EU Policy Update – May 2023

EU Policy Updates 19-06-2023

In a nutshell: The incoming Spanish Council Presidency has published its work programme for the second half of 2023. The EU institutions are close to finalising the legislation on the GI protection for crafts/industrial products, while trilogues have begun for the proposal for the GI protection for agricultural products. The Commission has opened a call for tender for a study on IP rights enforcement and counterfeiting. The European Parliament’s ITRE Committee has published over 500 amendments to the Cyber Resilience Act. ENISA has published its report on DNS identity and the verification of domain name holders. The Council has shared its conclusions on the EU Policy on Cyber Defence. The European Parliament has approved the e-Evidence Regulation in Plenary. The EDPS has issued Opinions on the Commission Recommendation to open negotiations on International Agreements on the exchange of personal data with five South American states. The CJEU has clarified when a GDPR infringement may give rise to a right to compensation. The Swedish Council Presidency has shared a compromise text on proposed legislation to combat child sexual abuse online. The European Parliament voted on its compromise text and negotiating mandate to enter into interinstitutional trilogues on the AI Act.

The incoming Spanish Presidency of the Council of the European Union publishes work programme

On 1 July 2023, Spain will take over the rotating Presidency of the Council of the European Union. The incoming Spanish Presidency has published its work programme, highlighting the strategic priorities it seeks to set during its term. Foremost, it wants to make artificial intelligence (AI) and the conclusion of the EU AI Act its main objective, while also strengthening European cyber resilience. In respect to the latter, the Spanish Presidency mentions achieving progress on the Cyber Resilience Act, the Cyber Solidarity Act and the revision of the Cybersecurity Act. Broadly, the work programme notes that this will be the last presidency before the 2024 European Parliament elections, and stresses that the Spanish Council Presidency will focus on political objectives to help accelerate the EU's human-centric and rights-oriented digital transformation and its global competitiveness.

Intellectual Property

EU institutions are close to finalising legislation on the GI protection for crafts/industrial products

On 24 May, the Council of the EU’s Permanent Representatives Committee approved the compromise text reached with the European Parliament at the beginning of May on the proposal for a regulation on the geographical indication (GI) protection for craft and industrial products. On 30 May, the Legal Affairs Committee (JURI) of the European Parliament also approved the agreement reached in the interinstitutional negotiations. According to the agreement and when it comes to domain name related provisions, the establishment of a "domain name information and alert system" has been omitted from the final text. However, the Commission will have to carry out an evaluation on the feasibility of such a system "against the abusive use" of crafts/industrial GIs, and submit a report on its main findings to the European Parliament and to the Council of the EU within 18 months. Based on the outcome of this evaluation, the Commission should, when necessary, come up with a legislative proposal to establish such a system. EU ccTLDs offering alternative dispute resolution (ADR) procedures to resolve domain name disputes should ensure that ADR procedures recognise registered GIs as a right that can be invoked in these procedures, according to the agreement.

EU institutions started trilogue negotiations on the proposal for the GI protection for agricultural products

The EU institutions have moved to the final stage of the negotiations on the proposal for a regulation on GI protection for wine, spirit drinks and agricultural products, after the European Parliament approved its position on the proposal on 1 June, and the Council of the EU approved its negotiating mandate on 8 May 2023. According to the published 4-column document, the European Parliament and the Council of the EU have opposing views with regard to the provisions related to domain names (see our previous reporting here). According to the European Parliament's position, the "recognition and protection of established rights in the domain names industry at international level is essential[...]" and to this end, the European Commission should pay "special attention to the need to include the protection of geographical indications rights at domain names level", at ICANN level and within the Uniform Domain Name Dispute Resolution Policy (UDRP). The European Parliament also wants to task the EUIPO with the "monitoring of the registration of domain names in the Union" which might conflict with the registered GIs, as part of a domain name alert system to be established by the EUIPO. The Parliament also seeks to enlarge the scope of domain name related provisions to all TLDs operating in the EU. Meanwhile, the Council of the EU’s position is to keep the scope of the GI protection to alternative dispute resolution (ADR) procedures established across EU ccTLDs, with a suggestion to delete any reference to the "domain name information and alert system" from the legislative proposal.

The European Commission is seeking to conduct a study on IPR enforcement and counterfeiting

The European Commission has opened a call for tender for a follow-up study on the application of the Directive on the enforcement of intellectual property rights (IPRED) and contribution to the EU Toolbox against counterfeiting (see our previous reporting here). The study will assess the situation as to how the measures provided by the IPRED are used in the different Member States, and will provide policy and legal recommendations as to what improvements can be made to improve the fight against counterfeiting, in particular in the context of the upcoming EU Toolbox against counterfeiting. The study is expected to take into account: (i) all steps of counterfeiting activities (from the manufacturing to the putting on the market); (ii) all actors that can be involved in the fight against counterfeiting activities, e.g. right holders, intermediaries online and offline, public authorities; (iii) technological developments (e.g. blockchain and artificial intelligence technologies) that improve efficiency in tackling counterfeiting. The tender documents also mention the unavailability to issue dynamic blocking injunctions across all EU Member States that could be applied more so to intellectual property rights (IPR) than copyright; as well as potential clarifications for data sharing between IP holders, intermediaries and public authorities in the context of IPR infringements. The call for tender is open until 26 June 2023.


ITRE issued numerous amendments for the Cyber Resilience Act

On 4 May, the European Parliament's Committee on Industry, Research and Energy (ITRE) published over 500 amendments (see here and here) to the proposal for a Cyber Resilience Act (CRA), as suggested by ITRE members. Several amendments target the question of the inclusion of Free Software under the Regulation. Notable amendments include a suggestion to differentiate between “independent developers of free and open source software” and “commercial open-source” that is “developed by a single organisation” generating “significant revenues from related use in business relationships”. The former, together with manufacturers that include these components to their products should not be subject to stricter compliance rules under the CRA. Other amendments include placing a responsibility on the manufacturer that has integrated Free Software into their product, including for the compliance of the Free Software component; or requiring individual or micro developers of Free Software to “make best efforts in order to comply with the requirements […] during the 12 months from placing a software on the market". With regard to the relationship between the CRA and the NIS 2 Directive, some notable amendments include a requirement to subject "critical products with digital elements" used by essential entities under the NIS 2 Directive to "a strategic supply chain risk assessment that includes non-technical factors to assess the risk of the manufacturer being subject to undue interference from a third country". Other amendments are also in favour of requiring manufacturers to report significant vulnerabilities to CSIRTs, instead of ENISA, and to streamline reporting requirements under different legal instruments to avoid an unnecessary administrative burden, conflicting reporting obligations and double fines.

ENISA published its report on DNS identity and the verification of domain name holders

At the end of May, ENISA published its report on “DNS identity: Verification and Authentication of Domain Name Owners”. The report seeks to provides a view of the authentication and verification of domain name owners in the context of domain name registration. It identifies the security challenges, good practices, security controls and associated risks in the domain name registration ecosystem. When it comes to the verification of domain name holders' identity, the report suggests following "good security practices": 1) support of two-factor authentication (2FA) to strengthen verification, 2) use of national eID schemes, where available, 3) use of PCI DSS data, 4) use of third-party verification. The report is targeted at "national authorities involved in the security of the DNS, as well as top level domains (TLDs) and entities providing domain name registration services" to give information about possible risks and identify good practices for the verification of domain name holders. In the case of European ccTLDs, the report has identified "three primary tools" for risk assessment and to identify suspicious registrations: checking registration data against a database, using machine learning or AI tools to do the checking and doing validation through a stepwise set of processes. 

The European Parliament approves its negotiating mandate to enter into interinstitutional trilogues on the AI Act

On 11 May 2023, the European Parliament adopted its compromise text on the AI Act that was approved by a plenary vote on 14 June. The Parliament’s position includes 'critical infrastructure', necessary for the provision of an essential service within the meaning of Article 2(4) of the Critical Entities Resilience (CER) Directive. Critical infrastructure is included in the scope as long as the AI systems are used as a safety component in the management and operation of critical digital infrastructures. Components intended to be used solely for cybersecurity purposes should not qualify as safety components. Finally, critical infrastructure is included in the context of the AI regulatory sandbox, where lawfully collected data may be used to develop and test the AI system. Among one of the possible grounds for using the AI regulatory sandbox is that the AI system shall be developed for safeguarding substantial public interest, including for the safety and resilience of critical infrastructure.

The Council publishes its conclusions on the EU Policy on Cyber Defence

On 22 May, the Council published its conclusions on the EU Policy on Cyber Defence. It identifies cyberspace as a field for strategic competition which EU Member States must approach coherently. Therefore, the Council stresses the need to invest individually and collaboratively in full-spectrum cyber defence capabilities, utilising EU cooperation frameworks and financial incentives. The Council recognises that the EU's defensive abilities are strengthened by the NIS 2 Directive and Directive on Critical Entities Resilience, while reiterating its Recommendation on a coordinated approach by the Union to strengthen the resilience of critical infrastructure. Simultaneously, the Council conclusions note that NIS 2 does not apply to public administration entities active in the area of defence, and encourages Member States to develop non-legally binding voluntary recommendations inspired by NIS 2 to increase cybersecurity in the defence community. The Council calls for the Commission and the High Representative of the European Security and Defence College to develop an implementation plan for the EU Policy on Cyber Defence in the second quarter of 2023, to be evaluated in the second quarter of 2024.

Data protection

The Parliament votes to approve the e-Evidence Regulation in plenary

On 13 June 2023, the European Parliament voted on the e-Evidence Regulation in plenary (final text), and adopted it with 433 votes in favour, following a debate on 12 June. The Council has previously stated that it will likewise approve the position, in case the plenary does not introduce any amendments. Therefore, this concludes a lengthy legislative process which began in 2018. The purpose of the e-Evidence Regulation is to enable law enforcement to request the provision or preservation of electronic evidence held in other Member States. Domain name registries, domain name registrars and domain name related privacy and proxy services are included in the scope as ‘service providers’. The conditions for the issuing of European Production (EPOC) or Preservation Orders (EPOC-PR) are set out in detail, including requirements on who may issue such orders. Further, the approved position sets out amended procedures in emergency cases, defined inter alia as situations with an imminent threat to a critical infrastructure, including exceptions to the validation of orders by judicial authorities and with tight deadlines of 8 hours upon the receipt of an order.

EDPS issues five Opinions on Commission Recommendation to open negotiations on International Agreements on the exchange of personal data

On 4 May, the European Data Protection Supervisor (EDPS) issued five Opinions on the European Commission's Recommendation to open negotiations on International Agreements on the exchange of personal data between Europol and five Latin American countries (Ecuador, Brazil, Peru, Bolivia and Mexico), in order to fight serious crime and terrorism. These International Agreements build on the Europol Regulation, which emphasises principles such as storage limitation and data minimisation. In this context, across countries, the EDPS recommends that future Agreements explicitly list the criminal offences and purposes on the basis of which individuals' personal data may be exchanged, to support specificity and purpose limitation. Further, the EDPS recommends improving supervision capacities and installing stronger safeguards, e.g. in terms of security measures for data processing and a periodic review of storage time limits.

The CJEU has clarified when a GDPR infringement may give rise to a right to compensation

The Court of Justice of the European Union (CJEU) has ruled that not every infringement of the GDPR gives rise, by itself, to a right to compensation, per the Court's press release. In its ruling of 4 May 2023 in UI v Österreichische Post AG, the CJEU provided more nuanced reasoning. Given that the right to compensation established in Article 82 GDPR sets out three cumulative conditions - (i) an infringement, (ii) the existence of resulting material or non-material damage, and (iii) a causal link existing between infringement and damage - infringements alone, without a causal link to damage, cannot give rise to compensation. The Court clarifies that an infringement of the GDPR does not necessarily result in damage, but also that 'damage' is conceptualised broadly in the GDPR. Therefore, in cases where the three cumulative conditions for compensation are met, the right to compensation is not dependant on a degree of 'seriousness', since "[m]aking compensation for non-material damage subject to a certain threshold of seriousness would risk undermining the coherence of the rules established by the GDPR".

Child protection

The Swedish Council Presidency issues a compromise text on proposed legislation to combat child sexual abuse online

As the draft legislation to prevent and combat child sexual abuse online (previous reporting can be found here, here and here) makes its way through the institutions, the Swedish Council Presidency has issued a compromise text. The compromise maintains the Commission's inclusion of provisions concerning the blocking of child sexual abuse material (CSAM) via uniform resource locators (URLs), while the Parliament's leading Civil Liberties, Justice and Home Affairs (LIBE) Committee's draft report uses the potentially more granular 'uniform resource identifiers'. Like the LIBE Report, the Swedish Presidency's compromise text also inserts an additional Article 18a concerning delisting orders, per which online search engines can be obliged to take reasonable measures to delist an online location where CSAM can be found. Towards this end, a database of indicators shall be operated, which contains a list of URLs compiled for the purpose of issuing blocking and delisting orders.

Published By Polina Malaja
Polina Malaja is the Policy Director at CENTR, leading its policy work and liaising with governments, institutions and other organisations in the internet ecosystem.
Published By Marlene Straub
Marlene is the Senior Policy Advisor at CENTR. She focuses on policy developments and liaises with institutions, governments and other organisations in the internet ecosystem.

Related News

EU Policy Updates 09-05-2023
EU Policy Update – April 2023

EU Policy Update – April 2023

EU Policy Updates 10-11-2022
EU Policy Update – October 2022

EU Policy Update – October 2022

Polina Malaja
EU Policy Updates 14-06-2022
EU Policy Update – May 2022

EU Policy Update – May 2022

Polina Malaja