EU Tech Policy Brief: March 2017
- European Union
- Free Expression
- Internet Architecture
- Privacy & Data
- Section 702 of FISA
- Security & Surveillance
Written by Jens-Henrik Jeppesen, Laura Blanco
This is the March issue of CDT’s monthly EU Tech Policy Brief. It highlights some of the most pressing technology and internet policy issues under debate in Europe, the US, and internationally, and gives CDT’s perspective on them.
The List-Building Has Begun: How the Tech Sector Should Respond
Many actions and announcements by the US Administration have organisations like CDT worried about the state’s imminent power to deprive individuals of their rights and freedoms. Latest of concern were the comments made by Department of Homeland Security Secretary John Kelly suggesting that DHS could require US non-citizens to provide the passwords to their social media accounts as a condition of entering the country. CDT and a long list of human rights and civil liberties organizations, trade associations, and experts in security, technology, and the law are leading a campaign against password coercion at the border, warning that these actions would constitute “a direct assault on fundamental rights.” In response to these developments, CDT President & CEO Nuala O’Connor commented on the crucial role of the technology sector to reinforce policies and technologies to limit unwanted government data collection by 1) deleting data, 2) making strong technical security the default, and 3) rejecting overbroad government requests.
Copyright Reform — CULT and IMCO Publish Contrasting Draft Opinions
CDT continues to engage intensively with members of the European Parliament and Council of the EU in the ongoing discussions around the proposed Directive on Copyright in the Digital Single Market. We have particular concerns around Article 13, which erodes the liability protections in the E-Commerce Directive; Article 11, which gives news publishers ancillary rights for online use of content; and Article 3, which proposes a much too narrow Text and Data Mining (TDM) exception. These concerns are reflected in an open letter recently presented by EU Research Centres to the European Parliament and in a new study by Dr. Christina Angelopoulos, an independent expert of intermediary liability at the Centre for Intellectual Property and Information Law (CIPIL) at the University of Cambridge. The Culture and Education Committee (CULT) and the Internal Market Committee (IMCO) published their respective draft Opinions in February, which put forward rather contrasting amendments to the Commission’s proposal. While the CULT draft Opinion adds complexity to and fails to address the problems that the Commission’s proposal already presents, we welcome IMCO’s draft Opinion as a step in the right direction towards a balanced European copyright framework.
French and German Ministers Push for EU Legislation on Encryption by October 2017
The issue of encryption has been under discussion among EU institutions and Member States for some time. A Slovak Presidency consultation of Member States did not result in consensus that EU legislative measures are warranted. Indeed, many Member States have stressed the crucial importance of encryption in enabling secure commerce and communications, as have Europol and ENISA in a recent joint statement. French and German Ministers have now written to the Commission and requested legislative action by October 2017, but the letter is short on detail on how exactly the Ministers would propose to oblige providers to facilitate access to encrypted data. The European Commission is initiating a reflection process on legal and technical aspects of the issue with the aim of putting conclusions and policy options before Home Affairs Ministers by December 2017.
LIBE Committee Weighs in on AVMSD Debate
The Civil Liberties, Justice, and Home Affairs Committee (LIBE) of the European Parliament adopted its Opinion on the review of the Audio Visual Media Services Directive (AVMSD) in February. The Opinion by MEP Angelika Mlinar (Austria/ALDE) will be taken into consideration by the Culture and Education Committee (CULT) leading this debate in Parliament. We welcome LIBE’s Opinion, since it highlights elements for which we advocate in this debate: the importance of protecting freedom of expression and information in the context of a fast-evolving media landscape, maintaining the liability protections in the E-Commerce Directive, and ensuring prior judicial authorisation when determining the illegality of content.
The Max Schrems-Facebook case & the review of FISA Section 702
The Max Schrems-Facebook (Schrems II) case is the latest in a line of cases in the EU involving challenges on privacy grounds to the approaches by which companies transfer the personal data of EU citizens abroad, mainly in the US. The Irish Data Protection Commissioner (DPC) is asking the High Court to refer to the Court of Justice of the European Union (CJEU) on the question of whether standard contractual clauses (SCCs) used by companies are valid as one of the methods to transfer personal data. The hearing of these proceedings commenced on February 7 and is currently ongoing, as it is estimated to take slightly longer than expected. Another surveillance programme of concern that is currently under heated debate in the US is that of Section 702 of the Foreign Intelligence Surveillance Act (FISA). Section 702 is under review, as it expires on 31 December 2017 unless reauthorized. CDT has highlighted the need for meaningful reforms to 702 to protect privacy and civil liberties. Of particular concern in the EU is the broad scope of the authorised surveillance under 702, which means that many non-US persons who are not connected to terrorism or pose no threat to national security can nevertheless be targeted for surveillance. We hope to see more attention on this particular issue in the reform of 702, particularly in view of the “Privacy Shield” debate and maintaining the adequacy test of the EU in international data transfers.
Aligning Users’ and Companies’ Concept of ‘Data Deletion’
The notion of ‘deletion’ online seems to be understood differently from user and company perspectives. With the rise of cloud computing, the meaning of deletion is further obscured, with the user’s files saved somewhere in ‘the cloud’ until requested. Consequently, our digital files are almost never truly ‘put in the recycle bin.’ In a recent paper, CDT argues that companies should reconsider their approach towards deletion and “implement sound technical and policy processes to formalise their practices.” This should be thoroughly considered, particularly in view of the fact that the retention of large amounts of data increases the potential damage resulting from data breaches. This only creates an overall lose-lose situation, where reputations of organisations are damaged and individuals lose trust in the organisation’s security efforts.
CDT Delegation @ RightsCon 2017
This year’s RightsCon Summit, convening stakeholders from across the board, will take place March 29-31 in Brussels. A sizeable CDT delegation of technology policy and communications experts from our Washington, DC office will be present and contribute to many of the debates on topics such as data localization, data portability, US surveillance and the Privacy Shield, ethics in coding, and government use of companies’ Terms of Service to censor online speech. From the DC office, Emma Llansó, Greg Nojeim, Joe Jerome, Taylor Moore, and Natasha Duarte will all participate in panels at the conference, and the DC and EU teams will host a happy hour in Brussels at 18:30 on 29 March. To request more information about the event, please email Elizabeth Seeger at [email protected].