EU Law and Regulatory

On 16 January 2025, the European Data Protection Board (“EDPB”) published a position paper, as it had announced last year, on the “interplay between data protection and competition law” (“Position Paper”).

In this blogpost, we outline the EDPB’s position on cooperation between EU data protection authorities (“DPAs”) and competition authorities (“CAs”) in the context of certain key issues at the intersection of data protection and competition law.

Key takeaways

  1. In the interest of coherent regulatory outcomes, the EDPB advocates for increased cooperation between DPAs and CAs.
  2. The Position Paper offers practical suggestions to that end, such as fostering closer personal relationships, mutual understanding, and a shared sense of purpose, as well as more structured mechanisms for regulatory cooperation.
  3. The EDPB is mindful of the Digital Markets Act’s (“DMA”) significance in addressing data protection and competition law risks.

Summary of the Position Paper

The EDPB first outlines certain overlaps between data protection and competition law (e.g., data serving as a parameter of competition). The EDPB argues that as both legal regimes seek to protect individuals and their choices, albeit in different ways, “strengthening the link” between data protection and competition law can “contribute to the protection of individuals and the well-being of consumers”.

The EDPB takes the view that closer cooperation between DPAs and CAs would therefore benefit individuals (and businesses) by improving the consistency and effectiveness of regulatory actions. Moreover, the EDPB emphasises that, based on the EU principle of “sincere cooperation” between regulatory authorities and pursuant to the European Court of Justice’s ruling in Meta v Bundeskartellamt (2023), cooperation between DPAs and CAs would be “in some cases, mandatory and not optional”.Continue Reading EDPB highlights the importance of cooperation between data protection and competition authorities

On 15 January 2025, the European Commission recommended that EU Member States review outbound investment in three critical technologies—semiconductors, AI, and quantum—with the aim of potentially creating an EUwide regime to regulate such investment. EU Member States should report to the Commission on their findings and risk assessment within 18 months. These findings would inform a future policy proposal, so any introduction of outbound investment rules in the EU is likely to be several years away.

How did we get here?

Outbound investment mechanisms aim to regulate domestic companies making outward investments of capital, expertise, and knowledge that could contribute to the ‘leakage’ of critical and sensitive  technologies to third countries. Outbound investments typically take the form of EU firms purchasing equity in non-EU entities (e.g.  through joint ventures, greenfield investments), but can also take place through less structured arrangements such as R&D cooperation or transfer of employees.

The focus on outbound investment screening has its roots in transatlantic cooperation on China policy, and specifically the desire to minimize Western technology leakage to China. In particular, the U.S. Treasury Department issued new regulation prohibiting or otherwise requiring disclosure of outbound investment—in semiconductors, AI, and quantum—in Chinese entities as well as entities in other jurisdictions that hold certain interests in Chinese companies. The regulations entered into force on 2 January 2025.

Within the EU, outbound investment control was put on agenda with the European Economic Security Strategy and a subsequent white paper on outbound investment. Before then, only a few EU countries, such as Austria and Spain would screen outbound investment, and there had been no EU-wide approach on this topic.

What does it mean?

EU Member States are requested to monitor outbound investments in three critical technologies: semiconductors, AI, and quantum. The original white paper proposal also named biotechnologies amongst suggested critical technologies to be covered by the review, but this has been dropped in the new recommendation. The recommended scope of the monitoring exercise is as follows:Continue Reading Toward EU Outbound Investment Regulation

The new European Commission, which took office in December 2024, will likely rebalance its policy priorities, putting greater emphasis on competitiveness and innovation and less on risk-prevention and regulation. Over the past five years, the EU adopted several sweeping tech regulations, such as the Digital Services Act (DSA), the Digital Markets Act (DMA), and the AI Act. For the next five years, the focus is likely to be on implementing and streamlining these rules, rather than adopting new overarching tech regulatory frameworks. The Commission will also seek to facilitate greater public and private investment in technology, a sector in which the EU has lagged over the past 20 years, as noted by Mario Draghi in his report on Europe’s competitiveness.

Tech Policy Central to the EU

For the 2024-2029 term, Henna Virkkunen has been appointed as the Executive Vice-President (EVP) for Tech Sovereignty, Security and Democracy. Virkkunen’s portfolio places tech policy at the heart of the new Commission’s agenda, reflecting its strategic importance for EU competitiveness.

Virkkunen, a former Member of the European Parliament from Finland with a robust track record in tech policy, assumes leadership of the Directorate-General for Communications Networks, Content and Technology (DG CNECT). In contrast to the often-aggressive stance of her predecessor, Thierry Breton, towards industry leaders, Virkkunen is expected to be more collaborative. Virkkunen’s alignment with von der Leyen’s vision is anticipated to bring coherence to the Commission’s tech agenda. DG CNECT no longer reports to two Commissioners (Vestager and Breton in the last Commission), which will simplify its management. Placing it under EVP Virkkunen, who is relatively senior in the College of Commissioners, underscores that digital policy is a priority for this Commission.

Virkkunen will need to coordinate closely with other Commissioners, such as Stéphane Séjourné (EVP for Prosperity and Industrial Strategy), who will oversee the development of a European competitiveness fund to support emerging technologies. This initiative should align with Virkkunen’s efforts to strengthen EU capabilities in AI and semiconductors through Important Projects of Common European Interest. Virkkunen also effectively oversees four other Commissioners, including Ekaterina Zaharieva (Startups, Research and Innovation), who has been mandated to set up a European AI Research Council in order to bolster innovation, and Michael McGrath (Democracy, Justice, the Rule of Law and Consumer Protection), who will revise data retention rules to address potential privacy and security concerns.

Virkkunen’s Ambitious Policy Agenda

Henna Virkkunen’s mission is both expansive and strategically aligned with the EU’s overarching goals of digital sovereignty and competitiveness. She has three core priorities: artificial intelligence (AI), cloud computing, and quantum technologies.Continue Reading What Does the New European Commission Mean for EU Tech Policy?

On 15 January 2025, the European Commission published an action plan on the cybersecurity of hospitals and healthcare providers (the “Action Plan”). The Action Plan sets out a series of EU-level actions that are intended to better protect the healthcare sector from cyber threats. The publication of the Action Plan follows a number of high-profile incidents in recent years where healthcare providers across the European Union have been the target of cyber attacks.

Whilst the Action Plan primarily focuses on healthcare providers including hospitals, clinics, care homes, rehabilitation centres and others, the plan identifies interdependence between those providers and the healthcare industry. Therefore, some of the measures proposed address risks affecting the broader healthcare supply chain and ecosystem, and will potentially have implications for pharmaceutical and biotechnology industry players as well as medical device manufacturers.

The action that will be of most significance for industry is the plan for Member States to request that entities subject to the NIS2 Directive, including healthcare organisations, must report on ransom payments when reporting significant incidents to the competent authority under the NIS2 Directive (section 3.3, p.14). The Action Plan rationalizes this proposal by stating that the collection of further data is needed to understand the effectiveness of measures taken against ransomware attacks, and noting that such reporting would support the effective investigation of incidents. Reporting of ransomware payments is not required by the NIS2 Directive, so this would represent a significant change for in-scope entities. While this is titled a ‘national action’ to be implemented by Q4 2025, it is not immediately clear from the Action Plan if the proposal would take the form of a new EU law that imposes the obligation on Member States or otherwise.Continue Reading European Commission Publishes Action Plan on Cybersecurity of Hospitals and Healthcare Providers

On 1 December 2024 the 2025-2029 College of Commissioners took office, led by President Ursula von der Leyen in her second term.

This blog explores what companies can expect from the new European Commission in the field of EU State aid.

Key takeaways

  • The Commission will establish a new State aid framework to allow EU Member States to grant State aid for (i) accelerating the roll-out of renewable energy, (ii) deploying industrial decarbonisation, and (iii) ensuring sufficient manufacturing capacity for clean tech “made in Europe” while preserving cohesion objectives.
  • Approval of State aid for Important Projects of Common European Interest (“IPCEIs”) will be made simpler and faster. The Commission may further expand the scope of IPCEIs to include innovations more broadly and possibly manufacturing projects.
  • The Commission will create a ‘European Competitiveness Fund’, aimed at supporting the development of strategic technologies and their manufacturing in the EU. Depending on its design, this fund may help level the playing field among EU Member States.
  • State aid rules will be revised to enable wider housing support measures, notably for energy efficiency and social housing. Other State aid rules will also undergo a revision during the 2025-2029 mandate, such as aid to the transport sector or for companies in difficulty.

Perpetuation of relaxed State aid rules for the green transition?

President Ursula von der Leyen announced in her political programme for the 2025-2029 mandate the need to have a new Clean Industrial Deal, to decarbonise, and to bring down energy prices.

As a key pillar of the EU Clean Industrial Deal, she called for the establishment of “a new State aid framework” (see mission letter to Executive Vice-President (“EVP”) Ribera, responsible for the ‘Clean, Just and Competitive Transition’ and thus for EU competition policy). This new framework will allow EU Member States to grant State aid for (i) accelerating the roll-out of renewable energy, (ii) deploying industrial decarbonisation, and (iii) ensuring sufficient manufacturing capacity for clean tech in the EU. It will build on the experience of the Temporary Crisis and Transition Framework (“TCTF”) and preserve cohesion objectives.

This new State aid framework may make more permanent the relaxed State aid rules in relation to the green transition.

As a response to the U.S. Inflation Reduction Act, heavily subsidising the green transition, the Commission relaxed the EU State aid rules for the roll-out of renewable energy, industrial decarbonisation, and manufacturing in the EU/EEA of relevant equipment for the transition towards a net-zero economy (for more details, see our blogpost). The TCTF was remarkable in terms of industrial policy because, under general State aid rules, support to large businesses pursuing manufacturing projects is generally considered unnecessary – large companies have access to capital and those measures may be considered highly distortive. Such aid could traditionally only have been authorised by the Commission under strict conditions and in support of a new economic activity in disadvantaged areas under the Commission’s Regional Aid Guidelines (“RAG”).Continue Reading State aid – Outlook for the European Commission’s 2025-2029 Mandate

From January to June 2025, Poland will hold the Presidency of the Council of the European Union, presenting an ambitious agenda organized around the concept of security to tackle some of the EU’s most pressing challenges. This blog outlines the announced focus areas for technology, trade, defense, and ESG. Each of these topics is pivotal to ensuring the EU’s competitiveness, resilience, and sustainability in an increasingly complex global landscape.

Technology: Driving Innovation and Digital Transformation

The EU’s technological landscape is at a crossroads, driven by competition with the U.S. and China, and regulatory reforms such as the Digital Markets Act and the AI Act. The Polish Presidency will advance digital resilience by focusing on cybersecurity and AI governance. It commits to “promote the strengthening of European AI research, development and competence centres across the EU and support EU activities for entrepreneurs implementing disruptive technologies.” Poland also pledges to develop a “a comprehensive and horizontal approach to cybersecurity” by holding “a discussion on best practices in Member States on investing in cybersecurity” and creating a “new EU cybersecurity strategy.”

The EU-U.S. Trade and Technology Council (TTC), which has facilitated transatlantic cooperation, faces uncertain prospects under evolving political landscapes. If disbanded, new bilateral arrangements like a UK-EU TTC may emerge. In technology diplomacy, the EU will likely prioritize collaborations on export control, investment screening, and dual-use technologies with allies​, including the U.S.

Trade: Enhancing Competitiveness and Reducing Dependencies

The EU’s trade policy faces heightened complexities in balancing openness with economic security. Amidst Russia’s destabilizing actions and the economic decoupling from China, the Polish Presidency prioritizes reinforcing the EU’s economic sovereignty. Enhancements to the EU Customs Union and trade components of the Association Agreements with Ukraine and Moldova are expected, aligning economic cooperation with strategic resilience.Continue Reading “Security, Europe!” Priorities of the Polish Presidency of the EU Council

As the world anticipates the return of Donald Trump to the White House, the European Union (“EU”) braces for significant impacts in various sectors. The first Trump administration’s approach to transatlantic relations was characterized by unpredictability, tariffs on imported goods, a strained NATO relationship, and withdrawal from the Iran nuclear deal and the Paris climate agreement. If past is prologue, the EU must prepare for a renewed era of uncertainty and potential adversarial policies.

Trade Relations

Trump’s self-proclaimed identity as a “tariff man” suggests that trade policies would once again be at the forefront of his administration’s priorities. His campaign promises, which include imposing global tariffs on all goods from all countries in the range of 10 % to 20%, signal a departure from traditional U.S. trade policies. Such measures could have severe repercussions for the EU, both directly through increased tariffs on its exports and indirectly via an influx of dumped products from other affected nations, particularly China. Broad-based tariffs of this nature would likely provoke retaliatory measures from the EU.

The EU’s response toolkit would likely mirror many of the actions it employed between 2018 and 2020 in reaction to U.S. tariffs imposed during the first Trump administration. These measures would include retaliation on U.S. products to maximize political pressure by targeting Trump-supporting constituencies, pursuing chosen legal challenges against the U.S. at the World Trade Organization, and implementing safeguards to shield the EU market from an influx of Chinese and other diverted goods following U.S. tariff hikes. Very practically, the EU has suspended tariffs on US exports of steel and aluminum to its market worth €2.8 billion. The suspension expires on 1 March 2025, requiring an active decision on whether to reintroduce them or not.

In executing these measures, the EU is expected to collaborate with allies such as the UK, Canada, Japan, Australia, and South Korea to amplify its response. The EU may also explore smaller trade agreements or informal “packages” with the U.S. as part of a negotiated tariff truce. Broader protective measures could also be pursued, focusing on subsidies and industrial policies aimed at strengthening Europe’s strategic sectors, beyond actions specific to the U.S. Some cooperation with the U.S. on China may also be possible in areas like export control, investment control, and dual-use technologies.Continue Reading Policy Implications for Europe Under a Second Trump Administration

The European Union has just published a new (recast) Urban Wastewater Treatment Directive (“UWWTD”) in the EU’s official journal.  The UWWTD imposes important new Extended Producer Responsibility (“EPR”) obligations that will have a significant financial and administrative impact on companies marketing human medicines and cosmetic products in the EU.  Member States must implement the new UWWTD by July 31, 2027 and must apply the new EPR obligations to in‑scope companies by December 31, 2028. 

In a previous blog, we discussed the new EPR obligations in detail.  In this blog, we outline the key financial provisions of the EPR obligations and raise different questions concerning Member States’ discretion when transposing the EPR obligations into their national laws.

Extended Producer Responsibility under the UWWTD

The UWWTD requires Member States to ensure the treatment of urban wastewaters to remove micropollutants (so‑called fourth stage, or “quaternary” treatment).  Article 9 of the Directive also requires Member States to ensure that producers that market products listed in Annex III (i.e., human medicinal products and cosmetic products) have EPR obligations and pay, via producer responsibility organizations (“PROs”), for the costs of the quaternary treatment of urban wastewater, for data collection, and for other costs required to exercise their EPR. 

Specifically, Article 9 requires that producers subject to EPR obligations must cover:

  • At least 80% of the costs associated with quaternary treatment of wastewater to remove micropollutants.  This includes both capital investments for building or expanding urban wastewater treatment facilities and operational expenses for the treatment facilities.
  • 100% of the costs for gathering data on the products they place on the market.
  • 100% of other costs (e.g., administrative) required to exercise their EPR.

As noted above, Annex III currently lists human medicines and cosmetics as the product groups covered by the EPR obligations.  However, the UWWTD requires the Commission to assess the possible expansion of that list and to make the related legislative proposals by December 31, 2033.

National Implementation: Some Questions

The EPR obligations of the UWWTD will only apply to producers once Member States implement them into their national laws.  The Directive requires Member States to adopt their national implementing laws by July 31, 2027 and to apply the EPR obligations not later than December 31, 2028.  Member States may choose to apply the EPR obligations earlier.

The UWWTD leaves Member States with some discretion as to how they implement the EPR obligations, and also allows Member States to impose stricter and broader requirements.  Recital 3 of the Directive makes this clear, as it states that “[i]n line with Article 193 of the [TFEU] Member States can go beyond the minimum requirements set out in this Directive.  Member States could consider for instance […] imposing additional requirements for, or broadening the spectrum of the application of, their national extended producer responsibility systems.” Continue Reading The EPR Obligations of the New Urban Wastewater Treatment Directive Key Questions and Next Steps for Member States

On 1 December 2024 the 2025-2029 College of Commissioners took office, led by President Ursula von der Leyen in her second term. This blog explores what companies can expect from the new Commission regarding the EU Foreign Subsidies Regulation (“FSR”).

The FSR was adopted in December 2022 to address distortions caused in the EU by foreign subsidies. It introduced two notification tools for prior clearance of concentrations and public procurement procedures – effective since 12 October 2023 – and an ex officio tool for investigations by the Commission into suspicious foreign subsidies – effective since 12 July 2023. For a detailed overview of the FSR, see our previous blog post.

Key takeaways

  • The first year of FSR enforcement has seen a higher number of FSR notifications than the Commission anticipated in its 2021 Impact Assessment, in terms of both transactions and public procurement procedures. The Commission has initiated four in-depth investigations. By contrast, the ex officio tool has rarely been used with only two investigations launched.
  • For its 2025-2029 mandate, the Commission is aiming to vigorously enforce the FSR, especially as regards concentrations.
  • The Commission appears willing to discuss possible amendments to the FSR (in particular, to the public procurement notification thresholds).

The first year of FSR enforcement

The first year of FSR enforcement has seen a higher number of FSR notifications than the Commission anticipated in its 2021 Impact Assessment. Based on data disclosed by officials at conferences: (i) DG COMP, responsible for the enforcement of the FSR in relation to concentrations, received more than 100 transaction notifications (with 98 cases closed), compared to the 30 initially anticipated; and (ii) DG GROW, responsible for the enforcement of the public procurement tool, received approximately 140 notifications, compared to the 36 initially anticipated.Continue Reading The EU Foreign Subsidies Regulation – Outlook for the European Commission’s 2025-2029 Mandate

On 2 December 2024, the European Data Protection Board (“EDPB”) adopted its draft guidelines on Article 48 GDPR (the “Draft Guidelines”). The Draft Guidelines are intended to provide guidance on the GDPR requirements applicable to private companies in the EU that receive requests or binding demands for personal data from public authorities (e.g., law enforcement or national security agencies, as well as other regulators) located outside the EU.

The Draft Guidelines focus in particular on Article 48 GDPR, which states that a binding demand from a non-EU public authority “requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.”

As an initial matter, the EDPB addresses the question of whether Article 48 operates as a blocking statute—i.e., a prohibition on disclosure of personal data subject to the GDPR to non-EU public authorities in the absence of an international agreement (e.g., a mutual legal assistance treaty) that permits that disclosure. The Draft Guidelines state that, even in the absence of such an international agreement, companies can in principle disclose personal data in response to such demands, provided that they (a) have a valid legal basis for doing so under Article 6 GDPR, and (b) can validly transfer the personal data outside the EU in accordance with Chapter V GDPR (e.g., on the basis of an EU adequacy decision, “appropriate safeguards”, or one of the derogations set out in Article 49 GDPR). The Draft Guidelines nonetheless make clear that, absent such an international agreement, any demand from a non-EU public authority will not be recognized as a binding demand by, or enforceable in, EU courts.

The Draft Guidelines also provide guidance on the Article 6 legal bases and Chapter V transfer grounds that might apply where a private entity receives a request or demand for personal data from a non-EU public authority. This guidance is broadly consistent with the EDPB’s analysis in its 2019 joint opinion with the EDPS on the CLOUD Act. Of particular note:Continue Reading EDPB adopts draft guidelines on requirements when responding to requests from non-EU public authorities