In a nutshell: This month, security initiatives topped the agenda in Brussels. The European Commission published its Fifteenth Progress Report on a Security Union and the Council agreed on a general approach on the Cybersecurity Act, while the incoming Austrian Presidency of the Council announced that it will prioritise security issues. On the data economy front, negotiations on the Free Flow of Data Regulation were finalised while in the Council technical discussions on ePrivacy will continue until the end of 2018. Finally, the debate on the use of technical measures to tackle illegal content online intensified in the on-going copyright reform discussions, where the Parliament’s leading committee’s position got rejected in the plenary vote.
Council of the EU: Austrian Presidency Priorities
Austria will hold the EU Council Presidency from July to December 2018. “A Europe that protects” is the motto Austria has chosen for its Presidency. One of the three overarching political priorities will be “Securing Prosperity and Competitivity through Digitalisation”, where Austria calls for avoiding over-regulation and stimulating innovation and digitalisation.
The Austrian programme highlights the following relevant files for ccTLDs:
- .eu Top Level Domain: the Presidency is expecting to make progress on this file and to achieve a general approach. The Presidency considers .eu to be a valuable element of the European identity online.
- E-evidence: the Presidency states it will be strongly engaged on this file.
- ePrivacy: the Presidency will advocate for future-proof data protection provisions in the digital sector, with a focus on negotiations on the ePrivacy Regulation. Under political pressure of Germany and other countries, Austria will prioritise the file to reach a Council’s position by end 2018.
- Digital Security and Cybersecurity: Austria also expects to finalise the Cybersecurity Act negotiations. For Austria, the protection of critical infrastructure is a priority and the dependence on non-European security technology renders the EU vulnerable, which must be tackled in a sustainable manner. The EU Internet Forum is seen to provide a platform for internet industry to improve cybersecurity. One of the latter’s key objectives is to reduce accessibility to terrorist content online (through so-called “database of hashes” developed by the internet industry as a shared database to help identify potential terrorist content on online platforms).
- Copyright/illegal content: the aim is to complete negotiations on the Directive on Copyright in the Digital Single Market by the close of 2018. The Presidency also states that the Commission Recommendation on measures to effectively tackle illegal content online is to be fully implemented.
Considering the number of difficult files on the table of the Austrian Presidency, it is unlikely that the Presidency reaches an agreement regarding all its identified priorities.
Law enforcement
E-evidence: European Parliament exchanges views with Commissioner for the Security Union Julian King
The Civil Liberties Committee (LIBE) of the European Parliament held an Exchange of Views with Commissioner Julian King on e-evidence. The Commissioner stressed the key focus on accelerating the process for judicial authorities’ access to data, as the current situation has led to a high level of voluntary cooperation outside of judicial processes. He further added that the proposals will provide a basis to enable cooperation with key partners, such as the US. Main questions focused on the categorisation of meta data (four sub-categories of meta-data have been identified to be provided according to specific crimes), safeguards for data protection, due process (authentication mechanisms) as well as the respect of fundamental rights and the rule of law. The Commission hopes for negotiations to conclude by May 2019, before the European Parliament elections.
Cybersecurity
Commission’s Fifteenth Progress Report towards an effective and genuine Security Union
The report covers the following developments:
- Commission calls on ICANN to accelerate its efforts to comply with GDPR, and to deliver in time an appropriate model that provides for access to WHOIS data for legitimate purposes;
- The report presents the state of play on the removal of terrorist content online following the application of the Recommendation on tackling illegal content online, by both industry and Member States and other key partners such as Europol. According to the Report more companies are adopting proactive measures to identify terrorist content, resulting in a higher volume of such content being removed.
Cybersecurity Act: Council agrees on a general approach
In June, Member States agreed on a position on the Cybersecurity Act. The proposal includes renaming ENISA as the “European Union Agency for Cybersecurity”, making it a body of the EU with a legal personality. This will have an impact on the quality of the guidelines provided by the Agency, its support to Member States in implementing EU laws and its advisory role to the Commission. Within the Agency, the European Cybersecurity Certification Group will be set up to advise and assist the Commission in its work to ensure a consistent implementation and application of cybersecurity certification policy issues.
Data economy
ePrivacy: Member States avoid rushing into negotiations
In June, TELECOM Ministers met to discuss a negotiating mandate on the ePrivacy Regulation. Despite on-going political push by the Commission, most Member States deemed it necessary to keep discussing the regulation at a technical level under the incoming Austrian Presidency. At the meeting, countries raised criticism on the overlaps of the proposal with the GDPR, the need for more flexibility in processing data, and the lack of technological neutrality.
Free Flow of Data: EU institutions reached a political agreement
On 19 June, the European Parliament, Council and Commission adopted new rules that will allow data to be stored and processed everywhere in the EU without unjustified restrictions. The regulation will apply six months after the publication in the Official Journal (which has not been done yet) and its main provisions are as follows:
- Prohibit data localisation restrictions: Member States will have to communicate to the Commission any remaining or planned restrictions on the storage and processing of non-personal data. The Regulation has no impact on the application of the General Data Protection Regulation (GDPR), as it does not cover personal data. In case of mixed dataset (personal and non-personal data), the GDPR provision guaranteeing free flow of personal data will apply to the personal data, and the new regulation will apply to the non-personal data.
- Public authorities will be able to access data for scrutiny and supervisory control wherever it is stored or processed in the EU. Member States may sanction users that do not provide access to data stored in another Member State.
Intermediary liability
Parliament rejects committee's report on copyright
On 20 June, the Legal Affairs Committee (JURI) of the Parliament adopted its long-awaited report on copyright. The new law is expected to be finalised by the end of 2018. The Austrian Presidency will prioritise a political agreement, however the report was challenged in plenary, where a majority of MEPs voted against the JURI report. As a consequence, the file will be reopened for further public discussions in the Parliament amongst all 751 MEPs under the exceptional legislative procedure envisaged in Rule 69c. The Parliament will vote on its possibly renewed position in September.
The JURI report targets content sharing service providers that, in the original proposal of the Commission, were limited to online platforms under Article 14 of the E-Commerce Directive (hosting providers). The Parliament added a list of exemptions of hosting providers from the scope of the Directive which includes non-profit online encyclopaedia and scientific repositories, cloud service providers, open source software developing platforms, and online marketplaces. The Parliament defined the “online content sharing service provider” (that falls under the scope of the Directive) as an internet service provider whose main purpose is to store and to give access to the public to the works uploaded by their users, and which optimises the content, and as such goes beyond providing mere physical facilities. The position of the Council is more conservative and in line with the Commission’s approach.
Parliament holds hearing on tackling illegal content online
The European Parliament Internal Market and Consumers Committee (IMCO) hosted a hearing to debate the current intermediary liability regime, with a focus on the recent Commission’s Communication, and to gather insights on how to improve the existing legislative framework. The main message was that policy-makers must focus on coming up with a balanced approach, respecting users’ rights without burdening SMEs excessively.
A few highlights from the discussions:
- Vertical vs. horizontal legislation: The Commission voiced out a necessity to shift from a general horizontal legislative framework (e-Commerce Directive) to several vertical specific legislations (e.g. Copyright, Directive on combating terrorism, etc.
- Proactive measures: doubts were expressed towards the Commission encouraging online intermediaries to adopt proactive measures, because this would be incompatible with the e-Commerce Directive and the Charter of Fundamental Rights.
- Counter-notice mechanisms and transparency: experts were in favour of addressing the over-removal of lawful content through the implementation of counter-notice mechanisms and transparency in the decision-making process.
- Human supervision: streaming services insisted that the ideal way to tackle illegal content online lies in a mix of automated filtering systems and human review.
- SMEs: Several panellists pointed out the difficult implementation of legal removal obligations by SMEs as they lack the resources to comply.
