EU Policy Update - March 2020
In a nutshell: Before Brussels, along with its institutions, was locked down due to the COVID-19 pandemic, the European Commission managed to issue a few strategic documents on the industrial future (including digital) and the Single Market Enforcement Action Plan. The COVID-19 pandemic resulted in the delay of a number of priority files in the digital sphere, like the Digital Services Act, both on the side of the Commission, as well as the Parliament. Instead, policymakers seem to be pushing the boundaries of Europe's privacy and consumer protection legislation to respond to the pandemic. Meanwhile, the Commission is expected to continue to work on the NIS Directive revision as planned and to come up with a legislative proposal in Q4 2020.
The European Commission put forward its industrial strategy
On 10 March, the European Commission published "A New Industrial Strategy for Europe". The industrial strategy aims to position the European Union "as an enabler and regulator". This is because, according to the Commission, "setting the framework and providing political and policy direction is crucial to offer the certainty needed for investors, innovators and industry alike." The industrial strategy also recognises that small and medium-sized businesses (SMEs) "account for over 99% of all European firms[...] and are our economic and social backbone". When it comes to EU leadership, the industry strategy claims that the EU is "a world leader in green technology patents and other high-tech sectors". When it comes to digital technologies, the strategy puts strong emphasis on enhancing the EU’s "industrial capacity in critical digital infrastructure", with particular focus on rolling out 5G networks. The strategy also identifies the need for the EU to boost the industry's competitiveness by "developing new standards and technical regulation, coupled with increased EU participation in international standardisation bodies". Furthermore, the industry strategy highlights that "access to medical products and pharmaceuticals" will be "equally crucial for Europe's security and autonomy". Therefore, in 2020 "a new EU pharmaceutical strategy will be put forward, focusing on the availability, affordability, sustainability and security of the supply of pharmaceuticals”.
The European Commission adopted its Single Market Enforcement Action Plan
On 10 March, the European Commission issued a communication on its "long-term action plan for better implementation and enforcement of single market rules" (hereinafter Action Plan). According to the Action Plan, in order to strengthen cooperation on the enforcement of single market rules, a joint Single Market Enforcement Task-Force (SMET) will be set up. SMET will be composed of Member States and the Commission to follow the implementation of the Action Plan. In addition to SMET, there will be "a cooperation network to be set up between national enforcement coordinators", along with the Single Market Scoreboard that will monitor the performance of the application of single market rules. Areas of focus in providing more specific guidance for national authorities include the digital area and specifically cybersecurity.
The European Parliament's Committee on Culture and Education issued its draft opinions on the Digital Services Act
The European Parliament's Committee on Culture and Education (CULT) is responsible for giving an opinion on two own-initiative reports on the Digital Services Act (DSA) in the European Parliament: to the Legal Affairs Committee (JURI) and to the Committee on Civil Liberties, Justice and Home Affairs (LIBE). On 20 March, CULT issued its draft opinion calling on JURI to safeguard the availability of journalistic and other editorial content available online; noting that automated procedures may support decisions on the legality of content but cannot replace such decisions; and pointing out that "regulations on the findability of content and restrictions on self-referencing can make a significant contribution to the dissemination of lawful content". On 23 March, CULT also issued its draft opinion on the DSA for LIBE, pointing out that "fundamental communication freedoms are not alterable", including by private terms and conditions; calling for protective measures to remain the task of the state and the judicial review; calling for the recognition and developments of privacy and digital-freedoms enhancing services; and calling for sector-specific rules for audio-visual media services.
Public consultation on Digital Services Act postponed
During an online event, the European Commission's representative re-assured the audience that the promised public consultation on the Digital Services Act is yet to see the light. According to the Commission, the consultation is ready to be issued but has been postponed due to the COVID-19 pandemic. Before the COVID-19 outbreak, the aforementioned public consultation had been supposed to be launched in the course of March.
The European Commission plans for the NIS Directive revision
During an online event, the European Commission gave some insights into the planned review of the NIS Directive that is initially planned for 2020. The Commission reiterated that, although the NIS Directive itself became operational across Member States in 2019, its negotiation began in 2012, making it a legislative instrument that has been around for a while. The European Commission is currently looking into the effectiveness of the legislation and consulting stakeholders. The NIS Directive envisages a deadline for the periodic review to be concluded by May 2021, but the Commission's decision was to accelerate this process and to bring the review forward to 2020. As reported earlier, the Commission has already identified inconsistencies in identifying "operators of essential services" and "digital service providers" under the NIS Directive across Member States. According to the Commission, these national differences "are not really justified": e.g. same operators face different recognition models in different Member States. In addition, Member States are also approaching the issue of "security measures" and how these are defined at national level differently. As a result, the Commission expects to come up with a new legislative proposal after carrying out an impact assessment. Another area of focus for the European Commission is to assess whether any additional sectors should be included under the scope of the NIS legislation.
The European Data Protection Board issued a statement on processing personal data during the COVID-19 pandemic
The European Data Protection Board (EDPB) issued a clarifying statement on processing personal data during an emergency like the COVID-19 pandemic. According to the EDPB, the GDPR allows competent health authorities and employers to process personal data in the context of the epidemic without the consent of the individuals, when such processing is necessary for reasons of "substantial public interest in the area of public health". With regard to the processing of telecom data, such as location data, national laws implementing the ePrivacy Directive must be respected, according to the EDPB. Public authorities should first seek to process location data in an anonymous way. However, the ePrivacy Directive does enable Member States to introduce additional legislative measures to "safeguard public security". Such exceptional legislation is only possible if it is a necessary, appropriate and proportionate measure within a democratic society. In case of an emergency, such legislation should also be strictly limited to the duration of the emergency at hand, according to the EDPB. Users of electronic communication services must have a right to judicial remedy in case emergency laws allow the processing of non-anonymised data. Invasive measures, such as the “tracking” of individuals (i.e. the processing of historical non-anonymised location data) could be considered proportional under exceptional circumstances, according to the EDPB.
Advocate General of the ECJ: Opinion on concept of consent of the data subject
The Advocate General of the European Court of Justice delivered an opinion in the case of Orange Romania SA v ANSPDCP, a dispute between a telecom provider and a national data protection authority on the former obligation to collect and store a copy of customers' ID cards in the context of contractual negotiations. Orange Romania concluded paper-based contracts for the provision of mobile telecom services with the copies of their customers' ID annexed to the contracts. The content of those contracts included a statement that the customer had been informed and had consented to the collection and storage of their ID copies. However, such consent had been established by pre-ticking the relevant box in advance. The DPA issued an administrative penalty towards Orange Romania on the grounds that copies of ID had been taken and stored without customers' explicit consent. Orange Romania argued that customers were free to object to the storage of their ID copies. The referring court called upon the ECJ to specify the conditions under which consent to the processing of personal data may be considered valid. The Advocate General of the ECJ advised that the ECJ had already established in another case that "consent given in the form of a preselected tick of a checkbox does not imply active behaviour on the part of the website user". According to the AG, "such finding is equally applicable for the analogue world", where consent in the form of preselected checkbox cannot imply active consent on the part of an individual who is signing the contract. Additionally, the AG indicated that it appears legitimate for a company to ask customers to provide proof of their identity for the purposes of the conclusion of a contract. However, to require a customer to consent to the copying and storing of ID "appears to go beyond what is necessary for the performance of the contract".
The European Commission and EU consumer authorities pledge to take action against the spread of fake products online
On 19 March, the European Commission announced that, together with the network of national consumer protection authorities, a set of joint actions are being prepared to tackle the issue of "rogue traders selling false products online" since the start of the COVID-19 outbreak. Didier Reynders, Commissioner for Justice and Consumers, urged "online marketplaces and media hosting platforms" to help in fighting "predatory behaviour" during the pandemic. On 20 March, together with the Commission, the EU consumer authorities issued a common position on "stopping scams and tackling unfair business practices on online platforms" that notifies platforms of the most commonly-reported breaches of EU consumer law in the context of the COVID-19 outbreak. The objective of the common position is to "ask and help online platform operators to better identify such illegal practices, take them down and prevent similar ones to reappear."