EU Policy Update - October 2017

2017-10-25 EU Policy Updates

Brussels has been a hive of activity over the last four weeks, with a flurry of new policy initiatives and advancements in ongoing files of relevance. Most notably, the European Commission published its long-awaited guidelines on notice & action and voluntary content control, which serve to codify the EU policy trend that sees the Internet sector’s role in online content control move from a ‘reactive’ to a ‘proactive’ relation. Meanwhile, the lawmakers continue to discuss the legislative proposal for an E-Privacy regulation, with the continued possibility that Member States will use the legislative proposal to reintroduce data retention obligations at EU level. In a positive development, the European Commission has ruled out any medium-term EU-level action to weaken encryption through legislation, but will use the upcoming legislative proposal on cross-border access to e-evidence as an alternative means of mitigating the perceived ‘going-dark’ problem.

1. Work-in-progress: recent developments in EU policy dossiers

European Commission publishes guidelines on notice & action and voluntary content control: On 28 September, the European Commission published its long-awaited guidelines on notice & action and voluntary content control. The guidelines, which are non-legislative, are directed at Member States who are considering measures to enhance online enforcement. They also serve as a ‘final warning’ for online intermediaries who are perceived to be neglecting their responsibility in the fight against illegal content, with the Commission indicating that legislative action will be proposed if no self-regulatory progress is made by summer 2018. A key theme in the guidelines is that online intermediaries need to move from a ‘reactive’ notice & action regime (i.e. passively waiting for notifications of illegal content), to a ‘proactive’ one (i.e. mainstreaming cyber hygiene in their activities). To that end, intermediaries are, inter alia, expected to deploy easy-to-use content flagging mechanisms, undertake voluntary action to detect and remove illegal content, and establish ‘trusted flagger’ mechanisms with law enforcement authorities and various third-party entities. The European Commission press release announcing them can be found here.

European Commission rules out medium-term EU-level action to weaken encryption: On 18 October, the European Commission outlined its policy intentions with respect to encryption, as part of a broader policy package on counter-terrorism. Specifically, the new Commission’s progress report rules out any EU-level medium-term legislative action that would weaken encryption, such as mandatory backdoors or key escrows. Rather, the Commission will devote resources to a series of soft ‘capacity building’ initiatives to help national-level law enforcement tackle the challenges for criminal investigations that arise from encryption in electronic communications. These include training for law enforcement authorities, the establishment of structured dialogues between key stakeholders, and increased funding for Europol to enhance its decryption capacities. On encryption, there is presently limited appetite at the political level of the Commission to open what is seen to be a policy ‘Pandora’s box’. In that respect, it should be noted that while ruling out EU-level action, the Commission’s report takes no position on national governments’ domestic policy initiatives that aim at weakening encryption.

EU Member States begin focused reflection on impact of copyright reform legislative proposal on intermediary liability landscape: The EU co-legislators have made little meaningful progress in their discussions on the legislative proposal for a copyright reform directive in the last month. Despite early momentum, the European Parliament discussions on the proposal are in gridlock, and it is unlikely that the leading MEPs will be able to agree on an institutional position until December 2017 at the earliest. Meanwhile, the EU Council (representing Member State governments) has begun a dedicated reflection on the broader implications of the content filtering/intermediary elements of the proposal (art. 13). Amongst a number of Member States, there is concern that the Commission’s copyright proposal will radically transform the liability framework for internet intermediaries with respect to third-party copyright infringements. Member State governments met in Brussels last week to discuss the proposal, and the Estonian presidency of the EU Council (temporary chairing nation) is expected to produce a fresh institutional compromise text in late November 2017.

EU Council publishes new assessment report on European cybercrime policies: The EU Council has published a new report that evaluates cybercrime policies across the EU. The report is part of a broader EU Council reflection on implementation of EU policy in the area of justice & home affairs, and is based on interviews and legal analysis conducted in the 28 EU Member States. In addition to evaluating the implementation and effectiveness of cybercrime policies in the EU Member States, the report also includes numerous recommendations for how the fight against cybercrime could be enhanced. Without devoting too much detail to vertical cybercrime policy areas (e.g. terrorism, fraud), the report places a heavy focus on procedural frameworks, such as investigative techniques, cooperation with service providers, etc.

European Parliament discusses amendments to child protection resolution, calling for tough online enforcement: On 19 October, the European Parliament Civil Liberties (LIBE) committee held a session to consider amendments to its draft political resolution on the fight against child abuse and exploitation. The political resolution is non-legislative in nature and takes the form of an implementation report on Directive 2011/93/EU (the so-called Child Exploitation Directive). Of particular interest was the Member of the European Parliament (MEP) in charge of the file’s support for the primacy of removal at source, as well as her call for enhanced public-private cooperation and hotline funding. The leading MEPs will now come together in a bid to consolidate the 160 suggested amendments into a set of ‘compromise amendments’, which will then be voted on in committee on 21 November and added to the draft report, thus constituting the final text of the Parliament’s political resolution.

E-Privacy regulation state-of-play: On 19 October, the European Parliament Committee for Civil Liberties (LIBE) voted on its report on the ePrivacy Regulation. The report (unofficial voted text) was adopted by a small majority of politicians. Whereas the need for users’ consent for processing and other safeguards will not please the affected industry players, the fact that encryption has been strengthened (not allowing for built-in backdoors or reverse-engineering) has been hailed by privacy groups. LIBE also adopted the mandate to start negotiations with Member States, which will be voted on at the Strasbourg plenary session the week of 23 October. Plenary is expected to adopt a weak mandate, which might not make it easy for the Rapporteur (and chief negotiator of the Parliament) to sustain her position when hammering out the details with the Council.

European Commission assesses ongoing efforts at EU level to achieve a harmonised implementation of NIS Directive: The European Commission released a Communication titled ‘Making the most of Network and Information Security (NIS)’ looking at the implementation process of the NIS Directive across Member States. The document has been published along with a more technical annex that seeks to provide interpretative guidance for national governments on key aspects of the NIS Directive before the May 2018 deadline for transposition into national legislation. On the same day, the European Commission also published a draft implementation regulation that concerns the security and notification obligations of so-called ‘digital service providers’ (DSPs) under the NIS Directive. Once adopted, the regulation will have immediate direct effect in all Member States.

WP29 issues guidelines on profiling and automated decision-making, data breach notification: The public is invited to comment on the guidelines of the grouping of EU data privacy watchdogs by 28 November. With regard to profiling and automated decision-making, the WP29 acknowledges the benefits (efficiency, resource saving, better market segmentation and tailored services), but also warns of the risks to individuals’ rights and freedoms (i.e. reinforced stereotyping or social segregation). The breach notification guidelines specify how companies should notify the competent authority in case their data is breached or hacked.

2. Coming up: (Scheduled) initiatives on the horizon

European Parliament to undertake new political resolution on fight against illegal content online: The European Parliament Civil Liberties committee (LIBE) has requested permission from the institution’s coordinators to begin work on a new political resolution on the fight against illegal content. The non-legislative resolution would seek to respond to the recent European Commission guidelines on notice & action and voluntary content control (see above), and would set out MEPs’ policy wish-list with respect to the fight against illegal content in the medium-term.

European Commission to issue legal guidelines for Member States on application of intellectual property rights enforcement directive: In 2004, the EU adopted a broad procedural law governing the enforcement of intellectual property rights (the ‘IPRED’). For many years the directive has been the target of sustained attack by rights-holder interest groups, who have argued that it is unfit to ensure effective protection of intellectual property rights online and cross-border. In this context, the European Commission committed in its 2015 Digital Single Market strategy to review the functioning of the IPRED as a precursor to a reopening of the legislation. Such a reopening will almost certainly focus on the application of the directive to the online sphere, particularly with regard to injunctive relief (e.g. domain name suspension) and the ability of IP litigants to secure evidence from internet intermediaries (e.g. WHOIS accountability). Despite pressure from rights-holder groups, it is now almost certain that the European Commission will not seek to reopen the directive before the end of the present political mandate (May 2019). On the contrary, the Commission will publish new non-legislative guidance on how Member States should implement the existing IPRED in November 2017.

European Commission to present new regulation on consumer protection online surveillance in December 2017: Since the publication of the European Commission’s guidelines on notice & action and voluntary content control (see above), a series of spin-off policy work-streams have crystallised, including the expected proposal by mid-December 2017 from the European Commission’s Directorate General for Justice, for a Regulation on market surveillance for online sales. The regulation will build on recent Commission guidelines and will clarify responsibilities of actors involved in the placement of products for sale on the EU market, with a focus on e-commerce. As per the recent Consumer Protection Cooperation (CPC) Regulation, the new legislation on market surveillance is likely to deal with the capacity of market surveillance authorities to request internet intermediaries to remove or disable access to information concerning non-compliance and unsafe products (notice & action procedure).

Europol-ENISA want to step up cooperation to address IoT security and safety: At the recent conference, 250 participants discussed how connected devices can be secured and what measures are needed to protect them from cyber threats. In Europol’s view, this is not only a technical, but also legal, policy and regulatory challenge. One of their conclusions was that ‘securing the end device is often technically difficult and expensive to achieve, the focus should therefore be on securing the architecture and underlying infrastructure’. Also, cooperation is needed among the private sector, law enforcement and the CSIRT community. For now, there was no call for new regulatory measures, but existing ones should be either completed or better ‘leveraged’. This includes defining ‘baseline security recommendations for IoT’ (to be published by ENISA in the coming months), as well as standardisation, certification and labelling.

European Commission publishes first annual review of Privacy Shield: According to the Commission, US authorities are making sure that data transferred from the EU to the US is adequately protected by the Privacy Shield. It is particularly satisfied with more regular and rigorous monitoring by the Department of Commerce and better means for individuals to obtain redress. However, some adaptations are recommended, e.g. to address false claims of participation in the Shield (s.a. IAPP). So far approximately 2,400 companies have signed up to the Shield.

Europol wants to end Carrier Grade NAT and increase accountability online: At a recent workshop, Europol and the Estonian Presidency lamented the widespread use of Carrier Grade Network Address Translation (CGN) technologies by internet access providers. The use of such technologies, by which one single IP address is used by multiple, sometimes thousands of subscribers at the same time, makes it almost impossible for law enforcement to investigate and attribute crime and for ISPs to comply with orders that oblige them to identify a single subscriber. The Estonian Presidency promised to put the issue on its agenda. Participants discussed other solutions, including a voluntary code of conduct for ISPs to reduce the number of CGN, content providers that log source port numbers, or adopting regulations that increase IPv6 deployment.

3. What else? Other things that are happening

European Heads of State and Government discuss how to have a stronger and more coherent Digital Europe: The Estonian Presidency of the Council of the European Union organised on 29 September a Digital Summit in Tallinn to bring together EU heads of state and government. The aim of the Summit was to serve as a platform for launching high-level discussions on plans for digital innovation. Conclusions of the Summit served as a basis for discussion for the following European Council meeting that took place on 19 October, during which European leaders called for a future-oriented regulatory framework by completing the Digital Single Market Strategy in all its elements by the end of 2018. To that end, they asked Telecom Ministers to prioritise and speed up the work on the Digital Single Market during the next Telecoms Council on 24 October. EU leaders also called for a common approach to cybersecurity as well as putting a special focus on combating terrorism and online crime. This includes the EU leaders’ call to ‘robustly tackle online illegal content’. It remains to be seen if they will content themselves with the self-regulatory approach currently taken by the European Commission. Full Council conclusions can be found here.

European Commission high-level group on Internet governance meets in Brussels: On 3 October, the European Commission’s high-level group on Internet governance (HLIG) met in Brussels for its quarterly meeting. As per the recent trend, the meeting included a multi-stakeholder session to complement the discussions between Member State government representatives. The multi-stakeholder session included presentations on the latest developments at ICANN by the organisation’s Vice President, Stakeholder Engagement & Managing Director for Europe Jean-Jacques Sahel, as well as a briefing on Microsoft’s proposal for a Digital Geneva Convention by the company’s EMEA cybersecurity policy lead, Jan Neutze. Besides the external presentations, participants were also briefed on the outcomes of the recent European Commission public consultation on the next generation internet, as well as preparations by the European Commission and the Swiss government for the next Internet Governance Forum, taking place in Geneva from 18 to 21 December. On 4 October, members of the HLIG met with the CENTR General Assembly in Brussels. During that joint meeting, two sessions were dedicated to high-interest EU policy topics: a session where Prabhat Agarwal (CNECT F2) presented a summary of the new Commission guidelines for platforms and a session where Svetlana Schuster (CNECT H1) provided an overview of the state of play of the NIS Directive implementation.

4. Homework: Activities at domestic level

Belgium vs. Facebook: The Belgian privacy committee took Facebook to court over tracking the online behaviour of users that are not subscribed to the social network. It challenges in particular the use of cookies and social plug-ins. Facebook argues that it is governed by law in Ireland (where it is headquartered) and not Belgian law. The Belgian Court will have to establish that it has jurisdiction over the case and whether Belgian law applies, before it can look into a potential breach of data protection rules. A ruling is expected at the earliest in a few weeks. Time might ‘solve’ the issue, as the GDPR, once in force, will make companies subject to the authority of a single regulator (s.a. mlex).

Curious injunction in Poland tells company to ‘google’ itself to monitor for illegal content: A collecting society demanded that a file hosting platform remove pirated copies of three movies – and eventually sued it claiming damages and requiring the platform to remove any illegal copies of the movies that would be uploaded in the future. While the injunction has not been published yet, media reported that the Court ordered the platform to monitor itself – specifically by ‘googling’ itself once per month for the next three years in order to detect any pirated copies of the three movies. Discussions continue whether this implies a ‘general monitoring’ obligation under the e-commerce directive or whether the hosting platform has to act because it ‘became aware’.