Add a bookmark to get started

14 February 20237 minute read

Brussels IP and Tech Update – February 2023

In this first edition of our IP and Tech Update in 2023, we bring you news on the new EU rules on digital operational resilience in the EU financial sector (DORA). The rules were adopted on 16 January 2023. We also look at the modernised cybersecurity requirements (NIS 2), which entered into force.

We highlight changes to Belgian law that affect the audio-visual sector and the proposal for amending the Design Directive (98/71/EC).

We also discuss the latest CJEU decision regarding the GDPR’s right of access, the Irish DPA’s decisions for Meta on the legal basis under the GDPR for providing personal advertisements and a recent judgment of the Belgian Constitutional Court on the possibility for interested third parties to bring an appeal against a decision of the Belgian Data Protection Authority.

And we share with you the publication of the Belgian DPA regarding their participation in the first annual coordinated action of the EDPB regarding public cloud use by the public sector.

To conclude, we’re also happy to announce that our 2023 GDPR Fines and Data Breach Survey has been published.


Featured insights

NIS 2 Directive on modernised cybersecurity rules across the EU entered into force

The revision of the NIS Directive was published in the Official Journal of the European Union on 27 December 2022 in the form of Directive (EU) 2022/2555 and entered into force on 16 January 2023. The new rules have an extended scope to new sectors and entities, impose responsibility on management bodies to approve measures to manage cybersecurity risks and include strengthened incident notification obligations. The Member States’ implementing rules of the NIS 2 Directive will apply from 18 October 2024. See our blogpost here for a high-level summary of the key changes brought about by this Directive.

New DORA rules for harmonised digital operational resilience in the EU financial sector entered into force

On 16 January 2023, the new EU regulation on digital operational resilience for the financial sector (DORA) entered into force. DORA aims to establish a harmonized and streamlined digital operational resilience framework across the EU financial sector. It will also establish a new oversight framework for critical ICT third-party service providers that provide ICT services to financial entities. In-scope entities have until 25 January 2025 to prepare for the start of DORA’s application. Find a summary of key requirements here.

Amended scope of the copyright tax regime

Despite fierce opposition from the sectors involved – especially the IT sector – and political ping-pong in the media, the Programme Act (which, among other things, describes the reform of the copyright tax regime) was published in the Belgian Official Gazette on 30 December 2022. Following a political compromise, the tax regime for copyright transfer will be (thoroughly) changed, with a limitation regarding the personal and material scope. In a blogpost prepared in collaboration with our tax team, read update on the reform here.

Changes in the Belgian audio-visual sector

On 14 November 2018, the European Parliament adopted Directive 2018/1808 amending the AVMS Directive (2010/13/EU) on the coordination of certain provisions concerning audio-visual media services in view of changing market realities. On 17 April 2019, the European Parliament adopted Directive 2019/790 on copyright and related rights in the Digital Single Market. The implementation of these directives in Belgian law has shaken up the Belgian audio-visual sector by introducing major changes. Belgian entities subject to these rules will have to review their practices and modify their contracts to meet the new laws. This blogpost outlines some of those major changes in the Belgian audio-visual sector.

Proposals for amending Directive 98/71/EC and Regulation 6/2002 on the legal protection of designs

In light of the EU Action Plan for IP aiming towards a green IP, the Commission will modernise the legislation on design protection to make it more accessible and better support the transition to the digital and green economy. The Commission has published its proposals for amending the Design Directive and the Design Regulation on 28 November 2022.

One of the main features of these proposals is to introduce a repair clause. If these proposals are adopted, there will no longer be design protection available for component parts of a complex product for the purpose of repair of that complex product so as to restore its original appearance.

CJEU decision on the right of access to individual recipients of personal data

On 12 January 2023, the European Court of Justice delivered its judgment on the right of access to personal data under Article 15 GDPR. The CJEU held that when exercising their right of access under the GDPR, data subjects must be provided with the individual data recipients of their personal data. The CJEU decision has wide implications for data controllers and is likely to present significant challenges when answering DSARs. Read our blogpost here.

Ireland’s Data Protection Commission (DPC) fines Meta EUR390 million after its legal basis for targeted ads found to breach GDPR

In two interesting decisions of the Irish DPC of 4 January 2023, Meta has been fined eye-catching figure in relation to its Facebook and Instagram platforms. In addition to posing challenges for Meta’s business model, the DPC decisions reflect growing disagreement across EU Data Protection Authorities regarding the use of “contractual necessity” as a legal basis under the GDPR for providing personal advertisements and the legal authority of the European Data Protection Board to order DPAs to bring new investigations. The DLA Piper data protection team has set out the key facts related to these cases and an outline of our initial takeaways here.

Constitutional Court rules that third parties should be able to appeal DPA decisions

Following a reference for a preliminary ruling by the Belgian Council of State, the Belgian Constitutional Court ruled that an interested third party should be able to bring an appeal against a decision of the Litigation Chamber. As the Act on the establishment of the Data Protection Authority of 3 December 2017 does not foresee this possibility, it is considered unconstitutional. Read our blogpost here.

Use of cloud-based services by the public sector – EDPB report and comments of the Belgian DPA

The EDPB has published a report on the conclusions of its first annual coordinated action focused on public cloud use. The report proposes a set of recommendations for controllers using cloud services. The Belgian DPA participated in this coordinated action and provided comments at the national level. You can find the publication here.


Valuable resources

DLA Piper GDPR fines and data breach survey

Our latest edition of the annual GDPR Fines and Data Breach Survey reveals a number of interesting trends, including that supervisory authorities across Europe have issued a total of EUR2.92 billion in fines since 28 January 2022, more than double the aggregate value of fines issued in 2021. You can download the report here.


We’d like to hear from you

Do you have an intellectual property, technology or data protection related question or a topic you’d like us to address in this IP and Tech Update series? Please email us and we’d be more than happy to look into it.