European Digital Compliance: Key Digital Regulation & Compliance Developments (February 2024)

Keep up with the latest legal and industry insights, news, and events from MoFo

To help organizations stay on top of the main developments in European digital compliance, Morrison Foerster’s European Digital Regulatory Compliance team reports on some of the main digital regulatory and compliance developments that took place in the final quarter of 2023.

This report follows our previous updates on European digital regulation and compliance developments for 2021 (Q1, Q2, Q3, Q4), 2022 (Q1, Q2, Q3, Q4) and 2023 (Q1, Q2, Q3).

In this issue, we report on a busy few months for digital regulation in the EU. In addition to the heavily publicized EU AI Act, the EU has moved forward with regulations relating to child sexual abuse material, product liability laws affecting digital products and services, media freedom, the EU Data Act, and the EU Cyber Resilience Act. Not to be outdone, the UK enacted its controversial Online Safety Act. We also report on new rules relating to the repair of goods, greenwashing claims, online contract withdrawal rights, and auto-renewal subscriptions.

1. Provisional agreement on the EU AI Act

In December 2023, the European Parliament (EP) and Council of the European Union reached a political agreement on the EU Artificial Intelligence Act (the “AI Act”). We recently summarized 13 key aspects of the AI Act.

What’s new?

Contrary to common practice in EU legislative proceedings, the EP and Council did not agree on a specific text for the AI Act. Instead, the EP and Council agreed on more general solutions for the final topics that they have been debating. The text of the AI Act is still being finalized in technical meetings and expected to be confirmed in February 2024. The supposedly final text has been leaked in the meantime and will be addressed in more depth in the next issue. It will enter into force after a 20-day publication period and a two-year transition period.

The provisional agreement includes the following key topics:

The list of banned AI systems has been expanded to include, for example, untargeted scraping of facial images from the internet for facial recognition databases.
There is agreement on a risk-based, two-tier approach for general purpose AI (GPAI). All GPAI systems must comply with EU copyright laws and transparency requirements. High-impact systems will also need to conduct model evaluations, assess and mitigate systemic risks, report incidents to the EU Commission, ensure cybersecurity, and report on energy efficiency.
Foundation model providers will be required to make a summary of training data publicly available, covering all types of data. The AI Act will oblige GPAI providers to respect EU copyright law, including text and data mining opt-outs. However, there are still uncertainties regarding technical standards for opt-outs and potential copyright issues related to AI model outputs. Joint solutions between copyright owners and AI providers are recommended to create a safe business environment.
Based on the leaked text, open-source AI models released under free and open-source licenses will be exempt from the obligations of the AI Act unless they are placed on the market or put into service as high-risk AI systems. The prohibitions under Title II and the transparency obligations under Title IV (for AI systems intended to directly interact with natural persons) will, however, also apply to open-source AI models.
The provisional agreement for the AI Act establishes a new body, the AI Office, within the Commission, to enforce common rules in all EU Member States and ensure EU-wide market surveillance of advanced AI models. The AI Board will serve as a coordination platform and advisory body to the Commission, with an advisory forum for gathering input from stakeholders.
The EP has included an obligation for public and private entities providing public services to conduct a fundamental rights impact assessment for high-risk AI systems. This includes outlining the purpose, scope, potential impact on fundamental rights, and plans to mitigate harms. Other stakeholders may also be involved in the assessment. If a data protection impact assessment is already required under the EU General Data Protection Regulation (GDPR), it will be conducted alongside the fundamental rights impact assessment.
The maximum penalties for non-compliance have been increased, ranging from €7.5 million or 1.5% of global annual turnover to €35 million or 7% of global annual turnover, with more proportionate penalty amounts for small and mid-sized enterprises (SMEs) and start-ups. This creates a strong financial incentive for organizations to comply with the AI Act’s provisions and ethical standards, which is similar to the incentives in the GDPR.
The EP and Council have now agreed to include a right for individuals to complain about AI systems. The complaint process is not specified, and individuals will also have the right to receive explanations for decisions based on high-risk AI systems.

What’s next?

Work is on-going to finalize the proposed text of the AI Act, with a final review and agreement needed from EP and Council negotiators, followed by a vote in both bodies. Once more details are available, potential impacts for businesses can be assessed. It is unlikely to be confirmed before February 2024, with a two-year transitional period for compliance expected. The regulation will impact how AI solutions are designed, built, trained, and deployed.

2. Regulation on Child Sexual Abuse Material: European Parliament proposes more limited regulatory obligations

In November 2023, the European Parliament (EP) adopted its position on a proposal on the so-called “CSAM Regulation” which relates to child sexual abuse material. In a number of respects, the EP’s approach is less onerous for digital service providers than the Commission’s original proposals.

The CSAM Regulation was first proposed by the European Commission in May 2022 (see our Q2, 2022 update). It aims to introduce a framework for providers of certain digital services operating in the EU to detect, report, and remove online child sexual abuse available via their services – including CSAM and child solicitation (so-called “cyber grooming”).

What’s new?

The EP has suggested some key changes to the Commission proposal that would affect the impact of the CSAM Regulation on in-scope services. Most importantly:

The EP suggests limiting the scope of risk management obligations in relation to online child sexual abuse. These obligations would only apply to: (i) “very large online platforms” designated under the EU’s Digital Services Act; (ii) services that are found to be substantially exposed to online child sexual abuse, video games with in-game communications features, porn websites, and services targeting children. The Commission proposal included no such limitation.
The EP suggests that all services targeting children must adopt a suite of technical and organizational youth protection measures, including restrictive default settings, parental controls, and specific content moderation. If adopted, this would become the most broadly-scoped and most comprehensive provision on youth protection obligations at the EU level.
In relation to app stores, the EP suggests limiting the scope of specific risk management obligations to app stores provided by companies designated as “gatekeepers” under the EU’s Digital Markets Act, while also severely limiting the burden associated with relevant substantive obligations.
The EP also suggests severely limiting the scope of so-called detection orders – i.e., orders to search users’ content and communications for known or new CSAM. These orders would not lead to indiscriminate searches (as suggested by the Commission) but rather remain limited to “suspicious” accounts.
The EP suggests limiting the scope of detection and removal orders in relation to cloud infrastructure services. Where in-scope services utilize cloud infrastructure services, authorities would only be able to turn to the cloud infrastructure provider to enforce detection and removal orders as a measure of last resort.

What’s next?

In parallel, the CSAM Regulation is also being debated in the EU Council by representatives of the Member State governments. It is currently unclear when and in what form the Council will be able to adopt its own position on the Commission draft – particularly due to concerns regarding the impact of CSAM detection orders on fundamental rights in certain EU Member States.

In any event, once the Council position is confirmed, trialogue negotiations among the Council, EP, and Commission will begin. As proposed by the Commission, the CSAM Regulation will enter into force six months after its final adoption.

3. Revised EU Product Liability Directive addresses the increase in AI and online shopping

In December 2023, negotiators from the European Commission, the European Parliament (EP), and the Council of the European Union reached a provisional (political) agreement to revise the four-decade old EU Product Liability Directive.

The Product Liability Directive establishes a strict liability (i.e., non-fault-based) regime to allow claimants to seek compensation for defective products throughout the EU, meaning that claimants do not need to prove fault to bring a successful claim.

What’s new?

The provisional agreement addresses the increase in online shopping (also from outside the EU) and the rise of new technologies (such as AI), as well as the need to ensure the transition to a circular economic model. To encourage innovation, the revised Product Liability Directive will not apply to open-source software developed or supplied as a non-commercial activity.

The new provisions are intended to ensure that there is always an EU-based entity (such as a manufacturer, importer, or their authorized representative) that can be held liable for a product which causes damage, even if the product was not purchased in the EU. In cases where such a liable company cannot be identified, the EP insisted that Member States should provide compensation through national compensation schemes.

The revised Product Liability Directive will clarify that IT security vulnerabilities are a product defect and will extend the rules on strict liability to:

Intangible products (including stand-alone software, digital content, SaaS, and AI applications)
Damages caused by loss or corruption of data
Online marketplaces (under certain conditions)
Fulfilment services providers if they fail to promptly identify a relevant economic operator established in the EU.

The new law will also improve the enforcement of civil law claims: by requiring disclosure of technical information to injured parties; allowing courts to presume that products are defective under certain circumstances; and reversing the burden of proof regarding the existence of a defect.

What’s next?

The text of the provisional agreement still has to be formally approved by the EP in plenary session (currently scheduled for April 2024) and then by the EU Council. After that, it will be signed and published in the Official Journal of the European Union and enter into force 20 days later. A 24-month transition period has been agreed, meaning that the new laws will enter into force in the first half of 2024 and apply from 2026.

4. Update on new EU rules promoting the repair of goods

In one of our previous updates on European digital regulation and compliance developments for 2023 (see Q1, 2023), we discussed that the European Commission had adopted a new Proposal for a Directive on common rules promoting the repair of goods (“Proposed Directive”) that will impose greater obligations on manufacturers of goods (including digital products) to repair defective products.

The Proposed Directive amends the remedies provided under the EU Sale of Goods Directive 2019/771 (SGD) for non-conformity so that consumers will only be able to choose replacement as a remedy if it is cheaper than repairing the goods.

What’s new?

The Commission’s proposal has entered the EU legislative process, where it has been discussed within the European Parliament and the Council, with both bodies proposing amendments to the proposal in preparation for trialogue negotiations:

Scope of the obligation to repair:

Commission: Proposes repair obligations for manufacturers of products listed in Annex II with “reparability requirements” set by the Commission.
Parliament: Intends to extend this obligation to all producers of Annex II products, even those without defined “reparability requirements”. This would give the Commission the right to add any product to Annex II.

Terms of the obligation to repair:

Commission: Allows producers to choose the terms of repair (e.g., free or for a fee).
Parliament and Council: Add requirements like timely repairs. Parliament proposes offering a refurbished product as an alternative and mandates that the producers must provide repair information and spare parts to third-party repairers at fair costs.

Online platform for repair:

Commission and Parliament: Encourage each Member State to set up an online platform for repairs and refurbished goods, covering more than Annex II goods.
Council: Prefers a single pan-European platform, allowing national platforms under certain conditions and including sellers of refurbished goods.

Liability period:

Parliament: Consumers must be provided with a temporary replacement if repair takes an unnecessarily long time; Parliament proposes to extend the statutory warranty period by twelve months once product is repaired.
Council: Proposes to extend the warranty period by six months if repair is chosen, with sellers informing consumers of their rights and the extended period.

What’s next?

It is expected that Parliament and the Council will reach an agreement and adopt the proposed Directive before the European Parliament elections in June 2024, so that the repairability requirements of the Directive could apply to products marketed in the EU/EEA from 2026–2027.

5. Green transition/greenwashing: EU Parliament adopts new law banning greenwashing and misleading product information

We reported in one of our previous updates that the European Commission (EC) is planning – as part of the EU’s Green Deal – amendments to the Unfair Commercial Practices Directive (UCP) and the Consumer Rights Directive (CRD) to support the next steps towards a cleaner and greener EU economy (see Q2, 2022). The EU Parliament has now adopted these amendments (see press release) which are meant to interact with the Green Claims Directive which is currently being discussed at the committee stage in the EU Parliament and on which we have also reported in one of our new updates (see Q1, 2023).

What’s new?

Amendment of the UCP

The amendment of the UCP aims at further protecting consumers from misleading environmental claims and unreliable sustainability labels. In particular, general environmental claims like ‘environmentally friendly’, ‘natural’, ‘biodegradable’, ‘climate neutral’, or ‘eco’ will be prohibited unless they can be properly evidenced.

Regarding the use of sustainability labels, the amendment only allows labels in the EU which are based on “official certification schemes or established by public authorities”. Finally, certain claims, according to which a product has a “neutral, reduced or positive impact on the environment because of emissions offsetting schemes”, will be banned.

Amendment of the CRD

The amendment of the CRD is focused on durability of products. In particular, producers will have to make guarantee information more visible. Also, a new harmonized label for an extended guarantee period will be introduced to clearly provide such information to consumers. The amendment also addresses false claims on the repairability of goods.

What’s next?

After having reached a provisional agreement in the trilogue (see press release) and the latest adoption by the EU Parliament, the amendments of the UCP and the CRD now need final approval by the Council. After that approval, the amendments will be published in the Official Journal, and Member States will then have 24 months for implementation.

6. EU implements mandatory “withdrawal function” requirement for online contracts

As we mentioned in one of our previous updates (see Q1, 2023), the European Commission issued a proposed Directive in May 2022 that would, among other things, require traders to include a withdrawal button on the same electronic interface used to conclude consumer contracts – but only to facilitate the exercise of the 14-day right of withdrawal for financial services sold electronically.

In March and April 2023, the Council of the European Union and the European Parliament adopted their positions on the Commission’s proposed Directive. To further increase consumer protection, their positions propose to extend the application of the withdrawal button to all distance consumer contracts concluded through an online interface (e.g., websites or mobile apps) – thus going far beyond the Commission’s original proposal.

What’s new?

In the meantime, the Council and Parliament proceeded to formally adopt the legislation in October 2023, and the final Directive was published in the Official Journal in November 2023.

Based on its final wording, the Directive facilitates the exercise of the right to withdraw from any distance contract by requiring the service provider’s interface to include a “withdrawal function” (now using broader terminology instead of “withdrawal button”) that is easily readable and accessible to the consumer. The withdrawal function must allow the consumer to send an online notice of withdrawal informing the trader of their decision to withdraw from the contract. Traders must also send to consumers an acknowledgement of receipt of the withdrawal without undue delay and on a durable medium, including its content and the date and time of its transmission. The consumer will be deemed to have exercised the right of withdrawal within the 14-day withdrawal period if they have sent the online declaration of withdrawal before the expiry of that period.

The objective of this withdrawal function is to raise consumers’ awareness of their rights of withdrawal and to ensure that it is as easy to withdraw from a contract as it is to conclude it. The withdrawal function is applied to all contracts concluded at a distance, not only financial services contracts.

What’s next?

The Directive must be transposed into the national laws of the Member States by December 2025. Its full application will start on 16 June 2026.

7. EU finalizes negotiations on new rules for political advertising

In November 2023, the EU institutions reached an agreement on the proposed new rules regarding political advertising in the form of a “Regulation on the Transparency and Targeting of Political Advertising”.

The Regulation recognizes that political advertising is a growing and increasingly cross-border business – particularly due to the use of digital ad-tech solutions. To combat disinformation, it aims to ensure that political advertising is as transparent as possible, including in terms of relevant targeting and ad delivery techniques.

Once in force, these new rules will apply to political ads regardless of the relevant distribution channels, but they will have a particular impact on online services where political ads may be placed.

What’s new?

The Regulation applies to anyone providing political advertising services across the entire value chain from preparation through dissemination of political ads – but it specifically targets publishers of political ads, i.e., services publishing, delivering, or disseminating such ads (such as social networks, broadcasters, ad networks). Its substantive rules essentially focus on provisions regarding ad transparency and related due diligence and on obligations regarding targeting and ad delivery techniques.

In terms of transparency obligations, the Regulation aims to ensure that it is apparent whether advertising qualifies as a political ad. For each political ad, it must further be transparent on whose behalf it is published, who financed it, what was paid in exchange for it, and where those funds came from. For all political ads published in the EU on “very large online platforms” designated under the EU Digital Services Act, this information will also be available in a public repository of political ads.
In the context of political ads, the Regulation will only allow the use of targeting and ad delivery techniques that involve the processing of personal data (e.g., cookies) under specific conditions, including a political-ad specific consent requirement, and a ban on profiling based on sensitive personal data. In addition, further transparency requirements apply where political advertising facilitates such techniques, particularly requiring information on targeting logic and parameters.

What’s next?

The finalized wording of the Regulation will now need to be formally adopted by the European Parliament and the EU Council before it can be published in the Official Journal and enter into force. Once that is done, it will apply subject to an 18-month transitional period – i.e., in any event, after the next European elections in June 2024.

8. EU finalizes its new European Media Freedom Act

In December 2023, the EU institutions agreed on the final wording for the new European Media Freedom Act (EMFA).

The EMFA is an EU Regulation that aims to harmonize and enhance EU rules on media pluralism, increase cross-border cooperation among media regulators, and address public and private interference with media outlets. See our previous reporting in our Q2, 2022 and Q3, 2022 updates.

What’s new?

The final EMFA wording still addresses all five categories of media entities contemplated by the original Commission draft in 2022, but it introduces some significant changes compared to that draft.

Providers of media services will enjoy further protection against state interference and unfair allocation of state advertising. This includes audiovisual and audio-only linear and on-demand offerings as well as press publications. However, media services with news and current affairs content will become subject to new obligations aimed at ensuring the editorial independence of relevant staff.
Manufacturers of devices and developers of user interfaces for audiovisual media services will have to implement functionalities so that users can change the default settings controlling or managing access to and use of such services. New wording added during the legislative process also requires them to respect the visual identity of the available media services.
Providers of “very large online platforms” as defined under the EU Digital Services Act will have to implement functionalities allowing users to self-declare that they are a media service under the EMFA. The very large online platform will then be subject to specific content moderation rules regarding content provided by declared media services. The final wording limits those specific rules to moderation measures aimed at enforcing the platforms’ terms (i.e., excluding moderation of illegal content).
Providers of audience measurement systems will be subject to general non-discrimination and transparency obligations, and they may have to disclose their methodologies upon request. The final wording also added an audit obligation for audience measurement systems that are not based on industry standards.
Providers of video-sharing platforms will not become subject to new substantive rules, but the EMFA facilitates cross-border enforcement of existing regulations for relevant services.

What’s next?

The finalized wording of the Regulation will now need to be formally adopted by the European Parliament and the EU Council before it can be published in the Official Journal and enter into force. Once that is done, it will apply subject to a 15-month transitional period – i.e., most likely at some point in 2025.

9. EU adopts its Data Act

We previously wrote about the EU Data Act (the “Act”) which was first proposed in February 2022 as part of the EU Commission’s strategy for data.

The Act came into force in January 2024.

What’s new?

The Act was published in the Official Journal of the European Union on 22 December 2023, which means that it came into force on 11 January 2024 and its provisions will become fully applicable as of 12 September 2025.

The Act (a) introduces harmonized rules on fair access to and use of data in connection with Internet of Things (IoT) products and related services, (b) enables users to switch more easily between different providers of data processing services, and (c) facilitates the interoperability of data, data sharing mechanisms and services, and common European data spaces.

The Act also applies to B2B relationships and, therefore, is not just a consumer-focused piece of legislation.

Some highlights of the Act’s provisions are the following:

Connected products and related services (for example, as provided through mobile apps or SaaS) put on the market after 12 September 2026 will need to be designed, manufactured, and provided in a way that allows the user, where technically feasible, to directly access the product/service data that they generate by using such devices.
Where data is not directly accessible by the user in such a way, the user can claim access to the “readily available” data from the data holder and request that it be shared with other data recipients.
A data holder can only use and share the product/service data based on a contract entered into with the user.
The Act prohibits certain unfair contractual terms if they are unilaterally imposed by one contract party on the other, such as a limitation on liability for intent or gross negligence.
Certain public sector bodies can request access to the data held by private companies in cases of public emergencies or for specific public interest purposes.
The Act imposes obligations on data processing services (such as IaaS, PaaS, or SaaS providers using shared resources for multiple customers) to ensure interoperability and enable users to switch from one provider to another more easily. While most obligations will only apply as of 12 September 2025, the restriction that the switching charge must not exceed the respective costs incurred by the provider is already applicable as of 11 January 2024. By 12 January 2027, providers of data processing services must not impose any switching charges on the customer for the switching process.

Read more detail about the scope and impact of the Act in our December 2023 client alert.

What’s next?

The Act will become fully applicable as of 12 September 2025 without further implementation steps by the EU Member States being necessary.

The Commission will need to produce some further documents and guidance, such as model contract clauses on data access and use, certain delegated acts, as well as harmonized standards regarding interoperability in relation to data sharing and data processing.

10. EU reaches provisional agreement on a Cyber Resilience Act

The Council of the European Union, in coordination with the European Parliament, has provisionally agreed to a proposed Cyber Resilience Act.

This legislation is a pivotal development in ensuring cybersecurity of digital products within the EU’s single market. It represents a significant step in harmonizing cybersecurity standards across the EU and underscores the increasing importance of digital security in product design and distribution.

What’s new?

Key points of interest for legal practitioners and businesses include:

Scope and objectives: The Act introduces comprehensive EU-wide cybersecurity requirements for digital products, covering the entire lifecycle from design to market availability. It encompasses all connected hardware and software products, with specific exemptions for products already regulated under existing EU cybersecurity laws.
Manufacturer responsibility: Central to the Act is the shift in compliance responsibility to manufacturers. They must undertake cybersecurity risk assessments, provide declarations of conformity, and engage in continuous cooperation with competent authorities. Additionally, manufacturers are responsible for maintaining robust vulnerability handling processes.
Consumer and business transparency: The Act enhances transparency, enabling consumers and businesses to make informed decisions based on the cybersecurity features of digital products.
Co-legislator amendments: Notable amendments include a simplified classification methodology for digital products, a defined support period of at least five years, and reinforced reporting obligations for actively exploited vulnerabilities. The role of the European Union Agency for Cybersecurity (ENISA) is notably strengthened in this context.

What’s next?

The final text is undergoing technical refinement and will require formal adoption once it has been through the trilogue process.

The Act will take effect three years post-enactment, allowing sufficient time for manufacturers to comply with the new requirements. Special provisions are made to support small and micro enterprises through awareness, training, and testing procedures.

11. EU right to withdraw from auto-renewing subscription contracts

The EU’s top court has ruled on a consumer’s right to withdraw from auto-renewing subscription contracts under the Consumer Rights Directive.

What’s new?

In Verein für Konsumenteninformationen v Sofatutor, the European Court of Justice (ECJ) was asked to consider a contract for the performance of services which provided for an initial free period for the consumer after which – unless the consumer terminates or withdraws from that contract during that period – payment is required for a period that is automatically extended for a fixed term.

The ECJ ruled that a consumer’s right to withdraw from a distance contract under the Consumer Rights Directive only applies once, at the start of the contract, and not when the free trial ends or the subscription auto-renews. So, there is no additional right of withdrawal at the conclusion of the free subscription period or when the free subscription converts to a regular, paid subscription.

However, this only applies if, at the time the contract is concluded, the trader has informed the consumer (in a clear, comprehensible, and explicit manner) that payment will be required for these services after the initial free period. Otherwise, the consumer does have a further right of withdrawal at the time of conversion to a regular, paid subscription.

What’s next?

This ruling limits consumers to a single right of withdrawal, applicable only at the start of the initial free period.

Companies using auto-renewal should be able to avoid cancellations at the time of transition to a paid subscription, provided they comply with the communication requirements.

However, failure to inform customers properly about the payment terms that will apply after the free period could lead to an increased risk of customers exercising their right of withdrawal upon conversion to a paid subscription.

Therefore, this decision places a greater emphasis on clarity and transparency in the terms of service, which could lead to adjustments in how subscription contracts are structured and communicated.

Germany

12. Updated draft legislation for OS-level youth protection settings

In November 2023, the German Federal States presented for public consultation an updated draft for their revision of the German Youth Protection State Treaty.

The revision, which was originally proposed in mid-2022, aims to enable parents to more easily set up parental controls at a central location on their own (and their kids’) devices to restrict access to inappropriate apps (see our Q2, 2022 update).

What’s new?

The draft still requires operating systems for media devices to feature a specific parental control mechanism that allows users to block unsuitable apps. However, the in-scope operating systems will now have to be designated by the regulator, so that the proposed rules would no longer be self-executing.

On in-scope operating systems, the new parental control mechanism will allow parents to set a device-wide age level (6, 12, 16, or 18) and it will block access to and installation of apps with an age rating higher than that age level. To facilitate this mechanism, the relevant system app store must collect age ratings for all available apps. The parental control mechanism must also deactivate app installations from non-system app stores, noting that the updated draft now permits such third-party app stores if they have a similar age-rating mechanism.

Apps that have their own built-in youth protection mechanisms are privileged. These apps must be made available regardless of the OS-level age setting. For such apps, the new draft also dropped the prior requirement of such apps having to automatically configure their internal mechanisms in accordance with the OS-level age setting.

What’s next?

The German States will now digest the input received during the consultation process and might then agree on a final wording for the new law. The law must then be ratified by all 16 State parliaments before it can enter into force. This will likely not happen before early 2025 and, judging from the pace of the legislative procedure to date, it may take even longer.

UK

13. UK Online Safety Act imposes greater compliance burden on in-scope digital providers

As we reported in November 2023, the UK’s controversial and long-awaited Online Safety Act (OSA) finally received Royal Assent in October 2023.

The OSA – which is intended to make the internet a safer place – comes with many additional duties and a greater compliance burden for in-scope companies (which includes user-to-user services like social media sites, content-sharing sites, online and mobile gaming services, and search services).

What’s new?

The UK’s communications regulator (“Ofcom”) has confirmed that it intends to take a phased approach to enforcement, with the first stage of new OSA-related duties to take effect in late 2024 – but it is urging in-scope (and potentially in-scope) businesses to start preparing now, and also to ‘have their say’ by engaging with Ofcom’s consultations (including an ongoing consultation on its proposals for protection from online illegal harms, which is due to close on 23 February 2024).

What should affected entities be thinking about?

When the OSA is fully in force, in-scope businesses will essentially need to “assess and manage risks” to their users’ online safety. This includes obligations to address user safety in your terms of service, and have adequate reporting and complaint systems in place for users – all while balancing safety measures against freedom of expression and right to privacy.

According to Ofcom’s draft codes of practice, certain “large services” – currently defined as those with an average user base of 7 million or more per month in the UK – will likely have additional obligations to comply with, such as the use of specific tools to detect certain types of content on their services, and staff training and internal codes of conduct on protection from illegal harms.

What can affected entities do in the meantime?

Consider whether or not you might be in scope for the OSA obligations and, if so, start to think about the ways in which illegal harms could take place on your service for the purposes of carrying out any mandated risk assessments under the OSA. We can work with you to carry out this exercise if you need a helping hand.
Engage with Ofcom’s consultations to help ensure that the industry’s concerns are being considered when shaping the codes of practice that will ultimately inform Ofcom’s approach to compliance and enforcement.
Calculate your number of monthly UK users, to see if you could be a “large service” and therefore be subject to additional obligations.

What’s next?

The rules are yet to come into force (pending secondary legislation from the UK Secretary of State and the publication of codes of practice by Ofcom) but businesses are being encouraged to start engaging with the OSA now.

Read more about the discussions which led to the OSA in our previous client alerts on the first draft of the original legislative proposal in 2021, its first introduction in 2022, the key changes in March 2023, and our article on the trolling offence in July 2023.

14. UK Online Fraud Charter: Fraud protection beyond the OSA

Major tech companies have signed an agreement with the UK government – called the Online Fraud Charter (the “Charter”) – to enhance protection against online fraud. The Charter is designed to complement the Online Safety Act (OSA) (and its related codes of conduct) as part of the UK government’s wider Fraud Strategy, which we previously wrote about in November 2023.

What’s new?

While commitment to the Charter is voluntary, by signing up, companies agree to adopt certain anti-fraud measures within six months of the Charter’s publication (i.e., before the end of May 2024). The Joint Fraud Taskforce will then hold these companies accountable for their implementation of the Charter.

The Charter’s list of actions will only apply to companies on a proportionate basis, so the entire list won’t apply to every company or in every circumstance, and the Charter sets out which types of companies are expected to implement which specific actions. However, the overarching commitments for companies to implement are as follows:

Blocking – Deploying measures to detect fraudulent material
Reporting – Using quick and simple mechanisms for reporting fraudulent material
Takedowns – Immediately taking action against fraudulent content and users
Advertising – Deploying measures to protect individuals from fraudulent ads
Law Enforcement – Using dedicated liaisons to respond to law enforcement requests
Intelligence Sharing – Engaging with initiatives to quickly share information about fraud
Transparency – Sharing information about fraud risks and how they are addressed
Communications – Delivering simple messaging to help users recognize and avoid online fraud
Horizon Scanning – Contributing to horizon scanning exercises

How does the Charter work with the OSA?

The Charter is a separate and distinct framework which is geared towards targeting a smaller subset of online platforms and services compared to the OSA. This means that that fulfilment of Charter obligations won’t necessarily mean fulfilment of a company’s fraud-related OSA duties, and so each framework should be approached separately.

What’s next?

The OSA will take precedence if there is any direct conflict with the Charter and the UK government plans to keep the Code under review to ensure that its commitments don’t duplicate or diverge from other regulatory requirements (including Ofcom’s future Codes of Practice).

15. UK government opens consultation on newly proposed security standards for data centres

The UK government is proposing a new statutory framework (the “Framework”) for UK-based third-party data centre services and is seeking views on the proposed Framework.

The government is particularly keen to receive feedback from parties such as cloud platform providers, managed service providers, data centre operators, data centre land and facility owners, and the customers and suppliers of these parties.

What’s new?

The Framework will target organizations that operate data centres, particularly those that provide co-location and co-hosting data centre services as a third-party provider.

This will include data centres that have other functions or services outside co-location or co-hosting. However, data centre services or parts of data centres that fall solely under: (i) public electronic communications services and networks; (ii) digital infrastructure; (iii) enterprise data storage and processing; (iv) cloud services; (v) managed services; and (vi) submarine or subsea fibre optic cables, will likely be out of scope (but still potentially subject to other regulations such as the UK’s Network and Information System (NIS) Regulations 2018).

More broadly, in its proposal, the UK government acknowledges that some parts of the data centre sector will already fall under the UK’s critical national infrastructure (CNI). The government is therefore also considering whether third-party data centre infrastructure should be a subsector of CNI, which is governed by its own separate regime.

What are the key takeaways?

The Framework sets out proposed obligations for in-scope organizations, including:

Registration – Registering with the designated regulator and providing relevant information regarding an organization’s UK operations;
Security and Resilience Measures – Taking appropriate and proportionate technical and organizational measures to manage risks or security and resilience of data centre services. This will include implementation of certain baseline measures for areas such as risk and incident management, resilience and service continuity, governance and personnel, and supply chain management; and
Incident Reporting – Reporting significant incidents to the regulator and in some cases, disclosing incidents to customers and other affected parties such as suppliers.

The Framework also suggests the establishment of: (i) a new regulatory function to enforce the Framework; and (ii) new standards, assessment frameworks, and other tools for a regulator to use to ensure that organizations have implemented baseline security and resilience measures. However, the government stopped short of proposing the establishment of a new regulatory body or identifying an existing regulatory body to enforce the Framework.

What’s next?

The consultation is open until 22 February 2024.

Christoph Nüßing
Counsel
Sana Ashcroft
Associate
Alistair Maughan
Partner
Andreas Grünwald
Managing Partner, Berlin
Charlotte E. Walker-Osborn
Co-head of Technology and Commercial for Europe and London
Robert Grohmann
Counsel
Jens Hackl
Counsel
Stephan Kreß
Counsel
Heval Mienert
Associate
Michelle Si-Ting Luo
Associate

Practices

Regions