An anti-obscenity association issued a proposal for an Act on Protection of Minors against Pornographic Content on 16 December 2019. It has gained the official support of the Family Council, which recommended to the Prime Minister that the proposal be adopted for further legislative work. The Minister of Family, Labour and Social Policy announced that work on the bill should conclude in the first half of 2020. The need to restrict children’s access to pornography is obvious, but the proposal has generated much controversy, mainly due to the proposed mechanism for age verification, which may invade internet users’ privacy. The proposal would also impose additional obligations on telecommunications operators, electronic service providers, and payment service providers.
Author: Adam Polanowski
Verification of age to access pornographic content
New technologies in the AML/CFT National Risk Assessment
On 17 July 2019 the General Inspector of Financial Information (GIIF) published Poland’s first AML/CFT National Risk Assessment. This document of nearly 450 pages was prepared pursuant to the new Anti Money Laundering and Counter Financing of Terrorism Act, which introduced regulations requiring GIIF to prepare a national assessment and update it periodically.
Can a user’s account be accessed through screen scraping?
The EU reform of the payment services sector is now entering the last straightaway. One of the key changes launched by adoption of the revised Payment Services Directive (PSD2) was introduction of new types of payment services which require access to the user’s payment account using a type of interface defined in the regulations. The duties connected with such access rest on the providers operating the accounts, which have a choice between creating a dedicated “application programming interface” (API) or upgrading their existing user interface system. Both solutions are to a certain extent linked with the earlier known and controversial method of screen scraping.
What is screen scraping?
Screen scraping is automated harvesting by a computer program of data presented in visual form, usually not adapted for machine reading. The data obtained in this way may derive from various sources, such as websites displayed by a browser, computer programs, or mobile applications.
Could businesses be sued for data leaks?
When hackers exploited vulnerability due to software not being updated at a US credit agency, important data of millions of customers in the US, Canada, and the UK were leaked. The US federal authorities have launched an investigation that could lead to millions in fines. Bosses at the firm were questioned in a congressional hearing and the agency is facing the largest class action in US history. This sounds like the plot of a financial thriller, but the Equifax case did in fact happen and is a lesson for the future.
Apart from disrupting business activity, causing financial losses, and damaging a firm’s image, hacking can also lead to severe fines for failing to comply with personal data protection or cybersecurity regulations. Businesses which are victims of cybercrime might also be liable towards customers and employees for loss or leaking of important data. Compensatory liability is also possible under Polish law in cases of this kind, and may affect anyone. Cybersecurity reports show that approximately three quarters of businesses have experienced a cybersecurity incident of some kind, and these statistics are unlikely to fall in the near future. Former FBI director Robert Mueller summed up this situation well, saying “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again”.
Prosta Spółka Akcyjna: a list of shares in a dispersed database
A proposal presented in May by the Ministry of Entrepreneurship and Technology for amendments to the Commercial Companies Code provides for a new type of capital company – Prosta Spółka Akcyjna (PSA). This legislative proposal has been criticised for an excessive amount of regulation and complexity of the provisions, and also has been welcomed for achieving the principal goal of the initiative, which is making the legal environment suitable for start-ups. This article discusses the section of the amendment that deals directly with new technologies.
Private enforcement under the GDPR
While the new data protection regulation provides for severe administrative penalties for failure to comply, it is well known that whether a penalty is effective is determined not by its severity but by its inevitability. Even though the personal data protection authority has been given broad powers, it does not have adequate means of exercising them. A solution could be a private enforcement mechanism within the regulation, whereby any person whose data has been breached can independently seek a judicial remedy.
Private enforcement is being used more and more as an addition to the public law mechanism for the enforcement of regulatory provisions. This solution has been introduced recently in compensatory liability cases for breach of competition law. A solution of this kind is also possible under the GDPR.