The Regulation of Emerging Technologies in Greek Law

On 27 July 2022, the Greek Law 4961/2022 “on emerging information and communication technologies, the reinforcing of digital governance and other provisions” was published and set in force[1], except for the provisions regarding artificial intelligence, which entered into force on 1.1.2023, and the provisions regarding Internet of Things devices, which entered into force on 1.3.2023.

The new Law sets out the national framework for the regulation of artificial intelligence (“AI”), the Internet of Things (IoT), the provision of postal services using Unmanned Aircraft Systems (“UAS”), the use of distributed ledger technologies (“DLT”) and the conclusion of smart contracts, as well as the protection of works of three-dimensional printing (“3D Printing”).

Background, Purpose & Scope

Law 4961/2022 regulates the utilization and use of a basic set of contemporary emerging technologies with significant economic and social impact. It thus lays down the conditions for the rapid adoption and development of these technologies in Greek economy and society, with the ultimate goal of promoting the country’s digital transformation.

In terms of scope, the new Law enacts vertical obligations for providers of products and services related to AI, IoT and UAS in transport, and horizontal requirements for the use of AI and three-dimensional printing, while laying the foundations for conducting transactions with DLTs and smart contracts.

The purpose of Law 4961/2022 is, on the one hand, the lawful, safe and secure development, deployment and use of AI technologies by public and private entities and, on the other hand, the accommodation of the potential of IoT, UAS, DLT and 3D Printing for the public sector and the market[2].

The provisions of Law 4961/2022 unfold in four parts, which concern, among others, the digital upgrade of public administration (Part A’) and the utilization of emerging technologies by public bodies and private entities (Part B’).

In specific, Part A’ of the Law (articles 1-27) aims to establish the adequate institutional framework for the exploitation of the potential of AI by public and private sector bodies under conditions of fairness and security, as well as to strengthen the resilience of the public administration against cyber threats. In the context of serving this purpose, Part A of the Law includes regulations for (a) the development of artificial intelligence, and (b) the upgrade of information security and data protection in the public sector.

Furthermore, Part B of the Law (articles 28-57) aims at the exploitation by the public sector and the private market of the potential unleashed by advanced technologies in line with good practices, with the ultimate goal of consolidating the digital transformation of the country. For this purpose, Part B of the Law includes regulations regarding (i) the Internet of Things (“IoT”), (ii) Unmanned Aircraft Systems (“UAS”), (iii) distributed ledger, and (iv) 3D printing.

The Greek Legal Framework for the Regulation of AI

Taking into account the forthcoming adoption of the Artificial Intelligence (“AI”) Act by the European Union (“EU”), the Greek Law 4961/2022 introduces supplemental national provisions for the regulation AI use in the Greek public and private sectors.

The national framework follows a “risk-based approach“ for the regulation of AI in line with the proposed AI Act, enacting the following obligations per category of obligated entities:

Α. Public Bodies

Provision by Statute: Except for the Ministries of National Defense and Citizen Protection, the use of AI systems is permitted only by a special provision by statute, which includes appropriate safeguards for the protection of the rights of natural or legal persons affected by these systems[3].
Algorithmic Impact Assessment: Before deploying AI systems, in addition to performing a data protection impact assessment of Regulation (EU) 2016/679 (“GDPR”), public bodies shall have the obligation to execute algorithmic impact assessments in order to evaluate the risks that may arise to the rights, freedoms and legitimate interests of the persons affected by such AI systems. Appropriate safeguards for the protection of the rights of persons affected by the use of AI systems shall be further specified through the issuance of a Presidential Decree[4].
Operational Transparency: Each public body shall publicly disclose information, inter alia, about the commencement of operation and the operating parameters of any AI systems deployed as well as on the decisions taken or supported through them. Any complaints by affected persons on violations of transparency obligations shall be examined by the National Transparency Authority[5].
Register of AI Systems: Each public body shall maintain a register of the AI systems it uses[6].

Β. Private Entities

AI in the Employment Context: Prior to the deployment of an AI system, which affects the decision-making process concerning employees, existing or prospective, and has an impact on their conditions of employment, selection, recruitment or evaluation, private entities shall provide relevant information to the employee. This obligation also applies to digital platforms in respect of natural persons linked to them by employment or independent service contracts or project agreements. For any violation of this obligation, the Labor Inspectorate may impose monetary sanctions[7].
Ethical Use of Data: Any medium- or large-sized undertakings within the meaning of article 2 of Law 4308/2014[8], shall be obliged to adopt a policy for the ethical use of data, which includes information on the measures, actions, and procedures they apply to data ethical issues when using AI systems. In addition, entities obliged to issue corporate governance statements in accordance with article 152 of Law 4548/2018, must include in it information about their data ethics policy. The content of such policies shall be further specified through the issuance of a Joint Ministerial Decision[9].
Record of AI Systems: Any medium- or large-sized undertakings within the meaning of article 2 of Law 4308/2014 shall maintain a record of the AI systems deployed[10].

Finally, the new Law establishes the following national requirements for public procurement procedures for the design or development of AI system[11]:

The contractor shall furnish the contracting authority with information necessary to fulfil its transparency requirements on AI system operation stipulated in the Law;
The AI system shall be delivered in such a way so that the contracting authority be able to study its mode and parameters of operation, to further improve it and to publish or make available, in any way, those improvements; and

iii. Appropriate measures will need to be taken to bring the AI system in line with applicable laws, in particular, regarding the protection of human dignity, the respect for private life and the protection of personal data, non-discrimination, equality between women and men, freedom of expression, universal access for persons with disabilities, workers’ rights, and the principle of good administration.

It is explicitly stipulated that the provisions of Law 4961/2022 on AI technologies do not affect the rights and obligations provided for in the GDPR and supplementary Law 4624/2019 on the protection of personal data.

Finally, the new Law establishes, on the one hand, a Coordinating Committee for AI with responsibilities for the drafting of the National Strategy for AI and, generally, the formulation of policy around AI and, on the other hand, a Committee for the supervision of the strategy, which ensures the implementation, the coordination of the competent bodies and manages its enforcement.

To carry out their work, the two committees receive data and know-how from the national AI Observatory, also established by the Law, which has the duty to monitor and report on technological developments and policies around AI in the country and at an international level.

Provisions on Information Security & Data Protection

Law 4961/2022 further establishes the following institutions for shielding the country against threats related to information and network security[12]:

The General Directorate of Cybersecurity of the Ministry of Digital Governance is designated as the National Cybersecurity Certification Authority in accordance with article 58 of Regulation (EU) 2019/881. Ministerial decisions shall define the monitoring procedure and the bodies assessing the products, services and ICT procedures vis-a-vis the requirements of European cybersecurity certificates, as well as the relevant sanctions in case of non-compliance.
The Ministry of Digital Governance establishes the Hybrid Threat Analysis Observatory, i.e. the advisory body of the National Cybersecurity Authority with responsibility related to the analysis and prevention of hybrid threats in the field of cybersecurity.
The General Directorate of Cybersecurity of the General Secretariat for Telecommunications and Post of the Ministry of Digital Governance is designated as the national coordination center as per Article 6 of Regulation (EU) 2021/887.
In each central government body, an Information and Communication Systems Security Officer (“ICSSO”) is appointed, with the task of supervising the security of the entity’s network and information systems and ensuring the issuance of a risk analysis plan and the security policy of the Body’s ICT systems.
Each public body having a critical infrastructure also designates a Security Coordinator, who carries the duties of the ICSSO for this particular infrastructure.

Regulation 2019/881 on ENISA (the European Union Agency for Cybersecurity) created a European Union-wide cybersecurity certification scheme in the field of information and communication technology and strengthened ENISA by defining its specific role and responsibilities. The General Data Protection Regulation focuses on “Data Protection by Design”, where components related to both privacy and security meet, whereas the European Regulation on Cybersecurity focuses on “Security by Design”, which enables the products’ designers and constructors to receive the relevant certification and consequently strengthens the public confidence in the above products and services[13].

As per the new Law, providers of public electronic communication networks are required to have in place and align with an information security risk assessment plan, which they shall update on an annual basis. Also, a procurement plan in relation to the equipment obtained and the participation of third-party suppliers.

Finally, a register of data protection officers of public sector bodies is established as well as a relevant committee for the exchange of expertise and cooperation with ISDPS.

The Greek Legal Framework for the Regulation of IoT

According to the definitions of Law 4961/2022, Internet of Things (“IoT”) means any technology that[14]:

(a) allows devices or a group of interconnected or related devices, through their internet connection, to perform automatic processing of digital data; and

(b) enables the collection and exchange of digital data, in order to offer a variety of services to users, with or without human participation.

Law 4961/2022 imposes legal obligations on both manufacturers and importers / distributors and, also, operators of IoT devices[15].

According to the provisions of the new Law, manufacturers are required to accompany IoT devices with a declaration of compliance with the technical safety specifications, indicated in the law, as well as instructions for use and information on safe use.

In addition, each manufacturer is obliged to have a management process in place in relation to its IoT devices, in cases where it is ascertained by the user that: a) a security incident occurs, or b) a vulnerability exists in the security parameters of the device. This process should include appropriate documentation by the manufacturer about the nature and possible forms of occurrence of the security incident or the vulnerability, detailed instructions for dealing with them, as well as indicative measures to mitigate potential adverse consequences.

Importers and distributors are required to verify that the IoT devices they import or distribute are accompanied by a relevant declaration of compliance, as stipulated in the new Law, refrain from further import or distribution in case of absence and cooperate with competent public authorities for matters of compliance with the provisions of the Law.

On the other hand, operators of IoT devices are obliged to follow the technical safety specifications of the devices they deploy and use. They should also appoint an IoT Security Officer to monitor the security measures of their devices. Furthermore, they are required to maintain a register of IoT devices, updated on an annual basis and, in any event, when putting into service a new IoT device. Finally, each IoT operator should carry out an impact assessment of the planned personal data processing operations related to the operation of the IoT technology device.

The National Cybersecurity Authority is appointed as the competent authority to oversee the implementation of the national IoT security framework[16]. The Authority has the power to:

Require from manufacturers, importers, or distributors of IoT devices to take all necessary corrective actions in order to comply with the applicable legislation.
Order the temporary withdrawal from the market of IoT appliances presenting risks and their replacement in the market only if such risks have been removed.

Upon the Authority’s recommendation, the competent body of the Ministry of Digital Governance may impose penalties of up to € 15,000 and, in case of relapse, of up to € 100,000 on non-compliant manufacturers, importers, distributors and operators.

Forthcoming ministerial decisions shall specify the technical specifications and safety measures of IoT devices, the obligations of manufacturers, importers, and suppliers of such products as well as the relevant sanctions in case of non-compliance.

Provisions on the Use of UAS in the Context of Postal Services

Articles 43-46 of Law 4961/2022 amend the respective provisions of Greek Framework Law 4053/2012 on Postal Services[17], by introducing rules on the use of Unmanned Aircraft Systems (“UAS”) in the postal sector.

The new Law explicitly stipulates that the provision of postal services, for which a general or special permit has been granted, in all or part of the Greek territory, may be carried out using UAS, subject to approval by the National Telecommunications and Post Commission (“NTPC”)[18].

The use of frequencies by UAS for the provision of postal services shall be governed by the Delegated Regulation (EU) 2019/945 and the Implementing Regulation (EU) 2021/664[19].

According to the new Law, the technical characteristics and safety specifications of UAS used for the provision of postal services, as well as any other relevant issue, shall be specified through a decision issued by the Minister of Digital Governance, following an opinion of the NTPC and the Civil Aviation Authority[20].

The Greek Legal Framework for the Regulation of DLT

Law 4961/2022 defines “distributed ledger” as the repository of information that maintains records of transactions, and which is shared and synchronized between a set of DLT network nodes, using a consensus mechanism[21].

Furthermore, a blockchain is defined as a type of distributed ledger technology that records data in blocks, which are connected to each other in chronological order and form a chain of a consensual, decentralized and mathematically verifiable nature, which is mainly based on the science of cryptography[22].

Finally, a smart contract is defined as a set of coded computer functions, which is finalized and executed through distributed ledger technology in automated electronic form through instructions for the execution of actions, omissions, or tolerances, which are based on the existence or not of specific conditions, according to terms recorded directly in electronic code, scheduled commands, or programmed language[23].

In smart contracts, trust in the person of the counterparty is replaced by trust in the very system of blockchain technology to which they belong. Because of the technical guarantees it provides, that system is presumed not to make any errors. The nature and role of participants in the DLT ecosystem determines their legal liability for any damage caused by their acts or omissions[24].

The new law lays down the foundations for the validity of smart contracts executed within the jurisdiction of Greece. According to its provisions, the recording of data or the execution of contracts may be freely conducted through a blockchain or other DLT, rendering valid the declarations of will exercised in such a form[25]. Smart contracts bind contracting parties as per the general provisions of the Greek Civil, including its provisions on invalidity of private contracts or declarations of will[26].

The provisions of Law 4681/2022 also stipulate that the submission of information or data about smart contracts executed through blockchain or other DLT suffices as valid proof for their execution before national courts. An official expert report may also be submitted for the verification of the transposition of the respective software code into text[27].

The Greek Legal Framework for the Regulation of 3D Printing

Articles 53-57 of Law 4961/2022 set out the national framework for the regulation of 3D printing.

3D printing may be defined as the additive manufacturing technique by which, through successive deposition of successive layers of material, three-dimensional objects are made. This method has wide use in the production of spare parts and application in architecture, medical technology, weapons industry, industrial technology, etc[28].

In the new Law, “3D Printing” is defined as the process of uniting 3D printing materials through the technique of prosthetic successive stratification of such materials by using new technologies, especially 3D printers, and aiming on printing a physical object based on a digital model[29].

The new Law introduces the following amendments to Greek Framework Law 2121/1993 on copyright regarding works of speech on 3D printing[30]:

Any Computer Aided Design File (C.A.D. File) is explicitly characterized as a protected work of speech, as long as it includes a source code.
3D printers are expressly subject to a 4% private levy on their value for the benefit of authors and right-holders of neighboring rights.

Moreover, the new Law prohibits the use, sharing and hosting on online platforms of digital models or digital design files with the help of a computer or digital files of a typical triangle language or digital model design databases, without the prior permission of their right-holder[31].

As an exception, such acts are lawfully conducted without the permission of their right-holder if they are carried out solely for: (a) private, judicial or administrative use; (b) use for the benefit of persons with disabilities; (c) use for temporary or ancillary phases of a technological process that do not have independent economic significance; d) the fulfillment of educational or research purposes; (e) news purposes; or (f) the use of images or objects in public places or exhibitions in museums or in exhibits catalogues, provided that, in the above cases, the normal utilization of the work or other protected subject-matter is not affected and the legitimate interests of the author or the rightful owner are not unduly prejudiced.

The new Law also provides for the liability of online platform providers, through which digital models or digital files, without source code related to the 3D printing process, are used, shared, or hosted, in cases that, after becoming aware of the infringement, they do not take all necessary measures to remedy it[32].

Finally, the new Law establishes the liability of the creator or legal owner or seller, as the case may be, towards consumers for defective digital models or files related to the 3D printing process or three-dimensional printed objects or three-dimensional printers or scanners.

Conclusion

Artificial intelligence is a rapidly evolving technological field that is expected to radically transform major aspects of Greek society, such as the economy, health, as well as entrepreneurship and innovation. In addition, the Internet of Things is at the core of the fourth industrial revolution, offering solutions in many areas of economic and social life, such as extremely fast response services, reliable remote solutions, using applications with greater ease, decision support, better resource allocation and remote control of services. Furthermore, the use of Unmanned Aircraft Systems in postal services presents advantages in terms of environmental protection (smaller environmental footprint) and access to critical or island areas, as well as areas with difficult access. Accordingly, the lack of regulation in respect of distributed ledger technologies results in legal uncertainty for innovative businesses and acts as disincentive for attracting investment, while at the same time the potential of these technologies remains untapped. Finally, the diffusion of 3D Printing technologies across business sectors requires the protection of respective intellectual property rights[33].

The provisions of Law 4961/2022 establish a national framework for the promotion of these emerging technologies in Greece under conditions of trustworthiness, safety and cybersecurity, consumer protection, respect for fundamental rights and the democratic rule of law. Hence, the provisions of the new Law are expected to contribute to technological innovation and result in a positive impact on the overall digital transformation of the public and private sectors of the country.

[1] Greek Government Gazzette 146/A/27-07-2022, available: https://www.et.gr/api/DownloadFeksApi/?fek_pdf=20220100146.

[2] See articles 1 and 30 of Law 4961/2022.

[3] See article 4 of Law 4961/2022.

[4] See article 5 of Law 4961/2022.

[5] See article 6 of Law 4961/2022.

[6] See article 8 of Law 4961/2022.

[7] See article 9 of Law 4961/2022.

[8] According to the respective provisions of Law 4308/2014, medium-sized undertakings are those which fulfill two or more of the following criteria: (i) 250 employees, (ii) a turnover of up to €40 million and (iii) a net balance sheet total of up to €20 million. For large-sized undertakings the respective criteria increase up to: : (i) 250 employees, (ii) a turnover of up to €40 million and (iii) a net balance sheet total of up to €20 million

[9] See article 10 of Law 4961/2022.

[10] See article 10 of Law 4961/2022.

[11] See article 7 of Law 4961/2022.

[12] See articles 3-26 of Law 4961/2022.

[13] A. Michailaki, Law and Ethics in the applications of augmented reality, Nomiki Vivliothiki, 2022, p. 24-25.

[14] See article 31 of Law 4961/2022.

[15] See articles 32-35 of Law 4961/2022.

[16] The General Directorate of Cyber Security, part of the General Secretariat of Telecommunications & Posts of the Ministry of Digital Governance, has been designated as the National Cybersecurity Authority of Greece. The official website of the Authority is available here: https://mindigital.gr/dioikisi/kyvernoasfaleia.

[17] Greek Government Gazzette 44/A/07-03-2012, available: https://www.et.gr/api/DownloadFeksApi/?fek_pdf=20120100044.

[18] See article 45 of Law 4961/2022.

[19] See article 46 of Law 4961/2022.

[20] See article 45 of Law 4961/2022.

[21] See article 31 of Law 4961/2022.

[22] See article 31 of Law 4961/2022.

[23] See article 31 of Law 4961/2022.

[24] L. Kanellos, ‘Smart Contracts: Legal challenges and business prospects’, Nomiki Vivliothiki, 2021, p. 163.

[25] See article 47 of Law 4961/2022.

[26] See articles 130, 138, 159, 174-179 and 140-157 respectively of the Greek Civil Code.

[27] See article 51 of Law 4961/2022.

[28] M. Milapidou, ‘New Technologies in Health: Medical, Legal and Ethical Issues’, Nomiki Vivliothiki, 2021, p. 94.