The European Union (EU) is introducing new regulations for online and tech businesses to create a consistent legal framework across various sectors. By 2025, several European and German laws will come into effect. Want to know which ones? Keep reading! This alert provides a quick overview of what these 2025 frameworks are about, who they may concern and when they will apply.

The EU General Product Safety Regulation

  • What? The EU General Product Safety Regulation (GPSR) replaces the old General Product Safety Directive and includes various safety requirements for products. The regulation covers product safety analysis, labeling requirements, and rules for product recalls.
  • Who? It impacts all economic operators and online marketplaces dealing with products that are intended or likely to be used by consumers. The GPSR also applies if the product is manufactured or sold online from outside the EU, provided the product is intended for consumers in the EU.
  • When? The GPSR has been in effect since December 13, 2024.

The EU DORA Regulation

  • What? The Regulation on Digital Operational Resilience for the Financial Sector (DORA) establishes a harmonized legal framework for managing cybersecurity and ICT risks in financial markets. It aims to ensure resilient operations during major business interruptions that could threaten network and information system security. The Regulation focuses on ICT risk management, reporting requirements, digital resilience testing, and third-party risk management.
  • Who? The DORA covers a wide range of EU financial entities, e.g. credit institutions, investment firms or management companies.
  • When? The DORA applies from January 17, 2025.

The NIS2 Directive

  • What? With the introduction of the Directive on measures for a high common level of cybersecurity across the Union (NIS2), the EU aims to improve cybersecurity in critical sectors in response to growing threats. Affected companies are required to implement risk management measures, registration obligations and incident management.
  • Who? The scope of NIS2 is significantly broader compared to the previous NIS1 Directive. It covers all companies that meet quantitative thresholds and provide or carry out their activities in critical sectors in the EU.
  • When? Member states were required to implement this regulation into national law by October 17, 2024. Germany is behind schedule, but it is expected that the German implementation law will come into effect in the second quarter of 2025. The timetable depends to a large extent on the composition of the future federal government.

The German Accessibility Strengthening Law

  • What? The German Accessibility Strengthening Act (Barrierefreiheitsstärkungsgesetz – BFSG) implements the European Accessibility Act (EAA). The law aims to ensure the accessibility of products and services, enabling people with disabilities to participate in society.
  • Who? It requires various economic operators to meet specific accessibility requirements for products and services offered in Germany, including e-commerce offerings like webshops and consumer terminals with interactive services.
  • When? The BFSG was enacted on July 16, 2021, and will be applied from June 28, 2025.

The EU AI Act

  • What? The Regulation on Artificial Intelligence (AI Act) is the first legislation to set specific rules for developing and providing artificial intelligence. It classifies AI Systems into different risk categories, each with its own set of requirements.
  • Who? The AI Act primarily applies to operators, providers, importers, and distributors of AI systems. It is sufficient for the application if the AI system is placed on the market in the European Union.
  • When? While the AI Act itself will fully apply on August 2, 2025, the regulations on prohobited AI systems will already apply from February 2, 2025. The regulations on high-risk AI models, will then apply from August 2, 2027.

The European Media Freedom Act

  • What? The European Media Freedom Act (EMFA) introduces a new framework to protect media pluralism and independence. It includes various information obligations, such as disclosing the names of beneficial owners.
  • Who? The EMFA applies particularly to media services and media service providers that offer information, entertainment, or education to the public.
  • When? The EMFA will be effective from August 8, 2025. However, some articles will apply earlier, starting from November 8, 2024, February 8, 2025, and May 8, 2025.

The EU Data Act

  • What? The EU Data Act (DA) introduces new rules for the exchange, distribution, and use of data, including non-personal data. The DA also enhances data interoperability and data-sharing mechanisms and services.
  • Who? It targets manufacturers of connected products (IoT), providers of related services, their users, and data holders. The DA applies in particular to products placed on the market in the Union and providers of related services; irrespective of the place of establishment of those manufacturers and providers.
  • When? The DA entered into force on January 11, 2024, and its rules will mainly apply from September 12, 2025.

The EU Product Liability Directive

  • What? The new EU Product Liability Directive (PLD) aims to update European product liability law to address digitalization challenges and business developments in recent years. The liability regime for economic operators is expected to become significantly stricter.
  • Who? The PDL covers all movable or immovable products placed on the market or put into service in the EU. One of the significant changes is that the directive now also covers digital products like software.
  • When? Member states must implement this directive into national law by December 9, 2026. Due to its significant impact, businesses are advised to understand its effects on their business models early on.

What’s next?

The European Union’s regulatory landscape is evolving, with significant projects slated for the year 2025. A key focus will be on regulating product compliance and e-commerce platforms. Although the list of legislative acts is not exhaustive, several important laws are already in the pipeline for the upcoming years. The Cyber Resilience Act, the Machinery Regulation, and the e-Evidence Package are only some examples. Online and tech companies will continue to face new challenges as these regulations come into effect.

EU data strategy: Stay up to date on Data Act, AI Act, Digital Services Act, NIS2, Cyber Resilience Act, European Health Space and others with our blog series.

UK NIS and critical national infrastructure updates

The UK government recently created a page on the new Cybersecurity and Resilience Bill updating the Network and Information Systems (NIS) Regulations 2018. There is no draft of the bill available yet, but it is confirmed the Bill will cover five sectors (transport, energy, drinking water, health, and digital infrastructure) and digital services (online marketplaces, online search engines, and cloud computing services). It will add obligations on cyber incident reporting and expand to include cybersecurity risk in the supply chains. There will be at least twelve regulators in the UK responsible for implementing the updated NIS Regulations and they will be given greater powers. The Bill will be introduced to Parliament in 2025.

At present, the cybersecurity risks in the supply chain are managed via a government-backed cybersecurity certification scheme called Cyber Essentials (based on self-assessment) and Cyber Essentials Plus (assessed by a third party). It is a voluntary scheme and is not restricted to a specific industry. Cyber Essentials or Cyber Essentials Plus are often a condition for the provision of ICT services to the UK government. ENISA has not included Cyber Essentials in its mapping of NIS2 requirements to international standards and frameworks in its draft NIS2 guidance. The government reported on its ongoing talks with the EU on cybersecurity legal framework which hopefully means there may be further alignment between the two regimes.

When it comes to critical national infrastructure, the UK government’s approach is reflected in the Resilience Framework. The UK government plans to develop critical infrastructure standards by 2030. In the meantime, the UK government appears to focus on industry-specific cybersecurity requirements, for example cybersecurity requirements were set out in the Telecommunications (Security) Act 2021 for entities in telecoms. It has also created the National Protective Security Authority to provide support to critical national infrastructure entities, which at present cover 13 sectors1 (data centres were added as a sub-group in September 2024).

EU NIS2 and CER updates

In the meantime, the EU member states are continuing to implement NIS2 which became enforceable on 18 October this year. Although the progress varies from EU member state to member state, the majority either have implemented the local legislation on NIS2 or published a proposal. In Germany, for example, the current draft is in internal discussion in committees of the German parliament. The latest draft reflects the suggested changes of the committee for home affairs. Certain regulators in EU member states published their own guidelines on the NIS2 regulations and provided a platform for self-reporting for organisations that fall within the scope of NIS2 (e.g. the Italian National Cybersecurity Agency opened an online portal from 1 December 2024).

Organisations are still working on ensuring their compliance with NIS2 requirements and should look into the available guidelines in the EU member state they operate in. There may be more clarity in terms of what is required from service providers in the digital infrastructure and managed security services2 from the European Commission given their cross-border operations. The European Commission’s implementing act provides details on what their policies should look like and sets thresholds for significant incidents for each type of organisation. ENISA published draft guidelines for such organisations in support of the implementing act that is open for consultation until 9 January 2025.

As for the EU Critical Entities Resilience Directive (CER), EU member states were to adopt and publish local implementing acts by 18 October 2024. The CER covers 11 sectors: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration, space, production, processing and distribution of food. EU member state competent authorities are to carry out risk assessments by 17 January 2026 using the list of essential services in the CER and identify critical entities to whom CER will apply by 17 July 2026.
Updates on DORA and the UK Operational Resilience rules.


Cybersecurity requirements for financial entities in the UK and the EU

As for financial entities, they are also working towards compliance with the new cybersecurity compliance rules both in the UK and the EU. In the UK, the operational resilience (usually abbreviated as opres) rules become enforceable by 31 March 2025 whereas the EU Digital Operational Resilience Act (DORA), a sector-specific cybersecurity legislation, will become enforceable on 17 January 2025. Although the two regimes are aimed to achieve the same purpose, they differ in terms of how risk is to be determined and when to notify competent authorities. DORA requirements are clarified in the relevant regulatory and implementing technical standards which are nearly 1000 pages long and are legally binding.

The scope of the UK opres rules is limited to banks, building societies, PRA-designated investment firms, insurers, recognized investment exchanges, enhanced scope senior managers, certification regime firms, firms authorised or registered under the Payment Services Regulations 2017 or Electronic Money Regulations 2011, whereas DORA applies to almost all regulated financial entities. Financial entities will continue looking for efficient ways of complying with both regimes if they are present both in the UK and the EU.

Please let us know if you need assistance in identifying whether your services fall within the scope of NIS2 and we can help navigate the plethora of local requirements.

1 Chemicals, civil nuclear, communications (including data centres), defence, emergency services, energy, finance, food, government, health, space, transport, and water.

2 DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online market places, online search engines, and of social networking services platforms, and trust service providers.

Artificial intelligence (“AI”) is everywhere, and it continues to be a featured topic at many industry conferences. Sometimes this relatively new topic can feel a bit stale. However, a very interesting AI paper was recently published:  Artificial Intelligence, Scientific Discovery, and Product Innovation by Aidan Toner-Rodgers (November 6, 2024). While several previous papers have shown that AI may be useful in drug discovery (e.g., Merchant 2023), this is perhaps the first paper to provide “real world,” causal evidence that AI improves outcomes for scientific research and development.

The high-level takeaway from the paper is that “AI-assisted researchers discover 44% more materials, resulting in a 39% increase in patent filings and a 17% rise in downstream product innovation. These [discovered] compounds possess more novel chemical structures and lead to more radical inventions.” Id. at Cover Page. Moreover, highlighting the synergy between human skill and AI, the benefit of AI was more pronounced for top researchers at the firm – whose output nearly doubled – while the bottom third of scientists saw little benefit from AI. Id.

This human-AI synergy may be crucial for companies seeking to patent an AI-discovered drug molecule. Indeed, Courts have held that “only a natural person can be an inventor, so AI cannot be.”  Thaler v. Vidal, 43 F.4th 1207, 1213 (Fed. Cir. 2022), cert denied, 143 S. Ct. 1783 (2023). Moreover, according to The Inventorship Guidance for AI-Assisted Inventions issued by the U.S. Patent and Trademark Office, “[t]he patent system is designed to encourage human ingenuity.” See Federal Register, Vol. 89, No. 30, at 10046, available at (https://www.federalregister.gov/documents/2024/02/13/2024-02623/inventorship-guidance-for-ai-assisted-inventions). Accordingly, “inventorship analysis should focus on human contributions, as patents function to incentivize and reward human ingenuity. Patent protection may be sought for inventions for which a natural person provided a significant contribution to the invention[.]” Id. at 10044.

But what constitutes a “significant contribution”?  The closest analogy is likely the scenario in which multiple natural people are listed as inventors on a single patent application. According to the Guidance, Courts must evaluate several factors articulated in Pannu v. Iolab Corp., 155 F.3d 1344, 1351 (Fed. Cir. 1998), including ‘[did the individual] “(1) contribute in some significant manner to the conception or reduction to practice of the invention; (2) make a contribution to the claimed invention that is not insignificant in quality, when that contribution is measured against the dimension of the full invention, and (3) do more than merely explain to the real inventors well-known concepts and/or the current state of the art.’’ Federal Register, Vol. 89, No. 30, at 10047. Failing to meet any one of those factors “precludes that person from being named an inventor”. Id.

Further, according to the Guidance:

[A] natural person must have significantly contributed to each claim in a patent application or patent. In the event of a single person using an AI system to create an invention, that single person must make a significant contribution to every claim in the patent or patent application. Inventorship is improper in any patent or patent application that includes a claim in which at least one natural person did not significantly contribute to the claimed invention.

Id. at 10048.

Accordingly, companies should consider documenting human involvement in all phases of its materials discovery process. The goal, of course, would be to show that a human inventor “substantially” contributed to each claim in a patent application. To determine whether a human’s contribution was significant, the Guidance stated that “a person who takes the output of an AI system and makes a significant contribution to the output to create an invention may be a proper inventor.” Id. at 10048. Just as critically, the Guidance provides some examples of human contributions that are likely not considered significant enough to meet the Pannu test, including: (1) recognizing a problem and having a general goal or research plan (which is then presented to an AI tool); (2) reducing an AI-created output to practice; and (3) “overseeing” an AI system that eventually creates an output. Id. at 10048-49.

The full paper is linked for your reference, and the highlights are presented below. If you have questions about this study or AI more generally, please do not hesitate to reach out.

  • Study Design:  The author randomized the use of an AI tool for materials discovery in a cohort of 1,018 scientists at the R&D lab of a large U.S. firm, which specializes in materials science (specifically healthcare, optics, and industrial manufacturing). Toner-Rodgers at p. 1.
  • AI Tool:  The AI tool selected for the study was a set of graph neural networks (GNNs) trained on the “composition and characteristics of existing materials”, which then “generat[ed] ‘recipes’ for novel compounds predicted to possess specified properties.” Id. at 1, 9. The GNN architecture represents materials as multidimensional graphs of atoms and bonds, enabling it to learn physical laws and encode large-scale properties. Id. at 9. From there, scientists evaluated the outputs and synthesized the most promising options. Id. at 1.
  • Materials Discovery:  AI-assisted scientists discovered 44% more materials. These compounds possessed superior properties, revealing that the model also improves quality. This influx of materials leads to a 39% increase in patent filings and, several months later, a 17% rise in product prototypes incorporating the new compounds. Accounting for input costs, the AI tool boosted R&D efficiency by 13-15%. Id. at 1. The effects on materials discovery and patenting emerge after 5-6 months, while the impact on product innovation lags by more than a year. Id. at 16. No data was presented regarding commercialization of a discovered compound.
  • Quality: AI increased the quality of R&D as opposed to merely building out currently understood, low value outputs. For atomic properties, the tool increases average quality by 13%. Id. at 18. AI led to statistically significant improvements in average quality (9%) and the proportion of high-quality materials. Id.
  • Novelty:  The AI tool increased the “novelty of discoveries, leading to more creative patents and more innovative products.”  Id. at 20. In the absence of AI, scientists focus primarily on improvements to existing products, with only 13% of prototypes representing new lines. But this AI tool caused an increase in the treatment group (22%), engendering a shift toward more radical innovation. Id. at 18-20.
  • Synergy with Humans:  The high-quality scientists saw the most benefit from AI. The bottom third of researchers saw minimal gains but, the output of top-decile scientists increased by 81%, which suggests that AI and human expertise are complements in the innovation production function. Id. at 22. Moreover, top scientists leverage their expertise to identify promising AI suggestions, enabling them to investigate the most viable candidates first. Id at 21-22. Moreover, some highly skilled scientists can observe certain features of the materials design problem not captured by the AI tool. Id. at 33. In contrast, others waste significant resources investigating false positives. Id. at 26.
  • Impact on Human Labor:  AI dramatically changes the discovery process. The tool automates a majority of “idea generation” tasks, reallocating scientists to the new task of evaluating model-suggested candidate compounds. Id. at 38. In the absence of AI, researchers devote nearly half their time to conceptualizing potential materials. This falls to less than 16% after the tool’s introduction. Meanwhile, time spent assessing candidate materials increases by 74%. Id. at 2. Time spent in the experimentation phase also rises. Id. at 27.

In sum, AI is labor-replacing when it comes to identifying new materials, but labor-augmenting in the broader process because of the need for human judgment in evaluating potential compounds. Id. at 28. The author noted a slump in workplace satisfaction among scientists with 82% reporting reduced satisfaction with their work. Id. at 36. Further research is needed on this potential “brain drain”, as this paper highlights the benefits of combining the top human minds at a company with AI.

On 24 October 2024, the UK Department for Science Innovation and Technology announced new legislation to modernise the UK’s use of data and boost the UK economy.

The focus of the new Data Use and Access Bill (the “new Bill”) is not just on data protection – it covers wider topics, such as the rules for digital identity verification, minor amendments to the Online Safety Act, the National Underground Asset Registers, technical standards for IT services in health care, and others.

The data protection section is covered in part 5 and it contains some of the  changes to the data protection requirements proposed by the previous government in the Data Protection and Digital Information Bill (the “previous Bill”), which failed to pass before the general election. Please see a table showing what changes were kept from the previous Bill below. The new Bill also introduced new additions, such as the following:

  • Data Portability: The Secretary of State will be empowered to introduce provisions requiring data holders to provide customer data to a customer or third party at the customer’s request, reinforcing the data portability right afforded under the UK GDPR.
  • International transfers: the Agreement on Access to Electronic Data for the Purpose of Countering Serious Crime was called out as the basis for transfers in reliance on international law. It is between the Government of the United Kingdom of Great Britain and Northern Ireland and the Government of the United States of America.
  • Automated decision-making: there are further restrictions on automated decision-making involving sensitive processing. Such processing should be allowed only with explicit consent and the decision-making must be authorised or required by law.

The reforms should not pose any risk to the UK’s adequacy decision from the EU, which is due to be reconsidered in 2025. We expect the reforms to pass through the legislative process quickly. Businesses should monitor the Bill’s progress so that they are ready to comply with the reforms.

In a rapidly evolving technological landscape, the National Institute of Standards and Technology (NIST) has released crucial guidance on managing risks associated with generative AI (GenAI). Our latest client alert delves into the newly published GenAI Profile (NIST AI 600-1), which outlines 12 potential high-level risks and offers actionable strategies for mitigation by breaking down these mitigation strategies into four categories: govern, map, measure, and manage. From addressing data privacy concerns to ensuring compliance with future AI laws, this alert provides insights for organizations to navigate the complexities of GenAI responsibly. Read the full alert to understand how aligning with NIST’s recommendations can fortify your AI governance program and prepare you for upcoming regulatory changes.

The European Commission (the “Commission”) announced its plans to open a public consultation on the new Standard Contractual Clauses (“SCCs”) in the fourth quarter of 2024. The new SCCs will address the scenario where the data importer (controller or processor) is based outside of the European Economic Area (“EEA”) but is directly subject to the General Data Protection Regulation (“GDPR”) due to Art. 3(2) – offering goods and services to individuals in the EU or monitoring their behaviour within the EU.

Background

When the Commission adopted the 4 June 2021 SCCs for the transfers of personal data to third countries, the scope of these SCCs was limited to transfers from a data exporter subject to the GDPR to a data importer (controller or processor) who was not subject to the GDPR. The 2021 SCCs were not therefore designed for situations where both the data importer and exporter were directly subject to the GDPR.  In its Guidelines 05/2021, the European Data Protection Board (“EDPB”) called for the Commission to prepare another set of SCCs to cover the gap.

Next steps

If the Commission will follow the EDPB commentary in Guidelines 05/2021, we expect the new SCCs to focus on the risks associated with the data importer being located in a third country: to address possible conflicting national laws and government access in the third country. The obligations under the new SCCs may incorporate the GDPR principles, information notice to data subjects about the transfers and the risks associated with transfers to a third country, detailed security measures for transfers, notification of data breaches, and provisions governing onward transfers.

What does this mean?

Recent EU supervisory authority decision(s) to impose significant financial penalties on organisations for failing to use appropriate safeguards when transferring personal data to third countries has shown that regulators are not afraid of rigorously enforcing compliance. Organisations cannot rely on the legal uncertainty that has been ongoing since the issuance of the 2021 SCCs to explain why they transfer personal data to third countries without adequate protections in place.  

Until the new SCCs are published, organisations should ensure they carefully assess their data transfers, put in place appropriate safeguards either under the most-up-to-date version of the SCCs or use other transfer mechanisms that the GDPR provides for, and complete any transfer impact assessments, where necessary.

A recent decision by a data protection regulator confirms that derogations under Art. 49 GDPR must be relied upon on an exceptional basis. First of all, to rely on a derogation, transfers must not be repetitive. Further, when relying on the transfer for the performance of a contract with a data subject (Art. 49(1)(b) or for the conclusion or performance of a contract concluded in the interest of the data subject (Art. 49(1)(c), the exporter needs to ensure the necessity requirement is met, i.e. the main purpose of the contract could not be achieved without a transfer, and (2) there are no less intrusive alternatives available. 

Witnessing the race to harness the power of Artificial Intelligence (“AI”) by markets and businesses, the Federal Trade Commission (“FTC”), recently issued a warning over the emerging technology and its ever-widening use cases. Citing its authority under Section 6(b) of the FTC Act, the Commissioners voted 5-0 on July 19 in favor of issuing investigative orders to eight companies regarding the use of consumer data to set individualized prices for products and services, which the Commission refers to as “surveillance pricing.” In announcing the move, FTC Chair Lina Khan claimed that “the FTC’s inquiry will shed light on [the] shadowy ecosystem of pricing middlemen.”

  • The agency’s inquiry focuses on four areas:
    Types of products and services being offered: The types of products and services that each company has produced, developed, or licensed to a third party, as well as details about the technical implementation and current and intended uses of this technology which may facilitate pricing decisions;
  • Data collection and inputs: Information on the data sources used for each product or service, including the data collection methods for each data source, the platforms and methods that were used to collect such data, and whether that data is collected by other parties (such as other companies or other third parties);
  • Customer and sales information: Information about whom the products and services were offered to and what those customers planned to do with those products or services; and
  • Impacts on consumers and prices: Information on the potential impact of these products and services on consumers including the prices they pay.

Price differentiation and “dynamic pricing” – the practice of offering different pricing to different segments of consumers – has been around for a long time. In a blog post accompanying its announcement of the orders, the FTC explains its new inquiry into this practice as a response, in part, to advancements in machine learning technology that make it easier to collect and process large volumes of personal data in service of algorithmic pricing models. Although the orders are framed as requests for information – with none of the companies accused of any wrongdoing – they serve as another reminder of the Commission’s increased focus on artificial intelligence and algorithmic decision making.  This focus increasingly occurs at the intersection of the agency’s bureaus of competition and consumer protection.  That the Commission vote was unanimous suggests a strong interest in studying the issue among the Commissioners.

In addition to concerns around AI, the announcement may suggest a further intent by the Commission to revisit the law of price differentiation. The FTC’s characterization of the issues could be read to suggest a view that price differentiation is not presumptively legal if it is predicated on businesses gathering information to determine the prices set in a given transaction.

Section 6(b) findings are typically confidential but may culminate in a report of findings and recommendations for policymakers and other stakeholders. Considering the speed in which AI-enabled business practices continue to emerge and evolve – coupled with the Commission’s clear desire to keep up – expect the FTC to prioritize this study going forward.

According to the German Federal Supreme Court (Bundesgerichtshof – “BGH”), companies must substantiate “climate neutral” advertising claims: Where such advertising claims lack sufficient substantiation in direct proximity to the claim, they will likely be considered misleading and, therefore, in breach of the statutory requirements of the German Act against Unfair Commercial Practices (Gesetz gegen den unlauteren Wettbewerb – UWG).

Background of the case

A leading German manufacturer of sweets (“Advertiser”) advertised in a magazine that all its products were produced in a “climate neutral” manner. The Advertiser’s manufacturing process was, in fact, not CO2 neutral. To reduce its CO2 footprint, the Advertiser supported climate protection projects carried out by a third party. German competition watchdog Wettbewerbszentrale considered the advertisement misleading and initiated legal action against the Advertiser

The BGH’s decision

In its third instance judgment of 27 June 2024, case no I ZR 98/23, the BGH sets strict substantiation standards for “climate neutral” claims. The BGH’s key considerations are summarised in its press release, while the fully reasoned judgment has not yet been published. The BGH ruled that the particular advertising claim would be misleading within the meaning of section 5(1) UWG and, therefore, prohibited.

In the BGH’s view, the advertising claim “climate neutral” is ambiguous as it can mean (i) reduction of CO2 emissions or (ii) offsetting of CO2 emissions. According to the BGH, reducing CO2 emissions on the one hand and offsetting CO2 emissions on the other cannot be considered equally suitable means for achieving climate neutrality. Rather, reducing CO2 emissions would take precedence over offsetting CO2 emissions. According to the BGH, vague environmental claims such as “climate neutral” may be legally permissible only if the specific meaning of the claims would be explained as part of the advertising itself. By contrast, in the BGH’s view, it shall not be sufficient to refer to information on an external website, including where such external website can be accessed through a QR-code displayed in close proximity to the advertising claim.

The reason for this strict view is that environmental claims – as with health claims – entail an increased risk of misleading consumers. Accordingly, there is a greater need to inform the target audience about the specific meaning of the claim.

The BGH’s press release suggests that the judgment does not impose a general ban on “climate neutral” claims. Nor does the BGH categorically prevent advertisers from supporting environmental claims with offsetting measures, such as third-party climate protection projects. However, it follows from the BGH judgment that advertisers must act diligently when making environmental claims. In particular, where the climate-friendly effects of the advertised products are achieved (only) by implementing offsetting measures, sufficient explanatory substantiation must be included “in the advertisement itself”. The press release does not reveal whether and how the judgment provides any guidance on (i) what standards advertisers must meet to comply with the requirement to substantiate their “climate neutral” claim “in the advertisement itself” and (ii) potential exemptions from this strict requirement. These aspects will be of particular relevance where the advertising is made online where easily accessible substantiation can be provided via hyperlinking, overlays and other technical means. Therefore, the fully reasoned judgment must be reviewed once published.

Interplay with upcoming EU legislation

In light of recent developments on the EU level, the BGH’s ruling appears to be relevant only for a transitional period ending 27 March 2026. The background is that Directive (EU) 2024/825 empowering consumers for the green transition through better protection against unfair practices and through better information (“Directive“) needs to be transposed into national laws of EU member states until this date. The Directive regulates, among other topics, advertising claims, which are based on the offsetting of greenhouse gas emissions, that a product has a neutral, reduced or positive impact on the environment in terms of greenhouse gas emissions. Such advertising claims will be prohibited under the Directive as misleading in all circumstances. This is a key difference compared to the BGH judgment.

Claims that fall under the Directive include “climate neutral”, “CO2 neutral certified”, “carbon positive”, ”climate net zero”, “climate compensated”, “reduced climate impact” and “limited CO2 footprint”. Such claims should only be allowed where they are not based on the offsetting of greenhouse gas emissions outside the product’s value chain but are instead based on the actual lifecycle impact of the product in question, as the former and the latter are not equivalent (Directive, Recital 12). Finally, it needs to be noted that the EU legislator emphasised that “such a prohibition should not prevent companies from advertising their investments in environmental initiatives, including carbon credit projects, as long as they provide such information in a way that is not misleading and that complies with the requirements laid down in Union law” (Directive, Recital 12). Clearly, it will be a challenge for the practice to identify what is not misleading in this particular context. In particular, the increased substantiation requirements under the proposed EU Green Claims Directive will need to be taken into account. For further information on the proposed EU Green Claims Directive, please see the Reed Smith in-depth article of 19 April 2023, “Greenwashing – EU proposes strict requirements for environmental claims: key points on the Green Claims Directive”.

The First Circuit Court of appeals has affirmed that specific personal jurisdiction must be based on defendants’ intentional conduct. In affirming the dismissal of a consumer class action that alleged “wiretapping” claims based on ordinary website activity, the federal appeals court’s decision reflects growing judicial skepticism toward the proliferation of class action claims applying old statutes to ubiquitous Internet technologies.

The Recent Trend of Electronic Wiretapping Lawsuits

Rosenthal v. Bloomingdales.com, LLC exemplifies the flood of statutory wiretapping claims inundating website operators and federal courts these days. A website visitor claimed that when he navigated to the defendant retailer’s website, it recorded his site visit and shared that information with analytics vendors. The plaintiff argued that this activity represents electronic wiretapping—a criminal offense under state and federal law in most jurisdictions. Such statutory claims have gained in popularity in recent years because they authorize plaintiffs to seek liquidated damages without proving measurable economic harm.

This and similar recent claims seek to contort decades-old “wiretapping” statutes and other laws to impose serious criminal liability on thousands of businesses who use ordinary website analytics tools. Website operators have strongly objected to these suits. And in the last two years, skeptical courts have begun to dismiss these claims on a number of grounds.

Background

In this case, the U.S. District Court for the District of Massachusetts dismissed the plaintiff’s lawsuit without addressing the statutory wiretapping issue. Instead, it ruled that it did not have personal jurisdiction in Massachusetts over an out-of-state retail website operator whose related conduct did not target the state. The court held that in order for it to exercise specific jurisdiction over the retailer, the retailer had to voluntarily conduct activities in the state, and the lawsuit had to arise from those activities. Here, the allegedly harmful activities were the retailer’s incorporation of vendor-provided analytics tools into its website—an action that was not intentionally directed at Massachusetts. The district court distinguished between plaintiff’s intentional actions in accessing the website while in Massachusetts and the retailer’s maintenance of the site and related vendor contracts. Thus, it found no “demonstrable nexus” between the plaintiff’s claims and the retailer’s relevant contacts with Massachusetts. The Court of Appeals affirmed. Even where the retailer did business in the Bay State—both online and in stores—the court observed that such general contacts were unrelated to the plaintiff’s specific claims. The retailer’s website was available nationwide and configured in a way that it treated all visitors the same, wherever they were from. It did not intentionally target users in Massachusetts. Had the plaintiff shown otherwise or identified a connection to Massachusetts beyond the plaintiff’s mere browsing of the website, the result might have been different.

Applying Long-Established Jurisdictional Principles to Novel Theories of Liability

The Rosenthal decision comes closely on the heels of the U.S. Court of Appeals for the Ninth Circuit’s recent decision in Briskin v. Shopify, Inc., which affirmed a similar dismissal. Both cases demonstrate that fleeting Internet contacts—as opposed to substantial, intentional local contacts—face an uphill climb. Personal jurisdiction doctrine is rooted in basic notions of due process and fairness: where a defendant is not at home, it is unfair to be dragged into court in a place where the defendant did not target specific conduct. By protecting businesses from being sued in states where they did not direct specific, intentional conduct, courts may curtail the class action plaintiff’s bar’s efforts to funnel cases into courts they expect to be more receptive to their theories.

On 25 March 2024, Ofcom called for evidence for the third phase of its online safety regulations. This call for evidence will culminate in Ofcom’s third consultation paper, which will act as guidance for service providers to ensure compliance with the Online Safety Act (“OSA”). 

The third phase of online regulations introduces further guidance on the extra duties that will arise under the OSA for category 1, 2A, and 2B services (explained here), which could include:

Additional Duties
ContentProtect news publisher, journalistic content and/or content of democratic importance
Terms of UseInclude certain additional terms of use
Specify a policy in the terms of use regarding disclosing information to a deceased child’s parents about their child’s use of the service
AdvertisingPrevent fraudulent advertising
TransparencyPublish a transparency report 
Additional featuresProvide user empowerment features
Provide user identity verification

Along with this, Ofcom has also published their advice to the UK Government on the thresholds to be used to decide whether or not a service will fall into Category 1, 2A or 2B.

Through this call for evidence, Ofcom is inviting industry stakeholders, expert groups, and other organisations to provide evidence that will help inform and shape Ofcom’s approach to the OSA regulations. The call for evidence will close on 20 May 2024, after which Ofcom will publish its third consultation paper in 2025.

Preceding this third consultation paper are two consultation papers that have already been finalised and published by Ofcom. The first paper acts as guidance for user-to-user (“U2U”) and search services on how best to approach their new duties under the OSA. The second paper is specific to service providers of pornographic content.

The proposed measures under the first consultation paper vary based on the size and risk profile of the service. A “large service” is any service with an average user base greater than 7 million per month in the UK, which is approximately equivalent to 10% of the UK population. Every other service is a “small service”.

Further, when assessing the risk profile, services are expected to conduct the risk assessments themselves, and classify their services into one of the following criteria:

  1. Low risk: low risk for all kinds of illegal harm
  2. Specific risk: faces the risk of a specific kind of harm/harms
  3. Multi risk: faces significant risks for illegal harm

Notably, for large companies that have a multi-risk profile, almost all the proposed measures apply, except those recommended for automated content moderation, enhanced user control, and certain reporting obligations. Online safety regulations are expected to affect more than 100,000 service providers, many of which will be small businesses based in the UK and overseas[RS4] . Ofcom offers a free self-assessment tool to assess if these regulations will affect your company. If your organisation is large and sophisticated and requires a tailored approach to ensure compliance with these regulations, we can assist with this.