EU Policy Update – February 2023

EU Policy Updates 16-03-2023

In a nutshell: The European Parliamentary committees have finalised their work on the GI protection of crafts/industrial products proposal and the EUID regulation, and expressed criticism over the EU-US Data Privacy Framework. The European Commission published the European Digital Identity Wallet Architecture and Reference Framework, and a proposal for Gigabit Infrastructure Act, while seeking public views for the upcoming GDPR enforcement review and the future of the connectivity sector. The EU is also revising its insolvency law and has included domain registries in its scope. The Swedish presidency proposed a list of critical products under the CRA. The EDPS is piloting the use of Free and Open Source Software. ENISA published its multiannual single-programming report for 2023-2025. The Leipzig Regional Court ruled in favour of Sony against Quad9.

Intellectual property

JURI approved its report on the GI protection of crafts/industrial products proposal

On 28 February, the Committee on Legal Affairs (JURI) adopted its Report on the proposal for a regulation on the geographical indication (GI) protection for craft and industrial products (see our previous reporting here). The adopted JURI report recognises that in certain geographical areas, the possibility for a single producer to be considered a GI applicant should be ensured. However, the geographical area should always refer to natural features and not private property boundaries, according to the Report. The JURI Report recognises that GI protection should be granted to names included in the Union register of GIs for craft and industrial products, however, phonetic or visual similarity to a registered GI “should also be taken into consideration”. The holders of a registered GI or a producer group having a legitimate interest should be empowered to request the revocation or the transfer of the domain name within all TLDs established in the EU, following an appropriate alternative-dispute-resolution procedure or judicial procedure. Similarly to this, the JURI report also expands the scope of a “domain name information and alert system” to all TLDs established in the EU. During the public hearing in JURI, the Rapporteur responsible for the JURI report, and subsequently for the Parliament’s position on the legislative proposal, MEP Marion Walsmann, expressed her hope for the European Parliament and the Council of the EU to reach an agreement establishing the domain name information and alert system, as GIs should be protected together with domain names. The Rapporteur is of the opinion that the domain name information and alert system is “a very good extension” of the reform. Once the mandate to enter into negotiations with EU governments is confirmed by the Parliament as a whole, the trilogue negotiations on the final text of the legislation can start.


The European Parliament’s EUID position is ready to be voted on, while the Commission has prepared specifications for EUID

On 9 February, the Industry, Research and Energy Committee (ITRE) Committee in the European Parliament adopted its position on the proposal for the European Digital Identity Framework (‘EU’). Notably, the ITRE maintains the Commission proposal’s obligations for browsers to recognise qualified certificates for website authentification (QWACs), which had attracted criticism for lowering the protection of sensitive information transmitted online, since QWACs may be exempt from browsers’ security checks. The ITRE position emphasises that “web browsers shall not be prevented from taking [necessary and proportionate] measures[...] to address substantiated risks”. Pirate Party MEPs celebrated that their alliance was able to prevent a compulsory unique identification number for EU citizens, and ensure that the eventual digital identity wallets will be published as open source. These positions are pending plenary approval, earliest in the March 2023 session, after which they must withstand the interinstitutional negotiations. Meanwhile, the Commission has published version 1.0 of the European Digital Identity Wallet Architecture and Reference Framework. It provides developers with “specifications needed to develop an interoperable [European Digital Identity] Wallet Solution based on common standards and practices”, to support the implementation of of the EUID Regulation, without prejudicing the legislative process.

Data protection

Domain "registers" under scope of the EU insolvency law review

At the end of 2022, the European Commission published a proposal for a directive harmonising certain aspects of insolvency law. The lack of harmonised insolvency regimes across the EU has been identified as “one of the key obstacles to the freedom of capital movement in the EU and to greater integration of the EU’s capital markets”. According to the explanatory statement accompanying the proposal, “the ongoing energy crisis and the limited fiscal space for public subsidies may result in an increase in business exits in the future”. As a result, ”more companies may experience conditions where their debt level turns out to be unsustainable”. The proposal targets the following dimensions of insolvency law: (i) the recovery of assets from the liquidated insolvency estate; (ii) the efficiency of proceedings; and (iii) the predictable and fair distribution of recovered value among creditors. As part of this reform, the proposal also aims to ensure “access by insolvency practitioners to various registries containing relevant information on assets that belong or should belong to the insolvency estate”, and obliges Member States to “provide non-domestic insolvency practitioners with direct and swift access to the registers listed in the Annex”, including “registers of internet domains”. According to Article 18 of the proposal, Member States shall ensure that insolvency practitioners, regardless of the Member State where they have been appointed, have direct and expeditious access to the national asset registers, including domain registries, located in their territory. According to the relevant recitals, access to non-public information held by a range of national registers needs to be ensured for the purposes of identifying and tracing assets belonging to the insolvency estate.

The European Commission is preparing for the GDPR enforcement review

The European Commission is getting serious about reviewing the GDPR’s enforcement mechanisms. They have launched a call for evidence, which closes on 24 March 2024, after already announcing the review in their 2023 work programme. The objective is for the new rules to “harmonize some aspects of the administrative procedure” and to “support a smooth functioning of the GDPR cooperation and dispute resolution mechanisms” in cross-border cases, by “streamlining the cooperation” between national data protection supervisory authorities. Given the predictable onslaught of activism and lobby attention, the Commission will propose the new regulation before the summer, and keep it as targeted and limited as possible. The reform is not expected to have any impact on the rights of data subjects, the obligations of data controllers and processors, or the lawful grounds for processing personal data under the GDPR.

LIBE issued a draft motion on the EU-US Data Privacy Framework

Under the leadership of MEP Juan Fernando López Aguilar in the Committee on Civil Liberties, Justice and Home Affairs (LIBE), the European Parliament has published a Draft Motion for a Resolution on the adequacy afforded by the EU-US Data Privacy Framework. The draft resolution recalls criticisms of the Framework, referencing EU fundamental rights standards, Schrems I and II. The draft resolution will be finalised in March, to likely be voted on in the April plenary session. The Commission has worked with US authorities to re-establish data flows, and a draft adequacy decision in December 2022, to address the CJEU’s concerns in Schrems II. Some scepticism remains among European privacy authorities. The LIBE resolution criticises the Commission’s draft adequacy decision, given their argument that it does not meet the criteria set in Schrems I and II. The Committee refers to the absence of “clear and strict mechanisms for monitoring and review in order to ensure that decisions are future proof”, as well as European businesses’ needs for legal certainty.

The EDPS started a pilot of the use of Free and Open Source Software

In February 2023, the European Data Protection Supervisor (EDPS) started piloting the use of Free and Open Source Software (FOSS), such as Nextcloud and Collabora Online (based on LibreOffice). Together, these offer the possibility to share files, send messages, make video calls and collaborate in “a secured cloud environment”, according to the EDPS. Furthermore, FOSS solutions offer “data protection-friendly alternatives to commonly used large-scale cloud providers” and may minimise vendor lock-in to monopoly providers. By procuring FOSS solutions, the EDPS is hoping to avoid data transfers to non-EU countries and allow for a “more effective control over the processing of personal data”.


The Swedish presidency proposed a list of critical products under the CRA

The Swedish Council presidency shared a compromise text for the Cyber Resilience Act (‘CRA’)  on 10 February, which is not public yet, though being discussed at ministerial level. Major changes have been introduced in the categorisation of ‘critical’ and ‘highly critical’ products. The latter category includes products which have an important security function and are central to managing a broader system, including, for example, network and identity management systems, authentication tools and VPNs, while public key infrastructure and digital certificates have been categorised as ‘critical’.

ENISA published its work programme for 2023

The European Union Agency for Cybersecurity (ENISA) has published its multiannual single-programming report for 2023 to 2025. The report outlines an active regulatory landscape, spanning, among others, the implementation of the NIS 2 Directive, the establishment of a Joint Cyber Unit to improve collaboration across the cybersecurity ecosystem and the ongoing negotiations on a Cyber Resilience Act (CRA). It also highlights the operational activities planned by ENISA to respond to the EU’s regulatory needs by delivering assistance and advice to the EU and Member States in developing cybersecurity policy. According to the programme, ENISA will support the European Commission and Member States “on new policy initiatives through evidence-based inputs”. In addition, ENISA provides support to Member States and EU institutions in the implementation of the NIS 2 and other cybersecurity-relevant legislation. This activity “seeks to avoid fragmentation and supports a coherent implementation of the Digital Single Market” in the EU, primarily when it comes to the implementation of digital identity and the “resilience of the public core of the open internet (e.g., DNS4EU)”.

Connectivity infrastructure

The European Commission published a proposal for a Gigabit Infrastructure Act

On 23 February, the European Commission issued its proposal for a Gigabit Infrastructure Act, which aims to revise the 2014 Broadband Cost Reduction Directive, due to the “fast advances in digital technologies” and the needs for “significant network investment [...]to keep up with increasing bandwidth demands”. The Gigabit Infrastructure Act, therefore, aims “to contribute to the cost-efficient and timely deployment” of the ‘very high capacity networks’ “necessary to meet the EU’s increased connectivity needs”. The proposal suggests expanding the scope of the definition of a network operator beyond “undertakings providing or authorised to provide electronic communications networks” and includes operators of other types of networks, such as transport, gas or electricity, providing associated facilities that have an increasing role in the rollout of 5G networks and that offer connectivity in rural areas. The proposal also creates an ‘access obligation’ to physical infrastructure that is not part of a network but is owned or controlled by public sector bodies. The proposal also mandates in-building physical infrastructure, access points and in-building fibre wiring for new and majorly renovated buildings, and requires Member States to adopt relevant national standards/technical specifications and certification mechanisms.

The European Commission is seeking views on the potential developments of the connectivity sector’s infrastructure

On 23 February, the European Commission launched a public consultation on the “changing technological and market landscape and how it may affect the sector for electronic communications”. According to the explanatory statement accompanying the launch of the public consultation, “digital markets and[...] connectivity markets are facing transformative technological and market developments”, such as cloud data storage, edge computing, the Metaverse, artificial intelligence and virtual reality. The exploratory consultation is expected to gather stakeholder views on the potential “need for all players benefitting from the digital transformation to fairly contribute to the required investments” into connectivity infrastructure. According to the explanatory statement, “massive investments in network infrastructure are still needed to achieve Europe’s Digital Decade goals”, with estimates quantifying the investment needs at around 174 billion EUR until 2030. Some European providers of electronic communication networks and services claim that they are suffering from “a lower return on investment, especially when compared to companies in the and infrastructure operators”. As a result, there is a need to investigate the needs of the connectivity sector for the future. The exploratory consultation is open for public feedback for 12 weeks.

Content Moderation

Quad9 loss against Sony before Leipzig Regional Court

The Sony v Quad9 saga continues before the Leipzig Regional Court, which held that operators of DNS resolvers can be held liable for copyright infringements. Netzpolitik.org characterised the ruling as a 'blatant miscarriage of justice', while Quad9 considers it an ‘exceptionally dangerous precedent’. Although the German Telemediengesetz (TMG), the e-Commerce Directive and the Digital Services Act exclude mere conduits from liability, the judges attributed a “sufficient causal contribution” (German: adäquat-kausalen Beitrag) to Quad9, in making the two sites in question available. However, the Leipzig Court did not even assess Quad9 as a service under the TMG, but rather as liable under German copyright law, for playing a “central role” in the infringement by making the illegal downloads available by resolving the site. Whether German copyright law was intended to be applied to resolvers is questionable. In response to counterarguments stressing the disproportionate legal and technological burden of country-specific DNS blocking, and the GeoIP technology already implemented by Quad9 in response to the prior Hamburg ruling, the Court contended that Quad9 also filters out malware, equating it with copyrighted material. In a blogpost, Quad9 cites global jurisdictional implications and chilling effects as reasons for why they will appeal the case.

Published By Polina Malaja
Polina Malaja is the Policy Director at CENTR, leading its policy work and liaising with governments, institutions and other organisations in the internet ecosystem.
Published By Marlene Straub
Marlene is the Senior Policy Advisor at CENTR. She focuses on policy developments and liaises with institutions, governments and other organisations in the internet ecosystem.