EU Tech Policy Brief: November 2017

This is the November issue of CDT’s monthly EU Tech Policy Brief. It highlights some of the most pressing technology and internet policy issues under debate in Europe, the U.S., and internationally, and gives CDT’s perspective on them.

ePrivacy Regulation: Parliament Adopts Restrictive Report and Endorses Encryption

While the proposal for a ePrivacy Regulation (ePR) has passed its initial phase in the European Parliament (EP) relatively quickly, Member States remain far from reaching a shared position. The Estonian Presidency issued its first redraft of the proposal last month, indicating a very different direction to that taken by Parliament. Among other things, the Presidency is suggesting legitimate interest as a legal basis for processing of data, in alignment with the GDPR; a proposal we discussed in our recent analysis. Conversely, the Parliament Report drafted by the Civil Liberties (LIBE) committee does not allow any basis for data processing other than consent. We think that this may be too restrictive given the Regulation’s broad coverage, and that it may inhibit uses of data that have societal benefits. The Parliament took on board our recommendations, endorsing strong encryption and ruling out “backdoors”. We agree the ePR should recognize the ability of users and providers to use strong encryption technology to protect communications confidentiality; however, many Member States will likely take a different view.

Copyright DSM: CDT and 50+ Groups Caution Against Upload Filters

The copyright reform debate continues on the controversial proposal to force website operators to use content filtering technology to systematically monitor all user uploads and screen for unlicensed copyrighted content. While the European Parliament has, again, postponed committee votes, Member State continue their discussions, but it is hard to tell where they are headed. This is reflected in the leaked joint proposal by Spain, France and Portugal to amend Article 13 and corresponding Recitals, and a new Estonian Presidency “compromise” proposal. Essentially, both proposals take a similar direction, going drastically further than the Commission’s proposal itself in that they attempt to rewrite the concept of ‘communication to the public’ and the application of the intermediary liability exemptions in the eCommerce Directive. These substantial amendments at a minimum merit an impact assessment and public consultation before they are taken any further. We also believe the proposal will aversely impact fundamental rights. Last month, we joined more than 50 human rights, media freedom, and press organisations in a joint letter calling on European lawmakers to reject Article 13.

Cross-Border E-Evidence: European Commission Proposal Expected by January 2018

A senior European Commission official said at a recent conference that the EC is working on a legislative proposal that would allow European law enforcement agencies to issue cross-border production orders to communications service providers. This was one of the options laid out in the EC’s August 2017 ‘Inception Impact Assessment’ and a consultation document to gather further input and data from a wide range of stakeholders.  CDT has participated actively in the open process on this topic, and have briefed EC officials bilaterally on technical and legal issues. In our consultation response submitted on 27 October, along with a short paper, we refrain from endorsing either of the options laid out by the EC. Rather, we push for robust privacy safeguards, judicial oversight, and transparency in any legislative proposal that the EC intends to put forward in 2018. Further, we highlight the security and privacy risks inherent to the forms of ‘direct access’ (also known as ‘government hacking’) discussed in the EC consultation document.

Encryption: EC Does Not Mandate Backdoors, But Does not Stop Member States from Acting

In late October, the European Commission (EC) issued a package of counter-terrorism measures as part of its European Agenda on Security initiative, including practical “measures to support law enforcement and judicial authorities when they encounter the use of encryption in criminal investigations”. Leading up to the package, CDT participated actively in stakeholder discussions led by the EC’s Directorate-General for Migration and Home Affairs (HOME). We welcome the explicit recognition by the Commission that backdoors, or any type of general weakening of encryption, would be detrimental to the security of online communications and commerce. Nonetheless, the EC’s position does not dissuade Member States from taking such counterproductive measures of their own accord. A constructive proposal by the EC is the establishment of a ’structured dialogue’ with industry and other parties. We are hopeful this dialogue will be transparent and inclusive, with a focus on the public interest.

EU-U.S. Privacy Shield: EC Endorses the Shield, with Recommendations for Improvement

On 18 October, the European Commission published its first annual report on the status of the EU-U.S. Privacy Shield. Overall, the report concludes that the U.S. “continues to ensure an adequate level” of protection of personal data transferred from the EU to the U.S. under the agreement. Yet, the EC highlights numerous areas for improvement. Several recommendations are directly relevant to the ongoing US Congressional deliberations on re-authorisation of Section 702 of the Foreign Intelligence Surveillance Act (FISA), set to expire on 31 December 2017. Substantive reform of FISA Section 702 would help strengthen the Privacy Shield framework, without which there is a considerable likelihood that the CJEU would strike down the Privacy Shield. CDT continues to push for a set of changes that would constitute meaningful improvements to 702 to protect privacy and civil liberties.