EU Policy Update - February 2018

EU Policy Updates 12-02-2018

The Commission and WP29 are worried about the state of affairs of GDPR implementation – and so are businesses according to surveys. Both the EU and Member States are stepping up the fight against illegal content. “Voluntary” measures are often not deemed enough at national level where laws have been or are being implemented. What shape an instrument at EU-level will take remains to be seen. We also look at cross-jurisdictional issues, including a potential solution to the Microsoft vs. DOJ case and how MPA managed to block content in Ireland.

Data protection / GDPR

Commission issues guidance on GDPR: Worried about implementation progress, the Commission wants to help national administrations, national data protection authorities and itself to take the last steps towards compliance with the GDPR. Part of the effort is an online tool targeting SMEs and providing answers to FAQs. The Commission considers it necessary that Member States finalise the set-up of the legal framework at national level. At this stage, only two MS have adopted relevant national legislation: Austria and Germany. DPAs need to ensure that the new independent European Data Protection Board is fully operational. Member States need to provide necessary financial and human resources to national DPAs. Also, businesses, public administrations and other organisations processing data need to get their acts together. Find links here: Commission press release; Commission communication - guidance on direct application of the GDPR; various fact sheets.

Commissioners advise ICANN on GDPR-implementation: Three Commissioner (Avramopoulous/DG HOME, Jourova/JUST, King/Security) sent a letter to ICANN addressing the need of the WHOIS system to comply with EU data protection laws. The Commissioners seek to find a bridge between the need to achieve “public policy objectives” (fighting crime, cyber-attacks and intellectual property infringements), which would call for a relatively open WHOIS, and the need to comply with the EU’s own rules with regards to data protection, which would imply a WHOIS with less (or no) publicly available personal data. Recalling the principles of the GDPR, the Commissioners ask ICANN to keep various things in mind when coming up with solutions, including “gated access” (as “but one option”), and the need of law enforcement for clear and workable access procedures. The difficulty in building this bridge is reflected in this comma-laden sentence, which also hints towards an additional factor of uncertainty: Member States. “It would be important for these authorities for the new model to maintain, to the extent possible, while ensuring full compliance with the GDPR requirements, a functionally centralised way to access to relevant data. The power of such authorities to access data through that centralised system would remain determined by national law”.

How GDPR-ready are European businesses? California-based company Senzing queried more than 1,000 companies from five EU Member States (France, United Kingdom, Germany, Spain, Italy) about their state of compliance with the GDPR. 60% stated that they do not feel that they are ready, 40% said they did. 44% are concerned about their ability to comply; 14% are very concerned. Spanish companies are most concerned. In an attempt to measure the “costs” of compliance with the GDPR, Senzing estimates that companies should expect to get an average of 89 GDPR enquiries (data subject requests) per month. In order to deal with them, companies will need to search in an average of 23 different databases - each taking about 5 min. This will amount to a total of 172 hours spent per month (more for larger companies). Around the same time, a survey by Data News in Belgium showed that only 5.5% of about 600 companies surveyed felt ready for the GDPR. Most companies have taken first steps (about 35%), whereas almost 19% still have to start preparations (more statistics here).

RIPE NCC shares its GDPR compliance model: Netherlands-based RIPE NCC is confident that its current database operations are in line with the GDPR. The organisation processes personal data of EU citizens, notably of persons holding Internet number resources. Contact details of resource holders and those responsible for the administration and technical maintenance of a particular network are needed in order to get in touch with them in case of a problem in the network. Nevertheless, relevant documentation and procedures are subject to further review. If you are interested in more details about the “legal basis for the processing”, watch this space for an additional blog article: https://labs.ripe.net/gdpr

WP29 elects new head: On 7 February, Working Party 29 (WP29), the grouping of national data protection authorities, elected Austrian Andrea Jelinek as new chair of the WP 29 for at least 5 years. WP29 will soon turn into the European Data Protection Board in line with the GDPR.

Outgoing WP29 Chair sees gloomy future for adequacy decisions: Adequacy decisions cannot build the only basis of data flows to regions outside of Europe, says outgoing WP29 Chair, Falque-Pierrotin (CNIL), as “you need to survey all the laws of the country and we have other transfer tools that are much more flexible like BCRs [binding corporate rules], contractual clauses.” (s.a. euractiv).

Illegal content / fake news

“Legal instrument” on illegal content on the way: The Commission will discuss “legal instruments” to tackle illegal content online at its upcoming meeting on 28 February. The instrument is likely to reflect the (relative) frustration of the Commission regarding the industry’s efforts to speedily take down illegal content (s.a. Code of Conduct). The scope of this instrument and its actual form are yet to be defined. Therefore, it is not clear yet whether it will cover terrorist-related content only or also hate speech, and whether it is going to be guidance or legislation. For now, the Commission (DG Home) is working on an impact assessment.

The other side of blocking “illegal content”: Wikipedia remains blocked in Turkey, but Wikipedia still does not know why. On 29 April 2017, access was blocked based on a law that bans websites that are obscene or threaten national security. Since then, the website is deemed to continue publishing illegal content. A “mirrored” version of the website remains available (s.a. Hurriyet). In the meantime, a legislative proposal foresees that specific website providers will need to pass a “security check” before they can obtain an online license. The responsible Turkish minister argues that in doing so, rules for TV broadcasters are merely applied also to the Internet (s.a. Heise).

Illegal content moves to small platforms: While the Commission pats its back for having made internet companies “voluntarily” remove more illegal content more speedily under its code of conduct, illegal content has moved away from mainstream platforms (mostly those who signed the Code of Conduct) to niche platforms, such as Gab.ai, web.tv and Justpaste.it (which is part of the Code), writes Politico, based on results of a review by the Counter Extremism Project.

Social media companies to provide data on their illegal content action in the UK: Social media companies will be required to provide data for an annual transparency report, which keeps track of their progress in taking down hate speech content, according to a recent speech by UK Prime Minister Therea May. This includes information about the amount and nature of content being flagged and how the companies respond to it, including details on how much and what kind of content is being removed. Facebook, YouTube and Twitter already do so – but not all of them do it regularly or based on the same definitions (s.a. Bloomberg). In the meantime, House of Commons’ representatives are getting ready for a fact-finding mission to Washington, where they will conduct a hearing with Facebook, Google and Twitter over the spread of misinformation on their platforms (s.a. Washington Post).

German chancellor signals willingness to amend online hate speech law: The law (“NetzDG”), which came into force on 1 January, might be changed to reflect recent critique, Angela Merkel announced. The law requires social media platforms to remove illegal content within 24 hours – else they can face fines of up to €50 million. Critics argue that this has led to “overblocking”, thereby restricting freedom of speech and fostering sympathy for far-right or anti-immigrant politicians whose posts are deleted and who display themselves as scapegoats.

Austria refers Facebook hate speech case to CJEU: Austrian politician Eva Glawischnig had sued Facebook over (not) removing an insulting post about her in 2016. In May 2017, the Vienna Court ruled that the post must be deleted not only in Austria but globally. It also said that not only the original posting but also similar postings would have to be removed. This led to the question whether the company would have to monitor its network proactively (e.g. via filters or algorithms) or react to notifications only. The Austrian Supreme Court now referred the case to the Court of Justice of the European Union (CJEU) (s.a. Edri, Der Standard).


Implementing Regulation on NIS Directive published: The act, which provides rules for digital service providers (DSP), further specifies elements and parameters for setting security and notification requirements. Generally, DSPs refer to cloud computing services, online marketplaces and search engines. ccTLD registries have been added to the directive’s annex II as ‘operators of essential services’ (OES). However, it is up to the Member States to finally decide on who will be considered an OES. The act takes effect on 20 February 2018. It is yet unknown when it will enter into force.

Call for participation in Cyber Security Experts Groups: ENISA, the agency for network and information security, is seeking experts in IoT to exchange views on cyber security threats, challenges and solutions. To participate, find more information here.

Other EU/European issues

Copyright discussions – state of affairs: Member States in the Council have still not managed to come to an agreement with regards to the most controversial issues around the copyright reform. Discussions on measures that would require platforms to monitor their networks more effectively for copyright infringing content have been put on hold. Now it’s all about rights holders getting their fair share of remuneration generated by internet services that disseminate creative content. The Bulgarian Presidency remains confident it will achieve a negotiation mandate to start trilogue discussions with the European Parliament (EP) and the Commission. The EP’s lead committee JURI, however, has just announced that the votes are likely to be postponed to April.

EP takes last formal step to end geo-blocking: Agreement among the three EU institutions, Commission, EP and Council, had already been found in November 2017. However, final adoption by the Parliament was still missing. With its favourable vote on 6 February, the EU will see an end to unjustified geo-blocking and other geographically-based restrictions that undermine online shopping and cross-border sales. This includes location requirements (i.e. restrictions) for registering a domain name. Some Members of the EP are not happy with the outcome. They would have liked the regulation to cover also non-audiovisual or audiovisual content (i.e. Youtube and Spotify), as videos, music, e-books and online gaming are the services with which users experience most frustration when it is not available in their country.

EuroDIG 2018 theme revealed: “Innovative strategies for our digital future” will be the overarching theme of this year’s EuroDIG, which will take place in Tbilisi on 5-6 June 2018. At its recent planning meeting, participants also discussed the draft programme – everyone is invited to comment until 15 February. Once the programme is fixed, the organisation of sessions will start.

Cross-jurisdictional issues

New US bill on oversees law enforcement access? At the core of the proposed Clarifying Lawful Overseas Use of Data (CLOUD) Act by US Senator Hatch is the Microsoft vs. US Department of Justice (DOJ) case. The (still open) question is whether Microsoft needs to comply with a US warrant seeking access to e-mails stored in its data centre located in Ireland. The Supreme Court will hear oral arguments at the end of February. According to the CLOUD proposal, bilateral data-sharing agreements with other countries could allow US authorities to obtain overseas data with an American court warrant. US companies could challenge such warrants on the basis that they would violate the law of the country where the data is stored. Politico provides a one-page summary. US tech companies Apple, Google, Facebook, Microsoft and Oath have expressed their support of the Act, which “would require baseline privacy, human rights and rule of law standards in order for a country to enter into an agreement” (s. here). In the meantime, UK Prime Minister Theresa May urged President trump to support the bill which she considers a critical to international criminal and terrorism investigations, as it would also assist UK authorities.

MPA achieves that Irish ISPs block content: The blocked streaming sites include 123movieshub.to, putlocker.io and RARBG.to, which allowed users to access to copyright infringing content. Motion Picture Association (MPA) asked the Irish Commercial Court to expand blockades, which, in turn ordered all major Irish ISPs to do so (s.a. Torrentfreak). None of the ISPs opposed the application. The Commercial Court had granted a fast track procedure, as there was “significant public interest in granting the orders” (s.a. Irish Examiner).

Other areas of (potential) interest

Opportunities for ccTLDs? Facebook use is on the decline: The decline is mainly due to a decrease in viral videos and changes to the newsfeed which now favours posts from friends and family over that of news outlets (see Bloomberg’s analysis). Still, Facebook reported better than expected earnings for Q4 2017 (s.a. BBC). A debate in the US has started about the addictive character of social media and technology. Ex-employees of Facebook and Google have founded the “Center for Humane Technology” that raises awareness of the negative effects, especially on children (s.a. New York Times).

Commission wants to know more about blockchain: A Blockchain Observatory and Forum will be launched to highlight key developments in blockchain technology and to foster collaboration among stakeholders (read more). The Commission has been funding blockchain projects through the FP7 and Horizon 2020 since 2013. Until 2020, it will fund projects that could draw on blockchain technologies for up to €340 million.

Published By Peter Van Roste
Peter Van Roste is the General Manager of CENTR, overseeing all of CENTR’s activities and liaising with governments, institutions and other organisations in the internet ecosystem.