EU Policy Update - April 2018
This month saw increased attention on encryption, with the Commission launching an experts’ group and data protection authorities entering the debate. In parallel, the Commission released the long-awaited proposal to simplify cross-border access to e-evidence in criminal investigations. With the deadline for the GDPR implementation approaching, new guidelines have been adopted to help the industry, while the WHOIS has been sanctioned again by DPAs for non-compliance with the new data protection paradigm. New legislation on terrorism is being politically pushed by Germany, which would introduce a permanent monitoring obligation for platforms. Finally, ethics are entering the digital debate with the new Artificial Intelligence package.
Law enforcement cooperation
Encryption: Data Protection Authorities take position
The Article 29 Working Party, which gathers European data protection authorities, has released a statement on “encryption and their impact on the protection of individuals with regard to the processing of their personal data in the EU”. The statement advocates for a strong encryption regime throughout the EU, without the need to implement backdoors. The Working Party seeks a safe technical solution that does not compel encryption providers to give up master keys and backdoors in their software. Finally, the Working Party holds that the Law Enforcement Agencies’ access to data, while already considerable, must remain proportionate and targeted.
Encryption: European Commission hosts first experts’ meeting
A stakeholder roundtable was held on the ongoing work of the Commission on the role of encryption in criminal investigations. The event was organised by DG HOME (Home affairs), under the “label” of the EU Internet Forum. The Commission reiterated the message that they are “very seriously committed not to weaken encryption, and that they rule out mandatory backdoors and key escrows”.
They presented the structured dialogue with industry and civil society, which will have the objective of collecting best practices and “discovering new approaches to deal with encryption”.
Further discussions focused on soft capacity building actions that the EC will undertake to support national law enforcement agencies to tackle the challenges for criminal investigations that arise from encryption in electronic communications. This includes:
- Strengthening Europol’s technical capabilities (e.g. “intelligent password guessing” techniques, using information gathered during the investigation)
- Creation of national centres of expertise
- Toolbox of best practices: DG HOME excludes “sensitive materials” (such as advanced spy software) in the foreseeable future.
- Training of law enforcement
- Observatory: this body will provide the EC with a (bi)annual report monitoring technical and legal.
E-Evidence: Commission published legislation on cross border access to e-evidence
The Commission published the long-awaited proposal for cross-border access to e-evidence for criminal investigations and a separate law which obliges service providers to designate a legal representative in the Union even if their HQ are in third countries. The e-evidence proposal targets Electronic Communications Services, Information Society Services Providers, Internet domain name and IP numbering services such as IP address providers, domain name registries, domain name registrars and related privacy and proxy services.
The main novelties concern the following:
- European Production Order: this will allow a judicial authority in one Member State to obtain electronic evidence (such as emails, text or messages in apps, as well as information to identify a perpetrator as a first step) directly from a service provider or its legal representative in another Member State, which will be obliged to respond within 10 days, and within 6 hours in cases of emergency (compared to up to 120 days for the existing European Investigation Order or an average of 10 months for a Mutual Legal Assistance procedure);
- European Preservation Order: this will allow a judicial authority in one Member State to request that a service provider or its legal representative in another Member State preserves specific data in view of a subsequent request to produce this data via mutual legal assistance, a European Investigation Order or a European Production Order (the text specifies that this is not data retention);
- Designate a legal representative in the Union: to ensure that all providers that offer services in the Union are subject to the same obligations, even if their headquarters are in a third country, they are required to designate a legal representative in the Union for the receipt of, compliance with and enforcement of decisions and orders.
- Conflict of laws: specific mechanisms are introduced involving judicial arbitration in case of conflict with the law of third countries to which a provider offering services in the EU could also be subject.
- Data concerned: subscriber data (pertains to the identity of a subscriber or customer/ technical data and data identifying related technical measures including password and authentication data); access data (data related to the user access and use of a service (time, duration, user ID etc.)); transactional data (type of interaction, data on the location of the device, date, time, duration, size, route, format) and content data (any stored data in a digital format such as text, voice, videos, images, and sound).
ePrivacy: Council to likely adopt a progress report in June
At the last technical meeting on April 19th, Member States further discussed Article 6 concerning the permitted processing of metadata. One of the main amendments proposed would expand the list of processing instances to include processing for purposes of network management and optimisation and for the purpose of statistical counting, and would add a requirement of a request by a competent authority when processing metadata for the vital interest of an end user. However, it seems that consensus is still missing on many aspects. At this stage, it is likely that the Bulgarian Presidency will just adopt a progress report by June 2018 and leave it to the Telecom Council to decide how to move on politically. Additionally, the recent events related to Cambridge Analytica and Facebook have become part of the discussions and are used by civil society and Parliament to force a speedy adoption of the ePrivacy regulation.
GDPR: implementation deadline approaches
With the GDPR deadline set for May 25th, the Article 29 WP (WP29) is accelerating the adoption of guidelines to interpret key provisions of the law and to support the industry's compliance process. In its April plenary session, the WP29 adopted guidelines on consent and transparency after a public consultation of six weeks, as well as the revised BCR application forms, the updated working document on the BCR approval procedure and the revised guidelines on the urgency procedure. To provide interpretation on further aspects of the GDPR, the WP29 will continue its work regarding the guidelines on certification, the territorial scope of the GDPR (Article 3 GDPR) and codes of conduct (Article 40 and 41 GDPR).
GDPR and ICANN: Article 29 Working Party continues to have concerns over the ICANN approach in implementing the GDPR
The Article 29 WP continues to have concerns regarding several aspects of the Proposed and Final Interim Model. A letter was sent pointing out critical issues such as the use of legitimate interest as the legal ground for processing personal data, access to non-public WHOIS data, security, the retention period and international transfers.
Free Flow of non-personal data: Parliament discusses amendments to the proposed regulation
The Internal Market Committee of the Parliament found a broad consensus across the political groups on reaching a quick compromise on the text and holding a committee vote on June 4th. Afterwards, negotiations with the Council could start in view of a general agreement by the end of 2018. As seen previously, the main contention came from determining which law applies between the GDPR and this regulation to mixed data sets, i.e. bundles of personal and non-personal data. However, the Parliament Legal Service clarified that both regulations could apply to the same data sets simultaneously. Regarding the ability of Member States to restrict the free movement of non-personal data, there seems to be consensus on keeping the exceptions limited and based on treaties and case law.
Commission releases Artificial Intelligence package
The Commission has released a Communication on Artificial Intelligence for Europe, which puts forward three different approaches to Artificial Intelligence: investing more in funding via the Horizon 2020 project; promoting education and skills; and developing AI ethics guidelines by the end of 2018. These guidelines will take into consideration issues of algorithmic transparency and will be developed on the basis of the EU's Charter of Fundamental Rights, following a large consultation of stakeholders within the AI Alliance, which will be set up by July 2018.
Cybersecurity Act: European Parliament publishes Draft Report
As the so-called “Cybersecurity Act” continues its way through the legislative process in the European Parliament, the lead committee on the file, the Industry and Research Committee (ITRE), has published its Draft Report, proposing a first round of amendments to the European Commission’s proposal. The amendments focus on the new competences and powers of ENISA as a European Agency as well as the characteristics of the future EU-wide ICT certification scheme. Concerning ENISA’s role, it should respect national competences for cybersecurity in the areas of public security, defence, national security and state prerogatives in matters of criminal law. With regard to the ICT Certification scheme, it is interesting to note that the scheme should promote the principle of “security by design” to be implemented by manufacturers or service providers. The ITRE Committee is expected to vote on the file in June 2018.
New legislation on illegal content expected in 2018
France and Germany are politically pushing the Commission to propose legislation on terrorism in June 2018. The starting point would be the Recommendation on illegal content released in March, which deals with terrorism and the stay-down procedure. However, the Commission would like to first run a public consultation at the end of April, followed by an impact assessment over the summer break, and finally a legislative proposal in September 2018. A political decision on how to proceed should be adopted shortly.
Copyright: Council rushes to have a position, Parliament continues discussions
The Bulgarian Presidency has published a consolidated proposal which forms the basis to request a mandate and to enter negotiations with the European Parliament. On 27 April, the national Ambassadors to the EU (COREPER) will try to adopt the mandate. It is uncertain whether they will succeed, given that they are still divided on Article 13; however, they are under considerable pressure from the European Commission and the Bulgarian Presidency. The Presidency proposal still requires Online Content Sharing Service Providers (OCSSPs) to implement a duty of care and ex ante measures, and explicitly excludes all OCSSPs giving the public access to copyright protected works from the exemption of liability defined in the E-Commerce Directive. The Presidency stipulates that a liability exemption is only possible where service providers apply preventive measures, and if some content is still made available, service providers are expected, upon notification of rightsholders, to take it down. Concerning the scope, on a positive note, internet access providers are still excluded. The European Parliament will adopt its position on 20-21 June. Therefore, negotiations between the institutions would start under the Austrian Presidency in July at the earliest.