Key European legislation in the technology and communications sector faces uncertainty pending the European Parliamentary elections although some legislation has just been squeezed through.
What's the issue?
The European Commission has, in the last few years, published a significant amount of key draft legislation which it hoped to get through before the European Parliamentary elections in May this year. Some of this has proved highly contentious and the Commission has been largely unsuccessful in its attempts. The Data Protection Regulation, the Connected Continent proposals, the Network Information Security Directive, the e-Signatures Regulation and the Broadband Directive have all reached varying stages but only the last two of these looks to be in final form. In addition, the Court of Justice of the European Union recently declared the enacted Data Retention Directive to be invalid.
What's the development?
The European Parliament has been busy trying to finalise legislation in some cases and adopt various bits of legislation at first reading in others, so as to clarify its position pending hand-over the new Parliament.
What does this mean for you?
In short – more waiting in most cases. Even legislation which is relatively far advanced could be changed following the elections if it requires further Parliamentary approval and the make-up of the Parliament changes significantly as a result of the elections. For the less advanced legislation, it is possible that re-negotiations will begin, setting back enactment or leading to further compromises.
Draft EC data protection Regulation
The European Parliament has approved an amended version of the draft EC data protection Regulation intended to overhaul the European data protection framework. Parliamentary approval has come just in time before the elections in May but it is still possible that the new Parliament could have an opportunity to make further changes. If the Council and Parliament fail to agree on a compromise text, the draft Bill will be sent back to the Parliament for a second reading, at which point, the new Parliament may take a very different view to the current one and we could go back to the drawing board.
EU Justice Ministers met in March to discuss the draft EU data protection Regulation. Reportedly there was widespread support for the law to apply to any company located outside the EU which targets EU citizens although some countries commented that this would be difficult to enforce, particularly where national laws conflicted. The subject of transfers outside Europe was another hot topic with some Member States pushing for further tightening of the provisions while others, including the UK's Chris Grayling, argued that overly prescriptive rules would be damaging to services such as cloud computing. In addition, the issue of how to handle pseudonymisation was discussed. There appears to be an acceptance by Ministers that the concept of pseudonymised data should be included in the draft Regulation. Where the Council may depart from the views of the EU Parliament is over the extent to which reduced compliance obligations should apply to the processing of this data.
The next meeting to discuss this will be in June. However, the Greek Presidency of the European Union has reportedly abandoned attempts to agree the new draft data protection Regulation by then. Instead, the focus is on a "partial general approach" to reach consensus on a few key provisions including the data portability clause and the one stop shop. Even this reduced scope was described as "a Herculean task" by Greek Official Lilian Mitrou while addressing a conference in Brussels.
Connected Continent proposals
The Connected Continent proposals were originally intended to harmonise various areas of communications law in the European Union, particularly in relation to regulators, spectrum allocation, roaming charges and net neutrality.
Since publication of the proposals, various European Parliamentary committees have been giving their Opinions which culminated in an adoption of a consolidated position at first reading by the European Parliament in April.
The Opinion of the Committee for Civil Liberties, Justice and Home Affairs (LIBE) supports legislating on net neutrality and says rules should prevent ISPs from agreeing specialised services agreements which ensure a quality of service level beyond what is "technically necessary" for content services to function. In addition, specialised services service level agreements should not be permitted to have an impact on the quality of other internet access services.
LIBE proposes that specialised services be considered as any electronic communication service within a closed network where access is controlled and where that service is not advertised or used as an internet access service and is not functionally identical to services available over the public internet. The LIBE Opinion also recommends regulators establish clear and comprehensible notification and redress mechanisms for consumers who have been subjected to "discrimination, restriction, or interference of online content, services or applications". ISPs should not be able to offer services to consumers where there is discrimination over the speed and volume of content provided unless they have gained free, explicit and informed consent. The exception would be for reasonable traffic management measures.
ITRE (the Industry, Research and Energy Committee) has backed plans to abolish retail roaming charges for voice, SMS and data by December 2015, and backed amended proposals for spectrum management and boosting net neutrality. It also voted to water down a proposal for a single telecoms regulator and for the Commission to take over powers from the regulator BEREC and it did not back the proposals to regulate prices for international phone calls made from the caller's home country.
The Committee of the Regions (Comittee) is a committee of local and regional representatives which must be consulted by the European Commission and Council when new proposals are made in areas which have repercussions at a regional or local level. In its Opinion, it broadly welcomes the proposals but warns that Europe is not currently a level playing field with respect to developments in telecoms so a gradual multi-speed approach would be preferable to a unilateral one. It supports the roaming proposals more or less in full but has reservations about the transfer of competences in the proposals relating to a single European regulatory regime and in relation to spectrum allocation. As far as net neutrality is concerned, the Committee is in favour of legislating to preserve it but has concerns that too many exceptions are allowed under current proposals and that certain terms are too vague.
The April vote took place mainly in order to consolidate work so far prior to the elections. The proposals still have to be agreed on by the Council but the hope is that they will be adopted some time during 2014. The Commission has said the Connected Continent proposals will be top of the legislative agenda after the May elections.
Network Information Security Directive
The European Parliament has approved an amended version of the Cyber Security Bill which is intended to reduce the impact of cyber attacks in Europe and save billions of Euros. Under the Parliment's version, online companies would not be required to report cyber incidents and nor would government bodies. This is a very different proposition from the original draft which would have imposed reporting requirements on both these categories.
The Parliamentary version of the draft law looks likely to be unpopular with the Council. EU governments continue to disagree about breach reporting requirements and about the extent of their application, even to the point that they should be voluntary rather than mandatory.
The EC has admitted that it is unlikely to enact the Network Information Security Directive before the end of 2014. Even this timeline could prove ambitious though following reports that the UK, Belgium, Finland, France, Germany, Ireland, the Netherlands and Sweden, are pressing to drop plans for a formal cooperation network and make it optional (rather than mandatory) to share some information in order to introduce some discretion where information is commercially sensitive or relevant to national security.
The European Parliament and Council have agreed a common position on the proposal for a Regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market and the Parliament adopted the text in April 2014. The aim is to ensure secure and seamless electronic transactions between businesses, individuals and public authorities. E-signatures will have the equivalent legal effect of a handwritten signature and there will be a new optional framework for authenticating electronic IDs across national borders. EU Member States will be required to opt-in to the scheme so that their e-ID schemes are mutually recognised across borders. EU governments will have to make sure that personal data is “attributed unambiguously to the natural or legal person” using the e-ID system. In addition, individuals will be able to sue the government if their ID has been used by the wrong person.
The Regulation now awaits formal adoption by the Council but it is likely to pass without further disruption and apply from July 2016.
Data Retention Directive R.I.P.
The Court of Justice of the European Union (CJEU) has declared the Data Retention Directive (Directive) "invalid". The Directive was introduced in the wake of the London and Madrid bombings but has come under renewed scrutiny following the Snowden revelations. The Directive requires telecoms companies and ISPs to retain certain traffic and location data for a period for up to two years for the purposes of investigation, detection and prosecution of serious crime. While the retained data does not include personal data such as subscriber names or the content of the communications, privacy campaigners have long argued that the Directive infringes the fundamental European rights to respect for private life and protection of personal data and the High Court of Ireland and the Constitutional Court of Austria asked the CJEU to examine the validity of the Directive in the light of these fundamental rights.
In an emphatic ruling, the CJEU has found that the Directive "entails a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary" and that it is, therefore, invalid. The reasoning was that the data retained does enable identification of the person with whom a subscriber or registered user had communicated with, as well as the time and place of the communication and the number of communications during a given period. This, "taken as a whole, may provide very precise information on the private lives of the persons whose data are retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, activities carried out, social relationships and the social environments frequented".
The CJEU goes on to consider whether such interference with fundamental rights is justified. It finds that the level of data retention under the Directive does not adversely affect the essence of the fundamental rights to respect for private life and to the protection of personal data and that the retention of the data does "genuinely satisfy an objective of general interest, namely the fight against serious crime and, ultimately, public security". However, the CJEU finds that in view of the seriousness of the interference with fundamental rights, the EU legislature's discretion was reduced and that by adopting the Data Retention Directive, it exceeded the limits imposed by compliance with the principle of proportionality.
The CJEU points to a number of areas where the Directive goes beyond what was strictly necessary to achieve its aims:
- the Directive is too general – it covers all individuals and all traffic data without any differentiation, limitation or exception;
- the Directive fails to lay down any objective criterion which would ensure that the national authorities which have access to the data can only use it for the purposes of serious crime detection, prevention and prosecution. In addition, it does not set out procedural steps for accessing data, for example, by applying for a court order;
- the six month minimum retention period applies unilaterally to data without any distinction and there are no objective criteria to help determine the length of time for which it is strictly necessary to retain the data;
- there are insufficient safeguards against the risk of abuse and unlawful access to data and there is no requirement to destroy the data irreversibly at the end of the retention period;
- the Directive does not require retained data to be held within the EU which means it does not ensure the protection and security of the data which is often transferred outside the EU.
The EU is already working on a replacement for the Directive but this will become all the more urgent following the CJEU ruling. The ruling will result in a period of uncertainty for telecoms companies and ISPs and will no doubt present a problem for national security agencies but it has been welcomed by data protection stakeholders.
The Broadband Directive on measures to reduce the cost of deploying high-speed electronic communications networks has been adopted by the European Parliament following the agreement of a compromise text with the Council. The Directive is intended to facilitate and incentivise the rollout of high-speed electronic communications networks by promoting the joint use of physical infrastructure and by enabling a more efficient deployment of new infrastructure in order to reduce costs. It also introduces measures to ensure co-operation and streamlining of procedures. The Council is expected to adopt the Directive in June 2015 without further amendments.
Trade Secrets Directive
The Commission announced on 28 November 2013 a proposal for a Directive on Trade Secrets and Confidential Business Information (PDF).
The proposed Trade Secrets Directive (full title: "Proposal for a Directive on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure") seeks to harmonise national laws of EU member countries by establishing:
- common definitions of trade secrets and confidential business information and circumstances when the acquisition, use and disclosure of a trade secret is unlawful;
- measures, procedures and remedies that should be made available to the holder of a trade secret in case of unlawful acquisition, use or disclosure of that trade secret; and
- sanctions in case of non-compliance with the measures provided and provisions on monitoring and reporting.
The proposal for a Trade Secrets Directive follows surveys and consultations in 2011/12 which concluded, amongst other things, that trade secrets effectively fill the gap between copyright and patent protection, but that the levels of protection / remedies afforded are uneven across the EU and this impacts on business decisions.
The Commission's proposal will be transmitted to the Council of Ministers and the European Parliament for adoption under the ordinary legislative procedure and is still in its infancy.
The European Parliament has voted to adopt the proposed Directive on actions for damages for infringements of competition law which is intended to remove national procedural obstacles and legal uncertainty in relation to damages actions. The Directive will now pass to the Council for approval. In addition, the Council has adopted the Directive on e-invoicing in public procurement. The new technology transfer block exemptions and guidelines are now law as are the Public Procurement Directives.
Contract / Commercial
Just when you think the Common European Sales Law has sunk into obscurity, the European Parliament voted in favour of introducing an optional pan-European contract law for distance business to consumer and consumer to consumer sales in the EU in order to reduce the costs of cross-border transactions, especially for SMEs. Many governments and other stakeholders have criticised the proposals for introducing yet another contract regime to the EU and one which may create more problems than it solves. In particular, the UK has noted that in Member States which use case law to interpret contract law, a new regime is likely to result in increased litigation due to a lack of legal precedent. The CESL now has to go to the European Council for approval.
Another piece of legislation which the Parliament has adopted a first reading position on, amending the Commission's proposals, is the draft Regulation on consumer product safety. This is one of the measures of the Product Safety and Market Surveillance Package which was adopted by the Commission on 13 February 2013. The European Parliament backed the Commission's proposals for mandatory "made-in" labelling to be used to improve traceability of goods and strengthen consumer protection on non-food products and said it should apply to virtually all products sold in the internal market, subject to certain exceptions including medicines. They also proposed the Commission set up a public blacklist of firms which are "repeatedly found to intentionally infringe" EU product safety rules.