European Digital Compliance: Key Digital Regulation & Compliance Developments

• Published date: 04 July 2022
• Subject Matter: Finance and Banking, Corporate/Commercial Law, Consumer Protection, Compliance, Financial Services, Corporate and Company Law, Contracts and Commercial Law, Consumer Law
• Law Firm: Morrison & Foerster LLP
• Author: Mr Alistair Maughan, Andreas Grünwald, Marie-Claire Strawbridge and Christoph Nü'ing

To help organisations stay on top of the main developments in European digital compliance, Morrison Foerster's European Digital Regulatory Compliance team reports on some of the main topical digital regulatory and compliance developments that have taken place in the second quarter of 2022.

This follows on our previous updates on European digital regulation & compliance developments for 2021 (Q1, Q2, Q3, Q4) and Q1 of 2022.

In this issue, we note the large strides taken towards adoption of the EU Digital Services Act (which seeks to regulate the operations of all digital service providers operating in the EU, wherever the provider happens to be based) and the EU Data Governance Act. We also highlight other recent and forthcoming digital regulatory initiatives from the EU (and also case law), including changes that companies will need to make to online ordering processes affecting EU-based consumers. We also look in more depth at how the UK government is taking forward its self-declared "pro-competitive" regime for the regulation of digital markets and at a slight relaxation of UK product labelling rules for digital hardware.

EU Digital Policy and Legislation

1. EU Digital Services Act: Agreed & Ready for Approval
2. EU Data Governance Act: May 2022, Council approved the Act
3. EU proposed regulation on online child sexual abuse
4. Germany: Draft legislation requires centralised youth protection mechanisms in operating systems, covering apps, browsers and app stores
5. EU: Proposed amendments affect online financial services agreements, including a "withdrawal button"
6. EU: New Vertical Block Exemption Regulation adopted
7. EU: Proposal on "green" claims in digital (and other) products

UK Digital Policy and Legislation

8. UK Competition and Consumer Reform: Greater Regulatory Enforcement Powers
9. UK digital regulatory policy: UK Government confirms plans to introduce pro-competition regime for digital markets
10. UK: Relaxation of product safety labelling rules

Cyber Security and Resilience

11. Cybersecurity: NIS 2 Directive

Notable Case Law

12. EU case law: When do online traders need to give pre-contract information about their or third-party manufacturers' guarantees?
13. EU case law: Requirement for a clear "Purchase Button" online
14. EU case law: the legitimacy of content recognition technology
15. EU Telecoms Regulation: German enforcement measures against "zero-rating" offerings

1. EU Digital Services Act: Agreed & Ready for Approval

In April 2022, the EU Parliament and Council reached political agreement on the Digital Services Act (DSA). The EU Parliament's Internal Market Committee also endorsed the agreement in June, and it's now expected that the DSA will be formally adopted by the EU Parliament very soon. The finalised text is not yet available to the public.

In parallel with the Digital Markets Act (DMA), the DSA seeks to regulate the operations of all digital service providers operating in the EU - wherever the provider happens to be based. It will come into effect as an EU Regulation, meaning that no further implementation into Member State law will be required.

The DSA aims to address large digital platforms, impose greater accountability on intermediaries for third-party content, and protect users from illegal goods, content or services. The DSA sets out a new framework of obligations to apply to all digital services that connect consumers to goods, services or content, including new procedures for faster removal of illegal content as well as comprehensive protection of users' fundamental rights online. It adopts the principle that illegal offline acts should also be illegal online.

The DSA will apply to any online intermediary offering services in the EU. Intermediary services are broken down into various categories:

• organisations offering network infrastructure (e.g internet access providers, domain name registrars);
• hosting services (e.g., cloud and webhosting services);
• online platforms (e.g., online marketplaces, app stores, collaborative economy platforms and social media platforms); and
• very large online platforms (VLOPs), which reach more than 45 million consumers in Europe.

The strength of the DSA's obligations is intended to be proportionate to the nature of the services and number of users for a given platform, so that larger digital services providers will be subject to more rigorous standards. The DSA imposes obligations on various online intermediary service providers, such as: to identify and remove illegal content; not to manipulate users' choices through nudging or deceitful techniques (dark patterns); and to verify and check traceability information provided by traders that sell via platforms to consumers.

The Commission will have exclusive power to demand compliance for platforms with more than 45 million users, and penalties include up to 6% of those platforms' worldwide turnover.

What's Next?

The final vote in the EU Parliament for the DSA is expected in July 2022, followed by a formal adoption by the Council and then publication in the EU Official Journal. The DSA is then expected to come into force in late 2023 or early 2024.

2. EU Data Governance Act: May 2022, Council approved the Act

The new EU mechanism for the wider reuse of public-sector data - the Data Governance Act (DGA) - has now been adopted. We previously reported on the Data Act.

As of 24 September 2023, certain categories of data such as trade secrets, personal data and data protected by intellectual property rights may be reused and shared by companies and individuals alike without fear of being misused or compromised.

The DGA is a culmination of efforts by the EU to leverage the high-value data economy in the EU, which is expected to reach ?829 billion by 2025. Previous consultation on this issue emphasised the lack of incentivisation for both individuals and companies to participate in data sharing. One of the DGA's main aims will be to ensure that in-scope data is handled consistently with the principles and protections offered by the GDPR, ePrivacy Directive, consumer law, competition law and other applicable EU laws.

The DGA will be underpinned by a framework for data intermediation services ("DI Services") which will provide the secure environment in which parties can share data. Where the sharing parties are companies, the DI Services will be facilitated via digital platforms and any providers of DI Services will need to add themselves to a central register. From a privacy perspective, the DI Services will give individuals full control over their personal data on top of the protection that they receive under the GDPR, e.g., through personal information management tools such as data wallets, so that the individual is at all times aware of how their data is shared with others, and can give/withdraw consent accordingly.

What's Next?

To help the European Commission navigate its oversight of the DI Services, a European Data Innovation Board will be created to advise the Commission and issue guidelines on how to nurture the development of data spaces and improve interoperability. Alongside this, the European Council is working on a regulation on harmonised rules on fair access to and use of data (somewhat confusingly referred to as the Data Act) and discussions are in full swing.

3. EU proposed regulation on online child sexual abuse

The EU is ramping up the fight against online sexual abuse of children with its draft "Regulation laying down rules to prevent and combat child sexual abuse". The Regulation will impose requirements on providers of certain digital services or platforms operating in the EU to detect, report and remove child sexual abuse material (CSAM) offered via their services, under a regime overseen and enforced by regulatory authorities designated by EU Member States.

Since 2011, the EU has been fighting child pornography. Two years ago, the European Commission formulated a new "strategy for a more effective fight against child sexual abuse". The proposed new Regulation is the latest step in this process and combats two types of online child sexual abuse: the online dissemination of child sexual abuse material (CSAM) and online solicitation of children (or "grooming").

The proposal addresses any services that allow users to upload files, and any services allowing interpersonal communication (i.e., chat, audio or video calls). The service providers must perform a risk assessment, implement risk mitigation measures and report the results. Moreover, a national authority can issue a detection order, meaning that the service provider will have to employ technology to actively search user content for CSAM or interactions that resemble child solicitation. The authority can also request internet access service providers to block a website hosting, displaying or disseminating CSAM.

Of all the proposed new requirements, the most controversial has been the creation of...