Innovation Law Insights
26 July 2024
Data Protection & Cybersecurity
Large language models (LLMs) Do NOT process personal data according to the Hamburg privacy authority
The Hamburg Data Protection Authority issued an insightful discussion paper addressing privacy risks and AI with a nuanced grasp of the technology.
Here are some groundbreaking insights:
- LLM Processing & Data Storage: Unlike traditional data systems, LLMs process tokens and vector relationships (embeddings), which the Hamburg DPC argues do not constitute "processing" or "storing" personal data under GDPR.
- Tokenization vs. Personal Data: Tokens and embeddings in LLMs do not have the direct, identifiable link to individuals required by CJEU jurisprudence to be considered personal data.
- Memorisation Attacks: While extracting training data from LLMs is possible, these attacks are often impractical and legally questionable, meaning personal data identification isn't always feasible under current legislation.
- Legality of LLM Usage: Even if personal data was mishandled during LLM development, it doesn’t necessarily make using the resulting model illegal, offering reassurance to those deploying third-party models.
This paper reflects a sophisticated, tech-savvy approach to the intersection of AI and privacy.
Will other EU privacy authorities follow the same path? That would indeed be a groundbreaking change for the industry!
Author: Giulio Coraggio
Google's Privacy Practices Face Scrutiny by Consumer Protection Authority in Italy
Google faces a consumer protection probe in Italy over privacy concerns; investigation scrutinizes data practices across its services.
Google Under Scrutiny: Italian Consumer Protection Probe Launched
The Italian Competition Authority (AGCM) has launched an investigation into tech giant Google's alleged unfair commercial practices, marking a significant intersection of consumer protection law and privacy concerns. This probe delves into how Google manages user data across its vast array of services, questioning whether the company's practices comply with both consumer laws and privacy regulations.
At the core of this consumer protection investigation are three key issues:
- Consent Mechanisms: The AGCM is examining whether Google's methods for obtaining user consent for data sharing are transparent and fair. There are concerns that these practices might be misleading or aggressive, potentially infringing on user rights.
- Information Transparency: Investigators are scrutinizing the quality and completeness of information Google provides to users about data usage. The question is whether users are fully informed about how their personal information is utilized across Google's ecosystem.
- Implications of Consent: The probe aims to understand the full extent and consequences of user consent. Are users truly aware of what they're agreeing to when they accept Google's terms?
Consumer Protection Meets Privacy: A New Regulatory Frontier
This investigation represents a new frontier in consumer protection enforcement, where data practices are viewed not just as privacy issues but as potential sources of market power. The AGCM is exploring whether Google's extensive data collection and usage give it an unfair competitive advantage, potentially stifling competition in the digital marketplace.
The probe also raises questions about compliance with GDPR, which sets strict standards for data protection and user consent. By linking consumer protection concerns with privacy regulations, this investigation could set a precedent for how regulators approach the tech industry's data practices in the future.
For Google, this scrutiny presents a significant challenge. The company must defend its data practices while maintaining user trust and complying with increasingly stringent regulations. The outcome of this investigation could have far-reaching implications not just for Google, but for how companies approach data privacy and consent globally.
Companies in all industries are closely watching this case, as it could influence:
- How consumer protection regulators view data as a competitive asset
- The balance between innovation and privacy protection
- Future regulations on data collection and usage in the EU and beyond, not least because regulators are closely watching dark patterns.
Legal Design: A Potential Solution?
In response to these challenges, many companies are increasingly turning to legal design. This innovative approach aims to make legal documents, including privacy policies and consent forms, more user-friendly and comprehensible.
Legal design involves:
- Simplifying complex legal language
- Using visual elements to enhance understanding
- Structuring information in a more intuitive way
The goals of implementing legal design are multifaceted:
- Increase transparency and build trust with users
- Protect companies from privacy law and consumer protection challenges
- Potentially boost user engagement and satisfaction
By investing in legal design, companies hope to address some of the very issues at the heart of this antitrust investigation. Clear, concise, and visually appealing consent mechanisms could potentially mitigate concerns about misleading or aggressive data collection practices.
At DLA Piper, we have created a dedicated legal design offering made of designers with a legal background as well as lawyers. Contact us if you want to know more.
Author: Giulio Coraggio
The GPEN published its 2024 Sweep report focusing on dark patterns
The Global Privacy Enforcement Network (GPEN) published its 2024 Sweep report focusing on "Deceptive Design Patterns" (DDPs), also known as "dark patterns," observed in websites and mobile applications. This initiative aimed to scrutinize how design choices in digital platforms influence, manipulate, or coerce users into making decisions that may not be in their best interests, particularly concerning privacy.
Background
The Sweep took place from January 29 to February 2, 2024, with participation from 26 privacy enforcement authorities (PEAs), including the Italian Data Protection Authority, examining a total of 1,010 websites and apps. This year's Sweep was significant as it was coordinated with the International Consumer Protection and Enforcement Network, marking a robust collaboration between privacy and consumer protection regulators. This collaboration underscored the growing intersection between privacy and consumer protection in the digital economy.
Methodology
The Sweep aimed to replicate the consumer experience, and the participating PEAs had to interact with websites and mobile apps to evaluate how they manage privacy choices, provide privacy information, and handle account logouts and deletions. The Office of the Privacy Commissioner of Canada coordinated the Sweep, providing standardized instructions and a questionnaire to ensure uniformity in evaluation. The questionnaire focused on five key indicators derived from the OECD's taxonomy of dark patterns:
- Complex and confusing language: privacy policies that are excessively technical or long, making them difficult for users to understand.
- Interface interference: design elements that manipulate users' perception and decision-making regarding their privacy options.
- Nagging: repeated prompts that may undermine users' privacy interests.
- Obstruction: additional steps that hinder users from achieving their privacy-related goals.
- Forced Action: coercing users to provide more personal information than necessary.
Key Findings
The Sweep revealed that dark patterns were prevalent in the majority of websites and apps reviewed, with 97% containing at least one deceptive design element. The most common DDP was the use of complex and confusing language in privacy policies, found on average in 89% of the cases. These policies were often overly lengthy (some had more than 3,000 words) and filled with technical language, discouraging users from reading and understanding them.
Interface interference was another frequent dark pattern, observed on average in 43% of interactions. This included tactics such as false hierarchy, where less privacy-protective options were more prominently displayed, and preselections of more privacy-intrusive settings. Confirm-shaming, using emotive language to nudge users towards certain choices, such as confirming the privacy settings of the app, was also identified.
Obstruction was used on average in 39% of interactions, creating barriers for users trying to exercise their privacy rights. For instance, the option to delete accounts was either difficult to find or involved multiple clicks, with 55% of sites not providing a straightforward account deletion option.
Nagging and Forced Action were less common but still notable, appearing in 14% and 21% of interactions, respectively. These patterns included repeated prompts that interrupt the user experience and encourage users to give in to the requests to avoid further nuisance, and mandatory data provision to access services or delete the account, thereby compromising user autonomy.
Recommendations
To mitigate the negative impact of dark patterns, the GPEN recommends that organizations:
- simplify privacy policies to make them accessible and comprehensible;
- design interfaces that respect users' privacy choices without manipulation;
- avoid unnecessary steps and barriers in privacy-related processes; and
- provide clear and easy options for account management, including deletion.
To comply with these recommendations, it is advisable to adopt legal design techniques that help users make more informed decisions and ensure compliance with the principles and obligations of the GDPR.
Author: Roxana Smeria
Intellectual Property
Tetris celebrates its 40th anniversary: a brand triumph in the European Union
Introduction
The iconic game Tetris is celebrating a remarkable milestone: its 40th anniversary. Known for its catchy tune, Tetris has earned a unique place not only in the history of video games, but also in the field of intellectual property. The main melody of Tetris, together with its logo and name, is even recognised as a European Union Trademark (EUTM), marking a significant success for the US-based Tetris Holding Corporation.
Historical background
Tetris, considered to be one of the best video games ever created, originated in the Soviet Union. It was developed by Alexey Pajitnov and first released on 6 June 1984. The game's simple yet addictive design quickly gained popularity, and its subsequent release alongside the Nintendo Game Boy - still considered one of the smartest decisions in gaming history - cemented its status as a cultural phenomenon.
Protecting a sound mark: the legal perspective
The recognition of the Tetris melody as an EUTM highlights the evolving nature of trademark law in the European Union. Traditionally, trademarks have been associated with visual symbols or logos. However, protection has been extended to sound marks, which can include jingles and other sounds that serve as an indicator of commercial origin.
Under EU law, a sound can be registered as a trademark if it is distinctive and capable of being represented graphically. The rules governing the registration of sound marks were updated in 2017 by Regulation (EU) 2017/1001, which abolished the requirement of graphic representation, provided that the mark is represented in a clear, precise, self-contained, easily accessible, intelligible, durable and objective manner.
This amendment extended the scope of protection for sound marks, allowing the registration of sounds that can be described by musical notation or represented in digital audio format.
For a sound mark to be registrable in the European Union, it must meet certain basic criteria:
- Distinctive character: the sound must be capable of distinguishing the goods or services of one undertaking from those of other undertakings. This means that the sound must not be common or generic but must have a unique character that makes it instantly recognisable and associated with a specific commercial origin. In the case of the Tetris melody, its widespread recognition and direct association with the game fulfil these criteria. The ability of the sound to immediately recall the specific product, in this case the video game Tetris, is decisive for its registrability.
- Representation: with the changes introduced by Regulation (EU) 2017/1001, a sound mark no longer has to be represented graphically. However, it must be represented clearly and accurately, which may include musical notation or a digital audio file. This representation must be self-contained, easily accessible and intelligible to anyone consulting the trademark register.
- Durability and objectivity: the representation of the sound mark must be durable, i.e. it must retain its distinctive character over time, and objective, i.e. it must enable anyone to identify the sound registered as a trademark clearly and without ambiguity.
The registration of the Tetris melody as an EUTM is not an isolated case. Other well-known sounds, such as MGM's lion roar or Intel's jingle, have been registered as sound marks. These examples demonstrate how sounds can act as powerful branding tools, capable of instantly evoking a product or company in the minds of consumers.
The successful registration of the Tetris melody as an EUTM by Tetris Holding Corporation highlights the importance of intellectual property rights in the video game industry. It shows how companies can use trademark protection to protect their unique assets and maintain their competitive advantage. This move not only protects the Tetris brand, but also reinforces its heritage and cultural significance.
Conclusion
The recognition of Tetris's main melody, logo and name as a European Union trademark is a testament to the game's enduring legacy and cultural impact. This success not only recognises the rich history of the game, but also illustrates the dynamic nature of trademark law and its ability to adapt to new forms of intellectual property.
Author: Maria Rita Cormaci
UPC: first substantial judgments of the Düsseldorf and Paris local divisions
Just over a year after the UPC became operational, namely on 3 and 4 July, the Düsseldorf Local Division and the Paris Local Division issued their first substantial judgments in two proceedings on the merits.
The first decision was rendered by the Düsseldorf Local Division in a dispute concerning a patent held by a German company relating to a bathtub sanitation device. After declaring the plaintiff's patent invalid in its original version, the Court upheld an auxiliary request as valid. On this basis, granting the plaintiff's claims, the Court issued an injunction against the defendant which is valid in seven UPC Member States: Austria, Belgium, Denmark, France, Italy, Luxembourg and the Netherlands.
The second judgment, rendered by the Paris Local Division on 4 July, was instead the outcome of proceedings concerning a patented technology for the remote monitoring of glucose levels in diabetic patients. The Court upheld the defendant's counterclaim for revocation and declared the plaintiff's patent invalid for lack of inventive step in all 17 Member States which ratified the UPCA. Accordingly, the Court did not rule on the infringement claim.
The judgments, which we will comment on in more detail, were rendered only one year after the UPC system became operational, confirming the efficiency of the system and the UPC's commitment to deliver decisions rapidly, including those on the merits.
Author: Laura Gastaldi
Technology Media and Telecommunication
AGCom initiates public consultation on regulatory measures concerning the assignment of radio frequencies for terrestrial broadband and ultra-broadband wireless electronic communications systems
With Resolution 247/24/CONS dated June 26, 2024, published on July 2, 2024, AGCom has initiated a public consultation on future regulatory measures concerning the assignment of radio frequencies for terrestrial broadband and ultra-broadband wireless electronic communications systems whose rights of use will expire on December 31, 2029.
Specifically, this pertains to the rights of use of radio frequencies assigned in Italy to various operators for the development of high-speed wireless networks and related fixed and mobile services. Exceptions include Wireless Local Loop (WLL) rights of use in the lower part of the 26 GHz band (i.e., the frequency range 24.5 – 26.5 GHz), which will expire in 2026, and those assigned in 2018 for 5G, which will be valid until December 31, 2037.
The text submitted for public consultation (Annex A to Resolution 247/24/CONS) consists first of an introductory section, a second section describing the framework of rights of use expiring on December 31, 2029, and a third section concerning the wireless services market in Italy. Following these initial sections, the first question posed by AGCom asks participants if they have "any additional issues to highlight regarding the context summarized thus far".
A fourth section follows, dedicated to the preliminary assessments of the Authority, in which it emphasizes that the "simultaneous expiration of the rights of use for such a substantial number of spectral resources should not pose an obstacle to the dissemination and development of ultra-high-speed wireless services across the territory". Thus, it is crucial to establish administrative procedures to make the spectral resources available to the market in a timely manner, ensuring their continuous use.
In the fourth section, AGCom recalls the various solutions provided by the Electronic Communications Code (Legislative Decree No. 259/2003, as amended by Legislative Decree No. 207/2021 – ECC) concerning the rights of use of frequencies, namely: (i) their extension; (ii) renewal; and (iii) the adoption of a competitive or comparative assignment procedure for the rights of use of frequencies pursuant to Article 67 ECC.
AGCom highlights that these solutions can be applied, if necessary, in a differentiated manner based on the type of expiring rights of use. The Authority considers that various combinations of extension, renewal, and new assignment of the rights of use of frequencies may be worthy of evaluation.
Finally, the Authority, having expressed additional considerations regarding the potential approaches, asks interested parties participating in the public consultation to:
- present their observations and proposals regarding the Authority's guidelines on future regulatory measures concerning the expiring frequencies;
- provide and justify their position on the most appropriate type of procedure to apply to the frequencies;
- indicate the conditions and obligations they believe should be associated with the expiring rights of use of frequencies;
- indicate the pro-competitive measures that should be adopted in future procedures regarding the expiring rights of use;
- provide information and elements about the possible development roadmap of the technological ecosystem concerning the 28 GHz band and the expected methods for using this frequency and its coexistence with various applications in the band. The Authority also asks participants if they believe "the band should be subject to refarming with the replacement of WLL systems".
Parties interested in participating in the public consultation must submit their contributions by September 30, 2024.
Authors: Flaminia Perna, Matilde Losa
Innovation Law Insights is compiled by DLA Piper lawyers coordinated by Arianna Angilletta, Matteo Antonelli, Edoardo Bardelli, Carolina Battistella, Carlotta Busani, Giorgia Carneri, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Enila Elezi, Alessandra Faranda, Nadia Feola, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Deborah Paracchini, Maria Vittoria Pessina, Tommaso Ricci, Rebecca Rossi, Roxana Smeria, Massimiliano Tiberio, Giulia Zappaterra.
Articles concerning Telecommunications are curated by Massimo D’Andrea, Flaminia Perna and Matilde Losa.
For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta, Ginevra Righini.
Learn about Prisca AI Compliance, the legal tech tool developed by DLA Piper to assess the maturity of AI systems against key regulations and technical standards here.
You can learn more about “Transfer,” the legal tech tool developed by DLA Piper to support companies in evaluating data transfers out of the EEA (TIA) here. And check out a DLA Piper publication outlining Gambling regulation here, a report analyzing key legal issues arising from the metaverse here, and a comparative guide to regulations on lootboxes here.