Welcome to the January edition of Schoenherr's to the point: technology & digitalisation newsletter!
We are excited to present a selection of legal developments in the area of technology & digitalisation in the wider CEE region.
Insights waiting for you in this edition:
Editorial | Thomas Kulnigg & Maximilian Czernin
Another eventful year has recently come to an end, and we would like to thank our readers for enjoying our #TTPtech newsletter more than 10,000 times last year. We can't wait to see what's in store for the world of technology and digitalisation in 2023! Here's a little preview while we wait to see if cryptocurrency prices will recover from the bear market: Proposals for the European Single Access Point (ESAP), part of the Capital Markets Union (CMU) initiative, are expected to be finalised this year. This platform, similar to the EDGAR system in the US, will provide EU-wide access to public company information. EU policymakers are working to create a comprehensive framework for artificial intelligence to provide legal certainty and foster innovation, to be completed by mid-2023. The EU also aims to establish itself as a leader in cybersecurity through the Cyber Resilience Act, which will also be debated in 2023. In addition, we expect other interesting initiatives and decisions, which we will of course present in our always up-to-date, structured #TTPtech newsletter. Last but not least, the Schoenherr #TechNight will be back. More to follow soon!
Key legal topics in data centre development and investments | Mădălina Neagu
The recent years' sprint towards digitalisation was one of the decisive factors in accelerating the transformation of telecommunications infrastructure. The global markets expect an increase in investments in telecom infrastructure and Romania is no exception. Two large data centre investments have been announced in the last two years, one a 200 MW, 25,000 m2 technology campus outside Bucharest (completed) and the second to be developed by Microsoft. These add to the existing 19 operating data centres in Bucharest, which aggregate 65,883 m2 of data storage infrastructure. A number of key drivers support the increased demand for local infrastructure in the coming years, one of the most relevant being the digitalisation of the public administration. The Recovery and Resilience Plan for Romania implemented as part of the EU's plans to mitigate the economic and social impact of the coronavirus pandemic and make European economies and societies more sustainable and resilient has allocated close to EUR 2bln to the "Digital Transformation" pillar, funds available to the local administration for their digital transition. Read more
Robot lawyer takes its first case to court | Sara Khalil
A robot lawyer by DoNotPay will attend its very first court hearing on 22 February 2023 in the US according to a tweet by the company's CEO. The smartphone-based AI will not be physically present in court, but the defendant will be assisted by DoNotPay via smartphone and headphones to argue a speeding ticket case. DoNotPay will "listen" to the arguments brought in court and advise how to best argue the case accordingly. If the defendant loses, DoNotPay will cover the fine. The judge allegedly knows nothing about the robot lawyer advising the defendant. Only 2 out of 300 cases were feasible use cases, presumably because the kind of technology involved would be otherwise prohibited. In the February court case, the defendant is allowed to wear a Bluetooth enabled hearing aid. The CEO also tweeted that DoNotPay will pay any lawyer or person a million dollars if they argue a case in front of the US Supreme Court wearing AirPods and repeating exactly what the robot lawyer says – contingent on DoNotPay's agreement and rules being followed.
In Austria, the Code of Civil Procedure dating back to 1895 unsurprisingly does not provide for AI. But this does not mean that AI could not have limited use cases in courts, such as speech recognition to create minutes. For more on online courts, see also last year's Roadmap article on Judgments issued ex machina? Are AI-made judicial decisions the future? and blog post Court hearing via social network – has Europe missed its chance?.
DLT Pilot Regime – blockchain trading of securitised crypto assets | Matthias Pressler
Last year the EU finalised its pilot regime for market infrastructures based on distributed ledger technology (DLT). The DLT Pilot Regime introduces an EU regulatory sandbox and harmonised requirements for market participants, such as central securities depositories or market operators, that wish to establish a DLT market infrastructure. The DLT Pilot Regime will be applicable from 23 March 2023 for a maximum of six years. The overall aim of the new framework is to help establish market/trading systems based on the distributed ledger technology (and without centralised intermediaries) for crypto assets that qualify as financial instruments (other crypto assets will be subject to the MiCA Regulation). Through the DLT Pilot Regime the legislator, regulators and market participants should be able to build the necessary experience and evidence upon which a permanent EU regulatory regime could be based. The regime introduces three types of systems: (i) DLT multilateral trading facilities (DLT MTF); (ii) DLT settlement systems (DLT SS); and (iii) DLT trading and settlement systems (DLT TSS). By way of introducing the regulatory sandbox with defined temporary exemptions from certain otherwise restrictive requirements of the Markets in Financial Instruments 2 Directive (MiFID2) and the Regulation on Central Securities Depositories (CSDR), market participants can now more easily set up DLT-based trading/settlement systems that would otherwise be prevented by the strict regulatory requirements. During the application period (six years) the EU Commission would like market participants to explore the full potential of the DLT pilot regime and regulators to identify any necessary changes and improvements to the framework. In 2026, the ESMA will prepare and publish a comprehensive report on the functioning of the DLT Pilot Regime, based upon which a decision on a potential full and permanent implementation of the framework will be taken.
DORA: time to start preparing! | Matthias Pressler & Maximilian Nusser
Regulation (EU) 2022/2554 (Digital Operational Resilience Act – "DORA") entered into law on 17 January 2023. DORA will not only apply to most regulated financial institutions, including crypto asset service providers, but also to critical third-party information and communications technology ("ICT") providers, like cloud computing providers. DORA's primary objective is to ensure a high level of digital operational resilience against cyber risks. As such, DORA introduces new governance structures as well as internal systems and control requirements for financial entities. The regulation stipulates the management body's responsibility for a governance and control framework and ultimate accountability for the entity's ICT risk. Financial sector entities are required to establish policies, procedures and protocols to ensure the security, resilience and continuity of their IT systems. This includes incident management to ensure the monitoring of ICT-related incidents and the reporting of major incidents to the relevant authorities. Furthermore, to prepare for incidents and to identify weaknesses, this involves periodic testing of the resilience of IT systems and processes and the implementation of corrective measures. A major challenge towards DORA compliance will be managing third-party risk, which covers not only the ICT risk management framework, but also requires outsourcing agreements to comply with DORA and its contracting requirements. Even though DORA enters into force only two years from now (on 17 January 2025), the schedule is tight given the time necessary for financial entities to adapt their processes, procedures and systems and remediate any contracts with ICT service providers. To nudge regulated institutions towards compliance and in preparation for DORA, the FMA has announced in their annually published supervisory priorities that it will focus on ICT risks, their risk management and governance in 2023 (see our summary of the FMA supervisory priorities for 2023 here).
The Polish Patent Office and e-signatures | Daria Rutecka
On 28 December 2022, the Polish Patent Office announced in line with the case law of the Polish Administrative Supreme Court that the following rules must be applied to all letters sent to the Patent Office starting 1 January 2023: (i) if the content of a pleading, statement or specific request is the content of a general letter (cover letter), then this letter should bear a qualified electronic signature, trusted signature or personal signature; and (ii) if the general pleading (cover letter) or a form dedicated to dealing with a specific type of case (e.g. forms intended for filing an application, opposition to an application for a trademark, application for an entry in the register) is accompanied by attachments (e.g. description of the invention, patent claims), they should be signed with a qualified electronic signature, trusted signature or personal signature.
Digital Decade Policy Programme 2030 | Daria Rutecka
The first cooperation and monitoring cycle to reach EU 2030 Digital Decade targets has started in January 2023. EU Member States, in collaboration with the European Parliament, the Council of the EU and the Commission, will shape their digital policies to achieve the above-mentioned targets in four main areas:
- improving citizens' basic and advanced digital skills;
- ameliorating the use of new technologies (like AI or cloud) in EU businesses;
- further advancing the EU's connectivity, computing and data infrastructure;
- and making public services and administration available online.
In June 2023 the Commission plans to publish the first State of the Digital Decade report, including updates, assessments and recommendations on progress towards the targets and objectives.
Poland: data processing inspection plan for 2023 | Daria Rutecka
The Polish DPO has adopted a sectoral inspection plan for 2023 according to which inspections in 2023 will focus on the following:
- entities processing personal data in the Schengen Information System and Visa Information System;
- entities processing personal data using mobile applications;
- entities processing personal data using online (web) applications.
In case of the last two the DPO will verify how data processed in connection with the use of applications is secured and shared.
Lawsuits against providers of AI art generators: will they shed light on pressing IP issues? | Dominik Hofmarcher & Anna Katharina Tipotsch
The media has been full of stories lately about AI-generated art and texts. These reports raise interesting questions related to IP law. When news about the first lawsuits came in, we took the opportunity to share our thoughts on them in some academic work that will be published in the weeks ahead. The cases brought before courts in the UK and the US concern claims by artists as well as rightsholders against providers of AI art generators. These generators, accessible online, create unique pieces of art in a matter of seconds. But in order to enable them to do so, they have to be "trained", typically by feeding them huge amount of data. Such training data comprises pictures, drawings and photographs that are protected by copyright. While the current debates focus primarily on whether AI-generated works qualify as intellectual property and, if so, who is to be considered the legal owner of these rights, the pending cases step in earlier. The courts will have to clarify whether the training of the art generator may legally involve works protected by IP laws without the rightsholders' consent. In essence, the discussions will revolve around whether AI training is "neutral" from a copyright perspective or whether it includes the use of works that fall within authors' exclusive rights. Since AI training does include acts of reproduction (which is an exclusive right), the discussions may shift to exceptions and limitations provided by copyright law. On the one hand, AI training could be compared to a person surfing the web and reviewing the available material in order to learn from it (which is neutral from a copyright perspective or just includes transient or incidental reproduction, which is allowed). On the other hand, the reproductions for AI-training purposes have an economic relevance and are normally not merely transient or incidental. The outcome under different national or regional laws (e.g. US and EU copyright law) may vary, also depending on the available exceptions and limitations and their interpretation. These are only a few of the burning copyright issues in relation to AI tools. Stay tuned for future Schoenherr Legal Insights where we will highlight some legal challenges (and their prospect for alterations) of AI art generators.
New rules for cloud services – at least in the public sector | Veronika Wolfbauer
The European Data Protection Board (EDPB) has published a report on its coordinated enforcement activities in relation to the use of cloud-based services by public sector bodies. The report provides public authorities using cloud services with a set of recommendations ("Points of Attention"). Some background: in 2022, 22 data protection authorities across the European Economic Area (including the European Data Protection Supervisor) conducted coordinated investigations to examine how public bodies use cloud-based services. In total, around 100 public sector bodies were involved in the inquiries. They spanned the European institutions and different sectors, such as healthcare, finance, taxation, education, and providers and purchasers of IT services. The joint report is a summary of the findings of all enforcement authorities in the Coordinated Enforcement Framework. Although the specific investigations are still ongoing, the report provides guidance on how to check GDPR compliance when using cloud-based services – and not just for public authorities. Eight challenges identified by regulators during the Coordinated Enforcement Framework are given particular attention. These include pre-contractual issues related to conducting a data protection impact assessment (and/or risk assessment), as well as the role of parties and audit rights. Click here for more information.
EU proposes European tax on crypto assets Clemens Grassinger
On 16 January 2023, the European Parliament's Committee on Budgets published a draft report recommending, among other things, the introduction of a European tax on crypto assets, whose revenues would flow into the European budget as a new own resource. The Committee acknowledges the rapidly growing global market of crypto assets and that they are increasingly regarded as an investment option and payment method. Moreover, it argues that due to the high mobility and cross-border dimension of crypto assets, taxation at the EU level (rather than the national level) would be more efficient. Options for the proposed taxation include a tax on crypto-asset transactions, on capital gains from crypto-asset activities (based on a uniform tax rate for all EU Member States) and on the trading/mining of crypto assets, which could be determined based on environmental impact and electricity consumption. The draft report will now be discussed in more detail and could ultimately result in a regulation, directive or non-binding recommendation (with the latter two options being much more likely). In Austria, cryptocurrencies were included in the investment income tax regime in March 2022 and since then are essentially taxed in the same way as stocks.