EU Policy Update - January 2019
In a nutshell: LIBE issued a Draft Report on the proposal for preventing the dissemination of terrorist content online; and asks the European Commission to put more work into its e-Evidence proposal. The Romanian Presidency has proposed a new compromise for the Copyright Directive to reconcile the differences between France and Germany on the exclusion of SMEs; and is attempting to move forward with the ePrivacy file. The trilogues have been concluded on the new rules for the re-use of public sector information.
Law enforcement access
e-Evidence: LIBE asks the EC to put more work into its e-Evidence proposal
On 7 February during the public hearing on the European Production and Preservation Orders in the Civil Liberties, Justice and Home Affairs Committee of the European Parliament (LIBE), MEPs expressed their concerns with the current e-Evidence Proposal by the European Commission, that puts specific new obligations on the service providers when dealing with foreign data-access requests. The Rapporteur, Birgit Sippel, questioned the legal basis of the e-Evidence Proposal and called for more clarity in the rules concerning access to different types of data. In her view, existing international judicial cooperation rules cannot be neglected and “traffic data” needs additional safeguards. Other concerns voiced by MEPs include the inability for SMEs to comply with a strict deadline of providing proper and secure access to requested data within 6 hours; a need for reimbursement mechanisms for the service providers and respect towards the dual criminality principle of international criminal law.
LIBE issues the Draft Report on the TERREG proposal
On 21 January the Civil Liberties, Justice and Home Affairs Committee of the European Parliament (LIBE) published its Draft Report on the Proposal for a Regulation on preventing the dissemination of terrorist content online (TERREG). The initial Proposal for a Regulation introduces the obligation for online hosting service providers to remove content that has been flagged as ‘terrorist’ within a tight deadline of one hour. The LIBE's Draft Report clarifies the definition of a 'hosting service provider' that falls under scope of the Proposal to include the service providers which make the stored information available to the public. The intention of this clarification, according to the Draft Report, is to avoid "a conflict with principles of privacy and undermine the provision on cloud infrastructure services". In case of delay with complying with the obligations set in the Proposal, competent authorities shall consider the size of a hosting service provider to be a mitigating factor when determining the type and a level of penalties, according to the Draft Report. Another Parliamentary committee IMCO, that has previously argued that they should receive shared competence over the file, has proposed that its Draft Opinion should explicitly exclude "services provided in[...]layers of the Internet infrastructure, such as registries and registrars, DNS (domain name system)". The main committee responsible for the Parliamentary position, LIBE, has however decided to support only the exclusion of cloud services from the scope of the TERREG in its Draft Report.
Copyright Directive: tensions in the EU Council delay further negotiations
The latest trilogue on the file was cancelled due to EU Member States refusing to endorse the Romanian Presidency's mandate to lead the negotiations on behalf of the EU Council. On 21 January MEP Catherine Stihler expressed her concerns with her EP colleagues in IMCO about the on-going interinstitutional negotiations with the EU Council and the European Commission. According to MEP Stihler, discussions in the meetings are disappointing, in particular regarding how the leading committee on the file, the Legal Affairs Committee of the European Parliament (JURI) is handling the negotiations. MEP Stihler also expressed her disappointment with the way IMCO has been treated in these negotiations. Meanwhile, the EU Council is hoping to move forwards in finding common ground when it comes to the possible exception from content monitoring obligations for SMEs. France and Germany disagree on such an exception. The latest text does not provide a blanket exception to SMEs and forces all platforms to conclude licensing agreements with rightsholders. However, as a compromise the Romanian Presidency is introducing a softer liability regime for SMEs with a turnover of less than 10 million euros and whose services have been available to the public for fewer than 3 years. These platforms are only to be subject to a notice and take down obligation in the first three years of their business activity. After that they will be obliged to comply with Article 13 and the additional filtering obligations set within, as proposed by the new compromise text. The Romanian presidency’s proposed compromise has been approved by the EU Council on 8 February. The trilogues will be resumed in the course of February.
New rules for the re-use of public sector data in the EU
On 22 January negotiators from the European Parliament, the EU Council and the European Commission reached an agreement on a revised set of rules for the re-use of public sector information (PSI Directive). According to the revised PSI Directive all public content that can be accessed under national Freedom of Information rules is in principle freely available for re-use. A particular focus will be placed on high-value datasets such as statistics or geospatial data as they are seen to have a high commercial potential. The scope of the Directive has also been enlarged to include open access to research data resulting from public funding. Public undertakings providing services on markets that are exempt from public procurement rules will also be exempt from any the obligations under the PSI Directive, insofar as their data are related to those services. The European Parliament and the EU Council will need to formally adopt the revised rules. The Commission will start working with the Member States on the identification of the high-value datasets which will be set out in an implementing act.
ePrivacy: compromise proposals from the Romanian presidency
The Romanian Presidency has put forward a proposal for compromise to address some of the concerns identified by Member States to break through the deadlock of the file in the EU Council. The proposal addresses the processing of electronic communications data for the purposes of child protection and the exclusion of national security and defence from the scope of ePrivacy. According to the text of the proposal, Article 6(1) has been modified to allow further data processing to enable the detection and deletion of material constituting child pornography. The compromise proposal also suggests excluding purposes for national defence and security activities from the scope of the ePrivacy, due to the concerns identified by Member States at an earlier stage. The compromise proposal does not specify which activities fall under this exception.
ENISA publishes its Threat Landscape Report for 2018
On 28 January ENISA published its annual Threat Landscape Report. According to the Report, 2018 is a year that has brought significant changes in the cyberthreat landscape. The main cyberthreat trends in 2018 include the fact that e-mail and phishing messages have become the primary vector for malware infection. The most common techniques that phishers used were domain typosquatting, domain shadowing, maliciously registered domains, URL shorteners and subdomain services. The riskiest and most spammy top-level domains, according to the Report, are .gq, .cf, .loan, .tk, .ml, .ga. .men, .faith, .top and .racing. The report also gives a few policy recommendations to policy makers, identifying the need to abolish regulatory barriers to collect and coordinate cyberthreat intelligence.