Contributed By Traple Konarski Podrecki & Partners
Laws and Regulations (General)
In the Polish legal system, there is no legislation specifically dedicated to cloud computing services. In general, cloud computing projects require compliance with the following key laws and regulations:
The most important sectors that have their own regulations specifying the rules for using cloud computing, in addition to the legal acts indicated above, are finance and public administration.
In the case of financial institutions, the most important regulation is the Communication from the Financial Supervision Authority of 23 January 2020 concerning the processing of information in a public or hybrid computing cloud by supervised entities. In addition to the Communication, the standards developed by industry organisations (eg, the Polish Bank Association - Polish Cloud and the Polish Insurance Association - Insurance Cloud) are of key importance.
It should be stressed that this legislation takes into account the principles laid down in documents adopted by the European Banking Authority (EBA) and the European Insurance and Occupational Pensions Authority (EIOPA).
In the case of public administration, the resolution of the Council of Ministers of 11 September 2019 on the "Common State Information Infrastructure" initiative, which is of an organisational nature, is crucial.
The resolution specifies, among other things, the principles that apply to:
Processing of Personal Data in Cloud Computing
According to the position of the Polish Data Protection Authority (PUODO), a list of the most important legal requirements provided by the GDPR, which should serve to eliminate or mitigate risks related to cloud computing, includes:
Risk and Liability
Blockchain technology is not directly regulated in Polish law. However, the use of blockchain solutions is entirely legal in Poland and the applicable provisions are contained in various legal acts (eg, tax regulations, financial sector regulations and general regulations concerning contractual obligations). Intellectual property law, criminal law and administrative laws are applicable as well.
In terms of blockchain risks, the main issues raised are privacy (including the protection of personal data), cybersecurity and relevant operating standards.
When analysing the relationship of intellectual property rights to the use of blockchain technologies, it should be noted that the subject of intellectual property rights protection may be the blockchain (distributed ledger technology, or DLT) solution itself, as well as the content that the blockchain contains. Therefore, from the point of view of the current application of blockchain technology, the most important issue would be the legal qualification of the blockchain itself. In this respect, it seems that blockchain technologies would qualify, for example, as computer programs (regulated in the Act of 4 February 1994 on Copyright and Related Rights) or databases (regulated in the Act of 27 July 2001 on the Protection of Databases) under the Polish copyright system. For the above reasons it is worth noting that blockchain solutions often use open-source assets, which may lead to licensing problems and affect commercialisation. In addition to Polish copyright regulation, the Act of 30 June 2000 on Industrial Property Rights may affect the scope of the protection of a blockchain solution.
Regardless of the above, blockchain technology may also be used to record intellectual property rights and to document copyright transactions (licences and agreements concerning transfer of economic copyrights) and that aspect of the use of the technology should also be taken into consideration during examination of project conformity with IP rights requirements.
Taking into account the specificity of blockchain operation, the first point that raises particular data privacy concerns is the issue of assigning responsibility for data processing to individuals (that use a particular blockchain product). Another privacy problem specific to blockchain is that, due to the way in which blockchain technology operates, it may be technically and organisationally difficult for data subjects to exercise their rights (eg, right to be forgotten).
In light of the above, actions are being taken to make legislative changes related to the issue of data processing in the context of blockchain technology. For example, the working party of the Ministry of Digital Affairs responsible for blockchain and DLT technologies has actively advocated for statutory limitations on certain rights granted to data subjects within the GDPR during the processing of personal data by blockchain technologies.
Polish law does not regulate the service level of blockchain technologies. The general provisions of the Civil Code concerning obligations and contractual provisions based on the principle of freedom of contract will apply in this respect. If a given solution is qualified as a key service in the meaning of the Act on the National Cybersecurity System, it will also be necessary for the service provider to meet the service level requirements resulting from that act. In order to identify the required level of service, it may also be necessary to identify sector-specific regulations concerning adequate level of protection of personal data or privacy and cybersecurity.
In view of the potential cross-border nature of the use of blockchain technology solutions, a whole range of procedural issues concerning the determination of both the law and the competent court for a service contract may also prove problematic. Given the complexity of blockchain technology contracts, each element of the blockchain technology should be analysed separately. Parties to a contract should bear in mind how they wish to have the jurisdiction and the law applicable to the contract determined. It is also worth remembering that the situation of consumers is regulated differently: there are certain rules concerning limitation of contractual rights provided to protect them. Freedom to choose foreign jurisdiction and foreign law is limited in contracts with consumers.
The basic legal problem concerning artificial intelligence (AI) is the black box phenomenon, referring to the lack of transparency of this type of technical solution. This phenomenon occurs when it is not entirely clear on what basis a particular solution works. This situation raises questions from the perspective of GDPR compliance. For the development of AI it is necessary to provide access to a large amount of data, which is then processed by the algorithms on which the artificial intelligence is built.
One of the main challenges is, therefore, to ensure an adequate level of data protection. In this respect, specific legal risks may arise from profiling and automated decision making, which have been subject to limitations under the GDPR. As for the right to be forgotten, it should be noted that it covers both "input personal data" (personal data used to create the profile) as well as "output data" (the profile itself or the "score" given to the person). Moreover, an additional issue is data controllers' responsibility for adaptation of the protection measures to the severity, extent and scope of the data processing.
Another legal problem, both from a civil and criminal law point of view, is the question of who will be held liable for damages caused by AI. At the moment there are no separate regulations in Poland concerning AI.
One should not forget about the problems concerning copyright law that arise from the specificity of AI. The question of whether AI can be a creator in the meaning of copyright law is closely related to the question of the possible legal personality of works of this type. Currently, under the Polish Copyright and Related Rights Act, only the result of human creative activity is protected. Therefore, on the basis of Polish law, it is not possible to grant a copyright to an AI. A separate issue is whether the rights to works created in this way will be held by other persons (eg, developers or owners of software (algorithms) responsible for the operation of AI). It seems, currently, that it will be difficult to assign copyright protection to this group of people in this respect as well.
At present, there is no regulation concerning the internet of things (IoT) in Poland, and the regulators have not issued any separate regulations in this area.
IoT projects require analysis of the following laws:
Although the National Cybersecurity System Act does not explicitly refer to IoT, entities using IoT solutions and providing IoT-related services may both be operators of a key service and providers of digital services within the meaning of the Act, and therefore be obliged to perform the obligations set out in the Act.
The IoT is not explicitly mentioned in the GDPR, but recital 30 refers to the use of RFID tags. It must therefore be assumed that, especially in the case of the "consumer" IoT, there is processing of personal data within the meaning of the GDPR.
Categories of IoT devices to which the processing of personal data relates include:
From the perspective of the GDPR, the biggest risks are considered to be:
Civil Law Liability and Intellectual Property
A specific problem related to the use of IoT devices is the scope of civil law liability under the regulations on damages caused by dangerous products. In this connection, it should be emphasised that a product is generally understood to be only a movable thing, so the liability regime excludes, for example, an IoT service provider (ie, the liability regime does not cover the supply of defective data).
As far as IP rights are concerned, it should be noted that under the current interpretation, due to the exhaustion of the right and the acquisition of the statutory licence to use the software, the purchaser of the thing (IoT device) is free to further dispose of it with the software installed in it.
There are no separate provisions in Polish public or private law dedicated to IT contracts.
The Civil Code
Under Polish private law, two basic groups of regulations contained in the Civil Code apply to contracts. Firstly, general provisions for all types of contracts. They regulate, inter alia, the principles of liability for non-performance or improper performance of a contract. Secondly, specific provisions for particular types of contracts.
As far as general rules are concerned, for IT contracts concluded in B2B relationships, the principle is that the parties are free to determine the content of the contract. The limits of the parties' freedom are determined primarily by the provision of Article 473 of the Civil Code. Under that provision, the only thing the parties cannot do is exempt the debtor from liability for damage that they may intentionally cause to the creditor.
As far as specific provisions are concerned, the Civil Code does not contain separate provisions for IT contracts. Depending on the subject of the contract, the provisions on work contracts (eg, in the case of IT deployments) or service contracts apply. It is also worth remembering that the provisions of copyright law contain special rules concerning contracts, modifying the provisions of the Civil Code. In the case of IT contracts, provisions strengthening the legal position of IT vendors as creators of computer programs are therefore of particular importance. This applies, for example, to the withdrawal procedure.
Service Level Agreements
Service Level Agreement (SLA) provisions are an important part of the contract. With regard to the service level agreement, the ordering party should, first of all, remember to specify in the contract the quality of the service (performance service level objective) by clearly indicating the availability of particular resources, services and support (eg, by indicating the response time). Additionally, it is necessary to ensure appropriate provisions concerning service security (security service level objective). Issues of data management (data management service level objective) are also very important (eg, back-up, data restoration and transfer), and may be of key importance in the context of contract termination (exit plan). In the context of an SLA, it is worth remembering that individual parameters may be influenced by the guidelines of regulators (eg, the Financial Services Authority).
Under IT contracts, one of the most important issues is securing the rights to the implemented software. It is necessary to determine whether and to what extent the contracting authority acquires the property rights to the software. The most popular model is the licence model, in which the author's economic rights to the software remain with the software developer and the ordering party uses the software as a licensee. In the case of software that is subject to customisation, there is commonly a mixed model (ie, the supplier of a given solution licenses the supplied software and transfers the proprietary copyrights to the customised parts to the ordering party).
Under Polish law, the way data is regulated depends on whether it concerns natural persons or legal entities. The protection of personal data is regulated by the GDPR and the Act on Personal Data Protection.
According to the Polish Data Protection Authority (PUODO), personal data includes information about a sole entrepreneur who is a natural person. Personal data within the meaning of the GDPR is also considered to be the data of contact persons at legal entities. In terms of personal data, the GDPR is complemented in the Polish legal system by the Personal Data Protection Act. Its importance is expressed, inter alia, in:
Non-personal data is regulated by the EU regulation on the processing of non-personal data and various other special laws on specific sectors and company secrets. Among other things, non-personal data may be protected as a "trade secret" if it meets the requirements set out in Article 11(4) of the Act on Combating Unfair Competition. In accordance with the above provision, undisclosed technical, technological and organisational information of the enterprise or other information of economic value, in respect of which the entrepreneur has taken the necessary steps to maintain its confidentiality, will be protected.
The regulation of employers monitoring and limiting the use by employees of company computer resources can be found in various legal acts in the field of both labour law, and privacy and personal data protection.
The Labour Code
Firstly, it should be noted that the regulations concerning employee monitoring are contained in Articles 22 (2) and 22 (3) of the Labour Code. The employer may monitor the employee only if the conditions specified in Articles 22 (2) and 22 (3) of the Labour Code are met.
As far as email monitoring is concerned, on the basis of Article 22 (3) Section 1 of the Labour Code, the prerequisites for its application are the necessity to ensure the work organisation enables full use of working time or proper use of work tools made available to the employee. An employer performing email control of their employees must remember that there is another condition for such action – the control of employees' mailboxes must not violate the confidentiality of correspondence or other personal rights of the employee (Article 22 (3) Section 1 of the Labour Code).
The analysed provision will also apply to other forms of monitoring, when it is necessary to ensure the organisation of work that allows full use of working time and the proper use of the work tools made available to the employee (Article 22 (3) Section 4 of the Labour Code). This provision will cover, for example, control of company phones (calls and text messages) or determining the location, on the basis of a GPS signal, of an employee device/vehicle entrusted to that employee by the employer.
Moreover, it is worth pointing out that the issue of video monitoring of employees has been included in Article 22 (2) of the Labour Code.
In relation to email monitoring and other forms of monitoring, the provisions on video surveillance, found in Article 22 (3) Sections 3 and 4 of the Labour Code, shall apply accordingly. Therefore, the employer should specify, in an appropriate internal regulation, the objectives, scope and manner of applying the monitoring. Information about the introduction of email monitoring or another form of monitoring should be provided by the employer no later than two weeks before its launch, and for new employees, before they are admitted to work. Data obtained as a result of employee monitoring may be processed for a maximum period of three months from the date of its acquisition, unless it constitutes or may constitute evidence in proceedings conducted under the provisions of law.
The above regulations on labour law are closely related to the regulations on personal data protection. According to the definition expressed in Article 4 point 1 of the GDPR, personal data is any information about an identified or identifiable natural person. In the case of an employer, the data subject (ie, the employee) will be an identified person, and information about them obtained as a result of the inspection will constitute personal data. The above definition indicates that the category of personal data includes, in particular, location data as well as one or more factors determining the physical, physiological, genetic, mental, economic, cultural or social identity of an individual. These factors may result from other forms of employee monitoring.
The employer may only process the employee's biometric data in a particularly justified case (eg, restriction of access to sites where the employer may require special authorisation due to company secrecy or professional skills needed to enter protected areas).
The processing of data resulting from monitoring often entails a high risk for the rights and freedoms of data subjects. Therefore, the employer should, before applying it, consider whether it is subject to the obligations resulting from Article 35 of the GDPR (impact assessment of data processing). The Communication of the President of the PUODO (the Polish Office for the Protection of Personal Data) of 17 June 2019 on the types of personal data processing operations requiring assessment of the consequences of processing for their protection may be helpful in this respect.
The current Telecommunications Act sets out the rules for the performance and control of activities consisting of the provision of telecommunications services, the provision of telecommunications networks or the provision of accompanying services (jointly referred to in the Act as telecommunications activities). The definitions of the above-mentioned activities are very broad. Therefore, the Polish Telecommunications Act could apply to a wide range of entities and services.
Telecommunications activity is a regulated activity that, as a rule, does not require a licence. However, a telecommunications undertaking is obliged, under Article 10(1) and (2) of the Telecommunications Act, to make an entry in the register of telecommunications undertakings kept by the President of the Office of Electronic Communications (UKE).
The situation is different in the case of the frequency (spectrum) and numbering system defined in the Telecommunications Act, which is based on a licensing system.
The frequencies shall be managed in accordance with the principles set out in Articles 111 et seq of the Telecommunications Act. Reservations of frequencies shall be made for entities that meet the requirements set out in the Act; in particular, entry in the register of communication entrepreneurs or a permit to use radio equipment is granted if the frequencies covered by the application:
The entity that obtained the right to dispose of the frequency in a frequency reservation shall pay annual fees for the right to dispose of the frequency (Article 185(1) of the Telecommunications Act).
With respect to numbering management, the President of UKE, by way of a decision, assigns numbering, in accordance with the national numbering plans for public networks, to telecommunications undertakings, local government units conducting telecommunications activities other than telecommunications undertakings and other entities listed in the Act (Articles 126 et seq of the Telecommunications Act). The numbering is assigned in accordance with the Ordinance of the Minister of Digital Affairs of 19 March 2014 on detailed requirements for numbering management in public telecommunication networks.
In addition, under Article 143 of the Telecommunications Act, regarding the use of radio equipment, one is required to obtain a radio licence, which is issued by the President of UKE in the form of a decision.
Electronic Communications Law
The existing provisions of the Telecommunications Law are to be replaced by the provisions of the Electronic Communications Law, implementing the provisions of Directive No 2018/1972 on the European Electronic Communications Code (EECC). By the date provided for in Directive No 2018/1972 for the mandatory transposition of its provisions into national law (ie, 21 December 2020), Poland had transposed only a small part of the provisions concerning the protection of subscribers/consumers. The new Electronic Communications Law will come into effect by the second half of 2021.
The Act of 29 December 1992 on Radio and Television Broadcasting applies to media service providers established in the territory of the Republic of Poland (Article 1a of the Act). Dissemination of television and radio programmes, with the exception of public radio and television programmes, requires a licence to be obtained by the interested entrepreneur (Article 33(1) of the Act on Radio and Television Broadcasting). The above requirement does not apply to the distribution of television programmes exclusively in ICT systems, unless such programmes are to be distributed on the ground, via satellite or cable networks (Article 33(2) of the Act on Radio and Television Broadcasting). The competent authority for concessions is the President of the National Broadcasting Council.
It should also be noted that the Act on Radio and Television Broadcasting does not require a licence to be obtained for entities providing on-demand audio-visual media services. Exclusion from the obligation to obtain a licence does not mean that the Act imposes no obligations on such entities. The entity providing audio-visual media services on demand is obliged to perform the obligations specified in Articles 47a et seq (eg, to gradually ensure accessibility of the provided programmes for the disabled and to mark product placement).
It should also be stressed that the Act on Radio and Television Broadcasting does not apply to other formats to which the provisions of the Act on Provision of Electronic Services will apply.
Polish law does not explicitly regulate the use of encryption or the circumstances in which a company is required to use encryption technology. However, it is worth noting that failure to adopt such solutions may, in certain cases, lead to violation of personal data or the privacy of users of the unsecured solution, as well as, in the case of institutions and legal persons, lead to violation of sector-specific obligations.
According to the GDPR, the data controller is obliged to implement appropriate technical and organisational measures (including pseudonymisation and encryption). Thus, encryption is a recommended data protection mechanism appearing directly in legislation, but also a commonly recommended technique by many organisations dealing with security. In the absence of specific regulations on encryption, there are also no specific legal requirements for its use.
It should be pointed out that the obligation to maintain the secrecy of correspondence is limited in some circumstances. Article 179 of the Telecommunications Act, for example, obliges an entrepreneur to ensure technical and organisational conditions for access to and recording of telecommunication transmissions by services indicated therein (eg, the police or border guards). Additionally, regulations concerning "eavesdropping" are also included in the provisions regulating the activities of specific public services (eg, in the Act of 6 April 1990 on the Police or the Act of 10 June 2016 on Counter-Terrorist Activities).
The impact of COVID-19 on the TMT sector in Poland has been felt most keenly in three main areas.
Firstly, TMT companies, especially small and medium-sized enterprises in this industry, were the recipients of assistance from a number of government programmes, referred to successively as COVID-19 Anti-crisis Shields 1.0–4.0. However, there is no such programme dedicated exclusively to the TMT industry, nor are there any plans for such a programme.
Secondly, pursuant to Article 6 of the COVID-19 Act, which relates to procurement involving goods or services necessary to counter COVID-19, the provisions of Public Procurement Law do not apply where there is a high likelihood of the disease spreading rapidly and uncontrollably or where the protection of public health so requires. Exemptions provided for in Article 6 of the COVID-19 Act may also apply to public contracts for the supply of IT equipment or IT services.
Thirdly, due to the COVID-19 pandemic, the entry into force of a number of important TMT regulatory initiatives has been delayed. This is especially true for cloud services in the financial and public sectors. The purpose of the postponement of the compliance obligations was to make the acquisition of cloud services in these sectors more flexible.