Make IT Clear - No. 11/2022

Case study from the USA

For the first time ever, New York-based artist Kris Kashtanova has received copyright acknowledgement for his comic book called 'Zarya of the Dawn', which was created with the help of the artificial intelligence Midjourney. Kashtanova has registered this comic as a visual work. Zarya of the Dawn is a work available on the AI Comic Books website. Kashtanova argues that he created the comic "with AI assistance". More precisely, this means that he conceived the storyline, created the layout of the panels and made artistic choices, fitting specific AI creations into a coherent whole.

The case is so interesting that the Copyright Office (USCO) has recognized work created by a human using AI as the property of the creator.

The author's goal, as he mentions, "was to reaffirm the fact that it is the artist who owns the copyright to his work, even if he creates something using AI." He was keen to set a precedent in law.

Certainly Zarya of the Dawn can set new standards in the industry. Firstly, the illustrator has become a machine, and secondly, copyright has been granted to such work. For the moment, the question of whether AI can itself be the creator of a work still remains without a definitive answer.

Overview

Entry into force: the DSA will formally enter into force on the twentieth day following its publication in the Official Journal of the European Union, but the main part of it will not become effective until 1 January 2024 at the earliest.

Territorial scope: European Union

Applicability in Poland: The DSA has been adopted in the form of a regulation and is therefore directly applicable in all Member States.

Relationship of the DSA to other sectoral regulations: As the DSA is a horizontal act - it does not replace or amend sectoral regulations, but complements them. For example, the DSA will complement the GDPR.

Relationship of the DSA to the E-Commerce Directive: The DSA will not significantly affect the E-Commerce Directive. It will repeal and regulate the Directive's provisions on mere conduit, hosting and caching services.

Relationship of the DSA to the Act on the provision of electronic services: The DSA will not repeal the entire Act, but only a few of its provisions.

Personal scope of the DSA: The DSA applies to providers of intermediary services offering network infrastructure, i.e:

• hosting services;
• online platforms bringing together sellers and consumers, e.g. app shops, online shopping platforms, social media platforms;
• very large online platforms posing a particular risk of spreading illegal content and risk of social harm.

DSA vs. cloud: as part of recent work on the law, cloud services are not considered an internet platform: "For the purposes of this Regulation, cloud computing services should not be considered an internet platform in cases where enabling the dissemination of specific content is a secondary or ancillary feature."

Overview

Effective date: It is not known when the Cyber Resilience Act will come into force, as work on it is ongoing. A public consultation was held from 6 to 17 October 2022. Once the regulation is adopted, Member State manufacturers will have two years to comply with the new requirements. The obligation to report vulnerabilities and incidents will already apply 12 months after entry into force.

Territorial scope: European Union

Applicability in Poland: The Cyber Resilience Act is to be adopted in the form of a regulation and is therefore directly applicable in all Member States.

Personal scope:

• manufacturer - any person who develops or manufactures goods with digital elements or has products with digital elements designed;
• importer - any person established in the Union who places on the market a product with digital elements that bears the name or trademark of a natural or legal person established outside the Union;
• distributor - any person in the supply chain, other than the manufacturer or the importer, who makes a product with digital elements available on the Union market.

Scope: The Cyber Resilience Act has a broad scope of application. It applies to all products with digital elements whose use involves direct or indirect logical or physical data connection. A product with digital elements in this context means any software or hardware product with remote data processing solutions.

Case study from the USA

Instagram owner Meta has been fined €405 million by the Irish Data Protection Commissioner, Irish Data Protection Commissioner for allowing teenagers to create accounts that publicly displayed their phone numbers and email addresses.

The investigation began after a data scientist discovered that users, including under-18s, were switching to business accounts and having contact information displayed on their profiles.

Instagram allowed users aged between 13 and 17 to have business accounts on the platform, which showed users' phone numbers and email addresses.

The Irish Data Protection Commissioner also found that the platform operated a user registration system in which the accounts of users aged 13 to 17 were set to 'public' by default.

The fine is the second largest under data protection law. First place is still held by Amazon with a €746 million fine imposed in July 2021.

In a statement issued, Meta said it will appeal the penalty. A Meta spokesperson stated, among other things, that "this investigation focused on old settings that we updated over a year ago, and since then we have released many new features to help keep teens and their private information safe."

This is yet another fine imposed on one of Mark Zuckerberg's companies. Previously, the tech giant was fined €17 million in 2022 for failing to protect user data from breaches. Then, in September 2021, WhatsApp was fined $266 million for not being transparent enough with users about sharing their data with its parent company.

Overview

Deadline for entry into force: The implementation of the Directive should be adopted by EU Member States by 28 November 2021 and the new legislation should apply in individual Member States from 28 May 2022. To date, only 14 EU countries have complied with this obligation. In Poland, the legislation is still being revised.

How it will be applied in Poland: As the Omnibus is a directive, it must be implemented into the national legal order. To date, the directive has not been implemented.

Personal scope: The circle of addressees of the Omnibus Directive is very broad. For example, it includes:

• stationary shops;
• own online shop;
• Internet trading platforms (the Directive provides a definition of this);
• product search engines and price comparison websites;
• marketing service providers;
• promotional information intermediaries;
• providers of ratings and other opinion-checking tools.

The most significant obligations are:

• informing about the earlier price in case of a price reduction;
• checking that reviews actually come from consumers who have actually purchased/used the reviewed products/services;
• applying the GDPR and consumer protection law to contracts for the provision of digital content or digital services without the consumer paying a certain amount of money, but in exchange for their personal data;
• informing whether or not the price presented is personalized on the basis of automated decision-making and profiling.

Regulatory tsunami? No worries! 

Take a look at our regulatory map and click on the link for more information:

European Digital Map