Tuesday, 29 November 2022

Provisional Agreement on the recast Reception Conditions Directive: Preventing ‘Asylum Shopping’ and ‘Secondary Movements’ as the Ultimate Goal?

Vasiliki Apatzidou, legal practitioner in the field of EU Asylum Law and PhD Student, Queen Mary University of London.

Photo credit: Rebecca Harms, via wikicommons

The current instruments of the Common European Asylum System (CEAS), which include the recast Reception Conditions Directive, have been applicable since 2013, that is, for nearly a decade. However, already in 2015, the high number of arrivals of asylum-seekers in the European Union (EU) exposed a series of deficiencies, divergences and gaps in the EU legislation on asylum matters. The harmonization objective lost much of its relevance in the context of the response to the refugee ‘crisis’.[i] The paradox is that the so-called ‘crisis’ happened just two years after the completion of the reform of the CEAS in the summer of 2013. Therefore, in 2015 the Commission presented a new European Agenda on Migration that included both short-term measures and proposals for the long term.

In the long term, the European Commission proposed in May and July 2016 a third package of legislation with the aim of strengthening protection for asylum-seekers and imposing greater uniformity in rules and procedures across the different Member States. The Commission highlighted in 2016 that the prevention of ‘asylum shopping’ and ‘secondary movements’ was among the top priorities that it aimed to achieve through the reform of the CEAS. In 2016, the Commission presented the second package to reform the CEAS, and one of these proposals was the 2016 proposal for a recast Reception Conditions Directive (RCD).[ii] The negotiations started in 2016, and a political agreement between the Council and the European Parliament was reached in 2018. Further attempts at the technical level were made during the Austrian Presidency, but the proposal, as of today, has not been adopted. In fact, none of the instruments proposed in 2016 has been adopted to date (apart from the EU Asylum Agency), and the negotiations stalled.

Thus, in 2020 the Commission presented the new Pact on Migration and Asylum in order to boost the negotiations in the Council and propose a ‘fresh start’ on migration. As the recast RCD was one of the instruments on which a provisional agreement had been reached, the Commission did not amend this text at all through the proposed 2020 Pact on Migration and Asylum. As the Council is currently preparing to reopen discussions with the European Parliament on the recast RCD, this blogpost aims to examine the most important amendments of the recast RCD, mainly regarding the proposed measures that aim to prevent ‘secondary movements’ and ‘asylum shopping’, which are at the epicentre of the proposed legislation.

To achieve this objective, on the one hand, measures that improve the dignity and integration prospects of asylum-seekers are proposed to ensure that a dignified standard of living is provided in all Member States; on the other hand, new measures to constrain autonomy and impose sanctions on asylum-seekers are proposed to ensure that asylum applications will be examined in the ‘first country of asylum’ and that ‘asylum shopping’ will be prevented. Specifically, recital 13 of the recast RCD explicitly states that ‘applicants do not have the right to choose the Member State of application. An applicant must apply for international protection in accordance with the Dublin Regulation’. It is worth clarifying here that the Commission proposed in 2020 to replace the Dublin III Regulation with an Asylum and Migration Management Regulation, but as this has not yet been agreed, I will refer to the Dublin III Regulation for the purposes of this blogpost.

Measures to enhance Integration Prospects

It is apparent in the provisional agreement that the aim of the proposed Directive is to enhance integration measures for asylum-seekers and ensure that there are inclusion prospects for them wherever they are required to apply for asylum. In this way, the Commission aims to ensure dignified standards and equal integration prospects in all Member States in order to prevent ‘asylum shopping’ and ‘secondary movements’. For this reason, asylum-seekers will be allowed to work 6 months after requesting asylum, instead of the current 9-month framework (Art. 15). Moreover, they must enjoy equal treatment with nationals as regards the terms of employment and other conditions (Art. 15 para. 3). Asylum-seekers will also have access to vocational training and language courses from day one (Art. 15a). Moreover, those applying for international protection will be entitled to primary and secondary health care, including mental as well as sexual and reproductive health care (Art. 16). In addition, children should enter the school system no later than 2 months after arrival (Art. 14), instead of the 3 months foreseen by the current framework. All the above-mentioned measures aim to enhance the integration prospects of asylum-seekers so that they will not choose to move illegally to other countries in order to find a job or access education. These measures are overall assessed as beneficial for those seeking international protection. However, integration also depends on actual employment opportunities, inclusion prospects and the economic situation in the responsible Member State, something that may also be influenced by the large-scale arrivals of third-country nationals often witnessed in the EU external border countries.

Sanctions for being present on the territory of a ‘non-responsible’ Member State

The most striking example proving that the main aim of the recast RCD is the prevention of ‘asylum shopping’ and ‘secondary movements’ can be found in the proposed Article 17a, which explicitly states that where an applicant is present in a Member State other than the one in which he or she is required to be present, the applicant should not be entitled to material reception conditions, access to the labour market, language courses or vocational training from the moment a transfer decision has been notified to this person. Thus, the reception conditions may actually be reduced or withdrawn upon notification of the transfer decision even if the transfer in reality takes place later, in some cases even months after the notification of the decision. The only guarantee here is that the withdrawal of reception conditions should be without prejudice to the need to ensure ‘a dignified standard of living’, including access to necessary health care, something which has been reaffirmed by the European Court of Justice. However, how this can be achieved in practice remains controversial.

Furthermore, the possibility of reducing or withdrawing material reception conditions where the applicant is required to be present in a specific Member State according to the Dublin Regulation can be found in the new paragraph 1 of Article 19, which concerns the reduction or withdrawal of material reception conditions. Thus, once again it is stated that if the asylum-seeker has ‘illegally’ left the ‘first country of asylum’ and moved to another Member State, she or he may be sanctioned, on the basis of the above-mentioned provision, with even the full withdrawal of reception conditions. It becomes evident that the applicant for international protection will enjoy the full benefits and guarantees envisaged in the recast RCD only when she or he is present on the territory of the Member State that the Dublin Regulation defines. In this way, the Commission hopes to discourage ‘secondary movements’ to other Member States, as asylum-seekers can enjoy the full set of rights provided in the recast RCD only when they are in the ‘responsible’ Member State in accordance with the Dublin Regulation.

Restrictions on the Freedom of Movement: Prevention of ‘absconding’

Apart from the proposed sanctions for applicants who are required to be present in other Member States on the basis of the Dublin Regulation, the Commission proposes to allow states the possibility to decide that an applicant is only allowed to reside in a specific place that is adapted for housing applicants, where there is a risk of absconding, in particular when it concerns a) applicants who are required to be present in another Member State and b) applicants who have been transferred to the Member State where they are required to be present in accordance with the Dublin Regulation after having absconded to another Member State (Art. 7). Thus, we notice that a restriction of freedom of movement is allowed to prevent ‘absconding’ and consequently to prevent asylum-seekers from illegally moving to another Member State, even in cases where there is merely a ‘risk’ of absconding. To add to this, in the definitions envisaged in the proposed Directive, ‘absconding’ and ‘risk of absconding’ are defined for the first time in the asylum acquis (Art. 2(10) and (11)), as until now the ‘risk of absconding’ was defined in the Return Directive. Not only restriction of movement but even detention may be allowed in accordance with the Dublin Regulation (Art. 8g).

It is worth mentioning here that the proposal does not only provide for punishments for applicants who are subject to a Dublin transfer; in the recast RCD we also witness that different kinds of residence restrictions are regulated (see the new proposed Articles 6a and 6b), which is a novelty in comparison to the current Directive. The analysis of these restrictions falls outside the scope of this blogpost; they have been extensively examined here.

Conclusion

Although in the provisional agreement for a recast RCD the guarantees are enhanced, and even a ‘dignified living’ shall be ensured in every case, including when the asylum applicant is present in the territory of a ‘non-responsible’ Member State, the possibility of reducing material reception conditions and integration prospects to prevent ‘secondary movements’ should not be underestimated. In the EU asylum policy debate, it is well known that external border countries such as Greece, Italy and Spain insist on more solidarity, arguing that they cannot shoulder the burden without adequate support, while northern European countries such as Germany or the Netherlands insist on enhancing measures to prevent secondary movements. This was also apparent in the negotiations for the proposed Reception Conditions Directive. However, now that the 2020 asylum and migration instruments are under negotiation, it is important to realise that there should not be a dichotomy between ‘fewer secondary movements’ and ‘more solidarity’. The discussions over fewer secondary movements should take place in conjunction with discussions over more solidarity. It is in the context of enhanced solidarity that the negotiations over the recast Reception Conditions Directive should take place, if the Council decides to reopen the consultations, before finally adopting the Directive, which contains overall positive amendments that enhance integration prospects, safeguard a dignified standard of living and increase procedural guarantees for applicants with special reception needs.

Endnotes

[i] Giulia Vicini, ‘The EU Refugee Crisis and the ‘Third-Phase’ Asylum Legislation: The End of the Harmonisation Approach or Its Revival’ in Valsamis Mitsilegas, Violeta Moreno-Lax and Niovi Vavoula (eds.), Securitising Asylum Flows: Deflection, Criminalisation and Challenges for Human Rights (Brill 2020).

[ii] Jens Vedsted-Hansen, ‘Reception Conditions as Human Rights: Pan-European Standard or Systemic Deficiencies’ in Vincent Chetail, Philippe De Bruycker and Francesco Maiani (eds.), Reforming the Common European Asylum System: The New European Refugee Law (Brill Nijhoff 2016).

Monday, 21 November 2022

The EU Commission’s proposal on Media Freedom Regulation

Lorna Woods, Professor of Internet Law, University of Essex

Photo credit: Bin im Garten, via Wikimedia Commons

In her 2021 State of the Union address, EU Commission President von der Leyen stated:

Media companies cannot be treated as just another business. Their independence is essential. Europe needs a law that safeguards this independence – and the Commission will deliver a Media Freedom Act in the next year.

The resulting Proposal sits against a network of existing rules – notably the long-standing Audiovisual Media Services Directive (AVMSD) and the e-Commerce Directive, as well as the recently agreed Digital Services Act (DSA) and Digital Markets Act (DMA). It will be accompanied by a Recommendation. The Proposal is a significant step; the Commission is entering new regulatory terrain here. This move indicates concerns not just about the state of the media but about public discourse more generally, but how has the Commission sought to translate this high-level concern into specific rules?

Outline of the Proposal

The Proposal can be said to be divided into roughly five elements (in addition to the definitions and scope), reflecting the fact that the concerns around media freedom have different aspects and need a response that is itself multifaceted.

1. Media Freedoms

The first is about media freedom (and the Recommendation is relevant for this issue too, as it focuses on internal safeguards for editorial independence and ownership transparency). The Proposal introduces rights and obligations for media service providers in Chapter II. Specifically, it gives them the right to exercise their “economic activities in the internal market without restrictions other than those allowed under [EU] law” (Article 4(1)). Article 4(2) then provides more detail. It specifies that Member States are prohibited from:

- interfering with editorial policies and decisions by media service providers (Article 4(2)(a));

- detaining, sanctioning, intercepting, subjecting to surveillance or search and seizure, or inspecting media service providers, their employees, their families or their premises “on the ground that they refuse to disclose information on their sources, unless this is justified by an overriding requirement in the public interest” (Article 4(2)(b)); and

- deploying spyware in any device or machine used by media service providers, their employees or their families other than in certain narrowly defined circumstances (Article 4(2)(c)).

According to the Q&A document, this is to “protect them from unjustified, disproportionate and discriminatory national measures”. There are provisions dealing specifically with “public service media providers”, reflecting their “societal role as a public good” (Recital 14) but also their “institutional proximity to the State, which puts them at peculiar risk of interference” (Recital 18): they are obliged to provide “in an impartial manner a plurality of information and opinions to their audiences, in accordance with their public service mission” (Article 5(1)), although what “plurality” means for these purposes is not defined. It seems that public service media cannot be self-declared as such – the definition of “public service media provider” requires the media service either to be “entrusted with a public service mission under national law” or to receive national funding for the fulfilment of such a mission (Art 2(3)).

There are some ownership transparency obligations on media service providers who “provid[e] news and current affairs content”. They must provide the provider’s name and contact details, and details relating to certain shareholders and beneficial owners (Article 6(1)). They must also “take measures that they deem appropriate with a view to guaranteeing the independence of individual editorial decisions” (Article 6(2)).

The Proposal also gives the audience (“recipients of media services”) the right to “receive a plurality of news and current affairs content, produced with respect for editorial freedom of media service providers, to the benefit of the public discourse” (Article 3(1)). Recital 11, however, clarifies that this right “does not entail any correspondent obligation on any given media service provider to adhere to standards not set out explicitly by law.”

2. VLOPs

Secondly, there are obligations on Very Large Online Platforms (VLOPs), which are in addition to those in the DSA. These provide additional rights to media service providers on VLOPs. Specifically, VLOPs must provide certain mechanisms to deal with the media (including applications of the requirements of the Platform to Business Regulation – see Article 17 MFA and Article 11 P2B Regulation).

3. Media Regulation and Institutions

A third element concerns the institutional set-up of media regulation. There are provisions around cooperation between national regulators. The Proposal expands the scope of the existing European Regulators Group for Audiovisual Media Services (ERGA), replacing it with the European Board for Media Services (EBMS), which – with the European Commission – is to ensure the consistent application of the MFA and the wider EU media law framework (perhaps in a similar fashion to the EDPB in relation to the GDPR). Specifically, the EBMS will:

- advise the Commission on the implementation of the Regulation, for example by providing expertise on regulatory, technical or practical aspects concerning the identification of audiovisual media services of general interest under Article 7a of the AVMSD;

- mediate between the regulatory bodies of the Member States;

- assess areas of interest such as the functioning of media markets and the potential impact of national measures; and

- take a position if the functioning of the internal market appears to be affected.

4. Media markets

A fourth element deals with the market and includes requirements for Member States to put in place rules for assessing media market concentrations (Articles 20-22). In addition to setting rules for when concentrations must be notified, Member States should also set out criteria for assessing the impact of a concentration on media pluralism and editorial independence, an assessment which is distinct from that under competition law.

5. Resources and Audience measurement

Finally, there are rules relating to the measurement of audiences and to criteria for allocating resources to media outlets. The Commission notes that the ‘opaque and unfair allocation of economic resources’ contributes not only to an uneven playing field but also to internal market barriers. The “opacity of and biases inherent to proprietary systems of audience measurement skew advertising revenue flows”, and the way state advertising revenue is allocated is also problematic. The Proposal therefore mandates transparent, non-discriminatory and objective measurement and allocation of resources.

Comment

Competence

The Proposal builds on the Commission’s Rule of Law Report 2020 and the European Democracy Action Plan, and seems to aim at some worthy objectives. Despite this, the Proposal is not framed as directly protecting democracy. The Proposal frames the issues as media companies facing

“obstacles hindering their operation and impacting investment conditions in the internal market such as different national rules and procedures related to media freedom and pluralism”.

This would seem to be aimed at tackling concerns around competence and the fact that culture is typically a matter for Member States, not the EU. To be sure, there are often special ownership and merger regimes for media undertakings, but these are often based not on economic considerations but on non-market concerns. The emphasis on the impact that disparate rules have on media undertakings is used to justify the use of Article 114 TFEU as the legal basis for the Proposal. This re-emphasises that this is not a specific piece of media policy, a field in which the EU has limited competence and no competence to harmonise (Article 167 TFEU), but market regulation. The Commission has pushed the extent of its harmonising powers before; while the AVMSD may have started off dealing with restrictions on cross-border advertising, it has also acquired a distinct cultural aspect (e.g. EU quotas). In this Proposal, it is not clear how the measures listed actually map on to addressing the internal market problems identified in the Explanatory Memorandum. The extent to which a harmonising measure has to deal directly with the eradication of barriers to trade, and the degree to which it may be directed at other policy issues, has been the subject of a certain amount of jurisprudence, as the examples of the Titanium Dioxide case (Case 300/89), Tobacco Advertising I (Case C-376/98), Swedish Match (Case C-210/03) and Vodafone (Case C-58/08) illustrate, and of a cottage industry in legal commentary. At first glance, this Proposal lies quite close to the boundary. It is noteworthy that the justification given in Recital 6 – that the audience should be able to receive cross-border information flows – is linked to the satisfaction of the requirement in Article 11 of the Charter of Fundamental Rights. Yet the Charter in itself is not a legal base for harmonising legislation. It is likely that this issue of competence may lead to legal challenge if the measure is enacted.

Place in the Digital Regulation Landscape

There will be a question of the interplay between this measure and others impacting on publicly available content. The measure is to a large extent aware of this and cross-refers to some of the relevant measures. It replicates some definitions from the AVMSD, albeit slightly tweaked. For instance, the definition of ‘programme’ is in its basic elements the same as that in the AVMSD (Art 1(b)) but excludes the reference in the AVMSD to “including feature-length films, video clips, sports events, situation comedies, documentaries, children's programmes and original drama”. It is also notable that the definition of “media service” moves the focus of the service on to the provision of programmes or press publications (Article 2(1), emphasis added); traditionally publications might have been thought to be goods! The definition of audiovisual media service remains the same as in the AVMSD. The terms “editorial decision” (Art 2(8)) and “editorial responsibility” (Art 2(9)) seem to be aimed at drawing the boundary of these terms in the same place as the analogous terms in the AVMSD, though the language has been revised to reflect the broader scope of the Proposal.

The Proposal also notes the currently limited scope for the ERGA to take action; currently it is limited to audiovisual media services only. The development of the EBMS, however, follows the approach taken in the DSA and also found in the EU’s approach to disinformation. Extending ERGA’s remit beyond audiovisual media services brings into question the historic difference in approach between broadcasting (and subsequently video on demand) and the print media, even in their online formats. It has long been accepted that regulation of broadcast entities is legitimate (even if different justifications might be given for that regulation), whereas the press has typically been subject to self-regulation. Giving ERGA (or the EBMS, as it would become under the Proposal) a role starts to challenge that settlement. It is worth reminding ourselves that the national regulatory bodies making up ERGA must meet certain independence requirements (and ERGA itself emphasises the importance of independence – as well as adequate resources!) – these independent bodies might start to have oversight over the press (in the areas covered by the Proposal). Again, this is a sensitive topic.

Media Independence

The Proposal does contain some important provisions that should benefit the maintenance of media independence – though of course the inclusion of these provisions recognises the distinctive nature of the media and the important role they play in an informed, democratic society. There are specific provisions on editorial independence, and for public service media providers Member States will be under an obligation to ensure they “have adequate and stable financial resources to fulfill their public service remit. These resources shall be such that editorial independence is preserved.” (Article 5).

This requirement for sufficient funding brings into law a principle long found in the Council of Europe recommendations in this area. Indeed, EU state aid law has also long recognised the need for State support (and the definition of public service media to a large extent reflects the position under Article 106(2) TFEU). How this is to be calculated or assessed, however, is not specified in the Proposal (the Recitals merely noting that a multi-year funding model is desirable – see Recital 18) and may cause tensions given the different levels of resources available and funding models used across the various Member States. The Recitals are anxious to emphasise that this obligation does “not affect the competence of Member States to provide for the funding of public service media”, though it would seem that there is a shift from the permissive regime envisaged by Protocol 29 to the mandatory rule envisaged here. Currently Member States may provide such funding (subject to competition law and state aid rules in particular); this Proposal suggests that in future Member States must do so.

Moreover, the Proposal introduces obligations so that senior management is to be appointed according to transparent, non-discriminatory and objective procedures. They will also have term limits and can only be dismissed if it is determined that they are no longer fulfilling their legal duties. Rules around non-dismissal are commonly found to ensure institutional independence in regulators but are here extended to the media (though the Commission has noted that concerns remain regarding the independence of some regulators – Rule of Law Report (3.3) – despite the provisions introduced by the 2018 amendments to the AVMSD).

The specific obligations in Article 4(2) follow the lines set down in standard freedom of expression case law concerning journalists – notably the protection of journalists’ sources, and the importance of journalists’ communications remaining confidential, as noted in Recital 16. In this, the prohibition of spyware in Article 4(2)(c) seems to be a specific response to recent scandals revealing the use of these technologies.

Transparency

The lack of transparency in media ownership has been seen as an issue specifically in relation to assessing the plurality of the media, as well as for users making assessments as to likely bias in the information and opinions published by a media outlet, a point recognised in Recital 19. This was an issue on which there was little action in the individual Member States. The Commission’s Rule of Law Report also noted: “The transparency of media ownership continues to present on average a medium risk across Member States, due to a lack of effectiveness of legal provisions and to the fact that information is provided only to public bodies, but not to the public” (3.3). Against this background, the requirement to give information to the public is a step forward; it might be questioned how effective it will be, however, in the case of highly complex corporate structures. Moreover, the transparency obligations are limited to those providing news and current affairs content. This term, however, is not defined in the Proposal – nor is it defined in the AVMSD. There is a question as to whether the rules apply only to those whose purpose is to provide news and current affairs, or whether they include providers whose offering includes news and current affairs. If so, how big a proportion of the offering should news and current affairs constitute to trigger the obligation? This of course assumes we know what news and current affairs comprises; does this term encompass, for example, celebrity gossip? Broader aspects are contained in the Recommendation and are therefore not binding.

Rules on VLOPs

It is unclear what the obligations on VLOPs add to the obligations in the Platform to Business Regulation (“P2B Regulation”) – which could apply to VLOPs anyway and, indeed, may apply much more broadly than to VLOPs – or how the relationship between the two measures might be managed.

VLOPs are likely to satisfy the definition of “online intermediation service providers” within the meaning of the P2B Regulation and therefore owe certain obligations to “business users”. It seems also likely that media service providers using VLOPs (or other platforms) to reach their audiences would constitute such “business users”, though perhaps some citizen journalists might fall outside this definition. Having said that, would “citizen journalists” fall within the definition of media service for the purpose of the Proposal? ‘Services’ within the TFEU are limited to economic activity – as Recital 7 to the Proposal recognises. It specifically notes that

[t]his definition should exclude user-generated content uploaded to an online platform unless it constitutes a professional activity normally provided for consideration (be it of financial or of other nature).

This might adversely affect charitable foundations and the like, by contrast with influencers. Note, however, that the recital specifically excludes “[c]orporate communication and distribution of informational or promotional materials for public or private entities”.

Article 17(3) requires complaints lodged by media organisations to be dealt with “with priority” and “without undue delay”, yet Article 11 of the P2B Regulation already requires online intermediation service providers to handle complaints “swiftly and effectively”. It is hard to see what added benefit the requirement in Article 17 regarding “undue delay” brings – indeed, it might be seen as a lower standard than “swiftly”. The obligation to give media entities priority does seem to suggest that their complaints be dealt with in some sort of differentiated way. This could be justified by the public interest in news and its perishable nature; however, it seems less good if such claims – no matter their merit – are automatically dealt with ahead of other serious claims. While there might be specified time limits for dealing with certain sorts of content (notably terrorism), prioritising journalism leaves the victim of revenge porn, for example, relatively unprotected. This may of course be the nature of a legislative measure dealing with one type of content; specifying time scales that are not comparative in nature (implicitly ‘with priority’ is, whereas ‘swiftly’, for example, is not) could avoid that problem. Insofar as the Proposal envisages a separate mechanism for media entities, there is a risk of confusion as to which mechanisms for dispute resolution – those in the DSA or those envisaged here – should be used.

There is also a concern about the definition of media services which receive the benefit of this special treatment, as it covers what have been termed ‘self-declared media’. This recalls the debates in the DSA’s legislative process over creating a media exemption, which was ultimately rejected. The concern is that a wide range of actors could self-declare as media entities for the purpose of this clause – perhaps benefitting those who spread disinformation.

VLOPs are also required to allow their users to customise the audiovisual media offer (subject to Art 7a AVMSD) (Article 19). It is not clear to what extent this overlaps with Article 27 DSA, which provides for recommender system transparency, and Article 38 DSA, which requires recommender systems not based on profiling to be offered.

 

Media Concentration


In the Commission’s Rule of Law Report, it notes that the media market is at risk from high levels of concentration. This seems to be a consequence of the dominance of online platforms in digital advertising and the adverse impact that has had on the financial stability of many media entities, a situation worsened during COVID. Against this background some controls on media concentration are required – though that then leaves the question of how media entities are expected to survive in an environment dominated by clickbait content, especially when the market dominance of the platforms and similar services is taken into account. This Proposal does not take those services into account. While the DMA provides some controls, it is not clear how the two sets of provisions will work together and whether there would be gaps (think, for example, of a cross-media merger involving a platform and a content provider). Finally, these questions seem to be dealt with at national level; rules may differ between Member States. The EBMS and the Commission are envisaged as having advisory roles. While this may respect divisions of competence, there are questions about equality of enforcement – it remains to be seen (in the light of the experience of the GDPR) how well the co-operation provisions (Article 13, Article 14) work.

Resources


The final section relates to the measuring of audiences (indirectly affecting resources) and the allocation of State advertising – which is an important source of revenue in many places. Recital 29 notes that state advertising can be used as a form of covert public subsidy. Article 2(15) defines “State advertising” to mean the “placement, publication or dissemination … of a promotional or self-promotional message, normally in return for payment or for any other consideration, for or on behalf of any national or regional public authority” – this includes state-owned enterprises or other state-controlled entities. This is a broad definition, although there are limits on those subject to the obligation. For example, there is a de minimis threshold for local authorities with fewer than 1 million inhabitants. Recital 10 excludes “emergency messages by public authorities which are necessary, for example, in cases of natural or sanitary disasters, accidents or other sudden incidents that can cause harm to individuals”. Although the Proposal envisages that the reporting on advertising spend should be monitored, it does not specify by which body.

Enforcement


One final point to note is that the Proposal does not include a specific mechanism for enforcement; the presumption seems to be that national mechanisms should be relied on (see e.g. Article 4(3)) (and the Q&A document notes that any claimed breaches can be brought before national courts, since the Proposal – as a regulation – is directly applicable). This may, for example, give a route to relief for those subject to spyware – though the route to the CJEU through the national courts may be long, especially when those courts form part of the regime deploying the spyware and therefore may be unlikely to provide adequate relief themselves. It is also unclear what the precise role of the EBMS is in ensuring the consistent application of the Proposal.

Conclusion


In conclusion, the Proposal marks a significant shift in the current status quo and attempts the important job of safeguarding media independence – independence which has come under increasing threat in recent years. In so doing, however, it pushes at the edges of EU competence. Moreover, some of the measures proposed may prove controversial, not least with some Member States, as they seek to support the media against authoritarian regimes seeking to control them. The passage of this proposal is therefore unlikely to be smooth or easy; whether it achieves its stated aims is yet another question.

Friday, 18 November 2022

The Cyber Resilience Act in the context of the Internet of Things

Mattis van ’t Schip, PhD candidate, Radboud University

Image credit: Grafiker61, via Wikicommons Media


In our homes and across industries, the use of Internet of Things (IoT) devices is increasing. These devices integrate hardware and software elements (e.g., a ‘smart’ watch, a WiFi-connected security camera). The cybersecurity of these connected devices is a growing issue. In the ‘Mirai botnet’, hackers accessed thousands of devices and used them together to bring down websites and companies, while other attackers accessed the cash registers of Target supermarkets by hacking into their network-connected air-conditioning systems. As evident from the Target hack, attackers can easily access these devices as they are always connected, through WiFi or Bluetooth. Companies and consumers now use billions of IoT devices, which creates an expanding cybersecurity threat. The European legislator struggled with this cybersecurity issue for a long time, as existing legislation (e.g., product safety law) did not sufficiently cover the cybersecurity of IoT devices. A recent legislative proposal, however, now intends to address this legal gap.

On 15 September 2022, the European Commission published the proposal for the Cyber Resilience Act (CRA). The Cyber Resilience Act intends to protect the European Union’s market from insecure products. The Act addresses four central themes, according to Article 1:

1) rules for placing products with digital elements on the European Union’s market to ensure the cybersecurity of such products;

2) essential requirements for the design, development, and production of products with digital elements;

3) requirements for vulnerability handling processes by manufacturers to ensure cybersecurity throughout the whole lifecycle of products with digital elements; and

4) market surveillance and enforcement.

This blog post gives a short overview of the new rules on the cybersecurity of products with digital elements (points 1-3). First, I address the framework of the Act by focusing on its scope and cybersecurity provisions. Second, I briefly examine how the Act fits within and adapts the existing regulatory landscape for the cybersecurity of products with digital elements, especially Internet of Things devices.

Products with digital elements

The Cyber Resilience Act will apply to ‘products with digital elements’. Article 3(1) clarifies that such products can be software, hardware, and remote data processing solutions. The Act thus applies not only to software applications, but also to certain hardware objects that are not traditionally thought of as digital products (e.g., routers, microcontrollers). A connected security camera is an example of a product with digital elements. The camera integrates a traditional camera system (the hardware) with software that, for instance, allows users to access the device’s camera from anywhere in the world.

The European Commission hints at IoT devices as the main focus of the Act, but these devices are not the only products in scope. The Commission includes two additional categories of products with digital elements. These categories are based on the ‘criticality’ of the products. All ‘critical products with digital elements’ are listed in Annex III and mainly include products which have privileged access to networks or security functions. For example, Annex III includes password managers, identity management software, and network monitoring systems. Such critical systems present a cybersecurity risk, according to Article 3(3), and therefore must adhere to stricter cybersecurity requirements, which I discuss below. An additional category exists for ‘highly critical products with digital elements’, which present even more serious cybersecurity risks (e.g., network management software used by energy providers).

The Commission can amend the list of critical and highly critical products based on the cybersecurity risks those products pose, according to Articles 6(2) and 6(5). Criteria for the assessment of those risks include whether the products have privileged access, control access to data, or perform critical trust-based functions in networks or security. The Commission uses additional criteria for highly critical products (e.g., the use of the product within critical sectors). (See also the NIS2 proposal for the cybersecurity requirements of devices employed in those sectors: the Proposal for a Directive on measures for a high common level of cybersecurity, which is about to be adopted.)

Cybersecurity requirements

For all products with digital elements, the Cyber Resilience Act prescribes baseline cybersecurity requirements. Only products with digital elements that adhere to those requirements can be placed on the European market, similar to earlier IoT-related product rules, such as the Radio Equipment Directive.

The cybersecurity requirements are listed in Annex I Section 1. The requirements must be met on the condition that devices are properly installed, maintained, used, and updated, according to Article 5(1). The provision is not clear on who should actually ensure these pre-conditions. The responsibility could shift between the manufacturer and user based on the action; for example, proper use is most likely a condition for the user, while proper maintenance is a condition for the manufacturer. Article 10(10) seems to indicate that the manufacturer must document the conditions under which the user can ensure proper installation, operation, and use. In a broader sense, these conditions could also indicate that the user, for instance as part of proper installation, should change the default password of their device before using it.

Next to the cybersecurity requirements, manufacturers must comply with certain vulnerability handling requirements, listed in Annex I Section 2. These vulnerability handling requirements address the large number of devices which do not receive sufficient updates during their lifecycle. Without sufficient updates, devices become security threats, as the manufacturers do not ‘patch’ the latest security issues.

Manufacturers must now provide regular security updates which address any vulnerabilities in their products. This obligation exists for the expected lifetime of the product, or up to five years, according to Article 10(6). In addition, the vulnerability handling processes are meant to ensure transparency about the vulnerabilities that manufacturers discover and patch. Here, the Commission aims to solve two problems: a lack of security updates for devices that manufacturers disregard (e.g., because they brought a newer device to the market) and a lack of transparency on any vulnerabilities the manufacturer or third parties find in their products. The latter can put devices from other manufacturers at risk. For example, if company Eppla finds a vulnerability in its Bluetooth protocol and patches it, this patch could help other companies, such as Geeglo, who use the same protocol. If Eppla is not transparent about the vulnerability, it might put Geeglo at risk of security breaches too.

Through the cybersecurity requirements and vulnerability handling processes, the Cyber Resilience Act thus addresses quite a broad range of cybersecurity related issues.

Economic operators

The Cyber Resilience Act introduces product requirements to protect the European Union’s market. Therefore, most of its rules apply to manufacturers that bring devices to the Union’s market. In addition, the rules apply to any other actors, including importers and distributors, that place a product with digital elements on the market with their name or trademark on it, or if they carry out a substantial modification of a product which is already on the market (Article 15). The same condition of a substantial modification applies to any natural or legal person (Article 16). The scope of the Act is thus broad: any entity that brings the product to the market or modifies a product on the market to the extent that it can be considered a ‘new’ product, falls within the scope of the Act.

The rules of the Cyber Resilience Act mostly apply to manufacturers. Article 10 lists several of the most important obligations for the manufacturers. Most of these obligations also apply to importers and distributors. Manufacturers must primarily ensure security-by-design (Article 10(2)). They must ensure this secure design by conducting a risk assessment for their device. Subsequently, the manufacturers must implement the results of that assessment throughout the entire production process of the device, from planning to delivery and maintenance. Manufacturers must include certain information in the technical documentation, including this risk assessment (Article 10(3)). The rules for technical documentation are part of a set of obligations for manufacturers to provide clear and intelligible information to users about different aspects of the device (Article 10(10)).

Finally, Article 10(14) includes an obligation for manufacturers to notify market surveillance authorities (a type of regulatory agency) and the users of their product when they cease operations. This obligation might help mitigate a problem in the IoT industry where manufacturers who, for instance, go bankrupt or sell their company to a competitor disregard their existing devices on the market. As a result, consumers are left with devices that no longer receive regular updates or stop working entirely, and in some cases consumers are not even aware of this. Because manufacturers must now inform market surveillance authorities and users of this situation, the obligation can lead to a more secure end of service for existing devices on the market.

A new approach

The Cyber Resilience Act will contain the most important cybersecurity requirements for Internet of Things devices. Existing legislation does apply to the cybersecurity of Internet of Things devices, but only through particular criteria.

The closest piece of legislation to the Act is the Radio Equipment Directive (RED), a type of product safety legislation. The Directive establishes requirements for radio equipment before it can be placed on the Union’s market. The approach is thus quite similar to the Cyber Resilience Act: economic operators must comply with specific requirements before they can place their products on the market of the EU.

In terms of cybersecurity requirements, the Radio Equipment Directive, however, is much more limited than the Cyber Resilience Act. The Directive contains two main cybersecurity requirements in Article 3(3): 1) radio equipment must ‘not harm the network or its functioning nor misuse network resources’ (3(3)(d)); and 2) radio equipment must contain safeguards to protect the personal data and privacy of its users (3(3)(e)). These cybersecurity requirements also apply to Internet of Things devices, pursuant to a recent Delegated Act from the Commission. These general cybersecurity requirements are much more limited than the list of requirements in the Cyber Resilience Act, which, crucially, also includes requirements for vulnerability handling processes. Recital 15 of the Act notes on these differences: ‘The essential requirements laid down by [the Cyber Resilience Act] include all the elements of the essential requirements referred to in [the Radio Equipment Directive].’ The Cyber Resilience Act, therefore, will be much more at the forefront concerning cybersecurity requirements for Internet of Things devices than the Radio Equipment Directive.

The Radio Equipment Directive is quite similar in its product safety provisions; it includes, for example, rules on technical documentation. However, the Cyber Resilience Act includes broader obligations for the manufacturer that focus on cybersecurity, for instance with the requirement to notify the market surveillance authorities when they cease their operations. While, from the outset, the Directive might seem partially redundant due to its similarities with the Act, the approach of both pieces of legislation is different. The Radio Equipment Directive focuses on rules that ensure radio equipment is safe, broadly speaking, when placed on the European Union’s market. These safety requirements are different from cybersecurity requirements. For instance, the Radio Equipment Directive requires devices to ensure access to emergency services, to facilitate users with certain disabilities, and to work with commonly used chargers. The Cyber Resilience Act, instead, fully focuses on the cybersecurity of devices.

The foundation of the Cyber Resilience Act also differs from that of the General Data Protection Regulation, another relevant piece of legislation in the context of cybersecurity for Internet of Things devices. The GDPR applies to the processing of personal data, which only partially covers the security requirements of the Act. The GDPR, foundationally, focuses on protecting people against misuse of their personal data. As with the Radio Equipment Directive, the Cyber Resilience Act therefore supports the aim of the GDPR with its cybersecurity requirements. The Cyber Resilience Act notes, in Recital 17, that ‘the essential cybersecurity requirements laid down in this Regulation, are also to contribute to enhancing the protection of personal data and privacy of individuals.’

The Cyber Resilience Act will provide a comprehensive framework for cybersecurity requirements, which supports the aims of similar legislation, such as the Radio Equipment Directive and the General Data Protection Regulation. Therefore, the Act gives substance to the growing number of cybersecurity requirements for Internet of Things devices in currently scattered pieces of legislation.

Conclusion

The Cyber Resilience Act offers a more comprehensive set of cybersecurity requirements for Internet of Things devices than existing legislation. Furthermore, its rules offer answers to many lingering questions on the security of IoT, such as what should happen when manufacturers cease their operations or when new vulnerabilities require updates from the manufacturer.

In relation to existing legislation, the Cyber Resilience Act will provide a comprehensive overview of cybersecurity requirements. Existing cybersecurity-related legislation often contained open norms and applied only where specific operations took place (e.g., personal data processing in the General Data Protection Regulation). The Cyber Resilience Act will support the aims of this related set of legislation, while offering the primary set of cybersecurity requirements that modern software and hardware must adhere to.