Tag: EU Council
22. February 2021
On February 10, 2021, representatives of the EU Member States have reached an agreement on a negotiating mandate for the draft ePrivacy Regulation.
The Council of the European Union’s (the Council) text approved by the EU Member States was prepared under Portugal’s Presidency. It will form the basis of the Council’s negotiations with the European Parliament as part of the trilogue process on the final terms of the ePrivacy Regulation, which will replace the current ePrivacy Directive.
The main key elements of the new draft are highlighted by the Council, and encompass the following points:
- Coverage of both electronic communications content and communications metadata – the text sticks with the general principle that electronic communications data is confidential, which means that any interference by anyone other than the parties involved in the communication is prohibited, except when given permission by the ePrivacy Regulation
- Machine-to-machine data transmitted via a public network, as this is deemed necessary to protect privacy rights in the context of Internet of Things applications
- The scope of application includes users located in the EU, regardless of whether the processing of their data takes place outside the EU or the service provider is located in a non-EU jurisdiction
- Regarding the use of cookies and other technologies involving the storage of information on or collection of information from a user’s device, the Council’s text provides that the use of these technologies will only be legitimate if the user has consented or for specific purposes laid down in the ePrivacy Regulation; however, users should be able to have genuine choice
In addition to broadening the scope of the current directive, the proposed regulation would most likely affect an advertising technology market that is already in the process of undergoing significant changes. As such, the European Commission is also working on the proposed Digital Service Act, Digital Governance Act and Digital Market Act.
However, the draft is presumed to initiate some arguments going forth into the next stage. Based on previous drafts, there are some differences which will need to be reconciled. Especially with regard to the permissions for accessing content and metadata of electronic communications, the two sides are somewhat divided. Where the European Parliament is pushing primarily for consent, the Council seems to have added some more permissions and exceptions to the consent rule. The content regarding data retention will be another point where intense arguments are predicted.
Criticism also comes from some countries, for example from the German Federal Commissioner for Data Protection, Ulrich Kelber. In a press release he attacked the new draft as “a severe blow to data protection”, mentioning that he is concerned by the “interference with the fundamental rights of European citizens”.
Although the new draft brings the erPrivacy Regulation back to life, it is still a long road before unison on its text is fully reached. It is certain that intense discussion in the upcoming trilogue process will continue, and the outcome will be closely watched by many.
8. December 2020
In November, the Austrian broadcasting network “Österreichischer Rundfunk” sparked a controversial discussion by publishing leaked drafts of the Council of the European Union (“EU Council”) on encryption (please see our blog post). After these drafts had been criticized by several politicians, journalists and NGOs, the EU Council published “Recommendations for a way forward on the topic of encryption” on December 1st, in which it considers it important to carefully balance between protecting fundamental rights with ensuring law enforcement investigative powers.
The EU Council sees a dilemma between the need for strong encryption in order to protect privacy on one hand, and the misuse of encryption by criminal subjects such as terrorists and organized crime on the other hand. They further note:
“We acknowledge this dilemma and are determined to find ways that will not compromise
either one, upholding the principle of security through encryption and security despite
encryption.”
The paper lists several intentions that are supposed to help find solutions to this dilemma.
First, it directly addresses EU institutions, agencies, and member states, asking them to coordinate their efforts in developing technical, legal and operational solutions. Part of this cooperation is supposed to be the joint implementation of standardized high-quality training programs for law enforcement officers that are tailored to the skilled criminal environment. International cooperation, particularly with the initiators of the “International Statement: End-to-End Encryption and Public Safety“, is proclaimed as a further intention.
Next the technology industry, civil society and academic world are acknowledged as important partners with whom EU institutions shall establish a permanent dialogue. The recommendations address internet service providers and social media platforms directly, noting that only with their involvement can the full potential of technical expertise be realized. Europol’s EU Innovation Hub and national research and development teams are named key EU institutions for maintaining this dialogue.
The EU Council concludes that the continuous development of encryption requires regular evaluation and review of technical, operational, and legal solutions.
These recommendations can be seen as a direct response to the discussion that arose in November. The EU Council is attempting to appease critics by emphasizing the value of encryption, while still reiterating the importance of law enforcement efficiency. It remains to be seen how willing the private sector will cooperate with the EU institutions and what measures exactly the EU Council intends to implement. This list of intentions lacks clear guidelines, recommendations or even a clearly formulated goal. Instead, the parties are asked to work together to find solutions that offer the highest level of security while maximizing law enforcement efficiency. In summary, these “recommendations” are more of a statement of intent than implementable recommendations on encryption.
27. November 2020
In the course of November 2020, the Council of the European Union issued several draft versions of a joint declaration with the working title “Security through encryption and security despite encryption”. The drafts were initially intended only for internal purposes, but leaked and first published by the Austrian brodcasting network “Österreichischer Rundfunk” (“ORF”) in an article by journalist Erich Möchel. Since then, the matter has sparked widespread public interest and media attention.
The controversy around the declaration arose when the ORF commentator Möchel presented further information from unknown sources that “compentent authorities” shall be given “exceptional access” to the end-to-end encryption of communications. This would mean that communications service providers like WhatsApp, Signal etc. would be obliged to allow a backdoor and create a general key to encrypted communications which they would deposit with public authorities. From comparing the version of the declaration from 6 November 2020 with the previous version from 21 October 2020, he highlighted that in the previous version it states that additional practical powers shall be given to “law enforcement and judicial authorities”, whereas in the more recent version, the powers shall be given to “competent authorities in the area of security and criminal justice”. He adds that the new broader wording would include European intelligence agencies as well and allow them to undermine end-to-end encryption. Furthermore, he also indicated that plans to restrict end-to-end encyption in Western countries are not new, but originally proposed by the “Five Eyes” intelligence alliance of the United States, Canada, United Kingdom, Australia and New Zealand.
As a result of the ORF article, the supposed plans to restrict or ban end-to-end encryption have been widely criticised by Politicians, Journalists, and NGOs stating that any backdoors to end-to-end encryption would render any secure encryption impossible.
However, while it can be verified that the “Five Eyes” propose the creation of general keys to access end-to-end encrypted communications, similar plans for the EU cannot be clearly deduced from the EU Council’s declaration at hand. The declaration itself recognises end-to-end encryption as highly beneficial to protect governments, critical infrastructures, civil society, citizens and industry by ensuring privacy, confidentiality and data integrity of communications and personal data. Moreover, it mentions that EU data protection authorities have identified it as an important tool in light of the Schrems II decision of the CJEU. At the same time, the Council’s declaration illustrates that end-to-end encryption poses large challenges for criminal investigations when gathering evidencein cases of cyber crime, making it at times “practically impossible”. Lastly, the Council calls for an open, unbiased and active discussion with the tech industry, research and academia in order to achieve a better balance between “security through encryption and security despite encryption”.
Möchel’s sources for EU plans to ban end-to-end encryption through general keys remain unknown and unverifiable. Despite general concerns for overarching surveillance powers of governments, the public can only approach the controversy around the EU Council’s declaration with due objectivity and remain observant on whether or how the EU will regulate end-to-end encryption and find the right balance between the privacy rights of European citizens and the public security and criminal justice interests of governments.
19. May 2016
The EU Council adopted this week the Network and Information Security Directive (NIS Directive) at first reading. The NIS Directive is part of the EU cyber security strategy, which main objective is to prevent and respond to disruptions and cyber-attacks in telecommunications systems located in the EU.
The Directive aims at achieving a minimum level of IT security and implementing an effective risk management culture for digital technologies. Furthermore, it also aims at dealing with IT security breaches by imposing the obligation to report significant incidents without delay, especially for business or organizations whose main activity is subject to a higher risk, such as cloud providers or social networks.
The five main goals of the NIS Directive are:
- To achieve cyber resilience
- To reduce cybercrime significantly
- To develop a cyber defense policy at EU level by creating authorities at national level
- To promote the development of technological resources
- To implement a solid international cyberspace policy
After the EU Council has adopted the NIS Directive at first reading, the draft must be approved by the EU Parliament at second reading. If the EU Parliament approves the Directive, it might enter into force in August 2016.