In a nutshell: October was declared European Cybersecurity Month, with the trilogue discussions moving forward regarding the EU Cybersecurity Act. Discussions on ePrivacy seem to be hopelessly stuck with no end in sight at the level of the EU Council, while the Regulation on Free Flow of Non-Personal Data in the EU gets adopted by the European Parliament. The E-Evidence proposal, for its part, receives more criticism from the European Data Protection Board.
Cybersecurity
EU Cybersecurity Act advances through interinstitutional negotiations
On 9 October, European Parliament’s Committee on Industry, Research and Energy (ITRE) received an update from its Rapporteur on the file MEP Angelika Niebler (EPP, Gemany) about the ongoing interinstitutional negotiations on the new set of rules for cybersecurity in the EU: the Cybersecurity Act. During the first trilogue meeting, the co-legislators together with the European Commission focused on strengthening the competence of ENISA by foreseeing to increase the agency’s budget and staff support. The EU Council sees the role of the EU cybersecurity agency as being supportive of the efforts made on national level. A reference to “all top-level domain names” when it comes to ENISA’s mandate in developing and supporting policies related to the public core of open internet has been inserted by the European Parliament. The EU Council is less explicit in its reference to DNS operators. However, it is supporting the Parliament’s position by assigning to ENISA the role of giving advice, guidance and best practices when it comes to the subject of cybersecurity and operators of essential services (including registries). The second trilogue meeting was dedicated to the EU-wide certification scheme for cybersecurity. The key question remains whether certification should be mandatory for some digital services. MEP Niebler highlighted the need to bring in consumers’ views when it comes to these discussions and pointed out that Member States are not very supportive of this idea. However, no strong opposition is seen amongst Member States either. A mandatory certification scheme for registries is supported by the Parliament’s text, although this should not create an unjustified cost for the industry and should be largely restricted to those elements that are critical for their functioning. The third trilogue meeting is expected to take place in November, after which the Austrian presidency is pushing for finalisation of the law before the end of the year.
Law enforcement access, privacy and data protection
EDPB declares the e-Evidence proposal inconsistent with EU law
The European Data Protection Board (EDPB) has published an analysis of the e-Evidence proposal. The rules for cross-border access to electronic data for law enforcement purposes is considered to be inconsistent with the EU acquis, including the case-law of the European Court of Justice and the European Court of Human Rights. The EDPB is concerned over the delineation between “non-content” and content data, as well as a disproportionately vague definition of “access data” in comparison to the other categories defined in the e-Evidence proposal. In particular, IP addresses are good examples of borderline cases when they can be classified as transactional and/or subscriber data, and as such be subject to different access regimes under the e-Evidence proposal. The EDPB has also highlighted the inconsistency of proposed e-Evidence Regulation and the difference between access regimes to content and “non-content data” with the current and future e-Privacy framework that also deals with law enforcement access to electronic communication data.
EDPS calls for faster progress in adopting the ePrivacy rules
European Data Protection Supervisor Giovanni Buttarelli calls for a speedier adoption of ePrivacy rules with at least the same level of protection of communications data as foreseen in the GDPR. ePrivacy is designed to be complimentary to GDPR, which does not specifically address communication data. Hence, a different set of rules in ePrivacy were introduced to apply data protection rules to the private information collected by communication services. The most contentious issue concerns the possibility to allow further processing of metadata by the electronic service provider “for compatible purposes”, ruling out the necessity to seek consent from data subjects. According to Buttarelli, this “compatibility clause” can in effect devalue safeguards of the GDPR and introduce “legitimate interest” as a legal basis for processing metadata by the provider, which is contrary to the case-law of the European Court of Justice (ECJ). The ECJ has previously ruled that metadata of electronic communication can be considered as sensitive personal data, while GDPR does not permit the processing of sensitive data with legitimate interest as the legal basis.
Free Flow of Non-Personal Data adopted by the European Parliament
New rules concerning the free movement of non-personal data within the EU for companies and public authorities were adopted by the European Parliament with 520 votes in favour, 81 against and 6 abstentions. The new law is due to be approved by the EU Council in November.
ICDPPC: the GDPR, five months on
During the 40th International Conference of Data Protection & Privacy Commissioners (ICDPPC), the President of the European Court of Justice (ECJ) Koen Lenaerts gave an update about the existing and coming jurisprudence of the ECJ when it comes to GDPR and privacy rules in general. Lenaerts reminded the audience that data protection principles derive from the EU primary law that is similar to constitutional law on national level and is codified in the Lisbon Treaty. When it comes to data protection cases before the ECJ, two groups of cases can be identified: 1) clarification of data protection rights when public measures interfere; 2) accountability of natural persons and legal entities who process personal data. When it comes to weighing different interests like the fight against terrorism and the right to privacy, it is important to keep in mind whether the interference with individual rights can lead to profiling. Given the seriousness of such interference with data protection, only serious crimes can justify such grave interference. In this case, access to data is subject to prior review by judicial or another independent body. The ECJ has provided guidance in several cases on the proportionality test between the interference with data protection (or right to privacy) and different purposes of public interest. If the requested data cannot lead to profiling of individuals, then any type of crime can justify such interference with data protection, as the breach of privacy is minimal. To illustrate this, the ECJ decided in early October that law enforcement access request to electronic data, such as the surnames, forenames and addresses of the owners is justified for the purpose of identifying the owners of SIM cards activated with a stolen mobile telephone.
Illegal content
Commissioner King exchanges views on preventing dissemination of terrorist content online with LIBE
During the hearing at the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) dedicated to the proposal for preventing dissemination of terrorist content online, European Commissioner for the Security Union Julian King highlighted the need to tackle radicalisation online. According to Europol’s data, more than 150 online platforms are hosting terrorist content. With its proposal, the European Commission seeks to put a clear obligation on the Member States to put more resources into fighting radicalisation online. King also underscored the fact that law enforcement and judicial authorities are expected to identify what amounts to terrorist content, rather than online platforms which are expected to react swiftly to removal orders from the former. Members of the LIBE committee identified a few weaknesses of the current proposal of the European Commission. In particular, the proposal lacks sufficient safeguards to guarantee exceptions for media and a clear definition of “terrorist content”, according to the MEPs. King acknowledged the need to come up with consistent definition of “terrorist content” which can be applicable in all Member States.
