EU Policy Update - March 2016

EU Policy Updates 29-03-2016

Brussels attacks – Law enforcement and Justice Ministers target online communication: At an ad hoc meeting of the Justice and Home Affairs (JHA) Council, ministers stated the need to “secure and obtain more quickly and effectively digital evidence” and more “direct contacts” of law enforcement with service providers. One means of doing so could be the expansion of the e-Privacy Directive to Internet platforms and online communication apps. Yet, concrete measures are to be identified at the upcoming EU Council meeting in June. Also, they aim at developing “effective preventive measures” against radicalisation, including “countering the rhetoric of Daesh” in particular through communication strategies”. The Commission “will intensify work with IT companies, notably in the EU Internet Forum to counter terrorist propaganda” with the objective to create a code of conduct against hate speech online by June 2016 (see below).

The JHA statement, while meant to demonstrate unison in the objective to tackle terrorism, shows the mistrust among Member States and European actors, including when it comes to information/intelligence sharing. While calling for an intensification of collaboration with private actors to share and make more information available, there are currently no interoperable databases through which such information could be shared. Even if these existed (which is one objective), the problem of linking and exploiting database records persists (e.g. different languages, typos, different categories, etc.). In addition, it is common knowledge that Member States mistrust each other and fear for the loss of intelligence data if shared with others that do not keep such data safe. These differences are reflected in the JHA statement itself, which calls for support of the Counter Terrorism Group (CTG – independent of Europol or other EU institutions), the Joint Investigation Teams (on an ad hoc basis with selected Member States), and liaison teams of experts at Europol.

At EU-level, the blocking and blame-shifting game continues: the Council accuses the European Parliament (EP) of halting the votes on the passenger name records (PNR) Directive. The EP, however, wants to hold the vote on PNR together with the one on the General Data Protection Regulation (GDPR). The latter, however, needs to be signed off by Council first.

EU-US Privacy Shield - The data protection authorities’ woes and worries: Several EU data protection authorities (DPAs) doubt that the rules for transatlantic data transfers comply with EU law. Stumbling blocks include (the absence of) rules for data retention, the role of the ombudsman Catherine Novelli (is she indeed independent and does she have real powers?) and legal uncertainty (are judicial redress options really available to EU citizens?). The grouping of all EU privacy watchdogs (Art. 29 Working Party) is expected to publish its (non-binding) opinion around its next meeting on 12-13 April. In the meantime, the European Parliament’s civil rights committee (LIBE) “grilled” key negotiators in a hearing. The latter clarified that the two mechanisms, the ombudsman and the strict limitation of bulk harvesting data, would apply to all companies regardless of whether they sign up to the “Shield” or not. They also underpinned the legal value of the letter (signed by US Secretary of State, John Kerry) building the basis of the EU-US Privacy Shield, reminding the audience that this was also the case for Safe Harbour, which lasted 15 years. Ahead of the meeting, 27 civil liberties groups sent a letter expressing the need for renegotiation to make sure the pact complied with EU law.

General Data Protection Regulation (GDPR) – anti-profiling rules restricted for the sake of cybersecurity: In a response to a Parliamentary question, EU Justice Minister Jourová confirmed that the processing of certain personal data (i.e. creating profiles of individuals) was indeed possible, if a data controller tried to prevent “unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks”. This exception (Recital 39) was built in “to avoid deterring cybersecurity efforts” by companies specialising on it.

European Court of Justice (ECJ) opinion - WIFI operators not responsible for illegal downloads: Sony Music Entertainment had sued a Munich-based shop that had offered its customers free WIFI access (Case C-484/14). The system was used to download illicit music recordings. The non-binding opinion of the European Court of Justice’s Advocate General holds that the operator “is not liable for copyright infringements committed by users of that network”, does not need to terminate the service or monitor communication (press release). In an unusual move, the opinion not only considered economic arguments (commercial freedom, liability of telecom operators) but also weighed economic versus societal aspects (impact on freedom of expression, potential for innovation).

Draft of European cloud initiative, e-government action plan and ICT standards leaked: According to the documents leaked by Politico the Commission aims to install a cross-continent open science cloud for researchers and scientists and a “European data infrastructure” to enhance Europe’s super-computing powers. On e-government, the Commission wants to establish the “once-only principle” whereby citizens would share their data once and governments would be obliged to share it with each other. If such increased compatibility of IT systems across governments would also increase the sharing of intelligence and terrorism-related information remains uncertain. On ICT standards, the Commission is likely to focus on (guidelines for) 5G, Internet of Things (draft Staff Working Document), big data and cybersecurity. It might also include parts on intellectual property rights. Commission communications on these topics are expected by 6 April.

European Parliament approves Big Data Report: The non-binding report at the own initiative of MEP Barbara Kappel (Austria/Europe of Nations and Freedom Group, also the group of Le Pen’s Front National), approved by plenary, takes a positive stance towards Big Data, emphasises its potential and cautions about excessive regulation.

New radio frequencies for mobile internet services? The Commission adopted a long-term strategy for use of the 470-790 MHz frequency band. The 694-790 MHz band is proposed to be repurposed to use it for wireless broadband, television broadcasting should have priority in the 470-694 MHz band (see summary).

Release of Copyright II proposal (partially) postponed: The second package will be split into audio-visual rules (still expected for 1 June) and copyright-enforcement rules (delayed at least until end of June).

Release of e-Privacy Directive proposal postponed: The Commission’s proposal on a review of privacy rules for telecom operators is pushed back by one month to around end of year. A public consultation is planned to be launched in the first week of April and a public event will be held in Brussels on 12 April. The 2002 Directive obliges telecom operators to ensure the confidentiality of communications and the security of their networks. The overhaul could see new actors fall under the scope of privacy rules, such as Skype, Whatsapp and other voice and messaging services. Internet platforms have also been mentioned in the light of the Brussels attacks at a recent JHA Council meeting. The Commission said it was too early to say if these changes were indeed to be included.

Justice and Home Affairs (JHA) ministers adopt general approach on Counter-Terrorism Directive: On 11 March, EU Justice and Home Affairs ministers adopted a general approach on the proposal for a Directive on combating terrorism, which includes provisions on criminalising preparatory acts, such as “aiding and abetting, inciting or attempting such acts”. The latter could also relate to content online and/or the fact that it is (not) removed expeditiously. The Directive is currently going through the legislative stages in the European Parliament.

 Report by the EU Counterterrorism coordinator issue: The report refers to the role of Europol and stresses the need for public-private cooperation, e.g. on the removal of terrorist content and hate speech online. Both strands (confusingly under the lead of different DGs, i.e. HOME and JUST) are somewhat united under the EU Internet Forum, an informal meeting of the Commission with “senior representatives from the world's leading social media companies”. The forum is likely to play a stronger role in the light of the Brussels attacks (see above).

Background on the EU Internet Forum: not much is known about the forum, if one is not part of it. The digital rights organisation EDRi made an overview and provides a collection of documents available. The objective, as also stated by the recent JHA Council, is to come up with a code of conduct against hate speech online, similar to an industry agreement in Germany. The latter, however, is confusingly unspecific about whether it refers to illegal content or arbitrary enforcement of service providers’ terms of service. EDRi warns that a recent Council position on the Europol regulation(11 March 2016) would enable law enforcement (Europol) to assess “the enforcement of contracts between businesses and their customers, giving Europol the power to encourage deletion without the responsibility for deletion, which would fall on the provider”. Article 4, 1, (m) states that online service providers would receive referrals to internet content by Europol and could “voluntarily consider” whether the content is compatible with their own terms and contitions.

EU-US hold joint security workshop in The Hague: About 20 experts from law enforcement and public administration met at Europol to discuss counterterrorism and organised crime, focusing on threats at ports of entry, identity and document fraud, obtaining electronic evidence, etc.

Counter Terrorism Group (CTG) kicks off: The informal gathering of 30 European intelligence services aims to exchange operative information on terrorism. Apparently, it will not be embedded in EU structures (the EU Commission is part of it, but has no say), nor will it use the infrastructure of or directly cooperate with Europol’s European Counter-Terrorism Centre. The CTG Presidency is linked to the EU Presidency (i.e. headed by the respective Member State). The information has been shared by the German government as a response to a Parliamentary question by the Left (see article in heise.de, in German).

10% increase in cyber strikes against US federal agencies: More than 77,000 cyber incidents were reported in 2015.

Apple case dropped: The FBI succeeded in accessing the content on the iPhone that was used in the San Bernardino terrorist attack. As a result, the Justice Department (DOJ) dropped the case, but without revealing which method was used or whether they had found evidence. A week earlier, it was reported that an Israeli firm had found a way to crack the smartphone.

UK Investigatory Powers Bill moves ahead: The controversial bill gained wider support at its second reading in the House of Commons (but still has some way to go in the legislative process). It would allow law enforcement to look into connection records, such as websites, applications, messaging services – yet not individual messages sent or pages visited. Also, it would oblige Internet Service Providers (ISPs) to store the browsing history of all customers for one year and to give law enforcement access to electronic devices owned by suspects. In addition, it allows bulk collection of personal data or “data harvesting” from online services. The UK Home Secretary Theresa May would like to see the bill pass by the end of the year. In the beginning of March, France’s lower house also passed a billed that foresees penalties for companies (up to 350,000 EUR) and executives (up to 5 years in prison) who refuse to decrypt information in terrorist investigations. EU Commissioner Ansip urged both countries not to support backdoors while Europol’s Director Rob Wainwright keeps insisting that “encryption is part of the problem”, calling for an expansion of police powers to access phone calls, encrypted Internet-based communication, etc.

Swiss Parliament strengthens surveillance law: The revision of the Swiss “BÜPF” will allow for the use of so-called Govware (Trojan software used by government) and “special technical devices” (e.g. IMSI-catchers) to locate mobile phones (further reading, in German).

Published By CENTR