European Union

The EU Digital Services Act (“DSA”) will start applying from February 17, 2024 to a broad array of intermediary services offered in the EU, including online marketplaces, web-hosting services, cloud services, search engines, and social media platforms.  The DSA will require these providers to include certain information in their existing terms and conditions (“T&Cs”).  We set out below an overview of the chief changes providers will need to make to their T&Cs in light of the DSA.

(For a general overview of the DSA, its scope of application and obligations, see our previous blog posts here, here and here).Continue Reading Digital Services Act’s Impact on Terms of Service

The recently agreed Cyber Resilience Act isn’t the only new EU cybersecurity rule set to be published this December: by the end of the year, the European Commission is expected to adopt its draft regulations to establish a European cybersecurity certification scheme (“ECCS”). Continue Reading EU cyber regulation wave quietly rolls on – Commission set to finalize new cyber standards

Yesterday, the European Commission, Council and Parliament announced that they had reached an agreement on the text of the Cyber Resilience Act (“CRA”). As a result, the CRA now looks set to finish its journey through the EU legislative process early next year. As we explained in our prior post about the Commission proposal, the CRA will introduce new cybersecurity obligations for a range of digital products sold in Europe. We’ll provide a more detailed summary of the agreed text once it is finalized and published but in this post we set out a brief summary of key provisions. In terms of timing, the CRA will come into force over a phased transition period starting in late 2025.
Continue Reading The EU’s Cyber Resilience Act Has Now Been Agreed

On October 11, 2023, the French data protection authority (“CNIL”) issued a set of “how-to” sheets on artificial intelligence (“AI”) training databases. The sheets are open to consultation until December 15, 2023, and all AI stakeholders (including companies, researchers, NGOs) are encouraged to provide comments.  Continue Reading French CNIL Opens Public Consultation On Guidance On The Creation Of AI Training Databases

EU advocate general Collins has reiterated that individuals’ right to claim compensation for harm caused by GDPR breaches requires proof of “actual damage suffered” as a result of the breach, and “clear and precise evidence” of such damage – mere hypothetical harms or discomfort are insufficient. The advocate general also found that unauthorised access to data does not amount to “identity theft” as that term is used in the GDPR.Continue Reading EU Advocate General Defines “Identity Theft” And Reaffirms GDPR Compensation Threshold

On October 26, 2023, the European Court of Justice (“CJEU”) decided that the GDPR grants a patient the right to obtain a copy of his or her medical record free of charge (case C-307/22, FT v DW).   As a result, the CJEU held that a provision under German law that permitted doctors to ask their patients to pay for the costs associated with providing access to their medical record is contrary to EU law.Continue Reading CJEU Holds That GDPR Right of Access Overrules Local Laws

A would-be technical development could have potentially significant consequences for cloud service providers established outside the EU. The proposed EU Cybersecurity Certification Scheme for Cloud Services (EUCS)—which has been developed by the EU cybersecurity agency ENISA over the past two years and is expected to be adopted by the European Commission as an implementing act in Q1 2024—would, if adopted in its current form, establish certain requirements that could:

  1. exclude non-EU cloud providers from providing certain (“high” level) services to European companies, and
  2. preclude EU cloud customers from accessing the services of these non-EU providers.

Continue Reading Implications of the EU Cybersecurity Scheme for Cloud Services

On October 17, 2023, the European Commission adopted a proposal to review the Alternative Dispute Resolution (“ADR”) framework.  The review consists of: (i) a proposal to amend the ADR Directive; (ii) a proposal to repeal the Online Dispute Resolution (“ODR”) Regulation; and (iii) a recommendation addressed to online marketplace and EU trade associations. 

Amended ADR

On 9 October 2023, the European Parliament’s Internal Market and Consumer Protection Committee (IMCO) and Committee on Legal Affairs (JURI) agreed revised wording to amend the European Commission’s (the “EC”) proposed new Product Liability Directive (the “Directive”). The vote was passed with 33 votes in favour to 2 against. If adopted, the Directive will replace the existing (almost 40-year old) Directive 85/374/EEC on Liability for Defective Products, which imposes a form of strict liability on product manufacturers for harm caused by their defective products.Continue Reading EU Legislative Update on the New Product Liability Directive

On June 27, 2023, the European Parliament and the Council of the EU reached a political agreement on the Data Act (see our previous blog post here), after 18 months of negotiations since the tabling of the Commission’s proposal in February 2022 (see our previous blog post here).  EU lawmakers bridged their differences on a number of topics, including governance matters, territorial scope, protection of trade secrets, and certain defined terms, among others.

The Data Act is a key component of the European strategy for data. Its objective is to remove barriers to the use and re-use of non-personal data, particularly as it relates to data generated by connected products and related services, including virtual assistants. It also seeks to facilitate the ability of customers to switch between providers of data processing services.

We’ve outlined below some key aspects of the new legislation.Continue Reading European Parliament and Council Release Agreed Text on Data Act