Data Protection

New Developments in Digital Services Law: The Draft Digital Services Act

As of February 17, 2024, Regulation (EU) 2022/2065, better known as the Digital Services Act ("DSA") will be fully applicable in all EU member states (for particularly large providers of intermediary services such as Facebook and TikTok, many obligations already apply since August 2023).

Although the DSA itself already comprehensively regulates the provision of so-called intermediary services (see article of 27 October 2022), there is still room for maneuver as well as a need for implementation regulations at the member state level. To that end, the German government has recently presented a draft bill on implementation of the Digital Services Act (Digitale-Dienste-Gesetz, "DDG-E").

The draft contains some noteworthy points:

Federal Network Agency as essential competent authority

Pursuant to Section 12(1) DDG-E, the Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railway is to be designated the essential competent authority for the enforcement of the DSA within the meaning of Art. 49(1) DSA. On the one hand, this highlights the importance of a safe online environment, which thus assumes a similar significance to traditional utilities. Compared to the federally fragmented supervision in the area of data protection, this centralization of enforcement powers at the federal level is likely to ensure a relatively forceful supervision and hopefully a higher degree of legal certainty.

With regard to certain regulations,  12(2), (3) DDG-E also assigns responsibilities to the Federal Agency for the Protection of Children and Young People in the Media and the Federal Commissioner for Data Protection and Freedom of Information.

Differentiated fines and amounts of fines

Within the framework of the maximum amounts stipulated by the DSA, Section 25 DDG-E provides for a differentiated concept:

  • A fine of up to EUR 50,000 may be imposed in the event of unlawful concealment of the commercial nature of a message and the violation of certain information and disclosure obligations, such as the obligation to provide an imprint (in future Section 5 DDG) and the obligation to provide information to the authorities (Section 25(1), (2), (5) No. 3 DDG-E).
  • Up to EUR 100,000 may be due for certain violations of Regulation (EU) 2019/1150 on the promotion of fairness and transparency for commercial users of intermediary services as well as for violations of certain transparency and information obligations of the DSA (e.g. to designate a contact point). If the annual turnover of the company that has violated these obligations is more than EUR 10 million, the fine can also be up to 1% of the worldwide turnover in the year prior to the authority's fining decision.
  • A fine of up to EUR 300,000 may be imposed for other violations of the above-mentioned Regulation (EU) 2019/1150, as well as for other breaches of the DSA. With regard to the DSA, this may in particular be breaches of obligations in connection with the notice and action mechanism and complaint handling system to be established under the DSA and violations of the prohibition of personalized advertising based on sensitive personal data. For companies with an annual turnover of more than EUR 5 million, the maximum limit is instead 6% of the previous year's global turnover.

The explicit provision that the period prior to the authority's decision is decisive for the calculation of the fine (not the period prior to the infringement) may become relevant in particular in the case of investments in start-ups, which may commit infringements in their "wild" founding phase. Even if these are remediated during the growth phase (e.g., under pressure from the investor), the authority could impose fines after the fact, which are then calculated on the basis of the turnover that the "mature" start-up achieves after it has been "kick-started" by the investment.

Repeal of the NetzDG as well as the TMG/Imprint

As of February 17, 2024, the Telemedia Act (Telemediengesetz, TMG) as well as the Network Enforcement Act (Netzwerkdurchsetzungsgesetz, NetzDG) are to be repealed (cf. Article 37 DDG-E). Section 5 DDG-E continues the general information obligations (so-called "imprint obligation") previously contained in Section 5 TMG. Even if the content of the provisions does not differ from each other, many websites citing the provision will have to be adapted in this respect.

Accord (Einvernehmen) with data protection supervisory authorities

Section 20 DDG-E stipulates that the authority responsible for implementing the DSA must make decisions in accord (Einvernehmen) with the competent data protection supervisory authority, insofar as its performance of duties affects the review of compliance with the General Data Protection Regulation (GDPR) and other data protection regulations. This is intended to ensure that the data protection supervisory authorities continue to play the primary role in monitoring of compliance with data protection regulations. The Court of Justice of the European Union recently imposed a similarly vague duty of cooperation on the Federal Cartel Office’s review of activities relevant under data protection law (judgment of 4 July 2023 - C-252/21).

Next steps

The draft must now go through the legislative process. Entry into force by 17 February 2024 is ambitious, but not impossible.

In parallel to the efforts of the legislator, companies offering intermediary services in the EU should start preparing for the new regulations of the DSA and the DDG now at the latest in order to avoid fines and claims for damages.