EU Policy Update - January 2018

EU Policy Updates 15-01-2018

If anyone expected the content debate to slow down in 2018, the Commission has proven them wrong. Already in the first weeks of the year, the Commission gathered more than 20 CEOs to tell them that their efforts to remove illegal content have improved but are by far not sufficient. Next week, the Commission will publish another evaluation report and by May, we will know whether to expect legislation or “just another voluntary” initiative. Businesses are responding by increasing their transparency – not only with regards to their efforts in fighting illegal content, but also in making users more aware of how much of their (personal) data governments request to access. Some key Digital Single Market files (ePrivacy, copyright, free flow of data) will be picked up again during the first quarter of the year, this time under the lead of the Bulgarian Presidency (check out the nice combination of Latin and Cyrillic script in their logo). Developments in the US are likely to swap over the Atlantic and impact the way EU citizens’ data is protected within and from the US.

Commission to disclose results of online hate speech evaluation in January: The Commission is currently assessing the effectiveness of the code of conduct on countering illegal online hate speech signed by Facebook, YouTube, Twitter and Microsoft, among others. Results can be expected on 18 January. So far, the code is said to have led to improvements, but progress is not sufficient. While existing signatories are expected to step up and speed up their efforts to remove illegal content, other platforms are expected to join the code. Based on the results of the evaluation, the Commission will decide whether legislative action is needed. It promised to do so by May 2018. In the meantime, Germany’s own law on online hate speech has taken effect on 4 January, while France recently called for regulation on how fake news are displayed.

Facebook hate speech case referred to ECJ: Austria’s Supreme Court has called on the European Court of Justice (ECJ) to decide in how far the social network is responsible for policing and removing certain types of content. At issue is a case of allegedly defamatory content aimed at a Green politician from Austria. The content was removed after an Austrian court order – but only within Austria, so the politician asked that Facebook uses automated filtering tools to remove other instances of the post. Facebook argued that this was virtually impossible. The ECJ will now need to look at the case in the context of the e-commerce Directive, which exempts hosting providers from a general monitoring obligation. The Court is now expected to give guidance on whether Facebook needs to remove content only in one country or also in others. It will also need to decide how Facebook should proceed with similar or identical posts, e.g. by monitoring its platform.

Copyright vote in Parliament postponed: Due to remaining controversies over key articles in the draft, the European Parliament’s legal committee (JURI) decided to postpone the vote from end of January to 26-27 March 2018. One of the key issues under discussion is Article 13, which requires online platforms to install upload filters on content to check for copyrighted or illegal content. However, such filters are likely to constitute a general monitoring obligation on platforms, thus contradicting the e-commerce Directive.

Europol and Facebook fighting online terrorist content together: At the recent “Referral Action Day” organised by Europol’s Internet Referral Unit (IRU), Facebook restated its commitment to “remove terrorists [sic] and posts that support terrorism” whenever they become aware of them. Items referred by the IRU contained videos and other publications glorifying or supporting terrorism and extremism. According to the Europol press release, “the final removal of the referred material is a voluntary activity by the concerned social medial platforms, taking into consideration their own terms and conditions”.

New High-Level Group on Fake News and online disinformation: The Commission has appointed 39 experts to the group, including representatives from social media platforms, news media organisations, journalists, academia and civil society. The group is expected to help the Commission define the phenomenon of fake news and the role and responsibility of stakeholders in this respect.

Transparency on the rise: Facebook and Twitter have published their latest transparency reports. Facebook’s report indicates a 21% increase in governments requests for user data. Three quarters of these requests came from the US, India, the UK, Germany and France. Twitter will start indicating to users whether tweets were removed to comply with court orders or local laws.

ePrivacy regulation – final negotiations expected in Q1: As one of its last tasks, the Estonian Presidency, on 5 December 2017, presented new compromises on key articles of the ePrivacy regulation draft, which concern permitted processing, storage and erasure of communications data and the protection of stored communications in user devices. The Presidency tried, while – according to same stakeholders failing, to better define under what circumstances the ePrivacy regulation or, respectively, the GDPR applies. Final negotiations among European Parliament, Council and Commission are expected to take place in early 2018. For a general overview, read this article.

Free flow of data – EP agrees on lead committee: The free flow of data regulation proposal has now entered the European Parliament (EP) stage. The lead committee will be the Internal Market Committee (IMCO), while the Industry Committee (ITRE) remains the lead on the draft regulation on ENISA’s mandate. IMCO is expected to vote on its position in June. A first debate in IMCO is scheduled on 23 January. The likely rapporteur in IMCO is Anna Maria Corazza-Bildt, EPP, Sweden.

Microsoft warrant case – And the beat goes on: In January, a grouping of business associations from Germany, Poland, Ireland and France, announced to file an amicus brief to the US Supreme Court over US law enforcement access to e-mails stored in Ireland. Already in December, the European Commission stated that it would do the same. While the business associations clearly warn of the negative consequences of the Department of Justice’s position (i.e. that such data must be handed over), the Commission stated that it would not be in support of either of the two parties. Microsoft was the first US company to challenge a domestic search warrant seeking data held in data centres outside the US.

US vote could impact EU-US Privacy Shield: The US House of Representatives voted to reinstate a programme under the Foreign Intelligence Surveillance Act that allows US intelligence agencies to access the communications of foreigners outside the US via internet and telecom services (FISA Section 702). The House rejected an amendment which would have included judicial oversight. The absence of surveillance of European citizens by the US is a condition of the EU-US Privacy Shield on transatlantic data transfers. It could put the agreement at risk when the EU is re-assessing its legality in 2018. So far, the US has also failed to appoint a permanent ombudsman. This was also raised by the Article 29 Working Party (WP29), the grouping of European Union data protection authorities, in a report in December. If no improvements are made, the WP29 threatens to take “appropriate action, including bringing the Privacy Shield Adequacy decision to national courts for them to make a reference to the CJEU for a preliminary ruling."

The Pirate Bay - Domain names are property: The Swedish Supreme Court, on 22 December 2017, decided that a domain name is a type of property and can be confiscated. Swedish law enforcement can now take over The Pirate Bay-related domains. The registrar has already received an executive request to this effect.

UK to become “third country” under GDPR after Brexit: In a “notice to stakeholders”, the European Commission’s DG JUST states that, after Brexit, transfers of personal data to the UK will be subject to GDPR rules applying to third countries. This means that in the absence of an adequacy decision, model clauses, binding corporate rules or approved codes of conduct need to be in place.

Published By Peter Van Roste
Peter Van Roste is the General Manager of CENTR, overseeing all of CENTR’s activities and liaising with governments, institutions and other organisations in the internet ecosystem.