In recent years, there’s been a trend towards increased EU regulation with the potential to impact more actors across the Internet landscape. This is the second in an ongoing series in which we give a brief overview of the most pertinent policies currently being proposed, debated and implemented in the European Union.
For the background on how and why the RIPE NCC follows EU regulation, as well as general trends currently driving EU policy-making, please see the first RIPE Labs article on the topic.
In the six months since our last update, one thing has become clearer than ever: Internet regulation is a hot topic and shows no signs of slowing down. President Emmanuel Macron called for more Internet regulation during his opening speech at the Internet Governance Forum in Paris last November, Facebook CEO Mark Zuckerberg wrote an op-ed in March asking for governments and regulators to help develop standards for online content, and the UK released a white paper last month calling for stricter regulation of online content.
Within the EU, elections are taking place in May and so there's likely to be a lot of turnover in the different policy-making institutions - the new Commission won't set out its new direction until the autumn.
In the meantime, the EU has been pushing ahead with its various regulatory proposals - some of which have now been adopted. Keep reading to find out the current state of play on each of the big topics, including cybersecurity, intermediary liability (i.e. who's responsible for online content), cooperation among law enforcement, and the data economy (including AI, IoT and big data).
The Cybersecurity Act came into effect on 1 April 2019 and has a 24-month implementation period. As a reminder, this legislation aims to create an EU-wide certification framework for ICT products, services and processes. It also gives ENISA (the EU's cybersecurity agency) an expanded mandate as a permanent EU agency.
In the end, the legislation allows Member States to take a voluntary approach in determining who should be considered an "essential service operator" and which services should be considered "high risk" within their own borders.
The other big component in EU cybersecurity regulation is the directive on security of network and information systems, known as the NIS Directive. The directive’s goal is to improve cybersecurity at the national level and increase cooperation throughout the EU, and involves risk management and incident reporting obligations for essential service operators and digital service providers.
The directive came into effect in May 2018, but Member States were given an extension until 9 November 2018 to define for themselves who qualifies as an “essential service operator”. As we previously reported, the Dutch regulator evaluated the RIPE NCC as a potential essential service operator in our capacity as K-root operator; however, we were given an opportunity to respond to the assessment and made the case that we didn’t believe we met that definition. We can now report that we were not included in their official list of essential service operators, and so our operations do not fall under the scope of the directive.
On the other hand, Internet Exchange Points, TLD operators with more than one million domains, and access providers with more than one million customers are all subject to the directive in the Netherlands (these were existing categories under other legislation that the NIS Directive will now apply to).
The highly controversial Copyright Directive reform, which aims to pay creators (including artists, musicians and news outlets) more fairly for the use of the content they produce, was approved by the European Parliament in March and by the Council in April (although six Member States voted against it). Member States now have 24 months to implement it.
Many civil society groups, industries and academics raised concerns over the directive's potential impact on freedom of expression online. The inventor of the World Wide Web, Sir Tim Berners-Lee, and Wikipedia co-founder Jimmy Wales both spoke out against it, and more than five million people worldwide signed an online petition against it.
Two of the directive's provisions in particular drew a lot of attention. Article 11 (which became Article 15 in the final version), was dubbed the "link tax" and requires content platforms to obtain licences to link to and use snippets from news articles. Article 13 (which became Article 17), makes content hosting providers responsible for securing the rights to the content they host, necessitating the use of upload filters.
Some concessions were made in the end, however: memes and GIFs were excluded from the directive's scope, in addition to open-source platforms like Wikipedia and GitHub, and there is less onus on start-ups as opposed to more established platforms.
Still, although the directive aims to make content providers who currently benefit from third-party content, such as Google, Facebook, YouTube and Instagram, more responsible for the content they host, some argued that the legislation will make it so onerous for smaller companies to comply with the regulation that they will be edged out by those giants that can afford the substantial resources required to monitor vast amounts of user-generated content.
The Proposal for Regulation on Preventing the Dissemination of Terrorist Content Online is still being negotiated by the Parliament and Council, so there's nothing new to report that wasn't covered in our last RIPE Labs article.
Cooperation Among Law Enforcement
As mentioned in our last update, the former presidency of the Council of the European Union considered the E-evidence Proposal one of its priorities in 2018. And indeed, the Council adopted the same position on the proposal in December of last year. The proposal would drastically reduce the time it takes for a judicial authority in one Member State to obtain e-evidence directly from a service provider in another Member State through a new system of production and preservation orders. The scope covers all categories of data, including subscriber, access, transactional and content data.
However, Parliament is still debating the proposal's various aspects through a series of working papers, so negotiations to reach a common position between the Council, Parliament and Commission won't take place until the autumn, after the EU elections have taken place and the new institutions are in place. Stay tuned!
The EU is currently working to update its existing ePrivacy legislation, and that update will become the new ePrivacy Regulation (just as the update to the previous data protection legislation became the new GDPR). The new regulation will complement the GDPR by defining which data is covered.
It will include stronger rules covering data retention, spam, cookies and opt-outs, and will apply to "new" players like Facebook Messenger, WhatsApp and Skype.
Just like the GDPR, this new regulation is going to have a huge impact across the EU (and beyond, as any businesses offering services within the EU will be affected). However, it's not going to happen immediately. While Parliament adopted its position back in November of 2017, Member States (i.e. the Council) are still debating the proposal's different elements. If they can find a common position by the end of the current term, negotiations could begin when the new Commission is in place this autumn, meaning the regulation could be adopted at the earliest by the end of 2020 (and would enter into force six to twelve months after that date).
Data retention in general is a big focus in the EU at the moment, affecting the existing ePrivacy Directive, the negotiations over the new ePrivacy Regulation, the GDPR, and law enforcement cooperation. We'll have to wait and see whether the new Commission will also choose to focus on this topic.
The Commission's High-Level Expert Group on Artificial Intelligence published its guidelines for ethical AI in April. They'll now conduct a pilot phase soliciting feedback about its implementation from industry stakeholders, and hope to eventually take the guidelines to international forums.
The Council has adopted its position on the proposed update to the .eu TLD legal framework, but Parliament has yet to do so, so there's not much new to report on that front.
As always, we hope that these updates are useful to you and would love to hear what topics in particular are of interest, ideas about how (or how frequently) you'd like to hear about EU regulatory news, or any questions you may have. Please leave your comments below.