In recent years, there’s been a trend towards increased EU regulation with the potential to impact more actors across the Internet landscape. Here, we give a brief overview of the most pertinent policies currently being proposed, debated and implemented in the European Union.
One-hour deadlines for responding to take-down requests. Cross-border e-evidence access for law enforcement. Data collection restrictions that could hinder the development of AI and the IoT. These are some of the policies being discussed by the European Commission right now, many of which have the potential to affect a large number of our members, from service providers to ccTLD operators to governments to competent authorities – not to mention the RIPE NCC’s own operations.
To keep up with everything taking place in the European Commission, we’ve been working with an intelligence firm for the past few years and want to share with you the most important information we’ve learned in the past few months. (We also delivered this as a presentation at RIPE 77.)
In general, the EU is proposing more ICT regulation and is placing more responsibility on service providers than ever before. Governments are also becoming increasingly aware of the importance of protecting their critical infrastructure. In large part, this is being driven by concerns over cybersecurity, intermediary liability (i.e. defining who is responsible for online content), a desire for better cooperation among law enforcement in different Member States, and the need to ensure privacy rights in the data economy (which includes emerging technologies like AI, the IoT and big data). If GDPR taught us anything, it’s that the EU isn’t afraid to pass regulations with far-reaching implications.
The big focus in cybersecurity at the moment is the Cybersecurity Act, which aims to create an EU-wide certification framework for ICT products, services and processes. It also gives ENISA an expanded mandate as a permanent EU agency.
The main points of discussion at the moment are whether “essential service operators” and those services considered “high risk” should be forced to adopt the framework, or whether this should be voluntary if a national framework is already in place. Parliament is pushing for a mandatory approach and Member States are generally supporting a voluntary approach here.
Similarly, Parliament would like to see ENISA have more autonomy, while Member States generally want it to act as a central coordinator and supporting entity.
The European Commission released its proposal for the Cybersecurity Act in September, and it’s currently in negotiations between the European Commission, Parliament and Council. It’s one of the priorities of the Austrian Presidency of the Council of the European Union, so it will be pushing for Member States to reach an agreement by the end of 2018.
A European Cybersecurity Industrial, Technology and Research Competence Centre and an EU Network of Cybersecurity Centres are also in the works for 2021, with the goal of coordinating existing efforts and boosting research and innovation in this field.
Also falling under the umbrella of cybersecurity is the directive on security of network and information systems, known as the NIS Directive. The directive’s goal is to improve cybersecurity at the national level and increase cooperation throughout the EU, and it involves risk management and incident reporting obligations for essential service operators and digital service providers.
The directive came into effect on 9 May 2018, but Member States have been given an extension until 9 November to define for themselves who qualifies as an “essential service operator”. The Dutch regulator evaluated the RIPE NCC as a potential essential service operator in our capacity as K-root operator; however, we were given an opportunity to respond to the assessment and made the case that we don’t believe we meet this definition. We will have to wait until the official list is published to discover whether we are included or not.
Although many already have their own security provisions in place, ccTLD operators, which fall under the directive’s scope, will have to decide whether their existing safeguards satisfy the directive. It’s important to remember that even if you aren’t considered an essential service operator yourself, you may have clients who are, so it’s good to think about the entire service chain when considering the policy’s implications for your business operations.
Intermediary liability covers policy relating to who’s responsible for online content, and at the moment there are two major pieces: one focusing on copyrighted material and the other on terrorism.
The EU Copyright Directive is currently being negotiated. A feature that has been highly criticised by civil society groups, academia and parts of the Internet industry is upload filters for copyrighted material. Despite this criticism, some Member States want to see stricter obligations on the Internet industry for protecting society from illegal content online.
The European Commission held a public consultation in June to assess whether current efforts to keep illegal content under control were sufficient, the results of which should be published in the coming months.
There is also a Proposal for Regulation on Preventing the Dissemination of Terrorist Content Online being negotiated, and the focus here is on service providers. The main elements include being subject to a one-hour deadline to respond to removal requests from judicial authorities, along with data preservation obligations.
It’s important to note that this proposal applies not just to the big content providers, but to micro, small and medium-sized enterprises alike. There are also high sanctions for systemic non-compliance, of up to 4% of global turnover.
Cooperation Among Law Enforcement
The desire for law enforcement agencies in one Member State to be able to cooperate more easily with their counterparts in other Member States has been growing, and one of the biggest things happening in this space is the E-evidence Proposal.
This proposal would make it easier for law enforcement to gather evidence across borders throughout the EU, allowing a judicial authority in one Member State to obtain electronic evidence directly from a service provider in another Member State.
For a time, real-time interception was being debated but was recently ruled out (although that doesn’t mean the concept won’t crop up in another policy proposal at some point), and Member States are now debating different models for a notification system between them.
The European Data Protection Board just released its opinion on the proposal, which highlights issues around unfeasible deadlines, a lack of judicial oversight, and the protection of fundamental rights. The opinion is non-binding, but it’s possible that some Member States will raise some of these issues moving forward.
There will be a public hearing on the E-evidence Proposal in the European Parliament on 27 November, and this is another of the Austrian Presidency’s priorities, so it’s hoping to get Member States to reach agreement before the end of its tenure this year.
Data economy covers everything that treats data as an economic asset, and the major focus at the moment is new ePrivacy text that takes a restrictive approach to metadata and content data processing, to the point that the current provisions would have a negative impact on the development of things like AI, IoT and big data business. The new text hasn’t been finalised yet, but it’s a good example of the continual struggle to balance privacy concerns with the economic potential being fuelled by the unprecedented amounts of data being collected today.
The European Commission also plans to release AI ethical guidelines by the end of the year as part of the European AI Alliance, an effort to bring together existing research centres working in the field. The Commission will also increase its funding for AI initiatives by €1.5 billion.
Finally, there is a proposal to update the .eu TLD legal framework, although this seems to be an effort to modernise the text rather than give it a substantial overhaul.
We’ve heard from you that these kinds of updates are useful, so we’ll continue to write RIPE Labs articles and give presentations at RIPE Meetings and other venues. If you have ideas about other ways you’d like to stay up to date or want to let us know which topics are of most interest to you, please comment below.