This is the July 2019 recap issue of CDT’s monthly EU Tech Policy Brief. It highlights some of the most pressing technology and internet policy issues under debate in Europe, the U.S., and internationally, and gives CDT’s perspective on them.
CDT comments on the UK White Paper on Online Harms
On 1 July, CDT submitted comments on the UK Department of Culture, Media, and Sport’s Consultation on Online Harms. We emphasise that the “duty of care” concept advanced in the white paper, and in particular the contemplation of legal duties for intermediaries to police speech that is “legal but harmful”, pose significant risks to individuals’ fundamental rights to freedom of expression and access to information. Human rights-respecting limitations on freedom of expression must be clearly and precisely prescribed by law. However, the white paper proposes an extremely broad and vague concept of “online harms”, and proposes empowering a regulator to set standards for restricting information that intermediaries must follow or face fines. The lawful expression and access to information of individuals around the world would be the collateral damage of such a regulatory approach. We argue that the government will need to narrow significantly the scope of the regulator’s activity to ensure that any limitations on freedom of expression meet the standards of legality, necessity, and proportionality.
CDT comments on CJEU AG opinion in Austrian online defamation case
CDT commented on the CJEU Advocate General’s opinion in a controversial case on defamatory comments about an Austrian politician posted online. The CJEU was asked questions about the territorial reach of judicial decisions on removal of online content, and questions about interpretation of the E-Commerce Directive. In our comments, we oppose the notion in the AG’s opinion that one country’s authorities can demand that its restrictions on free expression be applied beyond its borders, let alone worldwide. This would be a dangerous precedent for free expression and access to information on the internet. CDT encourages the CJEU to take a stronger line on this point and instructs courts to limit explicitly any speech restrictions to apply only in their own country, or possibly within the EU.
Furthermore, we question the AG’s conclusions about monitoring obligations the court imposed on the content host, for “identical” or ‘equivalent’ content. The AG seems to suggest that simply filtering content for matching keywords can do this job. However, as research shows, even the most advanced technologies are incapable of understanding with any precision the context, intent, and meaning of posts. These are matters the CJEU should consider carefully in its deliberations on a final ruling.
Irish Broadcasting Authority issues proposal on regulating online content
In the context of the implementation of the EU Audio-Visual Media Services (AVMS) Directive, the Irish Broadcasting Authority has issued a proposal requesting additional powers to supervise content shared online, not only in Ireland, but across Europe. The proposal is consequential as the leading social media companies have their European headquarters in Ireland. These powers would include the ability to issue takedown notices compelling social media companies like Facebook, Twitter, and YouTube to remove content the regulator deems harmful. The Irish authority also proposes establishing codes of practices and age verification checks for media shared online, as well as a new role for itself in promoting awareness of online safety issues. Concerns about the proposal include the feasibility of expanding broadcast regulation to communications between individuals on social media platforms. CDT will be watching closely implementation of the AVMS Directive’s provisions on regulation of “harmful” content. There is a very real risk that codes of conduct supervised by regulators will lead to undue restrictions on online content.
European Commission expert group on AI publishes policy recommendations
On June 26, the European Commission High-Level Expert Group on Artificial Intelligence (AI HLEG) published its “Policy and investment recommendations for trustworthy Artificial Intelligence”. This is the second deliverable of the AI HLEG and follows the April 2019 publication of the group’s Ethics Guidelines for Trustworthy AI. The new recommendations focus on four main areas: humans and society at large, the private sector, the public sector, and research and academia. The HLEG’s recommendations reflect an appreciation of both the opportunities for AI technologies to drive economic growth, prosperity, and innovation, as well as the potential risks involved. The European Union has an ambition to lead the framing of policies governing AI globally. However, unless Europe accelerates deployment and uptake and builds industrial, research, and development capabilities, its ability to do so will be limited.
French National Assembly gives green light to anti-hate speech proposal
On July 3, the French National Assembly voted on legislation against online hate speech. The text requires digital platforms to delete within 24 hours content that is “manifestly unlawful on grounds of race, religion, sex, sexual orientation or disability.” Critics have raised multiple concerns about the potential censorship effects of this legislation. In particular, the scope of content covered by the law has been broadened significantly, relative to earlier versions. Combined with the very rapid takedown required, and the significant fines that may be imposed for non-compliance, the vague and broad scope may capture content that is lawful and legitimate, with little scope for redress. The legislation is on a fast track, with only one reading in each legislative chamber. Adoption by the French Senate is scheduled for September.
Hearing held in Max Schrems vs. Facebook before the CJEU
On 9 July, a hearing was held by the CJEU on the Schrems II case (C-311/18) on Facebook Ireland’s use of standard contractual clauses for data transfers to the U.S. The Schrems II (C-311/18) hearing before the Court of Justice of the EU investigated “whether the transfer of data to the U.S. with standard contract clauses violates fundamental rights”. Schrems II is the second chapter of the legal challenge launched by digital rights activist Max Schrems in 2013, following Edward Snowden’s disclosures about access to Europeans’ personal data by U.S. intelligence agencies under U.S. law. The case follows the 2015 ruling by the CJEU that the existing data transfer framework, the “Safe Harbor”, did not ensure adherence to European fundamental rights standards. The Safe Harbor was replaced by the “Privacy Shield”, whose functioning is reviewed annually by the European Data Protection Board. The case could have very significant implications for companies transferring European data to the U.S. on the basis of either standard contractual clauses or the Privacy Shield. The Advocate General will publish his opinion on 12 December 2019, while the CJEU’s final decision is expected in early 2020.
New Commission President Von Der Leyen sets out digital policy priorities: AI regulation and Digital Services Act
On 16 July, Ursula Von Der Leyen, former German Defense Minister, was elected new President of the European Commission. Her mandate will officially start on 1 November, once the new European Commission will be appointed. Her program includes some significant digital policy priorities. One is the launch of a Digital Services Act, which is intended to “upgrade the liability and safety rules for digital platforms, services and products”. This initiative is important in that it will amend the existing legal framework underpinning the hosting of third-party content. In addition, within 100 days of taking office, she intends to draft legislation for “a coordinated European approach on the human and ethical implications of Artificial Intelligence”. Further, Von Der Leyen will put forward a European Democracy Action Plan that will include legislative proposals to ensure greater transparency on paid political advertising and clearer rules on the financing of European political parties.
After one year of GDPR, European Commission publishes its report
On 24 July, the European Commission published a report on the first year since the adoption of the GDPR. According to it, by the end of June 2019, the cooperation mechanism among the national Data Protection Authorities had managed 516 cross-border cases. However, the Commission hopes that the European Data Protection Board will “step up its leadership and continue building an EU-wide data protection culture.” To help businesses facilitate compliance, the Commission will support the adoption of standard contractual clauses, codes of conduct, and a new certification mechanism. In addition, the Commission will continue supporting small and medium-sized enterprises in applying the rules. Currently, only 20 percent of Europeans know which public authority is responsible for protecting their data. Therefore, this summer the European Commission launched a new campaign to encourage Europeans to familiarise themselves with privacy statements and use take advantage of possibilities to optimise their privacy settings.