European Digital Compliance: Key Digital Regulation & Compliance Developments
European Digital Compliance: Key Digital Regulation & Compliance Developments
To help organisations stay on top of the main developments in European digital compliance, Morrison & Foerster’s European Digital Regulatory Compliance team reports on some of the main topical developments in this area that have taken place in the second quarter of 2021.
On 28 April 2021, the European Parliament formally adopted the Regulation on preventing the dissemination of terrorist content online. The Regulation targets content that incites, solicits or contributes to terrorist offences or solicits people to participate in a terrorist group. Most notably, the Regulation will require online platforms to remove terrorist content within one hour of having received a removal order from the relevant national authorities. Online platforms covered by this Regulation will include providers of social media, video, image and audio-sharing services, as well as file-sharing services and other cloud services, insofar as those services are used to make the stored information available to the public at the direct request of the content provider. These online platforms will not have a general obligation to monitor or filter content, but they will have to undertake specific measures to address the misuse of their services where national authorities have established that they have been exposed to terrorist content. We note that content uploaded for educational, journalistic, artistic or research purposes will not be considered terrorist content under the Regulation. While the rules on penalties will be set by individual Member States, the Regulation provides that companies should face fines of up to 4% of their global turnover for persistent non-compliance.
The requirements of the Regulation will come into effect on 7 June 2022. Online platforms should use the next few months to consider how they will robustly address this type of misuse by users, including preparing (and testing the capability of) their internal systems to respond quickly to exposure, and to remove terrorist content from their servers within the one hour timeframe. In doing so, they should also review how they moderate content, more generally, to ensure compliance with existing deletion obligations, such as the national hate speech rules under the German “NetzDG” law, and also to look ahead at what may need changing when the EU’s pending Digital Services Act (DSA) is adopted.
Organisations who use consumer-facing terms and conditions (T&Cs) in Europe may have to think again about how they go about updating and changing those T&Cs.
The German Federal Court of Justice found to be unfair (and, therefore, illegal and unenforceable) a common way to make changes to T&Cs used in respect of consumers in Germany.
Germany’s strict rules for T&Cs already make most clauses illegal that would allow businesses to make unilateral changes to ongoing agreements (e.g., subscriptions). By this new decision, which was triggered by a set of T&Cs used by German banks, the Court has now invalidated one of the remaining approaches for unilateral amendments that is currently being used broadly across industries: a workaround whereby changes to T&Cs are framed not as unilateral acts by the business, but as mutually agreed amendments, with the consumer’s acceptance deemed to be given so long as they do not object within a specified deadline (so-called “tacit consent”). See our full client alert for further details.
Based on the Court’s decision, the continued use of clauses such as those now declared illegal will mean a higher risk of enforcement action – by consumers, consumer groups and possibly government regulatory agencies. These types of amendment clauses cannot be relied on as a basis to make binding changes to ongoing agreements, and companies will need to think again about how to make changes. T&Cs for Germany should therefore be reviewed and updated. But the problem goes wider than just Germany: T&Cs are usually drafted to cover all users or consumers globally or Europe-wide and companies don’t want to have to adopt one process to amendments for German consumers and a different approach to the rest of Europe. So the question is how to balance the risk of unenforceability in Germany against a more laborious or cumbersome approach applied Europe-wide?
The fairness and transparency of consumer T&Cs also remain on the agenda in the post-Brexit UK, with a recent court decision serving as a reminder that businesses may not always be able to rely on one-sided terms against consumers. See our full client alert for further details.
The UK government has published a draft Online Safety Bill (the “Bill”) that is designed to tackle illegal and harmful content published online.
Announced in May 2021, the Bill imposes a duty of care on certain online providers to take responsibility for the safety of their UK users. This means that online service providers, regardless of their location, will be affected if they have a significant number of UK users. It also appoints Ofcom (the existing regulator of the UK communications and broadcasting sector) as the regulator, with the power to block sites and also levy fines amounting to the higher of £18 million or 10% of global turnover.
The Bill will require providers of (1) “user-to-user” services and (2) search services to prevent the proliferation of illegal content and activity online. The first category includes companies that allow users to upload and share their own content. Most obviously, this includes global social media companies but, on closer analysis, this category is very broad and may include any provider that hosts user-generated content. The second category includes companies that enable users to search multiple websites and databases. Affected companies will also have to make special assessments and fulfil specific duties where services are likely to be accessed by children in respect of both illegal and harmful content. To meet the duty of care, companies will need to put in place systems and processes to ensure user safety.
Notably, the Bill goes beyond the EU’s proposed Digital Services Act by introducing duties of care in relation to harmful (but not necessarily illegal) content.
All companies falling within the scope of the Bill will need to balance their content duties with the duty to safeguard freedom of expression and democratically important content; increased censorship is a key concern of campaigners. After being reviewed by a parliamentary committee, the Bill will be debated by MPs before being approved. See more in our client alert.
In June 2021, the German parliament adopted a draft law dubbed the Anti-Darknet Act. The Act targets operators of illegal online trading platforms and their server infrastructure providers with criminal penalties of up to 10 years of imprisonment. These online platforms for drugs, weapons, stolen credit cards, counterfeit currency and more made headlines when police investigations took down DarkMarket (in 2021), Wall Street Market, Dream Market (both in 2019), Hansa and AlphaBay (both in 2017).
Crucially, the new draft law only applies if the trading platform is operated with the purpose of enabling or facilitating an enumerated list of criminal offences. Similarly, the infrastructure provider must intend or know that the infrastructure will be used for this purpose. This protects legitimate online trading platforms, which could covertly be used by criminals.
Legislators expect that the new rules will make it significantly easier to prosecute operators of illegal platforms because law enforcement agencies will no longer have to prove knowledge of a specific illegal act committed via the platform.
The new law will now enter into force before the end of 2021. Once in force, the new rules may also provide a new tool for companies susceptible to brand piracy or counterfeit products. Such companies could strengthen their fact-finding investigations with the help of the police, as the enumerated list of criminal offences covered by the new law not only includes capital offences, drug-trafficking and child pornography but also (computer) fraud, hacking-related offences and infringements of trademarks, geographical indications and registered designs.
In response to increasing threats of hacker attacks against critical infrastructure systems in the financial, energy, and other key sectors, the German IT Security Act 2.0 took effect in May 2021.
The new rules expand the circle of enterprises subject to specific IT security regulation to include, among others, municipal waste management and certain “special public interest” companies. They also raise the bar of security requirements: Affected companies now have to register with the German Federal Office for Information Security (BSI). Operators of critical infrastructure must implement state of the art “attack detection systems”. Future government decisions may prohibit the use of “critical components” of untrustworthy suppliers in such infrastructures. IT security requirements are particularly severe for 5G networks: Critical components used in such networks require prior certification by a recognised body, while 5G network operators face periodic security reviews.
The tougher stance against IT security threats is backed up by an increased maximum fine for violations of IT security obligations of €20 million (previously €100,000) and by significantly expanded competencies of the BSI to ensure network security and consumer protection on IT security issues.
Key requirements for applying the new provisions, such as the specification of critical components or criteria to determine “special public interest” companies, remain subject to secondary legislation and thus uncertain. In addition, the German government has published draft legislation further extending the group of critical infrastructure operators regulated by IT Security Act 2.0.
The Telecommunications (Security) Bill aims to boost the security standards of the UK’s telecoms networks by placing new legal duties on communication providers to improve their security practices. It will also introduce new powers for the UK government to impose controls on communications providers’ use of goods, services or facilities supplied by high-risk vendors. Alongside enforcing the new legislation, Ofcom will be given the responsibility of monitoring and assessing telecoms providers’ security. Companies that fall short of the new duties or fail to follow directions on the use of high-risk vendors could face heavy fines of up to 10% of turnover or, in the case of a continuing contravention, £100,000 per day.
Given that the Bill is undergoing its second reading in the UK House of Lords, the key thing to look out for now is the secondary legislation, which will set out the specific security requirements that communications providers must meet. The UK government’s announcement confirms an intention to engage with providers on the technical details of the secondary legislation before it’s finalised later in 2021, so companies should keep an eye out for upcoming opportunities to discuss their concerns regarding the impact of these rules on their businesses.
We have reported before that both the EU (via the Digital Services Act and Digital Markets Act) and the UK (though the establishment of its Digital Markets Unit) are moving towards greater regulation of so-called “Big Tech” companies.
In what could be seen as an instance of a company trying to get ahead of the type of the new European legislation, in May 2021 the global online marketplace eBay announced the successful pilot of its Regulatory Portal. This new mechanism permits selected, trusted authorities efficiently to report listings for illegal or unsafe items to be taken down from eBay – without the need to ask eBay’s permission. The online portal complements both eBay’s existing customer reporting facility and eBay’s own efforts to remove such illegal or unsafe listings. The portal is in a beta phase and will apparently later incorporate functionalities such as seller communication. The UK’s Ofcom and Office for Product and Safety Standards are a few of the 50+ approved regulators with access to the portal. Dangerous and counterfeit goods are the obvious targets of such measures.
The portal’s innovation may partly be driven by the anticipation of increased digital regulation. The EU’s proposed Digital Services Act also suggests a similar concept of “trusted flaggers”. Online platforms might be required to set up mechanisms to ensure that reports of illegal content by trusted flagger entities (as appointed by Member States) are prioritised and processed without delay.
In May 2021, Germany adopted new legislation that moves towards allowing full access to public roads for autonomous vehicles. This is only a next step, because the new legislation (titled “Act on Autonomous Driving”) only permits autonomous vehicles of SAE level 4 – i.e., those that are restricted to operate in certain defined conditions (e.g., “people movers” on pre-defined routes or short-range transportation of goods). Local road authorities must approve these conditions based on individual applications.
However, despite the still-limited roll-out of autonomous vehicles, the new law also lays the groundwork for further steps towards actual autonomy. Instead of drivers, autonomous vehicles will have “technical supervisors” who must be ready to interfere if necessary, which will further limit autonomy, at least for now. Owners of autonomous vehicles must make sure to store certain log data, e.g., in case of irregularities in the operation of the vehicle. Third parties have a claim to access this data in case of accidents with an involvement of the autonomous vehicle. The law also regulates over-the-air updates that activate dormant autonomous driving functionalities.
The new rules are expected to enter into force during summer 2021. However, further legislation will be necessary to allow for fully autonomous mobility on German roads. Also, the new law does not yet regulate the question of who will be liable in case of accidents caused by autonomous vehicles.
Following the publication of its research paper on harms to competition and consumers caused by algorithms in January 2021, the UK Competition and Markets Authority (CMA) ran a consultation requesting input on the paper from market participants. On 7 June 2021, the CMA released a summary of the 27 responses received, which indicated the areas of key concern for respondents, and highlighted a number of suggestions as to the CMA’s role and enforcement powers.
The responses are intended to inform the CMA’s “Analysing Algorithms Program”, which was launched alongside the publication of the paper. Given the commercial value and prevalent use of algorithms, businesses will no doubt be watching this space for further consultations, guidance and papers published as part of this program in the CMA’s crackdown on algorithmic harms.
New rules allowing for anonymity and the speedy resolution of disputes related to novel digital technology were published by the UK Jurisdiction Taskforce of Lawtech in April 2021. The Digital Dispute Resolution Rules are optional rules that can be used for, and incorporated into, on-chain (i.e., occurring on a blockchain) digital relationships and smart contracts. The purpose of the rules is to facilitate the swift and cost-effective resolution of commercial disputes, involving cryptoassets, smart contracts, blockchain and other technologies, using arbitration, or expert determination for expert issues.
Contracting parties can agree to incorporate the rules, usually by including them in a contract or by agreeing to arbitrate under the rules once a dispute arises. This will avoid the need for costly litigation and help parties resolve the matter outside of court. The outcome of any automatic dispute resolution process will be legally binding on the parties.
The rules also contain provisions to allow parties to retain anonymity once they have provided evidence of their identity to a tribunal. This recognises a key motivation of digital assets users. The guidance published alongside the rules suggests and allows for modifications; parties will therefore be able to tailor a dispute resolution solution to their needs. The taskforce will review the rules and their applications next year.
Over the past few weeks, there have been a few developments on things that we wrote about in our Q1, 2021 tracker of Key European Digital Regulation & Compliance Developments.
We are grateful to the following members of MoFo’s European Digital Regulatory Compliance team for their contributions: Jannis Werner, Dominik Arncken, Theresa Oehm, and Alexander Eisenfeld, Mercedes Samavi, and trainee solicitors Georgia-Louise Kinsella and Georgia Wright.