EU Tech Policy Brief: May 2020 Recap

This is the May 2020 recap issue of CDT’s monthly EU Tech Policy Brief. It highlights some of the most pressing technology and internet policy matters under debate in Europe, the U.S., and internationally, and gives CDT’s perspective on them.

Open position: CDT is recruiting a new EU Affairs Director

CDT has opened a position for a new Director of CDT’s European team. We are looking for a talented and experienced leader with strong established networks, understanding of international technology policy, and affinity for CDT’s mission and approach to it. The successful candidate will interface with senior government and elected officials, conveying CDT’s positions with credibility and authority, and set and execute strategy for reinforcing and growing CDT’s European engagement. Jens-Henrik Jeppesen will be leaving CDT to take on a new position with Workday, a leading provider of cloud-based enterprise applications.  

CDT meets European Commissioner for Justice Didier Reynders

This month, CDT had the opportunity to meet virtually with European Commissioner for Justice Didier Reynders. We had a wide-ranging discussion with Commissioner Reynders, his Cabinet, and DG Justice staff. We exchanged views on several issues of common interest: the Commission’s E-Evidence Proposals, the Terrorist Content Online Regulation, the Artificial Intelligence White Paper, and the Democracy Action Plan. We also took this opportunity to commend the Commission for its approach to COVID-19-related mobility data collection and contact tracing initiatives, and briefed the Commissioner on CDT’s Data for Life and Liberty Taskforce, comparing experiences from the U.S. and Europe. Finally, we touched on lessons learned on online content moderation during the pandemic. We look forward to working with the Commissioner and his staff on the right solutions to the multiple technology policy issues on the Commission’s agenda.

Launching the Global Encryption Coalition

CDT joined more than 30 other civil society organizations in launching the Global Encryption Coalition to promote and defend encryption in key countries and multilateral gatherings where it is under threat. CDT will lead this coalition alongside the Internet Society and Global Partners Digital. The coalition was launched with a series of webinars across the globe, and recordings are available. CDT’s Director for European Affairs, Jens-Henrik Jeppesen, joined Europe’s panel on ‘Online Trust and COVID-19: What’s next for Encryption in Europe?‘ together with representatives from the European Commission, eco – Association of the Internet Industry, and the Internet Society. The discussion highlighted the critical role of encryption in enabling online commerce and communications during the pandemic, and reviewed the current encryption debate in the EU. We encouraged the European Commission to continue to ensure that European citizens and businesses continue to have access to the best possible solutions to secure online transactions and communications. And, we applauded the Commission’s consultative and thorough approach to policymaking that is informed by solid legal and technical input from industry, civil society, and the technical community. 

Ten EU Member States issue recommendations for the Digital Services Act

Countries forming the so-called Digital 9+ group (Belgium, Czech Republic, Denmark, Estonia, Finland, Ireland, Luxembourg, Netherlands, Poland and Sweden) published a discussion paper in which they reflected on the upcoming Digital Services Act (DSA) proposal and reviewed the current legislation, in particular the e-Commerce Directive (ECD). The countries acknowledged that the current legal environment no longer reflects today’s online services, and requires updating. They set out a number of goals the reform should aim for: “promoting single market measures, economic growth, innovation, respect for human rights and the effective protection of public interests.” The document echoes views CDT has put forward, arguing that certain key elements of the ECD should be maintained: the country of origin principle, the limited liability provisions, and the prohibition on imposing a general monitoring obligation on internet society services. It concludes that while maintaining these principles, the DSA should among other things introduce a framework for notice-and-action mechanisms.

CDT joins the Twitch Safety Advisory Council to advocate for users’ rights, transparency and accountability in content moderation 

Twitch announced the creation of its Safety Advisory Council, a group of experts and users who will provide input and feedback about content moderation issues, user safety, emerging digital trends and possible policy updates. This is a welcome move from the growing platform with over 17 million daily active users, and CDT is pleased to participate as one of the Council’s inaugural members. In this role, CDT will continue to advocate transparency and accountability in content moderation and focus on the implications of Twitch’s policies for users’ freedom of expression, privacy, and other human rights. Facebook recently established its Oversight Board, which will aim to exercise independent judgment over the most difficult and significant content moderation decisions. TikTok recently announced a Content Advisory Council after facing many questions about its approach to content moderation, and Twitter recently revamped its Trust & Safety Council, which CDT joined in 2016 when it first launched.

Interoperability guidelines for approved contact tracing mobile applications in the EU

As explained in our recent paper, several EU Member States intend to launch mobile contact tracing apps as part of their COVID-19 management strategies to support the gradual lifting of lockdowns and travel restrictions. The European Commission’s eHealth Network published guidelines to ensure interoperability between mobile tracing and warning apps across the EU. The document is a follow-up action to the recent joint EU toolbox ensuring common standards to develop contact tracing applications across Europe and the Commission guidance on data protection. The guidelines stress that tracing apps must be voluntary, transparent, temporary, and secure, using temporary and pseudonymised data, and rely on Bluetooth technology – and approved by national health authorities. The Commission’s guidelines are not binding on Member States, and whether they will follow the guidelines remains to be seen. 

Hungarian government suspends EU data protection rights

On 30 March, the Hungarian Parliament passed the so-called “Enabling Act”, granting the government the authority to rule through government decrees for as long as the current state of emergency is in effect. In Decree No. 179/2020 issued on 4 May, the Hungarian government restricted data protection and privacy rights laid down in the GDPR and the Hungarian Act on Freedom of information and data protection, in the context of measures to combat the pandemic. Another measure makes the spreading of misinformation an offence punishable with up to five years’ imprisonment. The European Data Protection Board signalled its concern with the suspension of privacy rights. European Commission Vice-President Vera Jourová stated that the Commission is monitoring the situation in Hungary as regards detention of individuals accused of spreading misinformation.

European Commission publishes a Study assessing the EU’s Code of Practice on Disinformation

The European Commission published a Study for the assessment of the implementation of the Code of Practice on Disinformation, a voluntary framework by which leading online services agreed to address online disinformation on a self-regulatory basis. The study analyses the companies’ policies and tools adopted to implement the commitments made in the Code, summarizes the state of play one year after its implementation, and draws several conclusions. The Code of Practice is seen as a first and crucial step in the fight against disinformation, its aims and activities are considered highly relevant, and the results are seen as positive. The perceived drawbacks, on the other hand, relate to its self-regulatory nature, the lack of uniform implementation, and the lack of clarity around its scope and some of the key concepts. In the future, the implementation of the Code should continue and its effectiveness could be strengthened by agreeing on terminology and definitions. Online disinformation is generally lawful speech, protected under human rights treaties. It is very difficult to address without violating fundamental free expression rights. 

The GDPR: Two-year anniversary

May 25th marked the two-year anniversary of the EU General Data Protection Regulation, which has had significant global impact. It inspired similar laws in several countries, such as Brazil, and India, as well as in the state of California. It also helped create fresh impetus for passing federal-level privacy legislation in the U.S., a longstanding CDT objective. The Regulation spurred companies operating globally to set up processes and programs for implementing GDPR provisions, and to apply them globally. In this way, people across the globe have benefited from the enhanced protections the GDPR offers. The past two years have also shown challenges authorities face in enforcing the regulation, such as lack of appropriate staff and funding for most data protection authorities (DPAs). Some Member State DPAs have yet to issue their first fine despite receiving thousands of complaints. However, over the long term, the GDPR is likely to remain a strong factor in setting global privacy norms and shaping companies’ data governance practices.