The Developers Alliance Summer 2020 European Policy Update 🌞
This image was taken via The Submarine Cable Map, a free and regularly updated resource from TeleGeography.
For all of you coming back (safe we hope!) from vacation, here’s what happened during the last two months in the EU and UK.
Your Number One Takeaway: Huge Uncertainty Regarding EU-US Data Transfers
On July 16th, the EU Court of Justice issued its decision in the Case C-311/18 – Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (Schrems II case). The Court invalidated the Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield. The Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries was considered to still be valid however.
On August 10, the U.S. Department of Commerce and the European Commission announced that they have initiated discussions to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework to comply with the Court judgement
Developers Alliance Joins Global Privacy And Data Experts Asking EU and U.S. For Legal Certainty In Cross-Border Data Transfers
An international group of seventeen trade associations urged U.S. and European regulators to swiftly begin negotiations on a successor agreement to the EU-U.S. Privacy Shield. In a letter led by the Information Technology Industry Council (ITI) and sent to European Justice Commissioner Didier Reynders, U.S. Secretary of Commerce Wilbur Ross, and European Data Protection Board Chairwoman Dr. Andrea Jelinek, the associations also welcomed the Court’s upholding of Standard Contractual Clauses (SCCs) as a valid transfer mechanism and encouraged the U.S. and EU governments to work together to ensure the long-term viability of SCCs. The entire letter can be read here.
Noyb Continues Anti-Data Transfer Crusade
Noyb, the digital rights NGO led by the activist Max Schrems, are continuing their ‘battle’ against EU-US data transfers, one month after the Schrems II decision. They have filed complaints in all 30 EU and EEA member states against a total of 101 European companies. All of these companies forward data about their visitors to Google and Facebook, using either the Google Analytics or Facebook Connect platforms. Complaints were also brought against Google and Facebook in the US, for continuing data transfers. TechCrunch details the situation further here.
Online Platforms Regulation
P2B Comes To Bear, Effective Now
The Platform-to-business Regulation (P2B Regulation) took effect on 12 July 2020. On July 10 the Commission published a Q&A document to “serve as a checklist for online platforms and search engines, particularly smaller ones when implementing the new requirements.” They continued with “It will help businesses get information on their new rights and the options available to resolve problems that may arise in their commercial relationships with online platforms.” The Commission is running late however in presenting the promised guidelines on ranking transparency.
Commission Expert Group Publishes Progress Reports On Online Platform Economy
On 10 July the independent expert group of the Observatory on the Online Platform Economy published three separate draft progress reports. The reports detailed data access, differentiated treatment, and methodological ideas relating to the question of how best to measure key aspects of the online platform economy. The progress reports will feed into the Commission’s ongoing work on the Digital Services Act and other legislative initiatives related to the digital economy.
Regulation Of Future Past
We’re covering for you all the ongoing stakeholder consultations on future regulations that will impact the tech industry. You can also provide direct feedback to the European Commission. If, for example, however, your time is limited and doesn’t allow you to fill out the Commission’s long questionnaire on the future Digital Services Act package, please let us know. We would like to understand the acute issues affecting your business when it comes to online platforms competition, privacy, data protection, data access and interoperability, artificial intelligence, intellectual property, cybersecurity and so forth. Don’t hesitate to reach out if you’re concerned about current or future regulations, we’re happy to answer your questions.
EU Court Of Justice Has Its Say On Copyright
On 9 July 2020 the EU Court of Justice delivered its judgment in Constantin Film Verleih GmbH v YouTube LLC and Google Inc.(C-264/19). In it, the court states that “when a film is unlawfully uploaded onto an online platform, such as YouTube, the right holder may, under the directive on the enforcement of intellectual property rights, require the operator to provide only the postal address of the user concerned, but not his or her email, IP address or telephone number.” The full statement can be read here.
Advocate General Saugmandsgaard Øe Says Rights Holders Should Seek Injunctions
According to Advocate General’s Opinion in Joined Cases C-682/18 Frank Peterson v Google LLC, YouTube LLC, YouTube Inc., Google Germany GmbH and C-683/18 Elsevier Inc. v Cyando AG, as EU law currently stands, online platform operators, such as YouTube and Uploaded, are not directly liable for the illegal uploading of protected works by the users of those platforms.
The Advocate General Saugmandsgaard Øe is of the opinion however that irrespective of the question of liability, right holders may obtain, under EU law, injunctions against the operators of online platforms, imposing obligations on the latter. Rightsholders must be able to apply for such an injunction where it is established that third parties have infringed upon their rights through the service provided by platform operators. They do not need to wait for infringement to take place again or to show improper conduct by the intermediary. The opinion can be read in its entirety here.
IoT Market Antitrust Investigation
On July 16 the European Commission launched an antitrust competition inquiry into the sector of the Internet of Things (IoT). The Commission gathers market information on a particular sector of the economy and into types of agreements across various sectors when it believes that a market is underperforming and suspects a breach of competition rules. The Commission expects to publish a preliminary report in the spring of 2021, and the final report in the summer of 2022.
German National Cybersecurity Agency To Launch In 2023
On August 11 the German government announced it had set up a federal cybersecurity agency to combat cyberthreats to the country’s security and strengthen its digital sovereignty. The project was initially funded with €350 million ($412 million or £309 million). Defense Minister Annegret Kramp-Karrenbauer called the agency’s creation a “milestone” and that the “development of ideas and innovative approaches particularly in the field of digital security deserves our special commitment.” The organization will launch and will (eventually) operate out of the Leipzig/Halle airport.
NIS Directive Receives Public Consultation In Advance Of Update
The European Commission has launched a public consultation on the revision of the Directive On Security Of Network And Information Systems, otherwise known as the NIS Directive. The consultation will be open until 2 October 2020. The Commission seeks to gather stakeholders’ feedback on possible solutions to address the shortcomings in the implementation of the directive, but also on its intention to extend the scope to cover other sectors and services (e.g. social media), which means additional regulatory compliance obligations for many tech businesses.
ENISA Holds 1st Meeting
The Advisory Group of the EU’s cybersecurity agency ENISA met for the first time on July 20 to discuss the Agency’s new strategy (published on July 17) and the current political landscape of Europe’s cybersecurity ecosystem.
Women4Cyber Partners With DG CNECT For Women4Cyber Registry
DG CNECT together with the Women4Cyber initiative from the European Cybersecurity Organisation (ECSO) committed last year to create a registry of European women in cybersecurity. The Women4Cyber Registry was created to identify and build the community of women professionals in the field of cybersecurity. The EU Cybersecurity: Commission “aims to become a reference point for expert groups, event organisers, media, as well as collaboration and potentially business opportunities.”
Coronavirus Is Still Kicking
EU Commissioner For Trade, Phil Hogan, Resigns After Corona Controversy
The EU Commissioner for Trade, Phil Hogan, resigned on August 26, following a controversy related to an alleged breach of COVID-19 restrictions. Hogan attended an Oireachtas Golf Society dinner on August 19. The 80 attendee event was in conflict with COVID-19 restrictions on large gatherings, leading to the controversy known as “Golfgate.”
Dara Calleary, the Irish Minister for Agriculture, Food and the Marine was also forced to resign. Calleary was only recently appointed to the position on July 15 2020, holding it for barely over a month after the previous holder was dismissed.
New Guidelines For Future Outbreaks
On 15 July the European Commission issued a set of guidelines for future outbreaks of coronavirus, particularly on the looming potential of a second major outbreak in the Fall. The new guidelines touch on the efforts of various science and technology-focused industries, including contact tracing and app interoperability.
Commission Signs SAP/Deutsche Telekom Platform Contract
Speaking of tracing apps, the European Commission has signed a contract for SAP and Deutsche Telekom to build a software platform that would enable the various member states’ nat
ional coronavirus contact tracing apps to be interoperable. France’s and Hungary’s apps are excluded from the project as they were built on a rejected alternative approach, the centralized model.
French CNIL Takes Issue With StopCovid App Irregularities
France’s data protection authority, the CNIL (National Commission for Data Protection) urged the French government to fix irregularities found within its StopCovid app. These issues were related to the impact analysis, the use of Google’s reCAPTCHA technology and information is given to users and contained in sub-processing contracts. France (in)famously rejected the decentralized model agreed upon by the rest of the EU member states, except Hungary. Instead, it opted for a model where all individuals’ data is kept in a centralized location maintained and owned by the government. The announcement has led to some highlighting these irregularities as proof of the centralized system’s flaws.
UK National App Begins Trials
Meanwhile, the revamped UK tracing app has begun public trial testing. The UK (in)famously reversed directions earlier this summer and began development of an app/system based upon Google and Apple’s iOS/Android privacy-focused, cross-platform tools. Testing will be held on the Isle Of Wight and will be focused on reducing false-exposures due to Bluetooth inaccuracies.
Prepare For A Hard Brexit
Past The Seventh Round
The European Union’s chief Brexit negotiator Michel Barnier stated “There can’t be any surprise concerning the EU’s priorities because they have been the same since 2017, We will continue to patiently repeat them until the end.”
The UK’s Chief Negotiator of Task Force Europe, David Frost, stated that “When the EU accepts this reality in all areas of the negotiation, it will be much easier to make progress.”
Sweeping Rule Changes To UK Law Coming Jan 21
For those of you living in, doing business in/with the UK, or in any other relation with the UK, please prepare (if you haven’t already) for new rules in all areas, as from 1 January 2021. We’ll keep you posted and we’ll also continue to cover UK tech-related issues.
👉 A Few Upcoming (Virtual) Events
Future Tech Week 2020 | Shaping Europe’s digital future , organized by the European Commision and – September 21-25
Cybersec Global 2020 – September 28-30
The Next Web (TNW) – October 1&2
Second European AI Alliance Assembly, for the members of the European AI Alliance – October 9
4th IoT Security Conference, a series of webinars organized by ENISA, Europol and CERT-EU – October 7 – 21
Annual Privacy Forum 2020, organized by ENISA, DG CONNECT and the Católica University of Portugal, Lisbon School of Law- October 22-23