EU Policy Update - Wrapping up 2019
In a nutshell: At the end of 2019, the EU has a new European Commission, including a Commissioner for the Internal Market with an ambitious portfolio overseeing digital files, defence and space. One of the hot topics under discussion for the current legislative term, with intensified debates expected in 2020, is the Digital Services Act. The European Commission is looking into whether the new legislation that will revise the online intermediary landscape should encompass the DNS level. The e-Evidence package is advancing through the European Parliament, with the rapporteur issuing a long-awaited Draft Report on the file. More than 800 amendments were issued by the responsible Parliamentary committee on the legislative proposal, indicating that discussions on the role and responsibilities of service providers when issuing and preserving electronic evidence for foreign law enforcement authorities are far from over. On the seemingly less controversial topic of cybersecurity, the Commission is looking for ideas on potential cybersecurity certification areas under the EU Cybersecurity Act and the schemes envisaged within it. One potential contender for future coordinated EU standardisation work in the area of security is 5G, as assessed by the EU cybersecurity agency, ENISA. Meanwhile, Member States are no less occupied with the topic of security, especially in the context of so-called hybrid threats when it comes to critical infrastructure. The Council of the EU asks the Commission to evaluate the need for a possible legislative revision of the existing legal framework on critical infrastructures (but not NIS).
New Commission took office on 1 December
After a rocky start, the European Parliament approved the new college of the European Commission, led by Ursula von der Leyen. The new European Commission took office on 1 December. For digital topics, the Commissioner for the Internal Market, Thierry Breton (France), is the one to look out for. Breton, who will be working closely with the Executive Vice-President for a Europe Fit for the Digital Age, Margrethe Vestager, is responsible for the upcoming work on the Digital Services Act. During his hearing in the European Parliament, Breton promised to retain the limited liability framework established by the e-Commerce Directive ("safe harbour" provisions) and the prohibition of general monitoring obligations in the upcoming reform. Having previously served both as Finance Minister of France and as CEO of a big multinational corporation, Atos (up until 1 Nov 2019), Breton is expected to bring high-speed energy to the internal (market) matters of the EU.
European Commission confirms its plans to investigate DNS operators' role in the upcoming Digital Services Act
During the public event on the Digital Services Act organised in the European Parliament, the European Commission presented its current thinking and the justification behind the upcoming legislative reform on intermediary liability online. The European Commission's representative highlighted the historical context within which the current e-Commerce Directive was negotiated in 1998-1999. Back then, Big Tech did not exist and the "information society" was nascent. The emerging services were labelled "information society services", and the idea of tackling illegal content online materialised in the need to make sure that stolen creative goods were not sold online. As with every piece of legislation, the question of its relevance needs to be re-evaluated periodically. Considering the drastic change of the digital services landscape in the last two decades, the European Commission is analysing whether the objectives that motivated legislators 20 years ago are still relevant and whether the e-Commerce Directive reflects today's reality and current digital services. Namely, the distinction between passive and active platforms when determining liability for tackling illegal content might create barriers for service providers to take voluntary action, for fear of losing their safe harbour, according to the European Commission. The scope of the intermediary definition is also something that needs to be looked into in the revision, according to the European Commission. Namely, DNS operators are subject to contradictory legal judgments across Member States, and there is a need to evaluate how they fit into the e-Commerce Directive's architecture.
European Parliament published its Draft Report on the e-Evidence proposal
The long-awaited indication of the European Parliament's possible position on the e-Evidence proposal finally saw the light at the beginning of November. The Rapporteur, MEP Birgit Sippel, revealed the Parliament's Draft Report, which seeks to strike a balance between the interests of law enforcement authorities, the prevention of disruption to the provision of services, and the fundamental rights and freedoms of affected individuals. In this regard, the Draft Report includes several improvements. For example, the Draft Report envisages the (limited) involvement of the 'executing' Member State's authorities in the execution of the European Production and Preservation Orders (EPOC(-PR)), and a clarification of the independence of the judicial authorities that issue and/or validate EPOC(-PR) (including independent public prosecutors). The Draft Report also extends the emergency deadline for the execution of EPOC(-PR) by service providers to 24 hours. The Draft Report also re-classifies traffic data (e.g. IP addresses) to the same level of protection as "content data" and foresees the development of a common Union digital infrastructure for secure cross-border communication and transmission of e-evidence in the field of justice. More than 800 amendments to the Draft Report were filed by MEPs in the responsible Parliamentary Committee on Civil Liberties, Justice and Home Affairs (LIBE).
First EU cybersecurity certification schemes in the pipeline
At a cybersecurity event in Brussels, European Commission representatives gave more insight into the development of cybersecurity certification schemes under the framework established by the EU Cybersecurity Act. According to the European Commission, the planned certification schemes are not supposed to be standards per se but collections of standards that digital industries could adopt voluntarily. A group of stakeholders can come together and propose the development of a scheme, which the European Commission can then mandate ENISA to work on. The first EU cybersecurity certification schemes currently in the pipeline are one proposed by the cloud industry and one building on the IoT standards within the SOG-IS framework, which are already accepted within a number of Member States. The European Commission stressed on numerous occasions that engagement is needed from all stakeholders in the process of EU-wide cybersecurity certification. Additionally, more concrete plans on the upcoming certification schemes need to be reflected in the Union Rolling Work Programme, which is expected to be in place by June 2020 at the latest. It is a strategic document that will determine which schemes will be put in place in the coming years. These should be decided upon based on market needs and after a wide public consultation process.
ENISA mapped threats to 5G networks
ENISA published its assessment of the 5G Threat Landscape, which provides a technical view of the 5G architecture, its sensitive assets, the cyberthreats affecting those assets and the threat agents. The ENISA 5G Threat Landscape intends to identify the most critical components in a 5G network, which may become a target of various cybersecurity threats. From a policy perspective, the ENISA 5G Threat Landscape aims to contribute to "the EU Cybersecurity Strategy and more specifically, to ongoing policy initiatives related with the security of networks and information system". The ENISA 5G Threat Landscape identifies "DNS manipulation" as one of the core network threats under "manipulation of network configuration data". Among the potential threat agents identified by ENISA are "technology-interested young individuals that have low motivation/low capabilities but are equipped with malicious tools" (so-called 'script kiddies'), who can exploit network functions, using the growing number of connected IoT devices available to individuals, to launch high-impact attacks (e.g. DDoS). As a recommendation to the European Commission and the Member States, ENISA suggests increasing the collaboration between different stakeholders to improve the current material on cyberthreats. For example, coordinating with the work of 5G standardisation bodies will be of particular importance, together with coordinating the 5G initiatives that are active in the security field.
Council of the EU asks for the revision of the Directive on European critical infrastructures
On 10 December, the Council of the EU issued its conclusions on complementary efforts to enhance resilience and counter hybrid threats. In these conclusions the Council of the EU sets out its priorities concerning the "security of our Union against hybrid threats in the context of the implementation of the new Strategic Agenda for 2019-2024". One of the key areas identified by the Council of the EU in the context of "enhancing resilience to hybrid threats" is the protection of national and European critical infrastructures, as well as "functions and services critical to the proper functioning of the State". To this end, the Council of the EU invites the European Commission to consult with Member States on "a possible proposal for a revision of the Directive [2008/114/EC on the identification and designation of European critical infrastructures] early in the new legislative cycle, including potential additional measures to enhance the protection and resilience of critical infrastructure in the EU, taking into account the strong interdependencies between critical functions and services". In its conclusions the Council of the EU also recognised the importance of the NIS Directive "for the development of a risk-management and security culture by the operators in critical sectors", including in the context of hybrid threats.
Data protection and privacy
European Data Protection Board published guidelines on data protection by design and default (public consultation)
The European Data Protection Board (EDPB) is seeking feedback on its guidelines on GDPR Article 25 ('data protection by design and default'). Article 25 of the GDPR imposes an obligation on data controllers to (1) implement appropriate technical and organisational measures which are designed to implement the data protection principles and (2) integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects. The EDPB gives guidance on what these "appropriate technical and organisational measures" can be and describes them as "anything from the use of advanced technical solutions to the basic training of personnel, for example on how to handle customer data", as long as these are appropriate and effective for reducing the risk of infringing the rights and freedoms of data subjects. An example of a technical measure or safeguard under Article 25, according to the EDPB, is the pseudonymisation of personal data. In the spirit of the technological neutrality that predominates in the GDPR, Article 25 does not prescribe the implementation of any particular technical or organisational measures, but these need to be robust and able to be scaled up. Additionally, controllers need to demonstrate the effectiveness of the measures taken by determining appropriate key performance indicators, including metrics such as the level of risk, the reduction of complaints or performance evaluations, grading scales, expert assessments etc. The 'data protection by default' principle means inter alia that "information security shall always be a default for all systems, transfers, solutions and options when processing personal data", according to the EDPB. Furthermore, the EDPB gives guidance on key design features when ensuring data accuracy (p. 21) and "integrity and confidentiality" under the principle of security (p. 23).
On the latter, the EDPB suggests implementing an information security management system (ISMS) to "have an operative means of managing policies and procedures for information security". The guidelines are open for public comments until 16 January.
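The pseudonymisation measure the EDPB names above is easy to get wrong: an unkeyed hash of a low-entropy identifier such as an e-mail address can be reversed by simply hashing a list of candidate addresses. The following is an added illustration, not code from the EDPB guidelines or from this newsletter, of keyed pseudonymisation with HMAC-SHA256, where the key is held by the controller separately from the pseudonymised dataset. The sample records, the candidate list and the helper names (`pseudonymise`, `naive_hash`, `per_subject_totals`, `dictionary_recovers`) are all constructed for this example. It shows that the pseudonym stays stable for aggregation, that the same record yields different pseudonyms under different keys, and that only the party holding the key can re-identify a subject.

```python
"""Keyed pseudonymisation of personal identifiers (added example).

Constructed sample data; no real persons. The key is generated at run time
and would, in a real deployment, be stored apart from the pseudonymised data.
"""
import hashlib
import hmac
import secrets

# Constructed sample dataset: per-subject query counts keyed by e-mail.
SAMPLE_RECORDS = [
    {"email": "alice@example.org", "query_count": 12},
    {"email": "bob@example.org", "query_count": 3},
    {"email": "Alice@Example.org ", "query_count": 5},
]


def generate_key() -> bytes:
    """256-bit secret held by the controller, separate from the dataset."""
    return secrets.token_bytes(32)


def normalise(identifier: str) -> str:
    """Canonicalise so that case and whitespace variants map to one pseudonym."""
    return identifier.strip().lower()


def pseudonymise(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym: stable per key, unguessable without the key."""
    if len(key) < 32:
        raise ValueError("pseudonymisation key must be at least 256 bits")
    mac = hmac.new(key, normalise(identifier).encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()


def naive_hash(identifier: str) -> str:
    """Unkeyed hash, shown only as the weak alternative: anyone can
    rebuild it from a list of candidate identifiers."""
    return hashlib.sha256(normalise(identifier).encode("utf-8")).hexdigest()


def pseudonymise_records(records, key: bytes):
    """Replace the direct identifier with its pseudonym; drop the e-mail."""
    return [
        {"subject": pseudonymise(r["email"], key), "query_count": r["query_count"]}
        for r in records
    ]


def per_subject_totals(pseudonymised):
    """Aggregation still works because the pseudonym is stable per key."""
    totals = {}
    for r in pseudonymised:
        totals[r["subject"]] = totals.get(r["subject"], 0) + r["query_count"]
    return totals


def dictionary_recovers(pseudonym: str, candidates, fn) -> bool:
    """Return True if re-hashing a candidate list with fn finds the pseudonym."""
    return any(fn(c) == pseudonym for c in candidates)


if __name__ == "__main__":
    key = generate_key()
    pseudonymised = pseudonymise_records(SAMPLE_RECORDS, key)
    for subject, total in per_subject_totals(pseudonymised).items():
        print(subject[:16], total)
```

The design point is key separation: the analytics dataset carries only pseudonyms, so a breach of that dataset alone does not expose the identifiers, while the controller can still re-identify a subject (for example to honour an access request) by re-computing the HMAC with the key. Rotating the key produces an unlinkable fresh set of pseudonyms, which is useful when a dataset is handed to a new processor.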