9 May 2024

Innovation Law Insights

Artificial Intelligence

Data Scraping and Generative AI: Dutch Data Protection Authority gives controversial perspective

The Dutch data protection authority has provided guidelines that are particularly pertinent for companies using data scraping to train generative AI systems. Here are the key takeaways:

  • Legitimate Interest: This is likely the only legal basis for data scraping, even if the data is publicly available and promptly removed after collection. The question is whether individuals currently have a legitimate expectation that their data will be scraped by AI and how to ensure that it’s the case.
  • New Processing Considerations: Data scraping is not a compatible purpose for further data collection and processing; it applies only to a new processing activity. This position is quite rigid and inconsistent with the first remark. A different legal basis will apply to existing data processing which might end up with an unfeasible option.
  • Commercial vs. Non-Commercial Interests: Purely commercial interests do not justify the use of legitimate interest as a legal basis. If scraping is for non-commercial purposes such as fraud prevention or improving security, it may be permissible. Companies process personal data for commercial purposes, and that could not be otherwise. We can prove that such interests are balanced with those of data subjects who might also benefit from that and that should be enough.
  • Ethical Implications: Before scraping, companies must consider the potential harms and whether individuals have reasonable expectations of their data being used in such a manner. The threshold to meet the reasonable expectation standard must be clearly set. Using solutions of legal design might enable a higher level of transparency and increase arguments maintaining the existence of such expectations.
  • Transparency and Data Management: Companies must be transparent about their data processing activities and strive to delete, pseudonymize, or anonymize data as soon as possible. Documenting the development process of the AI system and proving its compliance with the regulatory framework are crucial. They require collaboration between IT and legal departments of companies which we hopefully will see more and more in companies’ organizations.
  • Special Categories of Data: When dealing with special categories of data, it’s crucial to consider if the individual has actively made the data public. 📌 I wonder whether the regulatory framework is sufficiently mature to enable data scraping of special categories of data.

What is your view on the Dutch privacy authority's position on data scraping by AI systems? AI is the future; it requires the proper legal guardrails and documented processes to protect the interests of businesses and enable its fully compliant exploitation.

Author: Giulio Coraggio

 

Data Protection and Cybersecurity

The interpretation of data concerning health according to the ECJ Advocate General under the GDPR

The Court of Justice of the European Union (CJEU) published the Opinion of Advocate General Szpunar in case C-21/23 concerning the interpretation of data concerning health under the GDPR.

The case related to an online sales platform offering non-prescription medicines available only in pharmacies. The second question posed to the CJEU was whether customers' data transmitted during the purchase of non-prescription medicines on an online platform fall within the category of data concerning health under EU data protection law.

Advocate General analyses data concerning health under the GDPR

To answer this question, the Advocate General commenced his analysis by referring to Articles 4(15) and 9 of the GDPR and the relevant case law. At the heart of the Advocate General's argument is the assumption that data that allows conclusions to be drawn about an individual's state of health should be classified as data concerning health. But a significant challenge arises in the context of online purchases of non-prescription medicines. While the act of ordering such products online inherently involves the processing of data that may reveal health-related information, it cannot be definitively concluded that the purchaser is the end user of the medicine.

The Advocate General highlighted the possibility that online orders may be placed by individuals on behalf of others, without a direct link between the identity of the purchaser and the intended user of the medicine. In the absence of a prescription or explicit identification of the end user, any inference as to the state of health of the data subject becomes, at best, speculative.

Consequently, the Advocate General concluded that the data processed for online purchases of non-prescription medicines available only in pharmacies do not clearly fall within the category of data concerning health.

Extending the scope of data concerning health to include data from online purchases could paradoxically lead to greater privacy risks. The GDPR's strict requirements for the processing of sensitive data, including explicit consent, could inadvertently encourage purchasers to disclose the identity of the end user, exposing more health-related information.

What is the impact of the opinion?

The Advocate General's opinion provides valuable insights into the interpretation of the GDPR's provisions in the evolving landscape of online healthcare services.

It highlights the need to carefully consider the interpretation of data concerning health on a case-by-case basis, bearing in mind that there should be a degree of certainty as to the inferences that can be drawn about the health status of a data subject. In addition, the Advocate General highlighted the potential implications of broadening the scope of health data, which could lead to the identification of the actual end user to whom the online order relates.

Author: Roxana Smeria

 

Victim of a ransomware attack sanctioned by the Italian data protection authority

With three recent measures (web docs. no. 10002324, 10002533, 10002287), the Italian Data Protection Authority has sanctioned the Lazio Region, LAZIOcrea and ASL Roma 3 following the ransomware cyber-attack suffered in the summer of 2021, which led to the blockage of the Regional Health System.

The ransomware attack suffered by Lazio Region

The summer of 2021 was marked by a serious cybersecurity incident that affected the Lazio Region's healthcare system, with direct consequences on the availability of essential services and the management of the healthcare data of millions of citizens. During the night between 31 July and 1 August, a ransomware attack seriously compromised systems, causing a significant blockage of daily healthcare operations. This incident prompted a decisive response from the Italian Data Protection Authority, which imposed fines totalling EUR401,000 on several responsible entities.

The dynamics of the cyber attack

The malware, introduced via an employee's laptop, paralyzed numerous essential services: from managing medical bookings to collecting referrals and registering vaccinations. The blockade lasted from 48 hours up to several months for some functions, highlighting, according to the Italian privacy authority, significant gaps in the IT security managed by LAZIOcrea, the company in charge of regional information systems, and the Lazio region itself.

Violations and sanctions

The Italian Data Protection Authority, through in-depth investigations and inspections, found that both LAZIOcrea and the Lazio Region had committed serious violations of privacy legislation. These violations stemmed mainly from the use of outdated systems and the lack of adequate security measures to prevent and promptly detect personal data breaches.

In response, the Data Protection Authority issued fines totalling EUR401,000, distributed as follows:

  • EUR271,000 to LAZIOcrea for failure to take appropriate preventive and reactive measures.
  • EUR120,000 to the Lazio Region, which, as data controller, should have exercised more effective supervision over LAZIOcrea. This failure led to an inadequate response during the attack, with LAZIOcrea deciding to shut down all systems without knowing which were compromised or how to contain the spread of malware. This exacerbated the impact of the attack, prolonging the unavailability of essential healthcare services.
  • EUR10,000 to ASL Roma 3, for failing to notify the data breach in the context of the crisis.

Final reflections

By imposing the sanctions, the Italian Data Protection Authority confirmed its stance on the importance of proactive and responsible management of information systems, particularly when dealing with sensitive data such as health data.

Author: Matteo Antonelli

 

Intellectual Property

Navigating the intersection of social media and design law

The convergence of social media and intellectual property landscapes has been thrust into the spotlight by a recent verdict from the EU General Court sending ripples of concern throughout the fashion sector and highlighting the critical role of timing and celebrity sway in patent disputes.

It's common practice for companies to use the promotional power of celebrities and influencers on social media. These collaborations often involve celebrities contributing to the design process of specific products or even taking on roles in a brand's creative direction.

The case in question highlights the influence of social media on patent law and features music, makeup and fashion icon Rihanna and a leading global sportswear company. Rihanna's Instagram posts turned out to be the final straw for the company’s Registered Community Design (RCD) No. 3320555-0002 (also known as the "contested RCD").

Before the ruling, the sportswear company filed an application on 26 July 2016, seeking to register a community design for a trainer falling under class 02-04 of the Locarno Agreement. Handelsmaatschappij J. Van Hilst BV contested this, applying to the EUIPO for a declaration of invalidity based on Article 25(1)(b) of Regulation No 6/2002. They presented posts from Rihanna's Instagram dated 16 and 17 December 2014, showing her wearing similar shoes.

On 19 March 2021, the Invalidity Division granted the declaration of invalidity. The sportswear company appealed this decision on 21 April 2021. The General Court, in its decision, divided the analysis into two parts, corresponding to the pleas on which the company based its appeal. First, it addressed the inadmissibility of the application for a declaration of invalidity. Then, it tackled the breach of Article 7(1) of Regulation 6/2002.

While seemingly straightforward, this case raises intriguing questions. One such query revolves around the extent of disclosure required to invalidate an RCD. The General Court implied that complete disclosure to specialized circles in the relevant sector is necessary, aligning with existing case law, which requires the comparison of the overall impression produced by the RCD and earlier designs under art. 6(1) CDR to be made in the light of the overall appearance of each of those designs. It’s not permissible to take individual features of several designs, combine them and compare that combination with the contested RCD. So it’s for the invalidity applicant to identify and reproduce precisely and entirely the design that is allegedly earlier to demonstrate that the contested design cannot be validly registered.

Given that the entire earlier design must have been disclosed, the next question is whether the General Court was justified to make assumptions on what the non-visible parts of the earlier design looked like. In the same decision, the General Court held that the disclosure of an earlier design cannot be proved by means of assumptions. There is no apparent reason not to apply it to the disclosure of parts of the earlier design (cf. CJEU, Easy Sanitary Solutions v Group Nivelles and EUIPO, cases C-361/15 P and C-405/15 P, para. 65).

The General Court merely assumed that the non-visible part of the left shoe shares the same features as the visible parts and that shoes are manufactured to constitute a pair of uniform shoes. Although reasonable, such assumptions potentially reverse the burden of proof. As mentioned above, it’s for the invalidity applicant to identify and reproduce precisely and entirely the earlier design.

Finally, the question arises whether the General Court was entitled to make a finding of fact assuming the appearance of the back of the left shoe without referring to the findings of the Board of Appeal.

The purpose of an appeal to the General Court is to review the legality of the decisions of the BoA. That review must be done based on the factual and legal context of the dispute as it was brought before the BoA (settled case law, e.g. T-724/17, para. 21). Neither the parties (see Article 188 of the Rules of Procedure of the Court of First Instance) nor the Court can go beyond this factual and legal context (T-36/17, para. 18). Therefore, if the BoA did not establish what the back of the left shoe looked like (not even by making an assumption), it seems to be contrary to the principle for the Court to make such a finding for the first time.

From a practical standpoint, this case underscores the importance of timely design filings and vigilance regarding celebrity endorsements on social media. It also highlights the evolving landscape of patent law in response to the digital era's challenges.

This design dispute serves as a wake-up call for brands navigating the realm of social media influence and digital innovation. As Rihanna's Instagram post reshapes design law's landscape, brands must adapt with foresight and vigilance to thrive in this digital age.

Author: Maria Vittoria Pessina

 

Technology Media and Telecommunication

The latest amendments to the Italian Consumer Code on contracts concluded by telephone and service contracts with tacit renewal

Law No. 214 of 30 December 2023 made two significant amendments to the Italian Consumer Code (Law No. 206 of 6 September 2005) that affect contracts concluded by phone and the tacit renewal of service contracts.

Para. 6 of Article 51 provides that when a distance contract is concluded by phone, the trader must confirm the offer to the consumer, who will be bound only after they’ve signed the offer or after they’ve accepted the offer in writing. In such cases, the document can be signed with an electronic signature within the meaning of Article 21 of Legislative Decree No. 82 of 7 March 2005, as amended. The confirmations may also be made on a durable medium, but “the consent shall not be considered valid if the consumer has not previously confirmed receipt of the document containing all the contractual terms and conditions, transmitted on paper or another durable medium which is available and accessible.”

Despite the principle of freedom of the contract’s form derived from Article 1325 No. 4 of the Italian Civil Code, the provision clarifies that the contract must be in writing where the phone is used as the medium to negotiate. The phone conversation is only useful for obtaining the consumer’s consent to an offer, which must then be confirmed by sending a copy signed by the consumer or a written declaration of acceptance. This confirmation can take place on a durable medium, such as the exchange of emails, with digitized documents. The addition of the last sentence strengthens the protection of the consumer, since their consent to confirmations on durable means cannot be considered valid until they’ve confirmed the receipt of the contractual document: in other words, the signature will no longer be the only condition for the validity of the contract.

Furthermore, Article 65-bis was added. It states that in service contracts concluded for a fixed term with an automatic renewal clause, the trader must notify the consumer of the date by which they can send formal notice of termination. The notice must be sent in writing, by text message or other telematic means indicated by the consumer, and a failure to do so will enable the consumer to withdraw from the contract at any time without charge, until the subsequent expiry of the contract.

This provision also aims to evaluate consumer protection and it’s intended as a supplement to the professional’s obligation to inform the consumer of the contract’s duration and of any automatic renewal before signing it. The legislator provides that the written form must also be used for notice concerning cancellation and give the consumer a choice of how they would like to communicate with the service provider.

Author: Alessandra Faranda


Innovation Law Insights is compiled by the professionals at the law firm DLA Piper under the coordination of Arianna Angilletta, Matteo Antonelli, Edoardo Bardelli, Carolina Battistella, Carlotta Busani, Giorgia Carneri, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Enila Elezi, Alessandra Faranda, Nadia Feola, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Deborah Paracchini, Maria Vittoria Pessina, Tommaso Ricci, Miriam Romeo, Rebecca Rossi, Roxana Smeria, Massimiliano Tiberio, Giulia Zappaterra.

Articles concerning Telecommunications are curated by Massimo D’Andrea, Flaminia Perna and Matilde Losa.

For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta, Ginevra Righini.

If you no longer wish to receive Innovation Law Insights or would like to subscribe, please email Silvia Molignani.
