In a nutshell: The President of the European Commission issued her State of the Union Letter of Intent for 2022, whilst the Czech Presidency outlined its priorities to committees of the European Parliament. The European Commission released its proposal for a Cyber Resilience Act and for an Artificial Intelligence Liability Act. The CJEU reaffirmed the prohibition of the general and indiscriminate retention of electronic communications data. IMCO released its opinion on the EUID proposal and the European Parliament issued a Study on Updating the European digital identity framework. The AGRI Committee published a Working Document on the proposal for the reform of geographical indications for wine, spirit drinks and agricultural products. The British National Cyber Security Centre issued guidance on the taking down of malicious content to protect brands.
The President of the European Commission issued her State of the Union Letter of Intent for 2022
On 14 September 2022, the President of the European Commission, Ursula von der Leyen, issued her State of the Union (SOTEU) Letter of Intent for 2022, highlighting that Europe’s resilience and security must be strengthened through increased cybersecurity and greater work in the field of defence. She also mentioned that “building a better future for the next generation” and making the EU prepared for challenges to come starts with the proper implementation of landmark agreements such as the Digital Markets Act (DMA) and Digital Services Act (DSA) which “saw the EU take global leadership in regulating the digital space to make it safer and more open”. The Commission President also mentioned the importance of finding agreements on legislative proposals already presented by the European Commission and praised the European Parliament and the Council of the EU’s work in rapidly finding agreements on key files such as those related to digital rules.
The Czech Presidency outlined its priorities to committees of the European Parliament
Over the course of September, Czech Ministers outlined the priorities of the Czech Presidency of the Council of the EU in a set of meetings with committees of the European Parliament. In its meeting with the Committee on the Internal Market and Consumer Protection (IMCO), the Czech Minister of Industry and Trade highlighted that the Czechs will pay “special attention to better enforcement of Single Market tools and services, deeper market integration and high consumer protection, including raising consumer awareness on sustainable consumption and online risks”. In its meeting with the Committee on Industry, Research and Energy, the Czech Deputy Prime Minister for Digitisation and Minister of Regional Development stressed that the Presidency aims to work on “the digital agenda, communication resilience, sustainable digital systems, cybersecurity in the EU, security of ICT supply chains, and digitisation of public services”. Their aim is also to find a general approach on the proposal for a European Digital identity (EUID) and to “reach an agreement in Council on the proposal to reinforce cybersecurity in the EU before the end of November”. Finally, in the Committee on Civil Liberties, Justice and Home Affairs (LIBE), MEPs called on the Presidency for “more engagement on e-Privacy and e-Evidence”.
The AGRI Committee published a Working Document on the proposal for the reform of geographical indications for wine, spirit drinks and agricultural products
On 29 September, the Rapporteur for the Committee on Agriculture and Rural Development (AGRI), which is in charge of leading the negotiations within the European Parliament on the proposal for a Regulation on geographical indications (GI) for wine, spirit drinks and agricultural products (so-called ‘agricultural’ proposal), published its Working Document on the file (see our previous reporting here). In the Working Document, the Rapporteur stresses that the measures proposed by the Commission would “increase the protection as regards online sales” with a focus on the Domain Name System. It will also “formalise the role of the European Union Intellectual Property Office (EUIPO) as a provider of technical assistance in the examination of applications, their publication, and handling of oppositions”. The Rapporteur also states that the proposal will introduce a GI certificate to be issued by national authorities upon request by a producer, and that a single Geographical Indications Committee for all GI products will be established to assist the European Commission. The Rapporteur has identified four main pillars to focus on: 1) strengthening the role of producer groups, 2) greater protection, 3) simplification and the role of the EUIPO and 4) sustainability. Regarding the ‘greater protection’ pillar, the Rapporteur states that “whenever domain names unfairly exploit a GI”, they shall be “immediately closed or assigned to the producer group” at the request of the producer group concerned or of a national competent authority. The document also states that clarification is required regarding the protection of .eu domains. It also stresses that provisions “should be made for rapid modifications to product specifications” in order to “include new translations and transcriptions of GIs, that are developing both offline and online” to strengthen international protection. 
Regarding EUIPO’s competence, the Rapporteur highlights that there is no need for an increased involvement from EUIPO in the scrutiny of GI registrations due to their lack of agricultural competences. Rather, EUIPO will contribute to the protection of GIs online, including by “adequately protecting GIs in the registration of online domains” and “developing a Union alert system to improve the fight against online counterfeiting of GIs”.
The European Commission released its proposal for a Cyber Resilience Act
On 15 September, the European Commission released its proposal for a Regulation on horizontal cybersecurity requirements for products with digital elements (so-called Cyber Resilience Act or ‘CRA’), which aims to “set the boundary conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities” (see our previous reporting here). It will also “create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements”. According to the proposal, the Regulation will facilitate digital infrastructure providers’ compliance with NIS 2 supply chain requirements by ensuring that the products which contain digital elements that they use for the provision of their services “are developed in a secure manner”. Digital infrastructure providers should also “have access to timely security updates for such products”. As for its scope, the proposal stipulates that the Regulation will apply to products with digital elements “whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network”. Obligations put forward in the proposal mainly target manufacturers, who will have to ensure that products with digital elements placed on the market are designed, developed and produced in accordance with essential cybersecurity requirements (e.g. protect the availability of essential functions, ensure that vulnerabilities can be addressed through security updates…). Manufacturers will also be required to report to ENISA, within 24 hours of becoming aware of it, any incident having an impact on the security of the product with digital elements. ENISA will then forward the notification to the single point of contact of the Member States concerned as designated under the NIS 2 Directive.
The European Commission released its proposal for an AI Liability Directive
On 28 September, the European Commission released its proposal for a Directive on adapting non-contractual civil liability rules to artificial intelligence (AI Liability Directive). The proposal aims to “reap the economic and societal benefits of AI and promote the transition to the digital economy” by adapting certain national civil liability rules “to those specific characteristics of certain AI systems”. These new sets of rules should ensure that victims of damage caused by AI are entitled to the same compensation as victims of damage caused by products without the involvement of AI. To achieve this goal, the Directive lays down a framework on 1) the disclosure of evidence on “high-risk AI systems to help claimants substantiate non-contractual fault-based civil law claims for damages” and on 2) the burden of proof “in the case of non-contractual fault-based civil law claims brought before national courts for damages caused by an AI system”. More specifically, the directive stipulates that potential claimants should be granted a right “to request a court to order the disclosure of relevant evidence before submitting a claim for damages”. The courts should nevertheless only be able to make such orders “where the potential claimant presents facts and information sufficient to support the plausibility of a claim for damages”. The claimant must have also made “a prior request to the provider, the person subject to the obligations of a provider or the user to disclose such evidence at their disposal about specific high-risk AI systems that are suspected of having caused damage which has been refused”. 
The Directive also explains that it will be for national courts to presume “the causal link between the fault of the defendant and the output produced by the AI system or the failure of the AI system to produce an output” provided that the following conditions are met: 1) the claimant or the court have demonstrated/presumed the fault of the defendant, 2) it can be considered reasonably likely that “the fault has influenced the output produced by the AI system or the failure of the AI system to produce an output”, and 3) “the claimant has demonstrated that the output produced by the AI system or the failure of the AI system to produce an output gave rise to damage”.
The CJEU reaffirmed the prohibition of the general and indiscriminate retention of electronic communications data
On 20 September, the CJEU reaffirmed that the general and indiscriminate retention of traffic and location data is only legal for the purpose of safeguarding national security where there is a “serious threat to national security that is shown to be genuine and present or foreseeable” (see our previous reporting on this here and here). The ruling also provides further clarification on the circumstances under which traffic and location data can be retained, by explaining that the decision imposing the instruction to retain data must be subject to an effective review conducted by courts or independent administrative bodies. The aim of such a review must be “to verify that one of those situations exists and that the conditions and safeguards which must be laid down are observed”. The ruling also states that instructions to generally and indiscriminately retain data can only be given “for a period that is limited in time to what is strictly necessary, but which may be extended if that threat persists”. The CJEU also explains that national legislative measures to generally and indiscriminately retain IP addresses are legal provided that they aim to safeguard national security, combat serious crime and prevent serious threats to public security, and that they are retained for a period “that is limited in time to what is strictly necessary”.
IMCO released its opinion on the EUID proposal
On 14 September, the Committee on the Internal Market and Consumer Protection (IMCO) released its opinion on the proposal for a regulation establishing a framework for a European Digital Identity (EUID proposal). In its opinion, IMCO suggests that EUID Wallet users should be able to use revocable pseudonyms as a form of authentication in order to access online services provided by very large online platforms. The EUID should also allow the “verification of attributes without revealing the source data, and without fully identifying the European Digital Identity Wallet holder, for example when proof of age is needed to access certain services”. Users of EUID Wallets should also be entitled to securely request and “obtain, store, select, combine and share the necessary legal person identification data, credentials and electronic attestation of attributes” to be able to electronically identify and “authenticate online and offline across borders in the Union”. IMCO also suggests that issuers of EUID Wallets should establish single points of contact for users to report infringements, security breaches, or to request the correction of inaccurate data. IMCO also encourages cooperation between Member States, the European Commission and relevant stakeholders in order to limit fragmentation obstacles and to encourage the cross-border use of the EUID Wallet.
The European Parliament issued a Study on Updating the European digital identity framework
On 29 September, the European Parliament issued a Study on Updating the European digital identity framework, summarising the co-legislators’ positions on the EUID proposal before moving on to changes that the proposal would bring (see our previous reporting here). According to the Study, the Commission aims to ensure a “high level of cybersecurity with respect to all aspects of digital identity provisioning”, including the infrastructure for the “collection, storage and disclosure of digital identity data”. The EUID Wallet would allow the provision of electronic attestations of attributes valid not only at national but also at EU level, and should be used in the private as well as the public sector. The Study also gives an overview of comments made by stakeholders on the EUID proposal. For instance, SIDN believes that “any solutions should allow end-users to manage and control their digital identity, associated attributes and credentials in a free and open manner”, and shared concerns regarding the fact that the proposal falls short in preventing “identification means that are not free of charge to qualified and non-qualified trust service providers”. Microsoft has also claimed that the EUID proposal should be coordinated with other pieces of legislation, such as the NIS 2 Directive and the Cybersecurity Act in order to avoid regulatory overlaps.
Outside the EU bubble
The British National Cyber Security Centre issued guidance on the taking down of malicious content
On 21 September, the British National Cyber Security Centre issued a guidance document entitled “Takedown: removing malicious content to protect your brand”, to help brand owners protect their products and services from false representations, fake endorsements, as well as the use of their brand in phishing or malware “to make fake campaigns look (and sound) credible”. The National Cyber Security Centre explains that when such events occur, anyone can contact hosting companies and domain registrars to request that “the service be withdrawn by removing either the domain name or the web hosting service”. It then provides more practical guidance on steps to be taken, such as identifying the domain name registrar for the domain by using whois tools, and reporting abusive domain names via designated abuse contacts.