News

In a nutshell: October was declared European Cybersecurity Month, with the trilogue discussions moving forward regarding the EU Cybersecurity Act. Discussions on ePrivacy seem to be hopelessly stuck with no end in sight at the level of the EU Council, while the Regulation on Free Flow of Non-Personal Data in the EU gets adopted by the European Parliament. The E-Evidence proposal, for its part, receives more criticism from the European Data Protection Board.

In a nutshell: September was a busy month for EU policymakers, who were back in Brussels after the holidays. Cybersecurity remains a key focus point, while we are yet to see any significant progress on e-Privacy or e-Evidence in the Council of the EU, despite ongoing debates. Parliamentarians have discussed the .eu Regulation reform in ITRE. Europol has published its annual report on cybercrime trends, and the UK government is preparing its businesses and citizens for a no-deal Brexit scenario.

In a nutshell: While summer months are typically calm on the policy front, the 2018 summer turned out to be a very interesting time for ccTLDs. The Parliament ITRE Committee’s report on the EU Cybersecurity Act got adopted by expanding its scope directly to the DNS. The Committee also came up with its draft position regarding the .eu regulation that is currently ongoing its revision. The content debate intensifies with copyright directive proposal moving to trilogue negotiations after the vote in the European Parliament, and the eagerly awaited proposal for tackling (read ‘blocking’) terrorist content online.

In a nutshell: This month, security initiatives topped the agenda in Brussels. The European Commission published its Fifteenth Progress Report on a Security Union and the Council agreed on a general approach on the Cybersecurity Act, while the incoming Austrian Presidency of the Council announced that it will prioritise security issues. On the data economy front, negotiations on the Free Flow of Data Regulation were finalised while in the Council technical discussions on ePrivacy will continue until the end of 2018. Finally, the debate on the use of technical measures to tackle illegal content online intensified in the on-going copyright reform discussions, where the Parliament’s leading committee’s position got rejected in the plenary vote.

On 25 May, the GDPR entered into force. Strengthened by this achievement, the Commission keeps pushing for a quick adoption of the eprivacy regulation, but the pace of discussions in Council is slowing down. The .eu regulation has been released earlier this month and a swift adoption is expected by the end of 2018. Likewise, the Cybersecurity Act is making smooth progress and trilogue negotiations could start already in July. The attention is increasingly focusing on law enforcement matters with the Council beginning discussions on the e-evidence proposal and delivering considerations on data retention and the TELE2 ruling. Finally, the intermediary liability debate continues with a public consultation running until 25 June and possibly leading to a new legislation on notice and action in the autumn.

This month saw an increase attention on encryption with the Commission launching an experts’ group and data protection authorities entering the debate. In parallel, the Commission released the long-awaited proposal to simplify cross-border access to e-evidence in criminal investigation. With deadline for the GDPR implementation approaching, new guidelines have been adopted to help the industry, while the WHOIS has been sanctioned again by DPA for non-compliance with the new data protection paradigm. New legislation on terrorism is being politically pushed by Germany, which would introduce a permanent monitoring obligation for platforms. Finally, ethics are entering the digital debate with the new Artificial Intelligence package.

In a nutshell: this month’s EU Policy Update sees the consolidation of important trends. Member States’ Recommendations have been released, calling for intermediaries to be more “responsible” in tackling illegal content online. Similarly, the discussions on IT security are progressing in the Cybersecurity Act, where clear responsibilities and liabilities for all stakeholders taking part in ICT ecosystems are proposed. In parallel, a new mechanism aimed at facilitating the gathering of evidence in justice investigations will be proposed, including provisions for direct access to companies’ data by authorities of foreign countries. All this comes in the context of a data economy where even if the mandatory location of data by government could become more complicated, nothing prevents States to discuss new EU data retention provisions and companies are even further restricted in their ability to process data.

The Commission and WP29 are worried about the state of affairs of GDPR implementation – and so are businesses according to surveys. Both the EU and Member States are stepping up the fight against illegal content. “Voluntary” measures are often not deemed enough at national level where laws have been or are being implemented. What shape an instrument at EU-level will take remains to be seen. We also look at cross-jurisdictional issues, including a potential solution to the Microsoft vs. DOJ case and how MPA managed to block content in Ireland.

If anyone expected the content debate to slow down in 2018, the Commission has proven them wrong. Already in the first weeks of the year, the Commission gathered more than 20 CEOs to tell them that their efforts to remove illegal content have improved but are by far not sufficient. Next week, the Commission will publish another evaluation report and by May, we will know whether to expect legislation or “just another voluntary” initiative. Businesses are responding by increasing their transparency – not only with regards to their efforts in fighting illegal content, but also in making users more aware of how much of their (personal) data governments request to access. Some key Digital Single Market files (ePrivacy, copyright, free flow of data) will be picked up again during the first quarter of the year, this time under the lead of the Bulgarian Presidency (check out the nice combination of Latin and Cyrillic script in their logo). Developments in the US are likely to swap over the Atlantic and impact the way EU citizens’ data is protected within and from the US.

EU decision-makers are slowly wrapping up major digital single market-related files before the end of the year. The Consumer Protection Cooperation regulation is (almost) signed and sealed with the European Parliament having approved trilogue negotiation outcomes (with some unfortunate results). Copyright issues (rightly or wrongly included in some dossiers) stifle most ongoing negotiations – but the will is there to find solutions. Accordingly, liability remains an important issue, e.g. for copyright-infringing or otherwise illegal content on platforms. Twitter and YouTube have recently changed their policies to (voluntarily) address harmful content. We can also see that across the Atlantic, the US has restricted the use of gag orders and announced a roll-back of net neutrality.