1. Increased focus on IT resilience
The EU Digital Finance Package includes a proposal for a regulation on digital operational resilience for the financial sector (DORA). DORA is expected to be finalised before the end of this year and to enter into force in 2024. The reform that followed the 2008 global financial crisis focused on financial resilience. Fourteen years on, it is clear that digital and information communication technologies (ICT) give rise to risks and opportunities for the financial sector. These risks need to be properly understood and managed, especially in times of stress. DORA signals that Brussels is committed to doing so. DORA focuses not only on cybersecurity, cloud computing and outsourcing but on the entire ICT ecosystem, addressing governance, ICT risk management requirements, ICT-related incident reporting, digital operational resilience testing, information sharing and ICT third-party risks. The last of these means that critical ICT third-party service providers will be subject to EU oversight: DORA subjects ICT third-party service providers to oversight by the regulators responsible for the financial services sector and empowers those regulators to control ICT risks. Now that most financial institutions and ICT service providers have a good grip on the GDPR, it’s time to start preparing for DORA.
2. Harmonisation of consumer protection
In the Netherlands, the EU Digital Content Directive will be implemented by means of a new title in Book 7 of the Civil Code. The new bill is closely aligned with the existing consumer sales legislation, which will be amended to implement the EU Sale of Goods Directive. As opposed to their predecessors, these directives provide for maximum harmonisation to guarantee a uniform level of consumer protection in the area of digital goods, content and services throughout the EU. National differences will no longer be allowed. The deadline to implement both directives was 1 July 2021, and the new national legislation should have entered into force on 1 January 2022. However, in the Netherlands, the new bill was only recently discussed in Parliament. In the meantime, the provisions of both directives are already applicable (if necessary, pursuant to directive-compliant interpretation). The directives cover topics such as the conformity of goods with the sales contract, remedies in the event of noncompliance and the associated burden of proof as well as the interoperability and compatibility of digital content.
3. Anything data
In 2022, we expect to see an increase in enforcement actions by the Dutch Data Protection Authority (DDPA). On 13 January 2022, the DDPA announced it was investigating two complaints regarding the use of Google Analytics. Further to this announcement, the Dutch Financial Times reported on 7 February 2022 that the DDPA had concluded that the Dutch websites needed to immediately stop using IAB Europe’s widely used advertising system, as it appeared to violate the GDPR. Moreover, the DDPA imposed a record fine of EUR 2.75 million on the Dutch Tax Administration. In addition, we expect to see privacy-related developments in various class actions brought under WAMCA (Wet afwikkeling massaschade in collectieve actie), including a case against TikTok (claiming EUR 6 billion). In the context of cookies, there is a chance that the long-awaited e-Privacy Regulation will enter into force this year. In the Netherlands, this regulation would replace the relevant provisions of the Dutch Telecommunications Act (Telecommunicatiewet).
Other EU legislative initiatives to watch include the Digital Services Act, the Digital Markets Act, the Data Governance Act, the Data Act, the Artificial Intelligence Act, the EU Whistleblowing Directive, and the NIS2 Directive. Meanwhile, with regard to GDPR compliance, all international data transfer agreements based on earlier versions (from 2001, 2004 or 2010) of the EU standard contractual clauses (SCCs) will have to be updated and replaced by the 2021 SCCs (or another appropriate data transfer mechanism) by 27 December 2022. Accordingly, data transfer impact assessments will have to be conducted for the non-EEA countries to which personal data are transferred. On a related note, the final version of the European Data Protection Board’s Guidelines 05/2021, which clarify the concept of an international data transfer, is expected to be adopted later this year. Moreover, we expect further guidance and recommendations to be published in accordance with the EDPB’s Work Programme 2021/2022.
4. Continued focus on artificial intelligence (AI)
With the development and deployment of AI systems constantly increasing in all areas, both AI developers and users should keep track of the legislation currently being proposed at the EU level. The European Parliament’s resolution on a civil liability regime for AI (issued on 20 October 2020) includes a proposed statutory framework for civil liability claims and a regime of strict liability for the operators of high-risk AI systems. Against the backdrop of this resolution (and others covering e.g. IP and ethics), the European Parliament’s Special Committee on AI in a Digital Age (AIDA) presented its draft report in November 2021. While the aim is for the EU to be the leader in setting global standards in terms of AI, the committee warns that the EU is currently falling behind in the global tech race. The draft report stresses that it is necessary to speed up and streamline legislative and governance processes when it comes to digital policy. The draft report will be put to a vote in committee in March 2022, followed by a plenary debate and vote in May 2022. Given the report’s urgent call for action, we can expect to see much more activity in this area throughout 2022.
5. The metaverse
The metaverse will allow companies to engage with their current client base in new ways as well as reach new audiences. More metaverse platforms are expected to be launched in 2022, giving rise to a matrix of legal implications. For example, technology companies may have to agree to certain metaverse standards so that they can operate amongst different creators and each metaverse is accessible from all devices involved. Content owners will need to start thinking about how to police copyright infringement in the metaverse, and content licensees will need to review their licence agreements to make sure their rights also cover the metaverse. It would also seem sensible to extend trademark protection to include the metaverse and to consider the patent, copyright and design right implications of this shift to the virtual, which may even warrant other business or licensing models.