The Digital Policy of the EU

 

The Digital Policy of the EU

Ulrich Herfurth, attorney-at-law in Hanover and Brussels
Sara Nesler, Mag. iur. (Torino), LL.M. (Münster)

 

 

Data economy

European legislators have therefore taken action in several areas in recent years, launching the European Digital Pact and creating new and fundamental legal models for a wide range of areas.

The most massive complex to date is the European General Data Protection Regulation, which has applied to companies since May 2017 and grants consumers comprehensive data protection, but also places a heavy burden on companies due to its requirements.

This article provides an up-to-date overview of the regulatory areas – most of which have already been the subject of compacts and are accessible.

>>        www.herfurth.de/publications

 

Data Act

The Data Act aims to create a data market in all sectors within the European Union. It can be seen as the cornerstone of the legal system for data: it creates an EU-wide allocation of data to data owners and data users, i.e. their producers. This applies not only to personal data already protected by data protection law, but also in particular to machine data (industrial data/system data). The Data Act determines who is authorised to access and use the data generated by networked devices and promotes fairness and innovation in the sharing of data. It requires data owners to make the data available to users and on request of the user third parties on fair and transparent terms, while ensuring that the data is accessible to public bodies in exceptional circumstances, such as public emergencies. In addition, the Data Act contains provisions to ensure the interoperability of data and to prevent unauthorised access by third countries.

The Data Act came into force on 11 December 2024 and will apply from 12 September 2025 directly in the member states

 >>       See also: HP Compact, The European Data Act: Update 2024, February 2024

  

Data Governance Act

The aim of the Data Governance Act is to promote the availability of data for use by strengthening mechanisms for sharing data across the EU and increasing trust in data intermediaries. The regulation aims to achieve this primarily through three measures: the provision of public sector data, the registration requirement for data intermediaries and new rules for data altruistic organisations and so-called data trustees.

The Data Governance Act came into force on 23 June 2023 and became applicable on 24 September 2023.

>>       See also: HP Compact, „The Data Governance Act and the EU Data Act“, February 2022

 

Digital Markets Act

With the Digital Markets Act, the EU wants to limit the market power of large digital corporations („gatekeepers“) and increase fairness in the digital market. In particular, the regulation is intended to promote innovation, growth and the competitiveness of smaller companies. To this end, the DMA prohibits gatekeepers from imposing unfair conditions on companies and consumers due to their market power.

Germany has already used a similar approach to extend the Competition Act (GWB) with the 11th amendment to the GWB. Among other things, the GWB makes it easier for the Federal Cartel Office to scrutinise companies with „paramount cross-market significance for competition“. This also covers cases that were not covered by the „market power“ criterion in defined markets.

The Digital Markets Act (DMA) came into force on 01 November 2023 and became applicable on 02 Mai 2023.

>>       See also: HP Compact, The EU Digital Markets Act, February 2022

 

Digital Services Act

The Digital Services Act (DSA) will have a significant impact on the digital sector in the EU. By standardising rules for service providers in the EU, the DSA increases security in the digital environment. New rules apply in particular to online platforms such as online marketplaces and social networks. For example, they are subject to stricter liability for illegal content and stricter requirements for content moderation and the transparency of advertising. In addition, the DSA also contains regulations for other providers of online services such as web hosts.

The Digital Services Act has been in force since 16 November 2024 and became applicable on 17 February 2024.

>>       HP Compact, Digital Services Act, September 2020, update 2024 coming soon

 

New Vertical BER and Vertical Guidelines

 Like the previous regulation, the new Vertical Block Exemption Regulation creates an exemption from the general prohibition of restrictions of competition for certain vertical agreements, i.e. between companies operating at different levels of the production, supply and distribution chain. The updated version of the regulation contains several changes that affect online distribution and could require or enable companies to adapt their distribution models.

The new Vertical Regulation and the new Vertical Guidelines came into force on 1 June 2022. A transitional period until 31 May 2023 applied to existing contracts.

 >>       See also: HP Compact, Restrictions of competition in distribution, October 2022

  

MiCAR

Regulation on Markets in Cryptocurrencies (MICAR) creates a standardised European regulatory framework for cryptocurrencies. Trading in cryptocurrencies (secondary market) will be subject to authorisation throughout Europe. Accordingly, service providers must fulfil several requirements in order to obtain and retain authorisation. MiCAR has made trading in cryptocurrencies somewhat safer for investors, at least within the European Union.

The Regulation on Markets in Cryptocurrencies entered into force on 29 June 2023 and will be applicable from 30 December 2024

 

Cybersecurity

Cyber Resilience Act

The Cyber Resilience Act aims to improve the cyber security of products with digital elements that include both hardware and software, such as baby monitors, smartwatches, computer games and routers. It imposes a number of obligations on manufacturers, importers and distributors to ensure that these products meet strict cyber security standards.

Key measures include the requirement for cyber security by design, compliance assessments, timely reporting of security vulnerabilities and disclosure of security incidents.

The European Parliament adopted the Cyber Resilience Act on 12 March 2024. The text still needs to be formally adopted by the Council before it can enter into force.

>>       See also: HP Compact, The EU Cyber Resilience Act, March 2022

 

NIS 2.0 Directive

The aim of the Network and Information Security Directive (NIS 2.0) is to ensure a high common level of security of network and information systems in the EU through cybersecurity measures. Compared to the previous directive, the scope of application has been expanded and the requirements for companies and public bodies have been increased to improve resilience against cyber attacks. In addition, the directive strengthens the powers of the BSI and promotes cooperation and the exchange of information between member states in order to counter threats more quickly and effectively.

The NIS 2.0 was published on 27 December 2022 and must be transposed into national law by the member states by 17 October 2024.

>>       See also: HP Compact, The NIS 2 Directive, coming soon

 

Artificial intelligence

The AI Act | Artificial Intelligence Regulation

 With the AI Act, Europe is the first in the world to create a fundamental legal categorisation and structure for AI. The aim of the regulation is to promote artificial intelligence in the EU while ensuring a high level of protection and security. To this end, the EU has chosen a risk-based approach with four risk levels: AI systems with an unacceptable risk are banned. For AI systems with a high or low risk, the regulation creates new requirements, while AI systems with only a minimal risk may continue to be used within the existing legal framework.

The AI Act was adopted by the Council on 21 May 2024 and is expected to enter into force soon. It will become applicable two years after its entry into force.

>>       See also: HP Compact, Artificial intelligence in the legal framework, January 2019;
Artificial intelligence in Europe, September 2021

 

 Product Liability Directive

 The European Product Liability Directive was created to protect consumers against damage and injury caused by unsafe physical products. The legal view has developed that products with digital elements and software as such should also be covered by product liability. The current amendment to the directive now explicitly states that software applications and AI systems are also „products“.  The directive thus lays the basis for strict liability for software and AI systems.

The European Parliament adopted the new Product Liability Directive on 12 March 2024. It is due to come into force at the end of 2026. 

 

AI Liability Directive

In addition to the Product Liability Directive, the directive should serve as a basis for fault-based claims for damages, but does not deal with liability as such, only with procedures for this.  The key points of the draft are the obligation to disclose evidence and a rebuttable presumption of causality between the fault of the supplier or user and the damage that has occurred.

The legislative process on the AI Liability Directive has stalled. Following an opinion by the European Economic and Social Committee (EESC) in January 2023, no further steps were taken.

 

 Social

Whistleblower Directive

The directive serves to protect people who report breaches of EU law. It obliges companies with more than 50 employees and public bodies to set up internal reporting channels. Whistleblowers may not be penalised or persecuted because of their report. In addition, reports must be treated confidentially in order to protect the identity of the whistleblower. Violations of the directive can result in significant sanctions.

The Whistleblower Directive came into force on 16 December 2019 and had to be transposed into national law by the member states by 17 December 2021. In Germany, the corresponding Whistleblower Protection Act came into force on 2 July 2023.

>>       See also: HP Compact, The Whistleblower Protection Act, September 2023

 

Platform Work Directive

The directive “on improving working conditions in platform work” introduces two important innovations: it helps to determine the correct employment status of people working for digital platforms and it regulates the use of algorithmic systems in the workplace for the first time at EU level. The directive was adopted on 24 April 2024 and should enter into force from mid-2026 at the earliest following its adoption by the Council and publication.

>>       See also: HP Compact, Platform Work, coming soon

 

+ + +