In spite of the traditional summer lull that has descended across Brussels’ European quarter, the EU Institutions have been quietly preparing for what is set to be a hectic autumnal legislative session. Most noteworthy is the European Commission’s intention to come forward with a legislative proposal on cross-border access to e-evidence in the coming months, and a key policy roadmap for the initiative has just been released. Besides this, the European Commission will publish both a revised cybersecurity strategy and new guidelines on voluntary online content control measures in September, with officials putting the final touches on both this month. In terms of ongoing work, the European Parliament continues to focus heavily on online child protection and the fight against terrorism, while the legislative discussions around the proposed E-Privacy regulation – and all its linkages with data retention – continue in earnest.
1. Work-in-progress: recent developments in EU policy dossiers
Review of ENISA Regulation and laying down an EU IoT security certification and labelling: In its 2016 Cybersecurity Communication the European Commission announced that it would undertake a root and branch evaluation of ENISA (the EU cybersecurity agency) and also develop a proposal for a European ICT security certification framework to be presented in 2017. To this end, the European Commission launched a public consultation ending on 4 August on the different ENISA-related policy options put forward in its ‘Inception Impact Assessment (IA)’. Options put forward by the Commission ranged from keeping the current ENISA mandate to having an enhanced EU cybersecurity agency with extended role and competences. In addition, the Commission continues to analyse the need for a new IoT security labelling legislation that would set out mandatory harmonised security requirements for vendors. The Commission will present a revised version of the EU Cybersecurity strategy in September 2017, which will advance the work streams on both ENISA reform and security labelling.
European Commission publishes policy roadmap and public consultation on e-evidence initiative: For the last 18 months, the European Commission has been assessing the effectiveness of the existing frameworks by which criminal offences can be investigated and tackled in cyberspace. The Commission’s work has focused especially upon criminal investigations in cyberspace which contain a cross-border dimension, and how the analogue-era cooperation mechanisms between national law enforcement authorities could be reformed to reflect new operational challenges.
At the direction of the EU Member States, the European Commission has committed to bring forward a legislative proposal on cross-border access to e-evidence in January 2018. As a first step in the process, the Commission recently published a policy roadmap, outlining the baseline objectives and possible components of the upcoming legislative proposal. Most notably, the policy roadmap foresees likely regulatory intervention to:
- Create a legal framework authorising authorities to directly request or compel a service provider in another Member State to disclose e-evidence processed in the EU.
- Create a legal framework without the cooperation of a service provider or the owner of the data, through a seized device or an information system.
- Create a legal framework to provide for an understanding of the types of electronic evidence and service providers that fall within the scope of the measures proposed.
The complete policy roadmap can be read here, and a complimentary public consultation seeking feedback on it can be found here (deadline for responses: 27 October).
European Parliament publishes draft version of upcoming political resolution on protecting children online: The European Parliament is currently drafting a political resolution on the state of EU child protection law. The non-legislative political resolution will serve to set out MEPs’ policy wish-list for future EU-level regulatory intervention in the field of child protection. The resolution will focus extensively on the challenge of child sexual abuse material (CSAM) on the Internet. To that end, the draft text calls for the Internet industry to ‘do more’ in terms of content control, including by:
- The obligation for service providers to mandatorily report CSAM discovered on their networks to law enforcement authorities and/or national CSAM hotlines.
- Member States are encouraged to introduce mandatory blocking obligations for CSAM accessible by their citizens, as a complement to efforts to remove such content at its hosting source.
- Member States and the Internet industry should enhance the functioning of Notice & Action regimes, and the development of access blocking ‘blacklists’ to be distributed regularly to ISPs.
The European Parliament LIBE committee draft resolution can be read here.
Study on “the Liability Regime & Notice-and-Action Procedures”: In the context of the mid-term review on the implementation of the Digital Single Market Strategy, the European Commission has launched a study on “the Liability Regime & Notice-and-Action Procedures”. It aims to provide an in-depth analysis of the potential challenges raised in the current set-up of the liability regime for online hosting service providers. Also, it focuses on the existent notice-and-action practices for taking down illegal content. Targeted surveys were conducted, until 21 August, with key stakeholders, such as hosting service-providers, organisations providing notifications on the existence of illegal content online, as well as national authorities and users of hosting service providers.
2. Coming up: (Scheduled) initiatives on the horizon
‘Good Samaritan’ content removal guidance and Notice & Action legislation: The European Commission is expected to publish in September 2017 legal guidelines for Internet intermediaries who undertake voluntary proactive measures to detect and suppress illegal content on their services. Stemming from concerns about terrorism, hate speech, and so-called ‘fake news’ online, Member States are also stepping up their pressure on the Commission to propose a new law on Notice & Action before the end of 2017. While there is broad agreement at EU level that a new Directive would help mitigate many of the operational challenges and cross-border legal fragmentations that hinder illegal content removal, concerns exist that such a proposal would open a ‘Pandora’s box’ given the present political climate. As part of a fact-finding exercise, the European Commission also published the outcome report of its recent expert stakeholder workshop concerning the functioning of Notice & Action regimes in Europe which provides a useful refresher on the current policy issues with respect to illegal content removal.
E-Privacy regulation: getting data retention back in the law: Institutional discussions on the revision of the EU E-Privacy legislation are progressing quickly in the European Parliament where a position will be probably adopted by the end of 2017. Member States in the EU Council, though, are more cautious given the close links of this file with other, ongoing initiatives (i.e. Electronic Code, guidelines on data retention, GDPR application). The legislative process could conclude by end-2018 with an application period that could vary from 6 to 12 months, depending on the political negotiations.
The provisions of the legislative proposal that concern access to data by law enforcement – which the invalidated EU Data Retention directive was built on – is of particular importance. In the absence of a European framework for data retention, Member States’ attention has turned towards the E-Privacy regulation as one of the possible options to establish a new European paradigm. The discussion amongst the Member States in Council is considered so important that a separate working group has been dedicated to assessing the requirements of the recent Tele 2 judgment, which called into question the validity of Member States’ data retention regimes. An additional layer of complexity in the discussions around data retention concerns the use of encryption technologies and prohibition for law enforcement back-doors – which the Parliament is introducing in its position – and the parallel need to have access to intelligible data by law enforcement.
Council recent discussion document on data retention and e-Privacy regulation
Council questionnaire on the Tele 2 judgement in the context of the e-Privacy revision.
European Commission tenders for research study on fight against child sexual abuse material online: The European Commission is currently undertaking a broad policy reflection on the effectiveness of the current European framework for tackling child sexual abuse on the Internet. As part of this process, the Commission has launched a call to tender for a study that will assess and evaluate how CSAM hotlines work independently and collaboratively, and will also issue recommendations on how hotlines could more effectively serve their mission to fight CSAM online. Moreover, it will assess the effectiveness of INHOPE (the international association of Hotlines), and will pull together insights from law enforcement, ISPs, online safety practitioners, as well as the hotlines themselves. The study will be launched in early 2018 and run for 22 months. Its findings will then feed into future European Commission regulatory interventions in the field of online child protection. The full call to tender can be read here.
European Parliament establishes dedicated sub-committee on terrorism: The European Parliament has voted to establish a temporary committee of enquiry to focus on terrorism in Europe. The temporary committee, whose mandate lasts for a 12-month period, will hold regular hearings with external stakeholders and experts, that will culminate in a series of policy recommendations for enhancing the fight against terrorism. The purpose of European Parliament temporary committees is to scrutinise a policy issue which is considered to be particularly politically urgent, and one that falls outside the work programme or capacities of an existing permanent committee. Previous Parliament temporary committees have focused on the Panama Papers tax evasion scandal, and the Volkswagen diesel emissions scandal. The temporary committee’s work will begin in Q3 2017.
3. What else? Other things that are happening
Mariya Gabriel confirmed as new Digital European Commissioner: On 4 July, the European Parliament approved Mariya Gabriel’s nomination to be the next European Digital Economy and Society with 517 votes in favour, 77 against and 89 abstentions. The Bulgarian Commissioner will continue to lead on the implementation of the Digital Single Market Strategy launched in 2015 and work in coordination with EU Commission Vice-President Andrus Ansip, in charge of the Digital Single Market, and Vice-President Jyrki Katainen, in charge of Jobs, Growth, Investment and Competitiveness. Mariya Gabriel has appointed her cabinet, with Lora Borissova as head of cabinet, Carl Buhr as deputy, Eric Peters as an expert, and members Alina Ujupan, Manuel Mateo and Andrea Almeida Cordero.
