Welcome to the October edition of Schoenherr's to the point: technology & digitalisation newsletter!

We are excited to present a selection of legal developments in the area of technology & digitalisation in the wider CEE region.

Editorial | Roland Vesenmayer

Austria: First ministerial draft DSA Accompanying Act

The Austrian Ministry of Justice has submitted the first draft of the accompanying act to the Digital Services Act ("DSA").

Accordingly, the already existing communications authority KommAustria should be the Digital Services Coordinator in Austria. In the future, this authority would be responsible for, among other things, the establishment of an out-of-court dispute settlement body or the designation of the "trusted flagger" status.

KommAustria is also authorised to file an application with the Federal Administrative Court to order the temporary restriction of users' access to the affected service or to the affected online interface of the intermediary services provider.

In addition, the Act contains a catalogue of administrative penal provisions that correspond to the obligations under the DSA. If an intermediary service provider violates the penal provisions, KommAustria is also responsible for imposing the fines, which can amount to up to 6 % of the company's worldwide annual turnover.

The draft also includes amendments to the Austrian E-Commerce Act. The right of a third party to the disclosure of user data against host providers (an Austrian peculiarity) will be extended to all providers with whom the infringing user has concluded an agreement on the storage and (now new) transmission of information. Thus, it seems that third parties can now request user information also against access providers, such as domain registrars, telecommunication providers, etc. In addition, the judicial takedown system is set to become less bureaucratic, as courts will have to send the takedown order to the intermediary by e-mail and not by international court service.

Furthermore, a non-material claim for damages in the case of significant defamation on the internet ("Hass im Netz") was anchored in the law. Under the previous law, non-material damage was only to be compensated if there was an additional explicit provision in the law. According to Section 1330(1) ABGB, "full satisfaction" is not to be paid but only the "real" damage is to be compensated. The explanatory notes to the draft state that the defamation must reach a certain intensity to be compensated. Accordingly, "for example, not every written communication between young people, which also contains harmless swear words from youth culture" could be compensated. When assessing the amount of non-material damages, the explanatory notes stay vague and point out that, depending on the specific circumstances, the case law on similar cases or existing legal provisions may serve as a guide.

The draft is now in the review phase until 12 November 2023. We will keep you posted on any further news on the DSA.

Venture Capital Glossary: Reporting obligations and information rights | Niklas Kerschbaumer & Dominik Tyrybon

Reporting obligations

Reporting obligations in the start-up ecosystem pertain to the requirements and commitments of founders and management to provide relevant and timely information to investors and stakeholders. These obligations are often agreed in shareholders' agreements and typically encompass:

Financial reporting: This includes disclosure of financial statements (income statements and balance sheets) and cash flow reports, offering investors insights into the company's financial performance.

Operational updates: Ongoing operational updates help investors understand the day-to-day progress and challenges faced by the start-up, ensuring transparency.

Legal and compliance disclosures: Sometimes start-ups are obliged to disclose any legal issues, disputes or regulatory changes that may affect their operations.

Use of funds: Start-ups are expected to account for how investment capital is being utilised, detailing the allocation of funds for different business activities.

Reporting obligations are essential for maintaining trust and keeping stakeholders informed about the start-up's financial health, operational progress and potential risks.

Information rights

Information rights refer to the legal entitlements of shareholders, particularly in an Austrian limited liability company (GmbH), to access and obtain information regarding the company's affairs. These rights are granted to individual shareholders irrespective of their ownership stake. In contrast to the Austrian Stock Corporation Act, the GmbH Act in Austria provides for comprehensive information rights of shareholders and shareholders have the right to inspect business documents. These rights ensure transparency, accountability and a means for shareholders to stay informed and exercise oversight in the company.

Reporting obligations are typically requested and implemented during a financing round, where investors demand a regular reporting format for key metrics. In contrast, information rights are fundamental rights that are always present for every shareholder, always ensuring transparency and access to company affairs.

Venture Capital Glossary: Alternative venture capital investment instruments: convertible loans and SAFEs | Niklas Kerschbaumer & Dominik Tyrybon

Equity investments in a capital increase is the traditional and prevalent method of venture capital (VC) and start-up financing (i.e. capital in exchange for equity). As alternative or bridge financing instruments, convertible loans (CLA) or simple agreements for future equity (SAFE) are commonly used in VC and start-up practice.

CLAs and SAFEs are designed to allow investors to provide capital to a start-up while deferring the determination of the company's valuation until a later date.

  • CLA: A CLA is a debt instrument. A loan disbursed under a CLA converts into equity in the start-up at a future specified date or upon specified triggering events, typically a subsequent traditional equity financing round. Conversion of the loan amount occurs at a predetermined conversion price upon a triggering event. The conversion price is usually set at a discount to the valuation established in the next financing round, rewarding early investors for their risk and supporting the start-up's growth. The terms and conditions of CLAs can vary widely, leaving room for discussion and negotiation between investors and start-ups. For example, CLAs may provide for mandatory or voluntary conversion events, with interest on the loan amount either converting into equity or not. Additionally, the conversion price may be subject to a floor (minimum conversion price) or cap (maximum conversion price), and the catalogue of warranties provided by the company can range from comprehensive to minimal. Furthermore, the maturity date of the loan may be set in the near or distant future, and a discount rate may apply or not apply to the conversion price among other potential variations.
  • SAFE: A SAFE is a more streamlined and founder-friendly alternative to a CLA. SAFEs represent a promise that investors will receive equity in the start-up at a future specified date or upon specified triggering events. Unlike loans disbursed under CLAs, SAFEs do not accrue interest, and there is no repayment option for the investment. Instead, investors receive a mandatory delivery of new shares as consideration for the pre-payment of the investment, making SAFEs simpler in structure. While the fundamental concept of SAFEs is straightforward, other terms in a SAFE do not significantly differ from those found in CLAs. Once again, a wide variety of terms is possible and subject to negotiations between investors and start-ups. Please refer to the information provided above. The tax treatment of SAFEs under Austrian law remains somewhat uncertain. Nonetheless, there is a good argument that SAFEs may offer certain advantages over CLAs from an Austrian tax standpoint.

Both CLAs and SAFEs are popular options for start-ups and investors, as they provide flexibility in terms of issuing new shares while allowing start-ups to secure financing without immediately determining a fixed valuation. However, the specific terms and conditions of such financing instruments can vary, so it is essential to carefully negotiate and document the terms in legal agreements to ensure clarity and alignment between investors and start-ups. Although it is not a common practice in Austria, it is advisable to conclude CLAs and SAFEs in the form of a notarial deed.

Crypto-Update: Crypto bull rally while MiCAR Level 2 measures emerge | Michael Schmiedinger

A surge of optimism has been sweeping through the crypto markets, driven by the belief that the US is on the verge of approving Bitcoin exchange-traded funds (ETF). This belief was bolstered by a recent appellate court ruling in favour of Grayscale, ordering the US Securities and Exchange Commission (SEC) to revisit Grayscale's application for admission to trading of a spot BTC ETF. In addition, there have been growing signs that BlackRock, the world's largest asset manager, is about to file an application to list a Bitcoin ETF, too. For Bitcoin, the positive sentiment is amplified by the upcoming halving event that is due to occur in April 2024. After the halving, the rewards miners receive for validating transactions on the blockchain, known as block rewards, will reduce by half from the current 6.25 to 3.125 Bitcoins per block, resulting in a reduction of Bitcoin supply.

Meanwhile, the European Securities and Markets Authority (ESMA) continues to prepare Level 2 measures in connection with the Markets in Crypto-Assets Regulation (MiCAR). Earlier this month, the ESMA published its second consultation paper on Technical Standards specifying certain requirements under the MiCAR (see the first consultation paper of July 2023 here). The second set of Technical Standards covers major topics under the MiCAR, such as the content to be included in crypto-asset white papers (including sustainability disclosure aspects), pre- and post-trade transparency measures, record-keeping and business continuity.

Cybersecurity Month returns | Clemens Pretscher

October is Cybersecurity Month, a time to raise awareness about online security and promote best practices to safeguard our data. Despite the enormous increase in cybercrime, many of us still fail to properly protect our own data. To get you started, we have listed a few measures that do not take much effort but make a huge difference:

  • Password managers: Creating strong passwords and changing them frequently is essential to protect your sensitive information. Using a password manager makes this task far more convenient, as it typically includes a password generator for strong and unique passwords, avoids password reuse and syncs all passwords across your devices for easy access. Many providers offer free basic versions with great features.
  • Multi-factor authentication (MFA): Adding an extra layer of security through multi-factor authentication significantly enhances your online protection. By requiring an additional verification step, such as a unique code sent to your phone, MFA restricts unauthorised access to your accounts, even if your password is compromised.
  • Secure your Wi-Fi network: An easy step is to change the default login credentials for your router to a strong password and to enable encryption (WPA2/WPA3) for advanced protection against unauthorised access. Many routers also offer the possibility to set up a guest network, which only provides internet access, but does not grant access to the main network itself.
  • Update your software: Turn on automatic updates to make sure your software is regularly updated. If automatic updates are not supported, you should install the updates as soon as possible after you have received the corresponding notifications. This is the best way to ensure you have the latest security patches and best protection.

Generative AI: indemnification for copyright infringements | Roland Vesenmayer

To tackle the current legal concerns arising from the use of generative AI, Microsoft and Google have announced that they will assume responsibility for the potential legal risks involved if customers are challenged on copyright grounds for the use of their generative AI models. Restrictions apply.

Microsoft limits their indemnification to cases where a third party sues a commercial customer for copyright infringement for using Microsoft's Copilots (including Microsoft 365 Copilot) or the output they generate. Microsoft would "defend customers and pay the amount of any adverse judgments or settlements that result from the lawsuit", as long as the customer used Microsoft's guardrails and content filters for their products.

Google limits their indemnification to their customers' use of the training data that Google uses for generative AI models in all their services as well as the generated output from Duet AI in Google Workspace and a range of Google Cloud services. According to the amended T&C of Google Cloud and Google Workspace, this indemnity does not apply if the customer (i) creates or uses such generated output that they knew or should have known was likely infringing, (ii) disregards, disables or circumvents source citations, filters, instructions or other tools to help use generated output responsibly, (iii) continues using the generated output after they received a notice of an infringement claim, or (iv) used the generated output commercially and the allegation is based on a trademark right.

It therefore remains to be seen whether other tech giants will follow this trend, especially OpenAI. After all, Microsoft's Copilot is built on OpenAI's GPT4 large language model.

Clearview AI successfully challenges UK privacy penalty | Marija Vlajkovic & Andrija Saric

Clearview AI, a US-based facial recognition company, has amassed a vast database of billions of photos by scraping public websites, including social media platforms. With 3,000 customers, it is by far the most used facial recognition AI system by law enforcement and military entities. In principle, Clearview helps law enforcement identify suspects in criminal investigations by police uploading a photo of an individual and receiving potential matches from Clearview AI's database. While Clearview appears to be the best choice among facial recognition AI systems (its competitor DataWorksPlus was involved in a scandalous wrongful arrest by Detroit police in 2020), it too has been the subject of controversy and legal challenges, as its practice of scraping images from the internet without individuals' consent has raised privacy concerns.

Privacy sanction and Clearview AI's appeal

Clearview AI has successfully appealed against a privacy sanction imposed by the UK's Information Commissioner's Office (ICO). In 2022, the ICO concluded that Clearview committed multiple breaches of UK privacy laws, ordered the deletion of data on UK citizens and issued a fine of approx. GBP 7.5m.

The appeal was won on legal jurisdictional grounds, with the tribunal ruling that Clearview AI's activities were exempt from UK data protection laws due to their association with foreign law enforcement. The company argued that it is a foreign entity serving "foreign clients", primarily for their national security and criminal law enforcement functions. The tribunal accepted Clearview AI's claim that it exclusively provides its services to non-UK/EU law enforcement or national security bodies and their contractors. As a result, the ICO's enforcement decision, which found breaches of the UK GDPR, was overturned.

Previous legal actions against Clearview AI

The penalty from the UK is merely one among multiple legal actions and cases that Clearview AI has faced lately. Last July, the company was fined USD 20m and prohibited from handling biometric information in Greece due to breaches of the EU GDPR. Regulators in France and Italy have also levied comparable fines against the company. However, back in May, the French data protection authority confirmed that Clearview AI did not pay the fine. There is currently no information on whether any of these penalties ultimately were enforced.

In the USA, Clearview AI reached a settlement with the American Civil Liberties Union and several other plaintiffs last year. The settlement essentially banned Clearview AI from selling its database to private businesses or individuals anywhere in the USA, restricting its business to American government agencies.

What can be expected in the EU?

The European Data Protection Board (EDPB) and the European Data Protection Supervisor have previously advocated for a ban on mass-scale and indiscriminate collection of personal data for law enforcement, specifically mentioning practices like scraping of online photos. The EDPB has also issued guidelines on facial recognition in law enforcement, emphasising the importance of data protection rules and assessing the "necessity and proportionality" of AI tools.

The EU is currently working on a risk-based framework for AI regulation. Earlier, the Commission's 2021 proposal identified AI systems with real-time and remote biometric facial recognition systems as prohibited. Members of the European Parliament supported amendments to the draft EU AI Act, proposing a ban on indiscriminate scraping of biometric data from social media, deeming it a violation of human rights, as well as on real-time and ex-post biometric facial recognition systems, except in severe crimes. The fate of this proposal in the final AI Act is uncertain. Even if it is included, the ability of regional regulators to enforce it against non-compliant foreign companies remains an open question. Nevertheless, we are eager to see the final EU AI Act, which should be completed by the end of 2024.

Advice on cutting-edge AI-assistant launched by Erste Bank | Matthias Pressler

Artificial intelligence is on the rise and has seen an unprecedent boost over the last 12 months, in particular due to developments related to OpenAI's ChatGPT. It now has also reached the financial industry, not only in internal test balloons but in a fully rolled-out AI "Financial Health Prototype" launched by Erste Bank and available to the general public. Schoenherr experts were invited to help navigate the legal aspects of this new beta tool, the very first on the Austrian and CEE markets.

Check out Erste Bank's Financial Health Prototype here: https://erstebank.ai/

Setting up an AI tool still entails many uncertainties, including legal ones. Operators should seek to reduce as many uncertainties as possible. Is an AI-powered tool compliant with financial regulatory aspects (e.g. with the regulations regarding investment services)? What is the nature of the relationship between the user of the AI tool and the offeror? Can the input data generated by users be used to train the AI tool? Who is the author of content resulting from conversations with the AI tool?

Questions like those and many more need to be considered during the legal assessment of an AI project. Although not yet finalised, the EU AI Act will play a very important role when setting up an AI-assisted project in the future, in particular in the area of elevated risk, including financial services. Financial institutions should prepare themselves for the challenges ahead to be in pole position to use the new technologies.

ChatGPT: talk, see and surf! | Tullia Veronesi

Almost a year after OpenAI introduced ChatGPT to the world, big changes are coming. The developers at OpenAI have not only improved the content, but also made fundamental changes that will revolutionise the user experience.

Talking instead of typing: the future of interaction

Perhaps the most exciting new feature concerns the way we communicate with ChatGPT. You will no longer have to rely on the keyboard to interact with your AI assistant. Like Alexa or Siri, you can simply press the "Speak" button and utter your question or command. ChatGPT will then convert your spoken message to text, feed it into its powerful language model, and present the answer to you in spoken form.

Unlike existing voice assistants, ChatGPT's responses are said to be much more accurate and understandable. This ground-breaking feature will initially be available only to paying users and enterprise customers. It is expected to be available to all ChatGPT users shortly thereafter.

Pictures speak louder than words

In addition to voice, OpenAI brings another exciting new feature: the ability to upload and share images with ChatGPT. This feature is reminiscent of Google Lens and opens up impressive possibilities.

Simply take a picture of something that piques your interest and upload it to ChatGPT. The system will then ask you for more details and generate the appropriate answer based on your input. Compared to traditional searches, the chances of getting the right answer right away are greatly increased. However, there is an important limitation: ChatGPT will not answer questions about personal information or people in the images, in order to maintain privacy.

The power of language and creativity

OpenAI has also made impressive progress in AI speech. A new model allows AI to be trained with your own voice to translate spoken text into other languages. This could be of particular interest to podcasters who want to reach a global audience. However, due to the potential for abuse, this feature will not be available to all users.

Another exciting development involves DALL-E, OpenAI's AI image generator. It can now interact seamlessly with ChatGPT. You can tell DALL-E what kind of images you need more easily than ever before, and the AI will turn your creativity into visual artwork.

Beyond ChatGPT: exploring the internet

In addition to these exciting new features, ChatGPT has also acquired the ability to search the internet to provide you with up-to-date and reliable information with direct references to the sources. This enhancement removes the limitations that previously prevented ChatGPT from providing information beyond September 2021.

The future of ChatGPT promises more interactivity and opportunities than ever before. With new voice and image capabilities, as well as the ability to explore the web, ChatGPT will become an even more valuable partner in your digital life.

EDPB/EDPS joint opinion on digital euro | Daria Rutecka

On 18 October 2023, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued a joint opinion on the proposed regulation on the digital euro as a central bank digital currency. The digital euro would serve as a means of electronic payment both online as well as offline (the two modalities). Each of these modalities may require a different approach and safeguards to be taken with respect to personal data processing. The EDPB and EDPS urge including an explicit reference to the applicable cybersecurity legal framework. One of the main recommendations presented in the joint opinion is the introduction of a privacy threshold for low-value online digital payment transactions. Additionally, the EDPB and EDPB explain that the personal data classified as "user identifier" or "information on online digital euro payment transactions" should be further specified. Furthermore, the processing of personal data within the fraud detection and prevention mechanism must be better defined. The EDPB and the EDPS recommend that the proposal recall the ECB's obligation to carry out a DPIA and entrust the European Central Bank to provide a digital euro with built-in compliance with the data protection obligation by design and by default during the next steps of the project, such as the adoption of technological choices, scheme rules and proof of concept.

event review | AI LTHE

The first ever Innovators' Forum was organised by the Legal Tech Hub Europe (LTHE) at k47 in Vienna on 13 October 2023. Schoenherr Partner and COO Gudrun Stangl and our Head of Digitalisation Andrei Salajan took a leading role in this initiative in their capacities as members of the LTHE. The attendees and panellists included representatives from leading European law firms.

Artificial intelligence is more than just a tool, but has the potential to transform many professions, the legal industry included. The thought-provoking discussions generated by the panellists and keynote speakers got us closer to understanding how AI products will impact our daily work. Hence, investing in AI is not just a question of RoI, but a necessity to stay relevant.

At Schoenherr, we are dedicated to the continuous development of legal tech and to offering our clients the most advanced legal services using cutting-edge tools. This latest high-profile event reinforces the firm's commitment to this path.

Stay tuned for what the future has in store!

event review | AI Master Class

Scheduled for October-December 2023, the first ever Master Class dedicated to AI called "Regulating Artificial Intelligence: Legal and Ethical Challenges" will be organised by the Institute for Artificial Intelligence of Serbia and the Faculty of Organisational Sciences of the University of Belgrade, bringing together over 70 international and domestic experts. We are delighted that our Serbian IP partner Andrea Radonjanin and our data protection partner Marija Vlajkovic will take a part in this event that addresses the legal and ethical challenges of AI and provides a global perspective by covering international regulatory trends and practices, with a specific focus on the European Union and Serbia.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.