EU Policy Update - Outlook to 2021
In a nutshell: The end of 2020 was full of policy and legislative proposals to fill the EU bubble’s agenda in 2021. The European Parliament’s LIBE committee approved its position on the e-Evidence package. The European Commission published the following legislative proposals that are relevant for internet infrastructure actors: Europol’s revised mandate to increase its cooperation with private parties; the proposal for the Digital Services Act; the proposal for the NIS 2 Directive; and the proposal for a directive on the resilience of critical entities. In the coming months, the Commission is planning to come up with legislation on tackling the issue of child sexual abuse online and on digital identity.
The European Parliament approved its position on e-Evidence
On 11 December 2020, the Committee on Civil Liberties, Justice and Home Affairs (LIBE) of the European Parliament published its (awaited) Report on the proposal for a regulation on European Production and Preservation Orders for electronic evidence in criminal matters (e-Evidence). See our previous reporting on the file here, here and here. The Report attempts to take into consideration numerous concerns regarding the rule of law, the protection of fundamental rights and burdens on service providers to respond to countless data access orders by a myriad of law enforcement and judicial authorities across all EU Member States. For example, the report provides a way for the authorities in the 'executing state' to be involved when a foreign law enforcement/judicial authority issues a data access request to the service provider. The Report also instructs the Commission to establish “a common European exchange system with secure channels for the handling of authorised cross-border communication, authentication and transmission” of the data access orders and the requested data between the competent authorities and service providers. In case the data access order is incomplete or does not contain sufficient information, the service provider shall request clarification from the issuing authority, as well as the executing authority. The deadline to comply with foreign data access orders is 10 days and in emergency cases 16 hours, according to the Report. On 16 December the Report was approved by the European Parliament's plenary, and the trilogue negotiations can start with the Council of the EU and the European Commission on the final text of the legislation.
The European Commission unveiled its proposal for Europol's revised mandate
On 9 December 2020, the European Commission published its Proposal on Europol’s cooperation with private parties, the processing of personal data by Europol in support of criminal investigations, and Europol’s role on research and innovation. The legislative proposal allows Europol to exchange personal data with private parties and analyse this data with a view to identifying all Member States concerned and providing them with the information necessary to establish their jurisdiction in cross-border crimes, including when it comes to terrorist content online. According to the proposal, Europol should be able to receive personal data from private parties, inform such private parties of missing information and ask Member States to request other private parties to share additional information. The legislative proposal also gives Europol the possibility to act as a technical channel for exchanges between Member States and private parties.
The European Commission published its proposal for the Digital Services Act
On 15 December the European Commission published a Proposal for the Digital Services Act. The Proposal includes several points that are relevant to internet infrastructure actors, such as ccTLDs and registrars. Namely, domain name registries and registrars are considered to fall under the notion of “provider of intermediary services” for the purposes of the proposed regulation. This means that domain name registries and registrars can benefit from a liability exemption to the extent that they can be considered ‘mere conduit’, ‘caching’ and ‘hosting’ services, under the proposed regulation. According to the Proposal, a provider should be able to benefit from the exemptions from liability for ‘mere conduit’ and for ‘caching’ services when it is in no way involved with the information transmitted. The Proposal also upholds the prohibition of the general monitoring obligation, meaning that intermediaries are not encouraged to actively seek illegal content online. With regard to specific due diligence obligations applicable to all intermediaries, including the technical layer, the service providers will be obliged to provide a single point of contact for authorities, clarify any content moderation policies in their terms and conditions and engage in regular reporting on the actions they take.
The European Commission is planning to come up with a proposal on tackling the issue of child sexual abuse online
As indicated in the EU strategy for a more effective fight against child sexual abuse (see our previous reporting here) the Commission is planning to propose legislation “to tackle child sexual abuse online effectively including by requiring relevant online services providers to detect child sexual abuse on their services and to report any such abuse to relevant public authorities”. According to the Commission's Inception impact assessment, reports on child sexual abuse online in the EU “have seen a dramatic increase”. These reports result from voluntary action by companies to detect images, videos and text-based threats such as grooming. According to the Commission, “there are discrepancies among companies’ voluntary efforts, meaning there is likely to be much more content that is not being detected”. Regulatory intervention at EU level can inter alia be justified by “the cross-border nature dimension of the Internet”. One of the objectives of the regulatory intervention is to ensure the “effective prevention, investigation and prosecution of child sexual abuse offences”, and more specifically to “prevent the abuse of online infrastructure for child sexual abuse”. A few legislative options are currently being considered by the Commission: 1) a legal framework establishing a legal basis for voluntary measures to detect, report and remove previously known and new material; 2) a legal framework for voluntary measures and a binding obligation for relevant service providers to detect, report and remove known material; 3) a legal framework which creates a binding obligation for relevant service providers to detect, report and remove child sexual abuse from their services, applicable to both known and new material. The legislative proposal is expected to be published in the second quarter of 2021.
The European Commission issued the EU's Cybersecurity Strategy for the Digital Decade
On 16 December, the European Commission published the EU Cybersecurity Strategy for the Digital Decade. The strategy stresses that the “threat landscape is compounded by geopolitical tensions over the global and open Internet and over control of technologies across the whole supply chain”. In particular, “the malicious targeting of critical infrastructure is a major global risk”. The centralisation of “essential Internet services for communications and hosting, applications and data” in the hands of a “few private companies” leaves the European economy and society “vulnerable to disruptive geopolitical or technical events which affect the core of the Internet[...]”. The strategy aims to ensure a global and open internet “with strong guardrails” to address risks to the security and fundamental rights of Europeans. To increase cybersecurity resilience in the EU, the Commission unveiled its proposal for the revised NIS Directive (see below). In the area of certification, the first Union Rolling Work Programme is expected to be adopted in the first quarter of 2021, focusing on the security of connected products. When it comes to the global DNS, the Commission intends “to develop a contingency plan, supported by EU funding, for dealing with extreme scenarios affecting the integrity and availability of the global DNS root system”. The Commission also intends to support the development of a public European DNS resolver service: the ‘DNS4EU’ initiative which “will offer an alternative, European service for accessing the global Internet”, in addition to existing public DNS resolvers. The Commission also intends to “better prevent the abuse of domain names” and “pursue the availability of accurate registration data” by continuing to engage with ICANN and other stakeholders in the Internet Governance system.
In the field of standardisation, “shaping international standards in the areas of emerging technologies and the core internet architecture in line with EU values is essential to ensure that the Internet remains global and open, that technologies are human-centric, privacy-focused, and that their use is lawful, safe and ethical.”
The European Commission published a proposal for the NIS 2.0 Directive
On 16 December, as part of its EU Cybersecurity Strategy for the Digital Decade, the Commission published a proposal for a directive on measures for a high common level of cybersecurity across the Union, or the revised Directive on Security of Networks and Information Systems (NIS 2). The new Commission proposal “aims to address the deficiencies of the previous NIS Directive, to adapt it to the current needs and make it future-proof”. The proposal eliminates the distinction between operators of essential services and digital service providers. Entities are classified “based on their importance” and divided between essential and important categories. Top-level domain (TLD) registries are considered “essential entities”, together with other actors that are “critical for the integrity of the internet”, i.e. all providers of DNS services along the DNS resolution chain, including operators of root name servers, authoritative name servers for domain names and recursive resolvers. The digital infrastructure sector under “essential entities” has also been enlarged to include cloud computing service providers, data centre service providers, content delivery network providers, trust service providers and providers of public electronic communications networks. Most notably, the proposal includes an obligation on TLD registries, and the entities providing domain name registration services for the TLD, to collect and maintain accurate and complete domain name registration data. Furthermore, such entities are required to provide efficient access to domain registration data for legitimate access seekers, under the proposed NIS 2.
The European Commission published a proposal for a directive on the resilience of critical entities
On 16 December the Commission published a proposal for a directive on the resilience of critical entities. The proposal aims to “enhance the provision in the internal market of services essential for the maintenance of vital societal functions or economic activities by increasing the resilience of critical entities providing such services”. According to the Commission, the proposal is “consistent and establishes close synergies” with the proposed NIS 2 Directive, and is expected to replace the earlier European Critical Infrastructure (ECI) Directive (see our previous reporting here). The proposed directive covers all critical sectors, namely energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration and space. When it comes to the digital infrastructure sector, the proposal for the directive aims to make sure that competent authorities under the proposed directive and the NIS 2 directive take “complementary measures and exchange information as necessary regarding cyber and non-cyber resilience”. According to the proposal, entities in the digital infrastructure should be treated as “entities equivalent to critical[...] pursuant to the directive” but solely for the purposes of the obligations and activities of Member States, while the Directive would not entail any additional obligations on providers.
EU digital identity legislation is expected in 2021
As reported earlier, the European Commission is working on legislation to provide for an “EU-wide framework for secure public electronic identification” and a “secure European e-identity”. According to the Commission, the change in eID legislation (the eIDAS regulation) is necessary as its implementation is weak and uptake by citizens is low. Additional challenges include difficulties in interoperability and lack of user convenience. Furthermore, only 59% of the EU’s population has access to operational eID schemes. On the other hand, eID solutions provided by platforms create risks for further market dominance, user lock-in and loss of control over data, according to the Commission. To this end, the Commission is considering three possibilities for the upcoming legislation on eIDs: 1) to strengthen the eIDAS regulation by including the private sector under its scope; 2) to accredit private providers as a “Trust Service”; 3) “Self-Sovereign Identity” based on a W3C standard.