European Digital Compliance: Key Digital Regulation & Compliance Developments
European Digital Compliance: Key Digital Regulation & Compliance Developments
To help organisations stay on top of the main developments in European digital compliance, Morrison Foerster’s European Digital Regulatory Compliance team reports on some of the main topical digital regulatory and compliance developments that have taken place in the second quarter of 2022.
This follows on our previous updates on European digital regulation & compliance developments for 2021 (Q1, Q2, Q3, Q4) and Q1 of 2022.
In this issue, we note the large strides taken towards adoption of the EU Digital Services Act (which seeks to regulate the operations of all digital service providers operating in the EU, wherever the provider happens to be based) and the EU Data Governance Act. We also highlight other recent and forthcoming digital regulatory initiatives from the EU (and also case law), including changes that companies will need to make to online ordering processes affecting EU-based consumers. We also look in more depth at how the UK government is taking forward its self-declared “pro-competitive” regime for the regulation of digital markets and at a slight relaxation of UK product labelling rules for digital hardware.
In April 2022, the EU Parliament and Council reached political agreement on the Digital Services Act (DSA). The EU Parliament’s Internal Market Committee also endorsed the agreement in June, and it’s now expected that the DSA will be formally adopted by the EU Parliament very soon. The finalised text is not yet available to the public.
In parallel with the Digital Markets Act (DMA), the DSA seeks to regulate the operations of all digital service providers operating in the EU – wherever the provider happens to be based. It will come into effect as an EU Regulation, meaning that no further implementation into Member State law will be required.
The DSA aims to address large digital platforms, impose greater accountability on intermediaries for third-party content, and protect users from illegal goods, content or services. The DSA sets out a new framework of obligations to apply to all digital services that connect consumers to goods, services or content, including new procedures for faster removal of illegal content as well as comprehensive protection of users’ fundamental rights online. It adopts the principle that illegal offline acts should also be illegal online.
The DSA will apply to any online intermediary offering services in the EU. Intermediary services are broken down into various categories:
The strength of the DSA’s obligations is intended to be proportionate to the nature of the services and number of users for a given platform, so that larger digital services providers will be subject to more rigorous standards. The DSA imposes obligations on various online intermediary service providers, such as: to identify and remove illegal content; not to manipulate users’ choices through nudging or deceitful techniques (dark patterns); and to verify and check traceability information provided by traders that sell via platforms to consumers.
The Commission will have exclusive power to demand compliance for platforms with more than 45 million users, and penalties include up to 6% of those platforms’ worldwide turnover.
The final vote in the EU Parliament for the DSA is expected in July 2022, followed by a formal adoption by the Council and then publication in the EU Official Journal. The DSA is then expected to come into force in late 2023 or early 2024.
The new EU mechanism for the wider reuse of public-sector data – the Data Governance Act (DGA) – has now been adopted. We previously reported on the Data Act.
As of 24 September 2023, certain categories of data such as trade secrets, personal data and data protected by intellectual property rights may be reused and shared by companies and individuals alike without fear of being misused or compromised.
The DGA is a culmination of efforts by the EU to leverage the high-value data economy in the EU, which is expected to reach €829 billion by 2025. Previous consultation on this issue emphasised the lack of incentivisation for both individuals and companies to participate in data sharing. One of the DGA’s main aims will be to ensure that in-scope data is handled consistently with the principles and protections offered by the GDPR, ePrivacy Directive, consumer law, competition law and other applicable EU laws.
The DGA will be underpinned by a framework for data intermediation services (“DI Services”) which will provide the secure environment in which parties can share data. Where the sharing parties are companies, the DI Services will be facilitated via digital platforms and any providers of DI Services will need to add themselves to a central register. From a privacy perspective, the DI Services will give individuals full control over their personal data on top of the protection that they receive under the GDPR, e.g., through personal information management tools such as data wallets, so that the individual is at all times aware of how their data is shared with others, and can give/withdraw consent accordingly.
To help the European Commission navigate its oversight of the DI Services, a European Data Innovation Board will be created to advise the Commission and issue guidelines on how to nurture the development of data spaces and improve interoperability. Alongside this, the European Council is working on a regulation on harmonised rules on fair access to and use of data (somewhat confusingly referred to as the Data Act) and discussions are in full swing.
The EU is ramping up the fight against online sexual abuse of children with its draft “Regulation laying down rules to prevent and combat child sexual abuse“. The Regulation will impose requirements on providers of certain digital services or platforms operating in the EU to detect, report and remove child sexual abuse material (CSAM) offered via their services, under a regime overseen and enforced by regulatory authorities designated by EU Member States.
Since 2011, the EU has been fighting child pornography. Two years ago, the European Commission formulated a new “strategy for a more effective fight against child sexual abuse“. The proposed new Regulation is the latest step in this process and combats two types of online child sexual abuse: the online dissemination of child sexual abuse material (CSAM) and online solicitation of children (or “grooming”).
The proposal addresses any services that allow users to upload files, and any services allowing interpersonal communication (i.e., chat, audio or video calls). The service providers must perform a risk assessment, implement risk mitigation measures and report the results. Moreover, a national authority can issue a detection order, meaning that the service provider will have to employ technology to actively search user content for CSAM or interactions that resemble child solicitation. The authority can also request internet access service providers to block a website hosting, displaying or disseminating CSAM.
Of all the proposed new requirements, the most controversial has been the creation of possible detection orders in relation to child solicitation in interpersonal communication, because the technology required to implement such an order would necessarily break end-to-end encryption. Encrypted cloud storage and other “zero knowledge” services face the same dilemma: Compliance with the Regulation requires them to change their privacy-focused business model.
The proposal will be debated in the EU Council and the European Parliament, before likely entering the so-called trilogue procedure to negotiate a final version approved by all legislative bodies. The respective timeline is still unclear.
The German Federal States are planning to amend their youth protection rules to enable parents more easily to set up parental controls at a central location on their own (and their kids’) devices to restrict access to inappropriate apps. To the extent that it affects audiovisual services (as opposed to storage media), youth protection law is subject to State-level, not Federal, legislative powers in Germany. Nevertheless, to provide for coherent rules Germany-wide, the States coordinate their lawmaking by way of “interstate treaties”.
After discussing an early concept paper with industry stakeholders in fall 2021, the States published a “discussion draft” of the new law for public consultation in May 2022. The public consultation was open until late June 2022. The draft provides that apps must obtain mandatory age ratings, and that they may be blocked based on these ratings by a new youth protection mechanism to be implemented in the operating systems of user devices.
The draft further requires that operating systems for media devices must feature a parental control mechanism that allows users to block apps depending on their age rating. Apps that include a certified youth protection solution will not be blocked, but instead must provide an interface so that they can automatically align their built-in solutions with the age-settings of the operating system’s parental control mechanism. Furthermore, operating systems must allow (adult) users to deactivate app installations from non-system app stores and web browsers without “safe search” features when the parental control mechanism is active.
The States will now digest the input received during the consultation process, and then agree on a final wording for the new law. This must then be ratified by all 16 German State parliaments before it can enter into force, which will likely not happen before early 2023.
The European Commission has proposed new legislation on financial services contracts concluded at a distance that will make various changes to EU laws regarding the regulation of online financial services in the EU.
On the surface, the proposed change looks somewhat superficial. The Commission will repeal the Distance Marketing Directive (2002/65/EC) (DMD) and transfer its contents to the Consumer Rights Directive (2011/83/EU) (CRD).
The DMD contains consumer protection rules governing financial services contracts that are concluded remotely or at a distance, including requirements for the information that must be provided to the consumer before the contract takes effect, and providing a right of withdrawal and a prohibition on unsolicited communications from suppliers.
The CRD contains similar provisions with respect to other types of distance consumer contracts but currently excludes all financial services.
So the Commission now proposes to repeal the DMD and transfer its contents to the CRD via a new Chapter to the CRD that applies to financial services contracts concluded at a distance. But the net effect of the new proposal will be to make a number of changes to the applicable regulatory regime for financial services distance contracts, such as the following:
The EU Council and the European Parliament will now consider the Commission’s proposal. If and when adopted, EU member states will be given 24 months to transpose the Directive into national law.
The proposal will not have effect in the UK unless the UK government enacts similar requirements. So financial services providers operating across Europe will need to consider whether to apply two different approaches or harmonise their systems around one approach – presumably the more consumer-friendly EU regime.
From 1 June, a new Block Exemption Regulation for vertical agreements (the so-called Vertical Block Exemption Regulation No. 2022/720 or VBER, including related Guidelines) applies to all new in-scope agreements operative in the EU.
The purpose of the block exemption is to provide a “safe harbour” and generally exempt agreements between market players at different levels of the supply chain (so-called “vertical agreements”, e.g. between brand owners and retailers) from the EU’s prohibition on anti-competitive agreements (Art. 101 TFEU, including its national equivalents) if certain market share thresholds are met and provided the agreement does not contain certain prohibited restrictions. This regime is intended to reduce burden on businesses by giving them legal certainty around the compliance of certain categories of agreement with antitrust laws.
The new VBER retains many of the provisions found in the old VBER. For example, while there are some new clarifications on resale price maintenance, the new VBER continues to generally treat it as a hardcore restriction, consistent with recent enforcement action by the European Commission (EC) in this area.
However, there are some significant changes that companies need to understand in order to ensure that their distribution arrangements in the EU continue to benefit from the exemption. For instance, the rules for online sales restrictions have softened (e.g. by applying a softer approach to dual pricing for online and offline sold products, or by allowing restrictions on the use of online market places). But the new VBER is stricter with respect to dual distribution systems (where manufacturers sell directly to customers but also via retailers) and restrictions imposed by online market places (particularly so-called “most-favoured nation” clauses). We have summarised the key changes for businesses in our recent client alert.
Contracts already in place before 1 June 2022 must be amended to comply with the new rules by 31 May 2023. Any new agreement that falls within scope of the new VBER needs to be drafted appropriately. In particular, operators of online marketplaces should review the changes carefully and ensure not only that they make the necessary adjustments to their existing contracts but also that they follow the VBER guidelines when concluding new contracts.
The European Commission (EC) is planning amendments to the Unfair Commercial Practices Directive (UCP) and the Consumer Rights Directive (CRD) to support the next steps towards a cleaner and greener EU economy. This change will apply to all businesses operating in the EU, including those with a digital focus, because sustainability is a hot topic across all industries.
The EC’s declared aim is to strengthen the protection and position of consumers in order to achieve climate and environmental objectives under the EU’s “Green Deal“.
The planned amendments to the CRD would introduce new pre-contractual information obligations for contracts with consumers on the durability and reparability of products. For businesses with a digital focus, the proposal suggests an obligation on digital providers to provide information to buyers and consumers on the existence and length of the period during which the manufacturer commits to providing software updates.
The planned amendments to the UCP would mainly update the current law on misleading commercial practices in relation to green claims without introducing major changes. The draft introduces new (clarifying) provisions and extends the so-called “black list” (of prohibited behaviour) to ensure that companies do not mislead consumers about the environmental and social impacts of their products or services, the use of sustainability labels and the durability and reparability of products. The proposal, for instance, explicitly provides that it would be misleading to make generic environmental claims (e.g., “environmentally friendly”, “eco” or “green”) where the claimed environmental performance of the product or seller cannot be demonstrated, or to make an environmental claim about the entire product, even though the claim only concerns a certain aspect.
The proposal remains subject to discussion and its implementation may still take some time. Businesses should nevertheless begin to consider the likely changes to be made in the UCP in relation to “green” claims. This is because most of these principles already apply to all businesses today under the general prohibition on misleading commercial practices. In case of violations, companies are faced with private enforcement, such as cease-and-desist or damage claims, as well as fines.
The UK has proposed reforms to its consumer protection laws to give the Competition and Markets Authority (CMA) greater enforcement rights against proscribed online or digital conduct, and to introduce specific reforms to make companies responsible for fake online reviews and so-called “subscription traps”.
The CMA has long been requesting these reforms, which will likely result in a significant uptick in enforcement activity, once enacted.
A Draft Digital Markets, Competition and Consumer Bill (the “Draft Bill”) was included in the Queen’s Speech in May 2022, which sets out the UK government’s priorities for the year ahead. The Draft Bill is set to provide better protection for consumers online and enable the regulator (the CMA) to take more effective action on behalf of consumers. The Draft Bill will impose tighter rules on organisations operating online and strengthen the CMA’s enforcement powers, including the ability to impose fines of up to 10% of global turnover for breaches of consumer law.
The increase in the CMA’s enforcement powers is a significant reform. Currently, the CMA is unable to enforce decisions without going through the courts, and no penalties can be imposed for breaches (except where there is a failure to comply with a court order). Under the Draft Bill, the CMA will itself be able to issue decisions, and issue fines for more serious breaches.
The Draft Bill will also tighten rules in relation to specific areas of online activity, particularly subscription traps and fake reviews. With regards to subscription traps, the Draft Bill introduces specific requirements for organisations to send customers reminders regarding roll-over or auto-renewal contracts, and ensure that consumers are able to exit contracts in a straightforward and timely way. As we have pointed out before, the issue of auto-renewals is something that the CMA has previously considered, and EU regulators are also focused on it.
To increase protection from fake reviews, the Draft Bill proposes to add fake reviews to the list of automatically unfair practices under the Consumer Protection from Unfair Trading Regulations 2008. For example, online platforms will be “banned” from hosting consumer reviews without taking reasonable and proportionate steps to check they are genuine. What the regulator considers to be “reasonable and proportionate steps” has yet to be clarified.
Similar reforms are expected in the EU, where Member States are required to give their national consumer regulators the power to impose fines of up to 4% of global turnover by the end of May 2022.
Despite its inclusion in the Queen’s speech, the Government has not yet committed to legislating the Draft Bill in the current parliamentary term; as a result, it’s not yet clear when the new rules will come into force.
The UK Government has confirmed its intention to introduce a new regulatory regime targeted at regulating major digital platforms. The proposed “pro-competition” regime for the regulation of digital markets will give a suite of enforcement powers to the Digital Markets Unit (DMU), which has been established within the CMA pending the introduction of legislation, including the ability to designate major platforms with “Strategic Market Status” and impose various constraints on their conduct, including structural remedies.
History of the proposals
The proposals for a new forward-looking regime for the regulation of digital markets have their genesis in a series of expert panel reports and recommendations dating from 2019, including in particular the Digital Competition Expert Panel, chaired by Jason Furman. The Furman report on “Unlocking Digital Competition” concluded that existing regulatory powers were insufficient to tackle the novel challenges presented by the digital age and, in particular, recommended the introduction of a new regime which would include “pro-competition” policies to enable regulators to improve consumer choice by lowering barriers to entry and for interoperability, including through the use of enforceable codes of conduct for firms designated as having “strategic market status”.
Following the Furman Report, the CMA used its existing enforcement toolkit to develop its understanding of the relevant markets, starting with a wide-reaching market study into digital advertising in the UK, which concluded in July 2020, and culminating in the publication of advice to the government in December 2020 on the design and implementation of the new regime. The DMU was established within the CMA from April 2021.
Against this backdrop, the UK government issued a comprehensive consultation on proposals for reform in July 2021, taking on board most of the proposals made by the CMA and the Furman Review. The response to these proposals was published on 6 May 2022, when the government confirmed its intention to introduce new legislation to establish the regime.
Overview of the proposals
Like the EU regime, the regime will involve the “ex ante” regulation of firms designated as having “Strategic Market Status” (SMS). The test for conferring SMS will require that a company has “substantial and entrenched market power in at least one digital activity, providing them with a strategic position” and that there be a nexus to (and impact on competition in) the UK. The DMU will be required to produce detailed guidance on how it will conduct its assessment, which will be undertaken via a “market study” type investigation.
The regime will allow the DMU to develop an enforceable code of conduct specific to each designated firm, with “core obligations” to underpin this code, including the fair treatment of users, removal of barriers to switching and ensuring customers can make informed choices. These core obligations will be supported by a series of “conduct requirements” which will be set out in legislation, based on which the DMU will develop company-specific conduct requirements, including obligations not to leverage market power, impose discriminatory terms or engage in bundling, as well as positive duties of transparency.
Contrasts to the EU regime
The UK proposals differ quite materially from the EU regime, most importantly in that the proposed codes of conduct will be bespoke to the individual firms, unlike the EU regime which will require compliance with a set of standardised conduct rules for all designated “Gatekeepers”. There will also be the possibility for regulated firms to apply for an exemption for conduct that would otherwise breach code requirements where the relevant company can illustrate that such conduct brings about net consumer benefits. Such exemptions will not be available under the EU regime, although the bar for granting an exemption will likely be high.
Another key difference is the proposed ability for the DMU to implement broad ranging “pro-competitive interventions” (PCIs) where the DMU has identified an adverse effect on competition following a nine-month “market-study” type investigation. These remedies will be intended to address the “root causes” of market power on a company-specific basis and could include orders to allow interoperability, third party access to data or even structural separation.
Merger controls
Proposals for a bespoke merger regime have been dropped, but SMS firms will be required to report “their most significant” transactions to the CMA before closing, with its current thinking being that this would be where there is an acquisition of over 15% equity or voting share, the value of holding is over £25m and the transaction meets a UK nexus test. Separately, the proposed reforms to competition will introduce amendments to the existing merger control thresholds to address the CMA’s ability to investigate so-called “killer acquisitions”. In particular, the government has proposed introducing a new basis to intervene in mergers where the parties are not direct competitors, which will apply where at least one party has an existing “share of supply” of 33% in the UK and a UK turnover of £350m.
While the UK government has confirmed that the regime will be established, it is not clear when this will be, although this is unlikely to be before 2023. In the meantime, the DMU is fully up-and-running, and the CMA is using its full suite of existing powers to address current market concerns and develop the principles that will most likely apply to regulated firms once the regime comes into force. This includes a series of market studies and specific enforcement actions against some of the major platforms.
Most recently, the CMA announced in June 2022 the results of its market study into mobile phone ecosystems, in which it concluded that a more detailed market investigation should be launched into mobile browsers and cloud gaming. The Market Study report provides insight how the regime might be “operationalised”, including the CMA’s view on what an assessment of strategic market status would look like, as well as examples of conduct that could be addressed under codes of conduct and PCIs.
In June 2022, the UK government announced changes to help businesses to apply the new UK Conformity Assessed (UKCA) mark on most products placed on the market in Great Britain. This eases the transition from the EU’s “CE” mark, which will cease to apply to the UK market post-Brexit. The new rules are expressly intended to cover the supply of electronic devices.
Since the Brexit transition period ended, the UK government allowed businesses to continue to use the CE marking on affected products sold in the UK until 31 December 2022. With only six months to go until the end of this grace period, the UK government has announced some relaxation of the rules to ease the transition from CE to UKCA markings:
The government will quickly introduce the necessary legislation before the end of 2022. Manufacturers or suppliers into the UK of affected products (including digital hardware and electronic devices) should review how the new labelling and marking rules affect their products.
Cybersecurity risk management and reporting obligations rules in Europe are about to change significantly. The new Directive on measures for a high common level of cybersecurity across the EU (NIS 2) will impose stricter cybersecurity risk management requirements on more organisations, and introduce tougher supervisory and enforcement measures.
The Council of the EU and European Parliament have reached a provisional agreement on NIS 2, which was first proposed by the EU Commission in December 2020. Once formally adopted, NIS 2 will replace the current Directive (EU) 2016/1148 on security of network and information systems (NIS 1).
Among other things, NIS 2 will set the baseline for cybersecurity risk management measures and reporting obligations across all covered sectors, which includes energy, transport, chemical manufacturing, production and distribution, postal and courier services, healthcare and digital infrastructure.
NIS 2 forms part of the EU’s wider effort to better protect critical national infrastructure from cybersecurity threats, including the heightened risk and critical vulnerabilities associated with networking and information systems, and digital supply chains.
See our more detailed client alert for further insight.
The provisional agreement is now subject to approval by the Council of the EU and European Parliament and is expected to take place within the coming months. Once NIS 2 has been adopted, EU Member States will have 21 months thereafter to incorporate the provisions into their national law. However, EU Member States may well introduce national implementing laws ahead of the deadline, as some of them did with NIS 1.
The European Court of Justice (CJEU) has ruled that online traders need to give pre-contractual information to consumers about a manufacturer’s guarantee if that information has been made an essential element of the offer (Victorinox, Case C-179/21). This ruling clarifies what pre-contractual information is actually required to meet consumer protection laws (the Consumer Rights Directive (2011/83/EU) (CRD)).
The mere existence of a guarantee is not enough to trigger disclosure; traders can be silent about any manufacturer guarantees unless there is a legitimate consumer interest. This interest arises if that information is decisive for the consumer in deciding whether or not to enter into a contractual relationship with the trader.
To determine the central or decisive element of the offer, traders should consider:
Traders must still provide relevant information about their own guarantees.
The scope of this decision has been recently amplified by the ECJ ruling that an online intermediary can be a trader for the purposes of the CRD (see our summary from our Q1, 2022 update). This ruling is binding in the EU but (post-Brexit) not in the UK. UK courts may choose to take the ruling into account.
The European Court of Justice (CJEU) has ruled that, under the EU Consumer Rights Directive (CRD), an EU-based consumer is not bound by an online contract if any button or similar function used for online orders is not labelled, in an easily legible manner, only with either the words “order with obligation to pay” or a corresponding unambiguous formulation indicating that placing the order entails an obligation to pay the trader.
The CJEU case concerned the question of how the so-called “purchase button” on a seller’s online interface must be labeled in light of the CRD’s statutory obligation to use the wording “order with obligation to pay” or “corresponding” wording. In its recent ruling, the CJEU found that the directive requires that the fact that the function triggers an obligation to pay has to be:
The referring court (Local Court of Bottrop, Germany) had to decide whether a contract between a consumer and a hotel company was validly entered into and enforceable. The consumer had followed the procedure on a website on which the hotel company had offered its rooms. After clicking a button labelled “I’ll reserve”, the consumer had entered his personal details and the names of the individuals accompanying him, before clicking on a button labelled with the words “complete booking”. The hotel company claimed that the consumer would have to pay for the four double rooms that where subject of the procedure, despite never having shown up at the hotel.
The referring German court had doubts whether the obligations of the German version of the CRD were satisfied. Like the CRD itself, German law does not contain specific examples of “corresponding formulations,” with the consequence that sellers may use words of their choice that satisfy the requirement that the obligation to pay is evident. In the view of the referring court, albeit clear from the booking process, the term “booking” in the expression “complete booking” is not necessarily associated in everyday language with the obligation to pay financial consideration, but is often also used as a synonym for “pre-order or reserve in advance free of charge”.
Previous rulings of local German courts have taken into account the overall circumstances of the ordering process and, in particular, the configuration of that process, for the purpose of determining whether words such as those used by the operator of the booking website constitute an unambiguous formulation corresponding to the words “order with obligation to pay”.
Especially where EU Member State law does not provide examples of button labels, sellers are advised to assess whether the wording on their final ordering button (or similar function) explicitly indicates that its activation triggers an obligation to pay.
Article 17 of EU Copyright Directive includes a provision requiring online content-sharing service providers (OCSSP) to ensure that copyright-protected works cannot be uploaded without the prior consent of rights-holders – and has long been considered by those services’ users as a potential violation of their fundamental rights. This was based on the assumption that Art. 17 implied the use of upload filters.
Upload filter technology, in turn, was considered by some as not sufficiently developed to safeguard users’ rights to upload works on basis of copyright exemptions such as citation or parody. Against the background of these discussions, Poland brought an action for annulment of Art. 17 EU Copyright Directive before the European Court of Justice (CJEU). Poland argued that Art. 17 EU Copyright Directive infringed the freedom of expression and information guaranteed in the Charter of Fundamental Rights of the European Union.
The CJEU did not follow this argument, concluding instead that the obligation imposed on online content-sharing service providers to review (prior to its dissemination to the public) the content that users wish to upload to their platforms, has been accompanied by appropriate safeguards implemented by the EU legislature to ensure compliance with the Charter of Fundamental Rights. The CJEU explained that Art. 17 strikes a fair balance between fundamental rights of the services’ users on the one hand and the creators’ intellectual property rights on the other.
While not spelling out in detail how upload filter technology needs to be programmed or how Member States should transpose this requirement, there are some valuable takeaways.
The decision will likely impact the national transpositions of Member States for the EU Copyright Directive. Even though the transposition deadline passed in June 2021, many Member States are still in the process of implementing Art. 17 of EU Copyright Directive into their national laws.
In response to a series of judgments by the European Court of Justice (CJEU) from 2021, in April 2022 the German telecoms regulator Bundesnetzagentur (BNetzA) banned the zero-rating offerings of Germany’s top two mobile phone service providers.
“Zero-rating” regimes are implemented in mobile service contracts with limited data volumes. They allow users to use certain predefined online services, e.g., social-media, without consuming their data volume.
In earlier decisions, BNetzA found that the relevant zero-rating programs generally comply with the EU Open Internet Regulation (Regulation 2015/2021 of 25 November 2015). BNetzA relied on the guidelines on implementation of the Open Internet Regulation by the Body of European Regulators for Electronic Communications (BEREC) in force at the time, which generally consider zero-rating programs to be permissible, subject to certain conditions.
In 2021, however, the CJEU ruled not only that the specific programs that were subject of the proceedings are incompatible with the net neutrality principles as laid down in the EU Open Internet Regulation, but also that the entire concept of zero-rating violates the Regulation’s principles on equal treatment of data traffic. This led to the BNetzA ruling, but also resulted in BEREC revising its guidelines on implementation of the Open Internet Regulation. The new guidelines, published on June 9, 2022, now clarify that all differentiated pricing practices that are not application-agnostic are inadmissible. This includes zero-rating programs.
German affected mobile phone service providers have until 31 March 2023 to adjust to the BNetzA’s decision. Until then, all existing and yet to be concluded contracts with a zero-rating component can be continued. The German providers will most likely not be the last ones affected by the ruling of the CJEU. Due to the new guidelines of the BEREC, bans of zero-rating tariffs by the other EU telecom regulators can be widely expected. This will not only impact relevant mobile phone providers, but also any content providers that currently benefit from zero-rating programs across the EU.
We are grateful to the following members of MoFo’s European Digital Regulatory Compliance team for their contributions: Femi Omisore.