In a nutshell: The Regulation on .eu has entered interinstitutional negotiations after the European Parliament adopted its position. The EU-wide cybersecurity scheme is being debated in trilogues on the EU Cybersecurity Act. The e-Evidence proposal receives more criticism from a plethora of stakeholders, including judiciary and national data protection authorities. The Austrian Presidency issued its general approach on preventing the dissemination of terrorist content online in the Council of the EU.
The European Parliament adopts its position on the .eu regulation
On 22 November, the European Parliament’s Committee on Industry, Research and Energy (ITRE) adopted the European Parliament’s position on the .eu Regulation. ITRE also adopted the mandate to enter interinstitutional negotiations with the Council of the EU and the European Commission (so-called ‘trilogues’). The Parliament’s position asks the European Commission to assess the potential role of the European Union Intellectual Property Office (EUIPO) in the registration of .eu domain names and allocate names to the applicants of the European Union trade marks. The Parliament clarified the obligation to disseminate TLD zone files “where appropriate”, as well as applying the principle of “due diligence” to maintaining data accuracy in the WHOIS. The Parliament also wishes to have a greater role in deciding over the registry’s policies when it comes to blocking, suspending or revoking a domain name by obliging the European Commission to adopt delegated acts. Additionally, the Parliament calls for the establishment of an .eu Multistakeholder Advisory Group that would be equipped to provide expert advice to the .eu registry in terms of the management of the .eu, cybersecurity and privacy measures, as well on as cooperation with law enforcement.
EU Cybersecurity Act: final trilogue scheduled for December
New rules for a stronger EU Agency for Network and Information Security (ENISA) and a potential new EU cybersecurity certification scheme are currently being negotiated between the European Commission, the European Parliament and the Council of the EU with the final trilogue-discussion scheduled for 10 December. Ahead of a three-way interinstitutional meeting on 28 November, the CENTR Board published a statement calling for co-legislators to ensure that the discussions over the possibly mandatory EU cybersecurity certification scheme properly take into consideration the existing international and globally-recognised standards in the field of information security. The CENTR Board is also asking for an appropriate level of representation from all affected stakeholders, including ccTLDs which might be directly affected by the outcome of the current negotiations. In particular, ccTLDs might be obliged to be certified under the newly-established EU cybersecurity certification scheme as “operators of essential services”, if the European Parliament’s position prevails.
Law enforcement access
E-Evidence: the proposal receives more backlash from stakeholders and data protection authorities
On 27 November the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs held a hearing on electronic evidence in criminal matters, focussing on the current e-Evidence Proposal. Three panels representing a wide range of stakeholders gave their view on the legality and proportionality of the initial proposal by the European Commission. The majority of stakeholders representing telecom operators, internet service providers, academia, civil society and judicial authorities highlighted the shortcomings of the current proposal when it comes to questions of sovereignty and territorial jurisdiction, as well as a considerable negative impact on fundamental rights and freedoms, that is against existing jurisprudence and the interpretation of primary EU law. The proposed regime bypasses the standard protections of a Member State where the law enforcement order shall be executed, as no judicial oversight in the enforcing state is envisaged by the Proposal. As such, the jurisdiction of one Member State is being enforced in another, without the latter having any meaningful say in it. Furthermore, service providers who have to comply with the incoming foreign law enforcement orders do not have the opportunity to challenge the legality of the orders. No judicial oversight in the enforcing state is envisaged to help service providers verify the legality of such orders according to their local laws, nor in the issuing Member State. On 9 November German data protection authorities also voiced their criticism (in German only) towards abolishing the notion of “double criminality” – the cornerstone of international criminal law when it comes to cross-border investigations. The e-Evidence proposal abolishes this principle and allows access requests for electronic data directly from service providers in another Member State for the investigations of crimes, regardless of whether the corresponding deed is considered illegal in the Member State where the service provider is based.
The Council of the EU issues its position on the proposal to prevent the dissemination of terrorist content online
The Council of the EU revealed its position on the Proposal for the Regulation on preventing the dissemination of terrorist content online. The Proposal introduces the obligation for online hosting service providers to remove content that has been flagged as ‘terrorist’ within a tight deadline of one hour. Registries and registrars, although not explicitly mentioned in the initial Proposal by the Commission, were not intended to be added in the scope of proposed regulation, despite the rather fluctuating definition of a hosting provider. The Council’s position nevertheless goes further, by explicitly excluding “services provided in other layers of the Internet infrastructure, such as registries and registrars, DNS (domain name system)[...]” from the scope of new obligations to remove content online. France, Germany and the UK are said to be backing the Council’s position.
Outside the EU bubble
ICANN seeks input for its work on GDPR compliance
The EPDP Team, which has been equipped to come up with an appropriate ICANN Consensus Policy on complying with the GDPR and other relevant privacy and data protection laws and regulations has issued its Initial Report on the Temporary Specification on gTLD Registration Data. The Initial Report provides 22 preliminary recommendations to address WHOIS and GDPR compliance and incites the public to give further feedback on some remaining issues. For example, this includes whether registries and registrars should be permitted or required to distinguish registrants as natural or legal persons; or based on registrants’ geographic location. Public comments for the Initial Report are open until 21 December. The EPDP Team will then integrate the public comments received into its work on the Final Report.