EU Policy Update - March 2019

EU Policy Updates 02-04-2019

In a nutshell: The European Parliament formally adopts the EU Cybersecurity Act and the Copyright Directive. The E-Evidence package receives further criticism in the series of Working Documents issued by LIBE. TERREG progresses speedily through the European Parliament’s committees. The European Data Protection Board gives guidance on the correlation of the GDPR and the e-Privacy Directive.


European Parliament adopts Cybersecurity Act

On 12 March, the European Parliament adopted the EU Cybersecurity Act with 586 votes to 44 and 36 abstentions. The new law establishes the first EU-wide cybersecurity certification framework to ensure that certified products, processes and services sold in EU countries meet cybersecurity standards. In the first year after the entry of the force of the Regulation, the European Commission will identify the list of ICT products, services and processes that will be included in the scope of a European cybersecurity certification scheme. Under the new cybersecurity rules, this certification is voluntary. However, the European Commission will regularly assess the efficiency and use of the adopted European cybersecurity certification schemes and whether a specific European cybersecurity certification scheme is to be made mandatory. As a matter of priority, the European Commission is obliged to focus on the sectors listed in Annex II of the NIS Directive, that includes ccTLDs. The EU Council now has to formally approve the Cybersecurity Act. The regulation will enter into force 20 days after it is published. According to ENISA's officials, the first schemes could come as early as 2019. The first schemes might potentially target the transposition of SOG-IS, cloud services and Internet of Things in the consumer space.

European Court of Auditors published a Briefing Paper on challenges of EU cybersecurity policy

On 19 March, the European Court of Auditors issued a Briefing Paper identifying the main challenges to effective EU cybersecurity policy. The Briefing Paper calls for a tailored legislative response in order to strike the necessary balance between privacy concerns and EU security imperatives. As an illustration, the Briefing Paper brings in the question of GDPR and publicly available WHOIS. The Briefing Paper questions the ways to meet GDPR aims “while understanding its implications on publicly available information on registrants of domain names and holders of blocks of IP addresses” and its impact on law enforcement investigations". In addition, the Briefing Paper highlights the fact that policies are complemented by the "right standards” for widespread adoption to enhance security. As an example, the Briefing Paper highlights the work of the European Commission and Europol with ICANN and RIPE-NICC to put "the right cybercrime architecture in place to support law enforcement and the judicial authorities".


The European Parliament issues another Working Document on e-Evidence

With a series of working documents, the European Parliament's leading committee on the e-Evidence proposal – the Committee on Civil Liberties, Justice and Home Affairs (LIBE) - is trying to frame discussions for a possible position on the file. While the working documents are not intended to be binding instruments, they nevertheless outline the possible questions for MEPs to consider when negotiating the European Parliament's position. On 11 March, LIBE issued the 4th Working Document on e-Evidence in relation with third country law (the document consists of several parts: A, B and C). This Working Document identifies possible conflicts between EU and US law when it comes to disclosure of data located in the US, as it will be simultaneously governed by both e-Evidence legislation, as well as its US equivalent – the US CLOUD Act. When it comes to the existing Mutual Legal Assistance (MLA) EU-US Agreement, the Working Document concludes "that extensive possibilities already exist to streamline and provide a faster and more efficient procedure in the scope of the existing legal framework without the necessity of new instruments."

Intermediary liability

The European Parliament adopts the Copyright Directive

On 26 March, the European Parliament in plenum voted 'for' revised rules on copyright in the EU, with 348 votes in favour and 274 against the reform. Before the new rules can become a valid legislation, the agreed text needs to be formally adopted by national ministers in the Council of the EU. The Copyright in the Digital Single Market Directive creates a new intermediary liability framework, obliging "online content sharing-service providers" (read: hosting service providers) to conclude licensing agreements with the rightsholders for copyrighted material to be uploaded to their services. Otherwise, the platforms can be held liable for content uploaded by third parties. This a significant divergence from existing rules on intermediary liability online deriving from e-Commerce Directive (2000) that establishes a so-called safe-harbour for online intermediaries who cannot be held liable for copyright infringements, unless they fail to “expeditiously act upon notification” of infringing content. The Copyright Directive will also impose an obligation on hosting service providers to check each content upload against the concluded licence, as the hosting service providers are obliged to “avoid the availability on their services of unauthorised works and other subject matter, as identified by the relevant rightholders”. In doing so, hosting service providers have to follow the "the best efforts in accordance to high industry standards of professional diligence" in order not to be held liable for copyright infringements committed by third parties.

TERREG is rapidly moving across the EU legislative process

The two European Parliament committees responsible for issuing their opinions on the proposal for a regulation on preventing the dissemination of terrorist content online (TERREG) have adopted their positions. On 4 March, the Committee on the Internal Market and Consumer Protection (IMCO) adopted its opinion on the file, proposing the direct exclusion of registries and registrars from the scope of the regulation that obliges hosting service providers to remove terrorist content in the originally proposed 1 hour deadline. The IMCO opinion suggests expanding the deadline for removal of terrorist content to 8 hours. On 13 March the Committee on Culture and Education (CULT) also adopted its opinion on TERREG. Similarly to IMCO, CULT also proposed to explicitly exclude registries and registrars from the scope of the Regulation. CULT suggests replacing the 1-hour removal deadline to a less specific time constraint of "without undue delay". Meanwhile, the main parliamentary committee responsible for negotiating the European Parliament's position on the file - LIBE - is expected to vote on their Report on 8 April. The latest compromise amendments do not explicitly exclude registries and registrars from the scope, however they do specify that the Regulation applies only to services at the "application layer", excluding "cloud infrastructure services, or electronic communications services". On the content removal deadline, the proposed compromise amendments follow a similar line to the IMCO Opinion with a proposal to expand the content removal deadline to 8 hours.

Data protection and privacy

The European Data Protection Board clarifies DPA duties under the e-Privacy Directive and the GDPR

On 12 March, the European Data Protection Board (EDPB) released an opinion on the interaction between e-Privacy and GDPR. The opinion was triggered by the Belgian data protection authority (DPA) which requested that the EDPB examine the interplay between the ePrivacy Directive (2002) and the GDPR. To reply to the question about competencies of DPAs in the context of data processing that falls under material scope of both ePrivacy Directive and GDPR, DPAs are competent to enforce the GDPR, irrespective of whether a subset of processing falls under the ePrivacy Directive or not. In relation to specific processing operations that trigger both the application of the ePrivacy Directive and the GDPR, DPAs are exclusively responsible for enforcing national provisions transposing the ePrivacy Directive in case these provisions give such authority to DPAs.

Elections corner

Five European political parties represent 79.89% of seats at the European Parliament elected in 2014. For the 2019 elections, these parties have put forward their political goals, reflected in manifestos and other supporting documents. For this EU Policy Update, we will look at relevant statements made by parties that concern the possible digital agenda for the coming years.

  • The European People's Party (EPP) has published several policy documents identifying their political goals for 2019. The documents support the need to closely monitor "internet platforms", and especially social media to combat and prevent radicalisation on the internet and via social media. In addition, the EPP calls for promoting investment in next-generation technologies and for utilising the Horizon2020 potential in order to accelerate research and support further innovation. In the field of cybersecurity, Member States should improve their infrastructure against cyberattacks, and the EU should have a coordinating role in these efforts in promoting "best practice".

  • The Alliance for Liberals and Democrats for Europe (ALDE) calls for the EU to be "the first to create a solid legal framework for new technologies such as blockchain, artificial intelligence and others to be used in the economy and public life". According to the ALDE Manifesto, legislation should however be focused on applications that use these new technologies and not on the underlying technologies themselves, since this would otherwise limit innovation and the creation of new applications. In addition, ALDE calls for every European to get a trusted and secure digital identity "to be able to log in and sign documents safely, in a 21st century manner".

  • The European Greens call for "an effective and independent EU authority for digital sector supervision in order to control and limit the market power of big corporations". The Greens also commit to defending "net neutrality – the principle that all data must be treated equally – as a foundation of the open internet". The Greens 2019 Manifesto also calls for the full implementation of European data protection rules. Additionally, the Greens call for "seizing the opportunities of digitisation, artificial intelligence and robotisation – while addressing their challenges and risks", and for access to shared resources, including to the internet or knowledge by everyone.

  • The European Socialist Party (PES) commits itself to social progress, leaving no person and no territory behind in digital transitions. The PES calls for a long-term investment plan to prepare industries and workers to benefit from "the digital revolution and the growth of artificial intelligence".

  • The Alliance of Conservatives and Reformists in Europe (ACRE party) have not put anything forward specifically related to a digital agenda in their corresponding programme.

  • The European Left have declared that they will "promote digital democracy, Internet neutrality[...]" and to guarantee "the right to impartial and true information. Develop communication rights, to avoid multinational companies or darknet being the only owners of communication channels".

Published By Polina Malaja
Polina Malaja is the Policy Director at CENTR, leading its policy work and liaising with governments, institutions and other organisations in the internet ecosystem.