News

EU Policy Update - October 2020

2020-11-05 EU Policy Updates

In a nutshell: The European Commission published its 2021 work programme and announced its plans for the Digital Markets Act. The European Parliament adopted all three of its own-initiative reports on the Digital Services Act. Europol published the Internet Organised Crime Threat Assessment for 2020. The Council of the EU agreed on the negotiation mandate on the temporary e-Privacy derogation. The European Data Protection Supervisor issued advice for the EU institutions on complying with Schrems II and issued a decision on Europol’s “big data challenge”. The European Court of Justice held that mass retention of electronic communication metadata is against fundamental rights.

The European Commission published its 2021 Work Programme

On 19 October, the European Commission published its 2021 Work Programme, highlighting the areas of focus for the European Commission in 2021. In the digital area, the Work Programme outlines the need for “a new European digital identity to make it easier to do tasks and access services online across Europe and ensure people have greater control and peace of mind over what data they share and how it is used” (a so-called “trusted and secure European e-ID”). The Commission will also continue the review of competition rules to ensure these are “fit for the changing market environment, including the accelerating digitalisation[...]”. In addition, the upcoming Data Act is expected to “set the right conditions for better control and conditions for data sharing for citizens and businesses”. The annexes of the Work Programme include the anticipated timing of different legislative and policy initiatives for 2021 and pending priority legislative proposals.

Content moderation

The European Parliament adopted all three own-initiative reports on the Digital Services Act

The European Parliament approved its three non-binding own-initiative reports on the Digital Services Act. The final texts of the reports are here (led by JURI), here (led by IMCO) and here (led by LIBE). On the specific provisions within these reports, see our previous reporting here.

The European Commission is planning a Digital Markets Act for gatekeeper platforms

In addition to the revision of the intermediary liability framework and the rules for content moderation in the upcoming Digital Services Act, the Commission is also planning to tackle the issue of large digital platforms and their significant market power. New competition rules reserved for so-called gatekeeper platforms will be enshrined in a separate upcoming legislative initiative, the Digital Markets Act (DMA). According to the Commission, the DMA will create “ex-ante rules to ensure that markets characterised by large platforms with significant network effects acting as gatekeepers remain fair and contestable for innovators, businesses and new market entrants”. The Commission is currently evaluating which gatekeeper practices should be explicitly required or prohibited by the upcoming legislation.

Cybersecurity

Europol published the Internet Organised Crime Threat Assessment for 2020

On 5 October, Europol published the latest edition of its annual Internet Organised Crime Threat Assessment (IOCTA). As in previous years (see our previous reporting here and here), the IOCTA names “ransomware as a top priority threat”. Malware more broadly is another threat type that European law enforcement reports as “widely present in cybercrime cases”. According to the IOCTA, there is a need to foster a culture of acceptance and transparency around falling victim to cybercrime: law enforcement needs companies and individuals who have been the subject of a crime to come forward, as “this can help resolve the challenges in reporting”. The IOCTA also underlines “the importance of the responsibility of industry in integrating security and privacy in their design as fundamental principles”. The IOCTA observes that “the number of new domains and websites related to COVID-19 soared at the start of the pandemic”, indicating that targeting a vulnerable public during the COVID-19 outbreak was lucrative for cybercriminals.

According to the IOCTA, certain technological developments have complicated law enforcement's ability to access data relevant to investigations. One of the “most prominent examples” in this regard remains the use of encryption, including within “one of the most important databases in the internet infrastructure”, the DNS. With the recent move to encrypting DNS traffic through DNS over HTTPS (DoH), “access to the network traffic between the criminal source and the remote DNS service provider[...] will now barely be possible[...], which will make the detection and blocking of malicious traffic, botnets and other malicious applications impossible”. Furthermore, the high likelihood of the DoH provider having a privacy policy in place “will make it even more difficult for law enforcement to receive the necessary information for crime investigations”.
One of the recommendations the IOCTA makes is the need for “more relevant and focused legislation addressing bulletproof hosts and registrars”. In addition, as Dark Web threat actors increase their reliance on encrypted email services, privacy-enhanced cryptocurrencies and bulletproof hosting providers, increased Know-Your-Customer type policies are called for, according to the IOCTA.
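As an added illustration of why the IOCTA describes DoH the way it does (this is example code written for this page, not part of the IOCTA or of this newsletter), the following Python builds a DNS query in wire format, shows what a passive monitor on plain UDP port 53 can read out of those bytes, and then wraps the same bytes as a DNS-over-HTTPS GET request in the form specified by RFC 8484. The resolver name doh.example.net and the queried domain names are illustrative placeholders, and observer_view is a simplified model of what is visible on the wire, not a packet capture.

```python
"""
What a passive network observer can and cannot read from a DNS lookup,
depending on the transport (added example; names below are constructed).
"""
import base64
import struct


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a single-question DNS query (A record by default) in RFC 1035 wire format."""
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        labels += bytes([len(raw)]) + raw
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS=IN
    return header + question


def parse_qname(packet: bytes) -> str:
    """Recover the query name from a raw DNS packet: what a UDP/53 monitor sees in cleartext."""
    pos = 12  # skip the fixed 12-byte header
    labels = []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointer; not valid in a question name
            raise ValueError("compressed name in question section")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def doh_get_url(packet: bytes, resolver: str = "doh.example.net") -> str:
    """Wrap the wire-format query as an RFC 8484 GET request (base64url, padding stripped)."""
    encoded = base64.urlsafe_b64encode(packet).rstrip(b"=").decode("ascii")
    return f"https://{resolver}/dns-query?dns={encoded}"


def decode_doh_param(dns_param: str) -> bytes:
    """Inverse of the RFC 8484 encoding. Only a party that terminates the TLS
    session (the resolver, or an inspecting proxy) ever holds this parameter."""
    padded = dns_param + "=" * (-len(dns_param) % 4)
    return base64.urlsafe_b64decode(padded)


def observer_view(qname: str, transport: str, resolver: str = "doh.example.net") -> dict:
    """Simplified model of what is visible on the wire for one lookup."""
    packet = build_query(qname)
    if transport == "udp53":
        # Cleartext UDP: the query name is right there in the datagram.
        return {"transport": transport, "visible_name": parse_qname(packet)}
    if transport == "doh":
        # The HTTP request, including the dns= parameter, is inside TLS. The
        # observer is left with the resolver's hostname (TLS SNI) and address.
        return {
            "transport": transport,
            "visible_name": None,
            "tls_sni": resolver,
            "hidden_request": doh_get_url(packet, resolver),
        }
    raise ValueError(f"unknown transport: {transport}")


if __name__ == "__main__":
    # Constructed query name; any domain would do.
    for transport in ("udp53", "doh"):
        print(observer_view("suspicious-c2.example", transport))
```

Note that DoH moves visibility rather than removing it: the resolver still sees every query name in the decoded dns= parameter, and the network still sees a TLS session to the resolver's address and, in practice, its SNI. This is why enterprise defenders typically force clients onto a resolver they control and block unsanctioned DoH endpoints, rather than trying to read the queries off the wire.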

Child protection

The Council of the EU agreed on the negotiation mandate on the temporary e-Privacy derogation

As reported earlier, the European Commission has proposed a temporary derogation from Directive 2002/58/EC (the e-Privacy Directive) for the purpose of combating child sexual abuse online. The Member States’ ambassadors agreed on a negotiating mandate on these temporary rules, which would allow providers of communications services such as web-based email and messaging services to continue voluntarily detecting child sexual abuse online. The rules need to be in place by 21 December 2020, the date from which the e-Privacy Directive's confidentiality rules extend to such services under the European Electronic Communications Code. The mandate allows the Council presidency to start negotiations with the European Parliament on the final text as soon as the Parliament adopts its own position; for the Regulation to apply from the intended December 2020 start date, both the Parliament and the Council of the EU must approve it before then.

Data protection

The European Data Protection Supervisor issued advice for EU institutions on complying with the Schrems II ruling

The European Data Protection Supervisor (EDPS) issued its advice to the EU institutions following the European Court of Justice judgment in the Schrems II case. The judgment concerns Commission Decision 2010/87/EU on Standard Contractual Clauses (‘SCCs’) for data transfers to third countries and, in particular, the level of protection ensured in the United States (the judgment also invalidated the EU-US Privacy Shield adequacy decision). The EDPS ordered the EU institutions to complete a mapping exercise identifying which ongoing contracts, procurement procedures and other types of cooperation involve data transfers. The EU institutions are expected to report to the EDPS on certain types of transfers, such as transfers without a legal basis, transfers based on derogations and transfers to private entities in the United States that present high risks for data subjects. For new processing operations or new contracts with service providers, the EDPS “strongly encourages” the EU institutions to avoid processing activities that involve the transfer of personal data to the United States. The EU institutions will also be asked to carry out case-by-case Transfer Impact Assessments to determine whether “an essentially equivalent level of protection” to that provided in the EU is afforded in the third country of destination for each transfer in question. Based on these assessments, the EU institutions should decide whether each data transfer identified in the mapping exercise can continue.

The European Data Protection Supervisor issued a decision on Europol’s “big data challenge”

The EDPS issued a decision concerning the processing of “large datasets” received as contributions from Member States and other operational partners, and the “use of Big Data Analytics” by Europol for the purpose of strategic and operational analysis. According to the EDPS, the evolution of Europol’s personal data processing activities towards Big Data Analytics raised concerns over “the compliance with the Europol’s data protection framework, in particular with the principles of purpose limitation, data minimisation, data accuracy, storage limitation, with the impact of potential data breaches, location of storage, general management and information security”. The EDPS inquiry showed that, when receiving large datasets, Europol is unable to ascertain that all the information contained in them complies with the applicable data protection limitations. The EDPS therefore decided that Europol's processing of large datasets does not comply with the data protection framework enshrined in the Europol Regulation. With its decision, the EDPS admonished Europol and urged it to implement all necessary and appropriate measures to mitigate the risks to data subjects.

The European Court of Justice held that the mass retention of electronic communication metadata is against fundamental rights

The European Court of Justice (CJEU) delivered its judgment in three cases concerning national mass data retention laws in France, Belgium and the United Kingdom adopted for the purposes of ‘national security’. The data in question is the metadata collected by electronic communication service providers, such as traffic and location data, including IP addresses. For traffic and location data, the CJEU held in the French and Belgian cases that the general and indiscriminate retention of this data for the purposes of protecting national security and combating crime is not allowed under EU law. The CJEU held that traffic and location data can reveal information on a significant number of aspects of the private life of the individuals concerned, including sensitive information such as sexual orientation, political opinions, religious, philosophical, societal or other beliefs and health status, aspects that enjoy special protection under EU law. Taken as a whole, that data may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained. As such, this data provides the means to profile individuals based on information that is no less sensitive than the actual content of the communications. Therefore, any national legislation that obliges electronic communication service providers to retain traffic and location data generally and indiscriminately may only apply to “situations where the Member State is confronted with a serious threat to national security that is shown to be genuine and present or foreseeable”, must be subject to effective judicial or administrative review, and must be limited in time.

IP addresses, on the other hand, while being part of traffic data, “serve to identify, through providers of electronic communications services, the natural person who owns the terminal equipment from which an Internet communication is made”. According to the CJEU, they do not disclose any information about third parties who were in contact with the person who made the communication, making IP addresses less sensitive than other traffic data. Following this logic, national legislation may allow “the retention of the IP addresses of all natural persons who own terminal equipment permitting access to the Internet”, but only for the purposes of combating serious crime, preventing serious threats to public security and safeguarding national security, and provided that the retention period is strictly limited. Finally, according to the CJEU, legislation providing for the retention of IP addresses for the purposes identified above “must establish strict conditions and safeguards concerning the use of that data, particularly via tracking”. In the UK ruling, the CJEU held that EU law precludes national legislation enabling a national authority to require providers of electronic communications services to carry out the general and indiscriminate transmission of traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security. For the full judgments, see here and here.