In a nutshell: the European Commission published its Work Programme for 2022. Discussions continued among the co-legislators to reach a position on the DSA and a consensus on e-Evidence. October, as the official “European Cybersecurity Month”, lived up to its status with many updates on cybersecurity. LIBE adopted its opinion on NIS 2 and its report on CER, while ITRE adopted its position on NIS 2. Member State leaders adopted their conclusions following the European Council meeting, highlighting cybersecurity as one of the key priorities for the EU. The European Data Protection Board adopted its Guidelines on restrictions of data subject rights under Article 23 of the GDPR. The Slovenian Presidency emphasised the fight against child sexual abuse as one of its key priorities.
The European Commission published its Work Programme for 2022
On 19 October, the European Commission presented its 2022 Work Programme, highlighting its intention to “reach an agreement on and implement [...] proposals for a safe and secure internet”. The Commission also reiterated its commitment to move forward on EU digital identity. The Work Programme announces that in 2022 the Commission will propose a European Cyber Resilience Act to limit the “hacking of connected products and associated services” and “establish common cybersecurity standards for products”. According to the Commission’s plans, a new EU space-based global secure communications system will also be built to offer “EU-wide broadband connectivity” and “secure and independent communications to Member States”. The Commission further stressed that cybersecurity is a “crucial building block of the Security Union” and that new steps will be taken to “improve the secure exchange of key information with third countries”. Finally, the Work Programme highlights that “better regulation” is also fundamental in supporting the digital transformation, and that the “digital-by-default” principle will become more prominent when proposing new legislative initiatives.
The European Parliament’s ITRE Committee adopted its position on NIS 2
On 28 October, the European Parliament’s Committee on Industry, Research and Energy (ITRE) adopted its Report on the Proposal for a directive on measures for a high common level of cybersecurity (NIS 2). The Report adds a registration data verification requirement for registries and registrars as part of their data accuracy obligation in Article 23 (see our previous reporting here). The Report also states that verified datasets under Article 23 will have to include at least the registrants’ “name, their physical and email address as well as their telephone number”. It stresses that the verification process should follow a “best efforts” approach, reflecting the best practices used within the industry. For legal persons as registrants, registries and registrars shall make publicly available “at least” the registrants’ name, physical address, email address and phone number. The deadline for registries and registrars to respond to data access requests by “legitimate access seekers” is extended to 72 hours. The Report also suggests that the pool of legitimate access seekers could include “competent authorities under Union or national law for the prevention, investigation or prosecution of criminal offences, and national CERTs or CSIRTs”. Finally, the additional technical and organisational measures that essential and important entities within the scope of the NIS 2 Directive will have to take should include basic computer hygiene practices; cybersecurity training; the use of multi-factor authentication solutions; secured voice, video and text communication; and secured emergency communications. European and international standards will also have to be considered when putting these measures in place, according to the ITRE Report.
LIBE adopted its Opinion on NIS 2
On 15 October 2021, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) adopted its Opinion on NIS 2 (see our previous reporting here). The LIBE Opinion suggests that the “relevant” information collected by registries and registrars under Article 23 should contain registrants’ “name, their physical and email address as well as their telephone number”. The Opinion points out that TLD registries and registrars “should make publicly available certain domain name registration data specified in the Member State law [...], such as the domain name and the name of the legal person”. The Opinion also suggests extending the deadline to respond to data access requests to 72 hours and limiting the scope of legitimate access seekers to competent and supervisory authorities.
LIBE adopted its Report on a directive on the resilience of critical entities
On 15 October 2021, LIBE adopted its Report on the proposal for a directive on the resilience of critical entities (CER Directive). The Report states that entities falling within the scope of NIS 2 which are likely to be subject to CER should benefit from “a single point of contact and a common set of rules” (see our previous reporting here). These entities should also be supervised by the “competent authorities designated under the NIS 2 Directive”, according to the LIBE Report. LIBE also highlights the importance of taking measures at Member State level to avoid double reporting and checks, so as to spare critical entities falling within the scope of both directives unnecessary and disproportionate burdens. Entities within the scope of NIS 2 which do not fall under CER should nevertheless “enhance the resilience of their physical infrastructure”. According to the LIBE Report, the European Commission shall also set up a common secretariat for the Critical Entities Resilience Group and the Cooperation Group established under the NIS 2 Directive, in order to facilitate communication between the two groups of national supervisory authorities.
Member State leaders adopted their conclusions following the European Council meeting
On 22 October, the European Council adopted its conclusions following a meeting between Member State leaders. The European Council reaffirmed the “EU’s commitment to an open, free, stable and secure cyberspace” and urged countries around the globe “to adhere to and enforce these norms”. The conclusions also highlight Member States’ will to agree “on a coordinated approach for a European Digital Identity framework”. The European Council also reiterated its commitment to tackle cyber threats and called for progress on both the NIS 2 and the CER Directives, as well as on the Cyber Diplomacy toolbox, emphasising “the need for effective coordination and preparedness in the face of cybersecurity threats”.
Discussions continued within the European Parliament and the Council of the European Union to reach a position on the DSA
Debates in the European Parliament’s Committee on the Internal Market and Consumer Protection (IMCO) seem to be taking longer than planned regarding the Digital Services Act (DSA), as the Rapporteur Christel Schaldemose (S&D) announced in a tweet that the committee had “decided to postpone the votes on the DSA”, initially scheduled in IMCO for 8 November. A new date for the Parliament to adopt its final position will be announced later. On the Member States’ side, Slovenian Prime Minister Janez Janša highlighted in a press conference that digital transformation remains a crucial chapter and that, despite challenges regarding the DSA, “there is a fairly high degree of unanimity on what needs to be done”.
Member States and the European Parliament continued negotiating for consensus on e-Evidence
The trilogue discussions on the e-Evidence Regulation are advancing, according to the notes from the Council of the EU (see our previous reporting here). The note from 16 September reveals that both co-legislators seem to agree that the notification obligation of receiving Member State authorities will only include cross-border data access orders to content and real traffic data. Regarding subscriber and identification data, the Council would like to replace the notification regime with “an obligation to transfer certain data to the enforcing authorities once a year” in the form of compiled information. The note also explains that the European Parliament favours a stricter regime regarding safeguards for the data subject concerned. This would include informing the data subject without undue delay when access to their data is ordered from a service provider by a foreign law enforcement authority. A second note from 30 September reveals that there is no consensus regarding the grounds for refusal of cross-border data access orders which could potentially be raised by authorities in the receiving state. The co-legislators seem to have agreed that “grounds for refusal will be optional” and there would be no obligation imposed by the Regulation itself to check orders.
The European Data Protection Board adopted its Guidelines on restrictions of data subject rights under Article 23 GDPR
On 13 October, the European Data Protection Board (EDPB) adopted its Guidelines on restrictions of data subject rights under Article 23 of the GDPR. Article 23 of the GDPR provides for situations in which data subject rights under the GDPR can be limited (e.g. national and public security, investigation of criminal offences, etc.). In its Guidelines, the EDPB recalls that the protection of personal data “cannot be restricted in its entirety”, even in exceptional situations. According to the EDPB, restrictions based on Article 23 of the GDPR must always be proportionate and limited to what is strictly necessary. Furthermore, in cases where EU or national law allows restrictions to data subjects’ rights or to the obligations of controllers and processors, the accountability principle under Article 5(2) of the GDPR still applies. This means that the controller remains responsible for, and must be able to demonstrate, compliance with the EU data protection framework. The EDPB also emphasises that, to be consistent with the GDPR, restrictions must be provided for in a legislative measure and concern a limited number of data subject rights and/or controller obligations. The measures must also include “safeguards to prevent abuse or unlawful access or transfer” of personal data. Notably, the EDPB recalls that the principles in Article 5 of the GDPR “can be only restricted in so far as its provisions correspond to the rights and obligations provided in Articles 12 to 22 GDPR”. Any other data subject rights or controller obligations cannot be restricted, according to the EDPB.
The Slovenian Presidency emphasised the fight against child sexual abuse as a key priority
On 28 September 2021, the Slovenian Presidency circulated a note within the Council of the EU on the “digital dimension of investigating child sexual abuse”, stressing that countering child sexual abuse online is one of its key priorities. According to the note, “it is essential to focus on the digital dimension of this criminal phenomenon”, due to the challenges in accessing data by competent authorities “in their daily work”. To tackle such abuse, the Presidency aims to “strengthen the framework for the proactive detection and reporting” of child sexual abuse online. The note highlights that “a number of Member States are currently reflecting on ways to strengthen the framework for the proactive detection and reporting of child sexual abuse online”. The note also stresses that a “possible next step could be a discussion on the role of proactive measures”, extended “above and beyond” the DSA. The Presidency also raised concerns regarding countering child sexual abuse online when privacy and security measures, such as end-to-end encryption, are in place. The Presidency called for further coordination and for a discussion at the “highest political level” to concretely decide “what is required in order to ensure an operationally sufficient level of access to data for authorities”. According to the Council Presidency’s press release on the European Council’s meeting, Member States stressed the “importance of adequate data access for law enforcement authorities and advocated for a stronger role of social media, hosting services and electronic communications services in the protection of children”.