Nordic IPT Law Bulletin - January

IT & Telecom

EU legislation - Sweden/Denmark/Norway/Finland

In October 2022, the European Council adopted a final decision regarding enforcing USB-C as the universal standard for chargers in the EU
Consequently, all producers of phones, tablets, earphones and certain other electronics will need to make such appliances compatible with USB-C chargers by the end of 2024. By spring 2026, the same will apply for laptops. The decision is intended to serve both consumer interests and the environment.

The new cyber security directive, NIS2, was passed by the EU on 10 November 2022
Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union ("NIS2") was published in the Official Journal of the European Union ("OJEU") on 27 December 2022. National implementing measures must be adopted by Member States and applied from 18 October 2024. With effect from the latter date, the NIS2 will repeal Directive (EU) 2016/1148 (commonly known as NIS1). NIS2 is a minimum harmonization directive and therefore Member States can adopt regulations that ensure a higher level of cyber security nationally.

The NIS2 aims to better protect both public and private sector, harmonizing the practices in the different member states, and includes rules and requirements for risk management measures and reporting obligations. The NIS2 significantly expands the scope of organizations which are comprised by the rules. The NIS2 will for example also apply to food production, waste management and many other essential functions, such as energy, transport, banking and more.

Norway

The Norwegian Consumer Council (CC) actively monitors companies' use of manipulative design in online services
Several companies have been found to utilize designs that are non-compliant with the requirements for consent and information, and many designs manipulate and trick consumers, affecting their decisions. Though still largely unregulated, the CC has in the last quarter actively encouraged several providers of online services and products, such as Clas Ohlson, Ticketmaster and Telia, to change their design practices. The CC has signalled that they will continue to monitor this market.

Intellectual Property and media

EU legislation - Sweden/Denmark/Norway/Finland

The Commission has presented a proposal for amended rules that will make it cheaper, faster and more predictable to protect industrial designs across the EU
An industrial design constitutes the external appearance of a product, characterized by its lines, contours or shape. The proposed amended Industrial Design Regulation and Directive modernizes the existing EC design rules and parallel national design schemes that were established and harmonized 20 years ago.

The aim of the amendments is to:
- simplify and streamline the procedure for registering a design throughout the EU;
- harmonize the procedures and ensure complementarity with the national design systems, and;
- allow reproduction of original designs for repair of complex products.

Sweden

The DSM Directive has been implemented into the Swedish Copyright Act resulting in several new provisions
After a long and highly publicized process, extensive changes resulting from the implementation of the Directive (EU) 2019/790 on copyright and related rights in the Digital Single Market (the DSM directive) have been introduced into the Swedish Copyright Act and will apply from 1 January 2023.

The changes include new exceptions and limitations to copyright for the purposes of text- and data mining, use of copyright protected works in education and use by cultural heritage institutions. A new right for press publishers and increased responsibility for online service providers in regard to content shared on their platforms that could be protected by copyright have also been introduced.

Of particular interest for rightsholders and users who exploit works protected by copyright are the new provisions entitling copyright authors to fair and appropriate remuneration for the exploitation of their work, right to information about the exploitation of their work as well as a right to additional remuneration given certain later circumstances related to the exploitation of their work (the so called bestseller-right).

The Swedish Copyright Act has also undergone editorial revisions related to the implementation of the DSM directive. For full details on the new provisions in the Swedish Copyright Act, please see the legislative proposal Prop. 2021/22:278.

Norway

In October 2022, the Oslo district court found that the online gambling company Unibet violated the Norwegian Copyrights Act when publishing a photo of soccer players Martin Ødegaard and Erling Haaland to its Instagram story
Unibet had not obtained a license to use the photo from the Norwegian Football Federation (NFF), which holds the intellectual property rights to the photo. The court found that the use of the photo clearly served Unibet's own marketing interests, and not public interests as argued by Unibet.

Damages were awarded based on the amount Unibet would have had to pay NFF for a license to use the photo, which the court estimated to be NOK 900,000. Because Unibet acted with intent or gross negligence, double compensation was awarded.

Use of Harry Potter music in concerts did not constitute copyright infringement, but was found contrary to good business practice under the Norwegian Marketing Act
In the dispute between Warner Bros (Warner) and the German company Star Entertainment (Star), the district court ruled that Star's use of music from the Harry Potter movies in its concerts, without Warner's consent , did not infringe on Warner's copyright or trademark rights. The court did however conclude that Star had acted contrary to good business practice according to Section 25 of the Norwegian Marketing Act.

Finland

Finland's response to the EU Media Freedom Act
On 10 November 2022, the Finnish State Council issued an official letter to the parliament regarding the EU Media Freedom Act (COM(2022) 457 final). In principle, Finland supports the EU Media Freedom Act and its goal to unify the regulation of the media sector of the EU member states in order to enhance the functioning of the internal market and to promote media freedom.

Trademark revocation
In the Finnish Market Court’s ruling MAO:H344/2022, Hyundai Motor Company demanded that the Market Court dismisses the decision of the Finnish Patent and Registration Office (“Office”) by which the Office had rejected Hyundai Motor Company’s application regarding the revocation of an international registration of “Palisad” figurative trademark due to non-use. The application was rejected because Hyundai Motor Company had not stated its legal interest in the matter as part of the application. The Market Court dismissed the decision and returned the matter to the Office.

Trademark ruled not distinctive
In the Market Court’s ruling MAO:H346/2022, Kesko Oyj demanded that the Finnish Market Court dismiss the decision of the Finnish Patent and Registration Office (“Office”) by which the Office had rejected the trademark application for “OMAN KYLÄN KAUP-PA” because the trademark was descriptive and therefore not distinctive. Kesko Oyj argued that the Office did not justify the rejection in a manner required by case law and the trademark was not to be considered descriptive and lacking distinctiveness. The Market Court ruled that the trademark was not distinctive and dismissed Kesko Oyj’s appeal.

Metadata and copyright law – an overview from the point of view of content management systems of video content sharing services
The IPR University Center, funded by the Finnish Ministry of Education and Culture, has produced a report where the regulation and practices of copyright metadata in the context of content management of large online content sharing service providers as defined in Article 17 of Directive (EU) 2019/790 on copyright and related rights in the Digital Single Market (the DSM directive) are examined. In relation to metadata, the report focuses especially on video content sharing services, which store significant amounts of copyright-protected content and whose content is based almost entirely on downloads made by users of the service. In particular, large video content sharing services use metadata as part of their sophisticated content management systems to describe and manage their content, including management of rights related to copyright.

In the report, some clarifications to Section 50 d of the Finnish Copyright Act regarding the electronic administration of rights are proposed. The report also encourages continued cooperation with stakeholders on data sharing and the harmonization of related practices, as well as efforts to promote solutions based on voluntariness. Further, the report recommends that the Finnish government survey the compatibility of list protection of Section 49 Subsection 1 of the Copyright Act in relation to the EU's future data regulation goals. The report also proposes European-wide measures to improve the use of metadata and the licensing of content on a European-wide basis.

Marketing law

EU legislation - Sweden/Denmark/Norway/Finland

The European Commission has proposed a ban on greenwashing by amending the Unfair Commercial Practice Directive (2005/29/EC)
The initiative has not yet resulted in new adopted legislation, however, in November 2022, three European Supervisory Authorities (European Banking Authority- EBA, European Insurance and Occupational Pensions Authority -EIOPA and European Securities and Markets Authority -ESMA) published a Call for Evidence on greenwashing. The purpose of the call for evidence is to gather input on potential greenwashing practices in the financial sector in the EU.

Moreover, the European Commission released its policy framework on bio-based, biodegradable and compostable plastic in November, with the aim of, inter alia, avoiding generic claims on plastic products such as bioplastic. This in turn, is part of the effort against greenwashing and misleading practices towards customers.

Sweden

Court ruling on health claims and differentiation between advertisement and editorial content
The Swedish Patent and Market Court (the "Court") has prohibited Happy Green AB from marketing foodstuffs along with health claims on the Swedish newspaper Expressen's website, in such a way that it is not clear that it is marketing. According to the Court, it is not possible for the consumer to distinguish between the advertisement and other editorial content, when observed briefly. The Court also prohibited Expressen Lifestyle AB from participating in the marketing. Furthermore, the advertiser had not provided evidence to support the health claims.

The Court found that the marketing involved false and misleading claims that the products were capable of improving or curing diseases.
The marketing was therefore, in each case, unfair under Section 8(2) of the Swedish Marketing Act and also constituted blacklisted commercial practices under points 11 and 17 respectively of Annex I to Directive 2005/29/EC, the so called "blacklist".

The prohibition is subject to a penalty payment of MSEK 2 for Happy Green and MSEK 10 for Expressen. The fine may be imposed if the companies violate the judgment.

Norway

The Consumer Authority (CA) continues to monitor the advertising of companies online, issuing fines where appropriate
In December, the CA issued notice of administrative both to the company Stayclassy (MNOK 1.5) and its CEO (NOK 400,000), in relation to a campaign initiated in October 2022 which was misleading and violated the Norwegian Marketing Control Act. Stayclassy had repeatedly failed to provide information about the preliminary prices ahead of sales, in addition to misleading consumers about discounts that were not in fact real.

Media Authority issues warning for unnecessarily large exposure of trader in reality show
The Norwegian Media Authority has issued a warning to Discovery after the grocery store Joker was displayed to an unnecessarily large extent in an episode of the reality show "71 degrees north - Norway's toughest celebrity". In the relevant episode, the participants were given NOK 800 to spend in a Joker grocery store. In the relevant scenes, Discovery used highlighting techniques such as angling, lingering and zooming on the Joker logo, posters and products.

Finland

Decisions of the Council of Ethics in Advertising
The Finnish Council of Ethics in Advertising (the ”Council”) has published two statements regarding the recognizability of advertisements published on social media channels of influencers. The Council considered in both cases that the advertisements were not sufficiently recognizable as such and not clearly marked by the influencer.

The Council does not issue binding judgements or rulings, only statements on whether an advertisement or advertising practice is ethically acceptable. However, the statements are generally well respected. For more information, see cases MEN 43/2022 and MEN 44/2022.

Consumer law

EU legislation - Sweden/Denmark/Norway/Finland

In November 2022, two new legislations aimed at digital services entered into force in the EU – the Digital Services Act (DSA) and the Digital Markets Act (DMA)
This legislative "package" aims at creating a safer digital space, that better protects the fundamental rights and freedoms of users, in addition to establishing and preserving a level playing field for businesses operating in the market.

The DSA (EU Regulation 2022/2065) sets specific rules and requirements for providers of digital services, while the DMA (EU Regulation 2022/1925) aims to facilitate a fairer business environment in the digital space, by establishing specific "do's" and "don’ts" for so called "gatekeepers", such as Meta and Google.
The obligations of the DSA and the DMA will roll out gradually, with full application as of 17 February 2024 (DSA) and March (DMA) 2024.

Sweden

Updated Consumer Agency Guidelines for pricing information
In connection with the legislative changes which entered into force on 1 September 2022 as a result of the so-called Omnibus Directive (EU) 2019/2161, in e.g. the Swedish Price Information Act, the Swedish Consumer Agency has published an updated version of their guidance on pricing information.

The purpose of the guidance is to make it easier for traders to be compliant with the new legislation and to not mislead consumers with price reduction announcements such as sales and campaigns etc.
The guidance can be found here.

Norway

New consumer regulation for suppliers of electricity imposing new obligations in relation to advertising and marketing as of 1 November 2022
The purpose of the new obligations is to make it easier for consumers to become informed, thereby providing a good basis for them to compare different offers / services.
The Consumer Authority ("CA") has issued an advance notification of administrative fine against Tinde Energi AS (Tinde) of NOK 3,000,000, and an administrative fine against the general manager of NOK 400,000 for breaching the Marketing Control Act.

Tinde sent out a notice about changes to the terms of the fixed price agreements they have with their private customers. The CA subsequently received a large number of complaints and therefore prioritized to send out notice of the decision to both Tinde and the general manager of the company on the same day. Among other things, Tinde notified their customer that the already agreed price would only apply until a newly introduced maximum electricity consumption limit was reached.

Finland

The Consumer Ombudsman has issued a statement regarding the binding nature of contracts in e-commerce
During 2021, the Finnish Consumer Ombudsman reviewed the delivery terms of 14 Finnish online stores and noticed that most of these terms contained an illegal provision based on which the seller is entitled to cancel the agreement for example, if the goods have been sold out. The Consumer Ombudsman issued a guidance letter to the online stores reminding them of the fact that an agreement concluded online with a consumer is binding. The Consumer Ombudsman will continue to follow-up on the issue.

Amendments to rules regarding distance selling by telephone
Amendments are being made to the Finnish Consumer Protection Act in the beginning of 2023 with respect to distance selling by telephone. Pursuant to the amendments, the agreement between a consumer and a trader carrying out distance selling by telephone cannot be concluded during the telephone call. The trader will have to send the consumer a written offer after the telephone call and the consumer must accept the offer in writing before the agreement shall be considered concluded. The amendments pro-vide better protection to consumers against aggressive telephone selling practices.

Data Privacy

EU legislation - Sweden/Denmark/Norway/Finland

Meta Platforms Ireland (Meta) was imposed fines of several hundred million Euros for GDPR violations during 2022
In Q4 alone, Ireland's data privacy supervisory authority, the DPC, responsible for supervising Meta, issued a fine of MEUR 265 for a user-data leak within Facebook in 2019; the EU's Court of Justice upheld the DPC's decision to fine Meta MEUR 225 for breaches at WhatsApp; and the European Data Protection Board announced three binding resolutions against Meta's Facebook, Instagram and WhatsApp on 6 December 2022, with final decision on the fines to be made by the DPC January 2023. Two fines were made public 12 January 2023 with total fines of MEUR 390.

European Data Protection Board adopted recommendations on Data Controller Binding Corporate Rules
In November 2022, the European Data Protection Board adopted Recommendations on the application for approval and on the elements and principles to be found in Controller Binding Corporate Rules (BCR-C).

Draft adequacy decision for the EU-U.S. Data Privacy Framework
On 13 December 2022, the European Commission published a draft adequacy decision for the EU-U.S. Data Privacy Framework. The draft adequacy decision concluded that the United States ensures an adequate level of protection for personal data transferred from the EU to US companies.

The draft adequacy decision will now go through the adoption procedure. The draft has, as a first step, been submitted to the European Data Protection Board for its opinion.
Once the adequacy decision for the EU-U.S. Data Privacy Framework has been adopted, EU entities will be able to freely transfer personal data to US companies which are certified under the new framework, without having to put in place additional data protection safeguards.

Sweden

New legislation on coherent healthcare documentation
On 1 January 2023, the new Act (2022:913) on coherent healthcare documentation (Sw: Lag om sammanhållen vård- och omsorgsdokumentation) entered into force. The Act contains provisions regarding processing of personal data carried out by healthcare providers and, in some cases, actors in the field of social services.

A data subject has been considered a qualified party in a supervisory case
An Administrative Court has ruled that a data subject ("DS") is a party in a supervisory case initiated based on his complaint to the Swedish Authority for Privacy Protection ("IMY").

In the case, a DS had submitted a complaint to the IMY regarding a company's handling of his request for access to personal data. Based on his and other DS's complaints, the IMY initiated an investigation. The IMY later rejected a request from the DS for the supervisory case to be decided within four weeks, arguing that the DS was not a party in the supervisory case under Swedish administrative law.

The court found that the DS was a party who had initiated the case insofar as it related to his complaint and the handling of his personal data. As such, his request for the case to be decided within four weeks had to be tried by the IMY.

Largest fine to date in Sweden is binding
On 20 December 2022, the Supreme Administrative Court decided not to grant leave to appeal in a case between Google and the IMY. As such, the Court of Appeal's judgement has become legally binding, requiring Google to pay a fine of MSEK 50 (approx. MEUR 4.5) due to how it handled the right to have search results removed under the GDPR.
The fine, although reduced by courts after the IMY, in 2020, set the amount to MSEK 72 (approx. MEUR 6.5), is the largest fine issued to date in Sweden under the GDPR.

Norway

In November 2022, the Norwegian Data Protection Authority issued an advance notification of an administrative decision on SSB which entails a ban on their planned collection of data on the Norwegian population's grocery purchases
The Norwegian Data Protection Authority ("DPA") received several complaints from individuals and businesses in the matter and concluded that there is no sufficient legal basis for such intrusive processing of personal data. Through the collection of bank data and bank transaction data, SSB would obtain information on what groceries the population buys. This data would then be able to be linked to socio-economic data such as household type, income and education level.

Unclear division of responsibility and inadequate internal control regarding processing of personal data by the Norwegian Correctional Service
The DPA has published a new report on the processing of personal data by the Norwegian Correctional Service (NCS), based on their inspection of the NCS (November 21- April 22). The report details some weaknesses, particularly regarding unclear division of responsibility and inadequate internal control, which likely relates to the patchwork of regulations the NCS currently operates under – data processing in relation to the execution of penal sentences is not subject to the GDPR or Norway's Personal Data Act.

Finland

The Administrative Court of Turku reverses judgement on administrative sanction due to rectification
The Finnish Data Protection Authority had issued an administrative sanction in the amount of EUR 12,500 to company X, inter alia, due to company X collecting unnecessary information of candidates during a recruitment process and the lack of necessary documentation required by the GDPR, such as the records of processing activities.

The Administrative Court reversed the decision to issue an administrative sanction to company X. The breach of the applicable regulations was deemed minor because company X had already, prior to the Finnish Data Protection Authority’s inquiry, rectified its practices with respect to the collection of candidate personal data. For more information, see case H1549/2022.

The Supreme Administrative Court rules right for the Data Protection Ombudsman to order a law firm to notify data subjects
The Supreme Administrative Court (the “Court”) considered whether the Finnish Data Protection Ombudsman had grounds to order a law firm to notify data subjects about a data breach. The e-mail credentials of a person employed by the law firm had come into the possession of an outside party through a so-called phishing e-mail. The e-mail credentials had been in the possession of the outside party for approximately two days. According to the report provided by the law firm, there were presumably approximately 2,000–2,500 names and e-mail addresses, 250–500 addresses of private individuals and 100–200 personal identification numbers in the email, OneDrive and Sharepoint which were accessible by using the email credentials.

The Data Protection Ombudsman was able to confirm that the e-mail was opened, it was used for access, and when opened by the outside party, the e-mails had been synchronized to the outside party. The Court stated that, even though there was no certainty of how widely the outside party had taken advantage of the personal data, it had access to a large number of personal data of identifiable natural persons. The Court therefore concluded that the risk to the rights and freedom of data subjects arising from the data breach could be considered both probable and severe. Therefore, the Data Protection Ombudsman had a right to order the law firm to notify the data subjects about the breach. For more information, see case KHO: 2022:131.

The Data Protection Ombudsman issues a notice to the Finnish Tax Administration regarding excessively extensive requests for information
The investigation by the Office of the Data Protection Ombudsman revealed that the Finnish Tax Administration had requested information from banks on all account transfers that had crossed the borders of Finland in the years 2015–2021. The information requests covered, among other things, purchases paid by bank card in foreign stores and online stores. In addition to the notice, the data protection ombudsman ordered the Finnish Tax Administration to delete personal data processed in violation of the data protection regulation and to stop submitting excessively extensive information requests to banks.

Other relevant legal topics

EU legislation - Sweden/Denmark/Norway/Finland

Work on EU "Artificial Intelligence Act" continues
On 6 December 2022, the EU Council of Ministers ("Council") adopted its general approach on the proposed Artificial Intelligence Act (COM/2021/206 final), following the draft regulation being presented by the EU Commission in April 2021. This will allow the Council to enter negotiations with the European Parliament on the proposed legislation, once the latter adopts its own position.

The aim of the Act is to ensure that AI systems are safe and respect existing law on fundamental rights.

The proposed regulation looks at dividing AI into four risk categories; the higher the risk, the stricter the regulation/requirements (with the highest risk being prohibited).
The next step is for the Council to enter into negotiations with the European Parliament once the Parliament adopts its own position with a view to reaching an agreement on the proposed regulation.

The DORA – EU Regulation on digital operational resilience in financial sector – to become applicable from 27 December 2025
Regulation (EU) 2022/2554 on digital operational resilience for the financial sector ("DORA") was published in the Official Journal of the European Union on 27 December 2022 and applies from 17 January 2025. The DORA will apply to a wide range of actors tied to the financial sector, including credit and payment institutions, insurance companies and ICT third-party service providers.

Sweden

Government may issue highly secure and trustworthy electronic IDs
The Government of Sweden has established a special investigator to examine the possibility of introducing a highly secure and trust-worthy government provided electronic identification (eID). The purpose is to promote security and robustness in the eID sector, as well as to enable more people with access to a digital identity.

The background to the establishment of a special investigator is the European Commission's proposed revision of Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions (the eIDAS Regulation). The regulation has not previously concerned eIDs and may, if revised in line with the proposal, require Member States to issue highly secure and trustworthy electronic IDs in the future (please see (COM(2021) 281) here for details about the proposal). The Swedish special investigator will thus investigate how Sweden might issue such eIDs, which government body shall issue eIDs and what type of digital infrastructure that is required to meet the call for high security and trustworthiness in the proposal.

The task force will present its recommendations and findings to the Swedish government 31 May 2024 upon which Sweden may introduce governmentally issued high security eIDs.

Norway

2022 saw increased focus on combatting gambling related issues, with the enactment of a new Gambling Act and a new gambling regulation which both entered into force 1 January 2023
The regulation, announced in November 2022, prohibits services of offering bonus and free rounds/spins, VIP programs, and other personalized or financial tricks to lure consumers back to gambling. The regulation also instates new rules for marketing and establishes that help-lines and age restrictions must be clearly communicated.

The Norwegian Gambling Authority (NGA) has actively monitored Trannel – owner of the online gambling platforms Unibet, Mariacasino, Storspiller and Bingo – in the final quarter of 2022, as Trannel continues to operate in Norway without a license. Trannel has been subject to daily enforcement fines of MNOK 1.2 since April 2019, which were stopped when Trannel announced plans to pull out of the Norwegian market.