EU Policy Update - April 2021
In a nutshell: The European Commission unveiled its proposal on the Artificial Intelligence Act and the EU Strategy to tackle organised crime until 2025. ENISA published research directions for the EU digital strategic autonomy. The Council of Europe published a new draft text of the 2nd Additional Protocol to the Budapest Convention. The negotiators in the European Parliament and the Council of the EU reached a provisional agreement on temporary rules to detect and remove child abuse material. The European Parliament adopted TERREG.
The European Commission unveils its proposal on the Artificial Intelligence Act
On 21 April, the European Commission published its proposal for a Regulation laying down harmonised rules on artificial intelligence (Artificial Intelligence Act). The proposal establishes a list of prohibited Artificial Intelligence (AI): The prohibitions cover inter alia practices that have a significant potential to manipulate persons through “subliminal techniques beyond a person’s consciousness in order to materially distort a person’s behaviour in a manner that causes or is likely to cause that person or another person physical or psychological harm”. The proposal also prohibits AI-based social scoring for general purposes done by public authorities. High-risk AI systems should only be placed on the EU market or put into service if they comply with certain mandatory requirements, according to the proposal. These requirements should apply to high-risk AI “as regards the quality of data sets used, technical documentation and record-keeping, transparency and the provision of information to users, human oversight, and robustness, accuracy and cybersecurity”. AI systems identified as high-risk should be limited to those that have a significant harmful impact on the health, safety and fundamental rights of persons in the EU. As regards the management and operation of critical infrastructures, the proposal suggests that it is appropriate to “classify as high-risk the AI systems intended to be used as safety components in the management and operation of road traffic and the supply of water, gas, heating and electricity, since their failure or malfunctioning may put at risk the life and health of persons at large scale”.
ENISA published research directions for the EU digital strategic autonomy
On 23 April, ENISA published a document on "Cybersecurity Research Directions for the EU’s Digital Strategic Autonomy". The focus of this work, according to ENISA, is to identify the necessary research priorities to support the EU’s digital strategic autonomy and digital sovereignty. The report attempts to define the notion of digital strategic autonomy "as the ability of Europe to source products and services that meet its needs and values, without undue influence from the outside world". These needs may include hardware, software or algorithms, implemented as products and/or services. This research is intended to serve policymakers "in providing objective-driven strategic guidance for defining future projects and investments in cybersecurity". The research and innovation knowledge areas that were considered by the cybersecurity community to be the most significant for ensuring European digital strategic autonomy are: 1) data security; 2) trustworthy software platforms; 3) cyber threat management and response; 4) trustworthy hardware platform; 5) cryptography; 6) user-centric security practices and tools; and 7) digital communication security. When it comes to "issues related to [...]fundamental protocols" such as DNS or BGP, the report outlines that "the process of introducing secure alternatives to existing fundamental infrastructure is very slow". For example, "despite the fact that the current version of the DNS security extensions protocol was standardised between 2005 and 2013, the validation rate of domain names worldwide was less than 30% in April 2020", according to the report.
The Council of Europe published a new draft text of the 2nd Additional Protocol to the Budapest Convention
On 12 April, the Council of Europe published another draft of the 2nd Additional Protocol to the Budapest Convention on Cybercrime. The additional protocol concerns cross-border access requests to electronic evidence needed for "increased and more efficient cooperation between States and the private sector". In November 2020, an additional draft provision on requests for domain name registration information (Article 6) was added to this multilateral binding international treaty, in addition to an existing provision on cross-border access to general subscriber data (Article 7). Article 6 will allow state parties to the Budapest convention to adopt such legislative and other measures as may be necessary to empower its competent authorities, for the purposes of specific criminal investigations or proceedings, to issue a domain name registration data access request to an entity providing domain name services in the territory of another party, without the involvement of national competent authorities in the receiving state. In its final round of public consultations, the Council of Europe incited feedback from civil society, data protection authorities and the industry, before proceeding to the final stages of negotiations. Once the additional protocol is finalised and adopted, the protocol will be open for signatories and ratification by the states that are already parties to the Budapest convention.
The European Commission published the EU Strategy to tackle organised crime 2021-2025
On 14 April, the European Commission published its Communication on the EU Strategy to tackle Organised Crime 2021-2025. The strategy notes that the "agility of organised crime groups to adapt to and capitalise on the changes in the environment where they operate was confirmed during the Covid-19 pandemic". More specifically, criminal groups have exploited the pandemic to "expand online crime activities and to engage in fraud[...]". In the area of cybercrime, the strategy notes that it is "becoming more aggressive and confrontational". Rapidly progressing digitalisation creates new vulnerabilities that can be exploited in cyber-dependent crime. "Cyberattacks such as the creation and spread of malware, hacking to steal sensitive personal or industry data, or denial of service attacks, have increased over the last year both in number and degree of sophistication", according to the strategy. The counterfeiting of products is called a "high impact crime". As per the Intellectual Property Action Plan, in 2022 the Commission will establish an EU Toolbox for Counterfeiting, "setting out principles for joint action, cooperation and data sharing among law enforcement authorities, right holders and intermediaries". When it comes to the data retention of electronic communications data and metadata that is needed to conduct investigations, according to the strategy, the Commission intends to "analyse and outline possible approaches and solutions, in line with the Court’s[of Justice of the European Union] judgements, which respond to law enforcement and judiciary needs in a way that is operationally useful, technically possible and legally sound, including by fully respecting fundamental rights". Furthermore, the Commission "will consult Member States before the end of June 2021 with a view to devising the way forward". In general, access to electronic evidence also includes "swift and reliable access to WHOIS data, inter alia to help identify organised criminal groups that regularly abuse the Domain Name System (DNS) and other internet protocols in their cyberattacks or for other crimes such as scams or dissemination of illegal products and services", as outlined in the strategy. The strategy urges the European Parliament and the Council of the EU to "urgently adopt the e-evidence proposals to ensure speedy and reliable access to e-evidence for authorities".
The negotiators in the European Parliament and the Council of the EU reached a provisional agreement on temporary rules to detect and remove child abuse
The co-legislators, the European Parliament and the Council of the EU, reached a provisional agreement on a temporary e-Privacy derogation proposal for the purposes of combatting child sexual abuse, published by the European Commission in September (see previous reporting here and here). The agreed text aims to allow providers of communications services such as web-based email and messaging services to voluntarily detect, remove and report child sexual abuse material online as well as to use scanning technologies to detect cyber grooming. According to the European Parliament's press release, the "Parliament’s negotiators secured that national data protection authorities will have stronger oversight of the technologies used, an improved complaint and remedy mechanism, and that the processed data should be analysed by a person before being reported further". The deal will now be put to the Committee on Civil Liberties, Justice and Home Affairs (LIBE) and plenary for approval (indicative date 23 June) as well as to the Council of the EU.
The European Parliament adopted the TERREG
On 28 April, the European Parliament adopted the Regulation on preventing the dissemination of terrorist content online (TERREG). According to the new legislation hosting service providers will have to remove or disable access to flagged terrorist content in all member states within one hour of receiving a removal order from the competent authority. According to the adopted text, "providers of ‘mere conduit’ or ‘caching’ services, as well as of other services provided in other layers of the internet infrastructure, which do not involve storage, such as registries and registrars, as well as providers of domain name systems (DNS), payment or distributed denial of service (DDoS) protection services, should [...]fall outside the scope of this Regulation". The new regulation will target content such as texts, images, sound recordings or videos, including live transmissions, that incite, solicit or contribute to terrorist offences, provide instructions for such offences or solicit people to participate in a terrorist group. Content uploaded for educational, journalistic, artistic or research purposes, or used for awareness-raising purposes, will not be considered terrorist content under the regulation. The regulation will enter into force on the twentieth day following publication in the Official Journal. It will start applying 12 months after its entry into force.