In a nutshell: The European Commission opened a public consultation on the cross-border enforcement of consumer protection law and issued proposals to reform the EU framework on geographical indications. The European Court of Auditors published the conclusions of its report on intellectual property rights in the EU. The CJEU reaffirmed the prohibition of the general and indiscriminate retention of electronic communications data and held that online content-sharing service providers’ obligation to monitor content under the Copyright Directive is compatible with freedom of expression. The European Parliament and the Council of the EU reached a political agreement on the DSA. The European Parliament adopted the Data Governance Act in plenary, and JURI issued its Draft Opinion on the proposal for an EUID. ENISA issued its report on Coordinated vulnerability disclosure policies in the EU. The EU, the US and other international partners issued a Declaration for the Future of the Internet.
The European Commission issued proposals to reform the EU framework on geographical indications
The European Commission issued two proposals which aim to reform the EU framework on geographical indications. Its first proposal from 31 March for a Regulation on geographical indications for wine, spirit drinks, agricultural products and quality scheme for agricultural products aims to revise the existing geographical indications system (GI) in the EU in order to better enforce GI rules and protect them on the internet, including “against bad faith registrations[…] and uses in the domain name system”. As for the second proposal from 13 April, the Commission aims to expand the protection of GIs, currently reserved to agricultural products, wine and spirits, to craft and industrial products (CIs). The proposal also intends to expand the GI protection to the online world, “including domain names on the internet” by establishing “directly applicable GI protection for CI products at Union level”, building on the existing regime for agricultural products. Ensuring an “efficient registration of geographical indications for craft and industrial products” at EU and international level is also a priority that is outlined in the proposal. Another measure put forward is that the European Union Intellectual Property Office (EUIPO) should establish an information and alert system which will inform applicants when a domain name “conflicting with their geographical indication is registered”. The domain name alert system should in principle also be expanded to all trademarks registered in the EU, according to the proposed amendment to existing trademark legislation under Regulation 2017/1001, as part of the GI protection package. The proposals also contain common provisions, for instance by stipulating that the alert system should also inform applicants of the “availability of the geographical indication as a domain name”. Both proposals also stress that persons with legitimate interests in registered GIs should also be entitled to “request for the revocation or the transfer of the domain name” if it was registered without rights, in bad faith, or without legitimate interest in the GI. The proposals also stipulate that competent authorities designated under the regulations may issue orders to act against illegal content.
The European Court of Auditors issued a special report on EU intellectual property rights
On 26 April, the European Court of Auditors (ECA) issued a special report on intellectual property rights in the EU, laying down the results of its audit conducted from 2017 to 2021 on the protection of EU trademarks, geographical indications and design in the internal market. The audit found that despite a general solid and robust EU IP framework, there are still some shortcomings regarding its implementation and enforcement. Regarding geographical indications, the report stresses that the scheme for agricultural products does “not cover the full range of goods classed as agricultural products” under the World Trade Organisation Agreement (WTO) and that the EU lacks a registration system for craft and industrial products, making it “difficult or impossible to ensure their protection”. The ECA therefore advises the Commission to “provide for the protection of geographical indications for non-agricultural products” and to extend “EU trademark enforcement protection to all EU intellectual property rights”. It also states that the Commission should analyse and register GI applications “in a timely manner and provider Member States with official guidelines on geographical indication controls” by 2025. As for the IPR Enforcement Directive, the report found some disparities within the Member States regarding its transposition, leading to “a divergence of IP protection in the Single Market”. The ECA therefore advises the Commission to better monitor customs enforcement, standardise reporting activities and “establish a control strategy based on IPR risk management”.
The European Parliament and the Council of the EU reached a political agreement on the Digital Services Act
On 23 April, the European Parliament and the Council of the European Union reached a political agreement on the Digital Services Act (DSA). According to the Council’s press release, the new agreement prohibits ‘dark patterns’, requires platforms that are accessible to minors “to put in place special protection measures to ensure their safety online” and imposes a “duty of care of marketplaces vis-à-vis sellers who sell their products or services on their online platforms” (see our previous reporting here). European Commission President Ursula von der Leyen has stated that the agreement reached is historic and will “upgrade ground-rules for all online services in the EU”, giving “practical effect to the principle that what is illegal offline, should be illegal online”. The political agreement is awaiting a formal approval by the European Parliament and the Council.
The CJEU held that content filtering under the Copyright Directive is compatible with freedom of expression
On 26 April, the Court of Justice of the European Union (CJEU) affirmed that online content-sharing service providers’ obligation to review protected content prior to its dissemination to the public is compatible with freedom of expression, as the filtering obligation is accompanied by the necessary safeguards enshrined in the EU copyright legislation. According to the EU Copyright Directive 2019/790, although online content-sharing services can be held liable for copyright infringements where protected works are unlawfully uploaded on their services, they can be exempt from liability if they have preventively monitored the content through automatic recognition and filtering tools. The CJEU also cited the relevant case law of the European Court of Human Rights (ECtHR) stipulating that “the internet has now become one of the principal means by which individuals exercise their right to freedom of expression and information”. According to the relevant case-law of the ECtHR, in light of their accessibility and capacity to store and communicate vast amounts of information, internet sites play an important role in enhancing the public’s access to news and facilitating the dissemination of information in general. In relation to online content-sharing platforms, the CJEU held that despite its limitation to the exercise of the right of freedom of expression and information of users, this monitoring obligation is proportionate to the purpose of protecting intellectual property rights. First, the Directive ensures that the liability of service providers can only be incurred if the rightsholders concerned provide them “with the relevant and necessary information with regard to that content”. Second, the legislator made it clear that filtering tools could not include “measures which filter and block lawful content” and that the Copyright Directive could not lead to any general monitoring obligations. The Directive also puts in place procedural safeguards which protect the right to freedom of expression in case the “providers of those services nonetheless erroneously or unjustifiably block lawful content”. Finally, the CJEU recalled that when transposing the Directive, Member States must “take care to act on the basis of an interpretation of that provision which allows a fair balance to be struck” between different rights.
ENISA issued its report on Coordinated vulnerability disclosure policies in the EU
On 13 April the European Union Agency for Cybersecurity (ENISA) issued its report on Coordinated vulnerability disclosure policies in the EU (so called ‘CVD’). According to the report, “security research, communication between stakeholders, patching and good security practices” are key in addressing security vulnerabilities with global repercussions. CVD policies are also relevant for the implementation of the NIS 2 directive, which will require Member States to “design cybersecurity strategies that promote the development of CVD policies”. Regarding CVD policies within the EU, the report finds that currently only four Member States have any in place and four others are about to implement them. Some stakeholders have also taken initiatives at national level, such as the collaboration between the DNS.PT Association and the Portuguese National Cybersecurity Centre that launched a campaign to “promote the adoption of good practices and standards contributing to the security, integrity, and confidentiality of the internet”. According to the study, one of the obstacles for more harmonised CVD policies is the legal risk researchers face when reporting vulnerabilities (e.g. potential data protection breaches). Other obstacles include the “limited economic incentives for vulnerability research”. To tackle such challenges, ENISA provides a set of recommendations. For instance, ENISA recommends amending the Cybercrime Directive 2013/49/EU to recognise researchers’ status as potential whistleblowers, which would offer additional protection to ethical hackers. As for the limited economic incentives, ENISA recommends that both the EU and Member States encourage participation in bug bounty programmes. ENISA also recommends that the EU should suggest a “common model” of CVD and “encourage the harmonisation of CVD initiatives across countries.
The European Commission opened a public consultation on the cross-border enforcement of consumer protection law
The European Commission opened a public consultation on the cross-border enforcement of consumer protection law, which aims to gather feedback from different stakeholders regarding the enforcement of consumer rights in the EU. The consultation was launched ahead of the Commission’s reports on the enforcement and out-of-court dispute resolution of consumer protection law, which are expected to be conducted before 2023. These will analyse the progress in the implementation of the Consumer Protection Cooperation (CPC) Regulation, the European Online Dispute Resolution (ODR) Directive, and the Alternative Dispute Resolution (ADR) Directive that may serve “as a foundation for future legislation and/or non-legislative initiatives aiming at strengthening public enforcement and redress tools available to consumers”. Stakeholders have until 27 June to respond to the public consultation, which takes the form of a 14-question survey.
The JURI Committee issued its Draft Opinion on the proposal for a European Digital Identity
On 29 April, the European Parliament’s Committee on Legal Affairs (JURI) issued its Draft Opinion on the Commission’s proposal for a European Digital Identity (eID). According to the opinion, European Digital Identity Wallets should allow users to use “electronic signatures and seals which are accepted across the Union” and should ensure high levels of security, including the encryption of content. The Draft Opinion also stipulates that EU Digital Identity Wallets should ensure their “seamless interoperability” by relying on the use of Free and Open Source technology. As for cybersecurity, JURI stresses that if the trust service providers fail to fulfil the cybersecurity risk management requirements listed in the NIS 2 Directive, the supervisory body may withdraw the “qualified status of that provider or of the service concerned”. JURI also suggests that Member States should not prevent or restrict eIDs from being used anonymously or under pseudonyms unless EU or national law requires identification for legal purposes. Within 12 months following the entry into force of the eID Regulation, Member States will have to notify at least one eID scheme, including the European Digital Identity Wallet.
The European Parliament adopted the Data Governance Act in plenary
Following its agreement with the Council of the European Union in November 2021, the European Parliament adopted the Data Governance Act in plenary (see our previous reporting here). The Regulation establishes the concept of ‘data altruism’ that allows data subjects to voluntarily share their personal data based on informed consent, and aims to “encourage the use of public sector data for the purposes of scientific research” through a “harmonised framework for data exchanges”. Data which is not accessible due to commercial and statistical confidentiality and data that is included in works over which third parties have intellectual property rights is excluded from the scope of the Regulation. Before any transmission of data for the purposes of re-use, personal data should be anonymised, or data containing commercially confidential information should be modified in such a way that no confidential information is disclosed. The Regulation encourages the establishment of providers of ‘data intermediation services’ to serve as a tool to connect the different actors, contribute “to the efficient pooling of data” and to the “facilitation of bilateral data sharing”. These providers of data intermediation services can include public sector bodies and must be neutral. According to the Regulation, the Commission will establish a European Data Innovation Board with representatives of competent authorities from all Member States, the European Union Agency for Cybersecurity (ENISA) and the European Data Protection Board, among others, to assist the Commission in developing a “consistent practice for data altruism”. The Board will also help develop guidelines “for cybersecurity requirements for the exchange of storage and data” and common European data spaces. The Regulation recalls that the GDPR does not apply to anonymous information, and that Member States should “promote the creation and the procurement of data in formats and structures that facilitates anonymisation in this regard”.
The CJEU reaffirmed the prohibition of the general and indiscriminate retention of electronic communications data
On 5 April 2022, the CJEU reaffirmed the prohibition of the general and indiscriminate retention of electronic communications data by referring to principles established by the CJEU in its previous case-law (see our previous reporting here). The CJEU reiterated that the general and indiscriminate retention of traffic and location data as a preventive measure to combat serious crime and for the prevention of serious threats to public security is contrary to EU law. The retention of traffic and location data must be limited, “on the basis of objective and non-discriminatory factors, according to the categories of persons concerned or using a geographical criterion, for a period that is limited in time to what is strictly necessary”. However, for the purposes of safeguarding national security, combating serious crime and preventing serious threats to public security, competent authorities can require providers of electronic communications to undertake “for a specified period of time, the expedited retention of traffic and location data” in their possession (so called ‘quick freeze’). The CJEU also recalled that general retention can be allowed for data relating to the identification of users of electronic communications systems (subscriber data) and for IP addresses assigned to the source of an internet connection for a limited period.
Outside the EU bubble
The European Union, the United States and 32 other international partners issued a Declaration for the Future of the Internet
The European Union, the United States and 32 other international partners issued a Declaration for the Future of the Internet, affirming their commitment to protect and respect “human rights online and across the digital ecosystem” and calling on other partners to join them to “affirm guiding principles[…] in the future of the global Internet”. Signatories of the Declaration highlighted their ambition to “protect and fortify the multistakeholder system of Internet governance and to maintain a high level of security, privacy protection, stability and resilience of the technical infrastructure” of the internet. According to the Declaration, these principles should be promoted within “existing multilateral and multistakeholder fora” and translated into “concrete policies and actions” by guiding policymakers, citizens and businesses. More specific guiding principles listed in the Declaration include combatting cybercrime, protecting personal data, promoting and using trustworthy network infrastructure, refraining from blocking lawful content and from “undermining the technical infrastructure essential to the general availability and integrity” of the internet. According to the Commission’s press release, the Declaration is an inclusive initiative and its signatories will continue reaching other countries to involve them in this initiative.