European Digital Compliance: Key Digital Regulation & Compliance Developments – Contracts and Industrial Legislation

To help organisations stay on top of the main developments in
European digital compliance, Morrison Foerster’s European
Digital Regulatory Compliance team reports on some of the main
topical digital regulatory and compliance developments that have
taken place in the second quarter of 2022.

This follows on our previous updates on European digital
regulation & compliance developments for 2021 (Q1, Q2, Q3, Q4) and
Q1 of 2022.

In this issue, we note the large strides taken towards adoption
of the EU Digital Services Act (which seeks to regulate the
operations of all digital service providers operating in the EU,
wherever the provider happens to be based) and the EU Data
Governance Act. We also highlight other recent and forthcoming
digital regulatory initiatives from the EU (and also case law),
including changes that companies will need to make to online
ordering processes affecting EU-based consumers. We also look in
more depth at how the UK government is taking forward its
self-declared “pro-competitive” regime for the regulation
of digital markets and at a slight relaxation of UK product
labelling rules for digital hardware.

EU Digital Policy and Legislation

  1. EU Digital Services Act: Agreed & Ready for
    Approval
  2. EU Data Governance Act: May 2022, Council approved the
    Act
  3. EU proposed regulation on online child sexual
    abuse
  4. Germany: Draft legislation requires centralised youth
    protection mechanisms in operating systems, covering apps, browsers
    and app stores
  5. EU: Proposed amendments affect online financial
    services agreements, including a “withdrawal
    button”
  6. EU: New Vertical Block Exemption Regulation
    adopted
  7. EU: Proposal on “green” claims in digital
    (and other) products

UK Digital Policy and Legislation

  1. UK Competition and Consumer Reform: Greater Regulatory
    Enforcement Powers
  2. UK digital regulatory policy: UK Government confirms
    plans to introduce pro-competition regime for digital
    markets
  3. UK: Relaxation of product safety labelling
    rules

Cyber Security and Resilience

  1. Cybersecurity: NIS 2 Directive

Notable Case Law

  1. EU case law: When do online traders need to give
    pre-contract information about their or third-party
    manufacturers’ guarantees?
  2. EU case law: Requirement for a clear “Purchase
    Button” online
  3. EU case law: the legitimacy of content recognition
    technology
  4. EU Telecoms Regulation: German enforcement measures
    against “zero-rating” offerings

1. EU Digital Services Act: Agreed & Ready for
Approval

In April 2022, the EU Parliament and Council reached political agreement on the
Digital Services Act (DSA). The EU
Parliament’s Internal Market Committee also endorsed the
agreement in June, and it’s now expected that the DSA will be
formally adopted by the EU Parliament very soon. The finalised text
is not yet available to the public.

In parallel with the Digital Markets Act (DMA),
the DSA seeks to regulate the operations of all digital service
providers operating in the EU – wherever the provider happens to be
based. It will come into effect as an EU Regulation, meaning that
no further implementation into Member State law will be
required.

The DSA aims to address large digital platforms, impose greater
accountability on intermediaries for third-party content, and
protect users from illegal goods, content or services. The DSA sets
out a new framework of obligations to apply to all digital services
that connect consumers to goods, services or content, including new
procedures for faster removal of illegal content as well as
comprehensive protection of users’ fundamental rights online.
It adopts the principle that illegal offline acts should also be
illegal online.

The DSA will apply to any online intermediary offering services
in the EU. Intermediary services are broken down into various
categories:

  • organisations offering network infrastructure (e.g.,
    internet access providers, domain name registrars);
  • hosting services (e.g., cloud and webhosting
    services);
  • online platforms (e.g., online marketplaces, app
    stores, collaborative economy platforms and social media
    platforms); and
  • very large online platforms (VLOPs), which reach more than 45
    million consumers in Europe.

The strength of the DSA’s obligations is intended to be
proportionate to the nature of the services and number of users for
a given platform, so that larger digital services providers will be
subject to more rigorous standards. The DSA imposes obligations on
various online intermediary service providers, such as: to identify
and remove illegal content; not to manipulate users’ choices
through nudging or deceitful techniques (dark patterns); and to
verify and check traceability information provided by traders that
sell via platforms to consumers.

The Commission will have exclusive power to demand compliance
for platforms with more than 45 million users, and penalties
include up to 6% of those platforms’ worldwide turnover.

What’s Next?

The final vote in the EU Parliament for the DSA is expected in
July 2022, followed by a formal adoption by the Council and then
publication in the EU Official Journal. The DSA is then expected to
come into force in late 2023 or early 2024.

2. EU Data Governance Act: May 2022, Council approved the
Act

The new EU mechanism for the wider reuse of public-sector data –
the Data Governance Act (DGA) – has now been
adopted. We previously reported on the
Data Act.

As of 24 September 2023, certain categories of data such as
trade secrets, personal data and data protected by intellectual
property rights may be reused and shared by companies and
individuals alike without fear of being misused or compromised.

The DGA is a culmination of efforts by the EU to leverage the
high-value data economy in the EU, which is expected to reach ?829
billion by 2025. Previous consultation on this issue emphasised the
lack of incentivisation for both individuals and companies to
participate in data sharing. One of the DGA’s main aims will be
to ensure that in-scope data is handled consistently with the
principles and protections offered by the GDPR, ePrivacy Directive,
consumer law, competition law and other applicable EU laws.

The DGA will be underpinned by a framework for data
intermediation services (“DI Services“)
which will provide the secure environment in which parties can
share data. Where the sharing parties are companies, the DI
Services will be facilitated via digital platforms and any
providers of DI Services will need to add themselves to a central
register. From a privacy perspective, the DI Services will give
individuals full control over their personal data on top of the
protection that they receive under the GDPR, e.g., through
personal information management tools such as data wallets, so that
the individual is at all times aware of how their data is shared
with others, and can give/withdraw consent accordingly.

What’s Next?

To help the European Commission navigate its oversight of the DI
Services, a European Data Innovation Board will be created to
advise the Commission and issue guidelines on how to nurture the
development of data spaces and improve interoperability. Alongside
this, the European Council is working on a regulation on harmonised
rules on fair access to and use of data (somewhat confusingly
referred to as the Data Act) and discussions are in full swing.

3. EU proposed regulation on online child sexual abuse

The EU is ramping up the fight against online sexual abuse of
children with its draft “Regulation laying down rules to prevent and combat
child sexual abuse”. The Regulation will impose
requirements on providers of certain digital services or platforms
operating in the EU to detect, report and remove child sexual abuse
material (CSAM) offered via their services, under
a regime overseen and enforced by regulatory authorities designated
by EU Member States.

Since 2011, the EU has been fighting child pornography. Two
years ago, the European Commission formulated a new “strategy for a more effective fight against child
sexual abuse”. The proposed new Regulation is the latest
step in this process and combats two types of online child sexual
abuse: the online dissemination of child sexual abuse material
(CSAM) and online solicitation of children (or
“grooming”).

The proposal addresses any services that allow users to upload
files, and any services allowing interpersonal communication
(i.e., chat, audio or video calls). The service providers
must perform a risk assessment, implement risk mitigation measures
and report the results. Moreover, a national authority can issue a
detection order, meaning that the service provider will have to
employ technology to actively search user content for CSAM or
interactions that resemble child solicitation. The authority can
also request internet access service providers to block a website
hosting, displaying or disseminating CSAM.

Of all the proposed new requirements, the most controversial has
been the creation of possible detection orders in relation to child
solicitation in interpersonal communication, because the technology
required to implement such an order would necessarily break
end-to-end encryption. Encrypted cloud storage and other “zero
knowledge” services face the same dilemma: Compliance with the
Regulation requires them to change their privacy-focused business
model.

What’s Next?

The proposal will be debated in the EU Council and the European
Parliament, before likely entering the so-called trilogue procedure
to negotiate a final version approved by all legislative bodies.
The respective timeline is still unclear.

4. Germany: Draft legislation requires centralised youth
protection mechanisms in operating systems, covering apps, browsers
and app stores

The German Federal States are planning to amend their youth
protection rules to enable parents more easily to set up parental
controls at a central location on their own (and their kids’)
devices to restrict access to inappropriate apps. To the extent
that it affects audiovisual services (as opposed to storage media),
youth protection law is subject to State-level, not Federal,
legislative powers in Germany. Nevertheless, to provide for
coherent rules Germany-wide, the States coordinate their lawmaking
by way of “interstate treaties”.

After discussing an early concept paper with industry
stakeholders in fall 2021, the States published a “discussion
draft” of the new law for public consultation in May 2022. The
public consultation was open until late June 2022. The draft
provides that apps must obtain mandatory age ratings, and that they
may be blocked based on these ratings by a new youth protection
mechanism to be implemented in the operating systems of user
devices.

The draft further requires that operating systems for media
devices must feature a parental control mechanism that allows users
to block apps depending on their age rating. Apps that include a
certified youth protection solution will not be blocked, but
instead must provide an interface so that they can automatically
align their built-in solutions with the age-settings of the
operating system’s parental control mechanism. Furthermore,
operating systems must allow (adult) users to deactivate app
installations from non-system app stores and web browsers without
“safe search” features when the parental control
mechanism is active.

What’s Next?

The States will now digest the input received during the
consultation process, and then agree on a final wording for the new
law. This must then be ratified by all 16 German State parliaments
before it can enter into force, which will likely not happen before
early 2023.

5. EU: Proposed amendments affect online financial services
agreements, including a “withdrawal button”

The European Commission has proposed new legislation on
financial services contracts concluded at a distance that will make
various changes to EU laws regarding the regulation of online
financial services in the EU.

On the surface, the proposed change looks somewhat superficial.
The Commission will repeal the Distance Marketing Directive
(2002/65/EC) (DMD) and transfer its contents to the Consumer Rights
Directive (2011/83/EU) (CRD).

The DMD contains consumer protection rules governing financial
services contracts that are concluded remotely or at a distance,
including requirements for the information that must be provided to
the consumer before the contract takes effect, and providing a
right of withdrawal and a prohibition on unsolicited communications
from suppliers.

The CRD contains similar provisions with respect to other types
of distance consumer contracts but currently excludes all financial
services.

So the Commission now proposes to repeal the DMD and transfer
its contents to the CRD via a new Chapter to the CRD that applies
to financial services contracts concluded at a distance. But the
net effect of the new proposal will be to make a number of changes
to the applicable regulatory regime for financial services distance
contracts, such as the following:

  • There are new pre-contractual information
    requirements
    , which must reach the consumer at least
    a day before the consumer is bound by any distance contract.
  • In relation to the right of
    withdrawal
    , there will need to be a withdrawal button
    that is clearly visible.
  • Providers must give consumers an adequate
    explanation
    about the proposed financial services
    contracts to enable the consumer to assess whether the contracts
    are adapted to their needs and financial situation. Also, if a
    trader uses an online tool for this purpose (such as a chatbot or
    “roboadviser”), the consumer will have a right to request
    and obtain human intervention.

What’s Next?

The EU Council and the European Parliament will now consider the
Commission’s proposal. If and when adopted, EU member states
will be given 24 months to transpose the Directive into national
law.

The proposal will not have effect in the UK unless the UK
government enacts similar requirements. So financial services
providers operating across Europe will need to consider whether to
apply two different approaches or harmonise their systems around
one approach – presumably the more consumer-friendly EU regime.

6. EU: New Vertical Block Exemption Regulation adopted

From 1 June, a new Block Exemption Regulation for vertical
agreements (the so-called
Vertical Block Exemption Regulation No. 2022/720 or
VBER, including related
Guidelines) applies to all new in-scope agreements operative in
the EU.

The purpose of the block exemption is to provide a “safe
harbour” and generally exempt agreements between market
players at different levels of the supply chain (so-called
“vertical agreements”, e.g. between brand owners and
retailers) from the EU’s prohibition on anti-competitive
agreements (Art. 101 TFEU, including its national equivalents) if
certain market share thresholds are met and provided the agreement
does not contain certain prohibited restrictions. This regime is
intended to reduce burden on businesses by giving them legal
certainty around the compliance of certain categories of agreement
with antitrust laws.

The new VBER retains many of the provisions found in the
old VBER. For example, while there are some new clarifications
on resale price maintenance, the new VBER continues to generally
treat it as a hardcore restriction, consistent with recent
enforcement action by the European Commission (EC) in this
area.

However, there are some significant changes that companies need
to understand in order to ensure that their distribution
arrangements in the EU continue to benefit from the exemption. For
instance, the rules for online sales restrictions have softened
(e.g. by applying a softer approach to dual pricing for online and
offline sold products, or by allowing restrictions on the use of
online market places). But the new VBER is stricter with respect to
dual distribution systems (where manufacturers sell directly to
customers but also via retailers) and restrictions imposed by
online market places (particularly so-called “most-favoured
nation” clauses). We have summarised the key changes for
businesses in our recent client alert.

What’s Next?

Contracts already in place before 1 June 2022 must be amended to
comply with the new rules by 31 May 2023. Any new agreement that
falls within scope of the new VBER needs to be drafted
appropriately. In particular, operators of online marketplaces
should review the changes carefully and ensure not only that they
make the necessary adjustments to their existing contracts but also
that they follow the VBER guidelines when concluding new
contracts.

7. EU: Proposal on “green” claims in digital (and
other) products

The European Commission (EC) is planning amendments to the
Unfair Commercial Practices Directive (UCP) and the Consumer Rights
Directive (CRD) to support the next steps towards a cleaner and
greener EU economy. This change will apply to all businesses
operating in the EU, including those with a digital focus, because
sustainability is a hot topic across all industries.

The EC’s declared aim is to strengthen the protection and
position of consumers in order to achieve climate and environmental
objectives under the EU’s “Green Deal”.

The planned amendments to the CRD would introduce new
pre-contractual information obligations for contracts with
consumers on the durability and reparability of products. For
businesses with a digital focus, the proposal suggests an
obligation on digital providers to provide information to buyers
and consumers on the existence and length of the period during
which the manufacturer commits to providing software updates.

The planned amendments to the UCP would mainly update the
current law on misleading commercial practices in relation to green
claims without introducing major changes. The draft introduces new
(clarifying) provisions and extends the so-called “black
list” (of prohibited behaviour) to ensure that companies do
not mislead consumers about the environmental and social impacts of
their products or services, the use of sustainability labels and
the durability and reparability of products. The proposal, for
instance, explicitly provides that it would be misleading to make
generic environmental claims (e.g., “environmentally
friendly”, “eco” or “green”) where the
claimed environmental performance of the product or seller cannot
be demonstrated, or to make an environmental claim about the entire
product, even though the claim only concerns a certain aspect.

What’s Next?

The proposal remains subject to discussion and its
implementation may still take some time. Businesses should
nevertheless begin to consider the likely changes to be made in the
UCP in relation to “green” claims. This is because most
of these principles already apply to all businesses today under the
general prohibition on misleading commercial practices. In case of
violations, companies are faced with private enforcement, such as
cease-and-desist or damage claims, as well as fines.

8. UK Competition and Consumer Reform: Greater Regulatory
Enforcement Powers

The UK has proposed reforms to its consumer protection laws to
give the Competition and Markets Authority (CMA) greater
enforcement rights against proscribed online or digital conduct,
and to introduce specific reforms to make companies responsible for
fake online reviews and so-called “subscription
traps”.

The CMA has long been requesting these reforms, which will
likely result in a significant uptick in enforcement activity, once
enacted.

A Draft Digital Markets, Competition and Consumer Bill (the
Draft Bill“) was included in the
Queen’s Speech in May 2022, which sets out the UK
government’s priorities for the year ahead. The Draft Bill is
set to provide better protection for consumers online and enable
the regulator (the CMA) to take more effective action on behalf of
consumers. The Draft Bill will impose tighter rules on
organisations operating online and strengthen the CMA’s
enforcement powers, including the ability to impose fines of up to
10% of global turnover for breaches of consumer law.

The increase in the CMA’s enforcement powers is a
significant reform. Currently, the CMA is unable to enforce
decisions without going through the courts, and no penalties can be
imposed for breaches (except where there is a failure to comply
with a court order). Under the Draft Bill, the CMA will itself be
able to issue decisions, and issue fines for more serious
breaches.

The Draft Bill will also tighten rules in relation to specific
areas of online activity, particularly subscription traps and fake
reviews. With regards to subscription traps, the Draft Bill
introduces specific requirements for organisations to send
customers reminders regarding roll-over or auto-renewal contracts,
and ensure that consumers are able to exit contracts in a
straightforward and timely way. As we have pointed out before, the issue of
auto-renewals is something that the CMA has previously considered,
and EU regulators are also focused on it.

To increase protection from fake reviews, the Draft Bill
proposes to add fake reviews to the list of automatically unfair
practices under the Consumer Protection from Unfair Trading
Regulations 2008. For example, online platforms will be
“banned” from hosting consumer reviews without taking
reasonable and proportionate steps to check they are genuine. What
the regulator considers to be “reasonable and proportionate
steps” has yet to be clarified.

Similar reforms are expected in the EU, where Member States are
required to give their national consumer regulators the power to
impose fines of up to 4% of global turnover by the end of May
2022.

What’s Next?

Despite its inclusion in the Queen’s speech, the Government
has not yet committed to legislating the Draft Bill in the current
parliamentary term; as a result, it’s not yet clear when the
new rules will come into force.

9. UK digital regulatory policy: UK Government confirms plans
to introduce pro-competition regime for digital markets

The UK Government has confirmed its intention to introduce a new
regulatory regime targeted at regulating major digital platforms.
The proposed “pro-competition” regime for the regulation
of digital markets will give a suite of enforcement powers to the
Digital Markets Unit (DMU), which has been established within the
CMA pending the introduction of legislation, including the ability
to designate major platforms with “Strategic Market
Status” and impose various constraints on their conduct,
including structural remedies.

History of the proposals

The proposals for a new forward-looking regime for the
regulation of digital markets have their genesis in a series of
expert panel reports and recommendations dating from 2019,
including in particular the
Digital Competition Expert Panel, chaired by Jason Furman. The
Furman report on “Unlocking Digital Competition”
concluded that existing regulatory powers were insufficient to
tackle the novel challenges presented by the digital age and, in
particular, recommended the introduction of a new regime which
would include “pro-competition” policies to enable
regulators to improve consumer choice by lowering barriers to entry
and for interoperability, including through the use of enforceable
codes of conduct for firms designated as having “strategic
market status”.

Following the Furman Report, the CMA used its existing
enforcement toolkit to develop its understanding of the relevant
markets, starting with a wide-reaching market study into digital
advertising in the UK, which concluded in
July 2020, and culminating in the publication of advice to the
government in December
2020 on the design and implementation of the new regime. The
DMUwas established within the CMA from April 2021.

Against this backdrop, the UK government issued a comprehensive
consultation on proposals for reform in
July 2021, taking on board most of the proposals made by the
CMA and the Furman Review. The
response to these proposals was published on 6 May 2022, when
the government confirmed its intention to introduce new legislation
to establish the regime.

Overview of the proposals

Like the EU regime, the regime will involve the “ex
ante” regulation of firms designated as having
“Strategic Market Status” (SMS). The test for conferring
SMS will require that a company has “substantial and
entrenched market power in at least one digital activity, providing
them with a strategic position” and that there be a nexus
to (and impact on competition in) the UK. The DMU will be required
to produce detailed guidance on how it will conduct its assessment,
which will be undertaken via a “market study” type
investigation.

The regime will allow the DMU to develop an enforceable code of
conduct specific to each designated firm, with “core
obligations” to underpin this code, including the fair
treatment of users, removal of barriers to switching and ensuring
customers can make informed choices. These core obligations will be
supported by a series of “conduct requirements” which
will be set out in legislation, based on which the DMU will develop
company-specific conduct requirements, including obligations not to
leverage market power, impose discriminatory terms or engage in
bundling, as well as positive duties of transparency.

Contrasts to the EU regime

The UK proposals differ quite materially from the EU regime,
most importantly in that the proposed codes of conduct will be
bespoke to the individual firms, unlike the EU regime which will
require compliance with a set of standardised conduct rules for all
designated “Gatekeepers”. There will also be the
possibility for regulated firms to apply for an exemption for
conduct that would otherwise breach code requirements where the
relevant company can illustrate that such conduct brings about net
consumer benefits. Such exemptions will not be available under the
EU regime, although the bar for granting an exemption will likely
be high.

Another key difference is the proposed ability for the DMU to
implement broad ranging “pro-competitive interventions”
(PCIs) where the DMU has identified an adverse effect on
competition following a nine-month “market-study” type
investigation. These remedies will be intended to address the
“root causes” of market power on a company-specific basis
and could include orders to allow interoperability, third party
access to data or even structural separation.

Merger controls

Proposals for a bespoke merger regime have been dropped, but SMS
firms will be required to report “their most significant”
transactions to the CMA before closing, with its current thinking
being that this would be where there is an acquisition of over 15%
equity or voting share, the value of holding is over £25m and
the transaction meets a UK nexus test. Separately, the proposed
reforms to competition will introduce amendments to the existing
merger control thresholds to address the CMA’s ability to
investigate so-called “killer acquisitions”. In
particular, the government has proposed introducing a new basis to
intervene in mergers where the parties are not direct competitors,
which will apply where at least one party has an existing
“share of supply” of 33% in the UK and a UK turnover of
£350m.

What’s Next?

While the UK government has confirmed that the regime will be
established, it is not clear when this will be, although this is
unlikely to be before 2023. In the meantime, the DMU is fully
up-and-running, and the CMA is using its full suite of existing
powers to address current market concerns and develop the
principles that will most likely apply to regulated firms once the
regime comes into force. This includes a series of market studies
and specific enforcement actions against some of the major
platforms.

Most recently, the CMA announced in June 2022 the results of its
market study into mobile phone ecosystems, in which it concluded
that a more detailed market investigation should be launched into
mobile browsers and cloud gaming. The Market Study report provides insight how the
regime might be “operationalised”, including the
CMA’s view on what an assessment of strategic market status would look like, as
well as examples of conduct that could be addressed under codes of
conduct and PCIs.

10. UK: Relaxation of product safety labelling rules

In June 2022, the UK government announced changes to help
businesses to apply the new UK Conformity Assessed (UKCA) mark on
most products placed on the market in Great Britain. This eases the
transition from the EU’s “CE” mark, which will cease
to apply to the UK market post-Brexit. The new rules are expressly
intended to cover the supply of electronic devices.

Since the Brexit transition period ended, the UK government
allowed businesses to continue to use the CE marking on affected
products sold in the UK until 31 December 2022. With only six
months to go until the end of this grace period, the UK government
has announced some relaxation of the rules to ease the transition
from CE to UKCA markings:

  • Manufacturers of affected products will be able to apply the
    UKCA mark to products that were conformity assessed by EU bodies
    before the end of 2022. There will be no need to have a separate UK
    assessment until the product’s certificate expires or 31
    December 2027, whichever is earlier.
  • Some CE-marked products imported into the UK before the end of
    2022 will not need to be re-certified for the UKCA
    requirements.
  • Existing rules on labelling will be extended until the end of
    2025, so UKCA markings can be added to products by sticky labels or
    through accompanying documentation.

What’s Next?

The government will quickly introduce the necessary legislation
before the end of 2022. Manufacturers or suppliers into the UK of
affected products (including digital hardware and electronic
devices) should review how the new labelling and marking rules
affect their products.

11. Cybersecurity: NIS 2 Directive

Cybersecurity risk management and reporting obligations rules in
Europe are about to change significantly. The new Directive on
measures for a high common level of cybersecurity across the EU
(NIS 2) will impose stricter cybersecurity risk
management requirements on more organisations, and introduce
tougher supervisory and enforcement measures.

The Council of the EU and European Parliament have reached a
provisional agreement on NIS 2, which was first proposed by the EU
Commission in December 2020. Once formally adopted, NIS 2 will
replace the current Directive (EU) 2016/1148 on security of network
and information systems (NIS 1).

Among other things, NIS 2 will set the baseline for
cybersecurity risk management measures and reporting obligations
across all covered sectors, which includes energy, transport,
chemical manufacturing, production and distribution, postal and
courier services, healthcare and digital infrastructure.

NIS 2 forms part of the EU’s wider effort to better protect
critical national infrastructure from cybersecurity threats,
including the heightened risk and critical vulnerabilities
associated with networking and information systems, and digital
supply chains.

See our more detailed client alert for further insight.

What’s Next?

The provisional agreement is now subject to approval by the
Council of the EU and European Parliament and is expected to take
place within the coming months. Once NIS 2 has been adopted, EU
Member States will have 21 months thereafter to incorporate the
provisions into their national law. However, EU Member States may
well introduce national implementing laws ahead of the deadline, as
some of them did with NIS 1.

12. EU case law: When do
online traders need to give pre-contract information about their or
third-party manufacturers’ guarantees?

The European Court of Justice (CJEU) has ruled that online
traders need to give pre-contractual information to consumers about
a manufacturer’s guarantee if that information has been made an
essential element of the offer (Victorinox, Case
C-179/21). This ruling clarifies what pre-contractual information
is actually required to meet consumer protection laws (the Consumer Rights Directive (2011/83/EU)
(CRD)).

The mere existence of a guarantee is not enough to trigger
disclosure; traders can be silent about any manufacturer guarantees
unless there is a legitimate consumer interest. This interest
arises if that information is decisive for the consumer in
deciding whether or not to enter into a contractual relationship
with the trader.

To determine the central or decisive element of the offer,
traders should consider:

  • the way in which the goods are offered (including the content
    and layout);
  • the prominence of the guarantee mentioned – i.e., if
    the manufacturer’s guarantee is only mentioned incidentally and
    not for commercial purposes, it is less likely to be
    central/decisive; and
  • the likelihood that average consumers would be confused about
    who was offering the guarantee and how they could exercise their
    rights under it.

Traders must still provide relevant information about their own
guarantees.

What’s Next?

The scope of this decision has been recently amplified by the
ECJ ruling that
an online intermediary can be a trader for the purposes of the
CRD (see our summary from our
Q1, 2022 update). This ruling is binding in the EU but
(post-Brexit) not in the UK. UK courts may choose to take the
ruling into account.

13. EU case law: Requirement for a clear “Purchase
Button” online

The European Court of Justice (CJEU) has ruled that, under the
EU Consumer Rights Directive (CRD), an EU-based consumer is not
bound by an online contract if any button or similar function used
for online orders is not labelled, in an easily legible manner,
only with either the words “order with obligation to
pay” or a corresponding unambiguous formulation
indicating that placing the order entails an obligation to pay the
trader.

The CJEU case concerned the question of how the
so-called “purchase button” on a seller’s online
interface must be labeled in light of the CRD’s statutory
obligation to use the wording “order with obligation to
pay” or “corresponding” wording. In its recent
ruling, the CJEU found that the directive requires that the fact
that the function triggers an obligation to pay has to be:

  • entirely clear from only the words on the label on the relevant
    button (or a similar, alternative function); and
  • without any reference to an overall assessment of the
    circumstances such as the purchase flow.

The referring court (Local Court of Bottrop, Germany) had to
decide whether a contract between a consumer and a hotel company
was validly entered into and enforceable. The consumer had followed
the procedure on a website on which the hotel company had offered
its rooms. After clicking a button labelled “I’ll
reserve”, the consumer had entered his personal details and
the names of the individuals accompanying him, before clicking on a
button labelled with the words “complete booking”. The
hotel company claimed that the consumer would have to pay for the
four double rooms that where subject of the procedure, despite
never having shown up at the hotel.

The referring German court had doubts whether the obligations of
the German version of the CRD were satisfied. Like the CRD itself,
German law does not contain specific examples of
“corresponding formulations,” with the consequence that
sellers may use words of their choice that satisfy the requirement
that the obligation to pay is evident. In the view of the referring
court, albeit clear from the booking process, the term
“booking” in the expression “complete booking”
is not necessarily associated in everyday language with the
obligation to pay financial consideration, but is often also used
as a synonym for “pre-order or reserve in advance free of
charge”.

Previous rulings of local German courts have taken into account
the overall circumstances of the ordering process and, in
particular, the configuration of that process, for the purpose of
determining whether words such as those used by the operator of the
booking website constitute an unambiguous formulation corresponding
to the words “order with obligation to pay”.

What’s Next?

Especially where EU Member State law does not provide examples
of button labels, sellers are advised to assess whether the wording
on their final ordering button (or similar function) explicitly
indicates that its activation triggers an obligation to pay.

14. EU case law: the legitimacy of content recognition
technology

Article 17 of EU Copyright Directive includes a provision
requiring online content-sharing service providers
(OCSSP) to ensure that copyright-protected works
cannot be uploaded without the prior consent of rights-holders –
and has long been considered by those services’ users as a
potential violation of their fundamental rights. This was based on
the assumption that Art. 17 implied the use of upload filters.

Upload filter technology, in turn, was considered by some as not
sufficiently developed to safeguard users’ rights to upload
works on basis of copyright exemptions such as citation or parody.
Against the background of these discussions, Poland brought an
action for annulment of Art. 17 EU Copyright Directive before the
European Court of Justice (CJEU). Poland argued that Art. 17 EU
Copyright Directive infringed the freedom of expression and
information guaranteed in the Charter of Fundamental Rights of the
European Union.

The CJEU did not follow this argument, concluding instead that
the obligation imposed on online content-sharing service providers
to review (prior to its dissemination to the public) the content
that users wish to upload to their platforms, has been accompanied
by appropriate safeguards implemented by the EU legislature to
ensure compliance with the Charter of Fundamental Rights. The CJEU
explained that Art. 17 strikes a fair balance between fundamental
rights of the services’ users on the one hand and the
creators’ intellectual property rights on the other.

While not spelling out in detail how upload filter technology
needs to be programmed or how Member States should transpose this
requirement, there are some valuable takeaways.

  • Firstly, Member States can legitimately request the use of
    upload filter technology as long as they take great care that
    safeguards that protect users’ rights are included.
  • Secondly, the court states that, in some cases, implementation
    of content recognition technology will be the only way to comply
    with Art. 17 EU Copyright Directive.
  • Thirdly, the CJEU nevertheless clarifies that OCSSPs cannot be
    required to preventively block the upload to content where its
    lawfulness would require an independent assessment by the OCSSP
    considering the information provided by the rights-holders and
    existing copyright exemptions. This strengthens OCSSPs’
    positions by placing an additional burden on rights-holders to
    provide extensive information on their works to the providers.

What’s Next?

The decision will likely impact the national transpositions of
Member States for the EU Copyright Directive. Even though the
transposition deadline passed in June 2021, many Member States are
still in the process of implementing Art. 17 of EU Copyright
Directive into their national laws.

15. EU Telecoms Regulation: German enforcement measures against
“zero-rating” offerings

In response to a series of judgments by the European Court of
Justice (CJEU) from 2021, in April 2022 the German telecoms
regulator Bundesnetzagentur (BNetzA) banned the zero-rating
offerings of Germany’s top two mobile phone service
providers.

“Zero-rating” regimes are implemented in mobile
service contracts with limited data volumes. They allow users to
use certain predefined online services, e.g.,
social-media, without consuming their data volume.

In earlier decisions, BNetzA found that the relevant zero-rating
programs generally comply with the EU Open Internet Regulation
(Regulation 2015/2021 of 25 November 2015). BNetzA relied on the
guidelines on implementation of the Open Internet Regulation by the
Body of European Regulators for Electronic Communications (BEREC)
in force at the time, which generally consider zero-rating programs
to be permissible, subject to certain conditions.

In 2021, however, the CJEU ruled not only that the specific
programs that were subject of the proceedings are incompatible with
the net neutrality principles as laid down in the EU Open Internet
Regulation, but also that the entire concept of zero-rating
violates the Regulation’s principles on equal treatment of data
traffic. This led to the BNetzA ruling, but also resulted in BEREC
revising its guidelines on implementation of the Open Internet
Regulation. The new guidelines, published on June 9, 2022, now
clarify that all differentiated pricing practices that are not
application-agnostic are inadmissible. This includes zero-rating
programs.

What’s Next?

German affected mobile phone service providers have until 31
March 2023 to adjust to the BNetzA’s decision. Until then, all
existing and yet to be concluded contracts with a zero-rating
component can be continued. The German providers will most likely
not be the last ones affected by the ruling of the CJEU. Due to the
new guidelines of the BEREC, bans of zero-rating tariffs by the
other EU telecom regulators can be widely expected. This will not
only impact relevant mobile phone providers, but also any content
providers that currently benefit from zero-rating programs across
the EU.

We are grateful to the following members
of MoFo’s European Digital Regulatory Compliance team for their
contributions: Femi Omisore.

Because of the generality of this update, the information
provided herein may not be applicable in all situations and should
not be acted upon without specific legal advice based on particular
situations.

© Morrison & Foerster LLP. All rights reserved

Comments are closed.