Tag: EU

The EU Digital Markets Act

The EU has recently unveiled its much-expected landmark proposal for a Digital Markets Act (DMS). Twenty years after the introduction of the eCommerce Directive, the DMA envisages a new legal basis for competition and platform management, covering everything from content moderation  to app stores, search and self-preferencing.

The DMA introduces rules for platforms that act as “gatekeepers” in the digital sector. These are platforms that have a significant impact on the internal market, serve as an important gateway for business users to reach their customers, and which enjoy, or will foreseeably enjoy, an entrenched and durable position. This can grant them the power to act as private rule-makers and to function as bottlenecks between businesses and consumers.

With an eye mainly to US big-tech, the Digital Markets Act is set to prevent gatekeepers from imposing unfair conditions on businesses and consumers and ensure the openness of important digital services. Examples of these unfair conditions that gatekeepers sometimes impose on others include prohibiting businesses from accessing their own data when operating on these platforms, or situations where users are locked into a particular service and have limited options for migrating to alternative service providers.

Gatekeeper on the historic Banco Santander, Lisbon.

The enforcement system of the DMA is of particular importance, as the proposal does not seem to leave much space to national authorities. In fact, the European Commission shall be vested with extensive investigative powers (see Articles 19-21) and shall be able to impose fines and periodic penalty payments in case of non-compliance (Articles 26-27) of the same magnitude as in antitrust cases (up to 10% of annual turnover and 5% of daily turnover for fines and periodic penalty payments respectively).

In case of systematic non-compliance that has further strengthened or extended the gatekeeper’s position, the Commission may even impose behavioral or even structural remedies on the gatekeeper, including divestiture (Article 16). Structural remedies are a last resort penalty and can be imposed only if there are no equally effective behavioral remedies. The European Commission may also issue interim measures (Article 22) and accept commitments offered by the gatekeeper (Article 23).

Together with the Digital Services Act, the DMA is oriented at providing better protection to consumers and to fundamental rights online, establishing a powerful transparency and accountability framework for online platforms and leading to fairer and more open digital markets.

Harmonised across the EU and directly applicable, the new rules will make it easier to provide digital innovations across borders, while ensuring the same level of protection to all citizens in the EU.

Further information can be retrieved from the Commission’s dedicated webpage.

New Rules to Improve Fairness within the Online Platform Economy

Over the past decade, online platforms (such as Shopify, Magento, Etsy, etc.) have established their presence as important economic players, connecting economic actors and boosting efficiency while spurring innovation and new business models.

As of today, they play an important role in many industries, since they allow buyers and sellers of goods and services to trade and communicate with each other. At the same time, they create network effects, and raise new issues related to fairness, transparency, and market distortions.

This ecosystem is now regulated by means of Regulation 2019/1150 on online platform-to-business relationships (P2B Regulation).

The regulation, which directly applies throughout the Union since 11 July 2020, has introduced a set of transparency rules to be followed by online platforms in their relations with business users, to address unfair and potentially harmful contractual clauses and trading practices, and lack of effective redress.

Its scope covers online intermediation services and online search engines provided, or offered to be provided, to business users and corporate website users, respectively, that have their place of establishment or residence in the Union and that, through those online intermediation services or online search engines, offer goods or services to consumers located in the Union, irrespective of the place of establishment or residence of the providers of those services and irrespective of the law otherwise applicable.

The key points covered by the regulation can be summarized as follows:

    • Terms and Conditions will have to be written in plain and intelligible language;
    • Business users will have to be informed of any modification of the Terms and Conditions;
    • Platforms will have to respect a reasonable notice period depending on the nature of the modification (minimum is fixed at 15 days) unless a business user gives an explicit agreement for this period to be shortened;
    • Providers of online intermediation services will have to provide business users with the reasons for restricting or suspending individual products/ services;
    • In case of definitive termination of the online intermediation service offered, the platform will provide the business user concerned with a statement of reasons at least 30 days in advance;
    • The providers of these services have to formulate and publish general policies on what data generated through their services can be accessed, by whom and under what conditions;
    • Providers of online intermediation services as well as online search engines will be required to clearly inform businesses about the main parameters determining how goods and services are ranked;
    • Online search engines should be transparent about any preferential treatment they give to their own products and services offered through their search sites;
    • Providers of online intermediation services will be required to explain the use of contract clauses demanding the most favourable range or price of products and services offered by their professional users;
    • Online platforms will have to set up or have in place internal complaint handling mechanisms (small enterprises with less than 50 staff members and generating ≤€10 million turnover will be exempted from this obligation);
    • Business users will have access to out-of-court dispute settlement through easily accessible external mediators (small enterprises with less than 50 staff members and generating <€10 million turnover will be exempted from this obligation);
    • Representative organisations or associations will be able to defend businesses in courts against possible infringements of the proposed rules by online platforms or search engines.

Furhtermore, an EU Observatory of the Online Platform Economy has been established to look into the current and emerging challenges and opportunities for the EU in the online economy. The observatory shall be monitoring online trends, the evolution of trading practices, and the development of national policies, in order to monitor, anticipate and solve issues arising in the online economy.

Protecting your personal data in elections

A year ago, the Facebook–Cambridge Analytica data scandal was illustrating in the most obvious way that data processing techniques for political purposes can pose serious risks, not just with regard to the rights to privacy and data protection, but also to the institutional integrity of democracy.

This matter of digital precariousness has been recently addressed by the European Data Protection Board, which adopted on 13 March 2019 a statement on the use of personal data during election campaigns. In this statement EDPB welcomes the set of measures presented by the European Commission in September 2018, and highlights a number of key points that need to be taken into consideration, when political parties and candidates process personal data in the course of electoral activities.

In the said statement, following bullet points were underlined to be respected when political parties process personal data during their election campaigns:

  • Personal data revealing political opinions is a special category of data under the GDPR. As a general principle, the processing of such data is prohibited and is subject to a number of narrowly-interpreted conditions, such as the explicit, specific, fully informed, and freely given consent of the individuals.
  • Personal data which have been made public, or otherwise been shared by individual voters, even if they are not data revealing political opinions, are still subject to, and protected, by EU data protection law. As an example, using personal data collected through social media cannot be undertaken without complying with the obligations concerning transparency, purpose specification and lawfulness.
  • Even where the processing is lawful, organisations need to observe their other duties pursuant to the GDPR, including the duty to be transparent and provide sufficient information to the individuals who are being analysed and whose personal data are being processed, whether data has been obtained directly or indirectly. Political parties and candidates must stand ready to demonstrate how they have complied with data protection principles, especially the principles of lawfulness, fairness and transparency.
  • Solely automated decision-making, including profiling, where the decision legally or similarly significantly affects the individual subject to the decision, is restricted. Profiling connected to targeted campaign messaging may in certain circumstances cause ‘similarly significant effects’ and shall in principle only be lawful with the valid explicit consent of the data subject.
  • In case of targeting, adequate information should be provided to voters explaining why they are receiving a particular message, who is responsible for it and how they can exercise their rights as data subjects. In addition, the Board notes that, under the law of some Member States, there is a transparency requirement as to payments for political advertisement.

The above opinion has been published with an eye on the upcoming European elections and other elections taking place across the EU.

More particularly, as regards Greece, the Hellenic Data Protection Authority has already provided practical guidance and recommendations to stakeholders by means of Directive 1/2010 (available in Greek). Directive 1/2000 covers not only EU and national, but also local, municipal and regional election campaigns. Therein, the Greek Authority clarifies, among others, that communicating a political campaign by e-mail, or SMS messages is allowed without the consent of the potential voter, only exceptionally, that is under the following two concurring conditions: (i) the sender has legally obtained the potential voter’s details in the context of a prior transaction of similar scope, i.e. an older political campaign, and (ii) the recipient is able to exercise the right to object, by being provided with an easy and clear “opt-out” system.

Political campaigners are about to face rough seas in getting their message across this time. And it is a matter of time until the Hellenic Data Protection Authority announces the first sanctions against stakeholders and players of the political arena.

Unlocking e-commerce in Europe

On 3 December 2018, Regulation (EU) 2018/302, better known as the Geo-blocking Regulation, entered into force. This development is a part of the European Commission’s digital single market strategy to ban unjustified geo-blocking, which restricts the consumers’ ability to access a website, complete a purchase, being rerouted to a country specific website, or refused delivery or payment because of their location.

Geo-blocking occurs when a consumer wants to browse products or services on a trader’s website, but is denied access. This can include the practice of rerouting to a country specific version which may display different products or prices. Even when consumers can access their preferred site, they may be prevented from finalising the purchase or are required to pay by debit or credit card from a particular country. Geo-blocking Regulation now prevents this behaviour by prohibiting the practice of automatically rerouting consumers to country specific websites and banning unjustified discrimination in relation to payment methods. In fact, only few days following the Regulation’s entry into force, the European Commission fined Guess €40 million for anticompetitive agreements to block cross-border sales.

Nevertheless, although EU-based traders will no longer be permitted to refuse to sell to consumers based on their nationality or place of residence, the new rules do not require such traders to offer delivery of the goods to consumers who live in a different country. Certain goods and services are excluded from the scope of the Regulation, including transport services, retail financial services and healthcare service. Importantly, the Regulation does not cover the provision of (non-audiovisual) copyright protected content services (such as e-books, online music, software and videogames). Audio-visual services also do not fall within the scope of the Regulation.

This webpage, provided by the European Commission, explains in a concise way how online sellers can ensure their services are compatible with the new rules and provides examples of best practices.

Trade Secrets finally protected?

Contrary to IP rights, trade secrets do not enjoy absolute and exclusive protection under Greek law. They are protected by means of confidentiality, non-use, non-disclosure agreements, and their protection is always “post factum”. Furthermore, civil proceedings do not offer an appropriate measure to preserve the secrecy of confidential information enforced in trade secret litigation. Nevertheless, trade secret protection is a company must-have, no less vital than protecting your patents, design rights or trademarks.

Trade Secrets Directive

The landscape is about to change. In 2016, the EU took steps to harmonize EU law, to ensure businesses can protect their innovative work and preserve competitive gains, by adopting the Trade Secrets Directive, which Greece should have transposed by June 9, 2018. The Directive contributes to the commitment to create a single market in the EU for intellectual property rights. Although the domestic legislative initiatives remain unclear, what is certain is that companies doing business in Europe must act now to ready themselves for this important reform.

The Trade Secrets Directive creates a baseline minimum level of protection which every member state must institute. It starts by setting out a uniform definition of a trade secret: any information that is secret (not generally known among or readily accessible to persons within the relevant circles of trade) and has commercial value because it is secret. The definition thus extends beyond more classic trade secrets like construction drawings or recipes and may include negative information like known product defects or company code of conduct violations.

Intent will no longer suffice. Companies must actively take reasonable steps to protect their trade secrets – and be able to show they did in court. A company failing to take such steps, or unable to prove it did so, could lose its trade secret protection.

When deciding on the scope of protection granted to a trade secret, courts will therefore consider the protective measures a company can show it employed. This makes it especially important for companies to implement far-reaching protective steps.

Furthermore, the Directive strengthens the position of employees – most notably, their freedom to bring any knowledge and experience gained during their tenure with a company to their next employer. Companies should therefore take steps to contractually ensure confidentiality during an employee’s tenure.

The Way Forward

If applied correctly, trade secret protection can be a cost-efficient way to protect a company’s intellectual property. But companies need to actively shape their trade secret compliance strategy to properly protect their assets. Companies should hence consider following precautionary measures:

  • Think about what information may qualify as trade secret and Include its protection as part of the corporate IP strategy.
  • Identify risks to the trade secrets, either such risks arise from employees or business partners, especially in R&D projects.
  • Apply effective protection of trade secrets, by resorting to: (a) practical protection measures, such as restricted access, password protection or decentralization; (b) contractual measures, especially with employees and business partners, by revisiting many of your agreements; and (c) legal measures, such as prosecuting known misappropriation before Greek courts.

Implementing a trade secret protection strategy now wards off a case of unexpected misappropriation and is in parallel the optimal way to properly protect a valuable asset in view of the forthcoming legislative changes.

Privacy Shield: stronger protection for transatlantic data flows

In the aftermath of the CJEU judgment in Maximillian Schrems vs Data Protection Commissioner case (Case C-362/14), and following the invalidation of the Safe Harbor in October 2015, the European Commission and the U.S. Government reached a political agreement on a new framework for transatlantic data transfers on Tuesday, 2 February 2016: the EU-U.S. Privacy Shield (IP/16/216).

The adoption procedure of the decision texts was finalized by the European Commission on 12 July 2016, after the relevant opinion of the article 29 working party (national data protection authorities) and the European Parliament resolution of 26 May.

This new framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States and offers legal clarity for businesses relying on transatlantic data transfers. The Shield has been drafted, among others, to further illuminate the bulk collection of data, strengthen the Ombudsperson mechanism, and set more explicit obligations on companies as regards limits on retention and onward transfers.

The EU-U.S. Privacy Shield summarily touches upon the following points:

  • Strong obligations on companies handling data: under the new arrangement, U.S. companies wishing to abide by the EU-U.S Privacy Shield will be obliged to register in the Privacy Shield register and re-certify annually. Moreover, their privacy policies will have to be updated, so as to appropriately inform data subjects on their current access rights and the available recourse mechanisms. Especially for onward transfers to third party service providers, companies will remain fully liable and will ensure that third parties’ processing data enjoy the same level of protection in case of a transfer from a Privacy Shield company.
  • Clear safeguards and transparency obligations on U.S. government access: The US has given the EU assurance that the access of public authorities for law enforcement and national security is subject to clear limitations, safeguards and oversight mechanisms. Notably, the U.S. Government has ruled out indiscriminate mass surveillance on personal data transferred to the US. The U.S. Secretary of State has established a redress possibility in the area of national intelligence for Europeans through an Ombudsperson mechanism within the Department of State. It is notable that on 24 February 2016, the Judicial Redress Act was signed. The Act permits EU data subjects to seek remedies for violation of their personal data against U.S agencies in U.S courts.
  • Effective redress mechanisms: Any citizen who considers that their data has been misused shall benefit from several dispute resolution mechanisms. Ideally, the complaint shall be resolved by the company itself, or by an Alternative Dispute resolution (ADR) process, the costs thereof shall not be incurred by the concerned individual. Individuals can also go to their national Data Protection Authorities, who will work with the Federal Trade Commission to ensure that complaints by EU citizens are investigated and resolved. If a case is not resolved by any of the other means, as a last resort there will be an arbitration mechanism. Redress possibility in the area of national security for EU citizens’ will be handled by an Ombudsperson independent from the US intelligence services.

For further information, you can have a look at the EU-U.S. Privacy Shield fact-sheet, published by the European Commission in July 2016 [link], as well as the European Commission’s practical guide to the EU-U.S. Privacy Shield  [link].