In a nutshell: The European institutions have concluded their trilogue negotiations on the GI protection of crafts and industrial products, while the Swedish Council presidency has put forward amendments to the sister proposal on the GI protection for agricultural products. The European Commission published a proposal for a regulation on standard essential patents, and released its recommendation on combatting online piracy. Commissioner Reynders outlined upcoming plans for the revision of the Consumer Protection Cooperation Regulation. Commissioner Breton introduced the European Cyber Shield. The Commission proposed a new Cyber Solidarity Act and a targeted amendment to the Cyber Security Act. In data protection, the EDPS has submitted input on the Commission’s GDPR review, and the EDPB adopted guidelines on data subjects’ right to access. The draft Insolvency Directive attracted submissions from the European Economic and Social Committee and the Parliament of the Czech Republic. The European Parliament’s LIBE Committee has published its draft report on proposed legislation to combat child sexual abuse online.
Intellectual Property
The European Parliament and the Council of the EU reached a provisional agreement on the GI protection of crafts/industrial products
On 2 May, the EU institutions concluded their trilogue negotiations on the proposal for a regulation on the geographical indication (GI) protection for craft and industrial products (see our previous reporting here). According to the European Parliament's press release, the new rules foresee a procedure to register GIs first at national level, followed by an examination of the producers’ application by the EU Intellectual Property Office (EUIPO). According to the Council of the EU’s press release, the agreement "ensures that the protection of craft and industrial GIs also applies to the domain name space and the online environment". The provisional agreement needs to be endorsed and formally adopted by both institutions, before being finalised as legislation.
The Swedish presidency suggested amendments to the proposal on the GI protection for agricultural products
In the course of April, the Swedish presidency proposed more amendments to the proposal for a regulation on GI protection for wine, spirits drinks, agricultural products (dated 3 April) (see our previous reporting here). When it comes to the domain name related provisions, the suggested amendments include limitations of the scope of the legislation to alternative dispute resolution systems of ccTLD registries that should acknowledge GIs as a right to be invoked during domain name disputes. There were suggestions to omit references to a domain name information and alert system from the proposal.
The European Parliament adopted its report on the GI protection for agricultural products
On 20 April, the Agriculture Committee (AGRI) adopted its position on the proposal for a regulation on GI protection for wine, spirits drinks, agricultural products. According to the European Parliament's press release, to "better protect GIs online" the AGRI position endorses "provisions to ensure that all domains abusing the name of a GI are automatically closed or assigned to a producer group that uses the GI legally". To assist with the task, the EU Intellectual Property Office (EUIPO) "should establish an alert system monitoring the registration of domain names". Furthermore, according to the press release, the recognised producer groups - designated by EU countries and acting as the sole representative for specific GIs - are given more responsibilities, such as establishing minimum conditions for the use of a GI name or supervising the fair use of GIs.
The European Commission published a proposal for a regulation on standard essential patents
On 24 April, the European Commission issued a proposal for a regulation on standard essential patents (SEPs). SEPs are patents that "protect technology" that is essential to a standard. Typically, SEPs are required to be licenced under the so-called fair, reasonable and non-discriminatory (FRAND) terms and conditions, in order to be included in a standard developed by standard development bodies, such as ETSI or IEEE. By including their technology in standardisation, SEP holders are seen to have a "strong economic position vis-à-vis a potential standard implementer" because implementers must either pay for a licence or forego manufacturing products that use the standard. The European Commission's proposal seeks to provide enhanced transparency regarding SEP licensing, and creates a competence centre within the EUIPO to administer SEP databases and the procedures for essentiality checks for registered SEPs. The proposed rules are designed to bring SEPs closer to SMEs, as the proposal suggests a separate mechanism for more favourable FRAND negotiations for SMEs, including the possibility to consider discounts and royalty-free licensing.
The European Commission published its recommendation on combatting online piracy
On 4 May 2023, the European Commission published its recommendation on combating the online piracy of sports and other live events. The objective is for online services to act more expediently when intervening on illegal retransmissions of livestreamed shows and events. Among different technical measures, DNS or IP blocking is mentioned explicitly as a method to interrupt illegal retransmissions. The proposal clarifies that "[a]n injunction is usually addressed to Internet access providers, as those are well placed to prevent the access of end users", while also stating that "other providers of intermediary services may be misused to facilitate unauthorised retransmissions or to circumvent blocking injunctions", naming content delivery networks, reverse proxies, and alternative DNS resolvers. Therefore, all intermediary service providers, pursuant to the Digital Services Act, shall consider voluntary measures to prevent the misuse of their services. Given the structure of the internet, and the roles of different types of intermediary services, effective solutions must be adapted to their respective functions.
Consumer protection
Commissioner Reynders outlined upcoming plans for consumer law revision
During a hearing with the European Parliament, the Commissioner for Justice Didier Reynders highlighted what is on the agenda for the upcoming revision of EU consumer law. As the European Commission is preparing a revision of the Consumer Protection Cooperation (CPC) Regulation, Reynders highlighted the need to strengthen consumer protection enforcement and redress mechanisms, including sanctions in EU-wide cases and cases concerning non-EU traders. The Commission is also planning to tackle the issue of "confusing cookie banners" and start by incentivising businesses to adapt their cookie practices via voluntary pledges. The Commission is also conducting an overall "fitness check" of the existing EU consumer law and whether it is fit for purpose in the digital era, including consistency with more recent legislation, such as the Digital Services Act. As for the CPC Regulation revision, the official responsible for the reform within the European Commission highlighted the need to strengthen the competences of national consumer protection authorities in conducting "market surveillance of online actors" and increase the European Commission's sanctioning powers. The Commission is aiming to publish the legislative proposal before summer recess.
Cybersecurity
Breton introduces his vision for a European Cyber Shield
When opening the International Forum on Cyber Security in Lille, Commissioner Breton laid out his vision for a European Cyber Shield. Europe has become a growing target for cyberattacks, whereas cyber policies are dispersed at national level. In Breton's words, "we are only as strong as the weakest link in the chain". He describes four pillars of the European Cyber Shield; protection, detection, defence and deterrence. Standout pieces of legislation within these pillars are the NIS2 Directive, the Cyber Resilience Act and the Cyber Solidarity Act, among others. Breton concluded his speech on the note of cybersecurity collaborations, foregrounding the EU-US cyber dialogue.
Commission Proposal for a Cyber Solidarity Act
On 18 April 2023, the European Commission published its proposal for a (Cyber Solidarity Act). The stated objective of this proposed Regulation is "to strengthen capacities in the EU to detect, prepare for and respond to significant and large-scale cybersecurity threats and attacks". Mechanisms include a 'European Cyber Shield' comprised of national and cross-country 'Security Operation Centres' (SOCs), as well as a 'Cyber Emergency Mechanism', which is made up, among other elements, of an 'EU Cybersecurity Reserve', consisting of incident response services from private service providers (‘trusted providers’), who can be deployed in emergencies. The Cyber Solidarity Act interacts with the NIS 2 Directive and consistently references it, for example, in its definitions of 'entities operating in critical or highly critical sectors', as well as in designating the entities in the scope of the 'Cyber Emergency Mechanism' (Chapter III). Under this umbrella, the draft Cyber Solidarity Act proposes measures spanning the coordinated cybersecurity preparedness testing of entities designated by ENISA and the NIS Cooperation Group (Article 11), as well as the modalities of receiving support from the 'EU Cybersecurity Reserve' (Articles 12-14). Despite such innovations, the proposal's stated objective is to "build on and support the existing cybersecurity operational cooperation and crisis management frameworks, in particular European cyber crisis liaison organisation network (EU-CyCLONe) and the computer security incident response teams (CSIRTs) network."
The European Commission proposed a Targeted Amendment to the Cyber Security Act
The Commission has proposed a targeted amendment to the Cyber Security Act concerning 'managed security services'. Managed security service providers carry out or assist customers' activities relating to cybersecurity risk management; they are considered as 'essential' or 'important entities' per the NIS 2 Directive. At the same time, they are themselves targets of cyberattacks and pose a particular risk, due to their close integration into their customers' operations. The targeted amendment seeks to include managed security services in the scope of a harmonised European cybersecurity certification scheme, which already exists in the Cyber Security Act for information and technology (ICT) products, ICT services and ICT processes. In the absence of this amendment, Member States had already begun developing their own certification schemes for managed security services, which pose a risk of fragmentation owing to inconsistencies in cybersecurity certification schemes across the EU. The amendment's objective is to counteract fragmentation, via "a harmonised approach at Union level to European cybersecurity certification schemes, with a view to creating a digital single market for ICT products, ICT services, ICT processes and managed security services". The proposal complements the proposed Cyber Solidarity Act and the NIS 2 Directive.
Data protection
The EDPS submits input to the Commission’s GDPR revision
The European Data Protection Supervisor (EDPS) has submitted input to the Commission's efforts to review the General Data Protection Regulation (GDPR)'s enforcement mechanisms. The EDPS supports the Commission's efforts to streamline cooperation between national Data Protection Authorities (DPAs) and the EDPS to facilitate more effective, consistent enforcement. Towards this end, the EDPS suggests two specific measures. First, that the Commission include a provision in its forthcoming initiative stressing that all DPAs must cooperate actively, and that the EDPS must be considered a "supervisory authority". Second, it recommends that the Commission consider an amendment of the IMI Regulation, to allow a more centralised exchange of information between the EDPS and DPAs, and to strengthen their cooperation and facilitate secure communication. Despite these concrete proposals, the EDPS emphasises that procedural harmonisation cannot resolve all structural issues related to the GDPR's one stop shop mechanism.
The European Data Protection Board adopted guidelines on the right of access
On 28 March, the European Data Protection Board (EDPB) adopted guidelines on data subjects' right of access. According to the guidelines, the overall aim of the right of access is "to provide individuals with sufficient, transparent and easily accessible information about the processing of their personal data". This will make it easier for the individual to exercise other rights such as the right to erasure or rectification. According to the EDPB, the right of access under data protection law is to be distinguished from similar rights with other objectives, such as the right of access to public documents. Right of access exercised under data protection law does not require the data subject to give reasons for the access request: "the controller will have to deal with the request unless it is clear that the request is made under other rules than data protection rules". According to the guidelines, the GDPR allows for certain limitations of the right of access. However, these limitations should not result in refusing an access request altogether. The rejection of access requests by controllers has to be interpreted narrowly: the scope of considering a request as manifestly unfounded is limited. The data can be sent to the data subject by e-mail, provided that all necessary safeguards are applied.
The proposal for a Directive to Harmonise Insolvency attracts submissions from the European Economic and Social Committeem and the Parliament of the Czech Republic
The European Economic and Social Committee (EESC), a consultative body representing economic and social interest groups, among others, has released an opinion on the Commission proposal for a directive harmonising certain aspects of insolvency law (see our previous reporting here). The EESC makes suggestions concerning the outstanding issue of managing the insolvency of natural persons, for whom no equivalent cross-border regime exists, or the harmonisation of definitions of insolvency grounds across Member States. The opinion recommends that "insolvency practitioners, in cases of legitimate interests, [should] have direct and expeditious access to the national asset registers, regardless of the Member State where the practitioner has been appointed". The EESC favours the "effective involvement of independent insolvency practitioners", "to help reduce the burden on the judiciary", although there are no further details as to who might be able to qualify and/or be appointed as an independent practitioner.
Meanwhile, the Parliament of the Czech Republic's Chamber of Deputies (Committee on European Affairs) has submitted an opinion to the European Commission, concerning the application of the principles of subsidiarity and proportionality in the insolvency proposal. The Committee supports the Czech government's efforts to include only minimum requirements for the harmonisation of national insolvency instruments. The rationale is that this "will provide member states with a greater degree of flexibility".
Child protection
The LIBE Committee publishes Draft Report on proposed legislation to combat child sexual abuse online
In May 2022, the European Commission proposed legislation to prevent and combat child sexual abuse online (previous reporting can be found here and here). The Commission's proposal includes provisions concerning the blocking of child sexual abuse material (CSAM) "that cannot reasonably be removed at source" via uniform resource locators. On 19 April, the leading Civil Liberties, Justice and Home Affairs (LIBE) Committee issued its draft report. Notably, the LIBE opinion replaces the Commission's use of 'uniform resource locators' with 'uniform resource identifiers'; the implication is that the blocking of content would occur on a more granular basis. Further, the LIBE report inserts an additional Article 18a concerning delisting orders, per which online search engines and other artificial intelligence systems can be obliged to take reasonable measures to delist particular resources indicating specific items of CSAM.
