In a nutshell: The GI proposal for agricultural products is expected to be finalised during the Spanish Presidency. JURI approved new competences for EUIPO to manage the registration of crafts/industrial GIs. The Council of the EU adopted the e-Evidence Regulation, as well as establishing a High-Level Expert Group on access to data for effective law enforcement. The European Parliament and the Council of the EU have reached a provisional political agreement on the European Digital Identity Framework. The European Commission launched four projects to test the European Digital Identity Wallet, published a proposal to review the GDPR, and plans to publish a Recommendation on integrated child protection systems in the EU. ENISA issued recommendations on Digital Identity Standards. IMCO adopted its opinion on the Cyber Resilience Act and approved its draft opinion on the Proposal to combat child sexual abuse online. LIBE published a draft report on the proposal to extend the list of EU crimes to hate speech and hate crime.
The agricultural geographical indications proposal is expected to be finalised during the Spanish Presidency
As Spain took over the presidency in the Council of the EU from 1 July, the Council issued a state of play overview concerning a number of ongoing legislative initiatives, including on the proposal for a regulation on geographical indication (GI) protection for wine, spirit drinks and agricultural products (see our previous reporting here). According to the state of play document, at the first trilogue on 6 June, the representatives of the Council of the EU, the European Parliament and the European Commission presented their positions and mandated experts to launch work on finalising the legislative negotiations. Among the key elements of the Council’s position, the outgoing Swedish Presidency stressed the obligation “for country-code top-level domain name registries to recognise registered geographical indications as a right that can be invoked in alternative dispute resolution procedures”. Building on the existing work done by the preceding presidencies, the Swedish Presidency expressed its full trust in the Spanish Presidency to conclude negotiations on this file before the end of 2023. During the Agriculture and Fisheries Council’s meeting on 29 June, several Member States expressed their key positions on the file, including their stance on the domain name related provisions. Italy expressed its support for expanding GI protection to domain names, while Estonia, Germany and the Netherlands expressed their strong support for maintaining the Council’s position on domain names. Spain considers the GI file to be a priority during its Presidency and aims to reach an agreement with the European Parliament in the autumn.
JURI approved new competences for EUIPO to manage the registration of crafts/industrial geographical indications
On 27 June, the European Parliament's Legal Affairs Committee (JURI) voted in favour of the European Union Intellectual Property Office (EUIPO) becoming the responsible authority for the protection of EU industrial products and crafts under the Geneva Act. This step is part of a series of legislative initiatives aimed at ensuring the “global recognition” of EU crafts and industrial products. This legislative initiative complements the trilogue agreement reached on the proposal for a regulation on the GI protection for craft and industrial products (see our previous reporting here). EUIPO will be in charge of the registration process of EU crafts/industrial GIs, while for agricultural GIs the European Commission should remain the responsible authority.
The Council of the EU adopted the e-Evidence Regulation
On 27 June, the Council of the EU adopted a regulation on cross-border access to electronic evidence (e-Evidence Regulation, see our previous reporting here). According to the new rules, judicial authorities will be able to directly request subscriber, traffic and content data from service providers, including domain registries, based in another Member State. The service providers will be obliged to respond within 10 days, or 8 hours in emergency cases. Non-EU service providers that offer their services in the EU must appoint a legal representative or designate an establishment to which judicial authorities can send data production and preservation orders. The legal representative will have to be physically present in the EU. Both the designated establishment or legal representative and the service provider itself can be held liable if they do not comply with the orders. Member States must make sure that there are penalties in place in case of non-compliance. The e-Evidence Regulation is binding in all Member States and will become applicable 36 months after its entry into force. The directive on the designation of establishments and appointment of legal representatives must be transposed within 30 months of its entry into force. Prior to its adoption, several Member States issued statements giving reasons for their lack of support for the new e-Evidence rules, including the lack of balance with fundamental rights’ protection and unclear recitals.
Council establishes a High-Level Expert Group on access to data for effective law enforcement
On 8 June 2023, the Justice and Home Affairs Council, made up of EU Member States' justice and home affairs ministers, endorsed a proposal by the Swedish Council presidency to establish a High-Level Expert Group (HLEG) on access to data for effective law enforcement. The overarching objective of this group is to identify problems faced by law enforcement practitioners in the digital environment, and to identify potential solutions to overcome them. A strong emphasis is placed on data access, with four challenges having already been identified as being most pressing: (i) encryption (access to stored content and digital communication data); (ii) data retention; (iii) localisation data and roaming data; and (iv) anonymisation, including VPNs and darknets. In terms of technological aspects, the Swedish Presidency proposal highlights the need for foresight activities, such as in Europol's report on new technologies and future threats. The scoping paper further identifies IP addresses, contact details and payment data which is not publicly available as key for authorities to investigate and prosecute criminal offences or save lives in imminent danger. The paper also stresses the importance of cooperation between public and private parties so that investigations secure access to such data and are effective. The HLEG is expected to explore further synergies with “existing structures and fora”, such as ENISA’s work on cybersecurity and “the Commission’s work on the way forward on encryption”. In addition, the HLEG will explore how security by design could be a standard requirement in the development of new technologies in the European standardisation fora. The HLEG is intended to run for a year, from June 2023 to mid-2024, with the possibility of extension.
The European Parliament and the Council of the EU reached a provisional political agreement on the EUID Regulation
On 29 June, the European Parliament and the Council of the EU reached a provisional political agreement on a proposal for the European Digital Identity Framework ('EUID Regulation', see our previous reporting here). The proposal revises the existing eIDAS Regulation, with the main objective to provide all EU citizens and residents with a harmonised European digital identity ('EUID Wallet'). The EUID Wallet must be issued within an electronic identification system that meets the ‘high’ assurance level. The provisional agreement also clarifies that the issuing, as well as authentication and revocation of EUID Wallets should be free of charge to natural persons. The EUID Wallet will also provide the possibility of e-signatures to natural persons free of charge. The EUID Regulation aims to provide a “common technical architecture and reference framework and common standards” for European identity solutions to be developed with Member States. The EUID Regulation also envisages mandating the use of “relevant and existing” certification schemes under the Cybersecurity Act, to certify the compliance of EUID Wallets with the cybersecurity requirements. Technical work will continue to complete the legal text in accordance with the political agreement, according to the Council’s press release.
The European Commission launched four projects to test EUID Wallet
At the end of May, the European Commission publicised its investment plans in projects to develop the European Digital Identity Wallet (EUID Wallet). A €46 million investment is supporting four pan-European pilot projects that will develop and test the usage of the EUID Wallet for individuals and businesses around everyday use-cases, including providing identification to online and offline public and private services, and signing documents electronically. The aim is that the four pilot projects work in synergy with each other and with the European Commission. Their results will feed into the ongoing development of technical specifications for the EUID Wallet by the eIDAS expert group. Additionally, the European Commission is developing an open-source prototype of the EUID Wallet.
ENISA issues recommendations in a report on Digital Identity Standards
On 3 July 2023, ENISA published a report on Digital Identity Standards. The report is intended to serve as an overview of the most important standards and standardisation organisations in the area of digital identity, for newcomers and more experienced practitioners. In addition to analysing the available standards, the report issues a set of recommendations on digital identity standardisation, including to EU policymakers. Recommendations include references to the revision of the eIDAS Regulation to define 'Digital Identity' inspired by the current ISO/IEC 24760-1:2019 standard. Regarding the EU Digital Identity Wallet, the report recommends creating a new mandate requiring European standardisation organisations to standardise a privacy evaluation methodology for the Wallet.
The European Parliament’s Internal Market and Consumer Protection Committee adopted its opinion on the Cyber Resilience Act
On 29 June 2023, the European Parliament's Internal Market and Consumer Protection Committee (IMCO) adopted its opinion on the Cyber Resilience Act (CRA). The short justification authored by the rapporteur for opinion, MEP Morten Løkkegaard, states that some aspects of the proposed CRA require improvement to ensure legal clarity and coherence between other pieces of legislation, foremost the NIS 2 Directive. Notably, the opinion inserts a clarification that the CRA "does not apply to free and open-source software, including its source code and modified versions, unless the software is provided in the course of commercial activity"; the compliance of free and open-source components of products shall be ensured by the product manufacturer. The opinion also stresses that free and open-source software contributes billions to the EU's GDP and provides significant growth opportunities for the EU economy. In terms of the CRA's interaction with the NIS 2 Directive, the IMCO opinion clarifies that "essential entities or important entities under the NIS 2[…] who submit their incident notification pursuant to the NIS 2 should be deemed compliant" with the reporting obligations of manufacturers under the CRA. The IMCO opinion foregrounds ENISA's coordinating role, including that when a notified vulnerability has no corrective or mitigating measures available, "information about the notified vulnerability is shared in line with strict security protocols and on a need-to-know-basis". Finally, the opinion introduces a regulatory sandbox, in which manufacturers of products with digital elements may participate voluntarily, in order to develop, test and validate their design in a controlled environment.
The European Parliament’s IMCO Committee approved its draft opinion on the Proposal to combat child sexual abuse online
On 29 June 2023, the associated IMCO Committee approved its Opinion on the Proposal for a Regulation laying down rules to prevent and combat child sexual abuse ('CSAM Regulation'). The most notable inclusions in the opinion are an explicit protection of end-to-end encryption and a clarification that the CSAM Regulation should not undermine the prohibition of general monitoring under EU law. Simultaneously, the proposal exempts information society services from liability, should "they carry out, in good faith and in a diligent manner, voluntary own-initiative investigations or take other measures […] aimed at detecting, identifying, removing, disabling of access to, blocking or reporting online child sexual abuse". The IMCO opinion leaves the Commission's provisions on the blocking of CSAM via uniform resource locators (URLs) almost unchanged, whereas the leading Civil Liberties, Justice and Home Affairs (LIBE) Committee's draft report opted for the potentially more specific 'uniform resource identifiers' (see our previous reporting here). One change concerns data collection in the EU Centre on Child Sexual Abuse, which shall generate statistics on "still active" URLs. Another change concerns the identification of CSAM which coordinating authorities must submit to the EU Centre; they shall forward the "exact uniform resource locators indicating specific items of material related to a specific person, specific group of people, or specific incident". Identified URLs shall be maintained in a database of indicators, compiled for the purpose of delisting orders. Unlike the LIBE report or the Council's compromise text (see previous reporting here), the IMCO opinion does not include an additional article on the delisting of CSAM on search engines, but rather refers to risk assessments under the Digital Services Act and clarifies that "they should be subject to tailored obligations, namely delisting of instances of confirmed online child sexual abuse".
The Commission plans to publish a Recommendation on integrated child protection systems in the EU
The European Commission is planning to open a public consultation for an upcoming Recommendation on the development and strengthening of integrated child protection systems in the EU. The call for evidence is upcoming, and a public consultation is planned for the second quarter of 2023, with the Commission intending to adopt the Recommendation in the first quarter of 2024. The Recommendation seeks "to encourage all relevant authorities and services to work together in a holistic way, from preventing abuse of and violence towards children, to protecting them." The Recommendation is also intended to explore how to improve the use of existing EU tools across law and funding opportunities, to break down silos and make child protection more integrated and robust.
LIBE published a draft report on the proposal to extend the list of EU crimes to hate speech and hate crime
On 28 June, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) published a Draft Report on the proposal for a Council decision on extending the list of EU crimes to hate speech and hate crime (see our previous reporting here). According to the Draft Report, “[...]in the last few decades there has been a sharp rise in discrimination, hate crime and hate speech across the EU[...] and an alarming spike in online and offline hate speech and incitement” that is being exacerbated in many Member States by “the multiplier effect of the online environment and social media”. The Draft Report advocates for a common legal framework to combat hate speech and hate crime “on a common European basis” and highlights that “some Member States have been blocking concrete progress on this specific file in the Council”. The Draft Report urges the Council to adopt a decision including hate speech and hate crime as a criminal offence within the list under Article 83(1) TFEU, “so that the Commission can initiate the second stage of the procedure”. The Draft Report also calls on the Commission to “take additional measures in countering the dissemination of illegal hate speech in online content on account of the impact of the multiplier effect of the online environment” and to “establish adequate data collection systems for obtaining solid and homogenous data on anonymous hate incidents”.
The Commission published a Proposal for a Regulation laying down additional procedural rules relating to the enforcement of the GDPR
On 4 July 2023, the Commission proposed a new law to streamline the cooperation between data protection authorities (DPAs) when enforcing the General Data Protection Regulation (GDPR) in cross-border cases. The Proposal for a Regulation laying down additional procedural rules relating to the enforcement of the GDPR aims to tackle several issue areas, including the position of complainants and form of complaints in cross-border issues, the targeted harmonisation of procedural rights of parties under investigation, as well as necessary improvements to streamline cooperation and dispute resolution among DPAs. The latter has been addressed by, among others, clarifying the lead supervisory authority's role in updating other supervisory authorities on ongoing complaints. Once the lead supervisory authority has formed a preliminary view on the main issues under investigation, it must provide other supervisory authorities with a summary of key issues, in order for them to provide comments. In cases of disagreement between the lead and other supervisory authorities, the latter may make a request to reach consensus. Where consensus cannot be reached, the European Data Protection Board shall be requested to issue an urgent binding decision on the basis of the supervisory authorities' prior work.