EU Policy Update – Summer 2020
In a nutshell: Germany took over the presidency of the Council of the EU starting from 1 July. The European Commission published the EU Security Union Strategy and the EU strategy for a more effective fight against child sexual abuse. It is also planning to revise the intellectual property rights protection framework in the EU and is currently consulting the public on its eIDAS Regulation revision plans. The European Parliament’s Committees have finalised a few Opinions on the numerous own-initiative reports to give more context and drive the legislative debate on the Digital Services Act. The European Court of Justice ruled that intellectual property rightholders cannot require social platforms to give out IP addresses, and invalidated the EU-US Privacy Shield Decision in its ground-breaking ruling concerning Facebook. The Advocate General of the European Court of Justice issued an opinion in the case about platform liability for intellectual property rights infringements committed by end-users.
Germany took over the EU presidency from 1 July
From 1 July to 31 December 2020, Germany holds the presidency of the Council of the EU. While leading the discussions within the EU co-legislator, the Council of the EU, Germany is prioritising Europe's "technological sovereignty", which according to Germany's Presidency programme is needed "more than ever" in light of the COVID-19 pandemic. In Germany's view, this also includes "the establishment of a high-performance, sovereign and resilient European digital infrastructure", supported by "common European standards and norms" and championed by European values and fundamental rights. To this end, Germany is emphasising "data sovereignty" and EU users’ ability to "store data securely on their devices without it being accessed by third parties", which would be ensured by creating legal conditions for all devices to feature "secure storage options or standardised secure elements". In its presidency priorities, Germany also calls for the "democratisation of the internet" and outlines its special focus on "fighting hate crime and racism". On e-evidence gathering, Germany commits to "strengthen judicial cooperation on combating cross-border crime". On cybersecurity, Germany strives to "encourage closer cooperation between the Member States in the area of network and information security, particularly with regard to the protection of critical infrastructure and other enterprises in the public interest".
The European Commission issued EU Security Union Strategy
On 24 July, the European Commission unveiled its EU Security Union Strategy. The Strategy emphasises the protection and resilience of critical infrastructure, including digital infrastructure, as an attack on the latter "could lead to disruptions in networks for power or finance". To this end, the European Commission is "looking into whether new frameworks for both physical and digital infrastructures could bring more consistency and a more coherent approach to ensuring the reliable provision of essential services". According to the Strategy, Europe needs to be "prepared for possible future crises threatening the security, stability and resilience of the internet", by being "robust against cyber incidents and malicious online activities and limiting dependency on infrastructures and services located outside Europe". This, according to the Strategy, "will require a combination of legislation", including the NIS Directive review, and "looking at the deployment or hardening of core internet infrastructures and resources, notably the Domain Name System". The Strategy also emphasises the need for the European Parliament and the Council of the EU to advance on the negotiations of the legislative proposal for cross-border access to electronic evidence (e-Evidence). Notably, the Strategy specifically calls out the importance of access to domain name registration information (i.e. 'WHOIS data') for criminal investigations, cybersecurity and consumer protection. According to the Strategy, "access to this information is becoming more difficult", pending the adoption of a new WHOIS policy by ICANN. The Commission pledges to continue working with ICANN and the multistakeholder community "to ensure that legitimate access seekers, including law enforcement, can obtain efficient access to WHOIS data in line with EU and international data protection regulations". This will include assessing possible solutions, including further legislation to clarify rules for accessing WHOIS data.
Several opinions on the DSA were adopted by the Committees of the European Parliament
The European Parliament is steadily advancing on its numerous own-initiative reports to give more context and drive the legislative debate on the Digital Services Act (DSA). See our previous reporting here, here, and here. During the summer, several Opinions by different Parliamentary committees were adopted. Some notable excerpts for technical operators are identified below:
- Opinion of the Committee of Civil Liberties, Justice and Home Affairs (LIBE) to the Committee on the Internal Market and Consumer Protection (IMCO): LIBE stresses that the DSA should uphold the right to use digital services anonymously, where the nature of the services or the existing legislation does not require the identification or authentication of the user or the customer. LIBE takes the position that any measure in the DSA should concern illegal content only as it is defined in EU law and national jurisdictions and should not include legally vague and undefined terms, such as “harmful content”. LIBE stresses that the responsibility for enforcing the law, deciding on the legality of online activities and content, as well as ordering hosting service providers to remove or disable access to illegal content, rests with independent competent public authorities. LIBE stresses that the DSA should explicitly prohibit any obligation on hosting service providers or other technical intermediaries to use automated tools for content moderation. LIBE believes that infrastructure service providers, payment providers, and other companies offering services to digital service providers, should not be held liable for the content a user uploads or downloads on their own initiative.
- Opinion of the Committee on Culture and Education (CULT) to IMCO: CULT calls for certain online intermediaries, such as domain name registrars, hosting service providers or online advertising service providers, to be required to verify the identity of their business customers under the 'Know Your Business Customer (KYBC) protocol'. Such a KYBC protocol should be applied to business customers and should not impact the personal data of individual users. CULT also acknowledges the principle that purely passive digital services, such as internet access providers, are not responsible for the content conveyed over their services because they have no control over that content ('mere conduit'), have no active interaction with it or do not optimise it. According to CULT, this principle must be retained, as it is the cornerstone of a free internet. The Opinion adds that "open source software, open standards and open technologies are best suited to ensuring interoperability, fair competition, and accessibility". CULT calls on "Member States, in cooperation with internet operators, Europol and Eurojust, to make notification and removal procedures more effective in order to delete violent and child-pornography content".
- Opinion of CULT to LIBE: CULT believes that platform liability should be tailored to respect the size of the operator and that a clear distinction should be made between operators and their engagement with the content, "based on clear and verifiable criteria and aspects, such as editorial functions, actual knowledge and a certain degree of control".
Advocate General of the CJEU: Online platforms are not directly liable for copyright infringements committed by their users
The Advocate General (AG) of the CJEU Saugmandsgaard Øe has issued an opinion in the joint case of YouTube and Uploaded vs Intellectual Property rightholders, originating from German courts. The arguments put forward by the rightholders against YouTube and Cyando (operating Uploaded) question the business model itself, as "[...]such operators[...]have radically altered the value chain in the cultural economy[...]". In essence, the rightholders claim that these operators encourage the users of their platforms to upload attractive content which, in most cases, is protected by copyright, with an aim to monetise and significantly profit from that content through advertising (the 'YouTube' model) or subscriptions (the 'Cyando' model), without adequately remunerating the rightholders (the so-called "value gap"). Rightholders claim that by allowing users to upload and publish these protected works on their platforms, YouTube and Cyando are, therefore, carrying out 'communication to the public', which is a protected Intellectual Property (IP) right reserved exclusively for rightholders. By doing so, according to the rightholders, these platforms are directly liable for IP infringement. YouTube and Cyando invoked the safe harbour provision under Article 14 of the e-Commerce Directive (ECD) that exempts hosting service providers from direct liability for IP rights infringements committed by their users. In his opinion, AG Øe states that in the present cases of YouTube and Cyando, both platform operators are intermediaries who cannot be the ones carrying out the active role of 'communicating to the public', and as such cannot be directly liable for direct IP right infringement.
Furthermore, the IP rights framework established in the EU and invoked by the rightholders in the present cases, according to AG Øe, does not govern the question of the secondary liability of persons who deliberately facilitate the carrying out of illegal acts by third parties: "It would be for the EU legislature to introduce a secondary liability regime into EU law". When it comes to establishing such a secondary liability regime, according to AG Øe, it "[...]must seek to discourage conduct that facilitates copyright infringements without, however, discouraging innovation or hindering any legal use of goods or services that can also be used for illegal purposes". When it comes to Article 14 of the ECD, AG Øe considered in his opinion that this liability exception reserved for hosting service providers applies to "all forms of liability", irrespective of the nature of the content or of whether the liability is primary or secondary.
The European Commission is planning to revise the intellectual property rights framework in the EU
The European Commission has published a roadmap for its upcoming communication on the "Intellectual property action plan", which is expected to see the light of day in the course of Q3 2020. The roadmap acknowledges the need to ensure that intellectual property (IP) boosts the resilience of the EU economy and promotes the transition to the digital and the green economy. To this end, the Commission is exploring ways to "upgrade the system for IP protection", e.g. by enabling the Unitary Patent system to offer a "one-stop-shop" for patent protection and enforcement. Furthermore, the Commission is committed to "fight IP theft", e.g. by continuing to monitor the application of the Intellectual Property Rights Enforcement Directive, specifically injunctions; by stepping up the fight against counterfeiting and strengthening the responsibilities of online platforms within the Digital Services Act; and by "further clarifying how rightholders, intermediaries and law enforcement authorities at national and EU level should act, co-operate and share data".
The European Court of Justice ruled that rightholders cannot require social platforms to give out IP addresses
The European Court of Justice (CJEU) delivered a ruling in the case of an intellectual property rights infringement committed on YouTube by users who uploaded protected works without the authorisation of the rightholders. The rightholders demanded that YouTube provide them with a set of additional information relating to each of the users who had uploaded those works, namely: the email addresses, mobile phone numbers as well as the IP addresses used by the users in question to upload the files, and the IP address last used by those users to access their Google account in order to access the YouTube platform. Under the EU intellectual property rights law framework, competent judicial authorities can order, in response to a claim from rightholders, the disclosure of "the names and addresses" in connection with proceedings concerning an infringement of an intellectual property right, either from the infringers themselves or from a service provider whose commercial service was used in infringing activities. The referring court asked the CJEU whether the term "addresses" under EU intellectual property rights law includes e-mail addresses, phone numbers and IP addresses. The CJEU ruled that in the absence of the explicit terms e-mail and IP addresses in EU law, "the meaning and scope of that term must be determined in accordance with its usual meaning in everyday language". Following this interpretation, the term "addresses" covers only the postal address, i.e. the place of a given person’s permanent address or habitual residence, and does not cover the provision of an e-mail address, phone number or IP address.
The European Court of Justice invalidates EU-US Privacy Shield used for cross-Atlantic data transfers
The European Court of Justice (CJEU) has invalidated the EU-US Privacy Shield Decision used for personal data transfers to the US on the grounds that the US legal framework does not provide an 'adequate level of protection' for EU data subjects' personal data. The CJEU highlighted that the GDPR requires taking into account "relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation" when assessing the adequacy of the level of protection afforded by a third country when it comes to data transfers outside the EU. The term 'adequate level of protection', according to the CJEU, requires "the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union[...]". According to the CJEU, the US does not ensure a level of protection that is equivalent to EU standards, namely in connection with the absence of judicial protection for persons whose personal data is transferred to the US, and in the context of mass surveillance programs practiced by the US intelligence services that do not provide for any limitations on the power conferred on the US authorities. The European Data Protection Board responded with an FAQ document to provide more details about the ruling and what it means for ongoing data transfers to the US.
The European Commission unveils its strategy to more effectively address child sexual abuse
On 24 July, the European Commission published an "EU strategy for a more effective fight against child sexual abuse". The strategy quotes reports that indicate that "the EU has become the largest host of child sexual abuse material globally". The strategy expresses the need to urgently address the "use of encryption technology for criminal purposes", through "possible solutions which could allow companies to detect and report child sexual abuse in end-to-end encrypted electronic communications". The Commission will also evaluate whether the existing Child Sexual Abuse Directive needs to be updated. In addition to the specific legislation on child sexual abuse, the Commission identified multiple EU legislative instruments which are relevant for the private sector's role in preventing and combating child sexual abuse. Notably, the Commission calls for the swift adoption of the e-Evidence regulation; the review of the e-Commerce Directive, by removing "disincentives for voluntary actions to address illegal content, goods or services intermediated online"; and the evaluation of Europol's mandate, under which Europol is at the moment not able to receive personal data directly from the private sector, "whose infrastructure is abused by perpetrators to host and share child sexual abuse material". More concretely, by Q2 2021 the Commission promises to "propose the necessary legislation to tackle child sexual abuse online effectively including by requiring relevant online services providers to detect known child sexual abuse material and require them to report that material to public authorities".
The European Commission is consulting the public on the eIDAS Regulation revision
As reported earlier, the European Commission is planning to update the eIDAS Regulation, the regulatory framework concerning digital identification in the EU, at the end of 2020. The Commission has already determined that the current eIDAS Regulation is not fit for purpose and it is working on a new legislative proposal, with an aim to provide all EU citizens with "their own trusted digital identity". The public consultation on this legislative reform has been launched and is open until 2 October.