The year-end EU Policy Update is quite dense – and therefore comes with a new structure. No EU institution wanted to be perceived as idle, so you’ll find last-minute publications (consumer protection), (partial) positions (geo-blocking, terrorism, roaming), and reinforced initiatives (hate speech) – so that everyone is able to tell a success story after all. Still, some core proposals for 2016 had to be postponed to next year (ePrivacy, IPRED) – at least on the Commission’s agenda, since the incoming EU Presidency (Malta) might have set its priorities elsewhere. With so many digital files in progress, you will find more background information in this update than usual – not least to keep you busy over Christmas! (By the way: If you are still in search of an advent calendar, Europol has the solution.)
1. Work-in-progress: Recent developments in EU policy dossiers
Consumer Protection Cooperation – promising IMCO draft report: In her recently published draft report, the Rapporteur supports the Commission’s general objective to make enforcement, especially in cross-border infringement cases, more efficient and effective. Yet, she considers the proposal often too vague, fostering legal uncertainty. Member States, not the Commission, should decide whether competent authorities act directly or via courts. The Commission’s harmonisation plans would change procedures and power structures considerably, at least in some Member States. The Greens called for Commission powers to be held back when it comes to blocking websites. CENTR has submitted a comment on the issue and helped clarify definitions around the DNS. Other MEPs now have until 11 January to table amendments.
Council finalises position on geo-blocking: Customers or companies should not be discriminated against when trading online based on their nationality, place of residence or establishment. Online traders should no longer be able to block them from accessing platforms in their Member State or to redirect them to potentially more expensive domestic sites. Contrary to the Commission’s plans, the Council does not intend to ban price differentiation or different terms and conditions based on a customer’s origin, i.e. his IP address (see position). It excluded from the scope financial, audio-visual, transport, healthcare and social services as well as copyrighted content (music, e-books). Included are three cases where a trader 1) offers to deliver to a Member State, 2) provides, e.g. cloud services, data warehousing, website hosting, firewalls; and 3) provides services in his country, e.g. hotel accommodation, car rental. Payment methods, however, must be the same for all EU customers (see also Council press release). The Council also wants to leave exceptions under 2010 competition law (on luxury providers’ setting sales rules for platforms) and 2008 contract rules (on the application of national law) intact. European Parliament (EP) rapporteur Thun (EPP, PL), however, announced her intention to include copyrighted content, such as games, software and e-books in her draft report expected for 15 December.
Terrorism Directive takes next step: EU Member State representatives (COREPER) reached a political agreement on 30 November, followed by a positive vote of the European Parliament’s lead committee (LIBE) (latest available version of 21 November). Final adoption is expected in the coming months. Human rights organisations keep criticising the vague definition of “terrorism”, which could criminalise public protest, and the fact that Internet companies can be asked to block certain websites without judicial oversight. According to activists, the directive borrowed from recent French law, which had also blocked Google and Wikipedia for a whole morning in October. Users were redirected to the website of the French ministry when their IP addresses were flagged (see also EUObserver, EurActiv).
Free flow of data – just a little: With the Commission rowing back on its ambitious initiative to ban data localisation obligations within the EU, 14 Member States have spoken up in favour of the free flow of data (BE, BG, CZ, DK, ET, IE, LV, LT, LU, NL, PL, SI, SE, UK). In their position paper, they argue that “national legislation should not be an artificial barrier to market access for enterprises from other Member States.” France strongly objects to any legislative move towards lifting national data localisation laws; Spain and Germany are allegedly not that fond of it either. The Commission is expected to publish its proposal on 11 January (it had been planned for 30 November) (see also EDRi).
EU data protection authorities to publish GDPR guidelines: The Article 29 Working Party is set to adopt guidelines on the General Data Protection Directive at their next meeting on 12-13 December. Included are guidelines for data protection officers (DPOs), portability or reuse of data, etc. In an interview, chairwoman Isabelle Falque-Pierrotin said that she would expect industry to put forward proposals and share its reflections next year.
2. Coming up: (scheduled) initiatives on the horizon
Malta presidency priorities: Malta will be taking over the EU Presidency from Slovakia on 1 January. Priorities with regard to the digital area include: 1) security: Malta wants to enhance inter-state cooperation on criminal justice; and 2) Single Market: objectives include ending roaming charges and making progress on geo-blocking, portability of audio-visual content subscriptions, spectrum allocation and 5G, and the free WiFi initiative (see also MT Telecommunications Work Programme). You might be missing other initiatives that the Commission would like to see progress on (see Work Programme below), such as copyright, ePrivacy, free flow of data, etc. The EU’s smallest Member State (423,000 inhabitants) is part of the so-called Trio-Presidency together with the Netherlands and Slovakia. It will be followed by Estonia in the second half of 2017.
Digital agenda in Commission Work Programme 2017: Under the banner of “Delivering a Europe that protects, empowers and defends” the Commission ventures into the new year. Again, the Commission wants to focus “on the important things” and “to do things better”. With regard to the Digital Single Market (DSM), the need for trust and cybersecurity is high on the agenda. Areas of priority (Annex III) include advancing or closing proposals on e-commerce, the free flow of data, digital contracts, copyright, geo-blocking, portability, audio-visual media services, telecoms, roaming, the WiFi4EU initiative and the terrorism directive. New initiatives (Annex I) include a mid-term review of the DSM Strategy, a data protection package (including protection of personal data when processed by EU institutions), the review of the ePrivacy directive, and a framework for adequacy decisions when exchanging personal data with third countries. Annex II lists initiatives that will be reviewed, including ENISA’s mandate (in view of the NIS Directive), the revision of the .eu domain name regulation in view of TLD market place changes, and the revision of consumer law, notably unfair terms in consumer contracts (indications of prices, sale of consumer goods and guarantees, B2C commercial practices, misleading advertising, injunctions). The Commission also released a “DSM state of play” document with some indicative timing on outstanding initiatives, e.g. the review of the Directive on the enforcement of intellectual property rights (IPRED), which, curiously, is missing from the work programme above.
Public consultation on “Next Generation Internet”: The Commission’s NGI initiative looks at the Internet of the (near) future, which reflects European values, becomes “more human” and “takes a fresh look” at issues that keep people from going online, such as data protection and transparency concerns. It will further intertwine the physical and virtual reality, connect more devices and sensors and offer new functions, applications, services and technological aspects. In order to gather stakeholders’ views on the Internet of the future, the Commission launched a public consultation (deadline 9 January 2017). Of interest to ccTLDs could be “Technology area 6: Networking solutions beyond IP”, which addresses the limitations of TCP/IP (mobility, IP address management, task limitation, quality of service) and how to overcome them. More information on the NGI can be found here. A call for support actions under Horizon 2020 (objective ICT-41) will be launched in December.
European Defence Action Plan foresees stronger focus on cybersecurity: The Commission seeks closer cooperation with Member States to establish a cyber-training and education platform to enhance cyber resilience of IT systems and reduce cybercrime (see Action Plan, p. 18).
3. Ever popular: EU activities with potential (impact)
EU Internet Forum meets on 8 December: The European Commission is unhappy with progress since the Forum’s highly praised code of conduct came into existence six months ago (press release). The signatories - Facebook, Twitter, YouTube and Microsoft - voluntarily committed to removing or disabling access to hate speech content online within 24 hours. A Commission report, however, shows low rates of compliance with only 40 per cent of recorded cases reviewed within that time span, and 80 per cent after 48 hours. More details about the evaluation, including the number of notifications, on which grounds and the reactions by IT companies, can be found in this fact sheet. Justice Commissioner Vera Jourova threatens legislative measures should the voluntary approach not work (see Reuters).
Social media companies combine efforts to fight hate speech: Two days before the EU Internet Forum meets, Facebook, Twitter, Microsoft and YouTube announced they were committing to the creation of a database (digital "fingerprints") to identify images and videos that spread terrorist propaganda and hate speech. Practically, if one company identifies and removes a piece of content, others can use the hash (digital fingerprint) to identify and remove the same piece of content from their network. Apparently, no automation would be used to remove such content.
EU Internet Forum – bad grades for transparency: Neither the list of participants nor the agendas of meetings have been made public – despite official requests for access to information, now backed by the EU Ombudsman. The Commission’s reply to the Ombudsman’s investigation remained sketchy, its argumentation for secrecy meagre and inconsistent, as EDRi laments. So far, officially, it is only known that the Forum consists of “Ministers, high-level representatives of major internet companies and relevant EU representatives.” The objective is to reduce “accessibility to terrorist content (removal of content)” [sic] and to increase the use of counter narratives. At the upcoming meeting, Member States will be asked to step up efforts to prevent online radicalisation and tackle terrorism propaganda online (see Council Background Paper).
Encryption, but only with backdoors: If it were up to France and Germany, Telegram, WhatsApp and the like would soon see an end to their use of encryption. In their letter, the two Ministers of the Interior write that they want to be “able to rely more on the responsibility of electronic communication service providers, particularly those that are not based within the Union”, and to reinforce the “legal obligation” of providers “to cooperate with the competent authorities of Member States when it comes to criminal investigations” or “the immediate and permanent removal of public messages promoting terrorism.” What other EU Home Affairs Ministers think about this move will become clearer at the next Council meeting on 9 December. A survey by the Slovak EU Presidency suggests that some countries, such as Poland, would even go as far as banning encryption that does not provide for built-in backdoors (you’ll find more answers from other governments under the same link). Yet, the Slovak Presidency is said to suggest more cooperation, information sharing and technical assistance by Europol – rather than a new law.
4. Proud to present: Success stories at EU level
Operation Avalanche: After four years of investigation, law enforcers together with industry players were able to take down a large infrastructure of malware families. The so-called Avalanche network was at the heart of global malware attacks and money mule recruiting campaigns resulting in damages of approx. EUR 6 million in Germany alone. Victims spread across 180 countries. Altogether, the operation involved investigators from 30 countries as well as the Shadowserver Foundation, Registrar of Last Resort, ICANN and domain registries. It resulted in the take-down of more than 200 servers and 800,000 domains in over 60 TLDs being seized, sinkholed or blocked (for more information: Shadowserver, Europol press release).
Law enforcement authorities seize more than 4,500 illicit domain names selling counterfeits: The joint operation targeted copyright-infringing websites and third-party marketplace listings selling luxury goods, pharmaceuticals, etc. It was coordinated by Europol’s IPC3, the US National Intellectual Property Rights Coordination Center and Interpol (see Europol press release). The IPC3 is jointly operated by Europol and the EU Intellectual Property Office (EUIPO). It has recently launched the citizens’ awareness campaign “Don’t F***(ake) Up”.
Roaming – sort of abolished: The Council finalised its position (“general approach”) on wholesale roaming prices last week, opening the way to trilogue negotiations with the European Parliament and the Commission. Agreement on wholesale prices (among telecom companies) is necessary before the abolition of roaming for end-customers can take effect in June 2017. For data, the Council foresees a “glidepath” with a maximum charge from EUR 0.01/MB in mid-2017 dropping to EUR 0.005/MB in mid-2021. For phone calls, the maximum surcharge would be EUR 0.0353/min, and for text messages, EUR 0.01 per message (see Council press release).
5. What else? Other things that happened at EU-level, mostly FYI
Umbrella agreement on data protection almost sealed: What happens to EU or US citizens’ data when it is exchanged for law enforcement purposes across the Atlantic (i.e. criminal investigation and prosecution)? Their personal data will be protected under the rules of the so-called Umbrella Agreement, which was adopted by the European Parliament. Both the US and the EU confirmed internal approvals at the US-EU Ministerial Meeting on Justice and Home Affairs on 5 December. However, it remains to be seen whether the Trump administration will implement the deal. The President-elect had announced that he would call off all international agreements, which could also put the (now passed) Privacy Shield agreement and the (still negotiated) TiSA (see below) and TTIP negotiations at risk.
Commission falls prey to “black hat attack”: On 24 November, the Commission’s Internet access was down for hours after it became the victim of a DDoS attack. Traffic was sent to the EU’s main website, and network gateways were also targeted. No data was breached according to the Commission (see Politico).
Background: CETA, TTIP, TPP – and what is TiSA? The Trade in Services Agreement is currently being negotiated among 23 WTO members, including, e.g. the EU, the US, Turkey and Japan. The aim is to make sure that providers of services in one country can more easily provide them in another. Foreign suppliers should not be treated differently than local ones; their extent of operation should not be limited. TiSA is based on the existing General Agreement on Trade in Services (GATS) and therefore spans the services covered by it, except air traffic rights and government services (justice, policing, defence). Each participating country can choose which type of services it wants to open to competition and the extent to which it wants to do so. TiSA does not include measures to protect investors, such as State Dispute Settlement (highly controversial in TTIP). TiSA does not address rules applying to suppliers that concern public health or safety, the environment, minimum qualifications of suppliers that wish to provide a service, or people’s rights at work. TiSA and GATS intertwine in that TiSA is drafted in a very similar way and could, practically, be used to update or upgrade existing GATS commitments when members choose to join it (Source: EU Commission). Greenpeace and Netzpolitik.org have recently leaked chapters of the draft agreement, notably on e-commerce and telecommunications. They see a danger to the relatively high levels of data protection in the EU: for instance, states with high levels of data processing and laxer rules (commonly referring to the US) could not be prevented from applying these laxer rules when processing foreign data. Along the same lines, they could sue states with data localisation requirements. The two organisations also criticise that platforms such as YouTube or Facebook would be able to regulate and enforce freedom of speech rules according to their own terms and conditions (often referred to as “privatisation of enforcement”).
Initially, the deal was to be concluded this year. However, a ministerial meeting on 5-6 December was called off; negotiators will now meet to review progress and prepare for 2017. Stumbling blocks, “sources say”, are cross-border data flows (mainly due to delays of an EU position), new services and uncertainties about the US position after the elections (see article).
6. Homework: Activities at domestic level
UK – Investigatory Powers Bill becomes law: The bill received royal assent with the Queen signing it off on 29 November (The Guardian). Often called the “spy bill” or “snooper’s charter”, it will give new powers to security services for bulk surveillance and hacking into computers, networks, mobile devices or services. A government database storing the web browsing history (ICRs) of every citizen for up to one year will also be put in place, including apps used on their phone or metadata of phone calls. ISPs and mobile carriers will be paid by the government for storing the data, which can then be accessed by law enforcement through a central search engine (more details on The Verge). (Additional reading: ISOC)
Spain/UK – New campaigns to fight online Internet piracy: The Spanish Minister of Education, Culture and Sports announced the creation of a special prosecutor’s office to fight piracy and offenses related to intellectual property. There will also be an awareness-raising campaign in the media and one targeting school kids. The UK is also set to step up its anti-piracy efforts in 2017 in the context of the Creative Content UK (CCUK) initiative. Illegal file-sharing habits will be monitored and ISPs will send out “piracy alerts” to repeat copyright infringers informing them about legal alternatives.
US law enforcement’s right to hack reinforced: The Senate could not prevent an update of Rule 41 from taking effect. The rule will give any judge (no matter the jurisdiction) the possibility to apply for a warrant to hack a suspect’s computer if he hides its location. Digital rights advocates fear that this will encourage the government to cherry-pick judges. Updates also aim at speeding up the take-down of botnets: Instead of individual warrants to hack each individual computer, a single application can be used for five or more computers – often criticised as a “blank check” to law enforcement (see The Hill). Rule 41 refers to “Search and Seizure” under the Federal Rules of Criminal Procedure.
US - Internet Archive announces move back to Canada: The Internet Archive (IA) is a not-for-profit organisation that keeps a digital library allowing for free public access to billions of archived web sites, software applications or games, music, videos, and public-domain books. It is also home to the popular “Wayback Machine” that gives access to cached websites, even if the sites themselves no longer exist. It was founded in 1996 and is based in San Francisco. It has data centres in San Francisco, Redwood City and Richmond. The IA advocates for a free and open Internet. After the US Presidential election, IA announced that it would move its backup data to Canada in fear of legislative changes affecting its archive in the US (see The Next Web, IA blog).
7. Further reading: Curiosities, background information, opinions
Facebook doesn’t need to ban fake news to fight it, argues The Guardian’s Alex Hern. Rather, it could “de-emphasise who shared a story into your timeline, instead of branding it with the logo and name of the publication itself.”
More on Facebook: With its censorship software specifically created for the Chinese market, Facebook goes against its own mission: to make “the world more open and connected”, writes The New York Times’ Mike Isaac.
The time to regulate the Internet of Things “is now or the price to pay may be a heavy one to bear”, argues this article summarising a recent exchange of letters in the Federal Communications Commission (FCC). On 16 November, the Energy & Commerce Committee held a hearing on “Understanding the Role of Connected Devices in Recent Cyber Attacks”, where one conclusion was that “the security vulnerabilities in the Internet of Things are deep and pervasive, and they won’t get fixed if the market is left to sort it out for itself. We need to proactively discuss good regulatory solutions; otherwise, a disaster will impose bad ones on us”.
- How election bots work (Wired)
- Facebook up against German hate speech laws (New York Times)
- This New Feature in Google News Highlights Fact-Checking (Fortune)
- Google's Jigsaw project has new ideas, but an old imperial mindset (The Guardian)
- Silencing the Messenger: Communication Apps Under Pressure (Freedom House)
- Council of Europe Octopus conference on cybersecurity (CoE)
- Europol in massive data breach on terrorism probes (EUObserver)