Cybersec + Egov = Estonia

Next week, the European Commission will release a batch of new proposals on the digital single market, among the last legislative proposals the Juncker Commission will make, right before we begin discussions on the next EU budget in May. But next week’s announcements should not overshadow a string of new Commission ideas since January that make these perhaps the most active months of digital policy yet.

The table below lists proposals with a strong digital component the Commission has made in the last three months, covering health, education, labor, security and law enforcement, financial services, taxation and more. Some observations:

·      Much of this is outside of the aegis of the Digital Single Market and DG Connect. It’s becoming a normal part of work for the rest of the Commission to think about the implications the digital revolution has on their policy domain.

·      The discussion isn’t just about economics and markets. The Commission as a whole is taking the broader societal challenges (future of work, security…) to heart.

·      There is a lot of non-legislative action. Skills, education, labor and social rights are key to getting the digital revolution right. They are also areas where Brussels has little direct competence. I would expect some of the ideas in both the Digital Education Action Plan to wind their way into the MFF. Additionally, remember that non-legislative action often begets legislation. I’m curious to see how Member States react to these proposals, and whether there is an appetite for more Europe in some of these areas.

·      Overall, I am impressed by the rising level of maturity in some of the thinking on digital across the board. I think the Fintech Action Plan is particularly noteworthy. It contains some interesting new ideas, e.g. regulatory sandboxing (inspired by what the UK banking regulatory authority is talking about). And there are detailed plans to ensure a proper sectoral implementation of the NIS directive and GDPR. This is something we need more of – the Commission considering in detail how to use the regulatory powers it already has in a joined up and strategic way.

Yesterday, I spoke with the Economists and Corporate Strategists Council and the Chief Audit Executives Council of The Conference Board on the subject privacy, cyber security and data flows. It was a fascinating conversation, and I appreciating seeing what happens to our laws after they leave the chambers of the co-legislator in Brussels.

I gave a brief overview of the GDPR and NIS directives, and ongoing discussions on data flows. I emphasized that the GDPR and NIS were both born out of market failure - market pressures alone have not sufficed to ensure either data protection or cyber security. The ongoing litany of data breaches and incidents, often involving poor cyber security and hygiene practices, only confirms that some kind of regulation is warranted - Nevertheless, we should take advantage of market based forces to make these regulations work now. This means thinking about how industry can participate in standard setting and how we can incentivize industry to adopt new technologies and techniques that make data more secure.

Some notes on the discussion:

Chief economists and audit officers were quite familiar with the GDPR, their companies are quite far long in preparing for compliance. Indeed, there was even praise for the GDPR, hopefulness that it would help companies realize better data governance and understand the economic value of the data that they have.

Companies are worried about ambiguity in GDPR rules, noting in particular employee data and informed consent. The other issues is fragmentation, which could still be a problem for the GDPR (different implementing laws, different practices by DPAs), and is certainly a concern for the NIS directive, which does not harmonise much at all. An unexpected dimension that came up is M&A risk - companies need to look closely at the data practices of companies they are acquiring.

Making new information systems and tech GDPR compliant is less costly, but adapting legacy systems is quite difficult.

US companies - even those not directly serving EU - are worrying about GDPR and taking its principles on board voluntarily. I’m reminded of SIFMA, which will soon be adopting a code of conduct on data protection quite similar to GDPR.

On data flows, companies were curioous about how the global landscape would develop. I predicted the EU would uiltimately be successful at eliminating nearly all intra-eu localisation, on the flip side, we would never have adequacy decisions with Russia and ismilar regimes.

Yesterday evening, I spoke at a panel on regulation and tech at the Afore Fintech conference. 

The conference reaffirmed for me something I’ve seen time and again in the last few years - the banking financial services and fintech sector is 5 years ahead of much of the rest of the digital economy in wrestling with some of the thornier digital policy and regulatory questions of the day.

Some examples:

e-ID. Banks have always been motivated to authentication right - the downside is criminals walking away with customers’ money. Additionally, strict know-your-customer (KYC) requirements have given banks another incentive to not only have technically secure authentication means, but ones that are tied real identities. My panel seemed to agree that broad uptake of eIDAS by the private sector would be a great idea. 

Banking and financial services also take cybersecurity seriously. They have been leaders in industry cooperation (e.g. thru FS-ISAC), and the ECB has probably gone further than any other EU-level regulator to push strong cybersecurity practices (https://www.ecb.europa.eu/press/key/date/2017/html/ecb.sp170619.en.html and http://pubdocs.worldbank.org/en/654021432913967471/Helmut-Wacket-ECB-FinSAC-Cyber-Seminar-18-19-May.pdf).

Discussions on consumers ownership, access and reuse of their data are politically still in their infancy, again with the exception of the financial sector, where Payments Services Directive 2 has created a regulatory and technical framework for access to account, allowing other service providers to access account information directly. This is also the first area where data ownership and reuse are sprouting major business cases: https://equensworldline.com/en/home/solutions/payments/open-banking/m-access-to-account-services.html 

On a more ominous note, the financial services sector is also ahead of everyone else when it comes to high compliance costs. One speaker yesterday, from Western Union, said 1/3 of their workforce deals with compliance. 

This has lead FS companies to think a lot about shaving regulatory costs, e.g. with automated processing and AI. Sectoral regulators are also quite far along in analyzing how to support distributed ledger technology (blockchain). Discussions on regulatory sandboxing have also gone pretty far: http://www.mondaq.com/uk/x/676340/Financial+Services/FCA+Seeks+Feedback+On+Its+Ideas+For+A+Global+Sandbox+Investment+Management+Brief+22+February+2018

Why this precociousness?

Probably a host of reasons. Financial services are the purest example of an information sector - today, almost their only job is manipulating the bits and bites. Failures in the banking sector are pretty easy to quantify in financial terms, and there have been a number of shakeups in the last decade. And the regulatory environment is probably on of the most centrally driven and harmonized in the EU.

Last week was a big week for digital Europe. Coreper confirmed the agreement reached on geo-blocking the previous week, and the Compet council approved a general approach on the Single Digital Gateway.

This week could be even bigger:

On Monday, the TTE Telecoms Council has a full agenda:

A policy debate on the proposed Free flow of data regulation’

A lunch debate on the future of EU investments and state aid for telecoms, egovernment and cyber security

Ministers will adopt a general approach on BEREC, consider the state of play of trilogues on the telecoms code, and endorse a roadmap for 5G spectrum harmonisation

Cybersecurity and e-privacy

On Tuesday:

The TTE Transport Council will adopt conclusions on the digitisation of transport

The Commission will host a high-level meeting of Member States representatives on cyber 

The Postal working party will prepare the second and hopefully final trilogue on Parcel delivery

On Wednesday:

We will hold the second trilogue on the Telecoms Code and the first trilogue on BEREC. Our focus will be on spectrum, and we hope to make significant progress

The Cyber Working Party will continue work on the Cyber Action Plan requested by the European Council

On Thursday:

The Justice and Home Affairs Council should endorse a general approach on a renewed mandate for eu-LISA, the “Schengen IT agency” (though it does so much more, and will be doing even more!). They will also hold policy debates on data retention and encryption.

The Estonian Presidency hosts an event on embedding digital into societal challenges (link).

I’m speaking at an EU Commission conference on e-Government Building Blocks (link)

On Friday:

The Telecoms working party discusses the first Presidency proposal on the Free flow of Data

It has been a month since I last posted an update, and lots has happened:

European Council and extra-ordinary TTE. 

On 19 October, EuCo followed up to the Tallinn Digital Summit, and adopted lengthy conclusions on Digital Europe. Among other things, the Prime Ministers instructed us to finish work on parcels, geoblocking and AVMS this year and Free flow of data and the telecoms code by June ‘18, and to achieve consistent regulatory and economic conditions for 5G rollout by 2020.

A week later, telecoms ministers followed up with an extra Council in Luxembourg. In addition to debating the Digital Single Market, they launched work on a roadmap for 5G spectrum harmonisation and talked talked cyber.

Cyber. Tomorrow, the General Affairs Council should adopt Conclusions on the Commission’s renewed Cyber Strategy. But the rest of the year will be busy - we’re working to develop an Action Plan to implement the Strategy, and we’re continuing to work on the new ENISA regulation.

Telecoms. Back in the end of October, the European Parliament finally adopted its position, and we had our opening trilogue in Strasbourg on October 26. The next trilogue on 6 December will focus on Spectrum, but we’ll also start work on BEREC (we’re agreeing the general approach at the Council on 4 December) and keep the ball rolling on end-user rights and the EP’s positions on intra-EU calls and reverse-112.

In the beginning of November, Telecoms directors met in Tallinn to develop a political roadmap for 5G spectrum. This should also be agreed by the time we get to the Council.

Parcels. The first trilogue is tomorrow, and we’re still on track to finish by the end of the year.

Free flow of Data. We’ve started article-by-article examination in the Working Party and will have a Policy Debate in the Council on 4.12. Hoping for clear guidance from ministers. We’ll also have a progress report on e-privacy. 

Some other cool stuff has happened too:

On 25 October, our EU Minister and EP President Tajani for the first time enacted EU legislation using digital signatures. link

Colleagues are hard at work on other digital files. Tomorrow is a crucial trilogue on Geoblocking.

Time for the usual weekly round-up. It’s a PACKED week!

On Monday, the Friends of Presidency group on data retention and the telecoms working party will discuss elements of e-privacy relevant to data retention.

On Tuesday, the Telecoms working party will examine the impact assessment for the Free flow of data regulation. (TBC) our DPR Clyde will give a media briefing on next week’s Telecoms council.

On Wednesday, we continue work on e-Privacy. Coreper will also look at the discussion papers for the policy debates at next week’s Telecoms Council.

On Thursday, the European Council will take the first steps to follow-up to the Tallinn Digital Summit. Expect the Conclusions to drive work in the Council for the rest of the year.

On Friday, the Horisontal Cyber working party will continue its work on the September cyber package.

Tallinn also sees one of the highlights of our Presidency, the e-Health week.

Some speaking engagements too:

Siim Sikkut, our government CIO, will speak Wednesday at a Euractiv event on e-government.

On Wednesday, I’ll be speaking to Insurance Europe about our priorities for Cyber Security.

On Saturday, I’ll be speaking about data on a panel at the Reinventing Europe conference at the College of Europe in Bruges

I missed last week’s update, so a bit more info this time. 

First off, it has been a whirlwind of activity over the last few weeks, and things are only going to pick up in tempo. Last week was e-government week in Tallinn, which culminated in EU and EFTA countries’ e-government ministers signing the Tallinn Declaration friday (link). Last Friday, our PM also sent out the final version of his conclusions from the Tallinn Digital Summit (link), which will find their way into the conclusions of next week’s European Council.

On Friday, we also agreed the agenda for an additional Telecoms Council to be held on October 24 in Luxembourg. We will follow up on the European Council’s instructions on DSM, hold a policy debate on cybersecurity, and an informal lunch discussion on connectivity.

This week, the big day is Wednesday, when we ask the ambassadors in Coreper for a mandate to start trilogues on the Telecoms Code. On Tuesday and Wednesday, the telecoms working party will also start examination of the BEREC Regulation, and on Friday the Horisontal Cyber working party will continue work on the September cyber package. 

We will also be following several votes in the European Parliament - the TRAN committee will be voting on the parcel delivery regulation, and the LIBE committee on e-Privacy. What happens will have a definite impact on the rest of our Presidency.

Other things to follow include the JHA Council on Thursday-Friday, which include several digital points. My boss Urve Palo will be in town Friday for an informal meeting of EU trade ministers.

Finally, some speaking engagements:

Monday, I’ll be speaking at a pre-event to EU Week of Regions and Cities organised by the Oslo city region on the e-Government declaration. Tuesday, I’ll be on a panel on the Data Union (link) . And on Friday, I’ll be talking to the Young European Federalists about our Presidency.

We round out September with one of the busiest weeks to date for the cyber/egov/telecoms/data/postal team:

On Monday, we conclude the first round of examination of the Presidency’s first compromise text on e-Privacy. In the afternoon, the Commission will present its new regulatory proposal on the Free Flow of Data. 

On Tuesday, the Commission and EEAS will present their new Cyber package to a high-level meeting of the Cyber working party, and work will also continue on  implementing guidelines for the Framework on a Joint EU Diplomatic Response to Malicious Cyber Activities. 

On Wednesday, we begin examining the first consolidated Presidency text of the Electronic Communications Code (link to a corrected, up to date version). 

We might also be getting an announcement from the Commission on Wednesday, and our colleagues working on AVMS have their second trilogue Thursday.

Friday sees the kickoff of EU Cybersecurity Month in Tallinn.

A quick round-up of what is happening in the Council on telecoms, cyber, information society and e-government.

After last week’s marathon of new announcements, we’re studying the Commission’s proposals on data flows and cyber, and will get cracking on both in the Council soon.

The Telecoms Working Party will discuss the Presidency first revision of e-Privacy on Tuesday and Wednesday. On Friday, the ambassadors in Coreper 1 will discuss the state of play of the DSM strategy. In the mean time, we’re preparing an update to the draft ECC text as we get closer to agreeing a Council position.

I’ll also be speaking in a few places:

to GSMA on the telecoms code

at a Euractiv / EU Presidency event on the data economy

to the Working Party on Frontiers/False Documents about Estonian e-government 

All of this is in the run-up to a packed schedule next week (i.e. the Digital Summit in Tallinn).

Today brought some major announcements from the Commission as part of Juncker’s annual State of the Union Speech in front of the European Parliament.

Several of these on the Digital Single Market, in particular a new EU Cyber Security strategy and a regulation on the Free flow of data. Estonia has a fair bit of history with both topics. There is lots of time ahead to talk about the details of these proposals, right now a few words about how we got to where we are.

In part 1, on the free flow of data:

After over a year of political wrangling, the Commission has presented a legal act regulating the free flow of data - or, more specifically, intra-EU restrictions on the localization of data.  We did not get to this point easily. 

The free flow of data (FFD) - in a broad sense, looking not just at localization but also ownership and reuse of data - was part of the initial DSM strategy proposed by the Commission in 2015. This was one of the most forward-looking parts of the strategy, a topic on which Andrus Ansip took plenty of inspiration from the country he knows best. Taavi Kotka, our then government CIO and a special advisor to Ansip, was a particularly strong proponent of FFD.

However, as the deadline for presenting a proposal in 2016 approached, the Commission seemed to get cold feet about presenting a legislative proposal on data localization. Regulation on this question was not without controversy. Estonia joined together with over a dozen other Member States in favor of legislative action, and what followed was a year-long campaign to convince the Commission to propose legislation. Every six months or so, my minister joined colleagues in sending the Commission and Presidency a letter encouraging action; there were also several Prime Ministers’ letters and countless working level meetings. 

There was a silver lining to this delay. What followed was one of the most extensive and multifaceted public debates I have seen on any policy issue in Brussels. At countless conferences and seminars, over the pages of numerous policy papers and op-eds, we debated the evidence on data localization restrictions and the benefits of data flows. The Commission also organized a series of structured dialogues with Member States, which also allowed us to work through some of the more sensitive aspects of such a proposal, including questions of national security and jurisdiction.

This was much more than the usual somewhat perfunctory and not-very-interactive Commission consultation, and an example the Commission would do well to follow when considering legislation on other controversial questions.

The culmination of these efforts came in July during an informal meeting of telecoms and competitiveness ministers in Tallinn, where we held a lunch debate on the free flow of data. There was unanimous support for legislation on data localization. 

The Commission has completed the hardest part of its job - putting the proposal on the table, now it’s the turn of the Council and Parliament. As a country, Estonia was a strong advocate of getting this proposal on the table. Now, as EU Council President, we will serve as an honest broker in negotiations on this important file. 

As a reward for reading this far, a rare photo of me in a moustache, from the informal telecoms and compet ministerial in July.

Last week, the Council got back to business. This week, we’re already plowing forward at full speed.

On Tuesday and Wednesday, we’ll be working through the institutional and access chapters of the telecoms code. Expecting lots of comments and some quite serious debate, especially on access. Once we’re done, our ECC team will go into drafting mode. Next week, we take a break to focus on e-privacy - for two days in a row!

It’s also an exciting cyber week in Tallinn. Our two-day Cybersecurity conference (link) has one of the best lineups I have seen in years, and should jump-start debate on the new EU Cybersecurity strategy. The conference will be preceded by several pre-meetings, including of the NIS cooperation group.

On Wednesday, we’ll all be following Juncker’s State of the Union speech. We’re hoping for some exciting digital developments. That same afternoon, our free flow of data guru Kaspar Kala will be participating in a debate at Confrontations Europe (link).

With the Digital Agenda being a key part of the Juncker commission's drive for jobs and growth and Commissioner Oettinger promising copyright reform and an end of geo-blocking, a group of business and foundations have written to Jean-Marie Cavada MEP (ALDE, FR), the chair of the European Parliament's Copyright Working Group demanding that he open up consultations to a wider range of stakeholders. New Europe has seen the letter.

Europe's economy and science ministers met last week for a Competitiveness Council that was soaked full of "digital" questions (program here).

Professing the importance of "digital" has become an article of faith in Brussels. Some years ago, Estonia stood out just for raising the issue; universal acceptance of the topic is a first step. Now, we are starting to argue about where exactly we will go with "digital policy", and there are some tensions brewing beneath the surface: