Looking Ahead – Technology, Data Privacy, Cybersecurity and IP developments in 2023
Related Author: Kiran Chita, Trainee Solicitor
In this update we outline some of the technology, data privacy, cybersecurity and IP legal developments to look out for in 2023, as well as some of the questions organisations may be grappling with over the coming year.
Challenges posed by the development of AI technology
Ongoing development of AI technology in 2023 will continue to give rise to longstanding critical legal questions for organisations creating, financing and/or using such programs – for instance “who owns the intellectual property rights in the AI program?” and “who owns the intellectual property rights in the output of the AI program?” Developments in AI technology, and the role(s) that the technology plays in an organisation’s eco-system in 2023, will ultimately shape the new scenarios in which these longstanding legal questions are posed, as well as give rise to altogether novel questions; one example is the continued development and adoption of AI technology which is capable of generating new content (i.e. unique text, images, video and sound content). Organisations should be cognisant of the new legal and operational challenges arising from these AI technologies. For instance, there is the potential for cybercriminals with little or no technical experience to use the tools to generate malware or convincing phishing emails, or for the technology to be reverse-engineered so that the training data (which could include personal data) becomes accessible – possibly giving rise to data privacy related issues.
Corresponding with its ongoing development, the regulation of AI technologies has become an increasing focus, particularly within the EU. The EU Artificial Intelligence Act (“AI Act”) is expected to become the first global standard for regulating or banning certain uses of artificial intelligence.
A draft of the AI Act was approved by the European Council on 6 December 2022, and the EU Parliament is scheduled to vote on the draft AI Act by end of March 2023. This means the AI Act is likely to enter into force in late 2023 or early 2024, and it’s expected that businesses will have a transitional period of 18 months to ensure compliance.
The EU is also intending to introduce regulation relating to the liability of manufacturers of AI technologies. The draft AI Liability Directive, published on 28 September 2022, relates to non-contractual civil fault-based liability only and reduces the burden of proof for claimants requesting compensation for damages caused by an AI system.
Supporting these specific AI-focused legislative instruments, the draft Product Liability Directive, published on 28 September 2022, will also affect AI technologies and “digital manufacturing files and software”. The Product Liability Directive establishes a strict liability framework for defective products and intends to provide a harmonised effective compensation system at an EU level.
The UK Government has also announced proposals for the regulation of AI, indicating that it intends to take a less centralised and more risk-based approach in comparison to the EU’s AI Act. The results of this consultation and proposed next steps have not yet been published.
Platform regulation developments
Regulation of digital services and platforms is being reformed in the EU by the new Digital Markets Act (“DMA”), which becomes applicable from 2 May 2023, and the Digital Services Act (“DSA”), which largely becomes applicable on 17 February 2024. The DMA and DSA are expected to have a large impact on the way businesses use and share data across their digital platforms.
The DMA and DSA relate to a broad range of digital services; respectively, the new rules will primarily affect:
- “Gatekeeper” online platforms, which have a systemic role in a market that allows them to ‘bottleneck’ entrants. Examples include search engines, video sharing platforms, web browsers, operating systems, virtual assistants, advertising services, social media and cloud computing systems. When deciding whether a business is a Gatekeeper, the number of active users, turnover, the number of Member States in which it operates and how durable its operations are may all be considered. Further guidelines on the Gatekeeper designation process are anticipated; and
- Online intermediaries and large platforms (“Intermediaries”), such as marketplaces, social media sites, and hosting and network infrastructure providers. Very Large Online Platforms and Very Large Search Engines will be subject to additional rules.
The DMA and DSA are broadly aimed at creating safe digital spaces, a fair environment for businesses, protecting the rights of service users and fostering innovation, competition and growth in the market.
The European Commission has recognised that this package of new legislation is addressing concerns that have arisen on an extremely large scale. Additionally, the legislation of digital services has been largely unchanged since the e-Commerce Directive 2000. As such, the new restrictions and obligations are a significantly higher burden and will affect a large number of businesses and, in some cases, require material changes to operations, particularly in relation to the use of personal data.
However, businesses are likely to benefit from the increased competition in the market from the DMA as well as the legal certainty and harmonisation introduced by the DSA. The EU’s impact assessment (see here) predicts that this will particularly benefit the growth and innovation of SMEs.
DATA PRIVACY AND CYBERSECURITY
EU-US and UK-US personal data transfer arrangements
2023 may be the year in which the EU Commission and/or UK Government agree and adopt adequacy decisions with the United States (“US”) to permit the free flow of EU and UK-based personal data to the US.
Currently, the state of play with respect to EU-US and UK-US adequacy arrangements is that:
EU-US Trans-Atlantic Data Privacy Framework
- 25 March 2022: the US Government and European Commission announced their agreement in principle to a new Trans-Atlantic Data Privacy Framework (“DPF”). The DPF seeks to address the concerns raised by the European Court of Justice in the 2020 Schrems II decision in which the previous EU-US Privacy Shield was deemed unsatisfactory from an EU law perspective (see our coverage here).
- 7 October 2022: President Biden signed an Executive Order which was intended to implement certain US commitments under the DPF. The executive order creates additional privacy and civil liberties safeguards for US signals intelligence collection activities (see our coverage here).
- 13 December 2022: The European Commission published its draft adequacy decision for the US. The draft decision must now go through the European Commission’s adoption procedure.
- 17 January 2023: The European Data Protection Board considered the European Commission’s draft adequacy decision at its first plenary meeting of the year. It is expected that the adequacy decision will be finally adopted in mid-2023 (see our coverage here).
UK-US adequacy decision
The UK has categorised the US as a “priority destination” in which the UK is seeking to strike a data partnership. In December 2021, the UK and US announced plans to deepen the dialogue on UK-US personal data flows.
On 7 October 2022, the UK announced “excellent” progress had taken place on reaching a UK adequacy assessment for the US and announced an intention to expedite a review of the safeguards outlined in President Biden’s Executive Order of the same day, before seeking to lay any proposed adequacy decision before Parliament in early 2023.
On 17 January 2023, at the inaugural meeting of the US-UK Comprehensive Dialogue on Technology and Data, the UK and US restated their commitment to finalising and implementing a data bridge for UK-US data flows in 2023.
UK data adequacy decisions (data bridges)
Transfers of personal data out of the European Union and United Kingdom are prohibited unless they take place in accordance with an otherwise permitted avenue set out in the EU GDPR and UK GDPR respectively. One of the avenues permitting the international transfer of personal data is where the importing country has received an adequacy decision from the European Commission / UK Government (as applicable) under which the importing country is deemed to have ensured an ‘adequate’ level of protection for personal data. For example, an adequacy decision is the current mechanism for international data transfers from the UK to the European Economic Area and vice versa.
The UK Government has previously committed to championing the international flow of data as one of five priority areas of action in its National Data Strategy and subsequently published a statement on international data transfers that announced several priority jurisdictions for adequacy assessments. The UK Government has also designated the US, Australia, Colombia, Singapore and the Dubai International Financial Centre (“DIFC”) as priority jurisdictions for data partnerships (see here).
During the course of 2022, progress was made in relation to a number of the UK’s priority jurisdictions, including:
- A meeting between the UK Department for Digital, Culture, Media & Sport (“DCMS”) and the US Department of Commerce in October 2022 resulted in an announcement of progress towards a data adequacy agreement.
- At the end of 2022, the UK Government determined that the Republic of Korea provides an adequate level of protection in respect of transfers of personal data and gave effect to a data bridge regulation for international data transfers to the Republic of Korea.
- In December 2022, the DCMS published a joint statement with the DIFC setting out both parties’ commitment to developing the UK-DIFC data partnership.
Further progress on UK adequacy assessments will be an area to look for in 2023.
Child privacy / online harms
The UK Online Safety Bill (the “Bill”) was proposed by the UK Government to establish a new regulatory framework to protect children and tackle illegal content online. The amended Bill is currently at the report stage in the House of Commons and 2023 will be a critical year in the Bill’s passage to potentially becoming an Act of Parliament.
The Bill introduces new rules for companies that offer user-generated content, in addition to search engines, to protect users from abuse, fraud and violence. The Bill is part of a wider trend at the EU and UK level aimed at protecting users, particularly children, in the digital space.
The Bill has attracted a great deal of attention with critics arguing that enacting certain provisions would result in a restriction of free speech. In response, the UK Government published an amended Bill in the latter stages of 2022 in which the offence of ‘harmful communications’ was removed, as were provisions relating to ‘legal but harmful’ content accessed by adults which social media platforms would have to consider removing.
Among the obligations in the current Bill, platforms must tackle and remove illegal material from their sites. The largest, highest-risk platforms must provide adults with tools that allow them to choose the types of content they see and senior managers will have a legal obligation to ensure their company complies with information requests from Ofcom, the appointed regulator. Moreover, platforms likely to be accessed by children will have a duty to protect children from legal but harmful content. Companies that fail to comply with the obligations introduced by the Bill could face fines of up to £18m or 10% of global annual turnover (whichever is higher) or being blocked by Ofcom.
Brexit bonfire – Retained EU Law (Revocation and Reform) Bill
Rishi Sunak announced that a new Brexit Delivery Unit would be “reviewing every EU law on our statute book” within his first 100 days in office as Prime Minister. The UK Government then introduced the Retained EU Law (Revocation and Reform) Bill at Westminster on 22 September 2022 (the “Bill”), which proposes to remove all retained EU law (that is, EU law retained under the EU (Withdrawal) Act 2018).
Primary legislation, which has been incorporated into the laws of England and Wales by an act of Parliament, such as the Equality Act 2010 will not be affected by the Bill.
The Bill aims to address the following concerns with the retention of EU law:
- retained EU law often replicates or overlaps with domestic law, causing confusion and uncertainty;
- the general principles of EU law may no longer be relevant to the UK following Brexit;
- too much retained EU law was effectively given the same status and protection in domestic law as primary legislation;
- the supremacy of EU law was inconsistent with the UK’s democratic and parliamentary traditions;
- CJEU case law should not have an elevated status in UK law (post-Brexit);
- flexibility was needed to remove retained law quickly if it is declared invalid by the CJEU; and
- guidance to courts, and the role of EU law in legal education, should be reviewed in light of Brexit and the aforementioned proposed changes.
To this end, the Bill introduces a “sunset” for all secondary retained EU regulation, which would remove its effect from 31 December 2023. This secondary legislation is wide ranging, including rules on food standards, gas safety certifications, and airline safety. However, there are concerns that not all relevant legislation has been included in the 2,417 pieces so far identified and that there may be unintended consequences.
Upcoming European cybersecurity regulation
EU cybersecurity lawmakers were busy drafting new legislation in 2022, and 2023 looks to be the year when some of that legislation will be finalised and adopted. These new laws seek to elevate cybersecurity and information communications technology (“ICT”) risk management to the board level by holding management bodies accountable for failures surrounding matters such as adopting and managing appropriate cybersecurity measures, supervising compliance with those measures and fulfilling cybersecurity training obligations.
Incoming EU cybersecurity legislation which organisations should be aware of in 2023 includes:
NIS 2 Directive
The NIS 2 Directive is an EU Directive which seeks to strengthen cybersecurity standards in essential and important entities operating in a range of critical industries. The NIS 2 Directive builds upon the EU’s 2016 NIS Directive and outlines management liability for failure to manage cyber risks, including supply chain due diligence obligations and new incident and cyber threat reporting requirements.
The NIS 2 Directive was published in the EU Official Journal on 27 December 2022 and entered into force on 16 January 2023. EU Member States now have 21 months to transpose the Directive into national law.
For further information on the NIS 2 Directive, see our recent coverage here.
Digital Operational Resilience Act (“DORA”)
DORA is an EU Regulation which seeks to strengthen cybersecurity and operational resilience requirements on particular financial institutions operating in the EU.
In-scope organisations are required to establish and maintain resilient ICT systems and tools which minimise network and other information technology risk, and must report certain ICT-related incidents to competent authorities, clients and individuals (as appropriate). DORA also applies to ICT third-party service providers that are designated as critical due to the systemic importance of the financial institutions that rely on their services. Some early concerns for IT providers from an implementation and preparedness perspective concern the lack of granularity surrounding certain defined terms in the legislation – including the definition of “criticality”.
DORA was published in the EU Official Journal on 27 December 2022 and entered into force on 16 January 2023. Organisations will have 24 months to ensure compliance as DORA will apply from 17 January 2025.
Intellectual property acquisitions in insolvency and restructuring situations
Continued or worsening challenges to the global markets and other economic pressures in 2023 may ultimately result in an increase in organisations seeking to restructure their business arrangements and/or entering into some sort of insolvency process.
Intellectual property rights may comprise a highly valuable asset class for distressed companies, which may give rise to an increase in acquisition activity for intellectual property rights in distressed businesses. This includes sales of intellectual property rights in distressed companies whilst they remain solvent and once those companies have entered into formal insolvency proceedings.
Unitary Patent and the Unified Patent Court
The long-awaited Unitary Patent and Unified Patent Court (“UPC”) system is intended to commence on 1 June 2023. The system aims to offer users a “cost-effective option for patent protection and dispute settlement across Europe” by allowing users to make a single application for patent protection in all participating EU Member States. Infringement and enforcement proceedings will also be heard by the UPC in order to avoid parallel litigation in different Member States and the uncertainty that arises when their decisions differ.
From 1 January 2023, transitional measures come into force allowing applicants to file requests for unitary effect with the European Patent Office, which would delay the decision to grant a European patent. However, initial plans to begin a “sunrise” period on 1 January 2023, ending with the UPC Agreement coming into force on 1 April 2023, have been postponed by two months to support the implementation of the case management system.
New UK copyright exception for text and data mining
Last year, the UK Government announced its intention to introduce a new copyright and database right exception permitting text and data mining for any purpose. The new exception would develop the UK’s current copyright exception for text and data analysis, which currently only covers text and data mining practices in a non-commercial setting, and was in response to the UK Government’s wider consultation into AI and intellectual property.
Text and data mining comprises the process of using computer techniques to analyse large information sets in order to extract knowledge from them. These techniques can lead to the discovery of patterns, trends and relationships among the data, as well as facilitate further data analysis.
If implemented, the new exception will be well-received by the wide pool of stakeholders benefitting from text and data mining, which includes developers of AI and research institutions. Equally, the UK Government has stated that “all users of data mining technology will benefit, with rights holders having safeguards to protect their content”. The UK Government has provided some indication on what those safeguards may be, having announced that safeguards will primarily centre on the requirement of lawful access – namely the rights holders’ right to choose the platform on which their content is made available and whether any paywall is in place to permit such access.