EU Policy Update - February 2017

EU Policy Updates 15-02-2017

One could easily get the impression that the internet is an evil place – at least judging by the number of EU-level initiatives that are meant to protect citizens from crime, terrorism, cyber-threats, eavesdropping, data abuse and more. The only attempt at fostering a free flow of data was stripped down to a nice-to-have-but-unlikely-to-happen, after various Commissioners and Member States did not really see a need to address national data localisation rules. An overview of these initiatives, combined with an update on court cases related to copyright, data protection and surveillance, makes up this month’s EU Policy Update.

1. Work-in-progress: recent developments in EU policy dossiers

Copyright-infringing torrent sites can be blocked: This is the recently published opinion (C-610/15) of the Advocate General (AG) at the European Court of Justice (ECJ). He clarifies that operators of websites that facilitate - e.g. through indexing or providing search engines - the sharing of files containing copyrighted works on peer-to-peer networks (e.g. The Pirate Bay) breach EU copyright law if, first, they are aware that the work was shared without the copyright holder’s consent and, second, they did not take action to make access to that work impossible. National courts can issue injunctions against ISPs ordering them to take (“proportionate” yet effective) measures to limit or stop access to such sites. AG opinions are not binding, but the ECJ usually follows them.

Draft regulation on e-Privacy published: The main objective of the review of the current directive is to ensure the confidentiality of all electronic communications and privacy for both content and metadata derived from electronic communications. The proposed regulation is meant to complement and particularise the GDPR. Whereas the GDPR only applies to the processing of personal data of individuals, the e-privacy regulation (ePR) covers all communication (B2B, B2C and C2C), whether the data is considered personal or not. It also guarantees the confidentiality and integrity of users’ devices. Encryption and data retention are regulated by neither the ePR nor the GDPR. In its current shape, the ePR seems to cover not only over-the-top (OTT) services similar to those of traditional telecom companies, which was the prime motivation for the review, but in fact any service that involves electronic communications. Applied to the DNS, query or WHOIS data could also be affected, and consent or risk-information procedures could become obligatory for it.

Consumer Protection Cooperation - next steps: The European Parliament’s (EP) lead committee on the dossier, IMCO, considered amendments to the draft report on 9 February; a vote in committee is foreseen in March. The Maltese EU Presidency is aiming to reach a general approach in February. The EP’s research service has published a briefing on the issue.

Commission launches free flow of data initiative: Under the banner of “building a data economy”, the European Commission aims to tackle barriers to the free flow of data. A public consultation will assess whether such barriers are unjustified, disproportionate and/or cause legal uncertainty. If deemed so, a legislative project could follow this year. The initiative is relevant to organisations that store or process data in multiple EU locations, or would like to, but are currently forbidden to do so by national legislation. It is equally important to those that benefit from data localisation rules, e.g. by using data security on nationally based servers as a trust argument. The consultation also addresses the question of data ownership, looking at non-personal, machine-generated data as a valuable and therefore tradeable economic good.

LIBE committee passes report on Big Data: The European Parliament’s civil rights committee passed a report warning about the dangers of big data to fundamental rights, especially when citizens are not aware that their data is being collected and used by large corporations. The report calls on companies to be transparent about their big data models and to respect GDPR requirements, e.g. the need to anonymise or pseudonymise data without the possibility of re-identifying the individual behind it. The report was created on the own initiative of MEP Ana Gomes: if it passes in plenary, it will become a non-binding resolution, reflecting what the EP thinks of Big Data before any (legislative) initiative is launched by the Commission.

What’s the EU doing to fight terrorism? A good overview of measures at EU-level has been published by the European Parliament’s research service.

2. Coming up: (scheduled) initiatives on the horizon

Facebook vs. Schrems on standard contractual clauses (SCC): After the European Court of Justice (ECJ) struck down the Safe Harbour Agreement, the new Privacy Shield was developed and SCCs were deemed a valid alternative for transatlantic data transfers. Schrems, however, also challenged SCCs (see his website) - in Ireland. The Irish DPC (data protection commissioner) now wants to refer the case to the ECJ (see explanatory memo), which could create an international crisis, even bigger than the one following Safe Harbour, if these clauses are ruled to be invalid.

National DPAs group publishes GDPR Action Plan: The Art. 29 Working Party (WP29), consisting of national data protection authorities (DPAs), has laid out how it sees the GDPR coming into force in about 500 days. It is in this context that the WP29 will publish guidelines, e.g. on consent and profiling, and will update existing opinions and referentials on “data transfers to third countries and data breach notifications”. Business and civil society are invited to join a meeting (“Fablab”) of the WP29 on April 5 and 6 (no location mentioned).

What the EU could do to fight IoT Botnets: Mirai is only one example of a very effective IoT botnet and its impact. The European Commission seems to be working on an IoT “trust label” that would inform consumers about the security of the device they are about to buy. The e-Privacy regulation (proposal) might also impact voice-controlled devices that process communication data (such as Siri or Echo). Legislation on cybersecurity certifications is also on the Commission’s agenda, but apparently not soon. Hard law is deemed better suited to making manufacturers liable for poorly secured devices. Here are some sites that show just how unsafe some devices are: Insecam (security cameras), Shodan.io (from people’s fridges to power plants).

3. Proud to present: success stories at EU level

Europol steps up fight against terrorism: Europol has significantly increased information sharing on terrorism-related threats - thanks to the European Counter Terrorism Centre (ECTC), which includes the Internet referral unit. Last year, Europol supported 127 counter-terrorism operations as compared to 86 in 2015. These include anything from countering online terrorism propaganda to fighting weapon trafficking.

Europol and GCA sign MoU: Europol and the Global Cyber Alliance (GCA) signed a Memorandum of Understanding (MoU) on 20/01/17 to cooperate in the fight against cybercrime in particular through more information exchange and joint international projects. Best practice recommendations include the Internet Immunity project and better adoption of DMARC email validation policies, as well as the No More Ransom project.

ENISA publishes 2016 Threat Landscape Report: The main motivation behind malicious cybersecurity activities is monetisation and political impact, according to the report. It is subdivided into emerging technologies in hardware and ad-hoc and sensor networking for mobile-to-mobile communications, and cyber-threat taxonomy.

4. What else? Other things happening at EU-level

Europol wants to improve online crime attribution: Law enforcement is challenged by the widespread use of so-called Carrier-Grade Network Address Translation (CGN) technologies by ISPs. CGN allows multiple users to share a single public IP address and makes it technically impossible for ISPs to comply with legal orders that request them to identify an individual subscriber or “online offender” from that address alone. Europol relates the increased use of CGN to ISPs’ failure to invest in the transition from IPv4 to IPv6. A network of Law Enforcement Cybercrime Specialists has now been created to document cases of non-attribution, exchange best practices and step up cooperation with ISPs and content providers to improve the traceability of IP addresses behind CGN.
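To make the attribution problem concrete, here is an added Python illustration; it is not code from the CENTR update, from Europol or from any ISP's real system. It models an ISP's CGN translation log (which subscriber held which public IP and source port during which interval) and looks up a content provider's access-log line against it. The subscriber ids, the NAT log and the log lines are constructed for the example; 203.0.113.0/24 is an IETF documentation prefix and 100.64.0.0/10 is the shared address space reserved for CGN deployments.

```python
"""Attribution behind Carrier-Grade NAT: why IP + timestamp alone is not enough.

Added illustration, not part of the CENTR update. The NAT translation log and
the content-provider log lines below are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NatMapping:
    subscriber: str      # ISP-internal subscriber identifier (constructed)
    private_ip: str      # address on the subscriber side of the CGN (100.64.0.0/10)
    public_ip: str       # shared public address (documentation prefix 203.0.113.0/24)
    public_port: int     # source port the CGN assigned to this session
    start: datetime      # mapping valid from (inclusive)
    end: datetime        # mapping valid until (exclusive)


def _t(hour: int, minute: int) -> datetime:
    """Timestamp on 2017-02-10 in UTC (constructed date)."""
    return datetime(2017, 2, 10, hour, minute, tzinfo=timezone.utc)


# Constructed CGN translation log. Four subscribers share ONE public IP;
# port 40001 is handed to sub-001 first and reused for sub-004 later.
NAT_LOG: List[NatMapping] = [
    NatMapping("sub-001", "100.64.1.10", "203.0.113.5", 40001, _t(12, 0), _t(12, 30)),
    NatMapping("sub-002", "100.64.1.11", "203.0.113.5", 40002, _t(12, 0), _t(12, 45)),
    NatMapping("sub-003", "100.64.1.12", "203.0.113.5", 40003, _t(12, 10), _t(12, 40)),
    NatMapping("sub-004", "100.64.1.13", "203.0.113.5", 40001, _t(13, 0), _t(13, 30)),
]


def parse_provider_log(line: str) -> Tuple[datetime, str, Optional[int]]:
    """Parse a constructed content-provider access-log line of the form
    '<ISO-8601 UTC timestamp> <client ip>[:<source port>] <request ...>'.
    Only IPv4 clients are handled: the last ':' separates the port, if logged."""
    ts_text, client, _request = line.split(" ", 2)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if ":" in client:
        ip, port_text = client.rsplit(":", 1)
        return ts, ip, int(port_text)
    return ts, client, None


def candidates(public_ip: str, at: datetime, public_port: Optional[int] = None) -> List[str]:
    """Subscribers whose CGN mapping covers the observed public IP at time `at`,
    optionally narrowed by the observed source port. Sorted, de-duplicated ids."""
    hits = set()
    for m in NAT_LOG:
        if m.public_ip != public_ip or not (m.start <= at < m.end):
            continue
        if public_port is not None and m.public_port != public_port:
            continue
        hits.add(m.subscriber)
    return sorted(hits)


def attribute(line: str) -> List[str]:
    """End to end: parse the provider's log line and look it up in the CGN log."""
    ts, ip, port = parse_provider_log(line)
    return candidates(ip, ts, port)


if __name__ == "__main__":
    for line in (
        "2017-02-10T12:15:00Z 203.0.113.5 GET /page",        # IP only: three candidates
        "2017-02-10T12:15:00Z 203.0.113.5:40001 GET /page",  # IP + port: exactly one
        "2017-02-10T13:10:00Z 203.0.113.5:40001 GET /page",  # same port later: another subscriber
        "2017-02-10T12:50:00Z 203.0.113.5:40001 GET /page",  # port unassigned at that moment
    ):
        print(line, "->", attribute(line))
```

The first query returns three subscribers, which is exactly the non-attribution situation the Europol note describes; adding the source port narrows it to one, and the same port resolves to a different subscriber an hour later, so the timestamp must be accurate and in a known time zone for the lookup to be meaningful. Provider-side logs that omit the source port, or ISP-side CGN logs that are not retained for the relevant period, leave only the ambiguous result.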

5. Homework: activities at domestic level

Ireland creates social media watchdog: The task of the “Digital Safety Commissioner” (DSC) will be to monitor whether social media, e.g. Facebook or Twitter, are doing enough to fight, i.e. take down, abusive online material. The DSC will also oversee the creation of an efficient take-down procedure according to nationally agreed standards. If social media do not apply the standards, compliance would be enforced through court orders (s.a. Irish Independent).

US court backs Microsoft suit over surveillance gag orders: Federal judge James Robart, in his opinion, sided with Microsoft, which had sued the Department of Justice (DoJ) for breaching its customers’ rights under the First Amendment. The company argued that government court orders requesting user data stored online often came with gag orders with no end date - analogous to “permanent injunctions”, according to the judge. In addition, Microsoft claimed that the government restricted it from notifying customers about requests for their data. In some cases, “First Amendment Rights may outweigh the Government interest in secrecy”, the judge wrote. He rejected, however, arguments for a violation of the Fourth Amendment, which bans unreasonable searches and seizures. This is not the end of the case: the judge allowed Microsoft to proceed with its lawsuit, rejecting the government’s motion to dismiss the case. The DoJ is now reviewing the opinion.

Federal appeals court upholds decision in Microsoft e-mail seizure case: By a 4-4 vote, the court refused to reconsider its decision forbidding the US government from forcing Microsoft to hand over customer e-mails that are stored on servers outside the US. However, the dissenting judges called upon the US Supreme Court or Congress to reverse the decision (s.a. Reuters).

Published By CENTR