News

EU Policy Update - February 2021

2021-03-08 EU Policy Updates

In a nutshell: Portugal is holding the presidency in the Council of the EU until the end of June 2021. Trilogue negotiations on the e-Evidence legislative package have started. The European Data Protection Board adopted the statement on the second additional protocol to the Budapest convention, outlining the problems with its domain name registration provisions. The Council of the EU adopted its position on ePrivacy. The Dutch government set out its position on the proposal of the EU Digital Services Act. The EU intends to criminalise hate speech and hate crime.

Portuguese priorities in the Council of the EU

Portugal took over the Presidency of the Council of the European Union from January to 30 June 2021. As one of its priorities, the Portuguese presidency promises to work “towards modernising European infrastructure and connectivity policies”. This is essential to “reduce external dependence on critical goods and technologies”. The Presidency also puts particular “importance to the fight against terrorism and hate”. The Portuguese presidency also pledges to “promote better access to and sharing of quality data and information to make citizens’ lives easier, in particular through the creation of a European digital identity”. As part of the EU Security Union Strategy, the Presidency pledges to “create conditions for implementing interoperability of information systems as a tool for police cooperation”.

e-Evidence

Trilogue negotiations started on the e-Evidence proposal

As reported earlier, the European Parliament has approved its position on the proposal for a regulation on European Production and Preservation Orders for electronic evidence in criminal matters (e-Evidence). The co-legislator, the Council of the EU, approved its position back in 2018. The Final round of negotiations between the Council of the EU, the European Parliament and the European Commission (so-called trilogues) can start. These negotiations are not available for public scrutiny and oversight. However, Statewatch has published a few documents, primarily from the least transparent EU institution - the Council of the EU, showing the differences in the co-legislators’ positions regarding the legislative proposal. In the Presidency note from January, the Council of the EU is seeking Member States’ views on a few priority changes introduced by the European Parliament's position. Namely, the European Parliament position establishes an obligation for the issuing state to reimburse the justified costs borne by the service provider related to the execution of the European Production Order or the European Preservation Order, if claimed by the service provider. The European Parliament also considers IP addresses to fall under the notion of “traffic data” that is subject to a stricter protection regime than what is proposed by the European Commission and supported by the Council of the EU. In addition, Statewatch has also published a 4-column document that shows the differences between the texts produced by all three EU institutions.

The European Data Protection Board adopted the statement on the second additional protocol to the Budapest convention

On 2 February 2021, the European Data Protection Board (EDPB) adopted its statement on new draft provisions of the second additional protocol to the Council of Europe Convention on Cybercrime (Budapest Convention), in light of ensuring “that data protection considerations are duly taken into account in the overall drafting process of the additional protocol”. The EDPB considers that the new provisions of the second additional protocol proposed in November 2020 “are likely to affect the substantive and procedural conditions for access to personal data in the EU, including as a result of requests from third country authorities”. The EDPB urges the EU negotiating parties to “ensure that the provisions laid down in the additional protocol do comply with the EU acquis in the field of data protection in order to ensure its compatibility with EU primary and secondary law”. As the latest provisions proposed in November 2020 also concern cross-border requests for domain name registration information, the EDPB has taken a stance in regard to the disclosure requests of domain name registration data. Namely, the EDPB notes that the proposed provisions for domain name registration data requests are not sufficiently clear: the “grounds for refusal to comply with the request are not clearly defined”. The EDPB recalls that “the conditions under which the entity providing domain name services must grant such access must be provided by law, so as to ensure that the processing relies on a clear legal basis”. According to the case law of the European Court of Justice (CJEU), “the type of requesting authorities who may issue such requests should be limited to a prosecutor, a judicial authority or another independent authority”, according to the statement. The EDPB also stresses that domain name registration information includes personal data and that therefore, “any international instrument laying down substantive and procedural conditions for accessing such data” for EU members must be compliant with EU law.

Data protection

The Council of the EU adopted its position on ePrivacy

On 10 February, after years of negotiations between the EU Member States, the Council of the EU adopted its position on the ePrivacy Regulation proposal, after the text was presented by the European Commission on January 2017. The trilogue negotiations between the European Commission, the European Parliament and the Council of the EU can start. The ePrivacy Regulation is lex specialis to the GDPR, aimed at clarifying rules for processing personal information by the electronic communications sector. Most notably, the agreed text by the Council of the EU permits the processing of electronic communications data without the consent of the user for the purpose of “ensuring the integrity of communications services, checking for the presence of malware or viruses, or cases where the service provider is bound by EU or member states’ law for the prosecution of criminal offences or prevention of threats to public security”. In addition, metadata, such as location and traffic data can also be processed to detect or stop fraudulent use, and to protect “users’ vital interests, including for monitoring epidemics and their spread or in humanitarian emergencies”, according to the Council of the EU. When it comes to cookie walls, the Council of the EU text makes “access to a website dependent on consent to the use of cookies for additional purposes as an alternative to a paywall”, if the user is able to choose between consenting to cookies or accessing the website behind a paywall (i.e. “an equivalent offer”).

Content moderation

The Dutch government set out its position on the proposal of the EU Digital Services Act

On 17 February, the Dutch government published a paper setting out the Dutch position on the proposal for the Digital Services Act (DSA). The Dutch position overall welcomes the DSA proposal, that aims for a safer online environment for European consumers and end-users. According to the Dutch position, “the government's first impression of the proposal is positive, though some aspects of it are still unclear”. The Dutch government supports a broad definition of the term ‘illegal content’, although the exact scope of that definition is not fully clear, according to the position paper. For example, according to the Dutch government, “it is unclear whether content that forms part of illegal actions but is not illegal in itself, such as phishing emails, comes under this definition”. According to the Dutch position, “the government feels this is important in combating cybercrime”.

The EU intends to criminalise hate speech and hate crime

According to the European Commission’s recent roadmap, the European Commission will present an initiative to extend the list of EU crimes to hate speech and hate crime by the end of 2021. Currently, the only EU instrument that harmonises the definition of, and criminal penalties for some specific forms of hate speech and hate crime is the Council Framework Decision 2008/913/JHA on combating racism and xenophobia by means of criminal law. This piece of EU legislation requires Member States to criminalise public incitement to violence or hatred on the grounds of race, colour, religion, descent and national or ethnic origin. As regards hate speech and hate crime on grounds other than those laid down in the Framework Decision, there is no harmonisation of the criminal offences and sanctions at EU level. It is up to Member States to provide for a criminal law response to other types of hate speech, on grounds like sex, sexual orientation, age and disability, according to the roadmap. According to the Commission, the inclusion of hate speech and hate crime in the list of EU crimes will enable the Commission to “establish minimum rules on the definition of criminal offences and sanctions in the areas of hate speech and hate crime” in a respective legal instrument, such as a directive.