In a nutshell: The European Commission filed an action against the EDPS, published a report on the State of the Digital Decade, a study on geoblocking, a risk assessment report on the cyber resilience of the EU’s telecommunications and electricity sectors, and opened consultations on Digital Identity Wallets, the EU-US Data Privacy Framework and guidelines on the protection of minors under the DSA. The European Commission’s president-elect von der Leyen published Political Guidelines for the upcoming Commission mandate. The CPC Network started an action against Meta’s ‘pay or consent’ model. Europol published the IOCTA report. The United Nations’ Ad Hoc Committee finalised the Convention against Cybercrime.
European Commission published the second report on the State of the Digital Decade
On 2 July, the European Commission published the second report on the State of the Digital Decade, providing an overview of the progress made in achieving the digital targets set for 2030. The report also includes an assessment of national Digital Decade strategic roadmaps across EU Member States. According to the conclusions of the report, the “EU has considerably upgraded its action through regulatory and non-regulatory measures”. However, despite their efforts, Member States are encouraged to “step up their contribution to the achievement of the Digital Decade objectives” with concrete policies. According to the report, the European Commission’s mandate of 2019-2024 “has overhauled the digital policy landscape, by proposing and negotiating 23 legislative files which have contributed to reinforce EU’s position in the Digital Decade”. This list includes the Digital Services Act (DSA), the Digital Markets Act (DMA), the NIS 2 Directive, and the European Digital Identity (EUID) Regulation, amongst others. After the wave of regulatory efforts, the EU needs to deliver on implementation and enforcement. Amongst the remaining gaps in the digital 2030 targets, the report mentions the (un)availability of eID schemes, digital public services and access to e-Health records. Namely, significant gaps exist in the provision of “fully user-centric, accessible, and sovereign digital public services”. By 2023, 22 out of 27 national eID schemes had been notified in accordance with the eIDAS Regulation. In order to swiftly implement and enforce regulation, the EU and its Member States should engage in more coordination and mitigation of administrative burden. Member States are encouraged to adjust their national roadmaps to align with the ambition of the Digital Decade policy programme before November 2024.
Ursula von der Leyen presented Political Guidelines for the European Commission 2024-2029
Ahead of her re-election as the head of the European Commission, Ursula von der Leyen presented her Political Guidelines for the European Commission in 2024-2029. In her Political Guidelines, von der Leyen pledges to adopt “a new approach to competition policy” in assessing mergers and preventing market concentration. Each Commissioner under von der Leyen’s lead “will be tasked with focusing on reducing administrative burdens and simplifying implementation” and “will hold regular dialogues on implementation with stakeholders”. To protect the security of health systems, von der Leyen pledges to propose a European action plan on the cybersecurity of hospitals and healthcare providers in the first 100 days of the mandate. Ramping up and intensifying the enforcement efforts under the DSA and DMA is also on the agenda. To support AI development, von der Leyen pledges to put forward a European Data Union Strategy that will draw on existing data rules for businesses and administrations to share data at scale. In order to increase the competitiveness of European businesses, von der Leyen promises to propose a revision of the Public Procurement Directive that should “enable preference to [...] European products in public procurement for certain strategic sectors”. Von der Leyen also proposes to “more than double” Europol’s staff and to strengthen Europol’s oversight and mandate, including in the area of tackling illegal profits and asset confiscation. In order to proactively counter disinformation, von der Leyen promises to propose a European Democracy Shield, “building on the examples of Viginum in France or the Swedish Psychological Defence Agency”, and complementing “digital enforcement” under the DSA. Von der Leyen also envisages a leading role for Europe “in reforming the international system” that should start with the upcoming UN Summit for the Future.
According to the Political guidelines, Europe should seize an opportunity “on digital questions where strong safeguards and a new form of governance are needed”.
Consumer protection
European Commission published a study on geoblocking
In July 2024, the European Commission published a “Study for the further evaluation of the Geo-blocking Regulation”. In 2018, the EU introduced the Geoblocking Regulation that addresses the discriminatory online practices affecting consumers based on their location, residence or nationality. The study aims to provide a review of the evolution of cross-border e-commerce within the EU since the adoption of the Geoblocking Regulation. According to the study, the COVID-19 pandemic is the “single largest shock to the growth of e-commerce” in the recent past and had a significant impact on its growth. A number of challenges persist in cross-border e-commerce, including harmonisation of regulations and VAT rules. Additionally, consumers’ increased demand for fast deliveries makes it difficult for traders to compete cross-border. The study identified that SMEs benefit from the availability of online marketplaces, as they can avoid the costs related to setting up and maintaining their own online web shop, including resources to develop a digital infrastructure. At the same time, 64% of European brands state that over-reliance on marketplaces is not sustainable, due to lock-ins and concentration levels, and brands strive to sell their products via their own sales channels. The study also identified that a company’s own website was the most popular sales channel for domestic sales, while a marketplace was the most popular sales channel for cross-border sales.
CPC Network started an action against Meta’s ‘pay or consent’ model
On 22 July, the Consumer Protection Cooperation (CPC) Network sent a letter to Meta regarding its ‘pay or consent’ model that is potentially in breach of EU consumer law. In 2023, Meta had requested consumers to either subscribe to use its social media services for a fee or to consent to Meta’s use of their personal data for personalised ads. The action by the CPC Network is focused on assessing Meta’s practices solely under EU consumer law, and is not connected to other ongoing investigations into Meta’s practices under the DMA, DSA and the GDPR. Several practices used by Meta raise concerns and could potentially be considered unfair under the EU consumer protection acquis, such as misleading consumers via imprecise terms, language and complicated navigation practices when users want to understand how their personal data is used across Meta’s services. Meta has until 1 September 2024 to reply to the letter of the CPC Network and to propose solutions addressing consumer protection concerns. If Meta does not take the necessary steps to solve the concerns raised, CPC authorities can decide to take enforcement measures, including sanctions.
Cybersecurity
The European Commission published a risk assessment report on the cyber resilience of the EU’s telecommunications and electricity sectors
On 24 July, the European Commission, the NIS Cooperation Group and ENISA published a risk assessment report based on cyberthreat risk scenarios in the EU. The document focuses on the telecommunications (including ‘core internet infrastructure’) and energy sectors. The identified threats include the exploitation of zero-day vulnerabilities, ransomware, supply chain risks and cyber espionage. The top identified risks concern mobile and fixed communications networks, the internet’s core infrastructure (i.e. “physical infrastructure”) and satellite communications. Special focus is given to the risks of sabotage of undersea cables. Specifically, non-proprietary software and reliance on HTTP and TCP/IP protocols are mentioned as a vulnerability to the cybersecurity of submarine cable networks. In the context of interdependence between different sectors, the report identifies top-level domain name servers, internet exchange points and large cloud data centres as posing considerable cross-border spill-over risks in case of their compromise or disruption. The report also presents resilience and cybersecurity posture-building suggestions, such as sharing of good practices in mitigating ransomware, vulnerability monitoring and disclosure, and building synergies between CSIRTs and law enforcement. Finally, the report notes that the identified building blocks and scenarios should serve as a standardised toolbox for future EU-level risk assessments.
e-Evidence
Europol published the Internet Organised Crime Threat Assessment report
On 26 July, Europol published the Internet Organised Crime Threat Assessment (IOCTA), an annual report on the latest cybercrime threats in the EU. The IOCTA notes the growth in the number of cybercriminals, and the enlarging attack surface due to the continuous growth in the use of digital technologies. The main threats identified include the dissemination of child sexual abuse material (CSAM), fraud schemes through phishing, and the use of AI tools in the crime-as-a-service market. The report notes that new technologies lower the entry barriers for cybercriminals, who are in many cases underage. Ransomware continues to be widely used, increasingly in campaigns against small and medium-sized businesses. The key enablers of cybercrime include the dark web, with the Tor network being the most popular entry point. In addition, cybercriminals are using end-to-end encrypted messaging applications to communicate, and cryptocurrencies as a means of payment. The outlook for the future includes an increasing amount of AI-assisted cybercrime, which lowers the technical knowledge needed to orchestrate an attack. The report identifies the decentralisation of the internet through blockchain and peer-to-peer technology as a challenge for lawful access by law enforcement authorities (LEAs). The report notes that child sexual exploitation, including AI-generated CSAM, remains one of the top priorities for LEAs. Europol will also focus on the prevention of cybercrime through a Cyber Offender Prevention strategy to deter perpetrators, especially young ones, from committing cybercrime.
Data protection
European Commission filed an action against the EDPS
On 1 July, the European Commission filed an action against the European Data Protection Supervisor’s (EDPS) decision regarding the Commission’s use of the Microsoft 365 suite. This follows the EDPS decision from March which found the European Commission’s use of Microsoft products to infringe data protection rules (see our previous coverage here). The EDPS had ordered the Commission to suspend all data flows to Microsoft and its affiliates and sub-processors located in countries outside the EU/EEA not covered by an adequacy decision. The European Commission has now filed 13 pleas before the EU General Court to annul this decision. The pleas allege lack of competence, and erroneous interpretation and application of multiple provisions of the data protection rules.
The European Commission opened public consultation on the EU-US Data Privacy Framework
On 9 August, the European Commission opened a consultation to inform an upcoming report on the functioning of the EU-US Data Privacy Framework (see our previous reporting here). The data protection adequacy decision was adopted in July 2023, in response to the CJEU Schrems II ruling that struck down the EU-US Privacy Shield. This report will be the first one of the series of periodic reviews, written together by the European Commission and the representatives of the European data protection authorities. The stakeholders were invited to send their feedback on the functioning of the Data Protection Framework until 6 September, which will in turn inform the upcoming report.
eID
The European Commission opened public consultations on Digital Identity Wallets
On 12 August, the European Commission opened five public consultations on draft implementing acts for the European Digital Identity Wallets as laid down in the EUID regulation. The published consultations ask for feedback on the requirements for certification of the conformity of European Digital Identity Wallets, electronic notification system of trusted entities that establish trustworthiness of the European Digital Identity Framework, lifecycle management of both personal identification data and electronic attestations, requirements for protocols and interfaces, requirements for integrity and core functionalities. The deadline for sharing feedback is 9 September.
Child protection
The European Commission published a call for evidence on the guidelines on the protection of minors
On 31 July, the European Commission published a call for evidence on the guidelines on the protection of minors. The call for evidence stems from Article 28 of the DSA which obliges the providers of online platforms to put in place “appropriate and proportionate measures to ensure a high level of privacy, safety and security of minors on their service”. Said article also permits the Commission to issue guidelines on this matter. The guidelines will apply to all platforms, including those that are aimed at adults but are nonetheless visited by underage users due to inadequate or absent age verification tools. In addition, online platforms accessible to children should also conduct child-specific impact assessments. The Commission is asking for input on the scope of the guidelines, concerns for minors online, and risk assessment within content moderation systems, commercial practices, age assurance and verification. The feedback period is open until 30 September 2024.
Outside of the EU bubble
The UN Ad Hoc Committee finalised the Convention against Cybercrime
On 8 August, the United Nations Ad Hoc Committee adopted the final version of the UN Convention Against Cybercrime after more than 3 years of negotiations. The convention’s aim is to strengthen “international cooperation for combating certain crimes committed by means of information and communications technology systems”, as well as to share e-evidence. Once adopted and ratified, the treaty would establish mutual legal assistance for the access to e-evidence in cybercrime, punishable by at least 4 years of imprisonment under domestic law. The treaty has been criticised by human rights organisations for the lack of human rights safeguards, and for the broad scope of its application. The treaty obliges its signatories to establish legislative measures in their domestic law to criminalise illegal access to ICT systems, illegal interception of non-public transmissions of data, interference with electronic data, CSAM, and non-consensual dissemination of intimate images. The next step is the formal adoption of the treaty during the UN General Assembly session in September. The treaty needs to be ratified by at least 40 UN Member States to officially enter into force.