On 20 October 2023, the National Authority for Administration and Regulation in Communications ("ANCOM") and the Ministry of Research, Innovation and Digitisation published for public consultation until 31 October 2023, the Draft Law on the establishment of measures for the implementation of Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC, as well for the amendment and supplementation of Law No 365/2002 on electronic commerce (the "Draft Law").
Being subject to public consultation, the Draft Law will most likely undergo amendments, but due to the importance of the legislative act we wish to summarize, even at this stage, the main elements of the Draft Law provisions, as well as some aspects of context.
1. Elements underpinning the Draft Law
The Draft Law was initiated for the adoption of the necessary national legislative measures aimed at the implementation of Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (hereinafter referred to as "Regulation" or "DSA Regulation"), a European legislative act that entered into force on 16 November 2022 and will be generally applicable as from 17 February 2024 (with the exception of certain obligations for certain types of large-scale services, which took effect on 25 August 2023). The DSA Regulation is binding on and directly applicable to the EU Member States in accordance with Article 288 of the Treaty on the Functioning of the European Union.
The activities falling within the scope of the DSA Regulation are varied, but the relationship between the content provider (the person who publishes certain information on an online platform) and the intermediary service provider (the person who makes a platform or service available so that the content in question can be accessed by recipients of the service) stands out.
Regarding the existing legal framework, the regulatory framework of digital services in Romania is based on Law No 365/2002 on e-commerce, which transposed into national law Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (hereinafter "Directive 2000/31/EC").
This law represented a significant step forward in the regulation of digital services and created a legal framework for e-commerce. In the meantime, however, the development of electronic communication networks and innovations in information technology have led to an increase in online activities such as social networks and digital platforms. Furthermore, search engines have also gained a key position, facilitating users' access to information.
Within this context, changes in consumer behaviour and the migration of businesses to the internet have underlined the importance of regulating digital services.
2. General concepts at the core of the Draft Law
Digital services making the subject matter of the DSA Regulation, whether provided separately or simultaneously, correspond to the following types (which are also currently regulated by Law 365/2002 on electronic commerce):
(a)„mere conduit services”: these include generic categories of services, such as internet exchange points, wireless access points, virtual private networks, DNS services and resolvers, top-level domain name registries, registrars, certificate authorities that issue digital certificates, voice over IP and other interpersonal communication services;
(b)„caching”: this includes the sole provision of content delivery networks, reverse proxies or content adaptation proxies;
(c)„hosting services”: these include categories of services such as cloud computing, web hosting, paid referencing services or services enabling sharing information and content online, including file storage and sharing. This category also includes online platforms, very large online platforms ("VLOPs") and very large online search engines ("VLOSE").
Therefore, digital services cover a broad category of services performed in the online environment, ranging from simple web pages to infrastructure services provided for the operation of the Internet and online platforms, with the rules set out in the DSA Regulation mainly dealing with the obligations of intermediary service providers and online platforms (e.g., online marketplaces, social networks, content sharing platforms, app stores, online travel and accommodation platforms, etc.).
3. Subject matter, purpose and scope of the Draft Law
The Draft Law aims to establish the necessary measures for the application of the DSA Regulation, the designation of the digital services coordinator and the adoption of the sanctioning regime applicable in case of non-fulfilment of the obligations set forth under the Regulation or the law.
The main beneficiaries of the Draft Law are the recipients of the services provided by intermediary service providers, without omitting the fact that the aforementioned providers will continue to benefit from the conditional exemption from liability, previously also regulated by Directive 2000/31/EC, if they are not aware of illegal activities or content hosted or located on the platforms/services they provide and/or operate. Moreover, the general principles established by Directive 2000/31/EC remain valid (with some additions).
According to the Draft Law, the law shall apply to intermediary services offered to service recipients who are established or located in the European Union, provided by the intermediary service provider whose main place of establishment is in Romania or who is a resident in Romania or whose legal representative is established in Romania.
4. Digital Services Coordinator
Pursuant to the Draft Law, the National Authority for Administration and Regulation in Communications ("ANCOM") has been designated as the coordinator of digital services, being thus responsible for all aspects related to the supervision and enforcement of the DSA Regulation by intermediary service providers.
The appointment of ANCOM as the coordinator of digital services is intended to create the conditions for a formal communication between the state authorities and similar authorities in the other EU Member States and with the European Commission, in order to ensure a uniform and consistent application of the European legislation at EU level.
ANCOM, as coordinator of digital services, shall not express any opinion on the lawfulness of certain elements of content existing online.
For the application of the national rule, ANCOM shall also adopt secondary legislation (decisions of the institution) to regulate:
(a) the procedure for the transmission of information relating to the notification of intermediary service providers;
(b) the procedure for dealing with complaints, as well as the arrangements for communicating with the parties concerned, in compliance with Article 53 of Regulation (EU) 2022/2065;
(c) the conditions and procedure for granting, terminating, and withdrawing the certification of out-of-court dispute resolution bodies;
(d) the conditions and procedure for granting, suspending, terminating, and revoking the status of trusted notifier;
(e) the procedure for granting the status of approved researcher in the context of the DSA Regulation, as well as for issuing the decision to withdraw the right of access to the data of the providers of very large online platforms or online search engines established in Romania, as well as the method of communication with applicant researchers and other parties involved;
(f) the necessary elements relating to the establishment and collection of the supervisory fee.
5. Authorities responsible for supervising online content
According to the Draft Law, the relevant authorities (institutions, public authorities with supervisory powers over a particular sector or field of activity or judicial authorities) shall have the possibility to issue orders obliging an intermediary service provider to act against illegal content online or to provide certain information.
“Illegal content” means any information that, in itself or in relation to an activity, including the sale of products or the provision of services, is not in compliance with Union law or the law of any Member State which is in compliance with Union law, irrespective of the precise subject matter or nature of that law.
Online activities must comply with applicable national laws and public authorities responsible for supervising specific sectors offline must ensure that the same rules are equally observed online.
6. Regime of orders issued by the relevant authorities
In relation to the powers of market surveillance authorities (referred to in the Draft Law as "relevant authorities") in various sectors or areas of activity, the Draft Law emphasizes that these authorities shall maintain their powers under the legislation applicable to those sectors or areas of activity (applicable to offline activities) and clarifies that these authorities shall also have the power to issue the orders referred to in Art. 9 and 10 of DSA Regulation (orders to act against illegal content and orders to provide information), the rules proposed in the Draft Law being applicable to the extent that the legislation already in force does not contain sufficient means or instruments for the measures that can be ordered in relation to intermediary service providers.
Therefore, the market surveillance authorities in the various sectors or areas of activity will continue to monitor the application of the legislation under their responsibility, with the provisions of the Draft Law stating that these authorities may require intermediary service providers to act against illegal online content or to provide certain specific information.
The orders issued as per the above provisions may be challenged in administrative litigation before the Bucharest Court of Appeal under the terms of Law no. 554/2004 on administrative litigation.
The Draft Law also gives judicial authorities the possibility to issue the orders referred to in Articles 9 and 10 of DSA Regulation as part of the actions, activities or proceedings carried out by them according to the applicable legal provisions. In this case, the intermediary service provider shall have to provide ANCOM with information on the implementation of the order issued by these judicial authorities.
7. Obligations of digital service providers
The Draft Law establishes the obligation of intermediary service providers to submit an information notice, no later than 45 days after the start of the service provision, the purpose of which is to identify in concrete terms the undertakings providing an activity falling within the scope of the DSA Regulation.
The information must be sent to ANCOM, which may require, by decision, compliance with certain requirements as to form, content and conditions for the information set forth under the Draft Law.
The information obligation also applies accordingly to intermediary service providers established in Romania offering services on the date of entry into force of the law, regardless of the date of commencement of their provision, the 45-day period running from the date of entry into force of the abovementioned ANCOM decision.
At the same time, the draft requires that any change in the data contained in the initial information must be notified to ANCOM within 10 days from the date of occurrence, i.e., from the date of registration with the competent institutions, as appropriate.
Following receipt of the order to act against illegal content or to provide certain information, the intermediary service provider must inform the relevant authorities of how it has acted on that order, and the (relevant) issuing authority must inform ANCOM of how it has acted on that order.
8. Liability of digital service providers
As a principle, the principles of digital service providers’ liability remain those currently regulated by Law No 365/2002 on electronic commerce, whose provisions will be repealed and replaced by similar provisions contained in the DSA Regulation.
However, a new component has been added as to the awareness of an illegal content. Namely, the DSA Regulation provides that intermediary service providers should not be considered ineligible for exemption from liability simply because they carry out voluntary own-initiative investigations or other activities designed to detect, identify, remove, or block access to illegal content or because they take the necessary measures to comply with the requirements of Union law, including those set out in the Regulation.
The above provision is in line with legislative developments at the Court of Justice of the European Union (see C-236/08 - Google France and Google, C-324/09 - L'Oréal and Others, C-324/09 - L'Oréal and Others).
9. Carrying out inspections
In exceptional cases and only on the basis of a judicial authorization given by decision of the President of the Bucharest Court of Appeal or of a judge delegated for this purpose, ANCOM may carry out inspections in the exercise of its investigative powers. The authorization received from a judge provides the necessary guarantees that all the rights of the intermediary service provider will be respected.
These inspections will be carried out if it is necessary to examine the computer system or obtain copies of the algorithmic systems used by the intermediary service provider for the services provided.
ANCOM’s inspection staff, authorized to make an inspection, may also carry out unannounced inspections and may request any kind of information or justification related to the performance of their assignment, both on the site and when convened on ANCOM's premises.
Further to such inspections, measures may be ordered to seal certain premises used by the intermediary service provider.
Last but not least, inspections may be carried out by the European Commission pursuant to Article 69 of the DSA Regulation, in which case ANCOM’s personnel will assist and support the inspection activity at the premises of the intermediary service provider located in Romania, if applicable.
The intermediary service provider shall benefit from the full set of rights for the protection of its interests, including the possibility to appeal the decision ordering the inspection before the High Court of Cassation and Justice within 72 hours. The appeal will not suspend enforcement of the decision.
10. Penalty system
The Draft Law sets forth a penalty regime designed to discourage a possible behavior falling short of legal rules:
(a) the misdemeanors set out in Article 32, points 1-53 (such as failure by the intermediary service provider to inform, without undue delay, the authority issuing the order or any other authority specified in the order about the manner in which the order has been acted upon, specifying whether and when the order has been acted upon; failure by the intermediary service provider to designate a single point of contact or to publish the information necessary to easily identify and communicate with its single points of contact; as well as failure of hosting services providers to put mechanisms in place to allow any individual or entity to notify them of the presence on their service of specific items of information that the individual or entity considers to be illegal content), shall be punishable by a fine ranging between RON 5,000 and a maximum of 6% of the annual worldwide turnover recorded in the previous financial year by the intermediary service provider.
(b) the misdemeanor set forth in Article 32, paragraph 54 (i.e., non-fulfilment by the intermediary service provider or the person concerned of the obligation to transmit correct, complete or non-misleading information, to send a response or to rectify incorrect, incomplete or misleading information and for refusing to submit to an inspection) shall be punishable by a fine ranging between RON 5,000 and a maximum of 1% of the annual income or annual worldwide turnover generated in the previous financial year by the intermediary service provider or the person concerned.
The annual turnover shall be the one recorded in the latest annual financial statement reported by the intermediary service provider or person concerned.
Furthermore, failure by the intermediary service provider established in Romania to comply with the obligation to transmit to ANCOM the information referred to in Article 5, paragraph 1 of the Draft Law, with all the data included therein, including any changes to such data, within the prescribed time limit and in the prescribed format shall constitute a misdemeanor and shall be punishable by a fine ranging between RON 5,000 and RON 30,000.
The establishment of misdemeanors shall be recorded by ANCOM's inspection staff in the misdemeanor assessment and sanctioning report, which can be challenged before the court having jurisdiction over the headquarters of the digital services coordinator within 15 days from communication thereof, while the court of appeal for this situation is the Bucharest Court - Administrative Litigation Section.
Given the fact that intermediary service providers operate in the online environment, the Draft Law also provides for ANCOM’s possibility to issue the misdemeanor assessment and sanctioning report in electronic format, by derogation from the provisions of Article 19 of Government Ordinance No 2/2001 on the legal regime of misdemeanors, approved with amendments and additions under Law No 180/2002, as amended (hereinafter "GO No 2/2001").
The report concluded in electronic format shall be signed with a qualified electronic signature.
In order to verify the validity of the signature, misdemeanor assessment and sanctioning reports in electronic format must be sent via the My ANCOM service.
If this form of communication is not possible, the electronic file shall be sent by email (taking into consideration the data provided by the intermediary service provider) so that the attached certificate can be viewed.
The application of any civil sanctions shall be time-barred after three years from the date of the misdemeanor.
At the same time, the Draft Law also provides for certain actions that ANCOM may take which can entail the interruption of the limitation period:
(a) written requests for information sent to the intermediary service provider;
(b) inspection of the intermediary service provider in question.
In certain cases regulated by the Draft Law, the offender may pay, within a maximum of 15 days from the date of delivery or communication of the misdemeanor assessment and sanctioning report, half of the amount of the fine imposed, having been informed of this possibility in the report issued by the inspection officer.
ANCOM may impose administrative fines capped at a maximum daily amount of 5% of the average daily worldwide turnover or average daily worldwide revenue recorded in the previous financial year by the intermediary service provider concerned, calculated from the date specified in the sanctioning decision, to determine it:
(a) to provide in a correct, complete and non-misleading manner the information requested by ANCOM;
(b) to send the response to ANCOM's request or to rectify incorrect, incomplete or misleading information;
(c) to be subject to an inspection;
(d) to comply with the measures ordered by ANCOM as per the provisions of Article 40;
(e) to comply with a decision ordering interim measure.
ANCOM's decision imposing the above sanctions shall be enforceable without further formality.
The provisions of Articles 32 and 33 concerning the acts representing a misdemeanor shall enter into force 30 days after the date of the Draft Law publication in the Official Gazette of Romania, Part I, but no earlier than 17 February 2024.
11. Amendments to other regulatory acts
The Draft Law also proposes some amendments and additions to Law No 365/2002 on electronic commerce, which lacks certain provisions clarifying the powers of public institutions or authorities.
Among other things, clarifications are made stating that the application of Law No 365/2002 is not a responsibility resting only on the Authority for the Digitization of Romania, but also falling on the other institutions or public authorities that have prerogatives with regard to the supervision of a particular sector or field of activity, and which are also required to supervise and monitor the activities specific to the field they manage, and which are performed in the online environment.
Articles 12-15 of Law No 365/2002 on service providers’ liability will be repealed and replaced by the provisions of the DSA Regulation.
12. Proposed amendments to the Draft Law
Regarding this Draft Law, the main amendments proposed by the market participants include the clarification of the procedures for challenging and suspending the orders issued (regarding the obligation to follow the procedure prior to referral to the court), elimination of overlapping information obligations, restriction of ANCOM inspectors' powers of seizure and introduction of a minimum time limit for providing the information requested during inspections when such information cannot be provided on the spot.
Further articles are recommended to be added concerning the principles of individualization of the sanctions applied, the protection of the right to defense, access to the file during ANCOM's decision-making process, as well as the addition to the Draft Law of a specific regulation on the provider’s possibility to propose undertakings at any time during the inspection and the way in which such undertakings can be adopted.
Also proposed was the establishment of a clear and predictable order of fines application, the temporary removal of supervisory fees, and a definition of the consumer that should be identical to that in the DSA Regulation.
13. Other issues
The Draft Law sets forth the possibility for collaboration agreements to be concluded so as to ensure the exchange of data and/or information resulting for and from the application of the DSA Regulation, while observing the confidentiality of business secrets, the confidentiality of investigations and compliance with the applicable rules on personal data protection.
In line with the idea of strengthening the collaboration between public administration institutions or authorities, the Draft Law provides for the establishment of an inter-institutional group formed of representatives of institutions or public authorities with responsibilities in areas or sectors of activity that are relevant to the application of DSA Regulation, at the invitation of the digital services coordinator.
The inter-institutional group should cooperate and have regular exchanges of views on the work of intermediary service providers.
The Draft Law also contains certain general information on the possible establishment of a supervisory fee that could be charged to intermediary service providers, specifying that this fee:
(i) may be levied only where such a measure is strictly limited to what is necessary and proportionate to cover the costs incurred with the performance of ANCOM's tasks established for the application of DSA Regulation;
(ii) may be levied only starting from year 2027; such a fee may not be set and collected during the first 3 years after the enactment of the envisaged rule.
By Monica Iancu, Partner, and Alina Zaharia, Junior Associate, Bondoc si Asociatii