Final Agreement on the DMA
The EU co-legislators (the European Parliament and the Presidency of the Council of the EU, on behalf of the governments of the Member States), assisted by the European Commission, have forged an agreement on the Digital Markets Act. The final text is yet to be presented, but the main elements of the final political agreement, topping up the Commission’s initial proposal, are as follows:
-
the regulation will apply to companies with more than €7.5 billion in annual turnover or €75 billion in market capitalisation
-
the scope was extended to virtual assistants and web browsers in addition to the initial core platform services (operating systems, app stores, search engines, social networks, video-sharing platforms, messenger services and other online intermediation services)
-
intra-platform processing and combination of personal data is only allowed with explicit user consent
-
default choice screens will be required for browsers, virtual assistants and search engines
-
access based on fair, reasonable and non-discriminatory conditions (FRAND) was extended from app stores to social media and search engines; it’s unclear until the final text will be presented if a last-minute amendment, in favour of publishers and supported by the French Presidency, on remuneration of online content, was also added
-
interoperability obligations were added for messaging services: in a delay of 2 years the ‘gatekeepers’ will have to ensure interoperability for encrypted messages, photos, voice messages and attachments, if so requested by other platforms; interoperability obligations for end-to-end encrypted calls, video calls and group chats will be applicable within four years after a ‘gatekeeper’ designation; social media interoperability is to be subject to a later review
-
the possibility of a temporary ban on killer acquisitions was added as one of the possible behavioral and structural remedies in cases of systematic infringement
-
the level of penalties and fines could be up to 10% of a company’s global turnover, and in the case of repeated infringements, up to 20% of global turnover.
The outcome of the negotiations needs to be formally approved by both co-legislators. The regulation is expected to enter into force around October this year and will be applicable after 6 months. The concrete effects of the regulation on the market is expected to be visible starting from the second part of 2023, after the procedure for designation of ‘gatekeepers’ will be concluded. For developers, this means a radical change in how ecosystems operate, and potentially a sharp reduction in EU market access.
The US and the EU Announce a Successor to Privacy Shield
On the occasion of US President Joe Biden’s visit to Brussels, the US and the European Commission officially announced on March 25, that they have committed to a new Trans-Atlantic Data Privacy Framework. The new agreement will address the concerns raised by the Court of Justice of the European Union when it struck down the Commission’s adequacy decision underlying the EU-U.S. Privacy Shield framework in 2020. The US stated that it “has committed to implement new safeguards to ensure that signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives, which will ensure the privacy of EU personal data, and to create a new mechanism for EU individuals to seek redress if they believe they are unlawfully targeted by signals intelligence activities.”
UK’s Online Safety Bill
The UK Government has presented the Online Safety Bill to Parliament. Unlike the EU’s DSA, its scope covers ‘legal but harmful’ content that the online platforms will be required by law to remove (in addition to illegal content). The categories of harmful content will be defined in separate legislation. The bill covers a wide range of obligations for services which host user-generated content online, and services which facilitate online interaction between users and search engines. The version introduced to the Parliament updates the initial draft published last year. The amendments include obligations for pornographic content providers to protect minors, for service providers to tackle faudulent advertising and anonymous abuse, as well as the incrimination of “cyberflashing,” among other things. The enforcement will be ensured by Ofcom, the UK’s media regulator. The proposed fines are up to 10% of a company’s annual global turnover. The executives of companies found to be in violation of the law could face criminal liability.
Privacy & Data Protection
The Irish Data Protection Commission (DPC) has announced a decision in its Meta (Facebook) inquiry, imposing a fine of €17 million. The DPC found that Meta Platforms “failed to have in place appropriate technical and organizational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data,” in the context of twelve personal data breaches back in 2018. The DPC’s decision, according to the GDPR’s One-Stop-Shop mechanism, also represents the collective views of its counterpart supervisory authorities throughout the EU.
The Italian Data Protection Authority has fined Clearview AI €20 million for unlawful use of biometric data of Italian citizens. It also has ordered the company to erase data relating to individuals in Italy and has banned any further collection and processing of data through the company’s facial recognition system. The company was also ordered “to designate a representative in the EU to be addressed in addition to or instead of the US-based controller in order to facilitate exercise of data subject rights.”
The Italian Authority
has also started an investigation into possible risks arising from the processing of personal data on Italian users by the Russian company that produces the Kaspersky antivirus software.
The Danish Data Protection Authority has published a Guidance on the use of cloud. It contains a section dedicated to transfers to third countries and another specific one on the US, with concrete examples on technical supplementary measures. The Guide states that if companies use a cloud service where the cloud provider needs to have access to the transferred data in clear text, the European Data Protection Board (EDPB) “cannot currently envisage supplementary technical measures that will effectively ensure an essentially equivalent level of protection to that in the EU/EEA.”
The French Cybersecurity Agency (ANSSI) has published its new certification for “trusted” cloud services “SecNumCloud.” The standard “guarantees that the cloud service provider and the data it processes cannot be subject to non-European laws,” by providing both data localization requirements and specific measures against extraterritorial reach of foreign laws. The French certification will contribute to the European cybersecurity certification scheme for cloud providers, currently under development and based on the EU Cybersecurity Act adopted in 2019.
The European Data Protection Board (EDPB) has published draft Guidelines on Dark patterns in social media platform interfaces. The Guidelines’ aim is to help organizations to design their platforms and user interfaces in a GDPR-compliant manner, as well as to educate users on how certain practices they are subject to could run contrary to the GDPR. Interested parties can submit comments untilMay 2, 2022.
The privacy organization noyb has launched a second round of action on cookie banners, comprising 270 draft complaints sent to website operators following a first batch last year. The organization is planning to continue its campaign to reach the proposed goal of 10,000 websites, and also to extend it “to pages that use other Consent Management Platforms (CMPs) beside OneTrust, such as TrustArc, Cookiebot, Usercentrics, Quantcast etc. which currently can’t be detected by the software.”
IAB Europe has released the latest comprehensively updated ‘Guide to the Post-Third-Party Cookie Era’, to enable brands, agencies, publishers, and tech intermediaries to prepare for the impending post-third-party cookie era.
Competition
The European Commission and the UK’s CMA have opened parallel antitrust investigations into an agreement between Google and Meta for online display advertising services, which concluded in 2018 (so-called “Jedi Blue”). The regulators consider that the agreement could affect competition in the market of online display advertising and harm publishers and consumers by possibly excluding ad tech services competing with Google’s Open Bidding programme.
The Dutch Competition Authority (ACM) has received an adjusted proposal from Apple concerning compliance with the requirements for access to the AppStore of dating apps, imposed under Dutch and European competition rules. However, because the proposal was received late, ACM imposed the tenth and last penalty payment of the maximum of €50 million. After the assessment of the proposal, if ACM still considers that Apple is not compliant, it may impose further periodic penalty payments. Apple published the changes made to the entitlements and re-stated the disagreement with ACM’s order and that the company is appealing it.
The Paris Commercial Court has fined Google €2 million for unfair commercial practices in relation to app developers, following a complaint from the French Economy Ministry from 2018 (as reported by Politico). Certain contractual clauses for the Play Store (dated back in 2015-2016 and changed since) were found in breach of the French Commercial Code, as imposing “obligations that create a significant imbalance in the rights and obligations of the parties.”
A class action was initiated in Portugal by a consumer organization against Google. The Ius Omnibus organization claims that Google harmed Portuguese users of mobile communication equipment, having “no effective alternative to using the Android operating system and applications (apps) and in-app content for Android,” and subject to “increased prices they have paid through the Google Play Store (as a consequence of the 30% fee on sales of digital products in the Play Store).”
European cloud providers have filed a third complaint against Microsoft concerning “unfair use of software licenses … to control the cloud infrastructure market.”
The U.K.’s CMA has approved Microsoft’s $19.7 billion acquisition of transcription software firm Nuance Communications. After assessing the impact of the transaction on the supply of healthcare transcripti
on, the CMA conclusion was that it “does not give rise to a realistic prospect of a substantial lessening of competition” in the U.K. The acquisition was also approved by the EU Commission in December last year.
The CMA decided to pursue an in-depth investigation into the merger between NortonLifeLock and Avast, after the cybersecurity firms opted for not submitting remedies in response to the raised concerns. The CMA is concerned that the deal “could lead to a reduction in competition” in the relevant markets within the UK. The merger was already cleared by regulators in the US, Germany and Spain.
Cybersecurity
The European Commission has proposed a Cybersecurity Regulation and an Information Security Regulation with the aim to create a minimum set of information security rules and standards for all EU institutions, bodies, offices and agencies to ensure an enhanced and consistent protection against the evolving threats to their information. Later this year, the Commission will also offer another legislative proposal – the Cyberresilience Act – which is intended to impose obligations for manufactures and providers of digital products and services. Stakeholders can respond to a consultation untilMay 25, 2022.
The German Federal Office for Information Security (BSI) has issued a warning against the use of virus protection software from the Russian manufacturer Kaspersky. Although the Kaspersky products are not banned, the BSI strongly recommends “replacing applications from Kaspersky’s virus protection software portfolio with alternative products.”
Electronic Frontier Foundation (EFF) technologists, along with 36 top cybersecurity experts, issued an open letter urging EU lawmakers to reject an amendment to the Digital Identity Framework (eIDAS) requiring web browsers to accept Qualified Website Authentication Certificates (QWACs). The cybersecurity experts warn that the amendment “would put the entire website security ecosystem at risk by requiring browsers to trust third parties designated by the government without any security assurances.”
Developers Alliance, together with other 18 associations, signed a statement on coherent regulatory approach on software, with reference to the proposal for Eco Design Regulation for Mobile Phones, Cordless Phones and Tablets. The proposed requirements on software updates and how operating systems should be updated, upgraded, installed, and secured, are undermining commonly accepted privacy and security best practices. The considerations outlined in the joint statement are also relevant for the upcoming EU Cybersecurity Resilience Act.
Miscellaneous
The European Parliament has voted on its position on the regulation proposal on markets in crypto-assets. The most important amendments set strict requirements for crypto transactions, such as providing authorities with information on the source of the asset and its beneficiary and creating a blacklist of those crypto companies that are not complying with the EU rules. The proposed rules would also cover transactions from so-called unhosted wallets, with the specification that “technological solutions should ensure that these asset transfers can be individually identified.” The crypto community, including companies like Coinbase, have put pressure on EU lawmakers stating that the new rules will be stricter for crypto than for cash, and will put the privacy of people holding non-custodial digital wallets at risk.The Council of the EU, representing the EU member states governments, adopted its position in autumn last year and will enter into negotiations with the Parliament in order to agree on a final text of the regulation.
EU financial regulators have issued a warning to consumers on the risks of crypto-assets. The European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pension Authority (EIOPA) warn that “many crypto-assets are highly risky and speculative,” and “are not suited for most retail consumers as an investment or as a means of payment or exchange.”
The European Commission has published a call for evidence, accompanied by an open public consultation on a proposal on access to vehicle data, functions and resources, which would complement the proposal for the Data Act. The Commission has stated that the proposal is aimed “to address some sector-specific issues, such as the bi-directional access to vehicles resources and the interplay between access to data and cybersecurity.” The consultation is open until June 21, 2022.
The EU Court of Justice has clarified that the ‘private copying’ exception under the Copyright Directive applies to the storage in the cloud of a copy of a protected work for private purposes. This doesn’t exclude that righholders must receive fair compensation, but it’s not necessarily to be imposed on cloud providers. “In the event of practical difficulties related to the identification of end users, Member States may introduce a private copying levy chargeable t
o the producer or importer of the servers by means of which the cloud computing services are offered to natural persons. That levy will be passed on economically to the purchaser of such servers and will ultimately be borne by the private user who uses that equipment or to whom a reproduction service is provided.”
The UK Government has announced its intention to propose new legislation on digital identities in response to a public consultation. An accreditation and certification process will be set up, as well as the legal framework for trusted organizations to carry out verifications against official data held by public authorities and to confirm the legal validity of digital forms of identification. Also, a new Office for Digital Identities and Attributes (ODIA) will be set up as an interim governing body for digital identities.
A Collaborative Platform for Digital Supervisors (SDT), comprising the Netherlands Authority for Consumers and Markets (ACM), the Dutch Data Protection Authority (AP), the Netherlands Authority for the Financial Markets (AFM) and the Media Authority (CvdM), has launched a study into how companies, institutions and governments can inform internet users in a way that everyone understands. The study will inform future policies and regulatory actions. Also, the SDT will coordinate with each other on how they will supervise new European rules in the field of digitization. This concerns, for example, upcoming rules for dealing with large technology companies, the data and platform economy (such as the Digital Services Act, the Digital Markets Act, the Data Governance Act and the Artificial Intelligence Act).
