digital economy regulation

This week’s edition features stories about the adoption of the Data Governance Act; an insight by the European Parliament rapporteur into the final agreement on the revised directive on the security of network and information systems; another milestone in the process of formal adoption of the Digital Markets Act; and draft guidance for consultation by European data protection authorities on the calculation of fines for data protection infringements and the use of facial recognition by law enforcement authorities. It also lists events taking place this week.

The French data protection authority (CNIL) published criteria to assess the lawfulness of cookie walls (i.e. the practice of denying access to a website or app by users who do not accept to be tracked). The criteria investigate whether a “real and fair” alternative is offered when the user decides to not give consent to the storage of cookies for accessing a website or a service.

The UK government is consulting until 29 June 2022 on a voluntary code of practice which will set minimum security and privacy requirements for application store operators (e.g. Google Play Store, Apple App Store), as well as app developers. App store operators and developers would be jointly responsible to implement for each app in the store a vulnerability disclosure process, including “clearly visible contact details” to enable users or security researchers to easily notify security flaws. They would also have to explain why an app requires access to a user’s contacts and location data to function.

This week’s edition features stories about the provisional agreement reached by EU institutions on the draft revised directive on the security of network and information systems (NIS2); a report by the NIS Cooperation Group on the security implications of open radio access network (open RAN) technology for 5G networks; another step towards the adoption of the draft Digital Markets Act; the opinion of an adviser to the EU top court on whether telecoms providers should obtain subscribers’ consent before including their contact details in directories; and a summary of Cullen International’s regulatory briefing on the draft Data Act. It also lists events taking place this week.

The Advocate General of the Court of Justice of the EU considered that telecoms operators and other directory service providers should obtain consent from subscribers before including their contact details in directories pursuant to the e-Privacy Directive and the General Data Protection Regulation. Moreover, data controllers should take appropriate measures to allow the exercise of the right to erasure when a subscriber submits a request of removal of personal data from directories.

Slovak telecoms regulator, RÚ, published guidance on cookies, focusing on attributes of a valid consent. The guidance includes examples of cookie banners which RÚ considers (non-)compliant.