In a nutshell: The European Commission has published its strategy on Web 4.0 and virtual worlds, complemented by an own-initiative Draft Report from the European Parliament’s IMCO Committee. Trilogues on the agricultural geographical indication proposal continue after the summer break. The Commission published Key Performance Indicators under its Live Piracy Recommendation. A Proposal on Financial Data Access implicates domains. The European Commission adopted an adequacy decision on the EU-US Data Privacy Framework, which the EDPB confirmed in a note. The ENISA mandate and EU cybersecurity certification framework are up for evaluation. The path toward trilogues on the Cyber Resilience Act is cleared by the European Parliament’s ITRE Committee and the Council of the European Union. The Spanish Presidency issued a compromise text on the Proposal to combat child sexual abuse online. For some very large actors, the Digital Services Act has started taking effect. The European Parliament and Council have approved a trilogue compromise on the Energy Efficiency Directive.
The EU publishes its strategy on Web 4.0 and virtual worlds
On 11 July, the European Commission published a communication on virtual worlds and Web 4.0. It sets out the strategy and proposed actions to tackle challenges and opportunities of virtual worlds and the expected fourth generation of the World Wide Web, based on advanced artificial intelligence, the internet of things, blockchain, and immersive experiences. According to the strategy, “drawing from the lessons of the current internet”, the development of virtual worlds is likely to pose challenges to fundamental rights and objectives of “general public interest in a democratic society”, such as children’s rights, data protection and privacy, disinformation, cybersecurity, and consumer protection. In terms of opportunities, virtual worlds are likely to create more business opportunities and “efficient productions cycles”. The Commission aims for a Web 4.0 that is powered “by open and highly distributed technologies and standards that enable interoperability between platforms and networks”. Concerning concrete actions planned in the foreseeable future, the Commission expects to develop a “virtual worlds toolbox” that includes the use of “trustworthy digital identity and digital wallet solutions”, consumer protection, cybersecurity and intellectual property (IP) (Q1 2024). The upcoming IP toolbox against counterfeiting (see our previous reporting here) will give IP rightsholders “guidance and recommendations on how to enforce their rights” both offline and online. The Commission recognises the importance of open standards in ensuring that the future Web 4.0 ecosystem is not dominated by “a select few”. As a result, the Commission will “engage with key organisations” active in the standardisation of open and interoperable virtual worlds and Web 4.0, and support “open-source innovation”.
Additionally, the Commission pledges to support the “creation of a technical multi-stakeholder governance process to address essential aspects of virtual worlds and Web 4.0 that are beyond the remit of existing internet governance institutions” (from Q1 2024).
On 4 August, the European Parliament's Committee on the Internal Market and Consumer Protection (IMCO) issued a Draft Report on its own-initiative procedure on virtual worlds, recommending further improvement of the Commission's strategy. The Draft Report points out the lack of a “universally recognised or agreed definition” of virtual worlds and considers the need for further work in this area. The Draft Report highlights that “the debate over the need for the identification of users in virtual worlds” should be a priority area, especially for the purpose of identifying individuals by the competent authorities. The Draft Report calls on the Commission to conduct an assessment on “how to ensure that the infrastructure needed is delivered to consumers”.
The trilogue negotiations on the agricultural geographical indications proposal continue after summer
On 18 July, EU institutions held a trilogue negotiation meeting in which the latest draft of the proposal for a regulation on geographical indication (GI) protection for wine, spirit drinks and agricultural products (see our previous reporting here) was discussed. According to the draft text published ahead of the trilogue on 18 July, EU institutions reached a provisional agreement on several terms and definitions, such as “geographical indications” and “generic terms”. The institutions also reached a provisional agreement on Article 27 regarding the “protection of geographical indications” that inter alia prohibits any “misleading indications” relating to products liable to convey a false impression of their origin, which also applies to domain names. Another agreement was reached concerning potential tasks that producer groups representing GI rightsholders may exercise; these include combatting “infringements and suspected fraudulent uses” of GI products and “monitoring and verifying” the use of GIs on “online interfaces”. The latest publicly available text includes no agreement on other domain name related provisions, such as the establishment of the “domain name information and alert system”. The Spanish Presidency is expecting to finalise this legislative initiative during its term.
The Commission publishes Key Performance Indicators under its Live Piracy Recommendation
In May 2023, the European Commission published a recommendation on combating the online piracy of sports and other live events (see previous reporting here). In order to follow up on the recommendation’s adoption, the Commission published a set of key performance indicators (KPIs) in late July 2023. The KPIs have been formulated with the help of the European Union Intellectual Property Office (EUIPO), to which relevant data on the different KPIs must be submitted regularly. The KPIs cover a range of questions, including the volume of unauthorised retransmissions, the treatment of notices, voluntary cooperation, and the use of dynamic injunctions. In the initial recommendation, DNS or IP blocking is mentioned as a method to interrupt illegal retransmissions. Relevant injunctions would usually be addressed to internet access providers, who, under the KPI relating to dynamic injunctions, must report the number of domains or IP addresses they blocked as a result of a court or administrative order. Where administrative authorities are involved in the implementation of dynamic injunctions, they must also report the number of blocked domains and IP addresses, broken down by number per sport competition or live event, where possible. By November 2025, the Commission will assess the recommendation’s effects based on this data, and evaluate whether additional measures are needed at EU level.
European Commission publishes proposal on financial data access
On 28 June, the European Commission published a Proposal for a Regulation on a Framework for Financial Data Access. The broad intention is to establish clear rights and obligations to manage customer data sharing in the financial sector, in a way that balances the flow and wide use of data while preserving high privacy, security, safety and ethical standards. The hope is that data access will lead to more innovative financial products and services for users and will stimulate competition in the financial sector. In order to guarantee consumer trust and ensure a level playing field, competent authorities shall supervise and authorise who is eligible to access consumers’ data, and according to which rules. Within their supervision framework, competent authorities are granted a set of powers. They may investigate breaches of data access rules and impose penalties and administrative sanctions. Where there are no other options to halt or prevent a breach, competent authorities may “order domain registries or registrars to delete a fully qualified domain name and to allow the competent authority concerned to record such deletion”, among other measures, including removing or restricting access to an online interface, as well as displaying an explicit warning.
European Commission adopts adequacy decision on EU-US Data Privacy Framework and EDPB comments in Information Note
On 10 July, the European Commission adopted an implementing decision on the EU-US Data Privacy Framework. The decision confirms that, from the Commission’s perspective, the US ensures an adequate level of protection for personal data transferred from the EU to US companies. The 2020 abolition of the Privacy Shield had created legal uncertainty, which the Commission decision ends, including by introducing new binding safeguards to address concerns raised by the Court of Justice of the EU in Schrems II. These include restricting US public authorities and security agencies’ data access to what is strictly necessary and proportionate to protect national security. Further, to improve EU citizens’ redress against possible breaches, mechanisms are introduced allowing individuals to bring cases before free-of-charge dispute resolution mechanisms against private companies, and a dedicated data protection review court (DPRC), in case of breaches by US intelligence agencies. US companies will be able to join the Data Privacy Framework by certifying their compliance with a number of privacy obligations (e.g., on data retention) by 10 October.
The European Data Protection Board (EDPB) has published an information note on the adequacy decision, providing clarity on its implications for data subjects and entities transferring personal data from the EU to the US. The EDPB makes clear that data transfers to US-based entities which are not included in the list of organisations which the US ensures offer adequate protection for personal data cannot be based on the adequacy decision. Rather, they will require appropriate data protection safeguards, enforceable rights and effective legal remedies for data subjects (e.g. through standard data protection clauses or binding corporate rules), in accordance with Article 46 GDPR.
ENISA mandate and EU cybersecurity certification framework up for evaluation
The European Commission has opened an evaluation on the European Union Agency for Cybersecurity (ENISA) and the EU cybersecurity certification framework, as required by the 2019 Cybersecurity Act. The evaluation’s call for evidence is open until 16 September 2023, and the Commission aims to conclude its evaluation by the end of June 2024. Its goals are to assess how ENISA is performing towards its mandate, objective and tasks, as well as the need to potentially modify its mandate. Further, the evaluation will examine the impact, effectiveness and efficiency of the EU cybersecurity certification framework. The evaluation will specifically take into account the evolution of ENISA’s regulatory environment as well as its ability to deal with policy challenges, presently dominated by the NIS 2 Directive, with several more proposals making their way through the institutions, including the Cyber Resilience Act and Cyber Solidarity Act.
The European Parliament's ITRE Committee and Council of the European Union clear the way towards trilogues on the Cyber Resilience Act
On 19 July 2023, the European Parliament’s Committee on Industry, Research and Energy (ITRE) approved its final committee report on the Cyber Resilience Act (CRA), and voted in favour of entering inter-institutional negotiations. This Committee approval is pending a vote in plenary, set for September. The final ITRE position maintains amendments to include free and open-source software in scope “only where such software is made available on the market in the course of a commercial activity”. When a commercial actor seeks to integrate free and open-source software components into products with digital elements, they should first do their due diligence and be responsible for handling vulnerabilities in free and open-source elements. Relating to the coordinated vulnerability disclosure requirements in the NIS 2 Directive, the ITRE Committee draft maintains the reliance on ENISA to notify CSIRTs of vulnerabilities, which manufacturers must alert ENISA of under the CRA. Essential entities under NIS 2 shall be deemed compliant with the requirements of Article 23 NIS 2 if they have notified significant incidents according to the CRA. Vice versa, essential entities who submit their incident notification pursuant to NIS 2 should be deemed compliant with the reporting obligations under the CRA. Manufacturers may also voluntarily notify ENISA of less grave incidents, such as cyber threats and near misses. ENISA shall establish a secure digital reporting mechanism for reporting obligations as a single point of entry.
Also on 19 July 2023, the Council of the European Union agreed on its negotiating mandate for the CRA. Similarly to the ITRE position, it also clarifies that the CRA should only apply to free and open-source software that is supplied in the course of a commercial activity, although it does not go into much further detail. Unlike the ITRE position, the Council position foregrounds CSIRTs and the CSIRT network in the context of reporting obligations, instead of ENISA. ENISA shall maintain and manage a single reporting platform, while alerts about actively exploited vulnerabilities and other grounds for notification shall be addressed to CSIRTs. Further, the Council position does not specifically address compliance overlap between NIS 2 and the CRA for “essential entities” under NIS 2. Rather, the Council position addresses “sectors of high criticality” in scope of the NIS 2 Directive’s Annex I.
The Spanish Presidency issued a compromise text on the Proposal to combat child sexual abuse online
On 16 July, the Spanish Presidency issued a compromise text on the Proposal for a Regulation laying down rules to prevent and combat child sexual abuse ('CSAM Regulation') (see our previous reporting here). According to the Presidency draft, encryption-related provisions are moved to the non-binding part of the Regulation (recitals), rather than staying in the operative part (Article 1). The prohibition of general monitoring obligations has been deleted from the text entirely. The Presidency draft also introduces an obligation on hosting service providers and providers of interpersonal communications services to keep logs of “processing of content and other data in connection with the execution of detection orders” for up to five years. The draft also expands the scope of the proposal to online search engines, and includes an additional delisting order enforcement power for competent authorities requiring search engines to react within 24 hours.
The Digital Services Act starts taking effect
After the first set of 19 Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) were designated by the Commission in April 2023, the Digital Services Act (DSA) has come into force for them. On 28 August, the Commission received the first online platform reports from the VLOPs and VLOSEs, outlining identified systemic risks and the possible measures to address them, as well as increasing transparency of decision-making. While these reports aren’t available publicly yet, a report published by the Commission shows that several VLOPs’ anti-disinformation policies were insufficient against the Russian information war after the invasion of Ukraine, and did not meet what was required under the DSA. Furthermore, several VLOPs had failed to implement measures under the Code of Practice against Disinformation at a systemic level. Given that the DSA foresees ‘codes of conduct’, adherence to which could demonstrate effort to mitigate risks, the failure to apply the Code of Practice may inspire the European Board for Digital Services to take a different approach with the codes of conduct. Meanwhile, member states are passing national legislation to pave the way for the DSA. In this regard, in response to a question by MEP Geoffroy Didier, Commissioner Breton commented that “Member States should refrain from adopting national laws that would overlap with those regulations or create stricter or more detailed provisions in the concerned regulatory fields.” The Commission will protect the DSA’s integrity, where necessary, with its enforcement powers.
The Parliament and Council approve trilogue compromise on the Energy Efficiency Directive
In July, the European Parliament and Council respectively approved the outcome of the trilogue negotiations on the Energy Efficiency Directive. The Directive seeks to improve energy efficiency across various sectors, including the ICT sector, especially highlighting the energy consumption of data centres. To promote sustainable development, “Member States should require the collection and publication of data which are relevant for the energy performance, water footprint and demand-side flexibility of data centres[...] with significant footprint”. The reporting obligation refers to the spaces and equipment that serve primarily or exclusively for data-related functions (server rooms), including the necessary associated equipment, such as cooling, lighting, battery arrays, or uninterruptible power supplies. Data resulting from reporting obligations should be used to develop sustainability indicators, e.g. on the reuse of waste heat. Included in scope are owners and operators of data centres with a power demand of at least 500 kW, relating only to the installed information technology. By 15 May 2025, the Commission will assess the available data and will submit a report to Parliament and Council. This report will include, where appropriate, legislative proposals containing further measures to improve energy efficiency, including establishing minimum performance standards.