EU Policy Update – March 2021
In a nutshell: The European Commission unveiled its Digital Targets for 2030. Four EU countries called for European digital sovereignty in a letter to the European Commission. The European Data Protection Supervisor issued an opinion on the Europol Regulation proposal and the NIS 2 Directive proposal. The European Court of Justice delivered a judgment about the admissibility of evidence in cases of access to electronic communications traffic and location data. The Council of the EU adopted conclusions on the EU cybersecurity strategy. The European Parliament adopted its resolution on the implementation of the GDPR. EUIPO published a discussion paper on challenges and good practices to prevent the misuse of domain names for IP infringements.
The European Commission unveiled its Digital Decade targets for 2030
On 9 March, the European Commission published its communication "2030 Digital Compass: the European way for the Digital Decade". The communication outlines the Commission's digital vision to be achieved by 2030, including basic digital skills, gigabit for everyone, the first computer with quantum acceleration, 75% of EU companies using Cloud/AI/Big Data, 80% of citizens using digital ID, etc. As part of its multi-country projects, the Commission intends to further digitalise the public sector by building "in complementarity and synergy with the eIDAS framework" and offering "on a voluntary basis European Digital Identity, to access and use digital services online from the public and private sectors in a privacy-enhancing way and in full compliance with existing data protection laws". On a global level, "the EU should lead the way towards a wider coalition of like-minded partners" to "defend the open, decentralised internet, based on a single world wide web, and a use of technology that respects individual freedoms and promotes a digital level playing field". Such a coalition should work together to, inter alia, set standards "in multilateral fora – such as on the ethical use of artificial intelligence – [...], and secure cyberspace".
Germany, Denmark, Finland and Estonia call for EU digital sovereignty
On 1 March, the Prime Ministers of four EU Member States (Germany, Denmark, Finland and Estonia) sent a letter to the President of the European Commission, Ursula von der Leyen, calling for Europe to become digitally sovereign. According to the letter, "Digital sovereignty is about building on our strengths and reducing our strategic weaknesses, not about excluding others or taking a protectionist approach". In order to strengthen the EU’s digital sovereignty, the four Member States call for identifying "systems of critical technologies and strategic sectors" to get clarity on "where Europe’s strengths are and where there may be strategic weaknesses and high-risk dependencies which could lead to supply shortages or cybersecurity risks". In a second step, the letter calls for the refinement of the EU’s policy approach for critical technologies and for ensuring "open markets and open supply chains". In addition, the digitisation of the government must be an important driver of innovation, according to the letter. To this end, the letter calls for the Commission to come up with proposals (and strengthen existing initiatives) establishing "solid framework conditions that foster an innovative, responsible and safe digital economy", including an EU-wide digital identity, a legislative framework for artificial intelligence, quantum computing, EU-based distributed data cloud solutions and a European approach to foster communication network virtualisation and new technologies (openRAN), in addition to "building on current discussion on the Digital Services Act and the Digital Markets Act[...]".
The European Data Protection Supervisor issued an opinion on the Europol Regulation proposal
On 8 March, the European Data Protection Supervisor (EDPS) published an opinion on the Proposal for Amendment of the Europol Regulation. According to the EDPS opinion, "there is no inherent and irreconcilable conflict between security and fundamental rights, including the right to data protection". The best approach to reconcile any differences between the values and interests at stake "is to conduct a fair and objective assessment of the necessity and proportionality of the proposed measures". The EDPS welcomes the choice of the Commission to discard other policy options, which would have allowed Europol to query databases managed by private parties or to request personal data directly from private parties. According to the EDPS, such powers would not have been compatible with the EU founding treaties, which exclude the application of coercive measures by Europol. The EDPS notes that the revised Europol Regulation proposal is not clear on the exact legal role and responsibilities of Europol when acting as a service provider by offering infrastructure for data exchanges between Member States and private parties.
The European Court of Justice delivered a judgment about the admissibility of evidence in cases of access to electronic communications traffic and location data
The European Court of Justice (CJEU) delivered a judgment in a case concerning the access of state authorities to data making it possible to identify the source and destination of a telephone communication from a suspect’s landline or mobile telephone, to determine the date, time, duration and type of that communication, to identify the communications equipment used and to establish the location of the mobile communication equipment used (i.e. traffic and location data). The CJEU was asked by the referring court whether such access to traffic and location data by state authorities in domestic identity fraud cases "amounts to interference with the fundamental rights which is so serious that such access should be restricted to combating serious crime, regardless of the period in respect of which the State authorities have sought access to the retained data". The referring court also asked the CJEU to clarify whether the public prosecutor's office may be regarded as an independent administrative authority that can authorise access to such traffic and location data by the competent state authorities in a pre-trial procedure. The CJEU held that even access to a limited amount of traffic and location data or access to data across a short period may provide precise information on the private life of a user of electronic communication. The CJEU also reiterated the principle of effectiveness that requires national criminal courts to disregard information and evidence obtained by means of the general and indiscriminate retention of traffic and location data, in the context of criminal proceedings against suspected persons, where those persons are not in a position to effectively comment on that information. 
Consequently, the CJEU held that EU law precludes national legislation that permits public authorities to have access to a set of traffic or location data that allows precise conclusions to be drawn concerning private life, for the purposes of the prevention, investigation, detection and prosecution of criminal offences, without such access being confined to procedures and proceedings to combat serious crime or prevent serious threats to public security, irrespective of the length of the retention period and the quantity of that data. As for the necessary independence of the judicial or administrative authority to be able to authorise the access to traffic and location data for the purposes of a criminal investigation, the CJEU held that the public prosecutor's office which directs the investigation procedure and, where appropriate, brings the public prosecution cannot be considered to be an independent authority who can carry out the authorisation review objectively, impartially and free from any external influence. The public prosecutor has, in essence, the task to act as a prosecutor in the proceedings, and not to rule on a case in complete independence.
The European Data Protection Supervisor issued an opinion on the Cybersecurity package
On 11 March, the European Data Protection Supervisor (EDPS) published an opinion on the EU Cybersecurity Strategy (see our previous reporting here) and the NIS 2 Directive Proposal. The EDPS supports the overall objective of the Cybersecurity Strategy "to ensure a global and open internet with strong safeguards for the risks to security and the fundamental rights", recognising the strategic value of the internet and its governance in the multistakeholder model. Regarding the NIS 2 proposal, the EDPS identifies numerous concerns with the proposed text, including the need to align it with the privacy and data protection perspective, "in order to ensure a holistic approach and enable synergies when managing cybersecurity and protecting the personal information they process". Most notably for domain registries and registration data, the EDPS welcomes the data protection limitations reinstated in the recitals of the proposal that concern the processing of WHOIS data. However, the EDPS strongly recommends adding a general substantive provision on the application of data protection law directly in the articles. When it comes to Article 23, which attempts to create a specific data accuracy principle for domain name registries and registrars, along with the obligation to publish some registration data and provide access to non-public personal information to "legitimate access seekers", the EDPS recommends specifying a number of notions enshrined within this provision. For instance, the EDPS recommends clearly spelling out what constitutes “relevant information” in the provision that obliges domain name registries and registrars to collect and maintain relevant information on domain name holders. Similarly, the EDPS recommends clarifying in greater detail which categories of domain registration data should be subject to publication.
The EDPS also recalls the relevant GDPR provisions and the respective CJEU case-law, which considers certain data concerning legal persons to fall under personal data. Furthermore, the NIS 2 proposal neither defines “legitimate access seekers” nor specifies any purposes for such access, according to the EDPS. Consequently, any interference with the fundamental right to the protection of personal data, such as the requirement to provide personal information to third parties in Article 23, must be accompanied by clear and precise rules governing the scope and application of the measure and by minimum safeguards. The EDPS underlines that the NIS 2 text must further clarify which (public or private) entities might constitute “legitimate access seekers”.
The Council of the EU adopted conclusions on the EU cybersecurity strategy
On 22 March, the Council of the EU adopted conclusions on the EU Cybersecurity Strategy for the digital decade. The Council of the EU reaffirms the view of "substantially shaping international norms and standards in the areas of emerging technologies and the technical and logical infrastructure essential to the general availability and integrity of the public core of the Internet, so that these are in line with universal and EU values and through a multi-stakeholder approach, the further development of norms and standards within the Union is essential". According to the conclusions, this will "ensure that the Internet remains global, open, free, stable and secure and that the use and development of digital technologies are human rights respecting, and that their use is lawful, safe and ethical". The Council of the EU also strongly supports the multistakeholder model for internet governance and cybersecurity and "commits itself to reinforcing regular and structured exchanges with stakeholders". The Council also takes note of the NIS 2 proposal and looks forward to "discussions with the Commission, ENISA, the two EU DNS Root Server Operators and the multi-stakeholder community to assess the role of the two EU DNS Root Server Operators when it comes to guaranteeing that the Internet remains globally accessible and non-fragmented". The Council also welcomes further discussion on the Commission’s plans to develop an alternative European service for accessing the global internet (“DNS4EU” initiative), "based on a transparent model which conforms to the latest security, data protection and privacy by design and by default standards and rules, in order to contribute to increased resilience, while maintaining and enhancing international connectivity for all Member States".
The European Parliament adopted its resolution on the implementation of the GDPR
On 25 March, the European Parliament adopted a resolution on the Commission evaluation report on the implementation of the GDPR. In its non-legislative resolution, the European Parliament expresses concern that 'legitimate interest' is "very often abusively mentioned as a legal ground for processing" and points out that "controllers continue to rely on legitimate interest without conducting the required test of the balance of interests, which includes a fundamental rights assessment". In this regard, the European Parliament is particularly concerned by the fact that "some Member States are adopting national legislation to determine conditions for processing based on legitimate interest by providing for the balancing of the respective interests of the controller and of the individuals concerned, while the GDPR obliges each and every controller to undertake this balancing test individually, and to avail themselves of that legal ground". The European Parliament also welcomes the fact that the EDPB has already started work to update an opinion on the application of legitimate interest. The European Parliament also calls for more consistency in applying the GDPR across the EU and "calls on DPAs to strive for consistent interpretation and guidance facilitated through the EDPB". The European Parliament also deplores the fact that "the Member States’ use of the facultative specification clauses (e.g. processing in the public interest or by public authorities on the basis of the Member State’s law and age of children to consent) has been detrimental to the achievement of full data protection harmonisation and to the elimination of diverging market conditions for companies throughout the EU".
In this regard, the European Parliament calls on the European Commission "to use its powers to intervene in Member States where national measures, actions and decisions undermine the spirit, objective, and text of the GDPR, with a view to preventing unequal protection for citizens and market distortions".
The EUIPO published a discussion paper on challenges and good practices to prevent misuse of domain names for IP infringements
On 23 March, the EUIPO published a discussion paper on "Challenges and good practices from registrars and registries to prevent the misuse of domain names for IP infringement activities". The discussion paper hopes to "contribute to a better understanding of the domain name ecosystem, the good practices that are developing to prevent the misuse of domain names for IP-infringing activities, and the challenges and opportunities to extend or replicate some of these good practices". According to the discussion paper, many IP-infringing websites are controlled by the infringer, "which means that the infringing entity (or its proxy) is the registrant of the domain name". While the GDPR has had an impact on the accessibility of registration data, these restrictions have a limited impact on the capacity of IP owners to effectively identify the holder of a domain name used for IP-infringing activities, since "IP infringers rarely use their real contact details", according to the discussion paper. However, "they do hinder IP owners’ ability to identify contact details that are obviously fake". The discussion paper highlights collaboration opportunities between registries and trademark offices for alert systems "offering measures of availability check and/or alert to their users" when a domain name is registered that is identical to existing trademark applications. These measures are considered to be a good practice to prevent IP infringements in the domain name space. Registration data verification measures can be "a very effective way to block fraudulent registrations", according to the discussion paper. Where national eID solutions are lacking and/or foreign registrations are difficult to verify, the discussion paper points to the use of "alternative identification solutions", such as performing a risk assessment on registration data or verifying the registrant’s identity through payment methods.
When it comes to measures to monitor and detect abusive registrations, the discussion paper highlights the need for registry operators to develop ways to "share data with each other so that patterns detected in one TLD could be used by other TLDs to determine whether similar illegal activities are ongoing".