Data protection and digital issues in 2024

The first quarter of 2024 has flown by and it’s time to tackle new projects! To keep you up to date in the area of data protection and digital matters, we have summarized some of the most important developments in 2024 for you.

Digital Services Act

The “Digital Services Act” (DSA), which aims to prevent illegal or harmful online activities and the spread of dis­information, currently only applies to very large online platforms (“VLOPs”) and very large online search engines (“VLOSEs”). The entire set of rules has applied since ­17 February 2024 and therefore also applies to smaller platforms as a result. By means of a graduated regulatory system, various due diligence obligations now apply to ­online platforms, in particular the obligation to remove illegal content quickly and efficiently. EU Member States are ­required to create the corresponding foundations and powers for their national authorities to enforce the new EU law by the aforementioned deadline. A draft bill for an implementing law has been available in Germany since 4 August 2023 and was approved by the Federal Cabinet on 20 December 2023. The first reading in the Bundestag took place on 18 January 2024. The transposition period of the DSA could therefore not be met and the legislation process is still ongoing.

Artificial Intelligence Act

The “Artificial Intelligence Act” (AI Act), which was drafted in April 2021, was adopted by the European Parliament on 13 March 2024. The AI Act lays down harmonized rules for the placing on the market, putting into service or use of AI systems within the EU and is intended to promote innovation as well as reduce AI-correlated risks. It provides transitional regulations from the time it enters into force (expected May 2024). After six months (expected November 2024), prohibited practices in the AI sector (Art. 5 AI Act) must be shut down. The AI Act will take full effect from mid-2026.

Data Act

The “Regulation on Harmonized Rules on Fair Access to and Use of Data” (Data Act), which was published on 13 December last year, entered into force on 11 January 2024. However, the Data Act will not apply until 20 months after its entry into force, from 12 September 2025. The aim of the regulation is to enable increased and better use of data in various areas of life in the future. To this end, the Data Act regulates, for example, the transfer of data ­between companies and consumers (B2C), between companies themselves (B2B) and also – in narrow exceptional cases – to public authorities (B2G). There are also pro­visions prohibiting abusive contractual clauses for data access and data use between companies, as well as contractual regulations and technical implementations when switching between data processing services (so-called cloud switching).

Digital Act and Health Data Utilization Act

The German legislator also has plans. On 30 August 2023, the Federal Cabinet passed the “Act to Accelerate the Digitalization of the Healthcare System” [Entwurf eines Gesetzes zur Beschleunigung der Digitalisierung des Gesundheitswesens] (Digital Act) and the “Act on the ­Improved Use of Health Data” [Entwurf eines Gesetzes zur verbesserten Nutzung von Gesundheitsdaten] (Health Data Use Act). The Digital Act aims to introduce electronic patient files from 2025, further develop electronic prescriptions and create new rules for telemedicine. The Health Data Use Act aims to improve the availability of health data, particularly for public welfare purposes. Both laws were passed by the Bundestag on 14 December 2023 and are expected to be passed by the Bundesrat on ­2 February 2024.

Regulating short-term rental platforms

Less well known, but with a potentially major impact on the daily lives of many people, is the draft “Regulation on data collection and sharing relating to short-term accommodation rental services”, which is intended to enable ­national control of short-term rental platforms such as Airbnb. The Regulation aims to introduce clear rules for data sharing and harmonized administrative procedures within the EU in order to better tackle illegal holiday ren­tals in major cities and enforce local regulations. An agreement on the Regulation was reached in trilogue on ­16 November 2023, which was approved by the European Parliament in February 2024. After the Regulation enters into force, short-term rental platforms will have two years to implement the ­necessary data sharing mechanisms.

NIS-2 Implementation Act

The “Directive on measures for a high common level of cybersecurity across the Union” (NIS 2 Directive), which provides for numerous legal measures to increase the overall level of cybersecurity in the EU and introduces various innovations compared to the first version of the NIS Directive from 2016, came into force in 2023. EU Member States are now required to implement the Directive into national law by 17 October 2024. A correspon­ding draft bill from the Federal Ministry of the Interior and for Home Affairs is already available.

Cyber Resilience Act

From smartwatches and baby monitors to other products and software that contain a digital component and are not already covered by existing regulations, the Cyber Resi­lience Act (CRA) is intended to protect consumers and businesses that buy or use software or products with a digital component. Inadequate security features will ­become a thing of the past with the introduction of mandatory cyber security requirements at every stage of the supply chain. Software and products that are connected to the internet should be CE marked. While the European Parliament approved the CRA on 12 March 2024, it is not expected to enter into force before mid-2024.

Recording digital working time

According to the rulings of the European Court of Justice of 14 May 2019 (C-55/18) and the Federal Labor Court [Bundesarbeitsgericht] of 13 September 2022 (1 ABR 22/21), employers are obliged to introduce and apply a system to record the daily working hours of their employees. A draft by the Federal Ministry of Labor on the structure of ­recording working time in the Working Hours Act, which was published on 18 April 2023, is intended to specify this obligation and put it on a legal basis. The draft, which ­requires employers to digitally record the start, end and duration of employees’ daily working hours, is contro­versial and is considered too inflexible. The legislative process has not progressed since then, but due to considerable pressure on the issue, developments are expected in 2024. The “Working Hours Act” task force of the Bundesverband der Wirtschaftskanzleien in Deutschland (BWD) has published a position paper on this subject, which is well worth reading (see here).

Employee Data Protection Act

Will it really happen this time? In 2024, the question still remains as to whether the Employee Data Protection Act [Beschäftigtendatenschutzgesetz], which has been awaited for over a decade, will enter into force. The draft law envisaged in the coalition agreement and announced in the Federal Government’s data strategy for 2023 is expected to be available by mid-2024. In any case, the arguments for and against are very well known (see here).

Markets in Crypto-Assets Regulation

The “Markets in Crypto-Assets Regulation” (MiCA) is ­intended to provide legal certainty for crypto assets – cryptocurrencies, security tokens and stablecoins. MiCA is intended to ensure risk-appropriate regulation of ­distributed ledger technology and virtual assets in the EU by increasing the protection of investors and contributing to the functioning of the markets. The MiCA was ­approved by the EU Parliament on 20 April 2023 and published in the Official Journal of the European Union on 9 June 2023. Some provisions are due to enter into force as early as July 2024, while the majority will not take effect until early 2025.

Revised Product Liability Directive

On 14 December 2023 the EU Parliament and the Council reached a political agreement on the revised Product ­Liability Directive (see here). This is intended to replace the current Product Liability Directive, which dates back to 1985. In particular, the area of new digital technologies, including software and AI ­systems, will be taken into ­account and product liability regulations will be tightened. The vote in the European Parliament is scheduled for 10 April 2024, with entry into force expected in mid-2024.

EU Digital Identity Wallet

Identity cards, drivers’ licenses, health certificates, bank accounts and more – all of these will be subject to a single framework for trusted and secure digital identity, enabling universal access to secure and trusted electronic identification and authentication for public and private services in the EU. The agreement following the trilogue negotiations in February 2024 still needs to be adopted by the European Parliament. The corresponding implementing provisions will be adopted 6 and 12 months after the adoption of the Regulation. 24 months after the adoption of the relevant implementing provisions setting out the technical specifications for the EUid wallet and its certification, EU Member States will have to make EUid wallets available to their citizens. EUid wallets are therefore not expected to be available before 2026/2027.

Legal and ethical guidelines for the metaverse

The EU Parliament has published a draft report discussing the legal and ethical challenges involved in developing ­virtual worlds and the metaverse. The report places ­particular emphasis on standardized definitions, ethical guidelines, data protection and the applicability of EU law. The vote in the European Parliament took place on ­15 January 2024.

Pact for accelerating planning, approval and implementation

Planning and approval procedures will be accelerated. On 6 November 2023, the Federal Chancellor and the leaders of the Federal States in Germany concluded a pact to accelerate planning, approval and implementation [Pakt für Planungs-, Genehmigungs- und Umsetzungsbeschleunigung] to digitize and accelerate planning and approval processes in Germany and thus secure the competitiveness of Germany. The acceleration will be decisive for ­several core areas such as digitalization, the energy tran­sition, improving infrastructure and achieving climate targets, and will be incorporated into the legislative process in a timely manner. The first results of the federal-state pact should be available in the first quarter of 2024.