Six New EU Regulations – like the AI Act – Explained
1. Introduction – Why are these EU laws relevant?
A lot of new EU regulations will become relevant this year and in the coming years. To make these six new EU regulations easier to understand, the International Association of Privacy Professionals (IAPP) has shared helpful resources on its website. You can find good summaries and explanations there.
To provide a simple way of getting acquainted with these new regulations, we wrote this article ‘Six New EU Regulations – like the AI Act – Explained’. We did it to raise awareness of the IAPP and their resources as well. Why is this important? These six new EU regulations are not only relevant for legal professionals. They are important for anyone working with data, be it in engineering, management or in commercial teams. Keep reading to learn more about the IAPP, the short charts they developed and additional comments about these new EU Regulations.
The IAPP inspired us to write this Article to give you more information about these new (and one already existing from 2022) EU Regulations.
2. What is the IAPP?
The IAPP is a large global information privacy community with the aim to help define, promote and improve the privacy profession on a global scale. On their website you will find many helpful tools that are available for free, like the comprehensive explanations of the newest EU regulations regarding data.
3. The evolving landscape of technology and data
It is no surprise that everything revolving around data and technology is constantly changing. New technology appears, and new solutions are thought of and used, which affects our everyday lives. With this exciting evolution of technology and the many areas of data usage, extensive regulation is needed to keep up with the developments. This will unfortunately mean additional work for organizations to be compliant with these regulations.
Knowledge of these regulations is not only important to avoid heavy fines, but also to be able to show customers and partners that you are taking this seriously. Even if it takes a while before these regulations are fully implemented, it is important to get to know the impact, especially if you are developing or deploying AI. We have already noticed, while negotiating and drafting commercial contracts, that companies expect to discuss steps taken towards compliance. One way to start understanding the basics of the new EU regulations is by studying the IAPP’s 101 Charters on New EU Data Regulation and this article ‘Six New EU Regulations – like the AI Act – Explained’.
4. Six New EU Regulations – like the AI Act – Explained
Now, let’s give you more details about the six new regulations, like the AI Act, Digital Markets Act and the NIS 2 Directive. See this link to learn the differences between an EU Regulation and a Directive.
AI Act
Applicability details
Entry into force: 1 August 2024. From 2 February 2025 certain prohibitions will apply. Full applicability: 2 August 2026. For detailed timeline: See here for updates within the EU, here for Swedish updates and here for updates in the Netherlands.
Comments
One of the most discussed regulations from the EU is the AI Act. After numerous discussions and proposals, the first AI Act ultimately entered into force on 1 August 2024. As AI technology continues to evolve, and organizations use AI on a larger scale, the AI Act will play a big role in the near future. How it will play out exactly is hard to foresee, as the regulation has only been in force for a short time.
According to the EU, it has developed the AI Act in line with its values and principles to protect citizens from unacceptable risks. AI is a great tool for a wide range of possibilities. However, there is uncertainty about its development, and it can be used in disadvantageous ways. Therefore, using AI safely and in a regulated way will be the future in the EU.
Short summary of the AI Act: “The AI Act lays down a comprehensive legal framework for the development, marketing and use of AI in the EU in conformity with EU values. It promotes the uptake of human-centric and trustworthy AI while ensuring a high level of protection of health, safety and fundamental rights, including democracy, the rule of law and environmental protections”.
For more information on the AI Act, see here.
NIS 2 Directive
Applicability details
Deadline for EU Member States to implement: 17 October 2024.
Comments
Next, it is important to mention the NIS 2 Directive, which replaces the NIS 1 Directive. As tech usage and data breaches increase for many companies, data security and cybersecurity should be a high priority. If your company handles data, that is especially important. Unfortunately, cyber threats are more common now, which is why it is important to prepare and improve the EU’s cybersecurity. The NIS2 Directive is an important part of this initiative. The NIS 2 Directive aims to achieve a high common level of cybersecurity across the EU.
Three main points of the NIS2 Directive are to ensure that:
- The Member States are prepared by being appropriately equipped with e.g. a Computer Security Incident Response Team etc,
- A Cooperation Group is set up, making cooperating and information sharing among EU-member states easy, and
- An overall security culture is incorporated into vital sectors of the EU-member states.
The NIS2 Directive is applicable to many medium to large companies that are involved in the handling of data. See the links below to check if your company is required, for example, to take appropriate security measures and notify relevant national authorities of serious incidents.
The IAPP explains the broad effect of the NIS2 Directive as follows: “This chart explores the NIS2 Directive on measures for a high common level of cybersecurity across the EU, which further improves the resilience and incident response capacities of the public and private sectors, and the EU as a whole”.
See further information from IAPP on NIS2 Directive, via this link.
For information about the NIS2 Directive in the Netherlands (in Dutch: Cyberbeveiligingswet (NIS2-richtlijn)), see the official explanation by the Dutch government here. For information about the NIS2 Directive in Sweden (in Swedish: Cybersäkerhetslagen), see the official explanation by the Swedish government here.
Data Act
Applicability details
Entry into force: 11 January 2024. Applicable from: September 2025.
Comments
The Data Act is a complementary Act to the below discussed Data Governance Act (DGA). The main goals of the Data Act are to:
- Enhance legal certainty for the use and sharing of data,
- Protect against unfair contracts,
- Give the public sector access to private data, e.g. in case of emergencies, and
- Make it easier for customers to switch between data-processing service providers.
Knowledge of the Data Act is therefore especially valuable for organizations that access and use data in the EU, which includes most organizations. Using and accessing data while keeping the market competitive is in line with numerous countries’ national legislation and now also on an EU level. Ensuring free flow of data opens opportunities that otherwise could have been lost.
Short summary of the Data Act: “The Data Act creates new rules on who can access and use data generated in the EU across all economic sectors. It aims to ensure fairness in the allocation of value from data, stimulate a competitive data market, open opportunities for data-driven innovation and make data more accessible to all users”.
For more information on the Data Act, see links here: the IAPP, the European Commission and the Swedish government.
Data Governance Act (DGA)
Applicability details
Entry into force: 23 June 2022. Applicable from: September 2023.
Comments
The next part of the EU Data Regulation is the DGA. It is important to mention the DGA even though it has entered into force already. The DGA aims to increase trust and ease when sharing data while maintaining EU values and principles.
The method to achieve the aim of the DGA is through:
- better access to certain data from the public sector and data from citizens and businesses for society’s benefit, so-called data altruism,
- easier ways to share data across borders,
- while ensuring ways of trustworthy data sharing.
The IAPP describes the DGA as follows: “The DGA seeks to foster public sector information reuse; to create a supervisory framework for the provision of data sharing services; and to establish a framework for voluntary registration of entities which collect and process data made available for altruistic purposes”.
Follow this link for further information from the IAPP on the DGA. See this link for explanations from the EU, this link for an explanation by the Dutch Government and this link for an explanation by the Swedish government.
Digital Markets Act (DMA)
Applicability details
Entry into force: 4 October 2022. Applicable from: 2 May 2023.
Comments
The previous new EU regulations, apart from the AI Act, focus on generally promoting free flow of data. The DMA is different. It forces larger technology platforms, like Alphabet, Amazon, Meta etc., to allow smaller businesses to advertise on and use data gained from large technology platforms. Smaller businesses and consumers receive more benefits from the DMA, as they are provided with more options of better and cheaper services to choose from. As part of the “Digital Services Package” with the below discussed Digital Services Act (DSA), the two main goals are to:
- create a safer digital space where users’ fundamental rights are protected, and
- establish an even market in the EU and globally.
Most of the provisions in the DMA apply from 2 May 2023, but some have been applicable since 1 November 2022. If you are involved in digital services within your business, it is important that you ensure compliance with the DMA.
As the IAPP lays it out, the DMA aims to do the following: “The DMA creates new obligations for big technology platforms acting as “gatekeepers providing core platform services” to create a fairer environment for business users that rely on gatekeepers, and to ensure consumers have access to better services and can easily switch providers”.
Follow this link for further information from IAPP on DMA.
Digital Services Act (DSA)
Applicability details
Entry into force: 8 November 2022. Applicable from: 17 February 2024.
Comments
Hand in hand with the DMA, both constituting “the Digital Services Package”, the DSA aims to regulate online intermediaries and platforms, like marketplaces, social networks etc.
The special focus of the DSA is:
- preventing illegal and harmful activities,
- preventing the spread of disinformation while protecting the users’ safety and fundamental rights, and
- strengthening of consumer rights online.
Along with the DMA, the DSA is intended to create a good online environment for both citizens and businesses. This became applicable from 17 February 2024. Thus, the DSA comes with regulation applicable for businesses that provide digital services to citizens in the EU. However, this is only applicable for online platforms that have more than 45 million users per month in the EU.
The IAPP describes the DSA as follows: “The DSA aims to harmonize conditions for the provision of intermediary services and increases transparency requirements for online intermediaries”.
Read here for further information from IAPP on DSA and here for information from the Swedish government.
Final comments
Major changes are ahead as these regulations are applicable to all companies, private or public, that handle data. Staying compliant and being on track with these changes is important if you are affected. Hopefully this Article ‘Six New EU Regulations – like the AI Act – Explained’ was helpful to you.
For further information about these regulations, contact us via lowa@amstlegal.com or visit the IAPP website or the links below for specific information on each EU Regulation.
Resources:
https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
https://digital-strategy.ec.europa.eu/en/policies/data-act
https://digital-strategy.ec.europa.eu/en/policies/data-governance-act
https://digital-strategy.ec.europa.eu/en/policies/data-governance-act-explained
https://digital-strategy.ec.europa.eu/en/policies/digital-services-act-package
https://eur-lex.europa.eu/EN/legal-content/summary/digital-markets-act.html
https://eur-lex.europa.eu/legal-content/EN/LSU/?uri=CELEX:32022R2065&qid=1723653653789
https://www.eu-digital-markets-act.com
https://eur-lex.europa.eu/legal-content/EN/LSU/?uri=CELEX:32022L2555
https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
Canadian Court Recognizes 👍 as a Contract Agreement
As far as we are aware, a Canadian Court has made a first of its kind ruling relating to the acceptance of an emoji as a contract agreement. This is an interesting judgment to illustrate the developments relating to the acceptance of digital ways to approve contracts.
What was the verdict?
The Canadian court ruled that a 👍 emoji counts as a contract agreement. For details, please see https://lnkd.in/gyBrSAdn
The judge wrote, among other things, the following: “This court readily acknowledges that a 👍 emoji is a non-traditional means to ‘sign’ a document but nevertheless under these circumstances this was a valid way to convey the two purposes of a ‘signature’.”
Correct decision?
What seems like an unusual verdict actually makes a lot of sense looking at the facts in this specific case. After talking to each other on the phone, Kent (the Buyer) sends a copy of a contract as an offer to deliver the goods to him via text to Chris. Chris responds with a thumbs up.
Trend for the future
Without knowing the full background, this indeed looks like an agreement to enter into a contract (and agreeing to the contents of the contract). At least under Dutch law, depending on the circumstances of the case, this could reasonably be seen as entering into an agreement.
This is in line with other verdicts in the past years where offers and acceptance of these offers (agreement to contract) are accepted in digital form by e-mail, SMS, WhatsApp and other tech solutions like DocuSign etc. It is an important realization for everyone that the digital world is evolving and we need to adapt!
Lesson Learned
Next time you respond with (for example) 🚀 ✅ ✔️👍🏾🙏🏼 to a question or request to agree to an offer, be very mindful of your intentions.