EU Policy Update - June 2021
In a nutshell: The European Commission published a proposal on European Digital Identity, and adopted new sets of standard contractual clauses to provide more guidance on compliance with Schrems II. The European Parliament adopted a resolution on the EU Cybersecurity Strategy for the Digital Decade. Members of the European Parliament proposed amendments to the Draft report on the NIS2 proposal and numerous opinions on the DSA and the NIS2 proposals throughout different committees. The European Court of Justice delivered judgments in cases concerning platforms’ liability for copyright infringements, copyright infringements through peer-to-peer networks, and in a jurisdictional dispute over the ‘one-stop shop’ mechanism in the GDPR.
The European Commission published a proposal on European Digital Identity regulation
On 3 June, the European Commission unveiled its proposal for the regulation on European Digital Identity (EUID). The EUID proposal requires Member States to issue a “European Digital Identity Wallet under a notified eID scheme[...] following compulsory compliance assessment and voluntary certification within the European cybersecurity certification framework” under the EU Cybersecurity Act. Since the current eIDAS framework did not achieve its intended aim to ensure all Member States have functioning cross-border eID schemes, the EUID proposal requires Member States to notify of at least one eID scheme. In order to ensure that users can identify who is behind a website, the EUID proposal requires providers of web browsers to facilitate the use of qualified certificates for website authentication. When it comes to the use of the European Digital Identity Wallets by private parties, digital infrastructure and other service providers “should accept the use of European Digital Identity Wallets for the provision of services where strong user authentication for online identification is required by national or Union law or by contractual obligation”.
The European Parliament adopted a resolution on the EU Cybersecurity Strategy for the Digital Decade
On 10 June, the European Parliament adopted a resolution on the EU Cybersecurity Strategy, calling for inter alia “a new robust security framework for EU critical infrastructures in order to safeguard EU security interests”. The resolution calls on the European Commission to “prepare provisions to ensure the accessibility, availability and integrity of the public core of the internet and, therefore, the stability of cyber-space, particularly as regards the EU’s access to the global DNS root system”. The Resolution also “welcomes the proposal for a European Domain Name System (DNS4EU) as a tool for a more resilient internet core” and “asks the Commission to evaluate how this DNS4EU could use the latest technologies, security protocols and cyber-threats expertise in order to offer a fast, secure and resilient DNS for all Europeans”. The resolution also “recalls the necessity of better protection of the Border Gateway Protocol (BGP) in order to prevent BGP hijacks; recalls its support for a multi-stakeholder model for internet governance, of which cyber-security should represent one of the core topics; underlines that the EU should speed up implementation of IPv6; recognises the open source model which, as the basis for the internet’s functioning, has proven efficient and effective; encourages, therefore, its use”.
LIBE issued a Draft Opinion on NIS2
On 10 June, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) issued its Draft Opinion on the NIS2 Directive proposal. The Draft Opinion takes on board numerous recommendations made by the EDPS in its opinion on the EU Cybersecurity Strategy and the NIS2 proposal (see our previous reporting here). In relation to the registration data accuracy obligation applicable to domain name registries and registrars, the Draft Opinion suggests amendments to data categories subject to publication (i.e. domain name and the name of the legal person), and limits the ‘legitimate access seekers’ to national competent authorities. Proposed amendments in the Draft Report also specify that ‘relevant information’ collected by registries and registrars should contain name, physical address, e-mail address and the phone number of domain name holders.
ITRE Draft Report on NIS2 received amendments
Members of the European Parliament’s Committee on Industry, Research and Energy (ITRE) proposed amendments to its Draft Report on the NIS2 Directive proposal: see here and here (see our previous reporting for more background information). With regard to the registration data accuracy obligation applicable to domain name registries and registrars (Article 23), the proposed amendments reflect both the concerns with the potential inconsistency with the GDPR, as well as the suggestion to omit the obligation from the NIS2 altogether. Other amendments in Article 23 include a more stringent registration data verification requirement, including an obligation to respond to legitimate access seekers requests within 72 hrs. One amendment also requires TLD registries and registrars to publish “fees” in the context of registration data.
IMCO Draft Opinion on NIS2 received amendments
Members of the European Parliament’s Committee on the Internal Market and Consumer Protection (IMCO) proposed amendments to its Draft Opinion on the NIS2 Directive proposal (see our previous reporting for more background information). The amendments include diverging views on data accuracy obligation imposed on registries and registrars. Some amendments attempt to further align the data accuracy obligation with the GDPR and limit the legitimate access seekers pool to competent national authorities. Other proposed amendments include a registration data verification obligation and a requirement to collect and verify registrants’ name, physical address, email address and phone number.
LIBE Draft Opinion on the Digital Services Act received amendments
Members of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) filed their amendments to the LIBE Draft Opinion on the Digital Services Act (DSA) proposal (see our previous reporting here). Some notable amendments include prohibition of imposing general obligation to limit the anonymous or pseudonymous use of intermediary services, and an obligation to conduct “child impact assessment” for any systemic risks stemming from the functioning and use of their services by children.
ITRE Draft Opinion on the Digital Services Act received amendments
Members of the European Parliament’s ITRE committee filed their amendments to the ITRE Draft Opinion on the DSA proposal: see here, here, and here. Some notable amendments include an obligation of ‘Know-Your-Business-Customer’ principle on all intermediaries, including domain name registrars.
JURI issued a Draft Opinion on the Digital Services Act
On 22 June, the European Parliament’s Committee on Legal Affairs (JURI) published its Draft Opinion on the DSA proposal. The Draft Opinion attempts to deprive intermediaries from the liability exemptions in cases of non-compliance with the due diligence obligations under the DSA.
The European Court of Justice ruled in a case concerning platform’s liability for copyright infringements
On 22 June, the Court of Justice of the European Union (CJEU) delivered its judgment in a consolidated case between intellectual property (IP) rightsholders vs YouTube (Google) and Uploaded (Cyando). The CJEU ruled that by merely acting as an intermediary, and as such playing a role that is indispensable when its users make potentially illegal content available via its services, online platforms like YouTube or Uploaded cannot be considered making ‘communication to the public’, which is an exclusive right reserved for IP rightsholders. However, the platform operator is expected to put in place “the appropriate technological measures that can be expected from a reasonably diligent operator[...] to counter credibly and effectively copyright infringements on that platform”, according to the CJEU. The platform can be held responsible for an IP infringement, when it has specific knowledge that protected content is available illegally on its platform and refrains from expeditiously deleting it or blocking access to it, or where it refrains from putting in place the appropriate technological measures that can be expected from a reasonably diligent operator in its situation, or where it participates in selecting protected content, provides tools on its platform specifically intended for the illegal sharing of such content or knowingly promotes such sharing, according to the CJEU.
The European Court of Justice ruled in a jurisdictional dispute over ‘one-stop shop’ mechanism in the GDPR
On 15 June, the CJEU delivered its ruling in a jurisdictional dispute between the Belgian data protection authority and Facebook. The case concerns injunction proceedings brought by the Belgian data protection authority seeking to end Facebook’s processing of personal data of Belgian internet users using cookies, social plug-ins and pixels. The main question before the CJEU was whether the Belgian data protection authority can bring a legal action against a company not based in its jurisdiction. Under ‘one-stop shop’ mechanism in the GDPR, Facebook claimed that only Ireland’s data protection authorities are competent to bring injunction proceedings against Facebook Ireland, which is the sole controller of the personal data of Facebook users in the EU. The CJEU held that the DPAs, in principle, have the power to bring any alleged infringement of the GDPR to the attention of a court of its Member State and to initiate or engage in legal proceedings, in relation to cross‑border data processing, despite not being the ‘lead supervisory authority’. However, these DPAs need to make sure that the cooperation and consistency procedures under the GDPR are respected.
The European Commission adopted new sets of standard contractual clauses to reflect Schrems II
On 4 June, the European Commission adopted two sets of standard contractual clauses (SCC) for the use between controllers and processors, and for the transfer of personal data to third countries (see our previous reporting here and here). The new SCC include a “practical toolbox” to help companies comply with the Schrems II judgment. The toolbox is expected to provide “i.e. an overview of the different steps companies have to take to comply with the Schrems II judgment as well as examples of possible ‘supplementary measures’, such as encryption, that companies may take if necessary”. For controllers and processors that are currently using previous sets of SCC a transition period of 18 months is provided.
The European Court of Justice ruled in a case concerning peer-to-peer networks and copyright infringements
On 17 June, the CJEU delivered its judgment in a case concerning copyright infringements via peer-to-peer networks against internet access providers. First, the referring Belgian court asked the CJEU whether the concept of ‘communication to the public’ covers sharing on a peer-to-peer network, of sometimes very fragmentary pieces of a media file containing a protected work. The CJEU ruled that “uploading, from the terminal equipment of a user of a peer-to-peer network[...] of pieces, previously downloaded by that user, of a media file containing a protected work, even though those pieces are usable in themselves only as from a certain download rate, constitutes making available to the public[...]”. Other questions to the CJEU included whether EU data protection rules preclude “systematic registration” of IP addresses of users of peer-to-peer networks and their disclosure to third parties for claims for damages allegedly caused by those users. As the GDPR allows data processing for “legitimate interest”, the CJEU held that “the interest of the controller or of a third party in obtaining the personal information of a person who allegedly damaged their property in order to sue that person for damages can be qualified as a legitimate interest”. However, the CJEU was unable to assess whether systematic registration of IP addresses in the present case satisfied all data protection requirements, such as the balance with the fundamental rights to respect for private life and the protection of personal data and left this for the referring court to analyse. With regard to internet access providers’ processing of IP addresses used in infringing activities, there is no obligation for communicating internet users’ personal data to private persons for the purpose of prosecuting copyright infringements, nor is there anything in the EU law that can preclude Member States from imposing such obligations to disclose personal data for the same reasons. Thus, an internet service provider could be obliged to disclose users’ personal data (including IP addresses) on the basis of a legislative measure that provides the legal basis for private parties to request such information, provided such request is justified, proportionate and not abusive.