This is the fourth in an ongoing series in which we give a brief overview of the most pertinent digital policies currently being proposed, debated and implemented in the European Union.
For the background on how and why the RIPE NCC follows EU regulation, as well as general trends currently driving EU policymaking, please see the first RIPE Labs article on the topic.
The new European Commission officially assumed office on 1 December 2019, and since that time, has been busy on a number of fronts with the potential to impact the telecommunications sector, including the RIPE NCC and many of our members. In addition to the files that were already underway, the Commission has proposed a whole new digital and data strategy for Europe. But before diving into the new initiatives, let's start where we left off last time with the files we've been following for some time now...
Cooperation Among Law Enforcement
The E-Evidence Proposal continues to work its way through the system, with different parties weighing in. The European Parliament's LIBE Committee (Civil Liberties, Justice and Home Affairs) published amendments to the proposed package in December, and the Commission launched a study in December to look at how ISPs and law enforcement agencies in ten different Member States implement data retention, with the results to be published in June. At this point, negotiations on the proposal aren't expected until later in 2020.
Meanwhile, the e-Evidence Digital Exchange System (eEDES) is ready to be rolled out, starting with select Member States in the first half of 2020. The system is meant to increase efficiency in obtaining electronic evidence via mutual legal assistance treaties (MLATs) between Member States.
As a refresher, this regulation is the update to the current ePrivacy legislation, and will complement the GDPR by defining which data is covered - so it has the potential to impact a lot of operators and businesses, not just those located in Europe, but any that are operating within the EU as well. It will include stronger rules covering data retention, spam, cookies and opt-outs.
This is also the file that the Parliament and Member States (i.e. Council) haven't been able to agree on. Parliament decided its position back in November 2017, but the Member States just haven't been able to agree on a position. Despite making strides with an updated text, the Finnish Presidency couldn't get Council to reach an agreement by the end of 2019, and the Croatian Presidency carried on the work with new amendments published in February to try to find a common stance. The timeline for this file, however, has been affected by COVID-19, so we expect further delays and only time will tell if it's a priority for the German Presidency in the second half of 2020. Stay tuned...
Two years after coming into force on 25 May 2018, the GDPR is under review. The Commission held a public consultation on the application of the GDPR (General Data Protection Regulation) in April and is also seeking the opinions of the Council (which already gave its input), the European Parliament, national Data Protection Authorities, the EDPB (European Data Protection Board) and the GDPR Multi-Stakeholder Group to evaluate its implementation. The report is expected on 25 May.
However, we don't expect a revision of the GDPR as long as efforts continue with regards to the updated ePrivacy Regulation.
In its position, the Council stated that GDPR has been a success but there’s room for improvement; that more emphasis should be placed on large tech companies, given their influence; that there's a need for more guidance from the Commission and EDPB, especially on protecting children’s personal data; and that there's a need for clarification on how GDPR applies to new technologies.
In January, the Commission published a toolbox on cybersecurity and 5G networks and a communication on the secure deployment of 5G networks across the EU. The toolbox outlines general risks and offers mitigation recommendations, and includes strategic and technical measures that can be taken (e.g. stronger regulatory oversight, ensuring diversity of suppliers, establishing security requirements, update and patch management, 5G certification for non-5G ICT services such as IoT and cloud, etc.).
Member States are expected to release a report by 30 June, via the NIS (Network and Information Security) Coordination Group, on the state of implementation in each Member State of the measures described in the toolbox. (The NIS Coordination Group was established as part of the NIS Directive in 2016 to enhance cooperation across Member States on the topic of cybersecurity. You can find our update on the NIS Directive below.)
In March, ENISA (the EU’s cybersecurity agency) published a report titled, “Stock taking of security requirements set by different legal frameworks on OES and DSPs” that provides guidance on the security responsibilities of operators of essential services (OESs) under the NIS Directive and digital service providers (DSPs) under the GDPR.
New European Commission
And now on to the new stuff!
The new European Commission published its 2020 work programme in January, and it includes several new initiatives that will almost certainly affect a majority of the RIPE NCC's members, including:
New Digital Services Act
This newly proposed legislation was included under the Commission's theme of "A Europe fit for the digital age" and is meant to support a single market for digital services, including levelling the playing field and providing legal clarity for small businesses (specifically, by addressing notice-and-takedown procedures under a European system, which includes the idea of a European regulator).
It will also look at how online platforms can mitigate the trade of counterfeit and unsafe products, although it won't address the market dominance of online platforms (this issue will be left to competition rules to address, which will be re-evaluated by 2021).
The act has the potential to influence a lot of different service providers, as it's expected to include all digital services - including content delivery and DNS services.
So far, it seems that many key principles from the E-Commerce Directive will be preserved, including the country-of-origin principle, the ban on general monitoring obligations and the exemption for intermediaries from liability for stored content.
However, the Commission believes that the E-Commerce Directive itself needs to be revised because Member States are eroding this principle through national initiatives, and updated to include new business models.
Member States are set to have their first "exchange of views" on the Digital Services Act in June. Parliament has already published its draft recommendations to the Commission. The Commission originally planned to put forward its proposal for the new act before the end of 2020, but that timeline may be delayed to early 2021 now due to COVID-19.
The Commission plans on holding an open consultation on the Digital Services Act that was originally scheduled for March, but the timeline has been delayed due to the COVID-19 situation. We encourage members of the RIPE community to respond with their input and will keep you informed as soon as the consultation is open so you can ensure your voice is heard.
Revision of the NIS Directive
The Network and Information Security (NIS) Directive, which came into effect in May 2018, meant that Member States had to define for themselves who qualifies as an “essential service operator” and "digital service providers", as these bodies were subject to risk management and incident reporting obligations under the directive's scope. As we previously reported, the Dutch regulator evaluated the RIPE NCC as a potential essential service operator in our capacity as K-root operator; however, we have so far not appeared on its list of operators who fall under the scope of the directive.
However, the Commission is now reviewing the directive as part of its new digital strategy (more details below) in order to address "consistency gaps" in the approaches taken by different Member States in its implementation. It expects to have a proposal ready by November 2020.
As many of our members fall under the scope of the NIS Directive (in the Netherlands, for example, Internet exchange points, TLD operators with more than one million domains, and access providers with more than one million customers are all subject to the directive), we will continue to follow these developments closely.
European Data Strategy
The Commission's new European data strategy is aimed at creating a single market for European data in order to encourage the sharing of data between public and private sectors for the social and economic benefit of Europeans.
The strategy will tackle cross-border data use, interoperability, and legal issues such as liability and intellectual property rights. It also includes a proposal to create a linked European federation of cloud infrastructures to share data on healthcare, environment, mobility, etc., between businesses and between businesses and government. The strategy comes with a €1.5 trillion investment.
There is an open consultation on the European Data Strategy until 31 May.
More details of the European Data Strategy were revealed in February as part of the Commission's “Shaping Europe’s digital future”, a roadmap for Europe’s digital policy initiatives for the new legislature. The plan is built around three pillars:
- Technology that works for people
- Includes initiatives on infrastructure (5G), smart energy, transport infrastructures, digital skills, the gig economy and AI
- Involves plans for establishing a joint Cybersecurity Unit and reviewing the Security of Network and Information Systems (NIS) Directive by the end of 2020
- A fair and competitive digital economy
- Focus on Europe being independent from other global powers, including the creation of a “European Data Space”, updating competition rules, work on digital taxation, and exploring ex ante rules to tackle the role of large online platforms to ensure new entrants can compete in the digital single market
- A digital and sustainable society
- Includes green ICTs
In terms of how we and/or our members might be affected by these grand ambitions, the focus remains on online platforms (rather than telcos or infrastructure) for now - but this could change depending on how the Digital Services Act develops.
The other trend we see as a main driver behind the digital plan is the notion of maintaining (or establishing) digital sovereignty - an idea that we see highlighted more and more in Internet governance and policy discussions.
Internet Use in the Time of COVID-19
Of course, the one unforeseen twist in the EU's plans (okay - all of our plans!) is, of course, the COVID-19 crisis. Like the rest of us, much of the EU's work has moved online and things are still progressing - although some timelines have definitely been pushed back as other issues take priorities. There are increased concerns over privacy and data processing in light of contact-tracing apps, for example, along with increased pressure on illegal or harmful online content, such as misinformation around the virus. On the other hand, discussions on the cross-border exchange of electronic evidence have been put on hold and are now not expected to resume until later in the year, at the earliest.
The European Commission and BEREC (Body of European Regulators for Electronic Communications) have been monitoring Internet traffic in response to the widespread increase in the number of people working from home during the pandemic. The Commission has advised streaming platforms to offer standard- rather than high-definition video, while users have been encouraged to reduce their data consumption, such as by limiting their use of Wi-Fi and lowering the resolution on content they consume. So far, BEREC reports that Europe’s connectivity remains robust.
Did you find this update useful? Does EU regulation affect your work or operations? Please share your comments or questions below! And if you'd like to stay up to date on these and other government and regulation topics, consider joining the RIPE Cooperation Working Group Mailing List.