European Union: European Digital Compliance: Key Digital Regulation & Compliance Developments

The protection of children online is a constant focus for regulators and lawmakers across Europe - in terms of legislative action, compliance efforts and enforcement. While we only focus on developments in Germany and the UK in this section, regulators across Europe (including in France, Ireland, Italy and Norway) are also paying close attention to children's online experiences.

Age Appropriate Design Code

The UK Age Appropriate Design Code (referred to as the Children's Code) came into effect in September 2021, echoing other child-focused frameworks such as the U.S. Children's Online Privacy Protection Act.

The Children's Code is overseen by the UK Information Commissioner's Office (ICO) and its aim is to protect children from online harms and empower them online. The Children's Code is a statutory data protection code of practice, containing 15 standards that apply to qualifying information society services e.g., providers of online apps, programmes, games and connected devices. The 15 standards address how organisations should build data privacy safeguards into their online services so that they are appropriate for use by children (such as making sure that parental controls or geolocation tracking are explained to children in an age-appropriate way). Notably, these services need not be directly addressed to children: the Code will apply if such services are likely to be accessed by children in the UK. 

While it is not new law, the Children's Code will be used by the ICO as a key benchmark against which to check organisations' compliance with the wider data privacy regime in the UK, meaning that any breach of the Children's Code could trigger enforcement action from the ICO. As such, any organisations whose operations in, or accessible from, the UK could fall within the remit of the Children's Code should carefully review the 15 standards either to implement appropriate measures to comply with the Code and the underlying data privacy regime or demonstrate why the Code does not apply to their services.

The drive to protect children's privacy in the digital world has also spilled over into other areas, such as the UK Advertising Standards Authority (ASA). In July 2021, the ASA published its findings from an investigation into the distribution of ads for alcohol, gambling, and high fat, salt, and sugar (HFSS) products on websites and other prominent global online platforms and streaming channels. Although 75% of the audience of these websites were adults, the ASA called on marketers to design their targeting tools to become more age appropriate, to minimize children's exposure to HFSS ads, as well as gambling and alcohol ads.

What's next?

Many social media platforms are taking steps to apply age-restrictive changes to their online content. In the UK, the high profile afforded to these efforts is because breaches of the Children's Code may trigger the same level of enforceability and fines as those of breaches under the UK GDPR. As such, any complaint under the Children's Code could draw negative attention to organisations, and potentially even a wider audit by the ICO of an organisation's approach to data protection. Nonetheless, with increased use of the internet by children, especially against the backdrop of the pandemic, the ICO has made clear that it seeks to protect children within the digital world, rather than denying them access altogether. Compliance with the Children's Code may just be the beginning of more robust standards required of organisations in the UK when it comes to handling children's privacy.

German Federal Supreme Court sets advertising standards for influencer marketing

The highest German court has ruled in three parallel cases on how influencers need to indicate clearly the advertising on their social media channels. Germany's Unfair Competition Act and the EU Audiovisual Media Services Directive prohibit surreptitious advertising in the interest of transparency. And the law only allows product placement if the influencer identifies it as such. The court thus found that Instagram "tap tags" must be identified as advertisement unless the entire Instagram account is identified as commercial advertising or the influencer is not paid for that particular post.

Study on the impact of influencer marketing on minors in Germany

Germany and the EU are in conflict about Germany's new national law imposing additional rules on media intermediaries and third party media services.

In November 2020, Germany enacted its new Media State Treaty (MST). Among other things, the MST regulates how search engines, app stores and other "media intermediaries" must treat third party media services to which they provide access - including by imposing transparency and non-discrimination obligations on affected providers.

Crucially, these rules are set to apply not only to providers of media intermediaries who are (or who are deemed to be) established in Germany under the EU's country-of-origin principle, but also to any such services offered on the German market. This approach triggered criticism by the European Commission when the MST was first adopted, but the Commission ultimately did not interfere.

Now, this conflict has broken open again as a result of the adoption by German State Media Authorities of statutes to further specify the MST's media intermediary rules (as mandated by the MST). These statutes are necessary because the actual MST rules are rather vague and thus lack clarity for both regulators and affected providers. 

The statutes were originally set to enter into force on 1 September 2021. However, when responding to the notification to it of these statutes, the Commission issued a "detailed opinion" arguing that the statutes violate EU law, particularly because they create barriers to free trade between member states by imposing additional rules on media intermediaries based in other EU member states. The Commission asked Germany to remedy these concerns, otherwise threatening to open infringement proceedings under Art. 258 TFEU.

On that basis, Germany initiated negotiations with the Commission on how to address these concerns by amending the statutes, thus further delaying their entry into force. It is currently not expected that this case will be concluded before November 2021. So, providers offering media intermediary services in Germany will be able to enjoy an extended grace period before proper enforcement of the respective rules finally begins. Nonetheless, as already demonstrated by the MST regulators, they are not afraid to step in against suspected infringements even without being able to rely on the controversial statutes.

In August 2021, Green lawmakers in the EU, alongside the Tracking-Free Ads Coalition, began an initiative to amend the EU's proposed Digital Markets Act in relation to targeted digital advertising.

Targeted advertising is a key feature, which many so-called "Big Tech" companies have implemented to personalise advertising to their consumers by combining personal data across multiple platforms.

The proposed amendment would have the effect of prohibiting the combination of consumers' personal data in this context, on the grounds of respecting consumers' rights, and increasing compliance with EU data protection and privacy law. While it does not contain a blanket ban on all targeted advertising, the proposed amendment seeks to increase the obligations of platforms not to use personal data without consumers' explicit consent. Under the proposed amendment, non-compliance could result in companies being fined up to 10% of their total worldwide annual turnover.

What's next?

Notably, the obligations under the Digital Markets Act apply only to those companies that meet the requirement of "gatekeepers", i.e., companies with large, systemic online market platforms. Supporters of the proposed ban believe that the amendment would increase the ability of small and medium-sized businesses (SMEs) to compete fairly in the digital world. While the proposals are still under review by EU lawmakers, the amendment's critics (which include over 1,800 SMEs and certain EU MEPs) suggest that a total ban could possibly increase costs of advertising for SMEs.

The EU has broadened the scope of its export control regime to add new due diligence, reporting and potential authorisation requirements that affect EU companies with digital cross-border offerings relating to surveillance technology. The amendments are included in the EU's recast of the EU Dual-Use Regulation.

One of the key drivers for effective export control regulations is the protection of human rights. To enhance this goal and protect against human rights violations more generally, the EU now obliges exporters to ensure that they export so-called "cyber surveillance items" only if certain checks have been conducted or - if needed - an authorisation has been obtained. A new duty of care obliges exporters to analyse carefully whether there is an intent to use the items in connection with internal repression or human rights violations.

"Cyber-surveillance items" are newly defined as items "specially designed to enable the covert surveillance by monitoring, extracting, collecting or analysing data" from IT systems. This applies for example to intrusion software or certain surveillance software.

Effective 9 September 2021, if an exporter becomes aware (based on its due diligence findings) that any cyber-surveillance items are intended for human rights violations, the observations must be reported to the authorities. Under certain conditions, an export control license is required.

Digital companies should adapt their internal compliance programmes to these additional restrictions to comply with the enhanced duty of care.

In July 2021, the OECD/G20 Inclusive Framework on Base Erosion and Profit Shifting (IF) agreed a two-pillar solution to address the tax challenges arising from the digitalisation of the global economy and ensure that multinationals pay a fair share of tax wherever they operate.

Under current proposals, pillar one would apply to approximately 100 of the largest and most profitable multinationals with turnover above ?20 billion and profitability above 10%. Between 20% and 30% of residual profit (profit in excess of 10% of revenue) will be subject to tax in market jurisdictions in which these multinationals have at least ?1 million in revenue. It is expected that compliance and management, including tax filings, will be through a single entity.

The commitment under pillar two is to a global minimum tax of at least 15% (applicable to any company with over ?750 million of annual revenue) applied on a country-by-country basis.

Despite the progress being made on the two-pillar solution, around half of European countries, including the UK, have unilaterally implemented a digital services tax (DST). The UK currently applies a 2% levy on revenue of groups that provide a digital services activity and where these revenues exceed £500 million. The UK has committed to remove its DST once a comprehensive global solution is in place.

What's next?

Finalisation of the proposals, along with a detailed implementation plan, is scheduled for October 2021, with a view to implement the changes in 2023.

On 2 September 2021, the European Court of Justice (CJEU) decided that zero rating tariff options are generally incompatible with EU net neutrality rules.

"Zero rating" describes a practice where internet access providers do not count the data traffic caused by certain applications towards the customer's contractually agreed data cap.

The CJEU's decision was somewhat unexpected. German courts had actually only asked the CJEU whether certain elements of two large global telecom companies' zero rating tariff options comply with EU net neutrality rules (e.g., a limitation of the video streaming bandwidth or an exclusion of mobile tethering).

In July 2021, the German Federal Court of Justice issued a landmark decision on the legitimacy of user account bans on social media services.

The court decided to reinstate the account of a Facebook user after Facebook had banned the user for violation of its community guidelines. Facebook's community guidelines prohibit "hate speech". They allow the platform to delete content flagged as hate speech and to block users disseminating such content.

In its decision, the Federal Court of Justice emphasized the important role in society played by social media platforms (and especially Facebook), and inferred that Facebook must follow a four-step process when enforcing its guidelines. The court put emphasis on the need for a social media platform to:

(1) notify a user immediately after a deletion or ban,

(2) provide a comprehensive explanation for the sanction,

(3) give the user the opportunity to remonstrate and provide context, and

(4) review its decision anew, with a view to reinstating the account.

Facebook reacted by confirming that: "We have zero tolerance for hate speech, and we're committed to removing it from Facebook." It is reportedly reviewing judgment to ensure that it can continue to effectively remove hate speech in Germany.

CJEU hearing on German data retention rules

A case concerning the current German data retention regime is progressing: the parties travelled to the European Court of Justice (CJEU) in Luxembourg for oral hearings in September 2021.

The current German regime is the country's second attempt at implementing data retention after the first one had been declared unconstitutional by the Federal Constitutional Court in 2010. And, to date, this second attempt has been similarly unsuccessful: even before its entry into force in 2016, several parties had initiated injunctive proceedings requesting a moratorium on their obligation comply with the new rules.

German regional courts granted these requests, ruling that the new German rules violate the requirements, which had been set up by the CJEU in the meantime. Ever since then, enforcement of the German regime has effectively been suspended, although the respective rules legally remain in force.

Eventually, the Federal Administrative Court referred these cases to the CJEU, which is now expected to issue its final decision in February 2022 at the earliest.

Commission launches non-public consultation on a "way forward on data retention"

This CJEU ruling is also expected to inform the fate of other existing data retention regimes across the EU as well as the EU-level discussions on a potential way forward. To that end, the European Commission has recently launched a non-public consultation that presents possible legislative and non-legislative solutions for data retention on the basis of CJEU case law.

The Commission sets out three potential policy solutions, i.e., (1) having Member States implement their own national data retention initiatives without any EU-level involvement, (2) having the Commission publish recommendations or a guidance document to assist Member States in aligning national and EU law, and (3) adopting a new EU-level legislative proposal on data retention. These proposals will now be discussed within the

The European Court of Justice (CJEU) has revisited the question of whether the supply of software constitutes a sale of goods or the provision of services. The answer to this question is important because of the legal consequences under different European laws of selling goods or providing services.

For such an apparently simple question, surprisingly there has never been a comprehensive answer that would apply uniformly across all different legal regimes.

The most recent CJEU decision (interestingly, in this post-Brexit world, on a question referred to it by the UK Supreme Court) arose in the context of the Commercial Agents Directive - which imposes obligations to compensate commercial agents for the sale of goods made after the termination of an agency relationship.

The CJEU ruled that, where it is supplied via an agent on the basis of a perpetual licence, software does constitute goods and the Commercial Agents Directive does apply. One of the deciding factors for the CJEU was that the term "goods" means a product that has a monetary value and can be part of a commercial transaction; and so, because software meets this threshold, it should be classified as good, regardless of whether or not it is in electronic form. From a commercial perspective, it would also undermine the protection of the Commercial Agents Directive if commercial agents supplying software were excluded from its remit.

The UK Supreme Court now needs to implement the CJEU's decision by formulating its own judgment. If followed, this would mean that companies with agents appointed in the UK for the resale or marketing of software, may find themselves triggering the UK Commercial Agents Regulations - including the obligation to compensate or indemnify agents for post-termination sales. Regardless, until the matter is definitively addressed by UK parliament, this will likely not be the last that we hear on it in English courts, particularly as UK consumer legislation and policy differentiates between goods, services, and digital content.

The UK has given product manufacturers, importers and sellers extra time to implement post-Brexit rules on product labelling. This means that existing CE certifications will continue to be sufficient for entering the UK market in lieu of applying the new UKCA (UK Conformity Assessed) markings.

But, from 1 January 2023, a wide range of products (including most electronic and digital hardware) sold in the UK will need to bear the new UKCA marking (and to have been through the assessment process to allow the UKCA mark to be affixed). Of course, the corollary is that after that date affected products sold in both the EU and UK will need to comply with both the EU's CE marking scheme and the new UKCA marking.

A CE conformity assessment marking is evidence of a manufacturer's self-assessment that its product meets all of the specified essential safety requirements set out in certain EU directives. A wide range of products must bear the CE marking if they are put on the market in the EU. After Brexit, the UK announced the UKCA as a UK equivalent to the CE mark. The original timetable was that, from 1 January 2021, the UKCA (and not the CE marking) would be the marking for goods placed on the market in Great Britain that were previously subject to the CE marking. But to give manufacturers time to adjust, the UK said that manufacturers could continue to use the CE marking until 1 January 2022.

However, because many companies will not be ready to move to UKCA markings by the end of 2021, the UK has announced that the CE marking will now be accepted for a further year, until 1 January 2023. So companies can choose to comply with either or both of the CE and UKCA regimes until that date.

The UKCA marking will need to be used when placing goods on the UK market from 1 January 2023, unless there is a further extension. 

Northern Ireland is covered by different rules. Under the Northern Ireland Protocol that came into force on 1 January 2021, Northern Ireland will align with relevant EU rules relating to the placing on the market of manufactured goods.

One effect of Brexit was the greater freedom that it gives to successive UK governments to shape policy to encourage investment and the growth of different sectors of the UK economy. The downside for affected global businesses is if policy changes lead to different operational rules across the main European markets.