In a nutshell: The European Council adopted its conclusions, committing to strengthening work on digital solutions, such as eIDs. The EU institutions started trilogue negotiations on the GI protection for crafts/industrial products proposal. The Swedish presidency published its suggested amendments to the proposal for a regulation on GI protection for agricultural products, while the European Committee of the Regions issued its Opinion. The European Commission shared the Consumer Scoreboard. The EDPB circulated guidelines on certification as a tool for transfers and initiated a coordinated enforcement action. The European Parliament assigned the leadership of negotiations on the Cyber Resilience Act to ITRE. ENISA published a report on AI cybersecurity.
European heads of state commit to unlocking the value of data
In the Council, European heads of state have committed to a growth-enhancing regulatory environment, which also meets the vulnerabilities exposed by recent crises. They place a particular focus on the Digital Single Market. The European Council calls for a ‘rationalisation’ of reporting requirements under digital legislation (although without mentioning specific regulation), for a broad reduction of the administrative burden on the private sector, as well as for competitiveness checks on new legislation. One explicit goal is to unlock the value of data in Europe, including via machine-readable and standardised data. Another goal is to “considerably increas[e] the uptake of digital solutions (such as eID[s)]”. The implication is that the outcome of the EUID trilogues, which began on 21 March, will be even more relevant, as European governments have committed to promoting EUID use in a digital society.
EU institutions entered trilogue negotiations on the GI protection of crafts/industrial products proposal
After the European Parliament's Committee on Legal Affairs (JURI) adopted its report on the proposal for a regulation on the geographical indication (GI) protection for craft and industrial products last month, the JURI decision to enter into interinstitutional negotiations was confirmed by the European Parliament’s plenary on 15 March. On 22 March, the Council of the EU published a 4-column document in preparation of the interinstitutional negotiations, highlighting the initial positions of all three institutions. For further highlights on the institutional positions on the proposal, see our previous reporting here, here and here.
The Swedish presidency proposed amendments to the domain name related provisions of the proposal on the GI protection of agricultural products
The Swedish Council presidency published its suggested amendments to the proposal for a regulation on GI protection for wine, spirits drinks, agricultural products (dated 27 February). When it comes to the domain name related provisions, the suggested amendments include expanding their scope to all TLD registries established in the EU, as opposed to limiting their application to EU ccTLDs, as in the European Commission’s original proposal. According to the suggested amendments, all EU TLD registries shall recognise GIs as a right that can be invoked within alternative dispute resolution (ADR) procedures. In addition, the EUIPO shall establish and develop a so-called “domain name information and alert system” to provide GI applicants with information about the availability of the GI as a domain name, upon the submission of a GI application. EU TLD registries shall cooperate with the EUIPO for the purpose of providing relevant information and data, according to the Presidency proposal. CENTR has published further analysis on the implications of the EU GI reform on the digital infrastructure and global internet governance.
The European Committee of the Regions issued its Opinion on the proposal on the GI protection of agricultural products
On 2 March, the European Committee of the Regions (CoR) published its suggested amendments to the proposal for a regulation on GI protection for wine, spirits drinks, agricultural products. According to the CoR, EUIPO will contribute to the EU GI system “by offering its expertise on intellectual property as well as in the performance of tasks related to the protection of geographical indications, including on the internet”. Consumers shall also be able to easily identify protected goods within not only e-commerce but also the Domain Name System. When it comes to domain name specific GI protection, the CoR is suggesting expanding the scope of protection to “domain registries” that is supposed to encompass non-EU actors. To that end, domain name registries must “automatically” or upon the request of parties with a legitimate interest “revoke or transfer a domain name registered to the recognised producer group of the products with the geographical indication concerned, or to the Member State of origin of the geographical indication concerned”, following the ADR procedure. As for the establishment of the “domain name information and alert system”, the Region’s Committee suggests including it in the list of potential activities that EUIPO may undertake.
The European Commission published the Consumer Scoreboard
On 27 March, the European Commission published the results of the 2023 Consumer Conditions Scoreboard, a survey on consumption habits in the EU Member States, Iceland and Norway. According to these results, the vast majority of consumers expressed concerns about their safety online. In particular, 94% expressed concerns about online targeted advertising, with 70% worried about the inappropriate use and sharing of personal data, 66% about the collection of online data and related profiling without explicit knowledge or agreement and 57% about cookies' installation. During the European Consumer Summit, the Commissioner for Justice, Didier Reynders, pledged to revise EU “key” consumer law, in response to consumer concerns over online shopping. The upcoming reform includes revising product safety, a new enforcement package with the possibility to reinforce EU-level action, and potentially new proposals around “solutions to address the issues related to cookies”.
The EDPB published guidelines on certification as a tool for transfers
The European Data Protection Board (EDPB) has published its Guidelines 07/2022 on certification as a tool for transfers, to comply with Article 46 of the General Data Protection Regulation (GDPR), which requires that data exporters establish appropriate safeguards for personal data transfers to third countries. Certification is one available safeguard for transfers, per Article 46(2)(f) GDPR. Building on the Guidelines 1/2018 on certification and identifying certification criteria, the Guidelines 07/2022 place a special focus on the role of the data importer in certification schemes. Section three of the guidelines provides greater detail on certification criteria and establishes additional specific criteria, especially for cases of transfers to third countries, including inter alia assessments of third country legislation, rules on onward transfers, redress and enforcement. Section four provides elements to be included within binding and enforceable commitments between the data importer and exporter (e.g. in contracts), such as a warranty that the importer will uphold their commitments under the certification.
The EDPB investigates the role of DPOs across the EEA in coordinated enforcement
In addition to the above, the EDPB has initiated a coordinated enforcement action, through which 26 data protection authorities (DPAs) across the EEA (including the EDPS) will investigate the designation and position of the approximately 500.000 data protection officers (DPOs) via questionnaires. The objective is to assess whether DPOs are properly resourced to ensure their organisations’ compliance with data protection law, as required by Articles 37-39 of the GDPR. Once the action is concluded and the questionnaire results are analysed, the DPAs will decide on possible further national supervision and enforcement actions, as well as prompt targeted follow-up at EU level.
Committee competences in the European Parliament assigned for the CRA
The European Parliament has assigned the leadership of negotiations on the Cyber Resilience Act (CRA) to the Industry, Research and Energy Committee (ITRE), which will be responsible for coming up with the European Parliament’s position on the legislative proposal (see our previous reporting here). ITRE will share the competence for Article 4 on the free movement of products in scope, Article 8 on high-risk AI systems, as well as Articles 21 and 22 on the CE safety marking with the Internal Market and Consumer Protection Committee (IMCO) and the Civil Liberties, Justice and Home Affairs Committee (LIBE). These two will each have exclusive competences for a handful of articles. LIBE will bear the responsibility for Article 41(5) on data protection supervision, while IMCO will hold exclusive competence for Article 7 on general product safety and Article 9 on machinery products. The work in progress timetable indicates that in the ITRE Committee, Rapporteur Nicola Danti (Renew) will officially present a draft report on 25 April, with a provisional vote on tabled amendments scheduled for 19 July.
ENISA published research on AI cybersecurity
On 14 March, ENISA published a report on the “Cybersecurity of AI and standardisation”. The overall objective of the research is “to provide an overview of standards (existing, being drafted, under consideration and planned) related to the cybersecurity of artificial intelligence (AI), assess their coverage and identify gaps in standardisation”. The report also examines how standardisation can support the implementation of the cybersecurity aspects embedded in the proposed AI Act (see our previous reporting here). The report argues that “existing general purpose technical and organisational standards”, such as ISO 27001 and ISO 9001, can partially contribute to mitigating some of the risks posed by AI, as software and “therefore software security measures can be transposed to the AI domain”. As for the recommendations concerning the AI Act, the report stresses the importance of the inclusion of cybersecurity aspects in the risk assessment of high-risk systems. It also highlights the lack of standards on competences for the validation, testing, auditing and certification of AI systems. Finally, the report notes that the coherence between the draft AI Act, draft Cyber Resilience Act and the Cybersecurity Act should be ensured to inter alia “avoid duplication of efforts at national level”.