Articles

Digital Law Up(to)date: (1) Parliamentary initiatives about cyber attacks; (2) ‘Zero tariff’ options before the CJEU; and (3) Council of State, GDPR and encryption

Digital Law Up(to)date: (1) Parliamentary initiatives about cyber att

Digital Law Up(to)date: (1) Parliamentary initiatives about cyber attacks; (2) ‘Zero tariff’ options before the CJEU; and (3) Council of State, GDPR and encryption

09.09.2021 BE law

In this blog, we briefly present three interesting news in the field of digital law:

(1) Parliamentary initiatives to tackle cyber attacks

(2) "Zero tariff" options and open internet access do not mix!

(3) Council of State, GDPR and encryption: validation of a decision of the Flemish Authorities

(1) Digital Law Up(to)date: Parliamentary initiatives to tackle cyber attacks

Certain members of the Belgian parliament (N-VA) have drafted a resolution (see here) to ensure that Belgium has the appropriate tools to fend off foreign cyber attacks. The objective is clear: to protect our national security and strategic independence. This proposal is concomitant with the publication on the website of the House of Representatives of a report on cyber attacks against the IT systems of the State and public services (see here). Both initiatives are based on an evolution of computer crime (cyber espionage, but also phishing, smishing, vishing, ransomware, sextortion, etc.), especially since the all-digital era imposed by the Covid crisis.

The draft resolution aims (i) to establish a list of suppliers of IT products considered "high-risk" in order to limit or prohibit the use of their services (ii) and, more broadly, to protect against offensive cyber strategies developed by certain States to sabotage or manipulate critical infrastructures. This initiative also falls within the scope of a recommendation made by the European Union, in its 5G toolbox, to apply relevant restrictions for such suppliers.

As for the report, it includes the content of the hearings conducted following the cyber attacks that our public services experienced in May 2021. Nearly ten people were heard, including the director of the Centre for Cyber Security Belgium, the federal prosecutor and the representative of the Federal Computer Crime Unit.

(2) Digital Law Up(to)date: “Zero tariff” options and open internet access do not mix!

On 2 September 2021, the Court of Justice of the European Union (CJEU) ruled in three judgments (cases C-854/19, C-5/20 and C-34/20) that “zero tariff’ options are contrary to EU law, and specifically to Regulation 2015/2120 laying down measures concerning open internet access. With such options, data used for a specific application are not deducted from the volume of data purchased in a package. They allow internet service providers to increase the attractiveness of their offer. In return, the providers either limit the bandwidth, exclude the zero tariff outside their borders (used when roaming), or apply limitations on tethering.

According to the CJEU, these options, based on commercial considerations, create a distinction within internet traffic: some data are deducted from the volume of data purchased, others are not. They violate the objective of Regulation 2015/2120 (which is to “safeguard equal and non-discriminatory treatment of traffic in the provision of internet access services and related end-users' rights”) and art. 3(3) (“[p]roviders of internet access services shall treat all traffic equally, when providing internet access services, without discrimination, restriction or interference, and irrespective of the sender and receiver, the content accessed or distributed, the applications or services used or provided, or the terminal equipment used”).

It is interesting to consider these three judgements in conjunction with a recent consultation on a set of draft guidelines of the Belgian Institute for Postal Services and Telecommunications (BIPT) for the provision of “unlimited” Internet (see here). In reality, “unlimited” internet is usually combined with a fair use policy or a volume limitation. The draft guidelines analyse this commercial practice with respect to art. 3(2) of Regulation 2015/2120 (“[a]greements between providers of internet access services and end-users on commercial and technical conditions and the characteristics of internet access services such as price, data volumes or speed, and any commercial practices conducted by providers of internet access services, shall not limit the exercise of the rights of end-users” to access and distribute information and content, use and provide applications and services, and use terminal equipment of their choice). The BIPT considers the commercial practice as valid if it meets certain conditions (transparency, no blocking, clear and understandable explanations, etc.).

(3) Digital Law Up(to)date: Council of State, GDPR and encryption: validation of a decision of the Flemish Authorities

The Belgian Council of State validates a decision by a Flemish governmental agency to contract with an EU branch of a US company that uses AWS (Amazon Web Services) cloud services. According to the Council of State, such decision does not breach the GDPR and in particular the provisions on transfers of data to the US since the Schrems II judgment (for short commentaries of this judgment, see on our Digital Law Blog, here, here and here).

The applicant, a Flemish company which was not awarded the contract, considered that the contract concluded with the EU branch breaches several provisions of the GDPR. It relied in particular

  • (i) on recommendations 01/2020 of the European Data Protection Board (EDPB) on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (see here),
  • (ii) on recommendations 02/2020 of the EDPB on the European Essential Guarantees for surveillance measures (see here), and
  • (iii) on an opinion from the Flemish Supervisory Commission ("Vlaamse Toezichtcommissie voor de verwerking van persoonsgegevens") (see here).

According to the Council of State, these sources admit the use of encryption as a possible supplementary measure for the data transfers to the US in certain circumstances. They cannot be interpreted as indicating that the use of AWS under all circumstances would be non-compliant with the GDPR.

More information on this judgment of the Council of State coming soon on our Digital Law Blog.

 

By Edouard Cruysmans and Erik Valgaeren

Team

Related news

26.08.2021 EU law
Facebook/Belgian DPA: Landmark ruling on cross-border enforcement under the GDPR

Short Reads - On 15 June 2021, the CJEU delivered an important judgment on the one-stop-shop mechanism. While the CJEU reinforced that the lead supervisory authority is the sole interlocutor in cross-border processing operations, it also contributed to the effective enforcement of the GDPR by reiterating the conditions under which supervisory authorities other than the lead supervisory authority can bring enforcement actions against such processing operations.

Read more

13.09.2021 NL law
Adopting the new Standard Contractual Clauses to secure international personal data transfers

Short Reads - Recently, the European Commission issued an implementing decision on standard new contractual clauses (“SCCs”) for the transfer of personal data to countries outside the European Economic Area. Organisations need to use the new SCCs from 27 September 2021 and onwards. Transitional periods apply for existing international data transfer agreements. To meet their obligations under the General Data Protection Regulation, organisations need to make the appropriate changes in time.

Read more

26.08.2021 BE law
Sarah De Wulf and Malik Baba co-authored a book dedicated to the legal aspects of the video-game industry

Articles - The book, entitled 'Legal Aspects of the video-game industry', provides a first answer to the most important legal questions that might arise in the lifecycle of a video-game company. These insights are intended to be applicable irrespective of jurisdictions, illustrated by real-life situations and easy to read for individuals without a legal background.

Read more