
8 August 2024, 19 minute read

Innovation Law Insights

Artificial Intelligence

AI Act into Force: Is Your Company Ready for Compliance?

The AI Act was published in the Official Gazette of the European Union and has now officially come into force. Is your business ready to comply with it?

The different provisions of the AI Act will become applicable during a specific timeline that you can find in our report available here. However, with the clock running, no business can afford to adopt a technology which might have to be dismissed, renegotiated, and in any case changed in a few months.

Below is the methodology that we recommend towards becoming compliant:

  1. Map AI systems: Identify all AI systems your business currently uses or plans to use. The risk is that your business is already using artificial intelligence solutions without being aware of it and without considering the legal implications, for instance, due to local initiatives of departments or even individuals.
  2. Create an AI governance framework: Establish internal rules for the use and approval of AI solutions. These rules should consider the obligations arising from the AI Act, data protection regulations, intellectual property laws, ISO standards for areas that are not covered, and ethical rules in line with ESG principles. These rules should not just prohibit any sort of usage of AI solutions since otherwise, there is a risk that employees will try to bypass them. They should create an approval process so that employees are aware of how business needs must be escalated.
  3. Create material to ease the understanding of the AI governance framework internally and start training your employees: The policy is usually accompanied by a leaflet that, in a short and easy-to-understand manner, summarises the most important contents of the governance framework. At the same time, organising training sessions for the different business units with a specific focus on the AI solutions impacting their activity is also a useful step. If employees and officers do not understand what can and cannot be done with AI solutions, the business will remain at risk.
  4. Form an internal AI committee: Assign a team to evaluate AI solutions using a compliance-by-design approach. This team can include senior management, but it also needs operational members who will be involved in the assessment of the AI solution, liaise with the different business units, and monitor the AI solution even after its implementation.
  5. Select and prioritise AI solutions: Determine which AI solutions to invest in and establish their priority levels. This activity will need a prior high-level assessment of the compliance risks and implications of the solutions identified by the business. The AI committee will then have to select solutions that fit the aforementioned requirements and obtain the relevant budget approval.
  6. Test and evaluate AI solutions: Begin evaluating selected AI technologies. This activity has technical and compliance implications. To support businesses in this potentially time-consuming task, we have developed Prisca AI Compliance, a solution that allows a convenient assessment of the compliance of artificial intelligence solutions across the AI Act, data protection laws, IP laws, and ISO standards, generating a detailed report that can be used for internal compliance as well as towards regulators and third parties challenging the conduct of the company. Watch a video about this product here.

Do you want to know more about the above-mentioned methodology? Reach out to us to discuss. In the meantime, you can read here some material on the most relevant legal issues of AI compliance.

Author: Giulio Coraggio

AI Act: When does a survey of your employees become a prohibited artificial intelligence practice?

The AI Act lists the use of systems that infer emotions in the workplace among the prohibited artificial intelligence practices, but when does a survey of employees fall into this category?

Prohibited artificial intelligence practices that infer emotions under the AI Act

The AI Act has now come into force, and the first deadline is 2 February 2025, when the provisions on prohibited AI practices (and the relevant sanctions) will become applicable. One of the most heavily discussed prohibited AI practices relates to:

the use of AI systems to infer emotions of a natural person in the areas of workplace.

This broad provision applies to any AI system that can infer emotions. Indeed, the ability to infer emotions is also mentioned in recital 14 of the AI Act, where the Act provides that "biometric data can allow for the authentication, identification or categorisation of natural persons and for the recognition of emotions of natural persons."

However, is the provision of the AI Act limited to artificial intelligence practices using biometric data?

The limits of an employee survey's compliance with the AI Act

The issues addressed above are particularly relevant to surveys frequently run on employees to understand their level of satisfaction, morale, and potentially information about their mental condition. Especially after the pandemic, such surveys have become common and are run through software that can analyse and aggregate data.

These surveys trigger significant data protection and employment law issues across the European Union. But when do they also qualify as a prohibited AI practice?

We shall see how AI authorities address the issue. Running these surveys and allowing employees to respond to questions with open-ended answers is risky since they might communicate information beyond the purpose of the survey. However, this aspect is more of an employment and data protection law issue.

Indeed, the usage by the EU legislators of the term "inferring" seems to refer to cases when the artificial intelligence system detects some information that employees are not willing to share but can be understood through their answers. Otherwise, the legislators would have used the term "communicating," and an AI system would not be necessary to know such information.

We have seen surveys that rely on keywords to understand the mood of the interviewed individual. In such cases, the system already goes beyond what the surveyed employee wants to communicate. A case-by-case analysis is likely necessary. However, individuals' emotions are not inferred even in such a case, since predetermined keywords are not tailored to the specific individual.

All in all, only biometric data can detect information unique to a specific individual. However, we shall see how the EU regulator interprets this provision. In any case, given the approaching deadline, businesses should start scrutinising their current practices to check whether any of them qualify as prohibited AI practices.

Author: Giulio Coraggio


Data Protection & Cybersecurity

Is Your Cybersecurity Tool Capturing Employees’ Email Metadata in Italy?

The decision of the Data Protection Authority regarding the retention of email metadata might have a severe impact on the cybersecurity strategy of businesses operating in Italy.

In today’s digital world, the intersection of cybersecurity and data protection has never been more critical. As businesses face increasing cyber threats, the retention of email metadata plays a pivotal role in safeguarding operations and ensuring compliance. The recent position taken by Italy's Data Protection Authority has brought attention to the challenges of balancing email metadata retention with employee privacy. How can businesses navigate these new rules while maintaining robust cybersecurity measures and adhering to GDPR requirements?

The Italian Data Protection Authority’s Decision

Last month, the Italian Data Protection Authority (Garante per la protezione dei dati personali) made headlines by limiting the storage period of employees’ email metadata.

Initially, the retention period was set at 7 days but was later extended to 21 days. The authority clarified that this limitation does not apply to metadata within employees’ inboxes, creating a distinction between different types of email metadata. However, the issue remains.

The Implications for Cybersecurity

While the decision has been widely discussed in terms of data privacy, there has been less focus on its implications for cybersecurity. In an era where cyber threats are pervasive and constantly evolving, the ability to retain and analyse email metadata is crucial for identifying and mitigating potential risks.

  1. Cyber Threat Detection and Prevention: Email metadata, such as sender and receiver information, timestamps, and IP addresses, can provide valuable insights into unusual or suspicious activities. Shortening the retention period could hinder the ability of cybersecurity tools to detect patterns and trends that indicate cyber threats.
  2. Incident Response and Investigation: When a cyberattack occurs, having access to historical email metadata can be vital for forensic investigations. It allows security teams to trace the origin of the attack, understand its scope, and develop strategies to prevent future incidents. If this data is deleted too soon, it could compromise the effectiveness of incident response efforts.
  3. Compliance and Legal Considerations: Many industries are subject to regulations that require the retention of certain data for extended periods. Ensuring compliance with these regulations while balancing data privacy concerns can be challenging. A robust data protection compliance program is necessary to navigate these complexities.

Balancing Data Retention and Privacy

The debate around email metadata retention in Italy highlights the need for a balanced approach that considers both cybersecurity needs and data privacy rights. Here are some key considerations:

  • Negotiating with Trade Unions: Engaging with trade unions and employee representatives can help develop policies that respect privacy while addressing security concerns. Transparent communication and collaboration are essential in reaching agreements that benefit all parties.
  • Implementing a Structured Data Protection Compliance Programme: Businesses must go beyond temporary measures and establish comprehensive data protection compliance programmes. This includes performing a data protection impact assessment and a legitimate interest assessment, and adopting a policy on the usage of email metadata. However, the most relevant goal is to prove that the retention of employees’ email metadata is not aimed at monitoring employees but is essential for the operation of the company.
  • Evaluating Retention Policies: Regularly reviewing and updating data retention policies for the retention of metadata of employees’ emails in Italy is crucial. Businesses should assess the necessity of retaining specific types of metadata and consider the potential risks and benefits. Ideally, businesses should provide relevant evidence of the need to retain metadata for much longer than the 21-day period indicated by the Data Protection Authority in Italy.

The Future of Email Metadata Retention (not only for cybersecurity) in Italy

The recent decision by the Italian Data Protection Authority to limit the storage of email metadata has opened important discussions about the intersection of cybersecurity and data privacy. Businesses must adopt strong data protection and employment law measures to justify a longer retention period; otherwise, they might face severe GDPR fines.

Author: Giulio Coraggio

DORA: An Overview of the Final Draft Regulatory Technical Standards on Subcontracting

On July 26, 2024, the European Supervisory Authorities (ESAs) issued the final draft of the Regulatory Technical Standards (RTS) concerning subcontracting under the Digital Operational Resilience Act (DORA). This represents one of the most crucial RTS connected to DORA and should be carefully analysed by both financial entities and ICT service providers.

The provisions of DORA on subcontracting

DORA mandates specific contractual provisions for financial entities engaging ICT third-party service providers (ICT TPPs). These include the obligation for financial entities to specify whether subcontracting of ICT services supporting critical functions is permitted and under what conditions. The RTS further clarifies the conditions under which subcontracting should be authorized and provides several additional requirements that should be duly taken into account.

Initially published in December 2023, the draft RTS received substantial feedback during the consultation period, and some key changes were made in response to industry concerns.

Key highlights of the Final Draft of the RTS regarding subcontracting

The key changes made by the ESAs following the public consultations are:

  • Supply chain: More focus has been provided to the supply chain as a whole and to the conditions that should apply to all subcontractors throughout the chain.
  • Contractual agreements: Provisions and elements that should be included in the contractual agreements between the financial entities and the ICT service provider have been defined in more detail and can be identified through the entire RTS. In this regard, a new article clarifies that “Changes relative to contractual agreements [...] made necessary to comply with this Regulation, shall be implemented in a timely manner and as soon as it is possible”.
  • Timely remediation: The ESAs emphasised that there will be no transitional period for compliance with the RTS. Financial entities are expected to implement the necessary changes to their contractual agreements by the application date of DORA (January 17, 2025).

An overview of the RTS structure

The final draft RTS is structured to cover three main subcontracting phases: (i) pre-contractual (involving risk assessments and due diligence); (ii) contractual; and (iii) termination.

  • pre-contractual phase

The RTS requires the financial entities to duly evaluate and identify the overall risk profile and complexities of the ICT services before authorizing subcontracting. Factors that financial entities should consider include the type and location of ICT services, length of subcontractor chains, data handling, regulatory oversight, and the impact of disruptions on service continuity.

Additionally, financial entities are also required to evaluate each individual subcontractor through a due diligence process whose elements are listed in Article 3. This aims to ensure that the final responsibility remains vested in the financial entity.

Focus is also given to the group application of the Regulation. Particularly, parent companies must ensure consistent implementation of subcontracting conditions across all group entities regarding ICT services supporting critical functions.

  • contractual phase

When the pre-contractual assessments have been completed, the financial entity can authorise the subcontract, provided that the conditions listed in Articles 4, 5 and 6 of the RTS are met.

Particularly, if the ICT service provider is not willing to accept the conditions set out by the RTS and include the mandated elements in its agreement with the financial entity, the latter should not authorise subcontracting. These elements include clear responsibilities, monitoring obligations, risk assessments of subcontractors, continuity planning, security standards, and audit rights.

Notably, the RTS also requires the financial entity to obtain from the ICT service provider the rights to review and propose changes to the terms and conditions of subcontracting (particularly when major changes in these terms occur). Also, the right to audit the subcontractor directly should be obtained.

These elements are expected to be highly debated and negotiated between the financial entities and ICT service providers, also considering that subcontracting chains may be significantly long and complex. Careful and accurate clause drafting is, therefore, essential.

  • termination phase

Article 7 sets out three additional rights to termination that the financial entity should obtain for its agreements with ICT service providers.

Particularly, the financial entity should be able to terminate the agreement with the ICT service provider if material changes to the subcontracting agreements have been implemented despite the objection of the financial entity (or before the relevant notice period has expired). Also, in line with DORA, a termination right should be granted to the financial entity for unauthorised subcontracting by the ICT service provider.

Addressing feedback and future considerations

While the aim of the RTS is understandable, stakeholders have raised concerns over the practicality of monitoring and controlling entire subcontracting chains as well as the feasibility of obtaining all rights mandated by the RTS when negotiating with ICT service providers.

All these concerns are now under the lens of the European Commission which has received this RTS for its review and adoption.

While waiting for the final version, financial entities are urged to promptly familiarise themselves with the RTS and integrate its provisions in their DORA implementation process.

Authors: Edoardo Bardelli, Alessandra Faranda

EDPB's FAQ on the Data Privacy Framework (DPF) regarding transfers of personal data

The European Data Protection Board (EDPB) has published the FAQs on the "EU-US Data Privacy Framework – for European businesses" to address the most common questions regarding transfers of personal data between the EU and the United States.

What is the DPF?

The Data Privacy Framework (DPF) is a self-certification mechanism that allows organizations in the European Economic Area (EEA) to transfer personal data from the European Union to the United States in compliance with Article 45(3) of the GDPR. On July 10, 2023, the European Commission adopted a new adequacy decision under Article 45(3) GDPR to regulate personal data flows from the EU to the US.

Within the context of the EU-US Data Privacy Framework, this decision enables certified US organisations to freely exchange data with European companies, facilitating the flow of information between two major trading partners. This means that European organisations adhering to the DPF are not required to adopt the additional safeguards provided for in Article 46 of the GDPR.

However, the adoption of this mechanism left several questions unanswered. Therefore, the European Commission published FAQs which – even in this case – did not provide all the necessary answers.

The EDPB's FAQs on the DPF

The EDPB has thus adopted a document addressing the most frequent questions about the DPF, particularly:

  • What is the scope of the DPF? The DPF applies to US organisations subject to the Federal Trade Commission (FTC) or the Department of Transportation (DoT). Non-profit organisations, banks, insurance companies, and telecommunications companies are excluded.
  • What needs to be done before transferring personal data to the US? It is necessary to verify that the organisation to which you intend to export the data holds an active and applicable certification under the DPF. Remember, the DPF is only valid for one year, and an organisation may choose to voluntarily withdraw from the DPF. If the US organisation is not certified under the DPF, the safeguards outlined in Chapter V of the GDPR (such as SCCs) must be applied.
  • What to do if the US organisation is a data controller? In this case, it is necessary to ensure that the transfer complies with the GDPR, ensuring that (i) there is a legal basis under Article 6 of the GDPR for the transfer; (ii) all GDPR principles (such as the principle of data minimization) are respected; and (iii) data subjects have been duly informed.
  • What to do if the US organisation is a data processor? In this case, a data processing agreement (DPA) must be concluded under Article 28 of the GDPR, and it must be ensured that sub-processors are also bound by the DPA.

Impact on Companies

Despite the clarifications from the EDPB, as highlighted by the Board itself, the DPF is not a mechanism that securely and permanently covers all transfers to the US. Firstly, it is noted that this certification is only temporary (lasting only one year) and voluntary. Secondly, its scope, although extensive, does not cover all US organisations.

Therefore, it is highly recommended to conduct a Transfer Impact Assessment (TIA) even for companies that have obtained DPF certification to avoid being unprepared, for instance, in the face of a possible (and not so improbable) Schrems III.

DLA Piper has developed a legal tech tool to conduct TIAs more quickly and efficiently. To learn more, click here.

Author: Enila Elezi


Technology Media and Telecommunication

BEREC launches two public consultations to prepare guidelines on access to in-building physical infrastructure and coordination of civil engineering works

On 24 July 2024, the Body of European Regulators for Electronic Communications (BEREC) launched two public consultations in preparation for guidelines on, respectively, access to in-building physical infrastructure and coordination of civil works.

BEREC's adoption of such guidelines is provided for in Regulation (EU) 2024/1309 on measures to reduce the cost of deploying gigabit electronic communications networks – as part of the Gigabit Infrastructure Act.

Article 11(6) and Article 5(6) of the Gigabit Infrastructure Act respectively provide that, by 12 November 2025, after consulting stakeholders, the national dispute settlement bodies and other competent Union bodies or agencies in the relevant sectors, as appropriate, and after taking into account well-established principles and the specific situations of each Member State, BEREC shall publish:

  • Guidelines on the terms and conditions of access to in-building physical infrastructure, including on the application of fair and reasonable terms and conditions, and the criteria that the national dispute settlement bodies should follow when settling disputes; and
  • Guidelines on the application of Article 5 – concerning the coordination of civil works – in particular concerning (a) apportioning the costs associated with the coordination of civil works; (b) the criteria that the dispute settlement bodies should follow when settling disputes falling within the scope of Article 5; (c) the criteria for ensuring sufficient capacity to accommodate foreseeable future reasonable needs if coordination of civil works is refused for being unreasonable.

With the two public consultations at issue, in accordance with the relevant provisions of the Gigabit Infrastructure Act, BEREC asks any interested parties to provide their input on the questions and issues that in their opinion should be addressed in the guidelines on access to in-building physical infrastructure and in the guidelines on coordination of civil engineering works.

Interested parties can submit their input to the two public consultations by 20 September 2024.

Authors: Massimo D'Andrea, Flaminia Perna, Matilde Losa


Innovation Law Insights is compiled by the professionals at the law firm DLA Piper under the coordination of Edoardo Bardelli, Carolina Battistella, Carlotta Busani, Giorgia Carneri, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Enila Elezi, Alessandra Faranda, Nadia Feola, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Deborah Paracchini, Maria Vittoria Pessina, Tommaso Ricci, Miriam Romeo, Rebecca Rossi, Roxana Smeria, Massimiliano Tiberio, Giulia Zappaterra.

Articles concerning Telecommunications are curated by Massimo D’Andrea, Flaminia Perna and Matilde Losa.

For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta, Ginevra Righini.

If you no longer wish to receive Innovation Law Insights or would like to subscribe, please email Silvia Molignani.