This is the third in an ongoing series in which we give a brief overview of the most pertinent digital policies currently being proposed, debated and implemented in the European Union.
For the background on how and why the RIPE NCC follows EU regulation, as well as general trends currently driving EU policymaking, please see the first RIPE Labs article on the topic.
The five months since our last update have been relatively quiet in terms of policy development thanks to the EU elections that took place in May. Since that time, the EU has been selecting new people for the top jobs and the new European Commission is set to take office 1 November (although the rejection of proposed candidates for some of the senior positions may delay things).
In the meantime, here's what's been happening with regards to the main regulation being debated and proposed that could affect the technical community. In general, we continue to see a focus on more liability being placed on operators, increased security, and an effort for better cooperation among law enforcement.
The Finnish Presidency’s Priorities
The Finnish Presidency of the Council (which holds the presidency for the second half of 2019) has signalled the following topics as its primary focus:
- Strengthening digital services, high-speed connects and the data economy
- Advancing negotiations on the ePrivacy Regulation
- Ensuring the swift deployment of 5G in Europe; security will be a primary focus, as set out by the European Commission
The New European Commission President’s Priorities
European Commission President-elect, Ursula von der Leyen, included the concept of “a Europe fit for the digital age” in the political guidelines she published.
The guidelines mention a new Digital Services Act, with a focus on “upgraded liability” and safety for digital platforms, services and products. However, work on this isn’t expected to start until the end of 2020.
She also mentioned a “joint cyber unit” to “speed up information sharing and better protect ourselves” without giving further details on its goals or mission.
As a refresher, this regulation is the update to the current ePrivacy legislation, and will complement the GDPR by defining which data is covered - so it has the potential to impact a lot of operators and businesses, not just those located in Europe but any that are operating within the EU as well. It will include stronger rules covering data retention, spam, cookies and opt-outs.
This is also the file that the Parliament and Member States (i.e. Council) haven't been able to agree on. Parliament decided its position back in November 2017 and the Member States have been debating it ever since.
However, the Finnish Presidency of the Council has made some strides with an updated version of the text that it published in September, which addresses the main issues causing the deadlock. It allows an exception for processing electronic communications data for the purpose of fighting child sexual abuse and other illegal content (one of the most contentious issues among Member States); otherwise, consent remains the only legal ground for processing content data. It also allows Members States to retain data for a longer period than initially proposed, and defines four different categories of data processing in order to bring it in line with the GDPR.
If the new text manages to appease the Member States and Council can agree on its position, trilogue negotiations (the last stage of the legislative process) can begin early next year. If not, then the text might be withdrawn altogether – ePrivacy didn’t come up in any of the hearings for candidate Commissioners, so it simply may not be a big focus for the incoming European Commission.
Either way, we’ll stay on top of it and report back on any relevant developments.
Cooperation Among Law Enforcement
As mentioned in our last update, negotiations to reach a common position between the Council, Parliament and Commission won't take place until after the new institutions are in place. Council adopted its position in 2018, and Parliament plans to produce a draft text in November in order to start trilogue negotiations in early 2020.
In the meantime, Parliament has expressed concerns over several aspects of the Commission’s proposal (including tight deadlines, unclear data categories, and the threshold for issuing production orders for the processing of content data, among others), while the Commission is working on the development of an eEvidence Digital Exchange System, at the request of Member States, as well as negotiations for an EU-US agreement.
Cross-Border Access to Electronic Evidence
In June, the Council authorised the start of negotiations between the EU and the US on cross-border access to electronic evidence. A major topic of discussion is a real-time interception, which is neither explicitly included nor excluded from the current text and has divided Member States.
In July, the European Data Protection Board and the European Data Protection Supervisor published a legal assessment of the impact of the US Cloud Act on the European legal framework for personal data protection. (The US Cloud Act allows American law enforcement authorities to compel US companies to hand over data, regardless of where that data is stored.)
They noted some ambiguities with regards to the GDPR and have called for the next generation of MLATs (Mutual Legal Assistance Treaties), allowing for much faster and more secure processing of requests.
This is another topic we will continue to follow closely as negotiations proceed; however, this will likely be a lengthy process with no immediate impact on the technical community.
BEREC (Body of European Regulators for Electronic Communications) is currently undertaking a public consultation on their draft guidelines for interpreting the “network termination point (NTP)”. These guidelines have been designed in accordance with the European Electronic Communications Code to provide national regulatory authorities with guidance on how to interpret the EU directives and implement them in their national legislation.
The RIPE NCC has no particular position on this topic, but we think it is important for the RIPE community to consider the impact of these guidelines, which could influence both our members’ operations and the RIPE NCC’s engagement strategy on a number of topics including IPv6 and IoT security.
We've invited the Connect Working Group to discuss the proposed guidelines. If it reaches a rough consensus as determined by the chairs, the RIPE NCC will submit that opinion as a response on behalf of the RIPE community. If consensus cannot be reached, we would instead encourage individual members to provide their own responses to the consultation.
For more information, please follow the discussion on the Connect Working Group mailing list.
Did you find this update useful? What topics are of interest to you? How would you like to hear from the RIPE NCC about the latest European regulation developments? Please share your comments or questions below!