EU Policy Update - April 2017

EU Policy Updates 24-04-2017

In this edition of CENTR's EU Policy Update: more GDPR and ePR in our regulation acronym soup, ENISA's cybersecurity ambitions, update on geo-blocking and the Digital Single Market at the European Parliament, decrypting encryption in the European Commission Cybersecurity Strategy, Microsoft and Google unveil their transparency reports, Internet of Things are discussed in Brussels, CENTR to join "domains and jurisdiction contact group", and much more.

1. Work-in-progress: Recent developments in EU policy dossiers

WP29 publishes additional GDPR-related guidelines – you can comment: The grouping of national data protection authorities (DPAs) – also called Art. 29 Working Party (WP29) – adopted final guidelines on data protection officers (DPOs), including for whom it is mandatory to designate a DPO, where a DPO is placed in an organisation, as well as the tasks and the role of DPOs.

The guidelines on data protection impact assessments (DPIAs) are now open for public consultation until 23 May 2017. The concept of a DPIA is not formally defined in the GDPR. The guidelines, however, help assess whether an organisation is required to carry out a DPIA, which, according to the GDPR, is the case when processing “is likely to result in a high risk to the rights and freedoms of natural persons” (s. Art. 35 (3)). Examples include where processing yields profiles and can predict an individual’s performance, systematic monitoring or processing of sensitive data. Failure to carry out a DPIA if mandatory can result in heavy fines. DPIAs are an important tool for data controllers to demonstrate accountability. Organisations that are required to perform a DPIA but fail to do so are subject to heavy fines. Comments on the guidelines can be sent to This email address is being protected from spambots. You need JavaScript enabled to view it. and This email address is being protected from spambots. You need JavaScript enabled to view it..

ePrivacy review – state of affairs: Whereas Members of the European Parliament (MEPs) agree that the ePrivacy Regulation (ePR) proposal is an important complement of the GDPR and that timing is crucial, they are divided over whether over-the-top (OTT) communication providers, such as WhatsApp or Skype, should be regulated like traditional telcos or not. At a recent public hearing, MEPs discussed a range of issues, including cookies, online tracking, privacy and connectivity – but no conclusions were drawn.

Ahead of the hearing, the WP29 published its opinion generally welcoming the Commission’s proposal, especially the choice of a regulation as legal instrument and the inclusion of OTT providers within its scope. However, the group is concerned about clauses that relate to WIFI tracking (i.e. tracking people via locating terminal equipment), the conditions under which companies are permitted to analyse content and metadata, and “tracking walls”, including privacy by default settings regarding terminal equipment and software, which would deny customers access to certain services if they do not consent to tracking. The WP29 warns that the ePR, in its current form, would lower citizens’ protection as granted under the GDPR.

The European Data Protection Supervisor (EDPS), Giovanni Buttarelli, is expected to publish his opinion soon, arguing that definitions need to be clarified, as they currently do not fit the fundamental rights context.

ePR debates are closely linked to the more advanced review of the European Electronic Communications Code (EECC). The latter sets out definitions of, for example, electronic communications providers. The Maltese EU Presidency is still working on the Council’s position. A version dated 24/03 is available via Politico.

ENISA seeks more power: ENISA envisages to have a much stronger mandate and more money to tackle and support the cybersecurity challenges of the future. According to its vision set out in “Cyber Security Beyond 2020” it not only sees its role in providing advice to EU institutions and Member States, but also in “developing and promoting cybersecurity standards, managing certifications” – both upon request but also at its own initiative. Member States are likely to curb the organisation’s ambitions: so far, cooperation happens rather at bilateral level and ENISA would need to have substantial access to information at various levels in the Member States to fulfil its envisaged mandate.

Geo-blocking - state of affairs: The European Parliament will vote on its report on 25 April. After lengthy negotiations, the rapporteur managed to include copyrighted goods, such as music and e-books, into the text – an issue strongly opposed by the Council. Trilogue negotiations are set to start after the EP adopts its position. The main objective of the draft regulation is to end discrimination of customers or companies based on their nationality, place of residence or establishment when they trade online.

2. Coming up: (scheduled) initiatives on the horizon

Commission gets serious about Cybersecurity Strategy Update: The Commission is expected to address how it intends to handle encryption and data retention among other things. The proposal is planned for May. Various Commission DGs, Europol and industry representatives have been asked to provide input during a recent meeting.

Privacy Shield – you can complain: The WP29 has released a complaint form for individuals who fear that their personal data has been misused after being transferred from the EU to the US under Privacy Shield rules. Complaints are submitted to a citizen’s national DPA and from there passed on to the US Ombudsman. The form has been published in the context of an executive order by US President Trump on public safety that could undermine privacy protection of non-US citizens (s.a. article). A first annual review to evaluate the effectiveness and robustness of the Privacy Shield is scheduled for autumn 2017. The European Data Protection Supervisor (EDPS) has serious doubts about the Trump administration’s commitment to privacy protection and the Privacy Shield after Congress recently repealed FCC privacy rules for ISPs.

DSM in the European Parliament – you can participate remotely: The European Parliament’s committees that deal with issues related to the digital single market (DSM) are going to be busy next week. The following meetings all allow for remote participation.

  • Joint ITRE & IMCO Meeting discusses online platforms (24 April 2017)
  • LIBE Meeting will see presentations about Europol’s Serious and Organised Crime Threat Assessment report 2017, followed by a debate with experts on the fight against cybercrime, including how to deal with cross-border issues (24 April 2017)
  • LIBE Hearing on “Child sexual abuse and exploitation online and offline” will try to assess what measures have been taken to implement the corresponding directive (25 April 2017)

3. What else? Other things that happened at EU-level, mostly FYI

Microsoft and Google publish transparency reports: During the first half of 2016, Microsoft has received between 1,000 and 1,499 orders to disclose content of their users by the US government under Foreign Intelligence Surveillance Act (FISA) orders. This is more than double the amount than in the previous period. Google revealed that in 2016, it had received more than 90,000 government requests for user data – the majority of which came from the US, Germany and France. This constitutes an increase of 20% as compared to 2015. In both cases, the companies insist that they do not act on each of these requests, carefully analyse them and, if necessary, challenge the requests or orders in court.

Brussels hosts 4th European IoT Summit: The Internet of Things (IoT) is high on the agenda – for its potential as growth motor rather than for its potential to extrapolate security risks. At the summit, both Commission and industry representatives were eager to emphasise what IoT could do for Europe’s society and companies – partially to the extent that security risks were artificially downplayed during the debate. Discussions nevertheless touched upon privacy and cybersecurity, and addressed standardisation, interoperability, blockchain as well as the impact of IoT on the workforce (s.a. www.iotsummit.eu).

WP29 wants details about Yahoo surveillance: The WP29 has asked the US Office of the Director of National Intelligence to provide details about the legal basis and justification to surveil, in particular, European Yahoo customers. It also wants details about procedures that would make sure that the dissemination and retention of the data is kept to a minimum.

Public Survey on the future of the internet – you can participate: The European Commission, via the non-profit initiative REIsearch, has launched a series of public surveys enquiring how citizens perceive the future of the internet. Policy-makers hope to get a better idea of where priorities should be placed. The survey is launched via a group of media outlets, including Der Standard, El País, Frankfurter Allgemeine Zeitung, La Libre Belgique, Gazeta Wyborcza, Luxemburger Wort, Público, Il Sole 24 Ore, The Lancet, Cell and the Guardian (accessible here). 

4. Homework: Activities at domestic level

German hate speech law in violation of e-commerce directive? According to the new rules, social media companies and online platforms have to make sure to block or remove “obviously” illegal content within 24 hours after they have been notified by users. Otherwise, fines up to EUR 50 million could apply. The proposed law has now been sent to the Commission to check if it is in violation of the e-commerce directive.

The Commission is set to publish a follow-up on its platform communication on 10 May outlining how it intends to go about, for instance, terrorist content or hate speech. Guidelines, however, are unlikely to appear before the end of the year. So far the Commission has championed voluntary measures (s.a. EU Internet Forum), but with increasing pressure from Member States it might be inclined to go further and open up key clauses in the e-commerce directive that protect internet companies from having to monitor activity in their space and to proactively take down content. 

5. Further reading: Curiosities, background information, opinions

CENTR joins “domains and jurisdiction contact group”: The group runs under one of the programmes of the Internet & Jurisdiction network. It was established to develop options that could advance policy within certain areas that were identified at the 2016 Global Internet and Jurisdiction Conference. CENTR plans to contribute specifically to the group’s work on terminology. In the context of fighting against illegal content, the lack of clear terminology related to actions that registries are requested to undertake (such as “deleting” a domain name) often creates confusion. Widespread use of standard vocabulary, which CENTR could help to translate across Europe, could solve that issue. The group plans to meet virtually over the next 6 months and its work will be presented at the next Global Internet and Jurisdiction conference in February 2018 in Ottawa.

Delayed standards – no, you can’t buy it (yet): It might take some time until new WIFI-connected devices will come on the European market. The reason is a serious delay in the development of standards for manufacturers – driven by the 2014 Radio Equipment Directive. Completion was initially scheduled for 12 June. But neither the Commission, nor the European Telecommunications Standards Institute (ETSI) nor Member States were able to prevent the chaos. It remains to be seen if an extension to market new devices based on using old standards will be granted. So far the Commission has only confirmed that those manufacturers using old standards would not be punished.

Published By CENTR