Welcome to the September edition of Schoenherr's to the point: technology & digitalisation newsletter (read online)!

We are excited to present a selection of legal developments in the area of technology & digitalisation in the wider CEE region.

Editorial

How to stand out in the right way: tackling the risks of using a lurid slogan in a Google ad

In a recent decision (25 April 2023, 4 Ob 49/23v), the Austrian Supreme Court found that customers who visit the website of an advertiser after clicking on a misleading Google ad fall victim to an unfair commercial practice even if their perception gets corrected through further information on the respective website. Thus, for the first time, the court confirmed that the settled case law, where luring customers into a physical shop already counts as them making "transactional decisions", also applies to the virtual world.

The case at hand concerned a Google ad that contained the eye-catching slogan "mobile phones for € 0". The (less attractive) contractual terms were displayed through an -icon, which was positioned not next to the slogan but to the company logo, and only opened up when being clicked on. In the eyes of the court, this overall presentation was misleading because it failed to clearly indicate the onerous conditions and price components of the offer promoted by the ad.

While the outcome of this decision seems hardly surprising, it shows the importance of considering the overall impression created by one's online (e.g. Google) ads even when space is limited (and expensive). In particular, lessons can be drawn as to how a clarifying note, something which is often necessary to prevent eye-catching slogans from being misleading, should or should not be presented online. According to settled case law, such notices must be "clearly perceptible" for an average consumer, a threshold which is not always easy to determine, especially when being confronted with new communication tools. Looking at this particular case, it appears that advertisers may be well advised to act with care when positioning and using more unconventional means such as icons or pop-out notes to present material information.

Antonia Hirsch

Meet us: Thomas Kulnigg will be speaking at the Fintech Forum 2023, on 10 October 2023.

Insights waiting for you in this edition:

Venture Capital Glossary

Niklas Kerschbaumer & Dominik Tyrybon

Vesting in Venture Capital

Vesting is a crucial concept in the world of venture capital often included in shareholders' agreements and employee participation programmes that aims to align the interests of investors on the one side and founders and other key team members (such as employees) on the other side. Find out more about the key components of vesting such as "good leaver", "bad leaver", "cliff" and "acceleration." in our venture capital glossary.

Disposal of shares

Disposal of shares refers to the process of transferring ownership or selling shares in a company from one shareholder to another. Several key terms and concepts are associated with the disposal of shares, each with its own implications. The exact terms of the concepts can greatly differ from one company to another, and are typically determined through prior negotiations. Get an overview of how such concepts are defined in our venture capital glossary.

Cybersecurity in the AI Act

Veronika Wolfbauer

A report recently published by the Joint Research Centre (JRC), the European Commission's science and knowledge service, focuses on the cybersecurity requirements for high-risk AI systems set out in Article 15 of the European Commission's proposed AI law. While the European Commission's AI Act considers AI systems holistically rather than focusing solely on individual AI models, it requires comprehensive security risk assessments. This approach combines standard cybersecurity methods with AI-specific measures. It is vital to note that while securing AI models has its challenges, the key is effective risk mitigation across the entire AI system.

Stronger GDPR enforcement?

Florian Terharen

On 4 July 2023, the European Commission proposed a new Regulation laying down additional procedural rules relating to the enforcement of the GDPR. These new rules will support the effectiveness and efficiency of enforcement and set up specific procedural rules not only for the authorities when applying the GDPR in cross-border-cases, but also for the parties of these proceedings.

While not changing any substantial elements of the GDPR, these new rules will help individuals to clarify what they need to submit when making a complaint and ensure that they are appropriately involved in the process, help businesses to clarify their due process rights when a DPA investigates a potential breach of the GDPR, and help DPAs to smoothen cooperation and enhance the efficiency of enforcement.

In particular, the rights of complainants and parties under investigation as well as the cooperation and dispute resolution mechanism of the GDPR are now to be governed more precisely.

See here for details.

Bridging the gap between Serbian regulations and the GDPR: Serbia's Data Protection Strategy unveiled

Marija Vlajkovic & Andrija Saric

In late August 2023, at the initiative of Serbia's Data Protection Commissioner (the "Commissioner"), the Government of Serbia adopted the Data Protection Strategy for the 2023-2030 period (the "Strategy"). The previous strategic document in this field was adopted in 2010 and did not make the anticipated impact, as neither the action plan nor the working group for its enforcement were established. As vast technological changes and increase in data processing happened in the meantime, the latest Strategy intends to pave the way to future changes of data protection regulation in Serbia by providing goals and mechanisms for their implementation. Find out more about the most relevant goals and mechanisms here.

The EU Digital Services Act: 19 designated online platforms have completed their last-minute compliance preparations, Serbia is just looking over its shoulder

Marija Vlajkovic

While most provisions of the EU Digital Services Act ("DSA") will not begin to apply until February 2024, the EU Commission has nevertheless designated 19 "very large online platforms" and "very large search engines" – so-called gatekeepers – for which the strictest rules under the DSA took effect on 25 August this year. Read more here.

Controversial passenger verification at Ryanair

Daria Rutecka

At the end of August 2023, the Polish Data Protection Authority announced that Ryanair, a budget airline based in Ireland, had sparked controversy in Poland due to its use of additional and quite unusual passenger verification at checkout. The airline urged passengers not only to present an ID such as a passport for inspection at the airport, but also required scans of those documents. Additionally, Ryanair reportedly expected passengers to pay an extra fee to verify their identity in the computer system if they refused to provide the abovementioned scans. After receiving numerous complaints, the Polish Data Protection Authority initiated an inspection. As the authority informed on its official website, once the complaints are fully analysed and formal deficiencies are corrected, the case will be forwarded to the Irish supervisory authority. At the same time, the Polish Data Protection Authority requested that the President of the Office of Competition and Consumer Protection consider examining the airline's practices to decide whether they constitute a violation of the collective interests of consumers.

Google-owned Fitbit accused of GDPR violations in EU

Özgür Semiz

Fitbit, a consumer electronics and fitness company, is facing questions over its data transfer practices. While they argue users have consented to international data sharing, critics say Fitbit pressures users into this, violating the GDPR. For any consent to be lawful, it must be freely given, specific, informed and unambiguous. The contention is that Fitbit is not providing full transparency about these data transfers, which means users cannot truly give informed consent, as stipulated by the GDPR. Additionally, the GDPR insists on users having the ability to withdraw their consent at any time without adverse consequences, but Fitbit users can only do so by deleting their accounts and forfeiting all their data. The Austrian privacy rights organisation "noyb" has brought these issues to data protection authorities in Austria, the Netherlands and Italy.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.