The Digital Services Act 2024 was signed into law last month. This legislation formally designates and empowers Coimisiún na Meán as the Irish Digital Services Coordinator and the Competition and Consumer Protection Commission as a competent authority with specific responsibility for online marketplaces under the EU Digital Services Regulation. See a more in-depth discussion about the changes brought about by the Digital Services Act here.
At the end of 2023, the EU marked a milestone when the co-legislators reached preliminary agreement on the text of the Artificial Intelligence Act. We wrote about the implications of the AI Act on business and the steps needed to prepare for its implementation here. The Act had not yet been finalised and will only enter into force twenty days after it is published in the Official Journal of the EU. We will continue to monitor developments on the AI Act and expect to see some movement in this area soon, given the time pressure to finalise the text before the European Parliament elections in June 2024.
Last year, the CJEU delivered a number of landmark decision on the award of damages under the GDPR and provided welcome clarity on the interpretation of the legislation. The CJEU shows no sign of slowing in this area. In December 2023, we reported on the case of Gesamtverband Autoteile-Handel v Scania C-319/22 on whether a Vehicle Identification Number constituted personal data for the purpose of the legislation. We also discussed the decisions in C-683/21 and C-807/21, where the CJEU rejected the application of a strict liability test for imposing fines under the GDPR.
Domestically, we have also seen a growing body of case law in this area. The Irish High Court recently published a significant judgment in Nolan & Ors v Dildar & Ors [2024] IEHC 4. The decision addresses the scope of data controllers' liability to data subjects for infringement of their rights. Although the case was brought under the Data Protection Acts 1988 and 2003, it is nonetheless a significant decision as it indicates the potential quantum of damages that may be awarded to data subjects bringing compensation claims for damage suffered due to data protection violations under the new regime. We discuss the implications of that decision here. At the start of the year, section 77 of the Courts and Civil Law (Miscellaneous Provisions) Act 2023 was commenced, expanding the jurisdiction to hear infringement proceedings under the Data Protection Act 2018 to the District Court. The monetary jurisdiction in these cases will be the same as the existing monetary jurisdiction of the District Court (€15,000). The extension of the jurisdiction to the District Court is likely to increase the prevalence of damages claims for a breach of data protection, particularly in circumstances where damages can be recovered for non-material loss.
ACTS AWAITING COMMENCEMENT
Date signed into law: 11 February 2024
The Digital Service Act was passed to give in Ireland to certain provisions of the EU Digital Services Act (Regulation (EU) 2022/2065). The DSA was adopted on 16 November 2022 and applied to the 19 Very Large Online Platforms ("VLOPs") and Very Large Online Search Engines ("VLOSEs") from 25 August 2023. The European Commission has primary responsibility for regulating the VLOPs and VLOSEs, but will do so in concert with national authorities.
As an EU Regulation, most of provisions of the DSA have direct effect without the need for any national implementing measures. However, national legislation is necessary to give effect to the supervision and enforcement provisions of the DSA. The Bill provides that Coimisiún na Meán shall be designated as the Irish Digital Services Coordinator and competent authority under the DSA, as well as designating the Competition and Consumer Protection Commission ("CCPC") as a competent authority for Articles 30, 31 and 32 of the DSA, which relate to online marketplaces.
In particular, Coimisiún na Meán and the CCPC will have power under the Bill to: undertake investigations into infringements of the DSA; issue compliance notices and orders to end a contravention; enter into commitment agreements with intermediary service providers; apply for an order to block access to an intermediary service; and impose administrative fines and/or daily penalty payments, in circumstances of ongoing infringement, up to the maximum limits set out in the DSA. The Bill also provides for a number of criminal offences.
Latest stage: Fully commenced on 16 February 2024.
Date signed into law: 7 November 2022
This act consolidates and updates existing consumer protection laws that regulate consumer contracts, as well as introducing new and enhanced consumer protection measures, particularly in the area of digital goods and services. The act gives effect to a number of EU consumer rights directives, including, inter alia, the following:
· Directive 2019/770 on certain aspects concerning contracts for the supply of digital content and digital services (The Digital Contents Directive)
· Directive 2019/771 on certain aspects concerning contracts for the sale of goods (The Revised Sale of Goods Directive); and
· The main provisions of Directive 2019/2161 on the better enforcement and modernisation of EU consumer protection rules (The Omnibus Directive). This Directive itself amends the Unfair Contract Terms Directive 93/13/EEC; the Unfair Commercial Practices Directive 2005/29/EC; the Consumer Rights Directive 2011/83/EU, and the Price Indication Directive 98/6/EC.
Latest stage: The whole act, other than s.161, has been commenced. There has been no update since the Autumn Horizon Tracker.
Online Safety and Media Regulation Act 2022
Date signed into law: 10 December 2022
This act provides for the establishment of a Media Commission, Coimisiún na Meán, and the dissolution of the Broadcasting Authority of Ireland. The legislation introduces a regulatory framework for online safety to tackle the spread and amplification of harmful online content, as well as updates to the regulation of audiovisual media services and the implementation of the revised Audiovisual Media Services Directive.
Latest stage: The act was partially commenced on 15 March 2023 by SI 71/2023 but a number of sections await commencement.
Communications Regulation and Digital Hub Development Agency (Amendment) Act 2023
Date signed into law: 2 March 2023
This act transposes Directive 2018/1972 establishing the European Electronic Communications Code (Recast). The legislation will update the enforcement regime for the Commission for Communications Regulation, as well as introducing new consumer protection measures such as an enhanced alternative dispute resolution process, compensation schemes, and a "Customer Charter" amongst others. The legislation will also amend the Communications Regulation Act 2002.
Latest stage: Full Act commenced. Section 17 was amended by SI 300/2023 European Union (Electronic Communications Code) (Amendment) Regulations 2023. The Communications Regulation and Digital Hub Development Agency (Amendment) Act 2023 (Regulatory Provisions) Regulations 2023 were passed on 13th June 2023.
Communications (Retention of Data) (Amendment) Act 2022
Date signed into law: 21 July 2022
The Communications (Retention of Data) (Amendment) Act 2022 (the "Amendment Act") amends the Communications (Retention of Data) Act 2011. It is intended to address the impact of recent EU case law relating to the Graham Dwyer murder conviction. The CJEU delivered a judgment in the Dwyer case in April 2022, confirming that Irish law is inconsistent with EU law, insofar it allows the general and indiscriminate retention of traffic and location data for the purposes of 'combating serious crime'. The Amendment Act provides that the general and indiscriminate retention of traffic and location data is only permitted on 'national security grounds', where approved by a designated judge following an application by the Minister of Justice. The Amendment Act is only intended to be a temporary fix to allow more time for overhaul of the 2011 Act. The government has announced that it will bring forward a set of wider reforms to clarify and consolidate the law on data retention. Heads of a new bill entitled the "Communications (Data, Retention and Disclosure) Bill" are in preparation.
Latest stage: The whole act has been commenced.
IRISH PROPOSED LEGISLATION
Communications (Data, Retention and Disclosure) Bill
This bill will consolidate and replace the current Communications (Retention of Data) Act 2011.
Latest stage: Heads of bill in preparation.
National Cyber Security Bill
This bill will establish the National Cyber Security Centre of Ireland ("NCSC") on a statutory basis and provide for related matters including clarity around its mandate and role.
Latest stage: Work is underway.
Criminal Justice (Protection, Preservation of and Access to Data on Information Systems) Bill 2023
This bill proposes to give effect to those provisions of the Council of Europe Convention on Cybercrime 2001 not already provided for in national law in order to enable ratification of the Convention.
Latest stage: Work is underway.
Interception of Postal Packets and Telecommunications Messages (Regulation) (Amendment) Bill
This bill proposes to amend various pieces of legislation in respect of electronic communications.
Latest stage: Work is underway.
STATUTORY INSTRUMENTS
European Union (Electronic Communications Code) Regulations 2022 (S.I. 444/2022)
Alongside the Communications Regulation and Digital Hub Development Agency (Amendment) Act 2023, which was recently signed into law (see above), these regulations give effect to Directive (EU) 2018/1972 establishing the European Electronic Communications Code (the "EECC"). The EECC addresses developments in the electronic communications sector, particularly the emergence of Over the Top ("OTT") service providers, as well as updating a number of key areas to ensure that the EU's regulatory framework is suitable for the digital age. Under these regulations, the Commission for Communications Regulation is appointed as the national regulatory authority to oversee and enforce the rules.
Latest stage: These regulations have yet to be commenced.
EU DIRECTIVES AWAITING IMPLEMENTATION
NIS2: Directive on Measures for a High Common Level of Cybersecurity across the Union
Date published: 27 December 2022
This proposed revision to the Network and Information Security Directive (Directive (EU) 2016/1148) will strengthen the security requirements, address the security of supply chains, streamline reporting obligations, and introduce stricter enforcement requirements, including harmonised sanctions across the EU to address the growing threats posed by digitalisation and the surge in cyber-attacks. Once adopted, it will replace Directive 2016/1148.
Transposition date: 18 October 2024
EU REGULATIONS
Procedure reference: 2022/0047/COD
Date published: 23 February 2022
This regulation aims to increase legal certainty for consumers and businesses to access data generated by the products or related services they own, rent or lease. It will maximise the value of data in the economy and establish fairness by putting in place rules on the use of data created by Internet of Things (“IOT”) devices and related services.
Latest stage: Published in the EU Official Journal on 13 December 2023, and entered into force on 2 January 2024. It will apply from 12 September 2025.
Digital Operational Resilience Act ("DORA")
Date published: 27 December 2022
DORA is designed to consolidate and upgrade Information and Communications Technology ("ICT") risk requirements throughout the financial sector to ensure that all participants of the financial system are subject to a common set of standards to mitigate ICT risks for their operations. DORA aims to ensure that all participants in the financial system have the necessary safeguards in place to mitigate cyber-attacks and other risks. It will also introduce an oversight framework for critical ICT third party providers, including cloud service providers.
Latest stage: Published in the EU Official Journal on 28 December 2022, and entered into force on 16 January 2023. It will apply from 17 January 2025.
Date published: 15 December 2020
This regulation is part of the European Digital Strategy, “Shaping Europe’s Digital Future”, announced in December 2020 which aims to upgrade the rules governing digital services in Europe. This regulation will create harmonised rules defining and prohibiting certain unfair practices by “gatekeeper” platforms (providers of core platform services) and introduces a new competition tool to deal with structural competition problems across markets which cannot be tackled or addressed using existing competition rules. The measures include new powers for the Commission to conduct market investigations.
Latest stage: Published in the EU Official Journal on 12 October 2022, and entered into force on 1 November 2022. Most of the DMA provisions applied as of 2 May 2023.
Date published: 27 October 2022
This regulation is one of two legislative initiatives announced by the Commission as part of the European Digital Strategy, “Shaping Europe’s Digital Future”, announced in December 2020, which aims to upgrade the rules governing digital services in Europe. It is intended to update the eCommerce Directive and regulate the provision of digital services by: (i) online intermediaries; (ii) hosting services; (iii) online platforms; and (iv) very large online platforms (“VLOPs”) and very large online search engines ("VLOEs") ie, online platforms and search engines that reach 45 million or more average monthly users in Europe.
Latest stage: Entered into force on 16 November 2022. It will apply from 17 February 2024, except for certain provisions applicable to VLOPs and VLOEs. The DSA will apply to VLOPs and VLOEs from four months after their designation as same by the European Commission. The proposed Digital Services Bill will implement the act.
Date published: 3 June 2022
The purpose of this regulation is to establish a framework to facilitate general and sector-specific data-sharing (including data of public bodies, private companies and citizens). The regulation provides for:
· A reuse regime for certain categories of public sector data
· A framework for data intermediation services which aims to establish commercial relationships for the purposes of data sharing between data subjects, data holders and data users
· Contribution to data altruism and the creation of common safeguards to increase trust in recognised data altruism organisations
Latest stage: Published in the EU Official Journal on 3 June 2022, and entered into force on 23 June 2022. It shall apply from 24 September 2023.
EU DRAFT LEGISLATION
Procedure reference: 2017/0003 (COD)
Date published: 10 January 2017
This proposal forms part of the EU Digital Single Market Strategy. The proposed regulation has been amended on a number of occasions. An update to the 2002 Marketing ePrivacy Directive was seen as necessary to address new technological and market developments as well as the emergence of new techniques for tracking users’ online behaviour. The proposed ePrivacy Regulation will repeal the 2002 ePrivacy Directive and will complement the GDPR.
Latest stage: First reading in the Council.
Procedure reference: 2022/0303/COD
Date published: 28 September 2022
The purpose of this directive is to address shortcomings in liability rules where artificial intelligence ("AI") systems are used, setting out standardised rules for access to information and easing the burden of proof in relation to AI claims.
Current liability rules, particularly fault-based rules, are not suitable for handling AI liability claims. Because of the complex nature of AI, specifically the so-called "black box" effect, it is difficult for victims to successfully prove the requirements for their claims. To help claimants overcome the challenges in establishing a causal link between fault, based on non-compliance with duty of care requirements, and output by AI systems, a 'presumption of causality' is introduced in the proposal. The presumption is rebuttable however and claimants are required to meet a number of conditions such as demonstrating that the output produced by the AI system gave rise to the damage in question. In cases where high-risk AI is involved, claimants will also have a right of access to information from companies.
Latest stage: First reading in the Council.
Procedure reference: 2021/0106 (COD)
Date published: 21 April 2021
In proposing a regulatory framework on AI, the Commission has identified the following specific objectives:
- to ensure that AI systems placed and used on the EU market are safe and respect existing law on fundamental rights and EU values;
- to ensure legal certainty to facilitate investment and innovation in AI;
- to enhance governance and effective enforcement of existing law on fundamental rights and safety requirements applicable to AI systems; and
- to facilitate the development of a single market for lawful, safe and trustworthy AI applications and prevent market fragmentation.
While acknowledging that AI is a fast-evolving and strategic technology with tremendous opportunities, the Commission believes that some uses of AI pose specific significant risks to the application of various EU rules designed to protect fundamental rights, ensure safety and attribute liability.
Latest stage: On 8 December 2023, provisional agreement was reached following informal trilogue negotiations between the Council, Parliament and Commission.
Procedure reference: 2022/0272/COD
Date published: 15 September 2022
This regulation introduces cybersecurity requirements for products with digital elements. It aims to bolster cybersecurity rules to ensure more secure hardware and software products.
Latest stage: First reading in the Council.