4 September 2024 | 17 minute read

Innovation Law Insights

5 September 2024
Artificial Intelligence

EU privacy authorities scrutinise AI training

Following an order from the Irish Data Protection Commission, X (formerly Twitter) suspended processing certain personal data to train its AI chatbot tool, Grok. This mirrors actions taken by the Garante, the CNIL, and the Hamburg privacy authority in recent months. How will developers and deployers of AI systems react to this?

As reported by my Irish DLA Piper colleagues in their article, the latest news relates to the dispute against X’s data processing for AI training of its chatbot tool, which originated from a complaint by consumer associations.

X claimed it had relied on the lawful basis of legitimate interest under the GDPR. But the complainants argued that X’s privacy policy – dating back to September 2023 – was insufficiently clear about how this applied to processing user data for training AI models like Grok.

Following this challenge, the Irish Data Protection Commission issued an order to suspend data processing for such purposes. A similar scenario occurred a few months earlier following complaints by NOYB against Meta’s reliance on legitimate interest for using data to train AI models. This led to engagement with the DPC and Meta’s eventual decision in June to suspend the relevant data processing.

This chain of events is similar to what happened to OpenAI in March 2023. The Italian privacy authority, the Garante, ordered the temporary limitation of ChatGPT’s data processing of Italian individuals, leading to a month-long suspension of the AI chatbot in Italy. Eventually, the temporary limitation was waived, but OpenAI had to commit to identifying the legal basis for processing users’ personal data for algorithmic training, which OpenAI should modify.

All of this occurs as the Hamburg privacy authority issued its Discussion Paper on Large Language Models and Personal Data, arguing that there's no processing of personal data in the information stored by LLMs. This position shows EU privacy authorities are open to GDPR-compliant AI training that might be validated in the CNIL’s current consultation on the topic.

There is no doubt that the lawfulness of AI training and its compliance with the GDPR can be better advocated by adopting a more transparent approach towards individuals regarding:

  • how their personal data is processed as part of this process;
  • what legitimate interest underlies the data processing; and
  • why such a legitimate interest is grounded, taking into account the technical measures needed to minimize data processing.

And the above can be further improved by implementing legal design solutions that are increasingly upheld by data protection authorities since they help users to actually understand what is performed and why that practice is compliant.

We're at a crucial point for the development of artificial intelligence in the European Union. A compromise shall be found, but it requires an effort by the multiple parties involved. This practice is quite new for data protection authorities that are used to merely enforcing legislation. However, generative AI is likely to be the most prominent technology of the century, and it deserves special treatment.

Author: Giulio Coraggio

 

Data Protection and Cybersecurity

NIS2 Directive transposed in Italy

On 14 December 2022, the European Parliament and Council finally adopted the NIS2 Directive. The NIS2 Directive aims at ensuring greater uniformity in the level of cybersecurity in the EU and represents the evolution of the previous Directive (EU) 2016/1148 (the NIS1 Directive), which was incorporated into Italian law without substantial changes by Legislative Decree No. 65/2018. The transposition of the NIS2 Directive by each EU member state is scheduled for completion by 17 October 2024.

The transposition of the NIS2 Directive in Europe

The transposition of the Directive remains fragmented to date.

Some countries, such as Germany and the Netherlands, plan to adopt transposing legislation by early 2025. Others have only published initial drafts of the implementing laws. However, the majority of EU member states have yet to begin implementing the Directive. And only a couple have already enacted their own legislation on the matter.

Belgium, for example, implemented the NIS2 Directive through a specific law which will take full effect on 18 October 2024. Under this law, companies subject to the Directive must register their services within either two or five months, depending on the type of service (Italy will soon take a similar approach).

And what about Italy?

Last February, the Italian Parliament delegated the responsibility for implementing the NIS2 Directive to the government by enacting European Delegation Law No. 15/2024. The Delegation Law required the government to adopt the legislative decree necessary to implement the Directive at least four months before the deadline specified in the Directive – by mid-June 2024. However, the Council of Ministers didn't approve the decree until early August.

What's new?

According to evaluations made by Bruno Frattasi, the director general of the Agency for National Cybersecurity (ACN), there are about 50,000 new actors involved in implementing the NIS2 Directive in Italy, which are to be considered in addition to the list of about 400 essential operators already identified with the NIS1 Directive.

This is because, pursuant to the Directive, three criteria have to be jointly considered to assess whether a certain entity, whether public or private, falls within the scope of application of the NIS2 Directive:

  • A sectorial requirement: Whether the entity provides its services or engages in activities in one or more of the economic sectors set out by the annexes to the Directive.
  • A dimensional requirement: Whether the entity qualifies as a medium-sized or large enterprise pursuant to article 2 of the Annex to Recommendation 2003/361/EC.
  • A territorial requirement: Whether the entity provides its services or engages in activities in the EU.

These criteria have to be understood as cumulative with respect to medium-sized and large companies, except for specific cases where the applicability of the NIS2 Directive is triggered regardless of the company size (for instance, in the case of public administrations or if the disruption of the service provided by the relevant entity could have a significant impact on public safety, public security or public health).

With specific reference to the sectorial requirement, the NIS2 Directive distinguishes between entities in two types of sectors.

The first are “sectors of high criticality”, including:

  • energy
  • transportation (by air, water, rail and road)
  • banking and financial markets (in particular, financial markets’ infrastructures)
  • health
  • drinking water and wastewater
  • digital infrastructure
  • ICT service management (in a B2B context)
  • public administrations
  • the space sector

The second category is “other critical sectors”, including:

  • postal and courier services
  • waste management
  • chemical manufacturing and distribution
  • food production, processing and distribution (ie food businesses which are engaged in wholesale distribution and industrial production and processing)
  • manufacturing (with specific reference to medical devices, computers, and electronic products)
  • digital service providers (with specific reference to providers of online marketplaces, online search engines, and social network platforms)
  • research

As of 18 October 2024, companies that fall within the scope of the Directive must register on a platform being launched by ACN. This registration requires the relevant companies to provide a list of their activities and services, including all the necessary details for categorization into the appropriate relevance categories.

ACN will confirm these categories of relevance and finalize the process for registering activities and services on the platform by 31 March 2025.

Subsequently, companies subject to NIS2 will need to comply with stringent security obligations. These obligations must be promptly codified into internal policies to ensure corporate cyber compliance. Specifically, companies will have to adhere to the governance requirements set by the Directive, implement risk management measures, impose specific security obligations on third parties, evaluate contracts with ICT service providers, and report cyber incidents within the strict timeframes mandated by the regulations.

What about sanctions?

Failure to comply with the above obligations can result in significant penalties for companies. Following ACN's reporting of non-compliance, the relevant authority can issue administrative sanctions of up to EUR10 million or 2% of the total worldwide annual turnover for the subject's previous fiscal year, whichever amount is higher.

To avoid the sanctions, companies must analyse as soon as possible whether the NIS2 Directive applies to them, also in view of the reporting obligations applicable in Italy since 18 October 2024. And they should carefully map their cyber structure from both a technical and a compliance point of view to take the necessary measures as soon as possible.

Author: Giulia Zappaterra

 

Intellectual Property

Copyright recognition in fashion design: A landmark case in Denmark

On 9 August 2024, the Maritime and Commercial Court in Copenhagen issued a landmark decision recognizing copyright in a fashion design for the first time in Denmark. At the centre of the decision is the famous “Buckle Ballerina” shoe model from Danish company GANNI. The court recognized that the shoe design is an original work of authorship and held it capable of copyright protection, in line with the Cofemel ruling of the Court of Justice of the European Union (CJEU). Therefore, Steve Madden's “Grand Ave” shoes were deemed to constitute infringement under both the Copyright Act and the Danish Marketing Practices Act.

GANNI had filed a lawsuit against the US company Steve Madden, accusing it of copying the Buckle Ballerina design with the Grand Ave shoe model. The Danish court ruled that the distinctive design elements, such as the pointed toe, low heel and metal buckles, were the result of creative rather than purely functional choices and therefore justified copyright protection.

In reaching its decision, the court took into account not only the creativity and originality of the design, but also the position of the brand in the market and the distinctiveness of the GANNI model. This is even more interesting if we consider that GANNI had been unable to document that Steve Madden’s design team was primarily inspired by GANNI’s shoe design, and there were differences between the products including the court’s acceptance that the competing products were not in the same price range. Notwithstanding this, design experts supported the ruling by stating that the similarity between the two styles was such that it was likely to confuse consumers. As a result, Steve Madden was banned from selling the Grand Ave model in Denmark.

Global implications: A comparison between Europe and the US

While the Danish decision primarily impacts Steve Madden sales in Denmark for now, it may have wider implications for the fashion industry in Europe, where design protection is gaining increasing attention, especially after the 2021 Cofemel ruling by the CJEU. In the US, by contrast, copyright enforcement in the fashion context remains complex due to the utilitarian nature of clothing and accessories, which limits copyright protection.

Author: Maria Vittoria Pessina

EU Intellectual Property Office publishes report on the Criminal Legislative Measures in Serious and Organised Intellectual Property Crime Cases

The European Union Intellectual Property Office (EUIPO) has recently published its report on the legislative measures taken by the member states of the EU in relation to intellectual property (IP) criminal infringements.

The report is entitled Legislative Measures related to Intellectual Property Infringements – Criminal Legislative Measures in Serious and Organised Intellectual Property Crime Cases. It uses several practical scenarios to highlight the different approaches and sanctions that characterise the legislative frameworks adopted by EU member states.

The report represents the third phase of the “Legislative Measures Study” series and has been designed to:

  • provide a useful overview of regulation across the EU, while also providing significant examples from selected countries outside the EU (including the UK and US); and
  • help understand the scope of national legislation in EU member states.

It provides a practical, practitioner-oriented overview, focusing in particular on the maximum terms of imprisonment provided by national legislators for the IP criminal offences analysed by the researchers. It also provides relevant information on sanctions other than imprisonment, on liability of limited-liability companies, on statutes of limitations, and on legal requirements for initiating criminal proceedings in the EU member states.

As a relevant background to the report, it's important to note that in 2021, “IP crime, counterfeiting of goods and currencies” was included among the EU’s priorities in the fight against organised crime for 2022-2025. Moreover, on 19 March 2024, the European Commission (EC) issued a relevant Recommendation on the measures that should be taken to effectively combat counterfeiting and improve the enforcement of intellectual property rights. The Recommendation emphasized the importance for EU member states to adopt dissuasive criminal legislation and sanctions and encouraged EU member states to review and reassess criminal measures to achieve this objective, also focusing on the relevance of the principle of proportionality of the penalty to the offence.

The report provides an overview of the IP crime legislative landscape in EU member states, with a particular focus on the diversity of maximum criminal sanctions for a wide range of IP crimes. It has been prepared on the basis of information obtained from publicly available sources up to July 2023 for most EU member states.

In particular, the report has analysed the consequences of serious and organised infringements related to trademark counterfeiting, copyright piracy, and theft of trade secrets (whether committed by an insider or through computer hacking) in the EU member states and the additional countries considered, as well as related crimes such as fraud, unauthorised access to computer systems (hacking), and money laundering.

One of the report's main findings is that, despite the existence of several international minimum standards, national legislation on criminal IP infringements varies considerably, not only internationally but also across EU member states.

As highlighted in the report, IP criminals can sometimes exploit these differences in national legislative frameworks. And in the worst case they can be an obstacle to effective investigations, prosecutions, and the rendering of proportionate and deterrent sanctions.

For these reasons, it's possible to conclude that the harmonisation of criminal enforcement measures and sanctions between member states, which is long due on these matters, could improve the effectiveness of the fight against IP-related crimes, ensuring a more unified and robust legal approach.

Author: Federico Maria Di Vizio

 

Technology Media and Telecommunication

New regulation on customer service in the electronic communications sector

On 8 August 2024, the Italian Communications Authority published Resolution No. 255/24/CONS dated 10 July, which concerns the regulations and quality indicators for customer service in the electronic communications and audiovisual media services sector.

As outlined in Article 2 of Attachment A to the resolution, the new regulations aim to ensure the following for users of electronic communications services:

  • accessibility to customer service
  • transparency and traceability of complaint management procedures
  • transparency and comparability of customer service quality results

The resolution follows the public consultation initiated with Resolution No. 375/19/CONS dated 23 July 2019 (whose outcomes are detailed in Attachment 1 of Resolution No. 255/24/CONS) and is aimed at updating the previous regulatory framework established by Resolution No. 79/09/CSP regarding the quality of telephone contact services, ie call centres, in the electronic communications sector. The authority, as specified in its press release concerning the adoption of the resolution at issue, in outlining the new discipline has taken into account the provisions of the new Electronic Communications Code set forth by Legislative Decree No. 259/2003, as amended by Legislative Decree No. 207/2021, as well as the results of a regulatory impact analysis, which highlight a growing trend among users to use digital contact methods for assistance with electronic communications services.

To this end, the resolution introduces, for the first time, guidelines on the provision and management of digital customer service channels.

The provisions of Resolution No. 255/24/CONS establish:

  • the free availability of customer service, as already provided for under the previous regulatory framework;
  • the requirement that the provision of telephone customer service with a human operator for electronic communications services be guaranteed at least on weekdays between 8:30 and 19:30 for business users and until 21:30 for consumer users;
  • the options within the “Interactive Voice Response” (IVR) system – an interactive response system capable of providing information to a caller who can interact via phone keypad or voice recognition to speak with a customer service representative – must be explicit, transparent, and comprehensible. It is also required that an option dedicated to submitting complaints be introduced at the first level of the IVR menu;
  • a 30-day timeframe for handling customer complaints, reduced from the previous 45-day period;
  • the customer's right to submit complaints via telephone, registered mail, and digital contact, if the operator provides such an option;
  • the obligation for the operator to provide the customer with a complaint identification code, which is logically and simply structured, to facilitate easy recall by the user;
  • the “average response time of the operator” must not exceed 150 seconds, and the “percentage of calls answered by an operator within 20 seconds” must not be lower than 40%.

As stated in the resolution, the new provisions will be implemented within 12 months of the publication of the resolution.

Authors: Flaminia Perna, Matilde Losa


Innovation Law Insights is compiled by the professionals at the law firm DLA Piper under the coordination of Arianna Angilletta, Matteo Antonelli, Edoardo Bardelli, Carolina Battistella, Carlotta Busani, Giorgia Carneri, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Enila Elezi, Alessandra Faranda, Nadia Feola, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Deborah Paracchini, Maria Vittoria Pessina, Tommaso Ricci, Miriam Romeo, Rebecca Rossi, Roxana Smeria, Massimiliano Tiberio, Giulia Zappaterra.

Articles concerning Telecommunications are curated by Massimo D’Andrea, Flaminia Perna and Matilde Losa.

For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta, Ginevra Righini.

Learn about Prisca AI Compliance, the legal tech tool developed by DLA Piper to assess the maturity of AI systems against key regulations and technical standards here.

You can learn more about “Transfer,” the legal tech tool developed by DLA Piper to support companies in evaluating data transfers out of the EEA (TIA) here, and check out a DLA Piper publication outlining Gambling regulation here, as well as a report analyzing key legal issues arising from the metaverse here, and a comparative guide to regulations on lootboxes here.
