EU Policy Update - May 2019
In a nutshell: the EU has elected a new European Parliament. The EU Council has approved the European Commission's mandate to start negotiations for a transatlantic deal on e-Evidence and adopted a framework concerning restrictive measures against cyber-attacks threatening the EU. The European Commission has made policy recommendations regarding the Strategic Agenda for the following 5 years. ePrivacy negotiations revealed possible EU plans for data retention legislation.
The EU Council approved the European Commission's negotiating mandate for an EU-US agreement on e-Evidence
According to the EU Council decision dated 21 May, the EU Council has given the European Commission a negotiating mandate to conclude an agreement between the European Union and the United States of America on cross-border access to electronic evidence for judicial cooperation in criminal matters. According to the decision, the EU-US agreement on e-Evidence should include the necessary safeguards for fundamental rights and freedoms and observe the principles recognised by the Charter of Fundamental Rights of the European Union. The negotiations shall be conducted in consultation with the EU Council.
The EU Council adopted a framework concerning restrictive measures against cyber-attacks threatening the EU or its Member States
On 17 May 2019, the EU Council established a framework which allows the EU to impose targeted restrictive measures to respond to cyber-attacks which constitute an external threat to the EU or the Member States. The framework allows the EU to impose sanctions on persons or entities that are responsible for cyber-attacks or attempted cyber-attacks, who provide financial, technical or material support for such attacks or who are involved in other ways. Restrictive measures include a ban on persons travelling to the EU, and an asset freeze on persons and entities. According to this framework, cyber-attacks constituting a threat to Member States include those affecting information systems relating to, inter alia, "digital infrastructure" that is considered to encompass services necessary for the maintenance of essential social and/or economic activities. For this purpose, cyber-attacks are actions involving any of the following: (a) access to information systems; (b) information system interference; (c) data interference; or (d) data interception.
Europe elects a new European Parliament
European elections were held on 23-26 May. The results show that two major political parties hold most of the seats: the center-right European People's Party (EPP) and the center-left Progressive Alliance of Socialists and Democrats (S&D), with 24 % and 20.4 % respectively. However, together they hold only 44 %, which is not enough for the majority needed in the European Parliament to pass legislation. The aforementioned coalition has thus lost its majority. This means that European centrists will have to unite more broadly in liberal coalitions in order to maintain their authority. The far right has gained influence, though it remains largely marginal. The Greens have become the fourth largest voting bloc in the EU.
EU plans for post-election
An IMCO study reviews the rules introduced under the Digital Single Market initiative
The study, requested by the European Parliament's Committee on the Internal Market and Consumer Protection (IMCO), reviewed all the rules adopted during the 8th Parliamentary legislature (2014-2019) to strengthen the Digital Single Market (DSM). The report analysed the initiatives within the main policy areas for the DSM, such as e-commerce and online platforms, e-government, data, cybersecurity and consumer protection. Finally, the report identified the remaining gaps and possible actions for the forthcoming Parliament’s legislature. The report points out that e-Commerce giants are destabilising some of the past governance models and, therefore, that the states (whether EU or national institutions) should adapt their policies while keeping control of the public sphere. According to the report, "different actions are needed to stimulate the start-up, then the scale-up and finally ensuring a sufficient duty of care by the most significant platforms". When it comes to the existing legal framework in the EU, the report suggests revisiting the e-Commerce Directive and "condition the liability exemption to the provision of an infrastructure facilitating the detection and the removal of illegal content by users, third parties and the platforms themselves, possibly relying on AI detection tools". In addition, the study proposes that regulators could rely on AI to enforce the existing rules effectively: the so-called RegTech. In some cases, according to the study, "the regulator could be replaced by the computer code when regulatory compliance is enshrined in the design of the digital technologies (compliance by design)". The authors suggest that "the development of RegTech and compliance by design raise a series of ethical and legal issues that will need to be addressed during the next parliamentary legislature".
The European Commission’s policy recommendations for the 2019-2024 Strategic Agenda
Ahead of the informal EU27 leaders’ meeting in Sibiu (Romania) on 9 May 2019, the European Commission has published its recommendations for the next strategic agenda for 2019-2024. According to these recommendations, Europe needs to invest in its key digital capacities in order to become "a world leader in digital transformation". In particular, the recommendations stress the need to "boost Europe-made and human-centric artificial intelligence" (AI), with a robust regulatory framework that proactively addresses the ethical and legal questions surrounding AI. Furthermore, the digital transformation requires "high standards in cybersecurity and consumer protection". A significant part of the recommendations is also dedicated to the need to tackle disinformation online. The European Commission defines disinformation as "verifiably false or misleading information that is created, presented and disseminated for economic gain or to intentionally deceive the public, and may cause public harm". As AI will, in the near future, also be "increasingly used to carry out communication activities", the EU should encourage "more specialist training in artificial intelligence" as part of its Digital Education Action Plan.
Data retention and ePrivacy
Negotiations on ePrivacy legislation have been (hopelessly) stuck at EU Council level for months. The Romanian presidency has not been able to break the deadlock among Member States. Some Member States appear to be pushing for additional text in the future ePrivacy framework to maintain "the possibility for existing and future data retention regimes". It is very likely that data retention legislation will be put forward during the next legislative mandate. It is not yet entirely clear in which form and shape the respective data retention proposals will see the light. However, based on the on-going negotiations on ePrivacy (and to some extent on e-Evidence), it is clear that ensuring some sort of data retention regime across the EU is high on the political agenda. Following the invalidation of the previous blanket data retention regime by the European Court of Justice (ECJ) in 2014 (Digital Rights Ireland), and its subsequent Tele2 ruling, the extent to which mass electronic communication data retention is justified in a "democratic society" has been subject to different interpretations across the Member States.
Outside the EU bubble
In response to the attacks of 15 March 2019 on the Muslim community in Christchurch, several governments and tech companies have endorsed non-binding commitments (the so-called Christchurch call) designed "to address the issue of terrorist and violent extremist content online and to prevent the abuse of the internet as occurred in and after the Christchurch attacks". To do so, the governments of states such as France, Germany, the United Kingdom and New Zealand, among others, commit to, inter alia, "regulatory and policy measures" to "prevent the use of online services to disseminate terrorist and violent extremist content". Tech companies, such as Google, Facebook and Twitter, commit to "take transparent, specific measures seeking to prevent the upload of terrorist and violent extremist content and to prevent its dissemination on social media and similar content-sharing services, including its immediate and permanent removal". The US government has not officially supported the Christchurch call, although it has endorsed the overall goals set in the call.