Database

A revised version of the Payment Services Directive (PSD2) went into force in January 2018. This update of the Directive intends to foster payment in new technology sectors, but the strong security guidelines including the 'two factor autentification' have been criticized. TheDdirective includes a 'strong customer authentication' for payers to access their payment account online or to initiate an "electronic remote payment transaction". Companies in the tech sector have argued that it could stifle innovation.

The proposal for a Cybersecurity Act would introduce cybersecurity certification schemes by the EU Agency for Network and Information Security (ENISA). Once an European cybersecurity certification scheme is adopted, manufacturers of ICT goods or providers of ICT services will be able to submit an application for certification of their products or services to a conformity assessment body of their choice. The certifications would apply in all member states.

Under the EU regime, the export of dual use items is subject to control and dual use items may not leave the EU customs territory without an export authorisation. The list includes: electronics, computers, telecommunications and information security (see Annex I, Regulation (EC) No 428/2009).

The EU Directive on Audiovisual Media Services (AVMS) covers traditional broadcasting services as well as audiovisual media services provided on-demand, including via the Internet. Article 13 of the Directive imposes on Member States the obligation to ensure that on-demand service providers promote European works, despite there is no explicit content quota.

Given the nascent and specific nature of on-demand services, the article does not impose any specific tool to promote European works. It only provides examples of means to carry out such promotion, which include:
- financial contributions to the production and rights acquisition of European works (by investing 1%-5% (mostly around 2%) of the total yearly turnover in the production or rights acquisition)
- promoting a share and/or the prominence of European works in the catalogues offered to the public (usually between 10%-60%).

The Directive has been implemented by Member States in different ways, ranging from very extensive and detailed measures to a mere reference to the general obligation to promote European works.

No import restrictions have been found for the EU on digital goods. However, many EU member states maintain their own list of goods subject to import licensing, which might in some cases constitute a barrier to digital trade. For various rules applying to specific products being imported into the customs territory of the EU, the TARIC (Tarif Intégré de la Communauté) can be consulted.

The European Court of Justice has interpreted in 2014 that Internet Service Providers (ISPs) may be ordered by national courts to block customer access to a copyright-infringing websites.

The Judgment of the European Court of Justice on the case C-324/09 L’Oréal v eBay specifically concerns the liability of the operator of the online marketplace. The ECJ recalled that only ‘intermediary service providers’ may rely on the exemption from liability provided for by Article 14 of Directive 2000/31/EC. The operator of an online marketplace is not an intermediary service provider of this kind if, instead of taking a neutral position between the customer-seller concerned and potential buyers, confining itself to technical and automatic processing of the data relating to the offers it stores, it plays an active role of such a kind as to give it knowledge of, or control over, those data.

This is the case where the operator provides the customer-seller with assistance consisting in particular of optimising the presentation of the offers or promoting them.Moreover, it will not be able to rely on the above-mentioned derogation from liability if it appears that it was aware of facts or circumstances on the basis of which a diligent economic operator should have realised that the offers for sale were unlawful and failed to act expeditiously to remove these offers or to disable access to them.

The Directive 2000/31/EC (E-Commerce Directive) is the legal basis governing the liability of Internet Services Providers (ISPs) in the EU Member States and includes a conditional safe harbor. The Directive covers any type of infringement of third-party rights, including intellectual and industrial property rights and personality rights.

The limitations on liability in the Directive apply to clearly delimited activities (mere conduit, caching and hosting) carried out by internet intermediaries, rather than to categories of service providers or types of information. While it was not considered necessary to cover hyperlinks and search engines in the Directive, the Commission has encouraged Member States to further develop legal security for Internet intermediaries.

Since not all Member States have transposed the relevant articles consistently, the national case law is divergent and leads to legal insecurity on an EU level.

Tthe General Data Protection Regulation (GDPR), which entered into force in May 2018, introduces burdensome administrative fines that can be imposed by the supervisory bodies. The upper limits for these fines are:
- EUR 10,000,000, or 2% of the infringing organization's total worldwide annual turnover of the preceding financial year, whichever is higher for infringement of the GDPR's obligations on data controllers, data processors, certification bodies, and monitoring bodies.
- EUR 20,000,000, or 4% of the organization's total worldwide annual turnover of the preceding financial year, whichever is higher for infringement of the GDPR's principles on data processing (including conditions for consent), data subject's rights, data transfer to third countries and international organizations, and non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows.

The Network Information Security (NIS) Directive requires that an operator of an essential service relying on the service of a digital service provider for the provision of an essential service must notify the relevant authority of any incident affecting the digital service provider which has a 'significant impact' on the continuity of the essential service. “Digital service providers” include to online marketplaces, online search engines, and cloud computing services. The NIS applies to essential service providers and digital service providers with more than 50 employees or an annual balance sheet over 10 millon EUR.

The Directive was adopted by the European Parliament on July 6th 2016 and entered into force in August 2016. Member states have 21 months to transpose the directive into their national laws and 6 months more to identify operators of essential services.

The proposed EU's e-Privacy Regulation stipulates that firms must inform users of security risks when they identify them and, if the risk "lies outside the scope of the measures to be taken by the service provider", inform them of the remedies that users can take and provide an indication of the likely costs involved. As a result of this requirement, firms that are not able to remedy security risks timely would put themselves at greater risk in disclosing the vulnerabilities of their system to their users, increasing the risk of data breaches by actors capable of exploiting them. This is the case, for example, if information on security risks is leaked to the wider public.

According to the e-Privacy Directive (Directive 2002/58/EC) and Regulation 611/2013, personal data breaches in electronic communication services must be notified to the competent national authority. Notification to the authority shall be done no later than 24 hours after the detection of the personal data breach where feasible, extensible to 72 hours in some cases. When the personal data breach is likely to adversely affect the personal data or privacy of a data subject, the data controller shall also notify the data subject of the breach without undue delay.

An opinion adopted by the Working Party 29 on 25 March 2014 expanded the personal data breach notification requirement in the e-Privacy Directive to controllers beyond electronic communication providers. The General Data Protection Regulation, effective since May 2018, enshrines this measure into EU law.

The proposed e-Privacy Regulation will replace the e-Privacy Directive. It is currently unclear how the overall regime will change as a result.

Since May 2018, the General Data Protection Regulation requires that organizations conducting "regular and systematic monitoring of data subjects on a large scale" or whose activities include the processing of sensitive personal data on a large scale, must appoint a Data Protection Officer (DPO). Previously, only European institutions and bodies were required to appoint at least one person as a DPO, with some Member States imposing such requirements also on private companies.

In May 2014, the European Court of Justice ruled that individuals are entitled to seek the deletion of links on search engines about themself if "the data appear to be inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed and in the light of the time that has elapsed". The ruling is therefore recognizing the so-called right to be forgotten.

The General Data Protection Regulation enshrines the right to be forgotten under the "right to erasure", stipulating that this right should be enforced "without undue delay". Finally, should the controller have made the personal data public, it has to erase the personal data, and take reasonable steps to inform controllers which are processing the personal data that the data subject has requested the erasure of the data.