Legal Brain

In the dynamic landscape of corporate governance, where transparency, accountability, and security are paramount, blockchain technology emerges as an outstanding solution. Revolutionizing traditional practices, blockchain offers a decentralized system that ensures immutable records, fostering trust and integrity in corporate operations.

As businesses face increasingly complex regulatory environments and heightened stakeholder expectations, harnessing the power of blockchain not only enhances governance mechanisms but also paves the way for a new era of corporate transparency and efficiency.

In this article, our objective is to provide a brief overview of the transformative capabilities of blockchain technology in corporate governance.

A reminder: what is blockchain technology?

Imagine blockchain like a big digital notebook where you can write down information, but once it's written, it can't be changed or erased. Each page of this notebook is connected to the next one, creating a chain of pages, hence the name "blockchain." This notebook is shared with lots of other people, and everyone has a copy. When someone adds new information to the notebook, everyone can see it, and because it's connected to the previous pages, they can be sure it's accurate and hasn't been tampered with. So, blockchain is like a super secure and transparent way of keeping track of information online.

How can blockchain technology be used in corporate governance?

Corporate governance succinctly encompasses the decision-making processes within corporations, including matters related to business administration, management, and future strategic planning. Blockchain technology is a promising option for listed companies characterized by a large number of shareholders. Nevertheless, its adoption can also bolster corporate governance for smaller, closely held companies featuring a more limited shareholder base.

What are the benefits of blockchain technology in corporate governance?

The main benefits of employing blockchain technology in enhancing share ownership transparency may be summarized as follows:[1]

• Cost Reduction in Voting Procedures: Blockchain simplifies shareholder identification, reducing costs and time in proxy voting. It ensures real-time distribution of voting entitlements, minimizing the risk of shareholders losing their voting rights.

• Accuracy of Ballots and Decision Legitimacy: Blockchain allows precise identification of voters, ensuring accurate voting processes and mitigating the risks of incorrect counting or overvoting. This boosts the legitimacy of corporate decisions.

• Increased Transparency in Corporate Governance: Blockchain enhances share ownership transparency by tracking ownership in real-time, reducing discrepancies between recorded and beneficial shareholders, and aiding in fraud detection and prevention.

• Streamlined Proxy Voting Architecture: Blockchain simplifies proxy voting, empowering shareholders to control their shares directly, making the process faster and more efficient, and enabling effective monitoring of proxy assignments and votes.

• Enhanced Shareholder Democracy: Blockchain reduces barriers to participation in company decision-making, leading to stronger shareholder control over boards of directors, improved corporate governance, reduced agency problems, and increased market liquidity and capital efficiency.
  

What are the legal implications of using blockchain technology in corporate governance?

The legal implications of using blockchain technology in corporate governance can vary depending on the jurisdiction but would be expected to cover at least:

• regulatory compliance such as the need to abide by corporate governance mandatory legal provisions, legislation concerning securities and legislation concerning personal data privacy and protection;

• digital identity namely the applicability of legal provisions concerning both identification of signatories, as well as the binding nature of signatures;

• liability and accountability or, in other words, responsibility for faults in using the technology.

In every scenario, considering the advantages offered by this technology, it is highly probable that blockchain will see increasingly widespread adoption in corporate governance. Exploring the legal ramifications of its utilization will likely necessitate a comprehensive series of articles merely to scratch the surface. Stay tuned for more.

[1] Based on the research included under this source: Panisi, Federico and Buckley, Ross P. and Arner, Douglas W., Blockchain and Public Companies: A Revolution in Share Ownership Transparency, Proxy-Voting and Corporate Governance? (May 1, 2019). 2 Stanford Journal of Blockchain Law & Policy 2019, University of Hong Kong Faculty of Law Research Paper No. 2019/039, UNSW Law Research Paper No. 19-100, Available at SSRN: https://ssrn.com/abstract=3389045 

ChatGPT 4 users have found that AI can generate images based on given instructions. The instructions can be very detailed or, on the contrary, general. The result of the AI's imagination are vivid colour images, very expressive and illustrative of the idea suggested by the human user.

The question is: can these images be used commercially?

The Terms of Use (Terms) of OpenAI (the developer of ChatGPT) for the European Economic Area (EEA), Switzerland, and UK (updated as at 15 February 2024) state as follows: “Your Content. You may provide input to the Services (“Input”), and receive output from the Services based on the Input (“Output”). Input and Output are collectively “Content”. You are responsible for Content, including ensuring that it does not violate any applicable law or these Terms. You represent and warrant that you have all rights, licences, and permissions needed to provide Input to our Services. Ownership of Content. As between you and OpenAI, and to the extent permitted by applicable law, you (a) retain your ownership rights in Input and (b) own the Output. We hereby assign to you all our right, title, and interest, if any, in and to Output.”

Our interpretation is that the concept of "Content" includes both the description of the image provided by the user and the image generated by ChatGPT based on the instructions received. Given OpenAI's clear and unequivocal agreement to assign all rights to the Content to the user, we believe that the images generated by ChatGPT according to the instructions should be allowed to be used for commercial purposes (even sold) without violating any legal or contractual provisions. Images created by ChatGPT do not need to be expressly attributed to AI, but if the user wishes to indicate authorship, then the OpenAI Terms contain recommended wording to be used for this purpose. Note that, according to the recently adopted EU AI Act (to be discussed in a future post), users of an AI system that generate or manipulate images, audio or video content that substantially resemble existing persons, objects, places or other entities or events and that would give a person the false impression that they are authentic or true (" deepfake"), must make it known that said content has been artificially generated or manipulated.

Note: Image created with DALL·E 3 The image above was created with ChatGPT 4 at our request to draw itself while working on images requested by users.

We aim to analyze the distinctions between "consent/agreement" required for contract conclusion and performance between a data subject and a data controller (a concept that we have further discussed here), and "consent" as the legal basis for processing. This analysis will be presented in a manner that minimizes technical jargon and includes practical examples. Despite appearing similar in legal terms, these concepts possess nuanced differences, which we seek to elucidate.

However, when we discuss two of the legal bases of data processing, namely CONTRACT and CONSENT, the same concept - "consent" - takes on different meanings that, if not well understood, may cause problems while identifying the legal basis of the processing: (i) art. 6 para. 1 lit. (a) of GDPR, namely, CONSENT or (ii) art. 6 para. 1 lit. b), namely the performance of a CONTRACT.

The Romanian dictionary DEX defines the notion of "consent" as "an agreement of the persons entering into a contract."[1]

Also, from the perspective of the Civil Code, the notion of consent is synonymous with "agreement” or “will", as arising from the following legal provisions:

• No one can be subjected to any interference in his/her intimate, personal or family life, nor in his/her domicile, residence or correspondence, without his/her consent[2].

• It is forbidden to bring prejudice to a person's honour and reputation without his/her consent (...)[3].

• Marriage is concluded between a man and a woman through their personal and free consent[4].
  

From the contractual point of view, consent represents, according to the Civil Code, along with capacity, object and cause, one of the four essential elements for the validity of the contract entered into between two or more persons.

Therefore, for the conclusion of a contract, the consent of the parties is always needed.

Is this consent necessary for the conclusion of a contract the same as the consent provided by the GDPR as the legal basis for processing?

In other words, whenever the data subject gives their consent for the processing of their personal data, do they enter into a contract with the data controller?

How will we know if a data subject has given consent to enter a contract or has given consent without it leading to the conclusion of a contract?

From GDPR perspective, consent is a legal basis of processing different from the performance of the contract.

According to art. 6 of the GDPR, the processing is legal only if and to the extent that at least one of the following conditions applies[5]:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

For someone with legal training, making the distinction is straightforward. However, for data controllers, discerning between consent as the legal basis for processing and consent as a requisite for contract conclusion presents practical challenges.

The correct identification of the legal basis of processing, between the two proposed for our analysis, is extremely important at least for the following considerations that both the data controller and the data subject should be aware of:

if the processing takes place based on the data subject's consent, this means that the data subject can withdraw it at any time, without the data subject being harmed/damaged in any way as a result of the withdrawal, without any consequences being drawn to her.

Example: The data subject submitted a registration for a marathon, providing the organizers with their name, age and contact details and, before starting the marathon, they no longer wish to participate, withdrawing consent. Based on the data subjects’ request, the organizer will exclude them from the list of participants without any negative consequences for the data subject, except for the inherent one, i.e. the loss of the chance to run in that marathon and possibly win a prize.

On the contrary, when the legal basis for the processing is represented by the "necessity of performing a contract" to which the data subject is a party, the withdrawal of the consent might represent, in fact, a manifestation of the right to terminate that contract, which, if terminated, may have some negative consequences, in accordance with the nature and the provisions of the contract, even potential sanctions for the data subject.

Example: A data subject has signed a contract with a travel agency by which they accepted the price of the services, the payment dates and a penalty of x % to the contract value if the price will not be paid in due course. In this case, the exercise of the right to oppose to the processing of the personal data the data subject might exercise, will be considered a request for termination of such contract which will lead, once terminated, to the payment of the agreed penalty due to the failure of paying the agreed price.

The two legal bases can coexist, but the data controller must correctly identify each purpose of the processing and the legal basis related to each of the purposes.

The data controller has the obligation to ensure that the provision of the consent for a specific purpose of the processing which is based on such consent is not obtained through the same action by which consent is given for the conclusion of a contract. Thus, having independent legal grounds, the termination of processing based on one legal basis will not automatically cause the end of the processing based on the other legal basis.

Example: The most relevant example in this regard is the one from the online environment, in the following situation, very often encountered. The user of a shopping website is requested, through separate "boxes", to tick, on the one hand, that he agrees with the "Terms and Conditions" of the website (T&C), and on the other hand, that they wish to receive marketing communications. By ticking the first box, the user expresses their consent to enter into the contract for the sale of the products (it is the consent necessary for the valid conclusion of the contract, in the form of T&C, the processing of personal data having as a legal basis here, the need for the performance of the contract), while by ticking the second box, the user expresses their consent to receive communications (here, the legal basis for processing is consent). While the user can opt-out of marketing communications at any time without any consequence, they can opt out of the T&C only subject to the T&C and legal provisions regarding, for example, the right of withdrawal from distance contracts concluded with consumers. While the user can opt-out for marketing communications at any time without any consequence, withdrawal from the T&C might have some consequences for the user, depending on the T&C provisions and in consideration of the legislation for consumer protection in force regarding the withdrawal from the contracts concluded at distance with the consumers.

The withdrawal of consent (for marketing communications, in the example above), will not lead to the obligation of the data controller to delete the data that is processed for the purpose of performing the contract.

Consequently, data controllers should clearly know the purpose of the processing of each category of data and the legal basis of such processing in order to be able to respond to any requests of data subjects.

Tip to make distinguishing between the two much simpler!

When the processing of personal data obliges neither the data subject and, in most cases, nor the data controller, to comply with certain terms, conditions or other obligations (except for those related to personal data protection) and, therefore, there is no consequence on the data subject if he they withdraw consent, most likely that processing is based on consent, as the legal basis of the processing.

On the contrary, when the processing of personal data gives rise to obligations on the data subject and, in most cases, also on the data controller and whose non-compliance may have some consequences for the data subject, that processing most likely has as legal basis of the processing the necessity of contract performance.

Example:

The data controller wants to promote its business and it organizes a series of invitation based events, without any cost for the participants (e.g.: no attendance fee). The data controller will not be able to send invitations by email to potential participants if it does not have their prior consent to receiving such invitations. Although potential participants agreed, in the first place, to receiving such invitations, they can withdraw their consent at any time, which means that they can opt out of receiving such invitations at any time, without any harmful consequences on them, except for not being able to attend such events. On the other hand, if a person is invited to those events as speaker, in exchange for a remuneration, their personal data will be processed by the organizer based on the necessity of performing the contract concluded between them. Therefore, if the speaker will require the deletion of their personal data, depending on the terms of the contract concluded with the data controller, that will probably lead to the termination of the contract, with some liability of the data subject for the damages caused to the data controller and their personal data will most likely continue to be processed by the data controller on other legal grounds (e.g.: legal obligation or legitimate interest).

[1]  https://dexonline.ro/definitie/consim%C8%9B%C4%83m%C3%A2nt

[2] Romanian Civil Code, art. 71 para. (2)

[3] Ibid, art. 72 para. (2)

[4] Ibid, art. 271

[5] Art. 6 provides for additional legal grounds of processing but, for the purpose of this article, we have mentioned only the indicated ones.