Perhaps European tech companies can’t compete with American giants like Microsoft, Google or Amazon, or Asian ones like Alibaba and Tencent. But if there is one thing that Europeans can be proud of, it is the body of law that emanates from the EU: regulations that establish what companies can and cannot do with our data and that, in most cases, serve as inspiration for legislative texts of third countries.
As the experts at Paradigma Digital tell us on the occasion of European Data Protection Day, which is celebrated on January 28, last year was especially intense in this field, with the approval of key regulations such as the European Artificial Intelligence law or the law of digital markets. But there is much more that companies should take into account.
European Artificial Intelligence Law
In April 2022, a Proposal for a Regulation establishing harmonized standards on artificial intelligence in the European Union was approved. This regulation urges the use of AI and the development of its industry under “democratic standards” so that “technology completes human work.”
It will be applicable to all uses of AI that affect EU citizens, regardless of the headquarters of the service provider or the place where the system is developed or executed, inside or outside the borders of the EU, as is already the case with the European Data Protection Regulation.
It addresses the risks of specific uses of AI, classifying them into 4 different levels: unacceptable risk, high risk, limited risk and minimal risk, to ensure that Europeans can trust the AI they are using. The Regulation is also key to building an ecosystem of excellence in AI and positioning Europe to play a leading role globally, as it would be the first world power to have this type of regulation.
For the development of many of its provisions, the European Union has established the Spanish Agency for Artificial Intelligence, the first institution of its kind in the European Union, which will have its headquarters in A Coruña.
Its functions include the creation of a voluntary certification framework for companies on the responsible design of digital solutions, advice to companies and public entities, the power to inspect and penalize once the European regulation on the use of artificial intelligence enters into force, and outreach activities.
Digital Markets Law and the Digital Services Law
On the other hand, on November 1, 2022, two determining EU regulations for online platforms entered into force, although they will begin to be applicable as of May 2, 2023.
The first is the Digital Markets Act (DMA). This rule seeks to put an end to unfair practices by companies that act as gatekeepers of the online platform economy.
It defines when a large online platform qualifies as a “gatekeeper.” These are digital platforms that provide an important gateway between business users and consumers, whose position can give them the power to act as a private rule maker and thus create a bottleneck in the digital economy. To address these issues, the DMA will define a series of obligations that must be respected, including prohibiting gatekeepers from engaging in certain behaviors.
The second is the Digital Services Act, or DSA. It seeks to create a safer and more responsible online environment, offering new protections to users and legal certainty to companies throughout the single market by regulating online intermediaries, thus becoming an international reference as a pioneer in establishing a regulation of this type.
It applies to all digital services that connect consumers with goods, services or content. It creates new obligations for online platforms to reduce harm and counter risks online, introduces robust online user rights protection, and places digital platforms in a new single framework of transparency and accountability.
To do this, the European Commission is creating a European Center for Algorithmic Transparency (CETA) in order to support its supervisory function.
New data protection agreement between Europe and the US
Following two years of negotiations after the previous agreement was annulled in 2020, on the view that the United States did not provide sufficient guarantees to protect the privacy of the data, a new agreement has been approved. Its objective is to restore an important legal basis for transatlantic data flows, and it is intended to address the issues raised by the Court of Justice of the European Union, thus trying to prevent it from being annulled again.
NIS Directive 2
In December 2022, Directive NIS 2 entered into force: Directive (EU) 2022/2555 of the European Parliament and of the Council of December 14, 2022, regarding measures aimed at guaranteeing a high common level of cybersecurity throughout the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 and repealing Directive (EU) 2016/1148 (SRI Directive 2).
This Directive establishes cybersecurity obligations for Member States, measures for cybersecurity risk management and notification obligations for entities within its scope, obligations relating to the exchange of information on cybersecurity, as well as supervision and enforcement obligations for Member States.
Proposal for a Regulation on cybersecurity in products with digital elements
On the other hand, in September 2022 the European Commission approved the Proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements, which modifies Regulation (EU) 2019/1020. The proposed Regulation aims to set EU-wide cybersecurity requirements for a wide range of hardware and software products and their remote data processing solutions. These include, for example, browsers, operating systems, firewalls, network management systems, smart meters, or routers.
The European Data Protection Supervisor (EDPS) has given its opinion on the proposal, stressing the importance of the cybersecurity of products with digital elements to effectively protect the fundamental rights of people in the digital age, including their rights to privacy and data protection. It agrees with the proposal and recommends, among other issues, the inclusion of the principles of data protection by design and by default as an essential part of these requirements.
These standards, along with other initiatives, are part of the European Union’s cybersecurity strategy.