Agefi Luxembourg - January 2025
Tech & Data Law: 5 trends for 2025

By Vincent WELLENS & Ottavio COVOLO, avocats à la Cour, NautaDutilh Avocats Luxembourg S.à r.l.

The year 2024 was notably significant for advancements in the regulation of technology and data. We believe that the key trends in this area of the law for 2025 will build upon those regulatory initiatives with the aim of providing further legal certainty, especially in light of the industry responses (and push-back) seen in certain fields.

#1 Regulating AI

The year 2024 was marked by the continuing growth and integration of AI systems, and more specifically generative AI tools, by businesses and individuals alike. 2025 will see the first sections of Regulation (EU) 2024/1689 (the "AI Act") entering into application on 2 February 2025. As a reminder, the AI Act aims at regulating the use and development of AI through a "risk-based approach". AI systems are categorised as presenting a "limited risk", a "high risk" or an "unacceptable risk" to fundamental rights, democracy and the rule of law. According to the level of risk, AI systems must comply with appropriate obligations such as carrying out mandatory fundamental rights impact assessments, creating a robust cybersecurity framework or implementing human oversight.

The first wave of applicable provisions concerns the prohibition of certain AI systems which, due to their inherent risk, can be neither released nor deployed onto the European market. Such AI systems are listed in art. 5 of the AI Act, under the reservation that other EU law texts may set out further prohibitions.
Prohibited AI practices include "subliminal techniques beyond a person's consciousness or purposefully manipulative or deceptive techniques, with the objective, or the effect of materially distorting the behaviour of a person or a group of persons by appreciably impairing their ability to make an informed decision", which may cover certain forms of dark patterns, or even "AI systems to infer emotions of a natural person in the areas of workplace and education institutions, except where the use of the AI system is intended to be put in place or into the market for medical or safety reasons", which would in any case be precluded under the existing privacy framework concerning the surveillance of employees in the workplace.

In addition, an often overlooked provision, also entering into application on 2 February 2025, is the general requirement (art. 4 of the AI Act) for both providers and deployers of AI to take measures ensuring "AI literacy", defined as skills, knowledge and understanding that allow providers, deployers and affected persons (i.e., any end-user of the AI, including both internal staff and external end-users) "to make an informed deployment of AI systems, as well as to gain awareness about the opportunities and risks of AI and possible harm it can cause". In practice, entities are expected to implement mandatory training on AI, although there is still some uncertainty about the exact scope of such training (in terms of level of detail, or tailoring to the AI systems in use rather than to AI in general, for instance) and whether this also means making resources available to external end-users of the AI deployed by the entity (e.g., users of an AI-powered customer support chatbot).

The second wave of requirements under the AI Act will enter into application on 2 August 2025, concerning the notifying authorities and notified bodies, the governance of supervisory authorities and the penalties, and general-purpose AI models ("GPAI").
Due to the rapid developments in the field of GPAI, the AI Act introduces a two-tiered approach, namely GPAI with or without "systemic risk". The categorisation depends on the amount of computation used to train the model, measured in floating-point operations ("FLOPs", a count of arithmetic operations rather than a measure of speed): a GPAI model is presumed to present a systemic risk where its cumulative training compute exceeds 10^25 FLOPs, and the Commission may also designate models on the basis of other criteria. While all providers of GPAI models will have to comply with transparency obligations, such as providing technical documentation, providing a sufficiently detailed summary of the content used for training and complying with EU copyright law, providers of GPAI models with "systemic risk" will have to comply with additional requirements, such as performing model evaluations, assessing and mitigating systemic risks, implementing appropriate cybersecurity measures and reporting serious incidents, together with documentation of the model's energy consumption.

The main impact of the AI Act will be on AI systems classified as "high-risk", which trigger a significant number of documentation and assessment obligations to ensure that the deployment of the AI follows a risk-based approach. These requirements will only enter into application from 2 August 2026 (and from 2 August 2027 for high-risk systems that are safety components of products covered by the EU product legislation listed in Annex I). Suppliers and users of AI systems are recommended to anticipate the implementation of the regulation, all the more so as this regulation is unprecedented and is not based on a pre-established framework. This being said, the GDPR remains an important piece of legislation, notably given the recent EDPB Opinion 28/2024 of December 2024 on data protection aspects related to the processing of personal data in the context of AI models, underlining in particular the need for controllers to be able to evidence the anonymisation of personal data used in the training of the AI, and the designation of the CNPD as the competent supervisory authority for the purposes of the AI Act (pursuant to bill of law n°8476).

#2 Regulation of platforms and Big Tech

It is interesting to note that the rules for Big Tech have materialised across several new legal and enforcement initiatives, and 2025 will see a continuation of this trend, turning more to enforcement.
The Digital Markets Act ("DMA"), not to be confused with its "sister" Digital Services Act ("DSA"), became fully applicable to the first designated gatekeepers in March 2024. The DMA applies to so-called "gatekeepers" in the digital world, ensuring, amongst others, a higher degree of interoperability with other (smaller) players and breaking up the synergies between different business segments of Big Tech conglomerates. The European Commission is expected to pursue its investigation and enforcement efforts, both on the ground and against the appeals filed by certain designated gatekeepers concerning their designation under the DMA.

On a related note, the EDPB adopted in April 2024 bespoke requirements for "large online platforms" in terms of valid consent for "consent or pay" models (i.e., where the user is given the option either to accept targeted advertising or to pay to access the website), without however a precise alignment with the similar notion of "very large online platforms" under the DSA, underlining that regulatory authorities may not hesitate to pursue new requirements instead of leveraging existing ones. Likewise, we expect that many of the practices that would previously have been enforced via competition law will now be easier to enforce on the basis of the DMA. Competition law will, however, continue to play a role via the applicable merger control rules, on the basis of which some Big Tech acquisitions can be prohibited.

In addition, the Data Act, facilitating switching between cloud service providers and imposing specific obligations in terms of contractual terms and switching charges, will become applicable from 12 September 2025, impacting the negotiation and revision of contractual terms by the biggest players in the cloud service industry, with repercussions across the chain of services relying on such cloud infrastructure.
#3 Continued focus on IT resilience and third-party risk management

The earliest development in 2025 will be the entry into application of the Digital Operational Resilience Act ("DORA"), regulating, among others, designated critical ICT third-party service providers (such as the large cloud service providers) delivering services to the financial sector. Although DORA applies from 17 January 2025, and in-scope entities are expected to have already prepared in advance in terms of internal governance arrangements, reporting requirements and negotiations with third-party ICT service providers, a certain grace period is likely, given the significant number of requirements stemming from DORA. The German BaFin has for instance requested supervised entities to comply with the register of information requirements by 11 April 2025, and underlined that a list of critical ICT service providers is expected to be published by the European Supervisory Authorities in Q2 2025. The CSSF will disclose its target date soon.

DORA establishes a set of requirements, from risk management to operational resilience testing, through incident management and reporting, for the financial sector at large, with an impressive list of no fewer than 21 different categories of in-scope entities, from credit institutions to ICT service providers, through fund managers, crypto-asset service providers and insurance intermediaries. This regulation will thus have a significant impact on the Luxembourg financial centre. DORA also regulates the contents of contractual arrangements concluded between financial entities and ICT service providers. The significant amount of work required to comply with DORA from an operational point of view is likely to involve a broad range of services of the in-scope entities and requires the review of the most important ICT agreements of the entities concerned.
As highlighted by the EDPB in its Opinion 22/2024 adopted in October 2024 on the reliance on sub-processors, it is of key importance for controllers to be reasonably aware of the identity and activity not only of their immediate processors, but of all sub-processors throughout the processing chain, a position reminiscent of the requirements under the DORA regulatory technical standards (RTS) on subcontracting, which require entities to be able to monitor the whole subcontracting chain of ICT services supporting critical or important functions. This parallel hints at a possible convergence between regulatory frameworks towards similar positions on essentially the same questions, increasing certainty for supervised entities.

In addition to DORA, the NIS2 Directive (a remodelling of the original NIS Directive) is a further legal text imposing obligations in terms of IT resilience for a list of (highly) critical sectors (most utilities sectors, credit institutions, the space sector, manufacturing of important products). Aimed at improving harmonisation of EU requirements, the NIS2 Directive sets specific minimum rules (and ensures consistency with DORA, where needed) in terms of ICT risk analysis and security policies, incident handling, business continuity and crisis management, as well as supply chain security and security in network and information systems acquisition, development and maintenance. The bill of law (n°8364) transposing the NIS2 Directive into Luxembourg law is yet to be voted.

In parallel, the "Cyber Resilience Act" (Regulation (EU) 2024/2847) was adopted on 23 October 2024. This act aims at improving cybersecurity in technological products with digital elements (including hardware and software) designed, manufactured, imported or otherwise distributed within the EU, by establishing minimum cybersecurity requirements for such products, together with vulnerability handling and incident reporting obligations for their manufacturers; the reporting obligations will apply from 11 September 2026 and the bulk of the requirements from 11 December 2027. This new initiative demonstrates that cybersecurity must be an essential consideration in the design process of new technological products (and in the review process for importers and distributors), even for consumer-grade products.
#4 The data economy: open data & data sharing

The European data strategy announced by the European Commission in 2020 aims to create a single market for data, in which data, personal and non-personal, will flow freely across sectors, benefiting various stakeholders and boosting Europe's global competitiveness and data sovereignty. The Data Governance Act ("DGA") and the Data Act are pivotal in this respect. The DGA includes conditions for the re-use of certain categories of data held by public sector bodies, sets rules for the provision of data intermediation services and introduces a framework that facilitates data altruism for objectives of general interest.

The Data Act, by contrast, aims to ensure fairness in the digital environment, stimulate a competitive data market, open opportunities for data-driven innovation and make data more accessible to all. It includes harmonised rules on (i) making data generated by the use of a product or related service (e.g., IoT applications) available to the user thereof, (ii) making data available by data holders to data recipients, public sector bodies and Union institutions, agencies or bodies, (iii) facilitating switching between data processing services, (iv) introducing safeguards against unlawful third-party access to non-personal data, and (v) the development of interoperability standards for data to be accessed, transferred and used.

A Luxembourg bill of law (n°8395) aims at implementing both the DGA and the "once only" principle, whereby an administration cannot request a citizen to produce a document or information that is already in the possession of another administration.
Another key trend in the EU and in Luxembourg is the creation of sectoral data sharing mechanisms, which are "en vogue", for example with the EU legislative initiative to adopt a regulation on a European Health Data Space ("EHDS") for health data, now awaiting a formal vote from the Council, following a political agreement reached in March 2024 with the European Parliament, before its publication in the Official Journal, as well as the proposal for a regulation on a framework for Financial Data Access ("FiDA") facilitating the sharing of data in the financial sector beyond the existing account information access rules under the payment services regulatory framework.

These initiatives will however be subject to scrutiny from both in-scope entities and the individuals whose data will be managed under them, particularly from a privacy and data protection standpoint, given that such considerations may lead to the invalidity of a legal provision (see for instance the open access to the registers of ultimate beneficial owners being struck down by the CJEU).

#5 GDPR enforcement & increased risk of privacy litigation

The GDPR, as shown above, still retains a particular importance, and data protection authorities are increasingly seen as taking an active role beyond data protection to ensure an overall surveillance of the risks posed by technology and related industries (be it in Big Tech, AI or third-party management). Whilst this approach will raise questions of alignment between the different regulatory regimes, the proposal for a regulation harmonising certain aspects of GDPR enforcement remains to be negotiated between the European Parliament and the Council, with disagreements remaining ahead of the trilogue, particularly on the position of the complainant.

Another trend in recent years is the award of damages for data protection related breaches, which is seeing some increase in Europe, although at a slower pace than in other jurisdictions such as the US.
The CJEU has held that even if no material damage is evidenced, the claimant may nonetheless be entitled to non-material (i.e., moral) damages, even for a trivial amount based solely on the . In the recent Bindl case (T-354/22), the General Court of the European Union ordered the European Commission to pay EUR 400 in non-material damages to a visitor of its website due to the transfer of their IP address to the website of Facebook, hosted in the US, following a click on the "Sign in with Facebook" plug-in. Another arguably trivial claim which may give rise to such moral damages could be the fact pattern in the Mousse ruling before the CJEU (C-394/23), holding that the processing of the title "Mr" or "Ms" is not necessary for the booking of train tickets.

It remains to be seen whether this will bolster claimants' interest in privacy litigation in the EU and reverse the general trend in Europe of enforcement stemming from regulators' initiatives rather than from individual claimants, but it does send an encouraging signal to privacy claimants (especially activists) that any breach of the GDPR, irrespective of its trivial importance, could lead to the award of moral damages.