8.11.2023

Prepare for the new wave of digital regulation

Artificial intelligence is currently a leading topic in the business world. Many companies are intensively trying to understand the significance of AI for their businesses – both as a risk and an enabler. Legislators have not been idle either. In Finland, the new national legislation on automated decision-making by public authorities entered into force this year already, and in the EU, the AI Act will likely soon follow suit.

Many companies are still trying to figure out what AI means exactly. Legislators have had the same problem: the definition of AI and, consequently, the AI Act’s scope of application have raised a great deal of debate. Under the broadest interpretation, many common present-day software solutions could be labelled `artificial intelligence’. At the moment, however, it seems that the definition included in the Act will be somewhat narrower than the wording in the first draft. Even though the AI Act is not yet in force, every company that produces and uses technology should already find out the extent to which the new regulation could apply to it since the proposal includes obligations to both producers and users of AI solutions.

The AI Act introduces new regulatory techniques

The AI Act introduces regulatory techniques that are somewhat new to the general IT industry. The exact obligations imposed by the Act depend on the risk rating the Act gives to a particular AI solution, and the specific content of the obligations is also determined by standards separate from legislation in the same way as, for example, in product safety legislation. Even though the Act does include a set of obligations, many of them are relatively generally formulated in the Act itself. The idea is that the obligations will be specified in more detail in technical standards, and compliance with these standards creates the presumption of compliance with legislation. Even though it is only a presumption, we have long since learned from product safety legislation that in practice the standards form an integral part of the regulatory framework.

The supervision of AI solutions raises questions

The supervisory solutions related to the Act have also raised a lot of discussion. Since many AI solutions are, in practice, based on the processing of personal data, many issues related to AI, such as the use of customer data to improve the service itself and the transfer of data to third-country cloud services, are already familiar from data protection legislation. To avoid the problem of having several supervisory authorities, some have suggested that data protection authorities would be the natural choice for supervising AI as well. This solution is not, however, without problems.

Under the AI Act, high risk systems subject to the most severe restrictions would also include systems where the related risks do not necessarily concern the processing of personal data. For example, the suggested high risk rating of road transport and electricity supply systems is likely based on concerns other than those related to personal data, even though some personal data is processed in these systems. In addition, it should be taken into account that the regulatory techniques based on product safety and technical standards would be more or less new to data protection authorities. We will keep monitoring the development of the AI Act and its supervision arrangements with great interest. Perhaps some conclusions may be drawn from the fact that the suggested national supervisory authority for the EU Data Governance Act is the Finnish Transport and Communications Agency.

We are also interested in seeing how the contractual practices around AI will develop. For example, Microsoft has already released an update to its terms and conditions, defining liabilities related to AI-generated content. Now is the time to establish contractual and market practices, and many want to take part in steering the development.

The EU is revamping digital regulation

AI is not the only digital regulation project by the EU that provokes discussion among businesses, far from it. There are several ongoing regulatory projects, and the upcoming EU Data Act, for example, is a key aspect in the regulation agenda of many companies. Among other things, the Act will require device manufacturers to increase the transparency and shareability of the data collected by their devices.

We are here to support our clients through the change of digital regulation in terms of both AI and other solutions. If you wish to discuss AI, its regulation or other themes of this blog in more detail, please do not hesitate to contact the authors.

Latest references

We are acting as the lead counsel to Fortum in a cross-border transaction in which Fortum is selling its recycling and waste business. The business is sold to thematic impact investing firm Summa Equity through its portfolio company NG Group. The debt-free purchase price is approximately EUR 800 million. The transaction is subject to authority approval and customary closing conditions. Fortum’s recycling and waste business to be sold comprises municipal and industrial waste management and end-to-end plastics, metals, ash, slag and hazardous waste treatment and recycling services. These businesses are located in Finland, Sweden, Denmark and Norway and currently employ approximately 900 employees.
Case published 18.7.2024
We advised Andritz Oy, a part of ANDRITZ group, with their acquisition of all the shares in Procemex Oy. The acquisition further strengthens ANDRITZ’s automation and digitalisation portfolio. Procemex is a global leader in integrated web monitoring and web inspection solutions for the pulp and paper industry. It has a team of more than 100 vision systems experts and has subsidiaries in Germany, Japan and the US. ANDRITZ offers a broad portfolio of innovative plants, equipment, systems, services and digital solutions for a wide range of industries and end markets. ANDRITZ is a global market leader in all four of its business areas – Pulp & Paper, Metals, Hydropower and Environment & Energy. The publicly listed group has around 30,000 employees and over 280 locations in more than 80 countries.
Case published 18.7.2024
We successfully acted as the lead external counsel for Citycon Plc in an arrangement whereby Citycon outsourced its Nordic Accounting and Lease Administration operations and related workforce in Finland, Sweden, Norway, Denmark and Estonia to Staria Plc. The outsourcing is expected to take place as of 1 August 2024. With this outsourcing arrangement, Citycon aims to align the size and capabilities of the company’s finance organisation with its future development, ensuring it can adapt to meet the company’s needs at any given time. During the assignment, we assisted Citycon in drafting the necessary contract documentation and planning the contract negotiations and timetable. We led the outsourcing agreement negotiations and advised Citycon on employee transfer and data privacy related matters. We also coordinated legal advice for other in-scope countries. Citycon is the leading owner and developer of urban hubs in the Nordics and Baltics. Citycon’s 33 mixed-use, necessity-based centres are located in the major cities in Finland, Sweden, Norway, Denmark and Estonia. Citycon transforms unique locations into sustainable communities and cities full of life, serving 140 million people each year and delivering long-term share value. Citycon brings value to communities by developing urban hubs for living, working, socialising and shopping. Citycon has extensive experience as an urban developer and uses its expertise in creating mixed-use centres that include retail, offices, hotels, housing, food & beverage as well as healthcare, culture and leisure services.
Case published 13.5.2024
We acted as Zendesk, Inc.’s Finnish legal counsel in its acquisition of Ultimate Enterprises Oy, an industry leading provider of service automation using AI technology. The cross-border acquisition was completed in cooperation with the transaction’s lead counsel Allen & Overy. Zendesk is a leading global technology company that provides software-as-a-service and customer experience (CX) products based in the US. The acquisition of Ultimate expands Zendesk’s AI-powered CX offerings.
Case published 26.3.2024