To help organisations stay on top of the main developments in European digital compliance, Morrison & Foerster’s European Digital Regulatory Compliance team reports on some of the main European digital regulatory and compliance developments that have taken place in the fourth quarter of 2021 – and we look forward to what to expect in 2022.
In this issue, we look at the key digital regulatory legislative initiatives in the EU, the UK and Germany, and at the main elements of the EU’s 2022 “Work Programme for the Digital Age”, including the forthcoming EU Digital Services Act and Digital Markets Act. We also review key elements of the UK’s regulatory programme that will affect digital markets, especially in relation to consumer online safety. In a couple of areas – especially the development of cybersecurity requirements that will affect manufacturers of wireless and connected products, and laws on the security of network and information systems – we look at the different paths being adopted by the EU and UK towards similar regulatory goals. And we have updates on restrictions in digital advertising, auto-renewal of digital subscriptions and the implementation of the digital services tax.
The European Commission has published its annual Work Programme for 2022 – and digital issues form key parts of the EU’s forthcoming legislative agenda.
The Commission aims to deliver on six headline ambitions, including the digital transformation of the EU. Seven of its policy and legislative initiatives aim to improve the EU’s digital environment, and there are nine REFIT (Regulatory Fitness and Performance programme) initiatives to evaluate whether existing EU digital legislation remains fit for purpose. And all of this is on top of 16 priority pending “digital age” proposals that the Commission has already submitted for formal adoption by the European Parliament and the Council.
Key EU digital proposals for 2022 include:
The EU’s proposed Digital Services Act aims to regulate the operations of all digital services providers operating in the EU – wherever the provider happens to be based. The DSA seeks to address the dominance of large digital platforms, impose greater accountability on intermediaries for third-party content, and protect users from illegal goods, content or services. The DSA adopts the principle that illegal offline acts should also be illegal online.
Providers of digital platforms will be responsible for removing illegal content, meeting transparency obligations and completing additional due diligence. The DSA builds upon the EU’s e-Commerce Directive, while harmonising regulation across the EU and clarifying issues such as liability for third-party content.
In November 2021, the EU Council adopted its general approach for the DSA, although some member states described the agreement as “fragile”. In December 2021, the European Parliament’s Committee on Internal Market and Consumer Protection (IMCO) adopted its position on the DSA, which is scheduled to be voted on (and confirmed) by the Parliament’s plenary session in January 2022.
Some key changes by the IMCO and the Council include:
The EU Digital Markets Act is progressing in parallel to the DSA. It will impose specific obligations on gatekeepers who control “core platform services” that act as a gateway between business users and customers. These platforms are companies with significant online influence, such as search engines and social media companies; and non-compliance with the DMA will result in fines and penalty payments.
In November 2021, the Parliament’s IMCO approved the DMA, and the EU Council adopted its general approach to the DMA. A month later, the EU Parliament approved the IMCO’s text.
Some key changes by the IMCO and the Council include:
For the DSA, inter-institutional negotiations (the so-called “trilogues”) among the European Parliament, the Council and the Commission can begin as soon as the European Parliament confirms the IMCO position. For the DMA, trilogue discussions already began in early January 2022.
The Commission has agreed with the European Parliament and the Council that making Europe “fit for the digital age” will be one of their joint legislative priorities in 2022. Technology and digital businesses will want to keep a close eye on these key developments. Notably, the list of Work Programme initiatives is not exhaustive and the Commission may also bring forward new unplanned initiatives throughout the year.
Just as the EU is making digital regulation a key priority, the UK is also taking legislative steps to increase online and digital protection (or, depending how you look at it, increase the digital regulatory compliance burden).
As we have previously reported (see our initial client alert), the UK Online Safety Bill (OSB) will introduce a new regulatory framework to tackle harmful content online. The OSB will make in-scope companies take more responsibility for the safety of their users by introducing a statutory duty of care to prevent the proliferation of illegal content and activity online, and to protect users against content that is harmful but not illegal.
Currently, the OSB proposes a duty of care on certain online providers (essentially, so called “big tech” social media companies and search engines – but see our initial client alert for a summary of what types of digital providers are affected) to take responsibility for the safety of their UK users. Those regulated providers would have to produce clear and accessible terms of service and enforce them consistently in relation to content harmful to adults. This means that online service providers, regardless of their location, will be affected if they have a significant number of UK users. Ofcom (the existing regulator of the UK communications and broadcasting sector) would have the power to block sites and also levy fines amounting to the higher of £18 million or 10% of global turnover.
The OSB is subject to pre-legislative scrutiny by a UK parliamentary committee which has now reported on its review and recommended that the UK push for clearer and tighter regulation. The report recommends a harsher regulatory environment, including that: there should be additional criminal offences; Ofcom’s (the relevant regulator) powers must be expanded; and the duties imposed on organisations must be clarified.
In November 2021, the UK Board of Trade issued a new report on digital trade. The report recommends eight priorities for UK digital trade policy, and identifies five strategically significant objectives: securing access to overseas digital markets to allow investment and operation across borders, open and trusted international data flows, protection of consumer rights, development of digital trading systems and collaboration with international partners to set fair standards of trade.
The recommendations on the OSB given by the cross-party committee are not binding. The government will now consider the report. But the current UK Secretary of State in charge of digital policy has vowed to toughen the rules as much as she can, so it’s more likely than not that the OSB rules will get tightened.
On the digital trade report it is questionable how the UK can actually achieve the goals set out in the report in practice. The paper has identified that free trade deals will have real impact on digital trade: specifically the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), a Digital Economy Agreement with Singapore, and other strategic partnerships with the OECD, WTO E-Commerce Joint Initiative and G7. The UK government will now consider the non-binding recommendations of the report.
On 8 December 2021, the new German government took office. Based on its coalition agreement, which was signed one day earlier, all things digital will be high on the agenda of the new government. The agreement is full of “digital” plans across numerous policy areas. However, while it sets out broad plans and announces substantial reviews of existing legal frameworks, it lacks concrete measures in many areas. At the same time, of course, the field of digital regulatory compliance is increasingly governed by binding rules at the EU level that will further restrict the room for national initiatives going forward.
Nonetheless, if the new German government sticks to its plans, market participants should expect significant changes to the relevant legal frameworks for digital regulatory compliance over the next four years. See our client alert for further details.
In addition, two main digital regulatory initiatives already adopted by the German government recently entered into force:
The UK ICO released an opinion (the “Opinion”) in November 2021 on the topic of online advertising and how proposals for reform and regulation this arena should be integrated with data protection principles.
Since its last report on adtech in 2019, the ICO acknowledges that the adtech industry has been developing a number of solutions that mark a shift towards less intrusive tracking and profiling practices. The Opinion sets out guidance for market participants to develop new adtech solutions in a way that effectively addresses the ICO’s concerns and complies with applicable data protection law. Importantly, any new or different tracking solutions should remain technology-neutral, and not introduce additional privacy threat vectors and/or increase the use of fingerprinting.
Separately – but still on the topic of digital advertising – the European Court of Justice ruled in November 2021 that inbox advertising (i.e., a webmail service providing ads that mimic emails) qualifies as direct marketing and requires user opt-in.
The German government had referred five questions to the ECJ, asking whether inbox ads qualify as “use of electronic mail for the purposes of direct marketing” in the sense of Art. 13 ePrivacy Directive (2002/58/EC). The ECJ concluded that placing advertising messages in an email inbox in a form similar to that of an actual email does indeed constitute a use of electronic mail for the purposes of direct marketing within the meaning of the ePrivacy Directive. It held that such messages give rise to confusion, which may result in users being redirected, against their will, to a website containing ads. Therefore, the same requirements as for direct email marketing apply to inbox ads, i.e., the requirement to obtain a user’s consent (opt-in). The CJEU’s rationale could also be applied beyond email environments considering the broad definition of “electronic mail” in the ePrivacy Directive.
The ICO has stated that it will keep the expectations set out in its Opinion under review, and is therefore open to further input from organisations in relation to the matters set out in the Opinion. But the list of considerations highlighted by the ICO can serve as a checklist for organisations implementing adtech solutions, so that they can assess the extent to which the solution is (or is not) privacy-friendly.
Note also that the EU’s Digital Markets Act (reported above) may also affect how digital and targeted advertising can be used in the EU. The proposed DMA will apply to the major companies providing so-called “core platform services” most prone to unfair practices, which will include providers of online advertising services. Companies that meet the quantitative thresholds to fall under the scope of the DMA will have to refrain from imposing unfair conditions on businesses and consumers. As part of this, the European Parliament wants to see additional requirements imposed on the use of data for targeted or micro-targeted advertising.
Regulators across Europe are taking steps to require manufacturers of connected products to make their devices more secure against cyber-attack. There is concern that the design of wireless devices sold in the EU does not guarantee a sufficient level of cybersecurity, personal data protection and privacy of their users.
In the EU, the Commission has proposed regulations under the Radio Equipment Directive that would require manufacturers to improve the cybersecurity of certain types of wireless devices that use radio technology. The regulations will apply not only to EU manufacturers, but also to any manufacturers who place products on the EU market, so compliance will be important to any global businesses that export to the EU.
The proposed new laws will cover internet-enabled devices, wearables that collect biometric data and toys and childcare equipment, including smartphones, tablets, cameras, electronics, baby monitors, smartwatches, fitness trackers and telecommunications equipment. Products excluded from the scope of the legislation include motor vehicles and medical devices, because their cybersecurity standards are covered in other legislation. The regulations will not apply retrospectively, so any devices already sold in the EU can continue to be used without the need for specific adaptations until the end of their lifecycle.
This is different from (and additional to) the proposed European Cyber Resilience Act announced by Commission President von der Leyen in her 2021 State of the Union speech; that Act will cover more products and a wider product lifecycle.
The post-Brexit UK is also planning to create a new regulatory scheme that will make consumer connectable products more secure against cyber attacks. The current UK Product Security and Telecommunications Infrastructure Bill is a wide-ranging piece of legislation that will impact all economic actors in the supply chain from manufacturers and importers to distributors. The UK government will specify security requirements relating to relevant connectable products and create obligations on manufacturers, importers and distributors to comply with those relevant security requirements.
Given the pervasiveness of wireless and connected technology, the Bill is also likely to impact property developers, and tradesmen installing home products like smart fridges and thermostats (where the products cannot be sourced from elsewhere). This may come as a surprise to many, especially when considering the wide-ranging enforcement powers in the Bill, which include eye-watering fines up to the greater of £10 million or 4% of an organisation’s qualifying worldwide revenue, putting the Bill’s financial penalties on a par with those that can be issued for a breach of the retained EU law version of the General Data Protection Regulation.
The EU cybersecurity device regulations will be scrutinized by the European Parliament and the Council in early 2022 and, if no objection is raised, will be published and take effect, subject to a 30-month transitional period to enable manufacturers to adapt the design of affected products.
In the UK, the Bill does not yet contain details of what the relevant security standards will be (and those will be set out in regulations to be issued by the Secretary of State at a later date). So we don’t yet know the full impact of the proposed legislation – nor whether there are overlaps with (or differences from) the separate EU requirements that will be imposed on many of the same products.
European regulators are tackling perceived unfairness in the market for consumer digital subscriptions that auto-renew, often even if the user has stopped using the product. Auto-renewal laws have also been a focus of legislative activity in the U.S.
At the EU level, auto-renewals for subscription agreements were already severely restricted for B2B and B2C telecoms contracts: the European Electronic Communications Code (Directive (EU) 2018/1972) requires that customers must be able to terminate their auto-renewed telecoms contracts at any time with a notice period of one month. Providers must also inform their customers of the impeding end of the current term and termination options prior to each automatic renewal. These rules should already be in force across the EU, but a number of Member States are still behind with their implementation efforts.
In Germany, new rules under the Fair Consumer Contracts Act that restrict auto-renewals for all consumer subscription agreements will enter into force in March 2022. Based on these rules, it will no longer be possible to agree on auto-renewals except where any renewal is for an indefinite period only and the consumer is explicitly given a termination right with a notice period of no longer than one month. See our prior client alert.
In the UK, the issue of auto-renewals has gained highest focus in the market for anti-virus software, which was subject to a study by the Competition and Markets Authority (CMA). The CMA has now published compliance principles for anti-virus software providers that use auto-renewing contracts. As a result of an investigation by CMA into one leading anti-virus software provider, the CMA is now calling on all other providers to review their current terms and practice – and to change them where necessary.
The principles also contain practical guidance on how to comply.
Although targeted at anti-virus software providers, any business with consumer-facing auto-renewing subscriptions in other digital markets should consider the guidance as best practice.
MoFo has also reported on similar regulatory activity in the U.S. with a number of states introducing or revising auto-renewal laws.
Our Q3 Alert discussed the July 2021 OECD proposals on a two-pillar solution to address the tax challenges arising from the digitalisation of the global economy. On 8 October 2021, the OECD further refined the proposals with rates and thresholds provided, more information on the scope of carve-outs and a detailed implementation plan. The OECD announced that 136 countries (increasing to 137 by the signing of Mauritania) had agreed on the outstanding aspects of the proposals, with four countries (Kenya, Nigeria, Pakistan and Sri Lanka) yet to join.
Since the July statement, under pillar one, the percentage of residual profits (any profit above a 10% margin (now to be calculated using an averaging mechanism)) re-allocated to market jurisdictions was set at 25%. To appease objections, the OECD agreed to reduce the turnover threshold to €10 billion, contingent on successful implementation of pillar one, with the relevant review beginning after seven years. Under pillar two, the global minimum tax rate was set at 15%, with Ireland successfully negotiating removal of the “at least” qualifier. In addition, a carve-out for those countries in the initial phase of international activity and a de minimis exclusion were included.
A two-year moratorium (until 31 December 2023) on new digital services taxes (DSTs) was also introduced. In line with this, on 21 October 2021, the UK, Austria, France, Italy and Spain (each having implemented DSTs, or equivalent) and the U.S. agreed to transition from such measures as part of the implementation of pillar one. In summary, (i) the U.S. agreed to terminate proposed punitive trade actions against DST-imposing countries, (ii) DST-imposing countries could maintain DSTs until the implementation of pillar one and (iii) DST-imposing countries would give credit for taxes accruing during an interim period, to the extent that they exceed a notional amount calculated against any equivalent tax that would be due under pillar one.
We expect the next steps to be the publication of model rules implementing pillar two that, together with a draft multilateral convention implementing pillar one, will include further details, including on dispute prevention and resolution and the mechanics for phasing out interim DST measures.
In the last quarter of 2021, there were two relevant enforcement developments in Germany in combatting harmful online activity that have relevance beyond the individual cases:
Based on the decision on liability of social media providers, all operators of online services disseminating user-generated content should brace for increased third-party litigation activities in light of their content moderation efforts. In line with the EU principles for provider liability, operators of online services should ensure to act expeditiously upon receiving reports on allegedly illegal content.
The decision on enforcement of German youth protection rules against services based in other EU Member States is an important milestone for the German authorities. However, it is unlikely to be the basis for increased enforcement against EU services doing business in Germany. The Court essentially confirmed that German authorities must adhere to the complicated procedure established under EU law before they can directly target foreign EU services (which the authorities did in the case at hand).
Both the EU and UK are working on updates to their respective laws on the security of network and information systems (NIS). As ever where the UK and EU are pursuing similar goals on a separate track, the question is: what will end up being the same and, more importantly, what will be different?
The EU’s “NIS Directive” (Directive on security of network and information systems) was the first piece of EU-wide cybersecurity legislation designed to achieve a high common level of network and information system security across the EU’s critical infrastructure. It applies to certain businesses operating in the EU (operators of essential services in the energy, transport, health, water and digital infrastructure sectors, and certain digital service providers, i.e., online search engines, online marketplaces and cloud computing services). It requires businesses to: secure their network and information systems by taking technical and organisational measures appropriate to the risk; ensure service continuity by taking appropriate measures to prevent and minimise the impact of any incidents; and notify the regulators of any security incident that has a significant impact.
In late 2021, the EU Council and the European Parliament each agreed on their positions on the European Commission’s proposal for a Directive on measures for high common level of cybersecurity across the Union (the “NIS 2 Directive”), which is set to replace the existing NIS Directive. All three bodies will now engage in inter-institutional trilogue negotiations to finalize the terms of NIS 2 Directive in early 2022.
Once it is adopted, EU Member States will have 24 months (according to the Council text) to fully transpose the NIS 2 Directive into national law.
The NIS 2 Directive is intended to modernize and broaden the scope of the existing NIS Directive, and to provide greater clarity for subjected entities and sectors, while strengthening and harmonising existing security requirements. To this end, the NIS 2 Directive is set to introduce a number of key reforms:
for not complying with incident reporting and/or cybersecurity risk management measures, whichever is higher.
The UK implemented the NIS Directive before Brexit through the Network and Information Systems Regulations (2018) (the “NIS Regulations”). The NIS Regulations were updated at the end of 2020 in advance of the end of the Brexit transition period (with the changes taking effect in January 2021). Further amendments were also introduced in light of the first post-implementation review of the NIS Regulations and prior reviews regarding implementation of the NIS Directive. The next Post-Implementation Review is due in 2022.
In 2021, the UK government set out its response to a public consultation that focused on addressing deficiencies in some of the incident-reporting thresholds.
As a result of the consultation, in December 2021, the Network and Information Security (EU Exit) Regulations 2021 were made to amend (from January 2022) the incident-reporting thresholds for relevant digital service providers under the NIS Regulations, such that the reporting thresholds will instead be set, on a national basis only, by the ICO in guidance. This change will bring digital service providers in line with other organisations covered by the UK NIS rules, such as operators of essential services, for whom thresholds are already set out in guidance.
Germany recently revised its own implementation of the NIS Directive in May 2021 by adopting a new statute branded “IT Security Act 2.0”. The new rules largely pre-empted many of the amendments now debated at the EU level so that only limited further revisions will likely be necessary once the NIS 2 Directive is finalized.
In October 2021, the UK Intellectual Property Office (IPO) released an open consultation on Artificial Intelligence (AI) and its interaction with Intellectual Property (IP) and copyright protection. This consultation follows an earlier call for views on the AI and the IP framework by the UK government. This consultation has more focused aims, looking at the future treatment of three key areas:
This consultation is released against the backdrop of the UK’s National AI Strategy, which was published in September 2021, and laid out the government’s plans to turn the UK into a global AI powerhouse in the next 10 years. As such, plans to reform the copyright and patent regime for the benefit of encouraging AI research and innovation are a key step in meeting the long-term needs of a sustainable AI ecosystem and economy. This wider government strategy followed a similar publication in April 2021 by the European Commission, which set out its own comprehensive proposals for regulating AI technologies. These steps by national governments illustrate both a general regional desire to regulate and the proliferation of these dynamic, new technologies.
The IPO consultation laid out some far-reaching policy options for each of three areas the IPO is seeking responses on, such as copyright and patent protection being extended for computer-generated works. Particularly for AI-devised inventions, the IPO suggested there could be a new right entirely, akin to patents but with limited exclusive rights. This right would afford AI technologies shorter-term rights over their inventions, so as to reflect the more efficient ways in which AI technologies invent than their human counterparts. The IPO acknowledged there is no other known country that provides for a separate right for AI inventorship, thus highlighting the UK’s aspirations of becoming a progressive global leader in the AI sector. Even the Parliamentary undersecretary of state at the Department of Digital, Culture, Media and Sport (DCMS) stated that, with the National AI Strategy, the UK wants to keep minimum regulation of this sector so as to encourage innovation.
These views of the UK government remain at odds with the European Commission proposals that inclined towards more strict regulation of “high risk” AI. The divergence between the UK and the EU stances on the topic of AI may make business in the EU difficult for UK-based AI-developing companies, and vice versa. Furthermore, while the UK government is still in the phase of policy consultations, the EU Parliament and lawmakers are already negotiating their proposed AI regulations. As such, the EU may adopt its own regulatory AI proposal well before the UK, undermining the potential trend-setting aspirations of the UK government. Nonetheless, the UK government’s pro-commerce stance on AI regulation may be welcomed by the AI industry.
The EU is likely to curtail the retention of traffic and location data unless there is a serious threat to national security.
In November 2021, Advocate General (AG) Campos Sánchez-Bordona published his opinion on three cases regarding data retention, including one German joint case that involved an appeal against domestic court judgments that were originally in favour of two companies providing internet access services. The internet service providers successfully challenged the German legislative obligation to store customers’ telecommunications traffic data from 1 July 2017 and the Federal Network Agency’s (FNA) appeal application was referred to the Court of Justice of the European Union (CJEU).
The CJEU acknowledges concerns that recent case law on data retention and access could deprive Member States from safeguarding national security and combatting crime and terrorism. However, the AG views this case law to already answer the FNA’s question and his opinion addressed three main points regarding the German position:
Although the AG’s opinion is non-binding, it is highly influential and the CJEU has already ruled in previous cases that groundless, generalised data retention is incompatible with EU law. We now await the CJEU’s judgment, but the AG’s opinion itself has been “noted with great attention” by Germany’s traffic light coalition. The coalition is comprised of Germany’s Social Democrats, who campaign for data retention, and the Greens and Free Democrats, who are strongly against such retention without just cause.
Business from across the EU are teaming up to build a European data and cloud infrastructure aided by significant EU funding. In October 2021, government representatives and more than 200 companies from across the EU came together to kick-off the matchmaking process for an integrated Important Project of Common European Interest on Next Generation Cloud Infrastructure and Services (IPCEI-CIS).
The IPCEI-CIS program aims at creating an EU-wide open and scalable digital infrastructure to promote technological innovation, data sovereignty and cybersecurity for Europe’s industries. Eligible sub-projects will target various “building blocks” along the value chain of the envisaged Distributed Multi Provider Cloud-Edge Continuum. They will normally have to involve cross-border cooperation and, in any case, have to benefit a wider part of the European economy. Companies whose proposals have been pre-selected by the 12 participating EU member states are now looking for partners and collaborations to realize the joint project. Once cleared by the EU Commission, participants of the IPCEI-CIS will benefit from significant funding: Germany alone has earmarked up to €750 million.
(Pre-)Notification of the industrial cloud project to the EU Commission for approval under state aid rules was supposed to begin in December 2021. This makes the IPCEI-CIS the first project to be assessed under the revised Communication on IPCEI, which was adopted in November 2021 and has been in force since January 2022. Most importantly, the EU Commission will consider whether the project pays tribute to the sustainability and climate objectives of the EU by promoting energy efficiency of cloud infrastructure and applications. EU Member States expect the projects to start in mid-2022.
We are grateful to the following members of MoFo’s European Digital Regulatory Compliance team for their contributions: Trevor James, Felix Helmstädter, James McDevitt, Alexander Eisenfeld, Georgia Wright, and trainee solicitors Harry Anderson, Sakshi Rai and Michelle Luo.