This is the October 2019 issue of CDT’s monthly EU Tech Policy Brief. It highlights some of the most pressing technology and internet policy issues under debate in Europe, the U.S., and internationally, and gives CDT’s perspective on them.
CJEU ruling troubling for free expression
In a crucial Austrian court case concerning defamatory statements about a politician posted on Facebook, the Court of Justice of the European Union (CJEU) issued a ruling that raises significant free expression concerns. The CJEU said that a content host must remove content that has been deemed illegal, and filter and monitor for statements that are either ‘identical’ or ‘equivalent’ to the original content. The ruling seems based on the dubious assumption that content moderation technology can understand the context and discern the meaning of online statements, and then determine whether they express views that are ‘equivalent’ to one that has been ruled illegal. The CJEU also said that nothing in European legislation precludes courts from issuing injunctions with global reach. In our analysis of the ruling, we set out the free expression concerns that arise from both aspects of the Court’s decision.
Copyright Directive: European Commission hosts Stakeholder Dialogue on Article 17
The European Commission has initiated a Stakeholder Dialogue to inform Member States’ implementation of Article 17, with representatives of rightholders, service providers, and civil society organisations. The Dialogue is intended to identify practical solutions for the application of the Directive’s provisions on licensing arrangements between rightholders and hosting service providers covered by the Article; whether it will do so remains to be seen. CDT and other public interest groups participating in the dialogue continue to raise concerns that the filtering technologies service providers will need to deploy to comply with Article 17 will interfere with uses of content that are covered by exceptions, and that strong user safeguards and redress mechanisms are necessary. Free expression concerns were also raised by the Polish government in the complaint about Article 17 it filed with the Court of Justice of the EU in May 2019.
The US, UK and Australian governments call for encryption ‘backdoors’
The governments of the United States, the United Kingdom, and Australia published an open letter to Mark Zuckerberg requesting that Facebook halt plans to apply end-to-end encryption across all its services. The letter, which is the latest push in the long-running international debate over law enforcement access to encrypted communications, calls for ‘responsible’ encryption that foresees lawful access mechanisms for law enforcement agencies. In response to the letter, CDT and more than 100 other digital policy organisations sent an open letter to Facebook urging the company to proceed with its encryption strategy, noting that ‘backdoors’ or ‘exceptional access’ would harm privacy and weaken security in online communications overall.
The CJEU rules that pre-checked boxes do not provide valid consent under data protection law
The Court of Justice of the European Union (has ruled in an important case concerning what constitutes valid consent for placing cookies on users’ devices under EU data protection law. In the ruling, the CJEU decided that the widespread practice of assuming consent when users access and navigate on a website without unchecking pre-checked boxes does not constitute valid consent. The ruling applies to personal and non-personal data, and sets requirements for the information that websites must include in cookie policies. An important question the CJEU did not address (because it was not asked) is whether requiring users to consent to gathering of data for advertising purposes to use a service meets the condition in data protection legislation that consent must be ‘freely given.’ How this question is answered in future cases will have wide-ranging consequences for the online advertising ecosystem.
U.S. and U.K. bilateral CLOUD Act Agreement
The U.K. and the U.S. have concluded the first bilateral agreement under the U.S. CLOUD Act. The agreement will allow law enforcement agencies in both countries to request evidence directly from service providers located in the other country without going through existing Mutual Legal Assistance procedures. As the first of its kind, the agreement is likely to set standards for similar agreements between the U.S. and other countries. CDT is currently analysing the agreement and will comment on the privacy and procedural safeguards it contains. Earlier this year, the European Commission announced the beginning of negotiations for a bilateral agreement between the EU and the U.S., complementing the draft EU legislation on electronic evidence that focuses on intra-EU cross-border access to electronic data for criminal investigations. CDT is working actively on these proposals.
CoE releases draft text for Cybercrime Convention additional protocol on subscriber information
The Council of Europe (CoE) has released draft text for an additional protocol that is intended to enable law enforcement authorities in one CoE signatory state to demand subscriber information from communications providers in other signatory states, in connection with criminal investigations. The CoE set out the terms of reference for its work on cross-border access to data for law enforcement purposes in 2017. CDT provided input into the CoE stakeholder consultation on this issue in 2018 and will submit written comments on the recently released draft text. CDT’s objective is to ensure that new data access tools for law enforcement authorities are accompanied by strong procedural and data protection safeguards.
‘Trilogue’ negotiations on the draft Terrorist Content Online regulation begin
The trilogue negotiations on the proposed Regulation on Terrorist Content Online have begun. According to the timetable, the negotiations are expected to last until mid-December. However, the negotiations are expected to be difficult. The European Parliament’s position differs significantly, and is a considerable improvement on, the Commission’s draft text and the Council (Member States) Common Position. Among the key issues in these negotiations will be upload filters and proactive measures, how Member States can appoint ‘competent authorities,’ whether ‘referrals’ will be part of the Regulation, and the how the definition of ‘terrorist content’ will be shaped. CDT will be following the negotiations closely.