have made here,

contact us to find out more.