10 minute read 30 Mar 2023

Make IT clear - 03/2023

Authors
Justyna Wilczynska-Baraniak

EY Polska, EY Law, Intellectual Property, Technologies and Personal Data, Partner, Attorney-at-law

Intellectual Property, Technology and Personal Data Team Leader. Experienced in legal advisory for multi-jurisdictional clients.

Joanna Ostrowska (Gałajda)

EY Poland, EY Law, Senior Manager

Joanna Ostrowska is a Senior Manager in the TMT and IP practice, responsible for cloud computing and cybersecurity projects.

Maciej Bisch

EY Poland, EY Law, Manager, Attorney-at-law

Lawyer with years of experience in intellectual property law, data protection, commercial company law and dispute resolution.

Here are the Make IT clear special materials for 03/2023.

 

Topics discussed:

  • Intellectual property - Unitary patent protection in Europe
  • IT - European Data Protection Board report on the use of cloud services by the public sector 
  • Cybersecurity - New rules on abuse of electronic communications
  • Data protection - Right of access to one's own data - obligation to indicate the exact identity of the data recipients 
  • E-commerce - Work continues on new directive on liability for defective products 
  • Legal Alert – Protection of business secrecy

Chapter 1

Intellectual property

Unitary patent protection in Europe

European patent with unitary effect 

Until now, there has been no unitary patent system in Europe, which would allow a patent to be registered in all member states without the need for verification by national offices. The Unified Patent System and the Unified Patent Court have been under development since 2012 and are expected to become operational on 1 June 2023. The novelty of this system is that the patent will be granted collectively in the territory of all EU countries that have acceded to the Agreement and no validation will be required at national level. This represents a breakthrough in patent protection and will significantly shorten the path for entrepreneurs wishing to obtain such protection.

Key features of the new system 

  • The new system will not replace existing registration systems - it will be an additional avenue for international patent registration, where the application will not be verified at national levels.
  • The patent registration will not cover all European countries - only those that have acceded to the Unified Patent Court Agreement. At the time of publication, 17 member states have ratified the Agreement. Poland has not yet acceded to the Agreement.
  • A Unified Patent Court (UPC) will be established. Until now, disputes have been resolved exclusively by national courts. The UPC gives the possibility to litigate in an international procedure. The court will have jurisdiction over disputes relating to the patent with unitary effect and the European patent. With regard to the European patent, states have the option to opt out of submitting cases to the jurisdiction of the UPC.

Advantages and disadvantages of unitary patent protection 

Advantages:

  • Less complicated and cheaper procedure - a European patent with unitary effect will be valid across a dozen EU countries without the need for additional registration at national level.
  • The establishment of an international court will ensure uniformity of jurisprudence - reducing legal uncertainty.

Disadvantages:

  • Possibility of losing protection in the territory of multiple countries at the same time.
  • The economic sense of protection by a patent with unitary effect depends on the individual needs of the company. The solution may be suboptimal if the company's strategy is to explore the market and leave the protection right only in certain countries.

Potential impact on Polish entrepreneurs 

Poland has not joined the Unified Patent Court Agreement, but the new system will have an impact on Polish entrepreneurs. The case law of the UPC will influence the shape of Polish patent law and the judgments of Polish courts. In addition, a Polish entrepreneur will have the possibility to obtain a patent with unitary effect. In such a case, the protection right will not cover Poland, but the territory of the countries that signed the Agreement. As a result, it will be possible to enforce one's rights related to the unitary protection right before the UPC. 

Chapter 2

IT

European Data Protection Board report on the use of cloud services by the public sector

In a report dated 17 January 2023, the European Data Protection Board ("EDPB") provided a list of issues under the GDPR Regulation that public sector entities should pay particular attention to when contracting with cloud service providers.

List of issues 

Public entities should consider the following, without prejudice to other obligations under the GDPR Regulation, to ensure that cloud deployments comply with the GDPR Regulation:

  • conducting a data protection impact assessment (DPIA);
  • ensuring that the roles of the parties to the contract are clearly and unambiguously defined;
  • ensuring that cloud providers act only on behalf of the public entity and in accordance with its documented instructions;
  • identifying personal data processed by the cloud provider as a controller;
  • ensuring that a viable objection to the involvement of new sub-processors is possible;
  • ensuring that the scope of personal data is determined in relation to the purposes for which they are processed;
  • the involvement of a data protection officer;
  • cooperation with other public entities in negotiations with the cloud provider; 
  • verifying that the processing is carried out in accordance with the data protection impact assessment;
  • ensuring that the procurement procedure provides for all necessary requirements for compliance with the GDPR;
  • ensuring compliance with Chapter V of the GDPR by identifying and implementing complementary measures where necessary;
  • analyzing the third country legislation that could apply to a specific cloud provider and could allow requests from third country authorities to access data stored by the cloud provider in the European Union;
  • verification of the conditions under which a public authority may carry out and participate in audits.

Would you like to know more?

The entire EDPB report can be found at the link:

edpb_20230118_cef_cloud-basedservices_publicsector_en.pdf (europa.eu)

Chapter 3

Cybersecurity

New rules on abuse of electronic communications

On 2 March 2023, a government bill on combating abuse of electronic communications was submitted to the Sejm. The new legislation is expected to enter into force 30 days after its publication in the Journal of Laws. Once it enters into force, a public entity's email provider will have three months to implement SPF, DMARC and DKIM mechanisms and six months to provide an email offering that allows the use of multi-component authentication methods.

The new provisions contain the rights and obligations of telecommunications undertakings and the competences of the President of the Office of Electronic Communications related to preventing and combating abuse of electronic communications.

  • Prohibition of abuse in electronic communication

    The Act contains an open catalogue of electronic communication abuse, due to the impossibility of identifying all forms of abuse in the light of rapid technological progress. Four specific (basic) forms of abusive communication have been identified:

    • generating artificial traffic - this is the initiation of long, long-distance calls that do not carry any content (so-called deaf phone calls);
    • smishing - these are fake text messages from a courier, bank or public institution containing, for example, a link to a website encouraging the submission of personal data or the transfer of electronic funds;
    • spoofing - impersonating the telephone number of a trusted institution or other person and attempting to intimidate the victim or trick them into providing money or personal data;
    • unauthorized change of address information - criminals modify the number they are calling from to make identification more difficult - this form of fraud is used, for example, to make billing for a call more difficult.
  • New obligations for e-mail providers

    Telecommunications undertakings will be required to take proportionate organizational and technical measures to counter abuse of electronic communications. One such measure is blocking SMS messages that contain smishing content and blocking voice calls that aim to impersonate another person or institution.

    From the effective date of the new rules, email providers for at least 500,000 users, 500,000 active accounts or public entities will be required to use SPF/DKIM/DMARC authentication mechanisms when providing email. Public entity email providers will also have to offer the use of multi-component authentication methods.

  • List of numbers maintained by the Office of Electronic Communications

    The President of the Office of Electronic Communications will maintain a list of telephone numbers used exclusively for receiving voice calls. Public finance sector units, banks and other financial or insurance institutions will be able to apply for a number to be included on the list. This solution will limit the possibility for fraudsters to impersonate employees of public offices or banks by using the hotline numbers visible on the public websites of these entities.

  • List of domain warnings

    Between January 2022 and November 2022 alone, NASK's CSIRT identified a total of 38,999 domains that are designed to mislead internet users and defraud them of their data and funds. The bill includes a definition of an alert list - this is an open warning list of internet domains that are used to fraudulently obtain data and disadvantage users.

    The draft introduces a regulation under which anyone will be able to report to the NASK CSIRT an Internet domain that may be used for fraud. To simplify the procedure, the obligation to justify the report has been waived, although a justification may still be provided. The NASK CSIRT will be able to put a domain on the warning list after verifying that the primary purpose of the domain is indeed to mislead and defraud internet users or to lead them to a disadvantageous disposition of property. The mechanism proposed by the International Telecommunication Union will be used, among others, to determine the 'primary purpose' of a website.

  • Sanctions

    Telecommunications undertakings that fail to fulfil the obligations provided for in the draft law may face, among other things, a fine of up to 3% of the revenue generated by the undertaking in the previous calendar year. Abuse of electronic communication, as defined in the bill, will be criminalized. Anyone who engages in generating artificial traffic, smishing, CLI spoofing or unauthorized modification of address information for the purpose of gaining a material or personal benefit or causing damage to another person will be subject to a penalty of imprisonment from 3 months to 5 years.

Chapter 4

Data protection

Right of access to one's own data - obligation to indicate the exact identity of the data recipients

Judgment of the CJEU in case C-154/21

In its judgment of 12 January 2023 in Case C-154/21, the CJEU explicitly ruled that the right of access to one's own data contained in Article 15(1)(c) of the GDPR (Regulation 2016/679) means that, where the data has been or will be disclosed to recipients, it is incumbent on the controller to provide that person with the exact identity of the recipients of his or her data. Providing only the category of recipients is not sufficient. The data controller may limit himself to indicating "categories of recipients" only exceptionally, where:

  • it is not possible to identify those recipients; or
  • the request is unjustified or excessive.
  • Factual situation

    A German citizen made a request under Article 15 of the GDPR to the main postal and logistics service provider in Austria, Österreichische Post, for information regarding the identity of the recipients to whom Österreichische Post provided his personal data. Österreichische Post provided only general information, indicating the category of recipients rather than their exact identity. Österreichische Post, in the course of its activities as a publisher of address books, offered citizens' data to its business partners for marketing purposes. In addition, data was passed on to customers, including advertisers in the mail order and stationary trade sector, IT companies, address book publishers and associations such as charities, non-governmental organizations (NGOs) or political parties.

  • Question for a preliminary ruling

    A citizen sued Österreichische Post and, as a result, the Oberster Gerichtshof, the highest court in Austria, deciding the dispute at last instance, referred a question to the CJEU for a preliminary ruling on the interpretation of Article 15(1)(c) of the GDPR:

    • whether the GDPR leaves the controller the choice whether to disclose the specific identity of the recipients of the data or only the categories of recipients, and
    • whether the GDPR grants the data subject the right to know the specific identity of those recipients.
  • Everyone has the right to know to whom personal data concerning them has been transmitted

    In response, the CJEU clarified that, when the right of access to personal data is exercised, the controller is obliged to indicate to the data subject, upon request, the exact identity of those recipients and not only the category of recipients. Such action is intended to guarantee the actual exercise of this right, which enables the exercise of other rights granted by the GDPR such as the right of rectification, the right to erasure ("the right to be forgotten"), the right to restrict processing, the right to object to processing and the right to a remedy in case of harm.

    Exceptionally, in specific circumstances, the controller may not provide the exact identity of the recipients when it is not (yet) possible to identify those recipients or when the controller demonstrates that the request is manifestly unfounded or excessive. This is the case when, for example, the processing serves archival purposes in the public interest, scientific or historical research purposes or statistical purposes. 

  • Who is the data recipient?

    According to the GDPR, "recipient" means a natural or legal person, public authority, individual or other entity to whom personal data is disclosed, whether or not a third party. However, public authorities that may receive personal data in the context of a specific proceeding in accordance with Union or Member State law are not considered recipients.

Chapter 5

E-commerce

Work continues on new directive on liability for defective products

On 28 September 2022, the European Commission published a proposal for a new directive on liability for defective products. The new directive is intended to amend the existing Directive 85/374/EEC on product liability, adopted almost 40 years ago - in 1985.

The proposal aims to adapt the product liability regime in the European Union to the digital age, the circular economy business models present in the market and global value chains.

Legal Alert 

Protection of business secrecy

For any entrepreneur building his or her market position through innovation, new technologies and commercially valuable information, the protection of business secrets is extremely important. Company secrecy is often the most valuable element of an entrepreneur's assets.

In Polish law, a business secret is defined as information that collectively fulfils three prerequisites:

  • the information is technical, technological or organizational information of the company, or other information having economic value,
  • the information is confidential, i.e. it is not generally known to persons normally dealing with this type of information or is not easily accessible to such persons, and
  • the person entitled to use or dispose of the information has taken steps, exercising due diligence, to keep it confidential.

The above prerequisites can be interpreted in a number of ways, so it is not always clear whether all requirements have in fact been met.

EY Law has prepared a guide to protecting business secrets, including:

  • a discussion of the most important legal regulations related to the protection of business secrets;
  • a knowledge pill on the prerequisites for declaring a given piece of information a business secret;
  • advice on how to enforce your rights in the event of a breach of business secrecy;
  • the latest trends in this area.

The report is available on Lexology:

https://www.lexology.com/gtdt/tool/workareas/report/trade-secrets/chapter/poland

Summary

Here is the next study prepared as part of the Make IT clear program.

Every month we will show you the trends that entrepreneurs should follow and the solutions that should be implemented in order to be up to date with the law of technology, intellectual property and data protection. We will also indicate the risks and challenges associated with your business.

Do not hesitate to contact us!
