EU Policy Update - May 2018
On 25 May, the GDPR entered into force. Strengthened by this achievement, the Commission keeps pushing for a quick adoption of the ePrivacy Regulation, but the pace of discussions in Council is slowing down. The .eu regulation was released earlier this month and a swift adoption is expected by the end of 2018. Likewise, the Cybersecurity Act is making smooth progress and trilogue negotiations could start as early as July. Attention is increasingly focusing on law enforcement matters, with the Council beginning discussions on the e-evidence proposal and delivering considerations on data retention and the TELE2 ruling. Finally, the intermediary liability debate continues with a public consultation running until 25 June and possibly leading to new legislation on notice and action in the autumn.
Commission launches new consultation on the role of platforms in tackling illegal content
The European Commission (EC) launched a public consultation on measures to further improve the effectiveness of the fight against illegal content online (deadline: 25 June 2018). This consultation also includes suggestions for measures such as “filtering technology” and “automated tools for detecting and/or blocking content”.
The EC adopted a Communication on 28 September 2017 with guidance on the responsibilities of online service providers with respect to illegal content online, which was followed on 1 March 2018 by a Recommendation on measures to effectively tackle illegal content online. The EC wishes to explore, by the end of 2018, possible additional measures to improve the effectiveness of combating illegal content online. In this context, the EC’s inception impact assessment remarks that “stakeholders (...) report diverging success regarding the speed of removal, in particular in the field of intellectual property rights”.
Commission publishes regulation on the “.EU” domain name
The proposal was adopted on 26 April and aims to create a new governance structure and to develop new eligibility criteria for EU/EEA citizens to register a .eu domain, regardless of their place of residence. In line with the 2014 Council Conclusions on Internet Governance, the regulation establishes the “.eu Multistakeholder Council” as an advisory body to the Commission in matters concerning the principles and procedures on the functioning of the .eu domain. The proposal has a good chance of being concluded by the end of 2018 under the Austrian Presidency of the Council, as the draft regulation does not seem to be politically sensitive.
The Commission is seeking feedback from stakeholders on the proposal by 17 July 2018.
Cybersecurity Act: considerable progress makes adoption of the law possible in 2018
Deliberations continue on the Cybersecurity Act, which proposes a permanent mandate for ENISA as well as an EU-wide ICT certification framework. In the European Parliament, the lead Industry and Research Committee (ITRE) has published amendments, focussing on whether the scheme should be voluntary or mandatory, as well as considering a risk-based approach to include certification levels for different products and services. The Internal Market Committee (IMCO) adopted its Opinion on the Cybersecurity Act, underlining that the certification scheme should initially be voluntary and showing support for establishing an EU cybersecurity trust label. Both ITRE and IMCO documents integrate the principles of privacy and security by design, and promote industry engagement. ITRE will hold its final vote on 19 June.
In Council, Member States are close to an agreement, with COREPER, which groups the Member States' EU Ambassadors, expected to adopt a general approach in June. Following this, Commission, Parliament and Council will enter into trilogue negotiations, with the aim of reaching an agreement by the close of 2018.
Data retention: Council discusses “Renewable Retention Warrants”
The Working Paper follows the initiative taken by the Maltese Presidency in analyzing how the Tele2 judgment should be integrated into legislation while ensuring the availability of data for the purposes of prevention and prosecution of crime. The document merely suggests the following considerations and does not reflect any concrete policies as of yet. It defines a Renewable Retention Warrant as a warrant, valid for a specific period of time, issued by a competent national authority and addressed to one or more electronic service providers (ESPs) operating in the territory of a Member State, requesting the provider to retain data. In that period, the warrant can be renewed if it fulfils the specific conditions prescribed by national law for its renewal, including that its proportionality and necessity are justified by a prior threat assessment and confirmed by a subsequent one.
The addressees are providers of "publicly available electronic communication services or of public communications networks" (e.g. fixed network telephony, mobile telephony, internet access, internet e-mail and internet telephony, OTTs). The warrant should be renewable, provided that the initial requirements of necessity and proportionality are fulfilled by a follow-up threat assessment performed by the Member State or the EU.
E-evidence: Member States discussing the new law
The debate in the Council on the proposal for cross-border access to e-evidence for criminal investigations is now in full swing and reached the next stage at a Justice and Home Affairs meeting on 4 June. We expect Council to proceed quickly on the file, but it remains uncertain if the legislative process will be concluded by the time of the EU elections in 2019.
The main elements upon which the debate centred so far are as follows:
- Scope: several Member States would like to enlarge the scope of the proposal to cover real-time lawful interception as well as direct access to devices without the provider’s knowledge or assistance.
- Agreements with third countries: the e-evidence proposal should include a legal basis or obligation for the European Commission to negotiate an agreement with third countries (as a matter of priority, the US). However, questions still remain as to how this would interact with Article 48 of the GDPR, which sets out provisions for data transfers to third countries.
- Risk of forum shopping: the lack of harmonised sanctions and of a harmonised cost recovery mechanism could lead to forum shopping across the EU by providers and criminals.
- Legal basis: Member States have questioned the legal basis used for the e-evidence proposal (Article 82 of the Treaty, which covers judicial cooperation) due to the nature of the cooperation mechanism proposed. Further questions have been raised regarding the UK and Irish opt-ins for judicial cooperation, the effects of Brexit, as well as how to work with Danish opt-outs in the area of justice and home affairs policy.
- Data categorisation: Member States raised concerns over the four categories of data proposed by the e-evidence proposal (access, content, transactional and subscriber) as they are not clearly distinguishable from each other.
- Safeguards: the Production Order certificate does not sufficiently cover proportionality and necessity (here the issuing authority should carry out the assessment together with the authority in the receiving Member State). Furthermore, providers should be able to signal abusive orders and the person concerned by the data request should be notified after the investigation is closed.
- Deadlines: Member States fully support the Commission’s proposals for time frames of 10 days for responses to Production Orders, and 6 hours in emergency cases.
In parallel, the Commission is consulting the public on its proposal until 19 July. This initiative is part of the Better Regulation process and is used by the Commission to fine-tune its proposal during the negotiation phase.
Free Flow of Data: an ambitious timeline confronted with diverging views
The Parliament is speeding up its work, aiming to have the new law adopted by the end of June under the Bulgarian Presidency. Although ambitious, such a timeline is technically possible, provided the Parliament's position is sufficiently close to that of the Council.
However, on the basis of the current discussions in Parliament, we can anticipate different perspectives on a number of issues:
- the exemptions granted to Member States to the general principle of the free movement of non-personal data within the Union
- the problem of mixed data sets, covering both personal and non-personal data, given that this regulation only addresses the latter
- the mechanisms for competent authorities to access data cross-border
- the review by the Commission of communicated data localisation requirements
ePrivacy: COREPER mandate in June technically possible, but unlikely
The last round of technical discussions in Council did not allow the Bulgarian Presidency to rally Member States and obtain a mandate to start negotiations with Parliament and Commission. Feedback gathered from Permanent Representations indicates that discussions are still going round in circles, with many open questions remaining, as well as a lack of progress due to some Member States lacking a firm position. As a consequence, the Presidency will present a progress report to the upcoming Telecom Council on 8 June with a set of questions for Ministers on next steps. On the basis of the outcome of the Telecom Council, the Bulgarians could resume technical discussions in June, but it is still unlikely that they could achieve a general approach before the end of their mandate. Therefore, it will fall to the incoming Austrian Presidency (July-December 2018) to reach a Council common position. Should they manage to enter negotiations in the autumn, there remains a slim chance that the legislative process could be completed before the EU elections in May 2019.