Digital Law Up(to)date: (1) Parliamentary initiatives about cyber attacks; (2) ‘Zero tariff’ options before the CJEU; and (3) Council of State, GDPR and encryption

Parliamentary initiatives to tackle cyber attacks

Certain members of the Belgian parliament (N-VA) have drafted a resolution (see here) to ensure that Belgium has the appropriate tools to fend off foreign cyber attacks. The objective is clear: to protect our national security and strategic independence. This proposal is concomitant with the publication on the website of the House of Representatives of a report on cyber attacks against the IT systems of the State and public services (see here). Both initiatives are based on an evolution of computer crime (cyber espionage, but also phishing, smishing, vishing, ransomware, sextortion, etc.), especially since the all-digital era imposed by the Covid crisis.

The draft resolution aims (i) to establish a list of suppliers of IT products considered "high-risk" in order to limit or prohibit the use of their services (ii) and, more broadly, to protect against offensive cyber strategies developed by certain States to sabotage or manipulate critical infrastructures. This initiative also falls within the scope of a recommendation made by the European Union, in its 5G toolbox, to apply relevant restrictions for such suppliers.

As for the report, it includes the content of the hearings conducted following the cyber attacks that our public services experienced in May 2021. Nearly ten people were heard, including the director of the Centre for Cyber Security Belgium, the federal prosecutor and the representative of the Federal Computer Crime Unit.

'Zero tariff' options and open internet access do not mix!

On 2 September 2021, the Court of Justice of the European Union (CJEU) ruled in three judgments (cases C-854/19, C-5/20 and C-34/20) that 'zero tariff' options are contrary to EU law, and specifically to Regulation 2015/2120 laying down measures concerning open internet access. With such options, data used for a specific application are not deducted from the volume of data purchased in a package. They allow internet service providers to increase the attractiveness of their offer. In return, the providers either limit the bandwidth, exclude the zero tariff outside their borders (used when roaming), or apply limitations on tethering.

According to the CJEU, these options, based on commercial considerations, create a distinction within internet traffic: some data are deducted from the volume of data purchased, others are not. They violate the objective of Regulation 2015/2120 (which is to “safeguard equal and non-discriminatory treatment of traffic in the provision of internet access services and related end-users' rights”) and art. 3(3) (“[p]roviders of internet access services shall treat all traffic equally, when providing internet access services, without discrimination, restriction or interference, and irrespective of the sender and receiver, the content accessed or distributed, the applications or services used or provided, or the terminal equipment used”).

It is interesting to consider these three judgements in conjunction with a recent consultation on a set of draft guidelines of the Belgian Institute for Postal Services and Telecommunications (BIPT) for the provision of “unlimited” Internet (see here). In reality, “unlimited” internet is usually combined with a fair use policy or a volume limitation. The draft guidelines analyse this commercial practice with respect to art. 3(2) of Regulation 2015/2120 (“[a]greements between providers of internet access services and end-users on commercial and technical conditions and the characteristics of internet access services such as price, data volumes or speed, and any commercial practices conducted by providers of internet access services, shall not limit the exercise of the rights of end-users” to access and distribute information and content, use and provide applications and services, and use terminal equipment of their choice). The BIPT considers the commercial practice as valid if it meets certain conditions (transparency, no blocking, clear and understandable explanations, etc.).

Council of State, GDPR and encryption: validation of a decision of the Flemish Authorities

The Belgian Council of State validates a decision by a Flemish governmental agency to contract with an EU branch of a US company that uses AWS (Amazon Web Services) cloud services. According to the Council of State, such decision does not breach the GDPR and in particular the provisions on transfers of data to the US since the Schrems II judgment (for short commentaries of this judgment, see on our Digital Law Blog, here, here and here).

The applicant, a Flemish company which was not awarded the contract, considered that the contract concluded with the EU branch breaches several provisions of the GDPR. It relied in particular

• (i) on recommendations 01/2020 of the European Data Protection Board (EDPB) on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (see here),
• (ii) on recommendations 02/2020 of the EDPB on the European Essential Guarantees for surveillance measures (see here), and
• (iii) on an opinion from the Flemish Supervisory Commission ("Vlaamse Toezichtcommissie voor de verwerking van persoonsgegevens") (see here).

According to the Council of State, these sources admit the use of encryption as a possible supplementary measure for the data transfers to the US in certain circumstances. They cannot be interpreted as indicating that the use of AWS under all circumstances would be non-compliant with the GDPR.

More information on this judgment of the Council of State coming soon on our Digital Law Blog.

This article was co-authored by Edouard Cruysmans in his capacity of Professional Support Lawyer at Stibbe.