Unsurprisingly, national debates about how to increase security in the light of terrorism carry over into this week’s European Council meeting. It remains to be seen if fundamental rights can stand the test of time. “Brussels” is getting ready for the summer recess, yet not without giving a good pre-break push to some of the key dossiers (e.g. ePrivacy draft report, Consumer Protection Cooperation trilogue). Watch out for a couple of new (or awaited) initiatives in the last trimester of 2017, such as cybersecurity, data flows and collecting e-evidence across borders.
1. Work-in-progress: Recent developments in EU policy dossiers
Draft report on ePrivacy regulation published: MEP Lauristin released her draft report on the ePrivacy Regulation last week. Lauristin largely supports the Commission’s proposal, specifically with regards to extending the scope of the ePR to cover telco-like service providers, such as Whatsapp or Skype. At the same time, she calls for reinforced rules (e.g. encryption, do not track) and more clarity (independence of European Electronic Communications Code). Lauristin is a strong defender of personal rights and freedoms, which is reflected in her draft report. Unfortunately, she has announced that she will leave the Parliament – with no successor of the dossier officially announced yet (more detailed information was shared via the eupolicynet mailing list).
ECJ rules that platforms can infringe copyright: The European Court of Justice (Case C-610/15) has ruled that the “making available and managing an online platform for sharing copyright-protected works, such as ‘The Pirate Bay’ (TPB), may constitute an infringement of copyright. Even if the works in question are placed online by the users of the online sharing platform, the operators of that platform play an essential role in making those works available.” The judgment reinforces the trend to make “intermediaries” liable for what happens on their platforms and/or networks with regards to content. In fact, in the TPB case, they simply “cannot be unaware”. The Dutch courts will now take up the case again based on the interpretation of the ECJ (more detailed information was shared via the eupolicynet mailing list).
Final stretch of trilogue on Consumer Protection Cooperation? Chief negotiators of the European Parliament (EP), the Council and the Commission are meeting again this Friday to discuss compromises on a few remaining, controversial issues of the draft regulation. Ahead of the meeting, the Council pre-emptively announced that it “agreed” with the EP. However, this concerns rather global agreement on the need to strengthen EU-wide cooperation among national authorities responsible for enforcing consumer protection laws. This includes a number of extra minimum powers of national authorities, mutual assistance and improved alert mechanisms. Despite the Council’s enthusiasm, however, some issues still need to be discussed, above all details about blocking websites. CENTR advocated the use of concise terminology with regards to “domains” and to take heed of national legal systems, which, in some countries, require court orders to effectuate, for instance, blocking actions.
2. Coming up: (Scheduled) initiatives on the horizon
Collecting e-evidence across borders: Service providers are likely to face new regulation obliging them to hand over e-evidence to authorities from EU Member States other than their own. A proposal for a regulation, expected by the end of this year, is likely to address ways to 1) increase formal cooperation between authorities of two countries (through MLAs); 2) enhance direct cooperation between law enforcement authorities (LEA) and service providers, looking at both voluntary and mandatory options; 3) directly access, e.g. cloud servers, from a computer, in case authorities do not know where the data is located or stored. The latter has raised many questions with regards to feasibility and legal grounds for doing so.
Annual review of Privacy Shield in September: The Art. 29 Working Party (WP29), the gathering of national data protection authorities (DPA) in the EU, shared how it intends to prepare for the annual review – even though it is, in fact, the European Commission and the US Government who conduct the review. The WP29 wants to make sure that bulk collection of data is indeed “as tailored as feasible, limited and proportionate”. It also wants to look into how the US legal system handles automated decision-making – this is particularly interesting for those performing work on big data analytics.
Designated Digital Commissioner Gabriel gets through hearing unscathed: During her hearing at the European Parliament, Mariya Gabriel (Bulgaria), said that she will launch proposals on cybersecurity and data flows in the fall and step up efforts to complete the digital single market. Gabriel is a former conservative MEP focusing mainly on gender equality and development. She can take over her new position once the EP plenary confirms her nomination – probably in July.
3. Proud to present: Success stories at EU level
EU Internet Forum - Commission proudly presents progress: One year ago, the secretive forum, kick-started by DG Home and involving US internet companies, such as Facebook, Microsoft, Twitter and YouTube announced a Code of Conduct whereby they committed to step up efforts in combating illegal hate speech online. This includes reviewing most requests in less than 24 hours and checking them against their guidelines and removing the content if necessary. EU Commissioners Ansip (CNECT) and Jourová (JUST) are happy with the progress – yet not happy enough. Despite companies removing twice as many cases than last year, and faster, Ansip already talks about “redoubling joint efforts” and “bringing more clarity to notice and action procedures to remove illegal content in an efficient way”. Jourová hails self-regulation as an approach that “can work”, recognising that companies “carry a great responsibility”, yet immediately adding that they “need to make further progress to deliver on all the commitments”. It is not clear how much is and how much of this will remain “self-regulatory”.
4. What else? Other things that are happening
Europol issues report on counterfeiting and piracy in the EU: The report, jointly drafted by the EU Intellectual Property Office (EUIPO) and Europol, gives an overview of how counterfeiting and piracy have evolved over the past year and what the emerging trends are. It highlights negative impacts of IPR crime on citizens’ health and safety as well as on the environment. Criminal groups in IPR crime are often also engaged in drug or human trafficking or money laundering on top of document fraud and corruption. China remains the main country of provenance of counterfeited goods, which are transited through Hong Kong. Better rail transport between China and the EU poses an additional challenge. Online distribution of protected content, including illegal TV broadcasts, is identified as a digital issue. Cross-border investigations, the challenge to deal with new technologies and low penalties are highlighted as specific barriers to effectively fighting IPR crime.
How Google and Facebook want to fight terrorism online: Last week, Facebook announced that it will use artificial intelligence (AI) programmes to prevent and remove terrorist-related content from its platform. The company has also employed an extra 3,000 people to check posts and remove those that go against its guidelines. AI is used to cross-check uploaded content against, e.g., previously removed ISIS propaganda videos. Facebook also experiments with using AI to understand text. Only a few days later, Google said that it is investing into algorithms that spot terrorist content and will increase the number of trusted users for flagging content and engaging into counter-terrorism speech. It also wants to warn YouTube users of certain videos that include, e.g. “inflammatory religious or supremacist content”, even if they do not clearly violate its policies. Such content will also no longer be monetised. Proactive action of (social media) companies has increased amidst calls from European politicians that they should take on more responsibility for what happens on their platforms.
“Five Eyes” wants tech companies to share encrypted data: The intelligence-sharing coalition of Australia, Britain, Canada, New Zealand and the U.S. is referred to as the “Five Eyes”. At their meeting in July, they want to discuss how technology companies can be “urged” to share encrypted data with security officials.
5. Homework: Activities at domestic level
Belgian DPA issues recommendations on how to appoint DPOs under GDPR: The Belgian Privacy Commission provides, among other things, details about the functions of the DPO and its compatibility with other positions within an organisation, his or her tasks, such as monitoring GDPR compliance, assisting with data protection impact assessments, cooperation with DPAs etc. It also recommends to document the process of appointing the DPO.