European Digital Compliance: Key Digital Regulation & Compliance Developments
European Digital Compliance: Key Digital Regulation & Compliance Developments
To help organisations stay on top of the main developments in European digital compliance, Morrison & Foerster’s European Digital Regulatory Compliance team reports on some of the main European digital regulatory and compliance developments that have taken place in the first quarter of 2022 – and we look forward to what to expect in forthcoming months.
In this issue, we look at UK digital regulatory policy – and especially the publication of the UK’s Online Safety Bill, which is both far-reaching and controversial in its effects on providers of digital services. We also highlight recent and forthcoming digital regulatory initiatives from the EU – and the recent adoption of the Digital Markets Act that will regulate certain online services offered by large digital “gatekeeper” companies. And we report on the contrasting UK and EU approaches to cyber security and resilience and on recent prominent European case law affecting digital operations.
The UK government has finally introduced its draft Online Safety Bill to the UK parliament. The proposed new law sets out extensive requirements on all digital service providers operating in the UK, whether UK-based or not – and including obligations on digital providers to police illegal activity online, as well as, more controversially, activity that is not illegal but may be deemed harmful. Unhelpfully for the technology sector, the UK proposals are different from the EU’s plans to regulate online content.
The genesis of the Online Safety Bill was a White Paper on online harms published in 2019 – leading to the first publication of the draft bill in 2020 (read our summary). Since then, the UK government has gradually expanded the scope of the UK proposals to include new criminal offences regarding harmful online content and activity (such as against “cyberflashing”), duties to minimise fraudulent adverts and possible age verification requirements on adult content, among others. As one of the first major pieces of legislation aiming to tackle illegal and harmful content published online by regulating big social media platforms, it has attracted attention on the global stage.
The Bill proposes a duty of care on online providers to take responsibility for the safety of their UK users. This means that online service providers, regardless of their location, will be affected if they have a significant number of UK users. The Bill covers not just social media platforms – it also imposes duties on any provider of “user‑to‑user” services or any search services. This casts a wide net over internet service providers, including any platforms that provide forums, message boards, or host any user-generated content. Affected companies will have to make special assessments and fulfil specific duties where services are likely to be accessed by children in respect of both illegal and harmful content. To meet the duty of care, companies will need to put in place systems and processes to ensure user safety.
The Bill appoints Ofcom (the existing regulator of the UK communications and broadcasting sector) as the regulatory enforcement authority, with the power to block sites and also levy fines amounting to the higher of £18 million or 10% of global turnover.
The May 2021 draft of the Bill was subject to much public scrutiny by bodies, rights groups, affected companies, and campaigners. Following this and additional parliamentary scrutiny, new amendments are proposed, including:
Notably, the Bill goes beyond the EU’s proposed Digital Services Act by introducing duties of care in relation to harmful (but not necessarily illegal) content. The Bill also now requires UK Parliament to vote on the definition of so-called “lawful-but-awful” content. This aims to prevent those providing regulated services from applying an over-zealous approach to moderating content.
In addition to the above, the changes also propose bringing forward criminal sanctions on senior managers who fail to comply with information notices. However, it’s worth noting that the majority of the detail required by companies to ensure compliance will be published by the regulator once the Bill is enacted.
The Bill will be read in both Houses of Parliament and so could be subject to more revisions. See more in our client alert.
The UK government has described 2022 as a “landmark year” for shaping the UK’s digital regulatory policy. Looking to take advantage of what it perceives as momentum stemming from Brexit, the UK government is keen to put in place its vision of driving growth and innovation across the nation’s digital economy.
As part of these efforts, in March 2022, the Department for Digital, Culture, Media & Sport (DCMS) circulated a letter to the Digital Regulation Co-operation Forum (DRCF) – a consortium made up of some of the UK’s key regulators: the Competition and Markets Authority, the Information Commissioner’s Office, the Financial Conduct Authority, and the Office of Communications (Ofcom). In the letter, the DCMS highlighted the government’s priorities for the digital regulatory landscape and included requests for:
The DRCF has recently launched a new digital regulation research portal, which compiles its research into emerging and future digital developments from eight regulatory bodies, including the DRCF members noted above, the Intellectual Property Office, and the Bank of England. The research amassed will be publicly available, so it will not only contribute to the government’s efforts to gain industry insight, but should also be useful for the public at large.
The government’s actions as of late appear to line up with its efforts to make the UK an international leader in the digital regulation landscape, a point that was included in the government’s July 2021 plan for digital regulation. Despite such great ambitions, a recently published summary of stakeholder responses to this plan contain mixed views as to whether the UK should take a leadership role internationally and encourage international regulatory alignment.
The key stakeholder responses ranged from Big Tech organisations to regulators such as Ofcom and the UK Financial Conduct Authority. Amongst other requests, the stakeholders called for flexible and innovative new approaches to regulation, with an outcomes-based regulatory approach being preferred. The stakeholders also widely welcomed the DRCF as a positive starting point for ensuring that regulators are effective, coherent and coordinated, agreeing with the DCMS that regulatory coordination will be integral to successfully regulating digital tech and increased transparency.
Although it is helpful to know the government’s ideas and plans to implement proportionate and dynamic regulation, only time will tell whether or not it will be able to achieve this. It’s also interesting to note that the government professes to want to take a “strategic, pro-innovation approach to digital regulation” while at the same time producing, in the draft Online Safety Bill, a controversial and aggressive approach to digital regulation.
The DMA will come into effect as an EU Regulation, i.e., no further implementation into Member State law will be required. It addresses:
Once designated as a gatekeeper by the EU Commission, a company’s relevant core platform services will become subject to a range of specific behavioural obligations, such as a ban on certain self‑preferencing, data sharing, or access restriction practices. Those obligations will be self-executing, i.e., they will apply automatically without any further enforcement steps. Non-compliance will be subject to regulatory enforcement by the EU Commission (including potential fines), and may also lead to private enforcement by competitors or other third parties.
The specifics of the final compromise over the DMA’s wording have not yet been made public but, once they are, we will follow up with a detailed client alert. The legislation is now awaiting final adoption by the EU Parliament and Council. The DMA is then expected to take full effect in late 2023 or early 2024, taking various interim steps and transition periods into account.
The Declaration builds on previous EU legislation as well as the EU Charter of Fundamental Rights, and it outlines how these fundamental rights should apply in the digital sphere. The six chapters cover a wide range of issues from democratic values in the online world, fair and equal access, freedom of choice, censorship, child protection, and a “Green Deal” for digital technology.
The Declaration constitutes part of a wider EU digital agenda comprising ongoing legislative proposals such as the Digital Markets Act to reign in the power of gatekeepers (see above), the Digital Services Act to regulate online content, EU Artificial Intelligence Act, the EU Data Act (see below), and EU Chips Act.
While the title of the Declaration sounds ambitious, its legal effect will be limited. It is a political declaration with no directly binding effect. Despite this purely political nature, the Declaration will be an important guideline for on-going and future legislation in the digital sphere. Its three future signatories (the European Commission, Parliament, and Council) will consider the values and commitments enshrined in the Declaration when drafting the future rules for a digital Europe. The Declaration urges EU Member States to follow its best practices to avoid infringement proceedings later on.
The Declaration is expected to be signed in summer 2022.
On February 23, the European Commission published its proposal for the EU Data Act, a sweeping regulation that aims to provide a harmonised framework for data sharing, cloud switching, and international transfers of non‑personal data – read our full client alert. The Data Act is intended to “form the cornerstone of a strong, innovative and sovereign European digital economy” according to the Commission’s press release.
One main idea behind the proposal is the notion that every actor that contributes to the generation of data should be able to freely access that data. As such, the proposal touches upon both data protection and competition aspects throughout its four main areas of regulation – and so, for example, in the “Internet of Things” space, IoT products must be designed so that users can easily access any data generated through their use of the product; and, upon the user’s request, any data generated via IoT products must be made available to the user or to third parties designated by the user.
The Data Act also establishes detailed rules for the terms and conditions for mandatory data sharing under the Data Act or other EU law. For cloud services, the Data Act will provide a detailed regime for switching between cloud providers and restrictions for international data transfers within cloud infrastructure.
Once adopted, the Data Act will have significant impact on the data economy in the EU. It will primarily affect providers of connected products and related services as well as cloud providers, but it will potentially also concern any company that holds any data – personal and non-personal – as a result of offering its services in the EU. The Commission proposal will now be debated in EU Parliament and Council and can be expected to enter into force by mid-2024.
In Q1 of 2022, the European Commission held a public consultation regarding its plans for a new legislative initiative aimed at safeguarding media freedom in the EU. The initiative – labelled the “Media Freedom Act” – is based on the Commission’s view that the EU’s internal market suffers from diverging Member State rules on media pluralism, a lack of cooperation between national media regulators, and a lack of safeguards for diversity of opinion in online environments.
The Commission found that the existence different national regimes and enforcement procedures (as well as diverging interpretations of key regulatory concepts) can be a barrier to market entry and impede EU operations for media companies. It also wants to address the threat that some Member States might increasingly seek to use government resources to put pressure on the media or to interfere with editorial or management decisions.
To address these issues, the Commission is proposing several policy options – ranging from mere increased cooperation in existing pan-EU regulatory bodies such as the European Regulators Group for Audiovisual Media Services (ERGA) to full-fledged legislation aiming to further harmonise the applicable rules where they are found to diverge amongst Member States. The latter could lead to harmonised regulation of media transactions, transparency of media ownership, and safeguards for editorial independence of media outlets.
Based on the feedback collected during the public consultation that closed in March 2022, the Commission will now formulate its legal and regulatory response – likely in the form of a legislative draft. This is expected to be published in Q3 of 2022.
The EU Commission is pushing forward its initiative to promote more sustainable use of goods – one aspect of which could be a wide consumer “right to repair”. The initiative, which aims to tackle negative impacts on the global environment as a result of premature disposals of goods, will likely lead to an amendment of the Sale of Goods Directive, thereby imposing new requirements on manufacturers of many goods and items sold to consumers in the EU.
According to the EU Commission, under the current legislation, consumers usually choose to have defective products replaced rather than repaired during the statutory warranty period. Additionally, consumers purportedly lack incentives to buy second-hand or refurbished goods. The Commission finds that this leads to a growing amount of waste and negative environmental consequences. Therefore, the stated goal of the new initiative is to establish minimum repairability rules throughout the EU, enabling consumers to save costs, encouraging manufacturers to design longer-lasting goods, and facilitating the development of a circular economy.
Possible policy options considered by the EU Commission range from a voluntary commitment of businesses to repair goods to obliging producers or sellers to repair goods even beyond the statutory warranty period (in some cases, for free), and/or extending that warranty beyond the current minimum of two years.
The Commission held a public consultation asking stakeholders to submit their feedback on the existence and extent of the problem as well as on possible policy options and their likely impacts. Following that, the Commission will now formulate its legal and regulatory response – likely in the form of a legislative draft. This is expected to be published in Q3 of 2022, when the impact of any “right to repair” on manufacturers should become more clear.
NFTs (non-fungible tokens) are digital assets that represent natively digitally created works or digitalized real-world objects (e.g., images of existing artwork). In contrast to fungible tokens, non-fungible tokens are marked as “originals” by way of a digital signature in their blockchain. Blockchain technology ensures the tradability of NFTs by securing that – even though digital assets can easily be copied – the provenance and originality of a NFT cannot be tampered. NFTs are therefore even proposed as a secure way for trading real world assets such as real estate (in respect of which blockchain pilot projects have been initiated in Sweden and Georgia) or collectibles.
While the technology has been around for some time, NFTs have become increasingly popular with an increasing number of eye-catching artwork trades having taken place. However, NFTs are also used as new ways of exploiting brands, selling merchandise or opening up new streams of revenue. For example, all assets sold in the real world could additionally be sold as NFTs to different purchasers, thereby doubling revenue. Already, a substantial number of companies and organizations have picked up on this – with global sports leagues, for example, tokenizing images of special moments during key games as NFTs (thus taking the old-fashioned sports’ trading card concept to the next level). For a recent video game launch, users bought over $50 million in tokenized virtual real estate before the game was even released. Not surprisingly, numerous crypto start-ups are eager to digitalize and tokenize assets and sell NFTs, and NFT trading platforms have seen a significant rise in activities since 2021.
As with most new technology trends, a large number of legal questions are currently hotly debated by regulators, creators and investors alike. In the EU, one of the key questions relates to the application of financial market surveillance, including the potential qualification of NFTs as a prospectus or securities, or NFTs being subject to banking laws including registration and brokering license obligations.
In September 2020, the EU published the Markets in Crypto-assets Regulation (MiCA), which would regulate many types of cryptoassets that are currently seen as out-of-scope of the regulatory regime. MiCA’s definition of cryptoassets could be wide enough to include NFTs and so NFT issuers will likely be required to comply with certain business conduct and governance requirements.
In Q1 of 2022, the Commission has been trying to push MiCA forward in the EU legislative process, with key discussions focussing on the extent to which any issue cryptoassets would need to be supported by a prospectus-like white paper. Interestingly, cryptoassets that are “unique and not fungible with other cryptoassets” could be excluded from the requirement to publish a white paper for public offerings – and so this exemption would likely extend to NFTs as a whole (although perhaps not to fractional entitlements in NFTs).
The EU has approved a negotiating mandate for MiCA that will allow trilogue negotiations between the Parliament, Council and Commission – so MiCA will now proceed through to that stage of the legislative process. MiCA is anticipated to take effect by 2024.
Providers of “Internet of Things” (IoT) devices recently woke up to the reality that, with one simple strike from the European Commission, their products went from largely unregulated to being brought under full EU market control.
In January 2022, the EU published Delegated Regulation 2022/30/EU, bringing IoT devices within the scope of the Radio Equipment Directive 2014/53/EU (RED), and enforcing strict cybersecurity, privacy, and fraud prevention compliance requirements.
IoT providers have until 1 August 2024 to adapt their products to comply in order to keep EU market access. EU market surveillance authorities will be able to take corrective action, order recalls, and withdraw products for non‑compliance.
See our client alert for further insight.
The European Commission has launched a new initiative titled “Cyber Resilience Act” by which it aims address the risks that cybersecurity incidents in digital products and related services can pose for economic and social activity across the EU.
The Commission alleges that vendors of digital products and services (e.g., hardware manufacturers, software developers) often do not put in place adequate cybersecurity safeguards when placing their offerings on the EU market for various reasons, e.g., to beat their competition in the rollout of new products, to save costs, or because they lack sufficient expertise.
The Commission also found that vendors often react inadequately to cyber threats and vulnerabilities throughout the lifecycle. In light of these issues, the Commission sees a need to respond with regulation because it believes that existing legislation, such as the NIS Directive, the Cybersecurity Act, or product-specific requirements such as the ones for IoT products cited above, does not cover all relevant aspects (e.g., whole-lifecycle requirements) or types of products (e.g., non-embedded software).
To address these issues, the Commission is considering several policy options. The one with the most impact on companies doing business in the EU would be implementing horizontal rules setting up specific cybersecurity obligations for a broad range of digital products and services as well as for software. This could also entail CE certification requirements for relevant products or software via self-certification or mandatory third-party conformity assessments.
The Commission has invited stakeholders to provide feedback on these policy options by May 2022. Based on that feedback, the Commission will then finalise its legislative proposal, which it is expected to present in Q3 of 2022.
The UK Government’s Department for Digital, Culture, Media & Sport (DCMS) has launched a public consultation on proposals to amend the existing Network and Information Systems Regulations 2018 (NIS Regulations). This forms part of its wider effort to better protect the UK economy and critical national infrastructure from new and emerging cyber security threats.
Notably, the UK Government has highlighted the need to address the heightened risk and critical vulnerabilities arising from the growing dependence by in-scope essential services on networking and information systems and digital supply chains.
Key proposals include:
Once the consultation closes, DCMS will assess whether to bring forward new laws in the UK to strengthen the UK NIS Regulations. The effect is likely to be to impose new obligations on a wider range of digital services providers – which, in likelihood, will be different from the obligations and scope of the equivalent EU set of rules.
The European Court of Justice has held in Tiketa UAB v M.S. that a ticketing website that acts as a digital online intermediary for an event organiser is itself a trader for the purposes of the Consumer Rights Directive (2011/83/EU) (CRD) – and so has to ensure compliance with the CRD. This means that both an intermediary and a principal trader may both qualify as traders for CRD purposes at the same time.
The ECJ actually went further than the Commission’s own previous guidance. The decision will have an effect on any EU or non-EU-based digital platform through which other businesses provide goods or services to users.
It had been thought that an intermediary could avoid liability by telling consumers that it is acting as an intermediary. But the ECJ limited this exclusion to liability for non-conformity with the sales contract under the Sale of Goods Directive (1999/44/EC) (SGD) – whereas the CRD governs consumers’ rights rather than the application of contract law.
Unhelpfully, the ECJ decision doesn’t explain the extent of an intermediary’s obligation to “ensure compliance” with the CRD (e.g., the CRD rules around providing pre-contract information, withdrawal rights, delivery and additional payments). And, indeed, imposing a general compliance obligation on digital intermediaries is somewhat inconsistent with the amendments since made to the CRD by the EU Enforcement and Modernisation Directive, which merely require online marketplaces to disclose information such as the seller’s self-declared status (trader or consumer) and how the seller and marketplace have agreed to share contractual obligations such as delivery.
This ECJ is likely to need some clarification. But, in theory, it could mean that online marketplaces or webshops operating in the EU would now have to fulfil additional due diligence requirements, for example by checking and ensuring that traders on their platforms comply with the CRD, or they will need to start providing mandatory CRD information themselves.
Tiketa is a post-Brexit decision and so is not binding on the UK courts – although the UK courts may have regard to it.
In a landmark ruling on the pastiche copyright exemption, the Regional Court of Berlin has ruled that the reference to a pre-existing digital work by means of collage-like integration into a new work (in this case, an oil painting by acclaimed artist Martin Eder) is fully permissible as a so-called “pastiche” and does not constitute a copyright infringement of the referenced pre-existing work.
A pastiche is defined as a new artwork taking over an existing work (in whole or in part) or mirroring the style of an artist in order for the new artwork to “enter into a dialogue” with the referenced work. Under EU law, the pastiche has been anchored as a copyright exemption in the InfoSoc Directive since 2001 but has not been much discussed in courts or literature.
This judgment by the Regional Court of Berlin is one of the first rulings on the pastiche copyright exemption, which has long been recognised in German copyright law, but has been expressly included in the German Copyright Act (Section 51a UrhG) only in July 2021. The judgment could still be appealed. In its judgment, the Court emphasises the importance of the pastiche copyright exemption in the context of the artistic dialogue with digital artworks. This goes along with the reasoning of the lawmaker, which emphasises that the pastiche exemption has to take into consideration the increasing digitisation, new technical inventions, and corresponding new ways of interacting with digital works.
The judgment reaches beyond German copyright law and will likely be relevant for all future EU court interpretations of this exemption. It is of special significance to online content sharing service providers because Art. 17 (7) (b) Copyright Directive expressly obliges such providers to ensure that users can rely on the pastiche exemption when uploading their works. Upload filter technology will have to consider the pastiche exemption.
Interestingly, since the dispute was pending since April 2018, the BGH had to base its decision on the then‑applicable German and EU laws. Most prominently, this did not yet include the GDPR (Regulation (EU) 2016/679), which only entered into force in May 2018. In April 2018, the German Telemedia Act (TMG) provided that online services “shall enable the use of their services anonymously or under a pseudonym, insofar as this is technically possible and reasonable”. This was based on the Data Protection Directive 95/46/EC. The BGH held that the TMG complied with the Data Protection Directive. It thus concluded that social networks were allowed to request users to provide their real names when setting up their account with the social network. By contrast, the BGH held that it was not reasonable to require the users to use their real name also for the subsequent use of the social network. Social networks could therefore not enforce the real-name policies in their terms.
It will remain to be seen whether the BGH’s decision also applies under the current legal landscape under the GDPR and the new German Telecommunications and Telemedia Data Protection Act (TTDSG). The TTDSG contains provisions identical to those under the previous TMG about the anonymous use of online services. However, it is not entirely clear whether this TTDSG complies with the now-applicable GDPR. Hence, if this question become relevant again, German courts would likely refer the case to the European Court of Justice. Until that happens, social networks can still take the position that the requirement to allow pseudonyms has not been decided under current law and that requesting real names remains permitted for the time being.
During Q1 of 2022, two developments paved the way for a significant pruning of the German rules in the Network Enforcement Act (NetzDG) on how social networks and video-sharing platforms have to deal with illegal online content posted on their services:
On the litigation side, the NetzDG case will now make its way up the court hierarchy, and the review might eventually also include a referral to the European Court of Justice for a preliminary ruling. During this process, enforcement of the affected NetzDG rules will remain suspended for the companies engaged in legislation. It remains to be seen if the regulator issues a broader suspension also in favour of other companies – just like the German telecoms regulator has done it when courts found that German data retention rules violated EU law.
In respect of legislative pruning of the NetzDG, the Terrorist Content Online Regulation will apply from June 2022, and the German government will aim to have its implementing rules in force by that time. Further pruning may then be just around the corner, considering that the EU is expected to finalise its Digital Services Act (DSA) in Q2 of 2022. The DSA will bring into effect harmonised rules on how online services will have to deal with illegal content – and in the face of which existing national requirements in this space will have to step back.
We are grateful to the following additional members of MoFo’s European Digital Regulatory Compliance team for their contributions: Sakshi Rai and Femi Omisore.