EU Policy Update - April 2020
In a nutshell: Europol issued its report on cybercrime and the COVID-19 pandemic. The European Parliament has been busy with numerous committees advancing on their draft reports and opinions for the Digital Services Act. The European Court of Justice ruled that Amazon is not infringing trademark rights by storing infringing goods on behalf of a third-party seller. The Advocate-General of the European Court of Justice issued an opinion in the case of the enforcement of intellectual property rights against YouTube.
Europol issued its report on cybercrime and the COVID-19 pandemic
On 3 April, Europol issued its report on "Catching the virus, cybercrime, disinformation and the COVID-19 pandemic". According to Europol, "the impact of the COVID-19 pandemic on cybercrime has been the most visible and striking compared to other criminal activities”. One of the key findings presented by Europol in its report is that COVID-19 related phishing and ransomware campaigns "are expected to continue to increase in scope and scale". At the same time, Europol reported that "only a slight increase in the number of distributed denial-of-service (DDoS) attacks has been observed" following the outbreak of the COVID-19 pandemic. When it comes to malicious domain name registrations, Europol stated that "following an initial spike" in the COVID-19 related registered domains, the current figures show that "this appears to have stabilised". According to Europol, "these registered domain names form the backbone for many criminal operations". When it comes to the sale of illicit goods online, Europol reported that "so far, there has not been a notable increase in the number of users buying" these goods.
European Parliament advances on the (numerous) own-initiative reports on the Digital Services Act
The month of April was busy for the European Parliament, with numerous committees advancing on their draft reports and opinions for the upcoming legislative reform - the Digital Services Act (DSA). The most interesting excerpts for technical operators are identified below (in chronological order of their publication):
- Draft Opinion of the Committee on Civil Liberties, Justice and Home Affairs (LIBE) for the Committee on the Internal Market and Consumer Protection (IMCO): recommends that the Commission should "work on harmonising the national personal identification sign-ins with a view to creating a single Union sign-in system in order to ensure the protection of personal data and age verification".
- Draft Opinion of IMCO to LIBE: The Draft Opinion states that the liability exemptions in the e-Commerce Directive "must be maintained and strengthened" in the DSA. The Draft Opinion also recognises that SMEs and large players have "differing capabilities with regard to the moderation of content" and warns "that overburdening businesses with disproportionate new obligations could further hinder the growth of SMEs and require recourse to automatic filtering tools, which may often lead to the removal of legal content". The Draft Opinion also notes the "significant differences between digital services” and “calls for the avoidance of a one-size-fits-all approach".
- Draft Report of the Committee on Legal Affairs (JURI): The Draft Report focuses on the market dominance that some businesses offering digital services enjoy "due to strong data-driven network effects". The Draft Report notes potential rule of law concerns when content is removed without a clear legal basis, for example when hosting platforms are encouraged to pro-actively remove content based on "automated content removal mechanisms". The Draft Report proposes that the DSA should include "a regulation that establishes contractual rights as regards content management, lays down transparent, binding and uniform standards and procedures for content moderation, and guarantees accessible and independent recourse to judicial redress". The Draft Report considers that any final decisions on the legality of user-generated content must be made by "an independent judiciary and not a private commercial entity". To this end, the Draft Report recommends "the establishment of a European Agency tasked with monitoring and enforcing compliance with contractual rights as regards content management". The suggested European Agency should also be able to impose fines of up to 4 % of the total worldwide annual turnover for non-compliance with the DSA, according to the Draft Report. When it comes to the scope of the DSA, the Draft Report suggests that the Regulation should apply to "content hosting platforms of content that is accessible in websites or through smart phone applications in the Union". The Draft Report also calls for a "stay-up principle" that guarantees that "content that has been subject of a notice shall remain visible until a final decision has been taken regarding its removal or takedown".
- Draft Report from IMCO: Highlights that the COVID-19 pandemic has “exposed serious shortcomings of the current regulatory framework which call for action at Union level" to address difficulties for the e-Commerce sector. The Draft Report notes that "information society services[...] bear significant social responsibility in terms of protecting users" and "preventing their services from being exploited abusively". The Draft Report notes that the "COVID-19 pandemic has shown how vulnerable EU consumers are to misleading practices" of selling fake or illegal products online, and that this problem is aggravated by the fact that "often the identity of these companies cannot be established". Therefore, the Draft Report calls on the Commission to require service providers to "verify the information and identity of the business partners with whom they have a contractual commercial relationship", and to ensure that the "information they provide is accurate and up-to-date" (the so-called "Know Your Business Customer" principle). The Draft Report also notes that "there is no 'one size fits all' solution to all types of illegal and harmful content" and calls for a more aligned approach at Union level. The Draft Report also stresses that safeguards from the legal liability regime for "hosting intermediaries" need to be preserved, along with the prohibition of general monitoring. The Draft Report considers that a "central regulatory authority should be established which should be responsible for the oversight and compliance with the Digital Services Act". Finally, in the interest of legal certainty, "the Digital Services Act should clarify which digital services fall within its scope". The new legal act, according to the Draft Report, should apply to all digital services, which are not covered by specific legislation. The Draft Report specifically calls on the Commission to clarify to what extent "new digital services", including domain name services fall within the scope of the DSA. When it comes to illegal content, the definition of what constitutes such content should be clarified in the DSA. The Draft Report suggests that "a violation of EU rules on consumer protection, product safety or the offer or sale of food or tobacco products and counterfeit medicines, also falls within the definition of illegal content".
- Draft Report of LIBE: The Draft report stresses the need "that illegal content is removed swiftly and consistently in order to address crimes and fundamental rights violations" and "considers that voluntary codes of conduct only partially address the issue". To this end, the Draft Report calls for "barriers to filing complaints with competent authorities to be removed" when removing illegal content from platforms. The Draft Report expresses its strong belief "that the current EU legal framework governing digital services should be updated with a view to addressing the challenges posed by new technologies and ensuring legal clarity and respect for fundamental rights". The Draft report notes the challenge for law enforcement to conduct investigations when "some terms of services from content platforms do not allow law enforcement to use non-personal accounts" and calls for the terms of services of digital service providers to be "clear, transparent and fair". The Draft Report also supports "the creation of an independent EU body to exercise effective oversight of compliance with the applicable rules" under the DSA.
Advocate-General of the ECJ: Intellectual property rights enforcement online does not cover IP addresses
The Advocate General of the European Court of Justice (ECJ) delivered an opinion in the case of Constantin Film Verleih GmbH v YouTube LLC, Google Inc. The case concerns the refusal by YouTube to provide certain information required by a film distributor, Constantin Film Verleih, regarding users who have placed several films online in breach of Constantin Film Verleih’s exclusive intellectual property rights. More specifically, the film distributor has asked YouTube to provide it with the email addresses, telephone numbers and IP addresses used by those users. Under the EU Intellectual Property Rights Enforcement Directive 2004/48 Article 8, Member States are obliged to enable the competent judicial authorities in their jurisdiction to order that certain information be provided in the context of proceedings concerning an infringement of an intellectual property right. That certain information includes "names and addresses" under the Enforcement Directive but it does not specify whether an IP address or an e-mail address is considered to fall under the scope. The referring court (Germany) has asked the ECJ whether the EU Enforcement Directive must be interpreted as meaning that the Member States are obliged to enable the competent judicial authorities to order that information about a user who has uploaded files which infringe an intellectual property right, including the email address, telephone number, IP address used to upload those files and the IP address used when the user’s account was last accessed be provided. According to the Advocate General, the "usual meaning in everyday language must be the starting point in the process of interpreting the concept of ‘names and addresses’ used in Article 8(2)(a) of Directive 2004/48". Deriving from that interpretation, the telephone number as requested by the German film distributor from YouTube cannot be included into the concept of 'names and addresses'. Furthermore, according to the Advocate General, in everyday language the term ‘address’ refers only to the postal address. Therefore, when it is used without any further clarification, that term does not cover the email address or the IP address.
ECJ: Amazon is not infringing trademark rights by storing infringing goods on behalf of a third-party
The European Court of Justice (ECJ) delivered its judgment in the case of Coty Germany GmbH v Amazon. The dispute concerns the sale of a trademark-infringing product on <www.amazon.de> by a third-party seller. The rightsholder in the case argued that Amazon is not solely a warehouse-keeper who does not provide any assistance in the sale of the goods it stores in its warehouse. On the contrary, Amazon replaces the seller entirely "in the notice for sale and when the contract of sale is performed", hence making the company liable for trademark infringement in the case, according to the provisions of the EU trademark law. The ECJ noted that that the EU trademark law provisions "are intended to provide a trademark proprietor with a legal instrument allowing him to prohibit, and thus to prevent, any use of his trademark by a third party without his consent. However, only a third party who has direct or indirect control of the act constituting the use is effectively able to stop that use and therefore comply with that prohibition”. Hence, by merely storing the third-party trademark-infringing goods in its warehouses, an online marketplace operator like Amazon is not 'using' the trademark that can justify the counteractions by the rightsholder under the EU trademark law. The ECJ left open the question, however, of whether Amazon could become liable for trademark infringement indirectly under the e-Commerce Directive, as "the referring court did not raise that question".