In a nutshell: September was a busy month for EU policymakers, who were back in Brussels after the holidays. Cybersecurity remains a key focus point, while we are yet to see any significant progress on e-Privacy or e-Evidence in the Council of the EU, despite ongoing debates. Parliamentarians have discussed the .eu Regulation reform in ITRE. Europol has published its annual report on cybercrime trends, and the UK government is preparing its businesses and citizens for a no-deal Brexit scenario.
ITRE discusses the .eu Regulation
On 24 September Parliamentarians exchanged views about the ongoing .eu Regulation reform. The rapporteur on the file, Swedish MEP Fredrick Federley (ALDE), stressed the importance of the existence of .eu for the European online identity and the need to promote values such as multilingualism and the rule of law. Shadow rapporteurs expressed their satisfaction with the efforts led by the European Commission in the initial proposal. The EPP group stressed the importance of security when it comes to the .eu operation, while S&D highlighted the issue of securing trademark owners’ interests when registering a .eu domain name. The European Commission pointed out how good the cooperation had been with the European Parliament when it comes to the reform of .eu regulation. MEPs closed the hearing stating that the file will most likely be concluded before the end of the year.
Member State governments have consistently failed to reach an agreement on the file in the Council of the EU. One of the most contentious issues that keep governments diverging on the file is the question of a possibility to process the metadata of electronic communications for “legitimate reasons”. These legitimate reasons would go beyond user’s consent and specific purposes laid down by law, according to the most recent text issued by the Austrian Council Presidency. The text calls on the Member States’ delegations to continue providing relevant input, without much further progress in sight.
Another milestone for eIDAS implementation
Since 29 September, the cross-border recognition of eIDs has become mandatory across the Member States, according to the eIDAS Regulation. This means that Member States must accept the notified electronic identification means of other Member States for their online public services. Not all Member States are obliged to notify the Commission of their electronic identification systems, but if they do, they must also accept other notified eIDs from other Member States. Germany and Italy have completed their notification procedure. Luxembourg and Spain are about to complete the process, while Croatia, Estonia, Belgium, Portugal and the UK are currently going through the peer-review.
NIS Directive implementation
Although the deadline for transposing the NIS Directive to national laws was in May 2018, by now only 16 Member States have notified the European Commission of its full transposition. In July, the European Commission sent formal warnings to 17 countries to fully transpose the NIS Directive into their national laws. As a result, Denmark, Hungary, Ireland, Spain and Portugal have notified the Commission that they had taken measures to adopt the Directive. Austria, Belgium, Bulgaria, Greece, Latvia, Luxembourg, the Netherlands and Romania are amongst those countries that have not yet implemented the NIS Directive.
EU Cyber Envoy
The European Parliament will vote at the end of October on whether it wants to proceed with a pilot project for an “EU Cyber Envoy” to “coordinate the advancement of an open, interoperable, secure and reliable internet in the EU’s relations with third countries.” Dutch MEP Marietje Schaake and Estonian MEP Urmas Paet are behind these efforts, echoing the statements made in the non-binding resolution adopted by the European Parliament on 25 May 2018. MEP Schaake has previously welcomed the resolution and the Parliament’s endorsement of the work done by the Global Commission on the Stability of Cyberspace. The work of the Global Commission calls on states not to introduce national legislation that effectively disrupts the functioning of the organisations responsible for the DNS.
Illegal content and intermediary liability
The EU Code of Practice on Disinformation
The final version of the industry self-regulatory initiative to tackle disinformation online was published on 26 September. The Commission is expected to present the annex, roadmap and list of signatories of the Code in the coming weeks. By signing the Code and its Annex of best practices, the signatories agree to adhere to tackle disinformation online, including to have clear policies in place regarding the identity and the use of automated bots on their services. Industry “best practices” are expected to be identified in the Annex. The Sounding Board of the Forum, which provides advice on the Code and consists of associations representing the media sector, civil society, fact-checking organisations and academia, has identified the lack of monitoring mechanisms to track implementation of the Code as one of its weaknesses.
UK Government issues guidance on copyright in case of no-deal Brexit
On 24 September, the UK Government published a notice to guide citizens through a possible scenario if the UK leaves the EU in March 2019 without a deal, and how this would affect cross-border copyright. For example, in the case of sui generis database rights there will be no obligation for EEA states to provide database rights to UK nationals, residents and businesses. Website owners might also be encouraged to take down content or limit access to content based on geolocation, in case the exceptions for copyright protection recognised in Europe cease to apply in the UK.
Law enforcement access
EDPB comments on e-Evidence
The European Data Protection Board (EDPB) adopted an opinion on the new e-Evidence regulation, proposed by the European Commission in April 2018. The EDPB stressed that the proposed new rules, which provide for the collection of electronic evidence for cross-border investigations, should sufficiently safeguard the data protection rights of individuals and should be more consistent with EU data protection laws. The opinion is expected to be published in full during October. Meanwhile, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) has commissioned a research study on the implications of the Commission’s e-Evidence proposal on the Member States’ sovereignty and is considering the existing legal framework around international cooperation. The study concludes that the direct cooperation proposed in the e-Evidence will affect the territorial sovereignty of Member States and will prevent them from taking responsibility for an effective protection of fundamental rights within their territories. Instead, the protective function is shifted to the service provider and/or the competent authority, neither of which is in position to ensure adequate protection.
Europol issues the cybercrime report
On 18 September Europol published its annual Internet Organised Crime Threat Assessment (IOCTA) that aims to provide an overview of the current, as well as anticipated future threats and trends of crimes conducted and/or facilitated online. The report highlights some difficulties that the GDPR-induced restrictions to the public WHOIS entail for law enforcement. The report states that none of the access systems to non-public WHOIS information that gTLD operators have recently introduced satisfy the needs of LEA. These access systems do not scale and fail to protect the confidentiality of the investigations, according to the report. In addition, there are no guarantees that registry or registrar operators would notify their clients that their domain was being investigated.