In a nutshell: EU ambassadors and LIBE endorsed a political agreement on e-Evidence. Europol and Eurojust published a situation report on access to electronic evidence by law enforcement and judicial authorities in 2022. IMCO adopted its opinion on the proposal for a regulation on GI protection for craft and industrial products, while JURI adopted its opinion on the proposal for a regulation on GI protection for agricultural products. MEPs in AGRI expressed concerns over EUIPO’s increased competence within the GI reform. The EDPB adopted reports on cookie banners and the use of cloud services by the public sector. A 2022 consumer protection “sweep” identified an increase of dark patterns within web shops.
EU ambassadors and LIBE endorsed a political agreement on the e-Evidence package
On 25 January, the EU Member States' ambassadors confirmed the interinstitutional agreement on the e-Evidence package, reached with the European Parliament at the end of 2022 (see our previous reporting here). The e-Evidence regulation will make it possible for the relevant authorities to request electronic evidence directly from service providers, including domain name registries and registrars, in another Member State. On 31 January, the agreement was also endorsed by members of the European Parliament in the Civil Liberties Committee (LIBE). The regulation establishes European Production and Preservation Orders that can be issued by judicial authorities towards service providers across all EU Member States, in order to obtain or preserve e-evidence regardless of the location of the data. These orders may cover any category of data, including subscriber, traffic and content data. For traffic and content data, a notification system to inform the authorities in the Member State where the service provider is established will be put in place. For subscriber data, including domain name registration data, no such notification is needed according to the latest text. In cases where the enforcing state’s authorities do not need to be notified, service providers would need to transmit the requested data at the latest within 10 days upon receipt of the European Production Order, and within 8 hours in case of an emergency. In principle all European Production and Preservations Orders need to be validated by judicial authorities (or the public prosecutor in case of subscriber data) before the order is issued, except for emergency cases of “imminent threat”. Appropriate channels should be developed to ensure that all parties can efficiently cooperate in a digital way, through a “decentralised information technology (IT) system that allows for the swift, direct interoperable, sustainable, reliable and secure cross-border electronic exchange of case-related forms, data and information”.
Europol and Eurojust issued a joint SIRIUS e-Evidence Situation Report for 2022
On 22 December 2022, Europol and Eurojust published a joint report on the SIRIUS project, dedicated to fostering “faster and more effective” cross-border access to electronic evidence stored by online service providers (OSPs) in the context of criminal investigations. According to the report, “digital data held by OSPs is essential to nearly all criminal investigations into any crime area”. User data that is not publicly available, such as connection logs, IP addresses, contact details or payment data “may be key elements for competent authorities to investigate and prosecute criminal offences or save lives in imminent danger”. In most EU criminal investigations, non-content data is considered more important than content data, according to the report. The report also states that the invalidation of the Data Retention Directive and the fact of limiting the scope of national data retention legal frameworks by the European Court of Justice (CJEU) “has left law enforcement and judicial authorities uncertain about the possibilities to obtain data from private companies”. The report encourages EU law enforcement agencies to create or expand the capacity of units for cross-border data disclosure requests under voluntary cooperation, include training on cross-border access to electronic evidence, and ensure the security of e-mail by strong passwords and two factor authentication. OSPs are encouraged to take measures to identify and prevent fake requests for data disclosure, and consider the impact on electronic evidence when launching new products and services, especially in relation to AI.
Geographical indications: IMCO adopted its Opinion on the crafts/industrial products proposal
On 24 January, the Committee on the Internal Market and Consumer Protection (IMCO) adopted its Opinion on the proposal for a regulation on the geographical indication (GI) protection for craft and industrial products (see our previous reporting here). The IMCO opinion expands the GI protection to “both modern and historical names, symbols, and characteristics” of regional products, and asks authorities to provide small and medium-sized enterprises with “all necessary support and financial assistance” during the GI registration process. When it comes to domain name related provisions, the IMCO Opinion clarifies that only holders of a registered GI or a producer group with a legitimate interest in it should be empowered to request the revocation or the transfer of the conflicting domain name. In case of conflicts “on domain names with non-EU Country-codes, or with EU country codes concerning non-EU geographical indications, the dispute settlement should be conducted by the EUIPO in cooperation with the international dispute settlement systems already in place, such as the ones managed by WIPO and ICANN”, according to the IMCO Opinion. Regarding the “domain name information and alert system”, the IMCO opinion limits the scope of domain name alerts to registered GIs only, as opposed to applicants for a GI. EUIPO shall be given the possibility to extend the domain name information and alert system to other TLDs administered and managed by a registry established in the Union, according to the IMCO Opinion.
Geographical indications: JURI adopted its Opinion on the agricultural products proposal
On 24 January, the Committee on Legal Affairs (JURI) adopted its Opinion on the proposal for a regulation on GI protection for wine, spirits drinks, agricultural products. According to the JURI opinion, the role of the EUIPO within the GI application process needs to be clarified: the EUIPO should be tasked with assisting the European Commission in examining applications and in the opposition procedure. Regarding the domain name related provisions and similarly to the IMCO opinion (see above), the JURI Opinion also includes amendments on the dispute settlement of domain names “with non-EU Country-codes, or with EU country codes concerning non-EU geographical indications” that should be conducted by the EUIPO in cooperation with WIPO and ICANN. However, JURI suggests expanding the scope of the Regulation to all TLDs established in the Union, as opposed to limiting it only to EU ccTLDs. The JURI Opinion also suggests that the EUIPO should be empowered “to monitor registration of domain names in the Union which could conflict with the names included in the Union register of geographical indications”.
Geographical indications: MEPs in AGRI expressed concerns over EUIPO’s increased competence within the GI reform
On 31 January, the Committee on Agriculture and Rural Development (AGRI) exchanged views on the proposed amendments on the agricultural products proposal for a regulation on GI protection for wine, spirits drinks, agricultural products. During the debate, several MEPs voiced their concerns about expanding the competences of the EUIPO beyond purely administrative tasks to support the European Commission in the GI registration process. Several MEPs called for the introduction of a clear distinction between the European Commission's and the EUIPO’s tasks when handling GI applications, reserving substance and political decisions to the Commission; and questioned the EUIPO’s competence in dealing with GIs altogether, due to its primary task to support brand owners. The Rapporteur Paolo De Castro promised to take the feedback on board and ensure that the EUIPO does not acquire any “political tasks” regarding GI protection.
The EDPB adopted a report on cookie banners
On 17 January, the European Data Protection Board adopted its report on the use of cookie banners. According to the report, a vast majority of data protection authorities consider that the “absence of refuse/reject/not consent options on any layer with a consent button of the cookie consent banner is not in line with the requirements for a valid consent” under their respective national laws transposing the ePrivacy Directive and the GDPR. The task force members also confirmed that pre-ticked boxes to opt-in, that may appear on the second layer of a cookie banner, do not lead to valid consent as referred to either in the GDPR or in Article 5(3) of the ePrivacy Directive. Deceptive link design that contains a link as an option to reject cookies also does not lead to valid consent in case the link is provided without sufficient visual support to draw attention to this alternative action, or is placed outside the cookie banner, according to the report.
The EDPB adopted a report on the use of cloud by the public sector
On 17 January, the European Data Protection Board adopted a report stemming from the coordinated investigations of the use of cloud-based services by the public sector, conducted by supervisory authorities across the EEA. As a result of the investigations, several challenges were identified by supervisory authorities, including issues at the pre-contractual phase relating to the performance of a Data Protection Impact Assessment (and/or a risk assessment). With regard to the contracts with cloud service providers, issues such as the lack of contract and the difficulty to negotiate a tailored contract were identified, as well as the public bodies’ or control over sub-processors. The report findings include public bodies’ lesser bargaining power when it comes to negotiating tailored contracts with cloud service providers; their inability to meaningfully object to the use of sub-processors without risking a potentially critical loss of service; unclarity on the precise locations and purposes of international transfers, as a result of the use of non EU-based cloud service providers; and the inability of conducting specific and direct audits on cloud service providers.
A 2022 consumer protection “sweep” identified an increase of "dark patterns" used by traders
In 2022, under the coordination of the European Commission, consumer protection authorities of 23 Member States, Norway and Iceland carried out a "sweep" to identify manipulative practices called “dark patterns” designed to push consumers into making choices that may not be in their best interest. Such manipulative practices include fake countdown timers urging consumers to purchase a product; the design of interfaces that direct consumers towards certain choices; and hidden essential information on a product or service by using very small fonts or non-contrasting colours. As a result of the dark pattern sweep, authorities checked 399 websites and applications of retail sellers. Consumer protection authorities found that 148 out of 399 webshops screened include one of the aforementioned dark patterns, and concluded that at least 37% of the checked websites potentially violate the Unfair Commercial Practices Directive.