The Metaverse and its Regulation

The metaverse could be considered the greatest technological revolution of recent years. Since its recent inception, it has become the central focus among technological advances. This concept refers to a three-dimensional virtual reality, where individuals can interact through avatars much like they do in reality. The metaverse will allow us to study, hold work meetings, attend concerts, go shopping and engage in a long list of activities, many of which are currently beyond the imagination. The reality is that the metaverse is still early in its development. Certainly, it is mainly used today for the development of leisure activities and especially for video games, but its applications will continue to grow exponentially.

There is no doubt that the evolution of the metaverse is unstoppable, so it is becoming urgently necessary to regulate the legal aspects that derive from it, encompassing matters such as data protection or cybersecurity.

Currently, regulatory frameworks exist both at Spanish and European levels, which can serve as a basis for the resolution of potential problems that may occur in the development of the metaverse. In the EU, the General Data Protection Regulation (GDPR), the Digital Services Act, the Digital Markets Act and the Cybersecurity Act are all pertinent, among others. In Spain, the Ley Orgánica de Protección de Datos y garantía de los derechos digitales (LOPDGDD), which transposes the GDPR, and the Ley de Servicios de la Sociedad de la Información (LSSI), which regulates the electronic procurement of goods and services, constitute the main regulations to deal with the metaverse phenomenon for the time being.

Obviously, these rules do not cover the abundance of situations and conflicts that will have to be resolved in the coming years; for now, the aforementioned pieces of legislation will have to be subsidised with the common Spanish contractual and consumer protection law.

The Agencia Española de Protección de Datos (AEPD), the Spanish data protection authority, has recently focused on the metaverse and its privacy risks. This body acknowledges that the metaverse is made possible as a result of the development and expansion of a multitude of technologies in constant evolution which interact in the metaverse, such as internet of things (IoT), artificial intelligence (AI), blockchain, 5G, digital identity techniques, cloud or edge computing, and virtual reality or augmented reality technologies.

The Challenges Posed by the Metaverse

There are two essential risks that will have to be faced in relation to the metaverse: privacy and data security.

As the AEPD points out, the metaverse can be very intrusive from the privacy point of view since the processing of data in this environment is massive. Thus, the processing of some specific categories of data will be of paramount importance and will make it possible to extract extremely detailed information from users. Such is the case with biometric data. Virtual reality glasses will be able to determine what we like and what gives us pleasure or elicits rejection with the analysis of the changes in our pupils.

Likewise, the perception of postural changes or the position of avatars in the virtual environment will reveal information of which the user is not aware. This information can be used to personalise marketing campaigns based on specific profiles.

So, each of the technologies that converge in the metaverse present certain privacy risks that will have to be addressed, ranging from non-consensual profiling to identity theft. Therefore, it will be essential to adopt the necessary measures based on the mechanisms provided for in both of the data protection regulations. These measures must integrate impact assessments, data security, transparency in data processing, the guarantee of the rights of the data subjects and the minimisation of data collection.

The very concept of the metaverse as a virtual reality space in which people interact as they do in the real world also entails the presence of (cyber)criminals and a space conducive to piracy. Blockchain technology, through its process validation system, can help mitigate these risks, but it cannot make them disappear, at least not on its own. It must go hand in hand with the implementation of strong cybersecurity measures that can neutralise techniques such as phishing or prevent the theft of cryptocurrencies.

However, the development of the metaverse will have to face other challenges, beyond privacy or cybersecurity. For example, there are even AI tools for image and video generation that can alter creative processes and consequently affect the work of artists.

This leads on to the potential problems related to intellectual property. Since the non-fungible tokens (NFTs) are subject to transactions in the metaverse, mechanisms must be established to verify their authenticity and identify copies or plagiarism. Some lawsuits have already been filed by luxury firms against the plagiarism of their products through NFTs.

In any case, none of the above will be a reality without the input of the big technology companies that lead the development of the metaverse. In recent months, these companies have suffered significant falls in the stock market, arising from the global situation and the false growth expectations that were born as a result of the pandemic. Mass layoffs and cost containment motivated by the fear of a recession and rising interest rates (and therefore higher financing costs) are a certainty, so it remains to be seen whether progress on the metaverse will be made as fast as expected. In any case, it seems that adverse conditions are cyclical and we are only facing a fair adjustment in the technology sector, and sooner or later the definitive impetus for the development of the metaverse will take effect.

Brief Introduction to the Concept of Digital Economy

Digital economy entails the use of technology for the production of goods and services, as well as for their subsequent commercialisation, for example, e-commerce, mobile applications or online banking. There is no doubt about the importance of the role that the digital economy plays in our lives today.

In line with the above, it is a reality that within the EU and in each of its member states, a real digital revolution is being experienced. This is confirmed by the huge number of regulations that are being adopted in recent months and the many others that are in the processing phase, precisely because more and more aspects of our lives are developing in the digital environment and the advance of technology is inevitable and occurring at a significant speed.

Digital Regulation

Before entering into detail on the regulations that expressly regulate the digital economy, it is convenient to briefly review the recently approved provisions that refer in a more general way to digital rights, essential for human beings to interact in an orderly manner in the digital environment.

Decision (EU) 2022/2481 of 14 December 2022 sets out the strategic agenda for the Digital Decade Policy Programme 2030, and is based on the communication of 9 March 2021 entitled “2030 Digital Compass” to guide the digital transformation of the EU for the coming years.

In this context, we must also refer to the declaration on European Digital Rights and Principles for the Digital Decade, adopted on 15 December 2022. It reflects the EU's commitment to achieving a secure digital transformation, putting people at the centre, in order to achieve the objectives of the aforementioned 2030 Digital Compass.

In Spain, these digital commitments are reflected in the Digital Rights Charter, presented by the Spanish government in July 2021, which aims to protect citizens from the possible risks generated by disruptive technologies. They are not normative in nature and therefore merely constitute a frame of reference for public authorities.

This document is complemented by the Digital Spain 2026 strategy, which constitutes the update of the Spanish digital transformation roadmap launched in July 2020.

Regulation on Digital Services and Digital Markets

As previously announced, having laid the foundations that should govern any regulatory development in the digital field, we must highlight the very recent publication of several rules that directly regulate certain aspects of the digital economy and that constitute the Digital Services Package presented by the European Commission in 2020.

This digital package basically translates into the approval of Regulation (EU) 2022/2065, of 19 October 2022, known as the Digital Services Act (DSA), and Regulation (EU) 2022/1925, of 14 September 2022, known as Digital Markets Act (DMA).

The adoption of these two rules is an essential part of the EU's Digital Agenda and aims to create a safer digital space, both for citizens and businesses, in the face of the exponential growth of digital services, especially after the pandemic.

In the end, it is a question of establishing a specific set of uniform rules for the entire EU in order to ensure legal certainty and the proper functioning of the internal market by creating a secure and reliable online environment.

It should also be noted that the EU legislature has chosen a Regulation and not a Directive to regulate the package of digital measures, which implies its direct application as law without the need for transposition in all countries of the European Economic Area (EU plus Iceland, Norway and Liechtenstein).

Digital Services Act

The DSA aims to be a pioneer in the regulation of digital services by reformulating in detail the rights and obligations of certain intermediary service providers, users and digital businesses in order to strengthen respect for fundamental rights in the EU and establishing a new liability regime for certain platforms. In this sense, new diligence requirements are established for intermediary services providers in terms of the actions to be carried out in the face of illegal content.

It is a necessary update because since the former Directive on electronic commerce was published in 2000 (and transposed into Spanish law by the LSSI), there have been no significant changes in these regulations, despite the fact that the transformation of digital markets and services since then has been overwhelming.

It should be noted that the new DSA does not derogate from the old Directive of the year 2000 and, therefore, the LSSI will continue to be in force in Spain regarding any provisions that do not contradict the DSA. Thus, in Spain, verification work will have to be carried out to verify the enforceability of the provisions of the LSSI that do not contradict the DSA.

As happened with the GDPR, the DSA will involve a significant effort from the operators so that they can adapt to its provisions, which is why much of its articles will not be applicable until 17 February 2024, without prejudice to the fact that the rule entered into force on 16 November 2022.

In addition, in the wake of the GDPR, the DSA affects those providers that address their services to citizens located in the EEA, including big Chinese and American technology companies. Moreover, the DSA includes a strong sanctioning regime for deterring non-compliance.

The DSA concerns the following intermediary service providers:

• Intermediary services offering network infrastructure, such as internet access providers and domain name registrars;
• hosting services, eg, cloud computing and web hosting; and
• online platforms, such as social media platforms, marketplaces and app stores.

In addition, it includes an extensive reference to very large online platforms (VLOP), which reach more than 10% of Europe's 450 million consumers, to which a specific regime will apply.

These above-mentioned services can be divided into three groups:

• those of mere conduit;
• those of caching; and
• hosting services (including online platforms).

Furthermore, the DSA incorporates three new figures:

• digital services co-ordinators shall be appointed by each member state and shall be advised by the European Board for Digital Services.
• trusted flaggers shall be appointed by the digital services co-ordinator of each member state for the purpose of recognising and flagging illegal content.
• compliance officers will need to be appointed by the VLOP, and for practical purposes, as many compliance-related positions should be appointed in large companies (eg, DPO), they will often end up outsourcing these figures to compliance companies.

One of the central components of this new regulation is the inclusion of measures to fight against illicit goods, services or online content, including a liability exemption regime (“safe harbour”) that applies to mere conduit and caching services when they are not involved with the information transmitted, and from which providers of hosting services or data storage services may also benefit if certain requirements are met. Among others, the provider should, upon obtaining actual knowledge or awareness of illegal content, act to remove or to disable access to that content. Thus, the provider will only be liable when it has actual knowledge that the activity or information stored is illicit and do not proceed to the withdrawal of said data or to disable access.

In this sense, the interpretative problems will derive from the consideration of the concept of “actual knowledge”. The practical problems will come because the removal of such illicit content must take place respecting the fundamental rights of the recipients, including the freedom of expression and the right to information. The balancing of such rights will be complicated by providers and may entail serious difficulties in determining liability in court.

So, what would happen if the platform mistakenly removes content upon notice from a trusted flagger and it turns out that content was not illegal? This could happen, for example, in the case of closure of profiles on social media platforms. It seems that the end user affected by such improper termination of their profile has no legal action according to DSA provisions to assert their rights. In this regard, it should be borne in mind that the content of profiles on social media platforms can affect many other areas, such as the intellectual property rights related to such content. Clearly, a solution to this problem will have to be found by the member states.

Digital Markets Act

The DMA aims to ensure a level playing field for digital companies by fostering competition for the benefit of all users. That is why the position of the “gatekeeper” acquires special relevance, understanding those platforms with a significant impact on the internal market, as they act as a gateway for professional users to reach end users.

In this sense, the DMA aims to prevent gatekeepers from imposing unfair conditions on these users, whether professionals or end-users, thus prohibiting the development of unfair practices by platforms with the highest market share. This will facilitate the growth of start-ups that will be able to operate in a fairer and more equitable environment.

For example, gatekeepers will need to ensure that end users can easily unsubscribe from platform services or uninstall pre-installed services. In addition, they must allow their business users to promote their offers and enter into contracts with their customers outside the gatekeeper platform, or provide them with access to the data they generate when using the gatekeeper’s platforms.

As for prohibitions, among others, they will not be able to track end users outside the gatekeeper’s core platform service for targeted advertising purposes, without effective consent having been granted, and they will not be able to classify their products or services more favourably than those offered by third parties.

These companies shall be designated gatekeepers for at least one of the core platform services included in the DMA, which are as follows:

• online intermediation services;
• online search engines;
• online social networking services;
• video sharing platform services;
• number-independent interpersonal communications services;
• operating systems;
• web browsers;
• virtual assistants;
• cloud computing services; and
• online advertising services.

Within the framework of the DMA, as was the case with the DSA, we can refer to the creation of three figures.

• The gatekeepers ‒ For a company to acquire the status of gatekeeper it must meet certain qualitative and quantitative thresholds provided for in the regulation.
• The High-Level Group ‒ It will be composed of several European bodies with sufficient expertise to advise on the implementation of the DMA.
• The compliance officers, appointed by each gatekeeper.

The Commission shall be the authority empowered to enforce the provisions of the DMA. To this end, it may count on the collaboration of the authorities and courts of each member state, with whom it may act in a co-ordinated manner to carry out the necessary investigative measures.

In any case, any user who sees their rights violated in relation to the DMA may assert them before the national courts, directly invoking the violation of the provisions contained in the aforementioned legal text.

The DMA was published on 12 October 2022, entered into force on 1 November 2022 and will apply from 2 May 2023.

Brief Reference to Digital Finance

The discussion on the digital economy cannot end without including a brief reference to digital finance, given the growth of the crypto-asset market.

In order to undertake appropriate regulation in the field of digital finance, the EU has also prepared a package of rules to regulate this sector. Only one of these will be discussed here, the proposal for MiCA Regulation (Markets in Crypto-assets), pending final approval.

The future MiCA Regulation will regulate the issuance and trading of crypto-assets on platforms, excluding financial instruments and NFTs. It aims to cover the existing legal gap in the commercialisation of cryptocurrencies at European level, favouring legal certainty, consumer and investor protection, market integrity and financial stability, bearing in mind the importance that stablecoins are gaining, which will be supervised by the European Banking Authority (EBA).

General Perspective

Article 6 (30) of Directive (EU) 2022/2555, of 14 December 2022, concerning measures to ensure a high common level of cybersecurity across the European Union (NIS 2 Directive) defines cloud computing as “a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations”.

Edge computing consists of cloud computer services delivered closer to where the data era being generated or collected (Recital 34 NIS 2 Directive).

Cloud service providers are considered “digital service providers” under Directive to EU 2016/1148, known as NIS 1 Directive, which was transposed into Spanish legislation by virtue of Royal Decree-Law 12/2018, on the security of networks and information systems, subsequently developed by Royal Decree 43/2021. The provisions on cybersecurity contained in that legislation are therefore applicable to cloud service providers.

In any case, the NIS 1 Directive has recently been superseded by the aforementioned NIS 2 Directive (in fact, it repeals it with effect from 18 October 2024). NIS 2 Directive, which was published in the OJEU on 27 December 2022 and entered into force 20 days after its publication, includes in its scope, as did the NIS 1 Directive, cloud computing services (Recital 33), as long as the providers provide their services or carry out their activities in the EU territory. They should therefore be subject to the new cybersecurity provisions provided for in the NIS 2 Directive, which should be transposed by the member states up to 17 October 2024.

As stated in this regulation, cloud computing services include, among others, infrastructure as a service (IaaS), platform as a service (PaaS), software as a service (SaaS) and network as a service (NaaS).

Regulated Industries

As far as the banking sector is concerned, although there are no specific regulations for cloud computing as such, the European Banking Authority (EBA) published at the end of the 2017 Recommendations on outsourcing to cloud service providers. Basically, it offers a guide to be followed by financial institutions that decide to make use of this technology.

In Spain, the Bank of Spain, as supervisory authority, ensures compliance and the correct application of these recommendations.

In the insurance sector, the European Insurance and Occupational Pensions Authority (EIOPA) published its Guidelines on Outsourcing to Cloud Service Providers in a similar sense to those applied to the banking sector.

The Dirección General de Seguros y Fondos de Pensiones, the supervisory body in Spain, endorsed the EIOPA guidelines by resolution of 10 July 2020 and since then has been ensuring their correct follow-up.

The European Securities and Markets Authority (ESMA) also published its guidelines on 10 May 2021 in the same sense as the previous ones.

Data Protection

The very idiosyncrasy of cloud computing implies that companies providing this type of services must respect the applicable data protection regulations as cloud computing inevitably involves the processing of data. Therefore, it will be necessary to comply with the provisions set forth in the GDPR and the LOPDGDD.

In this sense, the first issue to be resolved is the quality in which the cloud computing service provider acts, since, depending on the specific legal relationship that unites it to its client, it will be considered processor (the most common, which entails the signature of the processing agreement provided for in Article 28 GDPR), or joint-controller by exercising control jointly with its client, with the legal consequences that this entails.

It should be borne in mind that the determination of the legal position occupied by each party determines the law applicable to the contract. Thus, when the client is controller and the provider is processor, the applicable law will be that of the client.

In any case, it will be desirable for the client that the contract with the cloud services provider includes a data portability clause in the event of termination of the agreement. The provider should facilitate such portability to the new service provider or to the client themselves.

Finally, we must not ignore the importance of cloud computing services in international data transfers, that is, with third countries outside the EEA. If such transfer takes place, all necessary measures must be taken to safeguard the processing of data by providing adequate guarantees and, if necessary, signing the standard contractual clauses in their latest approved version.

The AEPD published guidelines in 2018 for cloud computing service providers and for clients in order to resolve the doubts that may arise in terms of data protection in this type of relationship.

Regulations on Artificial Intelligence and Big Data.

Although the concepts of big data and AI have different functionalities, they are closely related in that both revolve around data. Thus, they share advantages, benefits and also risks.

On the one hand, AI constitutes the ability of a machine to exhibit the same capabilities as humans, allowing learning or problem solving for specific purposes. On the other hand, big data refers to the set of technologies that are used to collect and process massive amounts of data and extract valuable information through advanced analytical systems.

There has been an undeniable tremendous rise of AI and big data in recent years in all areas, thanks to the rapid evolution of technology. This has allowed the application of both technologies to a large number of sectors with fascinating results.

However, the use of intelligent systems can in turn entail enormous risks for human beings and even violate their fundamental rights.

For all the above, the public authorities have accelerated normative and institutional development to promptly control this phenomenon and make the most of all the benefits that these technologies offer, as well as to protect the individual, who must always be located at the centre of digital law, as the EU has stated in its recent regulations and those in development.

Specifically, in terms of AI, regulation is prolific both at EU level and in Spain, although currently only soft law instruments exist. In any case, every attempt at regulation is accompanied by the arduous task of trying to balance conflicting interests. On one side are the interests of technology companies in developing their systems with the fewest obstacles possible, and on the other side are those of the public authorities that, despite their interest in technological progress, must also ensure the protection of the fundamental rights of their citizens.

EU Regulations

In April 2021, the Commission presented a proposal for a regulation that will be known as the Artificial Intelligence Act (AI Act). As pointed out above, this regulation is aimed at encouraging the development of AI by promoting investment and innovation and, in turn, focuses on the risks that this entails in order to achieve safe AI that respect fundamental rights.

Previously, several studies and guidelines had aimed to reflect on AI from an ethical perspective. Such is the case of the Ethical Guidelines for a reliable AI, of 2019, endorsed by the European Commission, or the study of the European Parliament Research Service (EPRS) entitled “European framework on ethical aspects of artificial intelligence, robotics and related technologies: European added value assessment”. Subsequently, in February 2020, the European Commission published the White Paper on Artificial Intelligence, and the European Parliament published the Resolution of 20 October 2020 containing recommendations on ethical aspects of artificial intelligence, robotics and related technologies.

In the field of insurance, the EIOPA published in 2021 “Artificial Intelligences Governance Principles: Towards Ethical and Trustworthy Artificial Intelligence in the European Insurance Sector”, with the aim of ensuring responsible and safe use of this technology within the insurance market.

In any case, all that exist so far are soft law instruments, which are not binding. The AI Act is here to change this and is the result of the EU's claim to leadership in the regulation of AI worldwide; it is one of the essential milestones of its Digital Agenda.

The text proposed by the Council to define AI limits this definition to systems developed through machine learning and strategies based on logic and knowledge.

Four categories of IA systems are established:

• minimal risk;
• low risk;
• high risk; and
• unacceptable risk (which are prohibited).

Therefore, it is the high-risk systems that draw the focus of this rule as they can potentially pose the greatest threats to fundamental rights.

Indeed, certain sectors require the creation of a register for high-risk systems and the regulation of additional requirements for their users; however, the possibility that this would delimit the use or development of AI makes it difficult to include such provisions in the final text of the Regulation.

In order to ensure compliance with the provisions contained in the future AI Act, the regulation is completed with a strong system of fines and penalties. However, no specific mechanisms are included to protect possible violations of fundamental rights.

With all the above, on 6 December 2022 the Council laid the groundwork for “trilogue” dialogues between the Council of the EU, the European Parliament and the Commission on the proposal for the AI Act.

Finally, it should be noted that on September 2022 the Commission submitted a proposal for a Directive on adapting non-contractual civil liability rules to AI (known as AI Liability Directive). It provides for new rules on disclosure of information and burden of proof in proceedings for claims for damages caused by AI systems. This regulation delves into an issue as important as liability for fault or negligence in the claims indicated and represents a new advance in the package of measures planned by the EU for the regulation of AI, which is completed by the proposal to revise the Directive of 25 July 1985 on liability for damage caused by defective products.

All of this is intended to adapt the rules on product liability, as well as the non-contractual civil liability regime, to the digital age and, in particular, to AI.

Spain

Spain has also taken the development of new technologies very seriously and, with regard to AI, has adopted several regulatory measures with the aim of becoming one of the pioneer countries in the regulation of digital aspects.

In 2019, the Spanish Strategy for I+D+I in AI was approved, as was the Digital Strategy for Artificial Intelligence (ENIA) in 2020, within the framework of the Digital Spain 2026 Agenda, in order to facilitate the development of inclusive, sustainable and citizen-centred AI.

Some of the measures that are provided for and have already been implemented are the creation of the Data Office and the figure of the Chief Data Officer (who has already been appointed), as well as the implementation of the Artificial Intelligence Advisory Council. In addition, the Spanish Agency for the Supervision of AI will soon be created, with headquarters located in A Coruña, and all of this in compliance with the provisions of the Recovery, Transformation and Resilience Plan (Plan de Recuperación, Transformación y Resiliencia - PRTR).

In addition, the previously revised Digital Rights Charter of 2021 includes a specific section on AI rights.

Article 23 of Law 15/2022, of 12 July 2022, comprehensive for equal treatment and non-discrimination, is the first inclusion in a Spanish Law of a specific provision on AI for the purposes of establishing mechanisms so that the algorithms used by public administrations consider non-discrimination, transparency and accountability, where technically feasible. To this end, impact assessments should be carried out. It also calls for the promotion of ethical AI that respects fundamental rights. In addition, a seal of quality of algorithms, still pending regulatory development, will be promoted.

Finally, in June 2022, the government of Spain and the European Commission presented a project to implement the first EU regulatory sandbox on AI. The objective is the joint definition by the competent authorities and companies developing AI of the best practices that should serve as a basis for the implementation of the future AI Act.

Legal Aspects on AI and Big Data

Although, as indicated, there is a great interest at both EU and domestic level in effectively regulating AI, the truth is that today the legal conflicts that may arise as a result of the use of AI and big data must be resolved by resorting either to common national law in civil matters, commercial or criminal, or to sectoral legislation that regulates industrial and intellectual property, data protection or business secrets, among others.

However, we have seen that there are already several initiatives that touch on aspects as varied as product liability or the protection of fundamental rights against the interference of new technologies.

It is undeniable that both AI and big data seriously endanger privacy, even more so with the development of neurotechnology by big technology multinationals. Thus, the implications in the field of data protection are unquestionable and, in any case, the provisions of the RGPD and the LOPDGDD must be complied with.

For example, referring to big data, profiling is one of its main uses, which may involve certain risks linked to discrimination for possible data processing based on predictions. In addition, it is necessary to bear in mind the practical difficulty posed by the existence of future uses of the data not foreseen at the time of its collection and for which the user's consent is not granted.

Difficulties also arise in data sources and data reuse. An assessment of the risks and even a data protection impact assessment will have to be carried out and the data will have to be anonymised. In the end, any project involving AI and big data must respect the principle of accountability and be developed by default and by design.

In any case, the data shall be processed lawfully, fairly and in a transparent manner, and the data subjects must be duly informed about the processing of their data. In this respect, the AEPD has published a code of good practices in data protection for big data projects.

Many privacy situations may arise regarding data treatments as common today as those involving the so-called web scrapping techniques that, wrongly relying on access to data from public sources, skip the obligations derived from the data protection regulations. All this must be aligned with the Data Governance Act (Regulation (EU) 2022/868, published in the OJEU on 3 June 2022), which establishes mechanisms for the re-use of certain categories of publicly/held protected data.

The extraction of information from websites may also entail intellectual property risks where those pages are protectable, and copyright can be invoked. The European Network and Information Security Agency (ENISA) identified in the report big data security, the different digital and cybersecurity threats for big data projects. This reinforces the transversal importance of cybersecurity in terms of AI and big data, so that the application of the regulations in this matter cannot be ignored.

IoT and its Main Implications

On 16 September 2014, the Article 29 Working Party (now the European Data Protection Board) issued an opinion on the evolution of IoT and defined it as the infrastructure in which multiple sensors embedded in common devices record, process, store and transfer data and interact with other devices or systems, making use of its network connection capabilities.

From a data protection perspective, it should be noted that on 3 December 2020, the AEPD published an explanatory article with the implications that IoT devices could have in terms of data protection. Thus, according to this guide, there are multiple actors involved in the processes linked to IoT devices (manufacturers, developers, cloud computing providers, telecommunications operators and social networks, among others).

Each of these agents may adopt the role of controller or processor, and, based on this, they must assume the obligations provided for each figure in the applicable data protection regulations.

Likewise, the categories of data subject to processing will be diverse, including contact data, internet usage habits, geolocation, physiological data, images, voice, and many more.

IoT devices can process not only data directly captured or provided by the user itself, but also inferred data, which is obtained from the analysis and processing of a large volume of data from various users through the use of technologies such as big data and AI.

All this can pose serious privacy risks since certain devices are able to capture habits and behaviours in an extremely detailed way, to such an extent that any hint of privacy disappears completely and the legal basis that legitimises the processing of data is completely blurred.

This is especially worrying in cases of voice-controlled devices, which can capture conversations totally unrelated to their use.

Also relevant is the incipient rise of home automation IoT devices that allow control of different elements of the home, such as air conditioning, lighting or blinds. There is already an increasing tendency to connect these devices directly to the manufacturer's cloud, which will be accessed through an app, using 5G technology. This will imply new challenges in terms of privacy protection.

In any case, in the absence of specific regulation, and without prejudice to the provisions below, common Spanish Law must be resorted to in order to resolve possible conflicts arising from the application of the IoT, although most attention must be paid to the EU and Spanish regulations on data protection. Especially relevant are Articles 21 and 22 GDPR relating to the right to object to data processing and automated decision-making, including profiling.

IoT Regulations

The complexity derived from IoT devices has been addressed, from the most technical point of view, from the regulation of cybersecurity. It has already become clear that any vulnerability in IoT devices can jeopardise the privacy of users, so it makes perfect sense that cybersecurity stands as the key element in protecting the rights of users of IoT devices.

Thus, in the EU, special mention should be made, on the one hand, to the NIS 2 Directive regarding network and information security, which is applicable to IoT devices, and on the other hand, to the proposal of the Cyber Resilience Act, given that it will include a regulation on cybersecurity requirements for products with digital elements to ensure more secure hardware and software products.

In Spain, the approval of Royal Decree-Law 7/2022, of 29 March, on requirements to guarantee the security of fifth-generation electronic communications networks and services, is essential for the regulation of IoT. 5G technology will be crucial for the connectivity of IoT devices.

Legislative Overview

The emergence of new forms of audiovisual content consumption led to a review of the regulation of audiovisual media services within the EU, which resulted in the approval of Directive (EU) 2018/1808, of 14 November 2018, published in the OJEU on 28 November 2018. This Directive lays down EU-wide media content rules for the provision of audiovisual media services, including traditional television broadcasts, on-demand services and platform video sharing (also known as Audiovisual Media Services Directive).

The application of this regulation aims to strengthen the safety of viewers and, to this end, for example, the regulation referring to illegal content is extended to include video-sharing platforms. It also includes measures for the protection of minors and disabled persons and encourages the adoption of codes of conduct to limit the advertising of unhealthy products intended for minors.

The Directive establishes the country of origin principle, according to which audiovisual media service providers are subject to the law and jurisdiction of the member state in which they are established.

It was transposed belatedly into the Spanish legal system by virtue of the recent Law 13/2022, of 7 July (General Law on Audiovisual Communication), and part of its most relevant content is summarised in the following points.

• Protection of children and teenagers from inappropriate content. Providers must offer an age-rating system. Thus, content not recommended for children under 18 can only be broadcast between 10pm and 6am.
• Besides the television activity, it covers payment platforms in streaming and video sharing services through platforms and users of special relevance (so-called influencers), as long as they are established in Spain. As a result, platforms such as Netflix, HBO or Amazon Prime are not affected by this law.
• All the above-mentioned subjects must:
1. be registered in the state registry of audiovisual communication service providers (regulations on which are still pending);
2. include systems to verify users’ ages;
3. establish mechanisms to rate content according to age; and
4. include a functionality for users who upload videos to declare whether they contain advertising.
• Subliminal advertising, tobacco and electronic cigarettes, as well as advertising that violates human dignity is prohibited.
• The advertising of esotericism or gambling, as well as alcoholic beverages, may only be carried out in certain time slots.
• Advertising is generally limited to 144 minutes between 6am and 6pm, and to 72 minutes between 6pm and 12am.
• The European audiovisual work is promoted by reserving certain percentages for its broadcasting.
• The production of audiovisual works by women is encouraged, as well as the promotion of co-official languages in Spain.

Influencers

As noted above, the new Spanish regulation includes certain obligations for users of special relevance who use video-sharing platforms.

The European Regulators Group for Audiovisual Media Services (ERGA) includes in the definition of vlogger, content creators, streamers, influencers, or video sharing platforms.

Video sharing platforms (eg, Instagram) are those that:

• offer the general public content created by the users themselves;
• do not have editorial responsibility for such content;
• their aim is to inform, entertain or educate;
• are offered through electronic communication systems; and
• the content is organised mainly by algorithms.

That said, the users of special relevance (influencers) of video sharing platforms must meet the following requirements:

• the service they offer is an economic activity;
• they assume editorial responsibility for their content;
• they have educational, entertainment or informational purposes; and
• they have a significant number of followers or users.

Once the above requirements have been met, they must comply with the aforementioned obligations provided for in the Spanish General Law on Audiovisual Communications.

Requirements for the Provision of Audio-Visual Media Services

The provision of television and radio communication services requires, prior to the start of the activity, responsible declaration before the competent audiovisual authority in Spain (the Ministry of Economic Affairs and Digital Transformation). The service may be provided as soon as such declaration is filed without prejudice to the supervisory powers of the competent authority.

The provision of television and radio communication services by means of hertzian waves requires a prior licence granted by means of a public tender. This licence shall be accompanied by a concession for the exclusive use of the public radioelectric domain.

To be a licensee, one of the following conditions must be met:

• to have nationality of a member state or a state that recognises this right to Spanish legal persons;
• to have a registered office in a member state or in a state that recognises this right to Spanish legal persons; and
• to have a representative domiciled in Spain for notification purposes.

Licences shall be granted for a period of 15 years, automatically renewable for successive periods of equal duration if the holder has been fulfilling the requirements to be the holder of said licence and provided that there is no third party who, under certain conditions, intends to grant the same licence.

The provision of the video sharing service through platforms, including influencers who make use of these services, should only be registered in the State Register of Audiovisual Communication Service Providers, once it is put into operation, without prejudice to complying with the rest of the general obligations already explained above.

General Regulatory Framework

The regulation of telecommunications in Spain is given by Law 11/2022, of 28 June (General Telecommunications Law), which entered into force on 30 June 2022. This regulation is the result of the transposition of Directive (EU) 2018/1972 of 11 December 2018, establishing the European Electronic Communications Code, which was part of a telecommunications laws package that included the creation of the Body of European Regulators for Electronic Communications (BEREC).

One of the main objectives of the Spanish General Telecommunications Law is the massive deployment of 5G networks, and it includes the new classification of electronic communications services provided for in the Directive, which distinguishes between:

• internet access services;
• interpersonal communications services (both number-based and number-independent); and
• services consisting of the conveyance of signals.

Over the Top

As for number-independent interpersonal communications services, ie, without public numbering resources assigned, there is the so-called OTT (over the top), whose services are provided by means of data transmission over third-party networks. This is, for example, the case of some social networks that integrate messaging services. Although OTTs are not legally considered as operators, they must first communicate their intention to provide services.

The law provides for certain obligations for OTTs, which obviously also apply to other operators, among which we can highlight the following:

• communicate the start of its activity to the Registry of Operators, whose management corresponds to the CNMC;
• comply with the obligations to provide information to the authorities;
• ensure the rights of end users; and
• adopt the necessary measures for the management of security risks.

General Requirements

Regarding the requirements for the provision of networks and electronic communications services, it is established that it may be carried out by natural or legal persons who are nationals of any country belonging to the EEA or of any other nationality when so established by international agreements.

Those interested parties must previously notify the Register of Operators of the start of their activity and submit to the conditions provided for the specific service they wish to provide. If the content of the notification does not meet the requirements, the service shall be refused. However, bear in mind that this does not apply to OTTs, which will only have to communicate the start of their activity to the Registry of Operators for purely statistical purposes.

In the development of its business, the operator should comply with any obligations regarding consumer protection rights and transparency, as well as respecting fundamental rights and freedoms.

The resolution of conflicts between operators in the Spanish market will be resolved by the CNMC. The resolution of certain cross-border disputes shall be carried out with the intervention and opinion of BEREC.

Telecommunications Equipment

Telecommunications equipment placed on the market must comply with the legally required specifications, in accordance with the conformity assessment procedures to be established. Certain cases of mutual recognition are foreseen where the conformity of equipment has been assessed in accordance with the essential requirements of another member state. Equipment requiring concessions, permits or licences may be put into service only when it has obtained such ratings. The surveillance of the market for telecommunications equipment and its adequacy will be the responsibility of the Spanish Secretary of State for Telecommunications and Digital Infrastructures.

Installers of telecommunications equipment (and those who assume its maintenance) must submit to the Registry of Telecommunications Installation Companies a responsible declaration on compliance with the requirements for the exercise of said activity, prior to the start of it.

Use of the Public Radio Domain

The common use of the public radio domain shall not require any enabling title. The special use of the public radio domain is carried out of the frequency bands enabled for its exploitation in a shared way, without limitation of number of operators or users. The private use of the public radio domain is carried out through the exclusive exploitation or by a limited number of users of certain frequencies in the same physical area of application.

The enabling titles by means of which rights of use of the public radio domain are granted will take the form of general authorisation, individual authorisation, administrative affectation or concession. The granting of rights of use of the public radio domain will take the form of general authorisation in cases of special use of frequency bands

The general authorisation will be understood to be granted without any further formalities than the notification to the Spanish Secretary of State for Telecommunications and Digital Infrastructures, without prejudice to the obligation to pay the corresponding fees.

Individual authorisations shall be granted for use by radio amateurs or for private use for self-provision. For the rest of the cases not contemplated above, an administrative concession will be required. The duration of the enabling title will depend on each case.

Regulatory Framework

Technology contracts are commercial contracts that make specific reference to the use and implementation of new technologies. They often pose a challenge for the consumer or small non-specialist business as they are faced with highly technical documents imposed by large technology companies that offer no room for negotiation.

For all the above, it is important that the client takes into consideration certain crucial aspects before formalising the contract.

Technology contracts do not find a specific regulation in the Spanish legal system, so it will be necessary to resort to common Spanish law, mainly the Civil Code and the Commercial Code, depending on whether both parties are merchants, or the client is a consumer, in which case the provisions of the General Law for the Defence of Consumers and Users will apply.

Pre-formulated Standard Agreements

Pre-formulated standard agreements (contratos de adhesión) acquire special relevance in the framework of technology. These are contracts in which there is an imbalance between the parties so that one party imposes the conditions that will govern the contractual relationship on the other, as the weak party has little or no negotiating capacity to refute the provisions of the document imposed on them.

In these cases, the content of the contract is integrated almost entirely by general conditions of mass traffic and, in accordance with the provisions of both the Spanish General Law for the Defence of Consumers and Users, and the Spanish Law on General Contracting Conditions, the unfair clauses that may be included in such contracts will be null and void when contracted with a consumer.

Main Challenges

The formalisation of technology contracts involves risks for the client that must be detected and, if possible, neutralised. Furthermore, it is advisable that the client has at least a minimal knowledge in this area so as to avoid unexpected occurrences.

In addition, on many occasions the contract will ultimately be reviewed by a legal advisor prior to signing (or at least that would be desirable). This implies that lawyers must be very aware of the particularities of this type of contract, and they must also have knowledge, even if it is basic, regarding the object of the contract. This means that professionals in the legal sector have to be increasingly familiar with technological concepts in order to be able to advise correctly their clients in this growing sector.

Main features on Technology Agreement

As indicated, there are no specific provisions in the Spanish legal system for this type of contract. However, they contain certain clauses that are usually repeated or that should exist. It is important to focus on these clauses as they can complicate the execution of the contract. These clauses include the following.

• The duration of the contract and its rollover.
• The price and its possible future revisions.
• The causes of termination and the periods of notice.
• The processing of personal data. This point acquires special relevance in certain services that involve massive access to personal data. It will be necessary to analyse in each case whether it is also appropriate to sign a contract for data processing, as provided for in Article 28 of the RGPD, or if international data transfers will take place, in which case the relevant measures must be adopted.
• The liability assumed by each of the parties. In particular, it is highly advisable to clearly indicate whether the providers are subject to a best-efforts obligation or a performance obligation where the client is seeking for specific results.
• It is common to include a service level agreement (SLA) that details in depth the object of the provision and the quality standards.
• The intellectual property of the software or deliverables.
• Confidentiality obligations.
• Technical specifications, which are usually accompanied in the form of an annex.
• Penalties for non-compliance. In this sense, it is common for the provider to limit its liability economically and, in addition, exclude certain concepts such as loss of profits or indirect damages. It will be necessary to check if these limitations prevent the correct compensation of the client for the damages that may be caused.

Regulations Currently in Force

The use of electronic signatures is becoming more and more common, and contracts are increasingly being signed online for basic needs, such as buying food or clothes, or to interact with the public administration. This creates the need for electronic signature methods that generate trust among users, way beyond the simple insertion of the scanned handwritten signature.

The EU responded to this need with the approval of EU Regulation 910/2014, of 23 July 2014, on electronic identification and trust services for electronic transactions in the internal market (known as eIDAS). In Spain, it finds its legal equivalent in Law 6/2020, of 11 November, regulating certain aspects of electronic trust services, which complements the eIDAS Regulation only in those aspects that have not been harmonised at European level and that must be developed by each of the member states.

The eIDAS Regulation distinguishes between the electronic signature, the advanced electronic signature and the qualified electronic signature.

We will distinguish each of the aforementioned types of signatures depending on whether it allows us to identify the signatory with certainty, security regarding the possible manipulation of the content of the contract or the technical means required for its use.

• The electronic signature is an electronic signature which, for example, consists of accepting payment and the terms and conditions in any online purchase. It is the simplest type of signature since no electronic certificate or physical devices are needed to sign. Just “click”. In this case, the real identity of the signatory is not verified, so this method offers fewer guarantees.

• As for the advanced electronic signature, it is one that meets certain technical requirements, specifically, those provided for in Article 26 of the eIDAS Regulation. An example is the biometric signature, which collects the graphics of a handwritten signature on a touch device that stores biometric data and closes with a time stamp that prevents subsequent modifications of the document.
• Finally, the qualified electronic signature is a type of advanced electronic signature created by means of a qualified device for the creation of electronic signatures which is based on a qualified electronic signature certificate. It is used, for example, in relations with public administrations. It provides the maximum legal guarantees and has a legal effect equivalent to that of a handwritten signature.

Both the advanced and qualified electronic signatures allow the signatory to be identified, prevent subsequent modifications of the document in question, display full legal effects and are admissible as evidence in judicial proceedings.

Devices qualified for the creation of electronic signatures shall comply with certain security requirements. Commission Implementing Decision (EU) 2016/650 of 25 April 2016 publishes a list of standards for the safety assessment of such devices.

Spanish legislation, on the other hand, applies to public and private providers of electronic trust services established in Spain and to those with a permanent establishment who are not supervised by the authority of another member state. The legislation regulates certain aspects, some of the most relevant of which are the following.

• Electronic certificates, for the period of validity shall not exceed five years. Legislation also describes the circumstances for verifying the identity of the signatory.
• Obligations of electronic trust service providers. They must be subject to the regulation on data protection and guard and protect the signature creation data. In addition, they must constitute a civil liability insurance for a minimum amount of EUR1,500,000, except if they belong to the public sector. Such insurance may be replaced by a bank guarantee.
• Liability regime. Certain cases of limitation of the liability of electronic trust service providers are included, for example, in cases of negligence on the behalf of the signatory in the preservation of their signature creation data.
• Information security obligations.
• Supervision and control. These tasks will be carried out by the Spanish Ministry of Economic Affairs and Digital Transformation.
• List of infractions and penalties.

The Future Digital Identity in the EU

In June 2021, a framework for a European Digital Identity was proposed by the EU to be made available to citizens, residents and businesses in the EU through a European Digital Identity Wallet.

To this end, a proposal for a Regulation amending the eIDAS Regulation was prepared. This proposal aims to ensure universal access to secure and reliable electronic identification and authentication, all through a personal digital wallet stored on the mobile phone.

The wallet shall be issued with an electronic identification system that complies with the “high” security level, all based on cybersecurity certification schemes that should provide a harmonised level of confidence in the security of the wallets. Thus, the Cybersecurity Act will be fully applicable to the Electronic Identity Regulation.

The proposed Regulation has a special impact, not only on cybersecurity, but also on the protection of personal data. Its articles include several references to the GDPR and ensure compliance with its principles by qualified trust service providers. In particular, reference is made to the obligation of member states to ensure the protection of personal data and to prevent user profiling.

“Trilogues” should now begin to reach agreement on the proposal for a regulation between the EU institutions.