In a nutshell: The Council of the EU approved its conclusions on the Future of EU Digital Policy, to which several EU countries reacted with their own proposal. The Council of the EU approved its conclusions on the Future of Cybersecurity. The Dutch government published a non-paper on effective EU cybersecurity legislation. The European Commission took stock of the implementation of the EU Security Union Strategy. The European Data Protection Board issued a statement on the Financial Data Access proposal. The Court of justice of the EU ruled on public authorities’ access to identity data and IP addresses. The Council of the EU formally adopted the Artificial Intelligence Act. The Council of Europe adopted an international treaty on Artificial Intelligence.
The Council of the EU approved its conclusions on the Future of EU Digital Policy
On 21 May, the Transport, Telecommunications and Energy Council approved its conclusions on the Future of EU Digital Policy. The conclusions stress that “digital sovereignty in an open manner” is essential for EU own path towards digital transformation and should be in line with the EU commitment to a “fair, open and rules-based global digital market”. The Council of the EU notes the “significant number of EU legislative acts” and stresses the need to prioritise their effective implementation. The Council of the EU also underlines the need to “thoroughly assess the impact of any new legislative initiative” on innovation. The Council of the EU calls on the European Commission to build synergies with EU Member States and ensure consistency in application of existing EU law, while reducing administrative burden. The Council of the EU emphasises the importance of harmonised standards in cybersecurity and digital identity. With regard to “innovative digital technologies”, such as AI, quantum computing, 6G, digital twins and virtual worlds, the Council encourages “dynamic ecosystems” supporting their development based on openness and a level-playing field for SMEs. The Council also encourages the development of “digital commons” for the benefit of society as a whole. Concerning digital infrastructure, the Council calls on the European Commission and the Member States to “carefully assess the current state of digital infrastructure and regulatory landscape to ensure a safe, robust and future-proof framework”. In sustainability, the Council calls for developing “evidence-based assessment methodologies for measuring the environmental footprint as well as the positive effect of digital technologies” based on standardised data. Regarding e-Government, the Council supports Commission’s efforts to develop “interoperable public digital services”, and stressed the need to “consider digital and interoperability implications of policies[…], in order to address potential issues ahead of time, to ensure the smooth implementation of legislation and to reduce the regulatory reporting burden as well as compliance costs”. The Council of the EU stresses the need to develop an “EU strategy” on the multistakeholder internet governance, with a view to “ensuring an open, free, affordable, neutral, global, interoperable, reliable and secure Internet”.
Estonia, Germany, Latvia and Lithuania expanded on the Future of EU Digital Policy
In response to the Council’s conclusions on the Future of EU Digital Policy, a group of EU Member States consisting of Estonia, Germany, Latvia and Lithuania (aka ‘Innovation Club’) issued its own vision for Europe’s Digital Future. According to the Innovation Club, the effective implementation of the existing EU tech regulation must be prioritised. While fully endorsing the aforementioned Council conclusions, the Innovation Club recognises that the conclusions do not cover all areas of EU digital policy that need attention. To this end, the members of the Innovation Club offer the European Commission recommendations within the following pillars: i) reducing the regulatory burden, (ii) ensuring high-class digital infrastructure, (iii) advancing Europe on its path to a data economy, and (iv) harnessing standardisation at the international level. The Innovation Club stresses the need to “ensure transparency consistency and predictability of the regulatory processes[...] by putting a stronger focus on impact assessments”, including targeted impact assessments performed by the Council of the EU before adopting its position. The Innovation Club also calls for scrutinising the impacts of the Commission’s delegated and implementing acts, and providing simple and non-binding guidelines in a form of “actionable checklists” that could help with implementation. In the area of “high-class digital infrastructure”, the Innovation Club calls for developing a sustainable “digital infrastructure that strengthens EU-wide digital sovereignty”, and codifying the net neutrality principle, as an “important means to preserve the free and open internet”. For “data economy”, the Innovation Club calls for “comprehensive and consistent interpretation and implementation of existing data protection frameworks across the EU”, and stresses the need to “better utilise technical and organisational approaches” to data minimisation. Personal data should be available for reuse and access, primarily in standardised formats. Regarding standardisation, the Innovation Club calls for increasing the pool of European experts in standardisation bodies, implementation of unified standards for data to facilitate data exchange, and acceleration of development of common technical standards for the EU Digital Identity Wallet.
Cybersecurity
The Council of the EU approved its conclusions on the Future of Cybersecurity
On 21 May, the Transport, Telecommunications and Energy Council also approved its conclusions on the “Future of Cybersecurity: implement and protect together”. The Council of the EU notes that the internet infrastructure is “mostly privately owned”, and stresses the key role and shared responsibility of Member States and the EU to set “a clear and agile regulatory [...]framework” to detect and recover from cyberattacks. The implementation of such framework should “build on the multi-stakeholder approach of the cybersecurity ecosystem and cooperation with international organisations and partners”. The Council of the EU calls on the European Commission to swiftly adopt delegated and implementing acts that are mandatory for the implementation of the NIS 2 Directive and the Cyber Resilience Act (CRA). The Council of the EU also strongly cautions against “fragmentation, duplication or overlap of cybersecurity Regulation” across the EU and urges the European Commission to “ensure a coherent approach”, avoiding unnecessary complexity when new initiatives are proposed. In this regard, “thorough impact assessments for all new legislative initiatives” are necessary. In the area of certification, the Council recognises its importance for implementation of NIS 2, CRA and other cybersecurity legislation. The Council also emphasises the role of digital identity to “bolster online security and trust”. With the recently finalised Regulation for a European Digital Identity (EUID Regulation), “the EU holds a unique prospect to use digital identity in the ongoing battle against phishing or social engineering”, according to the Council of the EU. Several calls are targeted at the NIS Cooperation Group and ENISA. These include (but are not limited to) swiftly developing an approach to “risk assessment and scenario building, based on a common methodology”, and continue its work on the ICT Supply Chain toolbox. The Council of the EU also underlines the need to “promote a consistent, coherent and transparent policy approach” to free and open-source software (FOSS), including its security. To that end, the Council calls for concrete measures aimed at supporting the security of FOSS that are of “public interest or widely used across the European economy”.
The Netherlands published a non-paper on effective EU cybersecurity legislation
On 26 of April, the Dutch government published a non-paper on achieving an “Effective EU cybersecurity legislation and decisive diplomacy in the cyberdomain”. The document highlights the importance of finding a balance between regulation and maintaining room for innovation. The first set of recommendations focus on “successful implementation of EU legislation and streamlining of the cybersecurity landscape”. The document highlights assisting Member States with the NIS 2 Directive implementation at the national level, also through the NIS Cooperation Group. Furthermore, a stock-taking exercise “of the different legal acts (sectoral and/or horizontal) and their interplay, coherence of the roles and responsibilities of different actors and networks active in the cyber domain and their interaction” should take place. New cybersecurity standards should be developed by the standardisation organisations but the European measures should align with international standards. Additionally, EU cybersecurity standards should be promoted in EU external relations. The document underlines that internet needs to be based on democratic values and fundamental rights. The EU should therefore prioritise investing in its economic strength and foster technical expertise. In practical terms the Commission should involve the Member States more closely in its digital partnerships and cooperation with third countries. It should also proactively engage in the upcoming Internet Governance multilateral processes, namely in the Pact for the Future, Global Digital Compact as well as in the WSIS+20 review. The focus should lie on enshrining “the concept of the public core and the necessary application of […] multistakeholder model in new multilateral agreements”. The EU should also improve its internal coordination to once again achieve a favourable outcome of the WSIS review, as was the case with WSIS+10.
The European Commission published the Seventh Progress Report on the implementation of the EU Security Union Strategy
On 15 May, the European Commission published its annual progress report on the diverse range of measures adopted within the context of the Security Union Strategy for 2020-2025. The report acknowledges the changed threat landscape which includes booming cybercrime, internal threat of terrorism, and external conflicts, such as Russian invasion of Ukraine and the conflicts in the Middle East. The report also notes the progress made in protecting physical and digital infrastructure, fighting radicalisation and organised crime, increased border protection and police and judicial cooperation. With regards to critical infrastructure, the report mentions the Directive on the Resilience of Critical Entities (CER Directive) and the revised NIS 2 Directive as two key legal frameworks for addressing current and future online and offline risks. Other important achievements under the cybersecurity topic include the adoption of the Cyber Resilience Act and of the EUID Regulation. As for the measures beyond 2025, the report stresses the “need to improve coordination between civilian communities and the military/defence eco-system”. As a result, “the connections between these two fields are likely to grow in the future”. Furthermore, closer coordination and complementarity between the EU agencies such as ENISA or EUROPOL shall be promoted, according to the report.
Data protection
EDPB issued a statement on FiDA
On 23 May, the European Data Protection Board (EDPB) adopted its statement on the financial data access (FiDA) and payments package. In its statement, the EDPB recalls previous opinions on the FiDA and payments package issued by the European Data Protection Supervisor (EDPS), and welcomes the fact that the European Parliament’s reports take on board most of the recommendations issued by the EDPS. The EDPB notes that despite those positive developments, “some recommendations on the FiDA proposal have not yet been implemented in a satisfactory manner”. The EDPB stresses the “large amounts and a wide variety of categories of personal data” that will likely be shared by data holders under FiDA, and therefore, recommends having “due regard to the data minimisation principle”. The EDPB also welcomes the clarification of ‘permission’ under FiDA in the ECON report (see our previous reporting here). The EDPB welcomes the amendment proposed in the ECON report clarifying that ‘permission’ should not be construed as ‘consent’ or ‘necessity for the performance of a contract’ under the GDPR.
The CJEU ruled on public authorities' access to identity data and IP addresses
On 30 April, the CJEU issued a judgment in the case La Quadrature du Net and Others () and lutte contre la contrefaçon). The case concerns the legality of French intellectual property rights (IPR) enforcement framework that gives powers to national authority (Hadopi) to access data relating to “civil identity associated with an IP address” retained by electronic communication services. The applicant La Quadrature du Net argued that the French legal basis giving such powers to Hadopi, without prior review by a judge or an impartial authority, is unconstitutional and contrary to the EU data protection framework. The referring French court asked, in essence, whether the EU e-Privacy Directive and the Charter of Fundamental Rights of the EU preclude national legislation to authorise such access by public authorities responsible for IPR enforcement. The IP addresses in question are collected within peer-to-peer networks and then subsequently matched with the subscriber’s full name, postal address, email addresses, telephone number and the address of the subscriber’s telephone installation by internet service providers. The CJEU ruled that that the general and indiscriminate retention of a vast set of static and dynamic IP addresses used by a person in a given period does not necessarily constitute, in every case, a serious interference with the fundamental rights. The general and indiscriminate retention of IP addresses can be lawful if subject to clear and precise rules under national legislation, as well as strict requirements. First, each category of data must be kept completely separate from other retained categories of data. Second, the separation of different categories of data must be technically “watertight”. Third, linking of data must be done through the “effective technical process”, and fourth, the reliability of watertight separation must be subject to regular review by another public authority. In the present case, the CJEU found that Hadopi does not have access to a set of traffic data that can draw precise conclusions about the private life of persons concerned. The general and indiscriminate retention of IP addresses, for the purposes of combating criminal offences in general, does not constitute a serious interference with the privacy of the holders of those addresses, if it is kept separate from other categories of data in a “watertight” manner. Furthermore, access to IP addresses for the sole purpose of identifying the person suspected of being involved in criminal offences is not contrary to EU law. With regard to the prior review of data access request by independent body or court, in case of data relating to the civil identity of users and if data is requested for the sole purpose of identifying the user, the interference with right to privacy cannot be classified as serious. As such, the prior review is not intended to apply. However, the national legislation must provide for additional safeguards to protect concerned users from linking data categories together and enabling drawing precise conclusions about their private life. Judicial or administrative review must take place before linking categories of data in case of repeated infringing activity by the same person.
AI
The Council of the European Union formally adopted the AI Act
On 21 May, the Council of the European Union has formally adopted the Artificial Intelligence Act (AI Act), which was previously agreed during the interinstitutional negotiations (see our previous coverage here and here). The regulation takes a risk-based approach to the different use cases of AI systems. Limited risk use cases of AI will be subject to transparency measures. High-risk AI systems will have to fulfil certain obligations, while social scoring is prohibited altogether. The AI Act also assumes a new governance architecture comprised of an AI Office within the Commission, a Scientific panel of independent experts, an AI Board comprised of Member States’ representatives and an Advisory forum for stakeholders. This adoption marks the end of the legislative process, the final step is the publication in the EU’s Official Journal after which the Act will come into force after 20 days.
The Council of Europe adopted an international treaty on Artificial Intelligence
On 17 May, the Council of Europe, adopted an international and legally binding treaty on Artificial Intelligence. The treaty is the result of two years of work of the Committee on Artificial Intelligence, which included 46 Member States of Council of Europe, the European Union as a standalone representative, and 11 non-members: Argentina, Australia, Canada, Costa Rica, the Holy See, Israel, Japan, Mexico, Peru, the United States of America, and Uruguay. The Committee also included civil society, academia and private sector representatives. While the convention is binding to its parties, its application on private sector companies is up to the discretion of each country. The convention establishes transparency measures, by for example mandating the identification of AI-generated content. The parties to the convention should also assess possible AI-related risks and potentially draw up measures to prevent human rights abuses. The parties will also have to ensure accountability and responsibility for “adverse impacts and that AI systems respect equality, including gender equality, the prohibition of discrimination, and privacy”. Means of redress have to be available to people whose rights have been violated by an AI system. The parties are not obligated to apply these rules to AI systems used in the context of national security, however, respect for international law and democratic institutions and processes is still required. The Convention also establishes a follow-up mechanism in the form of a Conference of the parties to ensure its effective implementation. It also requires parties to establish an independent oversight mechanism.