EU Policy Update - February 2021
In a nutshell: Portugal is holding the presidency in the Council of the EU until the end of June 2021. Trilogue negotiations on the e-Evidence legislative package have started. The European Data Protection Board adopted the statement on the second additional protocol to the Budapest convention, outlining the problems with its domain name registration provisions. The Council of the EU adopted its position on ePrivacy. The Dutch government set out its position on the proposal of the EU Digital Services Act. The EU intends to criminalise hate speech and hate crime.
Portuguese priorities in the Council of the EU
Portugal took over the Presidency of the Council of the European Union from January to 30 June 2021. As one of its priorities, the Portuguese presidency promises to work “towards modernising European infrastructure and connectivity policies”. This is essential to “reduce external dependence on critical goods and technologies”. The Presidency also puts particular “importance to the fight against terrorism and hate”. The Portuguese presidency also pledges to “promote better access to and sharing of quality data and information to make citizens’ lives easier, in particular through the creation of a European digital identity”. As part of the EU Security Union Strategy, the Presidency pledges to “create conditions for implementing interoperability of information systems as a tool for police cooperation”.
Trilogue negotiations started on the e-Evidence proposal
As reported earlier, the European Parliament has approved its position on the proposal for a regulation on European Production and Preservation Orders for electronic evidence in criminal matters (e-Evidence). The co-legislator, the Council of the EU, approved its position back in 2018. The Final round of negotiations between the Council of the EU, the European Parliament and the European Commission (so-called trilogues) can start. These negotiations are not available for public scrutiny and oversight. However, Statewatch has published a few documents, primarily from the least transparent EU institution - the Council of the EU, showing the differences in the co-legislators’ positions regarding the legislative proposal. In the Presidency note from January, the Council of the EU is seeking Member States’ views on a few priority changes introduced by the European Parliament's position. Namely, the European Parliament position establishes an obligation for the issuing state to reimburse the justified costs borne by the service provider related to the execution of the European Production Order or the European Preservation Order, if claimed by the service provider. The European Parliament also considers IP addresses to fall under the notion of “traffic data” that is subject to a stricter protection regime than what is proposed by the European Commission and supported by the Council of the EU. In addition, Statewatch has also published a 4-column document that shows the differences between the texts produced by all three EU institutions.
The European Data Protection Board adopted the statement on the second additional protocol to the Budapest convention
On 2 February 2021, the European Data Protection Board (EDPB) adopted its statement on new draft provisions of the second additional protocol to the Council of Europe Convention on Cybercrime (Budapest Convention), in light of ensuring “that data protection considerations are duly taken into account in the overall drafting process of the additional protocol”. The EDPB considers that the new provisions of the second additional protocol proposed in November 2020 “are likely to affect the substantive and procedural conditions for access to personal data in the EU, including as a result of requests from third country authorities”. The EDPB urges the EU negotiating parties to “ensure that the provisions laid down in the additional protocol do comply with the EU acquis in the field of data protection in order to ensure its compatibility with EU primary and secondary law”. As the latest provisions proposed in November 2020 also concern cross-border requests for domain name registration information, the EDPB has taken a stance in regard to the disclosure requests of domain name registration data. Namely, the EDPB notes that the proposed provisions for domain name registration data requests are not sufficiently clear: the “grounds for refusal to comply with the request are not clearly defined”. The EDPB recalls that “the conditions under which the entity providing domain name services must grant such access must be provided by law, so as to ensure that the processing relies on a clear legal basis”. According to the case law of the European Court of Justice (CJEU), “the type of requesting authorities who may issue such requests should be limited to a prosecutor, a judicial authority or another independent authority”, according to the statement. The EDPB also stresses that domain name registration information includes personal data and that therefore, “any international instrument laying down substantive and procedural conditions for accessing such data” for EU members must be compliant with EU law.
The Council of the EU adopted its position on ePrivacy
The Dutch government set out its position on the proposal of the EU Digital Services Act
On 17 February, the Dutch government published a paper setting out the Dutch position on the proposal for the Digital Services Act (DSA). The Dutch position overall welcomes the DSA proposal, that aims for a safer online environment for European consumers and end-users. According to the Dutch position, “the government's first impression of the proposal is positive, though some aspects of it are still unclear”. The Dutch government supports a broad definition of the term ‘illegal content’, although the exact scope of that definition is not fully clear, according to the position paper. For example, according to the Dutch government, “it is unclear whether content that forms part of illegal actions but is not illegal in itself, such as phishing emails, comes under this definition”. According to the Dutch position, “the government feels this is important in combating cybercrime”.
The EU intends to criminalise hate speech and hate crime
According to the European Commission’s recent roadmap, the European Commission will present an initiative to extend the list of EU crimes to hate speech and hate crime by the end of 2021. Currently, the only EU instrument that harmonises the definition of, and criminal penalties for some specific forms of hate speech and hate crime is the Council Framework Decision 2008/913/JHA on combating racism and xenophobia by means of criminal law. This piece of EU legislation requires Member States to criminalise public incitement to violence or hatred on the grounds of race, colour, religion, descent and national or ethnic origin. As regards hate speech and hate crime on grounds other than those laid down in the Framework Decision, there is no harmonisation of the criminal offences and sanctions at EU level. It is up to Member States to provide for a criminal law response to other types of hate speech, on grounds like sex, sexual orientation, age and disability, according to the roadmap. According to the Commission, the inclusion of hate speech and hate crime in the list of EU crimes will enable the Commission to “establish minimum rules on the definition of criminal offences and sanctions in the areas of hate speech and hate crime” in a respective legal instrument, such as a directive.