To help organizations stay on top of the main developments in European digital compliance, Morrison Foerster’s European Digital Regulatory Compliance team reports on some of the main topical digital regulatory and compliance developments that have taken place in the third quarter of 2023.
This report follows our previous updates on European digital regulation and compliance developments for 2021 (Q1, Q2, Q3, Q4), 2022 (Q1, Q2, Q3, Q4) and 2023 (Q1, Q2).
In this issue, we highlight further examples of the growing regulatory divergence between the EU and UK in digital issues. While the EU’s Digital Markets Act and Digital Services Act are in force, the UK has started the process of implementing its own regulatory regime for digital markets with the publication of its UK Digital Markets, Competition and Consumer Bill, which will affect both digital providers and increase the enforcement of consumer laws generally by regulatory authorities. And, while the EU is close to agreement on a new EU Data Act and EU AI Act, the UK’s controversial Online Safety Bill has become law.
1. European Union finalizes the EU Chips Act
The European Union has finalized a new law designed to strengthen the EU’s semiconductor ecosystem (Regulation (EU) 2023/1781) or – in short – the EU Chips Act.
The Chips Act recognizes that semiconductors are at the core of any digital device and digital transition, but also that the EU has, in the past, suffered unprecedented disruptions in the semiconductor supply chain that exposed long-lasting vulnerabilities such as a strong third-country dependency in manufacturing and design of chips.
Under the Chips Act, the EU wants to increase EU resilience in the field of semiconductor technologies, reinforce the EU’s semiconductor ecosystem by reducing dependencies, enhance digital sovereignty, stimulate investment and strengthen the resilience of the EU’s semiconductor supply chain.
To achieve these goals, the Chips Act sets up new rules in three key pillars:
- With a “Chips for Europe” initiative, the Chips Act will make available EU funding for five operational objectives: i.e., for (i) design capacities for semiconductor technologies; (ii) pilot lines for semiconductor productions; (iii) an enhanced development of quantum chips; (iv) competence centres for skill development; and (v) a Chips Fund that provides access to debt financing and equity for semiconductor businesses.
- To enhance security of supply and resilience, the Chips Act provides a mechanism for businesses to build new “Integrated Production Facilities” or “Open EU Foundries” and have them recognized by the European Commission. Recognized businesses will have access to facilitated permit-granting at the EU Member State level, priority access to pilot lines and enhanced public funding.
- To prevent future significant supply shortages, the Chips Act requires the European Commission to monitor the EU’s semiconductor sector to identify potential supply crises as early as possible. In this process, Member States must identify “key market actors” along the semiconductor supply chain that are established in their territories. In case of a crisis, the European Commission can activate a “crisis stage” that grants it access to an “emergency toolbox”. This provides the Commission with powers to: (i) gather information from semiconductor businesses in the EU; (ii) issue binding priority orders to businesses recognized as “Integrated Production Facilities” or “Open EU Foundries” (see above); and (iii) engage in central purchasing of semiconductor products on behalf of EU Member States.
The Chips Act entered into force in September 2023, shortly after being published in the EU’s Official Journal. It will have direct impact on businesses considering expanding their semiconductor capabilities in or to the EU. Existing semiconductor businesses in the EU can be exposed to new obligations under the Chips Act in connection with its crisis response mechanism.
2. EU initiative on virtual worlds and Web 4.0
The emergence of virtual worlds rings in the fourth generation of the internet (so-called Web 4.0). This has not gone unnoticed by the EU Commission. In July 2023, it published the “EU initiative on Web 4.0 and virtual worlds”, calling it “a head start in the next technological transition”.
The Commission has not yet presented a formal legislative proposal. Rather, the Commission’s goal for this initiative is first to provide a comprehensive overview of the Web 4.0 development. The Commission announced 10 (non-legislative) actions focused on the following pillars:
- People and Skills: Supporting the development of skills in order to build a necessary talent pool, promoting guiding principles for virtual worlds and developing a Virtual Worlds Toolbox for the general public.
- Business: Supporting a European Web 4.0 ecosystem by, for example, launching a new European Partnership, promoting collaboration and fostering a supportive business environment.
- Government: Improving public services, by supporting public flagships such as the so-called CitiVerse, an immersive urban environment that can be used to optimize spatial planning and management.
- Governance: Bringing Member States and other stakeholders together to master the Web 4.0 transition.
The Commission plans to launch specific initiatives based on the above pillars between now and mid-2024.
The Commission stresses that the EU has a “robust, future-oriented legislative framework”, that already applies to various aspects of Web 4.0. To ensure that the EU becomes a major player in this field, the Commission encourages the European Parliament and the Council to endorse its strategy.
3. Digital Services Act & Digital Markets Act Update
The Commission’s efforts to create a more competitive tech market and tackle illegal content through the Digital Markets Act (DMA) and the Digital Services Act (DSA) are shaking up the tech landscape.
In September 2023, the Commission designated 22 core platform services provided by six gatekeepers under the DMA. The designation follows the notification by the companies as potential candidates (see our Q2 2023 edition), because the Commission now has determined that these companies cross the relevant thresholds regarding revenue, market capitalization, and/or user numbers. The designated services will each be subject to several new obligations, such as allowing users to uninstall pre-installed apps, making it easier for users to switch between different messaging platforms and a ban on self-preferencing.
Since 25 August 2023, the DSA already applies to the Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) that the Commission had designated in April. This means that these companies must now take steps to combat the spread of illegal and harmful content online, be more transparent about how they target users with ads and enhance their internal governance regarding related issues.
Following their designation, gatekeepers now have six months to comply with the new obligations imposed under the DMA. And the clock is ticking – at the end of this six-month period, gatekeepers are obliged to submit and publish a detailed compliance report in which they outline how they will comply with each of the obligations of the DMA.
For the DSA, some companies have challenged their designation as a VLOP under the DSA (see the two pending actions before the EU’s General Court – action 1; action 2). For all non-VLOP companies that are in-scope of the DSA, its rules will apply from 17 February 2024. Since the EU Member States will be charged with enforcing the DSA against these non-VLOP companies, many of them are in the process of adapting their national laws (e.g., to revise conflicting local rules and to set up enforcement authorities) – see article 11 for the relevant German efforts.
4. Cyber Resilience Act: Trilogue discussions begin
In our Q3 2022 edition, we reported that the EU Commission had published its draft for a proposed “Cyber Resilience Act” or, more officially, the “Regulation on horizontal cybersecurity requirements for products with digital elements” (the CRA). In July 2023, the Member States’ representatives were able to reach a common position on the CRA for the EU Council to enter into interinstitutional negotiations with the European Parliament (Trilogue). In September 2023, this was followed up by the EU Parliament’s confirmation of the Committee decision on a mandate for the Trilogue.
In its July 2023 position, the EU Council suggests several changes to the proposed text of the CRA (see the latest version). For example, the Council wants to eliminate the concept of “critical” in reference to products containing digital components and a substantial portion of the items mentioned in Annex III. Instead, the Council proposes three categories of products as a new Annex IIIa. Additionally, the Council suggests shifting the responsibility for reporting cybersecurity incidents and actively exploitable vulnerabilities from ENISA to the national Computer Security Incident Response Teams (CSIRTs) in a two‑step process involving initial notification within 24 hours and a second notification within 72 hours. Furthermore, the Council proposes to delay the application of the CRA for 36 months (instead of the 24 months proposed by the original draft) once adopted.
In its September 2023 mandate for the CRA (see report), the EU Parliament also proposes changes to the definition and scope of products to which the new rules will apply, suggesting three different lists based on the level of criticality and cybersecurity risk. The Parliament also suggests expanding, instead of shortening, these lists by adding new products such as identity management systems software, password managers, biometric readers, smart home assistants, smart watches and private security cameras. The Parliament also suggests changes to many of the CRA’s definitions, to compliance timelines, and the distribution of responsibilities between the different market actors. One substantive area of focus is more specifically regulating security updates.
Based on the finalized positions by both EU bodies, Trilogue negotiations on the CRA have now kicked off. The duration of these proceedings can vary significantly depending on the complexity of the legislative proposal, the level of agreement or disagreement among the involved institutions and other factors. There is no fixed or standardized timeframe for Trilogue negotiations.
What’s the UK position?
Meanwhile, in the UK, manufacturers of consumer connectable tech need to watch out for new mandated security requirements from 29 April 2024. The new regulations come courtesy of the PSTI Act (see our previous reporting), which set standards for any manufacturer of in-scope products – although the regulations confirm that charge points for electric vehicles, medical devices and smart meter products are exempt, since these are already regulated. Computers (desktop and laptop) and tablets are also exempt – as long as they are not exclusively designed for children under 14 years. The security requirements cover passwords, reporting of security issues and information on minimum security update periods, and refer to technical standards in order to deem compliance.
As a reminder, the enforcement authority may investigate compliance failures and issue:
- compliance, stop and recall notices;
- monetary penalties, up to a maximum of £10 million or 4% of worldwide revenue (whichever is greater); and
- uncapped daily penalties of up to £20,000.
5. Update: First report on the implementation of the EU Platform to Business Regulation
The EU Commission has published its first preliminary review of the EU Platform to Business Regulation (the P2B Regulation) – and has committed itself to boost enforcement of the requirements of the P2B Regulation.
The P2B Regulation has applied in the EU since 12 July 2020. As we have reported in our previous client alert, the P2B Regulation seeks to create a fair, predictable, sustainable and trusted online business environment for smaller businesses and traders on online platforms. The P2B Regulation contains three main parts relating to the relationship between business users and online intermediary service providers:
- the first part deals with transparency (e.g., ranking transparency) and accessibility;
- the second part governs dispute resolution methods; and
- the third part concerns measures to enforce these rules.
After being in force for more than three years, the Commission conducted its first preliminary review of the P2B Regulation. The Commission found in its report “(i) initial positive effects of the EU’s P2B Regulation, while noting that its full potential is not yet reached; (ii) a current lack of compliance by providers of online intermediation services with this Regulation, coupled with a lack of awareness among business users; and (iii) complementarity with other EU acts”, particularly the Digital Services Act and the Digital Markets Act.
To tackle especially the level of awareness and compliance, the Commission will work with EU Member States “to disseminate information in different sectors and for all players, via different channels including informational campaigns, business networks and other tools (e.g. YourEurope)”. The Commission also identified codes of conduct as a relevant tool, especially in the hotel bookings and online marketplace sectors, to “operationalise the application of the P2B Regulation”.
6. The fight against online fraud: Too little too late from the UK’s Joint Fraud Taskforce?
The UK’s Joint Fraud Taskforce (JFT) convened in July 2023 for the first time since the UK government published its Fraud Strategy in May 2023. Nineteen organizations from both the public and private sectors were in attendance to discuss the progress that has been made so far in respect of the commitments set out in the Fraud Strategy to date and how best to make headway on the action items that remain.
The UK’s Fraud Strategy sets out how government, law enforcement, regulators, industry and charities will work together to “cut fraud incidents by 10% from 2019 pre-Covid levels” by December 2024. Items that the JFT has already ticked off its to-do list include the development of charters for the retail banking and telecoms sectors, which have seen some success. For example, the telecoms charter contributed to the blocking of over 600 million scam texts and the filtering out of “vast numbers” of scam calls before they could reach the public. The next priority item on the agenda seems to be the creation of an online fraud charter for application in the tech sector.
The online fraud charter would require organizations in the tech sector to proactively block scams, facilitate fraud reporting and remove fraudulent content swiftly in response to the rapidly increasing volume of social media-based scams. If the content of the charter sounds like it overlaps slightly with certain provisions of the UK’s Online Safety Act (OSA), that’s because it likely does.
The original aim of the charter was to implement stronger measures to combat fraud in the tech industry before the introduction of the OSA (then the Online Safety Bill). But, given that the OSA sprinted its way through the final parliamentary stages of the legislative process (see article 7 below), one might query whether the development of online fraud charter would add anything of substance to the OSA, which is also intended to tackle fraudulent content and advertising.
Watch this space for further updates as we track the implementation of the OSA and its impact on the online fraud charter and/or the Fraud Strategy (if any) over the coming months.
7. Online Safety Bill becomes law
The UK’s controversial Online Safety Bill (OSB) has at last staggered through the parliamentary stages in both the House of Commons and the House of Lords, and received Royal Assent on 26 October 2023. It is now the Online Safety Act 2023 (OSA).
The UK government’s stated purpose for the OSA is to make the internet a safer place. Whether that will actually be the OSA’s effect is open to question. But it is certain that the OSA will make life harder for online platforms and search engines. The OSA imposes a duty of care on user-to-user services and search engines offering services in the UK to prevent the proliferation of illegal content and activity online.
Read more about the OSB in our previous client alerts on the first draft of the Bill in 2021, its first introduction in 2022, the key changes to the Bill in March 2023 and our most recent article on the trolling offence in July 2023.
In September 2023, the OSB completed the penultimate stage of the UK’s legislative procedure – the consideration of amendments. The House of Lords and the House of Commons agreed on the exact wording of the OSB in uncharacteristically swift fashion: the consideration of amendments took less than a month to complete, while the OSB’s first reading took place in the House of Commons on 17 March 2022 and did not reach the House of Lords until 18 January 2023.
Although now as the OSA its provisions have become law, many of its substantive provisions do not come into force immediately. Ofcom (the online safety regulator under the OSA) needs to publish a number of codes of practice and guidance setting out the detail on how providers will need to comply with the OSA, and the government will need to make secondary legislation on issues such as how services are to be categorized. The UK government’s Department for Science, Innovation and Technology has been working closely with Ofcom throughout the OSB’s legislative process, which should mean that Ofcom is primed to take action relatively quickly now that the OSA has become law. We anticipate that Ofcom will launch imminent consultations on the standards that in-scope companies will be expected to meet with regard to illegal online harms.
Watch this space for further updates as we track the implementation and impact of the OSB over the coming months.
8. UK scraps elimination of CE mark
The UK has reversed a Brexit-related change in product labelling: the end of CE product labelling rules applying in the UK has now been postponed indefinitely.
For many years, manufacturers and suppliers of a wide range of products (including most electronic devices) into the EU market have had to undertake safety and compliance testing and affix a CE mark to their products as a declaration of conformity. After the UK left the EU as part of Brexit, the UK government introduced the same concept under a new UK Conformity Assessed (UKCA) marking requirement. The new UKCA mark took over from the CE mark on 1 January 2021, but with an overlap transition period until 31 December 2022 (subsequently extended to 31 December 2024).
Now the UK has gone one step further and announced that the period during which the CE marking may be used in Great Britain is to be extended indefinitely.
Apparently, this change of heart is “part of the government’s drive for smarter regulation” – which is ironic given that one of the foundations upon which Brexit was built was freedom from EU-derived regulation.
Regardless, the extension will cut business costs and time required to place products on the UK market.
Manufacturers and suppliers of a wide range of products will be able to rely on a single CE conformity assessment and not have to go through a separate process to get a parallel UKCA marking. In practice, this may mean that fewer companies will even bother to seek a parallel UKCA marking.
9. CMA and ICO jointly targeting more enforcement of misleading web design
The UK Information Commissioner’s Office (ICO) and the Competition Markets Authority (CMA) jointly published their position on the dangers of harmful website design practices (the “Position Paper”) in August 2023.
The Position Paper highlighted that some common website design practices (referred to in the Position Paper as the concept of “Online Choice Architecture”) negatively impact consumers’ ability to exercise meaningful choice and control, for example, where individuals are steered toward accepting less privacy-friendly options. The ICO and CMA share concerns that a lack of choice and control on behalf of the end-user risks infringing data protection and consumer law.
The main focus in the Position Paper is on companies that “deploy design practices in digital markets, as well as product and UX designers”, with an emphasis on how design choices can have serious data protection, consumer and competition implications. The Position Paper also provides practical examples of design practices that may cause end-user harm, including, but not limited to, “confirmshaming”, “biased framing”, “bundled consent” and “default settings”.
Looking forward, the ICO and CMA have outlined a number of key principles and expectations for firms using Online Choice Architecture in relation to personal data choices:
- Put the user at the heart of design choices;
- Use designs that empower user choice and control;
- Test and trial design choices; and
- Comply with data protection, consumer and competition law.
The EU Position. As the EU’s Digital Services Act (DSA) nears implementation, dark patterns are coming under increasing scrutiny as the DSA prohibits the use of such techniques. The DSA defines “dark patterns” as an online interface design practice that “deceives or manipulates” users or “otherwise materially distorts or impairs their ability […] to make free and informed decisions”. And, even though the DSA’s recitals mention several cases where these criteria are supposed to be met (including some of those relevant under the CMA’s Position Paper), there is still some debate about what exactly constitutes a dark pattern under EU laws.
The ICO has commented that it will look to take enforcement action to preserve individuals’ data protection rights (particularly in the case of vulnerable people) if practices involving Online Choice Architecture do not improve. Further, the ICO has committed to undertaking a review of the cookie banners for some of the most frequently used UK websites as part of its work on cleaning up dark patterns.
The CMA has similarly indicated that Online Choice Architecture practices remain a priority area and that it looks to utilize its consumer and competition enforcement powers to ensure that best practice is followed.
10. Loot boxes in video games – UK government guidance
The Association for UK Interactive Entertainment (UKie) has outlined 11 key “Industry Principles” (the Principles) in response to the increasing use of loot boxes in certain online video games, particularly boxes that are purchased with real (or virtual) money. The Principles were developed in line with the two key objectives outlined in the July 2022 report issued by the Department for Digital Culture, Media & Sport (DCMS), stating that:
- children should not be able to purchase loot boxes without the supervision of a parent or guardian; and
- spending controls and transparent information should be available to all players.
The Principles suggest that game developers should:
- make available and publicize technological controls to mitigate the risks of users (particularly children) using loot boxes;
- disclose the presence of loot boxes prior to purchasing the game;
- give clear probability disclosures, so that users understand the mechanics of the loot boxes;
- design and present loot boxes in a manner that is easily understandable; and
- commit to lenient refund policies, especially in instances where children have purchased loot boxes without their parents’ knowledge.
In addition, relevant stakeholders are asked to commit to working with the UK government and each other to monitor and measure the effectiveness of the Principles.
DCMS expressed hope, in its July 2023 guidance, that the implementation of the Principles has the capacity to enhance player protections. The 12-month implementation period seeks to draw together the efforts of gaming companies, players, parents and other groups to measure the effectiveness of current guidance.
Further, in support of the implementation of the Principles, UKie and the Technical Working Group (comprising of various industry leaders) have launched a three-year, £1 million public information campaign on safe and responsible play.
For now, DCMS has not expressed any appetite to legislate the use of loot boxes, commenting that an industry-led approach is more likely to be effective in the first instance and is less likely to stifle development and creativity within the gaming sector. DCMS has, however, indicated its intention to keep reviewing options for legislative reform in the future as well as observing approaches adopted by other international jurisdictions.
11. Draft DSA implementing act published
Discussions about the long-awaited draft of the German Digital Services Act (DDG), which will implement certain provisions of the EU Digital Services Act (DSA) – see our Q4 2023 update – are picking up speed.
In August 2023, the Ministry for Digital and Transport presented its initial draft for the DDG.
As an EU Regulation, the DSA is directly applicable in all EU Member States, without the need for separate transposition into Member State laws. However, since the DSA will be enforced at the Member State level for all non-VLOP/VLOSE companies, Member States must make arrangements to set up the necessary authorities and procedures. Also, a number of Member States – including Germany – enacted content moderation rules in the past that will conflict with the DSA once it’s fully in force in February 2024.
One of the key questions that the DDG draft addresses is enforcement in Germany:
- The Federal Network Agency (BNetzA) will be designated as the Digital Services Coordinator and will act as the key authority for the enforcement of the DSA. In addition, the German legislator has opted for several task-specific responsibilities for federal and state authorities, particularly in the fields of law enforcement, data protection and youth protection.
- The DDG also implements the DSA’s GDPR-style approach to fines, with companies facing penalties of up to 6% of their annual turnover for violations of the DSA.
In addition, the DDG also triggers changes to more than 30 existing German laws. Most of these changes are purely editorial. The only significant substantive change is that the German Network Enforcement Act (NetzDG) will be repealed. NetzDG was implemented in 2017 to set forth content moderation obligations for social networks and video-sharing services at the national level. These rules will be superseded by the DSA once fully in force.
While discussions about the DDG draft are ongoing, the German government expects the implementing act to be finalized and in force once the DSA becomes fully applicable on 17 February 2024.
Until then, a particular focus of legislative discussion will be specifics regarding the designation of the regulatory authorities. In particular, the German states (Länder) claim to be involved more closely in the enforcement of the DSA after all, citing constitutional concerns. However, how and to what extent the states will be involved is left to discussions in the legislative process.
12. Drafts for German implementation of the NIS2 and CER Directives published
Legislative discussions on the German implementation of the EU’s NIS2 Directive (see our Q4 2023 update) and the CER Directive (again, see our Q4 2023 update) are in full swing, with published official ministerial drafts on the implementing laws providing more clarity on the following key points:
Germany plans to implement the NIS2 Directive via the proposed NIS2-Umsetzungsgesetz. A fully legislative draft is not yet available. However, in September, the German government initiated a public consultation on certain draft rules – including the following key points:
- Operators of essential and important services must implement a detailed list of mandatory cybersecurity measures and assessments.
- The BSI will be the main point of contact and regulatory authority, with strengthened enforcement powers.
- Essential entities can be fined up to EUR 10 million or 2% of total annual worldwide sales for violations; important entities can be fined up to EUR 7 million or 1.4% of total annual worldwide sales.
The CER Directive shall be implemented via the proposed “KRITIS-Dachgesetz”, for which the Ministry of the Interior had published an initial legislative draft in July:
- Operators of critical entities (KRITIS) must comply with minimum physical resilience requirements, in addition to existing cybersecurity rules (and NIS2 obligations).
- Operators must conduct recurring risk assessments and implement measures to mitigate identified risks.
- Operators must proactively register with the Federal Office for Information Security (BSI) and the Federal Office for Economic Affairs and Export Control (BAFA) as well as report security incidents to the BSI.
The public consultation on both ministerial drafts is now closed, and an official government draft for both laws is expected soon. This will be followed by the ordinary legislative procedure, during which the German Parliament will consider and vote on the drafts. The implementation deadline for the NIS2 and CER Directives will expire on 17 October 2024.
In the meantime, there’s no news on the UK’s own “NIS 2”. We covered the UK government’s consultation response on its proposed NIS 2 plans in January 2023 – and we are still eagerly awaiting the unveiling of the contents (or indeed timeline) of any updates to the UK NIS Regulations.