Make IT clear - 03/2023

The Act contains an open catalogue of electronic communication abuse, due to the impossibility of identifying all forms of abuse in the light of rapid technological progress. Four specific (basic) forms of abusive communication have been identified:

• generating artificial traffic - this is the initiation of long, long-distance calls that do not carry any content (so-called deaf phone calls);
• smishing - these are fake text messages from a courier, bank or public institution containing, for example, a link to a website encouraging the submission of personal data or the transfer of electronic funds;
• spoofing - impersonating the telephone number of a trusted institution or other person and attempting to intimidate the victim or trick them into providing money or personal data;
• uauthorized change of address information - criminals modify the number they are calling from to make identification more difficult - this form of fraud is used, for example, to make billing for a call more difficult.

Telecommunications undertakings will be required to take proportionate organizational and technical measures to counter abuse of electronic communications. One such measure is blocking SMS messages that contain smishing content and blocking voice calls that aim to impersonate another person or institution.

From the effective date of the new rules, email providers for at least 500,000 users, 500,000 active accounts or public entities will be required to use SPF/DKIM/DMARC authentication mechanisms when providing email. Public entity email providers will also have to offer the use of multi-component authentication methods.

The President of the Office of Electronic Communications will maintain a list of telephone numbers used exclusively for receiving voice calls. Public finance sector units, banks and other financial or insurance institutions will be able to apply for a number to be included on the list. This solution will limit the possibility for fraudsters to impersonate employees of public offices or banks by using the hotline numbers visible on the public websites of these entities.

Between January 2022 and November 2022 alone. NASK's CSIRT identified a total of 38,999 domains that are designed to mislead internet users and defraud them of their data and funds. The bill includes a definition of an alert list - this is an open warning list of internet domains that are used to defraud data and disadvantage users.

The draft introduces a regulation under which anyone will be able to report to the NASK CSIRT an Internet domain that may be used for fraud. To simplify the procedure, the obligation to justify the report has been waived, although it will be possible. The NASK CSIRT will be able to put a domain on the warning list after verifying that indeed the primary purpose of the domain is to mislead and defraud internet users or to lead them to a disadvantageous disposition of property. The mechanism proposed by the International Telecommunications Union will be used, among others, to determine the 'primary purpose' of a website.

For failing to fulfil the obligations provided for in the draft law, telecommunications undertakings will be able to be fined, among other things, up to 3% of the revenue of a given undertaking generated in the previous calendar year. Abuse of electronic communication, as defined in the bill, will be criminalized. Anyone who commits artificial traffic, smishing, CLI spoofing or unauthorized modification of address information for the purpose of gaining a material or personal benefit or causing damage to another person will be subject to a penalty of imprisonment from 3 months to 5 years. 

A German citizen made a request under Article 15 of the GDPR to the main postal and logistics service provider in Austria, Österreichische Post, for information regarding the identity of the recipients to whom Österreichische Post provided his personal data. Österreichische Post provided only general information without indicating the exact identity of the recipients, but only the category of recipients. Österreichische Post, in the course of its activities as a publisher of address books, offered citizens' data to its business partners for marketing purposes. In addition, data was passed on to customers, including advertisers in the mail order and stationary trade sector, IT companies, address book publishers and associations such as charities, non-governmental organizations (NGOs) or political parties.

A citizen sued Österreichische Post and, as a result, the Oberster Gerichtshof, the highest court in Austria, deciding the dispute at last instance, referred a question to the CJEU for a preliminary ruling on the interpretation of Article 15(1)(c) of the GDPR:

• whether the GDPR leaves the controller the choice whether to disclose the specific identity of the recipients of the data or only the categories of recipients, and
• whether the GDPR grants the data subject the right to know the specific identity of those recipients.

In response, the CJEU clarified that the controller, when exercising the right of access to personal data, is obliged to indicate to the data subject, upon request, the exact identity of those recipients and not only the category of recipients. Such action is intended to guarantee the actual exercise of this right, which enables the exercise of other rights granted by the GDPR such as the right of rectification, the right to erasure ("the right to be forgotten"), the right to restrict processing, the right to object to processing, the right to a remedy in case of harm. 

Exceptionally, in specific circumstances, the controller may not provide the exact identity of the recipients when it is not (yet) possible to identify those recipients or when the controller demonstrates that the request is manifestly unfounded or excessive. This is the case when, for example, the processing serves archival purposes in the public interest, scientific or historical research purposes or statistical purposes. 

According to the GDPR, „recipient” means a natural or legal person, public authority, individual or other entity to whom personal data is disclosed, whether or not a third party. However, public authorities that may receive personal data in the context of a specific proceeding in accordance with Union or Member State law are not considered recipients. 

• Official press release:

https://curia.europa.eu/jcms/upload/docs/application/pdf/2023-01/cp230004pl.pdf

• Whole judgment: 

https://curia.europa.eu/juris/document/document.jsf?text=&docid=269146&pageIndex=0&doclang=PL&mode=lst&dir=&occ=first&part=1&cid=13227

The proposal for a new Directive on liability for defective products is based on the European Commission's evaluation of the current Directive 85/374/EEC on liability for defective products  (link: EUR-Lex - 31985L0374 - EN - EUR-Lex (europa.eu) as well as collecting evidence and opinions from a wide range of stakeholders.

The Expert Group on Liability and Emerging Technologies also prepared a report on "Liability for Artificial Intelligence and other emerging digital technologies„ (link: Liability for artificial intelligence and other emerging digital technologies - Publications Office of the EU (europa.eu))

In October 2022. The European Parliamentary Research Service (EPRS) published an evaluation of the existing directive (link: Aligning the Product Liability Directive with the circular economy and emerging technologies: Revision of Directive 85/374/EEC | Think Tank | European Parliament (europa.eu)).

Meanwhile, in January 2023. EPRS published a preliminary impact assessment accompanying the European Commission's proposal for a new directive on liability for defective products (link: Updating liability rules for defective products (europa.eu)).

• Reducing the burden of proof on consumers seeking compensation for damage suffered as a result of defective products.
• Making any economic operator who has substantially modified a product liable for any defect in that product.
• Introduce new rules on liability for products such as software (including artificial intelligence systems) and digital services that affect the way a product works (e.g. navigation services in autonomous vehicles).
• Introduce the possibility for consumers to receive compensation for defective products manufactured outside the EU. 

The next step is the consideration of the proposal by the European Parliament and the Council. In the European Parliament, the matter was assigned to the Committee on Legal Affairs (JURI), with Pascal Arimont (EPP, Belgium) as rapporteur.

We invite you to read the material available at the link:

New Product Liability Directive (europa.eu)