Digital Services Act: European Commission commences consultation

On the 2 June 2020 the European Commission initiated an open public consultation as part of its evidence-gathering exercise to inform the contents of the upcoming Digital Services Act (DSA) legislative package (expected to be put forward in late 2020). The consultation seeks to gather views, evidence and data from a variety of interested parties including:

  • individuals;
  • businesses;
  • online platforms;
  • academics; and
  • civil society.

The consultation covers issues such as safety online, freedom of expression, fairness and a level playing field in the digital economy. The consultation will run until 8 September 2020.

What is the Digital Services Act and how did we get here?

The DSA is a landmark legislative package first announced by Commission President Ursula von der Leyen in her political guidelines back in July 2019 and is expected to reinforce the single market for digital services, upgrade the EU’s liability and safety rules for digital platforms and provide smaller businesses with the legal clarity and level playing field they need to compete effectively in the digital economy. Margrethe Vestager (the EC’s VP for Digital) has also expressed her hope that the DSA can be used to prevent the tipping of markets, where one company obtains high monopoly profits and market share, creating an anti-competitive environment for other firms.

The DSA comes in the wake of recent scandals regarding data harvesting and selling, Cambridge Analytica, fake news, political advertising and manipulation and a host of other online harms (from hate speech to the broadcast of terrorism). The IMCO (the EU Parliament’s Committee on the Internal Market and Consumer Protection) has also noted the relevance of the DSA in light of COVID-19 and recent abusive practices by traders selling fake or illegal products or imposing unjustified and abusive price increases or other unfair conditions on consumers.

On 24 April 2020 the IMCO published a draft report with recommendations to the Commission on the objectives and contents of the Digital Services Act. In particular, the IMCO recommended that the DSA should:

  • place greater transparency and compliance obligations on information society and internet service providers and their business customers;
  • introduce concrete measures (including a ‘notice-and-action mechanism’) to empower users to notify online intermediaries of the existence of potentially illegal content or behaviour;
  • close the existing legal loophole allowing suppliers based outside of the EU to sell products online to European customers which do not comply with Union rules on safety and consumer protection;
  • introduce ex-ante regulation of the ‘online gatekeepers’ of the digital economy (i.e. large platforms such as Google, Amazon and Facebook) so as to open up the market to new entrants; and
  • strengthen and modernise existing provisions on out-of-court settlement and court actions to allow for effective enforcement and consumer redress.

The DSA is expected to impact social media platforms, search engines, video gaming platforms, online marketplaces and other information society services and internet service providers.

See the official European Commission press release here.

Hayley Brady
Hayley Brady
Partner, Head of Digital and Media, London
+44 20 7466 2079

James Balfour
James Balfour
Associate, London
+44 20 7466 7582

Jeremy Purton
Jeremy Purton
Senior Associate, Digital TMT and Sourcing, London
+44 20 7466 2142

UK Government issues call for Views on post-Brexit Cyber Security Certification

Last week, the Department for Digital, Culture, Media & Sport issued a Call for Views on the certification scheme currently anticipated by Regulation (EU) 2019/881 (the Cybersecurity Act) after Brexit. The closing date for responses has been extended to 15 October 2019. In the issued document, the UK Government proposes to maintain “a close relationship with the EU on cyber security following our departure from the EU, and will seek to cooperate on approaches to cyber security certification with the EU”. Continue reading

EU adopts new sanctions framework targeting external cyber-attacks

On 17 May, the EU adopted legislation which will enable it to impose sanctions against persons and entities who engage in cyber-attacks against the EU and its member states. The sanctions will be designed “to deter and respond to cyber-attacks with a significant effect which constitute an external threat to the EU and its Member States”. The new regime underlines a clear commitment by the EU to continue to strengthen its capability to address its “[concern] at the rise of malicious behaviour in cyberspace”. Continue reading

Happy GDPR-versary! Herbert Smith Freehills reflections on a year of GDPR regulation

The GDPR came into effect almost a year ago on the 25 May 2018. As the most significant reform of data protection law in Europe for over 20 years, the legislation raised expectations of a cultural shift in attitude to data privacy. A year on from the fanfare of implementation, this bulletin looks at key aspects of what we have seen and learnt since implementation, and what we can expect for the future.

Enforcement

Although we are still waiting for a ‘GDPR mega fine’, we have seen a EUR 50 million fine levied by the CNIL in France and there have also been some interesting enforcement decisions coming out of Europe in the first 12 months. There have been rumours of a fine matrix being developed by the regulators to help assess the level of fine to be imposed but, for now at least, it remains unclear how fines are calculated and when a ‘mega fine’ may be appropriate.

Interesting enforcement action to note so far includes:

UK: ICO finds HMRC to be in “significant” breach of data protection legislation but does not impose a fine

In May 2019, the ICO found HMRC in the UK to be in “significant” breach of the GDPR by processing special category biometric data (voice recognition data) without a lawful basis. However, instead of imposing a monetary penalty, the ICO issued an enforcement notice requiring HMRC to delete the relevant data by early June 2019. For more information on this enforcement action, see our blog post here.

Belgium: Court of Appeal asks CJEU for GDPR guidance on the ‘one stop shop’

In May 2019, the Belgian Court of Appeal asked the European Court of Justice for help interpreting the application of the GDPR’s ‘one stop shop’ and whether the designation by companies of a lead supervisory authority in Europe precludes any other European supervisory authority from taking enforcement action against that company. The results of the case will either open or close the doors for regulators across Europe to cast aside the one stop shop when looking to enforce GDPR compliance in their home jurisdiction. For more information on this enforcement action, see our blog post here.

Poland: When is it a disproportionate effort to provide a privacy notice?

In April 2019, the Personal Data Protection Office in Poland issued a €220,000 fine to a digital marketing company for breaching its obligations under Article 14 of the GDPR (i.e. to provide a privacy notice to individuals). The decision has some important practical implications for organisations, including that: (i) the collection of publicly-available information from the internet does not relieve you of your obligations under the GDPR; (ii) a significant cost (in this case €8 million) involved with providing privacy notices to individuals is not sufficient to be able to rely on the ‘disproportionate effort’ exemption under Article 14; and (iii) the GDPR is not prescriptive about how individuals must be provided with privacy information but the ‘passive’ posting of a notice on a website is unlikely to be sufficient where the individuals are unaware of the collection of their data. For more information on this enforcement action, see our blog post here.

Germany: German competition regulator takes enforcement action against Facebook for data issues

In a slight move away from privacy regulation, the German competition authority, the Federal Cartel Office, announced the results of its investigation into Facebook in February 2019. The decision highlights the ever increasing tension between competition and privacy regulation. The FCO found that Facebook had a dominant position in the German market for social networks, and abused this with its data collection policy. The FCO did not impose a fine on Facebook, but has instead required Facebook in the future to only use data from non-Facebook sources where it has users’ voluntary consent, the withholding of which cannot be used to deny access to Facebook. For more information on this enforcement action, please see our blog post here.

UK: First extra-territorial enforcement action commenced by the ICO

In October 2018, the UK data protection regulator, the ICO, issued its first enforcement notice under the GDPR. The notice was particularly noteworthy because it was issued against a company located in Canada, which does not have any presence within the EU. Despite the breaches being alleged, the enforcement notice was the first issued by the ICO relying on the extra-territorial provisions of the GDPR under Article 3. For more information on this enforcement action, please see our blog post here.

Guidance

For many companies, a frustrating aspect of GDPR compliance over the last year has been the uncertainty. One year on from GDPR implementation and many questions remain unanswered. But we have now started to see signs that fundamental questions may eventually be answered and new regulatory guidance is starting to drip feed through the process.

Interesting regulatory guidance published over the last year includes:

A global regulation? EDPB guidelines on GDPR’s extra-territoriality provisions

The expansive nature of the GDPR’s extra-territoriality provisions has resulted in many organisations outside of Europe questioning whether or not they are subject to the GDPR regime. The market has eagerly awaited any guidance in respect of how Article 3 of the GDPR should be interpreted, and so the draft EDPB guidance published late last year was welcomed by the data community and the market as whole. However, whilst the draft guidance answered certain questions about the application of the GDPR, it also left a number of gaps and so we are still awaiting the final version of the guidance in the hope that some of those gaps will be closed. For more information on this guidance, see our blog post here.

EDPB guidance on when processing is “necessary for the performance of a contract”

In April 2019, the EDPB published guidance on the ability of online service providers to rely on the fact that processing is necessary for the performance of a contract in order to legitimise their processing of personal data. Although aimed specifically at online services, the guidance will nonetheless be useful for all controller organisations looking to rely on this processing condition. The guidance adopts a fairly narrow approach to interpretation with an objective assessment of “necessity” being required as opposed to relying on what is permitted under or required by the terms of a contract. For more information on this guidance, please see our blog post here.

EDPB opinion on the interplay between GDPR and ePrivacy

With companies having completed their GDPR compliance programmes, thoughts are now turning to the next major piece of European regulation in the data privacy sphere, the proposed ePrivacy Regulation, and how ePrivacy interacts with the GDPR, particularly with respect to cookie consent and email marketing. In March 2019, the EDPB published an opinion on the interplay between GDPR and ePrivacy which, whilst interesting, also confirmed that the whole ePrivacy regime is currently being renegotiated at a European level and the new ePrivacy Regulation could further change the position outlined in the opinion. As such, the opinion itself appears to be of minimal use for companies. For more information on this guidance, please see our blog post here.

What’s still to come?

One year on from GDPR implementation and we’ve seen limited enforcement action and even less regulatory guidance, meaning that companies are still having to try and find their way through compliance without direction. Much remains unknown and unanswered but what can we expect (or hope) from the next 12 months?

Brexit

The Brexit issue rumbles on without much/any clarity or certainty. We know that an adequacy decision for the UK is extremely unlikely in the short term but whether or not an interim transition deal is achievable (including with respect to data protection and data transfers) remains unknown at this stage.

International transfers

Although the results of the EU-US Privacy Shield annual review in 2018 seem to confirm that the Privacy Shield remains intact for the short term, there remain significant uncertainties around the future of other compliant international data transfer mechanisms. In particular, the validity of the so-called Standard Contractual Clauses (“SCCs”) continues to be challenged through the courts which could result in the SCCs being struck down by the CJEU in the same way that the US Safe Harbor was in 2015.

Continuing on the theme of international transfers, we are also still awaiting the publication of updated versions of the SCCs. The current versions still refer to the 1995 Directive instead of the GDPR but cannot be amended for sense without the risk of invalidating them. There are rumours that the EU Commission has started to consider an update, including potentially updating the controller to processor SCCs to include Article 28 obligations. However, we have yet to see anything concrete coming out of Europe.

ePrivacy Regulation

As mentioned above, the ePrivacy Directive is currently being renegotiated and was originally intended to be ready in time for the GDPR implementation. However, the failure of the European institutions to agree on a number of issues has resulted in multiple delays and it now does not look likely that a draft will be agreed before the end of 2019/early 2020, meaning that the situation regarding cookie consent and email marketing is likely to remain uncertain for a considerable period of time.

Enforcement

As noted above, we are still awaiting a GDPR ‘mega fine’ but we also haven’t yet seen much in the way of significant volumes of enforcement action in order to be able to gain any meaningful insights into enforcement. There are rumours of significant enforcement actions in the pipeline from the ICO and the Irish Data Protection Commissioner, and we also know that there have been a number of material personal data breaches since implementation of the GDPR, but we will have to wait and see what happens in year two of GDPR.

Individual rights and data disputes

Although the GDPR provided for enhanced data subject rights for individuals, we have also started to see it being used innovatively as a mechanism by individuals to assert other rights, including human rights and the right to privacy. We have seen Prince Harry assert that a news company’s photograph of him at home was in breach of GDPR, and a claim against the Police for their use of facial recognition technology has recently started in Wales. Going forward, we are therefore likely to see GDPR used as a tool in disputes. For more information about this, please see our blog post here.

Data breach compensation

Perhaps the elephant in the room sits with data breach compensation. In April 2019 the Supreme Court granted Morissons permission to appeal against the Court of Appeal ruling that it was vicariously liable for its employee’s misuse of data, in the first successful UK class action for a data breach. Whilst the date for the Supreme Court’s hearing is still to be confirmed, the appeal is likely to take place during the course of 2020. For more information on the case, please see our blog post here.

New emerging technologies

The age-old issue of technological innovation outpacing the ability of legislation to keep up has reared its head only one year into the GDPR’s lifecycle. Organisations are having to apply the text of the GDPR to scenarios including blockchain technology, connected and autonomous vehicles and AI techniques that simply weren’t envisaged at the time of writing. In this rapidly evolving technological landscape, the need for regularly updated, up-to-the-minute official guidance in respect of these types of scenarios has never been greater but this will be an extremely challenging demand for the regulators to satisfy.

To keep up to date with the latest legal developments as they happen, please subscribe to our data blog here.

Contacts

Miriam Everett
Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378
Claire Wiseman
Claire Wiseman
Senior Associate and Professional Support Lawyer, Digital TMT & Data, London
+44 20 7466 2267
Lauren Hudson
Lauren Hudson
Associate, Digital TMT & Data, London
+44 20 7466 2483

EU proposal to the WTO on modernising e-commerce rules

Despite the rapid growth of international e-commerce, there are currently no multilateral rules regulating digital trade. On 3 May 2019, the EU made public its Communication to the World Trade Organisation (“WTO“), suggesting negotiating proposals for a series of WTO disciplines and commitments relating to e-commerce and telecommunications services (“Proposal“).

The Proposal is in response to the Joint Statement issued by the EU and 49 other WTO members on 29 January 2019, which recognises the need for modernisation, and confirms their intention to commence negotiations on trade-related aspects of e-commerce. Continue reading

The end of “self-regulation”: UK to introduce world first statutory duty of care to combat harmful online content

In a world first, the UK Government yesterday unveiled plans to introduce tough new measures requiring social media companies and technology firms, among others, to protect online users. Chief among the proposals is a statutory duty of care for online service providers to take reasonable steps to protect users from harmful content, with those within scope facing substantial fines (and individual liability for members of senior management) where the duty is breached. The proposed online safety framework signals the end of self-regulation, and demonstrates the UK Government’s clear intention to take comprehensive action to tackle harmful online content. Continue reading

The European Parliament votes in the EU Copyright Directive including controversial Articles 11 and 13

On 26 March 2019, the European Parliament voted in favour of the new EU Copyright Directive (the “Directive”) marking the end of lengthy negotiations and delays. The aim of the Directive is to enhance the position of rights’ holders in relation to the use of their material on the internet but, in particular, Articles 11 and 13 have attracted criticism and much lobbying from interested parties. Continue reading

Clarification on the status of the EU-US Privacy Shield on a no deal Brexit

The UK Government has published a new data-related Brexit statutory instrument clarifying the position with respect to transfers of personal data to the US in reliance on the EU-US Privacy Shield (the “Privacy Shield“) and in a no-deal Brexit scenario.

Transfers to the US under the Privacy Shield are currently made pursuant to a special category of adequacy decision based on a specific arrangement put in place between the US and EU authorities. However, advice and guidance on how such arrangements could continue to work in a no-deal Brexit scenario had differed. Continue reading