EU Policy Update - July 2016 (II)

2016-08-08 EU Policy Updates

Will the EU see a new data retention law? The Commission’s plans for a new EU-wide data retention law will have been reinvigorated by the recent opinion of the ECJ’s Advocate General. The latter states that a general obligation to retain data may be compatible with EU law provided that strict safeguards are in place. Accordingly, the “bulk collection” of data would only be admissible in the fight against serious crime, when strictly necessary to do so and when limited to the strictly necessary. It will be up to national courts to decide if these requirements are met. However, one can assume that in order to avoid a fragmented approach across the EU, the Commission will want to put it under the umbrella of an EU directive.

EDPS wants to expand scope of ePrivacy directive: The European Data Protection Supervisor (EDPS) sees a clear need to extend the scope of the ePrivacy framework (see opinion) to cover more types of communication services and providers. Individuals should be protected across all “functionally equivalent” services (e.g. telephony and Voice over IP). New services should also be protected (e.g. machine-to-machine communications in IoT), irrespective of the type of network or communication service used. Users’ confidentiality should be protected across publicly accessible networks, including Wi-Fi in hotels, coffee shops, etc. “Genuine” consent should be pivotal, especially when it comes to tracking and monitoring for traffic and location data. End-to-end encryption should be allowed, and “back-doors” (decryption, reverse engineering) should be prohibited. Prior consent “for all types of unsolicited electronic communications” should be required. The EDPS is an independent institution of the EU and has a merely advisory role.

DPAs’ role in Privacy Shield: National data protection authorities (DPAs) will play a crucial role in the enforcement of provisions of the new EU-US Privacy Shield. They will help EU citizens “exercising their rights under the privacy shield mechanism, in particular when dealing with complaints” (see statement). Their European grouping, the Article 29 Working Party, will review the effectiveness of safeguards in 2017. Companies can sign up to the new transatlantic data transfer agreement as from 1 August 2016.

European Agenda on Security: Where do we stand? The Commission sees itself well on track when it comes to putting in place actions to tackle security threats over the period of 2015-2020 (see MEMO). Actions with a “digital” dimension include the fight against terrorism (e.g. Directive on Terrorism, now in trilogue, see also EP Briefing; launch of the European Counter Terrorism Centre as part of Europol); radicalisation (Communication June 2016, incl. illegal hate speech online; the EU Internet Forum and the Code of Conduct; creation of the EU Internet Referral Unit at Europol); and research and innovation (cybersecurity funding under Horizon 2020). The Commission feels thwarted in a couple of areas where things move at an unsatisfactory speed (e.g. border control, PNR, terrorist financing, the terrorism directive) and would like to move ahead with a couple of other actions (e.g. stronger and smarter information systems, strengthening of the European Counter Terrorism Centre, jurisdiction for accessing digital evidence).

Half a million replies to BEREC’s net neutrality consultation: It remains to be seen if the Body of European Regulators for Electronic Communications will be able to “digest” all input by its meeting on 30 August. On this day, BEREC plans to share the outcome of the public consultation on its proposed guidelines on the implementation of European net neutrality rules by National Regulators (NRAs). Their obligations to monitor and ensure compliance with the rules are set out by the Telecoms Single Market Regulation EU 2015/2120. CENTR submitted a Board of Directors contribution.

Review of telecoms framework sooner than expected: The European Commission is apparently set to publish its review document on 14 September rather than 21 September. A review is deemed necessary to take account of new app-based communication services (OTT) that provide services similar to those offered by “traditional” telecoms (e.g. Voice over IP), yet do not need to comply with the same level of regulation or requirements (e.g. providing emergency calls). It will also look into spectrum allocation and 5G investment. The Commission’s proposal for a copyright review is still expected for 21 September.

CNIL accuses Microsoft of breaking French data protection law: The National Data Protection Commission (CNIL) issued a public formal notice to the company requesting it to stop collecting excessive data and tracking browsing by users without their consent through the new operating system Windows 10. According to CNIL, the privacy policy failed to comply with the French Data Protection Act in various areas, including: irrelevant or excessive data being collected, a lack of security (authentication), a lack of individual consent (default setting for advertising), no option to block cookies, and data being transferred to the US under the invalidated “safe harbour”. Microsoft now has three months to comply with the French law, otherwise CNIL may move towards sanctions.

Reactions in Germany after various attacks: The German government is set to step up its fight against propaganda inciting terrorism and hate speech online. While the Minister of the Interior called on ISPs to take on more responsibility and liability for crimes committed in their networks, the Minister of Justice has expressed his dissatisfaction with Facebook’s efforts to delete hate speech online (“too little, too slow, often the wrong things”). The need for further regulation would be lower, “the better companies manage to take on their responsibility” – a statement that some interpreted as an indirect threat to come up with (European) regulation.

ENISA evaluation: ENISA has to undergo a performance review to see if the EU Agency meets its objectives and sticks to its mandate (retrospective) and to assess whether these have to be modified and extended (forward looking). This might be the case, especially in the light of new tasks that have been assigned to the agency by the NIS Directive. The evaluation is scheduled to be concluded in Q2 2017 (see roadmap).

Law enforcement and security companies unite to fight ransomware: Europol, Intel Security, Kaspersky Lab and Dutch police join forces on the new online portal against ransomware.

Details on the investigatory powers bill: If you are interested in the draft text and impact assessment of the UK’s “spy bill”, you can find more details here. It sets out the legal framework for the state “to acquire and retain communications, communications data and other information, ensuring that UK law enforcement agencies and the security and intelligence agencies continue to have the tools necessary to investigate and prevent criminal activity and threats to national security.”
