EU Policy Update – February 2022

EU Policy Updates 10-03-2022

In a nutshell: The European Commission kickstarted the year with a set of publications of relevance for ccTLDs, such as the DNS Abuse Study and the Communication on an EU Strategy on Standardisation. The Commission also released proposals for a European Declaration on Digital Rights and a Data Act. Regarding intellectual property, the Commission issued a call for evidence on the upcoming EU Toolbox against Counterfeiting, whilst the European Parliament published a Study on the Cross Border Enforcement of Intellectual Property Rights in the EU. Co-legislators reached a provisional agreement on amending the Europol regulation, and IMCO published its Draft Report on the EUID proposal. The EDPB launched a coordinated enforcement action on the use of cloud services by the public sector.

The European Commission published its DNS Abuse Study

On 31 January, the European Commission published its DNS Abuse Study, which intends to “assess the scope, impact, and magnitude of DNS abuse, as well as to provide input for possible policy measures on the basis of identified gaps” (see our previous reporting here). The Study first starts by defining DNS abuse as “any activity that makes use of domain names or the DNS protocol to carry out harmful or illegal activity”. When it comes to domain name industry and different actors within, the Study finds that EU ccTLDs are “by far the least abused in absolute terms and relative to their overall market share” and that new gTLDs are “the most abused group of TLDs”. As for recommendations given by the authors to address DNS abuse, most of them are targeted either at both gTLDs and ccTLDs, or solely at ccTLDs. For example, the Study recommends that all TLD registries should “verify the accuracy of the domain registration (WHOIS) data”, among others, through harmonised Know Your Business Customer (KYBC) procedures and eID authentication. ccTLDs should also, “in the same manner as gTLDs, provide a scalable and unified way of accessing complete registration (WHOIS) information using the Registration Data Access Protocol (RDAP)”. The authors also encourage ccTLDs to consider “publishing DNS zone file data through DNS zone transfer of a system similar to the Centralized Zone Data Service (CZDS) maintained by ICANN”. Regarding intellectual property rights (IPR) infringements, the Study states that the majority of domain registrars and registries refuse “to take action when the domains they service are used for IPR infringement” and that “some registries do not respond to requests and/or have very limited reporting procedures”. They are therefore encouraged to “develop or improve existing similarity search tools or surveillance services to enable third-parties to identify names that could potentially infringe their rights”. Finally, the authors do not consider addressing abuse cases through the “rigid linear referral path (website operator - registrant - hosting provider - reseller, if any - registrar - registry operator)” to be appropriate.

The European Commission proposed a European Declaration on Digital Rights and Principles for the Digital Decade

On 26 January, the European Commission proposed a European Declaration on Digital Rights and Principles for the Digital Decade. The Declaration aims to define a set of principles for “a human-centred digital transformation and should “serve as a reference point for businesses and other relevant actors when developing and deploying new technologies” whilst guiding policy makers. As part of the Declaration, the Commission commits to ensuring that all Europeans “are offered an accessible, secure and trusted digital identity” but that citizens should not provide “data more often than necessary when accessing and using digital public services”. Measures shall be taken to “tackle all forms of illegal content in proportion to the harm they can cause […]and without establishing any general monitoring obligations”. The Declaration also reveals that connectivity for all should be ensured, regardless of citizens’ place of living or income, and that a “neutral and open Internet where content, services and applications are not unjustifiably blocked or degraded” should be protected.  As for safety and security, the EU shall ensure that “people, businesses and public institutions” are protected from cybercrime, “including data breaches and cyberattacks”. The Declaration also mentions children’s’ digital rights and states that children shall be protected from “harmful and illegal content, exploitation, manipulation and abuse online”. The European Commission, the European Parliament and the Council of the EU will soon discuss the content of the Declaration, which is intended to take the form of a joint solemn declaration signed by the three institutions. According to the Commission’s Communication accompanying the Declaration, the Commission will monitor the measures taken by Member States to put the Declaration into practice.

The European Commission presented its Proposal for a Data Act

On 23 February 2022, the European Commission presented its proposal for a Regulation on harmonised rules on fair access to and use of data (‘Data Act’). The proposal aims to unlock the potential of the European data economy “by providing opportunities for the reuse of data”, and by ensuring “fairness in the allocation of value from data among actors in the data economy”. Amongst other things, the Data Act aims to allow businesses and consumers to easily switch their data and other digital assets between competing providers of cloud and other data processing services. It mainly targets physical connected products which “obtain, generate or collect […]data concerning their performance, use or environment and that are able to communicate that data via a publicly available electronic communications service”. This includes IoT devices and virtual assistants, for example. The proposal also intends to support “the development of interoperability standards for data to be reused between sectors”. Under the proposal, data holders will have to make data available to their customers upon their request. The data concerned is “any digital representation of acts, facts or information and any compilation of such facts or information, including in the form of sound, visual or audio-visual recording”. This entails an obligation on the data holders to “make available the data generated by the use of a product or related service[...] without undue delay, free of charge” to the users of their product, including with an aim to move that data to third parties of users’ choice. Public authorities may also request data to be made publicly available in exceptional cases if this is needed to perform a task in the public interest. In this case, different criteria would have to be fulfilled before making the data available (the data request should be clear and concise, proportionate to the exceptional need, proven to be needed for exceptional purposes etc.). The Data Act also clarifies that the sui generis right which enables the protection of databases in the EU “does not apply to databases containing data generated or obtained by the use of products or related to services”.

The European Commission published its Communication on an EU Strategy on Standardisation

On 2 February, the European Commission published its Communication entitled “An EU Strategy on Standardisation – Setting global standards in support of a resilient, green and digital EU single market”. The Commission explains that “many third countries are taking an assertive stance to standardisation” and that Europe must therefore not only strengthen “standardisation skills across industry and academia”, but must also ensure its competitiveness and technological sovereignty. The strategy identified several strategic areas where “an urgent need for the development of standards” exists. These include, for example, data interoperability, data sharing and data re-use. The strategy acknowledges that “the strategic importance of standards has not been adequately recognised at the cost of EU leadership in standards-setting”. To reduce Europe’s dependency on standardisation priorities set by “private and non-European industry-led consortia”, the European Commission lays down a list of steps it intends to take.  For example, the Commission intends to “set up a High-Level Forum to assist the Commission in anticipating upcoming standardisation priorities” and “review existing standards to identify needs for revisions or development of new standards[…]”. It will also create an EU excellence hub on standards, which will “bring together the standardisation expertise”. The hub is intended to support a better response to public sector requests for the development of guidelines and specifications in areas like eID, eGovernment or the European Blockchain Service Infrastructure. Secondly, the Commission intends to “set up a mechanism with EU Member States and national standardisation bodies to monitor, share information, coordinate and strengthen the European approach to international standards […], including within ITU, ISO and the IEC, but also other international standardisation fora like IETF, W3C, 3GPP, OneM2M, IEEE, OASIS and others. The Commission also promises to work on solutions and set clear targets to accelerate every step of the development of standards that underpin the implementation of EU legislation and promises to “foster the development and deployment of international standards for a free, open, accessible and secure global internet”, including establishing an EU internet standard monitoring website.   

Intellectual Property

The European Commission issued a call for evidence on the EU Toolbox against counterfeiting

On 3 February, the European Commission issued a call for evidence on the upcoming initiative for an EU Toolbox against Counterfeiting to gather feedback from stakeholders (see our previous reporting here). According to the call for evidence, counterfeiting is still thriving in the European Union, with imports of counterfeit goods representing up to 5.8% of EU imports in 2019. Criminals use increasingly sophisticated means to operate such activities by “globally tapping all the potential of physical markets and the digital economy, as well as playing on supply chain vulnerabilities”. The upcoming EU Toolbox against counterfeiting will therefore aim to “set out coherent, effective and coordinated action against counterfeiting, both online and offline”, through the clarification of the roles of rightsholders and intermediaries, and mutual cooperation and information sharing “between right holders, intermediaries and national and EU public authorities”. The call for evidence also states that measures for online and offline intermediaries, including domain registrars and registries, could include 1) “appointing a single contact point for IP enforcement”; 2) “taking specific proactive and proportionate actions, and developing tools to be used voluntarily by intermediaries” and 3) “coordinating legal action with right holders against the most harmful IP infringers”.

The European Parliament issued a study on the Cross Border Enforcement of Intellectual Property Rights in the EU

In December 2021, the European Parliament issued a study on the Cross Border Enforcement of Intellectual Property Rights in the EU. The study finds that although the nature of most online infringements is cross-border, their enforcement is a “rare phenomenon” and that some stakeholders avoid initiating proceedings in multiple Member states “on the basis of perceived costs involved and potentially lengthy timeframe”. The study puts forward a range of recommendations to improve the cross-border enforcement of intellectual property rights (IPR). For example, it states that “EU-wide enforcement blocking against infringing websites already blocked by courts” in several Member States can be one starting point to consider. Furthermore, the Study recommends clarifying legal concepts such as ‘obvious infringement’ or ‘manifestly illegal content’ and that a “mutually-recognised EU blocking order for certain cases involving “obvious” infringements” should be created. This would mean that if rightsholders successfully obtain a blocking order in one Member State, they will benefit from a ‘fast track’ to recognise and enforce the judicial order in other Member States “where the same infringements are at stake”. Another recommendation put forward by the study is to increase coordination “on the formation of best practices for important elements of cross-border enforcement” through the establishment of a ‘contact committee’, which would include competent national authorities of different Member States. Finally, the study explains that a long-term objective should be the harmonisation and unification of EU copyright law, e.g. through the development of a uniform copyright code. 

Data protection

The EDPB launched a coordinated enforcement action on the use of cloud services by the public sector

On 15 February, the European Data Protection Board (EDPB) launched the first coordinated enforcement action to investigate the use of cloud-based services by the public sector. The coordinated action includes 22 supervisory authorities across the EEA (including EDPS). According to EuroStat, cloud uptake by enterprises has doubled across the EU in the last 6 years, and the COVID-19 pandemic sparked many public sector organisations to move to cloud services. According to the EDPB, national and EU public bodies are facing difficulties in obtaining ICT services that comply with EU data protection rules. Through coordinated guidance and action, the supervisory authorities “aim to foster best practices and thereby ensure the adequate protection of personal data”, according to the EDPB. In the following months, supervisory authorities will explore challenges with GDPR compliance when using cloud-based services within national and EU public bodies across many sectors, including “the process and safeguards implemented when acquiring cloud services, challenges related to international transfers, and provisions governing the controller-processor relationship.” The EDPB will publish a report on the outcome of this analysis before the end of 2022.


The co-legislators reached a provisional agreement on amending the Europol regulation

On 1 February, the French Presidency in the Council of the EU and the European Parliament reached a provisional agreement on a draft regulation amending the Europol regulation (see our previous reporting here and here). The provisional agreement is subject to approval by the Council and the European Parliament before going through the formal adoption procedure. Under the draft regulation, Europol will be able to receive personal data directly from private parties and service providers, with the purpose of providing Member States with the information necessary to establish the jurisdiction and to investigate cybercrimes under their respective jurisdictions. Furthermore, Europol will be able to send reasoned requests to Member States to obtain additional information from private parties to identify all relevant Member States concerned. Additionally, Europol will be given an additional support role for Member States in “the use of emerging technologies and in exploring new approaches and developing common technological solutions[...] to better prevent and counter terrorism and crimes falling within the scope of Europol’s objectives”. To that end, Europol will be allowed to process more personal information “for research purposes”. Since Europol’s revised mandate includes the processing of a significantly large amount of personal information, its Management Board should appoint “a Fundamental Rights Officer who should be responsible to support Europol in safeguarding the respect for fundamental rights in all its activities and tasks”. On the same day, the European Data Protection Supervisor (EDPS) held a speech expressing his “serious concerns” with the direction that the negotiations on the Draft Regulation had taken. Primarily, the EDPS is concerned that the extension of Europol’s powers does not go hand in hand with the strengthened scrutiny of Europol's actions.


IMCO published its Draft Opinion on the EUID proposal

On 8 February, the European Parliament's Committee on the Internal Market and Consumer Protection (IMCO) published its Draft Opinion on the proposal for a Regulation to set up a framework for a European Digital Identity (‘EUID Regulation’)(see our previous reporting here). MEP Andrus Ansip (Renew), the Rapporteur in IMCO who is responsible for the Draft Opinion, considers “the implementation of a cross-border legal framework for trusted digital identities to be an essential tool to strengthen the European Single Market and consumer protection”. According to the Rapporteur, “the current situation with weak or non-existent digital verification represents a considerable burden” on European businesses spending on average “six to seven weeks verifying the identity of potential business partners or clients before starting to conduct business”. Amendments proposed in IMCO’s Draft Opinion suggest including software-based technologies with high security and privacy standards that could be the basis for the European Digital Identity Wallets whose aim is to provide each EU citizen with a digital passport.

Published By Polina Malaja
Polina Malaja is the Policy Director at CENTR, leading its policy work and liaising with governments, institutions and other organisations in the internet ecosystem.

Related News

EU Policy Updates 31-01-2022
EU Policy Update – Outlook to 2022

EU Policy Update – Outlook to 2022

Polina Malaja
EU Policy Updates 13-12-2021
EU Policy Update – November 2021

EU Policy Update – November 2021

Polina Malaja
EU Policy Updates 08-04-2021
EU Policy Update – March 2021

EU Policy Update – March 2021

Polina Malaja