4 July 2024

SUMMER Newsletter

ARTIFICIAL INTELLIGENCE

Council of Europe Framework Convention on AI: 1st (binding) international treaty on AI

This Convention aims to ensure that the activities carried out as part of the life cycle of artificial intelligence systems are fully compatible with human rights, democracy and the rule of law, while at the same time being conducive to technological progress and innovation.

AI presents both opportunities and risks:

  • discriminatory practices in selection processes, particularly on the basis of gender or ethnic origin;

  • the undermining of democratic processes (for example, through the dissemination of false information or deepfakes);

  • invasion of privacy and personal autonomy;

  • misuse of artificial intelligence systems by certain states for repressive purposes.

The Framework Convention promotes and encourages innovation to minimise these risks and ensure that technological developments in the field of artificial intelligence are carried out in a responsible and ethical manner. It applies to the use of AI systems by both public authorities and private players.

The Convention imposes transparency and control requirements on Member States:

  • The decision-making processes and operation of AI models must be understandable and accessible to the stakeholders involved;

  • Users must be informed when they interact with AI;

  • States must take measures to ensure that those responsible for AI systems anticipate and mitigate risks;

  • They must assess the need for moratoria or bans on systems that threaten fundamental rights;

  • They must set up an independent body to monitor the application of the Convention.

Exceptions to these transparency obligations may apply in the interests of public order, national security or in the context of research and development activities.

Finally, States must provide individuals with remedies to challenge decisions taken by an AI in the event of a human rights violation.

The Convention will be open for signature by States in September 2024, including non-European countries. The Council of Europe has clarified that the Framework Convention on AI is compatible with the European Union’s regulation on AI, the AI Act, adopted in 2024.

FIRSH Tip: Firsh helps companies audit their AI systems and anticipate future regulations.

NEW TECHNOLOGIES

The European Regulation on Digital Operational Resilience (DORA): improving cybersecurity in the financial sector

The European Digital Operational Resilience Act (DORA) establishes cybersecurity and IT risk management rules for a large number of financial entities. It will come into force on 17 January 2025.

Its scope includes virtually all entities in the financial sector (credit institutions, investment firms, trading platforms, management companies), as well as third-party companies providing them with IT services for critical or important functions.

The regulation imposes the following obligations:

  • Implement an information and communication technology (ICT) risk management framework. This framework must include the implementation of governance and internal control rules, the development of a digital operational resilience strategy and the introduction of a comprehensive ICT business continuity policy;

  • Notify the relevant national authorities (in France: AMF or ACPR) of incidents identified as major and related to ICT;

  • Carry out digital operational resilience tests. Financial entities identified as systemic or with a high ICT risk will have to implement threat-based penetration tests simulating the modus operandi of real cyber attacks;

  • Manage the risk associated with the use of third-party ICT service providers, including new contractual requirements. Financial entities remain fully responsible for complying with the obligations of the DORA Regulation when using such third parties;

  • Cooperate between financial sector players in sharing operational information on cyber threats and vulnerabilities.

The Regulation introduces a principle of proportionality, allowing certain financial entities (particularly small ones) to benefit from a simplified regime, or even to be exempted.

Third-party providers of ICT services considered “critical”, i.e. likely to have a systemic impact on the stability, continuity or quality of the provision of financial services, are subject to a European-level supervisory framework.

FIRSH Tip: Firsh assists companies in carrying out an audit of their ICT services and helps them to update their contracts and draw up an ICT risk management framework.

 

PERSONAL DATA

Open data: the CNIL publishes its recommendations on opening up and re-using data published on the Internet

The aim of these recommendations is to reconcile the opening up and re-use of data published on the Internet with the challenges of protecting privacy.

These recommendations are aimed at “open data disseminators”, i.e. players (public authorities, companies, individuals, etc.) who make personal data available to the public in open data format, i.e. in a format that is open, easily reusable and machine-readable, and “data re-users” who wish to re-use all types of personal data published on the Internet for various purposes (scientific research and R&D, commercial prospecting, etc.).

The CNIL makes the following recommendations to both types of player:

  • The party processing the personal data must first determine how it qualifies under the General Data Protection Regulation (GDPR), since its obligations depend on that qualification;

  • A legal basis must be identified for the data processing project to ensure compliance;

  • Data subjects must be informed about the processing of their data, and in particular about its dissemination on the internet;

  • The rights of data subjects must be respected;

  • Data processing must be adequate, relevant and limited to what is necessary for the purposes for which it is intended;

  • The personal data processed must be accurate and, if necessary, kept up to date.

The CNIL also identifies specific recommendations concerning certain frequent uses of data by re-users, such as the re-use of data for the purpose of distributing directories of professionals, for the purpose of creating and enriching databases intended for commercial prospecting, for scientific research purposes (excluding health), and the extraction of data by public authorities as part of their missions.

For further information: https://www.cnil.fr/fr/ouverture-et-reutilisation-de-donnees-personnelles-sur-internet-la-cnil-publie-ses-recommandations

FIRSH Tip: Firsh helps companies to interpret and apply the CNIL’s recommendations.

INTELLECTUAL PROPERTY

What copyright for AI-generated works?

In the age of generative AI, we may well wonder about the rights of authors of works generated in this way.

Across the Atlantic, the first cases of this kind are coming to light. In 2024, the American author of a book based on texts generated on her instructions by ChatGPT obtained recognition of her copyright by the US Copyright Office (USCO). However, the protection granted remains limited to the “selection, coordination and arrangement of the text generated by the AI”. In other words, the author enjoys protection for the book as a whole, but not for individual sentences. In 2023, a similar case had already been examined concerning a comic strip with illustrations generated by Midjourney on the basis of indications provided by the author.

Under French law, the Intellectual Property Code protects the author of a “work of the mind” (art. L111-1). This work must be original, i.e. it must reflect the personality of its author. Human intervention is therefore essential. A work created in part with the help of AI could be protected by copyright if the human author intervened sufficiently in the creative choices.

FIRSH Tip: it is strongly recommended to read the general conditions of use of AI systems, which generally give details of copyright. For example, Midjourney reserves a “perpetual, worldwide, non-exclusive copyright licence” on the elements produced by users using the platform. Conversely, ChatGPT assigns all property rights over the output data to the users.

AI and music: when major US music labels sue generative AIs for copyright infringement

The major US music labels – Sony, Universal and Warner, represented by the Recording Industry Association of America (RIAA) – filed a lawsuit on 24 June 2024 against Suno and Udio, two music artificial intelligence (AI) companies, for “infringing the copyrights of their artists and labels”. The defendants allegedly trained their AI model on millions of tracks by artists who had signed contracts with these labels and had not given their consent.

The RIAA is asking for up to $150,000 per work whose copyright has been infringed.

So the question is: does the US Fair Use Act authorise generative AI services to collect large catalogues of copyrighted music?

Derived from American legislation and case law, Fair Use is a set of legal rules applicable in countries that have adopted the Common Law legal system. It constitutes a set of limitations and exceptions to the use of works protected by copyright. The owner of a copyright cannot prevent another person from using the work if that use meets certain criteria (the commercial nature of the use, the nature of the protected work, whether or not the extract used is significant in relation to the work as a whole, and the effect of the use on the potential market for the work or its value).

In France, exceptions to copyright are listed exhaustively in Article L.122-5 of the Intellectual Property Code.

FIRSH tip: it is advisable to ensure that the planned exploitation of an initial work via an AI system does not infringe the applicable legal framework in terms of intellectual property and may fall within one of the exceptions provided for by law.

SECURING THE DIGITAL SPACE IN FRANCE

Publication of the law aimed at securing and regulating the digital space (SREN law)

Law no. 2024-449 of 21 May 2024 aimed at securing and regulating the digital environment, known as the SREN law, was published in the Journal Officiel on 22 May.

It focuses on three main areas: protecting minors and citizens online, combating misinformation and illegal content on the Internet, and strengthening the powers of Arcom and CNIL in application of the European Digital Services Act (DSA) and Digital Markets Act (DMA) regulations.

  1. Protection of minors and citizens online

  • Obligation for pornographic sites to comply with an Arcom standard setting minimum technical requirements for age verification systems providing access to their content. In the event of non-compliance, Arcom will be able, following formal notice, to block pornographic sites that do not check the age of their users and remove them from search engines within 48 hours (art. 2).

  • New powers for judges, who will be able to impose an additional penalty of a six-month “ban” from social networks (one year in the event of a repeat offence) for people convicted of online hate, cyber-harassment or other serious offences (child pornography, pimping, etc.).

  • Raising awareness among secondary school pupils of the risks associated with AI-generated content and among students of sexist and sexual cyber-violence.

  2. Combating disinformation and illegal content

  • Arcom has been given new powers. It will be able to order operators to block, within 72 hours, the broadcasting on the Internet of a “propaganda” channel from foreign media affected by European sanctions (such as Sputnik or Russia Today France). In the event of non-compliance, it will be able to order the blocking of the site concerned and impose a fine of up to 4% of the operator’s turnover or €250,000.

  • Introduction in article 226-8 of the Criminal Code of an offence specific to deepfakes, AI-generated content representing a person without their consent, punishable by one year’s imprisonment and a €15,000 fine.

  • Introduction in article 226-8-1 of the Criminal Code of an offence specific to pornographic deepfakes, punishable by two years’ imprisonment and a fine of €60,000.

  3. New powers for regulatory authorities under the European DSA and DMA regulations

  • These two European texts impose obligations on digital giants.

  • Under the DSA, Arcom is designated as the “digital services coordinator” in France. The Direction Générale de la Concurrence, de la Consommation et de la Répression des Fraudes (DGCCRF) becomes the authority responsible for monitoring compliance with the obligations of market place providers. The Commission Nationale de l’Informatique et des Libertés (CNIL) will be responsible for ensuring that platforms comply with the restrictions on advertising profiling (ban on the use of sensitive data or on minors).

  • With regard to the DMA, the Autorité de la concurrence and the Ministry of the Economy will be able to investigate, receive information and cooperate with the European Commission on the practices of access controllers, within the framework of the “European Competition Network”.

For further information: https://www.vie-publique.fr/loi/289345-loi-du-21-mai-2024-securiser-et-reguler-lespace-numerique-sren#le-cloud-les-locations-touristiques-les-jonum.

 

« FIRSH » NEWS

Portrait of Claire Poirson in the Bulletin du Barreau

Our founding partner, Claire Poirson, was honoured to be interviewed by journalist Louis Doucet and to have her portrait published in the Bulletin du Barreau.

She answered a few questions about her life, her career and her vision of the legal profession, which led her to found her own firm, FIRSH, specialising in intellectual property, information technology and data law.

“I wanted my freedom and to practise according to my values, as close as possible to our oath of office and the expectations of society, a firm that is a ‘good citizen’ and open to the technological and environmental challenges faced by our clients”.

This is one of the reasons why FIRSH is a company with a mission, advising start-ups and groups on emerging human-centred technologies. FIRSH has also been appointed as a Member of the France 2030 Digital College by the General Secretariat for Investment in relation to innovative tech and AI projects. To take things a step further, Claire Poirson has set up her own legal laboratory, FIRSH LAB, which works on the law of tomorrow and best practice in the use of tech.

Her values are also reflected in her commitment, as vice-president of the Association française des femmes juristes (AFFJ) and vice-president of 2GAP, to gender equality and shared governance, to the presence of women in the media and on the executive committees of French companies, and to helping refugees.

“I’m sure that these two commitments nourish me. Commitment to a cause, whatever it may be, lifts us up, so I’m a better lawyer for my clients when I take part in these collective actions”.

Link to the article: https://fr.zone-secure.net/109394/2097543/#page=19&utm_medium=email&utm_campaign=Le%20Bulletin_10_2024

Find out more about Firsh’s contributions to the advancement of law and innovation:

  • Claire Poirson’s participation in the round table entitled “AI and the customer journey: risks, opportunities or necessity?” at the Rencontres de la Gestion conference

  • Co-organisation by Claire Poirson of a webinar on the European NIS2 Directive and its transposition into French law, with Bruno Grunemwald, Director of Public Affairs at ESET France

  • Participation by Claire Poirson in the round table entitled “The promise of AI for tomorrow’s mobility” as part of the opening event of Mobilités Innov’ organised by the Agence de l’Innovation dans les Transports at the Musée de l’Air et de l’Espace.

  • Organisation by Claire Poirson of a conference on the French and European legal framework for networks, AI and disinformation with the FAKE OFF journalists’ collective

In June, Firsh assisted clients with the following projects:

  • Negotiating the terms of a framework agreement between a perfume designer and a major cosmetics and perfumery brand

  • Settlement of a case involving copyright infringement in the furniture sector

  • Negotiation of a confidentiality agreement for a client with a highly innovative and strategic project in the field of energy and the environment

  • Taking steps to protect software with the Agence pour la Protection des Programmes and drafting escrow agreements

  • Application of enforcement procedures as part of a legal dispute following the seizure of bank accounts under commercial law

  • Personal data audit for a client supplying software in SaaS mode based on a generative AI system

📢 To follow us on LinkedIn and receive our newsletter, click here: https://www.linkedin.com/company/firshlaw/

📢 There is no direct collection of your personal data and therefore no emailing from FIRSH!
