EU Policy Update - November 2017
EU decision-makers are slowly wrapping up major digital single market-related files before the end of the year. The Consumer Protection Cooperation regulation is (almost) signed and sealed with the European Parliament having approved trilogue negotiation outcomes (with some unfortunate results). Copyright issues (rightly or wrongly included in some dossiers) stifle most ongoing negotiations – but the will is there to find solutions. Accordingly, liability remains an important issue, e.g. for copyright-infringing or otherwise illegal content on platforms. Twitter and YouTube have recently changed their policies to (voluntarily) address harmful content. We can also see that across the Atlantic, the US has restricted the use of gag orders and announced a roll-back of net neutrality.
1. Work-in-progress: Recent developments in EU policy dossiers
Copyright reform (part 1): The Presidency, in a bid to finalise the Council position, proposed stronger monitoring obligations for certain internet companies. These include service providers, such as YouTube, whose “main purpose is to share and give access to the public of a significant amount of copyright protected works or other protected subject matter uploaded by its users who do not hold the rights in the content uploaded”. Critics fear that this could be in stark contrast to the liability exemptions granted by the e-commerce directive. Meanwhile, the European Parliament’s LIBE committee (Civil Liberties, Justice and Home Affairs), in preparing the Parliament’s position, voted in favour of similar yet lighter requirements for platforms to monitor their sites for copyright infringements.
Geo-blocking – copyright likely to be excluded: Geo-blocking describes a situation whereby an online trader prevents access to goods or services to a customer based on where he or she lives. Some Member States during Council negotiations insisted on making copyrighted goods (e.g. music, software, video games) part of the regulation. Such content, however, is often subject to a licensing system, which would have been largely offset by such a clause. A compromise, which is close to the Commission’s initial proposal, now foresees a review of the rules in two years, also to reassess if copyrighted goods should be included.
Strengthening cybersecurity in the EU: The measures proposed in the Council Conclusions include more money for cybersecurity research, strengthening EU agencies and promoting strong positions in the foreign affairs arena. The Conclusions reiterate the importance of trusted encryption to ensure human rights and fundamental freedoms. Yet, they balance this against the need for law enforcement to access data necessary for investigations.
Consumer Protection Cooperation – not a vote for clarity: Earlier in November, the European Parliament (EP) plenary adopted the outcome of trilogue negotiations on the consumer protection cooperation regulation (see draft, voted results not available yet). The regulation aims at equipping consumer protection authorities with more powers and tools to protect consumers from harmful and illegal commercial practices of online traders (promoting counterfeits, misleading advertising, lack of information, etc.). Whereas the initial EP report included clarifications provided by actors, such as ISPs and domain name registries, the final text has largely dropped them. This includes explanations about to whom measures should be addressed in order to be effective. In fact, the final version includes new measures – an “explicit display of a warning to consumers” – without addressing anyone and without explaining how this should be (technically) achieved. Also, consumer protection authorities can “order the removal or modification of digital content” when other means are ineffective (Recital 12, line 22, and Article 8, line 174). With regards to domain registries and registrars, who are explicitly mentioned, these can now be ordered “to delete a fully qualified domain name”. The competent authority concerned would then be allowed to register it.
ECJ advisor vs. Facebook: In a non-binding decision, Yves Bot, advisor to the European Court of Justice, argues that Facebook must adhere not only to Irish data protection rules (Ireland being where it has its headquarters) but also to those of other countries where it has permanent offices and operations. Facebook, “respectfully disagreeing”, said that it would wait for the final decision of the ECJ expected in summer 2018. In Bot’s opinion, Member State authorities are not obliged to follow the judgment of a company’s primary supervisory authority (in this case that of Ireland). Nevertheless, he would not want to prejudice the GDPR. In fact, the GDPR introduces the concept of a “lead supervisory authority” (in the country where the company is headquartered), and foresees a mechanism whereby that lead authority needs to cooperate with those in other Member States where the company operates or where lots of users are affected.
IAPP data protection congress: Policy-makers and business representatives shared expectations and concerns about upcoming legislation, specifically the GDPR and the draft ePrivacy regulation (ePR). It is as yet unclear (and unlikely) that the ePR will be wrapped up in time to apply together with the GDPR, even though this would help address overlaps, e.g. when online marketers potentially need to obtain explicit consent before targeting users with advertising. Some feared that this could lead to “consent fatigue” – not so the new EP rapporteur on the ePR, Birgit Sippel (S&D, Germany), who opposes such claims. The longevity of the EU-US Privacy Shield was also put into question given concerns by European data protection agencies over, e.g. onward transfers or complaint handling. The European Commission, however, is confident that the Shield will pass scrutiny by the European Court of Justice, which is currently reviewing related lawsuits (e.g., Digital Rights Ireland). Also, the issue of cross-jurisdictional e-evidence was addressed. In fact, EU justice ministers will meet in December to discuss a report (not published) on the retention of communications data. For more detail, see mlex reporting.
2. Coming up: (Scheduled) initiatives on the horizon
Copyright reform (part 2) - IPRED: Politico leaked a draft version of the Commission’s guidelines on the Directive on the enforcement of intellectual property rights (IPRED). While these guidelines are not legally binding, in many instances, they refer to EU case law. Rather than reviewing the directive, however, the Commission is working on guidelines for competent judicial authorities, which should help interpret its provisions in view of (technological) developments (IPRED dates back to 2004). This is due to the fact that Member States have applied the measures, procedures and remedies proposed by IPRED very differently (e.g. with regards to clarifying the concept of “intermediary”, calculating damage, proportionality between fundamental rights, digital evidence, and injunctions, including filtering systems). With regards to provisions in the e-commerce Directive, the Commission reiterated its commitment “to maintain the present liability scheme”. On the scope of IPRs covered: The Commission favours defining the Directive’s “scope as widely as possible in order to encompass all the IPRs” covered by EU or national law. This is further clarified in a non-legally binding statement from 2005 on Art. 2 (IPRED) issued
On injunctions: Measures addressed to an ISP must be strictly targeted, and the request should require the removal of infringing content, rather than the blocking of it. Also, as per the e-commerce directive, no general monitoring obligation (i.e. extensive filtering systems) should be imposed on intermediaries. The guidelines refer to case law with regards to limits to the potential scope of an injunction. The guidelines seem to suggest that “dynamic injunctions” (e.g. UK and Ireland), or dynamic blocking (Denmark) could be a solution to cases in which the same website becomes available immediately after issuing the injunction with a different IP address or URL or where blocking actions are addressed to specific domain names (which then change).
European Commission unveils “digital” work programme 2018: In order to “complete the Digital Single Market”, the Commission seeks to launch a legislative proposal on “fairness in platform-to-business relations” (Q1 2018), to address “online platform challenges as regards the spreading of fake news” (Q1 2018, s.a. current public consultation), and to revise “Guidelines on market analysis and assessment of significant market power in the electronic communications sector” (Q2). In a statement, Juncker stressed that “the priority must now be on turning proposals into law, and law into practice.” The “digital” priority pending issues (which have been launched but are yet to be completed) include: the telecoms reform (Electronic Communications Code), the copyright reform, audio-visual media services, geo-blocking, e-Privacy regulation proposal, the free flow of non-personal data regulation and enhanced powers for ENISA.
European Commission launches consultation on fake news: DG CNECT hopes to receive insights into how to better define fake news (which can be harmful, but is not necessarily illegal), understand its spread and what platforms, news media companies and civil society are currently doing to counter its dissemination. Comments can be submitted here until 23 February 2018. An initiative (not clear yet whether legislative or non-legislative) is expected for April 2018.
EU states resist proposals to expand powers of BEREC: The Commission, under its Digital Single Market package, had proposed to turn BEREC, the pan-European assembly of national telecoms regulators, into an EU agency. Whereas such a move would come with new tasks and powers, it would also change BEREC’s internal rules and effectively give the Commission more direct control over the regulator. Also, BEREC’s decisions would become legally binding, which could contradict national rights. Therefore, Member States, at the meeting of telecoms ministers on 4 December, are likely to oppose the proposal. However, there seems to be support for an independent BEREC management.
3. Beyond borders: Developments across the Atlantic and globally
US set to abolish net neutrality: The FCC (Federal Communications Commission) revealed plans to abolish current net neutrality regulations and allow ISPs to block websites, throttle web traffic for certain services or charge higher prices for faster delivery of their content. Such a move would technically offset a net neutrality regulation under the Obama administration in 2015. In January, President Trump argued that net neutrality stifled innovation and was an example of government overreach (s.a. Washington Post).
US DoJ sets the bar higher for gag orders: The US Department of Justice (DoJ) issued a memorandum in November on gag orders, which will make it more difficult for prosecutors to issue or renew protective orders that prevent tech companies from informing their customers that their personal data is disclosed to government agencies that investigate them. Prosecutors will now need to explain why gag orders are necessary, what their basis is and will not be able to easily extend them beyond a year. The 6 criteria prosecutors need to consider are explained here.
Facebook’s “like” button does not infringe privacy: According to a US district court, the “like” button does not violate users’ privacy by tracking them – even though Facebook collected data of users when they were logged out. Facebook is also party to other lawsuits accusing it of tracking users’ activity on health sites and of compiling a database of “faceprints” of people without their explicit consent.
YouTube wants to do more to restrict access to and warn against violent or sexually explicit videos featuring children’s characters, which would also stop the ad revenue generated by such videos. However, it will do so only when such content has previously been flagged. YouTube also said it would raise the age limit of viewers of such flagged content to 18 years old.
Twitter wants to do more to address abuse and harassment on its website and enforce its rules (s.a. new Twitter Rules). Users posting prohibited content will be required to delete it, might be temporarily restricted from creating posts, reacting to others or will be permanently suspended. Such content includes copyright-infringing content, graphic violence and adult content, making threats of violence or physical harm, engaging in targeted harassment, etc.
Uber didn’t do anything: For more than a year, Uber failed to notify regulators about a major data breach affecting 57 million of its customers and drivers (s.a. BBC). The data concerned included names, e-mail addresses and mobile phone numbers and their drivers’ license details, according to Uber. Whereas drivers have been granted free credit monitoring protection, the same will not apply to its customers. In 2014, Uber was already fined for failing to report a less serious breach. The GDPR foresees tough penalties and takes into consideration criteria such as time of breach notification, cooperation with authorities and repeated non-compliance when deciding on the volume of such fines. Various EU Member States (including Belgium, the UK, Italy and the Netherlands) already announced that they will investigate to what extent their citizens’ personal data has been affected.
4. Proud to present: Success stories at EU level
Europol announces “biggest hit against online piracy”: Over 20,520 domain names were seized as a result of joint investigations by Europol, the US intellectual property rights coordination centre and law enforcement from 27 Member States [who’s missing?]. The domain names “were offering [sic] counterfeit goods, for example luxury products, sportswear, electronics, pharmaceuticals and online piracy on e-commerce platforms and social networks”. The seizure is the outcome of a joint global recurrent operation called “In Our Sites” (IOS).
Europol launches Sirius platform: The platform is supposed to help law enforcement across Member States conduct criminal investigations about digitally-enabled crimes, with a special focus on terrorism. The secure web platform allows users to share knowledge and best practices and to analyse information received by different online service providers. It is also expected to foster the development of common tools and solutions.
London City Police et al. launch alternative DNS resolver 9.9.9.9: Quad9 is a free, recursive, anycast DNS platform. It turns URIs into IP addresses and checks them against IBM’s threat intelligence database, thereby preventing users from accessing malicious sites. The database includes feeds from, for example, Abuse.ch, the Anti-Phishing Working Group, Bambenek Consulting, F-Secure, mnemonic, 360Netlab, Hybrid Analysis GmbH, Proofpoint, RiskIQ, and ThreatSTOP (s.a. The Register). DNS queries are encrypted via TLS, thereby avoiding access by third parties. Queries are routed through nearby data centres. IBM contributed the address 9.9.9.9 (as an alternative to Google’s public DNS resolver 8.8.8.8). Unlike the Google service, Quad9 does not collect or store personally identifiable information. Quad9 is financed through donations and public funds, including from the City of London Police and the New York Police. Funding is diverse enough that, under its FAQs, Quad9 is confident that it “will not provide a censoring component and will limit its actions solely to the blocking of malicious domains around phishing, malware, and exploit kit domains”. See a technical analysis of Quad9 by Stéphane Bortzmeyer (Afnic) on the RIPE NCC site.
Successfully e-signed: In late October, European Parliament President, Antonio Tajani, and Matti Maasikas of the Estonian Presidency proudly signed the regulation ensuring the “Security of gas supply”. You wonder why this event made it into CENTR’s EU Policy Update? It was the first time that a legally binding text was signed by electronic signature and the first (and probably last) time the eIDAS regulation saw such ceremonial application. According to eIDAS, a qualified e-signature has the same legal validity as a handwritten signature. It is not a given, however, that all upcoming legal texts will be e-signed.