10 minute read 28 Feb 2023
Make IT Clear - 02/2023

Authors
Justyna Wilczynska-Baraniak

EY Polska, EY Law, Intellectual Property, Technologies and Personal Data, Partner, Attorney-at-law

Intellectual Property, Technology and Personal Data Team Leader. Experienced in legal advisory for multi-jurisdictional clients.

Maciej Bisch

EY Poland, EY Law, Manager, Attorney-at-law

Lawyer with years of experience in intellectual property law, data protection, commercial company law and dispute resolution.

 

Here are the Make IT Clear special materials for 02/2023.

 

Topics discussed:

  • Intellectual property - ChatGPT is taking popularity by storm! 
  • IT - The European Union wants to develop the semiconductor market - a few words about the Chip Act
  • Cybersecurity - What is the DORA Regulation? 
  • Data protection - Datatilsynet has published a report and checklist on informing users about the use of artificial intelligence (AI)
  • E-commerce - UOKiK examines how entrepreneurs have complied with regulations arising from the Omnibus Directive
  • Legal Alert – GDPR - Sectoral control plan 2023

Intellectual property

ChatGPT is taking popularity by storm!

What is ChatGPT? 

The OpenAI organization has created ChatGPT, i.e. an advanced chatbot using artificial intelligence, based on the Generative Pre-trained Transformer 3 (GPT-3) machine learning model.

ChatGPT can generate a natural-sounding answer to a user's question in real time. ChatGPT works in multiple languages (including Polish) and uses 'knowledge' extracted from Internet resources. It is capable of answering user-submitted questions in an accessible manner and of holding a conversation with the user on any topic, and is also capable of generating text according to user-specified instructions.

ChatGPT was launched on 30 November 2022 and has been a global success, with more than one million users within the first five days of its launch.

Example use of ChatGPT

First of all, ChatGPT can be used to generate answers to questions, create articles, reports or social media posts, as well as other textual content within customer service systems. ChatGPT can also be used to help write a computer programme, as it is familiar with programming languages.

According to the Fishbowl survey (available at fishbowlapp.com), marketing professionals (37% of respondents) and IT professionals (35% of respondents) are the most likely to use ChatGPT. They are followed by professionals from the financial sector and lawyers.

ChatGPT and intellectual property law

The emergence of such advanced tools based on artificial intelligence poses challenges that require appropriate regulation to ensure the protection of intellectual property rights and to set a framework for the use of such tools in specific sectors, e.g. education.

Doubts should also be raised about the possibility of granting protection to content (text, graphics or video material) created using artificial intelligence-based systems.

There are different approaches to this problem around the world, but the prevailing view today is that only human-made works can be protected under copyright law and that, given the high creative autonomy of artificial intelligence systems, there is no connection between the generated work and a human. According to some, the inability to grant copyright protection to content generated by artificial intelligence systems points to the need for separate legislation under which such works would be protected.

Another challenge for regulation is the issue of infringement of intellectual property rights by artificial intelligence systems. This is because there is a risk that these systems may (unintentionally or intentionally) generate content that infringes the intellectual property rights of others.


IT

The European Union wants to develop the semiconductor market - a few words about the Chip Act

On 1 December 2022, the Council adopted its position (general approach) on the proposed regulation establishing a framework for measures to strengthen the European semiconductor ecosystem, known as the "Chip Act".

Purpose of the new regulation 

  • Strengthen Europe's leadership in research and technology and work on smaller and faster chips.
  • Introduce a framework to increase EU production capacity to 20% of the global market by 2030.
  • Build and increase innovation capacity in the design, manufacture and packaging of advanced chips.
  • Develop an in-depth understanding of global semiconductor supply chains.
  • Address skills shortages, attract new talent and support the education of a skilled workforce.

What is a chip? 

The planned regulation defines a chip as an electronic device comprising various functional elements on a single piece of semiconductor material, typically taking the form of memory, logic, processor and analogue devices, also referred to as ‘integrated circuit’.

Chips are used in almost every IT and mobile device and in critical infrastructure in the health, energy, communications and automation sectors, as well as in most other industries.

  • Investments to support the development of the semiconductor market

    The planned regulation sets out a number of initiatives to fund the development of the semiconductor market in the EU, including initiatives for chip supply chain monitoring mechanisms.

    The Chip Act is expected to allocate €43 billion in public and private investment.

  • European Chips Infrastructure Consortium (ECIC)

    The regulation proposes the possibility of introducing a new legal instrument, the European Chips Infrastructure Consortium (ECIC). The ECIC would be the legal entity that could carry out the activities and other tasks funded under the 'Chips for Europe' initiative.

  • Why is this regulation important?

    Recent global semiconductor shortages have forced the closure of factories in various sectors of the economy. This has shown that the entire global economy is dependent on a semiconductor supply chain involving a small number of players in a complex geopolitical context. The Chip Act is intended to address the current shortage of semiconductors in Europe and reduce the Union's vulnerability and dependence on foreign players. 

  • Continuation of activities

    The next step is the adoption of the position by the European Parliament. Once this is done, the Council and the European Parliament will start discussions. 


Cybersecurity

What is the DORA Regulation?

On 27 December 2022, the regulation on digital operational resilience for the financial sector, the so-called DORA, was published in the Official Journal of the EU. DORA has the rank of an EU regulation, which means that it is a legal act directly applicable in individual EU countries. The regulation entered into force on 16 January 2023. DORA addressees have until 17 January 2025 to prepare for the new regulation.

Purpose of regulation

DORA is designed to guarantee the continuity and quality of financial sector service delivery despite disruptions affecting information and communications technology (ICT). Digital operational resilience is defined as the ability to build, test and continuously improve the technological and operational integrity of an organization. Additionally, DORA aims to create a harmonized regulatory environment that includes not only the financial sector, but also public administrations and entities recognized as key technology providers.

  • Addressees of the DORA Regulation

    The following entities are required to comply with DORA:

    • Financial institutions, including but not limited to: credit and payment institutions, electronic money institutions;
    • Managers of alternative investment funds;
    • Management companies;
    • ICT third-party service providers.

    Definitions of the above entities can be found in the DORA and related legislation. 

  • Scope of the DORA

    DORA regulates:

    • ICT risk management, inter alia the appointment of a person or function responsible for monitoring arrangements with external ICT service providers, staff and management training, systems register and identification of ICT processes.
    • ICT incident reporting, e.g. classification of ICT incidents and determination of their impact on the organization, rules for informing customers and service users of incidents, implementation and execution of a comprehensive ICT business continuity policy.
    • Digital operational resilience testing, e.g. frequency of testing of key ICT systems and applications, scope and frequency of penetration testing of IT systems supporting critical processes in the organization, comprehensive risk-based digital operational resilience testing programme, requirements for a digital resilience test provider.
    • Risk monitoring from external ICT service providers, inter alia, contractual requirements between the bank and the ICT provider, contract inventory, risk assessment of external ICT providers before signing a contract, right of financial entities to audit ICT providers.
    • Inter-bank exchange of information on cyber threats and results of analyses of such cyber threats. 
  • Administrative penalties

    DORA gives Member States the power to prescribe administrative penalties or remedial measures for breaches of DORA, including at least:

    • issuing orders involving the cessation or refraining from engaging in specified activities;
    • ordering the temporary or permanent cessation of a specific action;
    • adopting all types of measures, including those of a monetary nature, to ensure that financial entities continue to comply with legal requirements;
    • requesting the issuance of telecommunications records;
    • issuing public notices, including making public information indicating the identity of the natural or legal person and the nature of the breach.
  • Would you like to know more?

    We invite you to read the Report by EY Poland and the Polish Bank Association "The DORA Regulation - revolution or evolution in the Polish banking sector? Analysis of the maturity of the banking sector in terms of digital operational resilience and a survey on the state of digital resilience of Polish banks".

    The report contains the results and conclusions of a survey conducted by EY Poland and the Polish Bank Association among institutions in the Polish banking sector. In addition, a number of assumptions and obligations arising from DORA are presented, as well as the challenges posed by the new regulation.

    The report can be downloaded at the link: EY and ZBP report: DORA Regulation


Data protection

Datatilsynet has published a report and checklist on informing users about the use of artificial intelligence (AI)

Datatilsynet has published a report to assist data controllers who process data using artificial intelligence (AI).

The report sets out what information on the use of AI should be made available to data subjects, as well as in which cases and how data subjects should be informed about the use of AI. Although the report is in the form of a recommendation and is not binding, it can also serve as a reference for controllers and supervisory authorities from other EU Member States.

  • Transparency in the use of AI according to Datatilsynet

    Datatilsynet makes the manner and extent of compliance with the obligation under Article 13 or 14 GDPR dependent on the stage of development that the AI in use has reached.

    For example, during the development stage of AI, the exception in Article 14(5) GDPR could apply. This exception exempts the controller from the information obligation when personal data is not obtained directly from the data subject and providing information about the processing proves impossible or would require a disproportionate effort.

    According to Datatilsynet, the aforementioned provision could be applicable as AI systems often require huge amounts of data, which could impose a heavy burden in terms of effort to inform each individual about the processing of their data. However, Datatilsynet recommends providing a minimum of information about the processing, e.g. through publicly available channels (e.g. websites).

    During the application phase of AI, it will be important to determine whether the model will be used only as a decision support or for full decision automation.

    In the latter case, the GDPR requires the controller to provide not only information that such automated decision-making will take place, but also about the right not to be subject to such processes, relevant information about the modalities of such decision-making, as well as the significance and anticipated consequences of such processing for data subjects. Datatilsynet, on the other hand, recommends that similar information should also be provided for AI used only as decision support. Similar requirements will apply to AI systems in the post-learning phase of the system.

  • Confidence in Artificial Intelligence

    Datatilsynet emphasized the role of user trust in artificial intelligence systems.

    Doubts may arise particularly in relation to the misuse of personal data, e.g. an employee's fear that their data will be used by their employer for purposes other than those presented to them. This may result in incorrect information being provided and, consequently, the system generating incorrect results.

    The Authority suggests first presenting the information related to the use of AI to a test group in order to explore the target group's reaction, including what data they will be reluctant to share. This highlights the importance of the vocabulary the controller uses when complying with the GDPR information obligation.

  • Checklist of AI transparency

    The report also includes a list of issues to consider when complying with the GDPR transparency obligations, which can be read here.


E-commerce

UOKiK examines how entrepreneurs have complied with regulations arising from the Omnibus Directive

As of 1 January 2023, new rules resulting from the implementation of Directive (EU) 2019/2161 of the European Parliament and of the Council of 27 November 2019 amending Council Directive 93/13/EEC and Directives 98/6/EC, 2005/29/EC and 2011/83/EU of the European Parliament and of the Council as regards the better enforcement and modernization of Union consumer protection rules (the so-called Omnibus Directive) into national law are in force.

The UOKiK checked whether and how entrepreneurs complied with the new rules on making the lowest price visible from the 30 days preceding the announcement of a promotion. For this purpose, the UOKiK checked around 40 websites of e-commerce entrepreneurs in various industries. 

  • UOKiK President's reservations

    The President of the UOKiK drew attention to the following irregularities:

    • Provision of the current sales price and crossed out price without specifying what the crossed out price actually is.
    • Provision of the current sales price and crossed out price, where the explanation that the crossed out price is the lowest price of the item in 30 days before the discount is shown only after it is expanded.
    • Calculating the amount of discount (e.g. 20%, PLN 150) in connection to the last standard price of an item and not the lowest one from the last 30 days.
    • Using phrases other than “lowest price in 30 days before the discount”, i.e. “reference price”.
    • Presenting information on the lowest price in place within 30 days before the discount in an illegible manner: font, colours, contrast. 
  • Call for clarification and change of inappropriate practices

    The President of the UOKiK called on the inspected entrepreneurs to provide explanations and change the questioned practices. The President of the UOKiK announced that, if they do not comply, further actions are possible, including bringing charges of violating collective consumer interests.

    If a breach of collective consumer interests is found, the President of the UOKiK may impose a penalty of up to 10% of turnover per company and up to PLN 2 million per manager.

  • Recommendations of the President of the UOKiK

    • The seller should display the lowest price of the 30 days prior to the discount in a way that is clear and unambiguous to the consumer. The lowest price may be crossed out (as long as it is still legible).
    • The seller should indicate next to the price displayed as the reference price that it is the lowest price of the last 30 days before the reduction. It is bad practice to present this message only after the link has been expanded or in a much smaller font than the reduced price, using illegible colour or low contrast. The information about the lowest price should be presented in close proximity to the current price.
    • If the seller sells goods via different channels (e.g. in brick-and-mortar shops and an online shop) and advertises a price reduction in these channels, they must indicate the lowest price applicable in the 30 days prior to the reduction, relevant to each sales channel.
  • Announcement of further actions by the UOKiK

    The Authority will also soon be looking into:

    • whether and how entrepreneurs operating online who provide consumer opinions inform consumers about how they verify the reliability of those opinions (if they do not conduct such verification, they should also inform consumers of that);
    • whether and how retail platforms provide information on the main parameters deciding on the order the products appear in search results, as well as whether and how they disclose which offers are paid advertisements or were placed higher due to a payment;
    • whether and how the platforms provide information on the status of the person offering goods or services - whether it is an entrepreneur or private individual;
    • whether entrepreneurs operating online provide a phone number allowing consumers to effectively contact them.

Alert GDPR

Sectoral control plan 2023

The Personal Data Protection Office has adopted the sectoral control plan for 2023. In the current year, the Office will focus on the control of mobile and internet (web) applications. In particular, the Personal Data Protection Office intends to control how personal data processed in connection with the use of such applications is secured and shared.

The Personal Data Protection Office's detailed sectoral audit plan for 2023 is set to cover the following categories of entities:

1. Authorities processing personal data in the Schengen Information System and the Visa Information System - processing of SIS/VIS personal data on the basis of the provisions of the Act of 24 August 2007 on the participation of the Republic of Poland in the Schengen Information System and the Visa Information System, implementing acts and European Union regulations.

2. Entities processing personal data using mobile apps - how to secure and share personal data processed in connection with the use of apps.

3. Entities processing personal data using online (web) applications - how to secure and share personal data processed in connection with the use of the application.

Bearing in mind the control plan adopted by the Personal Data Protection Office, we encourage you to audit your mobile and web applications for compliance with data protection regulations.

Source: The Personal Data Protection Office

As each year begins, hundreds of works enter the public domain. The works of authors who died more than 70 years ago become public domain, which means that they can be freely copied, modified and distributed, including for commercial purposes.

With the beginning of 2023, original versions of works by authors who died in 1952 entered the public domain. It should be emphasized that translations of these works, i.e. dependent works, are protected as independent objects of copyright. This means that they will only enter the public domain 70 years after the death of their creators, i.e. the authors of the translation.

On 1 January 2023, works by authors such as the following entered the public domain:

  • Waldemar Bonsels – author of the world-famous children's book "Pszczółka Maja i jej przygody"
  • Maria Montessori – author of the Montessori philosophy of children's education
  • Ferenc Molnár – author of the novel "Chłopcy z Placu Broni"
  • Adam Półtawski – graphic artist and typographer, author of the typeface "Antykwa Polska", popular from the times of the Second Polish Republic to the present day
  • Stefan Norblin – artist, painter and architect

You can find a full list of authors who died in 1952 and whose work has passed into the public domain at the link: 2023 in public domain - Wikipedia

Summary

Here is the next study prepared as part of the Make IT clear program.

Every month we will show you the trends that entrepreneurs should follow and the solutions that should be implemented in order to be up to date with the law of technology, intellectual property and data protection. We will also indicate the risks and challenges associated with your business.

Do not hesitate to contact us!
