Photo of Lisa Peets

Lisa Peets

Lisa Peets leads the Technology Regulatory and Policy practice in the London office and is a member of the firm's Management Committee. Lisa divides her time between London and Brussels, and her practice embraces regulatory counsel and legislative advocacy. In this context, she has worked closely with leading multinationals in a number of sectors, including many of the world’s best-known technology companies.

Lisa counsels clients on a range of EU law issues, including data protection and related regimes, copyright, e-commerce and consumer protection, and the rapidly expanding universe of EU rules applicable to existing and emerging technologies. Lisa also routinely advises clients in and outside of the technology sector on trade related matters, including EU trade controls rules.

According to the latest edition of Chambers UK (2022), "Lisa is able to make an incredibly quick legal assessment whereby she perfectly distils the essential matters from the less relevant elements." "Lisa has subject matter expertise but is also able to think like a generalist and prioritise. She brings a strategic lens to matters."

Earlier this week, Members of the European Parliament (MEPs) cast their votes in favor of the much-anticipated AI Act. With 523 votes in favor, 46 votes against, and 49 abstentions, the vote is a culmination of an effort that began in April 2021, when the EU Commission first published its proposal for the Act.

Here’s

From February 17, 2024, the Digital Services Act (“DSA”) will apply to providers of intermediary services (e.g., cloud services, file-sharing services, search engines, social networks and online marketplaces). These entities will be required to comply with a number of obligations, including implementing notice-and-action mechanisms, complying with detailed rules on terms and conditions, and publishing transparency reports on content moderation practices, among others. For more information on the DSA, see our previous blog posts here and here.

As part of its powers conferred under the DSA, the European Commission is empowered to adopt delegated and implementing acts* on certain aspects of implementation and enforcement of the DSA. In 2023, the Commission adopted one delegated act on supervisory fees to be paid by very large online platforms and very large online search engines (“VLOPs” and “VLOSEs” respectively), and one implementing act on procedural matters relating to the Commission’s enforcement powers. The Commission has proposed several other delegated and implementing acts, which we set out below. The consultation period for these draft acts have now passed, and we anticipate that they will be adopted in the coming months.

Pending Delegated Acts

  • Draft Delegated Act on Conducting Independent Audits. This draft delegated act defines the steps that designated VLOPs and VLOSEs will need to follow to verify the independence of the auditors, particularly setting the rules for the procedures, methodology and templates used. According to the draft delegated act, designated VLOPS and VLOSEs should be subject to their first audit at the latest 16 months after their designation. The consultation period for this draft delegated act ended on June 2, 2023.
  • Draft Delegated Act on Data Access for Research. This draft delegated act specifies the conditions under which vetted researchers may access data from VLOPs and VLOSEs. The consultation period for this draft delegated act ended on May 31, 2023.

Continue Reading Draft Delegated and Implementing Acts Pursuant to the Digital Services Act

A would-be technical development could have potentially significant consequences for cloud service providers established outside the EU. The proposed EU Cybersecurity Certification Scheme for Cloud Services (EUCS)—which has been developed by the EU cybersecurity agency ENISA over the past two years and is expected to be adopted by the European Commission as an implementing act in Q1 2024—would, if adopted in its current form, establish certain requirements that could:

  1. exclude non-EU cloud providers from providing certain (“high” level) services to European companies, and
  2. preclude EU cloud customers from accessing the services of these non-EU providers.

Data Localization and EU Headquarters

The EUCS arises from the EU’s Cybersecurity Act, which called for the creation of an EU-wide security certification scheme for cloud providers, to be developed by ENISA and adopted by the Commission through secondary law (as noted in an earlier blog). After public consultations in 2021, ENISA set up an ad hoc working group tasked with preparing a draft.

France, Italy, and Spain submitted a proposal to the working group advocating to add new criteria to the scheme in order for companies to qualify as eligible to offer services providing the highest level of security. The proposed criteria included localization of cloud services and data within the EU – meaning in essence that providers would need to be headquartered in, and have their cloud services provided from, the EU. Ireland, Sweden and the Netherlands argued that such requirements do not belong in a cybersecurity certification scheme, as requiring cloud providers to be based in Europe reflected political rather than cybersecurity concerns, and therefore proposed that the issue should be discussed by the Council of the EU.Continue Reading Implications of the EU Cybersecurity Scheme for Cloud Services

In a new strategy published on July 11, the European Commission has identified Web 4.0 and virtual worlds—often also referred to as the metaverse—as having the potential to transform the ways in which EU citizens live, work and interact.  The EU’s strategy consists of ten action points addressing four themes drawn from the Digital Decade policy programme and the Commission’s Connectivity package: (1) People and Skills; (2) Business; (3) Government (i.e., public services and projects); and (4) Governance.

The European Commission’s strategy indicates that it is unlikely to propose new regulation in the short to medium-term: indeed, European Competition Commissioner Margarethe Vestager has recently warned against jumping to regulation of virtual worlds as the “first sort of safety pad.” Instead, the Commission views its framework of current and upcoming digital technology-related legislation (including the GDPR, the Digital Services Act, the Digital Markets Act and the proposed Markets in Crypto-Assets Regulation) to be applicable to Web 4.0 and virtual worlds in a “robust” and “future-oriented” manner. 

What Are Virtual Worlds and Web 4.0?

The Commission defines virtual worlds as being “persistent, immersive environments, based on technologies including 3D and extended reality (XR), which make it possible to blend physical and digital worlds in realtime, for a variety of purposes.”  It considers Web 4.0 to be the “fourth generation of the World Wide Web,” which will feature “advanced artificial and ambient intelligence, the internet of things, trusted blockchain transactions, virtual worlds and XR capabilities.”  These will enable digital and real objects to integrate and communicate with each other to “seamlessly blen[d] the physical and digital worlds.”  According to Internal Market Commissioner Thierry Breton, the EU will “connect virtual world developers with industry users, invest in the uptake and scale-up of new technologies, and give people the tools and the skills to safely and confidently use virtual worlds.”  The EU is keen to ensure that it establishes itself as a leader in Web 4.0 and virtual worlds, and that the emerging metaverse reflects EU values, principles, and fundamental rights. The strategy is the latest in a series of metaverse-related EU initiatives and announcements.Continue Reading European Commission Publishes New Strategy on Virtual Worlds

Late yesterday, the EU institutions reached political agreement on the European Data Act (see the European Commission’s press release here and the Council’s press release here).  The proposal for a Data Act was first tabled by the European Commission in February 2022 as a key piece of the European Strategy for Data (see our

On 31 May 2023, at the close of the fourth meeting of the US-EU Trade & Tech Council (“TTC”), Margrethe Vestager – the European Union’s Executive Vice President, responsible for competition and digital strategy – announced that the EU and US are working together to develop a voluntary AI Code of Conduct in advance of

On 11 May 2023, members of the European Parliament’s internal market (IMCO) and civil liberties (LIBE) committees agreed their final text on the EU’s proposed AI Act. After MEPs formalize their position through a plenary vote (expected this summer), the AI Act will enter the last stage of the legislative process: “trilogue” negotiations with the

On June 23, 2022, the UK introduced a series of further trade restrictions in relation to Russia, including in connection with certain security-related goods and technology, iron and steel products, communications interception and monitoring services, jet fuel and fuel additives, UK or EU currency banknotes and a broad category of “revenue generating goods” which includes a range of items used by various industries. The UK supplemented these measures with additional asset-freezing sanctions on June 29.

This alert summarizes these new sanctions measures and touches upon further recent UK sanctions developments, including proposals for further restrictions on the import of gold into the UK and Russian access to UK trusts services.

New Trade Restrictions

The Russia (Sanctions) (EU Exit) (Amendment) (No. 10) Regulations 2022 further amended the UK’s Russia sanctions Regulations (the “UK-Russia Regulations”) to introduce the new trade restrictions outlined, which came into force on June 23, 2022.Continue Reading UK Introduces Further Sanctions Measures Relating to Russia

On June 6 and June 9, 2022, the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) issued additional guidance on the sanctions that prohibit U.S. persons from making a “new investment” in Russia and from providing accounting, trust and corporate formation, and management consulting services to any person located in Russia.

Separately, from June 15, 2022, the UK Office of Financial Sanctions Implementation (“OFSI”) gained new powers to impose financial penalties for breaches of UK sanctions regulations (including, but not limited to, the UK sanctions regulations with respect to Russia) on a strict liability basis and to publish reports of cases where it is satisfied that a breach of financial sanctions has occurred but where no penalty is imposed.

This alert summarizes these new sanctions developments.

New U.S. Sanctions Developments

Guidance on the Prohibitions on “New Investment” by U.S. Persons in Russia

On June 6, 2022, OFAC issued guidance in the form of responses to new frequently asked questions (“FAQs”) to clarify certain aspects of the prohibitions on “new investment” in Russia by U.S. persons that were imposed under the following executive orders (“E.O.s”):

  • E.O. 14066, issued on March 8, 2022 (prohibiting new investment by U.S. persons in the energy sector of the Russian Federation, as described in our March 10 alert); 
  • E.O. 14068, issued on March 11, 2022 (prohibiting new investment by U.S. persons in any sector of the Russian Federation economy as may be determined by the Secretary of the Treasury, in consultation with the Secretary of State); and 
  • E.O. 14071, issued on April 6, 2022 (prohibiting “all new investment in the Russian Federation by U.S. persons, wherever located” as well as “any approval, financing, facilitation, or guarantee by a U.S. person, wherever located, of a transaction by a foreign person where the transaction by that foreign person would be prohibited by E.O. 14071 if performed by a U.S. person or within the United States,” as described in our April 11 alert.

Continue Reading Recent Developments in U.S. and UK Sanctions: OFAC Guidance on “New Investment” and Prohibition on the Provision of Certain Services to Any Person in Russia; UK Sanctions Enforcement Developments

On May 10, 2022, Prince Charles announced in the Queen’s Speech that the UK Government’s proposed Online Safety Bill (the “OSB”) will proceed through Parliament. The OSB is currently at committee stage in the House of Commons. Since it was first announced in December 2020, the OSB has been the subject of intense debate and scrutiny on the balance it seeks to strike between online safety and protecting children on the one hand, and freedom of expression and privacy on the other.

To what services does the OSB apply?

The OSB applies to “user-to-user” (“U2U”) services—essentially, services through which users can share content online, such as social media and online messaging services—and “search” services. The OSB specifically excludes  email services, SMS, “internal business services,” and services where the communications functionality is limited (e.g., to posting comments relating to content produced by the provider of the service). The OSB also excludes “one-to-one live aural communications”—suggesting that one-to-one over-the-top (“OTT”) calls are excluded, but that one-to-many OTT calls, or video calls, may fall within scope.Continue Reading Online Safety Bill to Proceed Through Parliament