Welcome to this February edition of Schoenherr's to the point: technology & digitalisation newsletter!

We are excited to present a selection of legal developments in the area of technology & digitalisation in the wider CEE region.

Editorial

AI Act on its way

The legislative process for the Artificial Intelligence Act (AI Act) is getting closer to the end. Work on the world's first act in this matter has been ongoing since April 2021, and the recent events indicate that EU member states will soon have to start working on how to implement the new regulations. To recall, the implementation of the aforementioned regulations aims to ensure that the use of artificial intelligence systems does not violate fundamental rights and that the principles of democracy and the rule of law are respected.

On 13 February 2024, members of the Internal Market and Consumer Protection committee (IMCO) and the Civil Liberties, Justice and Home Affairs committee (LIBE) reached a provisional agreement on the AI Act. 71 people voted in favour of the result of the negotiations with the Member States on the AI Act. Only eight were against. Therefore, the act will now be put to a vote at the plenary session of the European Parliament. If passed by the MEPs, the act will then go to the Council of Ministers for approval.

Reaching this next milestone was summed up by Mr Brando Benifei: "It was long and intense, but the effort was worth it. Thanks to the European Parliament's resilience, the world's first horizontal legislation on artificial intelligence will keep the European promise - ensuring that rights and freedoms are at the centre of the development of this ground-breaking technology. Correct implementation will be key - the Parliament will continue to keep a close eye, to ensure support for new business ideas with sandboxes, and effective rules for the most powerful models."

The AI Act is supposed to protect fundamental rights, democracy, the rule of law and environmental sustainability from high-risk AI. At the same time, however, it aims to boost innovation and establish Europe as a leader in the AI field.

The act will be fully applicable 24 months after its entry into force, except bans on prohibited practices (6 months after the entry into force); codes of practice (9 months after entry into force); general-purpose AI rules including governance (12 months after entry into force); and obligations for high-risk systems (36 months after entry into force).

February and the beginning of 2024 were also full of other exciting news in the area of data privacy, new technologies and VC. Below you can read more on the increased activity of the Polish DPA, recruitment for new VC programs, DORA, and the Data Act.

Daria Rutecka

Insights waiting for you in this edition:

New copyright levy in Austria

Dominik Hofmarcher

According to recently published new tariffs valid as of 1 February 2024, Austrian collecting societies are requesting a copyright levy for, among others, integrated memories in gaming consoles, digital toys and VR goggles placed on the market in Austria. However, the new tariffs are highly controversial, and not just due to the amounts involved.

Background

According to harmonised EU law, authors have a right to fair remuneration for private copies. In Austria, this is implemented through a system of storage media remuneration ("copyright levy"). The first distributors of storage media suitable for private copying pay the levy to the collecting society and add the amount to the price of the devices. The levy is therefore ultimately paid by the private user of the storage media. The collecting societies announce in autonomous tariffs which storage media they require remuneration for and in what amount. In practice, however, reduced tariffs are regularly negotiated between the collecting societies and the associations of the Chamber of Commerce. These are set out in so-called "Gesamtverträge".

New tariffs

Currently, negotiations about a new Gesamtvertrag have failed. The tariffs now published by the collecting societies are therefore not negotiated tariffs but autonomous tariffs. The collecting societies request, among other things, EUR 15/30 for gaming consoles, EUR 3.75/7.50 for digital toys and EUR 6/9 for VR goggles, each depending on the storage capacity. It appears questionable to what extent the claims are justified, both in terms of their merits and their amount. Moreover, the currently valid Gesamtvertrag stipulates that game consoles are not subject to the copyright levy.

Consequences

Companies that sell affected products in Austria must now consider whether they will report the sales figures of affected products to the collecting society, whether or to what extent they will pay the levy (under reserve), and whether they will increase prices by the amount of the levy.

Venture Capital Glossary

Niklas Kerschbaumer & Dominik Tyrybon

Corporate Bodies

In most company forms, the organisational structure is defined by several key corporate bodies:

  • General Meeting (Gesellschafterversammlung) - mandatory
  • Managing Director (Geschäftsführung) - mandatory
  • Supervisory Board (Aufsichtsrat) - mandatory under certain conditions
  • Advisory Board (Beirat) - optional

General Meeting:

The General Meeting serves as the supreme decision-making body, consisting of all shareholders. It is mandatory to hold at least one annual ordinary General Meeting, typically convened by the management. Exclusive decisions, such as examining and approving the annual financial statements, profit distribution, changes to the articles of association or alterations to the share capital fall under the jurisdiction of the General Meeting.

Managing Director:

The Managing Director represents the company externally and oversees internal operations. A company may have one or more Managing Directors, and their representation power can be individual or collective.

It is crucial to distinguish the corporate role of the Managing Director from their employment relationship with the company. This distinction becomes evident, for instance, when a Managing Director is removed by shareholder resolution, but their employment contract remains intact.

Supervisory Board:

The Supervisory Board primarily exercises control functions over the management. The managing director is obligated to regularly provide reports on the business development to the Supervisory Board. While a Limited Liability Company or a Flexible Company in Austria is generally not required to have a Supervisory Board, it can be voluntarily established by the shareholders. Under specific conditions, such as meeting certain thresholds in terms of the number of employees or shareholders, share capital, revenue, and balance sheet total, a Supervisory Board becomes mandatory.

Advisory Board:

As an additional advisory body, shareholders may appoint an Advisory Board. The General Meeting can delegate certain powers to the Advisory Board. The establishment of an Advisory Board is optional and serves as an additional layer of guidance for the management.

Pro rata rights

Pro rata rights, also known as subscription rights or pre-emptive rights, constitute a contractual agreement between a company and its investors. Under this arrangement, investors are granted the option, though not the obligation, to maintain their proportional ownership in the company by participating in subsequent rounds of financing.

Austrian Context: In Austria, pro rata rights are reinforced by a statutory subscription right, ensuring that every shareholder has the opportunity to maintain their ownership percentage when new shares are issued. This statutory provision safeguards existing shareholders from dilution and fosters equitable treatment. In specific circumstances, there may be grounds for excluding statutory subscription rights on a case-by-case basis. The rationale for such exclusion must be thoroughly documented and can be contested by shareholders in court.

Contractual Extension: Additionally, shareholders may negotiate contractual subscription rights within the shareholders' agreement, which expand the scope beyond ordinary shares to include any instruments convertible into shares in the company. This contractual provision broadens the protection for shareholders, allowing them to participate in future financing rounds or conversions without dilution of their ownership stakes. It is common for such agreements to stipulate that a certain majority can exclude the right of subscription.

Benefits: Pro rata rights serve to uphold fairness and transparency within a company's capital structure by affording existing shareholders the opportunity to participate in future capital raises on equal terms. By preserving their ownership percentages, shareholders are incentivised to maintain their commitment to the company's growth and success.

Considerations: While pro rata rights provide valuable protection for existing shareholders, they may also impact the company's ability to attract new investors or raise capital efficiently. Balancing the interests of existing shareholders with the need for capital infusion requires careful negotiation and strategic decision-making.

Sectoral inspections of the Polish DPA

Daria Rutecka

In February 2024, the Polish Office for Personal Data Protection adopted a plan for sectoral inspections for 2024. The inspections will cover data processors using web-based applications, authorities processing personal data in the SIS and VIS systems, and private entities with respect to the correctness of their compliance with the information obligation.

With respect to bodies that process personal data in the Schengen Information System and Visa Information System, the authority will simply verify the correctness of processing of SIS/VIS personal data on the basis of relevant legal provisions. Entities that process personal data using online (web) applications will be investigated with respect to the manner of securing and providing access to personal data processed in connection with the use of applications. This will be a continuation of the 2023 audit.

Private entities, however, will be verified in terms of the correctness of their compliance with the information obligations set forth in Articles 13 and 14 of the GDPR.

Data Act officially in force

Florian Terharen

The Data Act was recently published in the Official Journal of the EU and officially entered into force in January 2024. The Data Act aims to make data of "connected devices" accessible and usable to all. In particular, users of connected devices will be entitled to gain access to "their" data, i.e. the data generated through their use of connected devices such as smart speakers, self-driving cars, intelligent heating/cooling controls for smart homes, etc. But the Data Act also applies to "industrial data", which is, e.g., data generated by wind or water turbines or engines. To prevent lock-in effects, data holders may not refuse to disclose data unless it concerns business secrets, intellectual property or data that is subject to confidentiality obligations. Also, competitors will be entitled to request access to (industrial) data. The European Commission wants to accelerate the development of innovative services and more competitive prices for aftermarket services and more repairs of connected objects. The Data Act provides for a phased entry into force for individual provisions, and the provisions allowing for simplified access to data will be applicable from September 2025. However, companies must start to review, analyse and categorise the data they "hold" and apply adequate safeguards to the data they do not want to share. See here for more details and contact us to get started with the necessary steps for the implementation of the Data Act.

Adoption of ENISA Cybersecurity Certification Scheme

Florian Terharen

The 2019 Cybersecurity Act provides for a cybersecurity framework. This framework is intended for information and communication technology (ICT) products and offers a Union-wide set of technical standard requirements, rules and procedures on how to certify ICT products during their lifecycle and thus make them more trustworthy for users.

On 31 January 2024, the European Commission adopted the European Cybersecurity Scheme on Common Criteria (EUCC) which is the first scheme within the cybersecurity certification framework. The voluntary scheme drafted by ENISA also complements the Cyber Resilience Act, which will set requirements for all hardware and software products in the EU. The EUCC enables ICT suppliers interested in demonstrating assurance to undergo a standardised assessment within the EU. This process certifies various ICT products, including technological components like chips and smartcards as well as hardware and software. Drawing from the well-established SOG-IS Common Criteria evaluation framework for information systems security, which is currently utilised in 17 EU Member States, the scheme offers two assurance levels. These levels are determined by the perceived risk associated with the intended use of the product, service or process, considering factors such as the likelihood and impact of potential incidents.

The first set of final draft technical standards under DORA published

Katarzyna Szczudlik

The European Supervisory Authorities (EBA, EIOPA, and ESMA) have released the first set of final draft technical standards under the Digital Operational Resilience Act (DORA). Aimed at enhancing the digital operational resilience of the EU financial sector, these standards focus on strengthening Information and Communication Technology (ICT) and third-party risk management, along with incident reporting frameworks.

The key components include Regulatory Technical Standards (RTS) covering ICT risk management frameworks, both standard and simplified, to harmonise tools, methods, processes, and policies across different financial sectors. Another aspect is the RTS on criteria for classifying major ICT-related incidents, specifying materiality thresholds, and addressing significant cyber threats.

Crucially, there are RTSs on ICT third-party service providers (TPPs), outlining governance arrangements, risk management, and internal control frameworks for financial entities engaging with such providers. The Implementing Technical Standards (ITS) establish templates for the register of information, a vital component in the ICT third-party risk management framework.

These final draft technical standards, aligned with specific articles of DORA, underwent a public consultation from June to September 2023, resulting in refinements for simplification and addressing sector-specific concerns. The European Commission will review these drafts with the aim of adopting the standards in the coming months.

Several million zloty fine imposed by Polish data protection authority

Karolina Pikuła

On 17 January 2024, the President of the Personal Data Protection Office ("PPDPO") imposed an administrative fine of more than PLN 3.8 million on an e-commerce platform (the "Controller").

The case concerned a data breach in which an unauthorised person gained access to the personal data of approx. 2,200,000 customers of the Controller.

The breach took place in December 2018. There had already been one PPDPO decision issued in the case imposing a penalty of more than PLN 2m on the Controller, but as a result of a Supreme Administrative Court ruling, the decision was revoked and referred for reconsideration (due to several deficiencies during the proceedings and in the content of the decision).

As a result of the reconsideration, the PPDPO again found that the Controller:

  • failed to implement adequate technical and organizational measures to secure the processed personal data. According to the supervisory authority, one of the security measures that can protect against unauthorised access to data is two-factor authentication. This measure was not implemented by the Controller;
  • did not conduct a risk analysis that would take into account, among other things, the risks associated with the possibility of logging into the system from a public network;
  • did not implement solutions to monitor network traffic and react if abnormal activity was detected. As a result, the Controller was not sure whether, and which, data had been stolen from its resources; and
  • did not implement adequate technical and organizational measures to ensure regular testing, measuring and evaluating of the effectiveness of technical and organizational measures to ensure the security of personal data.

In regard to the identified violations, the supervisory authority imposed a fine of more than PLN 3.8m on the Controller.

New PFR Ventures Programs to revive Polish VC stage

Katarzyna Solarz-Włodarska

PFR Ventures* is opening the recruitment for new VC/CVC programs funded from the European Funds for Modern Economy (FENG).

New programs will cover up to 40 venture capital funds. The financing of the funds will be of a mixed nature. Public contribution (from PFR Ventures) will amount to approx. EUR 500m, while private contribution (from the investors) will be up to EUR 250m. Management teams setting up such new VC/CVC funds may come from Poland or abroad, making the programs accessible to the teams from across Europe.

According to PFR Ventures' official announcements, each new VC program has its specific targets:

  • PFR Starter and PFR Biznest – investments in small and medium-sized companies at early stages of development through VC funds;
  • PFR Otwarte Innowacje – investments in small and medium-sized companies with R&D components at both early and later stages of development;
  • PFR KOFFI – investments in small and medium-sized companies at the growth, development, expansion stages, as well as those entering new markets or adopting new solutions through financial intermediaries; and
  • PFR CVC – provision of capital to innovative companies through corporate venture capital funds, along with funds from corporate investors.

The last of the programs is open to corporations that are interested in corporate venturing.

Once the VC/CVC firm obtains the funds, it shall invest them further in chosen target companies, in the form of an equity injection (i.e. in exchange for newly issued shares). Around 85 % of the funds shall be allocated to Polish startups, while 15 % shall go to startups from abroad but with some Polish links.

The process has already commenced. Five recruitment series will have been realised by the end of 2024.

The programs are expected to activate the Polish VC market, especially after a rather calm year 2023.

*PFR Ventures is one of the largest fund investors in the CEE region. Its only investor is the Government of Poland, either directly or through the Polish Development Fund or Polish Development Bank (BGK). It supports the development of the local venture capital and private equity market, and, more broadly, the innovation ecosystem. Through the VC/CVC funds, it finances innovative small and medium enterprises across different growth stages.

The DSA enters fully into force

Piotr Podsiedlik

The reaching of a preliminary agreement on the AI Act is not the only significant event for new technology regulation. 17 February 2024 is a very important date for all online intermediaries and online platforms. On that day, the Digital Services Act (DSA) will come into full effect. Until now, as of August 2023, the DSA has only applied to selected platforms with more than 45 million users (the equivalent of 10 % of the total population of the European Union). These entities are otherwise referred to as 'very large online platforms' (VLOP) and 'very large online search engines' (VLOSE). This category includes Instagram, YouTube, LinkedIn, Google Search and Facebook, among others, which were classified by the European Commission in April 2023.

Accordingly, the DSA will have to be followed by online platforms (commerce, app shops, social collaboration platforms), cloud hosting and website hosting providers, as well as intermediary services offering network infrastructure. The need to comply with the provisions of the act will be mandatory for all service providers who are present in the European Union. According to information provided by the European Commission, entities that can be classified as micro or small enterprises will be partially exempted from the obligation to comply with the DSA.

The aforementioned date for the full applicability of the DSA is not only significant for companies. Member State authorities have until 17 February 2024 to appoint a Digital Services Coordinator or to identify an already existing body to act as Coordinator. Not all Member States have managed to appoint such a Coordinator to this day.

In Poland, at the moment, the body that will supervise the implementation of the Digital Services Act has not yet been appointed. In January of this year, the Polish authorities held consultations on the assumptions of the draft Polish act on amending the act on electronic provision of services implementing the DSA. During the discussions, it was indicated, among other things, that the President of the Office of Electronic Communications should become the coordinator.
