Photo of Lisa Peets

Lisa Peets

Lisa Peets is co-chair of the firm's Technology and Communications Regulation Practice Group and a member of the firm's global Management Committee. Lisa divides her time between London and Brussels, and her practice encompasses regulatory compliance and investigations alongside legislative advocacy. For more than two decades, she has worked closely with many of the world's best-known technology companies.

Lisa counsels clients on a range of EU and UK legal frameworks affecting technology providers, including data protection, content moderation, artificial intelligence, platform regulation, copyright, e-commerce and consumer protection, and the rapidly expanding universe of additional rules applicable to technology, data and online services.

Lisa also supports Covington’s disputes team in litigation involving technology providers.

According to Chambers UK (2024 edition), "Lisa provides an excellent service and familiarity with client needs."

June 18, 2024, Covington Alert

On June 12, 2024, the U.S. Department of the Treasury, Office of Foreign Assets Control (“OFAC”) and the U.S. Commerce Department, Bureau of Industry and Security (“BIS”) issued additional measures to counter Russia’s continued aggression in Ukraine. The measures, announced in advance of the G7 summit in Italy last week, are intended to “continue to drive up costs for the Russian war machine.”

The actions taken by OFAC and BIS include new prohibitions on providing certain information technology- and software-related services to persons located in Russia, establishing additional sanctions designed to target the Russian financial infrastructure, strengthening secondary sanctions that can be applied to non-U.S. persons (including in particular non-U.S. financial institutions), and expanding export controls restrictions on items destined for Russia and Belarus (including with respect to certain types of software). Along with the new rules, OFAC designated for property-blocking sanctions more than 300 individuals and entities (including parties identified for sanctions by the U.S. State Department), while BIS used its authority to make additions to the Entity List, issue Temporary Denial Orders, and notify U.S. distributors of additional restrictions on shipments to parties known to be supplying items to Russia. Significantly, BIS altered its Entity List rules to permit certain address-only designations to the Entity List and, among other designations, added to the Entity List eight addresses in Hong Kong with a high diversion risk. Exports, reexports, or transfers of certain items subject to the Export Administration Regulations (“EAR”) to purchasers, intermediate or ultimate consignees, and end ­users who use those addresses generally will require authorization from BIS.

Separately, on June 13, 2024, the UK Government imposed a new round of asset-freezing sanctions on a number of notable Russian entities. The European Union is also considering a 14th package of sanctions measures relating to Russia, although as of this writing the EU has not yet enacted the new package.

New U.S. Sanctions

Prohibition on Certain Information Technology and Software Services

As part of the joint actions, OFAC issued a determination pursuant to the authority of Executive Order 14071 (the “IT and Software Services Determination”) that prohibits the exportation, reexportation, sale, or supply, directly or indirectly, from the United States, or by a U.S. person, wherever located, of (i) information technology (“IT”) consultancy and design services, and (ii) IT support services and cloud-based services for enterprise management software and design and manufacturing software (collectively, “Covered Software”) to any person located in the Russian Federation, unless licensed or otherwise authorized by OFAC. The IT and Software Services Determination is effective beginning at 12:01 eastern daylight time on September 12, 2024. “U.S. persons” include U.S. legal entities and their non-U.S. branches; U.S. citizens and lawful permanent residents, no matter where located or employed; and persons present in the United States.Continue Reading U.S. Government Issues New U.S. Sanctions and Export Controls Targeting Russia and Belarus for Continued Aggression Against Ukraine; Update on European Sanctions Developments

Although the final text of the EU AI Act should enter into force in the next few months, many of its obligations will only start to apply two or more years after that (for further details, see our earlier blog here). To address this gap, the Commission is encouraging

Continue Reading European Commission Calls on Industry to Commit to the AI Pact in the Run-Up to the European Elections

Earlier this week, Members of the European Parliament (MEPs) cast their votes in favor of the much-anticipated AI Act. With 523 votes in favor, 46 votes against, and 49 abstentions, the vote is a culmination of an effort that began in April 2021, when the EU Commission first published its 

Continue Reading EU Parliament Adopts AI Act

From February 17, 2024, the Digital Services Act (“DSA”) will apply to providers of intermediary services (e.g., cloud services, file-sharing services, search engines, social networks and online marketplaces). These entities will be required to comply with a number of obligations, including implementing notice-and-action mechanisms, complying with detailed rules on terms and conditions, and publishing transparency reports on content moderation practices, among others. For more information on the DSA, see our previous blog posts here and here.

As part of its powers conferred under the DSA, the European Commission is empowered to adopt delegated and implementing acts* on certain aspects of implementation and enforcement of the DSA. In 2023, the Commission adopted one delegated act on supervisory fees to be paid by very large online platforms and very large online search engines (“VLOPs” and “VLOSEs” respectively), and one implementing act on procedural matters relating to the Commission’s enforcement powers. The Commission has proposed several other delegated and implementing acts, which we set out below. The consultation period for these draft acts have now passed, and we anticipate that they will be adopted in the coming months.

Pending Delegated Acts

  • Draft Delegated Act on Conducting Independent Audits. This draft delegated act defines the steps that designated VLOPs and VLOSEs will need to follow to verify the independence of the auditors, particularly setting the rules for the procedures, methodology and templates used. According to the draft delegated act, designated VLOPS and VLOSEs should be subject to their first audit at the latest 16 months after their designation. The consultation period for this draft delegated act ended on June 2, 2023.
  • Draft Delegated Act on Data Access for Research. This draft delegated act specifies the conditions under which vetted researchers may access data from VLOPs and VLOSEs. The consultation period for this draft delegated act ended on May 31, 2023.

Continue Reading Draft Delegated and Implementing Acts Pursuant to the Digital Services Act

A would-be technical development could have potentially significant consequences for cloud service providers established outside the EU. The proposed EU Cybersecurity Certification Scheme for Cloud Services (EUCS)—which has been developed by the EU cybersecurity agency ENISA over the past two years and is expected to be adopted by the European Commission as an implementing act in Q1 2024—would, if adopted in its current form, establish certain requirements that could:

  1. exclude non-EU cloud providers from providing certain (“high” level) services to European companies, and
  2. preclude EU cloud customers from accessing the services of these non-EU providers.

Data Localization and EU Headquarters

The EUCS arises from the EU’s Cybersecurity Act, which called for the creation of an EU-wide security certification scheme for cloud providers, to be developed by ENISA and adopted by the Commission through secondary law (as noted in an earlier blog). After public consultations in 2021, ENISA set up an ad hoc working group tasked with preparing a draft.

France, Italy, and Spain submitted a proposal to the working group advocating to add new criteria to the scheme in order for companies to qualify as eligible to offer services providing the highest level of security. The proposed criteria included localization of cloud services and data within the EU – meaning in essence that providers would need to be headquartered in, and have their cloud services provided from, the EU. Ireland, Sweden and the Netherlands argued that such requirements do not belong in a cybersecurity certification scheme, as requiring cloud providers to be based in Europe reflected political rather than cybersecurity concerns, and therefore proposed that the issue should be discussed by the Council of the EU.Continue Reading Implications of the EU Cybersecurity Scheme for Cloud Services

In a new strategy published on July 11, the European Commission has identified Web 4.0 and virtual worlds—often also referred to as the metaverse—as having the potential to transform the ways in which EU citizens live, work and interact.  The EU’s strategy consists of ten action points addressing four themes drawn from the Digital Decade policy programme and the Commission’s Connectivity package: (1) People and Skills; (2) Business; (3) Government (i.e., public services and projects); and (4) Governance.

The European Commission’s strategy indicates that it is unlikely to propose new regulation in the short to medium-term: indeed, European Competition Commissioner Margarethe Vestager has recently warned against jumping to regulation of virtual worlds as the “first sort of safety pad.” Instead, the Commission views its framework of current and upcoming digital technology-related legislation (including the GDPR, the Digital Services Act, the Digital Markets Act and the proposed Markets in Crypto-Assets Regulation) to be applicable to Web 4.0 and virtual worlds in a “robust” and “future-oriented” manner. 

What Are Virtual Worlds and Web 4.0?

The Commission defines virtual worlds as being “persistent, immersive environments, based on technologies including 3D and extended reality (XR), which make it possible to blend physical and digital worlds in realtime, for a variety of purposes.”  It considers Web 4.0 to be the “fourth generation of the World Wide Web,” which will feature “advanced artificial and ambient intelligence, the internet of things, trusted blockchain transactions, virtual worlds and XR capabilities.”  These will enable digital and real objects to integrate and communicate with each other to “seamlessly blen[d] the physical and digital worlds.”  According to Internal Market Commissioner Thierry Breton, the EU will “connect virtual world developers with industry users, invest in the uptake and scale-up of new technologies, and give people the tools and the skills to safely and confidently use virtual worlds.”  The EU is keen to ensure that it establishes itself as a leader in Web 4.0 and virtual worlds, and that the emerging metaverse reflects EU values, principles, and fundamental rights. The strategy is the latest in a series of metaverse-related EU initiatives and announcements.Continue Reading European Commission Publishes New Strategy on Virtual Worlds

Late yesterday, the EU institutions reached political agreement on the European Data Act (see the European Commission’s press release here and the Council’s press release here).  The proposal for a Data Act was first tabled by the European Commission in February 2022 as a key piece of the European

Continue Reading Political Agreement Reached on the European Data Act

On 31 May 2023, at the close of the fourth meeting of the US-EU Trade & Tech Council (“TTC”), Margrethe Vestager – the European Union’s Executive Vice President, responsible for competition and digital strategy – announced that the EU and US are working together to develop a voluntary AI Code

Continue Reading EU and US Lawmakers Agree to Draft AI Code of Conduct

On 11 May 2023, members of the European Parliament’s internal market (IMCO) and civil liberties (LIBE) committees agreed their final text on the EU’s proposed AI Act. After MEPs formalize their position through a plenary vote (expected this summer), the AI Act will enter the last stage of the legislative

Continue Reading EU Parliament’s AI Act Proposals Introduce New Obligations for Foundation Models and Generative AI

On June 23, 2022, the UK introduced a series of further trade restrictions in relation to Russia, including in connection with certain security-related goods and technology, iron and steel products, communications interception and monitoring services, jet fuel and fuel additives, UK or EU currency banknotes and a broad category of “revenue generating goods” which includes a range of items used by various industries. The UK supplemented these measures with additional asset-freezing sanctions on June 29.

This alert summarizes these new sanctions measures and touches upon further recent UK sanctions developments, including proposals for further restrictions on the import of gold into the UK and Russian access to UK trusts services.

New Trade Restrictions

The Russia (Sanctions) (EU Exit) (Amendment) (No. 10) Regulations 2022 further amended the UK’s Russia sanctions Regulations (the “UK-Russia Regulations”) to introduce the new trade restrictions outlined, which came into force on June 23, 2022.Continue Reading UK Introduces Further Sanctions Measures Relating to Russia