EU Policy Update - September 2020
In a nutshell: Three European Parliament committees adopted their own-initiative reports on the Digital Services Act. The European Parliament's Committee on Industry, Research and Energy (ITRE) published its Draft Report on the European strategy for data. The European Commission proposed a temporary e-Privacy Directive derogation to combat child sexual abuse, and published its first report on the status of the rule of law across the EU. The European Data Protection Board published guidelines on the concepts of “data controller” and “data processor”. The Advocate General (AG) of the European Court of Justice (CJEU) Szpunar issued a non-binding opinion in a case concerning hyperlinking.
The European Parliament's own-initiative reports on the Digital Services Act are adopted within the committees
The European Parliament is steadily advancing on its numerous own-initiative reports to give more context and drive the legislative debate on the Digital Services Act (DSA). See our previous reporting here, here, here and here. In the course of September, all three main own-initiative reports by three parliamentary committees were adopted within their respective committees. To be fully adopted by the European Parliament, all three reports need to be voted by the Members of the European Parliament (MEPs) in plenary. Some notable principles from the respective texts (and accompanying opinions) are highlighted below:
- Report by the Committee on the Internal Market and Consumer Protection (IMCO): IMCO agreed on introducing a “Know-Your-Business-Customer” principle limited to the direct commercial relationships of the hosting provider and its business users. This principle will require hosting service providers to check and stop fraudulent use of their services to sell illegal and unsafe products and content. According to the agreed text, hosting service providers “should ask their business users to ensure that all information provided is accurate and up-to-date” and “should not be allowed to provide their services to business users when that information is incomplete”. IMCO also calls on the Commission to maintain the exemptions from liability for “backend and infrastructure services, which are not party to the contractual relations between online intermediaries and their customers and which merely implement decisions taken by the online intermediaries or their customers”.
- Report by the Committee on Legal Affairs (JURI): JURI urges the Commission to draw a clear distinction between illegal and harmful content. According to the agreed text, JURI stresses that the responsibility for enforcing the law must rest with public authorities; and that the final decision on the legality of user-generated content must be made by an independent judiciary and not a private commercial entity. JURI calls for the scope of the DSA to apply to “content hosting platforms that host and manage content that is accessible to the public on websites or through applications in the Union”, that are of a commercial nature or have more than 100 000 users.
- Report by the Committee on Civil Liberties, Justice and Home Affairs (LIBE): LIBE stresses that the ultimate responsibility for enforcing the law, deciding on the legality of online activities and ordering hosting service providers to remove or disable access to illegal content rests with independent competent authorities. LIBE underlines that “illegal content should be removed where it is hosted, and that mere conduit intermediaries should not be required to block access to content”. In terms of electronic identification needed for some type of digital service providers, LIBE “asks the Commission to explore the creation of a single European sign-in system as an alternative to private single sign-in systems”.
- Opinion of the Committee on Legal Affairs (JURI) for the Committee on the Internal Market and Consumer Protection (IMCO): JURI stresses that wherever it is technically and legally possible and reasonable, intermediaries should be required to enable the anonymous use of their services; it notes that where EU law requires commercial traders to communicate their identity, providers of dominant or systemic market places could be obliged to verify the identity of the traders. JURI is “concerned that single sign-on services can be used to track users across platforms”. JURI underlines that “illegal content should be removed where it is hosted, and that access providers shall not be required to block access to content”.
The European Commission proposed temporary e-Privacy Directive derogation to combat child sexual abuse
On 10 September, the European Commission presented a temporary derogation from Directive 2002/58/EC (e-Privacy Directive) for the purposes of combatting child sexual abuse. The e-Privacy Directive ensures the protection of private life, confidentiality of communications and personal data in the electronic communications sector when processing communications data. According to the European Commission, the e-Privacy Directive does not contain an explicit legal basis for the voluntary processing of content or traffic data for the purpose of detecting child sexual abuse online, while some “number-independent interpersonal communications services” are already using “specific technologies” to detect child sexual abuse on their services and report it to law enforcement authorities. The scope of these services includes “voice over IP, messaging and web-based e-mail services”. The voluntary measures taken by the service providers therefore go against the e-Privacy Directive. In the absence of any specific legislation targeting this matter, the “Commission considers that it is essential to take immediate action” in the form of a Regulation. No public consultation, nor an impact assessment conducted in advance of a legislative proposal was deemed to be necessary, due to “the time-sensitive nature of the issue”. However, on 30 September, contrary to earlier statements, the European Commission published a public consultation on the interim Regulation. The interim Regulation shall apply from 21 December 2020 until 31 December 2025. By the second quarter of 2021, the Commission will propose another legislative instrument that would require “relevant online services providers to detect known child sexual abuse material and oblige them to report that material to public authorities” that would replace the interim Regulation. In order to be effective from its intended starting date in December 2020, the proposed Regulation needs to be approved by the European Parliament and the Council of the EU beforehand.
The European Data Protection Board published guidelines on data controller and data processor
The European Data Protection Board (EDPB) published its guidelines on the concepts of “data controller” and “data processor” under the GDPR. The guidelines clarify that the status of “controller” is a functional concept that is based on “a factual rather than a formal analysis”. This means that it is not enough to simply allocate the responsibilities between parties in contractual terms that need to reflect the factual circumstances and activities when processing personal data. According to the EDPB, “it is not possible either to become a controller or to escape controller obligations simply by shaping the contract in a certain way where the factual circumstances say something else.” The same principle also applies to the notion of “joint controllership”. According to the EDPB, “the overarching criterion for joint controllership to exist is the joint participation of two or more entities in the determination of the purposes and means of a processing operation”, either “in the form of a common decision taken by two or more entities or result from converging decisions”. According to the guidelines, “an important criterion to identify converging decisions[...] is whether the processing would not be possible without both parties’ participation in the sense that the processing by each party is inseparable, i.e. inextricably linked”. When choosing processors (e.g. cloud providers) the controller has a duty to use “only processors providing sufficient guarantees to implement appropriate technical and organisational measures”, so that processing meets the requirements of the GDPR.
The European Parliament published Draft Report on the European strategy for data
The European Parliament's Committee on Industry, Research and Energy (ITRE) published its Draft Report on the European strategy for data. The Draft Report calls on the European Commission and the Member States to “strengthen the EU technological sovereignty, to work on technologies that facilitate data sharing and analytics, and to invest in capacity building and high-impact projects to promote research, innovation and deployment of digital technologies”. ITRE also calls on the European Commission to develop “a 'cloud rule book' that will inter alia oblige service providers to reveal where data is stored and ensure users have sovereignty over their data”. When it comes to the free flow of data with the third countries, ITRE calls on the European Commission “to negotiate new rules for the global digital economy, including the prohibition of unjustified data localisation requirements”.
Rule of law
The European Commission assessed the situation on rule of law across the EU
On 30 September the European Commission published its 2020 Rule of Law Report that assesses the situation of the independence of the judiciary across the EU. The Report also highlights the challenges the judiciary faced during the COVID-19 pandemic. For example, it identifies that “the COVID-19 pandemic has further highlighted the importance of digitalisation of justice systems”. The report also highlights the risk of increased concerns over the rule of law in case of “excessive use of accelerated and emergency legislation”. During the COVID-19 pandemic, “reactions to the crisis showed overall strong resilience in national systems”, according to the Report. The Report also mentions the existence of ex post checks in relation to several emergency laws introduced due to the health crisis across the EU. The Report is the first step in the European Commission's plans “towards strengthening a common understanding of the rule of law in the EU” and as a basis for further inter-institutional work with the European Parliament and the Member States. For the analysis on specific EU Member States and their justice systems please see here.
The Advocate General of the European Court of Justice: case-law regarding hyperlinking needs to be adjusted
The Advocate General (AG) of the European Court of Justice (CJEU) Szpunar issued a non-binding opinion in a case concerning hyperlinking. The case concerns the technique of embedding protected work made freely available on one website “by way of framing” via hyperlink to another website, and whether such hyperlinking requires an additional authorisation from the rightholder. In his analysis the AG looks at existing CJEU case-law on the matter and summarises it in way that the communication of works to the public on the internet must be understood as “meaning that a copyright holder, in giving consent for his or her work to be made freely available to the public on a webpage, takes into account the entire public likely to access that webpage, including by means of hyperlinks”. Consequently, those links are in principle covered by the authorisation given by the copyright holder at the time of the initial publication of the work and do not require additional authorisation. The AG finds this interpretation by the ECJ to be partially outdated and proposes to revise the concept to make a distinction between “clickable links” that redirect to the original website on one hand, and “automatic links” that “are embedded in a webpage in such a way that those works are automatically displayed on that webpage as soon as it is opened, without any further action on the part of the user (inline links)” on the other. In the case of inline links, it is “possible to exploit, without authorisation, another person’s work on the internet”, making it a new communication to the public not intended by the copyright holder. Therefore, anyone who wishes to use such a hyperlinking technique should seek additional authorisation from the rightholder.