EU Policy Update - February 2024

EU Policy Updates 07-03-2024

In a nutshell: The European Commission has published a white paper on digital infrastructure needs and a recommendation on secure submarine cable infrastructure. Members of the European Parliament adopted the Regulation on Geographical Indication protection for wine, spirit drinks and agricultural products, and suggested further amendments to the Framework for Financial Data Access. The European Data Protection Board issued an opinion on the main establishment of a controller under the GDPR. The EU Member States, supported by ENISA and the NIS Cooperation Group, published a report on the cybersecurity and resilience of communications infrastructure. The European Court of Human Rights ruled on encryption in private communications. The German government issued a strategy for international digital policy. The Digital Services Act is now applicable to all intermediaries.

Intellectual property 

European Parliament adopted the geographical indications protection regulation for agricultural products 

On 28 February, the European Parliament adopted the Regulation on Geographical Indication (GI) protection for wine, spirit drinks and agricultural products. According to the press release of the European Parliament, “[d]omain names using GIs illegally will be shut down or access to them disabled via geo-blocking”, in addition to the European Union Intellectual Property Office (EUIPO) developing a domain alert system. The latest text that Members of the European Parliament were asked to approve is available here. As a recap, according to the approved final text, GI protection applies to all domains that are accessible in the EU, irrespective of the place of establishment of the registries. Alternative dispute resolution systems of EU ccTLD registries should acknowledge GIs as a right to be invoked during domain name disputes. The enforcement of GI protection online, specifically in connection to domain names, should follow the Digital Services Act (DSA) framework: competent authorities should be able to remove or disable access to domain names registered in breach of the GI protection, taking into account the principle of proportionality and the rights and interests of affected parties. The EUIPO is entrusted with the establishment and management of a domain name information and alert system, based on voluntary agreements with EU ccTLDs. Once the Council of the EU also formally adopts the regulation, it will be published in the EU Official Journal and enter into force 20 days later.

Data protection

European Parliament issued amendments for the Framework for Financial Data Access  

The European Parliament’s Committee on Economic and Monetary Affairs (ECON) published amendments to the Draft Report on the FiDA proposal. This draft law aims to ease the access to and reuse of consumer data across the financial sector (see our previous coverage here). Among the newly published amendments is a proposed change to the enforcement measures in Article 18, which in the European Commission’s original proposal included orders for domain name deletion of a non-compliant financial service provider. The new amendment tabled by the Rapporteur brings the language of the article closer to the already existing enforcement measures under the Consumer Protection Cooperation (CPC) Regulation. The amended text now specifies that the domain name deletion should happen “where appropriate” and allows the competent authority to register the deleted domain. This is in contrast to the European Commission’s proposed text which only mentioned that the competent authority records the deletion. The next step in the legislative process is for the lead Committee ECON to agree on its version of the text based on the submitted amendments. Once formally adopted, this version will then form the European Parliament’s basis for the interinstitutional negotiations with the Council of the EU. In parallel to the work in the ECON Committee, the Council of the EU’s version of the proposal is prepared by the representatives of EU Member States.

EDPB issued an opinion on the notion of main establishment of a controller in the EU 

On 13 February, the EDPB issued an opinion on the notion of main establishment of a controller as defined in the General Data Protection Regulation (GDPR). The French supervisory authority asked for clarification on the notion of main establishment of a controller and on the applicability of the one-stop-shop under Article 4(16)(a) of the GDPR. The determination of the main establishment is important for cross-border enforcement purposes for controllers operating in multiple EU Member States. The lead supervisory authority, typically the data protection authority, of the country where the controller has the main establishment functions as a single point of contact for cross-border requests coming from supervisory authorities from other countries. This ‘one-stop-shop’ is to the benefit of the controller as it only has to engage with one authority, thus facilitating compliance. The EDPB’s opinion states that the “place of central administration” can be considered as a main establishment under Article 4(16)(a) of the GDPR “only if it takes the decisions on the purposes and means of the processing of personal data and it has the power to have the decisions implemented”. Should there be no evidence that the decision-making power on the purposes and means for a specific processing lies within the Union, the EDPB notes, “there is no main establishment under Article 4(16)(a) GDPR for that processing. Therefore, in that case, the one-stop-shop mechanism should not apply.” This interpretation therefore implies that any supervisory authority remains competent to take individual action, with the burden of proof on the controller’s main establishment lying with the controller itself.

Cybersecurity 

EU Member States published a report on the cybersecurity and resilience of communications infrastructure 

On 21 February, EU Member States, with the support of the European Commission and ENISA, published a report on the cybersecurity and resiliency of EU communications infrastructure and networks. The report is the result of a high-level risk assessment conducted by the NIS Cooperation Group, the European Commission, and ENISA, in consultation with BEREC. The report contains the main threats and vulnerabilities identified during the risk assessment, develops a set of risk scenarios and makes a number of strategic and technical recommendations. The risk assessment and gap analysis focus on the risks of cyberattacks on the EU’s communications infrastructure and networks by a hostile third country. The scope of “communications infrastructure” includes routing of internet traffic and networks and systems used for the provision of top-level domain registries (TLDs) and DNS services. The main threats identified in this risk assessment include wiper/ransomware attacks, supply chain attacks, network intrusions, DDoS attacks, nation state interference on suppliers, power cuts, and insider threats. The report also makes a number of recommendations to Member States on how to address risk scenarios stemming from the main threats. These include assessing resilience of international interconnections and core internet infrastructure, such as submarine cables. Member States should also clarify which national authorities have the mandate to supervise these international interconnections. The report also recommends that Member States foster information-sharing about threats within Information Sharing and Analysis Centres (ISACs). The report encourages ENISA and Member States to raise awareness about BGP security and promote the adoption of good internet routing practices. The report suggests that the NIS Cooperation Group develops guidelines for security measures for IXPs and CDNs to support NIS competent authorities in supervising this subsector.

Content moderation

Digital Services Act became applicable to all intermediaries  

On 17 February 2024, the Digital Services Act (DSA) started to apply to all intermediaries in scope of the legislation. The new rules have already applied to the Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs), platforms with more than 45 million users, since August 2023. As of this moment there are 22 VLOPs/VLOSEs designated by the Commission that consequently have to follow stricter obligations under the DSA, such as mandatory risk assessment and mitigation measures, increased transparency of their recommender and content moderation systems, as well as opening up access to their data for independent researchers. At a national level, the DSA will be enforced by the respective Digital Service Coordinators, with the European Commission primarily focusing on the additional obligations put on VLOPs/VLOSEs. The Commission can open an investigation into VLOP/VLOSE compliance with a potential fine of 6% of global turnover in the case of non-compliance. The enforcement of the DSA is also supported by a cooperation framework between the Commission and national authorities. Four national media regulators from France, Ireland, Italy, and the Netherlands have signed administrative agreements which will reinforce the effective coordination on the DSA. The cooperation network is complemented by the European Centre for Algorithmic Transparency, established in 2023 in Sevilla, which is expected to research algorithms, analyse transparency reports, and identify emerging risks.

Connectivity

European Commission published a white paper on Europe’s digital infrastructure needs 

On 21 February, the European Commission published a white paper on “How to master Europe’s digital infrastructure needs?” identifying telecom market fragmentation and lack of investments as key challenges in improving the rollout of European digital infrastructure and reaching the European Digital Decade targets. The development of the digital network infrastructure should foster economic growth through enabling the use of services such as AI, virtual worlds, Web 4.0, Industrial IoT, and by bringing improvements in remote healthcare, as well as other benefits. The document presents scenarios to achieve these objectives. Among them are coordinating infrastructure rollout through large-scale pilots, allowing for EU-wide radio spectrum procurement by telecom providers, moving from copper to fibre connections, and addressing barriers to network centralisation. Finally, the white paper identifies physical security of infrastructure as an area of further development, namely in the area of secure communications using quantum and post-quantum technologies, and in the security and resilience of submarine cable infrastructure. This document is in the initial stage of the policymaking process, before the actual (non)legislative document is published by the European Commission. It is open for consultation until 30 June. This white paper is accompanied by a recommendation on submarine cable infrastructure security and resilience (see below).

European Commission published a Recommendation on Secure and Resilient Submarine Cable Infrastructures 

Along with the white paper on European digital infrastructure, the European Commission issued a recommendation that focuses on ensuring the security of the submarine cable infrastructure. Namely, the EU Member States are encouraged to do regular risk assessments and stress-testing of the submarine cable infrastructure. In addition, the Member States should also work on national fast-tracking of permit-granting procedures for the development of submarine cables. Member States are encouraged to assist the Commission in developing a “Cable security toolbox”, which sets out the risk mitigating measures for high-risk suppliers. The recommendation also supports the deployment of “Cable Projects of European Interest”, a submarine cable connecting Member States or “significantly enhancing connectivity” with third countries.

e-Evidence 

European Court of Human Rights ruled on encryption 

On 13 February, the European Court of Human Rights (ECtHR) ruled in favour of encrypted communications in the case of Podchasov v Russia. The case revolves around a Telegram user who filed a complaint against the alleged violations of his private life and private communications. The applicable law of the Russian Federation mandates that the “internet communication organisers”, such as Telegram, are obliged to “store on Russian soil all communications data generated by Internet users for a duration of one year and the contents of all communications for a duration of six months,” including any information necessary to decrypt the communications, and to provide that data to the law enforcement authorities and security services upon request. The ECtHR upheld the argument that providing the law enforcement agencies and security services with the decryption keys would undermine the private communications of all users, not just of the one the authorities are interested in. The legal regime governing access to retained internet communications in Russia “did not provide for adequate and effective guarantees against arbitrariness and the risk of abuse” by law enforcement authorities, according to the ECtHR. Therefore, the ECtHR has reached the conclusion that indiscriminate data retention with a lack of procedural safeguards is in violation of the right to respect for private and family life as stipulated in the European Convention on Human Rights. The ECtHR also highlighted that encryption “appears to help citizens and businesses to defend themselves against abuses of information technologies, such as hacking, identity and personal data theft, fraud and the improper disclosure of confidential information”. 

Internet governance 

German government issued a strategy for international digital policy 

On 7 February, the German federal government published its first “Strategy for International Digital Policy”. Its aim is to serve as a “joint compass for an active and international digital policy” for the German federal government. The strategy is a result of “an inclusive consultation process”, including dialogues with civil society, digital associations, research establishments, and industry representatives. According to the strategy itself, the German federal government agreed on the common principles, including advocating for a “global, open, free, and secure Internet” and for the protection of fundamental rights online and offline, as well as enhancing “value-based technology partnerships” and strengthening a secure and sustainable global digital infrastructure, amongst others. When it comes to internet governance, the German federal government “advocates for a global, open, free and secure Internet as it is a driver of innovation, cooperation, social inclusion, sustainability and economic development”. The German federal government pledges to uphold internet governance that “includes all stakeholders”. To this end, Germany is “strengthening its commitment in multilateral bodies”, including the UN and ITU. The strategy stresses that a multistakeholder approach is “essential for global digital networking” and supports the IGF as “the central global discussion forum” for internet governance. The strategy also recognises the crucial role of open standards and technical interoperability for the global internet and supports the German government’s efforts to advocate for the “central role and future-proof development of established institutions of technical Internet governance”, such as ICANN and IETF. The strategy also recognises the importance of “open source basic technologies” for digital sovereignty.
It also references involvement of the technical community in “the exchange of knowledge on key technology fields, regulation as well as economic, social and ecological effects of digital technologies”. The German federal government is also supporting the “development of norms, principles and standards” in multistakeholder formats for AI.

Published By Polina Malaja
Polina Malaja is the Policy Director at CENTR, leading its policy work and liaising with governments, institutions and other organisations in the internet ecosystem.
Published By Filip Lukáš
Filip is the Policy Advisor at CENTR, advising members on relevant EU policy and liaising with governments, institutions and other organisations in the internet ecosystem.
