EU Policy Update – Summer 2021
In a nutshell: Slovenia took over the Presidency of the Council of the EU. The European Parliament adopted a temporary ePrivacy derogation to detect and remove child abuse. The NIS2 and CER Directives, as well as the DSA Regulation proposals advanced through the European Parliamentary discussions. The Council of the EU published its conclusions on intellectual property policy. The European Data Protection Board adopted guidelines on the concepts of controller and processor. ENISA published a report stating that supply chain cyberattacks are expected to quadruple in 2021.
The Slovenian presidency priorities in the Council of the EU
From 1 July, Slovenia took over the presidency of the Council of the EU. The presidency programme of Slovenia identifies a few key areas where the presidency is expecting to achieve progress within the Council of the EU and lead its work in the context of regulatory and policy initiatives. In the area of Justice and Home Affairs, the Slovenian Presidency pledges to “strive for increased internal security and the protection of citizens when discussing the Directive on the resilience of critical entities”. When it comes to cybersecurity resilience, the Slovenian Presidency pledged to “endeavour to reach a general approach or start negotiations with the European Parliament” on the proposal for a directive on measures for a high common level of cybersecurity (NIS2) “as quickly as possible”. On the Digital Services Act (DSA) proposal, the Slovenian Presidency is also aiming to make as much progress as possible, including reaching an agreement in the Council of the EU.
The European Parliament adopted a temporary ePrivacy derogation to detect and remove child abuse
On 30 July, the Regulation on a temporary ePrivacy derogation for the purposes of combatting child sexual abuse entered into force (see previous reporting here). The Regulation allows providers of communications services such as web-based email and messaging services to voluntarily detect, remove and report child sexual abuse material online, “by scanning either the content, such as images and text, or the traffic data of communications using, in some instances, historical data”. The technology used for those activities could be hashing technology for images and videos and classifiers and artificial intelligence for analysing text or traffic data. The temporary derogation will be applicable until 3 August 2024.
IMCO adopted its NIS2 Opinion
On 14 July, the members of the European Parliament’s Committee on the Internal Market and Consumer Protection (IMCO) adopted their Opinion on the NIS2 Directive proposal (see our previous reporting here). The IMCO opinion suggests amendments to include “privacy or proxy registration service providers, domain brokers or resellers, and any other services that are related to the registration of domain names” under the NIS2 Directive and specifically with regard to the data accuracy obligation under Article 23. The data accuracy obligation in Article 23 should be expanded to include an additional data verification obligation of relevant information necessary to identify and contact domain name holders, according to the IMCO Opinion. That relevant information should at least include the registrant’s name, their physical and e-mail address and phone number, according to the text. Regarding providing access to domain name registration data for ‘legitimate access seekers’, the IMCO Opinion includes an amendment to oblige registries, registrars and other domain name registration service providers to respond to these within 72 hours.
Amendments to LIBE’s Draft Opinion on NIS2
Members of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) proposed amendments to their Draft Opinion on the NIS2 Directive proposal (see our previous reporting here). In relation to the registration data accuracy obligation applicable to domain name registries and registrars in Article 23, suggested amendments include both the deletion of the corresponding obligation, as well as the limitation of the relevant information that registries and registrars should maintain accurate and complete to the registrant's name and e-mail address. Other amendments filed by the LIBE members include limiting legitimate access seekers under Article 23 to law enforcement authorities, CERTs/CSIRTs and data protection authorities.
IMCO adopted its Opinion on the CER Directive proposal
On 26 July, the members of the IMCO committee adopted their Opinion on the proposal for a directive on the resilience of critical entities (CER Directive). The IMCO opinion tries “to ensure closer alignment and harmonisation” of both the CER and NIS2 directives. To this aim, the IMCO opinion suggests amendments that require entities under the scope of both the CER and NIS2 directives to “benefit from a single point of contact and a common set of rules”. Furthermore, entities that are identified as essential entities under the NIS2 Directive but are not identified as critical entities under the CER Directive should also enhance the resilience of their physical infrastructure, according to the IMCO opinion.
ENISA published a report on supply chain attacks
On 29 July, the European Union Agency for Cybersecurity (ENISA) published a report on the threat landscape for supply chain attacks which predicted that supply chain attacks are expected to quadruple in 2021 compared to 2020. Most of the supply chain attacks that were analysed by ENISA in 2020-2021 focused on the suppliers’ software code in order to target customers, including personal data and intellectual property, according to the report. ENISA therefore urged policymakers to establish coordinated action at EU level to reach a “common level of cybersecurity in the EU”. To limit supply chain attacks, several protective measures should be taken on both the customer’s and supplier’s side. Customers are encouraged to further analyse suppliers’ compliance with cybersecurity practices and to define security requirements for the acquired products and services in contracts. On the other hand, suppliers should put in place mechanisms to ensure the secure development of their products and services, consistent with commonly accepted security practices, such as conformity statements for ISO 27001. In addition, suppliers should implement good practices for vulnerability management. The latter could include the monitoring of security vulnerabilities and risk analysis through a vulnerability scoring system.
ECON published its Draft Opinion on the DSA
On 8 July, the Committee on Economic and Monetary Affairs (ECON) issued its Draft Opinion on the DSA proposal. The Draft Opinion suggests including the right to use and pay for information society services anonymously wherever technically possible, and to omit Article 6 that concerns voluntary own-initiative investigations and other activities aimed at detecting, identifying and removing, or disabling access to illegal content. The Draft Opinion also suggests that the European Commission should lay down the rules on penalties applicable to infringements of the DSA by intermediaries, as opposed to the Member States, which is what the proposal currently states.
LIBE adopted its Opinion on the DSA
On 15 July, the members of the LIBE committee adopted their Opinion on the DSA. The opinion suggests prohibiting the general obligation on providers of information society services to limit the anonymous or pseudonymous use of their services. According to the LIBE Opinion, mere conduit intermediaries should not be required to block access to content, as illegal content should be removed where it is hosted. The opinion also suggests removing Article 6 and the reference to voluntary own-initiative activities to detect and remove illegal content. LIBE also suggests allowing only an independent judiciary to make decisions regarding the legality of content, and not administrative authorities.
IMCO’s Draft Report on the DSA received more than 2000 amendments
Members of the IMCO committee proposed amendments to their Draft Report on the DSA (see our previous reporting here). More than 2000 amendments were filed to the Commission's proposal. Some notable amendments for technical infrastructure actors include: the know-your-business-customer (KYBC) obligation on all intermediaries, including domain name registries; stay-down measures applicable to all intermediaries to ensure that illegal content does not re-appear on their services; and extending the mere conduit liability exemption to technical auxiliary functional services.
Amendments on JURI’s Draft Opinion on the DSA
Members of the European Parliament's Committee on Legal Affairs (JURI) proposed their amendments to the JURI Draft Opinion on the DSA (see our previous reporting here). Over 1000 amendments were filed. Some notable amendments include the addition of IP addresses to the relevant information that authorities can require from intermediaries when making orders to provide information; waivers from due diligence obligations for non-profit organisations that serve “a manifestly positive role in the public interest, or are SMEs without any systemic risk related to illegal content”; stay-down measures for hosting service providers; clarifications of the definition of illegal content; the prohibition of the obligation to use automated tools for content moderation; orders for intermediaries to restore lawful content; and an obligation on all intermediaries to display the identity of a business user that offers goods and services.
The Council of the EU published its conclusions on intellectual property policy
On 18 June, the Council of the EU (Economic and Financial Affairs) approved its conclusions on intellectual property policy. The conclusions highlight a necessity “to encourage reflections on the prevention of and fight against criminal violations of IP rights, in particular counterfeiting and piracy, and their connection with international economic and financial crime”. These reflections may possibly include “a need to conduct a stocktaking exercise on existing legal differences between the Member States’ criminal law frameworks, on possible criminal law and prosecution gaps and on legal and practical obstacles to cross border cooperation within the EU”. The conclusions also note that “the volume of counterfeiting goods still remains unacceptably high on online marketplaces” and therefore take the view that efforts between rightsholders and online marketplaces “will be strongly reinforced by the Digital Services Act and the upcoming EU Toolbox against counterfeiting”.
The European Data Protection Board adopted guidelines on the concepts of controller and processor
On 7 July, the European Data Protection Board (EDPB) adopted guidelines on the concepts of controller and processor in the GDPR. The EDPB confirmed that the legal status of an actor as either a “controller” or a “processor” must in principle be determined by its actual activities in a specific situation, rather than upon the formal designation of an actor, e.g. in a contract. A similar principle also governs the relationship of joint controllers: all existing or envisaged arrangements should be checked against the factual circumstances regarding the relationship between the parties. A merely formal criterion would not be sufficient, and both entities should be in a position to determine the purposes and means for data processing jointly. When it comes to determining concrete responsibilities between joint controllers, the EDPB recommends making such an arrangement in a binding document such as a contract or another legally binding act under EU or Member State law.