
EU Policy Update - October 2024

EU Policy Updates 12-11-2024

In a nutshell: Designated Commissioners outlined their priorities. Sauli Niinistö published the report on strengthening Europe’s security. The EDPB published an opinion on controller-processor obligations, guidelines on the legitimate interest basis for processing data, and its Work Programme for 2024-2025. The Council of the EU adopted the Cyber Resilience Act. The European Commission adopted the NIS 2 implementing act and concluded a Fitness Check of EU consumer law on digital fairness. Europol published a report on Intellectual Property crime with EUIPO, and a report on the use of encryption with Eurojust.

Designated Commissioners answered how they want to approach their agendas

On 23 September, designated European Commissioners published their written answers to questions posed by the Members of the European Parliament (MEPs), ahead of their confirmation hearings at the beginning of November. These hearings are intended for MEPs to question the upcoming Commissioners and understand their vision for the new Commission mandate. The hearings started in the week of 4 November and will conclude by 12 November.

The Commissioner-designate and Executive Vice-President for Tech Sovereignty, Security and Democracy Henna Virkkunen (Finland) wants the EU to play a leading role in global digital governance. She specifically wants to coordinate between EU Member States in the UN, IGF and other relevant international fora and technical organisations, such as ICANN. She also wants the EU to be more active on standardisation, especially in connection with legislation such as the AI Act. Finally, under her direction the European Commission should present an action plan on the cybersecurity of hospitals and healthcare providers within the first 100 days.

The Commissioner-designate for Internal Affairs and Migration Magnus Brunner (Austria) wants to present a new European Internal Security Strategy, looking at online and offline threats. Another focal point is tackling cyber-facilitated crime through better cross-border cooperation and access to electronic evidence. He also wants to update law enforcement’s tools for access to digital information, including revising the rules on data retention. Finally, he wants to strengthen the mandate of Europol.

The Commissioner-designate for Democracy, Justice and Rule of Law Michael McGrath (Ireland) wants to present the Digital Fairness Act, focusing on tackling the issues of dark patterns, influencer marketing, addictive design and online profiling. He also wants to rapidly conclude the ongoing update to the General Data Protection Regulation (GDPR) procedural rules (see our previous reporting here).

Cybersecurity

The Council of the European Union adopted the Cyber Resilience Act

On 10 October, the Council of the EU adopted the Cyber Resilience Act (CRA), which marks the final step in the legislative process. The CRA intends to harmonise the rules for placing products or software with a digital component on the market, and to lay out requirements governing the planning, design, development and maintenance of such products, with obligations throughout the value chain and for their entire lifecycle. Once in force, compliant products will bear the “CE” marking. The CRA also establishes tiers of products with digital elements that are differentiated based on their sensitivity. Class I marks important products with digital elements, such as public key infrastructure and digital certificate issuance software, physical and virtual network interfaces or “routers, modems intended for the connection to the internet, and switches”. Important and critical products with digital elements are then required to undergo a conformity assessment procedure, depending on the specific product in question. The products are listed in the annexes, which can be amended through the Commission’s Delegated Acts. The CRA was already adopted by the European Parliament in March 2024. The final step is the publication of the Regulation in the Official Journal of the EU. The Regulation will enter into force 20 days after publication and will apply 36 months afterwards.

The European Commission adopted the NIS 2 Implementing Act on risk management and incident reporting

On 17 October, the Commission adopted the Implementing Regulation laying down rules for the application of the NIS 2 Directive’s technical and methodological requirements for cybersecurity risk-management measures, and further specifying the cases in which an incident is considered significant for DNS service providers and TLD name registries. The Implementing Act’s annex provides a list of mandatory cybersecurity risk-management measures for digital infrastructure actors, such as TLD registries, for the purposes of complying with Article 21 of the NIS 2 Directive. The Implementing Act defines a significant incident for TLD registries as one compromising the availability of DNS resolution, or compromising the “integrity, confidentiality or authenticity of stored, transmitted or processed data related to the technical operation of the TLD”. The Implementing Act also envisages developing a multistakeholder forum tasked with identifying the best available standards and deployment techniques for DNS and internet routing security, and routing hygiene. Furthermore, the NIS 2 and CER directives had a transposition deadline of 17 October. By this date all of the EU Member States should have transposed these directives into their own national legal systems. However, so far, only 5 and 2 countries have notified the Commission of their transposition of NIS 2 and the CER directive respectively, leaving the remaining Member States at different stages of the process.

Sauli Niinistö report outlined how to make Europe more secure

On 30 October, the European Commission published the report on Strengthening Europe’s Civilian and Military Preparedness and Readiness, prepared by the former Finnish president Sauli Niinistö. The report aims to answer questions on improving the identification of risk, mainstreaming civilian and military preparedness, and civilian-military cooperation. The report takes into account the geopolitical, climatic, economic and technological risk drivers and proposes actions to strengthen the EU’s ability to respond. In terms of enhancing cybersecurity, the report notes how attacks on hospitals, the energy grid or water infrastructure can have broad negative societal repercussions. While the EU recently introduced cybersecurity legislation like the NIS 2 and the Critical Entities Resilience (CER) Directive, there is a “growing need to go further”. Cybersecurity should be integrated into a whole-of-government approach to ensure operational coordination between civilian and military actors. In addition, the public and private sectors should improve trust in sharing threat intelligence, including through the European Cybersecurity Alert System. The NIS 2 and CER directives leave out certain sectors, like defence and key manufacturing, that provide essential services during crises. The report therefore suggests extending the critical infrastructure resilience frameworks to cover the crisis-relevant sectors as well.

Data Protection

EDPB adopted several guiding documents during its October plenary

On 9 October, the EDPB adopted several documents providing guidance on obligations for processors and sub-processors, processing of personal data based on legitimate interest, and its Work Programme for 2024-2025.

  • Opinion 22/2024 on certain obligations following from the reliance on processor(s) and sub-processor(s). According to the Opinion, controllers should have the information on the identity (i.e., name, address, contact person) of all processors and sub-processors readily available at all times. To this end, the processor should proactively provide to the controller all this information and should keep it up to date at all times. The controller’s obligation to verify whether the (sub-)processors present ‘sufficient guarantees’ to implement the appropriate measures should apply regardless of the risk to the rights and freedoms of data subjects. The extent of such verification may vary, notably on the basis of the risks associated with the processing and depending on the nature of technical and organisational measures. Regarding controller-processor contracts, the EDPB states that a basic element for such contracts is the commitment for the processor to process personal data only on documented instructions from the controller, unless the processor is “required to [process] by Union or Member State law to which the processor is subject”.
  • Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR (legitimate interest). According to the Guidelines, for processing to be based on “legitimate interest”, three cumulative conditions must be fulfilled and assessed before the relevant processing operations are carried out: 1) the pursuit of a legitimate interest by the controller or by a third party; 2) the need to process personal data for the purposes of the legitimate interest(s) pursued; and 3) the interests or fundamental freedoms and rights of the concerned data subjects do not take precedence over the legitimate interest(s) of the controller or of a third party. There is no exhaustive list of interests that may be considered legitimate. In the absence of a definition of that concept in the GDPR, a wide range of interests is, in principle, capable of being regarded as legitimate: e.g., having access to information online, ensuring the continued functioning of publicly available websites, obtaining personal information for the purposes of establishing, exercising or defending a legal claim, product improvement, assessing creditworthiness, etc. The Guidelines also note that “[t]he collection and analysis of personal data for the purposes of ensuring a high level of network and information security must meet both the necessity and balancing tests”, meaning that the objective of security “cannot justify an excessive processing of personal data”. The Guidelines are open for public consultation until 20 November.
  • EDPB Work Programme 2024 – 2025. According to the Work Programme, the EDPB plans to focus on enhancing harmonisation and promoting compliance through guidelines and advice on EU legislation. For the purposes of effective GDPR enforcement, the EDPB will facilitate the use of the cooperation tools enshrined in Chapter VII of the GDPR and of the Law Enforcement Directive (LED); support exchanges of information under the Coordinated Enforcement Framework; and evaluate and enhance the IT tools and systems used internally. The EDPB will also focus on common positions and guidance in the cross-regulatory landscape, such as the interplay between EU data protection law and other EU laws.

Europol and Eurojust published a report on the use of encryption

On 10 June, Europol, Eurojust and the European Commission’s Directorate-General for Migration and Home Affairs (DG HOME) published a first report on the use of encryption in the EU. The report discusses the use of encryption in quantum computing, cryptocurrencies, biometric data, telecommunication technologies, AI and the DNS. The report notes that police and judicial authorities can be prevented from accessing digital evidence by privacy-enhancing technologies, such as end-to-end encryption. According to the report, DNS over TLS (DoT), DNS over HTTPS (DoH) and DNS over QUIC (DoQ) make it difficult to lawfully intercept DNS requests. The challenges brought by these different privacy-enhancing protocols differ: DoT and DoQ allow law enforcement to analyse the traffic patterns, while keeping the DNS request itself encrypted. DoH, on the other hand, makes traffic pattern analysis difficult. The report suggests allowing law enforcement agencies to send lawful requests to DNS providers in order to obtain the content of DNS requests and DNS traffic data. The report also notes how the DNS protocol can be misused for criminal purposes. The listed examples include command and control communications, where malware uses fake DNS requests to communicate; and covert channels/data exfiltration, where malware sends data outside of the infected machine hidden in DNS queries. The report notes that DNS encryption is an “area of concern for the investigative powers”, since investigators are becoming increasingly dependent on service providers’ cooperation. According to the report, “it is crucial that DNS encryption, if implemented, would allow law enforcement to access and process suspects’ DNS traffic.”

Intellectual Property

EUIPO and Europol jointly published a report on Intellectual Property crime

On 16 October, EUIPO and Europol jointly published a report titled “Uncovering the ecosystem of IP Crime”. The document explores the ecosystem of intellectual property (IP) crime, as well as its drivers, mechanisms and enablers. The report highlights cybersquatting as one of the techniques used by IP criminals, namely the use of domain names very similar to those of established brands that trick unsuspecting buyers into believing they are on a legitimate website, e.g., a web shop. Furthermore, the report notes that counterfeiters use false identities to register domains and that “DNS abuse is intimately linked to the trade into counterfeit goods in the EU marketplace”. The report concludes that industry and other stakeholders must remain proactive in “implementing automated tools to facilitate the detection of counterfeit goods […] online”.

Consumer protection

The European Commission concluded a Fitness Check of EU consumer law on digital fairness

On 3 October, the European Commission published its Fitness Check of three Directives, which “form the core of the framework of consumer protection that applies to most traders and consumer-facing sectors in the EU”: 1) Unfair Commercial Practices Directive 2005/29/EC; 2) Consumer Rights Directive 2011/83/EU; and 3) Unfair Contract Terms Directive 93/13/EEC. According to the conclusions of the Fitness Check, the technology-neutral nature of EU consumer law, together with its principle-based rules and more prescriptive obligations, are necessary components of the regulatory framework for the Digital Single Market. The Directives have provided the necessary minimum of regulatory certainty and consumer trust to support the development of a diverse market of digital products and services in the EU. At the same time, the Fitness Check shows that the Directives have only partially provided a high level of consumer protection in the digital environment. Most importantly, the effectiveness of the three Directives is diminished by ineffective enforcement mechanisms, despite the improvement of cross-border enforcement within the Consumer Protection Cooperation (CPC) Network. In parallel to this Fitness Check, the Commission is reflecting on the possible need to reform the CPC Regulation. There is also a persistent complexity in applying consumer protection rules in the digital area in conjunction with other digital legislation. At present, the level of consumer protection may vary depending on the Member State in which consumers reside, the trader’s location, business model or the underlying technologies used in their products or services, according to the conclusions of the Fitness Check. For the way forward, more attention is needed to address dark patterns, reduce legal uncertainty, and facilitate more effective enforcement.


Published By Filip Lukáš
Filip is the Policy Advisor at CENTR, advising members on relevant EU policy and liaising with governments, institutions and other organisations in the internet ecosystem.