We reflect on three legal developments which will continue to be relevant in 2023 to those in the Technology sector.
Data privacy continues to be a focus for Tech
This year, much like each preceding year since the GDPR was announced, has been exceptionally busy for those advising on data privacy and security matters. The demand for organisations to process personal data to drive innovation and commerce continued to grow in 2022. Technology companies continue to produce innovative products and services which are driven by data processing and rely on personal data to engage with customers, both current and prospective. For this reason, technology clients continue to focus on data protection as a core part of the development of their products and services.
In 2022, we have seen the data protection legal landscape develop with increased complexity. New data laws have come into force or been announced, and new guidance has been published interpreting current laws. These include:
- The Data Governance Act came into force in June 2022 and will apply from 24 September 2023
- In September, the European Commission published a proposal for a new Cyber Resilience Act
- The European Parliament and Council of Europe approved the NIS2 Directive in November
- The European Commission proposed the Digital Operational Resilience Act (DORA) in 2020 and the European Parliament adopted a provisional agreement in November
- The Digital Services Act 2022 and the Digital Markets Act 2022 (discussed further below)
New guidelines interpreting elements of current data privacy laws have also been published by data protection regulators. For instance, this year the European Data Protection Board has produced detailed guidance on data privacy issues including:
- Personal data breaches
- Data transfers
- Data subject rights
- The calculation of administrative fines
The enforcement of data privacy laws has also increased at pace. There have been significant sanctions, including fines in the hundreds of millions, for breaches of data privacy rules on issues like:
- Breaches of the transparency obligations
- International data transfers rules
- Non-compliance with cookies rules, and
- Infringements of data protection by design and by default (Article 25 GDPR)
Complying with GDPR When Using AI
In this round-up of content we wanted to highlight an article published earlier this year which reminded businesses of their existing obligations under the GDPR when relying on AI technology.
Since the publication of this article, it has been reported that the text of the proposed AI Act is nearing finalisation, though it will only apply two years after it has been adopted. The AI Act aims to address risks of specific uses of AI, categorising them into 4 different levels: unacceptable risk, high risk, limited risk, and minimal risk. The AI Act will supplement the rules in the GDPR as they apply to AI, imposing additional obligations for testing, risk management, documentation and human oversight throughout the AI systems’ lifecycle. However, controllers relying on AI will still need to comply with their obligations under the GDPR when using AI to process personal data.
Recent applications of AI technology have demonstrated the pace at which this technology is developing. Readers may have seen media reports of the impressive ability of the AI-powered ChatGPT chatbot to respond in a human-like way to extremely technical questions. As AI technology continues to be relied on by the tech sector, we think the regulation of AI will be a focus of 2023 and beyond.
Related Insight: Complying with GDPR When Using AI
Changes in consumer rights law
A key theme of 2022 has been regulators and legislators putting the protection of individuals, particularly end-users of digital services and products, on a more formal footing. We have seen several new pieces of consumer legislation at an EU and Irish level coming into force or nearing completion. One significant development which we wanted to highlight in particular is the recent entry into force of the Consumer Rights Act 2022 on 29 November 2022. This has been described as “the biggest overhaul of consumer rights law in 40 years” and its purpose is to modernise and strengthen consumer rights and remedies for Irish consumers.
The Consumer Rights Act 2022 has made widespread changes to consumer protection laws in Ireland and aligned them more closely with rules across the EU. It introduces new rules and obligations for traders selling to consumers, strengthens the remedies available to consumers and increases the penalties for traders that breach the law. We set out the material changes brought about by this legislation.
Related Insight: Publication of the Consumer Rights Bill 2022
Further regulation of big tech
Two pieces of legislation that will be significant for large technology companies in 2023 and beyond are the Digital Services Act and the Digital Markets Act.
The European Union’s Digital Markets Act (DMA) was published in the Official Journal of the EU on 12 October 2022 and entered into force on 1 November 2022. The aim of the DMA is to ensure contestability and fairness for digital sector markets. The DMA will introduce an ex ante regulation which imposes a number of obligations and prohibitions on “gatekeepers” offering “core platform services” in the European Union. The DMA was drafted to complement existing competition law rules, which will continue to apply in the digital sector, and will likely have a significant impact on online digital platforms that qualify as “gatekeepers”.
The Digital Services Act (DSA) was published in November 2022 and applies to service providers with users based in the EU. Certain obligations will apply over the course of 2023, with full implementation by 17 February 2024. It imposes obligations which focus on content moderation, transparency and accountability on ‘intermediary services’. Obligations apply in a cascading fashion, with a base level of universal obligations, and more onerous obligations attaching to services which, due to their functionalities and / or size, may present increased risk for users. Obligations include making interface changes and engaging in periodic reporting on content moderation. The DSA provides for significant fines of up to 6% of global turnover for non-compliance.
Related Insight: EU Digital Services Act About to Enter into Force
2022 has been an exceptionally busy year for technology law developments, driven by an ever-changing tech landscape. There is little doubt that technology will continue to develop at pace in 2023, and there are no signs of regulators and law-makers lifting their focus on the sector.