In a nutshell: Negotiations on the DSA and NIS 2 reached a new milestone as the Council of the EU adopted its General Approach on both legislative initiatives. ENISA published its NIS Investments Report for 2021, highlighting the costs incurred by operators of essential services to comply with the NIS Directive. Europol published its Internet Organised Crime Threat Assessment for 2021. The Slovenian Presidency issued a Progress Report on the EUID proposal. The EDPB published its guidelines on international data transfers and raised concerns regarding the Digital Services Package currently under negotiation in the EU. The Advocate-General of the Court of Justice of the European Union issued an opinion in a case on state-enabled data retention in the electronic communications sector. Home Affairs Ministers released a Joint Statement during a Ministerial conference on the prevention and investigation of child sexual abuse.
The Council of the EU approved its General Approach on the DSA
On 25 November, the Council of the European Union approved its General Approach on the Digital Services Act (DSA) (see our previous reporting here). The General Approach clarifies that, in addition to domain name system (DNS) services and top-level domain (TLD) name registries, registrars could also fall under the scope of ‘mere conduit’ intermediary services, and may therefore be exempt from liability for illegal content accessible online via their services. When receiving orders to act against illegal content or to provide information, the General Approach obliges providers of intermediary services to “inform the recipient of the service who provided the content […] of the order received and the effect given to it”. The General Approach also clarifies that the DSA should “not provide a legal basis” for the issuing of such orders, nor for their territorial scope or cross-border enforcement. The EU or national law providing the basis for the order “may require additional conditions” for such orders and should also be the basis for their enforcement. As for the traceability-of-traders obligation (the so-called ‘Know Your Business Customer’ obligation), the General Approach limits its reach to online marketplaces, as opposed to all online platforms in the European Commission’s initial proposal.
The Council of the EU adopted its General Approach on NIS 2
On 3 December, the Council of the EU adopted its General Approach on the proposal for a directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive) (see our previous reporting here). The General Approach explicitly excludes root name server operators from the scope of the NIS 2 Directive. When it comes to the registration data accuracy obligation in Article 23, the General Approach states that TLD registries and registrars “should in particular verify the name and the email address of the registrant”. The Council also stresses that the accurate registration datasets maintained under Article 23 will have to include at least the registrant’s name, surname and e-mail address, as well as the corresponding domain name and registration date. The text also suggests that TLD registries and registrars should have to respond to data access requests from legitimate access seekers within 72 hours and free of charge. Such legitimate access seekers should include “competent authorities under Union or national law in the area of national security and criminal justice or CSIRTs”. The General Approach states that in cases of significant cyber threats, entities should notify “their service recipients in parallel to the competent authorities or CSIRTs of the threat itself”. The text also highlights that obligations under the NIS 2 Directive should be strictly limited to cybersecurity risk-management measures and reporting, “without prejudice to the governance of the global DNS by the multi-stakeholder community”.
ENISA published its NIS Investments Report for 2021
On 17 November 2021, the European Union Agency for Cybersecurity (ENISA) published its NIS Investments Report. The report aims to give an overview of the budget allocated to network and information systems (NIS) security by operators of essential services (OES) and digital service providers (DSP), as designated under the EU Directive on security of network and information systems (NIS Directive). According to the report, 67% of OES/DSP “required a dedicated budget for the NIS Directive implementation” and spent on average EUR 98 000 on implementing the NIS Directive. 50% of organisations “required on median four additional full-time employees” to implement the directive. The report also outlines that OES/DSP have mainly invested in governance, risk and compliance, network security and vulnerability management in order to implement NIS. Regarding the NIS Directive’s impact on their cybersecurity, 48.9% of surveyed OES/DSP responded that the Directive enhanced their detection capabilities, “while 26% believe that it has strengthened their ability to recover from incidents”. Most OES/DSP also stated that “their information security controls meet or exceed industry standards”, with only 5% reporting that they do not. The report also outlines that 67.8% of the organisations surveyed report never having experienced a major security incident.
Europol published its Internet Organised Crime Threat Assessment for 2021
Europol published its annual Internet Organised Crime Threat Assessment (IOCTA), assessing the state of cyber- and computer-related crime over the past 12 months. According to Europol’s findings in 2021, “COVID-19 continues to have a significant impact on the European fraud landscape in the second year of the pandemic”, while “phishing and social engineering remain the main vectors for payment fraud, increasing in both volume and sophistication”. Targeting the “grey infrastructure” that facilitates ransomware criminals, notably “bulletproof hosters”, and imposing “KYC and AML requirements for cryptocurrency exchanges globally”, is outlined as a way forward to tackle ransomware. Beyond “bulletproof hosters”, services falling under grey infrastructure include “rogue cryptocurrency exchanges, and VPNs that provide safe havens for criminals”, according to Europol. According to IOCTA 2021, criminals are also increasingly directing their efforts “to compromise digital supply chains”: because organisations need to grant network access to update distributors, this makes “third-party service providers an ideal target”. IOCTA 2021 also mentions FluBot, a mobile banking trojan that uses a domain generation algorithm (DGA) to locate its command-and-control infrastructure, as “one of the most prolific mobile banking trojans”. Among the legislative changes that, according to Europol, would help law enforcement authorities is the availability of “quality data exchange with service providers”. More specifically, “clearer rules for registering IP addresses and domains could increase this data quality”, according to IOCTA 2021.
Slovenian presidency issued a Progress Report on the EUID proposal
The Slovenian Presidency issued a Progress Report on the state of play of the proposal for a Regulation establishing a framework for a European Digital Identity (‘EUID Regulation’). The EUID Regulation would amend the eIDAS Regulation of 2014. The EUID proposal requires Member States “to issue a European Digital Identity Wallet under a notified eID scheme”, with the goal of providing “universal access[...] to secure and trustworthy electronic identification and authentication”. The Progress Report notes the complexity of this legislative initiative and highlights concerns voiced by some Member States regarding “the interplay between the proposal and the NIS 2 Directive”, which may create confusion as to the competent authorities and their supervisory competences. According to the Progress Report, “identity matching was also debated, as the adoption of unique and persistent identifiers appeared potentially problematic”. Some Member States also stressed “the need to respect the competence structure of national authorities and national access policies to registers”. Consequently, drafting the Council’s position on the EUID proposal will be a task for the upcoming French Presidency.
The European Data Protection Board issued a statement on the Digital Services Package and Data Strategy
On 18 November, the European Data Protection Board (EDPB) issued a Statement on the Digital Services Package and Data Strategy, raising concerns about digital proposals such as the Digital Markets Act (DMA), the Data Governance Act (DGA) and the Digital Services Act (DSA). According to the EDPB, these legislative proposals would “significantly impact on the protection of the fundamental rights to privacy and the protection of personal data” and risk creating a “lack of protection of individuals’ fundamental rights and freedoms”, “fragmented supervision” and inconsistencies between the proposals. On fragmented supervision under the Digital Services Package, the EDPB urges policymakers to address potential overlaps in the competences of the different ‘European Boards’ to be established under the various legislative initiatives. The EDPB strongly recommends that each of the proposals explicitly mention “data protection supervisory authorities among the relevant competent authorities with whom cooperation shall take place”. The proposals should also “provide for an explicit legal basis for the exchange of information necessary for effective cooperation and identify the circumstances in which cooperation should take place”. Competent supervisory authorities should also be able to “share information obtained in the context of any audits and investigation that relate to the processing of personal data with the competent data protection authorities, either upon request or on their own initiative”. To avoid ambiguities between the proposals, the EDPB also asks that each proposal “clearly state that they shall not affect or undermine the application of existing data protection rules”.
The European Data Protection Board adopted Guidelines on international data transfer rules under the GDPR
On 18 November, the EDPB adopted Guidelines to help controllers and processors identify whether their international data transfers fall under the scope of Chapter V of the GDPR. Chapter V aims to ensure that “the level of protection guaranteed by the GDPR is not undermined” when personal data is transferred “to third countries or to international organisations”. Because personal data transferred to, and made accessible by, entities outside the EU leaves the direct reach of the GDPR, it must be protected in other ways: either by an adequacy decision of the European Commission or by appropriate safeguards under Article 46 of the GDPR. To guide controllers and processors in identifying whether a transfer must comply with Chapter V, the EDPB sets out three cumulative criteria under which processing qualifies as a “transfer”: 1) “a controller or a processor is subject to the GDPR for the given processing”, 2) “this controller or processor (“exporter”) discloses personal data by transmission or otherwise makes it available to another controller, joint controller or processor (“importer”)”, and 3) “the importer is in a third country or is an international organisation”. The EDPB then illustrates situations in which the international data transfer provisions apply: 1) a controller in the EU sends data to a processor in a third country, 2) a processor in the EU sends data back to its controller in a third country, 3) a processor in the EU sends data to a sub-processor in a third country, and 4) a subsidiary (controller) in the EU shares data with its parent company (processor) in a third country. In such cases, appropriate safeguards must be put in place to ensure adequate protection (e.g. Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), codes of conduct, certification mechanisms, ad hoc contractual clauses or international agreements).
If the criteria identified by the EDPB are not all met, there is no “transfer” and Chapter V of the GDPR does not apply, according to the Guidelines.
The Advocate-General of the Court of Justice of the European Union issued an opinion on data retention regarding electronic communications
Advocate General (AG) Campos Sánchez-Bordona of the Court of Justice of the European Union (CJEU) delivered an opinion in joined cases on personal data retention in the electronic communications sector, including within the provision of internet access. The cases were referred to the CJEU by national courts, with several Member States arguing that the CJEU’s stance on data retention (notably in the La Quadrature du Net case) “could deprive State authorities of an instrument necessary to safeguard national security and to combat crime and terrorism”. In his opinion, the AG responds to the Member States’ concerns by recalling that, “apart from the situation justified by the defence of national security, the storage of electronic communications data must be targeted”. That targeting, according to the AG, “may be established in accordance with the categories of persons concerned or based on geographical criteria”. Under the EU legal framework, the retention of traffic and location data of all users (permissible only for national security purposes) needs to be limited in time. Furthermore, such a data retention regime can only be in place “as long as there are sufficiently solid grounds for considering that the Member State concerned is confronted with a serious threat to national security which is shown to be genuine and present or foreseeable”, and the persons concerned must have effective safeguards against the risk of abuse. The AG also recalls that CJEU case law requires access to retained data by competent national authorities to be subject to “prior review by a court or an independent authority”. Finally, the AG calls on the EU Member States to abandon “any attempt to prescribe the general and indiscriminate storage of all traffic and location data”.
Home Affairs Ministers released a Joint Statement during a Ministerial conference on the prevention and investigation of child sexual abuse
On 12 November 2021, Home Affairs Ministers of the EU Member States, the Schengen States, the Western Balkans and the United States of America released a Joint Statement at a Ministerial Conference on the Prevention and Investigation of Child Sexual Abuse. The statement recalls that tackling child sexual abuse online is a priority for the Slovenian Presidency and for EU Member States. Ministers welcome the involvement of Europol, Eurojust and Interpol and point out that stakeholders should work together to better identify victims and bring offenders to justice. They acknowledge the “paramount importance” of guaranteeing law enforcement access to data to better detect, prevent, investigate and prosecute child sexual abuse. To ensure this, appropriate solutions should be put in place “regarding data retention, encryption, e-evidence[...]”. The ministers nevertheless stress that such solutions must respect the fundamental rights to privacy, the protection of personal data and a fair trial. They also welcome the Commission’s plans for an upcoming legislative proposal to prevent and combat child sexual abuse, “which may propose obligations on online service providers[...]”. The EU legislative proposal may also envisage the establishment of “an EU centre to prevent and combat child sexual abuse”. According to the statement, the new EU centre “should support law enforcement and industry to detect, report and remove child sexual abuse online, and facilitate Member States’ efforts on prevention and assistance to victims.”