EU Policy Update - October 2016

EU Policy Updates 31-10-2016

When it comes to sharing EU citizens’ data with the US, the EU likes to think of itself as the bastion of data protection. However, the walls of protection are thinner within the EU itself, especially when EU and national law-makers declare war on terrorism. Governments and law enforcement alike increasingly request to access, retrieve and retain personal data and to limit the availability of encryption to users and companies. Their greatest challenge, however, seems to be to draft legal texts that reflect and respect how the Internet works. This includes defining clear, non-ambiguous measures that effectively tackle the identified problems without compromising the openness, resilience and stability of the Internet. In this EU Policy Update, you will find news on Digital Single Market files, international data transfer agreements, mass surveillance as well as landmark cases, such as Breyer vs. Germany or Microsoft vs. DOJ.

Consumer protection cooperation review delayed in Council: Council is likely to delay its positioning on the Commission proposal, apparently because too much information is missing to understand its implications. It is rather unlikely that this will have an impact on the timing in the European Parliament. However, it will delay the overall legislative process around the dossier. Some Member States might be hesitant to embrace the current Commission proposal: not only would they be required to improve cooperation among consumer protection authorities; national consumer protection laws and structures would also need to be adapted. CENTR has released a comment on the matter (link) to ask for essential clarifications.

EU-US Privacy Shield takes new hit: An Irish privacy advocacy group has legally challenged the adoption of the Shield on the grounds that it does not adequately protect EU citizens’ privacy. The filing was submitted to the Luxembourg-based General Court, the lower court of the ECJ, already in September. So far, about 500 companies have signed up to the Privacy Shield (s.a. article). It replaces the invalidated Safe Harbour agreement.

Next round in Microsoft vs. DOJ case: The US Justice Department, in a petition, requested that the July ruling be revisited. The latter had found that Microsoft need not hand over data stored in Ireland to US authorities. A US government warrant could hence not be used to force US tech companies to share data on users that is stored outside US territory. The standard legal instrument to be used in such cases is a Mutual Legal Assistance Treaty (MLAT). Whereas such an MLAT exists between the US and Ireland, the DOJ seems to consider it too time-consuming due to the series of necessary approvals.

Commission 2017 Work Programme reveals delays in major DSM files: Affected by these delays are, e.g. the review of the ePrivacy Directive and the free flow of data initiative (see below), initially planned for December and November, respectively. For 2017, the Commission also foresees a mid-term progress report on the digital single market (DSM) and a review of the role of ENISA, especially in light of the NIS directive. Also on the agenda are an e-commerce VAT refit, adequacy decisions with regard to third-country data transfers and an initiative for a “single digital gateway” to help businesses develop cross-border services. This had once mentioned harmonised procedures to register domain names. In the fight against terrorism, the Commission will review the European Security Agenda, launch an initiative on access to electronic evidence, and further strengthen Europol and EC3 (link to work programme).

Let data flow freely in the EU: DG Connect wants to end restrictions on the free movement of data, including restrictions on the location of data for storage and processing purposes – as long as it does not happen for data protection reasons. According to the Commission, technical and legal barriers at Member State level currently bear a high cost for businesses, which are required to set up data centres in various states or pay more for data storage and processing. Other problems to be tackled are the questions of who owns or controls data, (re)usability, and access to or transfer of data and liability arising from the use of data. The initiative is meant to complement the GDPR in that it removes unjustified data location restrictions. The roadmap is quite detailed, revealing the different options considered by the Commission, and worth a read. To date, some countries have strong national data localisation laws to the dismay of tech companies (see this letter). The initiative will be revealed in 2017.

Terrorism Directive in trilogue: European Parliament (EP), Council and Commission are now working on compromises. As often during such tripartite negotiations, additional (half-) sentences are added that do not always make things clearer. For instance, the fight against terrorism-related content or “online content constituting a public provocation to commit a terrorist offence” foresees blocking (where removal is not possible). However, the notion of blocking is interchangeably used to refer to the blocking of content and the blocking of access to content. So far, a reference to the e-commerce Directive is included. Yet, depending on what type of blocking is referred to, it might not be applicable or might be limited in its applicability.

DG Home to publish communication on terrorism and radicalisation: The Commission wants to tackle the problem that terrorists use many means to transfer funds and to make payments to finance their operations. Data on such transactions is held in databases, but mostly at national level and by the private sector – hence access might be difficult. According to its roadmap, DG Home does not plan a proposal (at least not at this stage), but “an overview of options” to detect terrorists’ financial transaction data – still in Q4 2016. This will also “require the collection, processing and analysis of a large number of data which is privately held and collected by service providers for a different purpose than the fight against terrorism.” Inevitably, another plan that will impact citizens’ data protection and privacy rights, and not least the way service providers should make that data accessible.

ECJ ruling on data retention and IP addresses: The ECJ has released its judgment on the Breyer vs. Germany Case C-582/14. Mr Breyer sued Germany for running Federal institution websites that register and store IP addresses, i.e. personal data. First, the European Court of Justice (ECJ) ruled that a website operator may indeed have a legitimate interest to do so, e.g. to protect itself against cyberattacks. Second, the ECJ confirms that, under certain circumstances, dynamic IP addresses constitute personal data, e.g. if an operator has legal means that allow it to identify the visitor by means of information held by internet access providers (press release).

European DPAs send letters to WhatsApp and Yahoo: The Art. 29 Working Party, consisting of European data protection authorities (DPAs), is concerned about how these companies are handling EU citizens’ data. WhatsApp, after it was swallowed by the Facebook family, is requested “not to proceed with the sharing of users’ data until the appropriate legal protections can be assured.” Yahoo has been asked to provide more information about the recently revealed mass data breach. In the meantime, Italy’s anti-trust agency started looking, inter alia, into whether WhatsApp’s sharing policy imposed “unfair” conditions on users (Reuters).

Ireland to scrutinize Yahoo after massive user surveillance scandal: The Irish Data Protection Commissioner will look into allegations that Yahoo helped the NSA to snoop on customers’ data: “Any form of mass surveillance infringing on the fundamental privacy rights of EU citizens would be viewed as a matter of considerable concern.” Yahoo, having its European base in Ireland, falls under Irish watch (s.a. Reuters 1 and The Next Web, Reuters 2). In the meantime, the US gets increasingly pressed to disclose secret court orders related to the Yahoo email search (Reuters).

France and Belgium want tech firms to step up counter-terrorism efforts: Prosecutors from both countries want tech companies’ help to access encrypted correspondence between terrorists – but so far many requests are simply ignored. They also called for a global common legal framework, which would allow investigators to make systematic requests for accessing and sharing encrypted information (see article).

German justice minister still not happy with anti-hate speech activities: If social media companies, such as Facebook and Twitter, don’t do more to prevent the quick spreading of hate speech and delete posts reported by users, they will be held responsible. The threat by Minister Maas of introducing regulation keeps hovering over them. He is expecting “significant improvements” by March 2017 (see article (EN) and article (DE)). Regulatory measures could be envisaged not only at German but also at European level, e.g. by exploring if the audio-visual media services directive (AVMS), currently under review and containing provisions to protect minors, could be extended to social media platforms.

Twitter will do something, but only after election: In its quarterly earnings report, the company announces “meaningful updates” to its policies and enforcement, which will include stepping up anti hate-speech efforts – but not before the US Presidential election.

New UK Guidelines on online harassment and sexual abuse: Sexting between those under 18 but of similar age and in a relationship will not instigate police investigation. However, virtual mobbing that incites hatred, doxxing (publishing personal information such as addresses), and “dog piling” with derogatory hashtags to target victims can amount to criminal activity (The Guardian, BBC). Meanwhile, a draft bill on “cyber bullying” is circulating in Italy (Freemedia).

Web accessibility rules for disabled pass European Parliament: This concerns public service websites and apps, operated, e.g. by hospitals or tax authorities. Member States will have 21 months to transpose the directive into national law; public sites and apps get some additional time to improve user-accessibility (EP press release).

German MEPs start “Save the Link” campaign: With this initiative they attack the Commission’s copyright proposal, which – among many other things – includes ancillary rights for publishers. According to these MEPs, the proposal would make the sharing of small snippets of articles, including titles on a private blog, Twitter or Facebook, illegal (see article (DE)).

Patchy e-Government deployment in EU: A Commission study shows that while France, Germany and Scandinavian countries are progressing on online public administration, Italy, the UK and Poland are lagging behind. Generally, e-government services aren’t transparent enough and do not operate well across borders.

EU funding available for CERTs/CSIRTs: The Commission has published a call for proposals (deadline: 15 December 2016) granting funding of up to 75% to Member States that are eager to develop their cyber security capacities through their CERTs/CSIRTs. This includes activities to increase their preparedness (e.g. through acquiring better tools to detect and analyse threats) and mutual cooperation. Details can be found here.

EP approves deal to strengthen Europol-China police cooperation: At the beginning of October, the European Parliament (EP) backed the deal, which would strengthen the mutual fight against organised crime. This includes human trafficking, drug-related crime, and cybercrime (s.a. EP press release).

Oettinger to add Commission budget and admin portfolio: Bulgarian Kristalina Georgieva, the EU’s Commissioner for Budget and Administration and ex-candidate for the position of UN Secretary General, will leave the Commission to become CEO of the World Bank. Digital Commissioner Oettinger will take over her responsibilities and add the management of a EUR 161 billion annual budget and more than 30,000 staff to his current portfolio. It might also gain him the title of Commission Vice-President. Bulgaria will now have to find a new candidate for EU Commissioner; further reshuffling within the Commission (and “grilling” by the European Parliament) can be expected.

FCC imposes new privacy rules on ISPs: For example, ISPs will be required to obtain opt-in consent from users before they can share web browsing data or private information with third parties (link to new rules). The US Federal Communications Commission (FCC) also announced that it will limit the use of mandatory arbitration clauses in ISPs’ terms and conditions.

Phone app Signal receives first federal grand jury subpoena: So far, however, the company behind Signal (Open Whisper Systems) has only shared limited information with authorities. It said that it neither collected nor retained the “metadata” on calls and messages requested by the FBI (times, dates, direction of communication, phone numbers). Tech companies increasingly press the government to allow them to be more transparent about the number and types of orders they receive in criminal and national security cases. They also started limiting the amount of data harvested (s.a. Washington Post).

Cyber-attack on Dyn: The DDoS attack, which took down or disrupted services, including Twitter, Netflix and Spotify, has heralded a new era of tactics, according to the New York Times: the use of hundreds of thousands of infected IoT devices – without their owners’ knowledge. The FBI and Department of Homeland Security in the US are now looking into the Dyn attack. Here is Dyn’s official statement.

Further reading

On data protection and privacy

  • Are you ready to comply with the GDPR? (New Statesman)
  • Down with the data monarchy (Politico)
  • Spanish watchdog to probe WhatsApp-Facebook data swap (Telecompaper)
  • UK’s Information Commissioner’s Office publishes privacy notice checklist to improve organisations' transparency (ICO)
  • What happens when policy is made by corporations? Your privacy is seen as a barrier to economic growth (The Guardian)
  • Surveillance in the Post-Obama Era (New York Times)

On cybersecurity

  • A major Internet of Things hack has shown the importance of cybersecurity (Business Insider)
  • Future-proofing the Connected World: 13 Steps to Developing Secure IoT Products (Cloud Cybersecurity Alliance)
  • Telekom launches cloud platform for multiple IoT systems (Telecompaper)
  • Largest ever Euro cyber security simulation concludes (ENISA, acumin)
  • BSA Cybersecurity study (BSA)
  • Europol report warns about “crime as a service” in the Cloud (heise, DE)


  • Trump forgot to register critical domains and he's not getting them back (TheNextWeb)
  • French operators back trial on right to internet service (Telecompaper)
  • Couldn’t make it to the PIR-hosted DNS Forum in Washington D.C. in September? Here is PIR’s blog with all recordings, s.a. YouTube
  • UK Police websites unsecure: British police websites lack any form of automatic secure connection, leaving sensitive data more vulnerable to being intercepted. (Politico)
  • Digital markets require a fresh approach to competition policy (GSMA study)
Published By CENTR