10 minute read 30 Nov 2022
make it clear

Make IT Clear - No. 11/2022

Authors
Justyna Wilczynska-Baraniak

EY Polska, EY Law, Intellectual Property, Technologies and Personal Data, Partner, Attorney-at-law

Intellectual Property, Technology and Personal Data Team Leader. Experienced in legal advisory for multi-jurisdictional clients.

Joanna Ostrowska (Gałajda)

EY Poland, EY Law, Senior Manager

Joanna Ostrowska is a Senior Manager in TMT an IP practice, responsible for cloud computing and cybersecurity projects.

Maciej Bisch

EY Poland, EY Law, Manager, Attorney-at-law

Lawyer with years of experience in intellectual property law, data protection, commercial company law and dispute resolution.

10 minute read 30 Nov 2022
Related topics Law

 

Here is the first edition of Make IT clear special materials 11/2022

 

Topics discussed:

  • Intellectual property -Copyright to a work created by AI
  • IT -Digital Services Act 
  • Cybersecurity - Cyber Resilience Act - Another EU response to cyber threats
  • Data protection -Lessons from another breach at tech giant 
  • E-commerce - The Omnibus Directive - a revolution in e-commerce
Copyright to a work created by AI
(Chapter breaker)
1

Chapter

Intellectual property

Copyright to a work created by AI

Case study from the USA

For the first time ever, New York-based artist Kris Kashtanova has received copyright acknowledgement for his comic book called 'Zarya of the Dawn', which was created with the help of the artificial intelligence Midjourney. Kashtanova has registered this comic as a visual work. Zarya of the Dawn is a work available on the AI Comic Books website. Kashtanova argues that he created the comic "with AI assistance". More precisely, this means that he conceived the storyline, created the layout of the panels and made artistic choices, fitting specific AI creations into a coherent whole.

The case is so interesting that the Copyright Office (USCO) has recognized work created by a human using AI as the property of the creator.

The author's goal, as he mentions, "was to reaffirm the fact that it is the artist who owns the copyright to his work, even if he creates something using AI." He was keen to set a precedent in law.

Certainly Zarya of the Dawn can set new standards in the industry. Firstly, the illustrator has become a machine, and secondly, copyright has been granted to such work. For the moment, the question of whether AI can itself be the creator of a work still remains without a definitive answer.

  • And what is it like in Poland?

    Under the Polish Law of 4 February 1994 on Copyright and Related Rights, protection is granted to works created solely by man. Artificial intelligence has only been programmed by man.

    Copyright law therefore does not protect the creation of programs or robots. At the same time, it must be emphasized that this only applies to a computer-created work that is generated by software in circumstances where there is no human author of the work.

  • How can such a situation be regulated?

    There are several possible directions such as:

    • creating a new law for AI-created works, which would be separate from copyright law;
    • Introducing a compensation obligation for authors of inspired works;
    • adopting regulation as in the UK - defining a machine-created work;
    • making the creation of copyright conditional on the level of human participation. However, this is a challenge to intellectual property law that may change the basis of the law's assumptions.
Digital Services Act
(Chapter breaker)
2

Chapter

IT

Digital Services Act

Overview

Entry into force: the DSA will formally enter into force on the twentieth day following its publication in the Official Journal of the European Union, but the main part of it will not become effective until 1 January 2024 at the earliest.

Territorial scope: European Union

Applicability in Poland: The DSA has been adopted in the form of a regulation and is therefore directly applicable in all Member States.

Relationship of the DSA to other sectoral regulations: As the DSA is a horizontal act - it does not replace or amend sectoral regulations, but complements them. For example, the DSA will complement the GDPR.

Relationship of the DSA to the E-Commerce Directive: The DSA will not significantly affect the E-Commerce Directive. It will repeal and regulate the Directive's provisions on mere conduit, hosting and caching services.

Relationship of the DSA to the Act on the provision of electronic services: The DSA will not repeal the entire Act, but only a few of its provisions.

Personal scope of the DSA: The DSA applies to providers of intermediary services offering network infrastructure, i.e:

  • hosting services;
  • online platforms bringing together sellers and consumers, e.g. app shops, online shopping platforms, social media platforms;
  • very large online platforms posing a particular risk of spreading illegal content and risk of social harm.

DSA vs. cloud: as part of recent work on the law, cloud services are not considered an internet platform: "For the purposes of this Regulation, cloud computing services should not be considered an internet platform in cases where enabling the dissemination of specific content is a secondary or ancillary feature."

  • Challenges

    Many obligations will be imposed on regulated entities, which will require new mechanisms, solutions and functionalities. 

  • Why is this important?

    The DSA aims to ensure a fair and competitive digital economy, one of the three main pillars of the policy orientations and objectives announced in the Communication 'Shaping Europe's Digital Future'. It also complements current EU and national competition rules..

  • How can we help you?

    The EY Law Digital team can help you: identify whether the new obligations apply to you and to what extent. During our deep dive sessions with clients, we identify key issues that need to be addressed and determine what steps are necessary to achieve compliance.

    Our team can also help you make the necessary changes to your T&Cs, internal procedures and help you design and implement the processes needed to achieve DSA compliance.

Cyber Resilience Act - Another EU response to cyber threats
(Chapter breaker)
3

Chapter

Cybersecurity

Cyber Resilience Act - Another EU response to cyber threats

Overview

Effective date: It is not known when the Cyber Resilience Act will come into force, as work on it is ongoing. A public consultation was held from 6 to 17 October 2022. Once the regulation is adopted, Member State manufacturers will have two years to comply with the new requirements. The obligation to report vulnerabilities and incidents will already apply 12 months after entry into force.

Territorial scope: European Union

Applicability in Poland: The Cyber Resilience Act is to be adopted in the form of a regulation and is therefore directly applicable in all Member States.

Personal scope:

  • manufacturer - any person who develops or manufactures goods with digital elements or has products with digital elements designed;
  • importer - any person established in the Union who places on the market a product with digital elements that bears the name or trademark of a natural or legal person established outside the Union;
  • distributor - any person in the supply chain, other than the manufacturer or the importer, who makes a product with digital elements available on the Union market.

Scope: The Cyber Resilience Act has a broad scope of application. It applies to all products with digital elements whose use involves direct or indirect logical or physical data connection. A product with digital elements in this context means any software or hardware product with remote data processing solutions.

  • How is it now?

    While existing internal market rules apply to some products with digital elements, the majority of hardware and software is currently not covered by any EU cybersecurity legislation. In particular, the current EU legal framework does not cover the cybersecurity of non-embedded software, despite the fact that cybersecurity attacks increasingly target vulnerabilities in such software.

  • Examples of responsibilities

    • Ensure the security of products with digital elements from the design and development phase and throughout the lifecycle;
    • Provide a consistent cybersecurity framework to facilitate compliance for hardware and software manufacturers;
    • Increase transparency of the security attributes of products with digital elements;
    • Enable businesses and consumers to use products with digital elements safely.
  • Why is this important?

    The Cyber Resilience Act introduces cyber security requirements for a wide range of products with digital elements, including software.

    It has strong links to other cyber security legislation including the NIS-2 Directive and GDPR.

Lessons from another breach at tech giant
(Chapter breaker)
4

Chapter

Data protection

Lessons from another breach at tech giant

Case study from the USA

Instagram owner Meta has been fined €405 million by the Irish Data Protection Commissioner, Irish Data Protection Commissioner for allowing teenagers to create accounts that publicly displayed their phone numbers and email addresses.

The investigation began after a data scientist discovered that users, including under-18s, were switching to business accounts and having contact information displayed on their profiles.

Instagram allowed users aged between 13 and 17 to have business accounts on the platform, which showed users' phone numbers and email addresses.

The Irish Data Protection Commissioner also found that the platform operated a user registration system in which the accounts of users aged 13 to 17 were set to 'public' by default.

The fine is the second largest under data protection law. First place is still held by Amazon with a €746 million fine imposed in July 2021.

In a statement issued, Meta said it will appeal the penalty. A Meta spokesperson stated, among other things, that "this investigation focused on old settings that we updated over a year ago, and since then we have released many new features to help keep teens and their private information safe."

This is yet another fine imposed on one of Mark Zuckerberg's companies. Previously, the tech giant was fined €17 million in 2022 for failing to protect user data from breaches. Then, in September 2021, WhatsApp was fined $266 million for not being transparent enough with users about sharing their data with its parent company.

  • Conclusions

    • GDPR has changed the rules of the game worldwide. No organisation storing or processing the personal data of EU residents can afford to overlook the provisions of GDPR in the scope of its operations. Whether it is a tech giant or a smaller organisation.
    • Although the GDPR has been in force for several years now, it is still not a simple task to collect, process and store personal data in compliance with these regulations.
    • Compliance with the GDPR is an ongoing process and any failure to comply will result in hefty financial penalties. 
  • How can we help you?

    The EY Law Digital team helps clients navigate the complex environment of data protection. We don't stop at the statement that 'measures must be adequate' in our advice - we tell you exactly what that means.

The Omnibus Directive - a revolution in e-commerce
(Chapter breaker)
5

Chapter

E-commerce

The Omnibus Directive - a revolution in e-commerce

Overview

Deadline for entry into force: The implementation of the Directive should be adopted by EU Member States by 28 November 2021 and the new legislation should apply in individual Member States from 28 May 2022. To date, only 14 EU countries have complied with this obligation. In Poland, the legislation is still being revised.

How it will be applied in Poland: As the Omnibus is a directive, it must be implemented into the national legal order. To date, the directive has not been implemented.

Personal scope: The circle of addressees of the Omnibus Directive is very broad. For example, it includes:

  • stationary shops;
  • own online shop;
  • Internet trading platforms (the Directive provides a definition of this);
  • product search engines and price comparison websites;
  • marketing service providers;
  • promotional information intermediaries;
  • providers of ratings and other opinion-checking tools.

The most significant obligations are:

  • informing about the earlier price in case of a price reduction;
  • checking that reviews actually come from consumers who have actually purchased/used the reviewed products/services;
  • applying the GDPR and consumer protection law to contracts for the provision of digital content or digital services without the consumer paying a certain amount of money, but in exchange for their personal data;
  • informing whether or not the price presented is personalized on the basis of automated decision-making and profiling.
  • Conclusions

    The Omnibus Directive introduces a number of new requirements for online operators. In the first months of application of the act, its provisions may be perceived as unclear for the (online) market as a whole, so we recommend that you carefully consider and identify your obligations and then adapt your business to the new requirements.

  • Why is this important?

    The Omnibus Directive aims to better enforce and modernize EU consumer protection rules. Entities covered by the directive will have to adapt their regulations, offers and information available in online shops to the new guidelines also contained in the implementing legislation.

  • How can we help you?

    The EY Law Digital team can help you: identify whether the new obligations apply to you and to what extent. During our deep dive sessions with clients, we identify key issues that need to be addressed and determine what steps are necessary to achieve compliance.

    Our team can also help you make the necessary changes to your bylaws, privacy policies and other clauses.

Regulatory tsunami? No worries! 

Take a look at our regulatory map and click on the link for more information:

European Digital Map

Summary

Here is the first study prepared as part of the Make IT clear program.

Every month we will show you the trends that entrepreneurs should follow and the solutions that should be implemented in order to be up to date with the law of technology, intellectual property and data protection. We will also indicate the risks and challenges associated with your business.

Do not hesitate to contact us!

Contact us

Interested in the changes we have made here,

contact us to find out more.