Work is currently underway in Poland and the EU on more than fifty legislative acts that constitute the sources of new technologies law. A list of the most important of these acts is given below, divided into particular subject areas within new technologies (cybersecurity, e-privacy, e-commerce, innovation, Internet, telecommunications, intellectual property, and data management). Mark Twain once said “nobody is safe of his life, property, and health when the parliament deliberates”.
1. Legislative proposal to amend the Polish National Security System (NSS) Act.
Status: The current proposal to amend the National Cybersecurity System Act is dated 3 October 2023, and the bill amending the NSS is expected to be passed in Q I/II 2023.
Who is affected: the obligations apply equally to public and private entities that hold operator of essential services and/or digital service provider status in the meaning of the NSS. Digital service providers include for instance cloud computing service, online shopping site, and online search site providers.
The main provisions in the amendment to the NSS:
- Incorporation of electronic communications operators into the national cybersecurity system,
- Incorporation of information sharing and analysis centers (isac) into the national cybersecurity system. Isacs are tasked with collecting, analyzing, and sharing information about vulnerabilities, cyberthreats, and cybersecurity incidents,
- Unifying cybersecurity incident reporting procedures,
- Introducing an option whereby external socs (security operations center - specializing in this field) perform cybersecurity tasks,
- Creating a national cybersecurity certification scheme, in which cybersecurity certificates will be issued,
- Hardware and software suppliers will be subject to a procedure to verify the kind of threats that could arise if particular hardware or software they offer was used in crucial entities in the polish economy,
- Granting of further powers to the government plenipotentiary for cybersecurity.
2. Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive)
Status: The NIS 2 Directive, which amends the NIS Directive, on which the National Cybersecurity System Act is modeled, was published in the EU official journal on 27 December 2022 (L 333/80). The Directive is to be transposed into national law by 17 October 2024, while EU member states are to apply it from 18 October 2024. NIS 2 will probably be implemented as an element of amendment of the NSS Act.
Who is affected: entities categorized as essential and important entities as defined in NIS 2. In practice, this will mean current operators of essential services and digital service providers as defined in the NSS, as well as new categories of entities given this status.
The main NIS 2 provisions:
- In NIS 2, the present categories of operators of essential services, digital service providers and public entities have been replaced by the categories essential and important entities. Importantly, the list of sectors governed by the Directive will be longer than under the law at the moment.
- The main obligations of essential and important entities will be implementation of risk management measures in cybersecurity and reporting serious incidents.
- To ensure compliance with the obligations under NIS 2 by essential and important entities, supervision and enforcement measures have been introduced, including the option of fines.
Provisions on electronic marketing for the proposal for the Polish Electronic Communications Law.
Status: work is underway on a proposal for the Communications Law. The most recent version of the electronic communications bill was dated 9 December 2022 (Sejm docket 2861). Electronic marketing rules are laid down in articles 393-394 of the proposal for the Electronic Communications Law, and these rules are to come into force within six months of publication of the Electronic Communications Law.
Who is affected: articles 393-394 of the proposal for the Electronic Communications Law specify the prerequisites for lawful electronic marketing, and apply to any entities pursuing that activity regardless of whether they are defined as electronic communications undertakings in the Electronic Communications Law. The obligations laid down in these articles thus apply for example to undertakings that conduct or contract e-mail or text message campaigns, or that use forms of communication such as automated calling (interactive voice response - IVR), or telemarketing. They also apply to undertakings that install online identifiers (such as. cookies).
The main provisions in the bill on electronic communications (e-marketing):
- According to the law as it currently stands, marketing is regulated directly in two laws – article 10 of the Act on Electronic Services (AES) and article 172 of the Telecommunications Law (TL). When the ECL takes effect, this will be regulated in a single provision - article 393 of the ECL, which will take the place of the present article 172 of the TL, and thus article 10 of the AES will be repealed. One of the obligations that results from this legislative process will be to obtain legal persons’ consent to conduct campaigns by e-mail. This harmonization of the rules on contact for promotional and commercial purposes will also mean that current marketing activity consent clauses will have to be revised.
- Under the current laws, the issue of installing identifiers such as cookies was addressed in article 173 of the TL. In the proposal for the ECL, this is regulated in article 394 of the ECL, which will be worded in the same way, with no substantive changes to content, as the current article 173 of the TL.
1. Amendment to the Polish Consumer Rights Act and other acts (implementation of the Omnibus Directive).
Status: in force as of 1 January 2023. The amendment transposes Directive (EU) 2019/2161 of 27 November 2019 - Omnibus Directive. The main provisions in the Omnibus Directive are included in the amendment to the Consumer Rights Act, the Act on Combating Unfair Commercial Practices, and the amendment to the Competition and Consumer Protection Act, Act on Disclosure of Prices of Goods and Services, and the Code of Misdemeanors.
Who is affected: among those affected are firms that operate online stores and online shopping sites on which other people can effect e-commerce transactions.
The main provisions in the new legislation (implementation of the Omnibus Directive):
- Online shopping sites are required to inform consumers whether the seller provides products via the site, acting as an undertaking. This tells a consumer whether, for instance, they are entitled to withdraw from the agreement.
- New rules on promotion and the way in which price decreases are presented to consumers; to make promotions more transparent and more authentic, undertakings are required not only to state the special promotion price, but also to state the recent lowest price that the undertaking charged for that product; the rule is that there will be a reduction in the price of the product or service in effect in the thirty days prior to the decrease.
- The commercial practice of fake reviews has been prohibited, i.e. posting on online forums or contracting the posting of fake opinions and recommendations concerning products. The same applies to distortion of materials of that kind. Undertakings trading online are also required to ensure that these opinions and recommendations come from consumers who have in fact purchased or used the product.
- If an online shopping site operator uses product placement, it has to disclose this. Importantly, it is not sufficient to state that search results are influenced by algorithms; the main parameters that determine the order in which results are listed have to be stated as well.
2. Amendment to the Polish Consumer Rights Act, the Civil Code, and other acts (implementation of the EU Digital Directive and Sale of Goods Directive).
Status: in force as of 1 January 2023 This implements Directive 2019/771 of 20 May 2019 on certain aspects concerning contracts for the sale of goods (Sale of Goods Directive) and Directive EU 2019/770 on certain aspects concerning contracts for the supply of digital content and digital services (Digital Directive). The Sale of Goods Directive is implemented principally by an amendment to the Consumer Rights Act and Civil Code, while the Digital Directive is implemented in an amendment to the Consumer Rights Act.
Who is affected: 1) implementation of the Sale of Goods Directive affects any entities that sell goods and services, including those conducting e-commerce; 2) implementation of the Digital Directive affects suppliers of digital content or services, such as video games, e-books, music files, videos, e-publications, internet applications, internet site access, and file hosting services.
The main provisions in the legislation (implementation of the Sale of Goods Directive):
- There are new rules on the consumer statutory warranty.
- There are new requirements for compliance of a product with the contract, concerning both the type of item and the entity concerned. With regard to goods with a ‘digital element’ (smartphones, tablets), under requirements concerning product compliance with the contract, a consumer must be provided with updates, including security updates, necessary to ensure that the goods continue to be compliant with the contract.
- There is a new system of hierarchy of consumer protection measures, i.e. priority of a consumer’s rights where goods are not compliant with the contract.
The main provisions in the legislation (implementation of the Digital Directive):
- Requirements are specified regarding supply of digital content or services by undertakings and the respective consumer rights,
- Digital content or services must have all of the features commonly associated with a particular category of product (compatibility and functionality). For example, if a consumer purchases a film streaming service, it must be compatible with the most popular internet browsers.
- Digital content or services must be supplied as the latest available version at the moment of sale, which means that upon making the purchase the consumer will not have to download further updates immediately.
- There is a new rule that if digital content or services are provided continuously, the undertaking must provide the consumer with the respective updates while the digital content or service is provided. This is primarily a question of security updates, but also those that enable a consumer to continue using the provided digital content or service.
1. Proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act)
Status: the act on which work is currently underway was published on 21 April 2021, and is expected to be passed in Q I 2023. The Artificial Intelligence Act is to take effect 24 months from the moment it is passed.
Who is affected: The act is intended to regulate activities of artificial intelligence system operators. These include suppliers who place AI systems on the market or deliver them for use in the EU, and AI system users; users are entities that use AI in gainful or professional activity.
The main provisions in the proposal for the Artificial Intelligence Act:
- The primary aim is to reduce the risks connected with operating AI systems,
- Rules on placing on the market, delivery for use, and use of AI systems have been harmonized in the EU,
- Under the regulation, a risk-based approach is taken to AI, according to the principle that systems that involve a heightened level of risk should be subject to broader and more stringent requirements than systems for which the risk connected with use is limited or low. To this end, artificial intelligence systems have been divided into four categories
- Special requirements have been introduced regarding high-risk AI systems, as well as obligations of operators of such systems,
- Transparency requirements have been introduced with regard to AI systems intended to interact with individuals, systems that detect emotions, and biometric categorization systems, as well as systems that generate or are used to manipulate pictures, sound, or video content,
- A list of prohibited practices has been produced with regard to artificial intelligence,
- Severe fines of up to EUR 500 000 are provided for for breach of the Artificial Intelligence Act.
2. Proposal for a Directive of the European Parliament and of the Council on adapting non-contractual civil liability rules to artificial intelligence (AI Liability Directive).
Status: A proposal for the AI Liability Directive was published on 28 September 2022 and is currently undergoing the legislative process.
The main provisions in the AI Liability Directive:
The Directive applies to non-contractual civil claims due to damage caused by AI systems, when claims are filed on the basis of tortious liability. Special rules have been introduced in this context:
- disclosure of evidence regarding high-risk AI systems, to enable the plaintiff to give reasons for a non-contractual, civil law claim for compensation based on tortious liability;
- burden of proof, where non-contractual, civil law claims for compensation based on tortious liability are filed with a national court due to damage caused by an AI system.
1. Proposal for legislation to implement the Digital Services Act (DSA).
Status: Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market for Digital Services and amending Directive 2000/31/EC (Digital Services Act) was passed on 19.10.2022. The regulation was published in the EU Official Journal on 27.10.2022 and took effect on 16.11.2022, however most provisions in the regulation will apply from 17.02.2024.
The Digital Services Act will be supplemented by a Polish act to implement it, to be passed in 2023. Work is currently in progress on the main precepts for the act.
Who is affected: entities specified as providers of intermediary services (internet intermediaries) in the Digital Services Act. For example, special obligations have been placed on internet site operators under the DSA, by applying examples of entities subject to obligations laid down in the DSA; these are: providers of hosting services (for example data centers), social media sites, online shopping sites, online stores with applications, sites for users to share content, and online sites on which travel services can be purchased or premises rented from private individuals.
The main provisions in the act implementing the Digital Services Act (DSA).
- Under the Digital Services Act, a minimum of one authority must be established in each EU member state, responsible for oversight of providers of intermediary services and enforcing the regulation. Work is underway in Poland on the precepts for a bill specifying the competences of this new “Internet regulator”. The regulator will have a range of new powers, including imposing fines (up to 6 % of annual revenue or turnover of the intermediary service provider concerned). At the same time, the Polish government is inclined towards a model in which the powers of the existing regulators (Office of Electronic Communications or the Office of Competition and Consumer Protection) are expanded,
- Regardless of the specified powers of the Polish digital services coordinator, the implementing legislation envisages, as in the case of the GDPR, – adaptation (amendment) of existing laws.
2. Proposal for an EU regulation on the transparency and targeting of political advertising
Status: The proposal for an EU regulation on political advertising was published on 25 November 2021, and work is currently underway on the regulation. It is intended to be adopted in 2023.
Who is affected: The regulation will be applicable to providers of political advertising services. In particular, it will apply to political advertising prepared, placed, promoted, published, or disseminated in the EU or addressed to natural persons in one or more member states regardless of the place of business of a provider of advertising services and the means used.
The major implications of the Regulation on Political Advertising:
- A range of requirements concerning political advertising transparency and reporting cases of unlawful advertising have been introduced,
- Political advertising targeting based on data that “reveal political opinions” will be prohibited except where the advertising addressee has given consent.
1. Proposal for the Polish Electronic Communications Law (ECL).
Status: The proposal for the ECL will implement Directive 2018/1972 of 11 December 2018 establishing the European Electronic Communications Code. The Directive was to be implemented by 21 December 2020, while Poland did not meet this deadline. As of the moment the ECL is passed, the Telecommunications Law will be repealed. The proposal for the ECL will also cover the issues regulated in the act to date but which do not implement at the same time the European Electronic Communications Code (such as electronic marketing rules – see point II above). Parliamentary work is underway on the proposal for the ECL of 9 December 2022 (Sejm docket 2861). Work is in progress at the same time on the proposal for an act implementing the ECL of 9 December 2022 (Sejm docket 286). A large majority of the provisions in the ECL are to take effect six months from publication.
Who is affected: the proposal for the ECL will cover a wider range of entities than under the law at the moment; in addition to conventional telecommunications operators, it will apply to firms not providing telecommunications services as well, in particular firms providing over-the-top (OTT) services, such as e-mail and online video call and chat tools.
The main provisions in the proposal for the ECL:
- The new law will apply to OTT service providers,
- The structure and wording of electronic communications service agreements will change,
- It will regulate the issue of direct billing,
- Prepaid funds not used will have to be returned to subscribers.
VII. Intellectual property.
1. Proposal for an amendment to the Polish Act on Copyright and Related Rights
Status: The EU legislation is Directive (EU) 2019/790 of the European Parliament and of the Council of 17 April 2019 on copyright and related rights in the Single Digital Market. For the internet sector, article 17 of the Directive will be most important. The deadline for implementing Directive (EU) 2019/790 was 7 June 2021. The latest version of the bill amending the Act on Copyright and Related Rights, which implements Directive 2019/790, dates back to 17 November 2022. The amendment is to be passed in the first half of 2023.
The main implications of the amendment to the copyright law, as regards new technologies law:
- Under the envisaged amendment to copyright law, a content-sharing service provider will only be permitted to disseminate works posted by users with the consent of the holder of rights to the work (the artist, producer, buyer of economic copyright, etc.)
- The service provider’s liability for copyright infringement due to disseminating works without permission will be risk-based, and a range of prerequisites will have to exist jointly to be released from liability; as a result, the proposed amendment to the Copyright Act will mean that online video platform etc. providers will have an obligation to monitor content.
VIII. Data governance.
1. Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance (Data Governance Act).
Status: The regulation will take effect from 24 September 2023.
Who is affected: public sector entities.
The main provisions in the Data Governance Act:
- Greater options for private entities to reuse public sector information,
- Specified rules on providing data intermediation services between private entities
The Data Governance Act also creates a legal framework promoting a new business model for data sharing, being regulated data intermediation services between private entities. The act creates a system of trusted intermediaries who are to act in a neutral way. To ensure that neutrality, those entities will not be able to share data in their own interest, for example by selling them to another undertaking or using them to develop a product or service of their own. Principles are laid down for voluntary sharing of data by individuals or undertakings in the general interest – termed as an altruistic approach to data.
- Providing for an altruistic approach to data, i.e. a qualified legal form of data sharing. This concerns in particular situations in which individuals or undertakings provide data in the public interest voluntarily (such as a research project in medicine) and the data are not used for commercial purposes. Entities that intend to collect data for purposes that are in the general interest can apply to be registered in the national register of recognized data altruism organizations. This is intended to build the essential trust in data altruism and encourage individuals and undertakings to provide the organizations with the data for use in the general public interest.
2. Proposal for an EU Regulation on harmonised rules on fair access to and use of data (Data Act).
Status: the EC published the proposal for the Data Act on 23 February 2022. With regard to the relationship between the Data Governance Act and the Data Act, they are mutually complementary, as the Data Governance Act focuses on the legal framework, processes, and structures to support data sharing, while the proposal for the Data Act places greater emphasis on clarifying who can use data and under which conditions. Work on the proposal for the Data Act is ongoing.
Who is affected: holders of data generated through use by users of products or related services.
The main provisions in the proposal for the Data Act:
- Rules providing for greater access to data, for instance by granting users the right to demand access to data generated by products or the related services that they use,
- Rules ensuring that data can be easily transferred to facilitate switching between cloud data processing service providers.