EU Tech Policy Brief: June 2018 Recap
Written by Jens-Henrik Jeppesen, Laura Blanco
This is the June recap issue of CDT’s monthly EU Tech Policy Brief. It highlights some of the most pressing technology and internet policy issues under debate in Europe, the U.S., and internationally, and gives CDT’s perspective on them.
CDT’s President & CEO Visited Brussels for Talks on Privacy and Security Policy
CDT’s President & CEO, Nuala O’Connor, travelled this month to Belgium at the invitation of the German Marshall Fund of the United States as part of a program with the U.S. Embassy to strengthen the Belgium-U.S. dialogue on data protection. Nuala met representatives from the Belgian government, industry, and academia in Brussels, Namur, and Leuven to exchange ideas about transatlantic shared values and objectives on data privacy. She also participated in a panel hosted by EURACTIV and Microsoft to discuss the ePrivacy Regulation proposal, encryption, and interception of electronic communications. The Brussels Privacy Hub also hosted Nuala for a roundtable on “Current Privacy and Security Challenges in the United States, Belgium, and the EU”.
Copyright: EP Legal Affairs Committee Votes for Upload Filters and Publishers’ Rights
On 20 June, the Legal Affairs (JURI) committee adopted its Report on the Commission’s proposal for a Directive on Copyright in the Digital Single Market. To our disappointment and against all academic and expert advice, Article 11 (press publishers’ right) and Article 13 (upload filters) were both adopted with a narrow majority. JURI also agreed to grant the Rapporteur a mandate to negotiate with EU Member States. We support the efforts of leading MEPs to oppose this mandate and secure full plenary debate on the Directive. We launched the CopyRight or CopyWrong initiative, which shows MEPs firsthand how filtering and the ‘link tax’ could affect speech on platforms such as Facebook and Twitter.
CDT Responds to EC Public Consultation on Tackling Illegal Content Online
A recent leaked letter from the Interior Ministers of Germany and France addressed to several European Commissioners shows the pressure on online platforms to take down more allegedly illegal content, faster. France and Germany push for legislation requiring some content to be taken down by platforms within an hour of its upload. This idea was floated first in the Commission’s March Recommendation on tackling illegal content. Despite having already stated its policy, the Commission issued a Public Consultation with deadline this month aiming to ‘gather evidence and data on current practices, respondents’ experiences and organisations’ policies for tackling illegal content online’. In our response, we once again highlight the risks to free speech of assessing progress in terms of the number and speed of takedowns.
Civil Liberties Parliamentary Sends Signal on Privacy Shield
On 11 June, the Civil Liberties (LIBE) Committee in the European Parliament voted on its non-binding resolution on the adequacy of the protection afforded by the EU-U.S. Privacy Shield. LIBE concluded that the current agreement does not provide the adequate level of protection for EU citizens, and asks the Commission to suspend the arrangement until the U.S. authorities comply with its terms. LIBE’s concerns include the privacy risks of the U.S. Cloud Act on cross-border access to data, as well as data breaches as most recently exemplified by the Cambridge Analytica/Facebook scandal. The resolution, to be voted on in Plenary, is intended to feed into the European Commission’s annual review, coming up in the autumn.
EU Ministers and the Council of Europe Discuss Cross-border Access to Electronic Data
In early June, national representatives in the EU Council (Justice & Home Affairs ministers) discussed the E-Evidence proposals on cross-border law enforcement access to data. There was general consensus amongst Member States to pass the Commission’s proposals as quickly as possible, but they disagreed mainly on substance. Some Member States would like to see far more intrusive measures included in the proposal, such as direct access to and real-time interception of data. The Commission’s draft proposals already give very broad access to data and should not be expanded further, and its fundamental rights safeguards should be strengthened. We make similar arguments in our recent response to the Council of Europe public consultation on the ongoing preparation of a 2nd Additional Protocol to the Budapest Convention. The consultation precedes the Octopus Conference in Strasbourg in July.
Controversial French ‘Fake News’ Law in the Making
Early this year, French President Emmanuel Macron announced plans for a new law to tackle ‘fake news’ in France. The idea comes with great risks to free expression. A concrete legislative proposal was discussed in the French National Assembly this month, but members of the parliament could not finalise their assessments of amendments. The debate is expected to continue in July, with the aim of adopting this controversial proposal ahead of the 2019 European elections. Policymakers should acknowledge that the lack of European data in this area is a poor basis for policymaking. Meanwhile, the Commission has given online platforms until July to draft a code of conduct to limit disinformation online. We recommend caution in any self-regulatory scheme to avoid nominating private companies as de facto arbiters of ‘truth’.
Political Agreement Reached on AVMSD Revision
Member States reached political agreement on the revision of the Audiovisual Media Services (AVMS) Directive. The adopted text expanded the scope of the current Directive, covering television and video-on-demand (VOD) services, to video-sharing platforms (VSPs) such as YouTube, and also includes ‘audiovisual content on social networks’. We have long argued that the proposal should have recognised the differences between types of services. Social media sites and VSPs are intermediaries, and as such are required to respond to notifications of illegal content on their platforms. This is in line with the e-Commerce directive — a fundamental pillar of the open internet.
Council Fails to Reach Agreement on the Draft ePrivacy Regulation
In late May there were speculations that the Bulgarian Presidency would get the mandate to start negotiating with the European Parliament on the proposal to update current ePrivacy rules. However, during June’s Transport, Telecommunications and Energy (TTE) Council meeting, ministers decided to continue discussions on the file. Member States are far from consensus on the Regulation’s relationship with the GDPR, and need more discussion ‘on the list of permitted cases of processing of metadata, and the protection of terminal equipment and privacy settings’. Our recommendations on the ePrivacy Regulation have been to focus the debate on communications confidentiality and information security.
CJEU Rules on Privacy Responsibilities Around Platforms
The Court of Justice of the EU (CJEU) has ruled that the the administrator of a fan page on Facebook is jointly responsible with Facebook for the processing of data of visitors to the page. Critics argue platforms such as Facebook or Google could now face more challenges from European data protection authorities. At the same time, ‘anyone piggybacking on or plugging into platform services in Europe shouldn’t imagine they can just pass responsibility to the platforms for ensuring they are compliant with privacy rules’. The ruling also states that ‘the data protection authority of the Member State in which the administrator has its seat may act both against the administrator and against the Facebook subsidiary established in that Member State’. It now therefore remains to be seen whether this ruling will lead to more enforcement of EU data protection rules at Member State level.
CEPS Presents Final Report on Software Vulnerabilities Disclosure
In September 2017, the Centre for European Policy Studies (CEPS) launched a Task Force on “Software Vulnerability Disclosure in Europe”. The final report, presented on 28 June, looks at the key elements of this debate and attempts to create guidelines for the process of Coordinated Vulnerability Disclosure (CVD) in Europe. Moreover, it attempts to outline principles for Member States to develop a European vulnerability equity process. These recommendations may be used in cybersecurity policy discussions, particularly those looking at tackling ransomware incidents and the rapid development of the Internet of Things. Drawing on existing CDT work in this area, we joined the Task Force earlier this year.