Contributed By DLA Piper UK LLP
Concept
The metaverse is a term describing a hypothetical, future, enhanced, digital environment where users will be able to move smoothly between several spheres (social, work, leisure, shopping, etc) in one single digital environment. The metaverse could also be seen as the integration of the digital and physical worlds.
In practical terms, the metaverse is an advanced version of the internet that can be accessed through VR headsets, augmented reality appliances and more common devices such as mobile phones and personal computers or laptops. So far, the metaverse is mainly a commercial venture and competition is increasing between major technology companies, all of which are developing their own metaverse offerings.
A term often mentioned alongside the metaverse due to its correlation is “Web3”. The latter has to be seen as the concept of a new, decentralised internet constructed on blockchains or distributed ledgers collectively managed by participants. Although the metaverse and Web3 are different concepts, Web3 technologies can enhance the metaverse experience.
Laws and Regulations
No specific laws for the metaverse have been introduced in Belgium. Accordingly, all general laws and principles that apply to the “real world” by default also apply to the metaverse.
In many situations, the legal framework can be seamlessly applied to the digital context, but there may be situations where existing laws are not always adapted to the reality of the metaverse.
For example, general contract law will apply to the transactions concerning non-fungible tokens (NFTs), intellectual property protects works can be generated and enforced in the metaverse, and companies active in the metaverse will have to comply with data protection and consumer laws. Furthermore, all criminal law provisions will also apply to offences committed in the metaverse.
According to established case law relating to online disputes, Belgian law will apply to websites which envisage a public in the Belgian territory.
Key Legal Challenges
A select number of key legal challenges are outlined below.
Intellectual property rights
The enforcement of intellectual property rights in the metaverse may lead to practical difficulties and challenges, just as it has been in the past for Web 1.0 and Web 2.0 disputes. Therefore, it will be important for businesses to actively monitor the metaverse for possible infringements.
One of the questions that will arise is which jurisdiction will be competent to examine infringement claims that might take place in the metaverse, as the metaverse does not belong to a concrete jurisdiction and as it may be difficult to identify the real identity of the infringer.
Data protection and cybersecurity
Lots of personal data will be processed in the metaverse. This will range from traditional types of personal data to the tracking of movements and activities in the metaverse. Given the cross-border character of the metaverse, many different data protection laws may need to be taken into account when processing personal data.
Book XII of the Belgian Code on Economic Law is dedicated to regulating the digital economy. This includes the Belgian implementation of the Directive on electronic commerce.
New Belgian laws, impacting Book XII, are however to be expected, given the entry into force of the EU Digital Markets Act (DMA) (Regulation 2022/1925) and the EU Digital Services Act (DSA) (Regulation 2022/2065), respectively on 1 November and 16 November 2022.
The DSA establishes a new standard for the accountability of online platforms regarding illegal and harmful content, which is to be transposed in national law. In addition, it includes provisions – which are already operational – related to the transparency obligations of online platforms and the identification of very large online platforms (VLOPs) and very large online search engines (VLOSEs).
Essential for the transposition of this regime into Belgian law is the implementation of three key measures. Firstly, the draft federal law must be introduced to enact the DSA, assigning duties to the Belgian Institute for Postal Services and Telecommunications (BIPT/IBPT) – acting as both the federal competent authority and the Digital Services Co-ordinator – regarding the oversight of DSA-provisions falling under federal jurisdiction. Concurrently, decrees at the level of the federated entities are necessary to appoint their respective competent authorities responsible for supervising provisions within their jurisdictional purview. Additionally, fostering collaboration between the federal government and communities is imperative. This collaboration would involve establishing a comprehensive agreement delineating various aspects such as the designation of the BIPT as the DSC, clarification of roles for competent supervisory authorities and the DSC, formulation of frameworks for co-operation and information exchange among competent authorities concerning the DSA, and arrangements for Belgium’s representation within the broader European digital services sphere.
The DMA, in turn, targets online platforms which qualify as “gatekeepers” and therefore create a bottleneck in the digital economy, and is applicable as from 2 May 2023.
The designation of the first organisations as “gatekeepers” by the European Commission happened in September 2023. Regulating these platforms will enhance competition and create a fairer business environment for businesses who depend on gatekeepers.
Laws and Regulations
As there are no contracting laws specifically tailored to cloud and edge computing contracts in Belgium, general contract law applies to such contracts (eg, consumer laws, and specific laws for certain kinds of contracts). Contractual arrangements thus need to be heavily relied on in order to cover issues not dealt with under traditional contract law, or dealt with in a way that is not readily applicable to cloud and edge computing. In addition to contract law, a number of other laws and regulations also apply to specific issues or aspects of cloud solutions.
The Directive of 2016 on Security of Network and Information Systems (the “NIS-1 Directive”) (Directive 2016/1148) mainly aims to strengthen critical infrastructure in the EU, but also contains provisions regarding cloud computing. Providers of critical infrastructure have to comply with the (national implementation of the) security requirements of the NIS-1 Directive – ie, the requirement to adopt appropriate security measures.
This NIS-1 Directive was transposed into Belgian law through the Belgian NIS Act of 7 April 2019 (the “NIS Act”), and its executing Royal Decree of 12 July 2019. On 16 December 2020, the European legislator presented a new cybersecurity strategy, following which in 2022 a new Directive on measures for high common level of cybersecurity across the Union (the “NIS-2 Directive") (Directive 2022/2555), and a new Directive on the resilience of critical entities have been adopted. Time-wise, the Belgian government has until 17 October 2024 to transpose both directives into national legislation and to adopt and publish all measures necessary for compliance.
The Belgian authorities, specifically the Centre for Cybersecurity Belgium (CCB), are keen on expediting the publication of the Belgian law for the transposition of the NIS-2 Directive, aiming to provide clarity to relevant entities well before that deadline. The Belgian Council of Ministers has already prepared a proposal for an implementing act and accompanying implementation decree, which are still to go through the entire legislation formation process.
Regulations in Specific Industries
To date, there are few sector-specific rules in Belgium in relation to cloud services, as several sectors have rules in relation to outsourcing in general (eg, in the banking and insurance sector).
In 2019, for instance, the National Bank of Belgium (NBB) issued a circular on outsourcing arrangements (the “Circular”) that applies to a wide number of financial institutions. With the Circular, the NBB has fully integrated the European Bank Authority Guidelines on outsourcing arrangements of 25 February 2019 (the “EBA Guidelines”) (EBA Guidelines 2019/02) into its supervisory practices.
In order to be compliant, financial institutions wishing to outsource part of their activities must, among other things, ensure that the outsourcing contract provides for a range of obligations and must submit a file to the regulator in certain circumstances. Similar but more strict obligations exist for (re)insurance companies.
As of 16 January 2023, the first major EU-wide legislation treating digital resilience entered into force, being the Digital Operations Resilience Act for the Financial sector (DORA) (Regulation 2022/2554). Its purpose is to establish uniform standards for ICT risk mitigation across all EU financial entities, more particular establishing a framework for ICT risk management, incident reporting, operational resilience testing and third-party ICT risk monitoring.
DORA goes beyond the scope of the previously mentioned EBA Guidelines (which it will replace), addressing both personnel and material aspects, and isis designed to ensure digital operational resilience throughout the entire financial ecosystem. Consequently, a broader range of financial entities as well as ICT service providers (including cloud service providers) will need to adhere to the DORA conditions.
Furthermore, DORA sets forth requirements that emphasise the establishment of strategies, frameworks, and governing processes essential for achieving digital operational resilience.
Processing of Personal Data
The General Data Protection Regulation (the GDPR) (Regulation 2016/679) is applicable to all processing of personal data. To the extent that the data uploaded by an organisation includes personal data, the GDPR will also be applicable to cloud solutions and will have to be taken into account by both cloud providers and users. Certain obligations and restrictions under the GDPR can be especially problematic with regard to cloud solutions (eg, data transfers to third countries – as mentioned further below).
For instance, the GDPR prohibits data transfers to third countries without either being able to rely on an adequacy finding issued for the third country by the European Commission (eg, Japan, Switzerland, and New Zealand) or having provided appropriate safeguards (eg, binding corporate rules, standard contractual clauses, an approved code of conduct or certification mechanism). If a cloud provider has data centres in such third countries, this requirement should therefore be taken into account.
According to the GDPR, the transfer of data subject to data protection outside the European Union must not compromise the level of protection guaranteed by the GDPR for natural persons. Data transfers to a third country or international organisation are permissible when the European Commission determines that the third country, specific sectors within that country, or the international organisation ensures an adequate level of protection.
A list of countries with such adequacy decisions is available. On 10 July 2023, the European Commission approved a new adequacy decision for the United States, known as the “EU–US Data Privacy Framework”, in the wake of the Schrems-decisions taken by the CJEU in the past. The new framework aims to facilitate data export to organisations on the “Data Privacy Framework List” without the need for transfer instruments outlined in Article 46 of the GDPR. Data controllers transferring personal data to organisations not on the list must still use necessary transfer instruments, as stipulated in the GDPR, to ensure an appropriate level of protection, such as model contract clauses or binding corporate rules (EDPB recommendations 01/2020).
Additionally, the decision outlines remedies available to individuals whose data is transferred to the United States under the adequacy decision, should they believe the involved organisation in the US is not adhering to the Data Privacy Framework. This adequacy decision follows the invalidation of two previous decisions, Safe Harbour and Privacy Shield, by the Court of Justice of the European Union in the “Schrems I” and “Schrems II” rulings.
For Belgian businesses and organisations involved in cross-border data exchanges with the United States, this framework streamlines the process of transferring personal data without the need for additional safeguards such as Standard Contractual Clauses or Binding Corporate Rules. This simplification can lead to increased efficiency and reduced administrative burdens for Belgian companies engaging in international collaborations, data sharing, or utilising cloud services hosted in the United States.
Additionally, Belgian individuals benefit from enhanced privacy protections when their data is transferred to the United States under the EU–US Data Privacy Framework. They have specific legal remedies available if they believe that a US-based organisation is not complying with the provisions of the Data Privacy Framework, providing an added layer of security and control over their personal information.
Another privacy-related topic can be found in the fact that in cloud computing situations, where cloud service providers come into play, the obligation to notify data breaches to both data subjects and data protection authorities typically requires more extensive involvement of the provider than in the case of merely local IT solutions, given the typically greater reliance on the former.
In cloud computing contracts, other aspects have to be carefully planned, such as the question of return or destruction of personal data, and the question of liability of the provider. In this respect, during the month of July 2023, the working group on Switching Cloud Providers and Porting Data (SWIPO) presented its Converged Code of Conduct for cloud services. Since the Data Act is in force as of January 2024, SWIPO plans to update its third Code of Conduct to address the necessary requirements set forth in the Data Act and help ensure compliance with the anticipated provisions relating to porting and switching between data processing services. Once amended, SWIPO anticipates that the Code will be eligible to be listed in the “Cloud Rule Book” as a Data Act implementation tool.
Laws and Regulations
Artificial intelligence will be governed under an array of laws and regulations.
Legal challenges
Liability
As one of the characteristics of AI is that it can take decisions with a degree of autonomy, the question of liability (“Who is responsible when an AI system causes damage or breaches the law?”) quickly emerged. In this respect, the European Parliament adopted a resolution with recommendations to the Commission on a civil liability regime for artificial intelligence on 20 October 2020 in which it stated that there is no need for a complete revision of liability regimes, but that the capacity of self-learning and the potential autonomy of Al-systems requires specific and co-ordinated adjustments to the liability regimes. The European Parliament also emphasised that the new common rules for Al-systems should take the form of a regulation.
On 8 December 2023, the European Parliament and the Council reached a provisional political agreement on the key points of the regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (the “Artificial Intelligence Act”). The draft Artificial Intelligence Act contains a tiering of regulatory requirements depending on the inherent risk associated with the Al system that is being used – namely (i) prohibited Al practices, (ii) high-risk Al systems, and (iii) low-risk Al systems. High-risk Al systems are permitted provided the strict controls set out in the regulation to mitigate the risks are in place. Key regulatory controls on high-risk Al systems include the obligation to maintain a risk management system, complete and up-to-date technical documentation, designed to allow for effective human oversight and to ensure an appropriate level of accuracy, robustness and security. Different obligations will apply depending on the role of a party in the AI system’s supply chain, including requirements applicable to providers as well as to deployers (ie, the users) of the AI system.
The question whether foundation models and/or general purpose AI systems need to be specifically regulated was a major point of discussion in the trilogue negotiations. The Commission’s proposal of April 2021 did not include specific rules for foundation models or general purpose AI systems. However, with the notable market entry of several powerful general purpose AI systems since the initial proposal was published, these discussions became highly relevant. The draft Artificial Intelligence Act now contains dedicated obligations for “general purpose AI models” which are stricter depending on whether such models are considered to present “systemic risk”.
After formal adoption and official publication of the draft Artificial Intelligence Act, this Regulation is expected to enter into force in the first half of 2024, following which it will gradually enter into application. All prohibited systems will need to be phased out within six months. The majority of the other requirements will then become applicable 24 months after the entry into force.
Additionally, the Commission has published a proposal for an Artificial Intelligence Liability Directive (AILD) on 28 September 2022. The proposed Directive aims at improving the functioning of the internal market by laying down rules for certain non-contractual civil liability for damage caused with the involvement of AI. For now, liability questions regarding Al are still governed by the general liability framework. Regarding non-contractual liability, Belgian law sets out three conditions that need to be fulfilled for liability to be attributable to a party: fault, damage and a causal link between the two. The burden of proof lies with the claimant. Where an AI system causes harm, however, it may be difficult to determine with precision which action or inaction led to the breach or damage and whether it was a “fault”.
It remains to be seen whether non-compliance with (some of) the obligations set out in the Artificial Intelligence Act will contribute/lead to the determination that the supplier/user has made a “fault”. The AILD would introduce a rebuttable presumption of causality in the case of fault – ie, the lack of compliance with a duty of care under the AI Act, or any other EU or national law.
Given the current legal uncertainty, organisations working on projects involving AI systems must carefully regulate liability in their contractual arrangements, including matters that have an indirect impact on liability (eg, applicable law and choice of jurisdiction).
Data protection
AI systems process vast quantities of data, including personal data in most cases. In accordance with the requirements of the GDPR, key requirements such as data minimisation and privacy by design have to be taken into account when creating or working with AI systems in Belgium.
Intellectual property
Most relevant in this respect is copyright. The conditions of copyright – namely a “work” that is “original” – have been interpreted by the CJEU and are, to a certain extent, similarly applied throughout the EU. This means that the same issues will be faced by all the countries in the EU – for example, “who will be the author when an AI system makes a work of art?”
The first component of originality, also known as the “objective component”, holds that the work must be the result of an intellectual creation. The second component, known as the “personality requirement” or “subjective component of originality”, holds that a personal touch must be given to the work in order to reach the threshold of originality. From these criteria it can be deduced that human input is a prerequisite for copyright.
As AI systems are not likely to be able to claim copyright protection in the near future, the creator of the AI system (the legal or natural person) should document the process of creation and arrange internal assignment of all IP rights, including copyright, to themselves, following the principle of Belgian property law that “the fruits of a good belong to the owner of the good”.
There is no strict definition of the internet of things (IoT), so for the purpose of this article the collection of devices that have the ability to sense, amass and analyse data, and to communicate through networks will be considered as the IoT.
Data Protection
The first important legal framework that needs to be taken into account is data protection law. Because of the nature and goal of IoT devices (ie, smart mobile applications, smart home units, wearables, home assistants, etc), large amounts of data are being collected and processed, some of which will be considered personal data under the GDPR.
The applicability of this framework has a number of consequences as to how IoT devices should be designed (in particular the overarching principle of privacy by design).
Consent
Not all IoT devices and services are organised along the lines of traditional graphical user interfaces, so asking for consent cannot always be worked directly into the functionality. As a result, IoT manufacturers and resellers must think of alternative ways to collect consent, in such a way that it meets the requirements of the GDPR: consent must be freely given, specific, informed and unambiguous.
Data minimisation
The GDPR requires that the personal data used is relevant and limited to what is necessary in relation to the purpose for which it is processed. This is a direct challenge to the data maximalism that is typical of IoT devices and services. One suggested way to keep this balance is “edge computing”, which allows the devices themselves to select the data necessary for processing further down the line.
Data protection impact assessments
In addition to the scenarios provided in the GDPR, the Belgian Data Protection Authority has set out a number of scenarios in which a data protection impact assessment (DPIA) is mandatory, and one of them specifically concerns the deployment of certain kinds of IoT devices – ie, large-scale processing of data generated by devices with sensors sending data over the internet or any another means for the purpose of analysing or predicting individuals’ economic situation, health, preferences or personal interests, reliability or behaviour, localisation or movements.
Cybersecurity
Cybersecurity is also a major point of attention. Various authorities internationally have expressed concern regarding the security of a lot of IoT devices, as these devices have the potential to enable the misuse of information, unauthorised access or attacks on other systems.
In Belgium, there are no specific minimum-security requirements, but specific sectors have requirements in relation to data breach notifications (eg, telecommunications, critical infrastructure, finance in specific cases) and data protection rules also provide for notification obligations in relation to personal data breaches.
ePrivacy Directive (M2M)
Under the ePrivacy Directive 2002/58/EC (ePD) (Directive 2002/58), a key question is whether machine-to-machine communications (M2M) – eg, the communications between an IoT device and the server of the vendor/service provider – are protected by the ePD’s rule of confidentiality of communications.
This question was not settled based on the wording of the ePD (which refers to “parties” to a communication), or in Belgium based on the wording of the Belgian implementation.
The draft ePrivacy Regulation aims to resolve this by clearly covering IoT services and devices. Current drafts provide for confidentiality of communications, including M2M-interactions, potentially affecting how certain organisations currently use IoT devices.
In 2023, the approval of the ePrivacy Regulation was still not realised, giving rise to uncertainties regarding the future of this proposal.
Interoperability
In the past, many companies developed IoT services or devices with their own independent infrastructure. With the increasing prevalence of IoT devices and services, the issue of interoperability – ie, ensuring seamless communication between devices, networks, and platforms – will naturally come to the forefront. A concrete (and quite literal) example of addressing this need is the introduction of a universal charger for mobile devices, expected to be implemented in 2024. Under these new regulations, consumers will not require a different charger each time they purchase a new device. Instead, they can use a single charger for a variety of small and medium-sized portable electronic devices. This common charger aims to enhance convenience by standardising charging interfaces and fast charging technology, ultimately even leading to a significant reduction in electronic waste.
Within the ongoing efforts to create a European Digital Single Market, the EU has dedicated publications to interoperability architecture for IoT.
While this is not currently a legal requirement, it is highly recommended to consider the question of interoperability with existing services, whether through adopting an open architecture, integrating a third-party architecture (eg, by way of an application programming interface (API)) or making available a software development kit (SDK) for others to use for interoperability.
There are no particular requirements under Belgian law in this respect.
Legal Landscape
European level
In November 2018, the European Parliament adopted a directive concerning audiovisual media services (the “AVMS Directive”) (Directive 2018/1808). and a directive on copyright and related rights in the Digital Single Market (the “DSM Directive”) (Directive 2019/790) in April 2019.
National level
The AVMS Directive has been implemented by the Belgian legislature at four different levels, in four different ways. In Belgium, community-level governments (Flemish, French and German-speaking) are in charge of the regulation of audio–visual media services in their respective territories, based on the place of establishment of the provider. By way of an exception, the federal government has the power to regulate audio–visual media services established in the capital region, Brussels, unless they need to be considered as belonging to the Flemish or French community because of their activities.
The DSM Directive has been transposed in Belgium by a federal Act, changing the Belgian Code of Economic Law with a wide range of relevant topics.
In conclusion, the Belgian legal framework is composed of two federal acts, a Flemish decree, a French decree and a German decree. These acts are not always consistent and therefore it is necessary to check, in practice, which requirements apply depending on the establishment of the service provider.
Main Requirements for Providing Audio–Visual Media Services
Requirements common to linear and non-linear providers
The following requirements are to be considered common to linear and non-linear providers.
Linear providers (eg, TV and broadcasters)
Under Flemish radio and TV broadcasting rules, national, regional, network and local radio broadcasting is subject to prior authorisation (by the Flemish government). For other forms of broadcasting, no authorisation is required, but a notification process applies.
Under the French community decree, radio and regional TV broadcasting is also subject to prior authorisation. Other audio-visual media services in the French community must notify the regulator (Conseil Superieur de l’Audiovisuel – CSA) before they start their activity.
Non-linear providers (eg, on-demand providers)
Promotion of EU works
At least 30% of the catalogues of on-demand audio–visual media service providers must be European works and such works must be given prominence. In addition to this, there are small nuances according to the decrees. In the French decree a gradual increase to reach 40% is encouraged. The Flemish decree also provides a precision in that, of the 30% of European works, a “significant proportion” must be Dutch-speaking. Finally, providers shall, on an annual basis, provide a report on the achievement of the objectives.
Netflix tax
There is a financial contribution obligation (known as the Netflix tax) according to which the media service provider must contribute financially to the production of European works. The French and Dutch Decree provide for a similar mechanism providing for an option between (i) co-producing or pre-purchasing French/Dutch works or (ii) payment to a Dutch/French local fund. However, the federal act does not contain such an obligation. Nor does the German-speaking community, at least for audio–visual media services providers established in the same community or the same member state. External providers, on the other hand, may be subject to this financial contribution obligation.
Video-Sharing Platforms
The scope of the AVMS Directive includes video-sharing platforms, whereby this concept is defined as an economic service whose main purpose, severable section or essential functionality must be to provide programmes, user-generated videos or both, to the general public. The relevant rules are to be found in Article 28b of the AVMS Directive and transposed into the federal act and the respective decrees of the communities.
It should be noted that due to the lack of editorial responsibility of these platforms, it is said that a “light” regime applies to video sharing platforms. Therefore, they are not subject to all the rules in the same way as “true” audio–visual media services, ie, services with editorial control.
They must however take appropriate measures:
The Belgian telecommunication rules, mainly found in the Belgian Act on Electronic Communications, are heavily influenced by EU rules. This has become even more the case since the adoption of the European Electronic Communications Code (the EECC) (Directive 2018/1972), and will be even more so once the EU adopts the long-awaited ePrivacy Regulation. Regarding the latter, however, it remains to be seen if, when and which form it would adopted.
The EECC applies to electronic communications services (ECS) and electronic communication networks (ECN). An electronic communications service is defined as a service, normally provided for remuneration, via electronic communications networks, which encompasses – with the exception of services providing, or exercising editorial control over, content transmitted using electronic communications networks and services – the following types of services:
An “interpersonal communication service” is defined as “a service normally provided for remuneration that enables direct interpersonal and interactive exchange of information via electronic communications networks between a finite number of persons, whereby the persons initiating or participating in the communication determine its recipient(s) and does not include services which enable interpersonal and interactive communication merely as a minor ancillary feature that is intrinsically linked to another service”. As a result of this definition, online services which are functionally equivalent to traditional voice telephony, text messages (SMS) and electronic conveyance services such as voice-over IP, messaging services and web-based email services may also fall under the scope of the EECC. The Belgian draft law transposing the EECC contains identical definitions.
Providers of ECN and ECS are, generally, allowed to carry out their activities in Belgium. Depending on the ECN/ECS that they offer they will have to comply with certain obligations. An example is the notification to the Belgian regulator (BIPT/IBPT) before starting to provide any public ECN/publicly available ECS on the Belgian territory.
Qualification of Contract
Technology agreement is a broad term that can encompass (and combine) several kinds of technology services, such as licensing, maintenance, outsourcing, cloud computing services or even developing of software. When concluding or reviewing a technology agreement, it is important to qualify it appropriately to specify the applicable legal framework. In particular, it is important to check whether the agreement fits within the framework of one (or several) of the legally defined contracts under Belgian law.
The Belgian Civil Code (BCC) names several kinds of agreements, such as construction agreements or commercial agency agreements, and provides both mandatory rules (ie, those from which one cannot deviate by contract) and implied rules (ie, rules that apply when the agreement does not cover that specific issue) that may apply to these kinds of agreements. If an agreement does not fit into the framework of any of the legally regulated contracts, parties enjoy a broad contractual freedom, but must ensure that they regulate all the important aspects in detail to avoid any legal gaps.
SLAs
An important part of any technology agreement is the set of service levels applicable to the contract, namely the commitment in practice by the supplier or service provider – eg, to a certain percentage of delivery, accuracy, availability, etc, or to responding within a specific number of days or hours to a request or issues. Service level agreements (SLAs) typically apply to the contractual annexes on service levels.
Nature of obligations
The description of these service levels is crucial for their legal classification under Belgian law, which makes a distinction between obligations to attain a specific result (obligation de résultat/resultaatsverbintenis) and “obligations of means” (obligation de moyens/middelenverbintenis), the latter often translated into English as a “(commercially) reasonable effort” obligation.
In the case of a result obligation, the simple failure to reach the result will be viewed as a “fault” (ie, non-performance) that can trigger liability; for obligations of means, however, a higher threshold applies and the party claiming liability must be able to demonstrate that the defaulting party did not do all that was (commercially) reasonable.
SLAs: not just an IT matter
In many companies in Belgium and abroad, SLAs are often drawn up by IT teams without properly taking the actual terms and conditions of the agreement into account. One must ensure that an SLA has been checked or drawn up in consultation with the legal department to avoid legal misunderstandings.
Service levels are presumed to be result obligations, unless stated otherwise in the agreement, but service providers prefer to transform them into obligations of means – for example, by including expressions such as “to the best of its ability” or “strive” in the SLA. In that case, the service provider can only be held liable when non-compliance and fault can be proven by the customer. The customer, on the other hand, will aim for more certainty by using terms such as “ensures” or “result” in the SLA; in which case, the service provider can be held liable if the results and milestones set out in the SLA have not been achieved (except where this is attributable to the customer or to force majeure).
Liability
Contracting parties may limit or exclude their liability in an IT services agreement. This can be done by the incorporation of a liability clause or through the wording of the obligations, the inclusion of assumptions and a broad definition of force majeure.
Under Belgian law, it is allowed and generally accepted to exclude a party’s liability for specific losses, on the condition that such exclusions:
As a result, liability clauses typically include caveats in this respect. Should there be none, the entire agreement, or at least the liability clause, could be held void, according to the principle that if any of the terms of a contract prove to be inapplicable or contrary to a mandatory provision of the law, the validity of the entire contract must be examined. The risk of such a discussion can be mitigated by including a “severability” clause, stipulating that if any (part of a) provision is or becomes illegal, invalid or unenforceable, this shall not affect or impair the legality of any other (part of a) provision of the IT services agreement.
Intellectual Property
Intellectual property (IP) plays an important role in IT services agreements. IT services often go hand in hand with the use of pre-existing IP of the supplier, pre-existing IP of the customer and third-party IP. Sometimes an IT services agreement involves the creation of something new which might also be protected by IP.
Contrary to what is often believed, there are various options to divide the IP on a new creation between the parties, ranging from full ownership for the supplier to full ownership for the customer. In an IT outsourcing agreement, the pre-existing IP typically remains with each party, with a form of cross-licensing (each party grants a licence to the other for the use of its own pre-existing IP).
In the case of a software as a service (SaaS) agreement, all IP rights on the SaaS solution are reserved for the SaaS provider, but this party typically grants the customer a non-exclusive, non-transferable, worldwide, limited right to use and access the SaaS solution for internal business purposes.
Step-In Right
A step-in right is a discretionary right for a customer to partially or fully take over services or appoint a third party to deliver services instead of the supplier. The foundations for step-in are in the Civil Code, which case law is interpreted as permitting step-in without prior court intervention, subject to certain cumulative requirements (ie, urgency, a prior determination that there is a contractual breach, a prior notice to remedy the breach, immediate involvement of the third party after expiry of the notice period, and good faith).
The step-in principle is not mandatory law and parties may contractually exclude step-in or alter its conditions by adding scenarios in which step-in is possible (for instance, if the supplier causes material interruption or disruption of services or exceeds service credit levels during a certain period.
B2B Relationships
The Belgian B2B Act regulates several aspects of B2B relationships. In essence, it prohibits:
In the context of IT services agreements, the most relevant part pertains to unfair terms. The Act foresees a black list (presumed to be unlawful without possibility of rebuttal) and a grey list (presumed to be unlawful until proven otherwise).
The black list targets terms which:
The grey list targets, among others, terms which:
New Civil Code
From 1 January 2023, the new Belgian Civil Code applies, introducing a number of modifications that will impact the conclusion of technology agreements. Amongst other things, the new Civil Code foresees:
Types of Electronic Signature
Under Belgian law, the electronic execution of contracts can be done using three types of electronic signature, which follows from the eIDAS Regulation (Regulation 910/2014/EU), as incorporated in Book XII of the Belgian Code of Economic Law.
Normal electronic signatures
A (normal) electronic signature is defined broadly as data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign. Examples include a name below an email, a PIN, a password, a scanned signature, symmetric and public key cryptography authentication methods and biometric authentication methods.
A (normal) electronic signature may not be denied legal effectiveness and admissibility as evidence in legal proceedings solely on the grounds that it is in electronic form and not based upon a qualified certificate. This type of electronic signature, however, does not (automatically) receive the same legal effect as a handwritten signature.
Advanced electronic signatures
An advanced electronic signature is defined as an electronic signature which meets the following requirements:
In practice, mainly asymmetric public key cryptography (PKI) systems meet the requirements of this definition. It must, however, be emphasised that the legislation does not confer specific legal effectiveness to this type of electronic signature that would be different from (normal) electronic signatures. The main difference between a (normal) electronic signature and an advanced electronic signature is that the latter generally is considered to be more trustworthy, and that consequently more evidential weight is attached to it.
Qualified electronic signatures
A qualified electronic signature is an advanced electronic signature (i–iv) that is (v) created by a qualified electronic signature creation device, and (vi) based on a qualified certificate for electronic signatures. A certificate is an attestation linking electronic signature validation data to a natural person and confirming at least the name or pseudonym of that person. The certificate must contain certain mandatory statements and must have been issued by a qualified certification service provider.
A typical example of a qualified electronic signature is the one placed with a Belgian eID card. A qualified electronic signature is automatically assimilated to and legally presumed to be equivalent to a handwritten signature.
Functional Equivalence and Proving the Existence of an Agreement
In Belgium, the principle of consensualism applies to the validity of contracts. Mutual consensus, even verbally, of both parties is thus sufficient to conclude a valid agreement. In deviation from this principle, the Belgian legislature at times imposes certain formal requirements (such as a signature) for the valid conclusion of a contract. In this regard, the principle of “functional equivalence for formal requirements” applies. This means that any legal or regulatory formal requirement for the valid conclusion of contracts by electronic means is fulfilled if the functional qualities of this requirement are safeguarded (Article XII.15 of the Belgian Code of Economic Law). Thus, if some “writing” or a “signature” would be required for the valid conclusion of a contract or an electronic contract, an electronic signature (regardless the type) will suffice.
In certain circumstances, Belgian law, however, deviates from this principle of “functional equivalence for formal requirements”. For example, within employment law, only a handwritten signature or the equivalent qualified electronic signature can be used. The same applies for a tender in the context of public procurement law.
Furthermore, it is relevant to emphasise that there is a difference between concluding a valid agreement (as described above) and being able to enforce that agreement by proving its existence and contents, which is subject to specific requirements.
For example in a B2B environment, the Belgian law of evidence (incorporated in Book 8 of the new Civil Code), specifies that evidence between and against businesses relies on a free system of evidence. Consequently, the evidence of the existence of a contract in a B2B context may be given by electronically signed contracts. In this regard, courts will grant legal effect to electronically signed contracts as soon as two legal conditions are met. Firstly, as to the document itself, the writing must consist of “a set of alphabetical characters or of any other comprehensible signs affixed to a medium which allows access to it for a period of time appropriate to the purpose for which the information may be used and protects its integrity, whatever the medium and the means of transmission”. Secondly, the signature must consist of “a sign or a sequence of signs by which a person identifies himself and which indicates his intention”.
Digital Identity Schemes
While the eIDAS Regulation was ground-breaking at the time, the Regulation also included important gaps and is generally considered not to have been fully exploited in its potential.
Following a review, the European Commission drafted a proposal regarding the framework for a European Digital Identity, which would amend the EU eIDAS Regulation. This framework would introduce the “digital wallet”, which may be provided by public authorities or by private entities recognised by a member state, and which will link a citizen’s national digital identity to other personal attributes (eg, driving licence or bank account). This new framework is expected to provide a major increase of legal security and opportunities for the use of public and private online services within the EU – including in relation to electronic signatures. However, it remains to be seen how much of the proposal will have been amended once it reaches its final form as the draft was rather ambitious.
Rue aux Laines 70
1000
Brussels
Belgium
+32 2 500 15 00
+32 2 500 16 00
kristof.devulder@dlapiper.com www.dlapiper.com