Database
Trading restrictions
EUROPEAN UNION
Since January 2018
Chapter Online sales and transactions |
Sub-chapter Barriers to fulfillment
Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (Text with EEA relevance) (Payments Services Directive) (PSD2)
A revised version of the Payment Services Directive (PSD2) went into force in January 2018. This update of the Directive intends to foster payment in new technology sectors, but the strong security guidelines, including 'two-factor authentication', have been criticized. The Directive includes a 'strong customer authentication' requirement for payers to access their payment account online or to initiate an "electronic remote payment transaction". Companies in the tech sector have argued that it could stifle innovation.
Coverage Horizontal
Trading restrictions
EUROPEAN UNION
Reported in September 2017
Chapter Standards |
Sub-chapter Product screening and testing requirements
Proposal Regulation on ENISA, the "EU Cybersecurity Agency", and Repealing Regulation (EU) 526/2013, and on Information and Communication Technology Cybersecurity Certification (''Cybersecurity Act'') (2017/0225 (COD))
The proposal for a Cybersecurity Act would introduce cybersecurity certification schemes by the EU Agency for Network and Information Security (ENISA). Once a European cybersecurity certification scheme is adopted, manufacturers of ICT goods or providers of ICT services will be able to submit an application for certification of their products or services to a conformity assessment body of their choice. The certifications would apply in all member states.
Coverage ICT goods and digital services
Trading restrictions
EUROPEAN UNION
Since 2009
Chapter Quantitative Trade Restrictions |
Sub-chapter Export restrictions
Regulation (EC) No 428/2009
Under the EU regime, the export of dual use items is subject to control and dual use items may not leave the EU customs territory without an export authorisation. The list includes: electronics, computers, telecommunications and information security (see Annex I, Regulation (EC) No 428/2009).
Coverage Electronics, computers, telecommunications and information security
Trading restrictions
EUROPEAN UNION
Since 2007
Chapter Quantitative Trade Restrictions |
Sub-chapter Local Content Requirements for commercial market
EU Directive on Audiovisual Media Services (AVMS)
The EU Directive on Audiovisual Media Services (AVMS) covers traditional broadcasting services as well as audiovisual media services provided on-demand, including via the Internet. Article 13 of the Directive imposes on Member States the obligation to ensure that on-demand service providers promote European works, although there is no explicit content quota.
Given the nascent and specific nature of on-demand services, the article does not impose any specific tool to promote European works. It only provides examples of means to carry out such promotion, which include:
- financial contributions to the production and rights acquisition of European works (by investing 1%-5% (mostly around 2%) of the total yearly turnover in the production or rights acquisition)
- promoting a share and/or the prominence of European works in the catalogues offered to the public (usually between 10%-60%).
The Directive has been implemented by Member States in different ways, ranging from very extensive and detailed measures to a mere reference to the general obligation to promote European works.
Coverage On-demand audiovisual services
Sources
- USTR, 2014 National Trade Estimate Report on Foreign Trade Barriers, https://ustr.gov/sites/default/files/2014%20NTE%20Report%20on%20FTB.pdf
- http://ec.europa.eu/digital-agenda/en/news/promotion-european-works-practice
- https://rm.coe.int/1680783dc7
Trading restrictions
EUROPEAN UNION
Chapter Quantitative Trade Restrictions |
Sub-chapter Import restrictions
Import restrictions
No import restrictions have been found for the EU on digital goods. However, many EU member states maintain their own list of goods subject to import licensing, which might in some cases constitute a barrier to digital trade. For various rules applying to specific products being imported into the customs territory of the EU, the TARIC (Tarif Intégré de la Communauté) can be consulted.
Coverage Certain products
Sources
- US Commercial Service, "Doing Business in Greece: 2014 Country Commercial Guide for U.S. Companies", 2014
- http://ec.europa.eu/taxation_customs/dds2/taric/taric_consultation.jsp
Trading restrictions
EUROPEAN UNION
Since March 2014
Chapter Content access |
Sub-chapter Censorship and filtering of web content
European Court of Justice ruling - Case C-314/12 "UPC Telekabel Wien GmbH v Constantin Film Verleih GmbH and Wega Filmproduktionsgesellschaft mbH"
The European Court of Justice ruled in 2014 that Internet Service Providers (ISPs) may be ordered by national courts to block customer access to copyright-infringing websites.
Coverage Internet service providers
Restrictions on data
EUROPEAN UNION
In July 2011
Chapter Intermediary liability |
Sub-chapter Lack of safe harbor for intermediary liability
Judgment of the European Court of Justice of 12 July 2011 on the case C-324/09 L’Oréal v eBay
The Judgment of the European Court of Justice on the case C-324/09 L’Oréal v eBay specifically concerns the liability of the operator of the online marketplace. The ECJ recalled that only ‘intermediary service providers’ may rely on the exemption from liability provided for by Article 14 of Directive 2000/31/EC. The operator of an online marketplace is not an intermediary service provider of this kind if, instead of taking a neutral position between the customer-seller concerned and potential buyers, confining itself to technical and automatic processing of the data relating to the offers it stores, it plays an active role of such a kind as to give it knowledge of, or control over, those data.
This is the case where the operator provides the customer-seller with assistance consisting in particular of optimising the presentation of the offers or promoting them. Moreover, it will not be able to rely on the above-mentioned derogation from liability if it appears that it was aware of facts or circumstances on the basis of which a diligent economic operator should have realised that the offers for sale were unlawful and failed to act expeditiously to remove these offers or to disable access to them.
Coverage Internet intermediaries
Restrictions on data
EUROPEAN UNION
Since 2000
Chapter Intermediary liability |
Sub-chapter Lack of safe harbor for intermediary liability
Directive 2000/31/EC (e-Commerce Directive)
Directive 2000/31/EC (E-Commerce Directive) is the legal basis governing the liability of Internet Service Providers (ISPs) in the EU Member States and includes a conditional safe harbor. The Directive covers any type of infringement of third-party rights, including intellectual and industrial property rights and personality rights.
The limitations on liability in the Directive apply to clearly delimited activities (mere conduit, caching and hosting) carried out by internet intermediaries, rather than to categories of service providers or types of information. While it was not considered necessary to cover hyperlinks and search engines in the Directive, the Commission has encouraged Member States to further develop legal security for Internet intermediaries.
Since not all Member States have transposed the relevant articles consistently, the national case law is divergent and leads to legal insecurity on an EU level.
Coverage Internet Intermediaries
Restrictions on data
EUROPEAN UNION
Since 1995
Since May 2018
Chapter Data policies |
Sub-chapter Sanctions for non-compliance
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data - Art. 24
General Data Protection Regulation (Regulation 2016/679)
The General Data Protection Regulation (GDPR), which entered into force in May 2018, introduces burdensome administrative fines that can be imposed by the supervisory bodies. The upper limits for these fines are:
- EUR 10,000,000, or 2% of the infringing organization's total worldwide annual turnover of the preceding financial year, whichever is higher, for infringement of the GDPR's obligations on data controllers, data processors, certification bodies, and monitoring bodies.
- EUR 20,000,000, or 4% of the organization's total worldwide annual turnover of the preceding financial year, whichever is higher, for infringement of the GDPR's principles on data processing (including conditions for consent), data subject's rights, data transfer to third countries and international organizations, and non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows.
Coverage Horizontal
Restrictions on data
EUROPEAN UNION
Since August 2016
Chapter Data policies |
Sub-chapter Administrative requirements on data privacy
Network Information Security (NIS) Directive
The Network Information Security (NIS) Directive requires that an operator of an essential service relying on the service of a digital service provider for the provision of an essential service must notify the relevant authority of any incident affecting the digital service provider which has a 'significant impact' on the continuity of the essential service. "Digital service providers" include online marketplaces, online search engines, and cloud computing services. The NIS applies to essential service providers and digital service providers with more than 50 employees or an annual balance sheet over 10 million EUR.
The Directive was adopted by the European Parliament on July 6th 2016 and entered into force in August 2016. Member states have 21 months to transpose the directive into their national laws and 6 months more to identify operators of essential services.
Coverage "Essential services providers" and "digital services providers"
Sources
- https://ec.europa.eu/digital-single-market/en/network-and-information-security-nis-directive
- https://iapp.org/news/a/nis-gdpr-a-new-breach-regime-in-the-eu/
- http://www.theregister.co.uk/2016/01/07/the_network_and_information_security_directive_who_is_in_and_who_is_out/
- http://www.out-law.com/en/articles/2016/july/eu-network-and-information-security-directive-finalised/
Restrictions on data
EUROPEAN UNION
Reported in January 2017
Chapter Data policies |
Sub-chapter Administrative requirements on data privacy
Proposal for a Regulation of the European Parliament and the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) (e-Privacy Regulation)
The EU's proposed e-Privacy Regulation stipulates that firms must inform users of security risks when they identify them and, if the risk "lies outside the scope of the measures to be taken by the service provider", inform them of the remedies that users can take and provide an indication of the likely costs involved. As a result of this requirement, firms that are not able to remedy security risks in a timely manner would put themselves at greater risk by disclosing the vulnerabilities of their systems to their users, increasing the risk of data breaches by actors capable of exploiting them. This is the case, for example, if information on security risks is leaked to the wider public.
Coverage Horizontal
Restrictions on data
EUROPEAN UNION
Since 2002
Since June 2013
Since March 2014
Since May 2018
Reported in January 2017
Chapter Data policies |
Sub-chapter Administrative requirements on data privacy
Directive 2002/58/EC (e-Privacy Directive)
Regulation 611/2013
Opinion 03/2014 on Personal Data Breach Notification
General Data Protection Regulation (Regulation 2016/679)
Proposal for a Regulation of the European Parliament and the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) (e-Privacy Regulation)
According to the e-Privacy Directive (Directive 2002/58/EC) and Regulation 611/2013, personal data breaches in electronic communication services must be notified to the competent national authority. Notification to the authority shall be done no later than 24 hours after the detection of the personal data breach where feasible, extensible to 72 hours in some cases. When the personal data breach is likely to adversely affect the personal data or privacy of a data subject, the data controller shall also notify the data subject of the breach without undue delay.
An opinion adopted by the Working Party 29 on 25 March 2014 expanded the personal data breach notification requirement in the e-Privacy Directive to controllers beyond electronic communication providers. The General Data Protection Regulation, effective since May 2018, enshrines this measure into EU law.
The proposed e-Privacy Regulation will replace the e-Privacy Directive. It is currently unclear how the overall regime will change as a result.
Coverage Electronic communications services and other controllers
Sources
- http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp213_en.pdf
- http://ec.europa.eu/justice/data-protection/law/files/recast_20091219_en.pdf
- http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2013:173:0002:0008:en:PDF
- https://gdpr-info.eu/art-33-gdpr/
- https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:52017PC0010
Restrictions on data
EUROPEAN UNION
Since May 2018
Chapter Data policies |
Sub-chapter Administrative requirements on data privacy
General Data Protection Regulation (Regulation 2016/679)
Since May 2018, the General Data Protection Regulation requires that organizations conducting "regular and systematic monitoring of data subjects on a large scale" or whose activities include the processing of sensitive personal data on a large scale, must appoint a Data Protection Officer (DPO). Previously, only European institutions and bodies were required to appoint at least one person as a DPO, with some Member States imposing such requirements also on private companies.
Coverage Horizontal
Restrictions on data
EUROPEAN UNION
Since May 2014
Chapter Data policies |
Sub-chapter Personal rights to data privacy
C-131/12 - Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González
In May 2014, the European Court of Justice ruled that individuals are entitled to seek the deletion of links on search engines about themselves if "the data appear to be inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed and in the light of the time that has elapsed". The ruling therefore recognizes the so-called right to be forgotten.
Coverage Search engines
Restrictions on data
EUROPEAN UNION
Since May 2018
Chapter Data policies |
Sub-chapter Personal rights to data privacy
General Data Protection Regulation (Regulation 2016/679)
The General Data Protection Regulation enshrines the right to be forgotten under the "right to erasure", stipulating that this right should be enforced "without undue delay". Finally, should the controller have made the personal data public, it has to erase the personal data, and take reasonable steps to inform controllers which are processing the personal data that the data subject has requested the erasure of the data.
Coverage Horizontal