European Digital Compliance: Key Digital Regulation & Compliance Developments

Keep up with the latest legal and industry insights, news, and events from MoFo

Estimated reading time: 30 minutes

To help organizations stay on top of the main developments in European digital compliance, Morrison Foerster’s European Digital Regulatory Compliance team reports on some of the main topical digital regulatory and compliance developments that have taken place in the first quarter of 2023.

This report follows our previous updates on European digital regulation and compliance developments for 2021 (Q1, Q2, Q3, Q4) and (Q1, Q2, Q3, Q4) 2022.

In this issue, we look at how both the EU and UK are clamping down on green claims in advertising, EU proposals to require online traders to provide a “withdraw” button for consumers, and what the EU and the UK are doing to update and enforce their respective laws on the security of network and information systems. We also provide an update on the regulatory developments in artificial intelligence in the EU and UK.

1. EU targets heavy-data traffic generators and consults on a “Connectivity Tax”

The European Commission is considering intervening in the commercial relationship between large content and application providers (CAPs) and internet access providers (IAPs).

For several years, IAPs have been calling for some sort of compensation payable by certain CAPs whose services are the origin of a significant proportion of data traffic on their communications networks. The proposed compensation is labelled with terms such as “connectivity tax” or “fair share contribution”.

IAPs claim that the relationship between global “Big Tech” companies and the European infrastructure providers must be brought into balance. CAPs and major civil society organisations strongly oppose the concept, claiming that the traffic is caused by the IAPs’ own customers (i.e., users) who pay for the data transport.

What’s new?

In February 2023, the Commission launched an “exploratory consultation” on the “future of the electronic communications sector and its infrastructure”. The consultation intends to facilitate an open dialogue with all stakeholders about the “potential need for all players benefitting from the digital transformation to fairly contribute to the required investments”. The Commission sees a discrepancy between ever-increasing traffic volumes and only moderate IAP returns as well as a low appetite to invest in network infrastructure.

Apart from that, while the Commission’s questionnaire does not take a position per se, its design and language clearly reveal a level of sympathy with the idea of a contribution to be paid by the so-called “large traffic generators”. This terminology implies a characterisation of very few “Big Tech” companies as generating their profit at the expense of European infrastructure builders. Many of the questions seem to be designed to trigger responses in support of this imbalance being fixed.

In addition, a chapter with consumer-focussed questions emphasises the need for universal services and affordability of high-speed connectivity, practically ruling out that consumers should bear the cost of building up networks to cope with their own increased traffic demands (e.g., through data caps, higher subscription prices, etc.).

What’s next?

The Commission’s consultation is open until mid-May 2023. After the previous regulatory initiatives aimed at very large online platforms and gatekeepers through the Digital Services Act and the Digital Markets Act, it would not come as a surprise if the EU Commission now starts to lay the groundwork for another big U.S. tech-focussed regulatory initiative; this time with a direct financial impact.

In the meantime, see our fuller summary of the consultation and the underlying dispute.

2. The EU Data Act: Where does it stand, and what’s the UK position?

In February 2020, the European Commission published its proposal for a Data Act that intends to build a framework for sharing data generated by connected devices and related services. The hotly debated draft Data Act is intended to complement the existing suite of EU legislation relating to the use of data and, in its current form, would cover (with extraterritorial effect): (i) manufacturers of internet-of-things (IoT) products and providers of IoT services that are marketed or provided on the EU market; (ii) providers of data processing services with EU customers; and (iii) other owners of data, or data holders, that make available the data that is generated by the use of IoT products or services to data recipients in the EU.

Supporters of the draft Data Act have welcomed the draft legislation for driving a “future in which data is widely shared and further used for innovative business models, more efficient processes and better policy making”. On the other hand, critics have warned that the draft Data Act could actually lead to “an increase in anticompetitive or unfair practices among businesses” and flagged that businesses will face “pressure and costs in implementing the various measures imposed by the Data Act”.

Read our previous article on the scope and impact of the EU Data Act, which we have revisited (and provided input on the UK perspective). Note that, since publication of the latter, the UK government has withdrawn the first draft of its Data Protection and Digital Information Bill, replacing it with the Data Protection and Digital Information (No. 2) Bill. According to the UK government, the new draft bill is “much the same” as the withdrawn bill, but it combines (according to the UK government) the “best elements” of the UK GDPR with flexibility for businesses to determine how they comply with the new data laws.

What’s next?

The European Parliament adopted its position on the Data Act on March 14. It is likely that the EU Member States will shortly follow suit based on final compromise wording proposed by the EU Council presidency on March 17. After that trilogue negotiations can begin between both bodies and the European Commission, with a view to finalising the draft legislation.

3. New EU rules promoting the repair of goods

The European Commission has proposed a new EU Directive that will impose greater obligations on goods manufacturers (including digital products) to repair defective products.

What’s new?

In March 2023, the European Commission adopted a new Proposal for a Directive on common rules promoting the repair of goods (“Proposed Directive”), which is intended to boost the repair of consumer goods rather than replacement where technically possible, thereby leading to waste reduction and a more sustainable economy.

The Proposed Directive amends the remedies granted under the EU Sale of Goods Directive 2019/771 (“SGD”) for non-conformity in such a way that consumers will, in the future, only be able to choose replacement as a remedy when it is cheaper than repair.

Furthermore, for certain product groups listed in an Annex, the Proposed Directive introduces a new obligation to repair any defects that come into existence or become apparent outside and beyond the two‑year liability period imposed on sellers under the SGD.

The Annex covers household products like dishwashers, vacuum cleaners, tablets and mobile phones – and also servers and data storage products. There have been suggestions that the Proposed Directive’s scope could also be extended to allow “smart” products that incorporate (or are inter-connected with) digital content or digital services to be included in the Annex.

The obligation to repair includes:

an obligation on the producer to repair (or have a subcontractor repair) the product upon a consumer’s request, and to inform consumers of this producer obligation. Producers must also ensure that independent repairers have access to certain spare parts and repair-related information and tools;
an obligation on the repairer to provide to the consumer (upon request) standardised information about available specific repair services; and
an obligation on the EU member states to ensure that at least one online platform exists in their territory that allows consumers to find repairers.

What’s next?

The Commission’s proposal will now enter the EU’s legislative procedures, where it will be discussed within the European Parliament and the Council.

4. EU proposes a “withdraw button” requirement

The EU has moved one step closer to adopting a Directive that would require online traders selling goods and services to consumers to include a prominent “withdraw” button on their websites or apps.

Back in May 2022, the European Commission issued a proposed Directive that, among other things, provided that traders must include a withdraw button on the same electronic interface used to conclude consumer agreements – but this was only intended to apply to facilitate the exercise of the 14-day right of withdrawal for financial services sold electronically.

What’s new?

In March 2023, the Council of the European Union adopted its General Approach on the Commission’s proposed Directive, which will serve as a basis for upcoming negotiations on the bill with the European Parliament.

To further strengthen consumer protection, the Council position proposes extending the application of the withdraw button to all distance consumer contracts concluded by the means of an online interface (e.g., websites or mobile apps) – i.e., going far beyond the proposal by the European Commission. For such contracts, the online seller would have to ensure that the consumer can withdraw from the contract on that same online interface by using a clearly designated “button”.

The proposed withdraw button will need to be labelled in a legible manner and must contain nothing but the words “withdraw from contract here” or a corresponding unambiguous formulation. The withdraw button will need to be placed on the online interface in a prominent manner and be easily accessible to the consumer. Using the button must allow the consumer to make the withdrawal statement by providing or confirming the following information:

name of the consumer,
identification of the contract, and
details of the electronic means by which the confirmation of the withdrawal will be sent to the consumer.

The withdrawal statement must be submitted by using a confirmation button. Once the consumer uses the confirmation button, the online trader will need to send to the consumer a confirmation that the withdrawal statement has been submitted, including the date and time of the submission.

The planned withdraw button should not be confused with the “cancellation” button that has already been in force in Germany since July 2022. That cancellation button requirement was introduced independently of wider EU requirements by the German Fair Consumer Contracts Act (which we reported on in Q3, 2021) and applies to subscription agreements concluded online with consumers.

What’s next?

The next step is the trilogue negotiations between the European Commission, the European Parliament, and the Council to agree on a final version of the proposed Directive. The recitals of the proposed Directive provide that the withdraw button must be available during the withdrawal period. However, it is unclear how this requirement should work in practice. The withdrawal period generally begins with the receipt of the goods and would have to be calculated individually. It remains to be seen whether the EU legislators will make any adjustments in this regard.

5. Green Claims Directive: Verify green claims before you use them in the EU!

In March 2023, the European Commission presented its proposal for a Green Claims Directive (the “Proposal”) that will regulate the way companies substantiate and communicate their environmental claims.

The Proposal is the Commission’s follow-up to its 2020 study which found that 53.3% of green claims were vague, misleading or unsubstantiated, and that 40% were completely unsubstantiated.

What’s new?

The Proposal aims to introduce clear regulation for green claims and green labels. In particular, the Proposal provides that green claims must be substantiated with scientific evidence that is widely recognised, identifying the relevant environmental impacts and any trade-offs between them. Before companies can use any green claims in their marketing materials, they will need to submit supporting evidence alongside any draft green claim for assessment and verification by an officially accredited third party.

Regarding environmental labelling schemes, the Proposal provides that these should be solid and reliable, and their proliferation shall be controlled. New public schemes, unless developed at EU level, will not be allowed, and new private schemes will only be allowed if they can show higher environmental standards than existing ones and get a pre-approval.

Except for certain micro-enterprises (with less than ten employees and less than €2 million turnover or balance sheet), the rules would apply to all companies doing business in the EU, unless the claims are covered by more specific rules (such as the EU Ecolabel).

In case of non-compliance, penalties shall include rules on profit-skimming, temporary exclusion from public tenders and subsidies, and fines of up to 4% of the trader’s annual turnover generated in the EU Member State(s) concerned.

What’s next?

The Proposal will now go through the regular legislative process. It will be discussed both in the European Parliament and at the Council level. It is likely that the legislative process will take 12 to 24 months before the Directive enters into force, followed by a similarly long phase of implementation into Member State laws.

6. Network and information systems (NIS) regulation in the EU and UK

We have noted before that both the EU and the UK are working on updates to their respective laws on the security of network and information systems (NIS).

The current NIS regimes in the EU and the UK require in-scope organisations to apply appropriate security measures to protect against cyber threats – and this includes monitoring, auditing and testing, as well as specific procedures to report and respond to security breaches. Both the EU and the UK have recognised the need to adapt their NIS rules to respond to the changing landscape of cyber threats.

But, as in other areas where the UK and EU are pursuing similar goals on a separate track (see the articles on AI below), the question is: what will end up being the same, and, more importantly, what will be different?

What’s new?

EU developments

In the EU, Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the EU (NIS 2) came into force in January 2023. NIS 2 replaces the Directive (EU) 2016/1148 on security of network and information systems (NIS 1).

See our full client alert for a more detailed review of the substantive obligations and enforcement rules introduced by NIS 2.

Since NIS 2 is a Directive, EU Member States must transpose into national law new provisions that will impose stricter cybersecurity risk management requirements on more organisations and introduce tougher supervisory and enforcement measures, among other things. Member States have until mid-October 2024 to implement the new requirements into their national laws. However, Member States may well introduce national implementing laws ahead of the deadline, as some of them did with NIS 1. Currently, no Member States have published national implementing laws transposing NIS 2.

In any event, in order to inform organisations’ compliance planning efforts and business impact assessments, organisations should already begin to identify:

any services and/or products that are likely to fall within the scope of NIS 2;
the relevant jurisdictions in which those services and/or products are made available, to determine which national implementing laws will likely apply;
the potential impact of the new requirements on such services and/or products; and
whether any services qualify for the “one-stop shop” mechanism and register with the relevant competent authority (where their “main establishment” is located) before mid-January 2025.

Greater UK enforcement

The UK’s existing NIS laws pre-date Brexit and so mirror NIS 1. But the UK government announced in 2022 that, while it will move forward with proposals to improve the UK’s cyber resilience, it is unlikely to follow the same approach as the EU NIS 2 directive. This is another area where the UK government plans to use Brexit as a means to lighten the regulatory burden and, it claims, maximise benefits to the UK economy.

Nevertheless, in January 2022, the UK proposed to amend the existing scope of the UK’s Network and Information Systems Regulations 2018 (NIS Regulations), for example, to expand the scope of affected services in order to regulate managed IT service providers.

On the one hand, the UK proposals are taking longer to bring to the table than NIS 2. However, even before any specific changes in the UK, the Information Commissioner’s Office (the regulator responsible for NIS in the UK; the “ICO”) is already pursuing an enforcement programme designed to get more organisations to register under the existing NIS regime. In particular, the ICO has been approaching businesses that provide cloud computing services in the UK and suggesting that they need to register under, and comply with, the NIS regulations. That may not always be a requirement (because only scalable and elastic cloud services are covered by the existing NIS Regulations, for example), but many providers are simply taking the approach that it’s easier and quicker not to argue and simply to register as a precaution.

What’s next?

EU Member States will implement NIS 2 over the next 18 months. In parallel, the UK is likely to implement its own update to the NIS Regulations. There will be divergence – certainly between the EU and the UK, but likely even between EU Member States.

In practice, although the UK approach may allow a more flexible, risk-based approach to NIS regulation and reporting, most affected businesses and organisations are likely to have customers in the EU as well as the UK. So they’ll need to comply with NIS 2 in any event and may be likely to opt to implement just one internal monitoring and reporting system rather than incur extra costs of complying with two different sets of rules. As in other areas, the UK’s divergent approach may just end up being an interesting footnote for many internationally operating businesses.

7. New UK advertising guidance clamps down harder on greenwashing claims

In February 2023, the UK’s Advertising Standards Authority (ASA) and the Committee of Advertising Practice (CAP) released new guidance that clamps down on companies making so-called “greenwashing” claims in their advertisements (the “Guidance”).

Many companies are increasingly seeking to raise their profile and attract customers and investors by highlighting their environmental prestige (for example, by disclosing their net zero targets) – and any of these companies operating in the UK will face increased scrutiny from ASA, which will be seeking to hold them accountable for any misleading claims.

The new Guidance (which comes after the EU recently published a draft law requiring companies to face strict penalties unless they justify within ten days the green claims that they make) strengthens the UK’s response to misleading greenwashing claims and draws on principles contained in the Green Claims Code published by the UK Competitions and Markets Authority (CMA) in 2021 – see more in our previous client alert.

According to the Guidance, any companies operating in the UK will need to carefully consider the language that they use to describe their products and services, ensuring that they substantiate any green claims with informative and accurate explanations.

The CMA is slowly following suit, having recently published a “Green Claims Code” and further guidance on how to make environmental claims that simultaneously comply with consumer protection law obligations.

What’s next?

We anticipate further legislation in this area – particularly the new Digital Markets, Competition and Consumer Bill, which is expected to grant the CMA further enforcement capabilities in the form of monetary penalties where companies have breached consumer protection laws.

The EU has also proposed a draft Green Claims Directive (see article 5 above), which sets out comprehensive requirements for companies making environmental claims. UK businesses operating in the EU will need to comply with these laws and similarly grant more powers to the regulators to enforce the new rules.

8. Data Protection and Digital Information Bill – the “new” UK GDPR

The UK government has published a new version of its bill to reform the UK’s data protection and e-privacy laws – the Data Protection and Digital Information Bill (No. 2) (the “Bill”). The introduction of the Bill reignites the UK government’s efforts from 2022, as part of its National Data Strategy, to move the UK’s data protection laws away from the EU GDPR standard, in a bid to improve growth, innovation and competition in the UK.

While the Bill retains key principles of its predecessor, the UK GDPR, some notable changes have been introduced, which the UK government believes will “[s]upport even more international trade without creating extra costs for businesses if they’re already compliant with current data regulation”.

These changes include:

Amending the threshold for what constitutes “automated decision making”, with less-stringent requirements applying to decisions that do not use sensitive data (such as health or ethnicity data).
Removing the requirement for organisations to maintain a record of processing activities, unless the processing is considered high-risk – which the UK government views as “pointless paperwork for businesses”.
Creating a preset list of legitimate interests, which do not require controllers to carry out a balancing test prior to relying on legitimate interest as a basis. While the proposed list includes certain examples (e.g., direct marketing, intra-group transfers of personal data where necessary for administrative purposes and security purposes), it still remains narrow and does not include commercially focussed activities.

What’s next?

One of the big questions is whether the implementation of the Bill will compromise the European Commission’s recognition of the UK as an “adequate” third country that can sufficiently protect individuals’ data protection rights. In its press release accompanying the Bill, the UK government committed to ensuring that the “new regime maintains data adequacy with the EU”. However, if the Bill results in the UK moving further away from the GDPR standard, the UK government will have to work harder to demonstrate to the European Commission that it still meets the adequacy requirements. This issue could come to a head soon: the European Commission will start work on whether to extend its adequacy decision likely from next year.

For now, the Bill has only passed its first reading in the UK Parliament, and it will come under scrutiny as part of the UK legislative process and is therefore still subject to change.

9. The UK’s new Science and Technology Framework – the potential impact on digital businesses

The UK government has launched a Science and Technology Framework (the “Framework”) detailing its vision to strengthen the UK’s position as a science and technology superpower. The announcement follows the creation of a new ministerial department, the Department for Science, Innovation and Technology (DSIT), headed by the previous minister for Culture, Media and Sport, Michelle Donelan.

What’s new?

Consisting of ten priority points, the Framework is also backed by £370 million of government funding. It’s intended as a strategy to define a more cohesive, coordinated approach to Science and Technology within government.

Strategic focus

The Framework identifies artificial intelligence, engineering biology, future telecommunications, semiconductors and quantum technologies as “critical” technologies. A total of £250 million has been dedicated to “technology missions” in AI, quantum technologies and engineering biology. The government will be publishing various strategies, White Papers (including the awaited AI White Paper) and plans to bolster the UK’s progress in these areas. In addition to this, we can expect a refined approach to public communications on the overall science and technology goals for the UK.

Areas of development

There will be investment in research, but also in talent and infrastructure. In addition to exploring programs to attract international talent, there will be expanded opportunities for participation in STEM, whether by training, retraining or upskilling. Key infrastructure investments will be identified via collaborations and consultations. There is also an aim to increase investment in research via private and public funding.

Funding

In addition to further funding of research and development (R&D), investment in the industries will be increased by encouraging UK institutional investors to collaborate, delivering the Digital Growth Grant to small and scaling technology businesses and implementing recommendations of the Hill Review to enhance the attractiveness of the UK as a place to list.

Regulation

Overall, a light-touch approach to regulation is likely when considering the Framework and previously published AI strategies. The Framework describes a regulatory regime that utilises the UK’s post‑Brexit independence – it will be pro-innovation, easy to navigate and facilitate widespread commercial science and technology applications. Accordingly, work with global standards development organisations is to be continued, as well as the AI Standards Hub.

Global reach

The Framework would also foster the UK’s relationships and presence within these sectors on the global change. Success in this area will be as a result of prioritised international partnerships, strengthening the domestic offerings, diplomatic networks and a systematic approach to handling national security risks around R&D collaboration.

What’s next?

The science and tech community is still waiting to hear news on the UK’s participation in Horizon Europe, the EU’s funding scheme for research and innovation. Support for applicants is currently only in place until 30 June 2023. It has been reported that funds earmarked for the UK’s participation or an alternate scheme has since been returned to the Treasury. The UK’s participation is contingent on negotiations with the EU concerning the implementation of the Northern Ireland protocol.

10. UK government’s Spring Budget 2023: Boosting the UK’s digital economy

The UK government’s Spring Budget 2023 includes several “enterprise boosting measures” to support the UK’s digital economy and attract global investment to help high-growth digital companies “start, scale, and thrive in the UK”.

Regulation and spending measures

To support the rapid and safe introduction of emerging technologies, the government has accepted the UK chief scientific adviser’s nine recommendations for the regulation of emerging digital technologies. The recommendations seek to promote a pro-innovation approach and ensure that the UK’s regulatory environment enables innovation and a thriving digital economy. The government has also allocated £10 million extra funding to the medicines and healthcare products regulator to establish a rapid approval process for new medicines and technologies.

For research intensive companies, the government plans to:

invest £2.5 billion over ten years to fund the development of quantum technologies (see the full quantum strategy) and build an “exascale” supercomputer;
award a £1 million prize each year to researchers that drive progress in critical areas of AI;
extend the British Patient Capital program for an additional ten years, providing at least £3 billion in investment; and
announce twelve locations across the UK that will receive grants and tax concessions for five years to encourage investment and research.

Other (tax-related) measures

To create a competitive corporation tax regime, the government has also announced other measures that may benefit digital companies operating in the UK.

For example, the UK will mitigate the impact of increased corporation tax (from 19% to 25%) from 1 April 2023, by introducing a full expensing capital allowance regime to allow UK companies to immediately write off 100% of qualifying main-rate plant and machinery investments for the next three years, as well as making the £1 million annual investment allowance permanent.

Also, the UK will offer enhanced tax credits for loss-making R&D intensive small- and medium-sized enterprises (SMEs). In practice, this means that SMEs that spend 40% or more of their total expenditure on qualifying R&D will still be able to claim £27 from HMRC for every £100 of R&D investment, instead of the reduced £18.60 (as announced last year). This will benefit an estimated 4,000 digital SMEs. The scope of qualifying expenditure for R&D reliefs will also be expanded to include data and cloud computing costs.

11. Online Safety Bill arrives at the House of Lords – this isn’t even its final form!

The UK’s Online Safety Bill (OSB) appears to be gaining momentum once more, with its first and second readings in the House of Lords finally taking place in relatively quick succession on 18 January 2023 and 1 February 2023, respectively. This welcome development comes on the heels of the five-month delay that halted progress on the OSB last summer and is indicative of the UK government’s renewed commitment to bringing the OSB into force. See more in our previous client alerts on the Bill’s first drafting in 2021 and its first introduction in March 2022.

Since March 2022, the OSB has been subject to plenty of changes, with amendments being suggested and approved at rapid speed. For example, the proposed duties of care on online providers that were so polarising when included in the 2021 version of the draft OSB have been scrapped in favour of a more collaborative approach between service providers and the regulator Ofcom, whereby in-scope companies will be supported by the regulator Ofcom, and Ofcom will help to ensure that the companies’ terms and conditions of service are upheld. This is a notable change in tone from the self-policing duties originally suggested.

Another amendment proposed an approach to content moderation that would involve bypassing end-to-end encryption (E2EE) by scanning for the removal of harmful material (terrorist content and Child Sex Exploitation and Abuse content) from a user’s device before a message is sent and subsequently encrypted. Major providers of E2EE services have spoken out against this amendment, denouncing the proposed approach for threatening private and safe communication.

Some service providers have stated that they will not decrypt their E2EE services, even in the face of the large fines that the OSB seeks to impose (i.e., the greater of £18 million or 10% of annual global turnover). Others have gone as far as to consider pulling their services from the UK if the OSB is passed with these amendments. Commentators have also queried why the UK government’s approach to E2EE diverges from the EU’s Digital Markets Act, which seeks to balance the need for E2EE (because of its perceived ability to protect the rights of free expression and association) against the interoperability obligations that it imposes on messaging services. If the OSB is approved in its current form and major tech platforms hold firm on their promises, the UK stands to lose valuable E2EE messaging services that are widely used today.

Separately, it’s worth noting that new technologies are being developed just as quickly as new amendments to the OSB are being tabled. Providers of newer and up-and-coming technologies, such as generative AI, may find that they are immediately caught by the onerous obligations of the OSB, just as they are making a name for themselves. And the UK government may also have a seemingly impossible task on its hands to try keeping up with these newer technologies – potentially by continuing to issue ongoing amendments to the OSB, to ensure that it is not being outpaced by these newer generations of technology. As we have previously noted, a government more in-tune with the technology sector would be better off not trying to legislate ahead of the technology, but to be prepared to update the applicable rules regularly in line with technology platform advances.

What’s next?

The OSB is due to progress on to the committee stage in the House of Lords, which will undertake a line‑by‑line re-examination (with potentially even more amendments being tabled). The committee stage has not yet been scheduled, and no time limits are imposed for completion of this stage. We are still therefore potentially looking at a long road ahead for the OSB.

12. Class actions in Germany may apply to digital providers

In February 2023, the German Ministry of Justice published a draft law to strengthen class actions in Germany.

What’s new?

The new Draft of the Consumer Rights Enforcement Act (Verbraucherrechtedurchsetzungsgesetz – “VDUG‑E”) implements the EU’s Representative Action Directive (2020/1828) (“RAD”).

The main element of the VDUG-E is the introduction of the possibility to bring collective redress actions (Abhilfeklage) before the competent Higher Regional Court. Such claims can be initiated by so-called “qualified entities” (such as consumer associations), but not by individual consumers, and may include any monetary and non-monetary redress measures such as a price reduction, termination of contracts, refunds of the price paid, damages, etc., provided such claims are of the same kind (gleichartig).

It is important to note that the VDUG-E goes beyond the RAD’s requirements causing a direct effect on companies, especially also in the digital space. First, while the RAD’s scope was limited to certain violations of EU law, the VDUG-E provides that collective redress actions can be initiated for all violations of law resulting in a claim against another “undertaking”, i.e., for instance, also basic contractual or tort claims. Second, the collective redress action is not only open for consumers as required under the RAD, but also for small companies (employing less than 50 people and having an annual turnover or an annual balance sheet of less than €10 million).

What’s next?

If the VDUG-E comes into force in its current form, it seems likely that it will indeed strengthen class actions in Germany, particularly due to the implementation beyond the RAD’s requirements. But it is to be noted that the VDUG-E still needs to be discussed at several levels, so it is unclear how it will eventually look when it comes into force in June 2023.

13. Germany’s plans to ban advertising unhealthy food to children

The German Ministry for Food and Agriculture recently published its proposal for a “Children’s Food Advertising Act” to prohibit advertising and sponsoring for foods high in fat, sugar and/or salt (HFSS) in all media relevant to children under the age of 14 to protect them from diet-related diseases.

What’s new?

The proposal introduces different levels of advertising and sponsoring restrictions for HFSS foods, ranging from a complete ban of such advertising in certain media to an effects‑based restriction that relies on how likely the advertising would induce or encourage children under the age of 14 to consume HFSS foods.

While the proposal only obliges “food businesses and any natural or legal person providing advertising or sponsorship”, it will have an indirect effect on all media providers with advertising inventory, as the restricted advertisements must no longer be displayed on such inventory. As relevant media providers, the draft lists radio, press/print, information society services, audio-visual media services, VSPs and providers of outdoor advertising.

In particular, the proposal seeks to prohibit:

advertising and sponsoring on all the above media that are particularly likely to induce or encourage children to consume HFSS foods;
advertising of HFSS foods on radio and audio-visual media services between 6 a.m. and 11 p.m., regardless of its effect on children;
advertising of HFSS foods on all in-scope media except outdoor advertising if the advertising is directly related to content that is also appealing to children; and
outdoor advertising of HFSS foods in the vicinity of certain establishments used mainly by children, including daycare centers, schools, playgrounds, except for window surfaces of sales stands, kiosks or similar shops.

According to the draft, the enforcing authorities could penalise food businesses and advertising/sponsoring providers with fines up to €30,000 and confiscate any objects to which the infringement relates.

What’s next?

The draft already attracted broad criticism, supposedly leading the Ministry to hold back the launch of a public consultation that would allow businesses and industry associations to comment on the proposal. It is currently unclear if the political pressure will result in the Ministry changing the draft before starting the legislative process, including a public consultation, the adoption of a government draft and subsequent parliamentary proceedings.

So far, critics have argued that the proposal exceeds the government’s respective plans for HFSS foods advertising restrictions as laid out in the coalition agreement. It has further been pronounced that the federal legislator has no authority to establish media-related provisions (instead of the federal states) and that the proposed ban violates constitutional rights of affected industry players.

What are the EU and UK positions?

At the EU level, there is currently no harmonised regime for HFSS foods advertising. The Audiovisual Media Services Directive requires Member States to encourage codes of conduct aimed at reducing the exposure of children to HFSS foods advertising, but this only applies to TV and on-demand services, and Member States are free to go beyond that requirement.

In the UK, HFSS foods advertising has been restricted since 1 July 2017, and further measures were imposed as a result of consultations that took place in 2019 and 2020. The resulting legal landscape means that businesses must ensure that, inter alia: (i) ads that directly or indirectly promote HFSS products do not appear in children’s media (or in any other media where children make up over 25% of the audience); and (ii) they comply with volume, price and location restrictions in relation to the promotion of HFSS products. Looking ahead, a 9 p.m. watershed on TV advertising for HFSS products and a ban on paid‑for online advertising of HFSS products are due to come into force on 1 October 2025.

14. EU developments in artificial intelligence

There were a couple of notable artificial intelligence (AI)-related developments in the EU in January 2023.

First, the EU’s proposed regulatory scheme for AI took a further step through the legislative process. Also, the European Commission and the U.S. government signed an “Administrative Arrangement on Artificial Intelligence for the Public Good”.

We have written before that the EU is pursuing a more regulatory approach to AI than the United States (and – see the following article – the post-Brexit UK). Ideally, as with other emerging and developing technologies, it generally helps technology developers and implementers if governments are joined-up in their approach to the regulation and legislation. As described below, the EU seems set on its more‑regulatory approach, and the new collaboration agreement may be a welcome sign, but it only operates at the margins of the application of AI technologies.

What’s new?

On 24 January, the European Economic and Social Committee (EESC) adopted an opinion (“Opinion”) regarding the proposed AI Liability Directive. The AI Liability Directive supplements the proposed revision of the Product Liability Directive and lays down some procedural rules in the context of non-contractual liability for damage caused using AI systems. In particular, it defines some rebuttable “presumptions of causality” and introduces a form of discovery whereby a claimant can request that information relevant for the case regarding an involved high-risk AI must be disclosed by the operator or other liable parties. For more details, see our separate client alert on AI regulation in Europe and our blog post on AI trends for 2023.

The EESC overall approves of the proposed EU legislation and does not make major requests for amendments. One of its main points is the need to pursue a liability scheme as uniform as possible in its application across the EU and to reduce the risk of divergent interpretations under national case law. The EESC therefore calls on the EU to define with more clarity concepts such as “high-risk activities” (and believes that potential harm to the environment should be one of the factors to be included in the high-risk category) and “eligible damage”. It also calls for setting up a network of alternative dispute resolution bodies to make it easier for victims who have suffered harm to exercise their rights. The five-year horizon to review the effects of the directive is too distant for the EESC, and it suggests acting earlier, at most three years after the directive enters into force.

Also in January, the EU signed an AI Collaboration Agreement with the United States that’s designed to increase U.S.-EU collaboration on AI research. The agreement aims to address global challenges in the fields of climate change (e.g., extreme weather), natural disasters, healthcare, energy and agriculture by developing and utilising joint AI models. The agreement was signed in the context of the EU-US Trade and Technology Council (TTC), launched in 2021, and comes on the heels of the TTC Joint Roadmap for Trustworthy AI and Risk Management, which was published on 1 December 2022. The joint roadmap contains some very interesting statements regarding the shared risk-based approach of both the United States and the EU when it comes to AI.

The administrative arrangement’s primary focus is to increase U.S.-EU collaboration on AI research, because AI will play an increasingly important role for prediction and simulation in the areas listed above. Therefore, EU and U.S. researchers are encouraged to join forces to develop joint models for societal applications of AI without the need to transfer large amounts of training data. The arrangement also aims to share findings and resources with international partners.

What’s next?

While the administrative arrangement may be a sign of increasing U.S.-EU collaboration in the AI field, it’s by no means a transatlantic policy alignment on AI and has been likened to a mere statement of intent. Currently, it’s not expected that the United States will match the EU’s stricter and more granular regulatory approach when it comes to AI, although recent developments (in particular, the release of GPT-4) have fuelled these kinds of discussion in the United States.

15. UK developments in artificial intelligence

Back in October 2022, we noted that the UK was planning to diverge from the EU’s regulatory approach to AI by choosing a more liberal, non-regulatory approach. Quietly, the UK has dropped one key part of that plan. But, with considerably more fanfare, the UK has announced a White Paper that sets out the UK government’s latest plans for regulating AI – although, given that it’s called “A Pro-innovation Approach to AI Regulation”, no one should expect that the UK is going to adopt an EU-style regulatory approach.

What’s new?

The original UK plan on AI was a mix of action and inaction – designed, in theory, to make the UK a more competitive location for AI developers.

The positive action was a proposal to introduce a new copyright and database right exception permitting text and data mining (TDM) for any purpose – with the aim of speeding up the TDM process, which is often a precursor to the development of AI. Previously, the TDM exception only applied to non-commercial purposes.

The proposed lack of action was to choose not to replicate the EU’s regulatory proposals in relation to AI‑based technology – especially the new EU AI Act, the AI-related revision of the EU Product Liability Directive and the proposal for an EU AI Liability Directive, all described in our October 2022 alert.

It’s the first of these UK plans that has been changed. On 1 February 2023, the UK Minister for Science, Research and Innovation stated in a House of Commons debate on AI and IP rights that the UK Intellectual Property Office’s proposal to introduce a general TDM copyright and database exception will not be proceeding.

But if that point of detail was almost sneaked out into the public domain, the White Paper “A Pro-innovation Approach to AI Regulation” was launched with lots of publicity in March 2023.

The White Paper proposes a new regulatory framework (“Framework”) aimed at identifying and addressing various risks associated with AI development and use. But the Framework doesn’t assign rules or risk levels to entire sectors or technologies – as the EU proposes. Rather, it adopts a principles-based, context- and outcomes-oriented approach to regulating AI, which focusses on the use of AI rather than the technology itself. It lays out some key cross-sectoral principles (such as safety, security and robustness; appropriate transparency and explainability; contestability and redress) that existing regulators will be expected to implement proportionately.

What’s next?

The UK government still plans to make the UK a more liberal place as a location for AI development. But IP rightsholders will welcome the change in tactic from the UK regarding TDM specifically.

But it’s the White Paper that will form the UK’s government’s AI agenda for the near future. Further details about the implementation of the Framework will be provided through an AI Regulation Roadmap, which will be published alongside the UK government’s response to the consultation on the White Paper – both are expected to be published within the next 6 months.

But it remains unlikely that the UK will change course to develop stricter regulation of AI tools and platforms.

We are grateful to the following member of MoFo’s European Digital Regulatory Compliance team for their contributions: Brittnie Moss-Jeremiah, London Trainee Solicitor.