Digital Law Up(to)date: (1) Parliamentary initiatives about cyber attacks; (2) ‘Zero tariff’ options before the CJEU; and (3) Council of State, GDPR and encryption


09.09.2021 BE law

In this blog, we briefly present three interesting news items in the field of digital law:

(1) Parliamentary initiatives to tackle cyber attacks

(2) "Zero tariff" options and open internet access do not mix!

(3) Council of State, GDPR and encryption: validation of a decision of the Flemish Authorities

(1) Digital Law Up(to)date: Parliamentary initiatives to tackle cyber attacks

Certain members of the Belgian parliament (N-VA) have drafted a resolution (see here) to ensure that Belgium has the appropriate tools to fend off foreign cyber attacks. The objective is clear: to protect our national security and strategic independence. This proposal is concomitant with the publication on the website of the House of Representatives of a report on cyber attacks against the IT systems of the State and public services (see here). Both initiatives are based on an evolution of computer crime (cyber espionage, but also phishing, smishing, vishing, ransomware, sextortion, etc.), especially since the all-digital era imposed by the Covid crisis.

The draft resolution aims (i) to establish a list of suppliers of IT products considered "high-risk" in order to limit or prohibit the use of their services and (ii), more broadly, to protect against offensive cyber strategies developed by certain States to sabotage or manipulate critical infrastructures. This initiative also falls within the scope of a recommendation made by the European Union, in its 5G toolbox, to apply relevant restrictions for such suppliers.

As for the report, it includes the content of the hearings conducted following the cyber attacks that our public services experienced in May 2021. Nearly ten people were heard, including the director of the Centre for Cyber Security Belgium, the federal prosecutor and the representative of the Federal Computer Crime Unit.

(2) Digital Law Up(to)date: “Zero tariff” options and open internet access do not mix!

On 2 September 2021, the Court of Justice of the European Union (CJEU) ruled in three judgments (cases C-854/19, C-5/20 and C-34/20) that “zero tariff” options are contrary to EU law, and specifically to Regulation 2015/2120 laying down measures concerning open internet access. With such options, data used for a specific application are not deducted from the volume of data purchased in a package. They allow internet service providers to increase the attractiveness of their offer. In return, the providers either limit the bandwidth, exclude the zero tariff outside their borders (used when roaming), or apply limitations on tethering.

According to the CJEU, these options, based on commercial considerations, create a distinction within internet traffic: some data are deducted from the volume of data purchased, others are not. They violate the objective of Regulation 2015/2120 (which is to “safeguard equal and non-discriminatory treatment of traffic in the provision of internet access services and related end-users' rights”) and art. 3(3) (“[p]roviders of internet access services shall treat all traffic equally, when providing internet access services, without discrimination, restriction or interference, and irrespective of the sender and receiver, the content accessed or distributed, the applications or services used or provided, or the terminal equipment used”).

It is interesting to consider these three judgements in conjunction with a recent consultation on a set of draft guidelines of the Belgian Institute for Postal Services and Telecommunications (BIPT) for the provision of “unlimited” Internet (see here). In reality, “unlimited” internet is usually combined with a fair use policy or a volume limitation. The draft guidelines analyse this commercial practice with respect to art. 3(2) of Regulation 2015/2120 (“[a]greements between providers of internet access services and end-users on commercial and technical conditions and the characteristics of internet access services such as price, data volumes or speed, and any commercial practices conducted by providers of internet access services, shall not limit the exercise of the rights of end-users” to access and distribute information and content, use and provide applications and services, and use terminal equipment of their choice). The BIPT considers the commercial practice as valid if it meets certain conditions (transparency, no blocking, clear and understandable explanations, etc.).

(3) Digital Law Up(to)date: Council of State, GDPR and encryption: validation of a decision of the Flemish Authorities

The Belgian Council of State validates a decision by a Flemish governmental agency to contract with an EU branch of a US company that uses AWS (Amazon Web Services) cloud services. According to the Council of State, such a decision does not breach the GDPR and in particular the provisions on transfers of data to the US since the Schrems II judgment (for short commentaries on this judgment, see on our Digital Law Blog, here, here and here).

The applicant, a Flemish company which was not awarded the contract, considered that the contract concluded with the EU branch breaches several provisions of the GDPR. It relied in particular

  • (i) on recommendations 01/2020 of the European Data Protection Board (EDPB) on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (see here),
  • (ii) on recommendations 02/2020 of the EDPB on the European Essential Guarantees for surveillance measures (see here), and
  • (iii) on an opinion from the Flemish Supervisory Commission ("Vlaamse Toezichtcommissie voor de verwerking van persoonsgegevens") (see here).

According to the Council of State, these sources admit the use of encryption as a possible supplementary measure for the data transfers to the US in certain circumstances. They cannot be interpreted as indicating that the use of AWS under all circumstances would be non-compliant with the GDPR.

More information on this judgment of the Council of State coming soon on our Digital Law Blog.


By Edouard Cruysmans and Erik Valgaeren

