The Metaverse and its Regulation
The metaverse could be considered the greatest technological revolution of recent years. Since its recent inception, it has become the central focus among technological advances. This concept refers to a three-dimensional virtual reality, where individuals can interact through avatars much like they do in reality. The metaverse will allow us to study, hold work meetings, attend concerts, go shopping and engage in a long list of activities, many of which are currently beyond the imagination. The reality is that the metaverse is still early in its development. Certainly, it is mainly used today for the development of leisure activities and especially for video games, but its applications will continue to grow exponentially.
There is no doubt that the evolution of the metaverse is unstoppable, so it is becoming urgently necessary to regulate the legal aspects that derive from it, encompassing matters such as data protection or cybersecurity.
Currently, regulatory frameworks exist both at Spanish and European levels, which can serve as a basis for the resolution of potential problems that may occur in the development of the metaverse. In the EU, the General Data Protection Regulation (GDPR), the Digital Services Act, the Digital Markets Act and the Cybersecurity Act are all pertinent, among others. In Spain, the Ley Orgánica de Protección de Datos y garantía de los derechos digitales (LOPDGDD), which transposes the GDPR, and the Ley de Servicios de la Sociedad de la Información (LSSI), which regulates the electronic procurement of goods and services, constitute the main regulations to deal with the metaverse phenomenon for the time being.
Obviously, these rules do not cover the abundance of situations and conflicts that will have to be resolved in the coming years; for now, the aforementioned pieces of legislation will have to be supplemented by the common Spanish contractual and consumer protection law.
The Agencia Española de Protección de Datos (AEPD), the Spanish data protection authority, has recently focused on the metaverse and its privacy risks. This body acknowledges that the metaverse is made possible as a result of the development and expansion of a multitude of technologies in constant evolution which interact in the metaverse, such as internet of things (IoT), artificial intelligence (AI), blockchain, 5G, digital identity techniques, cloud or edge computing, and virtual reality or augmented reality technologies.
The Challenges Posed by the Metaverse
There are two essential risks that will have to be faced in relation to the metaverse: privacy and data security.
As the AEPD points out, the metaverse can be very intrusive from the privacy point of view since the processing of data in this environment is massive. Thus, the processing of some specific categories of data will be of paramount importance and will make it possible to extract extremely detailed information from users. Such is the case with biometric data. Virtual reality glasses will be able to determine what we like and what gives us pleasure or elicits rejection with the analysis of the changes in our pupils.
Likewise, the perception of postural changes or the position of avatars in the virtual environment will reveal information of which the user is not aware. This information can be used to personalise marketing campaigns based on specific profiles.
So, each of the technologies that converge in the metaverse presents certain privacy risks that will have to be addressed, ranging from non-consensual profiling to identity theft. Therefore, it will be essential to adopt the necessary measures based on the mechanisms provided for in both of the data protection regulations. These measures must integrate impact assessments, data security, transparency in data processing, the guarantee of the rights of the data subjects and the minimisation of data collection.
The very concept of the metaverse as a virtual reality space in which people interact as they do in the real world also entails the presence of (cyber)criminals and a space conducive to piracy. Blockchain technology, through its process validation system, can help mitigate these risks, but it cannot make them disappear, at least not on its own. It must go hand in hand with the implementation of strong cybersecurity measures that can neutralise techniques such as phishing or prevent the theft of cryptocurrencies.
However, the development of the metaverse will have to face other challenges, beyond privacy or cybersecurity. For example, there are even AI tools for image and video generation that can alter creative processes and consequently affect the work of artists.
This leads on to the potential problems related to intellectual property. Since non-fungible tokens (NFTs) are subject to transactions in the metaverse, mechanisms must be established to verify their authenticity and identify copies or plagiarism. Some lawsuits have already been filed by luxury firms against the plagiarism of their products through NFTs.
In any case, none of the above will be a reality without the input of the big technology companies that lead the development of the metaverse. In recent months, these companies have suffered significant falls in the stock market, arising from the global situation and the false growth expectations that were born as a result of the pandemic. Mass layoffs and cost containment motivated by the fear of a recession and rising interest rates (and therefore higher financing costs) are a certainty, so it remains to be seen whether progress on the metaverse will be made as fast as expected. In any case, it seems that adverse conditions are cyclical and we are only facing a fair adjustment in the technology sector, and sooner or later the definitive impetus for the development of the metaverse will take effect.
Brief Introduction to the Concept of Digital Economy
The digital economy entails the use of technology for the production of goods and services, as well as for their subsequent commercialisation, for example, e-commerce, mobile applications or online banking. There is no doubt about the importance of the role that the digital economy plays in our lives today.
In line with the above, it is a reality that within the EU and in each of its member states, a real digital revolution is being experienced. This is confirmed by the huge number of regulations that are being adopted in recent months and the many others that are in the processing phase, precisely because more and more aspects of our lives are developing in the digital environment and the advance of technology is inevitable and occurring at a significant speed.
Before entering into detail on the regulations that expressly regulate the digital economy, it is convenient to briefly review the recently approved provisions that refer in a more general way to digital rights, essential for human beings to interact in an orderly manner in the digital environment.
Decision (EU) 2022/2481 of 14 December 2022 sets out the strategic agenda for the Digital Decade Policy Programme 2030, and is based on the communication of 9 March 2021 entitled “2030 Digital Compass” to guide the digital transformation of the EU for the coming years.
In this context, we must also refer to the declaration on European Digital Rights and Principles for the Digital Decade, adopted on 15 December 2022. It reflects the EU's commitment to achieving a secure digital transformation, putting people at the centre, in order to achieve the objectives of the aforementioned 2030 Digital Compass.
In Spain, these digital commitments are reflected in the Digital Rights Charter, presented by the Spanish government in July 2021, which aims to protect citizens from the possible risks generated by disruptive technologies. They are not normative in nature and therefore merely constitute a frame of reference for public authorities.
This document is complemented by the Digital Spain 2026 strategy, which constitutes the update of the Spanish digital transformation roadmap launched in July 2020.
Regulation on Digital Services and Digital Markets
As previously announced, having laid the foundations that should govern any regulatory development in the digital field, we must highlight the very recent publication of several rules that directly regulate certain aspects of the digital economy and that constitute the Digital Services Package presented by the European Commission in 2020.
This digital package basically translates into the approval of Regulation (EU) 2022/2065, of 19 October 2022, known as the Digital Services Act (DSA), and Regulation (EU) 2022/1925, of 14 September 2022, known as the Digital Markets Act (DMA).
The adoption of these two rules is an essential part of the EU's Digital Agenda and aims to create a safer digital space, both for citizens and businesses, in the face of the exponential growth of digital services, especially after the pandemic.
In the end, it is a question of establishing a specific set of uniform rules for the entire EU in order to ensure legal certainty and the proper functioning of the internal market by creating a secure and reliable online environment.
It should also be noted that the EU legislature has chosen a Regulation and not a Directive to regulate the package of digital measures, which implies its direct application as law without the need for transposition in all countries of the European Economic Area (EU plus Iceland, Norway and Liechtenstein).
Digital Services Act
The DSA aims to be a pioneer in the regulation of digital services by reformulating in detail the rights and obligations of certain intermediary service providers, users and digital businesses in order to strengthen respect for fundamental rights in the EU and establishing a new liability regime for certain platforms. In this sense, new diligence requirements are established for intermediary services providers in terms of the actions to be carried out in the face of illegal content.
It is a necessary update because since the former Directive on electronic commerce was published in 2000 (and transposed into Spanish law by the LSSI), there have been no significant changes in these regulations, despite the fact that the transformation of digital markets and services since then has been overwhelming.
It should be noted that the new DSA does not derogate from the old Directive of the year 2000 and, therefore, the LSSI will continue to be in force in Spain regarding any provisions that do not contradict the DSA. Thus, in Spain, verification work will have to be carried out to verify the enforceability of the provisions of the LSSI that do not contradict the DSA.
As happened with the GDPR, the DSA will involve a significant effort from the operators so that they can adapt to its provisions, which is why many of its articles will not be applicable until 17 February 2024, without prejudice to the fact that the rule entered into force on 16 November 2022.
In addition, in the wake of the GDPR, the DSA affects those providers that address their services to citizens located in the EEA, including big Chinese and American technology companies. Moreover, the DSA includes a strong sanctioning regime for deterring non-compliance.
The DSA concerns the following intermediary service providers:
In addition, it includes an extensive reference to very large online platforms (VLOP), which reach more than 10% of Europe's 450 million consumers, to which a specific regime will apply.
These above-mentioned services can be divided into three groups:
Furthermore, the DSA incorporates three new figures:
One of the central components of this new regulation is the inclusion of measures to fight against illicit goods, services or online content, including a liability exemption regime (“safe harbour”) that applies to mere conduit and caching services when they are not involved with the information transmitted, and from which providers of hosting services or data storage services may also benefit if certain requirements are met. Among others, the provider should, upon obtaining actual knowledge or awareness of illegal content, act to remove or to disable access to that content. Thus, the provider will only be liable when it has actual knowledge that the activity or information stored is illicit and does not proceed to withdraw said data or to disable access.
In this sense, the interpretative problems will derive from the consideration of the concept of “actual knowledge”. The practical problems will come because the removal of such illicit content must take place respecting the fundamental rights of the recipients, including the freedom of expression and the right to information. The balancing of such rights will be complicated for providers and may entail serious difficulties in determining liability in court.
So, what would happen if the platform mistakenly removes content upon notice from a trusted flagger and it turns out that content was not illegal? This could happen, for example, in the case of closure of profiles on social media platforms. It seems that the end user affected by such improper termination of their profile has no legal action according to DSA provisions to assert their rights. In this regard, it should be borne in mind that the content of profiles on social media platforms can affect many other areas, such as the intellectual property rights related to such content. Clearly, a solution to this problem will have to be found by the member states.
Digital Markets Act
The DMA aims to ensure a level playing field for digital companies by fostering competition for the benefit of all users. That is why the position of the “gatekeeper” acquires special relevance, understood as those platforms with a significant impact on the internal market, as they act as a gateway for professional users to reach end users.
In this sense, the DMA aims to prevent gatekeepers from imposing unfair conditions on these users, whether professionals or end-users, thus prohibiting the development of unfair practices by platforms with the highest market share. This will facilitate the growth of start-ups that will be able to operate in a fairer and more equitable environment.
For example, gatekeepers will need to ensure that end users can easily unsubscribe from platform services or uninstall pre-installed services. In addition, they must allow their business users to promote their offers and enter into contracts with their customers outside the gatekeeper platform, or provide them with access to the data they generate when using the gatekeeper’s platforms.
As for prohibitions, among others, they will not be able to track end users outside the gatekeeper’s core platform service for targeted advertising purposes, without effective consent having been granted, and they will not be able to classify their products or services more favourably than those offered by third parties.
These companies shall be designated gatekeepers for at least one of the core platform services included in the DMA, which are as follows:
Within the framework of the DMA, as was the case with the DSA, we can refer to the creation of three figures.
The Commission shall be the authority empowered to enforce the provisions of the DMA. To this end, it may count on the collaboration of the authorities and courts of each member state, with whom it may act in a co-ordinated manner to carry out the necessary investigative measures.
In any case, any user who sees their rights violated in relation to the DMA may assert them before the national courts, directly invoking the violation of the provisions contained in the aforementioned legal text.
The DMA was published on 12 October 2022, entered into force on 1 November 2022 and will apply from 2 May 2023.
Brief Reference to Digital Finance
The discussion on the digital economy cannot end without including a brief reference to digital finance, given the growth of the crypto-asset market.
In order to undertake appropriate regulation in the field of digital finance, the EU has also prepared a package of rules to regulate this sector. Only one of these will be discussed here, the proposal for the MiCA Regulation (Markets in Crypto-assets), pending final approval.
The future MiCA Regulation will regulate the issuance and trading of crypto-assets on platforms, excluding financial instruments and NFTs. It aims to cover the existing legal gap in the commercialisation of cryptocurrencies at European level, favouring legal certainty, consumer and investor protection, market integrity and financial stability, bearing in mind the importance that stablecoins are gaining, which will be supervised by the European Banking Authority (EBA).
Article 6 (30) of Directive (EU) 2022/2555, of 14 December 2022, concerning measures to ensure a high common level of cybersecurity across the European Union (NIS 2 Directive) defines cloud computing as “a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations”.
Edge computing consists of cloud computing services delivered closer to where the data are being generated or collected (Recital 34 NIS 2 Directive).
Cloud service providers are considered “digital service providers” under Directive (EU) 2016/1148, known as the NIS 1 Directive, which was transposed into Spanish legislation by virtue of Royal Decree-Law 12/2018, on the security of networks and information systems, subsequently developed by Royal Decree 43/2021. The provisions on cybersecurity contained in that legislation are therefore applicable to cloud service providers.
In any case, the NIS 1 Directive has recently been superseded by the aforementioned NIS 2 Directive (in fact, it repeals it with effect from 18 October 2024). The NIS 2 Directive, which was published in the OJEU on 27 December 2022 and entered into force 20 days after its publication, includes in its scope, as did the NIS 1 Directive, cloud computing services (Recital 33), as long as the providers provide their services or carry out their activities in the EU territory. They should therefore be subject to the new cybersecurity provisions provided for in the NIS 2 Directive, which should be transposed by the member states by 17 October 2024.
As stated in this regulation, cloud computing services include, among others, infrastructure as a service (IaaS), platform as a service (PaaS), software as a service (SaaS) and network as a service (NaaS).
As far as the banking sector is concerned, although there are no specific regulations for cloud computing as such, the European Banking Authority (EBA) published, at the end of 2017, Recommendations on outsourcing to cloud service providers. Basically, these offer a guide to be followed by financial institutions that decide to make use of this technology.
In Spain, the Bank of Spain, as supervisory authority, ensures compliance and the correct application of these recommendations.
In the insurance sector, the European Insurance and Occupational Pensions Authority (EIOPA) published its Guidelines on Outsourcing to Cloud Service Providers in a similar sense to those applied to the banking sector.
The Dirección General de Seguros y Fondos de Pensiones, the supervisory body in Spain, endorsed the EIOPA guidelines by resolution of 10 July 2020 and since then has been ensuring their correct follow-up.
The European Securities and Markets Authority (ESMA) also published its guidelines on 10 May 2021 in the same sense as the previous ones.
The very idiosyncrasy of cloud computing implies that companies providing this type of services must respect the applicable data protection regulations as cloud computing inevitably involves the processing of data. Therefore, it will be necessary to comply with the provisions set forth in the GDPR and the LOPDGDD.
In this sense, the first issue to be resolved is the capacity in which the cloud computing service provider acts, since, depending on the specific legal relationship that binds it to its client, it will be considered a processor (the most common case, which entails signing the processing agreement provided for in Article 28 GDPR), or a joint controller exercising control jointly with its client, with the legal consequences that this entails.
It should be borne in mind that the determination of the legal position occupied by each party determines the law applicable to the contract. Thus, when the client is controller and the provider is processor, the applicable law will be that of the client.
In any case, it will be desirable for the client that the contract with the cloud services provider includes a data portability clause in the event of termination of the agreement. The provider should facilitate such portability to the new service provider or to the client themselves.
Finally, we must not ignore the importance of cloud computing services in international data transfers, that is, with third countries outside the EEA. If such transfer takes place, all necessary measures must be taken to safeguard the processing of data by providing adequate guarantees and, if necessary, signing the standard contractual clauses in their latest approved version.
The AEPD published guidelines in 2018 for cloud computing service providers and for clients in order to resolve the doubts that may arise in terms of data protection in this type of relationship.
Regulations on Artificial Intelligence and Big Data
Although the concepts of big data and AI have different functionalities, they are closely related in that both revolve around data. Thus, they share advantages, benefits and also risks.
On the one hand, AI constitutes the ability of a machine to exhibit the same capabilities as humans, allowing learning or problem solving for specific purposes. On the other hand, big data refers to the set of technologies that are used to collect and process massive amounts of data and extract valuable information through advanced analytical systems.
There has been an undeniable and tremendous rise of AI and big data in recent years in all areas, thanks to the rapid evolution of technology. This has allowed the application of both technologies to a large number of sectors with fascinating results.
However, the use of intelligent systems can in turn entail enormous risks for human beings and even violate their fundamental rights.
For all the above, the public authorities have accelerated normative and institutional development to promptly control this phenomenon and make the most of all the benefits that these technologies offer, as well as to protect the individual, who must always be located at the centre of digital law, as the EU has stated in its recent regulations and those in development.
Specifically, in terms of AI, regulation is prolific both at EU level and in Spain, although currently only soft law instruments exist. In any case, every attempt at regulation is accompanied by the arduous task of trying to balance conflicting interests. On one side are the interests of technology companies in developing their systems with the fewest obstacles possible, and on the other side are those of the public authorities that, despite their interest in technological progress, must also ensure the protection of the fundamental rights of their citizens.
In April 2021, the Commission presented a proposal for a regulation that will be known as the Artificial Intelligence Act (AI Act). As pointed out above, this regulation is aimed at encouraging the development of AI by promoting investment and innovation and, in turn, focuses on the risks that this entails in order to achieve safe AI that respects fundamental rights.
Previously, several studies and guidelines had aimed to reflect on AI from an ethical perspective. Such is the case of the Ethical Guidelines for a reliable AI, of 2019, endorsed by the European Commission, or the study of the European Parliament Research Service (EPRS) entitled “European framework on ethical aspects of artificial intelligence, robotics and related technologies: European added value assessment”. Subsequently, in February 2020, the European Commission published the White Paper on Artificial Intelligence, and the European Parliament published the Resolution of 20 October 2020 containing recommendations on ethical aspects of artificial intelligence, robotics and related technologies.
In the field of insurance, the EIOPA published in 2021 “Artificial Intelligence Governance Principles: Towards Ethical and Trustworthy Artificial Intelligence in the European Insurance Sector”, with the aim of ensuring responsible and safe use of this technology within the insurance market.
In any case, all that exist so far are soft law instruments, which are not binding. The AI Act is here to change this and is the result of the EU's claim to leadership in the regulation of AI worldwide; it is one of the essential milestones of its Digital Agenda.
The text proposed by the Council to define AI limits this definition to systems developed through machine learning and strategies based on logic and knowledge.
Four categories of AI systems are established:
Therefore, it is the high-risk systems that draw the focus of this rule as they can potentially pose the greatest threats to fundamental rights.
Indeed, certain sectors require the creation of a register for high-risk systems and the regulation of additional requirements for their users; however, the possibility that this would delimit the use or development of AI makes it difficult to include such provisions in the final text of the Regulation.
In order to ensure compliance with the provisions contained in the future AI Act, the regulation is completed with a strong system of fines and penalties. However, no specific mechanisms are included to protect against possible violations of fundamental rights.
With all the above, on 6 December 2022 the Council laid the groundwork for “trilogue” dialogues between the Council of the EU, the European Parliament and the Commission on the proposal for the AI Act.
Finally, it should be noted that in September 2022 the Commission submitted a proposal for a Directive on adapting non-contractual civil liability rules to AI (known as the AI Liability Directive). It provides for new rules on disclosure of information and burden of proof in proceedings for claims for damages caused by AI systems. This regulation delves into an issue as important as liability for fault or negligence in the claims indicated and represents a new advance in the package of measures planned by the EU for the regulation of AI, which is completed by the proposal to revise the Directive of 25 July 1985 on liability for damage caused by defective products.
All of this is intended to adapt the rules on product liability, as well as the non-contractual civil liability regime, to the digital age and, in particular, to AI.
Spain has also taken the development of new technologies very seriously and, with regard to AI, has adopted several regulatory measures with the aim of becoming one of the pioneer countries in the regulation of digital aspects.
In 2019, the Spanish Strategy for R&D&I (I+D+I) in AI was approved, as was the Digital Strategy for Artificial Intelligence (ENIA) in 2020, within the framework of the Digital Spain 2026 Agenda, in order to facilitate the development of inclusive, sustainable and citizen-centred AI.
Some of the measures that are provided for and have already been implemented are the creation of the Data Office and the figure of the Chief Data Officer (who has already been appointed), as well as the implementation of the Artificial Intelligence Advisory Council. In addition, the Spanish Agency for the Supervision of AI will soon be created, with headquarters located in A Coruña, and all of this in compliance with the provisions of the Recovery, Transformation and Resilience Plan (Plan de Recuperación, Transformación y Resiliencia - PRTR).
In addition, the previously revised Digital Rights Charter of 2021 includes a specific section on AI rights.
Article 23 of Law 15/2022, of 12 July 2022, the comprehensive law on equal treatment and non-discrimination, is the first inclusion in a Spanish law of a specific provision on AI for the purposes of establishing mechanisms so that the algorithms used by public administrations take into account non-discrimination, transparency and accountability, where technically feasible. To this end, impact assessments should be carried out. It also calls for the promotion of ethical AI that respects fundamental rights. In addition, a seal of quality for algorithms, still pending regulatory development, will be promoted.
Finally, in June 2022, the government of Spain and the European Commission presented a project to implement the first EU regulatory sandbox on AI. The objective is the joint definition by the competent authorities and companies developing AI of the best practices that should serve as a basis for the implementation of the future AI Act.
Legal Aspects on AI and Big Data
Although, as indicated, there is a great interest at both EU and domestic level in effectively regulating AI, the truth is that today the legal conflicts that may arise as a result of the use of AI and big data must be resolved by resorting either to common national law in civil matters, commercial or criminal, or to sectoral legislation that regulates industrial and intellectual property, data protection or business secrets, among others.
However, we have seen that there are already several initiatives that touch on aspects as varied as product liability or the protection of fundamental rights against the interference of new technologies.
It is undeniable that both AI and big data seriously endanger privacy, even more so with the development of neurotechnology by big technology multinationals. Thus, the implications in the field of data protection are unquestionable and, in any case, the provisions of the GDPR and the LOPDGDD must be complied with.
For example, referring to big data, profiling is one of its main uses, which may involve certain risks linked to discrimination for possible data processing based on predictions. In addition, it is necessary to bear in mind the practical difficulty posed by the existence of future uses of the data not foreseen at the time of its collection and for which the user's consent is not granted.
Difficulties also arise in data sources and data reuse. An assessment of the risks and even a data protection impact assessment will have to be carried out and the data will have to be anonymised. In the end, any project involving AI and big data must respect the principle of accountability and apply data protection by design and by default.
In any case, the data shall be processed lawfully, fairly and in a transparent manner, and the data subjects must be duly informed about the processing of their data. In this respect, the AEPD has published a code of good practices in data protection for big data projects.
Many privacy issues may arise regarding data processing operations as common today as those involving so-called web scraping techniques that, wrongly relying on access to data from public sources, skip the obligations derived from the data protection regulations. All this must be aligned with the Data Governance Act (Regulation (EU) 2022/868, published in the OJEU on 3 June 2022), which establishes mechanisms for the re-use of certain categories of publicly held protected data.
The extraction of information from websites may also entail intellectual property risks where those pages are protectable, and copyright can be invoked. The European Network and Information Security Agency (ENISA) identified, in its report on big data security, the different digital and cybersecurity threats for big data projects. This reinforces the transversal importance of cybersecurity in terms of AI and big data, so that the application of the regulations in this matter cannot be ignored.
IoT and its Main Implications
On 16 September 2014, the Article 29 Working Party (now the European Data Protection Board) issued an opinion on the evolution of IoT and defined it as the infrastructure in which multiple sensors embedded in common devices record, process, store and transfer data and interact with other devices or systems, making use of its network connection capabilities.
From a data protection perspective, it should be noted that on 3 December 2020, the AEPD published an explanatory article with the implications that IoT devices could have in terms of data protection. Thus, according to this guide, there are multiple actors involved in the processes linked to IoT devices (manufacturers, developers, cloud computing providers, telecommunications operators and social networks, among others).
Each of these agents may adopt the role of controller or processor, and, based on this, they must assume the obligations provided for each figure in the applicable data protection regulations.
Likewise, the categories of data subject to processing will be diverse, including contact data, internet usage habits, geolocation, physiological data, images, voice, and many more.
IoT devices can process not only data directly captured or provided by the user itself, but also inferred data, which is obtained from the analysis and processing of a large volume of data from various users through the use of technologies such as big data and AI.
All this can pose serious privacy risks since certain devices are able to capture habits and behaviours in an extremely detailed way, to such an extent that any hint of privacy disappears completely and the legal basis that legitimises the processing of data is completely blurred.
This is especially worrying in cases of voice-controlled devices, which can capture conversations totally unrelated to their use.
Also relevant is the incipient rise of home automation IoT devices that allow control of different elements of the home, such as air conditioning, lighting or blinds. There is already an increasing tendency to connect these devices directly to the manufacturer's cloud, which will be accessed through an app, using 5G technology. This will imply new challenges in terms of privacy protection.
In any case, in the absence of specific regulation, and without prejudice to the provisions below, common Spanish Law must be resorted to in order to resolve possible conflicts arising from the application of the IoT, although most attention must be paid to the EU and Spanish regulations on data protection. Especially relevant are Articles 21 and 22 GDPR relating to the right to object to data processing and automated decision-making, including profiling.
The complexity derived from IoT devices has been addressed, from the most technical point of view, through the regulation of cybersecurity. It has already become clear that any vulnerability in IoT devices can jeopardise the privacy of users, so it makes perfect sense that cybersecurity stands as the key element in protecting the rights of users of IoT devices.
Thus, in the EU, special mention should be made, on the one hand, of the NIS 2 Directive regarding network and information security, which is applicable to IoT devices, and on the other hand, of the proposal for the Cyber Resilience Act, given that it will include a regulation on cybersecurity requirements for products with digital elements to ensure more secure hardware and software products.
In Spain, the approval of Royal Decree-Law 7/2022, of 29 March, on requirements to guarantee the security of fifth-generation electronic communications networks and services, is essential for the regulation of IoT. 5G technology will be crucial for the connectivity of IoT devices.
The emergence of new forms of audiovisual content consumption led to a review of the regulation of audiovisual media services within the EU, which resulted in the approval of Directive (EU) 2018/1808, of 14 November 2018, published in the OJEU on 28 November 2018. This Directive (also known as the Audiovisual Media Services Directive) lays down EU-wide media content rules for the provision of audiovisual media services, including traditional television broadcasts, on-demand services and video-sharing platforms.
The application of this regulation aims to strengthen the safety of viewers and, to this end, for example, the regulation referring to illegal content is extended to include video-sharing platforms. It also includes measures for the protection of minors and disabled persons and encourages the adoption of codes of conduct to limit the advertising of unhealthy products intended for minors.
The Directive establishes the country of origin principle, according to which audiovisual media service providers are subject to the law and jurisdiction of the member state in which they are established.
It was transposed belatedly into the Spanish legal system by virtue of the recent Law 13/2022, of 7 July (General Law on Audiovisual Communication), and part of its most relevant content is summarised in the following points.
As noted above, the new Spanish regulation includes certain obligations for users of special relevance who use video-sharing platforms.
The European Regulators Group for Audiovisual Media Services (ERGA) includes content creators, streamers, influencers, or video sharing platforms in the definition of vlogger.
Video sharing platforms (eg, Instagram) are those that:
That said, the users of special relevance (influencers) of video sharing platforms must meet the following requirements:
Once the above requirements have been met, they must comply with the aforementioned obligations provided for in the Spanish General Law on Audiovisual Communications.
Requirements for the Provision of Audio-Visual Media Services
The provision of television and radio communication services requires, prior to the start of the activity, responsible declaration before the competent audiovisual authority in Spain (the Ministry of Economic Affairs and Digital Transformation). The service may be provided as soon as such declaration is filed without prejudice to the supervisory powers of the competent authority.
The provision of television and radio communication services by means of hertzian waves requires a prior licence granted by means of a public tender. This licence shall be accompanied by a concession for the exclusive use of the public radioelectric domain.
To be a licensee, one of the following conditions must be met:
Licences shall be granted for a period of 15 years, automatically renewable for successive periods of equal duration if the holder has been fulfilling the requirements to be the holder of said licence and provided that there is no third party who, under certain conditions, intends to obtain the same licence.
The provision of the video sharing service through platforms, including influencers who make use of these services, should only be registered in the State Register of Audiovisual Communication Service Providers, once it is put into operation, without prejudice to complying with the rest of the general obligations already explained above.
General Regulatory Framework
The regulation of telecommunications in Spain is given by Law 11/2022, of 28 June (General Telecommunications Law), which entered into force on 30 June 2022. This regulation is the result of the transposition of Directive (EU) 2018/1972 of 11 December 2018, establishing the European Electronic Communications Code, which was part of a telecommunications laws package that included the creation of the Body of European Regulators for Electronic Communications (BEREC).
One of the main objectives of the Spanish General Telecommunications Law is the massive deployment of 5G networks, and it includes the new classification of electronic communications services provided for in the Directive, which distinguishes between:
Over the Top
As for number-independent interpersonal communications services, ie, without public numbering resources assigned, there is the so-called OTT (over the top), whose services are provided by means of data transmission over third-party networks. This is, for example, the case of some social networks that integrate messaging services. Although OTTs are not legally considered as operators, they must first communicate their intention to provide services.
The law provides for certain obligations for OTTs, which obviously also apply to other operators, among which we can highlight the following:
Regarding the requirements for the provision of networks and electronic communications services, it is established that it may be carried out by natural or legal persons who are nationals of any country belonging to the EEA or of any other nationality when so established by international agreements.
Those interested parties must previously notify the Register of Operators of the start of their activity and submit to the conditions provided for the specific service they wish to provide. If the content of the notification does not meet the requirements, the service shall be refused. However, bear in mind that this does not apply to OTTs, which will only have to communicate the start of their activity to the Registry of Operators for purely statistical purposes.
In the development of its business, the operator should comply with any obligations regarding consumer protection rights and transparency, as well as respecting fundamental rights and freedoms.
Conflicts between operators in the Spanish market will be resolved by the CNMC. Certain cross-border disputes shall be resolved with the intervention and opinion of BEREC.
Telecommunications equipment placed on the market must comply with the legally required specifications, in accordance with the conformity assessment procedures to be established. Certain cases of mutual recognition are foreseen where the conformity of equipment has been assessed in accordance with the essential requirements of another member state. Equipment requiring concessions, permits or licences may be put into service only once these have been obtained. The surveillance of the market for telecommunications equipment and its adequacy will be the responsibility of the Spanish Secretary of State for Telecommunications and Digital Infrastructures.
Installers of telecommunications equipment (and those who assume its maintenance) must submit to the Registry of Telecommunications Installation Companies a responsible declaration on compliance with the requirements for the exercise of said activity, prior to the start of it.
Use of the Public Radio Domain
The common use of the public radio domain shall not require any enabling title. The special use of the public radio domain is that carried out on the frequency bands enabled for shared exploitation, without limitation of the number of operators or users. The private use of the public radio domain is carried out through the exploitation of certain frequencies, exclusively or by a limited number of users, in the same physical area of application.
The enabling titles by means of which rights of use of the public radio domain are granted will take the form of general authorisation, individual authorisation, administrative affectation or concession. The granting of rights of use of the public radio domain will take the form of general authorisation in cases of special use of frequency bands
The general authorisation will be understood to be granted without any further formalities than the notification to the Spanish Secretary of State for Telecommunications and Digital Infrastructures, without prejudice to the obligation to pay the corresponding fees.
Individual authorisations shall be granted for use by radio amateurs or for private use for self-provision. For the rest of the cases not contemplated above, an administrative concession will be required. The duration of the enabling title will depend on each case.
Technology contracts are commercial contracts that make specific reference to the use and implementation of new technologies. They often pose a challenge for the consumer or small non-specialist business as they are faced with highly technical documents imposed by large technology companies that offer no room for negotiation.
For all the above, it is important that the client takes into consideration certain crucial aspects before formalising the contract.
Technology contracts do not find a specific regulation in the Spanish legal system, so it will be necessary to resort to common Spanish law, mainly the Civil Code and the Commercial Code, depending on whether both parties are merchants, or the client is a consumer, in which case the provisions of the General Law for the Defence of Consumers and Users will apply.
Pre-formulated Standard Agreements
Pre-formulated standard agreements (contratos de adhesión) acquire special relevance in the framework of technology. These are contracts in which there is an imbalance between the parties so that one party imposes the conditions that will govern the contractual relationship on the other, as the weak party has little or no negotiating capacity to refute the provisions of the document imposed on them.
In these cases, the content of the contract is integrated almost entirely by general conditions of mass traffic and, in accordance with the provisions of both the Spanish General Law for the Defence of Consumers and Users, and the Spanish Law on General Contracting Conditions, the unfair clauses that may be included in such contracts will be null and void when contracted with a consumer.
The formalisation of technology contracts involves risks for the client that must be detected and, if possible, neutralised. Furthermore, it is advisable that the client has at least a minimal knowledge in this area so as to avoid unexpected occurrences.
In addition, on many occasions the contract will ultimately be reviewed by a legal advisor prior to signing (or at least that would be desirable). This implies that lawyers must be very aware of the particularities of this type of contract, and they must also have knowledge, even if it is basic, regarding the object of the contract. This means that professionals in the legal sector have to be increasingly familiar with technological concepts in order to be able to advise their clients correctly in this growing sector.
Main Features of Technology Agreements
As indicated, there are no specific provisions in the Spanish legal system for this type of contract. However, they contain certain clauses that are usually repeated or that should exist. It is important to focus on these clauses as they can complicate the execution of the contract. These clauses include the following.
Regulations Currently in Force
The use of electronic signatures is becoming more and more common, and contracts are increasingly being signed online for basic needs, such as buying food or clothes, or to interact with the public administration. This creates the need for electronic signature methods that generate trust among users, way beyond the simple insertion of the scanned handwritten signature.
The EU responded to this need with the approval of EU Regulation 910/2014, of 23 July 2014, on electronic identification and trust services for electronic transactions in the internal market (known as eIDAS). In Spain, it finds its legal equivalent in Law 6/2020, of 11 November, regulating certain aspects of electronic trust services, which complements the eIDAS Regulation only in those aspects that have not been harmonised at European level and that must be developed by each of the member states.
The eIDAS Regulation distinguishes between the electronic signature, the advanced electronic signature and the qualified electronic signature.
These types of signature are distinguished according to whether they allow the signatory to be identified with certainty, the security they offer against possible manipulation of the content of the contract, and the technical means required for their use.
Both the advanced and qualified electronic signatures allow the signatory to be identified, prevent subsequent modifications of the document in question, display full legal effects and are admissible as evidence in judicial proceedings.
Devices qualified for the creation of electronic signatures shall comply with certain security requirements. Commission Implementing Decision (EU) 2016/650 of 25 April 2016 publishes a list of standards for the security assessment of such devices.
Spanish legislation, on the other hand, applies to public and private providers of electronic trust services established in Spain and to those with a permanent establishment who are not supervised by the authority of another member state. The legislation regulates certain aspects, some of the most relevant of which are the following.
The Future Digital Identity in the EU
In June 2021, a framework for a European Digital Identity was proposed by the EU to be made available to citizens, residents and businesses in the EU through a European Digital Identity Wallet.
To this end, a proposal for a Regulation amending the eIDAS Regulation was prepared. This proposal aims to ensure universal access to secure and reliable electronic identification and authentication, all through a personal digital wallet stored on the mobile phone.
The wallet shall be issued with an electronic identification system that complies with the “high” security level, all based on cybersecurity certification schemes that should provide a harmonised level of confidence in the security of the wallets. Thus, the Cybersecurity Act will be fully applicable to the Electronic Identity Regulation.
The proposed Regulation has a special impact, not only on cybersecurity, but also on the protection of personal data. Its articles include several references to the GDPR and ensure compliance with its principles by qualified trust service providers. In particular, reference is made to the obligation of member states to ensure the protection of personal data and to prevent user profiling.
“Trilogues” should now begin to reach agreement on the proposal for a regulation between the EU institutions.
Spain has taken the development of new technologies and improving quality in telecommunications very seriously and, although a large part of the regulations governing these aspects come from the EU, it is true that many initiatives have been taken at national level aiming to lead the technological revolution in Spain’s international neighbourhood.
Thus, for example, Spain has focused much of its efforts on the development and implementation of artificial intelligence for application by private companies and the public administration.
The wide deployment of 5G technology also deserves special mention, and in Spain the 3.58 GHz and 700 MHz frequencies have already been auctioned, putting Spain among the countries with the highest levels of 5G connectivity.
This high degree of connectivity, in combination with other features such as Spain’s strategic geographical position, is leading to the exponential growth of data centres in the country, a sector that is experiencing record investment figures and is seeing significant growth forecasts. Several companies, such as Amazon or Google, have either already located their data centres in Spain or are planning to do so.
This article will consider two topical examples of national regulation of specific matters that have great practical application, either at present or in the near future. Discussion will firstly cover the issues arising from the digital heritage and its transmission after the death of its owner. The second part covers the form in which crypto-asset advertising is regulated in the Spanish territory, awaiting approval of the corresponding regulation on crypto-assets by the EU.
The Digital Will
The inheritance of digital heritage
The internet has become an indispensable and fundamental tool for the development of multiple aspects of our professional, academic and personal lives. We interact on social networks, send and receive files (music, photographs, news, etc), use email, post blogs, access forums, and more.
People’s interaction with digital environments generates an enormous amount of information that accumulates throughout their lives and becomes part of the legacy of each person when they die. Such interaction results in the creation of digital identities, which is nothing more than the projection of our personalities in cyberspace.
The EU is no stranger to this reality and is therefore already working on the future European Digital Identity through a European Digital Identity Wallet, which will be stored on mobile phones. The wallet shall be issued with an electronic identification system that complies with the required high level of security; it may be used for both online and offline public and private services across the EU, such as opening a bank account, filing tax returns, renting a car or applying for a bank loan.
This implies that the factors that shape our digital identity today will increase in the coming years, as a large part of people’s lives will be managed through digital means. Therefore, what happens to an individual’s digital data when they pass away is becoming a concern.
As a starting point, it must be noted that digital identity as such does not form part of the inheritance, but defence of the digital identity corresponds to the heirs based on the actions for the protection of the honour, privacy and image of the deceased person provided for in the Spanish Organic Act 1/1982, of 5 May, on civil protection of the right to honour, personal and family privacy and self-image. In addition, Article 3 of the Spanish Organic Law on Data Protection and guarantee of digital rights (LOPDGDD), which transposes the EU General Data Protection Regulation, regulates the right of access, rectification or deletion of data of the deceased by the persons related to them (spouse, steady partner, ascendants, descendants or heirs), who may contact the data controller or the data processor to communicate the death, for the purpose of protecting the memory of the deceased.
However, and beyond the formation of a digital identity, the truth is that interactions on the internet also result in the conceptualisation of a digital heritage that is made up of the information we send or receive, or that we store in the cloud. This includes aspects as diverse as ebooks, sound files, rights on music or audio-visual platforms, balances in electronic purses, cryptocurrencies, or online purchases pending delivery, among many others.
Digital heritage does have a place in inheritance and is capable of economic quantification, although the quantification proceedings can come with several complications. Thus, digital assets can be ordered through the granting of what is called a digital will. However, this term should not cause confusion. The digital will is not a will formalised online through digital platforms; it is a document that orders the succession of digital heritage, which has already been defined. The Spanish legal system only allows the granting of a will before a public notary and never through digital means, so there is no specific means to order the succession of digital patrimony beyond the explicit provisions that may be included in the will.
In Spain, the legislature of Catalonia was a pioneer in regulating this phenomenon before any country in the EU. It did so through Law 10/2017, of 27 June, on digital wills. This rule provides that people can express their digital wills so that the heir (or the person designated for that purpose) acts before the digital service providers where the testator had active accounts after their death (or in circumstances of judicially modified capacity), promoting provisions that determine the way to handle one’s presence in digital environments in the event of death. In the absence of a will, a specific document of digital wills may be granted to regulate these aspects.
Digital wills may instruct the designated person to:
The aforementioned Catalan law also regulated the creation of an electronic registry for digital wills, so that persons with a legitimate interest could determine the existence of a digital will document. However, the creation of such registry was declared null and void and against the Spanish Constitution on the grounds that the competence for the establishment of registers lies with the State. This being the case, it should be the central government that takes the initiative for the creation of this registry for the whole country, which would be desirable in view of the growth in importance of digital wills that is expected in the coming years.
In any case, the relationship between digital assets and the protection of personal data is undeniable since, as noted above, one of the most common provisions of the digital will is the regulation of access by heirs to the accounts and digital profiles of the deceased.
Thus, it is logical that Article 96 of the LOPDGDD regulates the right to a digital will, which must be construed as a reinforcement of the provisions of the aforementioned Article 3 of the LOPDGDD. This precept empowers those related to the deceased, heirs or executors to contact the digital service providers in order to access the information and give the appropriate instructions regarding said information according to the will of the deceased embodied in their digital will. It should be noted that Article 96 is the only provision that contains a reference to the digital will and applies to the entire Spanish territory.
Difficulties and challenges
Although the regulations presented are concise, the truth is that the digital heritage faces a wide range of problems and issues that hinder the implementation of the succession of digital heritage and are resolved as the need arises.
Thus, for example, where the deceased is the holder of cryptocurrencies, they must ensure that their heirs know of their existence, as well as the access codes; in the absence of a registry that the heirs can consult, they may not be aware of the assets if they have not been previously informed of them or if they have not been expressly identified in the will. Likewise, since cryptocurrencies are not legal tender, they must be converted to calculate their value in the inheritance.
In relation to emails, there is a personal contract between the account holder and the service provider. Therefore, the account will not be transferable and, of course, the heir will not be able to send emails from the address of the deceased. However, the heir must be able to access the content of the emails for the sole purpose of verifying whether content with patrimonial relevance capable of forming part of the inheritance has been transmitted (whether sent or received). For such access, a court order will be required.
Social network profiles, which like email accounts are not transferable, may be used for the exchange of content that is eligible for protection under intellectual property laws. In this case, the heirs must be able to access information with patrimonial content but not the personal data of the account profile. Profiles can be closed or kept active to honour the memory of the deceased. In any case, it is becoming clear that some kind of intervention is needed, as the number of active profiles corresponding to deceased people is increasing exponentially.
For influencers and people with YouTube channels that generate income, digital inheritance acquires a particularly relevant role.
Another difficulty to be faced relates to the identification of and access to the multiple and changing profiles of the deceased after the digital will has been granted. Many profiles are created under pseudonyms, which makes it difficult to identify the person behind them. Consider also that passwords may be changed without the knowledge of the heirs. For all of the above reasons, it is necessary to establish mechanisms that, based on blockchain technology, allow interested parties to consult existing profiles and request passwords. Some of these problems could be solved if social networks were to require digital identification for the creation of profiles, in connection with the above-mentioned European Digital Identity.
In any event, the casuistry is endless, and every day new issues arise that require a legal solution (eg, purchases that have not yet been received, accounts on online gaming and gambling sites or contracts for SaaS services). Additionally, although there is no great urgency with regard to this subject because digital heritage is mainly held by people who are not yet of an age to make a will, it is highly probable that the interest in regulating digital inheritance will grow significantly as a great part of our assets become digital.
The Advertising of Crypto-Assets
The growing presence of crypto-assets in the financial market is an incontestable reality and, although it opens a window for opportunities, the current scarcity in terms of regulation poses a risk for investors who decide to opt for these assets because they are still not adequately protected.
There are many small non-professional investors who enter the cryptocurrency market without having sufficient information as to the risks involved in these investments, including their complexity, volatility and potential lack of liquidity.
It cannot be ignored that the phenomenon of social networks and influencers affects users who are carried away by the financial recommendations of those who use these platforms to promote this type of investment without the necessary knowledge and training.
In order to fight the legal uncertainty that still surrounds transactions involving crypto-assets, the EU is finalising, within the framework of its Digital Finance Package, the proposal for a Regulation on markets in crypto-assets (known as the MiCA Regulation), which results from its aim to develop and promote new technologies in the financial sector, particularly blockchain and distributed ledger technology (DLT). Thus, the MiCA Regulation defines crypto-assets as digital representations of value or rights and focuses mainly on:
However, while waiting for the entry into force of the MiCA Regulation, the National Securities Market Commission (Comisión Nacional del Mercado de Valores - CNMV), the Spanish authority for supervising and inspecting the securities markets, published Circular 1/2022, of 10 January, in force since 17 February 2022, which focuses on regulating a very specific aspect of crypto-assets ‒ their advertising.
Despite the specificity of its purpose, this rule is particularly relevant because it includes a definition of crypto-asset in the Spanish legal system for the first time. Specifically, it defines it as the digital representation of a right, asset or value that can be transferred or stored electronically, using distributed ledger technologies or similar technology.
As can be seen, both definitions, that of the MiCA Regulation and that of the Circular, are practically identical.
Scope of application of the Circular
Before entering fully into the regulation of the Circular regarding the requirements for the advertising of crypto-assets, it is worth mentioning the elements outside its scope of application. For this, it is important to be clear that crypto-assets are divided into different types, the following being some of the most relevant in the context of this article.
It should be noted that the Circular regulates advertising activity related to crypto-assets for investment purposes but excludes from its scope:
The exclusion criteria provided for in the Circular are broad and relatively generic, which could constitute a source of interpretative problems when it comes to discerning which products are or are not included in the scope of the regulation.
As for the subjects affected, the Circular will apply to:
In addition, for the Circular to apply, the advertising must be addressed to investors in Spain, regardless of the nationality or domicile of the provider. This is presumed to be the case when the advertising is carried out through physical means in Spain (including web pages and domains) and when the advertisements are made in Spanish or in any other official language of Spain.
Conditions for advertising activity
In general, advertising of crypto-assets in Spain that falls within the scope of the Circular must comply with the following conditions.
The application of the Circular and its effectiveness
As noted above, the Circular arises from the need to regulate certain aspects related to crypto-assets and, in particular, for the protection of investors until European regulations are passed.
Thus, the CNMV focuses its efforts on making potential investors aware of the risks linked to these assets. In August 2022, the Spanish authority published a study that revealed the current low penetration of crypto-assets as an investment object. However, the same study indicated that 40% of investors in cryptocurrencies believe that legal regulation exists in this regard, while 29% consider that the investment is not riskier than other assets. Only 17% of investors consider that the liquidity of cryptocurrencies is scarce. This is striking because these percentages indicate that the population most familiar with this type of investment is not aware of its real risks and its lack of regulation.
However, the truth is that the inclusion of the advertising warnings provided for in the Circular attracts the attention of more than half of the investors, many of whom decide to seek additional information about cryptocurrencies after such warnings.
Moreover, the CNMV, being aware of the weight and scope of the activity of influencers in social networks, has set its sights on them and the investment recommendations they issue while identifying themselves as experts in the field. Thus, these influencers are requested to include clarifications on their activity and are required to fully comply with the provisions of the Circular.
The new Securities Markets and Investment Services Act
Although it is not directly related to the advertising of crypto-assets, it is worth including a final note in relation to the draft of the new Spanish Securities Markets and Investment Services Act, the text of which was published on 12 September 2022.
It should be noted that this draft includes distributed ledger technology for the registration, clearing and settlement of negotiable securities and financial instruments. In addition, the relevant provisions have been drafted taking into account the forthcoming approval of the MiCA Regulation. In this sense, the CNMV is designated as the competent authority for the supervision of compliance with the MiCA Regulation.