The EU (among others) has been taken by surprise: WannaCry has demonstrated how ill-prepared the bloc is against cyber-attacks. Expectations are high that the Network and Information Systems Security Directive (NISD) will increase both public and private actors’ capacity to prevent and react to large-scale incidents. Also, the EU is revamping its Cybersecurity Strategy and Europol has been equipped with new powers and is very keen on communicating its actions and successes. Other Digital Single Market (DSM) related files are also moving forward, e.g. the audio-visual media services directive (AVMSD). The widened scope of the AVMSD, new initiatives proposed under the DSM review, together with (Member State) actions against hate speech (see Facebook), are strong indicators that intermediary liability is high on the agenda again. For now, the European Commission, especially DG Connect, still presents itself as the defender of the e-commerce Directive and its principles – but its defence lines crumble under increasing pressure from the Member States and the Commission’s own sectoral legislation.
1. Work-in-progress: Recent developments in EU policy dossiers
Digital Single Market (DSM) review: In its Digital Single Market Review (DSM), the Commission identifies areas of progress and gaps with regard to the 16 key measures. The measures were mapped out in the DSM Strategy published in 2015, including geo-blocking, copyright, cybersecurity, ePrivacy, free flow of data, etc. [more detail in your internal EU Policy Update]. The aim of wrapping up “key legislation” by the end of 2017 is rather unrealistic – a prominent example is the review of intellectual property enforcement (IPRED), which was promised for 2016. It will be important to monitor initiatives that relate to platforms, as these focus on an EU-approach to fighting illegal content online.
.eu regulation review kicks off: The Commission is consulting the public about whether current rules for the .eu top-level domain need to be changed or updated in light of changes in the domain name market, “which is now much more dynamic and competitive”. The consultation runs from 12 May until 8 August 2017.
EDPS wants ePrivacy and telecom rules disentangled: In his recent opinion, the European Data Protection Supervisor (EDPS), Buttarelli, welcomes the ePrivacy regulation (ePR) proposal as a complementary legal tool to the GDPR, which ensures the confidentiality of electronic communications. He also supports the inclusion of so-called “over-the-top” services (OTT). He doubts, however, that the complex ePR proposal can really ensure privacy in electronic communications. The ePR distinguishes between metadata, content data, data from terminal equipment, each with its own rules and exemptions. Buttarelli also criticises that actual definitions are not to be found in the ePR but in a different legal instrument, the European Electronic Communications Code (EECC), which focuses on telecoms. Instead of closely linking the two, the necessary definitions should be put in the ePR.
AVMSD ready to move to trilogue: A coalition of MEPs was not able to stop the Parliament’s plenary vote on the audio-visual media services directive (AVMSD), which would force platforms to monitor content for potential harm to minors or discriminatory impact. In the Council, the eight Member States which had previously spoken out against such a move as well mysteriously fell silent. The latest Presidency compromise foresees a role for the Commission to define and regulate rules for social media, which is ironic, since the Commission’s initial proposal had (deliberately) not foreseen any such rules. The sectoral directive constitutes a rather blunt move against the current e-commerce Directive, which excludes general monitoring obligations and limits the liability of intermediaries.
2. Coming up: (Scheduled) initiatives on the horizon
29 digitally-versed MEPs want to ban data localisation rules: In a letter addressed to Commission President Juncker, they argue that data localisation cannot (or only rarely) be justified either on economic or privacy grounds. To date, many Member States uphold rules that require that e.g. tax or health data be stored on national territory. Some countries strongly support removing such barriers, whereas others, such as France, strongly oppose it, mainly for security reasons. In its Digital Single Market review, the Commission has refrained from a legislative proposal in that area. However, it announced that it would start infringement procedures against some countries on the basis of illegal barriers to the free flow of services. A public consultation on the issue is planned; results can be expected in the fall.
“Not technical but political”: Mariya Gabriel is set to become Bulgaria’s new Commissioner. The role foreseen for her is that of Digital Commissioner (previously Oettinger), temporarily held by Digital Vice-President Andrus Ansip. Before she can take on her tasks, however, she has to go through the traditional “grilling” in the European Parliament where the committee closest to her DG (most likely ITRE) can be expected to ask tough questions about her competences and intentions. Whereas the Parliament does not have the power to either approve or dismiss individual Commissioners (only the Commission as a whole), it has already succeeded in replacing suggested Commissioners it deemed “incompetent”. Gabriel seems quite relaxed about her posting: she told POLITICO that a commissioner was “primarily a political job, not a technical one” – an interesting statement for a future Digital Commissioner.
Priorities of Estonia’s EU Presidency: No less than 24 digitally-focussed high-level events are planned during Estonia’s 6-month reign starting in July, including the free flow of data (July), cybersecurity (September), e-justice (October), and cyber defence (November). The “cyber-focus” is also reflected in its priorities: 1) an open and innovative European economy, 2) a safe and secure Europe, 3) a digital Europe and the free flow of data, 4) an inclusive and sustainable Europe. Estonia is the first to kick off the programme of the so-called “trio-Presidency”, which it holds together with Bulgaria and Austria.
3. Proud to present: Success stories at EU level
Europol coordinates cross-country removal of online terrorist propaganda: Belgium, Greece, Poland, Portugal, the US and Europol’s Internet Referral Unit teamed up to identify and remove terrorist and violent extremism content at the end of April. Europol reports that 2,068 such pieces in 6 languages were assessed for referral, hosted on 52 online platforms. These mainly included IS and al-Qaeda affiliated media outlets, but also others, primarily those that allow for anonymised posting. Europol stressed that “the final removal of the referred material is a voluntary activity carried out by the concerned service providers, in accordance with their own terms and conditions”.
4. What else? Other things that happen(ed) at EU-level
European reactions to WannaCry: More than 150 countries were affected and over 230,000 systems infected by the crypto-ransomware, as ENISA explains. Its executive director, Udo Helmbrecht, tried to reassure the public that ENISA is “closely monitoring the situation and working around the clock”. The European Commission urged Member States to coordinate their defences against cyberattacks; public and private actors should take their responsibility seriously. The Greens in the European Parliament are holding a hearing on 7 June about “#WannaCry: Lessons learned for security and liability in the Internet of Things”.
“Cyber aggression” on the rise: Data breaches, mass disinformation campaigns, cyberespionage and attacks on critical infrastructure happen on a daily basis. The Yahoo data breach, the Telecom internet outage, the DDoS attack against Dyn and the repeated attack against Ukraine’s power grid are just a few prominent examples in 2016 alone. Prosecution, however, remains problematic, also given that some attacks are state-sponsored. The European Commission’s in-house think tank, the European Political Strategy Centre, published a report [before “WannaCry”] arguing that the EU and its Member States are ill-prepared for large-scale attacks and suggesting tools (an “effective European Cyber Shield”) to close the gaps.
Promote to demote: Paul Nemitz, previously director on fundamental rights in DG Just (and speaker at last year’s CENTR Jamboree), has become “principal advisor on strategies for cross-cutting justice policies or legal actions” in the same DG. Emmanuel Crabit is now acting director of Directorate C. Nemitz, an outspoken defender of fundamental rights, is likely to have become too powerful in a directorate that, while dealing with privacy and intermediary liability, is trying to shift towards innovation and competitiveness rather than privacy. Whereas it is not unusual that directors move after five years, it is not mandatory. It is not the first time that the promotion to “principal advisor” has been used to move more senior staff out of their positions (and then abolish the post once they leave).
5. Homework: Activities at domestic level
Denmark quits and re-enters Europol: As of 1 May, Denmark is no longer a member of Europol – honouring a referendum that was held on the issue in 2015. However, as an observer state, the country will still have access to Europol’s databases and participate in information-sharing based on a new cooperation agreement. It will, however, have to justify why it wants access. To date, it is unclear what will happen with the UK’s membership after Brexit.
Facebook was previously sanctioned EUR 150,000 by France’s privacy authority over a failure to protect customer data (including mass gathering of personal data, unfair tracking using cookies and inadequate information to users about their rights). The investigation was supported by authorities from Belgium, Hamburg, Spain and the Netherlands. The Netherlands still needs to decide on whether it fines Facebook.
Meanwhile, Italy’s Antitrust Regulator sanctioned WhatsApp with EUR 3 million over insufficient transparency on data sharing with Facebook.
An Austrian court ruled that Facebook must remove hate speech content (in the present case “trolling”) from across its platform – not just in Austria (more via Reuters).
In Germany, Justice Minister Heiko Maas has had it: a code of conduct signed by social media in 2015 did not deliver; social media still do not act quickly enough when it comes to removing hate speech content on their platforms. Now he threatens with fines of up to EUR 50 million if they fail to delete or block obviously criminal content within 24 hours; they have 7 days for less obvious cases but with an obligation to report back to the person who complained about the content. Also, courts would be able to order social networks to reveal the identity of those posting content. The law is being pushed through the legislative process – national elections are looming in September and security is likely to feature prominently in most parties’ programmes. The draft has raised concerns about shifting the responsibility to judge the legality of content to private companies. Also, short deadlines could force companies to delete or over-block content as a precautionary measure. Practically, the (only) likely way to speedily take down hate speech content would be automated content filters, which raise concerns about their use in democratic systems.
In the meantime, an investigation by The Guardian reveals more details about how Facebook handles postings related to terrorism, pornography, violence, hate speech, etc. The internal rules and guidelines, which, according to some of Facebook’s moderators, are often confusing and inconsistent, have raised questions about the company’s ethics.