EU Policy Update - Legislative status in 2019
In a nutshell: The end of 2018 was busy in Brussels. Legislators managed to agree on the new rules for.eu and to finalise trilogues on the Cybersecurity Act. The Romanian Presidency has picked up the baton from its Austrian counterparts in the EU Council and will continue discussions on e-Evidence, together with the Copyright Directive and the Terrorist Content Regulation in 2019. 30 initiatives under the "Digital Single Market" proposal by the Juncker-led European Commission were intended to be completed by the end of 2018, with 7 open files still awaiting final agreement in the course of 2019 before the new European Parliament is elected in May. The Romanian Presidency expects to reach an agreement on the Copyright Directive and ePrivacy.
Changes coming up in .eu
New rules for .eu are approved by co-legislators
On 19 December 2018 the ambassadors of EU Member States in the EU Council endorsed the agreement on the new .eu rules, achieved in the trilogue discussions with the European Parliament and the European Commission. On 14 January 2019 the agreed text was approved by the European Parliament, after which it needs to be confirmed by the telecom ministers in the Council of EU. Following adoption, the regulation will be published in the EU's Official Journal. It will enter into force 20 days after publication. The new rules will apply from 13 October 2022, except for the revised eligibility criteria that will enter into force in 6 months after publication. The new .eu regulation revises the eligibility for a .eu domain name to include EU citizenship, irrespective of one's residence. Other revisions include the European Commission's mandate to work with other EU agencies to fight speculative and abusive registrations of domain names, including cybersquatting. Special attention in the revised regulation is given to the European Union Intellectual Property Office (EUIPO). The Commission shall assess how to cooperate with EUIPO to fight abusive registrations by June 2022. In addition, a special Multistakeholder Advisory Group is bound to be established by the European Commission to advise the latter on the governance of the .eu registry. The Group should reflect the principles of Multistakeholderism and could consist of representatives from the private sector, the technical community, civil society and academia, as well as from Member States' authorities and international organisations.
UK Government advises on the registration of .eu domain name in case of a no-deal Brexit
On 21 December 2018, the UK Government published its guidance on .eu top level domain name registrations in the event of a ‘no deal’ EU exit. Rightfully so, the UK Government based its analysis on the currently valid .eu Regulation from 2002, without taking into account the latest revision that is still yet to be formally adopted by the co-legislators in the coming months. Although the EU has revised the eligibility criteria for a .eu domain name to include EU citizens, meaning that UK residents with EU citizenship would be eligible for .eu domains, these changes would only apply for 6 months since after the publication of the new law. The UK's exit from the EU is scheduled for 29 March 2019, meaning the .eu rules from 2002 will continue to apply by the time of Brexit. UK registrants for .eu are therefore advised to consider whether they would like to transfer their domain names to other top-level domains. Notably, the UK Government is advising its citizens to consider top-level domains such as .com, .co.uk, .net or .org.
EU agrees on the establishment of EU-wide cybersecurity certification
On 19 December, the EU Council approved the agreement reached in the trilogues discussion for the new rules on EU-wide enhanced cybersecurity: the EU Cybersecurity Act. On 14 January 2019, the same text was approved by the Parliament’s leading committee on the file (Committee on Industry, Research, Telecoms & Energy – ITRE). The co-legislators ask the EU cybersecurity agency ENISA to assist Member States in their implementation of the NIS Directive. ENISA is asked to support the stability of the public core of the open internet, including in relation to the DNS, Border Gateway Protocol, and IPv6, as well as all top-level domains. ENISA may also be equipped to develop EU cybersecurity certification schemes at the request of the European Commission. The respective certification schemes under the Cybersecurity Act remain voluntary according to the agreement. The agreed text gives the European Commission the primary obligation in developing the respective certification schemes and obliges the Commission to asses regularly and at the latest by 31 December 2023 whether any particular EU cybersecurity certification scheme needs to be made mandatory. The Commission needs to then identify which services and products fall under mandatory certification. As a priority, the Commission will focus on the sectors listed in Annex II of the NIS Directive that includes ccTLDs. To assist the Commission in preparation of the certification schemes, two special advisory groups will be established: The Stakeholder Cybersecurity Certification Group and the European Cybersecurity Certification Group. The Stakeholder group is expected to include a wide representation of stakeholders, including service providers, standardisation bodies and consumer organisations, selected through a transparent and open call. The second group will consist of national cybersecurity authorities, while stakeholders and third parties can participate in their meetings.
Law enforcement access
e-Evidence: Council agrees on its position
On 7 December the Council of the EU adopted its general position on the e-Evidence file. The Council's text introduces ex-ante judicial validation for all European Productions or Preservation Orders in case the latter are issued with judicial oversight. The Council retained the distinction between on the one hand content and transactional data, and on other hand "less sensitive" subscriber and access data. Cross-border access to the latter can be authorised by prosecutors or "any other competent authority", provided the Order is validated by the judiciary or the prosecutor. This distinction is further enforced in the Council's text by introducing an exception to the involvement of judicial authorities of the receiving Member State when seeking subscriber and access data in emergency cases. In this case, the ex-ante validation by judicial authorities is not needed. The Council's position also introduces an additional safeguard for the service provider not to be able to comply with the Orders in case of a de facto impossibility to do so if "the data have been deleted lawfully before receiving the order". Sanctions for infringing the obligations set in the Regulation can be up to 2% of the total worldwide annual turnover of the service provider's preceding financial year, according to the Council's general approach. Trilogues on the e-Evidence proposal can start as soon as the European Parliament agrees on its position. The Parliament is yet to come up with its position, identifying a number of sensitive issues with the European Commission's initial proposal in its Working Document. Before it starts drafting "a legally sound legal instrument", the Parliament intends to draft further topical working documents with a more detailed analysis of the issues concerning for example, the relation with other international instruments, the execution of orders and the role of service providers, conditions for issuing Production and Preservation orders etc.
The Copyright Directive and the new intermediary liability regime
Interinstitutional negotiations were expected to be concluded on 21 January, however the trilogue was cancelled after a few Member States refused to endorse the latest proposal put forward by the Romanian Presidency. According to the text proposed by the Romanian Presidency, Article 13 of the Proposal - that has so far been one of the most contentious issues in the Directive - is there to stay, meaning that the Copyright Directive will establish a new liability regime for hosting providers. Questions remain as to whether micro- and small enterprises will be exempted from the new rules of preventing flagged copyrighted material from being available online, and whether actions required from platforms should be proportional to their size and the amount of copyrighted material on their services. An agreement is also pending on the fate of user-generated content (as in parody, pastiche, illustration, quotation, criticism etc.) and whether users will be allowed to upload content under these explicit exceptions. Final votes by the co-legislators are expected to happen in the end of March/beginning of April.
The European Parliament considers shared competence between the committees on Terrorist Content Online Regulation
On 7 December the EU Council approved its general approach on the Proposal for the Regulation on preventing the dissemination of terrorist content online, leaving registries and registrars explicitly out of the scope of the Regulation. The European Parliament has, however, decided that multiple committees should have a shared competence on certain parts of the legislation. The Civil Liberties Committee (LIBE), that has so far been the responsible for the Parliament’s position, now has to share its competence with the Culture and Education Committee (CULT) under Rule 54 of the Procedure on all aspects related to audiovisual content online. The Rapporteur for the file in LIBE, British MEP Daniel Dalton, is under pressure to finish the file before the European Parliament's elections in May.
Privacy and data protection
The European Commission attempts to break the deadlock on ePrivacy in the Council of the EU
The Romanian Presidency is determined to make progress on the file that has been hopelessly stuck at Member States level in the Council of the EU. To overcome the criticisms by some of the Member States, the European Commission has drafted informal technical explanations on the points of concern that will be presented during the upcoming Council meetings. One of those concerns is related to the use of child protection measures online and the impact of ePrivacy rules on detecting child abuse online. When it comes to the use of child protection measures online, the informal paper clarifies that the ePrivacy Regulation allows Member States to restrict the confidentiality obligations set in the Regulation proposal for the prevention, investigation, detection or prosecution of criminal offences that child abuse falls under. In addition, the informal paper reiterates that the ePrivacy rules concern only the service providers that provide electronic communications services, excluding cloud service providers, social media websites and video sharing platforms that are normally not considered as electronic communications services.
Outside the EU bubble
Russian senators propose a bill for a "national" internet
On 14 December a draft bill was submitted to the Russian Duma according to which a national domain name system and special rules for internet trafficking are to be established to ensure the stability, integrity and security of the internet on the territory of the Russian Federation, in case of deliberate disruption of public internet. The proposal includes a paragraph on "creating a national system for receiving information about domain names[...], including about domain names in the national domain name system, [...]as well as authorisation of domain name resolution". If adopted, national authorities will be equipped to come up with the exact rules concerning such a national domain name system, both concerning its establishment and its use. It is unclear from the proposal whether the "national domain name zone" is intended to be just a back-up of the existing DNS or a completely separate DNS. More on the proposed bill from Georgia Institute of Technology, Internet Governance Project.