Home / People / Katalin Horváth
Portrait of Katalin Horváth

Katalin Horváth

Senior Counsel

Contact
CMS Cameron McKenna Nabarro Olswang LLP Magyarországi Fióktelepe
YBL Palace
Károlyi utca 12
1053 Budapest
Hungary
Languages Hungarian, English, German

Katalin Horváth is a senior counsel in the commercial team of CMS Budapest, where she specialises in software, IT and IP law, legal regulation of artificial intelligence and data protection matters. Besides these she has extensive experience in copyright-, IT-, software- and internet law, with a particular focus on online and mobile services, payment solutions, web stores and fintech services. Katalin has an up-to-date knowledge in relation to artificial intelligence and new technologies, such as blockchain, IoT, robots and drones. 

She regularly publishes articles in relation to data protection, artificial intelligence and copyright law matters and she participates conferences in relation to software law and data protection, such as she regularly participates in HWSW Mobile! Conference. 

Katalin is member of the Hungarian AI Coalition and she helps the establishment of the national MI strategy as technology legal expert. 

Before joining CMS, she gained considerable experience in preparing agreements in relation to software, IT operation and copyrighted works, as well as film production agreements. She is member of Council of Copyright Experts.
 

more less

"Deep understanding of Hungarian copyright law."

Chambers, 2021

Relevant experience

  • The largest oil and gas company in the region on their digitalisation projects and smart office campus. Our support included complex data protection matters, full GDPR compliance and several digitalisation projects.
  • Hungarian AI Coalition on formulating the Hungarian AI strategy and advising on specific AI projects such as setting up an AI regulatory roadmap, formulating a response to the EU White book on AI, ethics of artificial intelligence, automated vehicles, quantum computing or fundamental rights & consumer protection and AI.
  • A major IT company on software, IT, other technology law related cases on a daily basis, including elaborating the company’s new contractual structure and contracts for software development, support services, software licensing, server hosting, cloud-based IT services and data processing.
  • Microsoft on a full range of legal matters, among others on various regulatory matters, such as the profiling requirements under the draft EU Data Protection Regulation, permitted use of social media videos, and government surveillance rights; on a software use audit; on assessing the feasibility of cloud services in the healthcare sector and in the public sector and on preparing various template agreements, data privacy / cloud / used software information materials.
  • UPC DTH on a complex cross-border 4 jurisdictions GDPR project where we are elaborating the data protection and GDPR structure of the company, preparing all documentations, policies, agreements, statements necessary for GDPR compliance including GDPR issues concerning employees, suppliers, subscribers, online webpages, cookies, call centres.
  • Partner in Pet Food on continuous advice in GDPR compliance and data protection matters in Hungary, the Czech Republic, Slovakia, Poland and the Netherlands.
  • Dr. Lenkei group on elaborating the data processing strategy, methods and system of the 6 legal entities of the Dr. Lenkei company group in a cross-border GDPR project. We prepared all documents, elaborated data protection internal processes necessary for GDPR compliance and created a unique joint controller structure within the company group for certain type of data processing.  We successfully advised the company group in connection with its Facebook pages and marketing activities as well as related to cookie consent.
  • A leading electronics company on data protection matters and GDPR compliance, such as the introduction of an HR system and contract management system; the establishment and use of a cross-border customer database; the use of internal policies; the implementation of data storage practices; conducting DM and electronic advertisement activities; the introduction of a customer loyalty program and the processing of customer ratings; conducting e-commerce and various online operations; data collection practices through mobile devices; employment related data processing; the processing of personal data via Smart TVs; monitoring of employee GPS data and the collection of location data.
more less

Memberships & Roles

  • Council of Copyright Experts
  • Hungarian Copyright Forum
  • LIDC (International League of Competition Law)
  • Hungarian Association for the Protection of Industrial Property and Copyright
  • Budapest Bar Association
more less

Education

  • 2005 - Doctor of Law, Cum laude, Faculty of Law, Eötvös Lorand Science University
more less

Feed

06/08/2021
Hun­gari­an tour­ism sec­tor faces new man­dat­ory data re­port­ing rules
For se­cur­ity reas­ons, ac­com­mod­a­tion pro­viders and those wish­ing to use ac­com­mod­a­tion ser­vices are re­quired to provide ex­tens­ive ad­di­tion­al in­form­a­tion on guest iden­tit­ies. From 1 Septem­ber 2021, ac­com­mod­a­tion...
30/07/2021
EDPB is­sues draft Guidelines on codes of con­duct for data trans­fers
The European Data Pro­tec­tion Board (EDPB) is­sued its draft Guidelines 04/2021 on the codes of con­duct to be used as a tool for fa­cil­it­at­ing data trans­fers. These guidelines are the second in a series...
16/06/2021
EDPB ap­proves first EU GDPR Code of Con­duct for Cloud Ser­vice Pro­viders
Fol­low­ing the sub­mis­sion by the Bel­gian Data Pro­tec­tion Au­thor­ity, on May 19 the European Data Pro­tec­tion Board (EDPB) ap­proved the EU Cloud Code of Con­duct with sub­sequent fi­nal ap­prov­al by the Bel­gian...
15/06/2021
New GDPR Code of Con­duct ap­proved for Cloud In­fra­struc­ture Ser­vice Pro­viders
The European Data Pro­tec­tion Board (EDPB) and the French Data Pro­tec­tion Au­thor­ity (CNIL) ap­proved the CISPE Data Pro­tec­tion Code of Con­duct of Cloud In­fra­struc­ture Ser­vice Pro­viders in Europe (CISPE...
11/06/2021
EDPB is­sues Re­com­mend­a­tion on cred­it card data stor­age for one-click pay­ments
The European Data Pro­tec­tion Board (EDPB) has ad­op­ted a new re­com­mend­a­tion on the leg­al basis for the stor­age of cred­it card data by e-com­merce mer­chants for the pur­pose of one-click pay­ment of fur­ther...
03/05/2021
Hun­gary: HUF 10 m fine levied for data breach re­lated to COV­ID-19 rap­id...
The Hun­gari­an Na­tion­al Au­thor­ity for Data Pro­tec­tion and Free­dom of In­form­a­tion (NAIH) has im­posed a HUF 10 mil­lion fine on the 11th Dis­trict Pub­lic Health De­part­ment of the Gov­ern­ment Of­fice of the Cap­it­al...
26/04/2021
European Com­mis­sion pro­poses first leg­al frame­work on AI
Over the last two years, the EU has paved the way for a uni­form leg­al frame­work for the de­vel­op­ment, mar­ket­ing and use of AI that con­forms with Uni­on val­ues. As a res­ult, on 21 April 2021 the European...
14/04/2021
Di­git­al Ser­vices Act (DSA): A new leg­al frame­work for the plat­form eco­nomy
The European Com­mis­sion has is­sued the draft pro­pos­al for the Reg­u­la­tion on a Single Mar­ket for Di­git­al Ser­vices (Di­git­al Ser­vices Act, the “DSA”), which cre­ates a new leg­al frame­work for di­git­al ser­vices, amends the e-Com­merce Dir­ect­ive, and pre­pares the EU law for new and in­nov­at­ive in­form­a­tion so­ci­ety di­git­al ser­vices.The DSA sets out uni­form, har­mon­ised rules for in­ter­me­di­ary ser­vice pro­viders (the “ISPs”) to foster in­nov­a­tion, growth and com­pet­it­ive­ness, to bet­ter pro­tect con­sumers and their fun­da­ment­al rights on­line, to en­sure a safe, pre­dict­able and trus­ted on­line en­vir­on­ment, to of­fer more choices for users and less ex­pos­ure to il­leg­al con­tent, to provide ac­cess to busi­ness users to EU-wide mar­kets through plat­forms, and to fa­cil­it­ate the scal­ing up of smal­ler plat­forms, SMEs and start-ups. The new draft rules es­tab­lish:a frame­work for the con­di­tion­al ex­emp­tion from li­ab­il­ity of ISPs;rules on spe­cif­ic due di­li­gence and oth­er ob­lig­a­tions tailored to dif­fer­ent cat­egor­ies of ISPs;law en­force­ment rules and a new re­gime for co­oper­a­tion of and co­ordin­a­tion between the com­pet­ent au­thor­it­ies. 1. Which di­git­al ser­vice pro­viders are covered? The DSA cov­ers those ISPs, wheth­er es­tab­lished in or out­side the EU, that provide in­ter­me­di­ary ser­vices such as con­duit ser­vices, cach­ing ser­vices, host­ing ser­vices to re­cip­i­ents (users, busi­ness users, con­sumers, in­di­vidu­als and leg­al en­tit­ies us­ing the in­ter­me­di­ary ser­vices) hav­ing an es­tab­lish­ment or res­id­ence in the EU.The defin­i­tions of con­duit, cach­ing and host­ing ser­vice pro­viders re­mained the same as in the e-Com­merce Dir­ect­ive; the DSA only re­peats those e-Com­merce Dir­ect­ive defin­i­tions word-for-word.The draft reg­u­la­tion con­tains spe­cial ob­lig­a­tions for on­line plat­form host­ing pro­viders and very large plat­forms as a spe­cial cat­egory of on­line plat­forms, and defines those host­ing ser­vices as fol­lows:On­line plat­forms are pro­viders of host­ing ser­vices which store and make avail­able in­form­a­tion to the pub­lic at the re­quest of a re­cip­i­ent of the ser­vice, e.g. on­line mar­ket­places, app stores, col­lab­or­at­ive eco­nomy plat­forms and so­cial me­dia plat­forms. However, if stor­ing or mak­ing in­form­a­tion avail­able to the pub­lic is a minor and an­cil­lary fea­ture of an­oth­er ser­vice, and can­not be used without that oth­er ser­vice for ob­ject­ive and tech­nic­al reas­ons, the ser­vice does not qual­i­fy as an on­line plat­form. This is the situ­ation with the com­ment sec­tion in an on­line news­pa­per or email and private mes­saging ser­vices.Very large on­line plat­forms are on­line plat­forms which provide their ser­vices to a num­ber of av­er­age monthly act­ive re­cip­i­ents of the ser­vice in the EU equal to or high­er than 45 mil­lion. The list of very large on­line plat­forms is pub­lished in the Of­fi­cial Journ­al of the EU. 2. No change in the li­ab­il­ity of ISPs for in­form­a­tion stored or trans­mit­ted in their ser­vices The DSA does not change the li­ab­il­ity re­gime of ISPs for il­leg­al con­tent. It only re­peats the li­ab­il­ity pro­vi­sions of the e-Com­merce Dir­ect­ive word-for-word and also main­tains the e-com­merce rule that ISPs do not have a gen­er­al ob­lig­a­tion to mon­it­or the in­form­a­tion they trans­mit or store, or to act­ively seek facts or cir­cum­stances in­dic­at­ing il­leg­al activ­ity.As an ad­di­tion, the draft reg­u­la­tion stip­u­lates that ISPs can still refer to the ex­emp­tion of li­ab­il­ity even if they con­duct vol­un­tary self-ini­ti­ated in­vest­ig­a­tions or oth­er activ­it­ies aimed at de­tect­ing, identi­fy­ing and re­mov­ing, or dis­abling ac­cess to, il­leg­al con­tent, or take the ne­ces­sary meas­ures to com­ply with the re­quire­ments of EU law. 3. What are the new ob­lig­a­tions? The DSA stip­u­lates new ob­lig­a­tions on ISPs at dif­fer­ent levels. Com­mon ob­lig­a­tions ap­ply to all kind of ISPs, in­clud­ing on­line plat­forms and very large on­line plat­forms. Host­ing pro­viders have ad­di­tion­al ob­lig­a­tions, and the DSA con­tains spe­cial ob­lig­a­tions for on­line plat­forms com­pared to oth­er host­ing ser­vices. In ad­di­tion, very large on­line plat­forms have fur­ther ob­lig­a­tions to man­age sys­tem­ic risks. 3.1 Com­mon ob­lig­a­tions ap­plic­able to all ISPs Provid­ing in­form­a­tion to au­thor­it­ies based on or­ders: if an ISP re­ceives an or­der from an au­thor­ity to act against il­leg­al con­tent, the ISP must in­form the au­thor­ity without un­due delay about the ac­tions it takes and the time of those ac­tions. Fur­ther­more, if the ISP re­ceives an or­der to provide in­form­a­tion about a spe­cif­ic in­di­vidu­al re­cip­i­ent of a ser­vice, the ISP must con­firm the re­ceipt of the or­der to the au­thor­ity without un­due delay and must provide the re­ques­ted in­form­a­tion with cer­tain lim­it­a­tions.Des­ig­nat­ing points of con­tact and leg­al rep­res­ent­at­ives: ISPs must es­tab­lish a single point of con­tact for dir­ect elec­tron­ic com­mu­nic­a­tion with the au­thor­it­ies and pub­lish it. Fur­ther­more, ISPs not es­tab­lished in the EU but of­fer­ing ser­vices in the EU must des­ig­nate in writ­ing a leg­al rep­res­ent­at­ive (to­geth­er with its name and con­tact de­tails) in one of the EU coun­tries where the ISP of­fers ser­vices for re­ceipt, ex­e­cu­tion and en­force­ment of au­thor­ity de­cisions and for co­oper­a­tion with the au­thor­it­ies. This des­ig­nated leg­al rep­res­ent­at­ive can be held li­able for non-com­pli­ance with ob­lig­a­tions un­der the DSA.In­dic­at­ing re­stric­tions in terms: all re­stric­tions (in­clud­ing con­tent mod­er­a­tion, al­gorithmic de­cision-mak­ing, and hu­man re­view rules) re­lated to the use of ISPs’ ser­vices re­gard­ing in­form­a­tion provided by the re­cip­i­ents must be in­cluded in the terms and con­di­tions of the ser­vices.Pub­lish­ing an­nu­al trans­par­ency re­ports: ISPs must pub­lish de­tailed an­nu­al re­ports of any con­tent mod­er­a­tion they en­gaged in dur­ing the rel­ev­ant peri­od. These re­ports must in­clude, among oth­ers, cer­tain in­form­a­tion on the or­ders from au­thor­it­ies, no­tices on il­leg­al con­tent and com­plaints re­ceived by the ISP, as well as on con­tent mod­er­a­tion by the ISP. 3.2 Ad­di­tion­al ob­lig­a­tions on all host­ing pro­viders Man­aging no­tices on il­leg­al con­tents: the host­ing pro­vider must in­tro­duce eas­ily ac­cess­ible, user-friendly elec­tron­ic pro­cesses for man­aging no­tices on il­leg­al con­tents. The DSA lists the man­dat­ory ele­ments of such a no­tice. The host­ing pro­vider must con­firm the re­ceipt of such no­tice in a re­spond­ing email and no­ti­fy the claimant of its de­cision without un­due delay.Provid­ing reas­on­ing for de­cisions: if the host­ing pro­vider de­cides to re­move or make un­avail­able any il­leg­al con­tent provided by the re­cip­i­ent, it must in­form the re­cip­i­ent of the de­cision and give clear reas­on­ing for that de­cision. This reas­on­ing must con­tain all man­dat­ory ele­ments lis­ted in the DSA. The de­cision must be pub­lished in an an­onymised way in the Com­mis­sion’s pub­lic data­base. 3.4 Spe­cial ob­lig­a­tions of on­line plat­forms The pro­vi­sions ap­plic­able to on­line plat­forms can­not be ap­plied to SME on­line plat­forms. The fol­low­ing ad­di­tion­al ob­lig­a­tions ap­ply to on­line plat­forms, in­clud­ing very large on­line plat­forms:Com­plaint man­age­ment sys­tem: on­line plat­forms must main­tain an in­tern­al, user-friendly, eas­ily ac­cess­ible elec­tron­ic com­plaint man­age­ment sys­tem and must grant ac­cess to it to the re­cip­i­ents. The re­cip­i­ents can sub­mit com­plaints elec­tron­ic­ally here against the on­line plat­form’s de­cisions on their il­leg­al con­tent.Out of court dis­pute set­tle­ment: re­cip­i­ents af­fected by an on­line plat­form’s de­cision on il­leg­al con­tent are en­titled to turn to an out-of-court body cer­ti­fied by the di­git­al ser­vice co­ordin­at­or. The on­line plat­forms are bound by the de­cision of this body. The DSA con­tains the de­tailed rules for the pro­ceed­ings and the de­cisions of this cer­ti­fied body.Pri­or­ity for trus­ted flag­gers: on­line plat­forms must pro­cess the no­tices on il­leg­al con­tent sub­mit­ted by trus­ted flag­gers with pri­or­ity. The di­git­al ser­vice co­ordin­at­ors are en­titled to qual­i­fy an en­tity as a trus­ted flag­ger if all con­di­tions lis­ted in the DSA are met. The list of trus­ted flag­gers is pub­lished in the Com­mis­sion’s pub­licly avail­able data­base.Meas­ures against ab­us­ive no­tices and counter-no­tices: on­line plat­forms must sus­pend their ser­vices to re­cip­i­ents that fre­quently provide mani­festly il­leg­al con­tent. Fur­ther­more, on­line plat­forms must also sus­pend the pro­cessing of no­tices and com­plaints sub­mit­ted by per­sons that fre­quently sub­mit no­tices or com­plaints that are mani­festly un­foun­ded. The DSA con­tains de­tailed rules for the cir­cum­stances to be as­sessed in the case of such sus­pen­sion.Re­port­ing sus­pi­cions of crim­in­al of­fences: on­line plat­forms must promptly in­form the mem­ber states’ com­pet­ent law en­force­ment au­thor­it­ies, or in cer­tain cases Euro­pol, if they be­come aware of any sus­pi­cion of a crim­in­al of­fence in­volving a threat to the life or safety of per­sons has taken place, is tak­ing place or is likely to take place.Know Your Busi­ness Cus­tom­er: on­line plat­forms must identi­fy their traders pro­mot­ing mes­sages or of­fer­ing products or ser­vices to EU con­sumers, and must ob­tain in­form­a­tion about them lis­ted in the DSA, among oth­ers the name, con­tact de­tails, re­gis­tra­tion num­ber, copy of the ID card of the trader. More de­tailed trans­par­ency re­ports: on­line plat­forms must in­clude ad­di­tion­al in­form­a­tion in their an­nu­al trans­par­ency re­port, such as in­form­a­tion about out-of-court dis­putes, sus­pen­sions, and auto­mated con­tent mod­er­a­tion. Fur­ther­more, on­line plat­forms must pub­lish in­form­a­tion at least once every six months on the av­er­age monthly act­ive re­cip­i­ents of the ser­vice in each EU coun­try.User-fa­cing trans­par­ency of on­line ad­vert­ising: on­line plat­forms must en­sure that ad­vert­ise­ments dis­played in their ser­vices con­tain in­form­a­tion that this is an ad­vert­ise­ment, who is the ad­vert­iser, and the tar­get audi­ence of the ad­vert­ise­ments. 3.5 Very large on­line plat­forms’ spe­cial ob­lig­a­tions for man­aging sys­tem­ic risks The draft reg­u­la­tion con­tains the fol­low­ing spe­cial ob­lig­a­tions for very large on­line plat­forms for man­aging sys­tem­ic risks:Risk man­age­ment ob­lig­a­tions: very large on­line plat­forms must con­duct an­nu­al risk as­sess­ments on the sig­ni­fic­ant sys­tem­ic risks stem­ming from the func­tion­ing and use of their ser­vices in the EU. Fur­ther­more, based on these risk as­sess­ments, they must put in place reas­on­able, pro­por­tion­ate and ef­fect­ive risk mit­ig­a­tion meas­ures for the sys­tem­ic risks they identi­fy. The DSA con­tains a de­tailed list of those risk-mit­ig­a­tion meas­ures.Ex­tern­al risk audit­ing and pub­lic ac­count­ab­il­ity: very large on­line plat­forms must con­duct an­nu­al audits on com­pli­ance with the DSA and the code of con­duct via an in­de­pend­ent, ex­tern­al pro­fes­sion­al aud­it­or. The aud­it­or must is­sue a writ­ten audit re­port in­clud­ing the man­dat­ory ele­ments lis­ted in the DSA in writ­ing.Trans­par­ency of re­com­mend­er sys­tems: if a very large on­line plat­form uses a re­com­mend­er sys­tem, it must in­clude the main para­met­ers of and cer­tain in­form­a­tion about this sys­tem in its terms and con­di­tions, and must en­sure op­tions for users not in­volving pro­fil­ing.More trans­par­ency in on­line ad­vert­ising: very large on­line plat­forms must make pub­licly avail­able, through APIs, an an­onymised re­pos­it­ory about the on­line ad­vert­ise­ments dis­played on the plat­form. The re­pos­it­ory must con­tain the con­tent of the ad­vert­ise­ments, each ad­vert­iser’s name, the peri­od when each ad­vert­ise­ment was dis­played, and cer­tain in­form­a­tion about the tar­get audi­ence of each ad­vert­ise­ment.Data shar­ing with au­thor­it­ies and re­search­ers: very large on­line plat­forms must provide ac­cess to the data to the di­git­al ser­vice co­ordin­at­or or the Com­mis­sion for mon­it­or­ing and as­sess­ing com­pli­ance with the DSA, and must grant ac­cess to the data to vet­ted aca­dem­ic, in­de­pend­ent re­search­ers for con­duct­ing re­search that con­trib­utes to the iden­ti­fic­a­tion and un­der­stand­ing of sys­tem­ic risks. Data ac­cess must be en­sured via APIs or on­line data­bases.Com­pli­ance of­ficer: very large on­line plat­forms must ap­point at least one pro­fes­sion­al com­pli­ance of­ficer to mon­it­or com­pli­ance with the DSA. The com­pli­ance of­ficer’s name and con­tact de­tails must be provided to the di­git­al ser­vice co­ordin­at­or and the Com­mis­sion.Ad­di­tion­al trans­par­ency re­port­ing du­ties: very large on­line plat­forms must pub­lish trans­par­ency re­ports every six months and must pub­lish and sub­mit ad­di­tion­al re­ports lis­ted in the DSA to the di­git­al ser­vice co­ordin­at­or and the Com­mis­sion. 4. Com­pet­ent au­thor­it­ies, for­um shop­ping All EU mem­ber states must des­ig­nate a com­pet­ent na­tion­al en­force­ment au­thor­ity for the DSA and the same or an­oth­er au­thor­ity as the di­git­al ser­vice co­ordin­at­or. Each di­git­al ser­vice co­ordin­at­or has the power of in­vest­ig­a­tion and is en­titled to de­mand in­form­a­tion from the ISPs and any oth­er per­son on sus­pec­ted in­fringe­ments of the DSA, to carry out on-site in­spec­tions, to ask staff of the ISPs to give ex­plan­a­tions, to or­der the ces­sa­tion of an in­fringe­ment, to im­pose fines, and to ad­opt in­ter­im meas­ures.The EU mem­ber state in which the main es­tab­lish­ment of the ISP is loc­ated will have jur­is­dic­tion over the ISP. If an ISP does not have an es­tab­lish­ment in the EU but of­fers ser­vices in the EU, it will be deemed to be un­der the jur­is­dic­tion of the EU mem­ber state where its leg­al rep­res­ent­at­ive resides or is es­tab­lished, which en­ables for­eign ISPs to choose the EU jur­is­dic­tion by des­ig­nat­ing its leg­al rep­res­ent­at­ive. If the ISP fails to ap­point a leg­al rep­res­ent­at­ive, all EU mem­ber states will have jur­is­dic­tion over that ISP.The DSA es­tab­lishes the European Board for Di­git­al Ser­vices, an in­de­pend­ent ad­vis­ory group of di­git­al ser­vice co­ordin­at­ors on the su­per­vi­sion of ISPs with ad­vis­ory tasks for di­git­al ser­vice co­ordin­at­ors and the Com­mis­sion.The DSA in­tro­duces en­hanced su­per­vi­sion for very large plat­forms. In this case, the di­git­al ser­vices co­ordin­at­or will con­sider all opin­ions and re­com­mend­a­tions of the European Board for Di­git­al Ser­vices and the Com­mis­sion. The Com­mis­sion and the Board is en­titled to re­com­mend that the di­git­al ser­vice co­ordin­at­or in­vest­ig­ates the in­fringing activ­ity. The Com­mis­sion is en­titled to ini­ti­ate its own pro­ceed­ings against a very large on­line plat­form in cases defined in the DSA. The DSA con­tains spe­cial rules for pro­ceed­ings ini­ti­ated by the Com­mis­sion against a very large plat­form, with spe­cial pro­ced­ur­al rights and ob­lig­a­tions. 5. Sanc­tions The DSA does not con­tain an ex­haust­ive list of sanc­tions for an in­fringe­ment of the reg­u­la­tion; the Mem­ber States will set out the rules on sanc­tions. The draft reg­u­la­tion defines the fol­low­ing max­im­um amount of pen­al­ties:6% of the an­nu­al in­come or turnover of the ISP for in­fringing the ob­lig­a­tions in the DSA;1% of the an­nu­al in­come or turnover of the ISP for sup­ply­ing in­cor­rect, in­com­plete or mis­lead­ing in­form­a­tion, fail­ing to reply or rec­ti­fy in­cor­rect, in­com­plete or mis­lead­ing in­form­a­tion, and fail­ing to sub­mit to an on-site in­spec­tion;5% of the av­er­age daily turnover in the pre­ced­ing fin­an­cial year per day, cal­cu­lated from the date ap­poin­ted by the de­cision in the case of daily, peri­od­ic pen­alty pay­ments. 6. Next steps The European Par­lia­ment and Mem­ber States will dis­cuss the Com­mis­sion’s pro­pos­al ac­cord­ing to the or­din­ary le­gis­lat­ive pro­ced­ure, which will take at least 18 months. Once ad­op­ted, the DSA will dir­ectly ap­ply across the EU and ISPs will have three months to pre­pare for the new leg­al re­gime.We will con­tinu­ously mon­it­or the status of the le­gis­lat­ive pro­cess and keep you up­dated on any changes to the draft text of the DSA.
12/04/2021
EU Di­git­al Ser­vices Act gives new leg­al frame­work for plat­form eco­nomy
The European Com­mis­sion has is­sued the draft pro­pos­al for the Reg­u­la­tion on a Single Mar­ket for Di­git­al Ser­vices (Di­git­al Ser­vices Act or DSA), which cre­ates a new leg­al frame­work for di­git­al ser­vices...
06/04/2021
Hun­gary de­clares it law­ful to col­lect in­form­a­tion that a work­er is pro­tec­ted...
The NAIH, Hun­gary’s data pro­tec­tion au­thor­ity, has is­sued a guid­ance on how em­ploy­ers can law­fully de­term­ine wheth­er an em­ploy­ee is pro­tec­ted against COV­ID-19. Em­ploy­ers must ad­apt their in­tern­al policies...
06/04/2021
EU is­sues draft of Di­git­al Mar­kets Act aimed at cre­at­ing a new and fair...
The European Com­mis­sion has pub­lished a draft pro­pos­al for a new com­pet­i­tion law frame­work for large on­line plat­forms, called the Di­git­al Mar­kets Act (DMA). The Com­mis­sion pro­posed the DMA due to the...
01/04/2021
Di­git­al Mar­kets Act: a new and fair busi­ness frame­work for large plat­forms
The European Com­mis­sion has pub­lished the draft pro­pos­al for a new com­pet­i­tion law frame­work for large on­line plat­forms, called the Di­git­al Mar­kets Act (the “DMA”). The reas­on the Com­mis­sion pro­posed the DMA is that a small num­ber of large on­line plat­forms cap­ture the biggest share of over­all value gen­er­ated in Europe’s di­git­al eco­nomy, and these plat­forms have emerged by be­ne­fit­ting from sec­tor char­ac­ter­ist­ics such as strong net­work ef­fects, of­ten em­bed­ded in their own plat­form eco­sys­tems. These plat­forms rep­res­ent the key struc­tur­ing ele­ments in today’s di­git­al eco­nomy, in­ter­me­di­at­ing the ma­jor­ity of trans­ac­tions between end users and busi­ness users. A few large plat­forms in­creas­ingly act as gate­ways or gate­keep­ers between busi­ness users and end users, and en­joy a long-term, en­trenched po­s­i­tion, of­ten as a res­ult of the cre­ation of con­glom­er­ate eco­sys­tems around their core plat­form ser­vices, which re­in­forces ex­ist­ing entry bar­ri­ers.The DMA deals with those large on­line plat­forms act­ing as gate­keep­ers in di­git­al mar­kets. The DMA aims to en­sure that:these plat­forms be­have fairly on­line;in­nov­at­ors and tech­no­logy start-ups will have new op­por­tun­it­ies to com­pete and in­nov­ate in the on­line plat­form en­vir­on­ment without hav­ing to com­ply with un­fair terms and con­di­tions that lim­it their de­vel­op­ment;con­sumers will have more and bet­ter ser­vices to choose from, more op­por­tun­it­ies to switch their pro­vider if they so wish, dir­ect ac­cess to ser­vices, and fairer prices. Who are the gate­keep­ers? Gate­keep­ers are core plat­form ser­vices which meet the qual­it­at­ive and quant­it­at­ive cri­ter­ia set out in the DMA. Core plat­form ser­vices in­clude on­line in­ter­me­di­ation ser­vices, search en­gines, so­cial net­work­ing ser­vices, video-shar­ing plat­form ser­vices, num­ber-in­de­pend­ent in­ter­per­son­al com­mu­nic­a­tion ser­vices, op­er­at­ing sys­tems, cloud com­put­ing ser­vices, ad­vert­ising ser­vices in­clud­ing any ad­vert­ising net­works, ad­vert­ising ex­changes and any oth­er ad­vert­ising in­ter­me­di­ation ser­vices, provided by a pro­vider of any of the core plat­form ser­vices lis­ted above.A core plat­form ser­vice qual­i­fies as a gate­keep­er, if:it has a sig­ni­fic­ant im­pact on the in­tern­al mar­ket, which is pre­sumed if it achieves an an­nu­al EEA turnover equal to or above EUR 6.5 bil­lion in the three pre­ced­ing fin­an­cial years, or where the av­er­age mar­ket cap­it­al­isa­tion or the equi­val­ent fair mar­ket value of the un­der­tak­ing to which it be­longs amoun­ted to at least EUR 65 bil­lion in the pre­ced­ing fin­an­cial year, and it provides a core plat­form ser­vice in at least three Mem­ber States;it op­er­ates a core plat­form ser­vice which serves as an im­port­ant gate­way for busi­ness users to reach end users, which is pre­sumed if it has more than 45 mil­lion monthly act­ive end users es­tab­lished or loc­ated in the Uni­on and more than 10,000 yearly act­ive busi­ness users es­tab­lished in the EU in the pre­ced­ing fin­an­cial year;it en­joys a long-term, en­trenched po­s­i­tion in its op­er­a­tions or it is fore­see­able that it will en­joy such po­s­i­tion in the near fu­ture, which is pre­sumed if the thresholds in point b) were met in each of the three pre­ced­ing fin­an­cial years.   What are the gate­keep­ers’ main ob­lig­a­tions? Do’s and Don’ts     What kind of tools and powers do the Com­mis­sion and oth­er bod­ies have? The DMA grants powers and dif­fer­ent pro­ced­ur­al rights to the European Com­mis­sion and es­tab­lishes the Di­git­al Mar­kets Ad­vis­ory Com­mit­tee for is­su­ing opin­ions in is­sues re­lated to the DMA.The DMA gives the Com­mis­sion the fol­low­ing powers:to des­ig­nate core plat­form ser­vices that meet the DMA cri­ter­ia as gate­keep­ers;to re­view ad-hoc the status of gate­keep­ers on re­quest or on its own;to re­view at two-year in­ter­vals the status of gate­keep­ers;to spe­cify meas­ures to be taken by gate­keep­er to com­ply with the DMA;to sus­pend cer­tain gate­keep­er ob­lig­a­tions un­der the DMA at a gate­keep­er’s re­quest, if the gate­keep­er demon­strates that com­pli­ance with that spe­cif­ic ob­lig­a­tion would en­danger its eco­nom­ic vi­ab­il­ity;to ex­empt a gate­keep­er from cer­tain ob­lig­a­tions un­der the DMA on the grounds of pub­lic mor­al­ity, pub­lic health or pub­lic se­cur­ity;to ini­ti­ate mar­ket in­vest­ig­a­tions:lower-ro­manto ex­am­ine wheth­er a pro­vider of core plat­form ser­vices should be des­ig­nated as a gate­keep­er;in­to sys­tem­at­ic non-com­pli­ance by a gate­keep­er;to ex­am­ine wheth­er cer­tain ser­vices in the di­git­al sec­tor should be ad­ded to the list of core plat­form ser­vices and identi­fy prac­tices that might lim­it the con­test­abil­ity of core plat­form ser­vices or might be un­fair.The DMA grants in­vest­ig­at­ive, en­force­ment and mon­it­or­ing powers to the Com­mis­sion dur­ing its pro­ceed­ings, based on which the Com­mis­sion is en­titled to:re­quest in­form­a­tion from any un­der­tak­ings and from the gov­ern­ments and au­thor­it­ies of EU mem­ber states;ac­cess data bases and al­gorithms;in­ter­view any private per­son or leg­al en­tity to col­lect in­form­a­tion re­lat­ing to the sub­ject-mat­ter of an in­vest­ig­a­tion;con­duct on-site in­spec­tions at the premises of any un­der­tak­ings, in­clud­ing to­geth­er with aud­it­ors and ex­perts;or­der in­ter­im meas­ures against a gate­keep­er on the basis of a prima facie find­ing of an in­fringe­ment of ob­lig­a­tions un­der the DMA;mon­it­or the ef­fect­ive im­ple­ment­a­tion and com­pli­ance with the ob­lig­a­tions un­der the DMA.   What will the sanc­tions for non-com­pli­ance be? If the Com­mis­sion ad­opts a non-com­pli­ance de­cision in which it finds that a gate­keep­er does not com­ply with one or more ob­lig­a­tions un­der the DMA, the Com­mis­sion may fine a gate­keep­er.The max­im­um amount of a fine is 10% of the total world­wide an­nu­al turnover of the gate­keep­er in the case of a ma­ter­i­al breach of the ob­lig­a­tions un­der the DMA, and a max­im­um 1% in the case of a less ser­i­ous breach of ob­lig­a­tions un­der the DMA.The Com­mis­sion is also en­titled to or­der peri­od­ic pen­alty pay­ments of up to 5% of the av­er­age daily turnover in cer­tain cases defined in the DMA.In the case of sys­tem­at­ic breaches of the DMA ob­lig­a­tions by gate­keep­ers, ad­di­tion­al rem­ed­ies may be im­posed after a mar­ket in­vest­ig­a­tion. Such rem­ed­ies will need to be pro­por­tion­ate to the of­fence com­mit­ted. If ne­ces­sary and as a last re­sort, non-fin­an­cial rem­ed­ies can be im­posed. These can in­clude be­ha­vi­our­al and struc­tur­al rem­ed­ies, e.g. the di­vestit­ure of (parts of) a busi­ness.   What are the next steps? The European Par­lia­ment and Mem­ber States will dis­cuss the Com­mis­sion’s pro­pos­al ac­cord­ing to the or­din­ary le­gis­lat­ive pro­ced­ure, which will take at least 18 months. Once ad­op­ted, the Act will dir­ectly ap­ply across the EU and the core plat­form ser­vice pro­viders will have six months to pre­pare for the new leg­al re­gime.We will con­tinu­ously mon­it­or the status of the le­gis­lat­ive pro­cess and keep you up­dated on any changes to the draft text of the DMA.