We reflect on three legal developments which will continue to be relevant in 2024 to those in the Technology sector.
Tech regulation and enforcement on the horizon
With the advent of general-purpose AI, such as OpenAI’s ‘ChatGPT’ and Google’s ‘Bard’, technological developments have come to dominate our attention in the past year. This has set a fire under the feet of regulators and significantly increased the intensity and pace of regulatory scrutiny of technology companies. In addition, privacy concerns continue to play a significant role in the regulatory agenda, as data constitutes the oil fuelling the AI boom.
While the EU’s proposed AI Act may have stolen the show, important new data privacy measures have also come online in the past year. These include:
- The European Commission’s proposed AI Act was revised by the European Parliament in June and is expected to be finalised by the end of this year, with a view to becoming effective in 2026.
- In July this year, the European Commission also proposed a GDPR Procedural Regulation to complement the GDPR and improve its enforcement.
- The Digital Markets Act (DMA) was enacted in 2022 and largely became effective this year, with the designation of ‘gatekeepers’ in September.
- The Digital Services Act (DSA) was also enacted in 2022 but applies from February 2024, although ‘VLOPs’ and ‘VLOSEs’ have already been designated by the European Commission.
- The Digital Operational Resilience Act (DORA) came into force in December 2022 and applies from January 2025.
- In Ireland, the Online Safety and Media Regulation Act 2022 partially came into force in March 2023.
- The Data Governance Act, which came into force in June 2022, became applicable from 24 September 2023.
In the past year, the European Data Protection Board also published its final guidelines on:
- Deceptive design patterns
- The calculation of administrative fines
- Identifying a controller’s lead supervisory authority
- The right of access
- Personal data breach notifications
In addition to the proposal for a GDPR Procedural Regulation, which is designed to strengthen the enforcement of the GDPR, supervisory authorities across the EU, including the Irish Data Protection Commission (DPC), have maintained a steady pace of enforcement. The DPC alone concluded five investigations into major technology companies headquartered in Ireland in the past year, handing down total fines of over €1.5 billion, and other regulators across the EU also remain active. The issues addressed in this enforcement activity include, for example:
- Breaches of the rules on sending unsolicited marketing communications
- Breaches of transparency obligations and the principle of fairness
- Breaches of rules relating to international data transfers
- Infringements of data protection by design and by default (Article 25 GDPR)
Regulating generative AI
As the enactment of the AI Act is fast approaching, providers of AI systems need to ensure that they comply with their obligations before going to market with their products. The AI Act will adopt a risk-based approach to AI, such that the obligations arise on a sliding scale of risk, from minimal or no risk to unacceptable and prohibited levels of risk.
Many companies are considering deploying ‘general-purpose’ or ‘generative AI’ to their services to improve efficiencies and generate new knowledge for both internal and external purposes. However, when developing and rolling out these systems, companies will need to consider if such systems will be categorised as ‘high-risk’ under the proposed AI Act, a designation which will require significant compliance documentation and other compliance efforts. While the European Parliament’s negotiating position includes specific obligations in respect of such generative AI systems, we eagerly await the final text of the AI Act by the end of this year to determine how exactly such AI systems will be governed.
Gatekeepers, platforms or both?
The enactment of the DSA and DMA has given rise to a whirlwind of compliance queries from small-, medium- and large-scale technology companies. While the DMA regulates ‘gatekeepers’ of the digital sector, the DSA will regulate a much broader range of intermediary services, as well as ‘Very Large Online Platforms’ (VLOPs) and ‘Very Large Online Search Engines’ (VLOSEs). In April this year, the European Commission designated 17 VLOPs and 2 VLOSEs, many of which are the largest technology companies in the world.
The potential fines for breach of the obligations imposed on these companies under the DSA are up to 6% of global turnover. The DSA envisages a distributed but parallel enforcement mechanism, consisting of the European Commission, the European Board for Digital Services and national Member State authorities known as Digital Services Coordinators. The European Commission will be the primary regulator for VLOPs and VLOSEs, while other providers will be under the supervision of a Digital Services Coordinator. In Ireland, the recently established Coimisiún na Meán will act as the national Digital Services Coordinator.
Given the significance of the DSA, we have prepared a series of videos designed to provide clarity, insights and an expert perspective on this landmark EU law. To date, our vlog series has addressed the threshold criteria for determining who is subject to the DSA, content moderation and online e-commerce marketplaces.
Restoring international dataflows
International dataflows are essential components of the global ‘knowledge economy’. This is particularly true for EU-US data transfers, given that the USA remains the top foreign direct investor in most of the EU’s member states. However, such data transfers have been the subject of repeated challenges by privacy activists in the EU. In July this year, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework (DPF), meaning that personal data can continue to be securely transferred from the EU to US companies. This new framework is the result of detailed negotiations between the Commission and the US Government.
We have identified two key learnings from this development. First, US companies that import data from the EU can self-certify their compliance with the DPF. Those US organisations that maintained their Privacy Shield certification can automatically transfer to the DPF, provided that they update their privacy policies accordingly. Second, for those organisations not relying on the DPF, conducting a transfer impact assessment will nonetheless become far easier than before because they can take into account the European Commission’s adequacy decision.
It has been another year of exciting and fast-paced developments in the technology sector. Our clients have experienced a range of challenges, from adopting compliance programmes in anticipation of new Irish and EU regulations to increased regulatory investigations and enforcement action on foot of longer-standing legislative measures.
The technology sector is bracing itself for further significant legislative developments in 2024. Rapid advancements in general-purpose AI have spurred heightened regulatory scrutiny and enforcement. A number of significant legislative measures have already come online for the tech sector this year, such as the DMA and the Online Safety and Media Regulation Act 2022, and many more will come into effect over the course of the next two years. Of particular concern is the EU’s AI Act, which is expected to be adopted before the end of this year.
As we approach 2024, companies face the imperative of compliance with these regulations, with potential fines for breaches reaching up to 6% of global turnover under the DSA and 10-20% of worldwide turnover under the DMA. The role of 'gatekeepers' and the broader scope of intermediary services regulation under the DMA and DSA pose intricate challenges for businesses of all sizes. While the fines for non-compliance with the AI Act have not yet been finalised, we expect that these will also be significant.
Restoration of international dataflows, particularly EU-US transfers under the new Data Privacy Framework, will provide a crucial avenue for the global 'knowledge economy' in 2024 and beyond. It is likely that these dataflows will continue to be closely scrutinised and tested for legality by privacy activists across the EU.
Against this backdrop, technology companies must not only adapt to current regulations but also anticipate evolving obligations throughout 2024. With the establishment of new regulators and the increasing intensity of enforcement actions, the need for clear and concise legal advice on both advisory and contentious issues will remain paramount. As the regulatory landscape continues to evolve, staying informed and proactive will be essential for navigating the complex intersection of technology, data protection, and the law.