News

EU Policy Update - February 2020

2020-03-09 EU Policy Updates

In a nutshell: The European Commission published its digital strategy, data strategy and White Paper on Artificial Intelligence, and plans to open a public consultation on priorities in cybersecurity certification. Digital Commissioner Breton voiced the need for a 'stay-down' duty, in addition to content takedowns by online intermediaries. Germany will focus on online hate speech during its presidency in the Council of the EU in the second half of 2020. The European Parliament is in a hurry to issue its three own-initiative reports on the Digital Services Act, with the Rapporteur for the Legal Affairs committee calling to re-focus the debate on a "follow the money" approach. The EDPB has provided guidance on the applicability of the GDPR to unfair algorithms.

Digital agenda

The European Commission published its digital strategy: "Shaping Europe's digital future"

On 19 February, the European Commission published its digital strategy and vision for digital policymaking in the next five years. The digital agenda outlines several legislative and non-legislative initiatives planned by the Commission in the months to come. Some of the highlights that are relevant for digital infrastructure actors are as follows:

  • Digital Services Act (Q4 2020): new and revised rules to deepen the internal market for digital services, by increasing and harmonising the responsibilities of online platforms and information service providers and reinforce the oversight of platforms’ content policies in the EU. According to the Commission, the sale of illicit, dangerous or counterfeit goods and dissemination of illegal content must be tackled as effectively as possible.
  • Delivering a new Consumer Agenda (Q4 2020).
  • Revision of the eIDAS Regulation (Q4 2020): to improve its effectiveness, extend its benefits to the private sector and promote trusted digital identities for all Europeans. According to the Commission, a universally-accepted public eID is necessary for consumers to have access to their data and securely use the products and services they want without having to use unrelated platforms and unnecessarily sharing personal data with them.
  • A European cybersecurity strategy, including the establishment of a joint Cybersecurity Unit, a review of the Security of Network and Information Systems (NIS) Directive and a push to the single market for cybersecurity.

Data protection

European Commission unveiled "A European strategy for data"

On 19 February, the European Commission published its data strategy. According to the Commission, "data is the lifeblood of economic development", as "the basis for many new products and services, driving productivity and resource efficiency gains across all sectors of the economy". Not only does data allow "for more personalised products and services", it also enables "better policy making" and upgrades government services. The data strategy acknowledges different concepts to data access exercised in the US and China, while stressing the need for Europe to find its own way, "balancing the flow and wide use of data, while preserving high privacy, security, safety and ethical standards". In order to use the potential of data economy to benefit individuals and society at large, the European Commission aims "to create a single European data space – a genuine single market for data, open to data from across the world – where personal as well as non-personal data, including sensitive business data, are secure and businesses also have easy access to an almost infinite amount of high-quality industrial data". According to the European Commission, "currently there is not enough data available for innovative re-use, including for the development of artificial intelligence". Obstacles for data re-use in Europe include (but are not limited to) fragmented legal frameworks across Member States, lack of economic incentives for business-to-business data-sharing, imbalances in market power, lack of interoperable standardised formats for gathering and processing data from different sources, and problems on both the supply and demand side of cloud.

As part of its vision towards a strengthened data economy, the European Commission intends to put in place:

  • A legislative framework for the governance of common European data spaces (in Q4 2020) to "foster data interoperability between sectors and, where relevant, within sectors" (focus on standardisation activities).
  • Data Act (2021), which inter alia intends to include the revision of the Database Directive and a possible clarification of the application of the Trade Secrets Protection Directive (evaluation of the EU IPR legal framework).

EDPB provided guidance of applicability of GDPR to unfair algorithms

In their response to MEP Sophie in 't Veld's request concerning the appropriateness of the GDPR as a legal framework to protect citizens from unfair algorithms, the European Data Protection Board (EDPB) questioned the general validity of a common assumption "that the more data is used to train algorithms, the more accurate they become at predicting what they were trained to do". According to the EDPB, the "data maximisation" approach creates an incentive for potentially unlawful data collection and further processing. Algorithms are becoming more and more complex, which makes them less transparent, according to the EDPB. When it comes to algorithmic decision-making, the general principles enshrined in Article 5 of the GDPR, "specifically lawfulness, fairness and transparency, accuracy, data minimisation and purpose limitation govern the processing of personal data, both when creating and using algorithms". The GDPR also requires "anyone using an algorithm for automatic decision-making, to inform data subjects of the existence of this process and provide meaningful information about its logic, as well as the significance and envisaged consequences", according to the EDPB. Lastly, the EDPB considers that there is already an extensive legal framework around data protection, and additional legislation in the area of data protection aimed at a specific technology is premature at this time. The focus should rather be on the development of existing norms, especially transparency and accountability requirements.

Cybersecurity

The European Commission revealed its White Paper on Artificial Intelligence

On 19 February, the European Commission published its "White Paper on Artificial Intelligence - A European approach to excellence and trust". According to the White Paper, Europe needs to strive towards creating an "ecosystem of excellence" and an "ecosystem of trust" when coming up with the policy and regulatory framework for artificial intelligence (AI). According to the Commission, AI technologies have many public benefits, for example by "equipping law enforcement authorities with appropriate tools to ensure security of citizens". In particular, it helps identify online terrorist propaganda and "identifying dangerous hidden objects or illicit substances or products". However, AI also poses a certain high risk to our society, according to the White Paper. Hence, AI technologies change the concept of safety currently established in the EU by the relevant legal framework. According to the White Paper, these risks may be linked to cyberthreats, personal security risks or risks that result from loss of connectivity. In order to support consumers' trust in AI technologies, particular "key requirements" might benefit from being explicitly covered by the upcoming EU regulatory framework on AI. Currently, the requirements regarding transparency, traceability and human oversight of algorithmic decision-making are not specifically covered under any valid legislation. In addition to proposing amendments to existing legislation (e.g. Product Safety Liability Directive), "a new legislation specifically on AI may be needed". Furthermore, ENISA is currently planning to conduct a threat landscape study on AI, in order to feed into the European Commission's work on AI. Following the publication of the White Paper, the European Commission is gathering feedback from the public. The public consultation is open until 31 May.

European Commission plans to open a public consultation on the priorities in cybersecurity certification

At a cybersecurity event in Brussels, a representative of the European Commission provided some information on the current cybersecurity certification schemes in the pipeline, following the implementation of the EU Cybersecurity Act (CSA). The CSA establishes the first EU-wide certification framework that envisages the introduction of cybersecurity certification schemes for "ICT products, ICT services and ICT processes". Under the CSA, a "path for mandatory certification" is open but currently, the priority is in making sure that the schemes are introduced. The priorities for future schemes need to be identified in the Union Rolling Work Programme, adopted by the European Commission. The Commission is planning to open a public consultation on the priorities within the Union Rolling Work Programme by the end of Q1 2020. Any mandatory scheme that might be introduced in the future needs to be accompanied by relevant legislation, according to the European Commission. Any mandatory schemes also need to be justified by the corresponding market developments.

Content moderation

Germany will focus on online hate speech during its presidency in the Council of the EU

Germany's Justice Minister, Christine Lambrecht, has stated that Berlin will focus on European cooperation to tackle online hate speech during its upcoming presidency in the Council of the EU (starting from July 2020). She also stressed that European rules need to focus on holding digital platforms accountable for being inactive when incitement of hatred takes place on their services. The statement is in line with the recent amendment passed by the German government to tighten what is already one of the toughest legal frameworks for the removal of potentially illegal material. According to the existing German legislation – the Network Enforcement Act (also NetzDG) - social media platforms are required to remove potentially illegal material from their services within 24 hours of being notified. The new legislative proposal, approved by the German government in February, obliges platforms to report content related to terrorism, racial hatred and child sexual abuse to the Office of the Federal Criminal Police, including providing information on "the last IP address and port number most recently assigned to the user profile".

The Rapporteur for the Parliament's own-initiative report on the Digital Services Act in JURI calls to re-focus the debate

The rapporteur for the own-initiative report in the European Parliament's Legal Affairs Committee (JURI), MEP Tiemo Wölken (Group of the Progressive Alliance of Socialists & Democrats - S&D), has stated at an industry event in Brussels that when it comes to the digital agenda of the EU, regulations (as in the highest form of binding EU legislation) are much more welcome than directives, in order to minimise their potentially divergent implementations across Member States. When it comes to the Digital Services Act (DSA), MEP Wölken stressed that the question of intermediary liability should be avoided as the primary focus of the debate. Instead, a fresh approach to the DSA is needed, including by taking a "follow the money" approach. The transparency of decision-making processes on the platforms, with a focus on the ad business should be one of the key issues in the upcoming DSA discussions, according to MEP Wölken. During the hearing in the European Parliament, MEP Wölken stressed the need to make sure that the removal of content "stays in the hands of judiciary", but a 'duty of care' for platforms is, nevertheless, needed. In addition, the S&D Position Paper on the "Our Inclusive Digital Europe - Leaving Nobody Behind. Offering Opportunity For Everyone" (adopted on 5 February) stresses the need to impose obligations on platforms to "make their used algorithms transparent as these may easily influence consumers’ choices and opinions".

Commissioner Thierry Breton: online intermediaries should have a 'stay-down' duty when dealing with illegal content

Digital Commissioner Thierry Breton addressed the European Parliament during the hearing with JURI and gave a few insights into the Commission's thinking on the intermediary liability reform. According to Commissioner Breton, the Commission is looking into the possibility of introducing an 'ex ante' regulation, similar to the highly-regulated telecom sector to bring clarity into intermediaries' responsibilities in tackling illegal content online. According to Commissioner Breton, it is important that illegal content stays down when it comes to takedowns. The Commissioner supported the prohibition of general monitoring that is currently being codified in the e-Commerce Directive. However, according to Breton, there is a need to analyse the possibility of platforms to monitor their services within legal limits and within their own capacity.

Outside the EU bubble

The Singapore High Court: cybersquatting is against public policy objectives

An interesting domain name dispute case was recently concluded in Singapore (as reported by Neil Wilkof, IPKat) where the High Court ruled that a domain name transfer agreement can be precluded by public policy considerations in the case of cybersquatting. While cybersquatting per se is not considered illegal according to Singapore's legislation, the court, nevertheless concluded that "[...]in the current world where the reach of the Internet is so wide, and the use of Internet websites is so pervasive, the abusive and/or illegal usage of domain names needs to be controlled and/or curbed. The court takes judicial notice of the fact that the world wide web was invented by Tim Berners-Lee back in 1989; he wrote the first web browser in 1990.[...]The use of the internet has expanded exponentially since with its attendant abuse. Such abuse must be arrested".