Germany Transposes NIS 2 Directive – Increased Cybersecurity Requirements for Businesses
On 5 December 2025, the Act Transposing the NIS 2 Directive and Regulating Key Aspects of Information Security Management in the Federal Administration (Gesetz zur Umsetzung der NIS-2-Richtlinie und zur Regelung wesentlicher Grundzüge des Informationssicherheitsmanagements in der Bundesverwaltung, “NIS2UmsG”) (see here, in German only) became binding in Germany. According to the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, “BSI”) (see here, in German only), roughly 29,500 companies will have to comply with the increased cybersecurity requirements adopted by the NIS2UmsG.
Moritz Hüsch
Moritz Hüsch is a partner in Covington’s Frankfurt office and co-chair of Covington’s Technology Industry Group as well as the Artificial Intelligence (AI) and Internet of Things (IoT) Practice Groups. His practice focuses on complex technology- and data-driven licensing deals and cooperations, outsourcing, commercial contracts, e-commerce, m-commerce, as well as privacy and cybersecurity.
Moritz regularly advises on issues and contracts with respect to IoT, AV, big data, digital health, and cloud-related subject matters. In addition, he regularly advises on all IP/IT-related questions in connection with M&A transactions. A particular focus of Moritz's practice is on advising companies in the pharmaceutical, life sciences and healthcare sectors, where he regularly advises on complex licensing, data protection and IT law issues.
Moritz is regularly listed as one of the best lawyers in the areas of IP, IT, and data protection, among others, by Chambers, Legal 500, Best Lawyers in cooperation with Handelsblatt, and Wirtschaftswoche.
Digital Fairness Act Series — Topic 4: Digital Subscriptions
Digital contracts and subscriptions have significantly increased, with the subscription economy tripling since 2017, according to the European Commission’s Digital Fairness Act Fitness Check. However, the Fitness Check points out that the number of issues with digital subscriptions, such as difficult cancellations, automatic renewals without reminders, and unclear subscription terms, has also increased. The Commission proposes to tackle these issues in its proposed Digital Fairness Act (“DFA”), which recently entered its consultation phase (see our blog post here).
This post briefly highlights certain issues with digital subscriptions identified in the Fitness Check, outlines how these issues are currently regulated in the EU, and considers the Fitness Check’s proposals to address these issues. It is the fourth post in our series on the upcoming DFA – previous posts covered influencer marketing, AI chatbots in consumer interactions, and personalised advertising and pricing.
Covington Robotics Forum Spotlight – Enhanced Autonomy: Strategies to Navigate New Regulations, Risks & Opportunities
On May 14, 2025, Covington convened experts across our practice groups for the Fourth Annual Covington Robotics Forum to explore the legal and regulatory risks and opportunities impacting robotics, AI, and connected devices. Eight Covington attorneys discussed global forecasts relevant to these spaces in a highly concentrated 90-minute session, culminating in an Industry Spotlight moderated by Covington partner Nick Evoy featuring Casey Campbell, Deputy General Counsel and Chief Intellectual Property Counsel at Figure AI. Highlights from the Forum are captured below.
AI & Robotics in the Workplace
Covington attorneys Carolyn Rashby and Anna Oberschelp de Meneses addressed key considerations for companies implementing AI tools. In the U.S., though no federal laws specifically address robotics or the use of AI in employment, employers must still comply with preexisting federal laws, like Title VII and FCRA. Conversely, various states and localities are creating legislation specifically aimed at these topics, such as New York City’s Local Law 144, which regulates employer usage of automated employment decision tools. Similarly, a patchwork of rules exists in the EU, requiring companies to monitor both EU-level regulations and directives, as well as member state-specific laws. Recommended best practices for employers seeking to utilize AI tools and robotics in the workplace include reviewing for, and mitigating potential bias in, AI vendors and tools, maintaining human oversight, and instituting ongoing training and compliance measures.
Product Safety, Product Liability & Risks
Covington attorneys Joshua González and Daniel Auten addressed key considerations for product safety and product liability in robotics. They identified robotics and AI as some of the most actively transforming spaces within product liability law today, highlighting a recent case which found that both a manufacturer of a robotics device and the software developer could be subject to product liability claims. Key defenses in robotics-related product liability suits may include asserting federal or state preemption, arguing for lack of proximate causation, and importantly, pre-planned contractual defenses and indemnifications. On the regulatory side, the CPSC and NHTSA have hosted a number of information gathering meetings on robotics, and will likely continue to issue relevant reports and monitor industry standards. Recommendations for companies in this space include developing strategies for eventual regulatory engagement, monitoring any enforcement activities, and staying abreast of regulatory obligations, such as reporting requirements.
German SA Checks Whether Online Retailers Allow Consumers to Make Purchases Without Creating an Account
In January 2025, the German Supervisory Authority of Hamburg (“HSA”) examined the practices of online retailers based in Hamburg as to whether they allowed consumers to make purchases without creating a user account. This was mentioned in a press release issued by the HSA regarding a ruling by the Hamburg Higher Regional Court confirming an HSA decision that online retailers may, in certain circumstances, require consumers to create a user account. This, in turn, follows the guidance published by the German supervisory authorities (“German SAs”) in 2022 (in German), which stated that online retailers generally may not require consumers to create a user account in order to make a purchase.
Background: German SAs’ Guidance
According to the German SAs, there may be practical reasons for consumers to create an account for online purchases (e.g., to keep relevant information for future purchases), but it cannot be assumed that they are always interested in doing so. Therefore, consumers should be able to shop online without creating an account.
With respect to the processing of the consumer’s account information (e.g., username, password, order history), the German SAs take the view that the creation of an account is generally not necessary for the performance of the purchase contract so that the online retailer generally may not rely on this legal basis (Article 6(1)(b) GDPR). However, the German SAs also recognized that there may be situations where online retailers may require consumers to create an account, for example, specialized dealers for certain professional groups. In any case, the online retailer must limit the processing of the personal data to the extent necessary in order to comply with the data minimization principle (Article 5 (2) (c) GDPR). For example, if a consumer chooses not to create an account, the online retailer should only collect and further process the data necessary to fulfill the order and should delete the data after that fulfillment, unless the online retailer is required by law to archive the data.
In the absence of “contractual performance” as a legal basis (see above), the online retailer requires the consumer’s consent (Article 6(1)(a) GDPR) for the processing of his or her data in connection with the creation of an account, according to the German SAs. As this consent must be freely given, the consumer should have the choice to make a purchase with or without a user account. Consumers that choose not to create a user account should not suffer any disadvantages; in particular, the online trader should not make it more difficult to place an order or reduce the level of security for the protection of personal data.
For consumers who choose to create an account, online retailers may only use account information (such as order history) for advertising purposes if they obtain separate consent from the consumer. They also need separate consent to retain consumers’ payment information for future purchases.
European Commission Publishes Automotive Industrial Action Plan
On March 5, 2025, the European Commission published the Industrial Action Plan for the European Automotive Sector. This plan outlines measures to strengthen the competitiveness of the European automotive industry and to accelerate the transition to zero-emission mobility in the EU. This plan is the result of the “Strategic Dialogue” that has been taking place in Brussels in the last month between vehicle manufacturers in the EU and EU officials. The plan announces a catalogue of initiatives to be adopted by the Commission, but the expected timelines and the interplay between different initiatives are not always clear. This blog summarizes some of the initiatives likely to be relevant to stakeholders in the EU automotive industry—particularly those in the electric vehicle (“EV”) supply chain.
Covington’s Fifth Annual Technology Forum – Looking Ahead: New Legal Frontiers for the Tech Industry
Technology companies are grappling with unprecedented changes that promise to accelerate exponentially in the challenging period ahead. We invite you to join Covington experts and invited presenters from around the world to explore the key issues faced by businesses developing or deploying cutting-edge technologies. These highly concentrated sessions are packed…
Inside Privacy Audiocast: Episode 18 – Recent Developments in GDPR Enforcement
On Episode 18 of Covington’s Inside Privacy Audiocast, Dan Cooper, Moritz Hüsch, Kristof van Quathem, and Petros Vinis discuss GDPR enforcement, and the evolution of regulatory fines since the GDPR was enacted in 2018.
Covington’s Inside Privacy Audiocast offers insights into topical global privacy issues and
…