Greece: Bill on emerging technology - a unified framework

Greek Law 4961/2022 on 'Emerging information and communications technologies, strengthening digital governance and other provisions' ('the Law') creates one of the first unified frameworks on emerging technologies within the EU. The Law attempts to address the possible impact that emerging technologies may have on everyday life and especially on fundamental human rights. Spiros Tassis, Founder at Tassis & Associates Law Office, provides a look into the Law and its purpose.


One law to rule them all

The Law is structured in three main chapters, each one regulating specific technologies, while a fourth chapter (Articles 102 et seq.) introduces the provisions of the Ministry of Labor and Social Affairs ('the Ministry'):

Part one

The first part (Articles 1 to 27) sets a target for the digital upgrading of the public administration and aims to create the appropriate institutional background for the legitimate and safe utilisation of the potential of artificial intelligence ('AI') (by the public and private sector) and to strengthen the resilience of the public administration against cyber threats. It is worth noting that the Law does not step into the scope of regulation of the EU Regulation laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) and amending certain legal acts ('the AI Act'), thus no definition of AI is attempted. According to the relevant provisions, prior to the making or use of any AI systems, all (public) bodies are obliged to first conduct an Algorithmic Impact Assessment ('AIA') analysing the intended purpose of use, the technical specifications of the implemented systems, and the possible risks posed to (human) rights. The demand for transparency on the operation of AI systems is at the core of each public body's obligations, and accordingly they should maintain an up-to-date AI systems registry.

The same also applies to private entities, with a specific provision on algorithmic explicability when an automated decision is made at the recruitment stage of a prospective employee or for consumer profiling, a provision that looks like Article 22 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') (automated individual decision-making, including profiling). Furthermore, an obligation for an 'Ethical Data Use Policy' is introduced, so each organisation may carefully plan and control the use of the personal data it controls and processes. In this context, businesses of a certain size and above are now required to adhere to an ethical data use policy, i.e. to maintain internal documentation on the measures, actions, and procedures they apply in the context known as the ethical use of data, in particular the data they use in IT systems. It goes without saying that clarifications will be given for the implementation of the measure - after all, a joint decision of the Ministers of Development and Investments, Digital Governance, and a recommendation of the National Bioethics and Technoethics Committee is foreseen, to specify the content of the policy and regulate every other necessary detail for the implementation of this article. The provisions relating to the use of AI systems will enter into force on 1 January 2023, and no definition of AI exists in the Law as, while waiting for the AI Act and knowing that it is a complex issue that has generated intense debate at the EU level, it becomes obvious how difficult it is to fit into the confines of a definition without oversimplifying the developments of the technology or comprehensively defining all its techniques and capabilities. Therefore, the Law has a technology-neutral approach, as awaiting a single EU-wide definition from the Commission was preferred.

Part two

The second part (Articles 28 et seq.) concerns the utilisation of advanced technologies. These provisions attempt to make rational use of the possibilities provided by the technologies of the Internet of Things ('IoT'), Unmanned Aircraft Systems ('UAS'), distributed ledger technology ('DLT'), and 3D printing in the context of exercising the responsibilities of public sector bodies and in operating the framework of the private market, with the goal of consolidating the digital transformation of the country. IoT devices should be allowed after a compliance declaration issued by the manufacturer and detailed instructions on installation and a list of potential risks. IoT provisions will enter into force on 1 March 2023. Recording of data and transactions taking place via blockchain and the ability to conclude smart contracts are now expressly recognised by virtue of the Law, and shall still be governed by the Greek Civil Code, since the Law provides that it directly applies to blockchain and smart contracts. The Law applies to both public and private blockchain/DLT networks. On 3D printing, the Law provides specific amendments to Law 2121/1993 on Copyright, Related Rights and Cultural Matters to resolve the issues raised by 3D printing technologies and introduces a prohibition on the use, hosting, and sharing of digital models, virtual designs, or standard triangle language ('STL') digital files on online platforms used for 3D printing, without the prior consent of their rights holder.

Part three

The third part of the Law (Articles 58 et seq.) provides for a national policy of administrative procedures and a national program for the simplification of procedures ('EPAD'), as well as other provisions to strengthen digital governance. The purpose of these provisions is to enrich the actions that are included in the EPAD, the creation of a National Administrative Procedures Policy ('EPDD'), and the further strengthening of the digital transformation of the country by ensuring the necessary organisational flexibility of the structures of the Ministry of Digital Governance and its supervised entities, as well as the institutionalisation of new digital services.

The purpose of this framework

In their speech in Parliament introducing the Law, the Minister of Digital Governance made a reference to the Collingridge dilemma to address the argument of why a small country like Greece has decided to proactively regulate these technologies: "During the initial stages of a new technology, legislation is difficult as there is insufficient knowledge/information/awareness of the issues. When the unwanted effects of the technology emerge, it has penetrated so much into life and the economy that any attempt at regulatory control is met with backlash from the people who develop it, the investors and the users themselves".

According to its Explanatory Memorandum, some of the main objectives of the Law are:

  • The implementation of a comprehensive national strategy for the development of AI in Greece, which is based on modern technological developments in the field in question.
  • The strengthening of the resilience of the state and its critical infrastructures against cyber threats and achieving a high level of cybersecurity in the country through the formulation of an integrated strategy for dealing with cyberattacks, as reflected in the National Cybersecurity Strategy 2020-2025.
  • Ensuring a high level of security of the information that is circulated through IT devices, especially when these devices interact with humans either directly or indirectly. This objective takes on great importance due to the growing number of cyberattacks or threats of cyberattacks against the country's critical infrastructure, which intensify in times of international crises.
  • The use of radio spectrum frequencies to upgrade the postal service provision framework.
  • The legislative clarification of the basic terms and concepts that appear in the 3D printing process, the strengthening of transaction security, and the securing of the confidence of traders regarding intellectual and other rights per phase of 3D printing from the creation of the digital model to the creation of the printed physical object.
  • The simplification of individual administrative procedures, the provision of upgraded services by electronic means, and the adoption of best administrative practices for standardisation and transparency of public administration procedures through a modernised National Register of Procedures.

The Law does not apply to technologies implemented for the purposes of national defence and security, the intelligence services, and the Ministry of Civil Protection and Public Order. There should be more general provisions especially in the light of developments at EU level - e.g. which practices will be universally prohibited, such as in relation to facial recognition, etc. Several of these are incompatible with personal data legislation, so the Ministry considers that in this phase there are sufficient guarantees.

The Ministry also considers the Law the right instrument to achieve regulatory objectives without being overly (and in detail) 'regulatory' and causing a disproportionate compliance burden, as it primarily talks about obligations of IT manufacturers to organisations that will use it, and not to end users. It is stressed that the Law takes account of the AI Act, as well as other current initiatives at European and international level, and does not contradict these instruments but specifies the rights of individuals in harmony with these initiatives. Therefore, there are areas that the Ministry chose not to touch on and issues that it considered better to be regulated uniformly at EU level anyway. The targeted areas are the ones considered most important based on Greece's needs and expectations, as well as the Government's planning (i.e. public sector, labour, and consumers).

Last, but not least, the provisions of the Law do not attempt to establish special rules derogating from the GDPR. Therefore, a relevant reference was made under Article 3, ensuring that the proposed provisions do not affect, in any way, the rights and obligations deriving from the EU and national law for the protection of personal data and privacy. On the contrary, new provisions are created with the aim of increasing the level of awareness, transparency, and accountability, without disproportionately burdening businesses and the public sector.

Spiros Tassis Founder
Tassis & Associates Law Office, Athens
