EU Policy Update – May 2021
In a nutshell: The European Parliament is steadily advancing on developing its positions on the proposals for the Digital Services Act, the NIS 2 Directive, the CER Directive, and has adopted a resolution on the challenges of sports events organisers. The Portuguese presidency in the Council of the EU published a progress report on the Digital Services Act. ENISA published its first EU cybersecurity certification scheme. The Cybercrime Convention Committee within the Council of Europe approved the draft of the 2nd Additional Protocol to the Budapest Convention concerning access to electronic evidence. The European Data Protection Board expressed concerns over the alignment of the draft text of the 2nd Additional Protocol to the Budapest Convention with the EU data protection framework.
LIBE issued a Draft Opinion on the Digital Services Act
On 19 May, the European Parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE) published its Draft Opinion on the Digital Services Act (DSA) proposal. The key proposals in the Draft Opinion include “the right to use and pay for digital services anonymously wherever technically possible”. Most notably for mere technical intermediaries, the Draft Opinion stresses that “illegal content should be removed where it is hosted, and mere conduit intermediaries should not be required to block access to content”. When it comes to assessing the legality of content, the Draft Opinion stresses that “the decision on the legality of content should rest with the independent judiciary, not with administrative authorities”. Furthermore, “end-to-end encryption should not be restricted as it is essential for internet safety”, according to the Draft Opinion.
IMCO issued a Draft Report on the Digital Services Act
On 28 May, the European Parliament's Committee on the Internal Market and Consumer Protection (IMCO) issued its Draft Report on the DSA proposal. The Draft Report suggests a clarification of the definition of ‘illegal content’, and most notably suggests expanding the “Know-Your-Business-Customer” (KYBC) principle to all intermediaries, including domain name registries and content delivery networks. The suggested KYBC principle in the Draft Report requires all intermediaries, including domain name registries and content delivery network providers, to collect a certain dataset that includes billing data, physical address, phone number, a copy of identification, etc. The Draft Report also attempts to reinforce the powers of the Digital Services Coordinators and the European Commission to restrict access to the interface and/or transfer a domain name to a competent public authority in case of “repeated infringements of the obligations laid down in the Regulation or to avoid the risk of serious harm”.
Portuguese presidency in the Council of the EU published a progress report on the Digital Services Act
On 12 May, the Portuguese presidency in the Council of the EU published a progress report on the discussions on the DSA proposal within the Council of the EU. According to the progress report, the discussions up until the publication of the report have particularly concentrated “on the general architecture, scope and substantial provisions, as well as the overall enforcement system of the future Regulation”. Some of the most sensitive political and legal issues according to the Member States are enforcement issues, as well as the need for better cross-border cooperation among Digital Services Coordinators, joint investigation and requests for Commission intervention. The issue of effective enforceability also concerns non-EU service providers “who offer their services in the Union, but do not comply with the obligations of the proposed Regulation”. Member States also broadly support the introduction of the KYBC-principle, and some suggest expanding the scope to include other types of intermediaries, as well as micro- and small enterprises.
The European Parliament adopted a resolution on the challenges of sports events organisers
On 19 May, the European Parliament adopted a resolution with recommendations to the European Commission on the challenges of sports events organisers in the digital environment. The resolution notes that the illegal transmission of sports events and the dissemination of illegal content online are harmful to end users “due for example to such end users being exposed to personal data theft, malware or other online related forms of harm or detriment” and asks the Commission to “submit without undue delay” a proposal for legislative acts that ensure the protection of live sports event broadcasts. The resolution notes that “injunction procedures are relatively long and usually come into effect after the broadcast has ended” and points to the practices developed at national level, such as “live injunctions and dynamic injunctions, that have proved to be a means of tackling piracy of sports event broadcasts more efficiently”. As for concrete proposals for amending the current EU legal framework, the resolution calls for “Know-Your-Business-Customer obligations” on intermediaries under the Digital Services Act “to prevent their services from being abused to facilitate the illegal streaming of sports events”. Additionally, the resolution calls for harmonised legislation “allowing, where live sports events are concerned, for the use of injunctions that should have the effect of blocking the access not only to the infringing website, but to any other website that contains the same infringement, regardless of the domain name or IP address used, and without the need for a new injunction to be issued”.
ITRE issued a Draft Report on NIS 2
On 3 May, the European Parliament's Committee on Industry, Research and Energy (ITRE) issued a Draft Report on the proposal for a directive on measures for a high common level of cybersecurity across the Union (the NIS 2 Directive) (see our previous reporting here). The Draft Report excludes root name servers from the scope of the NIS 2 Directive as proposed by the Commission, and, for DNS service providers, specifies the scope to include “recursive domain name resolution services for internet end-users and authoritative domain name resolution services as a service procurable by third-party entities”. The Draft Report suggests promoting the use of “interoperable secure routing standards”, and suggests that “relevant stakeholders including Union businesses, internet service providers and browser vendors should be encouraged to adopt a DNS resolution diversification strategy”. DNS service providers “should use state-of-the-art security protocols, offer users the possibility to actively avoid resolving malign traffic, should respect privacy and should be discouraged from monetising user data”, according to the Draft Report. When it comes to the registration data accuracy obligation applicable to domain name registries and registrars, the Draft Report adds verification criteria in addition to the obligation to collect “accurate and complete” registration data. Domain name registries and registrars “should aim to ensure the integrity and availability of such data by implementing technical and organisational measures, such as a confirmation process for registrants”, according to the Draft Report. When it comes to access to registration data, the Draft Report suggests that registries and registrars should respond to WHOIS access requests within 72 hours.
The Draft Report suggests including a definition of domain name registration services that comprises “services provided by domain name registries and registrars, privacy or proxy registration service providers, domain brokers or resellers, and any other services which are related to the registration of domain names”. The Draft Report also specifies that the relevant information that registries, registrars and other entities providing domain name registration services should collect, keep accurate and complete, and verify should at the very least include “the registrants' name, their physical and email address as well as their telephone number”.
IMCO issued a Draft Opinion on NIS 2
On 4 May, the European Parliament's IMCO committee issued a Draft Opinion on the NIS 2 Directive proposal. The Draft Opinion attempts to limit the scope of the NIS 2 Directive based not only on the size of entities (TLD sector excluded!) but also on an assessment of the criticality of entities within each sector. This would allow medium and large entities which, following a risk assessment, are of a low level of criticality and dependency on otherwise critical entities to be left outside the scope of the Directive, according to the Draft Opinion. Similarly to the ITRE Draft Report, the Draft Opinion adds the obligation on registries and registrars to verify registration data.
ITRE issued a Draft Opinion on the proposal for a directive on the resilience of critical entities
On 3 May, the European Parliament's ITRE committee issued a Draft Opinion on the proposal for a directive on the resilience of critical entities (CER Directive) (see our previous reporting here). The Draft Opinion attempts to clarify that Member States should take measures to avoid double reporting and control due to the two separate CER and NIS 2 directives. The Draft Opinion also suggests equating the single points of contact within supervising authorities under both the CER and NIS 2 Directives. The Draft Opinion also suggests that critical entities under the CER should “without imposing, or discriminating in favour of, the use of a particular type of service or technology, make use of accepted European standards and specifications relevant to the resilience of critical entities”.
ENISA published its first EU cybersecurity certification scheme
On 26 May, the European Union Agency for Cybersecurity (ENISA) formally transmitted to the European Commission the first candidate cybersecurity certification scheme on Common Criteria. The scheme aims to serve as a successor to existing schemes operating under the SOGIS MRA (Senior Officials Group Information Systems Security Mutual Recognition Agreement). The scheme covers the certification of ICT products, using the Common Criteria ISO/IEC 15408 and is intended to form the foundation of a European Cybersecurity certification framework. The latter will consist of several schemes, and it is expected to gradually increase trust in ICT products, services and processes certified under these schemes and reduce costs within the Digital Single Market, according to ENISA. The second candidate scheme in the making is related to cloud services, and ENISA is about to launch the preparation of an EU cybersecurity certification scheme on 5G.
The 2nd Additional Protocol to the Budapest Convention approved by the preparatory committee
On 28 May, the Cybercrime Convention Committee (T-CY), representing the signatory parties to the Council of Europe's Budapest Convention, approved the draft of the 2nd Additional Protocol to the Convention on Cybercrime (see our previous reporting here). The 2nd Additional Protocol concerns cross-border access to electronic evidence, including domain name registration data (Article 6), across all signatory parties to the Cybercrime Convention. According to the Council of Europe, experts from the 66 States that are currently parties to the Budapest Convention from Africa, the Americas, Asia-Pacific and Europe participated in its preparation, including in more than 95 drafting sessions. Following T-CY approval of the draft Protocol on 28 May, it will be further considered by the relevant Council of Europe bodies. Formal adoption is expected in November 2021 and opening for signature in early 2022. Once signed and ratified, the Cybercrime Convention together with its additional protocols will be considered a legally binding and enforceable international instrument.
The European Data Protection Board provided feedback in the last public consultation round of the 2nd Additional Protocol to the Budapest Convention
On 4 May, the European Data Protection Board (EDPB) submitted written comments on the draft 2nd Additional Protocol to the Budapest Convention. In its written submission, the EDPB stresses the need for the EU negotiating parties to ensure that “the provisions laid down in the additional protocol do comply with the EU acquis in the field of data protection in order to ensure its compatibility with EU primary and secondary law”. From an EU data protection law point of view, the protocol will be applicable for the disclosure and transfer of personal data from the EU to third countries. Regarding the provision enabling requests for domain name registration information (Article 6), the EDPB recalls that the conditions under which an entity providing domain name services must grant such access must be provided by law, to ensure that the processing relies on a clear legal basis and that the data protection safeguards are enforceable. The EDPB expresses concern over the “lack of commitment at the level of the protocol” that entails the risk of the provision lacking any protecting effect regarding the processing of the personal data already disclosed.