IT-Gruk 8/2023: News within IT and privacy law – and happy summer holidays!
The first half of 2023 is over. The past six months have been characterized by discussions about the use and regulation of artificial intelligence (AI), but they have also brought us other news within IT law, privacy and IP. Here is our selection of the latest news that we believe is relevant for IT and digitalization in Norway. And with that, we wish everyone a great summer!
(Note: this is a translation of the Norwegian version of IT-Gruk 8/2023.)
Privacy and the USA: Schrems II soon to be over?
On Monday, July 3, 2023, the US authorities announced that they have now implemented the complaint mechanism according to Executive Order (EO) 14086 for the EU/EEA, and the mechanism will enter into force when the European Commission has issued an adequacy decision for the US. In addition, the Office of the Director of National Intelligence (ODNI) has confirmed that the US Intelligence Community has adopted its policies and procedures pursuant to EO 14086. Together, the mechanism, policies and procedures put in place the main section of the security measures under EO 14086. Can we now expect a finalization of the draft adequacy decision published in December 2022? https://www.commerce.gov/news/press-releases/2023/07/statement-us-secretary-commerce-gina-raimondo-european-union-us-data
The Norwegian Digital Services Act: Do you know what you should have done by June 30?
The Digital Services Act entered into force on January 1, 2023. One of the consequences of the Act is that a provider of digital services is obliged to notify consumers at least once every six months that the digital service will expire and that consumers have the right to cancel the service. This follows from section 33(4) of the Digital Services Act and the notification must be sent actively, such as by email or SMS. It is not sufficient to notify in a passive way, such as by providing information online. As the Act entered into force on January 1, the first 6-month period expired on June 30, 2023. By not sending a notification, the provider risks that the consumer may cancel the service free of charge, and with effect from the day the notification should have been sent.
The Norwegian Transparency Act: Are you ready to publish your statement?
The Norwegian Transparency Act aims to promote respect for fundamental human rights and decent working conditions by businesses and ensure public access to information. The Act entered into force on July 1, 2022, with an obligation to provide information for businesses subject to the Act. These are businesses that offer goods or services in Norway or abroad and are of a certain size (two of three conditions: at least 50 employees, NOK 70 million in revenue or NOK 35 million in balance sheet total). In addition, the businesses are required to publish their due diligence assessment no later than June 30, 2023. A due diligence assessment is a process or working method for mapping, preventing, accounting for and following up how an organization handles actual and potential negative consequences of its activities.
Data protection: When is personal data identifiable?
There is a growing number of judgments that contribute to the understanding of the GDPR. A key judgment came on April 26 in case T-557/20 between the Single Resolution Board (SRB) and the European Data Protection Supervisor (EDPS). The judgment came from the EU General Court, and could thus be appealed to the ECJ as the supreme court. The case addressed the issue of pseudonymization of personal data when transferred to a third party. The third party in this case was Deloitte, which received data from SRB for analysis. Deloitte itself could not re-identify the individuals in the dataset without the “key” to do so being provided by SRB. The EDPS concluded that this was a breach of the GDPR and the duty to inform upon a transfer. The Court, on the other hand, based its judgment on GDPR art. 4(1), as well as the European Court of Justice’s judgment C-582/14, and found that the EDPS had not carried out a risk-based assessment of whether it was reasonably likely that the individuals could be re-identified. In this case, the Court emphasized that the assessment must be seen from the recipient’s perspective, i.e., based on Deloitte’s perspective regarding their efforts and the possibility of re-identification. It should be noted that this is a lower court judgment that can be appealed, but the judgment opens the door for the threshold for anonymization to be set lower. Perhaps data processing agreements are not necessary in all cases with pseudonymized data?
Copyright and Harry Potter music
The case between Warner Bros and Star Entertainment concerning the marketing and performance of three concerts in Norway with music from the Harry Potter films has now been resolved with a judgment from the Borgarting Court of Appeal (LB-2023-13976). The case concerned several claims related to copyright infringement in connection with the planned concerts. Warner has exclusive rights to all film music from the Harry Potter films and had not given permission to use it. Star believed, however, that it had received authorization from TONO as the Norwegian collection society. After a more detailed assessment, the court concluded that Star had prepared and performed altered versions of the music without consent, thereby creating a new adaptation with height of authorship (Norwegian: “verkshøyde”) that infringed Warner’s rights. The result was therefore a ban on the performance of the adapted music and compensation to Warner. The court also stated that marketing of the concerts was not in violation of section 25 of the Norwegian Marketing Act, and there was no infringement of Warner’s trademarks nor infringement of copyright through the use of scores. What is interesting for anyone interested in music is that the judgment nevertheless clarifies that there will be some room for interpretation and adaptation of a work, but that there will be a limit where, for example, a medley of songs can easily constitute a new adapted work.
DMA: Who are the gatekeepers of digital services?
The DMA, or Digital Markets Act, is the EU regulation on digital markets. It entered into force on November 1, 2022, and aims to prevent large digital platforms from abusing their position while at the same time ensuring access on equal and fair terms. The impact of the DMA is not expected until 2024, but the notification deadline to the European Commission for those companies that meet the thresholds to be covered as “gatekeepers” was already July 3, 2023. On Monday this week, the following companies were on the list: Alphabet (Google), Amazon, Apple, ByteDance (TikTok), Meta, Microsoft and Samsung. The Commission now has 45 days to assess whether these companies meet the thresholds and designate them as gatekeepers, after which the companies’ compliance must be established within 6 months, but no later than March 6, 2024. The requirements follow from DMA art. 5-7 and contain over 20 specific obligations, such as the prohibition of favoring own products and services.
While the DSA has got its VLOPs
And speaking of the DMA, we must also mention its vertical twin, the Digital Services Act, which is the regulation that aims to strengthen the internal digital market and regulate very large digital service providers and search engines with over 45M monthly active users (VLOP and VLOSE). The DSA in a way updates the old e-commerce directive. All internet platforms had until February 17, 2023, to report their number of users, and on April 25, 2023, the Commission designated the following companies as VLOPs with the obligations under the DSA: Alibaba Aliexpress, Amazon Store, Apple AppStore, Booking.com, Facebook, Google Maps/Play/Shopping, Instagram, LinkedIn, Pinterest, Snapchat, TikTok, Twitter, Wikipedia, YouTube and Zalando. Bing and Google Search were identified as major search services (VLOSE). These are now in a 4-month period where they must ensure compliance with the DSA.
If you thought the AI Act was the only EU regulation we were waiting for…
We have already mentioned the AI Act in many news messages (our “IT-gruks”) recently, and most people have realized that the draft AI Act has been adopted by the EU Parliament. Thus, the trilogue negotiations are underway and we are waiting for the European Commission, the EU Parliament and the EU Council to agree. It is most likely to happen sometime in the next 6 months. In addition, we are waiting for:
- The AI Liability Directive which is in the works (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52022PC0496), and
- the ePrivacy Act which is dragging on (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52017PC0010).
While other EU regulations have more or less been put in place with greater speed:
- Data Act (regulation promoting data portability for primarily IoT data), political agreement in June 2023: https://www.consilium.europa.eu/en/press/press-releases/2023/06/27/data-act-council-and-parliament-strike-a-deal-on-fair-access-to-and-use-of-data/
- MiCA regulation for crypto markets, adopted in May 2023: https://www.consilium.europa.eu/en/press/press-releases/2023/05/16/digital-finance-council-adopts-new-rules-on-markets-in-crypto-assets-mica/
- Marketing of the Financial Services Directive (distance marketing of consumer services), political agreement in June 2023: https://www.consilium.europa.eu/en/press/press-releases/2023/06/06/council-and-parliament-reach-provisional-political-agreement-on-financial-services-contracts-concluded-at-a-distance/
Privacy and Meta: Unlawful use of personal data under GDPR
It’s a hectic time for Meta. The European Court of Justice recently published a judgement in case C-252/21 between Meta/Facebook and German cartel authorities. The judgement addresses Meta’s use of individual user data that is linked to other usage than direct activities on Facebook. This is referred to as “off-Facebook data” and concerns usage related to visits to third-party pages and applications, or other Meta services. This is data that is used for targeted advertising. The antitrust authority prohibited the use of German citizens’ data without consent for “off-Facebook data” as it was considered to be an abuse of a dominant market position and not in compliance with the GDPR. The Court notes that a breach of the GDPR, in the form of lack of consent, can be used as a basis for assessing whether there is an abuse of a dominant market position. Compliance with the GDPR itself must nevertheless be ensured by the appropriate data protection authority. For Meta, this most likely means that Meta must look more closely at the legal basis for processing “off-Facebook data”, which cannot be hidden away in other terms and conditions for general use of Facebook functionality.
What is the state of the internet in Norway?
“The internet is here to stay,” said one of my colleagues the other day, before adding quickly: “And that’s probably also the case with AI”. A little chuckle is in order before the summer holidays. But what is the current state of the internet here in Norway? In June, the Norwegian Communications Authority (NKOM) published the annual report for the Internet in Norway 2023. We note that internet neutrality appears to be good in Norway and that this provides more equal conditions for providers of internet services. In addition, the penetration of IPv6 in Norway has increased to 36%, up from 24% last year.
GRETTE TECHNOLOGY AND DIGITALISATION: NEWSLETTER | BREAKFAST MEETING: We assist all types of businesses with assessments related to data protection/GDPR, IT contracts/projects, intellectual property law and other legal matters related to technology and digitalisation. Please feel free to contact us for an initial clarification with the head of Grette’s Technology and Digitalisation department: Peter Lenda on tel 924 01 652 or email@example.com. Previous IT-Gruks are available on Grette’s news pages (Norwegian only).