This is the fifth in an ongoing series in which we give a brief overview of the most pertinent digital policies currently being proposed, debated and implemented in the European Union.
For background on how and why the RIPE NCC follows EU regulation, as well as general trends currently driving EU policymaking, please see the first RIPE Labs article on the topic.
The COVID-19 crisis has further highlighted topics around protecting critical infrastructure, boosting Europe's digital sovereignty, privacy concerns, and protecting Internet users from misinformation and online abuse.
Digital Services Act
This is the proposed regulation that everybody in Internet governance circles is talking about the most, as it will affect many different players in the Internet ecosystem. The European Commission is expected to put forward its draft text for the act sometime in December.
As a reminder, the Digital Services Act (DSA) is essentially an update to the E-Commerce Directive of 2000, which provides the legal framework regulating digital services in the EU and sets out the liability regime for "information society service" providers, including Internet service providers, as well as those that act as "online intermediaries", such as hosting and cloud providers. (There's a good comprehensive background paper by the European Parliamentary Research Service that goes into depth about the current liability regime's aim and scope, as well as current implementation gaps that the new act should seek to address.)
The European Commission held an open consultation on the DSA, which closed on 8 September and which we encouraged all members of the RIPE community to contribute to. The RIPE NCC contributed to the consultation in two different capacities. First, we responded to the consultation's questionnaire in order to explain how the DSA will affect various aspects of the RIPE NCC's operations and the way we currently manage online content (which, for the purposes of the consultation, included RIPE community mailing lists and RIPE Labs).
Second, we also submitted a high-level position paper outlining what we see as the major issues in the existing directive that need to be addressed and the possible implications of this wide-reaching legislative proposal for the technical layers of the Internet. We wrote this not from our own personal operational perspective, but from that of a centre of technical expertise that has contributed to the development of the Internet in Europe for nearly thirty years, and which could perhaps offer some unique insights.
We also hosted a RIPE NCC Open House (an online community discussion) with a representative from the European Commission and an academic expert in July in order to discuss the DSA and its implications for the technical community. And we contributed to a panel discussion on the DSA and regulation of digital platforms during an ICANN 69 session.
Many other organisations also responded to the open consultation. A few that may be of particular interest to the RIPE community include BEREC (Body of European Regulators for Electronic Communications), which advocated for a regulatory framework that specifically targets digital platforms with "significant intermediation power" in order to encourage an open and competitive digital market in the EU. CENTR (Council of European National Top-Level Domain Registries) argued that, "ccTLDs, as technical actors responsible for crucial internet infrastructure, need to be explicitly exempted from the scope of the DSA and its potential liability rules." (The RIPE NCC and CENTR issued a joint press release about our response to the DSA, which resulted in articles in Circle ID and The Register.) Similarly, ICANN (Internet Corporation for Assigned Names and Numbers) also urged policymakers to separate the Internet's core infrastructure from the applications that run on top of it and not hold service providers operating at the core level liable for content they have no control over.
Recently, we've learned that the European Commission appears to favour a liability regime that would include different measures for very large online platforms, and would revise the current liability regime (as set out in the E-Commerce Directive) for services spanning the Internet's different layers. This would include content delivery networks, DNS registries and registrars, and search engines.
The Commission has also reportedly begun tackling the ex-ante rules for so-called "gatekeeper platforms", which they define as service providers that are essentially unavoidable in accessing the European market – including online marketplaces, app stores, social media platforms, search engines, operating systems and cloud providers – and how to regulate "unfair practices" including "self-preferencing", "anti-steering", unfair "tying and bundling" and limited or non-existent data sharing.
On 20 October, the European Parliament adopted three own-initiative reports on the DSA by the JURI (Legal Affairs), LIBE (Civil Liberties, Justice and Home Affairs) and IMCO (Internal Markets and Consumers) Committees (these reports are not legally binding but do hold political sway with the Commission). The reports focus on large content hosting platforms rather than providers operating at the infrastructure level, and reject the idea of ex-ante measures, such as automated tools or upload filtering, to control content. However, they stress the need to further clarify the difference between active and passive services along with how different services fall under the scope, such as WiFi hotspots, cloud services, web hosting, content delivery networks and domain name services. They also support the idea of a (new or existing) European-wide oversight body to enforce the rules.
There will surely be more to discuss regarding the Digital Services Act once we actually see the proposed text from the Commission in the coming months.
Fighting Child Sexual Abuse Online
Another focus area of the European Commission has been the fight against child sexual abuse material (CSAM) online. On 10 September, the Commission presented Parliament with its strategy to fight CSAM and a new proposal for an interim regulation on processing personal data for the purpose of combatting child sexual abuse.
As part of this strategy, the Commission will propose mandatory monitoring obligations for online platforms to detect, remove and report CSAM. So far, mere conduit and caching service providers have not been mentioned as falling under these obligations.
Just when you might have thought there was nothing left to say about the GDPR, it's again making headlines...
EU-US Privacy Shield
Another big development since our last update has been the European Court of Justice's decision on 16 July to invalidate the EU-US Privacy Shield. The ruling was based on the argument that the protections under US surveillance laws are not equivalent to those offered by the European GDPR (General Data Protection Regulation). The Privacy Shield protects personal data sent from Europe to the US, and the ECJ's ruling has thrown thousands of companies in Europe into doubt over how to handle cross-Atlantic data sharing with the US.
Not all data flows are affected by the ruling, however, including cases where users give consent to share their data abroad, those that are required to fulfil contracts, and other instances deemed necessary under the GDPR.
The EU institutions are now in discussions with the US to explore their options and find a solution. In the short term, that will largely involve administrative corrections and individual companies needing to take additional safeguards. New Standard Contractual Clauses (SCCs) are expected by mid-November and will be sent to the European Data Protection Board, which could take up to 14 weeks before offering its guidance. Member States will also need to approve the SCCs, which could take until early 2021.
In other GDPR news, the European Commission published an assessment of the regulation two years after the wide-reaching legislation came into force. While the report generally frames the GDPR as a success, it also identified several shortcomings around its fragmented implementation across different Member States.
The Commission is also carrying out an assessment of the future EU-UK relationship, under both the GDPR and the Data Protection Law Enforcement Directive, and is working with international partners to facilitate cooperation on data protection outside of the EU.
As a refresher, this regulation is the update to the current ePrivacy Directive, and will complement the GDPR by defining which data is covered. It's meant to include protections for communications data that currently isn't covered by the directive (including newer technologies such as Voice over IP and instant messaging), as well as privacy controls, cookies and spam. Like the GDPR, it has the potential to impact any operators and businesses with a presence in the EU. It's been stuck in Council for the past three years, as Member States haven't been able to agree on a common position.
As expected, the COVID-19 crisis meant that the Croatian Presidency of the Council was unable to make any progress on this file during its tenure in the first half of 2020. The German Presidency, however, which took over in the second half of 2020, has made the file a priority. With privacy now in the spotlight more than ever before thanks to COVID-19 and several Member States changing their position as a result, it's possible that negotiations might finally prove fruitful and an agreement could be reached ahead of the Council of telecom Ministers on 7 December, allowing the Commission, Parliament and Council to enter into trilogue negotiations (the next step in the legislative process) early next year, or perhaps even before the end of 2020.
European Data Strategy
The European Commission also held an open consultation on the European Data Strategy, which we reported on in our last update. The strategy is aimed at creating a single market for European data in order to encourage the sharing of data between public and private sectors.
The outcome of the consultation was that an overarching data strategy for Europe is indeed seen as a priority for the vast majority of respondents, along with more ease in accessing data from other companies and standardisation to improve interoperability and facilitate data sharing across sectors.
The European Parliament published a draft own initiative report that argues that Europe is not realising its full potential when it comes to data use for three reasons: lack of understanding, lack of trust and lack of interoperability. It touches on a number of different ideas including certification frameworks, rules around data storage in the cloud, the potential of anonymised personal data, and creating both vertical and horizontal data spaces to facilitate business-to-business and business-to-government data sharing, with the possibility of mandatory data-sharing obligations for "global tech giants" in order to support a more level playing field. Parliament hopes to adopt the final report by 11 November.
Revision of the NIS Directive
As we reported in our last update, the European Commission is set to revise the Network and Information Security (NIS) Directive, which came into effect in May 2018. The revision is meant primarily to address inconsistencies and fragmentation that resulted from differences in Member States' implementation of the directive, as they were left to define for themselves who qualifies as an "essential service operator" and "digital service providers", which are subject to risk management and incident reporting obligations under the directive's scope.
The Commission held an open consultation on the topic, which closed on 2 October, and which the RIPE NCC contributed to by urging the Commission to develop, in cooperation with the technical community, more precise definitions for the terms included in Annex II of the NIS Directive, including such terms as "network and information systems", "operator of essential services", "digital service provider" and more.
Security Union Strategy
The European Commission released a Security Union Strategy on 24 July, which spans a broad range of topics including child protection, network resilience, encryption, Europol, as well as the DSA and the revision of the NIS Directive. The strategy identifies four priorities: a future-proof security environment, tackling online threats, protecting Europeans from terrorism and organised crime, and a strong European security ecosystem.
The European Commission put forward a tender for a study on DNS abuse. The study will define the scope of the problem, identify different categories of abuse, detail the impact of DNS abuse on the European economy and society, and outline existing laws, policies and industry practices that deal with DNS abuse in order to identify gaps. It will also provide recommendations for future policymaking. The Commission has planned for two stakeholders' workshops as part of the process, and we will alert the RIPE community about how to participate when possible.
Cooperation with Law Enforcement
Negotiations on the E-Evidence package are slowly resuming in the European Parliament with a number of technical meetings, but the COVID-19 crisis has continued to delay progress. The technical issues must first be solved before the political negotiations can begin, so we don't expect a lot of movement on this in the near future.
Work Program 2021
The European Commission adopted its work program for the upcoming year on 19 October, laying out a number of new initiatives. These include a proposal in Q1 for a revision of the eIDAS Regulation which will look at drivers and barriers for Europeans using national ID systems to access public services across the EU; 2030 digital targets that will include connectivity targets; a Data Act in Q3 in the context of the European Data Strategy (see above); and a proposal on data-sharing in cross-border terrorism cases in Q4. Stay tuned as we learn more about these initiatives and report back to you!
Did you find this update useful? Does EU regulation affect your work or operations? Please share your comments or questions below! And if you'd like to stay up to date on these and other government and regulation topics, consider joining the RIPE Cooperation Working Group Mailing List.