For this first legal bulletin of 2022, we have chosen a different format than usual and are providing a quick overview of developments in individual areas.
The legislative process in the Czech Republic in areas important to internet traders has been practically at a standstill for several months. Unfortunately, this also applies to those issues that should already have been incorporated into Czech law (in accordance with the requirements of European directives). Due to the establishment of the new Chamber of Deputies, all draft laws from the previous electoral term were, in accordance with legislative rules, returned to the relevant departments, which will bring further delays.
A number of amendments about which we previously informed members in detail have therefore not yet entered into force, and it is not entirely clear when exactly this will happen. This concerns both the anticipated extensive amendment to the Civil Code and the amendment to the Consumer Protection Act. These include, for example, the requirements of the so-called Omnibus Directive, which introduces, among other things, new regulation in the area of presenting discounts, information obligations of marketplace operators towards consumers, and new regulation in the area of administrative sanctions. Furthermore, there are the requirements of two directives relating to digital content, which are intended to bring, for example, new regulation of seller’s liability for digital elements of goods and new regulation in the area of digital content distribution in general. Together with this amendment, a number of legislative deficiencies in the Civil Code are also to be rectified (compared to the wording of the Consumer Rights Directive).
APEK will address the consequences for internet traders’ practice of the Czech Republic’s failure to implement the requirements of European directives in a timely manner in special documents.
On 20 January 2022, a majority of Members of the European Parliament voted to approve the draft DSA Regulation (Digital Services Act), about which we have previously informed. This regulation is intended to regulate a relatively wide range of providers of information society services (providers of hosting space in various forms), including so-called platforms.
At the beginning of February 2022, a draft regulation referred to as the “Data Act” was leaked to the public. The aim of the new regulation is to promote data sharing between businesses (B2B) and ensure the accessibility and use of such data in the European market. We will continue to monitor the situation regarding this legislative initiative.
In January 2022, the Austrian data protection authority issued a decision declaring the storage of cookies when using the Google Analytics service to be inconsistent with the GDPR, specifically as a result of the unlawful transfer of personal data to the United States. This also occurred in the wake of the previous CJEU Schrems II decision, about which we previously informed members. The supervisory authority in France reached the same conclusion approximately one month later, whilst supervisory authorities in Denmark and the Netherlands are also examining this situation. It can therefore be assumed that if this issue were to come under scrutiny by the Office for Personal Data Protection, no different decision can be expected. Traders should bear this in mind when using the Google Analytics service or other services provided by American companies on a similar basis.
The Belgian supervisory authority recently imposed a fine of EUR 250,000 for breach of the GDPR on IAB Europe, which operates a very popular “system” for collecting and managing the consent of website users. From the traders’ perspective, this decision is interesting in that the use of similar systems offering “solutions” to regulatory issues in the area of cookie storage and personal data processing may not always bring the desired result.
The European Data Protection Board has issued new Guidelines 01/2021. The aim of these Guidelines is to assist data controllers in deciding how to proceed in the event of a data security breach. The GDPR contains, in certain cases, an obligation to notify a personal data security breach to the relevant national supervisory authority and to inform the natural persons whose personal data are affected by the breach (Articles 33 and 34 GDPR).
The Board has also issued Guidelines 01/2022 (currently intended for public consultation), which concern the rights of data subjects, specifically their right of access to personal data. The aim of the right of access (Article 15 GDPR) is to provide natural persons with sufficient and easily accessible information about the processing of their personal data so that they can verify the lawfulness of data processing.
Jiří Moravec
This text was originally prepared by the law firm Mašek, Kočí, Aujezdský in cooperation with the Association for Electronic Commerce (APEK) as legal bulletin No. 01/2022 intended for members of this association.
This text was translated from Czech to English using an AI translator.