EU Policy Update - July 2016

EU Policy Updates 15-07-2016

With the European Parliament entering its last meeting week, summer recess is creeping into the otherwise buzzing EU-quarters in Brussels – giving the (new) Slovakian EU Presidency a smooth start into its 6-month reign. The European Commission has closed a couple of public consultations and made sure to send out some “good vibes” before the break (e.g. finalising the EU-US Privacy Shield, announcing investment into cybersecurity). Legal cases are also part of this EU Update, with US internet companies going through gain and pain, and Facebook being party to the next landmark case potentially shaking not only transatlantic but also global data transfers of personal data.

Frequently used abbreviations: EC = European Commission, MS = Member States, EP = European Parliament, ECJ = European Court of Justice - View full list of acronyms

Companies can sign up to EU-US Privacy Shield as of 1 August: Both the EU and the US signed the new deal on 12 July (see EC Press Release). National data protection experts (Article 31 Committee) already gave their green light last week, with Austria, Bulgaria, Croatia and Slovenia abstaining. Companies that transfer data from the EU to the US can sign up to the deal as of 1 August – details will follow this week. The text had undergone changes after EU data protection authorities (Article 29 Working Party) had requested improvements, warning that they would otherwise challenge the new deal in court. Their major concerns included: clarity of terms of use for data processing and onward transfers to third parties, loopholes for bulk collection of personal data by national security services, and the independence of the ombudsman. Negotiators made the following adjustments: personal data must be deleted if no longer needed for the initial purpose it was collected for, third parties need to ensure the same level of protection as companies that will sign up to the deal, the US explained its view on bulk collection in a separate document (added to the annex), and new language on the independence of the Ombudsman was introduced. The Article 29 Working Party was not consulted again on the adjusted text (and is not happy about it), but will discuss the final text in a meeting on 25 July. They cannot strike down the deal but obviously play a crucial role in enforcing its provisions. The EP will work on a (non-binding) resolution on the Privacy Shield text (expected in the fall) expressing its concerns with the text, namely that it will not stand the test before the ECJ. This opinion is shared more widely, e.g. here and here.

New coalition to fight online counterfeits: The newly formed Intellectual Property Crime Coordinated Coalition (IPC3) – a joint effort by Europol and the European Union Intellectual Property Office (EUIPO), formerly called OHIM – aims at tackling illicit trade, i.e. counterfeit goods and piracy online and offline. IPC3 will support law enforcement agencies across the EU with cross-border investigations, monitoring and reporting online crime trends, pushing for harmonisation and standardisation of legal instruments to counter IP crime worldwide, and providing training to the public and law enforcement. The coalition refers to an OECD study (“Trade in Counterfeit and Pirated Goods”, 2016), which shows that illicit trade represented up to 2.5% of world trade (worth EUR 338 billion) in 2013; the impact of counterfeits and pirated products amounted to up to 5% of imports (EUR 85 billion) in the EU.

Google presents report on how it fights piracy: The automated rights management system Content ID is expected to solve the major concerns of copyright holders, i.e. that they are not in control of their content once users upload it (e.g. on YouTube), and hence lose out on remuneration. Content ID scans uploaded content against a database of files submitted to Google by (approved) content owners; they then have the option to track, monetise, block or mute content (via a “Content ID claim”). Google says that YouTube has created $2 billion USD for rights holders since 2007. The full report can be found here.

Slovakia takes over EU Presidency: Slovakia will focus on four priority areas: an economically strong Europe, the modernisation of the single market, a sustainable migration and asylum policy and a globally engaged Europe. Objectives with regards to Single Digital Market-related dossiers are: conclusions on eGovernment, general approach on wholesale prices for roaming, spectrum allocation, first reactions on both the telecoms review and copyright package (proposals expected in autumn), a first meeting on geo-blocking in November, a general approach on consumer protection cooperation regulation.

Net neutrality, BEREC and 5G: BEREC (Body of European Regulators for Electronic Communications) is tasked to define guidelines that should help national regulators (NRAs) implement (i.e. monitor and ensure compliance with) net neutrality rules set out in the Telecoms Single Market Regulation. BEREC has submitted its draft for public consultation. Net neutrality (as per the Regulation) requires public network providers to treat every packet alike unless there are legitimate reasons not to. Any filtering (slowing down traffic) is prohibited “except as necessary, and only for as long as necessary”. The only three valid exceptions are 1) to comply with an order by courts or public authorities (lawfulness of content, public safety), 2) to preserve the integrity and security of the network, services provided by that network, and of the terminal equipment of end-users (preventing cyber-attacks, i.e. through malicious software, identity theft, spyware), 3) to prevent impending network congestion. It seems, however, that a strict interpretation of the filtering prohibition could also ban permanent filtering measures against denial of service attacks, as documented in IETF’s best practice document BCP-38. Whereas BEREC, in the above exceptions, took into account filtering as a response to a particular threat to a network, it is unclear whether this would disallow filtering to protect other networks from threats created by the filtering network’s own users. This position has been put forward by Jisc - supported by CENTR in a contribution to BEREC's public consultation.

In the meantime, tech and telecom companies have pledged to deliver 5G internet across Europe by 2020, but say that they could not do so under “excessively prescriptive” net neutrality rules (which would exclude “specialised services”). This would delay the roll-out of automated driving, smart grid control, remote healthcare monitoring, etc. 5G would introduce so-called “network slicing”, which makes it possible to offer different levels of guaranteed quality to such new applications.

EP’s LIBE Committee supports Internet blocking: The EP’s civil liberties committee, on 4 July, passed amendments to the Terrorism Directive, calling, among other things, for the removal of terrorist content online, or to block access to such type of content if removal is not possible – either voluntarily or in response to court or administrative orders. The text has come under some criticism (vague definitions and provisions to protect privacy). The directive will now be carved out in detail in trilogue negotiations (i.e. among EP, EC, and Council).

EU Investment in Cybersecurity: The EC launched a public private partnership (PPP) pulling together €450 million from the Horizon 2020 Programme to support businesses, universities and other researchers interested in investigating cybersecurity problems. Until 2020, the EC hopes to leverage the investment to €1.8 billion through the PPP, i.e. private funding. The first call for proposals can be expected in early 2017. The PPP focuses on areas including secure online identities, training on cybersecurity best practices, and protecting cloud infrastructure.

EP adopts NIS Directive: This was the last formal step missing for the directive to enter into force (probably in August). MS will then have 21 months to implement it and 6 months to identify and list operators of essential services that will fall under the directive (i.e. potentially, but not necessarily also ccTLDs). It encourages MS cooperation and information exchange on cyberattacks, sets up CSIRTs across the EU and defines security and reporting obligations for critical infrastructure companies in key sectors, such as energy, transport, banking, digital infrastructure (Fact Sheet on the NIS Directive; background).

ePrivacy Consultation closed: In a joint statement, telecom organisations (e.g. ETNO, ECTA) and tech organisations (e.g. DigitalEurope and CCIA) ask for the directive to be scrapped arguing that the General Data Protection Regulation (GDPR) provided for numerous privacy safeguards and that overlaps should be avoided.

Microsoft wins appeal case over seizure of data stored abroad: On 14 July, the federal appeals court decided against the US Department of Justice, which wanted to force Microsoft to hand over customer emails stored on Irish servers (Case No. 14-2985). It argued that domestic search warrants issued under the 1986 Stored Communications Act (SCA) did not apply extraterritorially. Microsoft welcomed the decision as it helped ensure that “legal protections of the physical world apply in the digital domain”, i.e. customers can rely on their own countries’ laws to protect their privacy. The verdict could have an impact on where and how companies decide to store data and how the US and other governments can access evidence (e.g. in terrorism and criminal cases) stored in servers outside their jurisdiction. It is unclear at this point, whether the Justice Department will appeal to the Supreme Court (further reading: Wall Street Journal, Reuters).

Facebook wins cookie case in Belgium: In November, a Belgian court ordered Facebook to stop collecting data of non-members (i.e. ordinary Internet surfers) in Belgium. Facebook appealed (and won) saying that Belgian courts were not competent to rule over the company’s cookie policy, as its European base of operations is in Dublin. German courts, however, have already called on the ECJ to decide which jurisdiction could actually have a say on this. Facebook argues that the “datr” cookie is important for the overall security of the network, for instance to filter out forged profiles.

Facebook case over standard contractual clauses (SCCs) continues: The US wants to join the Irish privacy case to explain how personal data is monitored that was transferred to the US under SCCs. The Facebook vs. Schrems case is “round 2” after the ECJ declared the Safe Harbour Agreement invalid. SCCs, or model clauses, were promoted as one valid alternative to the use of Safe Harbour for transatlantic data transfers. Schrems complained that Facebook Ireland was transferring his personal data to US-located servers under SCCs, where it was being processed without ensuring adequate protection as required by the EU Charter of Fundamental Rights. It is expected that more national courts will be evoked and a decision by the ECJ will become necessary. The case could have even wider repercussions than “Safe Harbour”, since SCCs are used not only for transatlantic transfers (by companies that have signed up to the scheme) but globally, including countries that the 1995 Data Protection Directive has not declared to provide “adequate” protection.

Reorganisation of DG CONNECT: The reshuffling exercise of DG CONNECT is complete and the new organisational structure has been published. The Internet Governance Task Force has moved to a new Directorate E and unit (E.3) with a new Head of Unit (Jesus Villasante). Unit E.3, among other things, “ensures the EU vision and voice on Internet Governance in fora such as IGF, ICANN, G8, ITU and WSIS” - potentially giving the unit a clearer and firmer mandate in these areas. Further, “the unit ensures Internet Governance, IETF participation and the management of the .eu domain.” Megan Richards remains Principal Advisor to DG Connect and her team will include Cristina Monti and Elena Plexida.

EU eID and trust services regulation takes effect: From now on electronic signatures and other trust services (eIDAS) will have the same legal weight as hand-written signatures across the 28 member countries. The regulation aims to facilitate online transactions and provide higher security for online banking and financial services. Measures also include electronic seals, deliveries, time stamps and website authentication to transfer across borders, which could eventually make it easier to, e.g. file taxes or start a business.

UN condemns restrictions to online speech rights: The UN Human Rights Council (UNHRC), in a resolution, supported human rights on the Internet, underlining that “the same rights that people have offline must also be protected online”. In addition, it “condemns unequivocally measures to intentionally prevent or disrupt access to or dissemination of information online” (i.e. censorship, blocking). In this context, the Global Network Initiative (including, e.g. Human Rights Watch, Church of Sweden, Nokia, Microsoft, Telefonica) expressed its concern about governments increasingly ordering network and communication shutdowns. In addition to undermining security and public safety (link to case study by Telenor Pakistan), such shutdowns “threaten free expression, restrict access to vital emergency, payment and health services and disrupt contact with family members and friends.”

Further reading

  • The opinion of the Advocate General on Case C-582/14, whether dynamic IP addresses should be considered personal data, is now available in EN (and other languages).
  • Work Programme of the European Union Intellectual Property Office (EUIPO) 2016.
  • Open data creates life-simplifying apps (article): The Helsinki Region Infoshare service has opened the capital region’s data for everyone, and gives rise to apps and services that make everyday life easier.
Published By CENTR