EU advocate general Collins has reiterated that individuals’ right to claim compensation for harm caused by GDPR breaches requires proof of “actual damage suffered” as a result of the breach, and “clear and precise evidence” of such damage – mere hypothetical harms or discomfort are insufficient. The advocate general also found that unauthorised access to
On October 3, 2023, an overwhelming majority of the European Parliament (“Parliament”) adopted its position on the EU Media Freedom Act (the “Act”), introducing a number of amendments to the text of the Act as proposed by the European Commission (the “Commission”).
The Commission’s proposal for a Regulation establishing a common framework for media services in the internal market (European Media Freedom Act) and amending Directive 2010/13/EU, published on September 16, 2022, aims, inter alia, to safeguard media independence and promote media pluralism across the EU, in addition to establishing specific requirements for Very Large Online Platforms (“VLOPs”) as defined under Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (the Digital Services Act).
This blog post summarizes some of the key developments resulting from Parliament’s proposed amendments in relation to: (i) requirements for VLOPs when removing content of media service providers from their platforms (Article 17); and (ii) the rights of media service providers (Article 4).
Takedown obligations for VLOPs (Article 17)
Building on the Commission’s original proposal, the position adopted by Parliament, if enacted into law, would impose a number of obligations on VLOPs when taking down content found to be in violation of the platform’s own terms and conditions. As a general rule, VLOPs will need to ensure that their content moderation systems do not negatively impact media freedom and pluralism. More specifically, VLOPs must:…
On October 26, 2023, the European Court of Justice (“CJEU”) decided that the GDPR grants a patient the right to obtain a copy of his or her medical record free of charge (case C-307/22, FT v DW). As a result, the CJEU held that a provision under German law that permitted doctors to…
A would-be technical development could have potentially significant consequences for cloud service providers established outside the EU. The proposed EU Cybersecurity Certification Scheme for Cloud Services (EUCS)—which has been developed by the EU cybersecurity agency ENISA over the past two years and is expected to be adopted by the European Commission as an implementing act in Q1 2024—would, if adopted in its current form, establish certain requirements that could:
- exclude non-EU cloud providers from providing certain (“high” level) services to European companies, and
- preclude EU cloud customers from accessing the services of these non-EU providers.
Data Localization and EU Headquarters
The EUCS arises from the EU’s Cybersecurity Act, which called for the creation of an EU-wide security certification scheme for cloud providers, to be developed by ENISA and adopted by the Commission through secondary law (as noted in an earlier blog). After public consultations in 2021, ENISA set up an ad hoc working group tasked with preparing a draft.
France, Italy, and Spain submitted a proposal to the working group advocating to add new criteria to the scheme in order for companies to qualify as eligible to offer services providing the highest level of security. The proposed criteria included localization of cloud services and data within the EU – meaning in essence that providers would need to be headquartered in, and have their cloud services provided from, the EU. Ireland, Sweden and the Netherlands argued that such requirements do not belong in a cybersecurity certification scheme, as requiring cloud providers to be based in Europe reflected political rather than cybersecurity concerns, and therefore proposed that the issue should be discussed by the Council of the EU.…
On August 22, 2023, the Spanish Council of Ministers approved the Statute of the Spanish Agency for the Supervision of Artificial Intelligence (“AESIA”) thus creating the first AI regulatory body in the EU. The AESIA will start operating from December 2023, in anticipation of the upcoming EU AI Act (for a summary of the AI…
The field of artificial intelligence (“AI”) is at a tipping point. Governments and industries are under increasing pressure to forecast and guide the evolution of a technology that promises to transform our economies and societies. In this series, our lawyers and advisors provide an overview of the policy approaches and regulatory frameworks for AI in…
Germany’s hospital system is reported to be of high quality but is also very expensive by international standards. Hospitals and healthcare payers such as health insurances are exposed to increasing economic constraints. One particular point of criticism is, for example, the current system of Diagnosis Related Group (DRG)-based fees.
Patient treatments are compensated based on the DRGs which effectively leads to a lump-sum payment system per diagnosis (with certain exemptions). This system has pros and cons. As a downside, it is reported to create incentives for over-treatments to generate DRG-based fees per patient.
At the same time, many hospitals in Germany are at risk of closure and insolvency due to financial challenges. The German federal states have thus asked the federal government for financial support to finance the restructuring of the hospital system and prevent hospitals from bankruptcy.
German federal and state governments have been discussing an intended hospital reform for months. Provided that no additional money flows into the healthcare system, the principle for this reform is “outpatient care before inpatient care”. The financial volume incentive shall therefore be minimised and a concentration on larger hospitals and medical institutions shall optimise or at least improve the current structures and quality of medical care in Germany. This shall also be accompanied by a reduction of the general number of hospitals in Germany.
On 10 July 2023, the key objectives of the envisaged hospital reform plans (Eckpunktepapier: Krankenhausreform) have been agreed on: (1) Ensuring security of supply (in particular public responsibility for ensuring the provision of healthcare, so-called “Daseinsvorsorge”), (2) securing and increasing the quality of treatment, and (3) reducing bureaucracy. Particularly, this is to be reflected in the following key measures:…
In a new strategy published on July 11, the European Commission has identified Web 4.0 and virtual worlds—often also referred to as the metaverse—as having the potential to transform the ways in which EU citizens live, work and interact. The EU’s strategy consists of ten action points addressing four themes drawn from the Digital Decade policy programme and the Commission’s Connectivity package: (1) People and Skills; (2) Business; (3) Government (i.e., public services and projects); and (4) Governance.
The European Commission’s strategy indicates that it is unlikely to propose new regulation in the short to medium-term: indeed, European Competition Commissioner Margarethe Vestager has recently warned against jumping to regulation of virtual worlds as the “first sort of safety pad.” Instead, the Commission views its framework of current and upcoming digital technology-related legislation (including the GDPR, the Digital Services Act, the Digital Markets Act and the proposed Markets in Crypto-Assets Regulation) to be applicable to Web 4.0 and virtual worlds in a “robust” and “future-oriented” manner.
What Are Virtual Worlds and Web 4.0?
The Commission defines virtual worlds as being “persistent, immersive environments, based on technologies including 3D and extended reality (XR), which make it possible to blend physical and digital worlds in realtime, for a variety of purposes.” It considers Web 4.0 to be the “fourth generation of the World Wide Web,” which will feature “advanced artificial and ambient intelligence, the internet of things, trusted blockchain transactions, virtual worlds and XR capabilities.” These will enable digital and real objects to integrate and communicate with each other to “seamlessly blen[d] the physical and digital worlds.” According to Internal Market Commissioner Thierry Breton, the EU will “connect virtual world developers with industry users, invest in the uptake and scale-up of new technologies, and give people the tools and the skills to safely and confidently use virtual worlds.” The EU is keen to ensure that it establishes itself as a leader in Web 4.0 and virtual worlds, and that the emerging metaverse reflects EU values, principles, and fundamental rights. The strategy is the latest in a series of metaverse-related EU initiatives and announcements.…
Two speeches by the EU Commission President, Ursula Von de Leyen in March and April 2023, set out the EU’s policy towards China. In late April, the UK Foreign Secretary set out the UK’s emerging strategy and on the same day earlier this month, a UK Government Committee released a report which heavily criticized the UK’s dealings with China and the German Government released its long-awaited (and much-redrafted) China Strategy.
This blog looks at similarities between the three approaches and what conclusions we might draw about the implications.
EU China Strategy
The EU first labelled China a systemic rival in 2019. Since then, the European Commission has promoted the idea of “de-risking” the bloc’s most sensitive economic sectors to limit their dependence on China.
In a powerful speech in March 2023 Commission President Ursula Von der Leyen set out the need for the EU to develop its China Strategy. The new strategy was needed because of what she described as the hardening of China’s overall strategic posture, matched by human rights abuses at home and an increasingly assertive stance in Asia. She was careful to note that the EU’s position on China would depend on how China interacts with ‘Putin’s war’ and how China meets international human rights obligations. President Von der Leyen labelled as deliberate Chinese policies of disinformation and economic and trade coercion, saying they were used to target ‘countries to ensure they comply and conform’.
The tone of President Von der Leyen’s speech was set against the EU’s assessment that a newly assertive China was moving from an era of ‘reform and opening’ to one of ‘security and control’ whose purpose was ‘a systemic change of the international order [to place] China at its centre’. In her speech, The Commission President noted that ‘all companies in China…are…obliged … to assist state intelligence-gathering operations and to keep it secret’. President Von der Leyen concluded that Chinese focus on military, tech and economic security would increasingly trump the appeal of free markets and open trade.
However, President Von de Leyen made clear that the EU did not seek to ‘cut economic, societal, political or scientific ties’, but rather to ‘rebalance the relationship on the basis of transparency, predictability and reciprocity.’ Using language reminiscent of President Macron’s call for the EU to seek greater ‘strategic autonomy’, President Von der Leyen argued that the new relationship would require the EU’s economy and industry to be more competitive and resilient in the cyber and maritime, space and digital, defence, innovation, health, digital and clean-tech sectors. President Von der Leyen pointed to the Net-Zero Industry and the Critical Raw Materials Acts as examples of the EU’s determination to respond to Chinese domination of these critical sectors.…
On July 10, 2023, the European Commission adopted its adequacy decision on the EU-U.S. Data Privacy Framework (“DPF”). The decision, which took effect on the day of its adoption, concludes that the United States ensures an adequate level of protection for personal data transferred from the EEA to companies certified to the DPF. This blog post summarizes the key findings of the decision, what organizations wishing to certify to the DPF need to do and the process for certifying, as well as the impact on other transfer mechanisms such as the standard contractual clauses (“SCCs”), and on transfers from the UK and Switzerland.
The Commission’s adoption of the adequacy decision follows three key recent developments:
- the endorsement of the draft decision by a committee of EU Member State representatives;
- the designation by the U.S. Department of Justice of the European Union and Iceland, Liechtenstein, and Norway (which together with the EU form the EEA) as “qualifying states,” for the purposes of President Biden’s Executive Order 14086 on Enhancing Safeguards for U.S. Signals Intelligence Activities (“EO 14086”). This designation enables EU data subjects to submit complaints concerning alleged violations of U.S. law governing signals intelligence activities to the redress mechanism set forth in the Executive Order and implementing regulations (see our previous blog post here); and
- updates to the U.S. Intelligence Community’s policies and procedures to implement the safeguards established under EO 14086, announced by the U.S. Office of Director of National Intelligence on July 3, 2023.
The final adequacy decision, which largely corresponds to the Commission’s draft decision (see our prior blog post here), concludes “the United States … ensures a level of protection for personal data transferred from the Union to certified organisations in the United States under the EU-U.S. Data Privacy Framework that is essentially equivalent to the one guaranteed by [the GDPR]” (para. 201).
Key Findings of the Decision
In reaching the final decision, the Commission confirms a few key points:…