
EU Policy Update - September 2016

EU Policy Updates 05-10-2016

The long-awaited copyright proposal is finally out: The Commission displays itself as the guardian of artists and the defender of rights holders and publishers. Obviously, this can't make everyone happy. No real surprises with regard to the telecom review ever since the impact assessment was published. The free flow of data will be another "big one" – scheduled for end of November. Europol and Interpol had their big yearly conference, where they identified major challenges and corresponding priorities for the coming years. Meanwhile, Europol's terrorism-related units expand their reach and activities. Both Commission and Europol focus on enhancing collaboration between the public and private sectors and with law enforcement, confirming the worrying trend to privatise responsibilities for otherwise state or law enforcement-related tasks.

How the Commission wants to modernise EU copyright: Current laws date back to 2001, a time without streaming, (most) social media, VoD, or news aggregators. On 14 September, the Commission released a legislative package, containing two directives (copyright, disabilities/use) and two regulations (broadcasting, disabilities/accessibility). The main aims are to increase the availability of and access to content (broadcasters, licensing), improve rules on education, research and cultural heritage (text & data mining, digitisation, access for disabled people, reform of exceptions and limitations), and to ensure a fair and sustainable marketplace (remuneration for right holders; neighbouring right for press publishers). The copyright directive in particular confirms a worrying trend within the Commission to increase the responsibility of and limit the exceptions granted to technical operators (platforms/intermediaries) under the e-commerce directive. The latter has not been touched (yet), but its key provisions are being perforated through new legislative proposals, such as the one on copyright.

Telecoms review launched: The Commission is determined to make the EU’s telecoms framework simpler and future-proof. On 14 September, it launched the recast of the old framework, i.e. a new code (the wording is inconsistent but means the same). That way it hopes to trigger investments into infrastructures in order to achieve its connectivity goal (download speeds of at least 100Mbps for 50% of all households by 2020 [currently at 8%], deployment of 5G from 2018, free community WiFi access points). The new code aims to increase competition (for access and investments in networks), ensure a better use of radio frequencies (spectrum allocation), strengthen consumer protection (switching suppliers, affordable internet), and make the Internet safer (applying rules for traditional operators also to OTTs). (Documents of interest: Q&A, press release, proposed directive).

Schrems vs. Facebook on contractual standard clauses (SCCs): The Irish Data Protection Commissioner (DPC) has released an explanatory memo on the ongoing case. In a draft decision in May 2016, the DPC considered that Schrems’ complaint was well founded because no “effective remedy” compatible with Art. 47 (EU Charter of Fundamental Rights) was available to EU citizens in the US. Also, SCCs did not address the absence of such remedy, and, therefore, SCCs themselves were likely to offend Art. 47 because US security services could still access and process EU citizens’ data. In June, the proceedings were admitted to the Irish High Court; four parties were admitted to join the proceedings as “friends of the Court” (US Government, BSA Business Software Alliance, Digital Europe and EPIC). The High Court will determine whether to refer the case to the European Court of Justice (ECJ) in a hearing on 7 February 2017, which will run for approximately 3 weeks.

A “mandatory free” flow of data in the EU? With the Internet of Things’ (IoT) unstoppable entry into everyone’s lives, EU (digital) Commission Vice-President Ansip (see speech) urged Europe not to “be afraid of data”. By 2020, Cisco predicts, 50 billion devices and objects will be connected to the Internet. Not only will this create demands on network infrastructure, it will also require data to be able to flow freely across the EU – which is not the case today. In Ansip’s view, it should not matter where data is stored, but that it can be accessed. “Forcible data localisation rules”, he argues, will lead to fragmentation, not better protection (this, he says, is guaranteed by the GDPR). The Commission will therefore publish (30 November) an initiative to “tackle unnecessary restrictions on where data is located”. This is read by others as a prohibition on “national authorities in the EU to store their data in their jurisdiction” (MEP Jan Philipp Albrecht). Around the same time, a new trade association saw the light of day in Brussels: CISPE brings together more than 20 cloud infrastructure service providers in Europe and pledges to “process and store your data exclusively in the EU”, to offer services that adhere to the GDPR, and to “give citizens back the control of their personal data” (see press release).

Interpol-Europol Conference highlights: The identification of cyber criminals crystallised as one of the key priorities of Interpol and Europol in the coming years. At their yearly conference (28-30/09), delegates from 56 countries met to exchange best practices and to find ways “to overcome technical, operational and strategic hurdles” that law enforcement agencies (LEA) are confronted with. Collaboration across LEA and between the public and private sectors is crucial to fight cybercrime, which is reflected in the World Economic Forum’s recommendations on that matter. The conference also looked at trends in cybercrime and found that ransomware overtook traditional malware across Europe and is expected to rise in the future (s.a. Europol’s Internet Organised Crime Threat Assessment 2016). Other trends include the increasing complexity of malware (e.g. DDoS) attacks, the move of child sexual exploitation material to the Darknet (instead of P2P), the use of end-to-end encrypted platforms for sharing and of anonymous payment systems for paying for such content, a rising quality and apparent authenticity of phishing campaigns, etc. Europol and the GCA (Global Cyber Alliance, consisting of the New York District Attorney’s Office, the City of London Police and the Center for Internet Security) are expected to sign a Memorandum of Understanding on the fight against cybercrime in the coming weeks.

Europol launches another advisory group: To enhance cooperation between law enforcement and industry, three advisory groups have been set up under Europol’s EC3 Programme. They are meant to assist the fight against cybercrime by exchanging knowledge, expertise and information, working out concepts, and striking the balance between disruption and prevention. The groups comprise: Internet Security, Financial Services, and Communication Providers. The latter is new and aims to “address and share all relevant information and expertise on developments in the area of internet communication”, defining priorities, advising on cooperation with ISPs, telcos, CERTs and “other relevant partners”. Members include telecom and cybersecurity representatives, RIPE NCC and EUROISPA. Unconfirmed focal areas include cyber-attacks (DDoS, Botnets, etc.), identifying criminal infrastructure, child sexual abuse material online, payment fraud, and Internet governance (anything from ISP cooperation, to data protection and retention), as well as prevention and awareness raising.

Europol not only deletes web content but also analyses user accounts: This was revealed by a parliamentary question to the government in Germany. In July, Europol’s Internet Referral Unit (EU IRU) released its “Year One Report” highlighting its achievements in terms of assessing and processing “violent extremist online content materials” on various platforms. Between July 2015 and 2016, more than 11,000 messages were assessed, out of which approximately 9,800 were proposed for referrals. Service providers (e.g. Twitter, Facebook, Google, Tumblr) removed 91.4% of such content. Yet 122 user accounts were also the target of the unit’s investigations (in relation to illegal migration). However, no information is available with regard to how many of these accounts providers subsequently deleted. The material is being stored in a database called “Check the Web” – a library of jihadist terrorist online propaganda, which can be accessed by competent authorities in the EU Member States.

Facebook said to expand its anti-hate-speech efforts: More groups will be able to benefit from Facebook advertising credit and marketing advice under the Online Civil Courage Initiative in exchange for their efforts to counteract extremist messaging, the Wall Street Journal reported. So far the initiative focuses on France, Germany and the UK (s.a. The Verge).

Twitter releases transparency report: Twice a year, Twitter publishes statistics on how many information and removal requests it received, how many copyright and trademark notices – and whether or not they took action on these requests. Most information requests in Q1 2016 (overall increase of 2%) came from the US government (2,500), the UK (631) and France (572). Removal requests (+13%) came from governments, rights organisations, and/or lawyers – leader in Europe is France (466) ahead of the UK (174), and Germany (63), yet still no match to Russia with 1,601 requests.

Commission’s data protection unit split in two: DG JUST (justice and consumers), responsible for privacy, consumer rights and gender equality, will see its data protection unit (C3) split in two (see new structure). C3: Data protection under Head of Unit Olivier Micol, major focus: Digital Single Market related files, e.g. e-Privacy Directive. C4: International data flows and protection under Head of Unit Bruno Gencarelli, major focus: EU-US Privacy Shield, other international data agreements. The director of that Directorate (C), Paul Nemitz, who presented at the Jamboree 2016 data protection session, is coming to the end of his 5-year term. Normally, this means that Directors rotate, but this is not mandatory. The Directorate, so far, has been a strong defender of privacy rights. It could now see a shift towards a more commercially oriented view on data protection.

Tougher lobbying rules for “all” EU institutions: If your organisation meets up with EU officials, you had better sign up to the transparency register. The Commission proposed to extend the current scheme (European Parliament, Commission) to include the Council of the EU – and to move from a voluntary to a mandatory system. Practically, you would only be able to meet EU decision-makers, enter the institutions’ premises or participate in policy forums if you have registered. However, there are obviously many more EU institutions than just the three mentioned above (e.g. EU Court of Justice, European Central Bank, the External Action Service, etc.). Also, the proposal targets only the “higher” levels, i.e. you could still meet the desk officer who is drafting legislative texts or MEP assistants without the need for prior registration.

European study into University-Business Cooperation: The European Commission’s Education and Cultural DG conducts a study on the cooperation between higher education institutions and public and private organisations. With more than 3,500 universities and 1,000 businesses involved it is said to be the most comprehensive study of this kind ever. The survey is available here (in 25 languages) and takes about 10 minutes to complete. Deadline is 11 November. As a token of gratitude, you can choose to receive a “Cooperation Readiness Assessment”, which is meant to assist you with future cooperation plans.

Commission wants to tighten rules on export of “dual use software”: Some countries have been found to use surveillance or monitoring (anti-virus, internal web traffic) software in ways that violate human rights. Stricter national controls are now supposed to restrict the export of such “dual use” products. The tech industry has expressed concerns about the “chilling effects” of a well-meaning proposal.

October is the European cybersecurity month: The ECSM is an EU-wide advocacy campaign supported and deployed by ENISA, DG CONNECT and other partners to promote and generate awareness about cybersecurity, network and information security, the safer use of the Internet, education, training and good practice exchange. This year, 295 activities across 28 countries are planned.

EuroDIG 2017 cycle starts: And it's EuroDIG’s 10th anniversary! The exact date and location in Tallinn are still to be confirmed. A call for issues (not workshop proposals) has been launched ending on 31 December. The documentation of EuroDIG 2016 can be found here: transcripts, videos, and pictures.

Additional reading

  • Want to check out the DSM schedule yourself? Here is the planning for the Permanent Representations (not only for the Digital Single Market) in the coming months.
  • Helping critical infrastructure manage cyber risks: Whereas this report focuses on the energy sector, recommendations are likely to apply to any critical infrastructure provider (World Energy Council).
  • EUIPO Webinar: The economic cost of IPR infringement in the EU (25/10), 10:00 AM-11:00 AM
  • Yahoo hack culprits: Cyber criminals of the Eastern European professional criminal hacker group “Group E” seem to be behind the Yahoo hack, not government-backed hackers (s.a. WSJ).
  • Tick, tock, tick, tock: New malware is hitting your network every four seconds (ZDNET)
  • Apple’s Messages app isn’t as private as you think (The Next Web)
  • Internet shutdowns: The risks and opportunities for technology sector investors (Share Action)
  • Facebook and Google: most powerful and secretive empires we've ever known (The Guardian)
  • Regulators concerned about privacy impact of IoT devices (ico, Telecompaper)
  • Largest DDoS attack ever delivered by botnet of hijacked IoT devices (Networkworld)
  • Swiss back stricter surveillance laws (Politico)
Published By CENTR