×

EU Policy Update - June 2024

EU Policy Updates 02-07-2024

In a nutshell: The Hungarian Presidency set its priorities for the Council of the EU, ahead of its term starting from 1 July. The Belgian Presidency published a progress report on the FiDA and insolvency directives reform. The Council of the EU reached an agreement on a common position regarding GDPR enforcement reform. FRA issued a report about the experiences of data protection authorities. The European Commission published a draft implementing act on the NIS 2 Directive. G7 leaders adopted the Apulia communiqué, including its political priorities for cybersecurity. The High-Level Group on Access to Data for Effective Law Enforcement published recommendations. European citizens elected their representatives in the European Parliament for 2024-2029.

The Hungarian Presidency set its priorities for the Council of the EU

From 1 July Hungary’s term for the presidency of the Council of the EU is taking place until the end of 2024. Ahead of its term, the Hungarian Presidency unveiled its programme, setting its priorities and main directions for the next months. The Hungarian Presidency will put “a strong emphasis on improving European competitiveness, integrating this objective into all policies, by applying a holistic approach”. In thematic areas, the Hungarian Presidency notes the importance of the proposal for financial data access regulation (FiDA), that reflects “the challenges and opportunities of digitalization”. In the field of organised cybercrime, the Hungarian Presidency will continue working on developing “a long-term legislative solution to prevent and combat online child sexual abuse”. In the area of data retention and access to from law enforcement, the Hungarian Presidency highlights the importance of training, information and communication on EU law enforcement priorities in Member States and EU institutions. Negotiations on the draft directive on insolvency proceedings is highlighted as work in progress during the Hungarian Presidency, with a particular focus on competitiveness. In the telecom sector, Hungary’s priorities are “adopting Council conclusions that reflect on the white paper of the European Commission [on the future of the European telecom sector] and reviewing the experiences gained from numerous legislative and policy initiatives in recent years”. Hungary is also planning to evaluate the implementations of the Digital Services Act, and prepare the implementation of the AI Act and the European Digital Identity Regulation. In terms of the upcoming legislative initiatives, Hungary anticipates the review of the Cybersecurity Act and the presentation of an EU Space Law.

Data protection

The Belgian Presidency issued a progress report on FiDA

On 14 June, the Council of the EU published a progress report on FiDA negotiations (see our previous reporting here). The presented text cannot be considered a compromise text, as several comments from Member States have not yet been addressed. With regard to including domain name registries and registrars in scope of the FiDA proposal as part of the enforcement measures, the proposed changes to Article 18 include the alignment of the text with the CPC Regulation and the Regulation of Crypto-Market Assets (MiCA). These changes would allow competent authorities to order registries and registrars to delete domain names of non-compliant financial services, but only as a measure of last resort, with the possibility for competent authorities to register deleted domain names. In addition, the enforcement measures involving domain registries and registrars leaves a margin of discretion to competent authorities subject to compliance with the principles of (national) administrative law (e.g., proportionality). According to the Belgian Presidency interpretation, the wording in Article 18 does not make the use of enforcement measures involving domain registries mandatory. According to the Belgian progress report and as highlighted by the Spanish Presidency before, “a general desire in the Council to proceed with caution” remains. The data sharing activity, the sensitivity of data in scope and the potential implications on the financial sector and on consumer protection “call for a thorough and well-thought approach when reviewing the FiDA Regulation Proposal”.

The Belgian Presidency made some progress in negotiations on the insolvency proposal

The Council of the EU published several Belgian Presidency proposals for compromise on the proposal on the insolvency directive: see here and here (and our previous reporting here). The insolvency directive concerns access to “national asset registers” and other information concerning financial assets of an insolvent estate, including domain registration information. The Belgian Presidency’s compromise proposal suggests limiting access to national asset registers in Article 18 (including domain name registries) by insolvency practitioners across the EU only if such access is available according to national law. In addition, access to information held by national asset registers should be provided swiftly, but not necessarily in an automatic way, according to the Presidency’s compromise proposal. Insolvency practitioners should be able to contact registers located in a different Member State directly, yet national access conditions should apply. In addition, the proposal also envisages transfer of contracts of the debtor without consent of suppliers or counterparty of the contracts. The Belgian Presidency proposal includes a reference to the ‘intuitu personae’ principle that limits automatic contract transfer in cases when the contract was entered into on the basis of personal attributes of contractual parties. According to the progress report issued by the Belgian Presidency, most Member States have raised objections to the establishment of a special EU regime for insolvent microenterprises, that amongst other things includes the establishment of electronic auction systems of assets belonging to insolvent business. As on the way forward, Member States welcome the increase in the number of working party meetings and the acceleration of the speed of work, which reflects the high political priority of the insolvency reform.

The Council of the EU reached an agreement on a common position regarding GDPR enforcement reform

On 13 June, the Council of the EU reached a common agreement on its position regarding the ongoing GDPR enforcement reform (see our previous reporting here). The proposal for the Regulation laying down additional procedural rules relating to the enforcement of the GDPR concerns improving cooperation between national data protection authorities in cases of cross-border GDPR enforcement. Once adopted, the regulation will provide tools to speed up the process of handling cross-border complaints filed by data subjects, and any follow-up investigations. It also clarifies the procedural deadlines and steps of an investigation and for the adoption of a binding opinion by the European Data Protection Board (EDPB). The Council agreed that throughout the cooperation procedure, national data protection authorities should be able to provide their views to the lead supervisory authority. The Council also introduces an early resolution mechanism which allows authorities to resolve a case prior to initiating the standard cross-border procedure. This can be the case when the company or organisation in question has addressed the infringement or when an amicable settlement to the complaint has been found.

FRA issued a report on experiences of data protection authorities

On 11 June, the European Union’s Fundamental Rights Agency (FRA) issued its report on “GDPR in practice: Experiences of data protection authorities”. The European Commission is due to publish its second evaluation report in 2024. Ahead of the second evaluation, the European Commission requested that FRA collects data on the experiences, challenges and practices identified by data protection authorities (DPAs) in implementing the GDPR. From the fieldwork data, FRA identified the following key challenges faced by DPAs when implementing the GDPR: 1) Inadequate resources risk undermining the DPAs’ mandate and independence; 2) Investigatory measures listed in the GDPR are appropriate but could be complemented with other tools to reinforce DPAs’ supervisory capacity; 3) Large number of complaints; 4) Awareness among the general public on data protection does not necessarily mean that they actually understand legislation; 5) Providing scientific researchers with advice, due to the lack of field- and technology-specific guidance; 6) Advising and supervising public bodies acting as data controllers; 7) Data protection challenges posed by new technologies; 8) EDPB internal structures and cooperation model that may create overhead for the national DPAs.

Cybersecurity

The European Commission published a draft implementing act on the NIS 2 Directive

On 27 June, the European Commission published a draft implementing act under the NIS 2 Directive, specifying the rules concerning technical and methodological requirements of cybersecurity risk-management measures and further specification of the cases in which an incident is considered to be significant with regard to DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online market places, of online search engines and of social networking services platforms, and trust service providers. According to the draft implementing act, some of the network security measures require a multistakeholder approach in identifying “the best available standards and deployment techniques”. These security measures include i) the transition towards latest generation network layer communication protocols, (ii) the deployment of internationally agreed and interoperable modern e-mail communications standards, and (iii) the application of best practices for Internet routing security and routing hygiene. The draft also specifies when a cybersecurity incident can be considered significant for the aforementioned operators. According to the draft, an incident can be considered significant for TLD registries when a) an authoritative domain name resolution service is completely unavailable; (b) for a period of more than one hour, the average response time of an authoritative domain name resolution service to DNS requests is more than 10 seconds, (c) the integrity, confidentiality or authenticity of stored, transmitted or processed data related to the administration of the TLD is compromised. In the annex of the draft, the abovementioned operators, such as TLD registries, can find the list of cybersecurity risk-management measures that specify the implementation of Article 21 of the NIS 2 Directive. The European Commission welcomes public feedback on the draft implementing act before 25 July.

G7 leaders adopted Apulia communiqué

On 14 June, leaders of the G7 adopted the Apulia G7 Leaders' Communiqué that outlines areas of mutual cooperation on global challenges and interconnected crises. Amongst many areas of interest, the Communiqué outlines cybersecurity. According to the G7, the security of society depends on “an open, interoperable, safe, secure, resilient, human rights respecting use of cyberspace”. The G7 is working collectively on “advancing responsible state behaviour[...], through the application of international law, [...]targeted capacity-building initiatives, based on a multistakeholder approach”. The G7 is pursuing a “four-fold approach to counter malicious cyber activities”: i) responsible state behaviour; 2) improving cybersecurity of private sector; 3) developing tools to deter and respond to cybercriminals by disrupting their infrastructure; iv) strengthening cybersecurity capacity of partners. The G7 specifically recognises rising cyberthreats on critical infrastructure, such as the energy sector. More discussions on good cybersecurity practices, including supply chain resilience, are to be continued. G7 also promises to “promptly explore avenues towards establishing mutual recognition of schemes for reliable cyber-safe products”. In addition, the G7 communiqué highlights the risks of exporting dual-use technology, including quantum technologies. For these reasons, the G7 “will promote efforts, where necessary and according to our respective legal frameworks, to implement export controls to address risks to international security”. The G7 leaders also recognise the “common interest in ensuring the highest standards for sensitive data protection”.

e-Evidence

The High-Level Group on Access to Data for Effective Law Enforcement published recommendations

The High-Level Group on Access to Data for Effective Law Enforcement (HLG) issued its recommendations for facilitating law enforcement access to electronic data. The group consists of high-level representatives of the Member States, the European Commission, EU bodies and agencies, and the EU Counter-Terrorism Coordinator, and was established in June 2023. The recommendations do not represent an official European Commission position. According to the background information accompanying the recommendations, the EU has “strong rules to facilitate cross-border access to electronic evidence”, in a form of the regulatory e-Evidence package. However, the absence of data retention obligations “negatively affects the effectiveness of e-evidence rules, as there is no guarantee that all the information subject to European preservation or production orders[...] is available”. Moreover, the e-Evidence rules “do not address encryption”. The HLG considers the pace of technological developments in encryption to be “rapid to the point that existing decryption tools and techniques are becoming ineffective”. The HLG notes “the current absence of any level of harmonisation of data retention legislation across the EU and difficulties in meeting the criteria indicated by the CJEU” which limits general and indiscriminate retention of traffic and location data to fighting serious security threats and allowing only targeted retention of such data for fighting serious crime. Dynamic IP addresses are specifically noted as technological development that has evolved since the CJEU case-law was developed. The HLG took the view that the EU should require minimum levels of retention (at least of data needed to identify a user) from operators. The HLG recommends pursuing standardisation “to ensure harmonised categorisation of data to be retained and accessed, but also for establishing secure channels for the exchange between competent authorities and service providers”. The HLG also noted the issues of territorial jurisdiction over data and considers a legislative package to address jurisdictional issues, similarly to the e-Evidence Regulation, as well as bilateral agreements with countries such as the United States. On the topic of encryption, the HLG discussed the need for standardisation that could address operational law enforcement access in standards, such as 6G, and establishment of the “lawful access by design” principle for all “relevant technologies” (without weakening end-to-end encryption).

EU elections

EU citizens elected their representatives in the European Parliament for 2024-2029

EU elections weekend of 6-9 June concluded in a list of new MEPs who will take their office in the European Parliament for the term 2024-2029. According to Politico, the European People's Party (EPP) scored the highest according to the voting results. The Socialists and Democrats (S&D) remained stable, while the liberal Renew Europe group and Greens lost the most seats. The two groups in the European Parliament on the furthest right, the European Conservatives and Reformists (ECR) and the Identity and Democracy (ID) group, will control 131 seats. The seat projections per country are available here, while some EU Member States’ data (notably Estonia, Italy, Latvia, Slovenia and Spain) still remains provisional. The first plenary session of the new legislative term will take place from 16 to 19 July in Strasbourg. Before that session, the newly-elected Members are forming political groups based on shared political ideas. At the first plenary, the Parliament will elect its new President, vice-presidents, as well as decide on the number of MEPs who will be sitting in each parliamentary committee. At a later stage, MEPs will vote to elect a new President of the European Commission. Then they will assess candidates for commissioners through public hearings. The new Commission will need to secure Parliament approval in a plenary vote to take office.

Published By Polina Malaja
Polina Malaja is the Policy Director at CENTR, leading its policy work and liaising with governments, institutions and other organisations in the internet ecosystem.