News

Unsurprisingly, national debates about how to increase security in the light of terrorism carry over into this week’s European Council meeting. It remains to be seen if fundamental rights can stand the test of time. “Brussels” is getting ready for the summer recess, yet not without giving a good pre-break push to some of the key dossiers (e.g. ePrivacy draft report, Consumer Protection Cooperation trilogue). Watch out for a couple of new (or awaited) initiatives in the last trimester of 2017, such as cybersecurity, data flows and collecting e-evidence across borders.

The EU (among others) has been taken by surprise: WannaCry has demonstrated how ill-prepared the block is against cyber-attacks. Expectations are high that the Network and Information Systems Security Directive (NISD) will increase both public and private actors’ capacity to prevent and react to large-scale incidents. Also, the EU is revamping its Cybersecurity Strategy and Europol has been equipped with new powers and is very keen on communicating its actions and successes. Other Digital Single Market (DSM) related files are also moving forward, e.g. the audio-visual media services directive (AVMSD). The widened scope of the AVMSD, new initiatives proposed under the DSM review together and (Member State) actions against hate speech (see Facebook) are strong indicators that intermediary liability is high on the agenda again. For now, the European Commission, especially DG Connect, still displays itself as the defender of the e-commerce Directive and its principles – but its defence lines crumble under increasing pressure from the Member States and the Commission’s own sectoral legislation.

In this edition of CENTR's EU Policy Update: more GDPR and ePR in our regulation acronym soup, ENISA's cybersecurity ambitions, update on geo-blocking and the Digital Single Market at the European Parliament, decrypting encryption in the European Commission Cybersecurity Strategy, Microsoft and Google unveil their transparency reports, Internet of Things are discussed in Brussels, CENTR to join "domains and jurisdiction contact group", and much more.

One could easily get the impression that the internet is an evil place – at least judging by the number of EU-level initiatives that are meant to protect the citizens from crime, terrorism, cyber-threats, eavesdropping, data abuse and more. The only attempt at fostering a free flow of data was stripped down to a nice-to-have-but-unlikely-to-happen, after various Commissioners and Member States did not really see a need to address national data localisation rules. An overview of these initiatives, combined with an update on court cases related to copyright, data protection and surveillance make up this month’s EU Policy Update.

The year-end EU Policy Update comes in quite some density – and therefore with a new structure. No EU institution wanted to be perceived as idle, so you’ll find last-minute publications (consumer protection), (partial) positions (geo-blocking, terrorism, roaming), and reinforced initiatives (hate speech) – so that everyone is able to tell a success story after all. Still, some core proposals for 2016 had to be postponed to next year (ePrivacy, IPRED) – at least on the Commission’s agenda, since the incoming EU Presidency (Malta) might have set its priorities elsewhere. With so many digital files in course, you will find more background information in this update than usual – not least to keep you busy over Christmas! (By the way: If you are still in search of an advent calendar, Europol has the solution.)

When it comes to sharing EU citizens’ data with the US, the EU likes to think of itself as the bastion of data protection. However, the walls of protection are thinner within the EU itself, especially when EU and national law-makers declare war on terrorism. Governments and law enforcement alike increasingly request to access, retrieve and retain personal data and to limit the availability of encryption to users and companies. Their greatest challenge, however, seems to be to draft legal texts that reflect and respect how the Internet works. This includes defining clear, non-ambiguous measures that effectively tackle the identified problems without compromising the openness, resilience and stability of the Internet. In this EU Policy Update, you will find news on Digital Single Market files, international data transfer agreements, mass surveillance as well as landmark cases, such as Breyer vs. Germany or Microsoft vs. DOJ.

The long-awaited copyright proposal is finally out: The Commission displays itself as the guardian of artists and the defender of rights holders and publishers. Obviously, this can't make everyone happy. No real surprises with regards to the telecom review ever since the impact assessment was published. The free flow of data will be another "big one" – scheduled for end of November. Europol and Interpol had their big yearly conference, where they identified major challenges and corresponding priorities for the coming years. Meanwhile, Europol's terrorism-related units expand their reach and activities. Both Commission and Europol focus on enhancing collaboration between the public and private sectors and with law enforcement confirming the worrying trend to privatise responsibilities for otherwise state or law enforcement-related tasks.

Europe’s net neutrality rules are ready to be tested on the ground: BEREC, the body of European regulators for electronic communications, published guidelines for national regulators who will be responsible for overseeing the rules when applied by telecom providers. The latter will see their opportunities to diversify data speed offers reduced (but hold their tongues for now). In the meantime, (draft) documents keep leaking out of the Commission – copyright and the telecom review being first on the list. Official versions expected in Q4 include: Telecoms review (13/9), copyright (21/9), Cloud computing (October), Startup initiative (November), free flow of data (30/11), VAT for e-commerce and e-Privacy (December).

Will the EU see a new data retention law? The Commission’s plans for a new EU-wide data retention law will have been reinvigorated by the recent opinion of the ECJ’s Advocate General. The latter states that a general obligation to retain data may be compatible with EU law provided that strict safeguards are in place. Accordingly, the “bulk collection” of data would only be admissible in the fight against serious crime, when strictly necessary to do so and when limited to the strictly necessary. It will be up to national courts to decide if these requirements are met. However, one can assume that in order to avoid a fragmented approach across the EU, the Commission will want to put it under the umbrella of an EU directive.

With the European Parliament entering its last meeting week, summer recess is creeping into the otherwise buzzing EU-quarters in Brussels – giving the (new) Slovakian EU Presidency a smooth start into its 6-month reign. The European Commission has closed a couple of public consultations and made sure to send out some “good vibes” before the break (e.g. finalising the EU-US Privacy Shield, announcing investment into cybersecurity). Legal cases are also part of this EU Update, with US internet companies going through gain and pain, and Facebook being party to the next landmark case potentially shaking not only transatlantic but also global data transfers of personal data.