EU Tech Policy Brief: October 2017

This is the October issue of CDT’s monthly EU Tech Policy Brief. It highlights some of the most pressing technology and internet policy issues under debate in Europe, the U.S., and internationally, and gives CDT’s perspective on them.

Copyright DSM: No Compromise on Article 13

The Civil Liberties (LIBE) Committee of the European Parliament was originally scheduled to vote on MEP Michal Boni’s Opinion (focused entirely on Article 13, concerning upload filtering) on 5 October, but the vote has been postponed again due to the controversial nature of the issue. The upload filtering proposal is based on the so-called ‘value gap’ assumption, or the idea that that video hosting sites displace revenues for copyright owners, but a study ordered by the European Commission (EC) finds no evidence of such displacement. The study, whose results did not support the Commission’s political line, was initially withheld by the EC and only released in response to a freedom of information request by MEP Julia Reda.

ePrivacy: Leading EP Committee Delays Vote, While Opinions Are Adopted With Diverging Outcomes

Parliamentary committees have delivered Opinions on the ePrivacy Regulation proposal, while the lead Committee, LIBE, is delayed. Several committees contradict each other on important points. While the Legal Affairs (JURI) Committee adopted amendments for a ‘privacy by default’ approach, the Industry Committee (ITRE) supported the Commission’s proposal for users to select their privacy settings from a list of options. ITRE also strongly supported effective encryption, echoing our analysis of the proposal. While JURI specified that the Regulation applies to data in storage and transit, the Internal Market (IMCO) committee limited the scope to data in transit and exempted further processing from consent. Meanwhile, the Estonian Presidency and the European Data Protection Supervisor (EDPS) weighed in with their opinions. The EDPS recommendations align with the draft Report of LIBE rapporteur, MEP Marju Lauristin. The Presidency issued its first redraft of the proposal, suggesting among other things legitimate interest as a legal basis for processing of data, in line with the GDPR. Difficult negotiations lie ahead, within Parliament and between the institutions.

Data Flows: EC Proposal to End Forced Data Localisation in Member States

On 13 September, the European Commission published its long-awaited proposal on the free flow of non-personal data in the EU. The proposed Regulation aims “to achieve a more competitive and integrated internal market for data storage and other processing services by ensuring the free movement of data within the Union“. Towards this goal, Article 4 of the proposal says that Member States cannot force companies to keep their data within national borders, with the main exception being matters involving public security cases. In view of achieving a true European Digital Single Market, we welcome the establishment of the principle of free movement of non-personal data in the EU. The proposal was watered down from previous drafts, particularly when it comes to how European companies and consumers can take their data with them when they switch cloud service providers (Article 6). In this respect, the proposal encourages “self-regulatory” codes of conduct in order to define guidelines on best practices. Overall, the measure should be supported by a wide range of stakeholders.

Privacy Bridges report on User Controls Presented at 39th ICDPPC

CDT hosted a side event, ‘Privacy Bridges / User Controls’, at the 39th International Conference of Data Protection and Privacy Commissioners in Hong Kong. The event was focused on presentation and discussion of a report, “A Roadmap to Enhancing User Control via Privacy Dashboards”, that examines existing dashboards, recommends regulatory convergence between regions to accelerate use, and discusses prospective privacy solutions such as AI assistants and other tools. The report, drafted by researchers at the University of Amsterdam and Hong Kong University, was the result of cooperation between CDT, the universities, and an advisory board of privacy experts and regulators that were involved in the 2015 Privacy Bridges project. The project identified ten privacy challenges for regulators, industry and experts, and the present report focuses on one of those challenges: solutions that give users understanding and control of how their personal data is processed.

Illegal Content: EC Communication Encourages Privatized Enforcement

On 28 September 2017, the European Commission released a set of guidelines and principles for how online platforms should address illegal online content. While we hoped to see clear guidance on ‘notice and action’ procedures under the E-Commerce Directive, the Commission’s guidelines urge companies to ‘voluntarily’ install automated filtering, endorse ‘trusted flagger’ systems, and encourage faster takedown of flagged material, with no judicial oversight. The Commission will carefully assess the ‘progress’ intermediaries make in remover more disputed content, faster – and may move to legislate if it is not satisfied. CDT takes the position that policies concerning illegal content must not incentivize censorship and the removal of legal content. The interests of online free expression and innovation must be protected as the problem of online illegal content is tackled, and the EC guidelines fail to do this.

EC Publishes EC Cybersecurity Strategy

In late September, the European Commission released a proposal for a Regulation on ENISA (the “Cybersecurity Agency”), repealing Regulation (EU) 526/2013, and on the Information and Communication Technology Cybersecurity Certification (“Cybersecurity act”). These initiatives form part of the review of the Cybersecurity Strategy of the EU. The Commission aims to create a centralized cybersecurity agency for cybersecurity research and countering cybercrime, as well as other “centres” that will help in the mission to proactively counter increasing threats of cybercrime. The Commission suggests: executing the goal of strengthening cybersecurity through education; establishing conformity bodies; increasing department budgets; sharing best cybersecurity practices and tools; establishing an EU-wide certification scheme for cybersecurity; increasing disincentives; deepening cybersecurity relations with NATO; and increasing the responsibilities and reach of ENISA. CDT supports security by design, and most of the proposed methods of addressing cybercrime and strengthening cybersecurity.

EU-US Data Transfers: Irish High Court refers Schrems II to the CJEU

On 3 October, the Irish High Court ruled in the Schrems II case, which involves personal data transferred from the EU to the US under Standard Contractual Clauses. The Court  concluded that well-founded concerns were raised regarding the lack of effective remedies under US law compatible with the EU Charter of Fundamental Rights. It also concluded that there is a risk that when protected personal data transferred to the US, it could be processed by US authorities in a way that is inconsistent with EU fundamental rights. The Court further referred the matter to the CJEU. For now, EU Standard Contractual Clauses and the Privacy Shield remain in effect. However, whether the CJEU will ultimately find that US surveillance law and practice provides adequate remedies for EU citizens is an open question.