With the start of the new year, we always weigh up what happened over the past 365 days, reviewing not only the present, but also what is to come. The same thing happens in matters of privacy and data protection, which is why we have decided to take a look ahead and see what topics will be discussed in 2023. These won’t be the only topics that we legal professionals will have to work with, but they will be three of the most interesting.
1. The Regulatory Framework Proposal on Artificial Intelligence (Artificial Intelligence Act)
For years the European Commission has had the firm intention to regulate the use and development of Artificial Intelligence (AI) systems, although there is still not a definitive text. The reason that a regulation has been chosen as the legal instrument to develop this matter is the need to uniformly apply the new rules, such as the definition of AI, the ban on specific harmful practices that AI would make possible, as well as the classification of AI systems.
The Proposal follows a risk-based approach and only imposes regulatory sanctions when an AI system is likely to pose high risks to fundamental rights and safety. In this way, the focus distinguishes between the uses of AI that generate: (i) an unacceptable risk, (ii) a high risk, and (iii) a limited or minimal risk. The list of prohibited practices (article 5) covers all AI systems whose use is considered unacceptable due to being contrary to the Union’s values (for example, due to violating fundamental rights) or which have a great potential to manipulate people through subliminal techniques that take advantage of the circumstances of specific vulnerable groups (such as minors or people with disabilities) to substantially alter their behaviour in a way that is harmful both to themselves and to others.
As European Regulations are directly applicable, they aim to reduce legal fragmentation and facilitate the development of a single market for legal, safe and reliable AI systems.
2. TrustPid or the Telco Supercookie
A few months ago, we started talking about a new identification system for advertising called “TrustPid”, known as the “Telco Supercookie”.
What is it? Vodafone, Telefónica, Orange and Deutsche Telekom have created a new joint venture (and have submitted their proposal to the European Commission) whose goal will be to develop a new digital identification system that will track users’ browsing habits and preferences through a digital token (TrustPid) which assigns a fixed IP to each client. Therefore, this cookie will not be placed on our computer, mobile device or browser, but rather at the level of the Internet Service Provider. Its function will be to track clients to create pseudo-anonymous profiles through the data obtained, so that advertisers and publishers will be able to use the information to show advertising and personalised content for users.
These digital cookies cannot be rejected or blocked by the browser, but they can be disabled through a privacy portal that will be created for this purpose. According to the document submitted to the Commission, this privacy portal will also make it possible to review which brands and publishers have been given explicit consent for these purposes and will allow consent to be revoked at any time.
When will it be implemented? For the moment we will have to wait, as the European Commission must reach a decision on the matter by 10 February and afterwards the pilot tests would begin. In any case, it is clear that different operators are taking action with the goal of seeking alternatives to third-party cookies.
3. The Proposal for a Regulation for the European Health Data Space
The European Health Data Space will be the first shared health space in the EU and its main objective is to promote the exchange of health data and to support research on new preventive strategies, as well as on treatments, medicines, medical devices and results. As part of this matter, it is essential to ensure that citizens have control over their own health data.
The European Commission considers the European Health Data Space (EHDS) to be a health-specific ecosystem formed by common rules, standards and practices, infrastructure and a governing framework whose objective is:
- To ensure that people have greater control and digital access to their personal electronic health data, both at the national level as well as in the EU, and to support the free movement of data, promoting an authentic single market for electronic medical records systems.
- To offer a coherent, reliable and efficient framework for the use of healthcare data in research, innovation, policy formulation and regulatory activities.
- To improve the provision of health care, digital health services, as well as research on treatments, medicines, medical devices and results.
- To accelerate the security and responsibility of Artificial Intelligence in health and in the healthcare sector.
In short, this regulation aims to allow the EU to take full advantage of the potential offered by the exchange, use and reuse of health data in a secure manner with full safeguards.
The year has started, and as we can see, there are many topics with a major impact on the table. Apart from the topics covered here, we will also see how the new Digital Markets Act (“DMA”), the Digital Services Act (“DSA”) and the eIDAS 2 Regulation are being applied. The first two will have a major impact on digital platforms that operate within the EU. In turn, the eIDAS 2 Regulation promotes the implementation of a European electronic identity system which allows European citizens to have a digital identity that is recognised in every place in the European Union.
With all this in mind, we will continue breaking down these topics and much more throughout 2023.
Estrella Arana Gálvez
Data Protection Officer and Head of the Data Protection Area of PONS IP