EU Tech Policy Brief: April 2017

This is the April issue of CDT’s monthly EU Tech Policy Brief. It highlights some of the most pressing technology and internet policy issues under debate in Europe, the US, and internationally, and gives CDT’s perspective on them.

Wide CDT Representation & Engagement @ RightsCon 2017

CDT was out in force at this year’s RightsCon in Brussels, organised by Access Now. We led and participated in tech policy panels on Privacy Shield; data localisation and portability; cybersecurity; ethics in coding and algorithmic fairness; encryption; cross-border access to data; and government use of platform Terms of Service. In addition, we hosted a reception with our Washington, DC-based policy experts, EU officials, academics, and company and NGO representatives. Our “Tech Talk” podcast crew also captured insights from various participants into the current trends and developments in the field, including leading Dutch MEP Marietje Schaake (listen here). All in all, a very fruitful RightsCon!

Bertelsmann Foundation and CDT Release Paper on Future of Big Data Policy Regimes

In collaboration with the Bertelsmann Foundation, CDT released a report on “Rethinking Privacy Self-Management and Data Sovereignty in the Age of Big Data”. The report draws on the current trend of connected technologies, which generate vast amounts of data and enable new insights and solutions to societal and business problems but also challenge privacy principles such as data minimization and purpose specification. The paper examines different aspects of the data protection and compliance regimes in the US, the EU, and Germany in this light, and concludes that achieving the ideal level of data sovereignty requires a blend of approaches: individual empowerment through education and data portability; voluntary industry self-regulation; and finally, state-mandated third-party impact assessments of data-management practices.

German Minister Proposes “Censorship” Law on Social Media Platforms

German Minister of Justice and Consumer Protection Heiko Maas proposed a new law to combat hate speech and “fake news” online, which has now been notified to the European Commission. The proposed rules target social media networks such as Facebook and Twitter, imposing fines up to €50 million for not acting swiftly enough to remove illegal “hate speech” on their platforms. Mr. Maas argues that “too little criminal content is being deleted, and it’s not being deleted sufficiently quickly”. This is based on the results of the report presented alongside the draft law, which found that criminal content is taken down by Facebook in 39% of the cases, and 1% by Twitter. The proposal requires such platforms to provide users with clear and easily accessible channels to file complaints, review them promptly, and remove blatantly illegal content within 24 hours and offensive content within seven days upon receipt of the complaint. There are many fundamental rights concerns with the draft law on lack of transparency, lack of judicial oversight, access to remedies, and skewed incentives. These problems are similar to the concerns we raised about the Commission’s Code of Conduct on Countering Illegal Hate Speech Online.

CDT and EDPS Caution Against (Personal) Data Being Used as “Counter-performance”

In a recent Opinion, the European Data Protection Supervisor (EDPS) raised concerns regarding ongoing policy discourse on the “commoditization” of personal data. Of particular concern is the proposed Digital Contracts Directive (DCD). Article 3 of the DCD introduced the notion of providing personal data in return for access to or ownership of digital content or services in contracts between businesses and consumers. The EDPS warned that “individuals should not be required to disclose personal data in ‘payment’ for an online service”. The German Minister for the Interior, Thomas de Maizière, also stated that this notion could lead to the danger of privacy “being up for sale”. We echo these concerns and believe that the notion of data as “counter-performance” may lead to over-regulation and challenge individual privacy and many common online business models. All in all, the GDPR already sets strict conditions for the processing of personal data. Article 3 of the DCD may risk interfering with these protections, causing serious legal uncertainty for industry and harming core privacy rights of consumers in the process.

Leading Parliamentary Committee on Copyright Reform Takes Balanced Approach

Last month, Member of the European Parliament (MEP) Therese Comodini Cachia published her Draft Report on the European Commission’s proposal for a Directive on Copyright in the Digital Single Market. We welcome the balanced approach the rapporteur has taken in tackling the most problematic and controversial provisions of the Commission’s proposal, proposing amendments on the provisions of particular concern for us. MEP Comodini’s solutions reflect the importance of protecting users’ rights and freedoms in Article 13; providing an enforcement solution to an enforcement problem in Article 11; and ensuring the advancement of EU competitiveness and research in Article 3.

The European Commission Begins Work on Policy Recommendations for Encryption

The recent Westminster terror attack has renewed European politicians’ focus on encryption. UK Home Secretary Amber Rudd was quick to demand access to encrypted communications services like WhatsApp for law enforcement and counterterrorism investigations. She convened a meeting with major technology companies to discuss the matter. Her public statements seemed somewhat confused and did not reflect the technological reality of end-to-end encryption. At the European level, the European Commission is taking a more considered approach. Based on Justice and Home Affairs Council Conclusions in December 2016, a task force led by the European Commission’s DG Home is beginning to analyse technical and legal aspects of this issue. The European Commission intends to bring conclusions and policy options to Ministers by the end of 2017.

Cybersecurity: the “Vault 7” Release & Hard Questions in the World of Cybersecurity Research

Early last month, WikiLeaks released a cache of documents (aka “Vault 7”) containing information about hacking tools (“cyber weapons”) used by the Central Intelligence Agency (CIA). WikiLeaks claims this release is 1% of the total archive. This development sheds light on both the CIA’s cyber capabilities and vulnerabilities. That this cache was acquired reflects on the ability to exfiltrate malicious malware and a large amount of documents from the CIA. Moreover, knowing that these cyber weapons can have widespread and systemically dangerous implications depending on who uses them and for what purpose, the release also raises concerns around government process for discovery and disclosure of vulnerabilities, as well the risks that the Internet of Things will create.

These developments bring to the surface the importance of researchers who identify and mitigate cybersecurity vulnerabilities. Unfortunately, the security researchers that we rely on to identify security flaws in various technologies face a series of legal and policy challenges. These need to be addressed to encourage and protect responsible security research. In this respect, CDT has been involved in exploring the landscape of computer information security research and released a comprehensive white paper to help frame these conversations going forward. In a series of posts, we are summarising each of the “hard questions” facing cyber policy today (please find the first post on the legal impediments to security research here, the second here, and the third here.)