EU Policy Update - January 2020
In a nutshell: Croatia took over the presidency in the Council of the EU from 1 January 2020. The European Commission's 2020 Work Programme identifies which legislative and policy initiatives the Commission plans to put forward in the course of 2020, including the new consumer agenda and the review of the NIS Directive. Commissioner Reynders urges the European Parliament to advance on e-Evidence. Three European Parliament committees received competence for own-initiative reports on the Digital Services Act. Europol released the EU Digital Evidence Situation Report. The European Court of Justice ruled on Airbnb being an "information society service". The ECJ Advocate-General stated that the ePrivacy Directive excludes an obligation of general and indiscriminate retention of personal data.
Croatia holds the Presidency of the Council until July 2020
Croatia took over the Presidency of the Council of the EU starting from January 2020. Several hearings in the European Parliament were held for the Croatian government to outline its priorities for the next 6 months. Digitalisation and consumer protection were highlighted by Croatia's Economy, Entrepreneurship and Crafts Minister, Darko Horvat, in the European Parliament's Internal Market and Consumer Protection Committee (IMCO). The Minister also touched upon the topic of artificial intelligence, stating that "the EU has all it takes to become a leader on artificial intelligence, in its own way and based on its own values." When it comes to the on-going policy files that are currently being prioritised by the Croatian presidency, Croatia aims to reach an agreement on the terrorist content prevention regulation before March and one on e-evidence before June.
Commissioner for Justice Didier Reynders urges the European Parliament to advance on e-Evidence
The long-awaited Draft Report from the European Parliament on the controversial e-Evidence file saw the light at the end of 2019, with over 800 amendments being filed by the Members of the European Parliament before the winter break. Justice Commissioner Didier Reynders urged the Parliament to advance on its position during a hearing with MEPs in January, stating that law enforcement authorities need new rules "urgently". Rapporteur MEP Birgit Sippel, who is responsible for the Parliament's position on the proposal, disagreed with the urgency expressed by the Commissioner and stressed the fact that the Parliament works according to its own timetable.
Europol released European Union Digital Evidence Situation Report
At the end of 2019, Europol published its SIRIUS EU Digital Evidence Situation Report. The aim of the report is to assess the status of access to electronic evidence held by foreign-based "online service providers" (OSPs) across EU Member States. The report outlines the volume of requests to OSPs, the main reasons for refusal or delay of EU requests, and the main challenges in the process. The main data for the report was gathered from transparency reports of the following companies: Airbnb, Apple, Automattic, Cloudflare, Dropbox, Facebook, Google, LinkedIn, Microsoft, Oath, Snapchat and Twitter. The selection of the companies was based on the relevance of the data held with respect to criminal investigations and on the availability of the transparency reports. In addition, Europol surveyed law enforcement authorities to gather their input on the data access requests to OSPs. According to the transparency reports of Airbnb, Apple, Facebook, Google, Microsoft, Oath, Snapchat and Twitter, the Member States which submitted the highest number of requests in 2018 were Germany, France, the UK, Spain and Italy. From a law enforcement perspective, the most needed type of data according to respondents is traffic data (e.g. connection logs, IP addresses, number of messages), followed by basic subscriber information (e.g. name, e-mail, phone number), and only then content data (e.g. photos, mail/messages content, files). Law enforcement agencies also reported that the main challenges with obtaining data from OSPs include lengthy Mutual Legal Assistance processes and lack of standardisation of companies' processes to receive requests (including knowledge of specific vocabulary and requirement of technical knowledge).
Some of the main reasons for rejecting data access requests across OSPs include: 1) Non-existent data, as the requesting authority provided invalid identifiers; and 2) Requests that would result in the disclosure of a very large number of users’ accounts or a very extensive amount of records (i.e. "provide all data").
European Commission plans to review the NIS Directive in 2020
On 29 January, the European Commission published its Work Programme for 2020. According to the 2020 Work Programme, the Commission is planning to review the Directive on Security of Network and Information Systems (NIS Directive) to "further strengthen overall cybersecurity in the Union". According to the NIS Directive itself, the Commission should periodically review the Directive, in consultation with interested stakeholders, in particular with a "view to determining the need for modification in the light of changes to societal, political, technological or market conditions". The review of the NIS Directive is planned in Q4 of 2020 and potentially includes legislative changes.
Data protection and privacy
ECJ Advocate-General: ePrivacy Directive precludes an obligation to provide intelligence agencies with ‘bulk communications data’
On 15 January, the Advocate General of the European Court of Justice, Manuel Campos Sánchez-Bordona, delivered his opinion on joint data retention and surveillance cases in the UK, France and Belgium. The main proceedings in the case concern the acquisition and use by the United Kingdom Security and Intelligence Agencies (‘SIAs’) of bulk communications data. The data in question relates to ‘who’ is using the telephone and internet, and to ‘when, where, how and with whom’ they are using it. It includes the location of mobile and fixed-line telephones from which calls are made or received, and the location of computers used to access the internet. It does not include the content of the communications. The case is brought by Privacy International, which argues that the acquisition and the use of the aforementioned data are in breach of the right to privacy under the European Convention on Human Rights and contrary to EU law. The defendant SIAs argue that the exercise of their powers in this field is lawful and essential, in particular, in order to protect national security (particularly with regard to counterterrorism, counter-espionage and counter-nuclear proliferation). The Advocate General's opinion outlines that the data in question is governed by the respective EU data protection regime, irrespective of the reasons invoked by the SIAs. The national legislation cited as the basis for the SIAs’ acquisition and use of the data in question, according to the Advocate General, involves the general and indiscriminate retention of personal data that readily provides a detailed account of the life of the persons involved, for a lengthy period of time. Furthermore, according to the Advocate General's opinion, access to the data in question must be subject to prior review by a court or an independent administrative authority whose decision should be made in response to a reasoned request by the competent authorities.
Three European Parliamentary Committees are responsible for drafting their own-initiative reports on the Digital Services Act
Three Parliamentary committees have obtained the responsibility to draft their own-initiative reports on the Digital Services Act: the Internal Market and Consumer Protection Committee (IMCO), Civil Liberties, Justice and Home Affairs (LIBE), and the Legal Affairs Committee (JURI). Parliamentary own-initiative reports are non-binding and are not part of the formal legislative process within the EU. Nevertheless, they can be seen as a significant forerunner to legislative procedures being initiated. The European Commission has no obligation to follow the Parliament's own-initiative reports when coming up with a legislative proposal, yet these can give indicators of the parliamentary position within the formal legislative process once the proposal on the DSA is on the table. The Progressive Alliance of Socialists and Democrats (S&D) is leading the efforts within both IMCO and JURI.
European Court of Justice: Airbnb is an "information society service"
The case originated from a complaint by the French Association for Professional Tourism and Accommodation (AHTOP) against Airbnb Ireland for the practice of activities concerning the mediation and management of buildings and businesses without a professional licence, as required by French law (the so-called Hoguet Law). Airbnb claimed that its activities are governed by the e-Commerce Directive and that the Hoguet Law, thus, cannot be applied to its services, as it considers itself to be an “information society service”. The referring court, the tribunal de grande instance de Paris (Regional Court, Paris), is uncertain whether the service provided by Airbnb Ireland should be classified as an “information society service” within the meaning of the e-Commerce Directive, and whether the e-Commerce Directive precludes criminal proceedings from being brought against Airbnb Ireland on the basis of French national law. To the first question of the referring court, the European Court of Justice ruled that the nature of the services provided by Airbnb Ireland can classify Airbnb Ireland as an “information society service”, as it offers an electronic platform to connect accommodation hosts and guests and to facilitate the conclusion of contracts concerning future interactions. Furthermore, Airbnb Ireland does not exercise any decisive influence over the conditions for the provision of the accommodation services, such as rental price or any decision over which hosts can advertise their accommodation on its platform, making it substantially different from Uber in the Uber France case.
To the second question, the ECJ ruled that the Hoguet Law restricts the freedom to provide an information society service. In essence, by applying the Hoguet Law to information society services, France has not complied with the respective provisions of the e-Commerce Directive, which do allow Member States to make derogations from the freedom to provide information society services, but only under exceptional circumstances and after notifying the European Commission and the Member State on whose territory the service provider in question is established of these intentions. Due to France failing to comply with the notification obligation, the Hoguet Law is deemed to be unenforceable against Airbnb Ireland.
A new Consumer agenda expected at the end of 2020
According to the European Commission's 2020 Work Programme, a new Consumer Agenda is in the works and is expected to see the light in Q4 2020. Part of the new consumer agenda is a potential revamp of the Product Liability Directive, taking into consideration new technological developments like artificial intelligence and the lifecycle of a stand-alone digital service (including software) that is subject to constant updates throughout. Questions of security, the liability of all actors within the supplier chain and the burden of proof when it comes to consumer redress need to be revised under the current Product Liability Directive that dates back to 1985. According to the European Commission representative who addressed the European Parliament at one of the public hearings dedicated to the topic, the current Product Liability Directive is a good example of technologically neutral legislation that has stood the test of time. While the Directive is not perfect, it has established important principles for consumer protection that need to be carefully revised.