10 minute read 31 May 2023
make it clear

Make IT clear - 04-05/2023

Authors
Justyna Wilczynska-Baraniak

EY Polska, EY Law, Intellectual Property, Technologies and Personal Data, Partner, Attorney-at-law

Intellectual Property, Technology and Personal Data Team Leader. Experienced in legal advisory for multi-jurisdictional clients.

Joanna Ostrowska (Gałajda)

EY Poland, EY Law, Senior Manager

Joanna Ostrowska is a Senior Manager in TMT an IP practice, responsible for cloud computing and cybersecurity projects.

Maciej Bisch

EY Poland, EY Law, Manager, Attorney-at-law

Lawyer with years of experience in intellectual property law, data protection, commercial company law and dispute resolution.

10 minute read 31 May 2023
Related topics Law

 

Here is the Make IT clear special materials 04-05/2023

 

Topics discussed:

  • U.S. Supreme Court's much-awaited ruling
  • IT - The European Parliament has adopted the content of the regulation of AI
  • Cybersecurity - Implementation of the NIS2 Directive in Poland - key business challenges
  • Data protection - Update on the activities of the European Data Protection Board
  • E-commerce - Explanations of the President of the OCCP on price reductions - selected issues 
  • Legal Alert – Protection of business secrecy
U.S. Supreme Court's much-awaited ruling
(Chapter breaker)
1

Chapter

Intellectual property

U.S. Supreme Court's much-awaited ruling

18 May 2023. The US Supreme Court has handed down its ruling in the case between the Andy Warhol Foundation for the Visual Arts and photographer Lynn Goldsmith.

The ruling is crucial in terms of interpreting the US construction of 'fair use'. In Poland, the institution most similar to 'fair use' is the institution of permitted use regulated by the Act on Copyright and Related Rights of 4 February 1994.

Case study

In 1981, photographer Lynn Goldsmith took an iconic photograph of Prince. Three years later, Andy Warhol used the photograph as the basis for a series of new works (including an orange silkscreen print of Prince's photograph - Orange Prince - subsequently featured on the cover of Vanity Fair) claiming that he had taken 'inspiration' from the original image.

The photographer claimed that her rights had been infringed (she did not receive any remuneration for this; a royalty was paid, but to the Andy Warhol Foundation).

On 1 July 2019. The Court of First Instance ruled that, within the series of works created by Andy Warhol, there were grounds for assuming fair use and, on the same basis, dismissed Lynn Goldsmith's counterclaim for copyright infringement. The court of first instance ruled in favour of the Warhol Foundation. In its reasoning, the court pointed out that the more appreciated and distinctive the artist's work and style, the greater the artist's entitlement to adopt others' works.

Lynn Goldsmith appealed against the judgment of the Court of First Instance. In the appeal, she raised, inter alia, the allegation that the Court of First Instance misapplied the institution of fair use.

The Court of Appeal amended the judgment by ruling that the Court of First Instance had misapplied the institution of fair use.

The Court of Appeal did not share the position of the court of first instance that the Prince series was "transformative" in relation to the photograph in question. The Court of Second Instance indicated that Andy Warhol's works were 'much closer to presenting the same work in a different form. The Court of Appeals found it significant that the series at issue retained the essential elements of Lynn Goldsmith's photographs 'without significantly adding or altering those elements’.

The case has now reached the US Supreme Court.

Lawyers for the Andy Warhol Foundation argued that Andy Warhol had sufficiently transformed the photographs, so there was no copyright infringement.

The Supreme Court ruled on 18 May 2023 that Andy Warhol had indeed infringed Lynn Goldsmith's copyright when he created his 'Prince' series of works. The court rejected claims by lawyers for the Andy Warhol Foundation that his work was sufficiently transformative.

Not all judges shared this opinion, but the majority ruled in favour of photographer Lynn Goldsmith.

What impact can this judgment have? 

The Supreme Court's decision in this case may primarily affect US AI companies, which have so far based their operations precisely on the construct of 'fair use’.

US and European AI companies base their operations on the institutions of fair use. This is because AI relies heavily on material that is protected by copyright law.

The criteria considered for 'fair use', however, are so vague that there can be many interpretations. Consequently, in the US, court decisions are shaping interpretations of this legal construct. Of course, time will tell to what extent the US courts will interpret the ruling expansively, and to what extent they will find that the present case involved entirely different, specific facts.

Two US institutions that call for the protection of works from artificial intelligence, i.e. the Recording Industry Association of America and the National Music Publishers Association, are satisfied with the Supreme Court ruling.

Furthermore, the Supreme Court's ruling in the case described above may have positive consequences for all photographers whose copyrights have been infringed because someone has been 'inspired' by their work. 

The European Parliament has adopted the content of the regulation of AI
(Chapter breaker)
2

Chapter

IT

The European Parliament has adopted the content of the regulation of AI

On 14 June, the European Parliament adopted a negotiating position on the Artificial Intelligence Act (AI Act). The next step on the AI Act legislative path will be the negotiations with the Council of the European Union on the final form of the regulation.

Purpose of the AI Act

The main objectives of the AI Act are:

  • to create regulations that limit the risks associated with the use of artificial intelligence,
  • to ensure a high level of security for companies and individuals and at the same time to promote the development of AI technologies,
  • to harmonize regulations for the marketing, provision and use of AI systems in the European Union. 

Classification of AI systems

Classification of AI systems using a risk-based approach:

  • of minimal risk, which will not be subject to regulation and can be freely developed (usually for internal or private use); 
  • low-risk, whose providers will be obliged to comply with appropriate information and transparency requirements,
  • high risk, i.e. systems that will significantly invade people's privacy, which may include remote biometric identification. The AI Act provides for numerous obligations on both providers and users regarding the use of high-risk AI systems.

Examples of provisions adopted by the EP

  • an obligation to carry out a fundamental rights impact assessment (AI impact assessment) before commissioning a high-risk AI system;
  • expanding the types of AI by adding, inter alia, a definition of "fundamental model", i.e. an AI model trained on broad data, at large scale and designed for generality of results that can be adapted to a wide range of characteristic tasks;
  • expanding the definition of high-risk AI system to include, inter alia, systems that may result in harm to health, safety, fundamental rights or the environment,
  • extension of the list of prohibited practices to include, inter alia, numerous uses of biometric data, e.g:
  1. oex post (follow-up) biometric identification of persons - except in the case of the most serious crimes and subject to judicial approval;
  2. obiometric categorization of persons on the basis of sensitive, individual and group characteristics (e.g. gender, race);
  3. ocrime prediction, i.e. systems enabling the profiling of potential offenders using behavioral, trait or geo-location data;
  4. oemotion recognition systems used, for example, for crime fighting purposes;
  5. oapplications based on mass data retrieval from the Internet or video surveillance cameras;
  • ensure the right of citizens to complain about AI systems and receive explanations for decisions based on high-risk AI systems that have a significant impact on their rights;
  • increasing the maximum amount of potential penalties to as much as €40 million or 7% of the company's total annual worldwide turnover from the previous financial year.
Implementation of the NIS2 Directive in Poland - key business challenges
(Chapter breaker)
3

Chapter

Cybersecurity

Implementation of the NIS2 Directive in Poland - key business challenges

The Directive on measures for a high common level of cyber-security within the Union (NIS2 Directive) provides legal measures to increase the overall level of cyber-security in the EU. EU cyber-security legislation introduced in 2016 was updated by the NIS2 Directive, which came into force in 2023. 

  • Managing cyber security in the organization

    • NIS2 significantly increases the number of entities that will be required to provide cyber security as required by NIS2.
    • To ensure that an organization's internal governance meets the requirements of NIS2, each entity should:
    1. ohave an information security policy,
    2. oprevent, detect and respond to incidents,
    3. oensure business continuity and crisis management,
    4. omanage vulnerabilities,
    5. oreport incidents.
    • In order to adapt smoothly to the changes introduced by NIS2, which should be considered one of the main challenges, knowledge, financial and human resources are required - which can be a challenge for many actors. 
  • Outsourcing management

    • One of the key aspects of NIS2 is ensuring security in the supply chain.
    • The main challenges in this regard:
    1. oinability of organizations to oversee the supply chain themselves,
    2. oambiguous criteria for assessing suppliers, which create uncertainty about the viability of a device.
  • Increased cost of doing business

    A lack of experience and resources to ensure NIS2 compliance will force organizations to outsource, which can increase the cost of doing business. 

  • EY report

    The EY Law Polska team, together with the EY Consulting Polska team, have produced the report "The Future of Cyber Security in Europe. Challenges of the NIS2 Directive", which includes a discussion of the following issues:

    • Impact of the NIS2 Directive on different stakeholders.
    • Recommended actions for NIS2 entities.
    • Macroeconomic impact of the NIS2 Directive,
    • An expanded regulatory regime for cyber security in the EU,
    • Different approaches to the implementation of the NIS Directive and their impact on the implementation of the NIS2 Directive in different EU Member States. 

    We invite you to download the report from the EY website:

    https://www.ey.com/en_pl/law/the-future-of-cybersecurity-in-europe-nis2-directive

Update on the activities of the European Data Protection Board
(Chapter breaker)
4

Chapter

Data protection

Update on the activities of the European Data Protection Board

The European Data Protection Board is the institution that ensures the consistent application of the General Data Protection Regulation (GDPR). It is composed of representatives of data protection authorities from the 27 EU Member States and 3 European Economic Area countries, as well as the European Data Protection Supervisor.

Below is a selection of updates on the activities of EDPB. 

  • Highest penalty in GDPR history

    Following a binding EDPB decision on 13 April 2023, Meta Platforms Ireland Limited (Meta IE) has been fined €1.2 billion following an investigation into its Facebook service by the Irish Data Protection Authority (IE DPA).

    The penalty was imposed for Meta's transfer of personal data to the US under standard contractual clauses (SCCs) from 16 July 2020. In addition, Meta was required to bring its data transfers into compliance with the GDPR.

    The €1.2 billion fine is the largest ever imposed under GDPR. The previous record holder was Amazon, which had to pay a fine of €764 million two years ago. In addition, in January 2023.

    Meta was fined €390 million in Ireland for forcing users to consent to personalized ads, in breach of EU privacy rules.

    Meta's breach is "very serious as it concerns a transfer that is systematic, repetitive and continuous", commented Andrea Jelinek, president of the European Data Protection Board, on the decision. She further added that "Facebook has millions of users in Europe, so the amount of personal data transferred is huge. The unprecedented penalty sends a strong message to the organization that serious breaches have far-reaching consequences." 

  • New guidelines adopted

    Following a public consultation, the EDPB  has adopted the final version of the Guidelines on Facial Recognition Technology in Law Enforcement. The guidelines provide guidance to EU and national legislators, as well as law enforcement authorities, on the implementation and use of facial recognition technology systems. Among other things, the guidelines emphasize that facial recognition tools should only be used in strict compliance with the Police Directive.

    Link: Guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement | European Data Protection Board (europa.eu)

  • Establishment of a special group

    EDPB has set up a specific task force on ChatGPT. This is because the use of this tool may involve the processing of personal data. The implementation of ChatGPT in professional activities raises new challenges, also with regard to the protection of personal data. 

    You can find out more about updates in the operation of the EDPB on the website: EDPB | European Data Protection Board (europa.eu)

Explanations of the President of the OCCP on price reductions - selected issues
(Chapter breaker)
5

Chapter

E-commerce

Explanations of the President of the OCCP on price reductions - selected issues

From 1 January this year, traders organizing discounts must report the lowest price of the 30 days preceding the promotion. The new rules are intended to prevent price juggling, i.e. raising prices just before a sale in order to give the impression that the discount is more attractive than it actually is.

On 8 May this year, the full explanations of the President of the Office of Competition and Consumer Protection on price reductions were published. The explanations of the President of the OCCP are very extensive, so we will present selected issues. 

  • Reference period for calculating lowest price

    • The reference period for calculating the lowest price of the 30 days prior to discounting shall comprise 30 consecutive calendar days. It shall be set so that its last day is the day before the day on which the good or service could be purchased for the first time at the discounted price. The time limit does not change as long as the promotion continues under unchanged conditions, even if it is longer than 30 days.
    • If the price reduction lasts longer than 30 days, it is particularly important that the trader states the dates on which it will apply. Long-lasting promotions may be considered to be misleading to consumers.
    • In order to determine the reference period, it is irrelevant whether the goods were available at all times during that period. Indeed, the reference period is the 30 calendar days, not the 30 days in which the goods were available.
    • For the determination of the reference period, it is also irrelevant when the communication of the reduction or the preparation of the marketing material took place.
  • Reference point for the calculation of the reduction

    The OCCP guidelines indicate that the lowest price in the last 30 days prior to the reduction should be taken as the reference point for calculating the size of the reduction. Therefore, calculating the size of the reduction on the basis of the regular price is not acceptable.
     

  • Dynamic prices

    • "Dynamic pricing" is colloquially defined as a selling price determined on the basis of time-varying criteria influencing the price (dynamic pricing). Dynamic pricing, on the other hand, is to be distinguished from price individualization as referred to in Article 12(1)(5a) of the Consumer Rights Act - individual price adjustment on the basis of automated decision-making).
    • If a reduction in the price of a service (e.g. transport, accommodation, meal preparation) is announced, the trader must display the lowest price 30 days before the reduction.
    • In the case of services whose prices are calculated on the basis of components that are subject to dynamic pricing (e.g. in the case of a transport service, the price per km, in the case of an accommodation service, the price per hotel night), the comparison of the selling price and the lowest price from 30 days before the reduction must be made using the same mechanisms.
    • Prices are calculated on a component basis subject to the trader also being able to differentiate between services - e.g. an overnight service at the weekend may be treated as a different service from an overnight service during the week. 

Summary

Here is the next study prepared as part of the Make IT clear program.

Every month we will show you the trends that entrepreneurs should follow and the solutions that should be implemented in order to be up to date with the law of technology, intellectual property and data protection. We will also indicate the risks and challenges associated with your business.

Do not hesitate to contact us!

Contact us

Interested in the changes we have made here,

contact us to find out more.