EU Policy Update – Summer 2019
In a nutshell: On 2 July, the 9th legislature of the European Parliament was officially constituted, with the new MEPs taking their seats. The European Parliament elected the President of the European Commission, who will lead the work of the Commission for the next five years starting from 1 November 2019. The European Data Protection Board, together with the European Data Protection Supervisor, issued their joint assessment on the US CLOUD Act and its impact on the EU. The European Commission outlined its future plans for cybersecurity certification under the EU Cybersecurity Act, which entered into force on 27 June 2019. The European Commission published its study on the legal framework of notice-and-action procedures within Member States, which was conducted last year. A new study for the European Parliament on the challenges between blockchain technologies and the GDPR was published. The European Court of Justice delivered a judgment on the notion of joint controllership under EU data protection legislation.
European Parliament elected President of the European Commission
On 16 July, the European Parliament elected Ursula von der Leyen as the President of the next European Commission. She is set to lead the work of the European Commission in the next five-year term starting from 1 November 2019. Ahead of the election, Ursula von der Leyen published her political guidelines for the next European Commission 2019-2024. Her "digital agenda" strives to develop joint standards for European 5G networks and for Europe to lead on standardising other new-generation technologies, such as blockchain, high-performance computing, algorithms and tools for data sharing and usage. In her first 100 days in office, von der Leyen promises to put forward legislation for a "coordinated European approach on the human and ethical implications of Artificial Intelligence". Furthermore, von der Leyen is set on putting forward a new "Digital Services Act" that, according to the newly elected President of the European Commission, will "upgrade our liability and safety rules for digital platforms, services and products, and complete our Digital Single Market".
European Data Protection authorities assessed the implications of US law on access to electronic evidence in the EU
On 12 July, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) published their joint assessment on the US CLOUD Act and its impact on the EU legal framework for the protection of personal data. The US CLOUD Act was enacted in March 2018 to allow US law enforcement authorities to obtain personal data held by service providers that fall under US jurisdiction, irrespective of where the data is stored. Effectively, the US CLOUD Act seeks access to non-US citizens' data, bypassing the existing international instruments in the sphere of mutual legal assistance between countries, and applies US law in an extra-territorial manner. According to the joint assessment, this puts the US CLOUD Act in conflict with the GDPR. While assessing the different existing legal bases for data transfers to third countries under the GDPR, the EDPB and EDPS noted that "public interest" cannot be invoked as a basis for such transfers in order to allow US law enforcement authorities to request personal data processed within the EU. According to the EDPB and EDPS, "the public interest of a third country as such is of no incidence".
European Commission's plans for EU-wide cybersecurity certification
On 23 July, the European Commission updated the newly elected MEPs in the European Parliament Committee on Industry, Research and Energy (ITRE) on its plans regarding the upcoming cybersecurity certification under the newly adopted EU Cybersecurity Act, which entered into force on 27 June 2019. The new law establishes the first EU-wide cybersecurity certification framework for digital products, services and processes. Under the legislation, the EU cybersecurity agency, ENISA, is tasked with developing EU cybersecurity certification schemes at the request of the European Commission. According to the European Commission's presentation during the hearing in ITRE, 5G remains one of the top priorities for the upcoming work on cybersecurity certification. In addition, EU-wide certification of Internet of Things (IoT) devices was triggered by corresponding developments within the Member States, which are looking into certified IoT. The certification of critical digital infrastructure (such as ccTLDs) will be decided upon once the new European Commission is in place in November 2019, and priorities will be established at that point. According to the European Commission, the EU Cybersecurity Act is expected to encourage "operators of essential services" to seek certification in order to comply with the obligations set in the Directive on the security of network and information systems (NIS Directive).
European Commission's report on identification of "operators of essential services" is delayed
The NIS Directive was supposed to be transposed into national law of Member States by 9 May 2018. According to the European Commission's Progress Report towards an effective and genuine Security Union of 24 July, 26 Member States have notified the Commission of the full transposition and 2 Member States have partially transposed the Directive (Belgium and Hungary respectively). By 9 May 2019, the Commission was supposed to submit a report to the European Parliament and the EU Council assessing the consistency of the approach in the identification of operators of essential services (OES) within their territory. However, due to the fact that a number of Member States had yet to submit complete information on the identification process of OES, the Commission has had to delay its report.
European Commission published a study on the legal framework of notice-and-action procedures
The European Commission has recently published a study from July 2018 that looks into the hosting service providers' liability regime and notice-and-action procedures within Member States. The study has identified that there is no common notice-and-action procedure, nor is there a common standard for minimum notice requirements for removal of content online. The study also shows that some hosting service providers have granted a special status to organisations (so-called "trusted flaggers") for notifying allegedly illegal content. The survey amongst hosting service providers suggests that "trusted flaggers" typically benefit from a variety of exemptions when flagging allegedly illegal content, such as "an ability to submit large volumes of notices and URLs pointing to allegedly illegal content; exemption from captcha; exemption from the need to provide contact information, statement and signature for each request; submission via an Application Programme Interface (API); and access to administrative controls and a dashboard." The survey has also indicated that "notices submitted by trusted flaggers are not always accurate".
European Parliament commissioned a study on challenges posed by blockchain and GDPR
A study commissioned by the European Parliament on the challenges posed by blockchain in the context of EU data protection legislation observed that blockchain technologies, indeed, raise a number of difficult questions when it comes to their compliance with the GDPR. However, these challenges are not unique to blockchain and can be considered as a broader phenomenon that can be applied to "other expressions of the contemporary data economy", such as big data. Despite the fact that blockchain technologies challenge core assumptions of European data protection law, such as data minimisation and purpose limitation, the study concluded that it is not necessary to revise the GDPR. What is needed to increase legal certainty is regulatory guidance regarding how specific concepts of the GDPR should apply when blockchain technologies are used. In this context, both certification and codes of conduct can be used to ensure that the principles of data protection law are upheld where personal data is processed. For example, this has been achieved in relation to cloud computing which also raised many similar challenges in connection to the GDPR.
ECJ gives guidance on a concept of joint controllership
The European Court of Justice (ECJ) has ruled on the concept of "joint controller" in EU data protection legislation for cases where a website operator embeds a social media plugin, such as a Facebook "like" button, into its website. According to the ECJ judgment, both the website operator (in the present case the German company Fashion ID, which incorporated the "like" button on its website) and Facebook Ireland (to which the personal data of website visitors was transmitted) are joint controllers of the personal data of Fashion ID website visitors. Furthermore, the fact that a website operator does not itself have access to the personal data collected and transmitted to the provider of the social plugin does not preclude it from being a controller, according to the ECJ. When it comes to a legitimate purpose for processing the personal data of website visitors, it is necessary that each of those controllers pursues a legitimate interest under EU data protection legislation. The ECJ also ruled that, where social media plugins are embedded into its website, the website operator must obtain consent from website visitors for the processing and onward transmission of their personal data to third parties.