From:
To:
Cc: BUCHTA Anna;
Subject: Emailing: onlineT.31.1.2019revABu.doc (CMS case file 2018-0822)
Date: 01 February 2019 12:40:15
Attachments: onlineT.31.1.2019revABu.doc
Dear,
We will soon receive a request for EDPS formal comments by LIBE on this legislative proposal
(Regulation on prevention of dissemination of terrorist content online), DL could be 12 Feb
(final DL for LIBE on this for amendments is 15 Feb).
I prepared a draft, reviewed by Anna, which I hope takes fully into account Giovanni's
suggestion/guidance of the past meeting on this.
I remain available for any query on this file.
PS. Dear
some formatting is needed, I apologize and kindly ask you to address this (I'll
come to you so we can do this together, I have some instructions from Anna on layout).
Formal comments of the EDPS on the Proposal for a Regulation of the European Parliament and of the Council on preventing the dissemination of terrorist content online
1. Introduction and background
• These formal comments are in reply to a consultation of the EDPS by the European
Parliament on [..] February 2019, following a request from the Chair of the Committee
on Civil Liberties, Justice and Home Affairs (LIBE), on the proposal for a Regulation
of the European Parliament and of the Council on preventing the dissemination of
terrorist content online (hereinafter, ‘the Proposal’)¹, adopted by the European
Commission on 12 September 2018, and are issued by the EDPS in accordance with
Article 57(1)(g) and 58(3)(c) of Regulation (EU) 2018/1725².
• The aim of the Proposal is to establish harmonized rules for hosting service providers
(hereinafter, ‘HSPs’) who offer their services within the Union, regardless of their
place of establishment, to prevent the dissemination of terrorist content through their
services and to ensure its swift removal.
• The Proposal establishes a set of duties of care for HSPs and sets out various
obligations for competent authorities of the Member States relating to the enforcement
of the Proposal. In particular, the Proposal introduces the following measures:
- HSPs would have to take appropriate, reasonable and proportionate actions
against the dissemination of terrorist content, in particular to protect users from
terrorist content (Article 3);
- HSPs would have to remove or disable access to terrorist content within one
hour upon receipt of a removal order issued by a competent authority of a
Member State (Article 4);
- HSPs would have to assess, on the basis of referrals sent by Member States’
competent authorities or by Union bodies (such as Europol) whether the
content identified in the referral is in breach of the HSPs’ respective terms and
conditions and decide whether or not to remove that content or disable access
to it (Article 5);
- HSPs would have to implement proactive measures to protect their services
against the dissemination of terrorist content, inter alia by using automated
tools to assess the stored content (Article 6);
- HSPs would have to preserve the content that has been removed and related
data which are necessary for the purposes of subsequent administrative
proceedings, judicial review and the prevention, detection, investigation or
prosecution of terrorist offences (Article 7);
1 COM (2018) 640 final, Proposal for a Regulation of the European Parliament and of the Council on preventing
the dissemination of terrorist content online.
2 Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the
protection of natural persons with regard to the processing of personal data by the Union institutions, bodies,
offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and
Decision No 1247/2002/EC, L295, 21.11.2018.
Postal address: rue Wiertz 60 - B-1047 Brussels
Offices: rue Montoyer 30
E-mail: edps@edps.europa.eu - Website: www.edps.europa.eu
Tel: 02-283 19 00 - Fax: 02-283 19 50
• The EDPS also notes that, pursuant to Article 6(2), HSPs should submit a report on the
proactive measures taken, including the ones based on automated tools, to the authority
competent to oversee the implementation of proactive measures under Article 17(1)(c).
The EDPS recommends specifying in the Proposal, under Recital 18, that HSPs should
provide the competent authorities with all necessary information about the automated tools
used, to allow thorough public oversight of the effectiveness of the tools and to ensure that
the latter do not produce discriminatory, untargeted, unspecific or unjustified results²¹.
4. Mandatory preservation of content and related data by the HSPs
• Pursuant to Article 7, HSPs would be required to preserve terrorist content (removed or
disabled as a result of any of the three possible sets of actions under the Proposal, i.e.,
executing removal orders, referrals or proactively) and related data²² for the purpose of
subsequent administrative proceedings and judicial review (as a safeguard in cases of
erroneous removal), as well as for the purpose of prevention, detection, investigation or
prosecution of terrorist offences²³.
• The EDPS notes that the imposition of such a data retention obligation on HSPs entails that
private entities are required to retain data (including personal data relating to the uploaders
and concerning offences, ‘terrorist offences’, having a criminal law nature) for law
enforcement purposes for the period of six months.²⁴ In this respect, the EDPS recalls that
pursuant to Article 10 of the GDPR the processing of personal data relating to criminal
offences should be carried out only under the control of official authority or when the
content analysis, November 2017, CDT, at page 21: “any use of automated content analysis tools should be
accompanied by human review of the output/conclusions of the tool.”,
available at: https://cdt.org/files/2017/11/Mixed-Messages-Paper.pdf
Another key point highlighted by this paper is the need to provide a clear, consistent, precise definition of the
type of content to be identified.
21 See the Declaration on Ethics and Data Protection in Artificial Intelligence, adopted at the 40th International
Conference of Data Protection & Privacy Commissioners, 23 October 2018, available at:
https://icdppc.org/wp-content/uploads/2018/10/20180922 ICDPPC-40th AI-Declaration ADOPTED p
See, in particular, point 3, letter (c): “Artificial intelligence systems transparency and intelligibility should be
improved, with the objective of effective implementation, in particular by: making organizations’ practices
more transparent, notably by promoting algorithmic transparency and the auditability of systems, while
ensuring meaningfulness of the information provided.”
In other words, we consider that the accountability of the HSP shall be strengthened. This calls for a high level
of transparency on how the possible ‘take down’ of uploaded content takes place (clear guidance on the
circumstances under which content is blocked, removed or restricted). In any case, it seems common
understanding that decisions on take down should be subject to human verification, and that HSPs should
provide meaningful explanations and reporting on the functioning and effectiveness of the envisaged
measures. This would also make it possible to check and ensure that any measure put in place by the HSP: a) strictly
complies with the purpose limitation principle (it is not used for other ‘aims’); b) does not produce
discriminatory, unspecific or unjustified results (also taking into account the ‘distribution’ of false positives,
not just their quantity).
22 On the need to define ‘related data’, see considerations made under Section 2.2 of these formal comments.
23 See Recital 21.
24 In particular Recital 22 provides: “To ensure proportionality, the period of preservation should be limited to
six months to allow the content providers sufficient time to initiate the review process and to enable law
enforcement access to relevant data for the investigation and prosecution of terrorist offences. However,
this period may be prolonged for the period that is necessary in case the review proceedings are initiated
but not finalised within the six months period upon request by the authority carrying out the review. This
duration should be sufficient to allow law enforcement authorities to preserve the necessary evidence in
relation to investigations, while ensuring the balance with the fundamental rights concerned” (emphasis added).
processing is authorised by Union or Member State law providing for appropriate
safeguards for the rights and freedoms of data subjects.
• Since the processing in question (preservation of terrorist content and related data) would
not be under the control of official authority, the appropriate level of safeguards to be ensured
is a key issue. The EDPS observes that Article 7(3) provides that HSPs should “ensure that
the terrorist content and related data [...] are subject to appropriate technical and
organisational safeguards” and these “technical and organisational safeguards shall ensure
that the preserved terrorist content and related data is only accessed and processed for the
[relevant] purposes [...] and ensure a high level of security of the personal data concerned.”
• The EDPS recalls that Article 7 of the repealed Directive 2006/24 (hereinafter, ‘the Data
Retention Directive’)²⁵ provided, with a wording similar to the one of the Proposal, that: “the
data shall be subject to appropriate technical and organisational measures to protect the data
against accidental or unlawful destruction, accidental loss or alteration, or unauthorised or
unlawful storage, processing, access or disclosure” and “the data shall be subject to
appropriate technical and organisational measures to ensure that they can be accessed by
specially authorised personnel only”. However, the CJEU concluded, in Digital Rights
Ireland, that the Data Retention Directive did not provide sufficient safeguards to ensure
effective protection of the retained data against the risk of abuse, unlawful access and
subsequent use of the data.²⁶
• The EDPS observes that it can be argued that the Proposal, similarly to the Data Retention
Directive, does not lay down substantive and procedural conditions relating to the access and
the subsequent use of the preserved data by “competent authorities”, as required by the
CJEU in Digital Rights Ireland.²⁷ The mere mention, in Recital 23, that the Proposal “does
25 Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of
data generated or processed in connection with the provision of publicly available electronic communications
services or of public communications networks and amending Directive 2002/58/EC, OJ L 105, 13.4.2006,
p. 54-63.
26 Joined Cases C-293/12 and C-594/12, Digital Rights Ireland, see in particular at paras 54-55 and 65-67. We
point out specifically to para 55: “The need for such safeguards is all the greater where, as laid down in
Directive 2006/24, personal data are subjected to automatic processing and where there is a significant risk of
unlawful access to those data”, as well as to para 67: “Article 7 of Directive 2006/24 (...) does not ensure that a
particularly high level of protection and security is applied by those providers by means of technical and
organisational measures, but permits those providers in particular to have regard to economic considerations
when determining the level of security which they apply, as regards the costs of implementing security measures.
In particular, Directive 2006/24 does not ensure the irreversible destruction of the data at the end of the data
retention period.” (emphasis added).
27 See Digital Rights Ireland, para 61-62, “(...) Directive 2006/24 does not contain substantive and procedural
conditions relating to the access of the competent national authorities to the data and to their subsequent use.
Article 4 of the directive, which governs the access of those authorities to the data retained, does not expressly
provide that that access and the subsequent use of the data in question must be strictly restricted to the purpose of
preventing and detecting precisely defined serious offences or of conducting criminal prosecutions relating
thereto; it merely provides that each Member State is to define the procedures to be followed and the
conditions to be fulfilled in order to gain access to the retained data in accordance with necessity and
proportionality requirements. (62) In particular, Directive 2006/24 does not lay down any objective criterion by
which the number of persons authorised to access and subsequently use the data retained is limited to what is
strictly necessary in the light of the objective pursued. Above all, the access by the competent national
authorities to the data retained is not made dependent on a prior review carried out by a court or by an
independent administrative body whose decision seeks to limit access to the data and their use to what is strictly
necessary for the purpose of attaining the objective pursued and which intervenes following a reasoned request
of those authorities submitted within the framework of procedures of prevention, detection or criminal
prosecutions. Nor does it lay down a specific obligation on Member States designed to establish such limits.”
(emphasis added).