Digital Signature Legality for Paid-Time-Off Policy in European Union

How to eSign a document: digital signature legality for Paid-Time-Off Policy in European Union

uh good morning good evening wherever you are and welcome to today's field fishal webinar thank you very much for joining us um my name is flick I'm a partner based out here in our Silicon Valley office and I'm delighted to say I'm joined by my colleagues Megan and imagin and we wanted to do this webinar because there has been an absolute Deluge some might say tsunami of new digital regulation that Europe has been pushing out um so much so that it's a huge amount to keep on top of and to understand how to kind of understand who it applies to to what extent we need to be um keeping in mind these new regulations as you map out your compliance um projects for this year so we're here to give you a really practical overview of the new pieces of legislation that are coming into effect this year or are due to come into effect in the next kind of one to two years to give you and help you inform form your kind of prioritization when you're building out that compliance program for 2024 um we're going to try and use a kind of chili uh we're going to apply chilies to the different pieces of legislation basically to tell you how hot or not we think they are and how much we think you need to take them into account now or maybe to the extent you can sort of delay factoring them into your compliance for this year so with that all said I'm going to hand over to my colleagues to kind of give you a bit of an overview of what we're going to talk about okay so we're going to cover a number of initiatives today um you can see on fly we've got digital markets act Digital Services act data governance act data Act and the AI act so a whole load of acronyms there um but all these initiatives are part of Europe's digital decade and back in March 2021 the European commission prevent presented its vision for Europe's digital transformation by 2030 and the Commission in intended to fund and support the development of sectors that are crucial to its digital sovereignty while also promoting common EU values and respecting fundamental rights and freedoms including privacy Safety and Security but with every ambitious plan follows a whole host of challenges to overcome and a raft of regulations to navigate okay so to keep things interesting and provide you with a realistic assessment of what's hot and what's not in EU digital regulation we've created a key to indicate the levels of spiciness for each piece of legislation and therefore where your compliance efforts should be focused so at the one chili end we have the least spicy regulations and not to say these aren't important but the key measures introduced by these regulations won't affect many of you at the medium spice level we have those regulations where there's a lot to get on top of but there is plenty of time to prepare and lastly we have the spiciest of the regulations they're just about to come into effect there's a whole host of obligations to get your head around and so the need to act now and prepare early is Paramount to ensure compliance so first up is the Digital Services act now as those of you who tune into field fish's webinars regularly will know we have just recently hosted an entire webinar just on the DSA are you subject to the DSA what are your responsibilities is a hosting service or an online platform and how will the DSA affect your business model all of these questions have been answered so please do check it out but at a very high level the DSA aims to protect users online by making it easier for them to flag hate speech terrorist propaganda child ography and other illegal content goods and services it also updates the liability regime for digital service providers and creates new takedown transparency and Reporting obligations this includes requirements provide users with information about why ads are shown and information about why content is recommended the DSA also introduces new obligations for intermediary services and these are tiered depending on the nature size and impact of the service so for example M conduits caching services and hosting services are subject to rather limited obligations while online platforms online search engines and online marketplaces are subject to additional obligations the most owner obligations are reserved for very large online platforms and very large online service providers including obligations to perform risk assessments and conduct yearly audits so the first Port of Call with a DSA will be to assess quickly whether you are caught which C you fall under and what the relevant obligations are for your organization so moving on to our next EU digital regulation the digital markets act the main purpose of the DM ma is to put an end to unfair practices by companies that act as Gatekeepers in the online economy these Gatekeepers are primarily large digital platforms that provide an important Gateway between business users and consumers and whose position can grant them the power to ACC as a private rle maker therefore creating a bottleneck in the digital economy so really this is unlikely to apply to many of you listening today but we're including here for completeness and so we have zero chilies here on our heat scale only seven companies have actually notified the European commission that they meet the criteria of gatekeeper including Google Amazon Apple Tik Tok meta Microsoft and Samsung all The Usual Suspects so our next digital regulation is the data governance act and essentially the DGA regulates the sharing of both personal and non-personal data held by public sector bodies that's subject to the rights of others and when we're talking about the right rights of others we're talking about Trade Secrets personal data or IP rights the DGA intends to facilitate the ReUse of public sector data by ensuring no business suffers from any discrimination when accessing data they would like to reuse and it prevents public sector bodies from entering into exclusive agreements relating to the ReUse of that data the rules under the DGA became applicable on 24th of September last year and most of the provisions only apply to public sector bodies there are some rules applicable to data intermediation service providers or data intermediaries and that is an organization which sets up commercial Arrangements between those holding the data and those wishing wishing to use the data providers likely to be within scope are data marketplaces consent management platforms and services set up to be the middleman between data subjects who want to make their personal data available and data users who want to use their personal data now the DGA specifically excludes from scope amongst others providers of cloud services data Brokers and providers of products resulting from value add to the data uh by the that service provider so if your quarters of data intermediary the DDA sets up a two-tier licensing regime with certain licensing conditions designed to ensure that data metor is the data metor is independence and restrict their reuse of data and in addition data intermediaries or need to consider if third countries offer appropriate protections for the non-personal data and need to resist government access to EU data so it's essentially creating a set of dat to transfer restrictions for non-personal data there's also a notification and registration process for data intermediaries with the local uh Authority now that all said given its limited application to most of our clients we've given the DGA a mild one chil here thanks Megan um so sitting alongside the data governance Act is something called the EU data Act um and its main purpose is really to create a framework for who can access and use data generated by connected products um and related Digital Services um in other words it kind of clarifies who can create value from data and under what conditions um and the idea behind this act was really to try and unlock the data companies um that you know that have access to this data to unlock that data and allow it to be used um and accessed by both the the users so the people who whose data it includes um and also other third-party recipients and much like the data governance act it also covers both personal and non-personal data so unlike the gdpr which is focused on the processing of personal data lots of these new digital pieces of Regulation that we're looking at extend to other sets of data too so who really needs to be concerned about this well the data act primarily applies to manufacturers suppliers and users of connected products in the EU uh as well as kind of related services and it potentially covers a broad range of products from Vehicles medical devices you know lifestyle equipment consumer G and consumer goods um there are also certain Provisions that apply to data holders that make data available to data recipients in the EU so that could include the manufacturer but it could also include providers of related services or even external Cloud s uh uh cloud service providers there are also Provisions uh that around public sector bodies and requiring that they share data or have access to data in certain situations um and probably most notable for many of our clients are actually the provisions that apply to data processing Services I.E providers of cloud services uh in the EU and I'll come on to that in a second so this is a really new piece of legislation it entered into force on the 11th of January this year but most of the provisions won't apply until the 25th of September 2025 um and there are some other Provisions which will uh take effect even later so what are the key obligations well if you are a manufacturer of of a connected product um you will have to be ensuring that they are designed and manufactured in a way that empowers users which could be businesses or consumers to easily and securely access use and share product data and related Serv service data and the intention here is that historically data generated by connected products so think about your smart uh home uh devices uh and other things were exclusively harvested by that manufacturer so they had a lot of control over over the data that was uh being generated from your use of those connected products um and that was felt to have given them a really unfair competitive advantage and left consumers with limited choices with respect to things like aftermarket services so getting um repair or or other types of services from other providers um so by imposing obligations to make that product data and related service data accessible to the users so the businesses or consumers that are using those products um it really aims to create create a more sort of competitive market and give consumers the benefit of certain Choice um so the act includes specific measures that allow users to gain access to their data um that that was connected by the products and also to share data with third parties again to provide aftermarket or other datadriven Innovative Services um and there are a few exceptions Bak into that so this is kind of somewhat like the gdpr right of portability there are also obligations imposed on third parties who'll be receiving that data for example they will be subject to sort of purpose limitation requirements so only allowed to process that data they receive for purposes that have been agreed with the user um there are also a number number of um unfair terms related Provisions that sort of cover that data access so the act out outlines when certain contractual terms between the different organizations who share data under the ACT will be deemed to be unfair um so again going to have some implications there between the contracts that are in place to facilitate those data sharing Arrangements essentially to kind of protect against an imbalance between the parties um and then those data holders are going to be required to make certain data available free of charge uh to public sector organizations where there is an exceptional need I a public interest argument and then I think probably most uh of most interest to our clients is the new Provisions that apply uh that sort of facilitate or aimed at facilitating easier switching between cloud and Edge services so there are going to be new rules which allow customers to more easily switch between different data processing providers uh without undue undue delay or cost and to Port their data and digital assets to another provider um or to Port it to their own infrastructure again the intention here is to remove obstacles whether precom commercial technical or contractual which inhibit customers from doing things like terminating the contract engaging another provider porting the customers uh exportable data and digital ass assets to new providers or to their own on-prem infrastructure um so to kind of bolster all of that switching the ACT sets out certain minimum contractual requirements that are going to have to be put in place to support the switching between the services um and those cloud service providers are also going to have certain transparency obligations which will require it to make available uh certain information on you know about how the switching can take place um amongst other things so um quite a bit there if you're a cloud service provider that's caught by the ACT there's also much like um Megan hinted at in the data governance act we're also seeing an extension of some of the data transfer rules to non-personal data so really extending the transfer rules under the gdpr andw and schwem 2 the schw 2 decision to Providers of data processing Services um and they are essentially going to be required to make sure that they're implementing appropriate safeguards to prevent any incompatible or unlawful access to that personal dat that data should say not just personal data by um governments so um what are the kind of um next steps here well if you're a manufacturer or a data holder of a connected product you're really going to Bear the bulk of the compliance obligations under this act um so you're going to have to implement design requirements get to know your data um start classifying uh data both non-personal and personal data uh to figure out what data sets you're going to have to potentially make available to the users we're again it's going to have an impact on data licensing terms um and you're also going to have to be ready to manage and respond to some of these access and portability requests the data R facilitates um and then if you're a cloud provider or or uh you're also going to have to think about updating your contracts um to factor in the minimum contractual requirements that apply under the act and also be aware of some of those International transfer requirements um and if you're a data recipient looking to kind of um get the value of some of the data that can be released from these connected products um and you know you may have a chance to profit from some of that data there's going to have to be appropriate data licensing terms that are put in place to go you know govern that sharing so quite a bit to think about I think for most of our clients um the real sort of area where you're going to be caught is if you're cloud service provider um and your kind of processing Falls within the scope there and it's really going to have impacts for contractual Arrangements that you have with your customers the users of th of those products so next slide please um so this is been the headline grabbing piece of new legislation that has in many ways dwarfed all other uh legislations in term in terms of interest uh amongst uh consumers amongst regulators and such like and even just the general legal community and that's the EU AI act um and it deserves to have got this much attention it's really a landmark piece of legislation because it's the first attempt that we've seen globally to implement a kind of uh attempt to to regulate AI there are obviously initiatives that are happening in other places in the world uh but this is really sort of the the first attempt that we've seen to horizontally uh regulate all AI uh systems and so there is an expectation that we may see something of the Brussels effect with this act um it may you know Inspire other regimes uh or at least set a benchmark for what needs to be in place when we are developing and um designing and using AI systems so some of you may have seen the excitement in January we got an unofficial leaked version of the um text that have been provisionally agreed in December um last Friday the exciting news was that that act uh was uh finally approved and we have seen the final approved version now published um and we expect this to the ACT to really come into Force probably in Q2 the formal adoption vote is provisionally scheduled for the 10th or 11th of April uh and after that vote happens um it should be published in the official journal and then trigger the implementation periods under the act so and I'll talk a little bit about those but spoiler alert um there is going to be quite you you know potentially a bit of time there for organizations who are caught uh to comply so who really needs to be paying attention to this act well um at its heart this is really a product safety and product liability piece of legislation um and so most of the responsibilities and obligations fall on the providers I.E the developers of AI systems that are high risk and we'll talk a little bit about what that means in a second um and more generally it applies a risk-based approach to regulating AI systems so as I say the bulk we've got certain um you know certain AI systems that are going to be absolutely banned outright um and those provisions and and those th that section of the ACT is actually going to come into effect the most quickly so we'll see the those uh prohibited AI systems you're going to not be able to to to use those within six months of the ACT coming into effect um and then we've got certain Provisions as I mentioned that are designed to regulate what we call highrisk AI uh systems and these are where the bulk of the obligations uh are going to apply and they're going to apply as I say principally to the providers I the developers of those AI systems so I think Google Microsoft meta open AI anthropic those guys and more um there's also going to be transparency and other specific requirements for what we call general purpose AI models um including Foundation models and generative AI um and then kind of moving down the tier of risk there's going to be Provisions that uh or regulation um that applies to any AI systems that interact with uh people I think chat Bots and they'll be subject to certain transparency obligations but then other AI systems are are not really subject to substant uh substantive requirements under the act as I say the bulk of them are going to hit the highrisk AI systems so with that said what is a prohibited system and what's a highrisk system so we've done extensive uh or the field Fisher team have done extensive webinars that go into real detail into the provisions of the AI act which I really encourage you to listen to uh the most recent one was kind of done I think on um a couple of weeks ago and we'll we'll provide links to those in the notes uh for this session um but broadly speaking um the prohibited AI systems include certain AI systems for biometric categorization and identification including uh those for untargeted scraping of facial data from the internet so I think Clear View and that mass scraping of of images to build a biometric database that's going to use be used to kind of categorize people based on things like sensitive grounds it also includes AI systems that deploy subliminal what we what the app refers to as subliminal techniques or exploits fun vulnerabilities or manipulates human behavior to circumvent fundamental rights or cause physical or psychological damage quite a broad uh and potentially ambiguous reference there but I think this is really trying to capture things like you know creepy toys that might include um AI systems that are there to sort of deceive children in some manipulative way um it also includes AI systems uh for emotion recognition um in law enforcement or for workplace and education those are banned um also banned at AI systems for social scoring evaluation or classification of people or groups uh over a period of time based on their social behavior so this is really kind of looking to China and other places where we've seen some fairly aggressive and and intrusive social scoring that's that's done on people there with negative real negative consequences for them um so those will be banned and and clearly if you're doing or have an AI system that you're developing or using that falls within any of those band uh prohibited uh lists or types then that's something you're going to have to act quickly to to stop doing but really where the focus of this regulation is is really regulating those high-risk AI systems um and that includes products that already subject to existing product safety legislation so again toys vehicles um airplanes things like that so if you've got an AI system that's embedded in any of those types of products or form a part of the safety component for those products then you're going to be it's going to be deemed a high-risk AI system but it also includes um AI systems that are used for sort of critical infrastructure like water gas and electricity or used to determine access to education systems um I think most notably in one where it may catch a lot of our clients is potentially the the uh bucket of AI systems using Recruitment and employment so if your system is being used or designed to help with the placing of job ads or scoring candidates or reviewing job applications that is going to be deemed a highrisk system both as if you're a developer and then if you're a user of that system you're going to have certain transparency obligations and then AI systems that are used for law enforcement Asylum and border control type scenarios or for influencing the outcome of democratic elections or processes and or used in insurance and Banking and in and banking sectors so it's not a Clos list and it could be supplemented in the future um as um you know as we get guidance and and other um sort of outcomes that come from um The Regulators but I think it's fair to say that the a number of those highrisk use cases probably don't capture a large number of organizations directly as developers unless you're designing which you know I think which is going to capture the most people those systems that are involved in Recruitment and employment so that might give some uh Comfort to those who are a little bit scared that the um EU AI Act is going to directly grab them I think it's you need to be mindful of the fact it's really only capturing those high-risk AI systems and then those who are using those systems are subject to obligations but they're slightly more light touch so if you are um designing using a higher risk system lots to do there you're going to have to put in place Risk Management Systems uh data governance measures there'll be technical documentation requirements record keeping requirements as well as transparency requirements um and then you'll also be subject to various procedural obligations around ensuring that you've got C markings that you're registering your system in a database as well as certain reporting obligations so lots to do if you're caught less so if you're not caught as a highrisk system the other sort of area which I think is going to catch um a few people is or a number of organizations is the provisions which regulate uh general purpose AI so this is really trying to capture your foundation models the generative AI um and that's going to be subject to a number of obligations if you are a developer of those systems um you're going to have to meet certain transparency requirements um there is extra obligations for those uh systems those general purpose AI systems that involve systematic risk um they're going to be subject to more stringent model evaluation requ requirements uh risk assessment requirements as well as certain cyber security and Energy Efficiency requirements it's quite a lot to do there um so as I said we you know we wanted to give you a quick overview in this um session but we encourage you if you want more detail to go and really listen to some of our more detailed webinars on the eua ACT it's a beast of a legislation it's over 258 pages so more than we can cover it in this session today um but um hopefully that gives gives you a good sense there and the reason we've given it to Chili's is because a number of the provisions are really going to only apply um two years after the law uh comes into effect so really we're looking at 2026 for lots of the um substant Provisions to start to kick in and regulate uh those high-risk systems and even 36 months from uh for some other highrisk systems um if you're a a provider of a general purpose AI system you've got a little less time there's going to be you've got a year to get up to compliance uh but everybody else in that high risk bucket has got between 24 and 36 six months to get their compliance up to speed so absolutely not a piece of law to be ignored it's got some really uh you know far-reaching consequences potentially those who involved in um processing that hits or or is um implicated with high-risk providers of high-risk systems and such like but um we've got a bit of time to comply there um and we're also waiting on quite a lot of extra guidance and codes of conduct that were expected to be released um under the ACT uh which will hopefully help organizations kind of navigate what they need to do to comply with this with this uh legislation okay so we can't not mention the UK's um digital regulation development so we're not going to spend too much time on them here uh there are lots of initiatives out there but there are only a few that are or have recently pushed through the legislative process and it's questionable whether others will make it through the next round of elections in the UK so the key one to keep in mind is the Online safety act and my colleagues have recorded a podcast on the Osa recently which you can find um on our Biz legal updates Channel which is well worth a listen um for more detail on this but in a nutshell the UK's Osa finally entered into force in October last year and aims to make the UK the safest place in the world to be online by cailing illegal content protecting children from online harm and giving adults more Choice over what they see online now the Osa doesn't bring a sudden influx of regulatory changes relatively few of the provisions come into Force immediately but it marks the beginning of a long process ofcom the UK regulator will be implementing the Osa in phases um and it's published its roadmap for that the first phase of the implementation will be on illegal harms and during each phase ofcom will be Consulting on draft guidance and codes of practice before each set of codes is approved by Parliament um so if you're c as an inscope service for that it's one to keep an eye on as those consultations and guidance um are announced and speaking of consultations just this week the UK government announced their response to their AI consultation um which opened last May doesn't um reveal anything concrete as such yet um and there were added questions to the consultation but the response did indicate that key Regulators so that's uh ofcom competition and Market Authority and the io should publish their plans on how they will comply with the government's AI white paper which previously set out different principles for AI governance um by the end of April so more um guidance to keep an eye on for that but no immediate action required so the key takeaway of this webinar is it's spicy out there but we have varying levels of heat so it's important to plan your EU digital agenda ingly you can prepare Now by ensuring good data privacy hygiene and bolstering your compliance programs well thanks for tuning in um we've referenced a number of our um podcasts and webinars um particularly the Osa one DSA webinar and the um eui act one you can find those um over on our uh YouTube channel and the podcast you can find by searching bite-sized legal updates um will F push your data and digital on your usual podcast Channel next up in March we've got a webinar which will which will be me again to be hearing my voice again um my colleague Moira and that will be on employee monitoring Trends and risks um so you uh keep an eye out for that and otherwise thanks thanks for listening hope you all have a good day yeah thanks everyone