EU introduces new Political advertising rules: what advertising Providers need to know

Are you active in marketing, communications, media, or do you offer online advertising services? Or are you involved in purchasing advertising as an organization or political party? If so, you will be affected by the new European Regulation 2024/900 on transparency and targeted political advertising, which will come into effect on October 10, 2025. These rules not only entail new obligations, but also significant risks in the event of non-compliance. In this blog, we explain what this regulation means for your organization and how you can prepare for it. What is political advertising according to the regulation? The regulation uses a broad definition of political advertising. Political advertising includes all communication intended to influence public opinion on elections or political issues, even if it does not originate from political parties. The obligations may therefore also apply to civil society organizations, companies, or lobby groups. The Regulation itself uses the term “sponsor” to refer to the party commissioning or purchasing political advertising, which in this blog is referred to as the “client”. ‘Sponsor’ means the natural or legal person at whose request or on whose behalf a political advertisement is prepared, placed, promoted, published, delivered or disseminated Obligations for providers and publishers of advertising services The new rules apply to all parties that offer or purchase political advertising, i.e. both providers and clients. Providers of advertising services – from online platforms to media agencies – must now, among other things: Check whether an advertisement is political advertising, who the client is, who has control over the client, where the funding comes from, and request other information that is relevant to compliance with the regulation; Record the information obtained; Take reasonable measures to verify that the information provided by the client is correct; Provide transparency about political advertisements that run on their platform; Provide a mechanism through which non-compliance with the regulation can be reported. Providers may not discriminate on the basis of the place of residence or place of establishment of the client. However, in the last three months prior to an election, political advertising services relating to that election may not be provided to clients from outside the European Union. Providers must also check this with their clients. What does this mean for clients? Clients are required to indicate whether any advertising is political in nature and to be fully transparent about funding and objectives. Incorrect or incomplete information may result in sanctions. In addition, clients must take into account stricter transparency requirements, such as disclosing the funding and objectives of the campaign. Processing of personal data and targeting What is targeting in political advertising? Targeting means that political advertising is specifically aimed at certain groups or individuals. This is done, for example, on the basis of their online behavior, location, or demographic data. Targeting is only permitted in the context of political advertising if consent has been given. Furthermore, only personal data obtained by the controller from the data subject may be used, and therefore no data from third parties. These rules apply in general to techniques for delivering advertising messages related to political advertising that involve the processing of personal data. If the controller has reasonable certainty that the data subject is under the age of 17, no personal data may be processed for the purpose of offering political advertising. Transparency and accountability in targeting Providers and publishers of advertising services must comply with strict accountability and transparency obligations. For example, they must establish and maintain an internal policy; keep records; and clarify the criteria used for selecting target groups and the personal data processed in doing so. In principle, it is prohibited to use special categories of personal data, such as political opinions, religion, or ethnicity, for targeting or amplification. This is only permitted if very strict conditions are met and explicit consent has been given. Consequences of non-compliance In the Netherlands, supervision of the regulation is carried out by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP). The AP has extensive enforcement powers. Violations of the rules on political advertising can result in heavy fines, reputational damage, and even a ban on offering advertising services. It is therefore important to ensure compliance in good time. What should you do now? It is important to adapt your processes and contracts to the new rules in good time, before October 10, 2025. Keep in mind that the next House of Representatives elections will be held on October 25. The new rules will therefore apply to the final phase of the campaign. Any communications made in the context of this campaign will already have to comply with the new rules. How can we help you? The implementation of this regulation requires legal, technical, and organizational adjustments. Our firm has extensive experience with this type of regulation and is happy to assist you with: Assessing your current processes; Drafting or adapting internal procedures and contracts; Training your employees; Providing guidance on supervision and enforcement. Would you like to know what these rules mean for your organization in concrete terms? Please contact Jan Baas or a colleague from the Data & Privacy Team. They are happy to assist you. 

The European Data Act comes into force with effect from 12 September 2025. This Regulation creates new rights and obligations that cover not just personal data, but data in general. The practical implications are huge. The Data Act particularly affects parties offering connected or Internet of Things (IoT)) products and cloud services. What is not often mentioned is that the Regulation also contains rules on data sharing agreements. These rules apply to all businesses. Providers of connected devices and related services The first main topic in the Data Act concerns the rules on the sharing and use of usage data from connected products and related services. These include products and services such as smartwatches and smart speakers with a virtual assistant like Alexa, as well as agricultural machinery with internet access. Businesses must comply with new obligations regarding connected products and related services as a result of the Data Act. First, companies that produce connected products and provide related services should design the products and services so that users can easily access their data (data access by design). Moreover, the Data Act gives users an explicit right of access to usage data. This right of access means that users of connected products and related services can easily access their usage data where data access by design has not been provided for. In addition, enterprises should also allow users to easily share their usage data with another party. Finally, buyers of connected products and recipients of a related service from the seller and the provider, respectively, should also be given certain information about how the connected product collects data. The data holder (usually the provider of the connected product or a related service) may now use non-personal data only if the agreement with the user of the connected product or related service allows it. The data holder must not use the data to derive insights about the economic situation, assets and production methods of the user, or the user’s use of the product or service, in a manner that could undermine the commercial position of the user on the markets in which the user is active. Data may be shared with third parties only when necessary to perform the agreement with the user. From 12 September 2026, connected products sold and related services provided must comply with the data access by design obligation. The other rules on connected products and related services, including the explicit right of access, already apply from 12 September 2025. Cloud service providers The second main topic concerns the rules imposed on data processing services. The term data processing services refers to a wide range of cloud services. The preamble refers to infrastructure as a service (IaaS), platform as a service (PaaS), software as a service (SaaS), storage as a service and database as a service. The term also covers what are known as edge services. The obligations imposed on data processing service providers relate to 1) facilitating switching, 2) facilitating interoperability between different data processing services and 3) preventing international governmental access. From 12 September 2025, data processing service providers will have to comply with these rules. Sharing of data with governments The third main topic concerns rules on mandatory data sharing with public sector bodies, the European Central Bank, the European Commission or any other European Union body. These bodies can request data on the basis of exceptional necessity. This can only be done if, in an emergency situation, the bodies cannot obtain the data in a proper and timely manner by other means. Bodies may also request non-personal data when such data is necessary for the performance of a specific task in the public interest, such as the compilation of official statistics. These rules will also apply from 12 September 2025. Unfair contractual terms between enterprises Perhaps the most surprising part of the Data Act is the provision on unfair contractual terms. It applies to data-sharing agreements made between enterprises (B2B). In short, the article provides that contractual terms on data are not binding on the other party if the terms have been unilaterally imposed by the provider and are labelled unfair. The article contains a list of provisions that are always unfair (a black list) and a list of provisions that are presumed to be unfair (a grey list). If an enterprise uses a grey list clause, this enterprise must prove that the clause is not unfair. What is striking about the article is that it is set up as a black and grey list between enterprises. Black and grey lists have long existed for general terms and conditions imposed on consumers by enterprises (see, for example, Articles 6:236 and 6:237 of the Civil Code), protecting consumers from unfair general terms and conditions. So now there is a similar list for business-to-business agreements. This provision applies regardless of the size of the enterprises concerned. The obligations in this article cover all contracts and clauses on data access and use concluded between enterprises. Any agreement or provision on data sharing and use will need to take this article into account. The article will often also apply when enterprises enter into contracts between themselves about personal data, such as a joint controller agreement under Article 26 of the General Data Protection Regulation (GDPR). The application of the article is mandatory law. This means that enterprises cannot agree that the article does not apply to their relationship and cannot deviate from it. It is important that enterprises are aware of this article when entering into agreements on (personal) data. For buyers, though, it is important to always try to negotiate the unfair contract terms imposed on them. If no attempt has been made to negotiate the unfair terms, an enterprise cannot invoke the protection of the article. The provision applies to all agreements concluded after 12 September 2025. For some agreements entered into before 13 September 2025, the provision applies from 12 September 2027. This applies to agreements entered into for an indefinite period and those expiring after 11 January 2034. Monitoring and enforcement of the Data Act The Data Act has direct effect in the Dutch legal order, leaving no or limited scope for divergent or additional national rules. For the matters to be regulated nationally, a national Implementation Act is pending. The Regulation gives Member States the freedom to decide themselves which supervisory authority is competent to enforce the Regulation’s provisions. In the Netherlands, the Lower House has yet to vote on the draft Dutch Implementation Act. The current draft Data Regulation Implementation Act designates the Data Protection Authority (AP) and the Consumer and Market Authority (ACM) as supervisors. Conclusion The Data Act will apply in the Netherlands from 12 September 2025. The Data Act creates new rights and obligations for enterprises in particular. In particular, all enterprises will have to be vigilant of the rules on unfair contractual terms when concluding agreements on (personal) data. The AP and the ACM are likely to be designated as supervisors for compliance with the Regulation. The Data Act is not applicable at present. Nevertheless, enterprises are advised to take measures in advance. This will allow timely adaptation of operations to the obligations imposed by the Regulation. Finally More blogs on this topic will follow. Keep an eye on our website for the latest news. This blog originally appeared on Privacy Web. If you have any questions about the Data Act, please contact Jan Baas, Jiahui Plomp or one of our other Data & Privacy specialists. This article was co-authored by Jolijn Gijsen.

On May 2nd 2023 the Digital Markets Act (DMA)[1] entered into force. This European Regulation aims to ensure healthy and fair competition on the digital markets in the EU by imposing a set of rules and obligations on so-called ‘’Gatekeepers’’. Gatekeepers are big digital platforms which provide so-called core platform services, such as online search engines or app stores, and which possess significant power on the market. To prevent these gatekeepers from obstructing their competitors with their market power, the gatekeepers are bound to comply with the rules and obligations set out in the DMA. The DMA is part of the EU’s Digital Services Act Package and touches upon several competition and privacy law aspects. The first draft of the DMA has been published in 2021, together with the first draft of the Digital Services Act (DSA). The DMA is supposed to contribute to fairer and more contestable digital markets, together with the DSA, the GDPR and the AI Act. In this blogpost, we will set out the rules and obligations imposed on gatekeepers by the DMA, and will elaborate on how the DMA can be used by (smaller) competitors in order to prevent unfair competitive behaviour from gatekeepers on digital markets. Who are gatekeepers? Gatekeepers within the meaning of the DMA, are undertakings that provide core platform services and which fulfil the following three (cumulative) criteria: The undertaking has a size that impacts the internal market. The undertaking controls a major gateway for business users to end-users. The undertaking has an entrenched and durable position. The DMA also prescribes a list of core platform services, including online brokering services, online search engines, online social networking services and web browsers. If the above criteria are met, then the European Commission can formally designate the undertaking as a gatekeeper, meaning that the undertaking must comply with the DMA’s obligations. Currently, seven undertakings with a total of 24 services have been designated as gatekeepers under the DMA by the European Commission. They are Alphabet (including Google Search, YouTube), Amazon, Apple (including Appstore), Booking (Booking.com), ByteDance (TikTok), Meta (including Facebook, Whatsapp) and Microsoft (including Windows, LinkedIn).[2] Obligations and prohibitions for gatekeepers The DMA contains a comprehensive list of practices of gatekeepers considered unfair, and prescribes various obligations to gatekeepers. Gatekeepers are required to comply with these obligations within six months of the designation decision. For the initial six gatekeepers, the six-month deadline expired on 6 March 2024. Booking was designated as a gatekeeper later, and still has until 13 November 2024 to become fully DMA-compliant. A few examples of obligations imposed on gatekeepers by the DMA are the following: Enabling third parties to cooperate with the gatekeeper’s own services in certain specific situations; Providing business users with access to data on the knowledge platform that these users generate themselves; Providing advertisers and publishers using the gatekeeper’s platform with the necessary tools and information to analyse ads themselves on the gatekeeper’s platform; Enabling business users to promote their offerings on the gatekeepers platform and enter into contracts with customers outside the platform. On top of these obligations, the DMA prohibits certain behaviours performed by gatekeepers, such as: Rank own services and products on the platform higher or more favourably than comparable third-party products or services; Prohibiting consumers from contacting companies outside the platform; Preventing users from uninstalling automatically installed software or apps; Tracking end users outside the core platform gatekeeper service for the purpose of targeted advertising, without effective consent. Processing of personal data The DMA also affects the way gatekeepers process personal data. The DMA includes a number of obligations for gatekeepers aimed at protecting users’ privacy. These obligations ensure that gatekeepers do not abuse their (dominant) position by combining data of users collected in different services for commercial purposes. These are the following obligations: The gatekeeper may not process personal data of end users using third-party services through core platform services for the purpose of offering online advertising services; Personal data of the core platform service may not be combined with personal data of other core platform services, other gatekeeper services, or third-party services; Personal data from the core platform service may not be used in other separate gatekeeper services, including other core platform services, and vice versa; End users may not be automatically logged into other gatekeeper services for the purpose of combining personal data. European Commission investigations The European Commission has the power to investigate gatekeepers’ compliance with the DMA. It has now launched several such investigations. For example, Apple is the subject of three different non-compliance investigations. As part of one of these investigations, the European Commission published preliminary findings on 24 June 2024, stating that Apple’s steering rules used in the Apple App Store violate the DMA. Apple currently uses three types of business terms in the App Store under which app developers are not free to redirect their customers to alternative and/or cheaper distribution channels. For example, developers cannot provide pricing information within the app or otherwise communicate with their customers to promote offers available on alternative distribution channels. This, in the European Commission’s preliminary view, constitutes a violation of the DMA. Apple now has the opportunity to defend itself before the Commission will make final decisions regarding any non-compliance and potential penalties.[3] Non-compliance with the DMA If the European Commission’s investigation proves that a gatekeeper does not comply with the obligations set out in the DMA, the European Commission may impose penalties on the specific gatekeeper. The European Commission can impose fines on the platform of up to 10% of its total annual worldwide turnover or up to 20% in case of repeated infringements. The European Commission may also decide to impose a periodic financial penalty of up to 5% of the average daily turnover. Finally, additional measures may also be imposed in case of systematic violations of the DMA, which may go as far as an order to change the behaviour or structure of the platform concerned. Enforcement Compliance with the DMA is in principle enforced by the European Commission. However, there are several tools for market players/competitors who are hindered by gatekeeper’s behaviour, which can be used to initiate or encourage enforcement and/or compliance. First of all, complaints can be submitted to national competition authorities, such as the Authority Consumer and Market (ACM) in the Netherlands. These competition authorities are designated national regulators and have powers to launch investigations into gatekeeper designation of undertakings, or into conduct of already designated gatekeepers. In addition, competitors or other aggrieved parties can go directly to court to enforce compliance with the DMA or claim damages after a violation of the DMA has been established. This can be done, inter alia, in mass tort claims. Facing challenges with gatekeepers? Is your enterprise facing market obstructions relating to the dominant position of gatekeepers? Are your interests as a competitor and/or consumer being harmed by their actions? We can help you strategize to counteract these unfair practices and seek compensation for any damages incurred. Would you like to know more about the DMA? Feel free to contact Monika Beck, Jiahui Plomp or one of our other specialists. [1] Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act) (OJ 2022, L 265/1). [2] For an up-to-date overview of designated gatekeepers reference is made to the website of the European Commission ‘’Gatekeepers’’ [https://digital-markets-act.ec.europa.eu/gatekeepers_en]. [3] More information regarding the investigation can be accessed on European Commission, Press Release: Commission sends preliminary findings to Apple and opens additional non-compliance investigation against Apple under the Digital Markets Act, 24 June 2024 [https://ec.europa.eu/commission/presscorner/detail/en/ip_24_3433]