The EU legislative session is officially back in swing, with a whirlwind of initiatives on the table for a packed second half of 2017. As it enters into the tail-end of its political mandate, the European Commission has been keen to highlight its continued legislative ambition, as it seeks to finalise the remaining legislative proposals of the 2015 Digital Single Market strategy. September has already seen the launch of a host of new cybersecurity initiatives, while a landmark communication on notice & action in the Internet sector is on the verge of publication. Meanwhile, the EU co-legislators have returned from their summer break with renewed motivation to make advancements on key ongoing legislative negotiations – namely, the e-Privacy regulation, and the Copyright Reform directive.
1. Work-in-progress: recent developments in EU policy dossiers
New EC proposal for Regulation for a “European Cybersecurity Agency” and a security labelling for ICT products: Released on September 13, this new ‘Cybersecurity Act’ is one of the most relevant actions put forward by the European Commission’s new cybersecurity package. The legislative proposal would elevate ENISA’s status to that of an official EU agency, thus giving it a stronger and more central role in the EU cybersecurity landscape. The agency would be tasked with proactively contributing to the development of policy in the area of network and information security. The proposal also creates a European Cybersecurity Certification Framework that foresees the emergence of future EU-wide cybersecurity certification schemes for specific products or services. As such, it seeks to provide companies with a "one-stop-shop" for cybersecurity certification of ICT products and services in the EU. As per the EU co-decision procedure, the legislative proposal must now be scrutinised and amended by the European Parliament and the EU Council, and is expected to be adopted before the European elections in June 2019.
European Commission targets Whois accuracy in revised cybersecurity strategy: Alongside its new ‘Cybersecurity Act’ (see above), the European Commission published its revised EU Cybersecurity strategy on 13 September. The new non-legislative strategy included a specific section on online crime attribution, and the need for law enforcement to have access to accurate investigatory tools in the online sphere. In that context, the strategy notes that “enabling attribution of malicious activity also requires measures that create online accountability. To this end, the Commission will work to improve the availability and accuracy of the Domain Name and IP Whois systems in line with efforts of ICANN”.
European Parliament appoints MEPs and adopts terms of reference for special sub-committee on terrorism: During their plenary session in Strasbourg in early September, members of the European Parliament voted on the participants and terms of reference for the institution’s recently-formed special sub-committee on terrorism. The non-partisan committee will comprise MEPs from across different existing committees for which terrorism is a pertinent issue. Inter alia, the committee will focus on deficiencies in sharing judicial, law enforcement and intelligence information among member states; the impact of EU anti-terror laws on fundamental rights; and best practices for protecting critical infrastructure. At the end of its 12-month mandate, the special sub-committee will deliver a series of policy recommendations on enhancing the fight against terrorism.
EU Member States’ draft position on Copyright Reform directive fails to assuage fears of excessive scope: The EU institutions continue their negotiations around the proposed EU Copyright Reform directive. While discussions are progressing at speed in the European Parliament, the EU Council (representing Member State governments) has only just released its first tentative position on the legislative proposal. Testament to the controversy surrounding the ‘value-gap’ elements of the legislative proposal, the EU Council chairing nation – presently Estonia – has advanced two possible positions that differ in terms of the weight of obligations placed upon online intermediaries. Unfortunately, both versions of the EU Council position retain the content identification/filtering obligations that formed the basis of the original European Commission legislative proposal. The major difference lies in the fact that Option A (the ‘softer’ proposal) does not seek to limit the liability safe harbours to merely ‘passive’ hosting service providers, and does not seek to make intermediaries directly liable for the infringements of their users. The EU Council will continue its discussions on the text in the coming months, with the hope of reaching a final position in Q2 2018.
European Parliament adopts political resolution on cybercrime, calling for tougher online content control: The European Parliament Civil Liberties (LIBE) committee has published the final text of its recently-adopted non-legislative political resolution on the fight against cybercrime. The so-called ‘own-initiative report’ is broad in nature, and constitutes MEPs’ policy ‘wish-list’ vis-à-vis future European Commission and EU Member State legislative action in the field of cybercrime. The report devotes considerable detail to the role and responsibilities of information society service providers in the fight against illegal content. The report highlights the need for greater cooperation between law enforcement authorities in different jurisdictions, and makes repeated references to the need for more effective notice & takedown mechanisms, and for information society service providers to enhance their voluntary actions with respect to online content control.
European Commission announces intention to launch public consultation on ‘fake news’ phenomenon: European Commissioner for Digital Affairs Mariya Gabriel has announced that the Commission will convene an expert group and launch a public consultation in the coming months concerning the ‘fake news’ phenomenon. The announcement reflects a growing political priority at EU-level to consider some form of regulatory intervention (hard or soft) on the ‘fake news’ phenomenon, and the general ‘duty of care’ of online intermediaries with respect to illegal/harmful content on their services. As per the EU policy trend in the area of online content control, it is highly likely that any future initiative around fake news will demand that online intermediaries take the lead in detecting and suppressing such content.
Estonian Presidency of Council of the EU releases draft amendments to the e-Privacy Regulation: In early September the Estonian Presidency of the EU Council published its first set of draft amendments to the legislative proposal for an E-Privacy Regulation. The provisions of the legislative proposal that concern access to data by law enforcement were not dealt with in the draft amendment. On that matter, Member States have requested more time for deliberation, especially on the question as to whether the provisions in question could be amended to restore EU-wide legal certainty to data retention regimes. Besides this, the Estonian presidency suggested a welcome amendment to Article 15, which concerns publicly available directories. The amendment seeks to limit the obligations on directory providers to obtain consent from end-users for certain processing activities, and thus brings the article closer in line with the existing e-Privacy directive.
2. Coming up: (Scheduled) initiatives on the horizon
European Commission to publish notice & action legal guidelines on 27 September as leaks begin to emerge: New intelligence indicates that the European Commission’s non-binding legal guidelines on notice & action/voluntary content control will be published on Wednesday 27th September. These guidelines are highly relevant for the Internet sector, as they will inform how EU Member States craft future national legislation that concerns the content enforcement obligations of online intermediaries (e.g. NetzDG in Germany). Moreover, the policy trend set by these guidelines is likely to find its end goal in an eventual reopening of the E-Commerce Directive in the next European Commission mandate (2019-2024).
3. What else? Other things that are happening
Commission President Juncker delivers State of Union speech and Regulation on European Cybersecurity Agency: During his speech and ensuing debate on September 13, President of the European Commission, Jean-Claude Juncker, focused mainly on the different ways to make the EU more democratic. Juncker’s most unexpected point in his speech related to his account of a ‘sixth scenario’ for the future of Europe, alluding to the other five that had been set out by the Commission earlier this year in its white paper on the future of the EU. Juncker envisaged a combination of both the Council and Commission Presidency posts, as well as a transnational list for the European Parliament elections. Little was said on digital issues as such, but he presented the Commission’s proposal for a new European Cybersecurity Agency (see above) and recalled the need for Europeans to be better protected on the Internet by strengthening the fight against online radicalisation and online terrorist propaganda.