EU Policy Update – November 2020

EU Policy Updates 08-12-2020

In a nutshell: The European Commission published a New Consumer Agenda, an Intellectual Property Action Plan and a proposal for a Data Governance Act regulation. The Representative Action Directive is awaiting its publication in the Official Journal of the EU. The European Data Protection Board issued its post-Schrems II recommendations for data transfers. The European Data Protection Supervisor issued an opinion on the temporary e-Privacy derogation proposal. The European Parliament’s LIBE Committee proposed amendments to the temporary e-Privacy derogation proposal.

Consumer Protection

The European Commission presented its “New Consumer Agenda”

On 13 November, the European Commission published its vision for EU consumer policy from 2020 - 2025 in the New Consumer Agenda ('the Agenda'). The Agenda outlines “the surge in consumer scams, deceptive marketing techniques and fraud in online shopping, to which an increasing number of consumers have fallen and continue to fall victim” as one of the concern areas for consumer protection in the EU that has come to the fore during the COVID-19 pandemic. To this end, the Agenda calls for “a need to keep a close watch for online scams and to further increase cooperation with other relevant networks including law enforcement authorities, domain registries[...]”. As a result, the Commission pledges to “support and facilitate cooperation between the Consumer Protection Cooperation network and other networks and stakeholders to tackle consumer scams, unfair marketing practices and fraud”. When it comes to the enforcement of consumer rights, the Agenda cites the strong basis for joint EU action under the Consumer Protection Cooperation (CPC) Regulation. The Agenda outlines that the Commission “will not hesitate to make use of its powers under the [CPC]Regulation to trigger coordinated enforcement actions on EU-wide issues where necessary”. In this regard, one of the focus areas for further work is “the impact of COVID-19 on consumer rights”, i.e. scams. To support the authorities under the CPC Regulation, the Commission is also planning to fund a project to set up an ‘EU e-Lab’ “as a platform that will provide a common toolbox that authorities can use to carry out online investigations and monitor dangerous products sold online”. This toolbox should include the deployment of “advanced IT solutions, using AI, data mining techniques and webcrawlers”.

The Representative Action Directive was formally adopted by the European Parliament

The European Parliament formally endorsed the Representative Action Directive (the latest version of the text is available here), as part of the enhanced consumer protection package in the EU. The new law will allow consumer groups to launch collective action in the EU for the purpose of injunction (ceasing or prohibiting) or redress (compensation) against the traders in areas such as data protection, travel and tourism, financial services, energy and telecommunication. Representative actions for collective redress can only be pursued if the national courts or authorities confirm that the trader has indeed broken EU law. The directive will enter into force 20 days following its publication in the Official Journal of the EU. Member states will then have 24 months to transpose the directive into their national laws, and an additional six months to apply it. The new rules will apply to representative actions brought on or after its date of application.

Intellectual Property

The European Commission published an Intellectual Property Action Plan

On 25 November the European Commission published a communication on “Making the most of the EU’s innovative potential: An intellectual property action plan to support the EU’s recovery and resilience” (‘IP Action Plan’). The IP Action Plan identifies intellectual property (IP) a “key asset to be able to compete globally” and stresses that “the quality of patents granted in Europe is among the highest in the world”. In digital technologies, European companies are leaders in “connectivity technologies”, according to the IP Action Plan. A few notable plans and initiatives concerning DNS, registries and registrars are highlighted below:

  • The management of IP rights remains a challenge and to this end the European Commission wants to provide a “one-stop shop access to information and advice about IP”, in cooperation with the EUIPO. The EUIPO “will develop a platform, the European IP Information Centre, which will be linked to the Single Digital Gateway and will offer access to all relevant information not only on IP formalities but also on related services (e.g. filing for domain name protection[...])”, according to the IP Action Plan. Regarding counterfeiting and piracy, the Commission “sees a clear need to step up efforts”.
  • The Commission aims to reinforce cooperation between “all involved players”, including domain name registries and registrars, to “curb piracy and counterfeiting”. To this end, the Commission plans to establish an EU Toolbox against counterfeiting (Q2 2022) that “will clarify roles and responsibilities and identify ways to work together”. One of the elements of the EU Toolbox is “the sharing of relevant data on products and traders, in compliance with EU data protection law”.
  • To protect the value of brands, the Commission plans to “step up its participation in global internet fora so that the international domain name system (DNS) fully respects IPRs, including Geographical Indications (GI), and ensure that IP protection is also reflected appropriately in policies concerning the governance of the domain name space and access to information on registrants (“Whois” data)”.

Data protection

The European Data Protection Board issued its post-Schrems II recommendations for data transfers

The European Data Protection Board (EDPB) published its recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. The recommendations are given in the context of the Schrems II ruling that invalidated EU-US Privacy Shield used as a legal basis for transatlantic data transfers. As a first step, the EDPB advises exporters “to know your transfers” by completing a mapping exercise of all transfers of personal data to third countries. A second step is to “verify the transfer tool your transfer relies on, amongst those listed under Chapter V GDPR”. In case there is no valid adequacy decision issued by the European Commission under Article 45 GDPR, exporters need to rely on one of the transfer tools listed under Article 46 GDPR. A third step is to “assess if there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools”. Any assessment in this regard need to be documented thoroughly, as “you will be held accountable to the decision you may take on that basis”. A fourth step is to “identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence”. If no supplementary measures are suitable, “you must avoid, suspend or terminate the transfer to avoid compromising the level of protection of the personal data”. Supplementary measures can be of contractual, technical or organisational nature. A fifth step is to “take any formal procedural steps the adoption of your supplementary measure may require”. The sixth and final step will be for exporters to regularly re-evaluate “the level of protection afforded to the data you transfer to third countries and to monitor if there have been or there will be any developments that may affect it”.

The European Commission published a proposal for a Data Governance Act

On 25 November, the European Commission published a Proposal for a Regulation on European data governance (Data Governance Act). The Data Governance Act proposal aims to foster the availability to re-use personal data from the public sector, private sector and individuals. Individuals will be able to share personal data voluntarily in so-called “personal data spaces”. According to the Commission’s Questions and Answers document: these personal data spaces are “novel personal information management tools and services” that will make it easier for Europeans to allow the re-use of their data for the benefit of society. The Data Governance Act will also establish a concept of “data intermediaries” (e.g. “data marketplaces”), a special category of data sharing providers that can act as a “as a tool to facilitate the aggregation and exchange of substantial amounts of relevant data”. According to the Proposal these data intermediaries need to be neutral and cannot exchange data with third parties for their own interest.

Child protection

The European Data Protection Supervisor issued an opinion on the temporary e-Privacy derogation proposal

On 10 November, the European Data Protection Supervisor (EDPS) issued an opinion on the temporary e-Privacy derogation proposal for the purposes of combatting child sexual abuse, published by the European Commission in September (hereinafter the Proposal). The Proposal aims to allow providers of communications services such as web-based email and messaging services to continue detecting child sexual abuse online on their provided services. The EDPS stresses that the confidentiality of communications is a cornerstone of the fundamental rights of respect for private and family life and the protection of personal data. Even voluntary measures by private companies constitute an interference with these rights when the measures involve the monitoring and analysis of the content of communications, according to the EDPS. Any interference of fundamental rights under EU primary law must be provided for by law, respect the essence of rights to privacy and data protection, be proportionate and necessary, and genuinely meet the objectives of general interest recognised by the EU. According to the EDPS, the Proposal does not clearly indicate whether or not it seeks to provide a legal basis within the meaning of Article 6 GDPR, as it merely concerns the voluntary processing of content or traffic data for the purpose of detecting child sexual abuse online. Due to the absence of an impact assessment accompanying the Proposal, the Commission has yet to demonstrate that the measures envisaged by the Proposal are strictly necessary, effective and proportionate, according to the EDPS.

The LIBE Committee in the European Parliament proposed amendments to the temporary e-Privacy derogation proposal

The Committee on Civil Liberties, Justice and Home Affairs of the European Parliament (LIBE) is responsible for driving forward the Parliament's position on the temporary e-Privacy derogation proposal for the purposes of combatting child sexual abuse. On 13 November, the Rapporteur MEP Birgit Sippel issued a Draft Report, where end-to-end encryption is called out to be “an important tool to guarantee secure and confidential communications of users, including that of children”. Furthermore, any weakening of encryption can potentially be abused by malicious third parties, and therefore nothing in the proposed regulation should be interpreted as prohibiting or weakening end-to-end encryption, according to the Draft Report. The Draft Report also calls for limiting the scope of the regulation to apply only to videos or images exchanged over messaging or email services, excluding the scanning of text and audio communication. On 26 November, over 200 amendments were filed to the Draft Report by members of the LIBE committee.

Published By Polina Malaja
Polina Malaja is the Policy Director at CENTR, leading its policy work and liaising with governments, institutions and other organisations in the internet ecosystem.