The April 2022 EU & UK Policy Update.
Final agreement on the DSA
Following last month’s DMA milestone, EU co-legislators (the European Parliament and the Council of the EU) have reached an agreement on the Digital Services Act (DSA).
The updated digital content regulation sets a series of obligations based on the size and scope of a provider’s online services, with stricter requirements for very large online platforms (VLOPs – online platforms with more than 45 million monthly active users), and for very large online search engines (VLOSEs). Micro and small enterprises will be exempt from certain obligations. The main elements of the political agreement are:
an updated “notice and action” procedure for removal of illegal content online, with an obligation for online platforms to take quick action following users’ reports,
a duty of care for online marketplaces to apply the “Know Your Business Customer” principle, including random checks to prevent illegal content,
VLOPs will have to assess and mitigate systemic risks and will be subject to independent audits each year,
VLOPs must implement special measures in times of crisis, as demanded by the European Commission and member state authorities,
the European Commission and the member states will have access to the algorithms of VLOPs,
a ban on targeted advertising for minors and on targeted advertising based on sensitive data for others (e.g. sexual orientation, religion, ethnicity),
prohibition of dark patterns and enhanced transparency of recommender systems (VLOPs and VLOSEs must provide users at least one option that is not based on personalization),
protection for victims of cyberviolence, especially non-consensual sharing of illegal content (revenge porn) with immediate takedowns,
compensation for those users seeking redress for any damages or loss due to infringements of the regulation by online platforms,
severe penalties for online platforms and search engines – up to 6% of their worldwide turnover, with the European Commission having exclusive enforcement competence for VLOPs.
After the text is finalized at the technical level it will be formally approved by both Parliament and the Council. The regulation will come into force 20 days after its publication in the EU Official Journal and the rules will apply 15 months later.
Internal Market Commissioner Thierry Breton tweeted that “any company operating in Europe needs to comply with our rules – regardless of their shareholding,” warning Elon Musk that he will need to “quickly adapt to the Digital Services Act.” A delegation of the European Parliament’s Internal Market Committee will travel to Silicon Valley in May to discuss the new EU digital rules with different companies, including Meta, Google, Apple, academia, and government officials.
A Nuanced Judgment on Upload Filters for Copyrighted Content
The Court of Justice of the European Union has dismissed Poland’s arguments that Article 17 of the Directive on copyright and related rights in the Digital Single Market infringes on freedom of expression and information. Art. 17 imposes an obligation for online platforms to block the uploading of illegal content that infringes copyright.
The Court appreciated that “the obligation on online content-sharing service providers, to review, prior to its dissemination to the public, the content that users wish to upload to their platforms, resulting from the specific liability regime established in the Directive, has been accompanied by appropriate safeguards in order to ensure respect for the right to freedom of expression and information (…), and a fair balance between that right, on the one hand, and the right to intellectual property, on the other.”
The safeguards the Court is referring to are the limitations on how the obligations are to be implemented, “by in particular, measures which filter and block lawful content when uploading.” The Court notes “that a filtering system which might not distinguish adequately between unlawful content and lawful content, with the result that its introduction could lead to the blocking of lawful communications, would be incompatible with the right to freedom of expression and information and would not respect the fair balance between that right and the right to intellectual property.”
New Competition Investigations
The European Commission has sent a Statement of Objections to Apple on alleged abuse of its “dominant position in markets for mobile wallets on iOS devices.” The Commission takes issue with Apple’s decision to limit the access of mobile wallet apps to the NFC (“tap&go”) technology on its devices.
The Netherlands Authority for Consumers and Markets (ACM) has rejected Apple’s App Store changes for dating apps that want to use third-party payment systems, again considering them insufficient, according to a statement to The Verge. The ACM imposed periodic penalty payments totaling €50 million and is preparing a new series of fines.
The ACM recently received a complaint from dating app Match about terms and conditions for the in-app payment service Google Play Billing, as Politico reports.
Green Light for Class Actions Against Data Protection Infringements
The Court of Justice has decided that consumer protection associations may bring representative actions against personal data protection infringements. The interpretation responds to a request from the German Federal Court of Justice concerning an action for an injunction against Meta Platforms, Ireland, brought by the German Federal Union of Consumer Organizations and Associations.
While the GDPR is harmonizing the protection of personal data across the EU, the European Court considered that certain provisions of the GDPR make it possible for the Member States to lay down additional rules. The Court supported national rules allowing consumer protection associations to bring legal proceedings “on the basis of the infringement of the prohibition of unfair commercial practices, a breach of a consumer protection law or the prohibition of the use of invalid general terms and conditions,” which “may be related to the infringement of a rule on the protection of personal data.” The Court also stated that an association can bring such a representative action without it “being necessary to identify, individually and beforehand, the person specifically concerned by that processing and to allege the existence of a specific infringement of the rights deriving from the data protection rules.”
EU Rebuffs New Trans-Atlantic Data Privacy Framework
The European Data Protection Board (EDPB) has published a statement on the announcement of a new Trans-Atlantic Data Privacy Framework, emphasizing that it “does not constitute a legal framework on the basis of which EEA data exporters can transfer data to the U.S.” The EDPB reminded data exporters that they must continue taking the necessary actions to comply with the case-law of the Court of Justice of the European Union (CJEU), and in particular, its Schrems II decision of 16 July 2020.
Noyb, the organization led by privacy activist Max Schrems, has published a decision of the Austrian data protection authority which rejects the “risk-based approach” for international data transfers. In the case of Google Analytics, the Austrian DPA considered that Google’s IP anonymization is not sufficient to justify a low-risk assessment, and so companies cannot rely on Standard Contractual Clauses (SCCs) for international data transfers.
European Health Data Space: Promise and Limitations
The European Commission has launched the European Health Data Space (EHDS), a “framework to use health data for research, innovation, policy-making and regulatory activities, while ensuring full compliance with the EU’s high data protection standards.” Among the proposed measures, a common European format for medical documents across the EU will be implemented through interoperability and mandatory security requirements. Manufacturers of electronic health record systems will need to certify compliance with these standards, and the use of health datasets by researchers, companies or institutions will require a permit from a health data access body, to be set up in all Member States. The proposal was submitted to the Council and the European Parliament for discussion and approval.
UK studies algorithms and dark patterns
The UK’s Digital Regulation Cooperation Forum (DRCF) has published two discussion papers: one on the benefits and harms of algorithms and another on auditing algorithms and the role of regulators. The papers are part of DRCF’s Algorithmic Processing workstream. Stakeholders are invited to give input by June 8, 2022. DRCF is formed by the Competition and Markets Authority (CMA), the Information Commissioner’s Office (ICO), the Office for Communications (Ofcom), and the Financial Conduct Authority (FCA).
The UK’s Competition and Markets Authority (CMA) has published two papers discussing and summarizing evidence on online choice architecture and how it potentially causes harm.
Russian Yandex Banned in Estonia
The Estonian government banned Yandex, starting on 11 April, including its taxi app Yandex Pro. Internet service providers and application stores were ordered to comply with the sanction and restrict users’ access to Yandex websites and apps. The Minister of Enterprise and Information Technology, Andres Sutt, stated that “the purpose of the sanction is to prevent the collection and use of data of Estonian users by the Russian intelligence services. In order to use the Yandex application, it is necessary to provide access to a large amount of personal data that is processed on the company’s servers in Russia, and that may be used in intelligence activities against Estonia and Europe. In today’s political situation, this is a significant threat to Estonia’s security.”
Pegasus Spyware Scandal Continues in the EU
The European Parliament’s Committee of Inquiry investigating the use of Pegasus and equivalent surveillance spyware has started its work. The committee will gather information on the extent to which EU Member States or third countries are using intrusive surveillance that violates the rights and freedoms enshrined in the Charter of Fundamental Rights of the European Union. The investigation started at the same time as revelations by the University of Toronto’s Citizen Lab on additional spyware targets in the UK (official UK networks, including the Prime Minister’s Office and the Foreign and Commonwealth Office), and in Catalonia, Spain (Members of the European Parliament, Catalan Presidents, legislators, jurists, and members of civil society organizations).
Cybersecurity Certification Conference
The EU Agency for Cybersecurity (ENISA) will organize the 2022 edition of the Cybersecurity Certification Conference on 2-3 June as a hybrid event, held in person in Athens, Greece, and open to online attendance from across the globe.
EU-India Trade & Tech Cooperation
EU Innovation Lags Behind the US
A joint report by the European Patent Office (EPO) and the European Investment Bank (EIB) found that “despite the impressive patent activity, Europe’s small deep tech businesses lag behind their US counterparts.” The report offers recommendations to support the growth of EU firms and foster deep-tech innovation in the European Union.
European Video Game Industry Given Ministers’ Blessing
EU Member States Ministers of Culture expressed their support for the competitiveness of the European video games industry: “It is essential to stimulate the creation and growth of strong and competitive European cultural and creative enterprises of all sizes that are able to compete with global players in general, and in particular in markets where the EU has a competitive advantage, and in emerging new markets such as augmented and virtual reality (AR/VR), video games or artificial intelligence, for example when it is used to support production and access to cultural and creative works.”
EU’s Own Social Media Platforms
The European Data Protection Supervisor (EDPS) has launched the public pilot phase of two social media platforms: EU Voice and EU Video. The platforms will serve EU institutions, bodies, offices, and agencies in their interaction with the public. They are based on Mastodon and PeerTube software and are intended “to contribute to the European Union’s strategy for data and digital sovereignty to foster Europe’s independence in the digital world.”