Intellectual property

Focus on…

Intellectual property
By

The EU Artificial Intelligence Act – Regulation (EU) 2024/1689 – (hereinafter referred to as the "AI Act") has been in force since 1 August 2024.

Since then, many companies have been seeking clarity on whether they are affected by it. Given the potential for significant financial penalties in the event of violations, this is an essential question. The technical complexity and comprehensive legal framework of the AI Act present significant challenges for many. This article provides an overview of key questions companies should ask to determine whether the AI Act applies to them.

Am I Using an AI System, and Is It Covered by the AI Act?

The AI Act is based on the premise of an AI system. The definition of an AI system is intentionally comprehensive to encompass software that presents the typical risks associated with AI. The ability of the system to adapt and to infer, that is to say to engage in learning, reasoning and modelling processes, are key criteria.

An AI system may comprise one or more AI models, a user interface, or other components such as content filters or information processing systems. It is therefore possible that software which initially appears unremarkable may also fall under the scope of the AI Act if it forms part of an application or product. For example, the question of whether a customer chatbot on a company's website qualifies as an AI system under the AI Act requires an individual and comprehensive examination of various factors, possibly involving the assistance of experts.

The broad interpretation of AI systems has resulted in numerous software solutions that are now indispensable to the day-to-day operations of companies being subject to the AI Act. This has significant implications for industries and sectors such as quality control, logistics, financial services, and security, where AI is becoming an increasingly crucial technology. Examples of AI in action include machines that perform quality inspections as part of the production chain, algorithms for monitoring warehouse capacity, programs that process large amounts of data for personalised investment recommendations, and chatbots. Additionally, AI is present in many of the software applications we use daily, including search engines, streaming services with recommendation algorithms, voice assistants, facial recognition software, navigation systems, autonomous driving assistance systems, as well as in word processing and translation programs.

What Is My Role in Using the AI System?

The AI Act targets a broad range of entities and differentiates between providers, importers, distributors, and operators. While the majority of companies are unlikely to be importers or distributors, it would be prudent to examine the criteria for being a provider or operator in closer detail.

A provider is defined as the individual or entity responsible for developing or having developed an AI system or model and subsequently placing it on the market or putting it into operation under their own name. It should be noted that other individuals may subsequently be classified as providers. This may occur if they attach their name or brand to an AI system that has already been placed on the market or put into operation, make a significant change to such an AI system, or change the purpose of such an AI system so that it is classified as high-risk. In practice, this means that making changes to the purpose or retraining an AI system can be sufficient to make someone a provider.

An operator can be any natural or legal person, including authorities, institutions, or other entities that use an AI system under their own responsibility.

Is the Nature of My Use Covered by the AI Act?

It should be noted that not every use of an AI system falls within the scope of the AI Act. It is therefore important to ascertain whether your use may be exempt from the scope of the legislation.

In certain circumstances, an exemption may apply if services, procedures or components covered by the AI Act are provided free of charge and with disclosed parameters. There are also specific exemptions for scientific research and development, provided that testing does not occur under real-world conditions. Another exemption applies to operators if the use is exclusively for personal, non-professional purposes. Furthermore, certain exemptions apply to law enforcement authorities.

Outlook

The reality is that many companies are already utilising AI systems in their IT architecture or digitised production without being fully aware of it. While the AI Act will be implemented gradually, it is crucial for companies to conduct a comprehensive review now to ascertain whether and to what extent their activities fall under the AI Act. It is advisable to consider this aspect when acquiring new IT solutions that increasingly rely on AI or new digital production technology. The measures to be taken will depend on the risk assessment of the AI used and the role of the company. These may include the establishment of a quality management system, comprehensive documentation, reporting and registration obligations, and compliance verification.

In the event that the AI Act applies, it would be prudent to swiftly consider these measures in light of the potentially significant financial penalties.

The Intellectual Property and Information Technology team at Binder Grösswang is available to assist you with the practical implementation of the AI Act.

Please Note: The information provided is for general guidance only and does not constitute legal advice from Binder Grösswang Rechtsanwälte GmbH. It is not a substitute for seeking individual legal advice. Binder Grösswang Rechtsanwälte GmbH accepts no liability of any kind for the content and accuracy of the blog.

Author:

Ivo Rungg

News & Developments
ViewView
Intellectual Property

"black Friday" - Now Freely Usable For Promotions In Austria

Black Friday is unquestionable one of the most profitable and busiest days of the year for retail, particularly online. Worldwide almost all online store do offer sales or special promotions on Black Friday or Cyber Monday. Already after this practice has established online, a trademark for "BLACK FRIDAY" was registered in Germany back in 2013. In 2016 a Chinese company acquired the trademark and then filed in 2017 for its extension to Austria. Based on the registered trademark, it granted exclusive rights to an Austrian company, which licensed usage rights to various partner stores against remuneration. Further, an exclusive "Black Friday-Cooperation Program" was established. Non-partners who used the event name or trademark were prosecuted and requested to either pay a license fee or refrain from running Black Friday promotions. Some followed the request and entered into license agreements. Some, however, did challenge the validity of the trademark. Finally, respective proceedings to check the actual protection of the trademark were initiated. Austrian courts now held that the trademark "BLACK FRIDAY" is not protected in Austria. Black Friday is unquestionable one of the most profitable and busiest days of the year for retail, particularly online. Worldwide almost all online store do offer sales or special promotions on Black Friday or Cyber Monday. Already after this practice has established online, a trademark for "BLACK FRIDAY" was registered in Germany back in 2013. In 2016 a Chinese company acquired the trademark and then filed in 2017 for its extension to Austria. Based on the registered trademark, it granted exclusive rights to an Austrian company, which licensed usage rights to various partner stores against remuneration. Further, an exclusive "Black Friday-Cooperation Program" was established. Non-partners who used the event name or trademark were prosecuted and requested to either pay a license fee or refrain from running Black Friday promotions. Some followed the request and entered into license agreements. Some, however, did challenge the validity of the trademark. Finally, respective proceedings to check the actual protection of the trademark were initiated. Austrian courts now held that the trademark "BLACK FRIDAY" is not protected in Austria: The court held that the word "BLACK FRIDAY" cannot be monopolised in Austria, since it lacks of distinctiveness. The term is mere generic. Therefore, the international registration for Austria has been refused. The decision is final and enforceable. Thus, anyone may use the popular advertising term "BLACK FRIDAY" in Austria for free without the need of entering into license agreements and to pay remunerations. If a company entered into a license agreement in the past, one may possibly challenge the payment obligation thereunder. However, the decision covers only the word trademark. Any registered sign combining a distinctive word and figurative design with the term is not covered. Further, no one is entitled to make the impression to be member of the Black Friday-Cooperation Program without having entered into a respective agreement. Thus, any promotion using the term Black Friday should be checked to comply with the outlined framework. The decision is also limited to Austria. In other jurisdictions, the trademark might still be enforceable, although also challenged. In Germany, for example, the basis mark is challenged in court proceedings which is now pending before the Federal Patent Court as court of appeal. Thus, one has to be cautious with for e-commers business typical cross border marketing campaigns not to infringe still valid registrations in other jurisdictions. Axel Anderl, Managing Partner and Head of the IT, IP and Data Protection Practice at DORDA Rechtsanwälte GmbH Alexandra Ciarnau, Associate and member of the IT, IP and Data Protection Practice at DORDA Rechtsanwälte GmbH
DORDA Rechtsanwälte GmbH - October 28 2019
Intellectual Property

Austrian Data Protection Authority Issued The "black List"

Processing operations subject to the requirement of a data protection impact assessment. Following the "White List", the data protection authority has now also issued the long-awaited "Black List" in form of a binding regulation. This provides greater clarity as to when Data Protection Impact Assessments ("DPIA") are actually to be carried out in practice in Austria. As already in the draft, the regulation does not provide an exhaustive list of processing operations that are subject to the requirement. Rather, the regulation specifies criteria - some of which require further interpretation - which shall make it necessary to carry out a detailed examination. Art 35 GDPR establishes the requirement for controllers to carry out and continuously update DPIA if the data processing is associated with a "probably high risk" for the data subjects. In practice, however, it is sometimes difficult to assess when such a high risk is to be expected. Art 35 Para 5 GDPR therefore stipulates that the Data Protection Authorities shall provide a list of processing operations ("Black List") which are subject to the requirement of a DPIA in any case. This shall make the vague criteria more tangible for the controllers and processors and at the same time to serve as an aid to interpretation. After a first draft of the Austrian Data Protection Authority had circulated a few weeks ago, the corresponding regulation of the authority on processing operations for which a data protection impact assessment is to be carried out ("DSFA-V") was published on 9 November 2018. As previously explained by DORDA data protection experts, this is a supplement to the existing Austrian White List, which as opposite exempts certain processing operations from the obligation to carry out a data protection impact assessment since 25 May 2018. In a nutshell, the recently issued Black List distinguishes between processing operations where a DPIA must already be carried out in the case of one criterion and those where at least two different criteria must apply cumulatively in order to trigger this obligation. However, data processing operations that are already included in the White List are expressly excluded from the requirement of a DPIA. This establishes a meaningful link between the two lists. In practice, both regulations have to be reviewed in parallel when assessing the necessity of a DPIA. The issued Black List largely corresponds to Data Protection Authority's previously published draft. One welcomed aspect is that the critical comments on the draft by European Data Protection Board - which is also chaired by Dr Jelinek - have been taken into account: For instance, the mere existence of joint controllers as a trigger for an obligation to carry out a DPIA has finally been deleted. As a result, each of the following criteria for itself triggers the requirement for a DPIA: Ratings or classifications (including profiling and forecasting) in case of potential adverse effects; Profiling and automated decision making; Monitoring, surveillance or control of data subjects, in particular in public areas; Data processing using or applying new or advanced technologies or organisational solutions, in particular artificial intelligence or biometric data processing; Merging and/or comparing data sets resulting from more than one processing operation, where such merging and/or comparing may lead to adverse decisions; Data processing in the personal area - even with consent With regard to employment relationships, there is a (reasonable) exception for processing operations already authorized by a plant agreement (consent of the works council) or the consent of the staff representatives. This is most likely based on the appreciated consideration that in such cases the involvement of a concrete body who represents data subject's interests and thus ensures control of the measures and sufficient reconciliation of interests. Thus, no further examination is required. A data protection impact assessment shall also be carried out if at least two of the following criteria are met:         · Large-scale processing of special categories of personal data;         · Large-scale processing of data on criminal convictions and offences;      · Collection of location data as defined in the Telecommunications Act (Telekommunikationsgesetz – TKG); ·  Processing of data on persons in need of higher protection (e.g. minors, employees, patients, mentally ill persons and asylum seekers); · Merging and/or comparing of data sets from several processing operations, provided that they are processed for purposes other than originally intended. However, it is still unclear what "large-scale" processing means. Recital 91 only provides the well-known negative definition that data processing should not be considered to be on a large scale if the processing concerns patients or clients of an individual physician or lawyer. At the same time, however, it is not possible to deduce when the threshold of large-scale processing is reached. Both regulations - Black and White List – now provide for greater clarity as to when and under what circumstances a DPIA is required. Nevertheless, in practice, there is still room for interpretation due to the purposes and criteria, some of which are only roughly explained. It will therefore be up to the practical exercise and, above all, the decisions of the national Data Protection Authorities and, in particular, the European Court of Justice, to provide for sharper distinctions in this regard. Authors: Axel Anderl, Felix Hörlsberger, Nino Tlapak, Dominik Schelling, Alexandra Ciarnau
DORDA Rechtsanwälte GmbH - October 28 2019