10 minute read 20 Dec 2022

Make IT clear - 12/2022

Authors
Justyna Wilczynska-Baraniak

EY Polska, EY Law, Intellectual Property, Technologies and Personal Data, Partner, Attorney-at-law

Intellectual Property, Technology and Personal Data Team Leader. Experienced in legal advisory for multi-jurisdictional clients.

Maciej Bisch

EY Poland, EY Law, Manager, Attorney-at-law

Lawyer with years of experience in intellectual property law, data protection, commercial company law and dispute resolution.

Here are the Make IT clear special materials for 12/2022.

Topics discussed:

  • Intellectual property - NFT and intellectual property law 
  • IT - The Cyber Security Certification Scheme for Cloud Services
  • Cybersecurity - Statement of the Polish Financial Supervision Authority (PFSA) on the cyber security activities of insurance and reinsurance undertakings 
  • Data protection - 27 December 2022 is the deadline for SCC exchange for data transfers
  • E-commerce - Digital Markets Act
  • Legal alert on Cloud and Cyber - The regulatory tsunami is unleashed
Chapter 1 - Intellectual property

NFT and intellectual property law

What is NFT?

NFT stands for 'non-fungible token'. In this case, we should understand the word 'non-fungible' as 'having no equivalent in other objects/currencies'. Generally speaking, NFT is a type of cryptographic token based on blockchain technology. 

Popularity of the NFT

NFT gained huge popularity during the global lockdown in 2020. Initially, the technology was associated exclusively with art, particularly images and visuals. Nowadays, NFT is gaining popularity and is used in areas such as entertainment, gaming, fashion and even retail and real estate.

In 2021, the valuation of the NFT market was estimated at $40 billion.

Copyright of a work and NFT

The trading of NFT tokens has not yet been regulated in any specific way. For the time being, therefore, the existing legal regulations have to be applied to the specifics of NFTs.

An NFT may constitute a work within the meaning of Article 1(1) of the Act of 4 February 1994 on Copyright and Related Rights if it fulfils the statutory prerequisites for recognition as a work within the meaning of copyright law.

First of all, it is necessary to distinguish between the situation in which an existing real-world work (e.g. a work of art) has a counterpart in the form of an NFT, and the creation of a graphic or other work directly in the form of an NFT. In the first case, the sale of the NFT would not normally lead to a transfer of copyright in the associated existing artwork. In the second case, two further situations should be distinguished: ownership of the NFT itself, and ownership of the intellectual property rights to the NFT token.

It is important to note that the owner of an NFT may own, for example, a particular copy of a 'digital' photograph or music file, and not own the intellectual property rights to that photograph or music file.

Whether the purchaser of an NFT token also acquires the intellectual property rights to that token is of great importance in the context of its further dissemination.

In order for the intellectual property rights to pass to the purchaser of the NFT, that purchaser must enter into an agreement for the transfer of copyright, as it is not sufficient to simply buy the NFT token in question. The consequence of the failure to effectively transfer copyright to the purchaser of the NFT token is that it is still the original creator who holds those rights. And as a consequence, the owner of the NFT may not be entitled, for example, to reproduce, distribute or publicly perform the NFT object.

Does the acquisition of an NFT result in a licence?

The acquisition of an NFT will most often not involve a transfer of copyright, but at most a licence.

On the legal side, the sale of an NFT is closest to a non-exclusive licence, which does not give the purchaser exclusive rights to the work. 

A licence agreement may be a more practical solution than an author's rights (copyright) transfer agreement, among other reasons because a non-exclusive licence does not have to be in writing. Depending on the platform on which NFT tokens are sold, the scope of the licence may vary. Typically, a narrow-scope licence is granted, which does not include the right to commercially exploit the works acquired under the NFT.

Want to know more about blockchain technology and NFT?

We invite you to read our article: Blockchain, metaverse and NFT - are society, businesses and regulators ready for the challenges ahead? | EY Poland

Chapter 2 - IT

The Cyber Security Certification Scheme for Cloud Services

ENISA (the European Union Agency for Cybersecurity) is currently drafting the European cybersecurity certification scheme for cloud services (EUCS).

What is the purpose of the proposed EUCS?

The Cyber Security Certification Scheme for Cloud Services (the "Programme") aims to further improve the conditions for the Union's internal market in cloud services by strengthening and streamlining the cybersecurity assurance of those services. The EUCS project is a comprehensive set of rules, technical requirements, standards and procedures agreed at European level to ensure adequate cyber security of a specific product, service or process.

The draft legislation aims to harmonise the security requirements of cloud services with the provisions of other European acts, international standards, industry best practices, as well as with existing certifications in EU Member States.

Current stage of work

The public consultation has now closed. The project is currently in the dialogue phase. It is difficult to assess how quickly the work will progress. 

Highlights of the certification

  • At the moment, certification is voluntary, i.e. cloud providers can decide for themselves whether they want their products to be certified;
  • Certification will apply to all types of cloud services - from infrastructure to applications;
  • Certification will increase confidence in cloud services by setting reference security requirements;
  • Certification includes three levels of assurance: "basic", "substantial" and "high";
  • The certification scheme proposes a new approach inspired by existing national systems and international standards;
  • Certification can be issued for a maximum period of three years;
  • The certification scheme includes transparency requirements, such as the location of data processing and storage.

Lack of agreement on the "sovereignty requirement"

The European Commission has asked ENISA to add sovereignty requirements to the Programme to ensure resilience against foreign jurisdictions. Concerns about adding a "sovereignty requirement" to the draft Programme were raised by Denmark, Estonia and Greece, among others. Sovereignty requirements were supported by France and Italy, for example.

Accordingly, on 19 September 2022 Germany called on the European Commission for a political discussion on the sovereignty requirements that the European Commission wants to include in the Programme.

Why is this important?

In addition to the advantage of obtaining a certain level of safety, certification will certainly make it easier for non-EU operators to operate in the European market and help build confidence in the European market for such suppliers.

Chapter 3 - Cybersecurity

Statement of the Polish Financial Supervision Authority (PFSA) on the cyber security activities of insurance and reinsurance undertakings

The Office of the PFSA pointed out the following incorrect practices:

  • Overly simple and obvious encryption of documents containing insurance secrets, using the customer's PESEL number or date of birth as the password;
  • Excessive use of active links in SMS and e-mail messages.
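The first of the two practices above is easy to catch before a document ever leaves the company: a customer's PESEL or date of birth is an identifier printed on the policy and known to many parties, so a password built from it protects nothing. The following is an added example, written for this article and not code from EY or the PFSA, of a policy check that a document-generation pipeline could run before encrypting a customer document. It assumes hypothetical function names of its own, uses a constructed sample customer (the PESEL is a made-up value with a correct check digit), and encodes the PESEL check-digit rule (weights 1,3,7,9,1,3,7,9,1,3 over the first ten digits) so that any syntactically valid PESEL is rejected as a password, not only the customer's own.

```python
import re
from datetime import date

# Weights used for the PESEL check digit (applied to digits 1-10).
PESEL_WEIGHTS = (1, 3, 7, 9, 1, 3, 7, 9, 1, 3)

# Constructed sample customer for the demonstration (not a real person).
SAMPLE_PESEL = "90010112349"
SAMPLE_DOB = date(1990, 1, 1)


def is_valid_pesel(candidate: str) -> bool:
    """True if candidate is an 11-digit string whose PESEL check digit is correct.

    Check digit = (10 - weighted_sum mod 10) mod 10 over the first ten digits.
    """
    if not re.fullmatch(r"\d{11}", candidate):
        return False
    weighted_sum = sum(int(d) * w for d, w in zip(candidate[:10], PESEL_WEIGHTS))
    return (10 - weighted_sum % 10) % 10 == int(candidate[10])


def dob_spellings(dob: date) -> set:
    """Common ways a date of birth ends up typed as a password."""
    patterns = ("%d%m%Y", "%Y%m%d", "%d%m%y", "%d.%m.%Y",
                "%d-%m-%Y", "%Y-%m-%d", "%d/%m/%Y")
    return {dob.strftime(p) for p in patterns}


def check_document_password(password: str, customer_pesel: str, customer_dob: date) -> list:
    """Return the reasons a document password must not be used; an empty list means acceptable."""
    reasons = []
    digits_only = re.sub(r"\D", "", password)

    # Identifiers the customer (and anyone holding the policy) already knows.
    if customer_pesel and (customer_pesel in password or digits_only == customer_pesel):
        reasons.append("equals the customer's PESEL")
    elif is_valid_pesel(digits_only):
        # Someone else's PESEL is still an identifier, not a secret.
        reasons.append("is a syntactically valid PESEL")

    if customer_dob and any(s in password for s in dob_spellings(customer_dob)):
        reasons.append("contains the customer's date of birth")

    # Generic strength floor (assumed policy values, not from the PFSA Statement).
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        reasons.append("uses fewer than 3 character classes")

    return reasons


if __name__ == "__main__":
    for pw in (SAMPLE_PESEL, "01.01.1990", "Polisa-2022", "Tr0ub4dor&3xyzQ"):
        verdict = check_document_password(pw, SAMPLE_PESEL, SAMPLE_DOB) or "acceptable"
        print(f"{pw!r}: {verdict}")
```

A check like this belongs in the document-generation service, before the PDF or archive is encrypted, and a failed check should be logged as a control event rather than silently replaced; that gives the IT-supervision function the evidence it needs to show the practice flagged by the PFSA no longer occurs.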

In the Authority's Statement, attention was drawn to:

  • The need to use more secure customer interaction channels, such as the insurance company's mobile app;
  • The need to ensure the use of multi-factor authentication when accessing documents containing insurance secrets - indirectly, its absence could jeopardise the security of customer funds through unauthorised access to account number information;
  • The need to monitor third-party IT providers based on the IT guidelines for the insurance sector (equivalent to Recommendation D in the banking sector);
  • Expanding customer education campaigns to include channels other than the internet or the app, as otherwise a gap is left among those who do not use these forms of communication.

Why is the Statement of the PFSA important?

The Statement is part of a European trend of insisting that financial entities attach particular importance to cyber security - in this case, in the relationship with the insurance company's customer. In the insurance company-customer relationship, it is incumbent on the company to look at that relationship from different perspectives:

  • Proper data inventory - what data is processed, in which services and in which systems;
  • Proper control over the development of IT systems, both within the insurance company and by external companies;
  • Proper control and guidance of IT implementations, especially of the insurance company's applications;
  • Continuous monitoring of applications for cyber security risks.

The PFSA's Statement also addresses the threat of penalties for data leakage under the GDPR, as well as reputational risks for the insurance company.

Given that the Statement was prepared by, among others, the cyber-security department of the PFSA Office, special attention should be paid to the proper conduct of IT projects in an insurance company. In this regard, in the Statement, the Office of the PFSA referred to the 2014 Guidelines for IT in Insurance and Reinsurance Undertakings, which detail the key areas of IT in insurance companies.

It should be borne in mind that the Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014 (DORA) will, in certain areas such as the requirement for penetration testing or contractual requirements, strongly affect the practice of conducting IT projects in insurance companies.

Chapter 4 - Data protection

27 December 2022 is the deadline for SCC exchange for data transfers

Pursuant to the European Commission's Implementing Decision 2021/914 of 4 June 2021, the deadline for the implementation of the new standard contractual clauses (SCCs) for the transfer of personal data to third countries adopted under the aforementioned Decision expires on 27 December 2022.

Reasons for creating new standard contractual clauses

  • The clauses adopted in 2001 and 2010 were drafted at a time when the applicable EU data protection legislation was still Directive 95/46/EC, whereas since 2018 the GDPR has been in force, which introduces new obligations;
  • The old clauses were drafted more than a decade ago, in a different reality from the one we currently face. It was necessary to ensure that the sets of clauses correctly reflect factual situations, e.g. long chains of processing and onward entrustment of data, and allow for clauses between more than two entities and the dynamic accession of further entities to the contracts.

Which contracts are subject to amendment?

The obligation to update already extends to all transfer agreements, including those concluded by 27 September 2021.

Any new contract entered into after 27 September 2021 will require the application of the new SCCs if, in the course of its execution, there is a sharing, or other form of transfer, of personal data outside the EEA. After 27 December 2022, the application of the "old SCCs", i.e. those issued by the Commission before the GDPR, will constitute a breach of data protection rules.

What is the change?

The new standard contractual clauses are based on a modular approach, which allows the selection of the elements of the contract that are most appropriate for the real relationship between the parties. This is intended to provide more practical data protection in transfers outside the EEA.

What should I do before 27 December 2022?

Entities using legacy standard contractual clauses to process data outside the EEA should:

  • Review their personal data entrustment agreements and their use of the legacy SCCs;
  • Renegotiate their data processing agreements involving transfers outside the EEA;
  • Conduct a transfer impact analysis (TIA) on data protection.

Want to know more about the new standard contractual clauses?

How can we help you?

The EY Law Digital team will support you with any data transfer activities outside the EEA, including the introduction of the new SCCs. In addition, we can assist with TIAs and other data protection activities.

Chapter 5 - E-commerce

Digital Markets Act

Overview

Regulation of the European Parliament and of the Council on contestable and fair markets in the digital sector (Digital Markets Act) was published in the Official Journal of the European Union on 12 October 2022 and came into force on 1 November 2022.

The aim of the new regulation is to put an end to unfair practices by companies that act as "Gatekeepers" in the online platform economy.

When will a company be considered a "Gatekeeper"?

  • When it has a significant impact on the internal market. This requirement is presumed to be met where the undertaking to which it belongs achieves an annual EEA turnover equal to or above EUR 6.5 billion in the last three financial years, or where the average market capitalisation or the equivalent fair market value of the undertaking to which it belongs amounted to at least EUR 65 billion in the last financial year, and it provides a core platform service in at least three Member States;
  • This requirement is presumed to be met where the company provides a core platform service that has more than 45 million monthly active end users established or located in the Union and more than 10 000 yearly active business users established in the Union in the last financial year;
  • When it enjoys an entrenched and durable position in its operations, or it is foreseeable that it will enjoy such a position in the near future. A company is presumed to meet this requirement when the thresholds indicated above have been reached in each of the last three financial years.
Responsibilities of the "Gatekeepers"

"Gatekeepers" must comply with their obligations under Articles 5, 6 and 7 of the Digital Markets Act. For example, "Gatekeepers" have an obligation to refrain from combining personal data obtained through core platform services with personal data obtained through any other services they offer. In addition, they have an obligation to refrain from preventing or hindering business users from raising practices committed by the "Gatekeepers" with the relevant public authority, and they have an obligation to provide advertisers with information on advertising prices.

Examples of sanctions

In the event that a "Gatekeeper" fails to comply with the above obligations, the EC may impose penalties of 10% of its total worldwide turnover achieved in the previous financial year or, in the event of repeated infringement of at least the same type, a further penalty of up to 20% of worldwide turnover in addition to the penalty already imposed. In addition, the EC may impose periodic penalty payments of up to 5% of the average daily worldwide turnover achieved in the preceding financial year.

What next?

The Digital Markets Act will apply from 2 May 2023. Potential "Gatekeepers" will have to notify the European Commission of their core platform services if they meet the thresholds established by the Digital Markets Act. Upon receipt of a complete notification, the Commission will have 45 working days to assess whether the company meets the thresholds and, if so, designate it as a "Gatekeeper". Once designated, "Gatekeepers" will have six months to comply with the requirements of the Digital Markets Act.

Legal alert on Cloud and Cyber

The regulatory tsunami is unleashed

On 28 November 2022, the Council of the European Union announced the adoption of the Directive on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148 (NIS 2), following its approval by the European Parliament on 10 November 2022.

  • The NIS 2 Directive introduces new provisions to support a high, common level of cyber security across the EU. It strengthens cyber security requirements for medium and large entities that operate and provide services in key sectors. NIS 2 updates the 2016 NIS Directive.
  • The NIS 2 Directive is intended to address the shortcomings of the 2016 NIS Directive. The revised Directive aims to address discrepancies in cybersecurity requirements and the implementation of cybersecurity measures in different Member States.
  • The NIS 2 Directive will be published in the Official Journal of the European Union in the coming days and will enter into force on the 20th day after publication. From its entry into force, Member States will have 21 months to transpose its provisions into national law.

On 28 November 2022, the Council of the European Union announced the adoption of the Regulation on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014 (DORA), following its approval by the European Parliament on 10 November 2022.

  • The DORA regulation establishes uniform requirements for the security of networks and information systems of financial sector companies and key ICT service providers. DORA is addressed to almost all entities in the financial sector.
  • One of the most important changes that DORA will bring is the direct inclusion of ICT providers (designated as key ICT providers) in financial supervision (through the designation of a lead supervisory authority).
  • The DORA Regulation will be published in the Official Journal of the European Union in the coming days and will enter into force on the twentieth day after publication. The regulation will become applicable throughout the European Union 24 months after its entry into force.

On 10 November 2022, the joint EU Communication "EU Policy on Cyber Defence" was published.

  • The European Commission and the High Representative presented a joint communication on the EU's cyber defence policy and the Military Mobility Action Plan 2.0 to address the deteriorating security environment following Russia's aggression against Ukraine and to enhance the EU's ability to protect its citizens and infrastructure.
  • With the new cyber defence policy, the EU will strengthen cooperation and investment in cyber defence to better protect, detect, deter and defend against the growing number of cyber attacks.
  • The EU cyber defence policy aims to enhance the EU's cyber defence capabilities and strengthen coordination and cooperation between the military and civilian cyber communities (civilian, law enforcement, diplomatic and defence). It will increase the effectiveness of cyber crisis management in the EU, while strengthening the European Defence Technology Industrial Base (EDTIB). 

On 3 November 2022, a new draft Regulation of the European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act) was published.

  • The regulation establishes rules governing who can access non-personal data generated within the EU and how. The new regulation is intended to contribute to the wider use of data for common prosperity, boost the market for data-driven products and services, and open up the field for innovation.
  • The Data Act and the Data Governance Act are part of a broader data strategy that aims to put the European Union at the forefront of modern legal solutions in a data-driven society.
  • Work on the Data Act is still going strong. Recently, the Czech Council Presidency submitted another, second compromise draft regulation to the Working Party on Telecommunications and the Information Society.

Summary

Here is the second study prepared as part of the Make IT clear program.

Every month we will show you the trends that entrepreneurs should follow and the solutions that should be implemented in order to be up to date with the law of technology, intellectual property and data protection. We will also indicate the risks and challenges associated with your business.

Do not hesitate to contact us!
