In a nutshell: this month’s EU Policy Update sees the consolidation of important trends. Member States’ Recommendations have been released, calling for intermediaries to be more “responsible” in tackling illegal content online. Similarly, the discussions on IT security are progressing in the Cybersecurity Act, where clear responsibilities and liabilities for all stakeholders taking part in ICT ecosystems are proposed. In parallel, a new mechanism aimed at facilitating the gathering of evidence in justice investigations will be proposed, including provisions for direct access to companies’ data by authorities of foreign countries. All this comes in the context of a data economy where, even if the mandatory location of data by government could become more complicated, nothing prevents States from discussing new EU data retention provisions, and companies are even further restricted in their ability to process data.
E-privacy: Council interpreting the TELE 2 Sverige case
In Council, discussions are progressing slowly on E-privacy. New compromise texts have been proposed by the Bulgarian Presidency and discussed in March. The compromise interprets the TELE2 Sverige ruling of the European Court of Justice (which introduced requirements justifying the retention of traffic and location data for serious crime investigations), and affirms that meta-data are “always sensitive” and may therefore be processed only on a limited set of legal grounds (mainly consent). Such an interpretation is questionable, as the TELE2 ruling clearly states that meta-data “can be” sensitive if the processing of a significant amount of such data allows the profiling of the user. Similar conclusions can be reached from the GDPR.
The next technical discussion will take place on March 28th. In Council, the objective is to agree on a common position by June 2018 to start negotiations with Parliament as soon as possible and adopt the law before the EU elections in May 2019. However, there is a clear lack of leadership in Council, and any meaningful progress depends on when big Member States, such as Germany and France, will put a proposal on the table.
Data retention: Council discussing options to reinstate an EU framework
Statewatch leaked several of the Council’s working documents related to a “reflection process” on the mandatory retention of telecommunications data. The documents include overviews of the legal framework for telecommunications data retention in the Member States, a presentation from Europol on the possibility of introducing a new measure on “targeted data retention”, and proposals for using the forthcoming ePrivacy Regulation to make some form of data retention possible. It is hardly surprising that such a discussion is taking place in parallel to the revision of the ePrivacy framework. However, neither Parliament nor the Commission supports the idea of solving the data retention issue in the context of ePrivacy. That said, the telco industry, which has already made the required investments to comply with the quashed data retention directive, is not opposed to the idea of EU harmonisation.
Free Flow of Data: Parliament pushes to limit the scope of data localisation
The law is currently in co-legislative procedure. The Council already agreed a position in 2017, while the European Parliament aims to have its own ready by June 2018, to start negotiations in September and adopt the new Regulation before the 2019 EU elections. The most interesting points discussed in Parliament so far concern the further limitation of data localisation by Member States, where the additional requirement of “imperative grounds” of public security has been introduced to justify an exemption, coupled with a mandatory notification to the Commission to assess compliance with EU law. However, these new requirements are not defined in the text, so multinational companies risk having to abide by 27 different regimes. In the case of mixed data sets (personal and non-personal data), the Parliament is of the opinion that the free flow regulation should apply to the whole data set without prejudice to the GDPR.
Law enforcement cooperation
E-evidence: a complex international scenario
In April the Commission is expected to release a legislative proposal to address the obstacles faced in criminal investigations in relation to access to e-evidence that is often stored outside the investigating country or handled by a foreign service provider.
Similar discussions are taking place across the Atlantic, where the US introduced a new bill, the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which stipulates that US service providers are obliged to comply with US orders to disclose content data, regardless of where such data is stored. In addition, it sets out requirements for concluding international agreements that allow US service providers to deliver content data to a partner foreign government (as well as intercept wire communications), without the need for a mutual legal assistance (MLA) request.
However, despite their inefficiencies, MLA procedures are still in use, and the Council of Europe is drafting an additional protocol to the Budapest Convention on Cybercrime aimed at laying down provisions for a more effective and simplified MLA regime, in addition to provisions allowing for direct cooperation with service providers in other jurisdictions.
European Commission adopts Recommendation on illegal content online and begins journey towards legislative proposal
On March 1st, the European Commission adopted a Recommendation on “measures to effectively tackle illegal content online”, which takes further steps on hosting providers’ “responsibilities” regarding illegal content online.
While the Recommendation refers generally to illegal content, terrorism material is singled out as deserving specific attention. For the latter, fast-track procedures should be introduced for materials referred by trusted flaggers (for instance, competent authorities or Europol), with removal to be performed within one hour of the notification.
The Commission will launch a 12-week public consultation in April to seek stakeholders’ views on faster and more effective detection and removal procedures that also avoid false positives. A possible outcome could be horizontal legislation for notice and action, covering all intermediaries (not just platforms, which are the main target of the Recommendation).
Member States adopt conclusions on Intellectual Property Rights
Following the Commission’s Guidance on the Enforcement of Intellectual Property Rights (IPRED), released in November 2017, the EU Council adopted conclusions on the matter this month. While the conclusions show alignment with the Commission’s call for more proactive measures from the industry, to be implemented via voluntary agreements, they also reiterate the lack of harmonisation of IPRED across EU Member States, the need for fair and effective judicial enforcement, and the need to uphold judicial independence in matters of IPR.
European Observatory of Intellectual Property to discuss DNS
The European Observatory on Infringements of Intellectual Property Rights is a network of experts and specialist stakeholders that provides evidence-based contributions and data to enable EU policymakers to shape effective IP enforcement policies. The Observatory will meet on 17-19 April 2018 in Brussels to discuss, among other topics, cooperation with intermediaries and the domain name system (by invitation only).
Copyright: a slow legislative process
The revision of the directive is still a work in progress. Neither Parliament nor Council has agreed a position yet, but both could do so by the summer break. Should this be the case, and depending on how close the respective positions are, the revision could be completed before the EU elections in 2019.
Commission’s High-Level Expert Group report on fake news
The High-Level Expert Group put forward several recommendations on the transparency of online news, media literacy, and research on the impact of disinformation in Europe. It advises the Commission against “simplistic solutions”, warning that any kind of censorship should be avoided. In this respect, the document stresses several times that freedom of expression and compliance with the EU Charter of Fundamental Rights must be ensured in the context of the fight against fake news. In terms of next steps, a multi-stakeholder coalition will be launched in July 2018 together with a European Code of Practices to counter disinformation. This non-binding document, similarly to the Code of Conduct on countering illegal hate speech online, will give guidance on the roles of relevant stakeholders (platforms, media, fact-checking organisations), based on a series of key performance indicators. The Commission will reassess in 2019 whether a co-regulatory approach is necessary.
Cybersecurity (and IT security)
ENISA/Cybersecurity Act: Parliament moving the debate forward
In Parliament, discussions on the Regulation on ENISA and the Cybersecurity Act are progressing. This month the Civil Liberties Committee (LIBE) adopted its opinion, which gives a good perspective on the direction of debate. The fight against cybercrime is the central focus of the opinion. It distinguishes two elements: attacks against information systems, such as hacking or distributed denial of service (DDoS), which require reinforcing IT security; and other online crimes, such as phishing attacks or financial and banking fraud, which cannot be countered by IT security measures. The opinion also notes the need for public education campaigns directed at end-users. It calls on ENISA to propose policies establishing clear responsibilities and liabilities for all stakeholders taking part in ICT ecosystems, particularly where the failure to act with proper IT security due diligence could result in severe safety impacts, cause massive destruction of the environment, or trigger a systemic financial or economic crisis. Finally, the Agency should propose policies for the responsible exchange of information on “Zero days” and other types of security vulnerabilities that are not yet publicly known.