New Technologies

AI Act: New scenarios in the regulation of artificial intelligence

The AI Act, the European Regulation on Artificial Intelligence, was approved by the European Parliament on June 14 and will be submitted for consideration by EU countries in the Council, with the aim of becoming law by the end of 2023. The proposed AI Act takes a risk-based approach and provides for penalties of up to €30,000,000 or up to 6 percent of the previous year's total annual worldwide turnover in the event of infringement.

The proposed EU Regulation on Artificial Intelligence aims to create a reliable legal framework for AI, based on the EU's fundamental values and rights, with the goal of ensuring the safe use of AI and preventing risks and negative consequences for people and society.

The proposal establishes harmonized rules for the development, marketing, and use of AI systems in the EU through a risk-based approach, with different compliance obligations depending on the level of risk (low, medium, or high) that software and applications may pose to people's fundamental rights: the higher the risk, the greater the compliance requirements and responsibilities of developers.

In particular, the AI Act proposes a fundamental distinction between:

- "Prohibited Artificial Intelligence Practices", which create an unacceptable risk, for example through the violation of EU fundamental rights. This includes systems that:

  o use subliminal techniques that act without a person's knowledge, or that exploit physical or mental vulnerabilities, and are liable to cause physical or psychological harm;

  o are used by public authorities for social scoring, real-time remote biometric identification in public spaces, predictive policing based on indiscriminate data collection, or facial recognition, unless there is a specific need or judicial authorization.

- "High-Risk AI Systems", which pose a high risk to the health, safety or fundamental rights of individuals, such as systems that enable biometric identification and categorization of individuals, determine access to educational and vocational training institutions, score admission tests or conduct personnel selection activities, are used in political elections, etc. The placing on the market and use of systems of this type is therefore not prohibited but requires compliance with specific requirements and the performance of prior conformity assessments.

In particular, these systems must comply with a number of specific rules, including:

- Establishment and maintenance of a risk management system: it is mandatory to establish and maintain an active risk management system for AI systems.

- Quality criteria for data and models: AI systems must be developed according to specific qualitative criteria for the data used and the models implemented, to ensure the reliability and accuracy of the results produced.

- Documentation of development and operation: adequate documentation of the development of a given AI system and of its operation is required, including the system's compliance with applicable regulations.

- Transparency to users: it is mandatory to provide users with clear and understandable information on how AI systems work, making them aware of how data are used and how results are generated.

- Human oversight: AI systems must be designed so that they can be supervised by human beings.

- Accuracy, robustness and cybersecurity: it is imperative to ensure that AI systems are reliable, accurate and secure. This includes taking steps to prevent errors or malfunctions that could cause harm or undesirable outcomes.

In some cases, conformity assessment can be carried out independently by the manufacturer of AI systems, while in other cases it may be necessary to involve an external conformity assessment body.

- "Limited Risk AI Systems", which do not pose significant risks and for which there are general requirements for information and transparency towards the user. For example, systems that interact with humans (e.g., virtual assistants), that are used to detect emotions, or that generate or manipulate content (e.g., ChatGPT) must adequately disclose the use of automated systems, including for the purpose of enabling informed choices or opting out of certain solutions.

The Regulation is structured in a flexible way so that it can be applied or adapted to different cases that may arise as a result of technological developments. The Regulation also takes into account and ensures the application of complementary rules, such as those on data protection, consumer protection and the Internet of Things (IoT).

The Regulation provides for fines of up to 30 million euros or up to 6 percent of the total annual worldwide turnover of the preceding year in case of violation.

As mentioned above, the text approved by the European Parliament will be submitted to the Council for consideration, with the aim of being adopted by the end of 2023. If so, it will be the first legislation in the world to address in such a comprehensive and detailed manner the potential issues arising from placing AI systems on the market.

We will provide updates on future regulatory developments.

For details and information, please contact David Ottolenghi of Clovers.


How to "transform" a Company into an "innovative start-up" under Italian Law.


Under Italian law, an innovative start-up is a company whose exclusive or predominant corporate purpose is the development, production and marketing of innovative products or services with high technological value. The Italian system sets forth certain requirements and grants certain concrete benefits connected to this particular type of company.

However, not everyone knows that it is possible for those who have already set up a company to transform it into an innovative start-up and to benefit from its advantages.

"Transformation" is possible provided that certain requirements are met.

The conversion into an Innovative Start Up does not constitute a real corporate transformation and it is therefore not necessary to follow the complex and costly procedure set forth for this specific extraordinary operation (notary fees, advertising requirements, etc.).

However, it is essential to verify compliance with certain requirements and to proceed with the preliminary verification of all phases of the "transformation" process.

Verification of the corporate purpose

The first requirement to be verified is related to the corporate purpose of the existing company, as it is necessary to evaluate the possible modification of the same before finalizing the change. The regulations in force provide, in fact, as a requirement for innovative start-ups, to have "as exclusive or prevalent corporate purpose, the development, production and marketing of innovative products or services with high technological value".

This analysis is particularly delicate but, if carried out carefully, it makes it possible to save the costs connected to the notarial deed amending the corporate purpose.

General requirements and term for the "transformation"

At the same time, the company must proceed with the transformation no later than 5 years (60 months) from the date of incorporation and must meet the requirements ordinarily applying to innovative start-ups (e.g. not distributing or having distributed profits), while at the same time undertaking not to exceed 5 million in annual turnover and to continue not to distribute profits for the entire period during which it maintains this corporate form.

There are three further requirements under current legislation:

  • compliance with a predetermined percentage of research and development expenditure;

  • two thirds of employees holding a master's degree;

  • the company is the owner or licensee of a patent or intellectual property right.

However, it is sufficient that only one of these is met in order to proceed with the change of status to an innovative start-up.

The procedure

The transformation process does not require any particular bureaucratic formalities and is entirely telematic, although assistance from a professional with adequate regulatory experience is obviously advisable.

In fact, the first step consists in the electronic compilation by the company's legal representative of the innovative startup self-declaration model. Once the form has been filled in, in order to register the company in the special section of the Register of Companies, the form must be digitally signed and sent electronically together with the Single Communication to the Register of Companies.

It should be remembered that this declaration must be renewed periodically by filing it within 30 days of the approval of each financial statement and in any case within six months of the end of each financial year in order to certify the permanence of the legal requirements.

With regard to the Single Communication, in the "VARIATION" section, a large number of data must be entered relating, for example, to the activity carried out, the corporate purpose and research activities, and this information must also be updated promptly in the event of changes.

Finally, it should be noted that, for the purposes of registration in the special section of the Register of Companies, innovative start-ups are automatically considered to be registered in the special section of the Register of Companies following the completion and submission of the application in electronic format.

Smart Contract and Blockchain: what they are, how they work and their compliance with GDPR.


According to the definition of art. 1321 of the Civil Code, a contract is "the agreement between two or more parties to establish, modify or terminate a legal asset relationship". A smart contract is instead a "piece of code" - a software - that executes an agreement between its parties if certain conditions are met.

On the basis of these simple definitions it is easy to note that while contracts in the legal sense of the term require the parties to play an active role - i.e. the performance of specific actions for the fulfilment of obligations - smart contracts are "self-executing" because, once the conditions are met, the outcome of the desired transaction is automatically obtained on the basis of the terms incorporated in the code. It is therefore possible to see that in a smart contract - unlike what might happen in a legal contract - a delay or failure to fulfil obligations is technically impossible.

On the basis of these considerations it can be argued that in a smart contract it is not necessary that there is a prior trust between the parties and that there is a third party who is entrusted with the power to coercively impose performance in the event of a breach. All this is possible because the trust component - at the heart of the legal contract - is replaced by the implicit transparency of the Blockchain infrastructure on which the smart contracts are placed and operate.

Blockchain: transparency and lack of authority

The Blockchain can be defined as a set of blocks linked together in an immutable way and that record information using a cryptographic system. This infrastructure allows parties with no previous contractual (and therefore trusted) relationships to carry out transactions securely and without the supervision or control of a centralized authority.

The development of blockchain technology has contributed to the spread of smart contracts by enhancing some of their fundamental characteristics.

Being stored in a public, distributed system, transactions that take place on the Blockchain can be verified and validated by all participants in the network. It follows that the security of the system is greatly increased, since any change, alteration or deletion of a transaction would have to be replicated in every distributed copy of the register. Therefore, smart contracts implemented on the Blockchain are virtually unchangeable and are not subject to any external interference.

These mechanisms also allow unknown parties to carry out transactions without the need for a trusted third party on which network participants should otherwise rely to perform and enforce mutual obligations. The lack of a centralized third party also leads to a reduction in transaction costs, as no fees are retained by any intermediary (e.g. financial institutions).

Using smart contracts implemented on blockchain is now a reality in many sectors, including financial and insurance markets, real estate, commercial agreements and copyright management.

Leases could also benefit from blockchain technology: the lessor could provide the lessee with a digital key to be delivered in exchange for an electronic payment. The operation would be considered extraordinarily secure because the transaction is carried out only if both the electronic key and the payment are actually made available (as verified by hundreds of participants in the blockchain system).

Oracle: bridge between virtual and real

In most cases, the execution of smart contracts is activated through the reception of information collected from institutional sources located in the real world and which is entered into the Blockchain system through a "bridge" - called oracle.

An oracle is a component that connects what is on the chain of blocks with what is outside it, acting as a bridge between off-chain and on-chain events. The external data used by an oracle can derive both from events in the "real" world (for example, tracking a shipment) and from the digital environment (stock market data and other public indexes).

To understand how an oracle works, it is interesting to analyze the use of smart contracts in the insurance market. A policy designed to ensure coverage of losses resulting from earthquakes could benefit from a smart contract component. In this situation, the oracle would have the function of retrieving relevant information in the real world - for example, the seismic magnitude value directly from official government sources - and feeding it into the Blockchain. In this way, the amount of compensation to be paid to the insured could be determined automatically without the need for any documentation to be produced by the insured. This mechanism is also suitable for reproduction in other contexts, such as insurance for delayed or cancelled flights.
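The earthquake policy described above, together with the hash-linked ledger described in the Blockchain section, as an added Python illustration that is not part of the original article: the ledger, the policy terms, the region and the "seismic feed" label are all constructed, and the code shows both that the payout follows automatically from the oracle's reading and that a later edit to a recorded reading is detectable by anyone re-checking the chain.

```python
import hashlib
import json

# Added illustration (not from the original article): a hash-linked ledger
# and a parametric earthquake policy whose payout is triggered by an oracle.
# Names, thresholds, amounts and the feed label below are constructed.

GENESIS_PREV = "0" * 64


def block_hash(index, prev_hash, payload):
    """Hash of a block covers its position, the previous hash and its content."""
    data = json.dumps({"index": index, "prev": prev_hash, "payload": payload},
                      sort_keys=True)
    return hashlib.sha256(data.encode()).hexdigest()


class Ledger:
    """Append-only chain of blocks; every participant can re-run verify()."""

    def __init__(self):
        self.blocks = []

    def append(self, payload):
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS_PREV
        index = len(self.blocks)
        block = {"index": index, "prev": prev, "payload": payload,
                 "hash": block_hash(index, prev, payload)}
        self.blocks.append(block)
        return block["hash"]

    def verify(self):
        """True only if every block's hash and back-link are still intact."""
        prev = GENESIS_PREV
        for b in self.blocks:
            if b["prev"] != prev or block_hash(b["index"], prev, b["payload"]) != b["hash"]:
                return False
            prev = b["hash"]
        return True


class QuakePolicy:
    """Self-executing policy: terms are fixed in code, the oracle only supplies data."""

    def __init__(self, ledger, insured, region, threshold, payout):
        self.ledger, self.insured, self.region = ledger, insured, region
        self.threshold, self.payout, self.paid = threshold, payout, False
        ledger.append({"type": "policy", "insured": insured, "region": region,
                       "threshold": threshold, "payout": payout})

    def oracle_report(self, region, magnitude, source):
        """The oracle pushes an off-chain reading on-chain; the contract decides."""
        self.ledger.append({"type": "oracle", "region": region,
                            "magnitude": magnitude, "source": source})
        if region == self.region and magnitude >= self.threshold and not self.paid:
            self.paid = True  # pays at most once, with no claim form from the insured
            self.ledger.append({"type": "payout", "to": self.insured,
                                "amount": self.payout})
            return self.payout
        return 0


def run_scenario():
    ledger = Ledger()
    policy = QuakePolicy(ledger, "insured-A", "region-X", threshold=6.0, payout=10_000)
    minor = policy.oracle_report("region-X", 4.8, "constructed-seismic-feed")
    major = policy.oracle_report("region-X", 6.3, "constructed-seismic-feed")
    repeat = policy.oracle_report("region-X", 6.9, "constructed-seismic-feed")
    intact = ledger.verify()
    # A participant who silently rewrites a recorded reading breaks the chain.
    ledger.blocks[1]["payload"]["magnitude"] = 7.5
    return {"minor": minor, "major": major, "repeat": repeat,
            "intact_before": intact, "intact_after_tamper": ledger.verify()}


if __name__ == "__main__":
    print(run_scenario())
```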

Blockchain, Smart Contract and GDPR

All data entered into the Blockchain are pseudonymized (i.e., capable of revealing the identity of users through a re-identification process) and therefore fall within the scope of recital 26 of the GDPR, which requires the application of the European Regulation to all information relating to identifiable persons.

Despite the provisions of the regulation, it is easy to see that the effective application of the GDPR provisions to the Blockchain infrastructure raises a number of issues.

One of the main aspects of the Blockchain is the lack of a centralized authority: each participant has the ability to create, verify and access the public register of transactions and all relevant data. In a decentralised context such as that of the Blockchain, it is therefore impossible to define the roles of data controller and data processor (key figures in European legislation).

It should also be noted that the data entered in the Blockchain are by nature immutable, while the GDPR assumes that any data can be modified or deleted at the request of the data subject, when they want to exercise the right to rectification of information or the right to be forgotten, under Articles 16 and 17.

Not even the principle of data minimization can be easily applied to the blockchain system: the records in fact include data from all previous transactions that are constantly expanding and are stored in the devices of all participants in the network. This is in open contrast to the provisions of the GDPR that provide that personal data are processed only when necessary for specific purposes previously identified.

Cars, Sneakers and Social Media: Ferrari vs. Philipp Plein


The origin of the lawsuit between Ferrari and Philipp Plein dates back to August 2019, after the publication of some posts on Plein's personal Instagram profile.

Specifically, the German designer published some pictures and videos showing one of his Ferraris with a pair of sneakers (the "Moneybeast" model, on sale for almost €5000) resting on the trunk of the car.

Only a few days after such publication, Ferrari's lawyers warned Plein, inviting him to remove the above-mentioned content within a 48-hour term, as it constituted illicit use of Ferrari's trademark.

Ferrari therefore accused Philipp Plein of having exploited the notoriety of Ferrari's brand to advertise his products and to confuse consumers, leading them to assume the existence of a partnership between Ferrari and Plein's brand in relation to that specific model of shoes.

Ferrari also believed that the posts published by Plein were offensive, since they also “objectified” the female bodies of the models included in the pictures. Therefore, the posts were considered not in line with the values promoted by Ferrari, which did not intend to be associated with such type of content.

In response, Plein approached Ferrari's CEO directly, stating that he was a dissatisfied customer and that he did not intend to proceed with the removal of the posts.

The Court of Milan was called to rule on the matter and, in June 2020, ordered Philipp Plein to delete all the posts in which the Ferrari trademark had been unlawfully represented and to pay €300,000 as compensation for damages.

In order to make a conscious use of social networks, every user must be aware that a picture posted online could constitute an infringement of the intellectual property rights of third parties.

While this concept should be familiar to every user, influencers and public figures with a significant social media following should be required to pay specific attention to these issues when posting content that depicts trademarks or other IP-protected contents without the express permission of the owner.

Philipp Plein's personal Instagram profile has more than 2 million followers. As such, the posts violating the Ferrari trademark were potentially able to reach a huge number of users.

The assessment of an infringement of third parties’ trademarks in connection with posts published on social media is based on whether such publication has a commercial or advertising purpose.

The Court of Milan held that the Instagram posts published by Plein had a clear commercial purpose (despite the fact that the pictures had been posted on the designer's personal profile and showed a car owned by him) and that Plein's products would be perceived as more exclusive and desirable thanks to the connection with the Ferrari brand.

Cloud Computing: infrastructure features and legal profiles.


The European Network and Information Security Agency (ENISA) defines Cloud Computing as the infrastructure that a Provider makes available to the user to enable him/her to access resources, spaces, software or development environments accessible through remote servers owned by third parties.

In terms of volume, the Cloud Computing market is growing significantly every year. In Italy alone, estimated sales for cloud computing in 2020 exceeded 2.5 billion euros.

The success of Cloud technology is due to the flexibility of a system that does not require complex configurations and substantially simplifies the management and use of company resources without requiring major economic investments.

Types of Cloud Computing

There are 3 different types of Cloud structures:

  • Infrastructure as a Service (IaaS): this is the hardware infrastructure that is the basis of every Cloud system. The provider provides the user with hardware without the user having to manage it. An example of IaaS is the storage space made available by the provider.

  • Platform as a Service (PaaS): these are conceived as "bridge" platforms between an IaaS structure and a SaaS structure, in which the Provider makes the structure available but it is up to the user to install and implement the software. This type of Cloud is normally aimed at developers who use the PaaS to exploit specific automation features and avoid having to write ad hoc code.

  • Software as a Service (SaaS): this is the most widely used Cloud structure and offers a service that is easily accessible even to non-professionals. The end user, in fact, does not need any technical expertise and can use the services provided by the Provider through any device. A Provider that offers a SaaS service via the web provides users with a series of application services that can be directly used by end customers.

Examples of SaaS infrastructures are systems that allow the use of spreadsheets via the web, or applications that allow e-commerce forms to be added to websites that originally did not provide for them.

Cloud Computing Models

  • Private Cloud Computing: this is a Cloud structure that is created by the Provider to meet the specific needs of individual customers and is intended for their exclusive use. Large companies sometimes opt for a private Cloud model in order to maintain greater control over their data: in the internal Cloud, in fact, the data stored remain within organizational structures over which the user has full and exclusive control. By adopting this system, personal and sensitive data are processed directly within the organization itself. In the Private Cloud system it is possible to negotiate the contract that governs the relationship between the company using the service and the Provider.

  • Hybrid Cloud Computing: this is the model often used by public administrations and represents a middle way between Private Cloud Computing and Public Cloud Computing. Using a hybrid Cloud model allows the user to delegate to a public Cloud system the services or applications that involve the processing of non-sensitive data, while certain processes involving sensitive data and requiring enhanced security measures remain managed solely within the organization.

  • Public Cloud Computing: this is the infrastructure owned by the Cloud Provider whose use is not dedicated to a single user but to a multiplicity of indeterminate users. In Public Cloud Computing there is no possibility of negotiating the terms and conditions of use, because the service is offered "as is". In fact, the user gains access to the service by adhering to a standardized contract prepared unilaterally by the Provider.

Cloud Contracts as atypical agreements

Cloud contracts do not have a structure of their own, but can be defined using two different typical negotiating schemes: the service contract and the license agreement.

  • Service contract: the obligation on the part of the contractor is to provide a service for a specific consideration. If a SaaS system is taken into account, it is easy to see that its main characteristic is precisely that it makes an IT structure external to the private or corporate IT structure accessible and allows the user to use software services managed by third parties. It therefore seems simple to trace a contract with a SaaS Provider back to the case provided for by art. 1665 of the Civil Code.

  • License agreement: a legal instrument that allows the use of a product (software) and establishes the manner of use of the product itself through the imposition of constraints and limits on the user.

Since Cloud contracts share characteristics of both the license agreement and the service contract, it did not seem appropriate to opt drastically for one or the other solution; it seems more appropriate to configure the Cloud contract as an atypical contract. In addition to the general conditions of service, Cloud contracts require some specific documentation, such as the Service Level Agreement and the Service Level Objective.

The Service Level Agreement is a specific document that contains the reference parameters for the provision of the Cloud Provider's service and for monitoring the level of quality of the service actually provided.

The Service Level Objective, on the other hand, is the document in which the parameters for measuring the performance of the provider are agreed in order to limit the emergence of disputes between the two parties on the quality and quantity of the service provided.

Cloud Provider and GDPR: how to choose a Cloud Provider

The European Data Protection Regulation (2016/679) provides that where processing is to be carried out on behalf of the data controller, the controller must only use processors offering sufficient guarantees to implement all appropriate technical and organisational measures which meet the requirements of the Regulation and ensure the protection of the data subject's rights.

It would therefore be good practice for the data controller, before signing the contract with the Cloud Provider, to verify the latter's adherence to a code of conduct referred to in Article 40 GDPR or other certification mechanism.

Adherence to a code of conduct can in fact be assessed as a guarantee of the Provider's sufficient reliability. For example, CISPE (Cloud Infrastructure Services Providers in Europe) is a coalition of more than 20 Cloud Infrastructure Providers operating in the territory of the Member States, and its code of conduct ensures compliance with the GDPR and best security practices in data processing.

In addition to adhering to a code of conduct, before signing a contract with the Cloud Provider it is important to ensure that the Cloud Provider guarantees:

  • Data portability, i.e. the transfer of data from one Provider to another in case of need (e.g. in the event that the Provider inserts a unilateral, detrimental change to the service conditions in the T&C and the customer wants to withdraw from the contract);

  • The adoption of data encryption tools or the pseudonymisation of data;

  • The storage and processing of data within the EU, as it is always preferable to rely on providers that process data within the European Union or in countries for which an adequacy decision has been made.