1032 Amendments of Marina KALJURAND
Amendment 11 #
2023/2501(RSP)
Recital F
F. whereas the ability to transfer personal data across borders has the potential to be a key driver of innovation, productivity and economic competitiveness as long as adequate safeguards are provided; whereas these transfers should be carried out in full respect for the right to the protection of personal data and the right to privacy; whereas one of the fundamental objectives of the EU is the protection of fundamental rights, as enshrined in the Charter;
Amendment 22 #
2023/2501(RSP)
Paragraph 1
1. Recalls that the respect for private and family life and the protection of personal data are legally enforceable fundamental rights enshrined in the Treaties, the Charter and the European Convention of Human Rights, as well as in laws and case-law; emphasises that they must be applied in a manner that does not unnecessarily hamper trade or international relations, but can be balanced only against other fundamental rights and not against commercial or political interests;
Amendment 30 #
2023/2501(RSP)
Paragraph 2
2. Acknowledges the efforts made in the EO to lay down limits on US Signals Intelligence Activities, by referring to the principles of proportionality and necessity, and providing a list of legitimate objectives for such activities; points out, however, that these principles are long-standing key elements of the EU data protection regime and that their substantive definitions in the EO are not in line with their definition under EU law and their interpretation by the CJEU; points out, furthermore, that for the purposes of the EU-US Data Privacy Framework, these principles will be interpreted solely in the light of US law and legal traditions, not those of the EU, and that the Data Protection Review Court’s interpretations will not be made public; points out that the EO requires that signals intelligence must be conducted in a manner proportionate to the ‘validated intelligence priority’, which appears to be a broad interpretation of proportionality;
Amendment 36 #
2023/2501(RSP)
Paragraph 3
3. Regrets the fact that the EO does not prohibit the bulk collection of data by signals intelligence, including the content of communications; notes that the list of legitimate national security objectives can be amended and expanded by the US President, with no obligation to make the relevant updates public nor to inform EU counterparts; points out that this would undermine the purpose of the objectives as a safeguard to limit US intelligence activities;
Amendment 40 #
2023/2501(RSP)
Paragraph 3 a (new)
3 a. Stresses the EDPB’s concerns over the EO’s failure to provide safeguards in bulk data collection, namely the lack of independent prior authorisation, lack of clear and strict data retention rules and lack of stricter safeguards concerning dissemination of data collected in bulk; points particularly to the specific concern that without further restrictions on dissemination to US authorities, law enforcement authorities will be enabled to access data they would otherwise have been prohibited from collecting;
Amendment 43 #
2023/2501(RSP)
Paragraph 3 b (new)
Amendment 44 #
2023/2501(RSP)
Paragraph 3 c (new)
3 c. Reminds that onward transfers effectively multiply the risks to the protection of data and notes that the EDPB has called for the inclusion of a legally binding obligation to analyse and determine whether the third country offers an acceptable minimum level of safeguards while taking into account the effect of any existing international agreements that may provide for the transfer of personal data by intelligence services;
Amendment 45 #
2023/2501(RSP)
Paragraph 3 d (new)
3 d. Shares the calls from the EDPB that the entry into force and adoption of the adequacy decision be conditional upon, inter alia, the adoption of updated policies and procedures to implement the EO by all US intelligence agencies; calls on the Commission to assess these updated policies and procedures and share its assessment with the European Parliament and the EDPB;
Amendment 55 #
2023/2501(RSP)
Draft motion for a resolution
Paragraph 5
5. Points out that the decisions of the Data Protection Review Court (‘DPRC’) will be classified and not made public or available to the complainant and that they will be final and non-appealable with the DPRC; points out that the DPRC is part of the executive branch and not the judiciary; stresses that it should be prohibited for the US President to remove DPRC judges and calls on the Commission to clarify this matter; points out that a complainant will be represented by a ‘special advocate’ designated by the DPRC, for whom there is no requirement of independence; points out that the redress process provided by the EO is based on secrecy and does not set up an obligation to notify the complainant that their personal data has been processed, thereby undermining their right to access or rectify their data; notes that the proposed redress process does not provide for an avenue for appeal in a federal court and therefore, among other things, does not provide any possibility for the complainant to claim damages; concludes that the DPRC does not meet the standards of independence and impartiality of Article 47 of the Charter and that it is not compatible with the basic principles of justice and due process;
Amendment 63 #
2023/2501(RSP)
Paragraph 7
7. Notes that European businesses need and deserve legal certainty; stresses that successive data transfer mechanisms, which were subsequently repealed by the CJEU, created additional costs for European businesses; notes that continuing uncertainty and the need to adapt to new legal solutions is particularly burdensome for micro, small and medium-sized enterprises; is concerned that the adequacy decision could (like its predecessors) be invalidated by the Court of Justice, leading to a continuing lack of legal certainty, further costs and disruption for European citizens and businesses;
Amendment 67 #
2023/2501(RSP)
Paragraph 8
8. Points out that, unlike all other third countries that have received an adequacy decision under the GDPR, the US still does not have a federal data protection law; points out that the EO is not clear, precise or foreseeable in its application, as it can be amended at any time by the US President, who is also empowered to issue secret executive orders; is concerned regarding the absence of a sunset clause which could provide that the decision would automatically expire four years after its entry into force, after which the Commission would have to make a new determination; is concerned that the lack of a sunset clause in this adequacy decision represents a more lenient approach to the US, despite the fact that the US privacy framework is based on an Executive Order which allows for secret amendments, and which can be amended without consulting Congress or informing EU counterparts;
Amendment 80 #
2023/2501(RSP)
Paragraph 10
10. Recalls that, in its resolution of 20 May 2021, Parliament called on the Commission not to adopt any new adequacy decision in relation to the US, unless meaningful reforms were introduced, in particular for national security and intelligence purposes; reiterates that the Commission should not leave proper enforcement of EU data protection law to the Court of Justice of the European Union following complaints by individual citizens;
Amendment 88 #
2023/2501(RSP)
Paragraph 11
11. Concludes that the EU-US Data Privacy Framework fails to create essential equivalence in the level of protection; calls on the Commission to continue negotiations with its US counterparts with the aim of creating a mechanism that would ensure such equivalence and which would provide the adequate level of protection required by Union data protection law and the Charter as interpreted by the CJEU; calls on the Commission not to adopt the adequacy finding;
Amendment 17 #
2023/0441(CNS)
Proposal for a directive
Recital 1 a (new)
(1 a) The scope of the Directive (EU) 2015/637 should also be extended beyond citizens of the Union. In this sense, recognised refugees and other persons who are legally residing in a Member State and are holders of a travel document issued by that Member State should be entitled to consular protection under the same conditions as unrepresented citizens.
Amendment 18 #
2023/0441(CNS)
Proposal for a directive
Recital 1 b (new)
(1 b) Member states should take an intersectional approach when applying this Directive, including carrying out an intersectional analysis looking at the different needs of vulnerable groups in relation to ongoing and emerging crisis situations.
Amendment 23 #
2023/0441(CNS)
Proposal for a directive
Recital 5
(5) As first criterion, consular authorities should take into account the difficulty for citizens to safely reach or be reached by the embassy or consulate of their Member State of nationality rapidly and within a reasonable period of time, taking into account the nature and urgency of the assistance requested and the means, notably financial resources, available to them. For example, the need for an EU Emergency Travel Document as a result of the loss of travel documents should, in principle, result in the citizen being considered as unrepresented if reaching the embassy or consulate of his or her Member State of nationality would require overnight or air travel, as he or she cannot be expected to travel under such circumstances.
Amendment 29 #
2023/0441(CNS)
Proposal for a directive
Recital 12 a (new)
(12 a) Union delegations should always provide consular assistance tasks where they are the only representation physically located in a third country or where there is an objective need for additional assistance to unrepresented citizens during a crisis situation due to insufficient capacity of Member States’ embassies and consulates.
Amendment 30 #
2023/0441(CNS)
Proposal for a directive
Recital 13
(13) When providing consular protection to unrepresented citizens, Member States should take into account the specific needs of vulnerable groups, such as unaccompanied minors, pregnant women, persons with reduced mobility, persons with disabilities or individuals at risk of discrimination on any ground such as those referred to in Article 21 of the Charter. The training provided to Union officials and Member States’ diplomatic and consular staff should include practical guidance on how to apply an intersectional approach to the specific needs of vulnerable groups.
Amendment 34 #
2023/0441(CNS)
Proposal for a directive
Recital 16 a (new)
(16 a) Consular crisis preparedness and response training should be provided to Union officials and Member States’ diplomatic and consular staff by the EEAS, in close cooperation with Member States. In order to ensure protection of vulnerable groups, that training should cover practical guidance on how to apply an intersectional approach to the specific needs of vulnerable groups in a crisis situation.
Amendment 44 #
2023/0441(CNS)
Proposal for a directive
Article 1 – paragraph 1 – point 1
Directive (EU) 2015/637
Article 7 – paragraph 1 a (new)
1 a. Recognised refugees and other persons who are legally residing in a Member State and are holders of a travel document issued by that Member State shall be entitled to consular protection under the same conditions as unrepresented citizens, if the Member State of residence is not represented by a diplomatic or consular authority.
Amendment 45 #
2023/0441(CNS)
Proposal for a directive
Article 1 – paragraph 1 – point 1
Directive (EU) 2015/637
Article 7 – paragraph 3 a (new)
3 a. Where Union delegations are the only representation physically located in a third country, or where there is an objective need for additional assistance to unrepresented citizens during a crisis situation due to insufficient capacity of Member States’ embassies and consulates, Union delegations shall provide consular assistance, including issuing Emergency Travel Documents following the provisions set forth by directive 2019/997.
Amendment 56 #
2023/0441(CNS)
Proposal for a directive
Article 1 – paragraph 1 – point 4 a (new)
Directive (EU) 2015/637
Article 12a
(4 a) The following article 12a is inserted: ‘Article 12a Training 1. The EEAS, in close cooperation with Member States, shall provide consular crisis preparedness and response training to Union officials and Member States’ diplomatic and consular staff. That training shall include practical guidance on how to apply an intersectional approach to the specific needs of vulnerable groups in the event of a crisis.’;
Amendment 69 #
2023/0441(CNS)
Proposal for a directive
Article 1 – paragraph 1 – point 6
Directive (EU) 2015/637
Article 13c – paragraph 1 – point c a (new)
(c a) developing automatic notification systems, such as short message systems via telephone networks, to provide all citizens of the Union with basic contact information for consular protection upon arrival to a third country, as well as warning messages in the event of a crisis;
Amendment 70 #
2023/0441(CNS)
Proposal for a directive
Article 1 – paragraph 1 – point 6
Directive (EU) 2015/637
Article 13c – paragraph 1 – point c b (new)
(c b) developing a dedicated website with information on the right to consular protection and practical guidance for citizens in the event of a crisis;
Amendment 76 #
2023/0441(CNS)
Proposal for a directive
Article 1 – paragraph 1 – point 9
Directive (EU) 2015/637
Article 16a – Paragraph 1 – point f a (new)
(f a) process information and registrations of travels or residence provided in accordance with Article 13(4).
Amendment 14 #
2023/0143(COD)
Proposal for a regulation
Recital 2
(2) Council Decision 2009/917/JHA [10] on the use of information technology for customs purposes establishes the Customs Information System (CIS) to assist in preventing, investigating and prosecuting serious contraventions of national laws by making information available more rapidly and increase the effectiveness of the customs administrations. In order to ensure a consistent approach to the protection of personal data in the Union, that Decision should be amended to align it with Directive (EU) 2016/680. In particular, the personal data protection rules should respect the principle of purpose limitation, be limited to specified categories of data subjects and categories of personal data, respect data security requirements, include additional protection for special categories of personal data and respect the conditions for subsequent processing. Moreover, provision should be made for the coordinated supervision model as introduced by Article 62 of Regulation (EU) 2018/1725 [11].
_________________
[10] Council Decision 2009/917/JHA on the use of information technology for customs purposes (OJ L 323, 10.12.2009, p. 20).
[11] Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
Amendment 16 #
2023/0143(COD)
Proposal for a regulation
Recital 5
(5) To ensure the optimal preservation of the data while reducing the administrative burden for the competent authorities, the procedure governing the retention of personal data in the CIS should be simplified by removing the obligation to review data annually and by setting a maximum retention period of three years which can be increased, subject to justification, by an additional period of two years. That retention period is necessary and proportionate in view of the typical length of criminal proceedings and the need for the data for the conduct of joint customs operations and of investigations.
Amendment 18 #
2023/0143(COD)
Proposal for a regulation
Article 1 – paragraph 1 – point 2
Council Decision 2009/917/JHA
Article 2 – paragraph 1 – point 2
(2) Point 2 of Article 2 is hereby replaced by the following: 2. “personal data” means personal data as defined in Article 3, point (1), of Directive (EU) 2016/680.
Amendment 19 #
2023/0143(COD)
Proposal for a regulation
Article 1 – paragraph 1 – point 3
Council Decision 2009/917/JHA
Article 3 – paragraph 2
In relation to the processing of personal data in the Customs Information System, the Commission shall be considered the processor, within the meaning of point (12) of Article 3 of Regulation (EU) 2018/1725, acting, in accordance with Article 29 of that Regulation, on behalf of the national authorities designated by each Member State, which shall be considered the controllers of the personal data.
Amendment 20 #
2023/0143(COD)
Proposal for a regulation
Article 1 – paragraph 1 – point 5
Council Decision 2009/917/JHA
Article 5 – paragraph 2
2. For the purpose of the actions referred to in paragraph 1, personal data in any of the categories referred to in Article 3(1) may be entered into the Customs Information System only if there are reasonable and objective grounds, in particular on the basis of prior illegal activities, to suggest that the person concerned has committed, is in the act of committing or will commit criminal offences under national laws.
Amendment 21 #
2023/0143(COD)
Proposal for a regulation
Article 1 – paragraph 1 – point 6 – introductory part
(6) Paragraph 3 of Article 7 is replaced by the following: deleted.
Amendment 22 #
2023/0143(COD)
Proposal for a regulation
Article 1 – paragraph 1 – point 6
Council Decision 2009/917/JHA
Article 7 – paragraph 3
Amendment 24 #
2023/0143(COD)
Proposal for a regulation
Article 1 – paragraph 1 – point 7
Council Decision 2009/917/JHA
Article 8 – paragraph 1 – subparagraph 1
Member States, Europol and Eurojust may process personal data obtained from the Customs Information System only in order to achieve the aim stated in Article 1(2), in accordance with the applicable rules of Union law on the protection of personal data.
Amendment 25 #
2023/0143(COD)
Proposal for a regulation
Article 1 – paragraph 1 – point 8
Council Decision 2009/917/JHA
Article 8 – paragraph 4 – subparagraph 1 – point a
(a) transmitted to, and further processed by, national authorities other than those designated under paragraph 2, in accordance with the applicable rules of Union law on the protection of personal data; or
Amendment 26 #
2023/0143(COD)
Proposal for a regulation
Article 1 – paragraph 1 – point 8
Council Decision 2009/917/JHA
Article 8 – paragraph 4 – subparagraph 1 – point b
(b) transferred to, and further processed by, the competent authorities of third countries and international or regional organisations, in accordance with Chapter V of Directive (EU) 2016/680 and, where relevant, with Chapters V and IX of Regulation (EU) 2018/1725.
Amendment 28 #
2023/0143(COD)
Proposal for a regulation
Article 1 – paragraph 1 – point 9
Council Decision 2009/917/JHA
Article 14
Personal data entered into the Customs Information System shall be kept only for the time necessary to achieve the aim stated in Article 1(2) and may not be retained for more than fiv. The need for their retention shall be reviewed at least once every three years. However, exceptionally, that data may be kept for an additional period of at most two years, where and insofar as a strictly need to do socessary in order to achieve that aim is established in an individual case.
Amendment 30 #
2023/0143(COD)
Proposal for a regulation
Article 1 – paragraph 1 – point 11
Council Decision 2009/917/JHA
Article 20
Directive (EU) 2016/680 and Regulation (EU) 2018/1725 shall apply to the processing of personal data under this Decision.
Amendment 28 #
2022/0425(COD)
Proposal for a regulation
Recital 1
(1) The transnational dimension of serious and organised crime and the continuous threat of terrorist attacks on European soil call for action at Union level to adopt appropriate measures to ensure security within an area of freedom, security and justice without internal borders. Information on air travellers, such as Passenger Name Records (PNR) and in particular Advance Passenger Information (API), helps to identify high-risk travellers, including those who are not otherwise known to law enforcement authorities, and to establish links between members of criminal groups, and countering terrorist activities.
Amendment 29 #
2022/0425(COD)
Proposal for a regulation
Recital 2
(2) While Council Directive 2004/82/EC [27] establishes a legal framework for the collection and transfer of API data by air carriers with the aims of improving border controls and combating illegal immigration, it also states that Member States may use API data for law enforcement purposes. However, only creating such a possibility leads to several gaps and shortcomings. This means that API data is not systematically collected and transferred by air carriers for law enforcement purposes. Where Member States have acted upon the possibility, air carriers are faced with diverging requirements under national law regarding when and how to collect and transfer API data for this purpose. Those divergences lead not only to unnecessary costs and complications for the air carriers, but may also complicate the Union’s internal security and effective cooperation between the competent law enforcement authorities of the Member States. Moreover, in view of the completely different nature of the purposes of facilitating border controls and law enforcement, it is appropriate to establish a distinct legal framework for the collection and transfer of API data for law enforcement purposes.
_________________
[27] Council Directive 2004/82/EC of 29 April 2004 on the obligation of carriers to communicate passenger data (OJ L 261, 6.8.2004, p. 24).
Amendment 32 #
2022/0425(COD)
Proposal for a regulation
Recital 3
(3) Directive (EU) 2016/681 of the European Parliament and of the Council [28] (‘PNR Directive’) lays down rules on the use of PNR data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime. Under that Directive, Member States must adopt the necessary measures to ensure that air carriers transfer PNR data, including any API data collected, to the national Passenger Information Unit (‘PIU’) established under that PNR Directive to the extent that they have already collected such data in the normal course of their business. Consequently, that Directive does not guarantee the collection and transfer of API data in all cases, as air carriers do not have any business purpose to collect a full set of such data. Ensuring that PIUs receive API data together with PNR data is important, since the joint processing of such data is needed for the competent law enforcement authorities of the Member States to be able to effectively prevent, detect, investigate and prosecute terrorist offences and serious crimfor the purposes of the Directive. In particular, such joint processing allows for the accurate identification of those passengers that may need to be further examined, in accordance with the applicable law, by those authorities. In addition, the PNR Directive does not specify in detail which information constitutes API data. For those reasons, complementary rules should be established requiring air carriers to collect and subsequently transfer a specifically defined set of API data. These requirements should apply to the extent that the air carriers are bound under that Directive to collect and transfer PNR data on the same flight.
_________________
[28] Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (OJ L 119, 4.5.2016, p. 132).
Amendment 34 #
2022/0425(COD)
Proposal for a regulation
Recital 4
(4) It is therefore necessary to establish clear, harmonised and effective rules at the Union level on the collection and transfer of API data for the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious crime.
Amendment 36 #
2022/0425(COD)
Proposal for a regulation
Recital 5
(5) Considering the close relationship between both acts, this Regulation should be understood as complementing the rules provided for in the PNR Directive (EU) 2016/681. Therefore, API data is to be collected and transferred in accordance with the specific requirements of this Regulation, including as regards to the situations and the manner in which that is to be done. However, the rules of the PNR Directive apply in respect of matters not specifically covered by this Regulation, especially regarding the rules on the subsequent processing of the API data received by the PIUs, exchange of information between Member States, conditions of access by the European Union Agency for Law Enforcement Cooperation (Europol), transfers to third countries, retention and depersonalisation, as well as the protection of personal data. Insofar as those rules apply, the rules of that Directive on penalties and the national supervisory authorities apply as well. This Regulation should leave those rules unaffected.
Amendment 37 #
2022/0425(COD)
Proposal for a regulation
Recital 6
(6) The collection and transfer of API data affects the privacy of individuals and entails the processing of their personal data. In order to fully respect their fundamental rights, in particular the right of respect for private life and the right to the protection of personal data, in accordance with the Charter of Fundamental Rights of the European Union (‘Charter’), adequate limits and safeguards should be provided for. In particular, any processing of API data and, in particular, API data constituting personal data, should remain strictly limited to what is necessary for and proportionate to achieving the objectives pursued by this Regulation. In addition, it should be ensured that the processing of any API data collected and transferred under this Regulation does not lead to any form of discrimination precluded by the Charter.
Amendment 44 #
2022/0425(COD)
Proposal for a regulation
Recital 7
(7) In view of the complementary nature of this Regulation in relation to the PNR Directive (EU) 2016/681, the obligations of air carriers under this Regulation should apply in respect of all flights for which Member States are to require air carriers to transmit PNR data under the Directive (EU) 2016/681, namely flights, including both scheduled and non-scheduled flights, both between Member States and third countries (extra-EU flights), and between certain Member States (intra-EU flights) insofar as those flights have been selected in accordance with the PNR Directive (EU) 2016/681, irrespective of the place of establishment of the air carriers conducting those flights.
Amendment 47 #
2022/0425(COD)
Proposal for a regulation
Recital 8
(8) Accordingly, given that the PNR Directive (EU) 2016/681 does not cover domestic flights, that is, flights that depart and land on the territory of the same Member State without any stop-over in the territory of another Member State or a third country, and in view of the transnational dimension of the terrorist offences and the serious crime covered by this Regulation, such flights should not be covered by this Regulation either. This Regulation should not be understood as affecting the possibility for Member States to provide, under their national law and in compliance with Union law, for obligations on air carriers to collect and transfer API data on such domestic flights.
Amendment 49 #
2022/0425(COD)
Proposal for a regulation
Recital 9
(9) In view of the close relationship between the acts of Union law concerned and in the interest of consistency and coherence, the definitions set out in this Regulation should as much as possible be aligned with, and be interpreted and applied in the light of, the definitions set out in the PNR Directive (EU) 2016/681 and the Regulation (EU) [API border management]29.
_________________
29 OJ C , , p. .
Amendment 52 #
2022/0425(COD)
Proposal for a regulation
Recital 10
(10) In particular, the items of information that jointly constitute the API data to be collected and subsequently transferred under this Regulation should be the same as those listed clearly and exhaustively in Regulation (EU) [API border management], covering both information relating to each passenger and information on the flight of that traveller. Under this Regulation, such flight information should cover information on the border crossing point of entry into the territory of the Member State concerned only where applicable, that is, not when the API data relate to intra-EU flights.
Amendment 56 #
2022/0425(COD)
Proposal for a regulation
Recital 11
(11) In order to ensure as consistent an approach as possible on the collection and transfer of API data by air carriers, the rules set out in this Regulation should be aligned with those set out in the Regulation (EU) [API border management] where appropriate. This concerns, in particular, the rules on data quality, the air carriers’ use of automated means for such collection, the precise manner in which they are to transfer the collected API data to the router and the deletion of the API data. The collection of API data by automated means should be strictly limited to the alphanumerical data contained in the travel document and should not lead to the collection of any biometric data from it. As the collection of API data is part of the check-in process, either online or at the airport, it should not imply any checks of the traveller at the moment of boarding. Compliance with this Regulation should not imply any obligation to carry a travel document at the moment of boarding.
Amendment 62 #
2022/0425(COD)
Proposal for a regulation
Recital 12
(12) In order to ensure the joint processing of API data and PNR data to effectively fight terrorism and serious crime in the Union, and at the same time minimise the interference with passengers’ fundamental rights protected under the Charter, the PIUs should be the sole competent authorities in the Member States that are entrusted to receive, and subsequently further process and protect, API data collected and transferred under this Regulation. In the interest of efficiency and to minimise any security risks, the router, as designed, developed, hosted and technically maintained by the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA) in accordance with Regulation (EU) [API border management], should transmit the API data, collected and transferred to it by the air carriers under this Regulation, to the relevant PIUs. Given the necessary level of protection of API data constituting personal data, including to ensure the confidentiality of the information concerned, the API data should be transmitted by the router to the relevant PIUs in an automated manner.
Amendment 67 #
2022/0425(COD)
Proposal for a regulation
Recital 13
(13) For the extra-EU flights, the PIU of the Member State on whose territory the flight will land or from where the flight will depart should receive the API data from the router for all those flights, given that PNR data is collected for all those flights, in accordance with the PNR Directive (EU) 2016/681. The router should identify the flight and the corresponding PIUs using the information contained in the PNR record locator, a data element common to both the API and PNR data sets allowing for the joint processing of API data and PNR data by the PIUs.
Amendment 68 #
2022/0425(COD)
Proposal for a regulation
Recital 13 a (new)
(13a) In order to allow for the effective supervision of the compliance of the Member States with the requirements of the Court of Justice of the European Union (‘CJEU’) by the national data protection authorities, this Regulation lays down a common methodology for carrying out the threat assessment based on which the Member States should operate a selection of intra-EU flights. In order to avoid divergent practices among Member States, this Regulation also sets out a list of criteria, regarding both quantitative and qualitative evidence, to be used by Member States when carrying out such assessment. Given that API can be processed for the purpose of this Regulation only insofar as PNR data is processed, the outcome of the threat assessment should be valid for the transfer and processing of both API and PNR data.
Amendment 73 #
2022/0425(COD)
Proposal for a regulation
Recital 14
(14) As regards to the intra-EU flights, in line with the case law of the CJEU, in order to avoid unduly interfering with the relevant fundamental rights of the travellers protected under the Charter and to ensure compliance with the requirements of the Union law on the free movement of persons and the abolition of internal border controls, a selective approach should be provided for. In view of the importance of ensuring that API data can be processed together with PNR data, that approach should be aligned with that of the PNR Directive (EU) 2016/681. For those reasons, API data on those flights should only be transmitted from the router to the relevant PIUs, where the Member States have selected the flights concerned in application of Article 2 of the PNR Directive (EU) 2016/681. As recalled by the CJEU, the selection entails Member States targeting the obligations in question only at, inter alia, certain routes, travel patterns or airports, subject to a regular review of that selection.
Amendment 78 #
2022/0425(COD)
Proposal for a regulation
Recital 15
(15) In order to enable the application of that selective approach under this Regulation in respect of intra-EU flights, the Member States should be required to draw up and submit to the eu-LISA the lists of the flights they selected, so that eu-LISA can ensure that API data of only those flights is transmitted from the router to the relevant PIUs and that the API data on other intra-EU flights is immediately and permanently deleted.
Amendment 82 #
2022/0425(COD)
Proposal for a regulation
Recital 16
(16) In order not to endanger the effectiveness of the system that relies on the collection and transfer of API data set up by this Regulation, and of PNR data under the system set up by the PNR Directive, in particular by creating the risk of circumvention, information on which intra-EU flights the Member States have selected should be treated in a confidential manner. For that reason, such information should not be shared with the air carriers and they should therefore be required to collect API data on all flights covered by this Regulation, including all intra-EU flights, and then transfer it to the router, where the necessary selection should be enacted. Moreover, by collecting API data on all intra-EU flights, passengers are not made aware on which selected intra-EU flights API data, and hence also PNR data, is transmitted to the PIUs in accordance with the assessment of Member States. That approach also ensures that any changes relating to that selection can be implemented swiftly and effectively, without imposing any undue economic and operational burdens on the air carriers. Nonetheless, API data should not be collected and transferred on those flights where neither the Member State of departure nor the Member State of arrival of intra-EU flights have notified the Commission with their decision to apply PNR Directive to intra-EU flights, pursuant to Article 2 of that Directive. Since such notifications are published in the Official Journal of the Union, and hence known to the public, there is in these cases no risk of circumvention.
Amendment 84 #
2022/0425(COD)
Proposal for a regulation
Recital 17
(17) In the interest of ensuring compliance with the fundamental right of the travellers to the protection of their personal data and in line with Regulation (EU) [API border management], this Regulation should identify the controllers. In the interest of effective monitoring, ensuring adequate protection of personal data and minimising security risks, rules should also be provided for on logging, security of processing and self-monitoring. Where they relate to the processing of personal data, those provisions should be understood as complementing the generally applicable acts of Union law on the protection of personal data, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council30, Directive (EU) 2016/680 of the European Parliament and the Council31 and Regulation (EU) 2018/1725 of the European Parliament and the Council32. Those acts, which also apply to the processing of personal data under this Regulation in accordance with the provisions thereof, should not be affected by this Regulation. Taking due consideration of the right of the travellers to be informed of the processing of their personal data for the purposes of this Regulation, the air carriers should inform travellers, at the moment of booking and at the moment of check-in, of the purpose of the collection of their personal data and of their rights as data subjects.
_________________
30 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, p. 1.
31 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ L 119, 4.5.2016, p. 89.
32 Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC, OJ L 295, 21.11.2018, p. 39.
Amendment 87 #
2022/0425(COD)
Proposal for a regulation
Recital 18
Amendment 90 #
2022/0425(COD)
Proposal for a regulation
Recital 20
(20) In order to allow both the air carriers and the PIUs to make the most efficient use of their connections to the router, to prevent any duplication of passenger data transfers and processing, and to ensure compliance with the CJEU case-law and enhance the related monitoring and supervision, this Regulation provides for the mandatory use of the router by the air carriers for transferring PNR data, and for the PIUs for receiving such data. This should constitute the only necessary and available means for the Member States to require air carriers to comply with the obligations related to transferring of PNR data as foreseen by the PNR Directive.
Amendment 92 #
2022/0425(COD)
Proposal for a regulation
Recital 21
(21) It cannot be excluded that, due to exceptional circumstances and despite all reasonable measures having been taken in accordance with this Regulation and, as regards the router, Regulation (EU) [API border management], the router or the systems or infrastructure connecting the PIUs and the air carriers thereto fail to function properly, thus leading to a technical impossibility to use the router to transmit API and PNR data. Given the unavailability of the router and that it will generally not be reasonably possible for air carriers to transfer the API and PNR data affected by the failure in a lawful, secure, effective and swift manner through alternative means, the obligation for air carriers to transfer that API and PNR data to the router should cease to apply for as long as the technical impossibility persists. In order to minimise the duration and negative consequences thereof, the parties concerned should in such a case immediately inform each other and immediately take all necessary measures to address the technical impossibility. This arrangement should be without prejudice to the obligations under this Regulation of all parties concerned to ensure that the router and their respective systems and infrastructure function properly, as well as the fact that air carriers are subject to penalties when they fail to meet those obligations, including when they seek to rely on this arrangement where such reliance is not justified. In order to deter such abuse and to facilitate supervision and, where necessary, the imposition of penalties, air carriers that rely on this arrangement on account of the failure of their own system and infrastructure should report thereon to the competent supervisory authority.
Amendment 93 #
2022/0425(COD)
Proposal for a regulation
Recital 22
(22) In order to ensure that the rules of this Regulation are applied effectively by air carriers, provision should be made for the designation and empowerment of national authorities charged with the supervision of those rules. The rules of this Regulation on such supervision, including as regards to the imposition of penalties where necessary, should leave the tasks and powers of the supervisory authorities established in accordance with Regulation (EU) 2016/679 and Directive (EU) 2016/680 unaffected, including in relation to the processing of personal data under this Regulation.
Amendment 95 #
2022/0425(COD)
Proposal for a regulation
Recital 23
(23) Effective, proportionate and dissuasive penalties, including financial ones, should be provided for by Member States against those air carriers failing to meet their obligations regarding the collection and transfer of API and PNR data under this Regulation.
Amendment 96 #
2022/0425(COD)
Proposal for a regulation
Recital 23 a (new)
Amendment 100 #
2022/0425(COD)
Proposal for a regulation
Recital 25
(25) All interested parties, and in particular the air carriers and the PIUs, should be afforded sufficient time to make the necessary preparations to be able to meet their respective obligations under this Regulation, taking into account that some of those preparations, such as those regarding the obligations on the connection to and integration with the router, can only be finalised when the design and development phases of the router have been completed and the router starts operations. Therefore, this Regulation should apply only from an appropriate date after the date at which the router starts operations, as specified by the Commission in accordance with this Regulation and the Regulation (EU) [API border management]. However, it should be possible for the Commission to adopt delegated acts under this Regulation already from an earlier date, so as to ensure that the system set up by this Regulation is operational as soon as possible.
Amendment 107 #
2022/0425(COD)
Proposal for a regulation
Article 1 – paragraph 1 – point c
(c) the transmission from the router to the Passenger Information Units (‘PIUs’) of the API data and PNR data on extra-EU flights and selected intra-EU flights.
Amendment 117 #
2022/0425(COD)
Proposal for a regulation
Article 3 – paragraph 1 – point c
(c) ‘intra-EU flight’ means any flight as defined in Article 3, point (3), of Directive (EU) 2016/681, with the exception of those flights for which neither the Member State from where the flight is scheduled to depart, nor the Member State where the flight is scheduled to land, have notified their decision to apply Directive 2016/681 to intra-EU flights, pursuant to Article 2 of that Directive;
Amendment 120 #
2022/0425(COD)
Proposal for a regulation
Article 3 – paragraph 1 – point g
(g) ‘crew’ means any person as defined in Article 3, point (i), of Regulation (EU) [API border management];
Amendment 124 #
2022/0425(COD)
Proposal for a regulation
Article 3 – paragraph 1 – point h
(h) ‘traveller’ means any person as defined in Article 3, point (j), of Regulation (EU) [API border management];
Amendment 125 #
2022/0425(COD)
Proposal for a regulation
Article 3 – paragraph 1 – point i
(i) ‘advance passenger information data’ or ‘API data’ means the data as defined in Article 3, point (k), of Regulation (EU) [API border management];
Amendment 126 #
2022/0425(COD)
Proposal for a regulation
Article 3 – paragraph 1 – point n
(n) ‘the router’ means the router as defined in Article 5c (new) and Article 3, point (m) of Regulation (EU) [API border management];
Amendment 128 #
2022/0425(COD)
Proposal for a regulation
Article -4 (new)
Amendment 129 #
2022/0425(COD)
Proposal for a regulation
Article 4 – title
Amendment 130 #
2022/0425(COD)
Proposal for a regulation
Article 4 – paragraph 1
Amendment 138 #
2022/0425(COD)
Proposal for a regulation
Article 4 – paragraph 3 – subparagraph 1
Air carriers shall collect the alphanumerical API data referred to in Article 43a(new)(2), points (a) to (d), of Regulation (EU) [API border management] using automated means to collect the machine-readable data of the travel document of the traveller concerned. Air carriers shall collect that data during the check-in procedures, either as part of the online check-in or as part of the check-in at the airport. They shall do so in accordance with the detailed technical requirements and operational rules referred to in paragraph 5, where such rules have been adopted and are applicable. Specifically, the collection of API data with automated means shall not lead to the collection of any biometric data contained in the travel document. The collection of API data shall not imply any checks at the moment of boarding of the traveller. Compliance with this Regulation shall not imply any obligation to carry a travel document at the moment of boarding.
Amendment 143 #
2022/0425(COD)
Proposal for a regulation
Article 4 – paragraph 3 – subparagraph 2
Amendment 148 #
2022/0425(COD)
Proposal for a regulation
Article 4 – paragraph 5
5. The Commission is empowered to adopt delegated acts in accordance with Article 19 to supplement this Regulation by laying down detailed technical requirements and operational rules for the collection of the API data referred to in Article 43a(new)(2), points (a) to (d), of Regulation (EU) [API border management] using automated means in accordance with paragraphs 3 and 4 of this Article.
Amendment 161 #
2022/0425(COD)
Proposal for a regulation
Article 4 – paragraph 8 – subparagraph 2
Where the air carriers obtain the awareness referred to in point (a) of the first subparagraph of this paragraph after having completed the transfer of the data in accordance with paragraph 6, they shall immediately inform the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA). Upon receiving such information, eu-LISA shall immediately inform the PIUs that received such API data transmitted through the router.
Amendment 164 #
2022/0425(COD)
Proposal for a regulation
Article 4 – paragraph 9 a (new)
9a. In accordance with Directive 2016/681, air carriers shall also transfer PNR data to the router, insofar as these data are collected in the normal course of their business, for the transmission of these data from the router to the respective PIUs in accordance with Article 5(4). This shall be the only necessary and available means for air carriers to transfer PNR data in accordance with Article 8(1) of Directive 2016/681.
Amendment 167 #
2022/0425(COD)
Proposal for a regulation
Article 5 – paragraph 1 – subparagraph 1
The router shall, immediately and in an automated manner, transmit the API data, transferred to it by air carriers pursuant to Article 4, to the PIUs of the Member State on whose territory the flight will land or from the territory of which the flight will depart, or to both in the case of intra-EU flights. Where a flight has one or more stop-overs on the territory of a Member State other than the one from which it departed, the router shall transmit the API data to the PIUs of all the Member States concerned.
Amendment 171 #
2022/0425(COD)
Proposal for a regulation
Article 5 – paragraph 1 – subparagraph 2
For the purpose of such transmissions, eu-LISA shall establish and keep up-to-date a table of correspondence between the different airports of origin and destination and the countries to which they belong.
Amendment 175 #
2022/0425(COD)
Proposal for a regulation
Article 5 – paragraph 1 – subparagraph 3
However, for intra-EU flights, the router shall transmit only API data in respect of the flights included in the list referred to in paragraph 2 to the applicable PIUs.
Amendment 184 #
2022/0425(COD)
Proposal for a regulation
Article 5 – paragraph 3 a (new)
3a. This provision shall apply mutatis mutandis to the transmission of PNR data from the router to the PIUs of the Member States in accordance with Article 8(1) of Directive 2016/681. This shall be the only means for PIUs to receive PNR data from air carriers.
Amendment 186 #
2022/0425(COD)
Proposal for a regulation
Article 5 a (new)
Article 5a
Methodology for the selection of intra-EU flights
1. For the purpose of establishing the list referred to in paragraph 2 of Article 5, Member States shall carry out a thorough threat assessment.
2. Such threat assessment shall be carried out in an objective, duly reasoned and non-discriminatory manner. In particular such assessment shall not be purely based on the nationality, sex, age, race, colour, ethnic origin, language, religion or belief, or membership of a national minority of the travellers.
3. The outcome of that threat assessment shall be subject to regular review. Its validity shall be limited in time to what is strictly necessary and shall in any case not exceed 3 months unless it is extended, based on objective necessity. The frequency of the review shall reflect the nature of information referred to in 5b(new)(2)(b).
4. Member States shall keep all relevant documentation justifying the outcome of the threat assessment and its possible prolongation. In order to allow for effective supervision, Member States shall make that documentation available to the competent national data protection authorities referred to in article 41 of Directive 2016/680.
Amendment 188 #
2022/0425(COD)
Proposal for a regulation
Article 5 b (new)
Article 5b
Substantive criteria for the selection of intra-EU flights
1. Member States shall base their threat assessment, referred to in Article 5a(new) on information and considerations regarding:
a. the proportionality of interfering with the fundamental rights laid down in Articles 7 and 8 of the Charter in relation to the importance of the objective of general interest;
b. the duration of the selection and thus interference with fundamental rights;
c. the general level of threat identified at national and Union level, solely in relation to terrorist and serious criminal offences within the scope of this Regulation; and
d. the specific level of threat identified on a particular intra-EU flight, in the context of one or several terrorist and serious criminal offences within the scope of this Regulation, relating, inter alia, to a certain route, travel pattern or airport.
2. When assessing the specific level of threat identified on a particular flight, Member States shall use:
a. Statistical information on the previous results of the automated processing of PNR data of passengers on that particular flight or route;
b. Objective, duly reasoned, non-discriminatory and documented information received by their authorities competent for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, such as information on new criminal trends and changes in the modus operandi.
Such assessment shall not be purely based on the nationality, sex, age, race, colour, ethnic origin, language, religion or belief, or membership of a national minority of the travellers.
Amendment 191 #
Amendment 192 #
2022/0425(COD)
Proposal for a regulation
Article -6 (new)
Amendment 193 #
2022/0425(COD)
Proposal for a regulation
Article -6 a (new)
Article -6a
Exclusive use of the router
Notwithstanding the use of the router in Article 10 of Regulation (EU) [API border management], the router shall only be used by air carriers to transfer API and PNR data, and by PIUs to receive API and PNR data for extra-EU flights and selected intra-EU flights, in accordance with this Regulation.
Amendment 194 #
2022/0425(COD)
Proposal for a regulation
Article -6 b (new)
Amendment 195 #
2022/0425(COD)
Proposal for a regulation
Article 6 – paragraph -1 (new)
Amendment 198 #
2022/0425(COD)
Proposal for a regulation
Article 6 – paragraph 4 – subparagraph 2
However, if those logs are needed for procedures for monitoring or ensuring the security and integrity of the API data or the lawfulness of the processing operations, as referred to in paragraph 2, and those procedures have already begun at the moment of the expiry of the time period referred to in the first subparagraph, air carriers shall keep those logs for as long as necessary for those procedures. In that case, they shall immediately delete those logs when they are no longer necessary for those procedures.
Amendment 201 #
2022/0425(COD)
Proposal for a regulation
Article 7 – paragraph 2 a (new)
Amendment 203 #
2022/0425(COD)
Proposal for a regulation
Article 7 a (new)
Article 7a
Personal data processor
eu-LISA shall be the processor within the meaning of Article 3, point (9), of Directive 2016/680 (EU) 2018/1725 for the processing of API data constituting personal data through the router in accordance with this Regulation.
Amendment 205 #
2022/0425(COD)
Proposal for a regulation
Article 7 b (new)
Amendment 206 #
2022/0425(COD)
Proposal for a regulation
Article 7 c (new)
Article 7c
Fundamental Rights
1. Collection and processing of personal data in accordance with this Regulation and Regulation (EU) [API border management] by air carriers and competent authorities shall not result in discrimination against persons on the grounds of sex and gender, race, colour, ethnic or social origin, genetic features, language, religion or belief, political or any other opinion, membership of a national minority, property, birth, disability, age or sexual orientation.
2. This Regulation shall fully respect human dignity and the fundamental rights and principles recognised by the Charter of Fundamental Rights of the European Union, including the right to respect for one’s private life, to the protection of personal data and to freedom of movement.
3. Particular attention shall be paid to children, the elderly, persons with a disability and vulnerable persons. The best interests of the child shall be a primary consideration when implementing this Regulation.
Amendment 207 #
2022/0425(COD)
Proposal for a regulation
Article 8 – paragraph 1
1. PIUs and air carriers shall ensure the security of the API data, in particular API data constituting personal data, that they process pursuant to this Regulation.
Amendment 209 #
2022/0425(COD)
2. PIUs and air carriers shall cooperate, in accordance with their respective responsibilities and in compliance with Union law, with each other and with eu-LISA to ensure such security.
Amendment 210 #
2022/0425(COD)
Proposal for a regulation
Article 8 – paragraph 2 a (new)
2a. eu-LISA shall ensure the security of the API data, in particular API data constituting personal data, that it processes pursuant to this Regulation. The competent border authorities and the air carriers shall ensure the security of the API data, in particular API data constituting personal data, that they process pursuant to this Regulation. eu-LISA, the competent border authorities and the air carriers shall cooperate, in accordance with their respective responsibilities and in compliance with Union law, with each other to ensure such security.
Amendment 211 #
2022/0425(COD)
Proposal for a regulation
Article 8 – paragraph 2 b (new)
2b. In particular, eu-LISA shall take the necessary measures to ensure the security of the router and the API data, in particular API data constituting personal data, transmitted through the router, including by establishing, implementing and regularly updating a security plan, a business continuity plan and a disaster recovery plan, in order to:
(a) physically protect the router, including by making contingency plans for the protection of critical components thereof;
(b) prevent any unauthorised processing of the API data, including any unauthorised access thereto and copying, modification or deletion thereof, both during the transfer of the API data to and from the router and during any storage of the API data on the router where necessary to complete the transmission, in particular by means of appropriate encryption techniques;
(c) ensure that it is possible to verify and establish to which competent border authorities or PIUs the API data is transmitted through the router;
(d) properly report to its Management Board any faults in the functioning of the router;
(e) monitor the effectiveness of the security measures required under this Article and under Regulation (EU) 2018/1725, and assess and update those security measures where necessary in the light of technological or operational developments.
The measures referred to in the first subparagraph of this paragraph shall not affect Article 33 of Regulation (EU) 2018/1725 and Article 32 of Regulation (EU) 2016/679.
Amendment 213 #
2022/0425(COD)
Proposal for a regulation
Article 9 a (new)
Article 9a
Personal data protection audits
1. The competent national data protection authorities referred to in Article 41 of Directive 2016/680 shall ensure that an audit of processing operations of API data constituting personal data performed by the PIUs for the purposes of this Regulation is carried out, in accordance with relevant international auditing standards, at least once every two years.
2. The European Data Protection Supervisor shall ensure that an audit of processing operations of API data constituting personal data performed by eu-LISA for the purposes of this Regulation is carried out in accordance with relevant international auditing standards at least once every year. A report of that audit shall be sent to the European Parliament, to the Council, to the Commission, to the Member States and to eu-LISA. eu-LISA shall be given an opportunity to make comments before the reports are adopted.
3. In relation to the processing operations referred to in paragraph 2, upon request, eu-LISA shall supply information requested by the European Data Protection Supervisor, shall grant the European Data Protection Supervisor access to all the documents it requests and to the logs referred to in Article 6, and shall allow the European Data Protection Supervisor access to all eu-LISA’s premises at any time.
Amendment 217 #
2022/0425(COD)
Proposal for a regulation
Article 11 a (new)
Article 11a
eu-LISA’s tasks relating to the design and development of the router
1. eu-LISA shall be responsible for the design of the physical architecture of the router, including defining the technical specifications.
2. eu-LISA shall be responsible for the development of the router, including for any technical adaptations necessary for the operation of the router. The development of the router shall consist of the elaboration and implementation of the technical specifications, testing and overall project management and coordination of the development phase.
3. eu-LISA shall ensure that the router is designed and developed in such a manner that the router provides the functionalities specified in this Regulation, and that the router starts operations as soon as possible after the adoption by the Commission of the delegated acts provided for in Article 4(5) and (9), Article 5(3), Article 10(2), Article 11(2).
4. Where eu-LISA considers that the development phase has been completed, it shall, without undue delay, conduct a comprehensive test of the router, in cooperation with the competent border authorities, PIUs and other relevant Member States’ authorities and air carriers and inform the Commission of the outcome of that test.
Amendment 219 #
2022/0425(COD)
Proposal for a regulation
Article 11 b (new)
Amendment 220 #
2022/0425(COD)
Proposal for a regulation
Article 11 c (new)
Article 11c
eu-LISA’s support tasks relating to the router
1. eu-LISA shall, upon their request, provide training to competent border authorities, PIUs and other relevant Member States’ authorities and air carriers on the technical use of the router.
2. eu-LISA shall provide support to the competent border authorities and PIUs regarding the reception of API data through the router pursuant to this Regulation, in particular as regards the application of Articles 5 and 10 of this Regulation.
Amendment 221 #
2022/0425(COD)
Proposal for a regulation
Article 12 – title
Costs of eu-LISA and of Member States’ costs
Amendment 222 #
2022/0425(COD)
Proposal for a regulation
Article 12 – paragraph 1 – subparagraph 1
Costs incurred by eu-LISA and the Member States in relation to their connections to and integration with the router referred to in Article 10 shall be borne by the general budget of the Union.
Amendment 226 #
2022/0425(COD)
Proposal for a regulation
Article 14 a (new)
Article 14a
Start of operations of the router
The Commission shall determine, without undue delay, the date from which the router starts operations by means of an implementing act once eu-LISA has informed the Commission of the successful completion of the comprehensive test of the router referred to in Article 11a(new)(4). That implementing act shall be adopted in accordance with the examination procedure referred to in Article 18a(new)(2).
The Commission shall set the date referred to in the first subparagraph to be no later than 30 days from the date of the adoption of that implementing act.
Amendment 227 #
2022/0425(COD)
Proposal for a regulation
Article 14 b (new)
Amendment 228 #
2022/0425(COD)
Proposal for a regulation
Article 14 c (new)
Article 14c
Use of the router for PNR data
The provisions of Chapters 3 and 4 shall apply mutatis mutandis to the mandatory transfer and transmission of PNR data through the router.
Amendment 232 #
2022/0425(COD)
Proposal for a regulation
Article 16 a (new)
Amendment 237 #
2022/0425(COD)
Proposal for a regulation
Article 18 a (new)
Article 18a
Committee procedure
1. The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.
2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply. Where the committee delivers no opinion, the Commission shall not adopt the draft implementing act and Article 5(4), the third subparagraph, of Regulation (EU) No 182/2011 shall apply.
Amendment 240 #
2022/0425(COD)
Proposal for a regulation
Article 20 – paragraph -1 (new)
-1. eu-LISA shall ensure that procedures are in place to monitor the development of the router in light of objectives relating to planning and costs, and to monitor the functioning of the router in light of objectives relating to the technical output, cost-effectiveness, security and quality of service.
Amendment 241 #
2022/0425(COD)
Proposal for a regulation
Article 20 – paragraph -1 a (new)
-1a. By [one year after the date of entry into force of this Regulation] and every year thereafter during the development phase of the router, eu-LISA shall produce a report, and submit it to the European Parliament and to the Council on the state of play of the development of the router. That report shall contain detailed information about the costs incurred and about any risks which may impact the overall costs to be borne by the general budget of the Union in accordance with Article 12.
Amendment 242 #
2022/0425(COD)
Proposal for a regulation
Article 20 – paragraph -1 b (new)
-1b. Once the router starts operations, eu-LISA shall produce a report and submit it to the European Parliament and to the Council explaining in detail how the objectives, in particular relating to planning and costs, were achieved as well as justifying any divergences.
Amendment 247 #
2022/0425(COD)
Proposal for a regulation
Article 21 – paragraph 2
It shall apply from two years from the date at which the router starts operations, specified by the Commission in accordance with Article 14a(new).
Amendment 248 #
2022/0425(COD)
However, Article 4(5) and (9), Article 5(3), Article 10(2), Article 11(2), Article 18a(new) and Article 19 shall apply from [Date of entry into force of this Regulation].
Amendment 72 #
2022/0424(COD)
Proposal for a regulation
Recital 2
(2) The use of traveller data and flight information transferred ahead of the arrival of travellers, known as advance passenger information (‘API’) data, contributes to the speeding up of the process of carrying out the required checks during the border-crossing process. For the purposes of this Regulation that process concerns, more specifically, the crossing of borders between a third country or a Member State not participating in this Regulation, on the one hand, and a Member State participating in this Regulation, on the other hand. Such use could strengthens checks at those external borders by providing sufficient time to enable detailed and comprehensive checks to be carried out on all travellers, without having a disproportionate negative effect on persons travelling in good faith. Therefore, in the interest of the effectiveness and efficiency of checks at external borders, an appropriate legal framework should be provided for to ensure that Member States’ competent border authorities at such external border crossing points have access to API data prior to the arrival of travellers.
Amendment 74 #
2022/0424(COD)
Proposal for a regulation
Recital 5
(5) In order to ensure as consistent an approach as possible at the Union level and in view of the rules on the collection of API data applicable at that level, the updated legal framework established by this Regulation should take into account the relevant practices internationally agreed with the air industry and, specifically in the context of the World Customs Organisation, International Aviation Transport Association and International Civil Aviation Organisation Guidelines on Advance Passenger Information.
Amendment 75 #
2022/0424(COD)
Proposal for a regulation
Recital 6
(6) The collection and transfer of API data affects the privacy of individuals and entails the processing of their personal data. In order to fully respect their fundamental rights, in particular the right of respect for private life and the right to the protection of personal data, in accordance with the Charter of Fundamental Rights of the European Union (‘Charter’), adequate limits and safeguards should be provided for. In particular, any processing of API data and, in particular, API data constituting personal data, should remain strictly limited to what is necessary for and proportionate to achieving the objectives pursued by this Regulation. In addition, it should be ensured that the processing of any API data collected and transferred under this Regulation does not lead to any form of discrimination precluded by the Charter.
Amendment 77 #
2022/0424(COD)
Proposal for a regulation
Recital 7
(7) In order to achieve its objectives, this Regulation should apply to all air carriers conducting flights into the Union, as defined in this Regulation, covering both scheduled and non-scheduled flights, irrespective of the place of establishment of the air carriers conducting those flights.
Amendment 81 #
2022/0424(COD)
Proposal for a regulation
Recital 8
(8) In the interest of effectiveness and legal certainty, the items of information that jointly constitute the API data to be collected and subsequently transferred under this Regulation should be listed clearly and exhaustively, covering both information relating to each traveller and information on the flight taken by that traveller. Such flight information should cover information on the border crossing point of entry into the territory of the Member State concerned in all cases covered by this Regulation. However, such information should be collected only where applicable under Regulation (EU) [API law enforcement], that is, not when the API data relate to intra-EU flights.
Amendment 83 #
2022/0424(COD)
Proposal for a regulation
Recital 9
(9) In order to allow for flexibility and innovation, it should in principle be left to each air carrier to determine how it meets its obligations regarding the collection of API data set out in this Regulation. However, considering that suitable technological solutions exist that allow collecting certain API data automatically while guaranteeing that the API data concerned is accurate, complete and up-to-date, and having regard to the advantages of the use of such technology in terms of effectiveness and efficiency, air carriers should be required to collect the API data using automated means, specifically by reading information from the machine-readable data of the travel document. The collection of API data by automated means should be limited to the alphanumerical data contained in the travel document and should not lead to the collection of any biometric data from it.
Amendment 86 #
2022/0424(COD)
Proposal for a regulation
Recital 10
(10) Automated means enable travellers to provide certain API data themselves during an online check-in process. Such means could, for example, include a secure app on a traveller’s smartphone, computer or webcam with the capability to read the machine-readable data of the travel document. Where the travellers did not check-in online, air carriers should in practice provide them with the possibility to provide the required machine-readable API data concerned during the check-in at the airport, with the assistance of a self-service kiosk or of airline staff at the counter.
Amendment 88 #
2022/0424(COD)
Proposal for a regulation
Recital 11
(11) The Commission should be empowered to adopt technical requirements and procedural rules that air carriers should comply with regarding the use of automated means for the collection of machine-readable API data under this Regulation, so as to increase clarity and legal certainty and to contribute to ensuring data quality and the responsible use of the automated means.
Amendment 101 #
2022/0424(COD)
Proposal for a regulation
Recital 17
(17) In order to avoid that air carriers have to establish and maintain multiple connections with the competent border authorities of the Member States for the transfer of API data collected under this Regulation and the related inefficiencies and security risks, provision should be made for a single router, created and operated at Union level, that serves as a connection and distribution point for those transfers. In the interest of efficiency and cost effectiveness, the router should, to the extent technically possible and in full respect of the rules of this Regulation and Regulation (EU) [API law enforcement], rely on technical components from other relevant systems created under Union law. To provide for the same level of clarity and certainty, the provisions related to the router, security and support tasks by eu-LISA should be mirrored in this Regulation and Regulation (EU) [API law enforcement], as eu-LISA should build and maintain only one router for the purposes of both Regulations.
Amendment 105 #
2022/0424(COD)
Proposal for a regulation
Recital 19
(19) The router should serve only to facilitate the transmission of API data from the air carriers to the competent border authorities in accordance with this Regulation and to PIUs in accordance with Regulation (EU) [API law enforcement], and should not be a repository of API data. Therefore, and in order to minimise any risk of unauthorised access or other misuse and in accordance with the principle of data minimisation, any storage of the API data on the router should remain limited to what is strictly necessary for technical purposes related to the transmission and the API data should be deleted from the router, immediately, permanently and in an automated manner, from the moment that the transmission has been completed or, where relevant under Regulation (EU) [API law enforcement], the API data is not to be transmitted at all.
Amendment 113 #
2022/0424(COD)
Proposal for a regulation
Recital 23
(23) In view of the Union interests at stake, the costs incurred by eu-LISA for the performance of its tasks under this Regulation and Regulation (EU) [API law enforcement] in respect of the router should be borne by the Union budget. The same should go for appropriate costs incurred by the Member States in relation to their connections to, and integration with, the router, as required under this Regulation and in accordance with the applicable legislation, subject to certain exceptions. The costs covered by those exceptions should be borne by each Member State concerned itself.
Amendment 114 #
2022/0424(COD)
Proposal for a regulation
Recital 25
(25) In the interest of ensuring compliance with the fundamental right of the travellers to the protection of their personal data, this Regulation should identify the controller and processor and set out rules on audits. In the interest of effective monitoring, ensuring adequate protection of personal data and minimising security risks, rules should also be provided for on logging, security of processing and self-monitoring. Where they relate to the processing of personal data, those provisions should be understood as complementing the generally applicable acts of Union law on the protection of personal data, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council [34] and Regulation (EU) 2018/1725 of the European Parliament and the Council [35]. Those acts, which also apply to the processing of personal data under this Regulation in accordance with the provisions thereof, should not be affected by this Regulation. Taking due consideration of the right of the travellers to be informed of the processing of their personal data for the purposes of this Regulation, the air carriers should inform travellers, at the moment of booking and at the moment of check-in, of the purpose of the collection of their personal data and of their rights as data subjects.
[34] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
[35] Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
Amendment 118 #
2022/0424(COD)
Proposal for a regulation
Recital 30
(30) As the router should be designed, developed, hosted and technically managed by eu-LISA, established by Regulation (EU) 2018/1726 of the European Parliament and of the Council [36], it is necessary to amend that Regulation by adding that task to the tasks of eu-LISA. In order to store reports and statistics of the router on the Common Repository for Reporting and Statistics it is necessary to amend Regulation (EU) 2019/817 of the European Parliament and of the Council [37]. The Common Repository for Reporting and Statistics should only provide statistics based on API data for the implementation and effective supervision of this Regulation. The data that the router automatically transmits to the Common Repository for Reporting and Statistics to that end should not allow for the identification of the travellers concerned.
[36] Regulation (EU) 2018/1726 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), and amending Regulation (EC) No 1987/2006 and Council Decision 2007/533/JHA and repealing Regulation (EU) No 1077/2011 (OJ L 295, 21.11.2018, p. 99).
[37] Regulation (EU) 2019/817 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of borders and visa and amending Regulations (EC) No 767/2008, (EU) 2016/399, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1726 and (EU) 2018/1861 of the European Parliament and of the Council and Council Decisions 2004/512/EC and 2008/633/JHA (OJ L 135, 22.5.2019, p. 27).
Amendment 127 #
2022/0424(COD)
Proposal for a regulation
Article 1 – paragraph 1 – introductory part
For the purposes of enhancing and facilitating the effectiveness and efficiency of border checks at external borders and of combating illegal immigration, this Regulation lays down the rules on:
Amendment 150 #
2022/0424(COD)
Proposal for a regulation
Article 3 – paragraph 1 – point l
(l) ‘Passenger Information Unit’ or ‘PIU’ means the competent authority referred to in Article 3, point ik, of Regulation (EU) [API law enforcement];
Amendment 152 #
2022/0424(COD)
Proposal for a regulation
Article 4 – paragraph 1
1. Air carriers shall collect API data of travellers, consisting of the traveller data and the flight information specified in paragraphs 2 and 3 of this Article, respectively, on the flights referred to in Article 2, for the purpose of transferring that API data to the router in accordance with Article 6. Where the flight is code-shared between one or more air carriers, the obligation to transfer the API data shall be on the air carrier that operates the flight.
Amendment 163 #
2022/0424(COD)
Proposal for a regulation
Article 5 – paragraph 2 – subparagraph 1
Air carriers shall collect the alphanumerical API data referred to in Article 4(2), points (a) to (d), using automated means to collect the machine-readable data of the travel document of the traveller concerned. Air carriers shall collect that data during the check-in procedures, either as part of the online check-in or as part of the check-in at the airport. They shall do so in accordance with the detailed technical requirements and operational rules referred to in paragraph 4, where such rules have been adopted and are applicable. Specifically, the collection of API data with automated means shall not lead to the collection of any biometric data from the travel document.
Amendment 168 #
2022/0424(COD)
Proposal for a regulation
Article 5 – paragraph 3
3. Any automated means used by air carriers to collect API data under this Regulation shall be reliable, secure and up-to-date. Air carriers shall ensure that API data is encrypted during the transmission of the data from the traveller to the air carriers.
Amendment 176 #
2022/0424(COD)
Proposal for a regulation
Article 7 – paragraph 1
The competent border authorities shall process API data, transferred to them in accordance with this Regulation, solely for the purposes referred to in Article 1. The competent border authorities shall under no circumstances process API data for the purposes of profiling.
Amendment 181 #
2022/0424(COD)
Proposal for a regulation
Article 8 – paragraph 1
1. Air carriers shall store, for a time period of 248 hours from the moment of departure of the flight, the API data relating to that passenger that they collected pursuant to Article 4. They shall immediately and permanently delete that API data after the expiry of that time period.
Amendment 186 #
2022/0424(COD)
Proposal for a regulation
Article 8 – paragraph 2
2. The competent border authorities shall store, for a time period of 248 hours from the moment of departure of the flight, the API data relating to that passenger that they received through the router pursuant to Article 11. They shall immediately and permanently delete that API data after the expiry of that time period.
Amendment 196 #
2022/0424(COD)
Proposal for a regulation
Article 9 – paragraph 1
1. eu-LISA shall design, develop, host and technically manage, in accordance with Articles 22 and 23, a router for the purpose of facilitating the transfer of API data by the air carriers to the competent border authorities and to the PIUs in accordance with this Regulation and Regulation (EU) [API law enforcement], respectively.
Amendment 203 #
2022/0424(COD)
Proposal for a regulation
Article 9 – paragraph 3 a (new)
3a. eu-LISA shall design and develop the router in a way that for any transfer of API data from the air carriers to the router in accordance with Article 6, and for any transmission of API data from the router to the competent border authorities in accordance with Article 11 and to the central repository for reporting and statistics in accordance with Article 31(2), the API data is encrypted during transit.
Amendment 206 #
2022/0424(COD)
Proposal for a regulation
Article 10 – paragraph 1
Amendment 220 #
2022/0424(COD)
Proposal for a regulation
Article 12 – paragraph 1 – introductory part
API data, transferred to the router pursuant to this Regulation and Regulation (EU) [API law enforcement], shall be stored on the router only insofar as necessary to complete the transmission to the relevant competent border authorities or PIUs, as applicable, in accordance with those Regulations and shall be deleted from the router, immediately, permanently and in an automated manner, in both of the following situations:
Amendment 222 #
2022/0424(COD)
Proposal for a regulation
Article 12 – paragraph 1 – point a
(a) where the transmission of the API data to the relevant competent border authorities or PIUs, as applicable, has been completed;
Amendment 223 #
2022/0424(COD)
Proposal for a regulation
Article 12 – paragraph 1 – point a a (new)
(aa) in cases of technical impossibility of the router to subsequently transmit the API data to the competent national authorities, after 12 hours;
Amendment 226 #
2022/0424(COD)
Proposal for a regulation
Article 12 – paragraph 1 – point b
Amendment 228 #
2022/0424(COD)
eu-LISA shall keep logs of all processing operations relating to the transfer of API data through the router under this Regulation and Regulation (EU) [API law enforcement]. Those logs shall cover the following:
Amendment 229 #
2022/0424(COD)
Proposal for a regulation
Article 13 – paragraph 1 – subparagraph 1 – point b
(b) the competent border authorities and PIUs to which the API data was transmitted through the router;
Amendment 232 #
2022/0424(COD)
Proposal for a regulation
Article 13 – paragraph 3
3. The logs referred to in paragraphs 1 and 2 shall be used only for ensuring the security and integrity of the API data and the lawfulness of the processing, in particular as regards compliance with the requirements set out in this Regulation and Regulation (EU) [API Law Enforcement], including proceedings for penalties for infringements of those requirements in accordance with Articles 29 and 30 of this Regulation.
Amendment 238 #
2022/0424(COD)
Proposal for a regulation
Article 15 – paragraph 1
The competent border authorities shall be controllers, within the meaning of Article 4, point (7), of Regulation (EU) 2016/679, in relation to the processing of API data constituting personal data through the router, including the transmission of the data from the router to the authorities and the storage for technical reasons of that data in the router, as well as in relation to their processing of API data constituting personal data referred to in Article 7 of this Regulation.
Amendment 241 #
2022/0424(COD)
Proposal for a regulation
Article 16 – paragraph 1
eu-LISA shall be the processor on behalf of the competent border authorities within the meaning of Article 3, point (12), of Regulation (EU) 2018/1725 for the processing of API data constituting personal data through the router in accordance with this Regulation and Regulation (EU) [API law enforcement].
Amendment 243 #
2022/0424(COD)
Proposal for a regulation
Article 16 a (new)
Article 16a
Information to travellers
In accordance with the right of information in Article 13 of Regulation (EU) 2016/679, air carriers shall provide travellers, on flights covered by this Regulation, with information on the purpose of the collection of personal data, the type of data collected, the recipients of the personal data and the means to exercise the data subject rights. This information should be communicated to travellers in writing and in an easily accessible format at the moment of booking and at the moment of check-in, irrespective of the means used to collect the data at the moment of check-in in accordance with Article 5.
Amendment 246 #
2022/0424(COD)
Proposal for a regulation
Article 17 – paragraph 1
1. eu-LISA shall ensure the security of the API data, in particular API data constituting personal data, that it processes pursuant to this Regulation and Regulation (EU) [API law enforcement]. The competent border authorities and the air carriers shall ensure the security of the API data, in particular API data constituting personal data, that they process pursuant to this Regulation. eu-LISA, the competent border authorities and the air carriers shall cooperate, in accordance with their respective responsibilities and in compliance with Union law, with each other to ensure such security.
Amendment 250 #
2022/0424(COD)
Proposal for a regulation
Article 19 – paragraph 2
2. The European Data Protection Supervisor shall ensure that an audit of processing operations of API data constituting personal data performed by eu-LISA for the purposes of this Regulation and Regulation (EU) [API law enforcement] is carried out in accordance with relevant international auditing standards at least once every year. A report of that audit shall be sent to the European Parliament, to the Council, to the Commission, to the Member States and to eu-LISA. eu-LISA shall be given an opportunity to make comments before the reports are adopted.
Amendment 251 #
2022/0424(COD)
Proposal for a regulation
Article 20 – paragraph 1 – subparagraph 1
Member States shall ensure that their competent border authorities are connected to the router. They shall ensure that the competent border authorities’ systems and infrastructure for the reception of API data transferred pursuant to this Regulation are integrated with the router.
Amendment 255 #
2022/0424(COD)
Proposal for a regulation
Article 22 – paragraph 3
3. eu-LISA shall ensure that the router is designed and developed in such a manner that the router provides the functionalities specified in this Regulation and Regulation (EU) [API law enforcement], and that the router starts operations as soon as possible after the adoption by the Commission of the delegated acts provided for in Article 5(4), Article 6(3), Article 11(4), Article 20(2) and Article 21(2).
Amendment 256 #
2022/0424(COD)
Proposal for a regulation
Article 23 – paragraph 2 – subparagraph 1
eu-LISA shall be responsible for the technical management of the router, including its maintenance and technical developments, in such a manner as to ensure that the API data are securely, effectively and swiftly transmitted through the router, in compliance with this Regulation and Regulation (EU) [API law enforcement].
Amendment 257 #
2022/0424(COD)
Proposal for a regulation
Article 23 – paragraph 2 – subparagraph 2
The technical management of the router shall consist of carrying out all the tasks and enacting all technical solutions necessary for the proper functioning of the router in accordance with this Regulation, Regulation (EU) [API law enforcement], in an uninterrupted manner, 24 hours a day, 7 days a week. It shall include the maintenance work and technical developments necessary to ensure that the router functions at a satisfactory level of technical quality, in particular as regards availability, accuracy and reliability of the transmission of API data, in accordance with the technical specifications and, as much as possible, in line with the operational needs of the competent border authorities, PIUs and air carriers.
Amendment 259 #
2022/0424(COD)
Proposal for a regulation
Article 24 – paragraph 2
2. eu-LISA shall provide support to the competent border authorities and PIUs regarding the reception of API data through the router pursuant to this Regulation and Regulation (EU) [API law enforcement], respectively, in particular as regards the application of Articles 11 and 20 of this Regulation and Articles 5 and 10 of Regulation (EU) [API law enforcement].
Amendment 262 #
2022/0424(COD)
Proposal for a regulation
Article 25 – paragraph 1
1. Costs incurred by eu-LISA in relation to the design, development, hosting and technical management of the router under this Regulation and Regulation (EU) [API law enforcement] shall be borne by the general budget of the Union.
Amendment 271 #
2022/0424(COD)
Proposal for a regulation
Article 31 – paragraph 1
1. Every quarterTo support the implementation and supervision of this Regulation and based on the statistical information referred to in paragraph 5 of this Article, eu-LISA shall publish every quarter statistics on the functioning of the router, and on compliance by air carriers. The statistics shall showing in particular, the number, the nationality and the country of departure of the travellers, and specifically of the of flights for which the router transmitted API data to competent border authorities. The statistics shall also show the number of flights for which air carriers did not transfer API data, and the number of travellers who boarded the aircraft with inaccurate, incomplete or no longer up-to-date API data, with a non-recognised travel document, without a valid visa, without a valid travel authorization, or reported as overstay, the number and nationality of travellers.
Amendment 274 #
2022/0424(COD)
Proposal for a regulation
Article 31 – paragraph 2
2. eu-LISA shall store the daily statistics inFor the purposes set out in paragraph 1, the router shall automatically transmit the data listed in paragraph 5 to the central repository for reporting and statistics established in Article 39 of Regulation (EU) 2019/817 without the data allowing for the identification of the travellers concerned.
Amendment 275 #
2022/0424(COD)
Proposal for a regulation
Article 31 – paragraph 3
3. At the end of each year, to support the implementation and supervision of this Regulation, eu-LISA shall compile statistical data in an annual report for that year. It shall publish that annual report and transmit it to the European Parliament, the Council, the Commission, the European Data Protection Supervisor, the European Border and Coast Guard Agency and the national supervisory authorities referred to in Article 29.
Amendment 277 #
2022/0424(COD)
Proposal for a regulation
Article 31 – paragraph 4
4. At the request of the Commission, eu-LISA shall provide it with statistics on specific aspects related to the implementation of this Regulation and Regulation (EU) [API Law enforcement] as well as the statistics pursuant to paragraph 3.
Amendment 278 #
2022/0424(COD)
Proposal for a regulation
Article 31 – paragraph 5 – introductory part
5. eu-LISA shall have the right to access the following API data transmitted through to the router, solely for the purposes ofThe central repository for reporting and statistics shall provide eu-LISA with the statistical information necessary for the reporting referred to in Article 38 and for generating statistics in accordance with the present Article, without however such accessbased on the following data elements, and without the statistical information provided allowing for the identification of the travellers concerned:
Amendment 283 #
2022/0424(COD)
Proposal for a regulation
Article 31 – paragraph 5 – point b
(b) the nationality, sex and year of birth of the traveller;
Amendment 291 #
2022/0424(COD)
Proposal for a regulation
Article 31 – paragraph 6
6. For the purposes of the reporting referred to in Article 38 and for generating statistics in accordance with the present Article, eu-LISA shall store the data referred to in paragraph 5 of this Article in the central repository for reporting and statistics established by Article 39 of Regulation (EU) 2019/817. The cross-system statistical data and analytical reporting referred to in Article 39(1) of that Regulation shall allow the competent border authorities and other relevant authorities of the Member States to obtain customisable reports and statistics, for the purposes referred to in Article 1 of this Regulationthe central repository for reporting and statistics shall store for a period of three years the data listed in paragraph 5 that it received automatically from the router in accordance with paragraph 2, without the data allowing for the identification of the travellers concerned.
Amendment 532 #
2022/0155(COD)
Proposal for a regulation
Article 1 – paragraph 3 a (new)
3a. This Regulation shall not prohibit, weaken or undermine end-to-end encryption, prohibit providers of information society services from providing their services applying end-to-end encryption, or be interpreted in that way.
Amendment 534 #
2022/0155(COD)
Proposal for a regulation
Article 1 – paragraph 3 b (new)
3b. This Regulation shall not undermine the prohibition of general monitoring under Union law or introduce general data retention obligations, or be interpreted in that way.
Amendment 608 #
2022/0155(COD)
Proposal for a regulation
Article -3 (new)
Article -3
Protection of fundamental human rights and confidentiality in communications
1. Nothing in this Regulation shall prohibit, weaken or undermine end-to-end encryption, prohibit providers of information society services from providing their services applying end-to-end encryption or be interpreted in that way.
2. Nothing in this Regulation shall undermine the prohibition of general monitoring under Union law or introduce general data retention obligations.
Amendment 95 #
2022/0085(COD)
Proposal for a regulation
Recital 4
(4) The Union institutions, bodies and agencies are attractive targets who face highly skilled and well-resourced threat actors as well as other threats. At the same time, the level and maturity of cyber resilience and the ability to detect and respond to malicious cyber activities varies significantly across those entities. It is thus necessary for the functioning of the European administration that the institutions, bodies and agencies of the Union achieve a high common level of cybersecurity through a cybersecurity baseline (a set of minimum cybersecurity rules with which network and information systems and their operators and users have to be compliant to minimise cybersecurity risks)the implementation of cybersecurity risk management measures commensurate to the respective risks posed, information exchange and collaboration.
Amendment 97 #
2022/0085(COD)
Proposal for a regulation
Recital 6
(6) To reach a high common level of cybersecurity, it is necessary that each Union institution, body and agency establishes an internal cybersecurity risk management, governance and control framework that ensures an effective and prudent management of all cybersecurity risks, and takes account of business continuity and crisis management. The framework should lay down cybersecurity policies and priorities for the security of network and information systems encompassing the entirety of the ICT environment. The framework should be reviewed on a regular basis and at least every three years on the basis of key performance indicators to ensure that strategic objectives are met.
Amendment 99 #
2022/0085(COD)
Proposal for a regulation
Recital 7
(7) The differences between Union institutions, bodies and agencies require flexibility in the implementation since one size will not fit all. The measures for a high common level of cybersecurity should not include any obligations directly interfering with the exercise of the missions of Union institutions, bodies and agencies or encroaching on their institutional autonomy. Thus, those institutions, bodies and agencies should establish their own frameworks for cybersecurity risk management, governance and control, and adopt their own baselines and cybersecurity plans. cybersecurity risk management measures and cybersecurity plans. Union institutions, bodies, offices and agencies should continuously evaluate the effectiveness of the adopted risk management measures and their proportionality relative to the identified risks, and where necessary, adjust and revise accordingly their frameworks and plans on the basis of the results of the cybersecurity maturity assessments.
Amendment 105 #
2022/0085(COD)
Proposal for a regulation
Recital 9
(9) A high common level of cybersecurity requires cybersecurity to come under the oversight of the highest level of management of each Union institution, body and agency, who should approve a cybersecurity baseline that shouldoversee the implementation of the provisions of this Regulation and approve the establishment, and any subsequent revisions thereof, of the risk management and control framework, the corresponding cybersecurity risk management measures addressing the risks identified underin the framework to be established by eachand the cybersecurity plans of each Union institution, body, office and agency. Addressing the cybersecurity culture, i.e. the daily practice of cybersecurity, is an integral part of a cybersecurity baselinerisk management, governance and control framework and the corresponding cybersecurity risk management measures in all Union institutions, bodies, offices and agencies.
Amendment 110 #
2022/0085(COD)
Proposal for a regulation
Recital 11
(11) In May 2011, the Secretaries-General of the Union institutions and bodies decided to establish a pre-configuration team for a computer emergency response team for the Union’s institutions, bodies and agencies (CERT-EU) supervised by an inter-institutional Steering Board. In July 2012, the Secretaries-General confirmed the practical arrangements and agreed to maintain CERT-EU as a permanent entity to continue to help improve the overall level of information technology security of the Union’s institutions, bodies and agencies as an example of visible inter-institutional cooperation in cybersecurity. In September 2012, CERT-EU was established as a Taskforce of the European Commission with an interinstitutional mandate. In December 2017, the Union institutions and bodies concluded an interinstitutional arrangement on the organisation and operation of CERT-EU3. This arrangement should continue to evolve to support the implementation of this Regulation and be evaluated on a regular basis in light of future negotiations of long-term budget frameworks allowing for further decisions to be made with respect to the functioning and institutional role of CERT-EU, including the possible establishment of CERT-EU as a Union office. _________________ 3 OJ C 12, 13.1.2018, p. 1–11.
Amendment 113 #
2022/0085(COD)
Proposal for a regulation
Recital 13
(13) Many cyberattacks are part of wider campaigns that target groups of Union institutions, bodies and agencies or communities of interest that include Union institutions, bodies and agencies. To enable proactive detection, incident response or mitigating measures, and recovery from significant incidents, Union institutions, bodies and agencies should notify CERT-EU of significant cyber threats, significant vulnerabilities and significant incidents and share appropriate technical details that enable detection or mitigation of, as well as response to, similar cyber threats, vulnerabilities and recovery from similar incidents in other Union institutions, bodies and agencies. Following the same approach as the one envisaged in Directive [proposal NIS 2], where entitUnion institutions, bodies, offices and agencies become aware of a significant incident they should be required to submit an initial notificationearly warning to CERT-EU within 24 hours. Such information exchange should enable CERT-EU to disseminate the information to other Union institutions, bodies and agencies, as well as to appropriate counterparts, to help protect the Union IT environments and the Union’s counterparts’ IT environments against similar incidents, threats and vulnerabilities.
Amendment 114 #
2022/0085(COD)
Proposal for a regulation
Recital 13 a (new)
(13 a) This Regulation lays down a multiple-stages approach to reporting of significant incidents in order to strike the right balance between, on the one hand, swift reporting that helps mitigate the potential spread of incidents and allows entities to seek support, and, on the other hand, in-depth reporting that draws valuable lessons from individual incidents and improves over time the resilience of individual Union institutions, bodies, offices and agencies and contributes to increasing the overall cybersecurity posture of European administration. In this regard, the Regulation should also include reporting of incidents that, based on an initial assessment performed by the Union institution, body, office or agency, may be assumed to lead to severe operational disruption or financial losses or affect other natural or legal persons by causing considerable material or non-material losses. Such initial assessment should take into account, amongst other, the affected network and information systems and in particular their importance for the functioning and operations of the Union institution, body, office or agency, the severity and technical characteristics of a cyber threat and any underlying vulnerabilities that are being exploited as well as the Union institution, body, office or agency’s experience with similar incidents. Indicators such as the extent to which the functioning of Union institution, body, office or agency is affected, the duration of an incident or the number of affected users could play an important role in defining whether the operational disruption of the service is of severe nature.
Amendment 116 #
2022/0085(COD)
Proposal for a regulation
Recital 14 a (new)
(14 a) The IICB’s function is aimed at supporting Union institutions, bodies, offices and agencies in elevating their respective cybersecurity postures by implementing the provisions of this Regulation. In order to support Union institutions, bodies, office and agencies, the IICB could adopt guidance and recommendations towards Union institutions, bodies, offices and agencies’ cybersecurity maturity assessments and cybersecurity plans, review possible interconnections between Union institutions, bodies, offices and agencies’ ICT environments and support the establishment of a Cybersecurity Officers Group under ENISA, gathering the Local Cybersecurity Officers of all Union institutions, bodies, offices and agencies with an aim to facilitate the sharing of best practices and experiences gained from the implementation of this Regulation.
Amendment 117 #
2022/0085(COD)
Proposal for a regulation
Recital 14 b (new)
(14 b) In order to ensure alignment with Directive [proposal NIS 2], the IICB could adopt recommendations based on the results of EU coordinated risk assessments of critical supply chains referred to in Article 19 of Directive [proposal NIS 2] to support Union institutions, bodies, offices and agencies in adopting effective and proportionate risk management measures relating to supply chain security and develop guidelines for information sharing arrangements of Union institutions, bodies, offices and agencies relating to the voluntary notification of cyber threats, near misses and incidents to CERT-EU.
Amendment 119 #
2022/0085(COD)
Proposal for a regulation
Recital 16 a (new)
(16 a) Where the IICB finds that Union institutions, bodies, offices or agencies have not effectively applied or implemented this Regulation it could, without prejudice to the internal procedures of the relevant Union institution, body, office or agency, request relevant and available documentation relating to the effective implementation of the provisions of this Regulation, communicate a reasoned opinion with observed gaps in the implementation of this Regulation, invite the Union institution, body, office or agency concerned to provide a self-assessment on its reasoned and issue, in cooperation with CERT-EU, guidance to bring its respective risk management, governance and control framework, cybersecurity risk management measures, cybersecurity plans and reporting obligations in compliance with this Regulation.
Amendment 123 #
2022/0085(COD)
Proposal for a regulation
Recital 20
(20) In supporting operational cybersecurity, CERT-EU should make use of the available expertise of the European Union Agency for Cybersecurity (ENISA) through structured cooperation as provided for in Regulation (EU) 2019/881 of the European Parliament and of the Council5. Where appropriate, dedicated arrangements between the two entities should be established to define the practical implementation of such cooperation and to avoid the duplication of activities. CERT-EU should cooperate with the European Union Agency for CybersecurityENISA on threat analysis and share its threat landscape report with the Agency on a regular basis. _________________ 5 Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p. 15).
Amendment 132 #
2022/0085(COD)
Proposal for a regulation
Article 1 – paragraph -1 (new)
-1 This Regulation lays down measures aiming to achieve a high common level of cybersecurity within Union institutions, bodies, offices and agencies;
Amendment 133 #
2022/0085(COD)
Proposal for a regulation
Article 1 – paragraph 1 – introductory part
Amendment 136 #
2022/0085(COD)
Proposal for a regulation
Article 1 – paragraph 1 – point a
(a) obligations on Union institutions, bodies, offices and agencies to establish an internal cybersecurity risk management, governance and control framework;
Amendment 137 #
2022/0085(COD)
Proposal for a regulation
Article 1 – paragraph 1 – point b a (new)
(b a) rules underpinning information sharing obligations and the facilitation of voluntary information sharing arrangements for Union institutions, bodies, offices and agencies;
Amendment 138 #
2022/0085(COD)
Proposal for a regulation
Article 1 – paragraph 1 – point c
(c) rules on the organisation, tasks and operation of the Cybersecurity Centre for the Union institutions, bodies, offices and agencies (CERT-EU) and on the functioning, organisation and operation of the Interinstitutional Cybersecurity Board (IICB).
Amendment 140 #
2022/0085(COD)
Proposal for a regulation
Article 2 – paragraph 1
This Regulation applies to the management, governance and control of cybersecurity risks by all Union institutions, bodies, offices and agencies and to the functioning, organisation and operation of CERT-EU and the Interinstitutional Cybersecurity BoardICB.
Amendment 141 #
2022/0085(COD)
Proposal for a regulation
Article 2 a (new)
Article 2 a
Processing of Personal Data
The processing of personal data under this Regulation by CERT-EU, the IICB and all Union institutions, bodies, offices and agencies shall be carried out in compliance with Regulation (EU) 2018/1725 of the European Parliament and of the Council.
Amendment 143 #
2022/0085(COD)
Proposal for a regulation
Article 3 – paragraph 1 – point 2
(2) ‘network and information system’ means network and information system within the meaning ofas defined in Article 4(1) of Directive [proposal NIS 2];
Amendment 144 #
2022/0085(COD)
Proposal for a regulation
Article 3 – paragraph 1 – point 4
(4) ‘cybersecurity’ means cybersecurity within the meaning of Article 4(3) of Directive [proposal NIS 2]; as defined in Article 2(1) of Regulation (EU) 2019/881 of the European Parliament and of the Council7a; _________________ 7a Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p. 15).
Amendment 147 #
2022/0085(COD)
Proposal for a regulation
Article 3 – paragraph 1 – point 5
(5) ‘highest level of management’ means a manager, management or coordination and oversight body at the most senior administrative level with a mandate to make or authorise decisions, taking account of the high-level governance arrangements in each Union institution, body or agency;
Amendment 149 #
2022/0085(COD)
Proposal for a regulation
Article 3 – paragraph 1 – point 7
Amendment 152 #
2022/0085(COD)
Proposal for a regulation
Article 3 – paragraph 1 – point 8
(8) ‘major attack’incident' means any incident requiring more resources than are available at whose disruption exceeds CERT-EU’s or any individual Union institution, body, office or agency’s capacity to respond to it or withe affected significant impact on at least two Union institutions, body or agency and at CERT-EUies, offices and agencies;
Amendment 155 #
2022/0085(COD)
Proposal for a regulation
Article 3 – paragraph 1 – point 11
(11) ‘significant cyber threat’ means a cyber threat with the intention, opportunity and capability to cause a significant incidentas defined in Article 4(7a) of Directive [proposal NIS 2];
Amendment 159 #
2022/0085(COD)
(14) ‘cybersecurity risk’ means any reasonably identifiable circumstance or event havisk as defined ing a potential adverse effect on the security of network and information systemsrticle 4(7b) of Directive [proposal NIS 2];
Amendment 163 #
2022/0085(COD)
Proposal for a regulation
Article 3 – paragraph 1 – point 14 a (new)
(14 a) ‘ICT environment’ means any on-premise or virtual ICT product, ICT service and ICT process as defined in Article 2 of Regulation (EU) 2019/881, and any network and information system whether owned and operated by a Union institution, body, office or agency, or hosted or operated by a third party, including mobile devices, corporate networks, and business networks not connected to the internet and any devices connected to the ICT environment;
Amendment 172 #
2022/0085(COD)
Proposal for a regulation
Article 3 – paragraph 1 – point 16
Amendment 174 #
2022/0085(COD)
Proposal for a regulation
Article 4 – title
Risk management, governance and control framework
Amendment 178 #
2022/0085(COD)
Proposal for a regulation
Article 4 – paragraph 1
1. Each Union institution, body and agency shall establish its own internal cybersecurity risk management, governance and control framework (‘the framework’) in support of the entity’s mission and exercising its institutional autonomy. This work shall be overseen by the entity’s highest level of management to ensure an effective and prudent management of all cybersecurity risks. The framework shall be in place by …. at the latest [15 months after the entry into force of this Regulation].
Amendment 180 #
2022/0085(COD)
Proposal for a regulation
Article 4 – paragraph 2
2. The framework shall cover the entirety of the ICT environment of the concerned institution, body or agency, including any on-premise IT environment, outsourced assets and services in cloud computing environments or hosted by third parties, mobile devices, corporate networks, business networks not connected to the internet and any devices connected to the IT environmentUnion institution, body, office or agency. The framework shall take account of business continuity and crisis management and it shall consider supply chain security as well as the management of human risks and all other relevant technical, operational and organisational risks that could impact the cybersecurity of the concerned Union institution, body or agency.
Amendment 181 #
2022/0085(COD)
Proposal for a regulation
Article 4 – paragraph 2 a (new)
2 a. The framework shall define strategic objectives to ensure a high level of cybersecurity in the Union institution, body, office or agency. The framework shall lay down cybersecurity policies and priorities for the security of network and information systems encompassing the entirety of the ICT environment, and define the roles and responsibilities of staff tasked with ensuring the effective implementation of the provisions of this Regulation.
Amendment 182 #
2022/0085(COD)
Proposal for a regulation
Article 4 – paragraph 2 b (new)
2 b. The framework shall be reviewed on a regular basis and at least every three years on the basis of key performance indicators. Where appropriate and upon request of the IICB, a Union institution, body, office or agency’s framework shall be updated following guidance from CERT-EU on observed incidents or possible gaps in the implementation of the provisions of this Regulation.
Amendment 186 #
2022/0085(COD)
3. The highest level of management of each Union institution, body, office and agency shall provide oversight oversee the compliance of theirits organisation with the obligations related to cybersecurity risk management, governance, and control, without prejudice to the formal responsibilities of other levels of management for compliance and risk management in their respective areas of responsibility.
Amendment 187 #
2022/0085(COD)
Proposal for a regulation
Article 4 – paragraph 4
4. Each Union institution, body and agency shall have effective mechanisms in place to ensure that an adequate percentage of the ICT budget is spent on cybersecurity.
Amendment 190 #
2022/0085(COD)
Proposal for a regulation
Article 5 – title
Cybersecurity baselinerisk management measures
Amendment 194 #
2022/0085(COD)
Proposal for a regulation
Article 5 – paragraph 1
1. The highest level of management of each Union institution, body and agency shall approve the entity’s own cybersecurity baselinerisk management measures to address the risks identified under the framework referred to in Article 4(1). It shall do so in support of its mission and exercising its institutional autonomy. The cybersecurity baseline shall be in place by …. at the latest [18 months after the entry into force of this Regulation] and shall address the domains listed in Annex I and the measures listed in Annex IIHaving regard to the state of the art and, where applicable, relevant European and international standards, or available European cybersecurity certificates as defined in Article 2 of Regulation (EU) 2019/881, those risk management measures shall ensure a level of security of network and information systems across the entirety of the ICT environment commensurate to the risks identified under the framework referred to in Article 4(1). When assessing the proportionality of those measures, due account shall be taken of the degree of the Union institution, body, office or agency’s exposure to risks, its size, the likelihood of occurrence of incidents and their severity, including their societal, economic and interinstitutional impact.
Amendment 197 #
2022/0085(COD)
Proposal for a regulation
Article 5 – paragraph 1 a (new)
1 a. Union institutions, bodies, offices and agencies shall include at least the following domains in the implementation of the cybersecurity risk management measures:
(a) cybersecurity policy, including specification on the measures needed to reach objectives and priorities referred to in Article 4 and Article 5(2a);
(b) policy objectives and priorities regarding the use of cloud computing services as defined in Article 4(19) of Directive [proposal NIS 2] and technical arrangements to enable and sustain teleworking;
(c) organisation of cybersecurity, including definition of roles and responsibilities;
(d) management of the ICT environment, including ICT inventory and network cartography;
(e) access control, identity management and privileged access management;
(f) operations security and human resources security;
(g) communications security;
(h) system acquisition, development and maintenance;
(i) supply chain security and supplier relationships between each Union institution, body, office and agency with its direct suppliers and service providers;
(j) incident handling, including approaches to improve the prevention, detection, analysis, and containment of, response to, and recovery from an incident and cooperation with CERT-EU, such as the maintenance of security monitoring and logging;
(k) business continuity management and crisis management;
(l) cybersecurity skills, education, awareness-raising, training programmes and exercises.
Amendment 199 #
2022/0085(COD)
Proposal for a regulation
Article 5 – paragraph 2
2. The senior management of each Union institution, body, office and agency as well as all relevant staff tasked with implementing the cybersecurity risks management measures and obligations of this Regulation shall follow specific trainings on a regular basis to gain sufficient knowledge and skills in order to apprehend and assess cybersecurity risk and management practices and their impact on the operations of the organisation.
Amendment 201 #
2022/0085(COD)
Proposal for a regulation
Article 5 – paragraph 2 a (new)
Amendment 202 #
2022/0085(COD)
Proposal for a regulation
Article 5 – paragraph 2 b (new)
2 b. The IICB may recommend technical and methodological requirements of the domains and risk management measures referred to in paragraphs 1(a) and 2(a) of this Article and, where necessary, recommend adaptations to reflect developments in attack methods, cyber threats and advances in technology, for the purposes of the review of this Regulation in accordance with Article 24.
Amendment 203 #
Amendment 207 #
2022/0085(COD)
Proposal for a regulation
Article 6 – paragraph 1 a (new)
The IICB, after consulting the European Union Agency for Cybersecurity (ENISA) and upon receiving guidance from CERT-EU, shall recommend guidelines to Union institutions, bodies, offices and agencies for the carrying out of cybersecurity maturity assessments.
Amendment 209 #
2022/0085(COD)
Proposal for a regulation
Article 6 – paragraph 1 b (new)
Upon request of the IICB, and with the explicit consent of the Union institution, body, office or agency concerned, the results of a cybersecurity maturity assessment may be discussed within the IICB configuration or within the established network of Local Cybersecurity Officers with a view to learning from experiences in the implementation of this Regulation and sharing best practices and results of use cases.
Amendment 210 #
2022/0085(COD)
Proposal for a regulation
Article 7 – paragraph 1
1. Following the conclusions derived from the maturity cybersecurity assessment and considering the assets and risks identified pursuant to Article 4, the highest level of management of each Union institution, body, office and agency shall approve a cybersecurity plan without undue delay after the establishment of the risk management, governance and control framework, and the cybersecurity baseline. Therisk management measures. The cybersecurity plan shall aim at increasing the overall cybersecurity of the concerned entity Union institution, body, office or agency and shall thereby contribute to the achievement or enhancement of a high common level of cybersecurity among all Union institutions, bodies, offices and agencies. To support the entity’Union institution, body, office or agency's mission on the basis of its institutional autonomy, the plan shall at least include the domains listed in Annex I, the measures listed in Annex II, as well ascybersecurity risk management measures relatferred to incident preparedness, response and recovery, such as security monitoring and logging. The plan shall be revised at least every three years, following the Article 5 (1a) and 5(2a). The cybersecurity plan shall be revised at least every three years, or where necessary, with any substantial revision of the framework referred to in Article 4, following the cybersecurity maturity assessments carried out pursuant to Article 6.
Amendment 213 #
2022/0085(COD)
Proposal for a regulation
Article 7 – paragraph 2
2. The cybersecurity plan shall include relevant staff members’ roles and responsibilities for its implementation, including detailed job descriptions for technical and operational staff as well as all relevant processes underpinning performance evaluation.
Amendment 215 #
2022/0085(COD)
Proposal for a regulation
Article 7 – paragraph 2 a (new)
Amendment 216 #
2022/0085(COD)
Proposal for a regulation
Article 7 – paragraph 3
3. The cybersecurity plan shall consider any applicable guidance documents and recommendations issued by CERT-EU in accordance with Article 13 and another applicable or targeted recommendations issued by the IICB and CERT-EU.
Amendment 218 #
2022/0085(COD)
1. Upon completion of maturity assessments, the Union institutions, bodies and agencies shall submit these to the Interinstitutional Cybersecurity Board. Upon completion of security planstheir respective cybersecurity maturity assessments referred to in Article 6 and cybersecurity plans referred to in Article 7, the Union institutions, bodies, offices and agencies shall notify the Interinstitutional Cybersecurity Board of the completion. Upon request of the Board, they shall report on specific aspects of this Chaptersubmit these to the IICB.
Amendment 222 #
2022/0085(COD)
Proposal for a regulation
Article 9 – paragraph 3 – subparagraph 1 – point k
(k) the European Union Agency for Cybersecurity (ENISA).
Amendment 233 #
2022/0085(COD)
Proposal for a regulation
Article 9 – paragraph 6
6. The IICB shall meet at the initiative of its chair, and at least two times a year, at the request of CERT-EU or at the request of any of its members.
Amendment 240 #
2022/0085(COD)
Proposal for a regulation
Article 10 – paragraph 1 – point -a (new)
(-a) support Union institutions, bodies, offices and agencies in implementing this Regulation with the aim to raise their respective levels of cybersecurity;
Amendment 241 #
2022/0085(COD)
Proposal for a regulation
Article 10 – paragraph 1 – point -a a (new)
(-a a) effectively monitor the implementation of the obligations of this Regulation in Union institutions, bodies, offices and agencies without prejudice to their institutional autonomy and the overall institutional balance;
Amendment 242 #
2022/0085(COD)
Proposal for a regulation
Article 10 – paragraph 1 – point a
(a) review any reports requestedquest reports from CERT-EU on the state of implementation of this Regulation by the Union institutions, bodies and agencies;
Amendment 250 #
2022/0085(COD)
Proposal for a regulation
Article 10 – paragraph 1 – point i a (new)
(i a) review and where requested, following relevant guidance from CERT-EU, provide feedback to Union institutions, bodies, offices and agencies’ cybersecurity maturity assessments referred to in Article 6 and cybersecurity plans referred to in Article 7;
Amendment 252 #
2022/0085(COD)
Proposal for a regulation
Article 10 – paragraph 1 – point i b (new)
(i b) review possible interconnections between Union institutions, bodies, offices and agencies’ ICT environments and maintain an inventory of shared components of ICT products, ICT services and ICT processes;
Amendment 253 #
2022/0085(COD)
Proposal for a regulation
Article 10 – paragraph 1 – point i c (new)
(i c) where appropriate, adopt recommendations on the interoperability of Union institutions, bodies, offices and agencies’ ICT environments or components thereof;
Amendment 254 #
2022/0085(COD)
Proposal for a regulation
Article 10 – paragraph 1 – point i d (new)
(i d) support the establishment of a Cybersecurity Officers Group under ENISA, gathering the Local Cybersecurity Officers of all Union institutions, bodies, offices and agencies with an aim to facilitate the sharing of best practices and experiences gained from the implementation of this Regulation;
Amendment 255 #
2022/0085(COD)
Proposal for a regulation
Article 10 – paragraph 1 – point i e (new)
(i e) develop an incident and response plan for major incidents at Union level referred to in Article 3(8) and coordinate the adoption of individual Union institutions, bodies, offices and agencies’ cyber crisis management plans referred to in Article 7(2a);
Amendment 256 #
2022/0085(COD)
Proposal for a regulation
Article 10 – paragraph 1 – point i f (new)
(i f) adopt recommendations based on the results of EU coordinated risk assessments of critical supply chains referred to in Article 19 of Directive [proposal NIS 2] to support Union institutions, bodies, offices and agencies in adopting effective and proportionate risk management measures relating to supply chain security referred to in Article 5(1ai);
Amendment 257 #
2022/0085(COD)
Proposal for a regulation
Article 10 – paragraph 1 – point i g (new)
(i g) develop guidelines for information sharing arrangements referred to in Article 19;
Amendment 258 #
2022/0085(COD)
Proposal for a regulation
Article 11 – paragraph -1 (new)
-1 The IICB shall monitor the implementation of this Regulation and of adopted guidance documents, recommendations and calls for action by the Union institutions, bodies, offices and agencies.
Amendment 259 #
2022/0085(COD)
Proposal for a regulation
Article 11 – paragraph 1 – introductory part
Amendment 261 #
2022/0085(COD)
Proposal for a regulation
Article 11 – paragraph 1 – point -a (new)
(-a) request relevant and available documentation of the Union institution, body, office or agency concerned relating to the effective implementation of the provisions of this Regulation or the application of guidance documents, recommendations and calls for action issued in accordance with Article 13;
Amendment 262 #
2022/0085(COD)
Proposal for a regulation
Article 11 – paragraph 1 – point -a a (new)
(-a a) communicate a reasoned opinion to the Union institution, body, office or agency concerned with observed gaps in the implementation of this Regulation;
Amendment 263 #
2022/0085(COD)
Proposal for a regulation
Article 11 – paragraph 1 – point -a b (new)
(-a b) invite the Union institution, body, office or agency concerned to provide a self-assessment on its reasoned opinion within a specified timeframe;
Amendment 264 #
2022/0085(COD)
Proposal for a regulation
Article 11 – paragraph 1 – point -a c (new)
(-a c) issue, in cooperation with CERT-EU, guidance to the individual Union institution, body, office or agency to bring its respective risk management, governance and control framework, cybersecurity risk management measures, cybersecurity plans and reporting obligations in compliance with the provisions laid down in this Regulation in a specified manner and within a specified period;
Amendment 270 #
2022/0085(COD)
Proposal for a regulation
Article 12 – paragraph 1
1. The mission of CERT-EU, the autonomous interinstitutional Cybersecurity Centre for all Union institutions, bodies and agencies, shall be to contribute to the security of the unclassified ICT environment of all Union institutions, bodies and agencies by advising them on cybersecurity, by helping them to prevent, detect, mitigate and respond to and recover from incidents and by acting as their cybersecurity information exchange and incident response coordination hub.
Amendment 274 #
2022/0085(COD)
Proposal for a regulation
Article 12 – paragraph 2 – point c a (new)
(c a) act as the designated coordinator for all Union institutions, bodies, offices and agencies for the purposes of coordinated vulnerability disclosure to the European vulnerability registry referred to in Article 6 of Directive [proposal NIS2];
Amendment 286 #
2022/0085(COD)
Proposal for a regulation
Article 12 – paragraph 6
6. CERT-EU may organise cybersecurity exercises or recommend participation in existing exercises, in close cooperation with the European Union Agency for CybersecurityENISA whenever applicable, to test the level of cybersecurity of the Union institutions, bodies and agencies.
Amendment 287 #
2022/0085(COD)
Proposal for a regulation
Article 12 – paragraph 7
7. CERT-EU may provide assistance to Union institutions, bodies and agencies regarding incidents in classified ICT environments if it is explicitly requested to do so by the constituent concerned. The provisions and obligations on all Union institutions, bodies, offices and agencies set out in Chapter V of this Regulation shall not apply to incidents in classified ICT environments unless an individual Union institution, body, office or agency explicitly and voluntarily applies them in order to seek actionable assistance from CERT-EU or otherwise contribute to situational awareness at the Union level.
Amendment 290 #
2022/0085(COD)
Proposal for a regulation
Article 12 – paragraph 7 a (new)
7 a. CERT-EU shall cooperate with the European Data Protection Supervisor (EDPS) to support Union institutions, bodies, offices and agencies in incidents entailing a personal data breach as defined in Article 3(16) of Regulation (EU) 2018/1725.
Amendment 296 #
2022/0085(COD)
Proposal for a regulation
Article 13 – paragraph 2 – point a
(a) modalities for or improvements to cybersecurity risk management and the cybersecurity baselinerisk management measures;
Amendment 298 #
2022/0085(COD)
Proposal for a regulation
Article 13 – paragraph 2 – point b
(b) modalities for cybersecurity maturity assessments and cybersecurity plans; and
Amendment 303 #
2022/0085(COD)
Proposal for a regulation
Article 14 – paragraph -1 (new)
-1 The Commission, after having obtained the unanimous approval of the IICB, shall appoint the Head of CERT-EU. The IICB shall be consulted at all stages of the procedure prior to the appointment of the Head of CERT-EU, in particular in drafting vacancy notices, examining applications and appointing selection boards in relation to this post.
Amendment 304 #
2022/0085(COD)
Proposal for a regulation
Article 14 – paragraph 1
The Head of CERT-EU shall regularly submit reports to the IICB and the IICB Chair, and submit ad-hoc reports to the IICB upon its request, on the performance of CERT-EU, financial planning, revenue, implementation of the budget, service level agreements and written agreements entered into, cooperation with counterparts and partners, and missions undertaken by staff, including the reports referred to in Article 10(1).
Amendment 306 #
2022/0085(COD)
Proposal for a regulation
Article 14 – paragraph 1 a (new)
The Head of CERT-EU shall compose and submit to the IICB an annual report encompassing CERT-EU’s work programme, the financial planning of revenue and expenditure, including staffing, for CERT-EU activities, any updates of CERT-EU’s service catalogue and an assessment of the expected impact that such updates may have on its financial planning of revenue and expenditure, staffing and management of funds.
Amendment 308 #
2022/0085(COD)
Proposal for a regulation
Article 15 – paragraph 1
Amendment 322 #
2022/0085(COD)
Proposal for a regulation
Article 18 – paragraph 3
Amendment 326 #
2022/0085(COD)
Proposal for a regulation
Article 19 – title
19 SharingCybersecurity information sharing arrangements and obligations
Amendment 327 #
2022/0085(COD)
Proposal for a regulation
Article 19 – paragraph -1 (new)
-1. Union institutions, bodies, offices and agencies may voluntarily notify CERT-EU on cyber threats, incidents, near misses and vulnerabilities that affect them. CERT-EU shall ensure that effective measures are adopted to ensure the confidentiality and appropriate protection of the information provided by the reporting Union institution, body, office or agency. When processing notifications, CERT-EU may prioritise the processing of mandatory notifications over voluntary notifications. Voluntary notification shall not result in the imposition of any additional obligations upon the reporting Union institution, body, office or agency to which it would not have been subject had it not submitted the notification.
Amendment 328 #
2022/0085(COD)
Proposal for a regulation
Article 19 – paragraph 1
1. To enable CERT-EU to coordinate vulnerabileffectively perform itys management and incident responseission tasks in accordance with Article 12 of this Regulation, it may request Union institutions, bodies and agencies to provide it with information from their respective ICT system inventories that is relevant for the CERT- EU support. The requested institution, body or agency shall transmit the requested information, and any subsequent updates thereto, without undue delay.
Amendment 334 #
2022/0085(COD)
Proposal for a regulation
Article 19 – paragraph 4
4. The sharingcybersecurity information sharing arrangements and obligations obligations shall not extend to EU Classified Information (EUCI) and to information that a Union institution, body or agency has received from a Member State Security or Intelligence Service or law enforcement agency under the explicit condition that it will not be shared with CERT-EU.
Amendment 336 #
Amendment 337 #
2022/0085(COD)
Proposal for a regulation
Article 20 – paragraph 1 – subparagraph 1
Amendment 338 #
2022/0085(COD)
Proposal for a regulation
Article 20 – paragraph 1 – subparagraph 1
All Union institutions, bodies, offices and agencies shall make an initial notification to CERT-EU of significant cyber threats, significant vulnerabilities and significreport, without undue delay to CERT-EU in accordance with paragraph 2(b) of anty incidents without undue delay and having any event no later than 24 hours after becoming aware of them significant impact.
Amendment 340 #
2022/0085(COD)
Proposal for a regulation
Article 20 – paragraph 1 – subparagraph 1 a (new)
Amendment 341 #
2022/0085(COD)
Proposal for a regulation
Article 20 – paragraph 1 – subparagraph 1 b (new)
Where a significant incident or significant cyber threat referred to in paragraph 1(a) is affecting a network and information system, or a component of a Union institution, body, office or agency's ICT environment that is knowingly connected with another Union institution, body, office and agency's ICT environment, CERT-EU shall notify, without undue delay, the affected Union institution, body, office or agency.
Amendment 342 #
2022/0085(COD)
Proposal for a regulation
Article 20 – paragraph 1 – subparagraph 2
Amendment 348 #
2022/0085(COD)
Proposal for a regulation
Article 20 – paragraph 2
Amendment 352 #
2022/0085(COD)
Proposal for a regulation
Article 20 – paragraph 2 a (new)
2 a. An incident shall be considered significant if: (a) the incident has caused or is capable of causing severe operational disruption to the Union institution, body, office or agency or financial losses thereto; (b) the incident has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material losses.
Amendment 353 #
2022/0085(COD)
Proposal for a regulation
Article 20 – paragraph 2 b (new)
2 b. All Union institutions, bodies, offices and agencies shall submit to CERT-EU: (a) without undue delay and in any event within 24 hours after having become aware of the significant incident, an early warning, which, where applicable, shall indicate whether the significant incident is presumably caused by unlawful or malicious action and has any or could have a cross-border or cross-institutional impact; (b) without undue delay and in any event within 72 hours after having become aware of the significant incident, an incident notification, which, where applicable, shall update the information referred to in subparagraph (a) and indicate an initial assessment of the significant incident, its severity and impact, as well as where available, the indicators of compromise; (c) upon the request of CERT-EU, an intermediate report on relevant status updates; (d) a final report not later than one month after the submission of the significant incident notification under point (b), including at least the following: (i) a detailed description of the significant incident, its severity and impact; (ii) the type of threat or root cause that likely triggered the significant incident; (iii) applied and ongoing mitigation measures; (iv) where applicable, the cross-border or cross-institutional impact of the significant incident; (e) in cases of ongoing significant incidents at the time of the submission of the final report referred to in point (d), a progress report at that time and a final report within one month after the incident has been handled.
Amendment 356 #
2022/0085(COD)
Proposal for a regulation
Article 20 – paragraph 2 c (new)
2 c. In duly justified cases and in agreement with CERT-EU, the Union institution, body, office or agency concerned can deviate from the deadline laid down in paragraph 2(b).
Amendment 358 #
2022/0085(COD)
Proposal for a regulation
Article 20 – paragraph 3
3. CERT-EU shall submit to ENISA on a monthly basis a summary report including anonymised and aggregated data on significant cyber threats, significant vulnerabilities and significant incidentincidents notified in accordance with paragraph 2(b) and cyber threats, incidents, near misses and vulnerabilities notified in accordance with paragraph 1Article 19(1).
Amendment 360 #
2022/0085(COD)
4. The IICB may issue guidance documents or recommendations concerning the modalities and content of the notification. When preparing such guidance documents or recommendations, the IICB shall take into account the specifications made by any implementing acts adopted by the Commission specifying the type of information, the format and the procedure of a notification submitted pursuant to Article 20 (11) of Directive [proposal NIS2]. CERT-EU shall disseminate the appropriate technical details to enable proactive detection, incident response or mitigating measures by Union institutions, bodies, offices and agencies.
Amendment 363 #
2022/0085(COD)
Proposal for a regulation
Article 20 – paragraph 5
5. The notificationreporting obligations shall not extend to EUCI and to information that a Union institution, body or agency has received from a Member State Security or Intelligence Service or law enforcement agency under the explicit condition that it will not be shared with CERT-EU.
Amendment 366 #
2022/0085(COD)
Proposal for a regulation
Article 21 – paragraph 3
3. CERT-EU, in cooperation with ENISA, shall support Union institutions, bodies and agencies regarding situational awareness of cyber threats, vulnerabilities and incidents.
Amendment 367 #
Amendment 370 #
2022/0085(COD)
Proposal for a regulation
Article 22 – paragraph 1
1. CERT-EU shall coordinate among Union institutions, bodies and agencies responses to major attackincidents. It shall maintain an inventory of technical expertise that would be needed for incident response in the event of such attacksmajor incidents and assist the IICB in coordinating Union institutions, bodies, offices and agencies’ cyber crisis management plans for major incidents referred to in Article 10(if).
Amendment 375 #
2022/0085(COD)
Proposal for a regulation
Article 22 – paragraph 3
3. With the approval of the concerned Union institutions, bodies and agencies, CERT-EU may also call on experts from the list referred to in paragraph 2 for contributing to the response to a major attackincident in a Member State, in line with the Joint Cyber Unit’s operating procedures.
Amendment 386 #
2022/0085(COD)
Proposal for a regulation
Article 24 – paragraph 3
3. The Commission shall evaluate the functioning of this Regulation and report to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions no soonlater than five years after the date of entry into force.
Amendment 388 #
2022/0085(COD)
Proposal for a regulation
Annex I
Amendment 394 #
2022/0085(COD)
Proposal for a regulation
Annex II
Amendment 103 #
2022/0047(COD)
Proposal for a regulation
Recital 1
(1) In recent years, data-driven technologies have had transformative effects on all sectors of the economy. The proliferation in products connected to the Internet of Things in particular has increased the volume and potential value of data for consumers, businesses and society. High quality and interoperable data from different domains increase competitiveness and innovation and ensure sustainable economic growth. The same dataset may potentially be used and reused for a variety of purposes and to an unlimited degree, without any loss in its quality or quantity, while respecting users’ choices and applicable legislation to protect them.
Amendment 110 #
2022/0047(COD)
Proposal for a regulation
Recital 5
(5) This Regulation ensures that users of a product or related service in the Union can access, in a timely manner, the data generated by the use of that product or related service and that those users can use the data, including by sharing them with third parties of their choice. It imposes the obligation on the data holder to make data available to users and third parties nominated by the users in certain circumstances. It also ensures that data holders make data available to data recipients in the Union under fair, reasonable and non-discriminatory terms and in a transparent manner. Private law rules are key in the overall framework of data sharing. Therefore, this Regulation adapts rules of contract law and prevents the exploitation of contractual imbalances that hinder fair data access and use for micro, small or medium-sized enterprises within the meaning of Recommendation 2003/361/EC. This Regulation also ensures that data holders make available to public sector bodies of the Member States and to Union institutions, agencies or bodies, where there is an exceptional need, the data that are necessary for the performance of tasks carried out in the public interestto respond to, prevent, or assist in the recovery from a public emergency. In addition, this Regulation seeks to facilitate switching between data processing services and to enhance the interoperability of data and data sharing mechanisms and services in the Union. This Regulation should not be interpreted as recognising or creating any legal basis for the data holder to hold, have access to or process data, or as conferring any new right on the data holder to use data generated by the use of a product or related service. Instead, it takes as its starting point the control that the data holder effectively enjoys, de facto or de jure, over data generated by products or related services.
Amendment 112 #
2022/0047(COD)
(7) The fundamental right to the protection of personal data is safeguarded in particular under Regulation (EU) 2016/679 and Regulation (EU) 2018/1725. Directive 2002/58/EC additionally protects private life and the confidentiality of communications, including providing conditions to any personal and non-personal data storing in and access from terminal equipment. These instruments provide the basis for sustainable and responsible data processing, including where datasets include a mix of personal and non-personal data. This Regulation complements and is without prejudice to Union law on data protection and privacy, in particular Regulation (EU) 2016/679 and Directive 2002/58/EC. No provision of this Regulation should be applied or interpreted in such a way as to diminish or limit the right to the protection of personal data or the right to privacy and confidentiality of communications. In the event of a conflict between this Regulation and Union law on the protection of personal data or national law adopted in accordance with such Union law, the relevant Union or national law on the protection of personal data should prevail, except where explicitly foreseen otherwise under the body of this Regulation.
Amendment 116 #
2022/0047(COD)
Proposal for a regulation
Recital 8
(8) The principles of data minimisation and data protection by design and by default are essential when processing involves significant risks to the fundamental rights of individuals. Taking into account the state of the art, all parties to data sharing, including where within scope of this Regulation, should implement technical and organisational measures to protect these rights. Such measures include not only anonymisation, pseudonymisation and encryption, but also the use of increasingly available technology that permits algorithms to be brought to the data and allow valuable insights to be derived without the transmission between parties or unnecessary copying of the raw or structured data themselves.
Amendment 125 #
2022/0047(COD)
Proposal for a regulation
Recital 14
(14) Physical products that obtain, generate or collect, by means of their components, data concerning their performance, use or environment and that are able to communicate that data via a publicly available electronic communications service (often referred to as the Internet of Things) should be covered by this Regulation. Electronic communications services include land-based telephone networks, television cable networks, satellite-based networks and near-field communication networks. Such products may include vehicles, home equipment and consumer goods, medical and health devices or agricultural and industrial machinery. The data represent the digitalisation of user actions and events and should accordingly be accessible to the user, while information derived or inferred from this data, where lawfully held, should not be considered within scope of this Regulation unless that data are lawfully processed using the product’s own computing capacity. Such data are potentially valuable to the user and support innovation and the development of digital and other services protecting the environment, health and the circular economy, in particular through facilitating the maintenance and repair of the products in question.
Amendment 129 #
2022/0047(COD)
Proposal for a regulation
Recital 17
(17) Data generated by the use of a product or related service include data recorded intentionally by the user. Such data include also data generated as a by- product of the user’s action, such as diagnostics data, and without any action by the user, such as when the product is in ‘standby mode’, and data recorded during periods when the product is switched off. Such data should include data in the form and format in which they are generated by the product, but not pertain to data resulting from any software process that calculates derivative data from such data as such software process may be subject to intellectual property rightsincluding data processed using the product’s own computing capacity.
Amendment 135 #
2022/0047(COD)
Proposal for a regulation
Recital 24
(24) This Regulation imposes the obligation on data holders to make data available in certain circumstances. Insofar as personal data are processed, the data holder should be a controller under Regulation (EU) 2016/679. Where users are data subjects, data holders should be obliged to provide them access to their data and to make the data available to third parties of the user’s choice in accordance with this Regulation. However, this Regulation does not create a legal basis under Regulation (EU) 2016/679 for the data holder to provide access to personal data or make it available to a third party when requested by a user that is not a data subject and should not be understood as conferring any new right on the data holder to use data generated by the use of a product or related service. This applies in particular where the manufacturer is the data holder. The performance of a contract can only be a legal ground for processing of personal data if the data subject is a party or if steps are being taken at the request of the data subject prior to entering into a contract. The necessity requirement for processing personal data for the performance of a contract pursuant to Article 6(1)(b) of Regulation (EU) 2016/679 cannot be fulfilled by merely providing for processing in a contractual clause. Assessing what is objectively necessary must be fact-based, and this legal ground shall be allowed only in situations where it is not possible to perform service or provide product which the data subject has actively requested or signed up for without processing of specific data. Personal data necessary for the controller’s wider business mode but not necessary for the individual services requested by the data subject, do not fulfil this requirement. In that case, the basis for the manufacturer to use non-personal data should be a contractual agreement between the manufacturer and the user. This agreement may be part of the sale, rent or lease agreement relating to the product. 
Any contractual term in the agreement stipulating that the data holder may use the data generated by the user of a product or related service should be transparent to the user, including as regards the purpose for which the data holder intends to use the data. This Regulation should not prevent contractual conditions, whose effect is to exclude or limit the use of the data, or certain categories thereof, by the data holder. This Regulation should also not prevent sector-specific regulatory requirements under Union law, or national law compatible with Union law, which would exclude or limit the use of certain such data by the data holder on well-defined public policy grounds.
Amendment 143 #
2022/0047(COD)
Proposal for a regulation
Recital 30
(30) The use of a product or related service may, in particular when the user is a natural person, generate data that relates to an identified or identifiable natural person (the data subject). Processing of such data is subject to the rules established under Regulation (EU) 2016/679, including where personal and non-personal data in a data set are inextricably linked64 . The data subject may be the user or another natural person. Personal data may only be requested by a controller or a data subject. A user who is the data subject is under certain circumstances entitled under Regulation (EU) 2016/679 to access personal data concerning them, and such rights are unaffected by this Regulation. Under this Regulation, the user who is a natural person is further entitled to access all data generated by the product, personal and non-personal. Where the user is not the data subject but an enterprise, including a sole trader, and not in cases of shared household use of the product, the user will be a controller within the meaning of Regulation (EU) 2016/679. Accordingly, such a user as controller intending to request personal data generated by the use of a product or related service is required to have a legal basis for processing the data under Article 6(1) of Regulation (EU) 2016/679, such as the consent of the data subject or legitimate interest. This user should ensure that the data subject is appropriately informed of the specified, explicit and legitimate purposes for processing those data, and how the data subject may effectively exercise their rights. Where the data holder and the user are joint controllers within the meaning of Article 26 of Regulation (EU) 2016/679, they are required to determine, in a transparent manner by means of an arrangement between them, their respective responsibilities for compliance with that Regulation. 
It should be understood that such a user, once data has been made available, may in turn become a data holder, if they meet the criteria under this Regulation and thus become subject to the obligations to make data available under this Regulation. Where the user is a Union institution, agency or body, Regulation (EU) 2018/1725 should apply unprejudiced.
_________________
64 OJ L 303, 28.11.2018, p. 59–68.
Amendment 145 #
2022/0047(COD)
Proposal for a regulation
Recital 31
(31) Data generated by the use of a product or related service should only be made available to a third party at the request of the user. This Regulation accordingly complements the right provided under Article 20 of Regulation (EU) 2016/679. That Article provides for a right of data subjects to receive personal data concerning them in a structured, commonly used and machine-readable format, and to port those data to other controllers, where those data are processed on the basis of Article 6(1), point (a), or Article 9(2), point (a), or of a contract pursuant to Article 6(1), point (b). Data subjects also have the right to have the personal data transmitted directly from one controller to another, but only where technically feasible. Article 20 specifies that it pertains to data provided by the data subject but does not specify whether this necessitates active behaviour on the side of the data subject or whether it also applies to situations where a product or related service by its design observes the behaviour of a data subject or other information in relation to a data subject in a passive manner. The right under this Regulation complements the right to receive and port personal data under Article 20 of Regulation (EU) 2016/679 in several ways. It grants users the right to access and make available to a third party to any data generated by the use of a product or related service, irrespective of its nature as personal data, of the distinction between actively provided or passively observed data, and irrespective of the legal basis of processing. Unlike the technical obligations provided for in Article 20 of Regulation (EU) 2016/679, this Regulation mandates and ensures the technical feasibility of third party access for all types of data coming within its scope, whether personal or non-personal. 
It also allows the data holder to set reasonable compensation to be met by third parties, but not by the user, forwhich cannot exceed any cost incurred in providing direct access to the data generated by the user’s product. If a data holder and third party are unable to agree terms for such direct access, the data subject should be in no way prevented from exercising the rights contained in Regulation (EU) 2016/679, including the right to data portability, by seeking remedies in accordance with that Regulation. It is to be understood in this context that, in accordance with Regulation (EU) 2016/679, a contractual agreement does not allow for the processing of special categories of personal data by the data holder or the third party.
Amendment 148 #
2022/0047(COD)
(17) Data generated by the use of a product or related service include data recorded intentionally by the user. Such data include also data generated as a by-product of the user’s action, such as diagnostics data, and without any action by the user, such as when the product is in ‘standby mode’, and data recorded during periods when the product is switched off. Such data should include data in the form and format in which they are generated by the product, but not pertain to data resulting from any softwaincluding data pre -process that calculates derivative data from such data as such software process may be subject to intellectual property rights.ed using the product’s own computing capacity
Amendment 148 #
2022/0047(COD)
Proposal for a regulation
Recital 34
(34) In line with the data minimisation principle, the third party should only access additional information that is necessary for the provision of the service requested by the user. Having received access to data, the third party should process it exclusively for the purposes agreed with the user, without interference from the data holder. It should be as easy for the user to refuse or discontinue access by the third party to the data as it is for the user to authorise access. The data holder or the third party should not make the exercise of rights or choices of users unduly difficult, including by offering choices to users in a non-neutral manner, or coerce, deceive or manipulate the user in any way, byor subverting or impairing the autonomy, decision-making or free choices of the user, including by means of a digital interface with the user. in this context,or a part thereof, including its structure, design, function or manner of operation. In this context, data holders and third parties should not rely on so-called dark patterns in designing their digital interfaces. Dark patterns are design techniques that push or deceive consumers into decisions that have negative consequences for them. These manipulative techniques can be used to persuade users, particularly vulnerable consumers, to engage in unwanted behaviours, and to deceive users by nudging them into decisions on data disclosure transactions or to unreasonably bias the decision-making of the users of the service, in a way that subverts and impairs their autonomy, decision-making and choice. Common and lLegitimate commercial practices that are in compliance with Union law should not in themselves be regarded as constituting dark patterns. Third parties should comply with their obligations under relevant Union law, in particular the requirements set out in Directive 2005/29/EC, Directive 2011/83/EU, Directive 2000/31/EC and Directive 98/6/EC.
Amendment 152 #
2022/0047(COD)
Proposal for a regulation
Recital 37
Amendment 154 #
2022/0047(COD)
Proposal for a regulation
Recital 41
(41) In order to compensate for the lack of information on the conditions of different contracts, which makes it difficult for the data recipient to assess if the terms for making the data available are non-discriminatory, it should be on the data holder to demonstrate that a contractual term is not discriminatory. It is not unlawful discrimination, where a data holder uses different contractual terms for making data available or different compensation, if those differences are justified by objective reasons. These obligations are without prejudice to Regulation (EU) 2016/679.
Amendment 155 #
2022/0047(COD)
Proposal for a regulation
Recital 42
(42) In order to incentivise the continued investment in generating valuable data, including investments in relevant technical tools, this Regulation contains the principle that the data holder may request reasonable compensation when legally obliged to make data available to the data recipient. These provisions should not be understood as paying for the data itself, but in the case of micro, small or medium-sized enterprises, for the costs incurred and investment required for making the data availableThis Regulation precludes the data holder or the third party from directly or indirectly charging users a fee, or any compensation of costs for sharing or accessing data.
Amendment 157 #
2022/0047(COD)
Proposal for a regulation
Recital 44
(44) To protect micro, small or medium-sized enterprises from excessive economic burdens which would make it commercially too difficult for them to develop and run innovative business modelsavoid directly or indirectly incentivising the commercialisation or trade of personal data, the compensation for making data available to be paid by them should not exceed the direct cost of making the data available and be non-discriminatory.
Amendment 158 #
2022/0047(COD)
Proposal for a regulation
Recital 46
Amendment 159 #
2022/0047(COD)
Proposal for a regulation
Recital 47
(47) Transparency is an important principle to ensure that the compensation requested by the data holder is reasonable, or, in case the data recipient is a micro, small or medium-sized enterprise, that the compensation does not exceed the costs directly related to making the data available to the data recipient and is attributable to the individual request. In order to put the data recipient in the position to assess and verify that the compensation complies with the requirements under this Regulation, the data holder should provide to the data recipient the information for the calculation of the compensation with a sufficient degree of detail.
Amendment 163 #
2022/0047(COD)
Proposal for a regulation
Recital 56
(56) In situations of exceptional need, it may be necessary for public sector bodies or Union institutions, agencies or bodies to use data held by an enterprise to respond to public emergencies or in other exceptional cases. Research-performing organisations and research-funding organisations could also be organised as public sector bodies or bodies governed by public law. To limit the burden on businesses, micro and small enterprises should be exempted from the obligation to provide public sector bodies and Union institutions, agencies or bodies data in situations of exceptional need.
Amendment 173 #
2022/0047(COD)
Proposal for a regulation
Recital 58
(58) An exceptional need may also arise when a public sector body can demonstrate that the data are necessary either to prevent a public emergency, or to assist recovery from a public emergency, in circumstances that are reasonably proximate to the public emergency in question. Where the exceptional need is not justified by the need to respond to, prevent or assist recovery from a public emergency, the public sector body or the Union institution, agency or body should demonstrate that the lack of timely access to and the use of the data requested prevents it from effectively fulfilling a specific task in the public interest that has been explicitly provided in law. Such exceptional need may also occur in other situations, for example in relation to the timely compilation of official statistics when data is not otherwise available or when the burden on statistical respondents will be considerably reduced. At the same time, the public sector body or the Union institution, agency or body should, outside the case of responding to, preventing or assisting recovery from a public emergency, demonstrate that no alternative means for obtaining the data requested exists and that the data cannot be obtained in a timely manner through the laying down of the necessary data provision obligations in new legislation.
Amendment 177 #
2022/0047(COD)
Proposal for a regulation
Recital 61
(61) A proportionate, limited and predictable framework at Union level is necessary for the making available of data by data holders, in cases of exceptional needs, to public sector bodies and to Union institution, agencies or bodies both to ensure legal certainty and to minimise the administrative burdens placed on businesses. To this end, data requests by public sector bodies and by Union institution, agencies and bodies to data holders should be transparent and proportionate in terms of their scope of content and their granularity. The purpose of the request and the intended use of the data requested should be specific and clearly explained, while allowing appropriate flexibility for the requesting entity to perform its tasks in the public interest. The request should also respect the legitimate interests of the businesses to whom the request is made. The burden on data holders should be minimised by obliging requesting entities to respect the once-only principle, which prevents the same data from being requested more than once by more than one public sector body or Union institution, agency or body where those data are needed to respond to a public emergency. To ensure transparency, data requests made by public sector bodies and by Union institutions, agencies or bodies should be made public without undue delay by the entity requesting the data and online public availability of all requests justified by a public emergency should be ensured.
Amendment 182 #
2022/0047(COD)
Proposal for a regulation
Recital 62
(62) The objective of the obligation to provide the data is to ensure that public sector bodies and Union institutions, agencies or bodies have the necessary knowledge to respond to, prevent or recover from public emergencies or to maintain the capacity to fulfil specific tasks explicitly provided by law. The data obtained by those entities may be commercially sensitive. Therefore, Directive (EU) 2019/1024 of the European Parliament and of the Council65 should not apply to data made available under this Regulation and should not be considered as open data available for reuse by third parties. This however should not affect the applicability of Directive (EU) 2019/1024 to the reuse of official statistics for the production of which data obtained pursuant to this Regulation was used, provided the reuse does not include the underlying data. In addition, it should not affect the possibility of sharing the data for conducting research or for the compilation of official statistics, provided the conditions laid down in this Regulation are met. Public sector bodies should also be allowed to exchange data obtained pursuant to this Regulation with other public sector bodies to address the exceptional needs for which the data has been requested.
_________________
65 Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the re-use of public sector information (OJ L 172, 26.6.2019, p. 56).
Amendment 186 #
2022/0047(COD)
Proposal for a regulation
Recital 63
(63) Data holders should have the possibility to either ask for a modification of the request made by a public sector body or Union institution, agency and body or its cancellation in a period of 5 or 15 working days depending on the nature of the exceptional need invoked in the request. In case of requests motivated by a public emergency,A justified reason not to make the data available should exist if it can be shown that the request is similar or identical to a previously submitted request for the same purpose by another public sector body or by another Union institution, agency or body. A data holder rejecting the request or seeking its modification should communicate the underlying justification for refusing the request to the public sector body or to the Union institution, agency or body requesting the data. In case the sui generis database rights under Directive 96/6/EC of the European Parliament and of the Council66 apply in relation to the requested datasets, data holders should exercise their rights in a way that does not prevent the public sector body and Union institutions, agencies or bodies from obtaining the data, or from sharing it, in accordance with this Regulation.
_________________
66 Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases (OJ L 77, 27.3.1996, p. 20).
Amendment 192 #
2022/0047(COD)
Proposal for a regulation
Recital 67
(67) When the safeguarding of a significant public good is at stake, such as is the case of responding to public emergencies, the public sector body or the Union institution, agency or body should not be expected to compensate enterprises for the data obtained. Public emergencies are rare events and not all such emergencies require the use of data held by enterprises. The business activities of the data holders are therefore not likely to be negatively affected as a consequence of the public sector bodies or Union institutions, agencies or bodies having recourse to this Regulation. However, as cases of an exceptional need other than responding to a public emergency might be more frequent, including cases of prevention of or recovery from a public emergency, data holders should in such cases be entitled to a reasonable compensation which should not exceed the technical and organisational costs incurred in complying with the request and the reasonable margin required for making the data available to the public sector body or to the Union institution, agency or body. The compensation should not be understood as constituting payment for the data itself and as being compulsory.
Amendment 196 #
2022/0047(COD)
Proposal for a regulation
Recital 81
(81) In order to ensure the efficient implementation of this Regulation, Member States should designate one or more competent authorities. If a Member State designates more than one competent authority, it should also designate a coordinating competent authority. Competent authorities should cooperate with each other. The authorities responsible for the supervision of compliance with data protection and competent authorities designated under sectoral legislation should have the responsibility for application of this Regulation in their areas of competence.
Amendment 202 #
2022/0047(COD)
Proposal for a regulation
Article 1 – paragraph 1
1. This Regulation lays down harmonised rules on making data generated by the use of a product or related service available to the user of that product or service, on the making data available by data holders to data recipients, and on the making data available by data holders to public sector bodies or Union institutions, agencies or bodies, where there is an exceptional need, for the performance of a task carried out in the public interestdue to a public emergency:
Amendment 208 #
2022/0047(COD)
Proposal for a regulation
Article 1 – paragraph 2 – point d
(d) public sector bodies and Union institutions, agencies or bodies that request data holders to make data available where there is an exceptional need to that data for the performance of a task carried out in the public interestdue to a public emergency explicitly provided by law, and the data holders that provide those data in response to such request;
Amendment 210 #
2022/0047(COD)
Proposal for a regulation
Article 1 – paragraph 3
3. Union law on the protection of personal data, privacy and confidentiality of communications and integrity of terminal equipment shall apply to personal data processed in connection with the rights and obligations laid down in this Regulation. This Regulation shall not affect the applicability of Union law on the protection of personal data, in particular Regulation (EU) 2016/679, Regulation (EU) 2018/1725 and Directive 2002/58/EC, including the powers and competences of supervisory authorities. Insofar as the rights laid down in Chapter II of this Regulation are concerned, and where users are the data subjects of personal data subject to the rights and obligations under that Chapter, the provisions of this Regulation shall complement the right of data portability under Article 20 of Regulation (EU) 2016/679. In the event of a conflict between this Regulation and Union law on the protection of personal data or national law adopted in accordance with such Union law, the relevant Union or national law on the protection of personal data shall prevail. However, insofar as the processing of personal data made available to a data recipient pursuant to Article 5 of this Regulation is restricted in line with Article 6 of this Regulation, these provisions should be understood as taking precedence over Article 6 of Regulation (EU) 2016/679. This Regulation does not create a legal basis for the processing of personal data and no provision of this Regulation should be applied or interpreted in such a way as to diminish or limit the right to the protection of personal data or the right to privacy and confidentiality of communications.
Amendment 225 #
2022/0047(COD)
Proposal for a regulation
Article 2 – paragraph 1 – point 1 a (new)
(1 a) ‘personal data’ means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679;
Amendment 227 #
2022/0047(COD)
Proposal for a regulation
Article 2 – paragraph 1 – point 1 b (new)
(1 b) 'non-personal data' means data other than personal data;
Amendment 229 #
2022/0047(COD)
(1 c) ‘consent’ means consent as defined in Article 4, point (11), of Regulation (EU) 2016/679;
Amendment 232 #
2022/0047(COD)
Proposal for a regulation
Article 2 – paragraph 1 – point 1 d (new)
(1 d) 'data subject' means data subject as referred to in Article 4, point (1), of Regulation (EU) 2016/679;
Amendment 235 #
2022/0047(COD)
Proposal for a regulation
Article 2 – paragraph 1 – point 2
(2) ‘product’ means a tangible, movable item, including where incorporated in an immovable item, item that obtains, generates or collects, data concerning its use or environment, and that is able to communicate data via a publicly available electronic communications service and whose primary function is not the storing and processing of data nor is it primarily designed to display or play content, or to record and transmit content;
Amendment 240 #
2022/0047(COD)
Proposal for a regulation
Article 2 – paragraph 1 – point 5
(5) ‘user’ means a natural or legal person that owns, rents or leases a product or receives a servicesrelated service, and the data subject;
Amendment 245 #
2022/0047(COD)
Proposal for a regulation
Article 2 – paragraph 1 – point 7
(7) ‘data recipient’ means a legal or natural person, acting for purposes which are related to that person’s trade, business, craft or profession, other than the user of a product or related service, to whom the data holder makes data available, including a third party following an explicit request by the user to the data holder or in accordance with a legal obligation under Union law or national legislation implementing Union law, and including a third party to whom the data is directly made available by the user;
Amendment 246 #
2022/0047(COD)
Proposal for a regulation
Article 2 – paragraph 1 – point 8 a (new)
(8 a) ‘added value service’ means any service provided to the user that can be enabled or improved by access and use of data generated by the use of the product or related service, including personalised services which mean services that, based on the processing of data of the user, offer individualised services to the user such as diet plans, route planning, fitness training, electricity consumption optimisation. They do not include purposes of direct marketing or advertising, credit scoring or determining eligibility to insurances, to calculate or modify insurance premiums or the services of a data broker, even if the data broker shares data with others that provide personalised services;
Amendment 248 #
2022/0047(COD)
Proposal for a regulation
Article 2 – paragraph 1 – point 9
(9) ‘public sector body’ means national, regional or local authorities of the Member States and bodies governed by public law of the Member States, or associations formed by one or more such authorities or one or more such bodies who have the ability to securely and reliably process the data requested from data holders;
Amendment 251 #
2022/0047(COD)
Proposal for a regulation
Article 2 – paragraph 1 – point 10
(10) ‘public emergency’ means an exceptional situation such as public health emergencies, major natural disasters, including those aggravated by climate change and environmental degradation, and major man-made disasters, such as major cybersecurity incidents, negatively affecting the population of the Union, a Member State or part of it, with a risk of serious and lasting repercussions on living conditions or economic stability, or the substantial degradation of economic assets in the Union or the relevant Member State(s); and it is determined according to the respective procedures under Union or national law;
Amendment 260 #
2022/0047(COD)
Proposal for a regulation
Article 3 – paragraph 1
1. Products shall be designed and manufactured, and related services shall be provided, in such a manner that data generated by their use are, by default, easily, securely and, where relevant and appropriate, directly accessible to the user in a structured, commonly used and machine-readable format, free of charge. Products shall be designed and manufactured, and related services shall be provided, in such a manner that data subjects, irrespective of their legal title over the product, are offered the possibility to use the products covered by this Regulation anonymously or in the least privacy-intrusive way possible, such as by anonymising the data. Where users can reasonably expect it due to the nature of the product, products shall be designed and manufactured, and related services shall be provided, in such a manner that a basic set of functionalities is maintained when the product or related service is used offline.
Amendment 265 #
2022/0047(COD)
Proposal for a regulation
Article 3 – paragraph 1 a (new)
1 a. The data holder shall not make the usability of the product or related service dependent on the user allowing it to process data not required for the functionality of the product or provision of the related service.
Amendment 268 #
2022/0047(COD)
Proposal for a regulation
Article 3 – paragraph 1 b (new)
1 b. The data holder shall not incentivise, directly or indirectly, the commercialisation and trade of personal data.
Amendment 269 #
2022/0047(COD)
Proposal for a regulation
Article 3 – paragraph 2 – introductory part
2. Before concluding a contract for the purchase, rent or lease of a product or a related service, users should be presented with granular, meaningful consent options for data processing, within the meaning of Article 4(11) of Regulation (EU) 2016/679, differentiating between data that is essential for the functioning of the product and a related service and other types of data. In addition, at least the following information shall be provided to the user, in a timely and prominent manner, in an easily accessible, clear and comprehensible format:
Amendment 273 #
2022/0047(COD)
Proposal for a regulation
Article 3 – paragraph 2 – point c
(c) how the user may access and request a copy of those data;
Amendment 277 #
2022/0047(COD)
Proposal for a regulation
Article 3 – paragraph 2 – point d
(d) whether the manufacturer supplying the product or the service provider providing the related service intends to use the data itself or allow a third party to use the data and, if so, the identity of the third party and the purposes for which those data will be used;
Amendment 278 #
2022/0047(COD)
Proposal for a regulation
Article 3 – paragraph 2 – point e
(e) whether the seller, renter or lessor is the data holder and, if not, the identity of the data holder, such as its trading name, contact details and the geographical address at which it is established;
Amendment 283 #
2022/0047(COD)
Proposal for a regulation
Article 4 – paragraph 1
1. Where data cannot be directly accessed by the user from the product, the data holder shall make available to the user the data generated by its use of a product or related service without undue delay, free of charge and, where applicable, continuously and in real-time in a structured, commonly used and machine-readable format. This shall be done on the basis of a simple request through electronic means where technically feasible.
Amendment 290 #
2022/0047(COD)
Proposal for a regulation
Article 4 – paragraph 5
5. Where the user is not a data subject, any personal data generated by the use of a product or related service shall only be made available by the data holder to the user where all conditions and rules provided by data protection legislation are complied with, notably where there is a valid legal basis under Article 6(1) of Regulation (EU) 2016/679 and, where relevant, the conditions of Article 9 of Regulation (EU) 2016/679 and Article 5(3) of Directive 2002/58/EC are fulfilled.
Amendment 293 #
2022/0047(COD)
Proposal for a regulation
Article 5 – paragraph 1
1. Upon explicit request by a user, or by a party acting on behalf of a user, the data holder shall make available the data generated by the use of a product or related service to a third party, without undue delay, free of charge to the user, of the same quality as is available to the data holder and, where applicable, continuously and in real-time and only for the purposes of:
Amendment 294 #
2022/0047(COD)
Proposal for a regulation
Article 5 – paragraph 1 – point a (new)
(a) the provision of aftermarket services, such as the maintenance and repair of the product or related service, including aftermarket services in competition with a product or related service provided by the data holder;
Amendment 295 #
2022/0047(COD)
Proposal for a regulation
Article 5 – paragraph 1 – point b (new)
(b) the provision of an added value service explicitly requested by the user;
Amendment 296 #
2022/0047(COD)
Proposal for a regulation
Article 5 – paragraph 1 – point c (new)
(c) specific data intermediation services recognised in the Union or specific services provided by data altruism organisations recognised in the Union under the conditions and requirements of Chapters III and IV of Regulation (EU) 2022/868;
Amendment 297 #
2022/0047(COD)
Proposal for a regulation
Article 5 – paragraph 1 – point d (new)
(d) research and innovation predominantly in the public interest;
Amendment 298 #
2022/0047(COD)
Proposal for a regulation
Article 5 – paragraph 1 – point e (new)
(e) purposes of non-profit organisations predominantly in the public interest.
Amendment 304 #
2022/0047(COD)
Proposal for a regulation
Article 5 – paragraph 3
3. The user or third party shall not be required to provide any information beyond what is strictly necessary to verify the quality as user or as third party pursuant to paragraph 1. The data holder shall not keep any information on the third party’s access to the data requested beyond what is necessary for the sound execution of the third party’s access request and for the security and the maintenance of the data infrastructure.
Amendment 307 #
2022/0047(COD)
Proposal for a regulation
Article 5 – paragraph 6
6. Where the user is not a data subject, any personal data generated by the use of a product or related service shall only be made available by the data holder to the third party where all conditions and rules provided by data protection legislation are complied with, notably where there is a valid legal basis under Article 6(1) of Regulation (EU) 2016/679 and, where relevant, the conditions of Article 9 of Regulation (EU) 2016/679 and Article 5(3) of Directive 2002/58/EC are fulfilled.
Amendment 313 #
2022/0047(COD)
Proposal for a regulation
Article 6 – paragraph 1
1. A third party shall process the personal data made available to it pursuant to Article 5 only for the purposes and under the conditions agreed with the user, and specific purposes mentioned in article 5, paragraph 1 and under the conditions agreed with the user, and where all conditions and rules provided by data protection legislation are complied with, notably where there is a valid legal basis under Article 6 of Regulation (EU) 2016/679 and where relevant, the conditions of Article 9 of Regulation (EU) 2016/679 and Article 5(3) of Directive 2002/58/EC are fulfilled and subject to the rights of the data subject insofar as personal data are concerned, and shall delete the data when they are no longer necessary for the agreed purpose explicitly requested purpose in line with paragraph 1 of article 5.
Amendment 318 #
2022/0047(COD)
Proposal for a regulation
Article 6 – paragraph 2 – point a
(a) make the exercise of the rights or choices of users unduly difficult including by offering choices to the users in a non-neutral manner, or coerce, deceive or manipulate the user in any way, by or subverting or impairing the autonomy, decision-making or choices of the user, including by means of a digital interface with the user or a part thereof, including its structure, design, function or manner of operation;
Amendment 322 #
2022/0047(COD)
Proposal for a regulation
Article 6 – paragraph 2 – point b
(b) use the data it receives for the profiling of natural persons within the meaning of Article 4(4) of Regulation (EU) 2016/679, unless it is strictly necessary to provide the specific service explicitly requested by the user;
Amendment 325 #
2022/0047(COD)
Proposal for a regulation
Article 6 – paragraph 2 – point c
(c) make the data available it receives to another third party, in raw, aggregated or derived form, unless this is necessary to provide the service requested by the user, and the user has explicitly been made aware of this in a clear, easily accessible and prominent way and, in the case of personal data, the rights and obligations of Regulation (EU) 2016/679 are respected;
Amendment 329 #
2022/0047(COD)
Proposal for a regulation
Article 6 – paragraph 2 – point f a (new)
Amendment 330 #
2022/0047(COD)
Proposal for a regulation
Article 6 – paragraph 2 – point f b (new)
(f b) incentivise, directly or indirectly, the commercialisation and trade of personal data.
Amendment 333 #
2022/0047(COD)
Proposal for a regulation
Article 7 – paragraph 1
1. The obligations of this Chapter related to business to business data sharing shall not apply to data generated by the use of products manufactured or related services provided by enterprises that qualify as micro or small enterprises, as defined in Article 2 of the Annex to Recommendation 2003/361/EC, provided those enterprises do not have partner enterprises or linked enterprises as defined in Article 3 of the Annex to Recommendation 2003/361/EC which do not qualify as a micro or small enterprise.
Amendment 335 #
2022/0047(COD)
Proposal for a regulation
Article 7 a (new)
Article 7 a
Unfair contractual terms imposed on users
Any contractual term by data holders, third parties or data recipients which, to the detriment of the user, excludes the application of this Chapter, derogates from it, or varies its effect, shall not be binding on that party.
Amendment 337 #
2022/0047(COD)
Proposal for a regulation
Article 8 – paragraph 4
4. A data holder shall not make data available to a data recipient on an exclusive basis unless explicitly requested by the user under Chapter II.
Amendment 340 #
2022/0047(COD)
Proposal for a regulation
Article 9 – paragraph 1
1. Any compensation agreed between a data holder and a data recipient for making data available shall be reasonable and shall not exceed the costs directly related to making the data available. The data holder or the third party may not directly or indirectly charge users a fee or any compensation of costs for sharing or accessing data.
Amendment 342 #
2022/0047(COD)
Proposal for a regulation
Article 9 – paragraph 2
Amendment 345 #
2022/0047(COD)
Proposal for a regulation
Article 9 – paragraph 4
4. The data holder shall provide the data recipient with information setting out the basis for the calculation of the compensation in sufficient detail so that the data recipient can verify that the requirements of paragraph 1 and, where applicable, paragraph 2 are met.
Amendment 347 #
2022/0047(COD)
Proposal for a regulation
Article 10 – paragraph 1
1. Data holders and data recipients shall have access to dispute settlement bodies, certified in accordance with paragraph 2 of this Article, to settle disputes in relation to the determination of fair, reasonable and non-discriminatory terms for and the transparent manner of making data available in accordance with Articles 8 and 9. This is without prejudice to the data subjects’ rights to seek redress before a supervisory authority, and to the controller’s data protection obligations.
Amendment 349 #
2022/0047(COD)
Proposal for a regulation
Article 11 – paragraph 1
1. The data holder may apply appropriate technical protection measures, including smart contracts, to prevent unauthorised access to the data and to ensure compliance with Articles 5, 6, 9 and 10, as well as with the agreed contractual terms for making data available. Such technical protection measures shall not be used as a means to hinder the user’s right to access data, obtain a copy or effectively provide data to third parties pursuant to Article 5 or any right of a third party under Union law or national legislation implementing Union law as referred to in Article 8(1). Where personal data is concerned, these technical measures shall be consistent with the obligation of the data controller to implement appropriate technical and organisational measures so as to ensure a level of security appropriate to the risk of the personal data processing pursuant to data protection legislation.
Amendment 352 #
2022/0047(COD)
Proposal for a regulation
Article 11 – paragraph 2 – introductory part
2. A data recipient that has, for the purposes of obtaining data, provided inaccurate or false information to the data holder, deployed deceptive or coercive means or abused evident gaps in the technical infrastructure of the data holder designed to protect the data, has used the data made available for unauthorised purposes or has disclosed those data to another party without the data holder’s authorisation or in the case of personal data, an appropriate legal basis, shall without undue delay, unless the data holder or the user instruct otherwise:
Amendment 356 #
2022/0047(COD)
Proposal for a regulation
Article 11 – paragraph 3 – introductory part
3. Paragraph 2, point (b), shall not apply in either of the following cases where non-personal data are concerned:
Amendment 359 #
2022/0047(COD)
2 a. Any contractual term in a data sharing agreement between data holders and data recipients which, to the detriment of the data subjects, undermines the application of their rights to privacy and data protection, derogates from it, or varies its effect, shall not be binding on that party.
Amendment 365 #
2022/0047(COD)
Proposal for a regulation
Article 14 – paragraph 2
Amendment 371 #
2022/0047(COD)
Proposal for a regulation
Article 15 – paragraph 1 – introductory part
An exceptional need to use data within the meaning of this Chapter shall be deemed to exist in any of the following circumstances:
Amendment 372 #
2022/0047(COD)
Proposal for a regulation
Article 15 – paragraph 1 – point a
(a) where the data requested is necessary to respond to limited in time and scope and necessary to respond to a public emergency or to help prevent a public emergency or to assist the recovery from a public emergency;
Amendment 374 #
2022/0047(COD)
Proposal for a regulation
Article 15 – paragraph 1 – point b
Amendment 377 #
2022/0047(COD)
Proposal for a regulation
Article 15 – paragraph 1 – point c
Amendment 385 #
2022/0047(COD)
Proposal for a regulation
Article 16 – paragraph 1
1. This Chapter shall not affect obligations laid down in Union or national law for the purposes of reporting, complying with information requests or demonstrating or verifying compliance with legal obligations, including in relation to official statistics.
Amendment 395 #
2022/0047(COD)
Proposal for a regulation
Article 2 – paragraph 1 – point 1 a (new)
(1 a) ‘personal data’ means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679;
Amendment 398 #
2022/0047(COD)
Proposal for a regulation
Article 2 – paragraph 1 – point 1 b (new)
(1 b) 'non-personal data' means data other than personal data;
Amendment 410 #
2022/0047(COD)
Proposal for a regulation
Article 18 – paragraph 5
5. Where compliance with the request to make data available to a public sector body or a Union institution, agency or body requires the disclosure of personal data, the data holder shall take reasonable efforts to pseudonymise the data, insofar as the request can be fulfilled with pseudonymised data.
Amendment 424 #
2022/0047(COD)
Proposal for a regulation
Article 20 – paragraph 2
Amendment 443 #
2022/0047(COD)
Proposal for a regulation
Article 2 – paragraph 1 – point 6 a (new)
(6 a) 'data subject' means data subject as referred to in Article 4, point (1), of Regulation (EU) 2016/679;
Amendment 455 #
2022/0047(COD)
Proposal for a regulation
Article 2 – paragraph 1 – point 10
(10) ‘public emergency’ means an exceptional situation such as public health emergencies, emergencies resulting from environmental degradation and major natural disasters, including those exacerbated by climate change, and major man-made disasters, such as major cybersecurity incidents, negatively affecting the population of the Union, a Member State or part of it, with a risk of serious and lasting repercussions on living conditions or economic and financial stability, or the substantial degradation of economic assets in the Union or the relevant Member State(s); and which is determined according to the respective procedures under Union or national law.
Amendment 463 #
2022/0047(COD)
Proposal for a regulation
Article 31 – paragraph 1
1. Each Member State shall designate one or more competent authoritiesy as responsible for the application and enforcement of this Regulation. Member States may establish one or morea new authoritiesy or rely on existing authorities.
Amendment 464 #
2022/0047(COD)
Proposal for a regulation
Article 31 – paragraph 1 a (new)
1 a. The independent supervisory authorities responsible for monitoring the application of Regulation (EU) 2016/679 shall be responsible for monitoring the application of this Regulation insofar as the protection of personal data is concerned. Chapters VI and VII of Regulation (EU) 2016/679 shall apply mutatis mutandis. The European Data Protection Supervisor shall be responsible for monitoring the application of this Regulation insofar as it concerns the Union institutions, bodies, offices and agencies. Where relevant, Article 62 of Regulation 2018/1725 shall apply mutatis mutandis. The tasks and powers of the supervisory authorities shall be exercised with regard to the processing of personal data.
Amendment 468 #
2022/0047(COD)
Proposal for a regulation
Article 31 – paragraph 2 – point a
Amendment 473 #
2022/0047(COD)
Proposal for a regulation
Article 31 – paragraph 2 – point c
(c) the national competent authority responsible for the application and enforcement of Chapter VI of this Regulation shall have experience, sufficient technical and human resources and expertise in the field of data and electronic communications services.
Amendment 479 #
2022/0047(COD)
Proposal for a regulation
Article 31 – paragraph 3 – point i a (new)
(i a) ensuring data sharing is free of charge for users.
Amendment 480 #
2022/0047(COD)
Proposal for a regulation
Article 31 – paragraph 4
4. Where a Member State designates more than one competent authority, tThe competent authorities shall, in the exercise of the tasks and powers assigned to them under paragraph 3 of this Article, cooperate with each other, including, as appropriate, with the supervisory authority responsible for monitoring the application of Regulation (EU) 2016/679, to ensure the consistent application of this Regulation. In such cases, relevant Member States shall designate a coordinating competent authority.
Amendment 482 #
2022/0047(COD)
Proposal for a regulation
Article 31 – paragraph 5
5. Member States shall communicate the name of the designated competent authorities and their respective tasks and powers and, where applicable, the name of the coordinating competent authority to the Commission. The Commission shall maintain a public register of those authorities.
Amendment 488 #
2022/0047(COD)
Proposal for a regulation
Article 34 – paragraph 1
The Commission shall develop and recommend non-binding model contractual terms on data access and use to assist parties in drafting and negotiating contracts with balanced contractual rights and obligations. The Commission shall consult the European Data Protection Board when developing such model contractual terms, as far as personal data are concerned.
Amendment 521 #
2022/0047(COD)
Proposal for a regulation
Article 3 – paragraph 2 – point c
(c) how the user may access those data delivered in a usable format and in a simple, clear and free manner for the user;
Amendment 650 #
2022/0047(COD)
Proposal for a regulation
Article 6 – paragraph 2 – point a
(a) make the exercise of the rights or choices of users unduly difficult including by offering choices to the end-users in a non-neutral manner, or coerce, deceive or manipulate the user in any way, by subverting or impairing the autonomy, decision-making or choices of the user, including by means of a digital interface with the user or a part thereof, including its structure, design, function or manner of operation;
Amendment 678 #
2022/0047(COD)
Proposal for a regulation
Article 7 – paragraph 1
1. The obligations of this Chapter related to business-to-business data sharing shall not apply to data generated by the use of products manufactured or related services provided by enterprises that qualify as micro or small enterprises, as defined in Article 2 of the Annex to Recommendation 2003/361/EC, provided those enterprises do not have partner enterprises or linked enterprises as defined in Article 3 of the Annex to Recommendation 2003/361/EC which do not qualify as a micro or small enterprise.
Amendment 699 #
2022/0047(COD)
Proposal for a regulation
Article 9 – paragraph 1
1. Any compensation agreed between a data holder and a data recipient for making data available shall be reasonable and shall not exceed the costs directly related to making the data available.
Amendment 704 #
2022/0047(COD)
Proposal for a regulation
Article 9 – paragraph 2
2. Where the data recipient is a micro, small or medium enterprise, as defined in Article 2 of the Annex to Recommendation 2003/361/EC, aAny compensation agreed shall not exceed the costs directly related to making the data available to the data recipient and which are attributable to the request. Article 8(3) shall apply accordingly.
Amendment 1104 #
2022/0047(COD)
Proposal for a regulation
Article 31 – paragraph 2 – point c
(c) the national competent authority responsible for the application and enforcement of Chapter VI of this Regulation shall have technical and human resources and experience in the field of data and electronic communications services.
Amendment 1107 #
2022/0047(COD)
Proposal for a regulation
Article 31 – paragraph 3 – point b
(b) handling complaints arising from alleged violations of this Regulation, and investigating, to the extent appropriate, the subject matter of the complaint and regularly and meaningfully informing the complainant of the progress and the outcome of the investigation swiftly within a reasonable period, in particular if further investigation or coordination with another competent authority is necessary;
Amendment 1114 #
2022/0047(COD)
Proposal for a regulation
Article 31 – paragraph 3 – point f
(f) cooperating with competent authorities of other Member States to ensure the consistent swift and effective application of this Regulation, including the exchange of all relevant information by electronic means, in a timely manner without undue delay;
Amendment 1127 #
2022/0047(COD)
Proposal for a regulation
Article 32 – paragraph 1
1. Without prejudice to any other administrative or judicial remedy, natural and legal persons shall have the right to lodge a complaint, individually or, where relevant, collectively, with the relevant competent authority in the Member State of their habitual residence, place of work or establishment if they consider that their rights or the obligations under this Regulation have been infringed.
Amendment 1143 #
2022/0047(COD)
The Commission shall develop and recommend non-binding model contractual terms on data access and use to assist parties in drafting and negotiating contracts with balanced contractual rights and obligations. These non-binding contractual terms shall be openly freely available in easily usable electronic format.
Amendment 190 #
2021/2230(INI)
Motion for a resolution
Paragraph 12 a (new)
Amendment 224 #
2021/2230(INI)
Motion for a resolution
Paragraph 16 a (new)
16a. Calls on Armenia to ratify the Council of Europe Convention on preventing and combating violence against women and domestic violence;
Amendment 10 #
2021/2103(INI)
Motion for a resolution
Citation 15 a (new)
— having regard to the Statement of the Commissioner for Human Rights of the Council of Europe of 16 May 2019 titled ‘Let’s defend LGBTI defenders’,1a
1a https://www.coe.int/en/web/commissioner/-/let-s-defend-lgbti-defenders
Amendment 49 #
2021/2103(INI)
Motion for a resolution
Recital I a (new)
I a. whereas the situation of LGBTI rights defenders in Europe was described as worrying by the Commissioner for Human Rights, who reported several instances of online and offline harassment, violent assaults, hate campaigns and death threats in Member States and neighbourhood countries; whereas this trend is interlinked with the scapegoating of other minority groups and it contravenes the principle that every person is born equal in dignity and rights;
Amendment 97 #
2021/2103(INI)
Motion for a resolution
Paragraph 2
2. Emphasises that for civil society organisations to thrive, civic space must be an enabling and safe environment free from undue interference, intimidation, harassment and chilling effects, such as SLAPPs, incitement to hatred and/or violence against rights defenders and organisations, and the creation of legal or administrative hurdles affecting their daily operations;
Amendment 130 #
2021/2103(INI)
Motion for a resolution
Paragraph 6 a (new)
6 a. Recalls that the scapegoating of minorities and vulnerable groups such as women and LGBTI persons is not an isolated event, but functions as a premeditated and gradual dismantling of fundamental rights, which are protected in Article 2 TEU, constituting part of a larger political agenda which has been called ‘anti-gender’ campaigns; calls on Member States to be particularly cautious of initiatives that attempt to roll-back on acquired rights which were designed to prevent and protect persons from discrimination and to promote equality;
Amendment 185 #
2021/2103(INI)
Motion for a resolution
Paragraph 14 a (new)
14 a. Restates that no proper response has yet been given to Parliament’s initiative on the establishment of an EU mechanism on democracy, the rule of law and fundamental rights to be governed by an interinstitutional agreement between Parliament, the Commission and the Council; calls on the Commission and the Council to immediately enter into negotiations with Parliament on an interinstitutional agreement pursuant to Article 295 TFEU; recalls that the monitoring of civic space is deeply linked with democracy and fundamental rights, and that a mechanism to monitor Article 2 TEU values is the best tool for a holistic approach in such respect;
Amendment 3 #
2021/0395(COD)
Proposal for a directive
Article 3 – paragraph -1 (new)
-1 in Article 9, the following paragraph shall be added: “3a. The issuing judicial authority shall use the decentralised IT system referred to in Article 3(1) of Regulation (EU) .../... [Digitalisation Regulation], to provide the competent authority in the executing Member State with: a) the information required to enable the requested person to appoint a lawyer in the issuing state in accordance with Article 10(5) of Directive 2013/48/EU, and to apply for legal aid in the issuing state in accordance with Article 5 of Directive 2016/1919/EU; b) the material evidence that supports the cross-border cooperation request in due time before the hearing through videoconferencing or other distance communication technology, without prejudice to the procedure laid down in paragraph 2 in Article 15.
Amendment 183 #
2021/0394(COD)
Proposal for a regulation
Article 3 a (new)
Amendment 34 #
2021/0136(COD)
Proposal for a regulation
Recital 11
(11) European Digital Identity Wallets should ensure the highest level of security for the personal data used for authentication irrespective of whether such data is stored locally or on cloud-based solutions, taking into account the different levels of risk. Using biometrics to authenticate is one of the identification methods providing a high level of confidence, in particular when used in combination with other elements of two-factor authentication. Since biometrics represents a unique characteristic of a person, the use of biometrics requires organisational and security measures, commensurate to the risk that such processing may entail to the rights and freedoms of natural persons and in accordance with Regulation 2016/679. Authentication via biometrics should not be a precondition for using the European Digital Identity Wallet.
Amendment 36 #
2021/0136(COD)
Proposal for a regulation
Recital 11 a (new)
(11 a) The obligation on the European Digital Identity Wallet to ensure effective portability of data under this Regulation complements the right to data portability under Regulation (EU) 2016/679.
Amendment 55 #
2021/0136(COD)
Proposal for a regulation
Recital 29
(29) The European Digital Identity Wallet should technically enable the selective disclosure of attributes to relying parties. This feature should become a basic design feature thereby reinforcing convenience and personal data protection including minimisation of processing of personal data. The data requested from the user via the European Digital Identity Wallet have to be strictly necessary and proportionate for the intended use case of the relying party and follow the principle of data minimisation.
Amendment 74 #
2021/0136(COD)
Proposal for a regulation
Article 1 – paragraph 1 – point 3 – point b a (new)
Regulation (EU) No 910/2014
Article 3 – point 5
"(5) ‘authentication’ means an electronic process that enables the electronic identification of a natural or legal person, or the origin and integrity of data in electronic form to be confirmed; o verify the data presented" Or. en (32014R0910)
Amendment 123 #
2021/0136(COD)
Proposal for a regulation
Article 1 – paragraph 1 – point 7
Regulation (EU) No 910/2014
Article 6a – paragraph 4 – point a – point 2 a (new)
(2 a) for relying parties to be uniquely identified in order to be able to include their identification data, use cases and user data requests in a public register overseen by supervisory authorities established under Regulation (EU) 2016/679;
Amendment 125 #
2021/0136(COD)
Proposal for a regulation
Article 1 – paragraph 1 – point 7
Regulation (EU) No 910/2014
Article 6a – paragraph 4 – point a – point 3
(3) for the presentation to relying parties of person identification data such as credentials, electronic attestation of attributes or other data such as credentials, in local mode not requiring internet access for the wallet and for the user to make an informed decision about the sharing of personal information with relying parties. This includes identification of the relying party, complete or partial refusal of information requests from relying parties, a full transaction history, the possibility to withdraw previously given consent to information requests for the wallet and information about the exercise of rights as data subject;
Amendment 144 #
2021/0136(COD)
Proposal for a regulation
Article 1 – paragraph 1 – point 7
Regulation (EU) No 910/2014
Article 6a – paragraph 5a (new)
5 a. Member States shall ensure that relevant information on the European Digital Identity Wallet is publicly available, including privacy protective settings, technical architecture, security frameworks, and where the processing of personal data is carried out.
Amendment 150 #
2021/0136(COD)
Proposal for a regulation
Article 1 – paragraph 1 – point 7
Regulation (EU) No 910/2014
Article 6a – paragraph 7
7. The user shall be in full control of the European Digital Identity Wallet and their personal data. The issuer of the European Digital Identity Wallet or third-party services or the Member State shall not collect information about the use of the wallet by the user which are not strictly necessary and proportionate solely for the provision of the wallet services, nor shall it combine person identification data and any other personal data stored or relating to the use of the European Digital Identity Wallet with personal data from any other services offered by this issuer or from third-party services which are not strictly necessary and proportionate solely for the provision of the wallet services, unless the user has expressly requested it. The exchange of information via the European Digital Identity Wallet shall not allow providers of electronic attestations of attributes to track, link, correlate or otherwise obtain knowledge of transactions or user behaviour. Personal data relating to the provision of European Digital Identity Wallets shall be kept physically and logically separate from any other data held. If the European Digital Identity Wallet is provided by private parties in accordance to paragraph 1 (b) and (c), the provisions of article 45f paragraph 4 shall apply mutatis mutandis.
Amendment 154 #
2021/0136(COD)
Proposal for a regulation
Article 1 – paragraph 1 – point 7
7 a. The European Digital Identity Wallet shall request explicit prior consent of the user to perform any operations.
Amendment 155 #
2021/0136(COD)
Proposal for a regulation
Article 1 – paragraph 1 – point 7
Regulation (EU) No 910/2014
Article 6a – paragraph 7b (new)
7 b. The European Digital Identity Wallet shall provide a state of the art mechanism to transmit all of the user’s data in the wallet from one device to another and from one wallet to another upon the user’s request and free of charge.
Amendment 156 #
2021/0136(COD)
Proposal for a regulation
Article 1 – paragraph 1 – point 7
7 c. The European Digital Identity Wallet shall provide a mechanism for the user to inform directly the supervisory body and the supervisory authorities established under Regulation (EU) 2016/679 about any relying party that appears to request a disproportionate amount of data.
Amendment 157 #
2021/0136(COD)
Proposal for a regulation
Article 1 – paragraph 1 – point 7
Regulation (EU) No 910/2014
Article 6a – paragraph 7d (new)
7 d. Access to public and private services shall not be denied, hindered or made more costly for natural persons who choose not to use the European Digital Identity Wallet.
Amendment 158 #
2021/0136(COD)
Proposal for a regulation
Article 1 – paragraph 1 – point 7 Regulation (EU) No 910/2014
7 e. The user shall be entitled to request a backup function of the data they have in their European Digital Identity Wallet from the wallet issuer in situations of unavailability of the wallet, and in case of loss or theft of their device. This backup function shall be enabled only with the explicit prior consent of the user and it shall be complemented with reinforced identity checks.
Amendment 179 #
2021/0136(COD)
1. When notified electronic identification means and the European Digital Identity Wallets are used for identification, Member States shall ensure unique identification.
Amendment 181 #
2021/0136(COD)
Proposal for a regulation
Article 1 – paragraph 1 – point 12
Regulation (EU) No 910/2014
Article 11 – paragraph 2
2. Member States shall, for the purposes of this Regulation, include in the minimum set of person identification data referred to in Article 12.4.(d), a unique and persistent identifier in conformity with Union law, to identify the user upon their request and only in those cases where identification of the user is required by law. Unique and persistent identifiers shall not be accessed for the purpose of user authentication.
Amendment 206 #
2021/0136(COD)
Proposal for a regulation
Article 1 – paragraph 1 – point 20 – point a – point 2
Regulation (EU) No 910/2014
Article 17 – paragraph 4 – point f
(f) to cooperate with supervisory authorities established under Regulation (EU) 2016/679, in particular, by informing them without undue delay, about the results of audits of qualified trust service providers, where personal data protection rules have been breached and about security breaches which constitute whenever becoming aware of a personal data breaches;;
Amendment 215 #
2021/0136(COD)
Proposal for a regulation
Article 1 – paragraph 1 – point 22 – point b
Regulation (EU) No 910/2014
Article 20 – paragraph 2
Where personal data protection rules appear to have been breached, the supervisory body shall inform the supervisory authorities under Regulation (EU) 2016/679 of the results of its audits.;
Amendment 921 #
2021/0106(COD)
Proposal for a regulation
Article 3 – paragraph 1 – point 1
(1) ‘'artificial intelligence system’ (AI system) means software that is developed with one or more of the techniques and approaches listcan for example perceive, learn, reason or model based ion Annex I and can, for a given set of human-defined objectives,machine and/or human based inputs, to generate outputs such as content, hypotheses, predictions, recommendations, or decisions influencing the real or virtual environments they interact with;
Amendment 1022 #
2021/0106(COD)
Proposal for a regulation
Article 3 – paragraph 1 – point 33
(33) ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic dataas defined in Article 4, point (14) of Regulation (EU) 2016/679;
Amendment 1030 #
2021/0106(COD)
Proposal for a regulation
Article 3 – paragraph 1 – point 33 b (new)
(33 b) ‘biometric identification’ means the use of AI-systems for the purpose of the automated recognition of physical, physiological, behavioural, and psychological human features such as the face, eye movement, facial expressions, body shape, voice, speech, gait, posture, heart rate, blood pressure, odour, keystrokes, psychological reactions (anger, distress, grief, etc.) for the purpose of verification of an individual’s identity by comparing biometric data of that individual to stored biometric data of individuals in a database (one-to-many identification);
Amendment 1112 #
2021/0106(COD)
Proposal for a regulation
Article 3 – paragraph 1 – point 44 b (new)
(44 b) ‘artificial intelligence system with indeterminate uses’ means an artificial intelligence system without specific and limited provider-defined purposes;
Amendment 1225 #
2021/0106(COD)
Proposal for a regulation
Article 5 – paragraph 1 – point c a (new)
(c a) the placing on the market, putting into service, or use of AI systems intended to be used as polygraphs and similar tools to detect the emotional state, trustworthiness or related characteristics of a natural person;
Amendment 1288 #
2021/0106(COD)
Proposal for a regulation
Article 5 – paragraph 1 – point d a (new)
(d a) the creation or expansion of biometric databases through the untargeted or generalised scraping of biometric data from social media profiles or CCTV footage, or equivalent methods;
Amendment 1307 #
2021/0106(COD)
Proposal for a regulation
Article 5 – paragraph 1 – point d d (new)
(d d) the placing on the market, putting into service or use of an AI system for making predictions, profiles or risk assessments based on data analysis or profiling of natural persons, groups or locations, for the purpose of predicting the occurrence or reoccurrence of an actual or potential criminal offence(s) or other criminalised social behaviour;
Amendment 1319 #
2021/0106(COD)
Proposal for a regulation
Article 5 – paragraph 1 – point d f (new)
(d f) the placing on the market, putting into service, or use of AI systems that are aimed at automating judicial or similarly intrusive binding decisions by state actors;
Amendment 1322 #
2021/0106(COD)
Proposal for a regulation
Article 5 – paragraph 1 – point d g (new)
(d g) the placing on the market, putting into service or the use of AI systems by or on behalf of competent authorities in migration, asylum or border control management, to profile an individual or assess a risk, including a security risk, a risk of irregular immigration, or a health risk, posed by a natural person who intends to enter or has entered the territory of a Member State, on the basis of personal or sensitive data, known or predicted, except for the sole purpose of identifying specific care and support needs;
Amendment 1447 #
2021/0106(COD)
Proposal for a regulation
Article 6 – paragraph 2 a (new)
2 a. An artificial intelligence system with indeterminate uses shall also be considered high risk if so identified per Article 9, paragraph 2, point (a).
Amendment 1452 #
2021/0106(COD)
Proposal for a regulation
Article 6 – paragraph 2 b (new)
2 b. In addition to the high-risk AI systems referred to in paragraph 1 and paragraph 2, AI systems that create foreseeable high-risks when combined shall also be considered high-risk.
Amendment 1563 #
2021/0106(COD)
Proposal for a regulation
Article 8 – paragraph 2
2. The intended purpose of the high-risk AI system, the foreseeable uses and foreseeable misuses of AI systems with indeterminate uses and the risk management system referred to in Article 9 shall be taken into account when ensuring compliance with those requirements.
Amendment 1583 #
2021/0106(COD)
Proposal for a regulation
Article 9 – paragraph 2 – point a
(a) identification and analysis of the known and the reasonably foreseeable risks that the high-risk AI system, and AI systems with indeterminate uses, can pose to: (i) the health or safety of natural persons; (ii) the legal rights or legal status of natural persons; (iii) the fundamental rights; (iv) the equal access to services and opportunities of natural persons; (v) the Union values enshrined in Article 2 TEU.
Amendment 1701 #
2021/0106(COD)
Proposal for a regulation
Article 10 – paragraph 2 – point f
(f) examination in view of possible biases, especially where data outputs are used as an input for future operations (‘feedback loops’);
Amendment 1729 #
2021/0106(COD)
Proposal for a regulation
Article 10 – paragraph 4
4. Data sets shall take into account, to the extent required by the intended purpose, the foreseeable uses and reasonably foreseeable misuses of AI systems with indeterminate uses, the characteristics or elements that are particular to the specific geographical, behavioural or functional setting within which the high-risk AI system is intended to be used.
Amendment 1805 #
2021/0106(COD)
Proposal for a regulation
Article 13 – paragraph 3 – point b – point v
(v) when appropriate, specifications for the input data, or any other relevant information in terms of the data sets used, including their limitation and assumptions, taking into account the intended purpose, the foreseeable and reasonably foreseeable misuses of the AI system.
Amendment 1849 #
2021/0106(COD)
Proposal for a regulation
Article 15 – paragraph 1
1. High-risk AI systems shall be designed and developed in such a way that they achieve, in the light of their intended purpose, the foreseeable uses and reasonably foreseeable misuses, an appropriate level of performance (such as accuracy, reliability and true positive rate), robustness and cybersecurity, and perform consistently in those respects throughout their lifecycle.
Amendment 1883 #
2021/0106(COD)
Proposal for a regulation
Article 16 – paragraph 1 – point a a (new)
Amendment 1886 #
2021/0106(COD)
Proposal for a regulation
Article 16 – paragraph 1 – point a b (new)
(a b) provide specifications for the input data, or any other relevant information in terms of the data sets used, including their limitation and assumptions, taking into account of the intended purpose and the foreseeable and reasonably foreseeable misuses of the AI system;
Amendment 2036 #
2021/0106(COD)
Proposal for a regulation
Article 29 – paragraph -1 (new)
-1. Users of high-risk AI systems shall ensure that natural persons assigned to ensure or entrusted with human oversight for high-risk AI systems are competent, properly qualified and trained, free from external influence and neither seek nor take instructions from anybody. They shall have the necessary resources in order to ensure the effective supervision of the system in accordance with Article 14.
Amendment 2056 #
2021/0106(COD)
Proposal for a regulation
Article 29 – paragraph 4 – introductory part
4. Users shall monitor the operation of the high-risk AI system on the basis of the instructions of use. When they have reasons to consider that the use in accordance with the instructions of use may result in the AI system presenting a risk within the meaning of Article 65(1) they shall immediately inform the provider or distributor and suspend the use of the system. They shall also immediately inform the provider or distributor when they have identified any serious incident or any malfunctioning, including near misses, within the meaning of Article 62 and interrupt the use of the AI system. In case the user is not able to reach the provider, Article 62 shall apply mutatis mutandis.
Amendment 2072 #
2021/0106(COD)
Proposal for a regulation
Article 29 – paragraph 6 a (new)
6 a. Users of high-risk AI systems referred to in Annex III that make decisions or assist in making decisions related to an affected person, shall inform them that they are subject to the use of the high-risk AI system. This information shall include the type of the AI system used, its intended purpose and the type of decisions it makes.
Amendment 2078 #
2021/0106(COD)
Proposal for a regulation
Article 29 a (new)
Amendment 3067 #
2021/0106(COD)
Proposal for a regulation
Annex III – paragraph 1 – point 1 – point a a (new)
Amendment 3075 #
2021/0106(COD)
Proposal for a regulation
Annex III – paragraph 1 – point 1 – point a b (new)
(a b) AI systems that are or may be used for monitoring compliance with health and safety measures or inferring alertness/attentiveness for safety purposes, on the basis of biometric or biometrics-based data;
Amendment 3080 #
2021/0106(COD)
Proposal for a regulation
Annex III – paragraph 1 – point 1 – point a c (new)
(a c) AI systems that are or may be used to diagnose or support diagnosis of medical conditions or medical emergencies on the basis of biometric or biometrics-based data;
Amendment 3149 #
2021/0106(COD)
Proposal for a regulation
Annex III – paragraph 1 – point 6 – point a
Amendment 3160 #
2021/0106(COD)
Proposal for a regulation
Annex III – paragraph 1 – point 6 – point b
Amendment 3178 #
2021/0106(COD)
Proposal for a regulation
Annex III – paragraph 1 – point 6 – point e
Amendment 3194 #
2021/0106(COD)
Proposal for a regulation
Annex III – paragraph 1 – point 7 – point a
Amendment 3197 #
2021/0106(COD)
Proposal for a regulation
Annex III – paragraph 1 – point 7 – point b
Amendment 3244 #
2021/0106(COD)
Proposal for a regulation
Annex IV – paragraph 1 – point 1 – point a
(a) its intended purpose or reasonably foreseeable use, the person/s developing the system, the date and the version of the system;
Amendment 3251 #
2021/0106(COD)
Proposal for a regulation
Annex IV – paragraph 1 – point 1 – point b
(b) how the AI system interacts or can be used to interact with hardware or software, including other AI systems, that are not part of the AI system itself, where applicable;
Amendment 6 #
2020/2216(INI)
Draft opinion
Paragraph 1 a (new)
1 a. Recommends that Europe must analyse the challenges for consumers created by AI and make the EU’s consumer rights standards fit for the 21st century. Therefore it must establish an AI European Certificate of Compliance with Ethical Principles to ensure European citizens trust on AI; This Certificate should be granted by an independent, public certification organisation after a thorough assessment of compliance with the Ethical Requirements put forward by the High Level Expert Group on AI. The certification criteria and requirements for assessing the compliance will be drawn by this body in cooperation with the Commission and the Member States. Suggests that certification and auditing mechanisms at both the national and EU levels for automated data processing and decision-making techniques should be developed to ensure their compliance with ethical principles and values. Monitoring of compliance should be proportionate to the nature and degree of risk associated with the operation of the artificial intelligence application or system;
Amendment 38 #
2020/2216(INI)
Draft opinion
Paragraph 3
3. Emphasises that the COVID crisis provides an opportunity to speed up digitalisation; calls for financial incentives for SMEs that want to enter new markets; calls for new and open frameworks of access to data for European SMEs and start-ups in order to support their growth by empowering the training, testing and development of AI-enabled systems and applications. Calls for an inclusive digitisation of our societies that will serve the interests of the citizens by taking into account accessibility and affordability considerations. Calls for coordinated actions to address Europe’s digital divide that has been worsened due to the COVID and for a fair and cooperative digital modernisation of the public sector that would aim at a value-based digital transformation by promoting fundamental rights and democratic values.
Amendment 64 #
2020/2216(INI)
Draft opinion
Paragraph 5
5. Calls on the Commission to stop funding big companies and distributing the remaining funds by a shotgun approach; highlights that large technology companies and platforms with strategic market status in the DSM may leverage their positions not only in terms of the market but also in terms of access to and control of data, resulting in possible concentration of AI innovation and future imbalances in the DSM; calls for winners to be picked and grown larger; suggests prioritising future areas for digital economic structures; Highlights the need to support SMEs to master the twin transition to sustainability and digitalisation by safeguarding that they have access to the right skills, expertise and funding. Highlights the need for this support to acquire a broad geographical coverage across Europe, including remote, rural and island areas and aim at strengthening the digital capabilities and infrastructure in smaller places at the periphery of Europe;
Amendment 67 #
2020/2216(INI)
Draft opinion
Paragraph 5 a (new)
5 a. Warns against the use of predictive technologies or perception manipulation techniques for market purposes from Big tech companies and pledges to safeguard that sensitive personal data, transactions data and metadata will not be used for profit by big corporations without citizens’ awareness and clear consent. Calls for these techniques to be classified in the highest category of the risk level scale proposed by the Commission given their specific and extremely sensitive nature as well as their potential misuses. Calls the European Data Protection Board to issue Guidelines on this issue and highlights the need to safeguard algorithmic transparency of AI technologies and applications. Stresses the need for the establishment of a thorough system of traceability of AI systems that will be under human oversight, understandable by the consumers and which meets data subjects’ reasonable expectations;
Amendment 88 #
2020/2216(INI)
Draft opinion
Paragraph 8 a (new)
8 a. Suggests that the EU must ensure minimum standards of fair working conditions for platform workers in line with the European Pillar of social rights as a requirement to allow access of platforms to the EU Digital single market. Suggests that the EU should introduce rules that control the growing digitisation of workplace monitoring and also to introduce mechanisms and methodologies that assess the relevant risks that have been augmented due to the increasing blurring between office and home environments. Calls for the EU to establish collective bargaining agreements and umbrella protection mechanisms for all platform workers;
Amendment 99 #
2020/2216(INI)
Draft opinion
Paragraph 9
9. Recognises that AI deployment is key to European competitiveness in the digital era; highlights that to facilitate the uptake of AI in Europe, a common European approach is needed to avoid internal market fragmentation, ensure the safety of data of Europeans and guarantee that they will not be processed by non-EU bodies for profit-making and/or political purposes or used to train algorithms shared with authoritarian regimes;
Amendment 115 #
2020/2216(INI)
Draft opinion
Paragraph 10
10. Considers that access to big data is key for the development of AI; reiterates the need for a new approach to data ownership by data subjects in the context of AI-enabled systems to ensure privacy and control of aggregated data or metadata built on data points containing information including, but not limited to, time, location, transactions; calls for a new approach to data regulation; stresses that privacy and data protection must be guaranteed at all stages of the AI system’s life cycle and notes that any big data processing operation should be subject to an ex-ante and extensive Data Protection Impact Assessment;
Amendment 118 #
2020/2216(INI)
Draft opinion
Paragraph 10 a (new)
Amendment 122 #
2020/2216(INI)
Draft opinion
Paragraph 10 b (new)
10 b. Demands that any artificial intelligence, robotics and related technologies system, shall be developed, deployed or used with "privacy by default" and in a manner that prevents the possible identification of individuals from data that were previously processed based on anonymity or pseudonymity, and the generation of new, inferred, potentially sensitive data and forms of categorisation through automated means (metadata). Calls the Commission to develop robust anonymisation and pseudonymisation techniques and identify best practices that will meet the processing requirements of the GDPR;
Amendment 126 #
2020/2216(INI)
Draft opinion
Paragraph 10 c (new)
10 c. Strongly emphasises the need to protect consumers from microtargeting practises and suggests that it should be flagged and coupled with their right to request a report on the use of behavioural analytics that were used to achieve consumers targeting. Is of the opinion that targeted advertisement practises should be explainable and offer to consumers options of choosing the desired personalization level/percentage of microtargeting. (ex. on a scale 0-100%). Strongly considers that the use of these practices should be subject to specific safeguards such as the informed and explicit consent of their owner, who should have the right to access effective remedies in case of misuse;
Amendment 129 #
2020/2216(INI)
Draft opinion
Paragraph 11
11. Warns against overregulating AI and discourages any "one-size-fits-all" approach to regulation; recalls that regulation must be balanced, agile, proportionate, and based on the current legislative instruments and best practices except for high-risk areas where a new regulatory approach should be devised;
Amendment 135 #
2020/2216(INI)
Draft opinion
Paragraph 11 a (new)
11 a. Recommends that determining the risk level and the classification of sectors as high or low-risk, should always derive from an impartial, regulated, inclusive, independent and external assessment that considers ethical harms that can arise from artificial intelligence, robotics and related technologies in society, either because of poor (unethical) design, inappropriate application, or misuse; Such an assessment needs to balance attention to abstract principles with specificity; Strongly recommends that a broad and inclusive debate and stakeholder consultation will contribute to creating trust among citizens regarding the assessment and classification of risks;
Amendment 141 #
2020/2216(INI)
Draft opinion
Paragraph 11 b (new)
11 b. Requests the Commission to determine the risk level of sectors by taking into account non-quantifiable risks and pay particular attention to the identification and characterisation of the hazard, the assessment of the likelihood of its occurrence and the characterisation of risk. Asks the Commission to pay particular attention to carefully evaluate all the uncertainties and transparently report on them, even when these cannot be modelled or expressed in quantitative terms. Requests the Commission to apply the Ethical Requirements put forward by the High Level Expert Group at the risk management level and consider the need for introducing a precautionary approach towards high level or potentially irreversible risks;
Amendment 151 #
2020/2216(INI)
Draft opinion
Paragraph 12 a (new)
12 a. Calls on the Commission and the Member States to consider the creation of a European regulatory agency for AI and algorithmic decision-making tasked with 1) Auditing the AIAs of high-level impact systems to approve or reject the proposed uses of algorithmic decision-making in highly sensitive and/or safety-critical application domains (private health-care, for instance) 2) Investigating suspected cases of rights violations by algorithmic decision-making systems, for both individual decision instances (singular aberrant outcomes, for example) and statistical decision patterns (discriminatory bias, for instance) 3) Assessing compliance with the proposed Ethics Requirements and conduct periodical ethics reviews and audits;
Amendment 15 #
2020/2215(INI)
Motion for a resolution
Citation 5
— having regard to the 2030 Agenda for Sustainable Development, which was adopted on 25 September 2015 and entered into force on 1 January 2016, and in particular to Sustainable Development Goals (SDGs) 3, 5 and 16, and the related indicators,
Amendment 21 #
2020/2215(INI)
Motion for a resolution
Citation 7
— having regard to the Convention on the Elimination of All Forms of Discrimination Against Women (CEDAW) and its General Recommendations No. 21 (1994), No. 24 (1999), No. 28 (2010), No. 33 (2015) and No. 35 (2017),
Amendment 41 #
2020/2215(INI)
Motion for a resolution
Citation 16 a (new)
- having regard to the report of the Council of Europe’s Committee on Equality and Non-Discrimination of 18 October 2017 on promoting the human rights of and eliminating discrimination against intersex people,
Amendment 43 #
2020/2215(INI)
Motion for a resolution
Citation 16 b (new)
- having regard to the report of the Council of Europe’s Committee on Equality and Non-Discrimination of 22 April 2015 on discrimination against transgender people in Europe,
Amendment 77 #
2020/2215(INI)
Motion for a resolution
Citation 38 a (new)
Amendment 78 #
2020/2215(INI)
Motion for a resolution
Citation 38 b (new)
- having regard to its resolution of 26 November 2020 on abortion rights in Poland,
Amendment 79 #
2020/2215(INI)
Motion for a resolution
Citation 38 c (new)
- having regard to IPPF EN/BZgA Report on Sexuality Education in Europe and Central Asia,
Amendment 80 #
2020/2215(INI)
- having regard to the IPPF EN partner survey Abortion legislation and its implementation in Europe and Central Asia,
Amendment 81 #
2020/2215(INI)
Motion for a resolution
Citation 38 e (new)
- having regard to European Parliament Study The gendered impact of the COVID-19 crisis and post-crisis,
Amendment 82 #
2020/2215(INI)
Motion for a resolution
Citation 38 f (new)
- having regard to the report of the European Institute for Gender Equality of 22 November 2019 on Beijing +25 – The 5th Review of the Implementation of the Beijing Platform for Action in the EU Member States,
Amendment 83 #
2020/2215(INI)
Motion for a resolution
Citation 38 g (new)
- having regard to the Commission communication of 5 March 2020 entitled ‘A Union of Equality: Gender Equality Strategy 2020-2025’ (COM(2020)0152),
Amendment 84 #
2020/2215(INI)
Motion for a resolution
Citation 38 h (new)
- having regard to the report by UN Women entitled ‘The Impact of COVID-19 on Women’, published on 9 April 2020,
Amendment 85 #
2020/2215(INI)
Motion for a resolution
Citation 38 i (new)
- having regard to the report by UN entitled “COVID-19 and Human Rights: We are all in this together”, published in April 2020,
Amendment 86 #
2020/2215(INI)
Motion for a resolution
Citation 38 j (new)
- having regard to the UN Population Fund (UNFPA) report entitled ‘Impact of the COVID-19 Pandemic on Family Planning and Ending Gender-based Violence, Female Genital Mutilation and Child Marriage’, published on 27 April 2020,
Amendment 87 #
2020/2215(INI)
Motion for a resolution
Citation 38 k (new)
- having regard to the statement by UNFPA entitled ‘Millions more cases of violence, child marriage, female genital mutilation, unintended pregnancy expected due to the COVID 19 pandemic’, published on 28 April 2020,
Amendment 88 #
2020/2215(INI)
Motion for a resolution
Citation 38 l (new)
- having regard to the European Women’s Lobby policy brief entitled ‘Women must not pay the price for COVID-19!’,
Amendment 89 #
2020/2215(INI)
Motion for a resolution
Citation 38 m (new)
- having regard to the study by Professor Sabine Oertelt-Prigione entitled ‘The impact of sex and gender in the COVID-19 pandemic’, published on 27 May 2020,
Amendment 90 #
2020/2215(INI)
Motion for a resolution
Citation 38 n (new)
- having regard to WHO’s Safe abortion: technical and policy guidance for health systems,
Amendment 91 #
2020/2215(INI)
Motion for a resolution
Citation 38 o (new)
- having regard to WHO’s Global Strategy to Accelerate the Elimination of Cervical Cancer,
Amendment 92 #
2020/2215(INI)
Motion for a resolution
Citation 38 p (new)
- having regard to the European Parliament resolution of 13 November 2020 on the impact of COVID-19 measures on democracy, the rule of law and fundamental rights,
Amendment 93 #
2020/2215(INI)
Motion for a resolution
Citation 38 q (new)
- having regard to the European Parliamentary Forum for Sexual and Reproductive Health and Rights and International Planned Parenthood Federation European Network research and report entitled “Sexual and Reproductive Health and Rights during the COVID-19 pandemic”, published on 22nd April 2020,
Amendment 96 #
2020/2215(INI)
Motion for a resolution
Recital A
A. whereas sexual and reproductive health (SRH) is a state of physical, emotional, mental and social well-being in relation to all aspects of sexuality and reproduction, not merely the absence of dysfunction, infirmity or mortality, and whereas all individuals have a right to make decisions governing their bodies8, free from discrimination, coercion and violence, and to access SRH services that support that right and give a positive approach to sexuality and reproduction, as sexuality is an integral part of human existence;
8 Guttmacher-Lancet Commission, Executive Summary on sexual and reproductive health and rights, The Lancet, London, 2018, https://www.guttmacher.org/guttmacher-lancet-commission/accelerate-progress-executive-summary
Amendment 113 #
2020/2215(INI)
Motion for a resolution
Recital B
B. whereas sexual and reproductive health and rights (SRHR) are based on the rights of all individuals to have their bodily integrity, privacy and personal autonomy respected; have their sexual orientation and gender identity fully respected; decide whether, with whom and when to be sexually active; have safe sexual experiences, decide whether, when and who to marry and when, whether and by what means to have a child or children; have access to the information and support necessary to achieve all of the above9; and how many children; have access over their lifetime to the information, resources, services and support necessary to achieve all of the above free from discrimination, coercion, exploitation and violence;
9 Guttmacher-Lancet Commission, Executive Summary on sexual and reproductive health and rights, The Lancet, London, 2018, https://www.guttmacher.org/guttmacher-lancet-commission/accelerate-progress-executive-summary
Amendment 116 #
2020/2215(INI)
Motion for a resolution
Recital B
B. whereas sexual and reproductive health and rights (SRHR) are based on the rights of all individuals to have their bodily integrity and personal autonomy respected; have their sexual orientation and gender identity fully respected; decide whether, with whom and when to be sexually active; decide whether, when and who to marry and when, whether and by what means to have a child or children; have access to the information and support necessary to achieve all of the above9;
9 Guttmacher-Lancet Commission, Executive Summary on sexual and reproductive health and rights, The Lancet, London, 2018, https://www.guttmacher.org/guttmacher-lancet-commission/accelerate-progress-executive-summary
Amendment 124 #
2020/2215(INI)
Motion for a resolution
Recital C
C. whereas sexual and reproductive rights (SRR) are protected as human rights in international and European human rights law10; such as the International Covenant on Civil and Political Rights and the International Covenant on Economic, Social and Cultural Rights, the Convention on the Elimination of Discrimination Against Women and the European Convention on Human Rights, and constitute an essential element of comprehensive healthcare provision; whereas the realisation of SRHR is an essential element of human dignity and intrinsically linked to the achievement of gender equality and combatting gender-based violence;
10 Council of Europe Commissioner for Human Rights, Women’s sexual and reproductive health and rights in Europe, Council of Europe, Strasbourg, 2017, https://www.coe.int/en/web/commissioner/women-s-sexual-and-reproductive-rights-in-europe.
Amendment 127 #
2020/2215(INI)
Motion for a resolution
Recital C a (new)
C a. whereas gender-based violence is widespread and has been exacerbated by the Covid-19 pandemic; whereas an estimated 25 percent of women experience some form of gender based violence in their lifetimes and countless women experience sexual assault and harassment in the context of intimate partnerships and public life due to entrenched gender stereotypes and the resulting social norms;
Amendment 136 #
2020/2215(INI)
Motion for a resolution
Recital D
D. whereas violations of SRHR constitute breaches of human rights, specifically the right to life, physical and mental integrity, equality, non-discrimination, health, education, dignity, privacy and freedom from inhumane and degrading treatment; whereas violations of women’s SRHR are a form of violence against women and girls; and hinder progress towards gender equality;
Amendment 146 #
2020/2215(INI)
Motion for a resolution
Recital E
E. whereas although the EU has some of the highest SRHR standards in the world and some Member States have implemented policies and programmes that uphold SRR, there are still challenges, a lack of access and affordability, gaps, disparities and inequalities in the realisation of SRHR, both across the EU and within Member States, based on age, sex, gender, race, ethnicity, class, religious affiliation or belief, marital status, socio-economic status, disability, HIV (or sexually transmitted infections, STIs) status, national or social origin, legal or migration status, language, sexual orientation or gender identity;
Amendment 150 #
2020/2215(INI)
Motion for a resolution
Recital F
F. whereas SRHR challenges and obstacles include: a lack of universal access to high-quality and affordable SRHR services, a lack of comprehensive and evidence-based sexuality education, denial of access to information and education, a lack of available modern contraception methods, denial of medical care based on personal beliefs, legal restrictions and practical barriers in accessing abortion services, denial of abortion care, forced abortion, gender-based violence, gynaecological and obstetric violence, forced sterilisation, intimidation, cruel and degrading treatment, disparities in maternal mortality rates, gaps in maternal mental health support, increasing caesarean section rates, a lack of access to treatment for cervical cancer, which causes the largely preventable deaths of over 25.000 European women per year, limited access to medically assisted reproduction and fertility treatments, high rates of STIs and HIV, especially in certain marginalised groups and/or regions, high adolescent pregnancy rates, harmful gender stereotypes and practices such as female genital mutilation, early, forced and child marriages and honour killings, outdated or ideologically driven legal provisions limiting SRHR;
Amendment 151 #
2020/2215(INI)
Motion for a resolution
Recital F
F. whereas SRHR challenges and obstacles include: a lack of access, denial of medical care based on personal beliefs, gender-based violence, gynaecological and obstetric violence, a lack of comprehensive sexuality education, denial of access to information/education, a lack of available contraception methods, limited access to medically assisted reproduction treatments, forced sterilisation, including in the context of legal gender recognition, high rates of STIs and HIV, disparities in maternal mortality, high adolescent pregnancy rates, harmful gender stereotypes and practices such as female and intersex genital mutilation, early, forced and child marriages, honour killings and so-called “conversion therapy” practices, which can take the form of sexual violence such as “corrective rape” on lesbian and bisexual women and girls, as well as transgender persons; whereas the enjoyment of SRHR for LGBTI persons may be severely hindered due to the omission in sexual education curricula of the diversity of sexual orientation, gender identity, expression and sex characteristics;
Amendment 161 #
2020/2215(INI)
Motion for a resolution
Recital F a (new)
Amendment 164 #
2020/2215(INI)
Motion for a resolution
Recital F b (new)
F b. whereas in certain circumstances transgender men and non-binary persons may also undergo pregnancy and should, in such cases, benefit from measures for pregnancy and birth-related care without discrimination on the basis of their gender identity;
Amendment 166 #
2020/2215(INI)
Motion for a resolution
Recital G
G. whereas the unavailability of scientifically accurate and evidence-based information and education violates the rights of individuals to make informed choices about their own SRHR; and undermines healthy approaches to sexuality, family planning and gender equality;
Amendment 173 #
2020/2215(INI)
H. whereas SRH services are essential healthcare services that should be available to all and they include: comprehensive sexuality education; information, confidential and unbiased counselling and services for sexual and reproductive health and well-being; counselling and access to a wide range of modern contraceptives; antenatal, childbirth and postnatal care; midwifery; obstetric and newborn care; safe and legal abortion services and care and post-abortion care including treatment of complications of unsafe abortion; the prevention and treatment of HIV and other STIs; services aimed at detecting, preventing and treating sexual and gender-based violence; prevention, detection and treatment for reproductive cancers, especially cervical cancer; fertility care and fertility treatment;
Amendment 182 #
2020/2215(INI)
Motion for a resolution
Recital I
I. whereas comprehensive sexuality education facilitates informed responsible sexual behaviour, including reduced risk-taking, and increased use of condoms and other forms of contraception; whereas according to the UNESCO International technical guidance on sexuality education, curriculum-based programmes on comprehensive sexuality education (CSE) enables children and young people to develop accurate knowledge, attitudes and skills, including respect for human rights, gender equality, consent and diversity that contribute to safe, healthy, and respectful relations; whereas such education empowers children and young people as it provides with evidence and age-appropriate information on sexuality, addressing sexual and reproductive health issues, including, but not limited to: sexual and reproductive anatomy and physiology; consent, puberty and menstruation; reproduction, modern contraception, pregnancy and childbirth; STIs, including HIV and AIDS; and harmful practices such as child early and forced marriage (CEFM) and female genital mutilation (FGM); whereas still most adolescents do not have access to CSE; whereas age-appropriate CSE, in this regard, is key to building children’s and young peoples’ skills to form healthy, equal, nurturing and safe relationships, notably by addressing gender norms, gender equality, power dynamics in relationships, consent, respect for one’s own and others’ boundaries;
Amendment 187 #
2020/2215(INI)
Motion for a resolution
Recital I a (new)
I a. whereas SRH includes menstrual hygiene and sanitation as well as systemic and socio-economic factors of stigmatisation, discrimination linked to menstruation; whereas period poverty, which refers to the limited access to sanitary products, affects about 1 in 10 women in Europe, and is exacerbated by a gender-biased taxation on menstrual hygiene products in the EU; whereas shame, untreated menstrual pain and discriminatory traditions lead to school drop outs and lower attendance rates of girls at school and women at work; whereas existing negative attitudes and myths surrounding menstruation influence reproductive health decisions; whereas understanding the links between menstrual hygiene and maternal morbidity, mortality and infertility, STI/HIV and cervical cancer can support early detection and safe lives;
Amendment 189 #
2020/2215(INI)
Motion for a resolution
Recital I b (new)
I b. whereas modern contraception plays a key role in achieving gender equality and preventing unintended pregnancies as well as realising the right of individuals to make decisions about their family choices by proactively and responsibly planning the number, timing and spacing of their children; whereas certain methods of modern contraception also reduce incidence of HIV/STIs, whereas access to it is still hindered by practical, financial, social and cultural barriers, including myths surrounding contraception, outdated attitudes towards female sexuality and contraception, as well as a stereotypical perception of women being the only ones responsible for contraception;
Amendment 193 #
2020/2215(INI)
Motion for a resolution
Recital J
J. whereas some Member States still have highly restrictive laws prohibiting abortion except in strictly defined circumstances, forcing women to seek clandestine abortions, to travel to other countries or to carry their pregnancy to term against their will, which is a violation of human rights and a form of gender-based violence; affecting women’s and girls’ rights to life, physical and mental integrity, equality, non-discrimination, health, and freedom from inhuman and degrading treatment;
Amendment 201 #
2020/2215(INI)
Motion for a resolution
Recital K
K. whereas even when abortion is legally available, there are often a range of legal, quasi-legal and informal barriers to accessing it, including: limited time periods and grounds on which to access abortion, medically unwarranted waiting periods, lack of trained and willing healthcare professionals and denial of medical care based on personal beliefs, biased and mandatory counselling, deliberate misinformation or third party authorization, medically unnecessary tests, distress requirements, costs and lack of reimbursement;
Amendment 208 #
2020/2215(INI)
Motion for a resolution
Recital L
L. whereas no woman should die in childbirth; and access to evidence-based, quality and affordable maternity care is a human right and must be ensured without any discrimination in all healthcare settings;
Amendment 210 #
2020/2215(INI)
Motion for a resolution
Recital L
L. whereas no woman should die in childbirth and evidence-based maternity, pregnancy and birth-related care is a human right;
Amendment 212 #
2020/2215(INI)
Motion for a resolution
Recital L a (new)
L a. whereas infertility and subfertility are affecting one in six people in Europe, are a global public health issue and there is a need to reduce inequalities in access to fertility information and treatments, and prohibiting discrimination on the grounds of sex, gender, sexual orientation, health or marital status;
Amendment 218 #
2020/2215(INI)
Motion for a resolution
Recital M
M. whereas opponents of sexual and reproductive rights often instrumentalise issues such as the national interest or demographic change in order to undermine SRHR, thus contributing to the erosion of personal freedoms and democracy; whereas all policies addressing the demographic change must be rights-based, people-centered, tailor-made and evidence-based, and must uphold sexual and reproductive rights;
Amendment 221 #
2020/2215(INI)
Motion for a resolution
Recital M a (new)
M a. whereas the COVID-19 pandemic has shown that there is a need to strengthen the resilience of health systems to such crises, with a specific focus on ensuring that SRH services continue to be fully available, that Member States do not instrumentalize the crisis to deprioritize or purposefully undermine access to these services;
Amendment 228 #
2020/2215(INI)
Motion for a resolution
Recital N
N. whereas progress has been made in the areas of women’s rights and SRHR, but opponents of sexual and reproductive rights and women’s autonomy have had a significant influence on national law and policy with retrogressive initiatives taken in several Member States, seeking to undermine SRHR, as noted by the Parliament in its resolutions on experiencing backlash in women’s rights and gender equality in the EU and Abortion Rights in Poland, and by the European Institute for Gender Equality in its report of 22 November 2019 on Beijing +25 – The 5th Review of the Implementation of the Beijing Platform for Action in the EU Member States; whereas these initiatives and backsliding obstruct the realisation of people’s rights, countries’ development and undermines European values, fundamental rights;
Amendment 230 #
2020/2215(INI)
Motion for a resolution
Recital N a (new)
N a. whereas the current COVID-19 pandemic is affecting the population’s health as a whole, women are not only affected by the direct health threat but also adversely through the reallocation of resources and priorities, including SRH services and this reversion of resources may result in increased rates of unintended pregnancies, higher maternal mortality and morbidity rates, as well as a spike in sexually transmitted disease and HIV;
Amendment 239 #
2020/2215(INI)
Motion for a resolution
Recital N b (new)
N b. whereas numerous reports show that, during the COVID-19 pandemic and lockdown, SRHR services were limited and/or revoked, and there is a disruption in access to essential medical services such as contraception and abortion care, HIV and STI testing and reproductive cancer screenings, and respectful maternal healthcare;
Amendment 242 #
2020/2215(INI)
Motion for a resolution
Recital N c (new)
N c. whereas there is a persisting effort to instrumentalize the COVID-19 health crisis as a pretext to adopt further restrictive measures in SRHR and that has a broad and long-term negative effect on the exercise of the fundamental right to health, gender equality and fight against discrimination and gender-based violence and is putting the well-being, health and lives of women and girls at risk;
Amendment 254 #
2020/2215(INI)
Motion for a resolution
Paragraph 1
1. In accordance with the principle of subsidiarity and in line with national competences, calls upon the Member States to safeguard the right of all persons to make their own informed choices with regard to SRHR;
Amendment 267 #
2020/2215(INI)
Motion for a resolution
Paragraph 2
2. Calls upon the EU, its bodies and agencies to support and promote full access to SRHR services by creating a culture of equality, respect for personal autonomy, accessibility, respect, informed choice and consent, non-discrimination and non-violence and calls upon the Member States to ensure access to a full range of SRHR, and to remove all legal, policy, financial and other barriers impeding full access to SRHR for all persons, without discrimination on any ground;
Amendment 272 #
2020/2215(INI)
Motion for a resolution
Paragraph 2 a (new)
2 a. Reaffirms that SRHR are key for gender equality, the elimination of gender-based violence, economic growth and development, child protection, elimination of human trafficking and poverty;
Amendment 274 #
2020/2215(INI)
Motion for a resolution
Paragraph 3
3. Calls upon the Member States to address the persisting challenges in accessing or exercising SRHR in Europe and globally and to ensure that all persons have access to high-quality and affordable SRH services and that no one is left behind by being unable to exercise their right to health; Stresses that equal access to SRHR must be ensured for all persons, regardless of age, sex, gender, race, ethnicity, class, caste, religious affiliation and beliefs, marital status, socio-economic status, disability, HIV (or STI) status, national and social origin, legal and migration status, language, sexual orientation or gender identity;
Amendment 280 #
2020/2215(INI)
Motion for a resolution
Paragraph 4
4. Acknowledges the importance of public information on SRHR; Recalls that all policies relating to SRHR should be founded on reliable and objective evidence from organisations such as WHO, other UN agencies and the Council of Europe;
Amendment 287 #
2020/2215(INI)
Motion for a resolution
Paragraph 5
5. Reaffirms the Council of Europe’s Commissioner for Human Rights call on its member states11 to guarantee sufficient budgetary provision for SRHR and ensure the availability of adequate human resources across all levels of the health system, in both urban and rural areas; identify and address legal, policy and financial barriers that impede access to good quality SRH care and integrate SRHR services into existing public health insurance, subsidisation or reimbursement schemes in order to achieve Universal Health Coverage;
11 Council of Europe Commissioner for Human Rights, Women’s sexual and reproductive health and rights in Europe, Council of Europe Commissioner for Human Rights, Council of Europe, 2017, https://www.coe.int/en/web/commissioner/women-s-sexual-and-reproductive-rights-in-europe
Amendment 288 #
2020/2215(INI)
Motion for a resolution
Paragraph 5 a (new)
5 a. Stresses the negative effects of the so-called “tampon tax” on gender equality; Calls upon the Member States to eliminate the so-called “tampon tax” by applying a 0% VAT rate on menstrual hygiene products and ensuring that this tax cut is effectively benefitting the consumers;
Amendment 290 #
2020/2215(INI)
Motion for a resolution
Paragraph 5 a (new)
5 a. Recalls the views endorsed by the Committee of Ministers of the Council of Europe, which recommended trans-specific healthcare such as hormonal treatment and surgery to be accessible and reimbursed by public health insurance schemes;1a
1a CDDH Report on the implementation of Recommendation CM/Rec(2010)5 of the Committee of Ministers to Member States on measures to combat discrimination on grounds of sexual orientation or gender identity, ¶130, accessible at https://search.coe.int/cm/Pages/result_details.aspx?ObjectId=09000016809f9ba0
Amendment 292 #
2020/2215(INI)
Motion for a resolution
Paragraph 5 b (new)
5 b. Stresses that in the time of the COVID-19 induced health crisis, it is essential that universal access to SRHR is guaranteed, in line with international human rights standards;
Amendment 298 #
2020/2215(INI)
Motion for a resolution
Paragraph 6
6. Calls upon the Member States to establish effective strategies and monitoring programmes that guarantee enjoyment and universal access to a full range of high-quality and affordable SRHR services; regardless of financial, practical and social barriers, and free of discrimination, with special consideration of marginalised groups of women (including but not limited to women from ethnic, racial and religious minorities, migrant women, Roma women, women from rural areas, women with disabilities, women without health insurance, LGBTI persons, victims of sexual and gender-based violence etc.);
Amendment 306 #
2020/2215(INI)
Motion for a resolution
Paragraph 6 a (new)
6a. Urges the Member States to consider the health impact of COVID-19 through a gender-lens and ensure the continuing of provision of a full range of SRH services in all circumstances (e.g. lockdown), as well as direct additional efforts and resources to rebuild a health system which recognizes that SRHR are essential for the health and wellbeing of women and girls;
Amendment 311 #
2020/2215(INI)
Motion for a resolution
Paragraph 6 b (new)
6b. Urges the Member States to collect reliable, disaggregated and robust statistics on all SRHR services so as to ensure that all women are getting the same access to high-quality services and to detect and address possible differences in outcomes;
Amendment 312 #
2020/2215(INI)
Motion for a resolution
Paragraph 6 c (new)
Amendment 314 #
2020/2215(INI)
Motion for a resolution
Paragraph 7
7. Recalls that all medical interventions related to SRHR must be undertaken with fully informed consent; Calls on the Member States to combat gynaecological and obstetrical violence by reinforcing procedures that guarantee respect for free and prior informed consent and protection from inhumane and degrading treatment in healthcare settings, including through training of medical professionals; calls on the European Commission to tackle this specific form of gender-based violence in its activities;
Amendment 315 #
2020/2215(INI)
Motion for a resolution
Paragraph 7
7. Recalls that all medical interventions related to SRHR must be undertaken with prior, personal and fully informed consent;
Amendment 319 #
2020/2215(INI)
Motion for a resolution
Paragraph 7 a (new)
7a. Reaffirms its call on Member States to adopt legislation ensuring that intersex persons are not subjected to non-vital medical or surgical treatment during infancy or childhood, and that their right to bodily integrity, autonomy, self-determination and informed consent is fully respected;
Amendment 322 #
2020/2215(INI)
Motion for a resolution
Paragraph 7 b (new)
Amendment 334 #
2020/2215(INI)
Motion for a resolution
Paragraph 8
8. Urges the Member States to ensure universal access to scientifically accurate, evidence-based, age-appropriate, non-judgemental and comprehensive sexuality education and information for all primary and secondary school children, as well as children out of school, in line with WHO standards for Sexuality Education and its Action Plan on Sexual and Reproductive Health; without discrimination on any ground; Urges the Member States to ensure comprehensive education about menstruation and its links to sexuality and fertility; Calls upon the Member States to establish well-developed, well-funded and free of charge youth-friendly services;
Amendment 341 #
2020/2215(INI)
Motion for a resolution
Paragraph 8 a (new)
8a. Recalls that the imparting of information should reflect the diversity of sexual orientations, gender identities, expressions and sex characteristics, so as to counter misinformation based on stereotypes or biases; calls on Member States to develop age-appropriate sexual education curricula inclusive of the former;
Amendment 346 #
2020/2215(INI)
Motion for a resolution
Paragraph 9
9. Calls upon the Member States to reject and combat the spread of discriminatory and unsafe misinformation on SRHR, as it endangers all persons, especially women, LGBTI persons and young people; Recalls that the imparting of information should reflect the diversity of sexual orientations, gender identities, expressions and sex characteristics, so as to counter misinformation based on stereotypes or biases; Calls on Member States to develop age-appropriate sexual education curricula inclusive of the former;
Amendment 358 #
2020/2215(INI)
Motion for a resolution
Paragraph 10
10. Calls upon the Member States to ensure universal access to high-quality and affordable modern contraceptive methods, contraceptive supplies, family planning counselling and the provision of online information on contraception for all, thereby safeguarding the fundamental right to health; and to address all barriers impeding access to contraception such as financial and social barriers;
Amendment 367 #
2020/2215(INI)
Motion for a resolution
Paragraph 11
11. Calls upon the Member States to ensure that contraception is covered under national insurance, and at least covered by reimbursement and subsidisation schemes and healthcare policies and ensure that these schemes are evidence- and research-based, taking into account efficiency and success rates in the long term; to recognise that this coverage should be extended to all people of reproductive age;
Amendment 370 #
2020/2215(INI)
Motion for a resolution
Paragraph 11 a (new)
11a. Recalls that Member States and public authorities have a responsibility to provide evidence-based, accurate information about contraception and establish awareness-raising programmes and strategies to tackle and dispel barriers, myths, stigma and misconceptions;
Amendment 399 #
2020/2215(INI)
Motion for a resolution
Paragraph 13
13. Urges the Member States to remove and combat obstacles to legal abortion and recalls that they have a responsibility to ensure that women have access to the rights conferred to them by law;
Amendment 407 #
2020/2215(INI)
Motion for a resolution
Paragraph 14 a (new)
14a. Underlines that all the rights afforded to women by law regarding abortion care must apply to all persons undergoing pregnancy, including transgender and non-binary persons, without discrimination on grounds of their gender identity or gender expression and in line with international human rights practices;
Amendment 410 #
2020/2215(INI)
Motion for a resolution
Subheading d
Maternity, pregnancy and birth-related care for all
Amendment 412 #
2020/2215(INI)
Motion for a resolution
Paragraph 15
15. Calls upon the Member States to adopt measures to ensure access without discrimination to high-quality, affordable, evidence-based and respectful maternity care for all; including midwifery, antenatal, childbirth and postnatal care, and maternal mental health support in accordance with current WHO standards and evidence; and consequently, reform laws, policies and practices that exclude certain groups of women from access to maternity care, including by removing legal and policy restrictions that apply on grounds of nationality, ethnicity or migration status;
Amendment 414 #
2020/2215(INI)
Motion for a resolution
Paragraph 15
15. Calls upon the Member States to adopt measures to ensure that all women and pregnant persons have access to affordable, evidence-based maternity, pregnancy and birth-related care;
Amendment 426 #
2020/2215(INI)
Motion for a resolution
Paragraph 16
16. Calls upon the Member States to strongly condemn and combat physical and verbal abuse, including gynaecological and obstetric violence, informal payments and bribes in antenatal, childbirth and postnatal care, which violate women’s human rights and may constitute forms of gender-based violence;
Amendment 428 #
2020/2215(INI)
Motion for a resolution
Paragraph 16 – subparagraph 1 (new)
Access to fertility treatments
Amendment 429 #
2020/2215(INI)
Motion for a resolution
Paragraph 16 – indent 1 (new)
- Provision of SRHR services during the COVID-19 pandemic and in all other crisis related circumstances
Amendment 431 #
2020/2215(INI)
Motion for a resolution
Paragraph 16 a (new)
16a. Calls upon the Member States to ensure that maternity, pregnancy and birth-related care must be equally accessible to all persons undergoing pregnancy without discrimination of any kind, notably on grounds of sexual orientation or gender identity;
Amendment 432 #
2020/2215(INI)
Motion for a resolution
Paragraph 16 a (new)
16a. Calls upon Member States to encourage and ensure that healthcare providers have training in women’s human rights and principles of free and informed consent and informed choice in antenatal, childbirth and postnatal care;
Amendment 437 #
2020/2215(INI)
Motion for a resolution
Paragraph 16 b (new)
16b. Calls upon Member States to ensure that all persons of reproductive age have access to fertility treatments regardless of their marital status or sexual orientation;
Amendment 440 #
2020/2215(INI)
Motion for a resolution
Paragraph 16 d (new)
16d. Insists that SRH services are essential services; Calls upon Member States to ensure that the COVID-19 pandemic does not affect the right of all individuals to SRHR services and to ensure they are secured through the public health systems, and combat all efforts directed on using the pandemic as a pretext to further restrict SRHR;
Amendment 442 #
2020/2215(INI)
Motion for a resolution
Paragraph 16 e (new)
16e. Recognizes the effects that the COVID-19 pandemic has on the supply and access to contraceptives and reiterates projections of UNFPA from April 2020 which states that some 47 million women in 114 low and middle-income countries are projected to be unable to use modern contraceptives if the lockdown or supply chain disruption continues for 6 months;
Amendment 443 #
2020/2215(INI)
Motion for a resolution
Paragraph 16 f (new)
Amendment 444 #
2020/2215(INI)
Motion for a resolution
Paragraph 16 g (new)
16g. Stresses that access to safe and legal abortion continues to be limited during the COVID-19 pandemic, with examples of efforts to fully ban it under the pretence of less priority service; Urges the Member States to additionally implement safe, free and adjusted access to abortion during the circumstances of the COVID-19 pandemic and beyond, such as the abortion pill, and to recognize abortion care as urgent and medically necessary, thus also rejecting all limitation in accessing it;
Amendment 446 #
2020/2215(INI)
Motion for a resolution
Paragraph 16 i (new)
16i. Urges the Member States to ensure adequate resources for quality maternity care and guarantee that policies relating to maternity healthcare during the COVID pandemic are based on evidence and facts, not fears, and respect women’s human rights;
Amendment 448 #
2020/2215(INI)
Motion for a resolution
Paragraph 16 k (new)
16k. Calls on the European Commission to address the impact of COVID-19 on access to SRHR in the EU in its COVID-19 response, including by supporting actions by Member States and SRHR civil society organisations to guarantee full access to SRHR services, including through the EU4Health Programme and the European Social Fund Plus;
Amendment 449 #
2020/2215(INI)
Motion for a resolution
Paragraph 16 l (new)
16l. Stresses that all above mentioned COVID-19 related notes and calls should apply for any other crisis related circumstances and calls upon Member States to ensure prioritization of SRHR services in all instances, without any discrimination;
Amendment 454 #
2020/2215(INI)
Motion for a resolution
Paragraph 17
17. Calls upon the Member States to exercise their competence in SRHR by striving to fully protect, respect and fulfil human rights, specifically the right to health, in regards to SRHR, to guarantee a wide range of available, accessible, affordable, high-quality and non-discriminatory SRH services available for all without discrimination, to ensure that the principle of non-retrogression under international human rights law is respected; condemns any attempt to limit access to SRHR through restrictive laws; strongly affirms that the denial of access to SRHR is a form of gender based violence;
Amendment 471 #
2020/2215(INI)
Motion for a resolution
Paragraph 18
18. Calls upon the Commissioner for Democracy and Demography to take an evidence and human-rights-based approach to tackling demographic challenges in the EU, ensuring that every EU resident can fully realise their SRHR, and to take special note and confront those who instrumentalise SRHR in order to undermine EU values and democracy;
Amendment 473 #
2020/2215(INI)
Motion for a resolution
Paragraph 19
19. Calls upon the Commissioner for Health and Food Safety to promote and protect SRHR as a vital part of achieving the right to health, safety and gender equality, to monitor and promote the full implementation of SDG 3 including target 3.7 in the EU, using the UN global indicator framework; in partnership with Member States, to collect systematic, comparable, disaggregated data and conduct studies to better measure gender inequalities in health and unmet needs in access to SRH services in the EU with an intersectional perspective; to promote health information and education including on SRH; to support and harmonise national health systems and policies in order to reduce health inequalities within and between Member States; to include SRHR interventions in the EU4Health Programme, to support actions of Member States and SRHR civil society organisations in achieving full access to SRHR services through this Programme;
Amendment 479 #
2020/2215(INI)
Motion for a resolution
Paragraph 20
20. Calls upon the Commissioner for Equality to promote and protect SRHR and to include them in the implementation of the EU Gender Equality strategy and the EU LGBTIQ Equality Strategy, to strongly condemn the backsliding in women’s rights and to develop concrete measures to counter it; to recognize the intrinsic links between realising SRHR and achieving gender equality and combating gender-based violence and to monitor and promote the full implementation of SDG 5 including target 5.6 in the EU; to successfully mainstream gender throughout all EU policies; to support the activities of SRHR civil society organisations;
Amendment 484 #
2020/2215(INI)
Motion for a resolution
Paragraph 20
20. Calls upon the Commissioner for Equality to promote and protect SRHR and to include them in the implementation of the EU gender equality strategy and the EU LGBTIQ Equality Strategy;
Amendment 490 #
2020/2215(INI)
Motion for a resolution
Paragraph 21
21. Calls upon the Commissioner for International Partnerships to uphold the European Consensus on Development and the SDGs, in particular targets 3.7, 5.6 and 5.16, to ensure that SRHR remain a development priority in all EU external activities and relations, welcomes the strong language on SRHR in the new Gender Action Plan III, emphasises the need to prioritize the removal of all barriers in the access to SRHR services; calls upon the Commissioner for International Partnerships to strongly condemn the ‘global gag’ rule;
Amendment 493 #
2020/2215(INI)
Motion for a resolution
Paragraph 21 a (new)
21a. Calls upon the Commissioner for Promoting our European Way of Life to ensure that the new Special Envoy for Freedom of Religion and Belief be dedicated to a human-rights based approach, thus respecting sexual and reproductive health and rights and dedicated to jointly working on guaranteeing the right to health for all, in the EU and globally, without any discrimination;
Amendment 494 #
2020/2215(INI)
Motion for a resolution
Paragraph 21 b (new)
21b. Calls upon the Commissioner for Crisis Management to include a gender equality perspective in the EU and Member States’ humanitarian aid response, and a perspective on sexual and reproductive health and rights, as access to sexual and reproductive healthcare is a basic need for people in humanitarian settings;
Amendment 496 #
2020/2215(INI)
Motion for a resolution
Paragraph 22
22. Calls upon the Commission to strongly condemn the backsliding in women’s rights and strengthen its actions to counter it; calls on the Commission and Member States to step up their support for women’s rights and SRHR organisations in the EU, which are key actors for gender-equal societies, and crucial providers of SRH services and information; and notably their financial support through the Citizens, Equality, Rights and Values Programme, the funding of which should be significantly increased as asked by the European Parliament;
Amendment 500 #
2020/2215(INI)
Motion for a resolution
Paragraph 22
22. Calls upon the Commission to strengthen its actions to counter the backlash against women’s rights and SRHR;
Amendment 502 #
2020/2215(INI)
Motion for a resolution
Paragraph 22 b (new)
22b. Calls upon the Commission to implement gender budgeting throughout all the instruments of the MFF 2021-2027, including the Citizens, Equality, Rights and Values, the European Social Fund + and the Neighbourhood, Development and International Cooperation Instrument;
Amendment 503 #
2020/2215(INI)
Motion for a resolution
Paragraph 22 c (new)
22c. Calls upon the Commission to take concrete steps in protecting SRHR, starting with the establishment of an EU Special Envoy on Sexual and Reproductive Health and Rights and the addition of a designated chapter on the State of play of SRHR in the EU Annual Report on Human Rights and Democracy;
Amendment 1 #
2020/2173(DEC)
Draft opinion
Recital A
A. whereas, according to Article 8 TFEU, the Union is to aim to eliminate inequalities, and to promote equality, between men and women, thereby establishing the principle of gender mainstreaming, which stipulates that gender equality must be incorporated into all EU policies, including via gender budgeting at all levels of the budgetary process
Amendment 7 #
2020/2173(DEC)
Draft opinion
Recital A a (new)
Aa. whereas the Commission and European Court of Auditors (ECA) should ensure the principle of gender mainstreaming throughout the Union’s budgetary and legislative processes;
Amendment 9 #
2020/2173(DEC)
Draft opinion
Recital B
B. whereas women are disproportionately affected by the COVID-19 pandemic, particularly women working in precarious employment, feminised sectors and the informal economy; whereas gender-based violence has substantially increased as a result of the COVID-19 crisis and the measures designed to tackle the pandemic;
Amendment 13 #
2020/2173(DEC)
Draft opinion
Paragraph 1
1. Recalls that the European Institute for Gender Equality (EIGE) was established in order to contribute to and strengthen the promotion of gender equality in the Union, including gender mainstreaming in all Union policies and the resulting national policies, the fight against discrimination based on gender, and raising Union citizens’ awareness of gender equality;
Amendment 19 #
2020/2173(DEC)
Draft opinion
Paragraph 1 a (new)
1a. Recalls that the Institute’s task is to collect, analyse and disseminate information as regards gender equality and to develop, analyse, evaluate and disseminate methodological tools in order to support the integration of gender equality into all Union policies and the resulting national policies.
Amendment 20 #
2020/2173(DEC)
Draft opinion
Paragraph 2
2. Welcomes the ongoing cooperation between the EIGE and the Committee on Women’s Rights and Gender Equality (FEMM), in particular the Institute’s contribution to the ongoing efforts of the Committee concerning the impact of the Covid-19 pandemic on women, gender-based violence, work-life balance, the gender pay and pension gap, gender budgeting and the development of a gender-sensitive parliament tool, strongly supports the work of the Institute, which, by means of studies, research and high-quality data enables the Committee to properly do its work; notes the valuable contribution the EIGE can make to all the European Parliaments’ Committees in order to better integrate gender mainstreaming in all EU policies;
Amendment 26 #
2020/2173(DEC)
Draft opinion
Paragraph 2 a (new)
2a. Welcomes the Institute’s continuous work on the Gender Equality Index;
Amendment 27 #
2020/2173(DEC)
Draft opinion
Paragraph 4
4. Acknowledges a decrease in the EIGE’s carry-over operating expenditure to 28,01 % in 2019 (compared to 51,29 % in 2016); notes that for the first time the carry forward is below the ECA’s target threshold of 30%;
Amendment 30 #
2020/2173(DEC)
Draft opinion
Paragraph 5
5. Notes that the ECA1 confirmed that the EIGE’s annual accounts present fairly, in all material respects, its financial position as at 31 December 2019 and the results of its operations, its cash flows and the changes in net assets for the year then ended in accordance with the provisions of its Financial Regulation and the accounting rules adopted by the Commission's accounting officer; notes that, according to the Court, the revenue and payments underlying the EIGE’s annual accounts for the year ended 31 December 2019 are legal and regular in all material respects; _________________ 1 https://www.eca.europa.eu/Lists/ECADocuments/EIGE_2019/EIGE_2019_EN.pdf
Amendment 31 #
2020/2173(DEC)
Draft opinion
Paragraph 5 a (new)
5a. Raises concerns over irregularities found by the ECA regarding the EIGE’s selection of external experts, i.e. that the procedures used for selecting and contracting the external experts systematically lacked a solid audit trail; recalls that the Institute must comply with the principles of non-discrimination and equal treatment set out in Article 237 of Financial Regulation; takes note of EIGE’s commitment to apply improved procedures in new calls for expression of interest;
Amendment 33 #
2020/2173(DEC)
Draft opinion
Paragraph 5 b (new)
5b. Notes that the Lithuanian Supreme Court asked the CJEU to assess whether the Directive 2008/104/EC on temporary agency work applies to EU Agencies in their capacity as public bodies engaged in economic activities and whether they must apply in full with the provisions of Article 5(1) of that Directive, which concern the rights of temporary agency workers to basic working and employment conditions, in particular as regards pay;
Amendment 36 #
2020/2173(DEC)
Draft opinion
Paragraph 5 c (new)
5c. Calls for additional funding to be allocated to EIGE to increase the number and the quality of statutory workers by replacing the temporary contracts with statutory contracts;
Amendment 9 #
2020/2140(DEC)
Draft opinion
Recital B
B. whereas this Parliament has repeatedly asked the Commission to promote and implement the use of gender mainstreaming, gender budgeting and gender impact assessments in all the Union policy areas and the European Court of Auditors (ECA) to incorporate a gender perspective, including gender-disaggregated data, into its reports on the implementation of the Union budget;
Amendment 11 #
2020/2140(DEC)
Draft opinion
Recital B a (new)
Ba. whereas equality and the rule of law are founding values of the Union and the European institutions shall aim to promote them according to Article 13 of the Treaty on European Union (TEU); whereas this responsibility should be also shared by Member States according to the principle of sincere cooperation enshrined in Article 4(3) TEU;
Amendment 14 #
2020/2140(DEC)
Draft opinion
Recital B b (new)
Bb. whereas women are disproportionately affected by the COVID-19 pandemic, particularly women working in precarious employment, feminised sectors and the informal economy;
Amendment 18 #
2020/2140(DEC)
Draft opinion
Paragraph 1
1. Stresses that women’s rights and a gender equality perspective should be integrated and ensured into all policy areas; reiterates therefore its call for the implementation of gender budgeting at all stages of the budgetary process; including the implementation of the budget and assessment of its implementation;
Amendment 30 #
2020/2140(DEC)
Draft opinion
Paragraph 3
3. Welcomes the fact that gender equality and mainstreaming has been introduced as one of the horizontal principles for Union funds in the new Multiannual Financial Framework (MFF) for 2021-2027, stipulating that gender equality and gender mainstreaming will now be prioritised in the MFF; through a thorough gender impact assessment and monitoring of the programmes;
Amendment 42 #
2020/2140(DEC)
Draft opinion
Paragraph 4 a (new)
4a. Expresses its concern at the interrelation between the attacks on the rule of law and the backlash on gender equality and women’s rights; calls for this issue to be addressed through the Article 7 procedure against Member States concerned;
Amendment 43 #
2020/2140(DEC)
Draft opinion
Paragraph 4 b (new)
4b. Strongly reiterates its demand to increase resources and for a budget line dedicated to preventing and combating gender-based violence under the Citizens, Equality, Rights and Values, especially following the escalation of violence against women during the COVID-19 crisis;
Amendment 44 #
2020/2140(DEC)
Draft opinion
Paragraph 4 c (new)
4c. Stresses a need to further increase resources in European Social Fund Plus (EFS+) to allow inclusion in the labour market and adapted training, as the COVID-19 crisis affected women’s employment disproportionally, in particular women working in the informal economy and in precarious working conditions, and in some heavily impacted and highly feminised sectors;
Amendment 367 #
2020/2121(INI)
Motion for a resolution
Paragraph 32
32. Highlights the additional needs of minority groups, such as Roma women, who face challenges in maintaining hygiene and adhering to confinement measures due to a lack of access to basic infrastructure, services and information; especially during confinement;
Amendment 384 #
2020/2121(INI)
Motion for a resolution
Paragraph 35
35. Emphasises that the global nature of the COVID-19 pandemic requires a global response; highlights the vulnerable position of women and girls in many parts of the world - especially in fragile and conflict affected states - in relation to COVID-19, such as access to healthcare, including SRHR, vulnerability to violence, including FGM and child marriage, employment status, access to education and extreme poverty and hunger; underlines the importance of supporting women’s rights defenders and women’s rights organisations and their participation at all levels of decision-making;
Amendment 389 #
2020/2121(INI)
Motion for a resolution
Paragraph 35 a (new)
35 a. Calls on the Commission and Member States to ensure that all financial support given to partner countries to cope with the crisis are properly allocated to support women and girls, such as to secure access to Sexual Reproductive Health and Rights (SRHR), avoid child labour, and avoid the lockdowns to lead to a loss of autonomy for women and girls worldwide;
Amendment 406 #
2020/2121(INI)
Motion for a resolution
Paragraph 37
37. Calls on the Commission and the Member States to fully assess the needs arising from the crisis and its socio-economic consequences, and to allocate adequate budgetary resources to tackling these needs; calls on the Commission and Member States to apply gender mainstreaming in all areas of the recovery strategy and to allocate extra budgetary resources through a Women Corona Fund to tackling the needs of women and girls, especially in the field of employment, violence and SRHR, as well as to the monitoring of this spending, following its commitments in the Gender Equality Strategy; emphasises that preparatory action is the best way to build resilience in all areas for future crises;
Amendment 6 #
2020/2035(INL)
Motion for a resolution
Citation 5 a (new)
— having regard to the Commission communication of 12 November 2020 entitled ‘LGBTIQ Equality Strategy (2020-2025)’,
Amendment 9 #
2020/2035(INL)
Motion for a resolution
Citation 6
— having regard to the Council of Europe Convention on preventing and combating violence against women and domestic violence (“the Istanbul Convention”),
Amendment 19 #
2020/2035(INL)
Motion for a resolution
Citation 7 a (new)
— having regard to its resolution of 11 March 2021 on the declaration of the EU as an LGBTIQ Freedom Zone,1a _________________ 1a Texts adopted, P9_TA(2021)0089
Amendment 41 #
2020/2035(INL)
Motion for a resolution
Citation 12 a (new)
— having regard to the Convention on the Elimination of all Forms of Discrimination against Women of 18 December 1979,
Amendment 42 #
2020/2035(INL)
Motion for a resolution
Citation 12 b (new)
— having regard to the UN Convention against Torture and Other Cruel, Inhuman or Degrading Treatment or Punishment of 10 December 1984,
Amendment 44 #
2020/2035(INL)
Motion for a resolution
Citation 12 c (new)
— having regard to its resolution of 21 January 2021 on closing the digital gender gap: women’s participation in the digital economy,
Amendment 47 #
2020/2035(INL)
Motion for a resolution
Citation 12 d (new)
— having regard to the report by the European Union Agency for Fundamental Rights (FRA) of March 2014 entitled ‘Violence against women: an EU-wide survey’,
Amendment 48 #
2020/2035(INL)
Motion for a resolution
Citation 12 e (new)
Amendment 50 #
2020/2035(INL)
Motion for a resolution
Citation 13 a (new)
— having regard to resolution of 11 February 2021 on challenges ahead for women’s rights in Europe: more than 25 years after the Beijing Declaration and Platform for Action,
Amendment 52 #
2020/2035(INL)
Motion for a resolution
Citation 13 b (new)
— having regard to its resolution of 17 April 2020 on EU coordinated action to combat the COVID-19 pandemic and its consequences,
Amendment 55 #
2020/2035(INL)
Motion for a resolution
Citation 13 c (new)
— having regard to its resolution of 28 November 2019 on the EU’s accession to the Istanbul Convention and other measures to combat gender-based violence,
Amendment 56 #
2020/2035(INL)
Motion for a resolution
Citation 13 d (new)
— having regard to its resolution of 13 February 2019 on experiencing a backlash in women’s rights and gender equality in the EU,
Amendment 57 #
2020/2035(INL)
Motion for a resolution
Citation 13 e (new)
— having regard to its resolution of 11 September 2018 on measures to prevent and combat mobbing and sexual harassment at the workplace, in public spaces, and in political life in the EU,
Amendment 58 #
2020/2035(INL)
Motion for a resolution
Citation 14 a (new)
— having regard to its resolution of 26 October 2017 on combating sexual harassment and abuse in the EU,
Amendment 59 #
2020/2035(INL)
Motion for a resolution
Citation 16 a (new)
— having regard to the Fundamental Rights Agency’s ‘EU LGBTI Survey II: A long way to go for LGBTI equality’,1a _________________ 1a https://fra.europa.eu/sites/default/files/fra_uploads/fra-2020-lgbti-equality-1_en.pdf
Amendment 63 #
2020/2035(INL)
Motion for a resolution
Recital A
A. whereas the first objective of the Union’s Gender Equality Strategy 2020-2025 focuses on ending gender-based violence and describes it as ‘one of our societies’ biggest challenges’; whereas the Union’s LGBTIQ Equality Strategy recalls that everyone has a right to safety, be it at home, in public or online;
Amendment 67 #
2020/2035(INL)
Motion for a resolution
Recital A a (new)
A a. whereas in 2017 the EU signed the Istanbul Convention, which remains the benchmark for international standards for eradication of gender based violence, concluding the EU’s accession is a key priority for the Commission;
Amendment 71 #
2020/2035(INL)
Motion for a resolution
Recital B
B. whereas violence against women and other forms of gender-based violence are widespread in the Union and are to be understood as an extreme form of discrimination; whereas gender-based violence is rooted in the unequal distribution of power between women and men, in sexism and gender norms and stereotypes, which have led to domination over and discrimination against women and girls in all their diversity by men; whereas gender-based violence also occurs due to perceived deviation from gender norms;
Amendment 85 #
2020/2035(INL)
Motion for a resolution
Recital C
C. whereas violence against women and LGBTI persons and gender-based violence present different but not mutually exclusive forms and manifestations; whereas those different forms of violence are often interlinked with, and inseparable from, offline violence because they can precede, accompany or continue them;
Amendment 90 #
2020/2035(INL)
Motion for a resolution
Recital C a (new)
C a. whereas innovation happens at a pace that often does not allow for reflection on its long-term consequences, whereas rapid technological developments, such as the increasing reach of the internet, the spread of mobile information, and the widespread use of social media frequently give ground and generate new forms of gender-based violence online;
Amendment 99 #
2020/2035(INL)
Motion for a resolution
Recital D
D. whereas currently there is no common definition or effective policy approach to combating gender-based cyber violence at EU or national level, whereas cyber harassment, cyber stalking, cyber bullying, trolling, online hate and sexist speech, flaming, doxxing, impersonation, image-based sexual abuse and deep fakes are among the most common types of gender-based cyberviolence, whereas digital space is being used to lure women into pornography, prostitution and human trafficking, whereas several Member States have adopted specific legislation on some of those particular forms only, but the cross-border nature of gender-based cyber violence has yet to be properly addressed;
Amendment 103 #
2020/2035(INL)
Motion for a resolution
Recital D
D. whereas cyber harassment, cyber stalking, cyber bullying, trolling, online hate speech, flaming, doxxing, dead-naming and image-based sexual abuse are among the most common types of gender-based cyberviolence; whereas some Member States have adopted specific legislation on some of those particular forms only;
Amendment 108 #
2020/2035(INL)
Motion for a resolution
Recital D a (new)
D a. whereas hate speech against LGBTI persons is pervasively common, in particular online, and legislation is notably absent from some Member States’ legislative framework to prevent, address and sanction such forms of online abuse; whereas, at present, 15 Member States do not include gender identity in hate speech legislation; whereas the Commission has proposed to extend the list of ‘EU crimes’ under Article 83(1) TFEU to cover hate crime and hate speech, including when targeted at LGBTIQ people;
Amendment 120 #
2020/2035(INL)
Motion for a resolution
Recital E
E. whereas, despite a growing awareness of the phenomenon of gender-based cyberviolence, the lack of collection of exhaustive and recent data and the underreporting of cases of gender-based cyberviolence prevents an accurate assessment of its prevalence; whereas the European added value assessment on gender-based cyberviolence estimates that between 4 and 7% of women in the Union have experienced cyber harassment during the past 12 months, while between 1 and 3% have experienced cyber stalking, whereas the prevalence of gender-based cyberviolence is likely to continue to rise in the coming years;
Amendment 129 #
2020/2035(INL)
Motion for a resolution
Recital F
F. whereas women can be targeted by cyberviolence either individually or as members of a specific community, including women from vulnerable groups, whereas intersectional forms of discrimination, including discrimination based on race, language, religion, belief, national or social origin, belonging to a national or ethnic minority, birth, sexual orientation, gender identity, gender expression or sex characteristics, age, state of health, disability, marital status or migrant or refugee status, can exacerbate the consequences of gender-based cyberviolence;
Amendment 130 #
2020/2035(INL)
Motion for a resolution
Recital F
F. whereas women in all their diversity can be targeted by cyberviolence either individually or as members of a specific community; whereas targeting of LGBTI persons is often on the grounds of their gender identity, gender expression or sex characteristics; whereas intersectional forms of discrimination increase the exposure to violence for women belonging to ethnic minorities, with disabilities, as well as lesbian, bisexual, transgender and intersex women, and can exacerbate the consequences of gender-based cyberviolence;
Amendment 142 #
2020/2035(INL)
Motion for a resolution
Recital G
G. whereas some women, such as feminist and LGBTIQ+ activists, politicians, women in public positions, journalists, bloggers and human rights defenders, are particularly impacted by gender-based cyberviolence, and whereas this is causing not only psychological harm and suffering to them but also deterring them from participating digitally in political, social and cultural life;
Amendment 144 #
2020/2035(INL)
Motion for a resolution
Recital G
G. whereas some women and LGBTI persons, such as politicians, women in public positions, journalists, bloggers and human rights defenders, are particularly impacted by gender-based cyberviolence, and whereas this is causing not only psychological harm and suffering to them but also deterring them from participating digitally in political, social and cultural life;
Amendment 150 #
2020/2035(INL)
Motion for a resolution
Recital G a (new)
G a. Whereas the Commission has committed in its Gender Equality Strategy 2020-2025 and in the LGBTIQ Equality Strategy 2020-2025 to present an initiative with a view to extending the areas of crime where harmonisation is possible to specific forms of gender-based violence in accordance with Article 83(1) TFEU, including hate crime and hate speech targeting LGBTIQ people;
Amendment 152 #
2020/2035(INL)
Motion for a resolution
Recital H
H. whereas gender-based cyberviolence has a direct impact on women's mental health and well-being, reflected in an increased incidence of depression and anxiety disorders, as well as social and economic impacts, which may include labour market impacts, through lower presence at work, risk of job loss or lower productivity, whereas cyberviolence can have a negative impact on victim's ability to fully exercise their fundamental rights, therefore, having consequences on society, including an economic impact and on democracy as a whole;
Amendment 159 #
2020/2035(INL)
Motion for a resolution
Recital H a (new)
H a. Whereas jobs increasingly involve and become dependent on digital solutions, leading to an increasing risk of women encountering gender-based cyber violence while engaging in the labour market and economic activity;
Amendment 163 #
2020/2035(INL)
Motion for a resolution
Recital H b (new)
H b. Whereas the EPRS study ‘Combating gender-based violence: Cyber violence’ estimates the overall costs of cyber harassment and cyber stalking at between €49.0 and €89.3 billion with the largest cost category being the value of the loss in terms of quality of life, which accounted for more than half of the overall costs (about 60 % for cyber harassment and about 50 % for cyberstalking);
Amendment 168 #
2020/2035(INL)
Motion for a resolution
Paragraph 1
1. Underlines that gender-based cyberviolence is a continuum of gender-based violence offline and should be addressed by a set of legislative and non-legislative measures at the EU level, as well as within Member States;
Amendment 186 #
2020/2035(INL)
Motion for a resolution
Paragraph 2 a (new)
2 a. Welcomes the Commission’s commitments under the LGBTIQ Equality Strategy 2020-2025 concerning hate speech online, and the proposal to extend the list of ‘EU crimes’ under Article 83(1) TFEU to cover hate crime and hate speech, including when targeted at LGBTIQ people;
Amendment 190 #
2020/2035(INL)
Motion for a resolution
Paragraph 3
3. Stresses that the COVID-19 pandemic has increased the risk of domestic violence and abuse because victims are forced to spend more time with perpetrators and they tend to be more isolated from support networks; highlights that many LGBTI persons were forced to be confined with family members, legal guardians or co-habitants who harassed, abused or exposed them to violence; calls on Member States to increase the assistance they offer through specialised shelters, helplines and support services to protect victims and facilitate the reporting of gender-based violence;
Amendment 196 #
2020/2035(INL)
Motion for a resolution
Paragraph 3
3. Stresses that intimate partner violence and abuse has escalated during the COVID-19 pandemic because victims are forced to spend more time with perpetrators and they tend to be more isolated from support networks; calls on Member States to increase the assistance they offer through shelters, helplines and support services to protect victims and facilitate the reporting of gender-based violence;
Amendment 201 #
2020/2035(INL)
Motion for a resolution
Paragraph 4
4. Underlines the transnational nature of gender-based cyberviolence, considering the cross-border dimension of the use of ICT, as well as the rapid technological developments and digitalisation, generate new forms of gender-based cyberviolence, which undermines traceability and sanctioning of perpetrators;
Amendment 213 #
2020/2035(INL)
Motion for a resolution
Paragraph 5
5. Calls on the Member States to promote awareness raising, to implement national criminal justice laws and specific policies, as well as trainings, educational programmes and campaigns to prevent gender-based cyber violence and to fight against impunity for those who commit such acts; highlights the importance of gender equality in education curriculums to address gender stereotypes that lead to harmful gender norms, while dealing with the root causes of gender-based violence, including cyberviolence, notes that particular attention should be given in this respect to education of boys and men;
Amendment 237 #
2020/2035(INL)
Motion for a resolution
Paragraph 6
6. Urges the Commission and the Member States to establish a reliable system for regularly collecting statistical disaggregated and comparable data on gender-based violence, including cyberviolence, including with the aim to conduct an EU wide study;
Amendment 246 #
2020/2035(INL)
Motion for a resolution
Paragraph 7
7. Notes that inter alia stress, concentration problems, anxiety, panic attacks, low self-esteem, depression, post-traumatic stress disorder, lack of trust and lack of sense of control, caused by cyberviolence, can have an impact on mental health and may have life-long consequences on health and well-being of women experiencing it;
Amendment 248 #
2020/2035(INL)
Motion for a resolution
Paragraph 7
7. Notes that inter alia stress, concentration problems, anxiety, panic attacks, low self-esteem, depression, post-traumatic stress disorder, lack of trust and lack of sense of control, caused by cyberviolence, can have an impact on mental health and may lead to self-harm and suicidal ideation;
Amendment 253 #
2020/2035(INL)
Motion for a resolution
Paragraph 8
8. Underlines that apart from psychological impacts gender-based cyberviolence generates psychological, social and economic implications on women’s life both online and offline;
Amendment 264 #
2020/2035(INL)
Motion for a resolution
Paragraph 9
9. Calls on the Commission and the Member States to give particular attention to women belonging to groups put in a vulnerable situation as regards gender-based cyberviolence and to develop specific support services and educational programmes dedicated to those specific groups;
Amendment 271 #
2020/2035(INL)
Motion for a resolution
Paragraph 10
10. Deplores the fact that gender-based cyberviolence reduces the participation of women in public debate which, as a consequence, erodes the democratic principles of the Union; regrets that that ‘silencing effect’ has been particularly aimed at targeting women activists, including feminist women and girls, LGBTIQ+ activists, artists, women in male-dominated industries, journalists and politicians with the intention of discouraging the presence of women in public life, including politics and decision-making spheres;
Amendment 283 #
2020/2035(INL)
Motion for a resolution
Paragraph 11
11. Recalls that gender stereotypes are at the core of gender discrimination and are one of the main barriers to the entry of women and girls in the ICT and digital fields; stresses the need to tackle the gender gap in the ICT sector through education, awareness-raising campaigns, professional trainings, appropriate funding and the promotion of the representation of women in the sector;
Amendment 285 #
2020/2035(INL)
Motion for a resolution
Paragraph 11
11. Recalls that gender norms and stereotypes are at the core of gender discrimination and are one of the main barriers to the entry of women and girls in the ICT and digital fields; stresses the need to tackle the gender gap in the ICT sector through education, awareness-raising campaigns and the promotion of the representation of women in the sector;
Amendment 289 #
2020/2035(INL)
Motion for a resolution
Paragraph 11 a (new)
11 a. Recalls that the labelling of LGBTI persons as an ‘ideology’ is spreading in online and offline communication and the same is true with regard to ongoing campaigning against so-called ‘gender ideology’ or in favour of ‘anti-gender movements’; highlights that LGBTI activists are often the targets of defamation campaigns, online hate speech and cyberbullying and abuse due to their advocacy work for LGBTI equality;
Amendment 317 #
2020/2035(INL)
Motion for a resolution
Paragraph 13
13. Calls on the Council to urgently conclude the Union’s ratification of the Council of Europe Convention on preventing and combating violence against women and domestic violence (the ‘Istanbul Convention’) on the basis of a broad accession without any limitations, and to advocate for its ratification, swift and proper implementation, and enforcement by all Member States; underlines that the Istanbul Convention is the most comprehensive international treaty addressing the root causes of gender-based violence in all its forms and should be understood as a minimum standard; highlights that this call does not detract from the call to adopt a Union legal act on combating gender-based violence but, rather, complements it, recalls that new legislative measures should in any case be coherent with the rights and obligations set by the Istanbul Convention and should be complementary to its ratification.
Amendment 326 #
2020/2035(INL)
Motion for a resolution
Paragraph 14
14. Strongly reaffirms its commitment, as it has previously expressed, to tackle gender-based violence, reiterates its call for a comprehensive directive covering all its forms as the best way to put an end to gender-based violence;
Amendment 351 #
2020/2035(INL)
Motion for a resolution
Annex I – Recommendation 2 – paragraph 3
The scope should cover any form of gender-based violence committed, assisted or aggravated in part or fully by the use of ICT, such as mobile phones and smartphones, the internet, social media platforms or email, against a woman because she is a woman, or affects women disproportionately. The scope should encompass gender-based violence against LGBTIQ persons, who are targeted because of their gender, gender identity, gender expression or sex characteristics.
Amendment 354 #
2020/2035(INL)
Motion for a resolution
Annex I – Recommendation 2 – paragraph 3
The scope should cover all forms of gender-based violence committed, assisted or aggravated in part or fully by the use of ICT, such as mobile phones and smartphones, the internet, social media platforms or email, against women because of their gender.
Amendment 356 #
2020/2035(INL)
Motion for a resolution
Annex I – Recommendation 2 – paragraph 4 – indent 1
- cyber harassment (including: cyberbullying, online sexual harassment, unsolicited receiving of sexually explicit material, mobbing);
Amendment 358 #
2020/2035(INL)
Motion for a resolution
Annex I – Recommendation 2 – paragraph 4 – indent 3
- ICT-related violations of privacy (including the accessing, sharing and manipulation of private data or images, including intimate data without consent, image-based sexual abuse and non-consensual disclosure of sexual images, doxxing, dead-naming, identity theft);
Amendment 361 #
2020/2035(INL)
Motion for a resolution
Annex I – Recommendation 2 – paragraph 4 – indent 5
- threats (including direct threats and threats of violence, extortion, sextortion, blackmail) directed at the victim, their children or relatives as well as other persons affected by second order violence;
Amendment 363 #
2020/2035(INL)
Motion for a resolution
Annex I – Recommendation 2 – paragraph 4 – indent 6
- sexist, transphobic or interphobic hate speech (including: posting and sharing violent content, use of sexist or gendered comments and insults, abusing women for expressing their own views and for turning away sexual advances, inciting to hatred against individuals on grounds of their gender identity, expression or sex characteristics);
Amendment 367 #
2020/2035(INL)
Motion for a resolution
Annex I – Recommendation 2 – paragraph 4 – indent 9
- "Real-World Attacks" (cyber violence having repercussions in “real life”), hacking and unlawful access to mobile, email, instant messaging messages or social media accounts;
Amendment 369 #
2020/2035(INL)
Motion for a resolution
Annex I – Recommendation 2 – paragraph 4 – indent 11
- direct violence, including trafficking of women using technological means such as recruitment, luring women into prostitution and sharing stolen graphical content to advertise for prostitution, sexualised extortion (sextortion) and identity theft, as well as online grooming in order to bring the child into sexual abuse or child-trafficking situations;
Amendment 373 #
2020/2035(INL)
Motion for a resolution
Annex I – Recommendation 3 – paragraph 1 – introductory part
Member States should implement a series of measures in order to prevent gender-based cyberviolence, having an intersectional approach:
Amendment 374 #
2020/2035(INL)
Motion for a resolution
Annex I – Recommendation 3 – paragraph 1 – indent 1
- awareness-raising and educational programmes, including programmes addressed to boys and men, as well as campaigns involving all relevant actors and stakeholders to address the root causes of gender-based cyberviolence, within the general context of gender-based violence in order to bring about changes in social and cultural attitudes and remove gender stereotypes, while promoting responsible behaviour on social media and increasing literacy about the safe use of the internet;
Amendment 376 #
2020/2035(INL)
Motion for a resolution
Annex I – Recommendation 3 – paragraph 1 – indent 1
- awareness-raising and educational programmes involving all relevant actors and stakeholders to address the root causes of gender-based cyberviolence, within the general context of gender-based violence in order to bring about changes in social and cultural attitudes and remove gender norms and stereotypes, while promoting responsible behaviour on social media and increasing literacy about the safe use of the internet;
Amendment 428 #
2020/2035(INL)
Motion for a resolution
Annex I – Recommendation 5 – paragraph 1 – indent 4
- aggravating circumstances, depending on the profile of the women, girls and LGBTI victims (exploiting specific characteristics, vulnerabilities of women, girls and LGBTI persons online);
Amendment 1 #
2020/2022(INI)
Motion for a resolution
Citation 3
— having regard to the Charter of Fundamental Rights of the European Union, in particular Article 6, Article 7, Article 8, Article 11, Article 13, Article 221, Article 22, Article 23, Article 24, Article 25 and Article 246 thereof,
Amendment 4 #
2020/2022(INI)
Motion for a resolution
Citation 6 a (new)
— having regard to Directive 2010/13/EU of the European Parliament and of the Council of 10 March 2010 on the coordination of certain provisions laid down by law, regulation or administrative action in Member States concerning the provision of audiovisual media services (Audiovisual Media Services Directive) [3a],
_________________
[3a] OJ L 95, 15.4.2010, p. 1–24
Amendment 12 #
2020/2022(INI)
Motion for a resolution
Citation 7 a (new)
— having regard to the judgement of the Court of Justice of 24 November 2011 in case C-70/10 [5a],
_________________
[5a] Judgement of the Court of Justice of 24 November 2011, Scarlet Extended SA v Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM)
Amendment 16 #
2020/2022(INI)
Motion for a resolution
Recital -A (new)
-A. whereas fundamental rights, such as protection of privacy and personal data, the principle of non-discrimination, as well as freedom of expression and information, need to be ingrained at the core of a successful and durable European policy on digital services; whereas these rights need to be seen both in the letter of the law, as well as the spirit of their implementation;
Amendment 17 #
2020/2022(INI)
Motion for a resolution
Recital A b (new)
Ab. recital -Aa whereas the trust of users can only be gained by digital services that respect their fundamental rights, thus ensuring both uptake of services, as well as a competitive advantage and stable business models for companies;
Amendment 20 #
2020/2022(INI)
Motion for a resolution
Recital B a (new)
Ba. whereas the privacy rules in the electronic communication sector, as set out in the Directive concerning the processing of personal data and the protection of privacy in the electronic communications sector, are currently under revision;
Amendment 25 #
2020/2022(INI)
Motion for a resolution
Recital C
C. whereas the amount of all types of user-generated content, including harmful and illegal content, shared via cloud services or online platforms has increased exponentially;
Amendment 27 #
2020/2022(INI)
Motion for a resolution
Recital C a (new)
Ca. whereas the use of personal data for the purposes of individual profiling, and its subsequent repurposing, even when seemingly innocuous data is collected from the digital traces of individuals, can be mined in a way that can generate insights that can enable very intimate personal information to be inferred at a very high level of accuracy, especially when these data are merged with other data sets;
Amendment 28 #
2020/2022(INI)
Motion for a resolution
Recital C b (new)
Cb. whereas social media and other content distribution platforms utilise profiling techniques to target and distribute their content, as well as advertisements; whereas the automated algorithms decide how to handle, prioritise, distribute and delete third-party content on online platforms, including during political and electoral campaigns;
Amendment 29 #
2020/2022(INI)
Motion for a resolution
Recital C c (new)
Cc. whereas the proliferation of disinformation, even propaganda online, has been aided by platforms whose very business model is based on profiting from collection and analysis of user data; whereas consequently promoting spreadable, sensationalist content forms part of their business logic, and pushes them to generate more traffic and ‘clicks’, and, in turn, generate more profiling data and thus more profit;
Amendment 30 #
2020/2022(INI)
Motion for a resolution
Recital C d (new)
Cd. whereas the Cambridge Analytica and Facebook scandals revealed how user data had been used to micro-target certain voters with political advertising, and at times, even with targeted disinformation, therefore showing the danger of opaque data processing operations of online platforms;
Amendment 31 #
2020/2022(INI)
Ce. whereas the widespread use of algorithms for content filtering and content removal processes also raises rule of law concerns, questions of legality, legitimacy and proportionality;
Amendment 39 #
2020/2022(INI)
Motion for a resolution
Recital E
E. whereas the political approach to tackle harmful and illegal content online in the EU is based on court order mandated takedowns, but a growing number of Member States are adopting further national legislation to address illegal content;
Amendment 45 #
2020/2022(INI)
Motion for a resolution
Recital F
F. whereas some forms of harmful content may be detrimental to society or democracy, yet be legal, with examples such as opaque political advertising and disinformation on COVID-19 causes and remedies;
Amendment 47 #
2020/2022(INI)
Motion for a resolution
Recital G
G. whereas a pure self-regulatory approach of platforms does not provide legitimacy or adequate transparency and proper information to public authorities, civil society and users on how platforms address illegal content and content that is deleted against violations of terms and conditions; whereas such an approach does not guarantee compliance with fundamental rights and creates a risk of excessive interference with the right of freedom of expression and creates a problematic situation where law enforcement responsibilities are handed over to private parties;
Amendment 52 #
2020/2022(INI)
Motion for a resolution
Recital H
H. whereas regulatory oversight and supervision of platforms lacks horizontalis sector-specific in the EU; whereas further and more comprehensive coordination between the different oversight bodies across the EU would be beneficial;
Amendment 54 #
2020/2022(INI)
Motion for a resolution
Recital I
Amendment 58 #
2020/2022(INI)
Motion for a resolution
Recital J
J. whereas the lack of comparable, robust public data on the prevalence and both court mandated and self-regulatory removal of illegal and harmful content online creates a deficit of transparency and accountability;
Amendment 66 #
2020/2022(INI)
Motion for a resolution
Recital K
K. whereas child sexual exploitation online is one of the forms of illegal content shaped by technological developments; whereas the vast amount of child sexual abuse material circulating online poses serious challenges for detection, investigation and, most of all, victim identification efforts;
Amendment 68 #
2020/2022(INI)
Motion for a resolution
Recital L
L. whereas according to the Court of Justice of the European Union (CJEU), jurisprudence host providers may have recourse to automated search tools and technologies to assess if content is equivalent to content previously declared unlawful, as long as it does not result in monitoring generally the information which it stores, or in actively seeking facts or circumstances indicating illegal activity, as provided for in Article 15(1) of Directive 2000/31; whereas such content should be removed following a court order from a Member State;
Amendment 71 #
2020/2022(INI)
Motion for a resolution
Recital L a (new)
La. whereas a trusted electronic identification is elementary to ensure secure access to digital services and to carry out electronic transactions in a safer way; whereas currently only 15 Member States have notified an electronic identity scheme for cross-border recognition in the framework of the Regulation (EU) 910/2014;
Amendment 81 #
2020/2022(INI)
Motion for a resolution
Paragraph 1
1. Stresses that illegal content online is the same as illegal content offline; takes therefore the position that any legally mandated content moderation measure in the Digital Services Act should concern only illegal content, as it is defined in European or national law, and the legislative text should not include any legally vague and undefined terms, such as “harmful content”, as targeting such content would put fundamental rights and freedom of speech at serious risk and put the service providers in a legally unclear position;
Amendment 85 #
2020/2022(INI)
Motion for a resolution
Paragraph 1 a (new)
1a. Paragraph -1. Underlines that the modernisation of current e-Commerce rules can inevitably affect fundamental rights, including the protection of privacy and personal data, the freedom of expression and information, equality and non-discrimination, freedom of thought, conscience and religion, freedom of assembly and association, freedom of the arts and sciences, and the right to an effective remedy; therefore urges the Commission to be extremely vigilant in its approach and also integrate international human rights standards into its revision;
Amendment 87 #
2020/2022(INI)
Motion for a resolution
Paragraph 1 b (new)
1b. Paragraph -1a. Notes how the current digital ecosystem encourages also problematic behaviour, such as hate speech and disinformation; is concerned how promoting controversial content has become the key to the targeted advertisement-based business models, where sensational and polarising content maximises the screen time of users, generating more profiling data, more advertising hours, and therefore more profits; underlines how this type of a business model can have very intrusive and negative effects, not only on individuals and their fundamental rights, but societies as a whole;
Amendment 95 #
2020/2022(INI)
Motion for a resolution
Paragraph 2
2. Believes in the clear economic benefits of a functioning digital single market for the EU and its Member States; stresses the important obligation to ensure a fair digital ecosystem in which fundamental rights, especially data protection, privacy and non-discrimination are at its core;
Amendment 104 #
2020/2022(INI)
Motion for a resolution
Paragraph 3
3. Deems it necessary that illegal content is removed swiftly and consistently in order to address crimes and fundamental rights violation, through a clear and harmonised notice-and-action procedure with the necessary safeguards in place, such as transparency of the process, the right to appeal and access to effective judicial redress; considers that voluntary codes of conduct only partially address the issue;
Amendment 114 #
2020/2022(INI)
Motion for a resolution
Paragraph 4
4. Recalls that illegal content online should not be just removed by online platforms, but should be followed up by law enforcement and, where needed, the judiciary; finds, in this regard, that a key issue in some Member States is not that they just have unresolved cases but also unopened ones;
Amendment 117 #
2020/2022(INI)
Motion for a resolution
Paragraph 4 – subparagraph 1 (new)
Is convinced that, given the borderless nature of the internet and the fast dissemination of illegal content online, cooperation between service providers and national competent authorities should be improved;
Amendment 122 #
2020/2022(INI)
Motion for a resolution
Paragraph 5
5. Acknowledges the fact that, while the illegal nature of certain types of content can be easily established, the decision is more difficult for other types of content as it requires contextualisation; reminds in this regard of the incapacity of current automated tools in grasping the importance of context for specific pieces of content, underlines that algorithms are not currently capable of critical analysis, and takes therefore the view that the Digital Services Act should not contain any obligation for compulsory use of automated tools in content moderation; believes that any voluntary automated measures put in place by the content hosting platforms should be subject to extensive human oversight and to full transparency of design and performance;
Amendment 134 #
2020/2022(INI)
Motion for a resolution
Paragraph 7
7. Strongly believes that the current EU legal framework governing digital services should be updated with a view to addressing the challenges posed by new technologies such as the prevalence of all-encompassing profiling and algorithmic decision-making that permeates all areas of life, and ensuring legal clarity and respect for fundamental rights; considers that the reform should build on the solid foundation of and full compliance with existing EU law, especially the General Data Protection Regulation and the Directive on privacy and electronic communications;
Amendment 139 #
2020/2022(INI)
Motion for a resolution
Paragraph 7 a (new)
7a. Highlights that the practical capacity of individuals to understand and navigate the complexity of the data ecosystems in which they are embedded is extremely limited, as is their ability to identify whether the information they receive and services they use are made available to them on the same terms as to other users; calls on the Commission therefore to place transparency and non-discrimination at the heart of the Digital Services Act;
Amendment 143 #
2020/2022(INI)
Motion for a resolution
Paragraph 8
8. Deems it indispensable to have the full harmonisation of rules on liability exemptions and content moderation at EU level to guarantee the respect of fundamental rights and the freedoms of users across the EU; expresses its concern that recent national laws to tackle hate speech and disinformation lead to a fragmentation of rules;
Amendment 148 #
2020/2022(INI)
Motion for a resolution
Paragraph 9
9. Calls, to this end, that the digital single market is kept open and competitive by requiring digital service providers to apply effective, coherent, transparent and fair procedures with robust procedural safeguards to remove illegal content via a harmonised notice-and-action procedure in line with European legislation;
Amendment 155 #
2020/2022(INI)
Motion for a resolution
Paragraph 10
10. Believes, in this regard, that online platforms that are actively hosting or moderating content should bear more, yet proportionate, responsibility for the infrastructure they provide and the content on it; emphasises that this should be achieved without resorting toit is crucial for online platforms to have clarity provided for by setting clear rules, requirements and safeguards for a harmonised notice-and-action procedure; emphasises that any measure put in place for the removal of illegal content cannot constitute or imply a general monitoring requirements;
Amendment 158 #
2020/2022(INI)
Motion for a resolution
Paragraph 11
11. Supports a clear chain of responsibility to avoid unnecessary regulatory burdens for the platforms and unnecessary and disproportionate restrictions on fundamental rights, including the freedom of expression;
Amendment 167 #
2020/2022(INI)
Motion for a resolution
Paragraph 12
12. Stresses the need for appropriate safeguards and due process obligations, including human oversight and verification, in addition to counter notice procedures, to ensure that removal or blocking decisions are legal, well-founded and respect fundamental rights; recalls that while counter-notice procedures, complaint mechanisms and out-of-court dispute settlements can be valuable tools in protecting fundamental rights of the users of digital services, they cannot preclude access to effective judicial redress and remedy;
Amendment 178 #
2020/2022(INI)
Motion for a resolution
Paragraph 13
13. Supports limited liability exemption for all types of intermediaries and the country of origin principle, and considers improved coordination for removal requests between national competent authorities to be essential; emphasises that such orders should be subject to legal safeguards in order to prevent abuse and ensure full respect of fundamental rights; stresses that sanctions should apply only to those service providers that fail to comply with legitimate orders;
Amendment 192 #
2020/2022(INI)
Motion for a resolution
Paragraph 14
14. Believes that the terms of services of digital service providers should be clear, transparent and fair; deplores the fact that some terms of servrecalls that any take- down-notices from content platforms do not allow law enforcement to use non-personal accounts, which poses a threat both to possible investigations and to personal safetyan authority has to always be based on law, not on the terms of service of the service providers;
Amendment 195 #
2020/2022(INI)
Motion for a resolution
Paragraph 15
15. Underlines that certain types of legal, yet harmful, content should also be addressed to ensure a fair digital ecosystem; expects guidelines to include increased transparency rules on content moderation or political advertising policy to ensure that removals and the blocking of harmful content are limited to the absolute necessarye need to regulate content curation and tracking-based targeted advertisement through giving more choice and control to users; emphasises that users should be able to choose to opt out completely of any content curation, decide whether to opt in to tracking, and have more options on the way content is ranked to them, including a ranking outside their ordinary content consumption habits; strongly believes that the design and performance of such recommendation systems should be subject to full transparency, presented in a user-friendly manner;
Amendment 205 #
2020/2022(INI)
Motion for a resolution
Paragraph 15 a (new)
15a. Highlights how the personalisation of informational environments that data-driven profiling makes possible brings with it new capacities to manipulate individuals in subtle, yet highly effective ways; underlines that when the profiling is deployed at scale for political micro targeting to manipulate voting behaviour, it can seriously undermine the foundations of democracy; therefore expects the Commission to provide guidelines on the use of such persuasive digital technologies in electoral campaigns and political advertising policy;
Amendment 208 #
2020/2022(INI)
Motion for a resolution
Paragraph 15 b (new)
15b. Is concerned of platforms and services that deliberately lock in their users onto that specific platform, thus amplifying their dominant market power and their ability to profile their users even more thoroughly, creating extremely invasive and revealing profiles of their users; calls therefore on the Commission to guarantee the interoperability of digital services; considers in this regard the application programming interfaces (APIs), enabling a user to interconnect between platforms and to import content moderation rules on the content they view on a platform, to be useful tools in bringing true interoperability to users and thus increasing their options to choose between different kinds of recommendation systems and services;
Amendment 210 #
2020/2022(INI)
Motion for a resolution
Paragraph 15 c (new)
15c. Notes that policies for monetisation of content affect what kind of content is seen by users and therefore finally also what kind of content will be uploaded by users; calls therefore for online content hosting platforms to be required to have transparent, non-discriminatory content demonetisation policies in order to guarantee fully the right to freedom of expression online;
Amendment 211 #
2020/2022(INI)
Motion for a resolution
Paragraph 16
16. Underlines the wedge between the speed and capacity of machines relative to the capacity of humans to monitor these machines; therefore deems that accountability always lies with the human overseers - and calls for evidence-based policy making, requiring robust data on the prevalence and removal of illegal content online, in order to ensure a transparent system that can be trusted by all;
Amendment 220 #
2020/2022(INI)
Motion for a resolution
Paragraph 17
17. Calls, in this regard, for large commercial online platforms to make their procedures and decisions to remove content publicly available;
Amendment 224 #
2020/2022(INI)
Motion for a resolution
Paragraph 18
18. Calls, moreover, for a regular public reporting obligation for national authorities on their requests for deletion of illegal content from digital platforms;
Amendment 226 #
2020/2022(INI)
Motion for a resolution
Paragraph 19
19. Expresses its concern regarding the fragmentation of public oversight and supervision of platforms and the documented lack of financial and human resources for the supervision and oversight bodies needed to properly fulfil their tasks; calls for increased cooperation with regard to regulatory oversight of digital services;
Amendment 228 #
2020/2022(INI)
Motion for a resolution
Paragraph 19 a (new)
19a. Considers that in order to guarantee proper enforcement of the Digital Services Act, the oversight of compliance with this Act should be entrusted in an independent authority, while any decisions relating to content should always remain with the judiciary; emphasises in this regard that sanctioning for non-compliance with the Digital Services Act should be based on an assessment of a clearly defined set of factors, such as proportionality, technical and organisational measures and negligence, and the resulting sanctions should be based on a percentage of the annual global turnover of a company;
Amendment 230 #
2020/2022(INI)
Motion for a resolution
Paragraph 20
Amendment 236 #
2020/2022(INI)
Motion for a resolution
Paragraph 21
Amendment 243 #
2020/2022(INI)
Motion for a resolution
Paragraph 22
Amendment 257 #
2020/2022(INI)
Motion for a resolution
Paragraph 23 a (new)
23a. Emphasises the indispensability of agreed standards of essential security in cyberspace in order for digital services to provide their full benefits to citizens; notes therefore the urgent need for Member States to take coordinated action to ensure basic cyber hygiene and to prevent avoidable dangers in cyberspace, including through legislative measures;
Amendment 261 #
2020/2022(INI)
Motion for a resolution
Paragraph 23 b (new)
23b. Stresses that the only way for digital services to achieve their full potential is to enable users to be identified unambiguously in an equivalent manner to offline services; notes that online identification can be improved by enforcing eIDAS Regulation’s cross-border interoperability of electronic identifications across the European Union; reminds that Member States and European institutions have to guarantee that the electronic identifications are secure, enable data minimisation and comply with all other aspects of GDPR;
Amendment 12 #
2020/2018(INL)
Draft opinion
Paragraph 1 a (new)
1 a. Notes that transparency in an algorithm used for digital products and services is a significant characteristic; upon request of the competent authorities, digital service providers should be obliged to make their proprietary algorithms available, explain the intended goal and compare this goal with the actual outcome; digital service providers should amend and adapt their algorithms immediately when the intended outcome is deemed unlawful or unethical; open-source algorithm libraries should be encouraged as an instrument that increases transparency and accelerates both the technology adoption and the quality of the architecture;
Amendment 15 #
2020/2018(INL)
Draft opinion
Paragraph 1 b (new)
1 b. Underlines that in cases of denial of access to a digital product or service, consumers should always be able to inquire about the logic of the decision and the decision-making process; further notes that consumers should always be explicitly informed whether their engagement is with a human or with a machine; emphasises that humans should always have the final responsibility; calls on the Commission to determine the significant role of human operators in the material execution of a decision made by an artificial intelligence (AI) system;
Amendment 27 #
2020/2018(INL)
Draft opinion
Paragraph 2 a (new)
2 a. Calls on the Commission to provide a clearly defined notice-and-action framework for the content hosting platforms to use in the fight against illegal content; stresses that such a framework has to guarantee fundamental rights of users through access to judicial redress and the right to appeal;
Amendment 33 #
2020/2018(INL)
Draft opinion
Paragraph 2 b (new)
2 b. Reminds of the incompetence of current automated tools in grasping the importance of context for specific pieces of content; takes therefore the view that the Digital Services Act should not contain any obligation for the use of automated tools in content moderation; believes that any voluntary automated measures put in place by the content hosting platforms should be subject to human oversight and to full transparency of design and performance;
Amendment 39 #
2020/2018(INL)
Draft opinion
Paragraph 2 c (new)
2 c. Takes the position that any content moderation measure in the Digital Services Act should concern illegal content only as it is defined in national jurisdictions and should not include legally vague and undefined terms, such as “harmful content”, as targeting such content would put fundamental rights and freedom of speech at serious risk;
Amendment 40 #
2020/2018(INL)
Draft opinion
Paragraph 2 d (new)
2 d. Emphasises the need to regulate content curation through giving more control to users on the way content is ranked to them, including options to a ranking outside their ordinary content consumption habits and to opt out completely of any content curation; strongly believes that the design and performance of such recommendation systems should be subject to transparency;
Amendment 43 #
2020/2018(INL)
Draft opinion
Paragraph 2 e (new)
2 e. Considers that content hosting platforms should be obliged to report any illegal content constituting a serious crime to the relevant law enforcement authorities upon becoming aware of it;
Amendment 49 #
2020/2018(INL)
Draft opinion
Paragraph 3 – subparagraph 1 (new)
Underlines that the only way for users of digital services to be identified in an equivalent manner compared to offline services is the recognition of a pan- European digital identification; reminds in this regard that Member States and European institutions have to guarantee the security of the European digital identification;
Amendment 20 #
2020/2016(INI)
Motion for a resolution
Recital A
A. whereas digital technologies in general and artificial intelligence (AI) in particular bring with them extraordinary promise; whereas AI could be one of the strategic technologies of the 21st century, that may generate substantial benefits in efficiency, accuracy, and convenience, and thus bringing positive change to the European economy; whereas AI should not be seen as an end in itself, but as a tool for serving people, with the ultimate aim of increasing human well-being;
Amendment 21 #
2020/2016(INI)
Motion for a resolution
Recital A a (new)
A a. whereas AI can be seen as the ability of a system to correctly interpret external data, to learn from such data, and to use those learnings to achieve specific goals and tasks through flexible adaptation; Whereas the key components of development in AI are the availability of vast quantities of: data, computing power, and human capital and talent;
Amendment 24 #
2020/2016(INI)
Motion for a resolution
Recital A b (new)
A b. whereas, despite continuing advances in computer processing speed and memory capacity, there are as yet no programs that can match human flexibility over wider domains or in tasks requiring understanding of context or critical analysis; whereas, some AI applications have attained the performance levels of human experts and professionals in performing certain specific tasks, and can provide results in a completely different speed and scale;
Amendment 26 #
2020/2016(INI)
Motion for a resolution
Recital A c (new)
A c. whereas several Member States use the application of embedded artificial intelligence (AI) systems in the field of law enforcement;
Amendment 31 #
2020/2016(INI)
Motion for a resolution
Recital B a (new)
B a. whereas the use of AI technology should be developed in such a way as to put people at its center and therefore to be worthy of public trust;
Amendment 36 #
2020/2016(INI)
Motion for a resolution
Recital C a (new)
C a. whereas AI systems always have to be in the service of humans and have the ultimate safety valve of being designed so that they can always be shut down by a human operator;
Amendment 43 #
2020/2016(INI)
Motion for a resolution
Recital E
E. whereas AI applications may offer great opportunities in the field of law enforcement, in particular in improving the working methods of law enforcement agencies and judicial authorities, and combating certain types of crime more efficiently, in particular financial crime, money laundering and terrorist financing, as well as certain types of cybercrime; while at the same time entailing significant risks for the fundamental rights of people;
Amendment 58 #
2020/2016(INI)
Motion for a resolution
Recital G
G. whereas AI applications in use by law enforcement include applications such as facial recognition technologies, automated number plate recognition, speaker identification, speech identification, lip-reading technologies, aural surveillance (i.e. gunshot detection algorithms), autonomous research and analysis of identified databases, forecasting (predictive policing and crime hotspot analytics), behaviour detection tools, autonomous tools to identify financial fraud and terrorist financing, social media monitoring (scraping and data harvesting for mining connections), international mobile subscriber identity (IMSI) catchers, and automated surveillance systems incorporating different detection capabilities (such as heartbeat detection and thermal cameras); whereas the aforementioned applications have vastly varying degrees of reliability and accuracy as well as potentially significant effects on the protection of fundamental rights;
Amendment 69 #
2020/2016(INI)
Motion for a resolution
Recital I
I. whereas use of AI in law enforcement entails a number of high risks for the protection of fundamental rights of individuals, such as opaque decision-making, different types of discrimination, and risks to the protection of privacy and personal data, the protection of freedom of expression and information, and the presumption of innocence;
Amendment 102 #
2020/2016(INI)
Motion for a resolution
Paragraph 3
3. Considers, in this regard, that any AI tool either developed or used by law enforcement or judiciary should, as a minimum, be safe, secure and fit for purpose, respect the principles of data minimisation, fairness, accountability, transparency and explainability, with their development, deployment and use subject to a strict necessity and proportionality test;
Amendment 115 #
2020/2016(INI)
Motion for a resolution
Paragraph 4
4. Sees with great concern the potential of mass surveillance by means of AI technologies in the law enforcement sector; Highlights the imperative need of preventing such mass surveillance by means of AI technologies, and of banning any applications that would result in it;
Amendment 149 #
2020/2016(INI)
Motion for a resolution
Paragraph 9 a (new)
9 a. Highlights how individuals have become overly trusting in the seemingly objective and scientific nature of AI tools and thus fail to consider the possibility of their results being incorrect, incomplete or irrelevant, with potentially grave adverse consequences specifically in the area of law enforcement and justice; Emphasises the over-reliance on the results provided for by AI systems, and notes with concern the lack of confidence and knowledge, by authorities, to question or override an algorithmic recommendation;
Amendment 153 #
2020/2016(INI)
Motion for a resolution
Paragraph 10
10. Underlines that in judicial and law enforcement contexts, the final decision always needs to be taken by a human, who can be held accountable for the decisions made, and include the possibility of a recourse for a remedy; reminds that under EU law, automated individual decision making shall not be based on special categories of personal data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation), unless suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place; highlights that EU law prohibits profiling that results in discrimination against natural persons on the basis of special categories of personal data;
Amendment 164 #
2020/2016(INI)
Motion for a resolution
Paragraph 11 a (new)
11 a. Calls for, in order to guarantee the algorithmic explainability and transparency of law enforcement AI systems, only such tools to be allowed to be purchased by the law enforcement in the Union, which algorithms and logic are open, to at least the police forces themselves, that can be audited, evaluated and vetted by them, and not closed and labelled proprietary by the vendors;
Amendment 168 #
2020/2016(INI)
Motion for a resolution
Paragraph 12 a (new)
12 a. calls for clear and appropriate time limits to be established for the erasure of personal data or for a periodic review of the need for the storage of personal data processed or generated by AI technologies for law enforcement purposes;
Amendment 170 #
2020/2016(INI)
Motion for a resolution
Paragraph 13
13. Reminds that EU law (Directive (EU) 2016/680) already foresees a mandatory data protection impact assessment for any type of processing, in particular, using new technologies, that is likely to result in a high risk to the rights and freedoms of natural persons and is of the opinion that this is the case for all AI technologies in the area of law enforcement; Calls in addition for a compulsory fundamental rights impact assessment to be conducted prior to the implementation or deployment of any AI systems for law enforcement or judiciary, in order to assess any potential risks to fundamental rights;
Amendment 185 #
2020/2016(INI)
Motion for a resolution
Paragraph 15
15. Calls for a moratorium on the deployment of facial recognition systems for specific law enforcement operations, until the technical standards can be considered fully fundamental rights compliant, results derived are non-discriminatory, and there is public trust in the necessity and proportionality for the deployment of such technologies; calls for a ban of the use of facial recognition in the public sphere where not used in specific law enforcement operations;
Amendment 198 #
2020/2016(INI)
Motion for a resolution
Paragraph 16 a (new)
16 a. Calls for the Fundamental Rights Agency, in collaboration with the European Data Protection Board and the European Data Protection Supervisor to draft comprehensive guidelines for the development, use and deployment of AI applications and solutions for the use by law enforcement and judicial authorities;
Amendment 24 #
2020/2012(INL)
Draft opinion
Paragraph 1
1. Believes that there is a difference between ethics and law and the role they play in our societies; any framework of ethical principles for the development, deployment and use of Artificial Intelligence (AI), robotics and related technologies should complement the EU Charter of Fundamental Rights and thereby seek to respect human dignity and autonomy, prevent harm, promote fairness, and transparency, respect the principle of explicability of technologies; and guarantee that the technologies are there to serve people, with the ultimate aim of increasing human well-being for everybody;
Amendment 39 #
2020/2012(INL)
Draft opinion
Paragraph 2
2. Highlights the power asymmetry between those who employ AI technologies and those who interact and are subject to them; in this context stresses the importance of developing an “ethics-by-default and by design” framework which fully respect the Charter of Fundamental Rights of the European Union, Union law and the Treaties;
Amendment 44 #
2020/2012(INL)
Draft opinion
Paragraph 3
3. Considers that the current Union legislative framework on protection of privacy and personal data fully applies to AI, robotics and related technologies, however could benefit from being supplemented with robust ethical guidelines; points out that, where it would be premature to adopt legal acts, a soft law framework should be used;
Amendment 68 #
2020/2012(INL)
Draft opinion
Paragraph 5 b (new)
5b. Promotes Corporate Digital Responsibility on a voluntary basis; the EU should support corporations, who by choice use digital technologies and AI ethically within their companies; the EU should encourage corporations to become proactive by establishing a platform for companies to share their experiences with ethical digitalization, as well as coordinating the actions and strategies of participating companies;
Amendment 76 #
2020/2012(INL)
Draft opinion
Paragraph 6
6. Stresses that the protection of networks of interconnected AI and robotics is important, and strong measures must be taken to prevent security breaches, cyber-attacks and the misuse of personal data;
Amendment 78 #
2020/2012(INL)
Draft opinion
Paragraph 6 a (new)
6a. Calls for a comprehensive risk assessment of AI, robotics and related technologies in addition to the impact assessment provided by Article 35 GDPR (Article 27 of Directive (EU) 2016/680 and Article 39 of Regulation (EU) 2018/1725); the more impact an algorithm has, the more transparency, auditability, accountability and regulation is needed; where an algorithmic decision leads to a limitation of fundamental rights, there needs to be a very robust assessment in place; in highly critical fields - when health, freedom or human autonomy are directly endangered - the implementation of AI should be prohibited;
Amendment 91 #
2020/2012(INL)
Draft opinion
Paragraph 7
7. Notes that AI and robotic technology are used more and more in the area of law enforcement and border control, often with adverse effects on individuals when it comes to their rights to privacy, data protection and non-discrimination; stresses that the deployment and use of these technologies must respect the principles of proportionality and necessity, the Charter of Fundamental Rights, in particular the rights to data protection, privacy and non-discrimination, as well as the relevant secondary Union law such as EU data protection rules;
Amendment 98 #
2020/2012(INL)
Draft opinion
Paragraph 8
8. Stresses that AI and robotics are not immune from making mistakes and can easily have inherent bias; notes that biases can be inherent in the underlying datasets, especially when historical data is being used, introduced by the developers of the algorithms, or generated when the systems are implemented in the real world setting; considers the need for legislators to reflect upon the complex issue of liability in the context of criminal justice.
Amendment 139 #
2020/0361(COD)
Proposal for a regulation
Recital 12
(12) In order to achieve the objective of ensuring a safe, predictable and trusted online environment, for the purpose of this Regulation the concept of “illegal content” should be defined appropriately and also covers information relating to illegal content, products, services and activities where such information is itself illegal. In particular, that concept should be understood to refer to information, irrespective of its form, that under the applicable law is either itself illegal, such as illegal hate speech or terrorist content and unlawful discriminatory content, or that relates to activities that are illegal, such as the sharing of images depicting child sexual abuse, unlawful non-consensual sharing of private images, online stalking, the sale of non-compliant or counterfeit products, the non-authorised use of copyright protected material or activities involving infringements of consumer protection law. In this regard, it is immaterial whether the illegality of the information or activity results from Union law or from national law that is consistent with Union law and what the precise nature or subject matter is of the law in question.
Amendment 150 #
2020/0361(COD)
Proposal for a regulation
Recital 14
(14) The concept of ‘dissemination to the public’, as used in this Regulation, should entail the making available of information to a potentially unlimited number of persons, that is, making the information easily accessible to users in general without further action by the recipient of the service providing the information being required, irrespective of whether those persons actually access the information in question. Accordingly, where access to information requires registration or admittance to a group of users, that information should be considered to be disseminated to the public only where users seeking to access the information are automatically registered or admitted without a human decision or selection of whom to grant access. Interpersonal communication services, as defined in Directive (EU) 2018/1972 of the European Parliament and of the Council,39 such as emails or private messaging services, are not considered disseminated to the public. Information should be considered disseminated to the public within the meaning of this Regulation only where that occurs upon the direct request by the recipient of the service that provided the information.
_________________
39 Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (Recast), OJ L 321, 17.12.2018, p. 36
Amendment 153 #
2020/0361(COD)
Proposal for a regulation
Recital 18
(18) The exemptions from liability established in this Regulation should not apply where the provider of intermediary services has knowledge of, or control over, that information. Those exemptions should accordingly not be available in respect of liability relating to information provided not by the recipient of the service but by the provider of intermediary service itself, including where the information has been developed under the editorial responsibility of that provider. The exemptions from liability established in this Regulation should not depend on uncertain notions such as an ‘active’, ‘neutral’ or ‘passive’ role of providers.
Amendment 158 #
2020/0361(COD)
Proposal for a regulation
Recital 22
(22) In order to benefit from the exemption from liability for hosting services, the provider should, after having become aware of the unlawful nature of content, act expeditiously to remove or to disable access to that content. The removal or disabling of access should be undertaken in the observance of the principle of freedom of expression. The provider can obtain such actual knowledge or awareness through, in particular, its own-initiative investigations or notices submitted to it by individuals or entities in accordance with this Regulation in so far as those notices are sufficiently precise and adequately substantiated to allow a diligent economic operator to reasonably identify, assess and where appropriate act against the allegedly illegal content.
Amendment 281 #
2020/0361(COD)
Proposal for a regulation
Article 1 – paragraph 5 – point i a (new)
(i a) Directive 2002/58/EC.
Amendment 282 #
2020/0361(COD)
Proposal for a regulation
Article 1 – paragraph 5 – subparagraph 1 (new)
This Regulation shall not apply to matters relating to information society services covered by Regulation (EU) 2016/679 and Directive 2002/58/EC.
Amendment 296 #
2020/0361(COD)
Proposal for a regulation
Article 2 a (new)
Article 2 a
Digital privacy
Where technically possible, a provider of an information society service shall enable the use of and payment for that service without collecting personal data of the recipient. A provider of an information society service shall process personal data concerning the use of the service by a recipient only to the extent strictly necessary to enable the recipient to use the service or to charge the recipient for the use of the service. An operator of an online platform shall be allowed to process personal data concerning the use of the service by a recipient for the sole purpose of operating a recommender system if the recipient has given his or her explicit consent, as defined in Article 4(11) of Regulation (EU) 2016/679. Member States shall not require a provider of information society services to retain personal data concerning the use of the service by all recipients. A provider of an information society service shall have the right to provide and support end-to-end encryption services.
Amendment 298 #
2020/0361(COD)
Proposal for a regulation
Article 3 – paragraph 3
Amendment 305 #
2020/0361(COD)
Proposal for a regulation
Article 4 – paragraph 2
2. This Article shall not affect the possibility for a court or administrative authority, in accordance with Member States' legal systems, of requiring the service provider to terminate or prevent an infringement.
Amendment 313 #
2020/0361(COD)
Proposal for a regulation
Article 5 – paragraph 4
4. This Article shall not affect the possibility for a court or administrative authority, in accordance with Member States' legal systems, of requiring the service provider to terminate or prevent an infringement.
Amendment 315 #
2020/0361(COD)
Proposal for a regulation
Article 6 – title
Amendment 316 #
2020/0361(COD)
Proposal for a regulation
Article 6 – paragraph 1
Providers of intermediary services shall not be deemed ineligible for the exemptions from liability referred to in Articles 3, 4 and 5 solely because they take the compulsory measures to comply with the requirements of Union law, including those set out in this Regulation.
Amendment 321 #
2020/0361(COD)
Proposal for a regulation
Article 7 – title
No general monitoring, active fact-finding or automated content moderation obligations
Amendment 324 #
2020/0361(COD)
Proposal for a regulation
Article 7 – paragraph 1
No general obligation shall be imposed to monitor the information which providers of intermediary services transmit or store, nor actively to seek facts or circumstances indicating illegal activity shall be imposed on those providers.
Amendment 325 #
2020/0361(COD)
Proposal for a regulation
Article 7 – paragraph 1 a (new)
Providers of intermediary services shall not be obliged to use automated tools for content moderation.
Amendment 333 #
2020/0361(COD)
Proposal for a regulation
Article 8 – paragraph 1
1. Providers of intermediary services shall, upon the receipt, via a secure communications channel, of an authenticated order to act against a specific item of illegal content, issued by a national judicial or administrative authority, on the basis of the applicable Union or national law, in conformity with Union law, inform the authority issuing the order of the effect given to the orders, without undue delay, specifying the action taken and the moment when the action was taken.
Amendment 336 #
2020/0361(COD)
Proposal for a regulation
Article 8 – paragraph 2 – point a – indent 1
— the identification details of the judicial authority issuing the order and a statement of reasons explaining why the information is illegal content, by reference to the specific provision of Union or national law infringed;
Amendment 340 #
2020/0361(COD)
Proposal for a regulation
Article 8 – paragraph 2 – point a – indent 3
— information about redress mechanisms available to the provider of the service and to the recipient of the service who provided the content;
Amendment 347 #
2020/0361(COD)
Proposal for a regulation
Article 8 – paragraph 2 – point a a (new)
(a a) the order is securely and easily authenticated;
Amendment 349 #
2020/0361(COD)
Proposal for a regulation
Article 8 – paragraph 2 – point b a (new)
(b a) the territorial scope of an order addressed to a provider that has its main establishment, or, if not established in the Union, its legal representation in another Member State is limited to the issuing Member State;
Amendment 351 #
2020/0361(COD)
Proposal for a regulation
Article 8 – paragraph 2 – point b b (new)
(b b) where addressed to a provider that has its main establishment outside the Union, the territorial scope of the order, where Union law is infringed, is limited to the territory of the Union or, where national law is infringed, to the territory of the Member State issuing the order;
Amendment 354 #
2020/0361(COD)
Proposal for a regulation
Article 8 – paragraph 3
3. The Digital Services Coordinator from the Member State of the judicial or administrative authority issuing the order shall, without undue delay, transmit a copy of the orders referred to in paragraph 1 to all other Digital Services Coordinators through the system established in accordance with Article 67.
Amendment 358 #
2020/0361(COD)
Proposal for a regulation
Article 8 – paragraph 4 a (new)
4 a. The Commission shall, by means of implementing acts, define a European technical standard for the secure communication channels that also provide for the authentication of the orders.
Amendment 360 #
2020/0361(COD)
Proposal for a regulation
Article 9 – paragraph 1
1. Providers of intermediary services shall, upon receipt, via a secure communications channel, of an authenticated order to provide a specific item of information about one or more specific individual recipients of the service, issued by a national judicial or administrative authority on the basis of the applicable Union or national law, in conformity with Union law, for the purpose of preventing serious threats to public security, inform without undue delay the authority of issuing the order of its receipt and the effect given to the order via a secure communications channel.
Amendment 364 #
2020/0361(COD)
Proposal for a regulation
Article 9 – paragraph 2 – point a – indent 1
— the identification details of the judicial authority issuing the order, a statement of reasons explaining the objective for which the information is required and why the requirement to provide the information isthe grounds for the necessarity and proportionate to determine compliance by the recipielity of the request, taking due accounts of the intermediary services with applicable Union or national rules, unless such a statement cannot be provided for reasons related to the prevention, investigation, detection and prosecution of criminalits impact on the fundamental rights of the specific recipient of the service whose data is sought and the seriousness of the offences;
Amendment 369 #
2020/0361(COD)
Proposal for a regulation
Article 9 – paragraph 2 – point a – indent 1 a (new)
- a unique identifier of the recipients about whom information is sought;
Amendment 371 #
2020/0361(COD)
Proposal for a regulation
Article 9 – paragraph 2 – point a – indent 2
— information about redress mechanisms available to the provider and to the recipients of the service concerned;
Amendment 376 #
2020/0361(COD)
Proposal for a regulation
Article 9 – paragraph 2 – point a a (new)
(a a) the order is securely and easily authenticated;
Amendment 377 #
2020/0361(COD)
Proposal for a regulation
Article 9 – paragraph 2 – point a b (new)
(a b) the order is issued for the purpose of preventing serious threats to public security;
Amendment 378 #
2020/0361(COD)
Proposal for a regulation
Article 9 – paragraph 2 – point a c (new)
(a c) the order seeks information on a suspect or suspects of a serious threat to public security;
Amendment 379 #
2020/0361(COD)
Proposal for a regulation
Article 9 – paragraph 2 – point b
(b) the order only requires the provider to provide information already legally collected for the purposes of providing the service and which lies within its control;
Amendment 382 #
2020/0361(COD)
Proposal for a regulation
Article 9 – paragraph 3
3. The Digital Services Coordinator from the Member State of the national judicial or administrative authority issuing the order shall, without undue delay, transmit a copy of the order referred to in paragraph 1 to all Digital Services Coordinators through the system established in accordance with Article 67.
Amendment 383 #
2020/0361(COD)
Proposal for a regulation
Article 9 – paragraph 3 a (new)
3 a. The provider shall inform the recipient whose data is being sought without undue delay. As long as necessary and proportionate, in order to protect the fundamental rights of another person, the issuing judicial authority, taking into due account the impact of the request on the fundamental rights of the person whose data is sought, may request the provider to delay informing the recipient. Such a request shall be duly justified, specify the duration of the obligation of confidentiality and shall be subject to periodic review.
Amendment 384 #
2020/0361(COD)
Proposal for a regulation
Article 9 – paragraph 3 b (new)
3 b. This Article shall apply, mutatis mutandis, to competent administrative authorities ordering online platforms to provide the information listed in Article 22.
Amendment 385 #
2020/0361(COD)
Proposal for a regulation
Article 9 – paragraph 3 c (new)
3 c. Where information is sought for the purpose of criminal proceedings, Regulation (EU) 2021/XXXX on access to electronic evidence shall apply.
Amendment 386 #
2020/0361(COD)
Proposal for a regulation
Article 9 – paragraph 3 d (new)
3 d. Providers of intermediary services shall transfer the personal data on recipients of their service requested by public authorities only where the conditions of this article are met.
Amendment 387 #
2020/0361(COD)
Proposal for a regulation
Article 9 – paragraph 3 e (new)
3 e. The Commission shall, by means of implementing acts, establish a common European information exchange system with secure channels for the handling of authorised cross-border communications, authentication and transmission of the order referred to in paragraph 1 and, where applicable, of the requested data between the competent judicial authority and the provider.
Amendment 429 #
2020/0361(COD)
Proposal for a regulation
Article 13 a (new)
Article 13 a Online advertising transparency Providers of intermediary services that display advertising on their online interfaces shall ensure that the recipients of the service can identify, for each specific advertisement displayed to each individual recipient, in a clear, concise and unambiguous manner and in real time: (a) that the information displayed on the interface or parts thereof is an online advertisement, including through prominent and harmonised marking; (b) the natural or legal person on whose behalf the advertisement is displayed and the natural or legal person who finances the advertisement; (c) clear, meaningful and uniform information about the parameters used to determine the recipient to whom the advertisement is displayed; and (e) if the advertisement was displayed using an automated tool and the identity of the person responsible for that tool. 2. The Commission shall adopt an implementing act establishing harmonised specifications for the marking referred to in paragraph 1(a) of this Article. 3. Providers of intermediary services shall inform the natural or legal person on whose behalf the advertisement is displayed where the advertisement has been displayed. They shall also inform public authorities, upon their request. 4. Providers of intermediary services that display advertising on their online interfaces shall be able to give easy access to public authorities, NGOs, and researchers, upon their request, to information related to direct and indirect payments or any other remuneration received to display the corresponding advertisement on their online interfaces.
Amendment 431 #
2020/0361(COD)
Proposal for a regulation
Article 13 b (new)
Article 13 b Targeting of digital advertising 1. Providers of intermediary services shall not collect or process personal data as defined by Regulation (EU) 2016/679 for the purpose of showing digital advertising to recipients of their service, of other information society services, or directly to the public. 2. Providers of intermediary services may show targeted digital advertising based on contextual information. 3. The use of the contextual information referred to in paragraph 2 shall be permissible only if it does not allow for the direct or indirect identification of a natural person, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Amendment 432 #
2020/0361(COD)
Proposal for a regulation
Article 13 c (new)
Article 13 c Recipients’ consent for advertising practices 1. Providers of intermediary services shall not, by default, subject the recipients of their services to targeted, micro-targeted and behavioural advertisement, unless the recipient of the service has expressed a freely given, specific, informed and unambiguous consent to receiving such advertising. Providers of intermediary services shall ensure that recipients of services can easily make an informed choice when expressing their consent by providing them with meaningful information about the use of their personal data. 2. When processing personal data for targeted, micro-targeted and behavioural advertising, where consent has been received, online intermediaries shall comply with relevant Union law and shall not engage in activities that can lead to pervasive tracking, such as disproportionate combination of data collected by platforms, or disproportionate processing of special categories of personal data. 3. Providers of intermediary services shall organise their online interface in a way that provides clear information regarding the advertising parameters and allows the recipients of services to easily and efficiently access and modify those advertising parameters. Providers of intermediary services shall regularly monitor the use of advertising parameters by the recipients of services and make improvements to their use where necessary.
Amendment 442 #
2020/0361(COD)
Proposal for a regulation
Article 14 – paragraph 2 – point c
Amendment 447 #
2020/0361(COD)
Proposal for a regulation
Article 14 – paragraph 3
3. Notices that include the elements referred to in paragraph 2 shall be considered to give rise to actual knowledge or awareness for the purposes of Article 5 in respect of the specific item of information concernedThe individual or entity submitting the notice may choose to provide their name and an electronic mail address that shall not be disclosed to the content provider except in cases of alleged violations of intellectual property rights.
Amendment 449 #
2020/0361(COD)
4 a. Upon receipt of the notice and using available contact details, the service provider shall notify the provider of the information regarding the elements referred to in paragraph 2 and give them the opportunity to reply before taking a decision.
Amendment 450 #
2020/0361(COD)
Proposal for a regulation
Article 14 – paragraph 4 b (new)
4 b. Notified information shall remain accessible until a decision is taken in respect of that information.
Amendment 451 #
2020/0361(COD)
Proposal for a regulation
Article 14 – paragraph 4 c (new)
4 c. The provider shall ensure that decisions on notices are taken by qualified staff, to whom adequate initial and ongoing training on the applicable legislation and fundamental rights standards as well as appropriate working conditions are to be provided, including, where necessary, the opportunity to seek qualified legal advice.
Amendment 453 #
2020/0361(COD)
Proposal for a regulation
Article 14 – paragraph 5
5. The provider shall also, without undue delay, notify the individual or entity that provided the notification, as well as the provider or the information, of its decision in respect of the information to which the notice relates, as well as providing information on the redress possibilities in respect of that decision.
Amendment 459 #
2020/0361(COD)
Proposal for a regulation
Article 14 – paragraph 6
6. Providers of hosting services shall process any notices that they receive under the mechanisms referred to in paragraph 1, and take their decisions in respect of the information to which the notices relate, in a timely, diligent and non-arbitrary manner. Where they use automated means for that processing or decision-making, they shall include information on such useuse of such automated means in the notification referred to in paragraph 4.
Amendment 467 #
2020/0361(COD)
Proposal for a regulation
Article 15 – paragraph 1
1. Where a provider of hosting services decides to remove or disable access to specific items of information provided by the recipients of the service, irrespective of the means used for detecting, identifying or removing or disabling access to that information and of the reason for its decisionit, and where the notifier chose to provide contact details, it shall inform the recipientm, at the latest at the time of the removal or disabling of access, of the decision and provide a clear and specific statement of reasons for that decision.
Amendment 475 #
2020/0361(COD)
Proposal for a regulation
Article 15 – paragraph 2 – point c
(c) where applicable, information on the use made of automated means used in taking the decision, including where the decision was taken in respect of content detected or identified using automated means;
Amendment 483 #
2020/0361(COD)
Proposal for a regulation
Article 15 a (new)
Article 15 a Content moderation 1. Providers of hosting services shall not use ex-ante control measures based on automated tools or upload-filtering of content for content moderation. Where providers of hosting services otherwise use automated tools for content moderation, they shall ensure that qualified staff decide on any action to be taken and that legal content which does not infringe the terms and conditions set out by the providers is not affected. The provider shall ensure that adequate initial and ongoing training on the applicable legislation and international human rights standards as well as appropriate working conditions are provided to staff, including, where necessary, the opportunity to seek professional support, qualified psychological assistance and qualified legal advice. This paragraph shall not apply where information has likely been provided by automated tools. 2. Providers of hosting services shall act in a fair, transparent, coherent, predictable, non-discriminatory, diligent, non-arbitrary and proportionate manner when moderating content, with due regard to the rights and legitimate interests of all parties involved, including the fundamental rights of the recipients of the service as enshrined in the Charter.
Amendment 515 #
2020/0361(COD)
Proposal for a regulation
Article 18 – paragraph 1 – subparagraph 1
The first subparagraph is without prejudice to the right of the recipient concerned to seek redress against the decision before a court in accordance with the applicable law.
Amendment 519 #
2020/0361(COD)
Proposal for a regulation
Article 18 – paragraph 2 – point a a (new)
(a a) it includes legal experts;
Amendment 521 #
2020/0361(COD)
Proposal for a regulation
Article 18 – paragraph 2 – point b
(b) it has the necessary expertise in relation to the issues arising issues concerning one or more particular areas of illegal content, or in relation to the application and enforcement of terms and conditions of one or more types of online platforms, therefore allowing the body to contribute effectively to the settlement of a dispute;
Amendment 522 #
2020/0361(COD)
Proposal for a regulation
Article 18 – paragraph 2 – point d
(d) it is capable of settling disputes in a swift, efficient and cost-effective manner and in at least one official language of the Union;
Amendment 527 #
2020/0361(COD)
Proposal for a regulation
Article 18 – paragraph 3 – subparagraph 2
Certified out-of-court dispute settlement bodies shall make the fees, or the mechanisms used to determine the fees, publicly available.
Amendment 550 #
2020/0361(COD)
Proposal for a regulation
Article 19 – paragraph 5
5. Where an online platform has information indicating that a trusted flagger submitted a significant number of insufficiently precise, inadequately substantiated or incorrect notices, or notices regarding legal content, through the mechanisms referred to in Article 14, including information gathered in connection to the processing of complaints through the internal complaint-handling systems referred to in Article 17(3), it shall communicate that information to the Digital Services Coordinator that awarded the status of trusted flagger to the entity concerned, providing the necessary explanations and supporting documents.
Amendment 553 #
2020/0361(COD)
Proposal for a regulation
Article 19 – paragraph 6
6. The Digital Services Coordinator that awarded the status of trusted flagger to an entity shall revoke that status if it determines, following an investigation either on its own initiative or on the basis of information received from third parties, including the information provided by an online platform pursuant to paragraph 5, that the entity no longer meets the conditions set out in paragraph 2. Before revoking that status, the Digital Services Coordinator shall afford the entity an opportunity to react to the findings of its investigation and its intention to revoke the entity’s status as trusted flagger.
Amendment 558 #
2020/0361(COD)
Proposal for a regulation
Article 20 – paragraph 1
1. Online platforms shall suspend, for a reasonable period of time and after having issued a prior warning, the provision of their services to recipients of the service that has received two or more orders to act regarding illegal content in the previous 12 months.
Amendment 569 #
2020/0361(COD)
Proposal for a regulation
Article 20 – paragraph 3 – point a
(a) the absolute numbers of items of manifestly illegal contentsuspensions of service and items orf manifestly unfounded notices or complaints, submitted in the past year;
Amendment 580 #
2020/0361(COD)
Proposal for a regulation
Article 21 – paragraph 1
1. Where an online platform becomes aware of any information giving rise to a suspicion that a serious criminal offence involving a threat to the life or safety of persons has taken place, is taking place or is likely to take placeis imminent, it shall promptly inform the law enforcement or judicial authorities of the Member State or Member States concerned of its reasoned suspicion and provide all relevantthe information availablegiving rise to it.
Amendment 585 #
2020/0361(COD)
For the purpose of this Article, the Member State concerned shall be the Member State where the offence is suspected to have taken place, be taking place or likely to take place, or the Member State where a suspected offender resides or is located, or the Member State where a victim of the suspected offence resides or is located.
Amendment 588 #
2020/0361(COD)
Proposal for a regulation
Article 22 – paragraph 1 – point b
(b) a copy of the identification document of the trader or any other electronic identification as defined by Article 3 of Regulation (EU) No 910/2014 of the European Parliament and of the Council50 ; _________________ 50 Regthe number of suspensions imposed pursuant to Article 20, distinguishing between suspensions enacted after the receipt of mulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/ECple orders to act, the submission of manifestly unfounded notices and the submission of manifestly unfounded complaints;
Amendment 623 #
2020/0361(COD)
Proposal for a regulation
Article 26 – paragraph 1 – introductory part
1. Very large online platforms shall identify, analyse and assess, from the date of application referred to in the second subparagraph of Article 25(4), at least once a year thereafter,on an ongoing basis, the probability and severity of any significant systemic risks stemming from the design, functioning and use made of their services in the Union. This risk assessment shall be specific to their services and shall include the following systemic risks:
Amendment 624 #
2020/0361(COD)
Proposal for a regulation
Article 26 – paragraph 1 – point b
(b) any negative effects for the exercise of the fundamental rights to respect for private and family life, freedom of expression and information, the prohibition ofprivacy, protection of personal data, discrimination, equality and the rights of the child,ren as enshprescrinbed in Articles 7, 11, 21 and 24 of the Charter respectivelyUnion or Member State law;
Amendment 628 #
2020/0361(COD)
Proposal for a regulation
Article 26 – paragraph 1 – point c
(c) malfunctioning or intentional manipulation of their service, including by means of inauthentic use, undisclosed paid influence, or automated exploitation of the service, with an actual or foreseeable negative effect on the protection of public health, minors, and other categories of vulnerable service users, civic discourse, or actual or foreseeable effects related to electoral processes and public security.
Amendment 633 #
2020/0361(COD)
Proposal for a regulation
Article 26 – paragraph 2
2. When conducting risk assessments, very large online platforms shall take into account, in particular, how their content moderation systems, recommender systems and systems for selecting, targeting, and displaying advertisement influence any of the systemic risks referred to in paragraph 1, including the potentially rapid and wide dissemination of illegal content and of information that is incompatible with their terms and conditions.
Amendment 636 #
Amendment 639 #
2020/0361(COD)
Proposal for a regulation
Article 27 – paragraph 1 – introductory part
1. Very large online platforms shall put in place transparent, reasonable, proportionate and effective mitigation measures, tailored to the specific systemic risks identified pursuant to Article 26. Such measures shall include, where applicable:
Amendment 643 #
2020/0361(COD)
Proposal for a regulation
Article 27 – paragraph 1 – introductory part
1. Very large online platforms may put in place reasonable, proportionate and effective specific measures to address the dissemination of illegal content through their services. Such measures may include, where applicable:
Amendment 646 #
2020/0361(COD)
Proposal for a regulation
Article 27 – paragraph 1 – point a a (new)
(a a) appropriate technical and operational measures or capacities, such as appropriate staffing or technical means to expeditiously remove or disable access to illegal content the platform is aware of, or has received an order to act upon;
Amendment 647 #
2020/0361(COD)
Proposal for a regulation
Article 27 – paragraph 1 – point a b (new)
(a b) easily accessible and user-friendly mechanisms for users to report or flag allegedly illegal content, and mechanisms for user moderation;
Amendment 651 #
2020/0361(COD)
Proposal for a regulation
Article 27 – paragraph 1 – point c
(c) reinforcing the internal processes or supervision of any of their activities in particular as regards detection of systemic risk;
Amendment 655 #
2020/0361(COD)
Proposal for a regulation
Article 27 – paragraph 1 – point e
Amendment 658 #
2020/0361(COD)
Proposal for a regulation
Article 27 – paragraph 1 – point e
(e) initiating or adjusting cooperation with other online platforms and stakeholders through the codes of conduct and the crisis protocols referred to in Article 35 and 37 respectively.
Amendment 660 #
2020/0361(COD)
Proposal for a regulation
Article 27 – paragraph 1 a (new)
1 a. Where a very large online platform decides not to put in place any of the mitigating measures listed in article 27.1, it shall provide a written explanation that describes the reasons why those measures were not put in place, which shall be provided to the independent auditors in order to prepare the audit report in article 28.3.
Amendment 662 #
2020/0361(COD)
Proposal for a regulation
Article 27 – paragraph 2
Amendment 670 #
2020/0361(COD)
Proposal for a regulation
Article 27 – paragraph 2 – point b
(b) best practices and recommendations for very large online platforms to effectively mitigate the systemic risks identified.
Amendment 675 #
2020/0361(COD)
Proposal for a regulation
Article 27 – paragraph 3
3. The Commission, in cooperation with the Digital Services Coordinators, may issue general recommendations on the application of paragraph 1 in relation to specific risks, in particular to present best practices and propose possible measures, having due regard to the possible consequences of the measures on fundamental rights enshrined in the Charter of all parties involved. When preparing those recommendations the Commission shall organise public consultations.
Amendment 676 #
2020/0361(COD)
Proposal for a regulation
Article 27 – paragraph 3 a (new)
3 a. After establishing that a very large online platform has received a substantial number of orders to act, the competent Digital Services Coordinator may request necessary, proportionate and effective additional specific measures that the platform is obliged to implement. The competent Digital Services Coordinator shall not impose a general monitoring obligation or the use of automated tools. The request shall take into account, in particular, the technical feasibility of the measures, the size and economic capacity of the platform and the effect of such measures on the fundamental rights of the users and on the freedom of expression and the freedom to receive and impart information and ideas in an open and democratic society. Such a request shall be sent by the Digital Services Coordinator of the Member State in which the platform has its main establishment, or, if not established in the Union, its legal representative. The platform may, at any time, request the competent Digital Services Coordinator to review and, where appropriate, revoke such request.
Amendment 678 #
2020/0361(COD)
Proposal for a regulation
Article 28 – paragraph 1 – introductory part
1. Very large online platforms shall be subject, at their own expense and at least once a year, to external independent audits to assess compliance with the following:
Amendment 679 #
2020/0361(COD)
Proposal for a regulation
Article 28 – paragraph 1 – introductory part
1. Very large online platforms shall be subject, at their own expense and at least once a year, to independent audits to assess compliance with the following:
Amendment 681 #
2020/0361(COD)
Proposal for a regulation
Article 28 – paragraph 1 – introductory part
1. Very large online platforms shall be subject, at their own expense and at least once a year, to audits to assess compliance with the following:
Amendment 684 #
2020/0361(COD)
Proposal for a regulation
Article 28 – paragraph 1 – point a
(a) Compliance with the obligations set out in Chapter III;
Amendment 685 #
2020/0361(COD)
Proposal for a regulation
Article 28 – paragraph 1 – point a a (new)
(a a) Adequacy of the risk assessment undertaken pursuant to Article 26.1 and the corresponding risk mitigation measures undertaken pursuant to Article 27.1;
Amendment 686 #
2020/0361(COD)
Proposal for a regulation
Article 28 – paragraph 1 – point b
(b) Compliance with any commitments undertaken pursuant to the codes of conduct referred to in Articles 35 and 36 and the crisis protocols referred to in Article 37.
Amendment 687 #
2020/0361(COD)
Proposal for a regulation
Article 28 – paragraph 1 – point b
(b) any commitments undertaken pursuant to the codes of conduct referred to in Articles 35 and 36 and the crisis protocols referred to in Article 37 and self- or co-regulatory actions that they have undertaken.
Amendment 688 #
2020/0361(COD)
Proposal for a regulation
Article 28 – paragraph 2 – introductory part
2. Audits performed pursuant to paragraph 1 shall be performed by expert organisations, previously vetted by the Board, which:
Amendment 689 #
2020/0361(COD)
Proposal for a regulation
Article 28 – paragraph 2 – introductory part
2. Audits performed pursuant to paragraph 1 shall be performed by organisations, vetted by the Board, which:
Amendment 690 #
2020/0361(COD)
Proposal for a regulation
Article 28 – paragraph 2 – point a
(a) are independent from the very large online platform concerned as well as from other very large online platforms;
Amendment 691 #
2020/0361(COD)
Proposal for a regulation
Article 28 – paragraph 2 – point a
(a) are independent from and do not have conflicts of interest with the very large online platform concerned;
Amendment 692 #
2020/0361(COD)
Proposal for a regulation
Article 28 – paragraph 2 – point b
(b) have demonstrated expertise in the area of risk management, technical competence and capabilities, and, where applicable, can demonstrably draw upon expertise in fields related to the risks investigated or related research methodologies;
Amendment 693 #
2020/0361(COD)
Proposal for a regulation
Article 28 – paragraph 2 – point c
(c) have demonstrated objectivity and professional ethics, based in particular on adherence to relevant codes of practice or appropriate standards.
Amendment 694 #
2020/0361(COD)
Proposal for a regulation
Article 28 – paragraph 3 – introductory part
3. The organisations that perform the audits shall establish a meaningful, granular, comprehensive and independent audit report for each audit. The report shall be in writing and include at least the following:
Amendment 695 #
2020/0361(COD)
Proposal for a regulation
Article 28 – paragraph 3 – introductory part
3. The organisations that perform the audits shall establish a meaningful, granular, comprehensive audit report for each audit. The report shall be in writing and include at least the following:
Amendment 696 #
2020/0361(COD)
Proposal for a regulation
Article 28 – paragraph 3 – point d
(d) a description of the main findings drawn from the audit and a summary of the main findings;
Amendment 697 #
2020/0361(COD)
Proposal for a regulation
Article 28 – paragraph 3 – point d a (new)
Amendment 698 #
2020/0361(COD)
Proposal for a regulation
Article 28 – paragraph 3 – point d b (new)
(d b) a description of the third-parties consulted to inform the audit;
Amendment 699 #
2020/0361(COD)
Proposal for a regulation
Article 28 – paragraph 3 – point e
(e) an audit opinion on whether the very large online platform subject to the audit meaningfully complied with the obligations and with the commitments referred to in paragraph 1, either positive, positive with comments or negative;
Amendment 704 #
2020/0361(COD)
Proposal for a regulation
Article 28 – paragraph 4
4. Very large online platforms shall ensure auditors have access to all relevant information to perform their duties. Very large online platforms receiving an audit report that contains evidence of wrongdoings shall ensure to apply the recommendations addressed to them with a view to take all the necessary measures to implement them. They shall, within one month from receiving those recommendations, adopt an audit implementation report setting out those measures. Where they do not implement the operational recommendations, they shall justify in the audit implementation report the reasons for not doing so and set out any alternative measures they may have taken to address any instances of non-compliance identified.
Amendment 705 #
2020/0361(COD)
Proposal for a regulation
Article 28 – paragraph 4 – subparagraph 1 (new)
Auditors shall submit their audit report to the Board at the same time as the very large online platform concerned. Within a reasonable period of time, the Board shall issue recommendations, monitor the implementation of the report and suggest the adoption of sanctions by the competent Digital Service Coordinator when the very large online platform fails to abide by the Regulation.
Amendment 706 #
2020/0361(COD)
Proposal for a regulation
Article 28 – paragraph 4 – point 1 (new)
(1) The Board, after consulting stakeholders and the Commission, shall publish guidelines about how audits should be conducted by the auditors, how they should be implemented by very large online platforms and how authorities will monitor and enforce the Regulation in this regard.
Amendment 707 #
2020/0361(COD)
Proposal for a regulation
Article 28 – paragraph 4 – point 2 (new)
(2) The Board shall publish and regularly update a list of vetted auditors that very large online platforms can resort to. The Board shall publish and regularly review detailed criteria auditors need to meet.
Amendment 709 #
2020/0361(COD)
Proposal for a regulation
Article 29 – paragraph 1
1. Very large online platforms that use recommender systems shall set out in their terms and conditions, in a clear, accessible and easily comprehensible manner, meaningful information about the logic involved and the main parameters used in their recommender systems, as well as any options for the recipients of the service to modify or influence those main parameters that they may have made available, including the provision of at least one option which is not based on profiling, within the meaning of Article 4 (4) of Regulation (EU) 2016/679. Basing recommender systems on profiling shall require the explicit consent of the recipient, as defined in Article 4, point (11), of Regulation (EU) 2016/679.
Amendment 716 #
2020/0361(COD)
Proposal for a regulation
Article 29 – paragraph 1 a (new)
1 a. Very large online platforms that use recommender systems shall allow the recipient of the service to have information presented to them in a chronological order only and alternatively, where technically possible, to use third-party recommender systems. Third-party recommender systems shall have access to the same information that is available to the recommender systems used by the platform.
Amendment 738 #
2020/0361(COD)
Proposal for a regulation
Article 31 – paragraph 2
2. Upon a reasoned request from the Digital Services Coordinator of establishment or the Commission, very large online platforms shall, within a reasonable period, as specified in the request, provide access to data to vetted researchers who meet the requirements in paragraphs 4 of this Article, for the sole purpose of conducting research that contributes to the identification and understanding of systemic risks as set out in Article 26(1) in the public interest.
Amendment 743 #
2020/0361(COD)
Proposal for a regulation
Article 31 – paragraph 3
3. Very large online platforms shall provide access to data pursuant to paragraphs 1 and 2 through online databases or application programming interfaces, as appropriate. This shall include personal data only where it is lawfully accessible by the public.
Amendment 758 #
2020/0361(COD)
Proposal for a regulation
Article 31 – paragraph 7 a (new)
7 a. Upon completion of their research, the vetted researchers, who have been granted access to the data, shall publish their findings.
Amendment 760 #
2020/0361(COD)
Proposal for a regulation
Article 32 – paragraph 2
2. Very large online platforms shall only designate as compliance officers persons who have the professional qualifications, knowledge, experience and ability necessary to fulfil the tasks referred to in paragraph 3 as compliance officers. Compliance officers may either be staff members of, or fulfil those tasks on the basis of a contract with, the very large online platform concerned.
Amendment 765 #
2020/0361(COD)
Proposal for a regulation
Article 33 – paragraph 2 – point a
Amendment 766 #
2020/0361(COD)
Proposal for a regulation
Article 33 – paragraph 2 – point b
(b) the related risk mitigation measures identified and specific measures implemented pursuant to Article 27;
Amendment 769 #
2020/0361(COD)
Proposal for a regulation
Article 33 a (new)
Article 33 a Interoperability 1. By 31 December 2024 very large online platforms shall make the main functionalities of their services interoperable with other online platforms to enable cross-platform exchange of information. This obligation shall not limit, hinder or delay their ability to solve security issues. Very large online platforms shall publicly document all application programming interfaces they make available. 2. The Commission shall adopt implementing measures specifying the nature and scope of the obligations set out in paragraph 1.
Amendment 782 #
2020/0361(COD)
Proposal for a regulation
Article 36 – paragraph 1
Amendment 783 #
2020/0361(COD)
Proposal for a regulation
Article 36 – paragraph 2 – introductory part
2. The Commission shall aim to ensure that the codes of conduct pursue an effective transmission of information, in full respect for the rights and interests of all parties involved, and a competitive, transparent and fair environment in online advertising, in accordance with Union and national law, in particular on competition and the protection of privacy and personal data. The Commission shall aim to ensure that the codes of conduct address at least:
Amendment 784 #
2020/0361(COD)
Proposal for a regulation
Article 36 – paragraph 2 – point a
(a) the transmission of information held by providers of online advertising intermediaries to recipients of the service with regard to requirements set in Articles 13a(new), 13b(new) and points (b) and (c) of Article 24;
Amendment 786 #
Amendment 799 #
2020/0361(COD)
Proposal for a regulation
Article 41 – paragraph 1 – point a
(a) the power to require those providers, as well as any other persons acting for purposes related to their trade, business, craft or profession that may reasonably be aware of information relating to a suspected infringement of this Regulation, including, organisations performing the audits referred to in Articles 28 and 50(3), to provide such information within a reasonable time period, with the exception of information covered by professional secrecy requirements;
Amendment 812 #
2020/0361(COD)
Proposal for a regulation
Article 44 – paragraph 2 – point a
(a) the number and subject matter of orders to act against illegal content and orders to provide information issued in accordance with Articles 8 and 9 by any national judicial or administrative authority of the Member State of the Digital Services Coordinator concerned;
Amendment 95 #
2020/0359(COD)
Proposal for a directive
Recital 7
(7) With the repeal of Directive (EU) 2016/1148, the scope of application by sectors should be extended to a larger part of the economy in light of the considerations set out in recitals (4) to (6). The sectors covered by Directive (EU) 2016/1148 should therefore be extended to provide a comprehensive coverage of the sectors and services of vital importance for key societal and economic activities within the internal market. The risk management requirements and reporting obligations should not be different according to whether the entities are operators of essential services or digital service providers. That differentiation has proven obsolete, since it does not reflect the actual importance of the sectors or services for the societal and economic activities in the internal market.
Amendment 97 #
2020/0359(COD)
Proposal for a directive
Recital 11
(11) Depending on the sector in which they operate or the type of service they provide, the entities falling within the scope of this Directive should be classified into two categories: essential and important. That categorisation should take into account the level of criticality of the sector or of the type of service, as well as the level of dependency of other sectors or types of services. Both essential and important entities should be subject to the same risk management requirements and reporting obligations. The supervisory and penalty regimes between these two categories of entities should be differentiated to ensure a fair balance between requirements and obligations on one hand, and the administrative burden stemming from the supervision of compliance on the other hand. The provisions of this Directive apply to entities with complex business models or operating environments, whereby an entity may simultaneously fulfil the criteria assigned to both essential and important entities. In order to enable the effective supervision and enforcement of risk management measures and reporting obligations for entities falling within the scope of this Directive, competent authorities or CSIRTs shall enforce the provisions of this Directive to a function or unit level within an entity, in order to appropriately and sufficiently address the level of criticality.
Amendment 102 #
2020/0359(COD)
Proposal for a directive
Recital 12
(12) Sector-specific legislation and instruments can contribute to ensuring high levels of cybersecurity, while taking full account of the specificities and complexities of those sectors. Sector-specific legislation and instruments that require essential or important entities to adopt cybersecurity risk management measures, or impose reporting obligations for significant incidents, shall, where possible, be consistent with the terminology, and refer to the definitions in Article 4 of this Directive. Where a sector-specific Union legal act requires essential or important entities to adopt cybersecurity risk management measures or to notify incidents or significant cyber threats of at least an equivalent effect to the obligations laid down in this Directive, and apply to the entirety of the security aspects of the operations and services provided by essential and important entities, those sector-specific provisions, including on supervision and enforcement, should apply. The Commission may issue guidelines in relation to the implementation of the lex specialis. This Directive does not preclude the adoption of additional sector-specific Union acts addressing cybersecurity risk management measures and incident notifications. This Directive is without prejudice to the existing implementing powers that have been conferred to the Commission in a number of sectors, including transport and energy.
Amendment 108 #
2020/0359(COD)
Proposal for a directive
Recital 15
(15) Upholding and preserving a reliable, resilient and secure domain name system (DNS) is a key factor in maintaining the integrity of the Internet and is essential for its continuous and stable operation, on which the digital economy and society depend. Therefore, this Directive should apply to all providers of DNS services along the DNS resolution chain, including operators of root name servers, top-level-domain (TLD) name servers, authoritative nametop-level- domain (TLD) name servers, public and open recursive domain name resolution services, and authoritative domain name resolution services. This Directive should not apply to decentralised servicers for domain names and recursive resolwhich centralised administration does not exist, such as the root name servers.
Amendment 111 #
2020/0359(COD)
Proposal for a directive
Recital 17 a (new)
(17a) The edge ecosystem is an emerging vector susceptible to cyber threats and a growing trend with attacks targeting devices — such as routers, switches, and firewalls — is having a significant impact to both enterprises and to the connected digital ecosystem in its entirety. Edge computing ecosystems delivered in a highly distributed form are essential for the development of the Internet of Things (IoT), the Industrial Internet of Things (IIoT) and the sectoral ecosystems of connected devices such as connectivity infrastructure and autonomous vehicles. IoT devices may potentially offer additional attack surfaces and allow threats and attacks to trickle from the device to the network or the cloud. Poor security of IoT devices or IoT gateways can potentially hinder the security of the entire connectivity chain and the data flows towards the edge and the cloud, consequentially affecting the overall security of the ecosystem.
Amendment 112 #
2020/0359(COD)
Proposal for a directive
Recital 17 b (new)
(17b) The continuous increase of computing power combined with the rising levels of maturity of exponential technologies such as machine learning (ML) and artificial intelligence (AI) enable the development of advanced cybersecurity capabilities for real-time detection, analysis, containment and response to cyber threats in a rapidly evolving threat landscape. AI tools and applications are used to develop security controls including, but not limited to, active firewalls, smart antivirus, automated CTI (cyber threat intelligence) operations, AI fuzzing, smart forensics, email scanning, adaptive sandboxing, and automated malware analysis.
Amendment 113 #
2020/0359(COD)
Proposal for a directive
Recital 17 c (new)
(17c) Data-driven tools and applications powered by AI-enabled systems require the processing of large amounts of data, which may include personal data. Risks persist in the entire lifecycle of AI-enabled systems in cybersecurity-enhancing tools and applications, and in order to mitigate risks of unduly interference with the rights and freedoms of individuals, the requirements of data protection by design and by default laid down in Article 25 of Regulation (EU) 2016/679 shall be applied. Integrating appropriate safeguards such as pseudonymisation, encryption, data accuracy, and data minimisation in the design and use of AI-enabled systems deployed in cybersecurity applications and processes is essential to mitigate the risks that such systems may pose on personal data.
Amendment 114 #
2020/0359(COD)
Proposal for a directive
Recital 17 d (new)
(17d) Member States should adopt policies on the promotion and integration of AI-enabled systems in the prevention and detection of cybersecurity incidents and threats as part of their national cybersecurity strategies. Such policies should emphasise the technological and operational measures including, but not limited to, workflow automation, streaming analytics, active monitoring, intelligent prediction and advanced network threat detection, in order to accelerate the analysis, validation and prioritisation of threats. ENISA’s National Capabilities Assessment Framework (NCAF) can assist in the evaluation and alignment of Member States’ policies building on available use cases and key performance indicators. Moreover, an assessment of Member States’ capabilities and overall level of maturity as regards the integration of AI-enabled systems in cybersecurity should be factored in the methodological construction of the cybersecurity index within the meaning of ENISA’s report on the state of cybersecurity in the Union under Article 15 of this Directive.
Amendment 115 #
2020/0359(COD)
Proposal for a directive
Recital 17 e (new)
(17e) Open-source cybersecurity tools contribute to a higher degree of transparency and have a positive impact on the efficiency of industrial innovation. Open standards facilitate interoperability between security tools, benefitting the security of industrial stakeholders, enabling the diversification of reliance from a single supplier or vendor, and leading to a more comprehensive CTI framework. Semi-automation of CTI production is an important tool to reduce the number of manual steps underpinning the analysis of CTI. The use of AI and ML within CTI should be further explored to increase the value of machine learning functions within CTI activities.
Amendment 116 #
2020/0359(COD)
Proposal for a directive
Recital 17 f (new)
(17f) Member States should develop a policy for the integration of open-source tools in public administration, and further explore measures to incentivise the wider adoption of open-source software by developing strategies to address and minimise the legal and technical risks that entities are faced with, as regards licensing and the necessary levels of technical support. Such policies are of particular importance for small and medium-sized enterprises (SMEs) facing significant costs for implementation, which can be minimised by reducing the need for specific applications or tools.
Amendment 121 #
2020/0359(COD)
Proposal for a directive
Recital 21 a (new)
(21a) Public-Private Partnerships (PPPs) in the field of cybersecurity can provide the right framework for knowledge exchange, sharing of best practices and the establishment of a common level of understanding amongst all stakeholders. Goal-oriented and service outsourcing PPPs foster a culture of cybersecurity at the Member State level, and leverage the exchange and transfer of expertise, thus raising cybersecurity awareness and the overall level of reciprocal support between public and private entities. Hybrid PPPs enable governments to assign either the operation, or the delivery of service-specific functions, of a CSIRT to an experienced entity facilitating the access of public administrations to private sector resources, and increasing the levels of trust between stakeholders by establishing a proactive attitude in case of incidents or crises.
Amendment 122 #
2020/0359(COD)
Proposal for a directive
Recital 21 b (new)
(21b) Member States should adopt policies underpinning the establishment of cybersecurity-specific PPPs as part of their national cybersecurity strategies. These policies should clarify, among others, the scope and stakeholders involved, the governance model, the available funding options, and the interaction among participating stakeholders. PPPs can leverage the expertise of private sector entities to support Member States’ competent authorities in developing state-of-the-art services and processes including, but not limited to, information exchange, early warnings, cyber threat and incident exercises, crisis management, and resilience planning.
Amendment 130 #
2020/0359(COD)
Proposal for a directive
Recital 26 a (new)
(26a) Cyber hygiene policies provide the foundations for protecting network and information system infrastructures, hardware, software and online application security, and business or end-user data which entities rely on. Cyber hygiene policies comprising a common baseline set of practices including, but not limited to, software and hardware updates, password changes, management of new installs, limitation of administrator-level access accounts, and backing up of data, enable a proactive framework of preparedness and overall safety and security in the event of incidents or threats.
Amendment 131 #
2020/0359(COD)
Proposal for a directive
Recital 26 b (new)
(26b) Member States should adopt policies to promote cyber hygiene as part of their national cybersecurity strategies. Such policies should build on cyber hygiene controls and programmes that are affordable and accreditable in order to minimise the cost of implementation, especially for SMEs, and encourage wider compliance thereto by both public and private entities. ENISA should monitor and assess Member States’ cyber hygiene policies, and explore EU wide schemes to enable cross-border checks ensuring equivalence independent of Member State requirements.
Amendment 132 #
2020/0359(COD)
Proposal for a directive
Recital 28
(28) Since the exploitation of vulnerabilities in network and information systems may cause significant disruption and harm, swiftly identifying and remedying those vulnerabilities is an important factor in reducing cybersecurity risk. Entities that develop such systems should therefore establish appropriate procedures to handle vulnerabilities when they are discovered. Since vulnerabilities are often discovered and reported (disclosed) by third parties (reporting entities), the manufacturer or provider of ICT products or services should also put in place the necessary procedures to receive vulnerability information from third parties. In this regard, international standards ISO/IEC 30111 and ISO/IEC 29417 provide guidance on vulnerability handling and vulnerability disclosure respectively. As regards vulnerability disclosure, coordination between reporting entities and manufacturers or providers of ICT products or services is particularly important. Voluntary coordinated vulnerability disclosure specifies a structured process through which vulnerabilities are reported to organisations in a manner allowing the organisation to diagnose and remedy the vulnerability before detailed vulnerability information is disclosed to third parties or to the public. Coordinated vulnerability disclosure should also comprise coordination between the reporting entity and the organisation as regards the timing of remediation and publication of vulnerabilities. Strengthening the coordination and timely exchange of relevant information between the manufacturer or provider of ICT products or services and the reporting entities is essential to facilitate the voluntary framework of vulnerability disclosure.
Amendment 133 #
2020/0359(COD)
Proposal for a directive
Recital 29
(29) Member States should therefore take measures to facilitate coordinated vulnerability disclosure by establishing a relevant national policy. In this regard, Member States should designate a CSIRT to take the role of ‘coordinator’, acting as an intermediary between the reporting entities and the manufacturers or providers of ICT products or services, where the reporting entity, or the manufacturer or the provider of ICT products or services, engages a third-party coordinator to assist with the disclosure process. The tasks of the CSIRT coordinator should, in particular, include identifying and contacting concerned entities, supporting reporting entities, negotiating disclosure timelines, and managing vulnerabilities that affect multiple organisations (multi-party vulnerability disclosure). Where vulnerabilities affect multiple manufacturers or providers of ICT products or services established in more than one Member State, the designated CSIRTs from each of the affected Member States should cooperate within the CSIRTs Network.
Amendment 139 #
2020/0359(COD)
Proposal for a directive
Recital 31
(31) Although similar vulnerability registries or databases do exist, these are hosted and maintained by entities which are not established in the Union. A European vulnerability registry maintained by ENISA would provide improved transparency regarding the publication process before the vulnerability is officially disclosed, and resilience in cases of disruptions or interruptions on the provision of similar services. To avoid duplication of efforts and seek complementarity to the extent possible, ENISA should explore the possibility of entering into structured cooperation agreements with similar registries in third country jurisdictions. ENISA could play a more central management role either by exploring the option of becoming a “Root CVE Numbering Authority” in the global Common Vulnerabilities and Exposures (CVE) registry, or setting up a database to leverage the existing CVE programme for vulnerability identification and registration to enable interoperability and reference between the European and third country jurisdiction registries.
Amendment 142 #
2020/0359(COD)
Proposal for a directive
Recital 35
(35) The competent authorities and CSIRTs should be empowered to participate in exchange schemes for officials from other Member States, within structured rules and mechanisms underpinning the scope and, where applicable, the required security clearance of officials participating in such exchange schemes, in order to improve cooperation. The competent authorities should take the necessary measures to enable officials from other Member States to play an effective role in the activities of the host competent authority or CSIRT.
Amendment 144 #
2020/0359(COD)
Proposal for a directive
Recital 38
Amendment 145 #
2020/0359(COD)
Proposal for a directive
Recital 39
Amendment 147 #
2020/0359(COD)
Proposal for a directive
Recital 40
(40) Risk-management measures should include measures to identify any risks of incidents, to prevent, detect and handle, respond to, attribute, and recover from incidents, and to mitigate their impact. The security of network and information systems should comprise the security of stored, transmitted and processed data.
Amendment 149 #
2020/0359(COD)
Proposal for a directive
Recital 43
(43) Addressing cybersecurity risks stemming from an entity’s supply chain and its relationship with its suppliers is particularly important given the prevalence of incidents where entities have fallen victim to cyber-attacks and where malicious actors were able to compromise the security of an entity’s network and information systems by exploiting vulnerabilities affecting third party products and services. Entities should therefore evaluate their own cybersecurity capabilities and pursue the integration of cybersecurity enhancing technologies driven by AI or machine learning systems to automate their capabilities and the protection of network architectures. Entities should also assess and take into account the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures.
Amendment 153 #
2020/0359(COD)
Proposal for a directive
Recital 44
(44) Among service providers, managed security services providers (MSSPs) in areas such as incident response, penetration testing, security audits and consultancy play a particularly important role in assisting entities in their efforts to prevent, detect and respond to incidents. Those MSSPs have however also been the targets of cyberattacks themselves and through their close integration in the operations of operators pose a particular cybersecurity risk. Entities should therefore exercise increased diligence in selecting an MSSP, not only in terms of the close operational integration but also as regards the need for such outsourced activities involving personal data by a controller to be in full compliance with Regulation (EU) 2016/679, in particular the processing by a processor on behalf of a controller.
Amendment 156 #
2020/0359(COD)
Proposal for a directive
Recital 46
(46) To further address key supply chain risks and assist entities operating in sectors covered by this Directive to appropriately manage supply chain and supplier related cybersecurity risks, the Cooperation Group involving relevant national authorities, in cooperation with the Commission and ENISA, and in consultation with the European Data Protection Board (EDPB), should carry out coordinated sectoral supply chain risk assessments, as was already done for 5G networks following Recommendation (EU) 2019/534 on Cybersecurity of 5G networks [21], with the aim of identifying per sector which are the critical ICT services, systems or products, relevant threats and vulnerabilities. Particular emphasis should be placed on ICT services, systems or products subject to specific requirements, in particular in third country jurisdictions serving as the country of origin.
[21] Commission Recommendation (EU) 2019/534 of 26 March 2019 Cybersecurity of 5G networks (OJ L 88, 29.3.2019, p. 42).
Amendment 160 #
2020/0359(COD)
Proposal for a directive
Recital 47
(47) The supply chain risk assessments, in light of the features of the sector concerned, should take into account both technical and, where relevant, non-technical factors including those defined in Recommendation (EU) 2019/534, in the EU wide coordinated risk assessment of 5G networks security and in the EU Toolbox on 5G cybersecurity agreed by the Cooperation Group. To identify the supply chains that should be subject to a coordinated risk assessment, the following criteria should be taken into account: (i) the extent to which essential and important entities use and rely on specific critical ICT services, systems or products; (ii) the relevance of specific critical ICT services, systems or products for performing critical or sensitive functions, including the processing of personal data; (iii) the availability of alternative ICT services, systems or products; (iv) the resilience of the overall supply chain of ICT services, systems or products against disruptive events across the entire lifecycle of the service, system or product and (v) for emerging ICT services, systems or products, their potential future significance for the entities’ activities. Such risk assessments should identify best practices for managing risks associated with risks in the ICT supply chain and explore ways to further incentivise their wider adoption by entities within each sector under examination.
Amendment 164 #
2020/0359(COD)
Proposal for a directive
Recital 50
(50) Given the growing importance of number-independent interpersonal communications services, it is necessary to ensure that such services are also subject to appropriate security requirements in view of their specific nature and economic importance. Providers of such services should thus also ensure a level of security of network and information systems appropriate to the risk posed. Given that providers of number-independent interpersonal communications services normally do not exercise actual control over the transmission of signals over networks, the degree of risk to network security for such services can be considered in some respects to be lower than for traditional electronic communications services. The same applies to interpersonal communications services which make use of numbers and which do not exercise actual control over signal transmission. However, as the attack surface continues to expand, number-independent interpersonal communications services including, but not limited to, social media messengers, are becoming popular attack vectors. Malicious actors use platforms to communicate and attract victims to open compromised web pages, therefore increasing the likelihood of incidents involving the exploitation of personal data, and by extension, the security of information systems.
Amendment 173 #
2020/0359(COD)
Proposal for a directive
Recital 54
(54) In order to safeguard the security of electronic communications networks and services, the use of encryption, and in particular end-to-end encryption, should be promoted and, where necessary, should be mandatory for providers of such services and networks in accordance with the principles of security and privacy by default and by design for the purposes of Article 18. The use of end-to-end encryption should be reconciled with the Member States’ powers to ensure the protection of their essential security interests and public security, and to permit the investigation, detection and prosecution of criminal offences in compliance with Union law. The effectiveness of encryption in protecting the privacy and security of communications must not be undermined in any circumstance, as any loophole in encryption is open to be explored or exploited by actors, regardless of their legitimacy or intent.
Amendment 175 #
2020/0359(COD)
Proposal for a directive
Recital 54 a (new)
(54a) Any measures aimed at weakening encryption or circumventing the technology’s architecture may incur significant risks to the effective protection capabilities it entails, thus inevitably compromising the protection of personal data and privacy, resulting in an overall loss of trust in security controls. Any unauthorised decryption, reverse engineering of encryption code, or monitoring of electronic communications outside clear legal authorities should be prohibited to ensure the effectiveness of the technology and its wider use. The cases where encryption can be used to mitigate risks related to non-compliant data transfers as presented in EDPB Recommendations 01/2020 may enable stronger encryption, whether in transit or at rest, for providers of such services and networks for the purposes of Article 18.
Amendment 177 #
2020/0359(COD)
Proposal for a directive
Recital 55
(55) This Directive lays down a three-stage approach to incident reporting in order to strike the right balance between, on the one hand, swift reporting that helps mitigate the potential spread of incidents and allows entities to seek support, and, on the other hand, in-depth reporting that draws valuable lessons from individual incidents and improves over time the resilience to cyber threats of individual companies and entire sectors. In this regard, the Directive should also include reporting of incidents that, based on an initial assessment performed by the entity, may be assumed to lead to substantial operational disruption or financial losses or affect other natural or legal persons by causing considerable material or non-material losses. The initial assessment should take into account amongst others, the affected network and information systems and, in particular, their importance in the provision of the entity’s services, the severity and technical characteristics of the cyber threat, and any underlying vulnerabilities that are being exploited, as well as the entity’s experience with similar incidents. Where entities become aware of an incident, they should provide an early warning within 24 hours, without any obligation to disclose additional information. Entities should be required to submit an initial notification within 72 hours, followed by a comprehensive report not later than one month after the incident has been handled. The initial incident notification timeline of 72 hours should not preclude entities from reporting incidents earlier, therefore allowing entities to seek support from competent authorities or CSIRTs swiftly, and enabling competent authorities or CSIRTs to mitigate the potential spread of the reported incident. Where an incident requires a longer period to be handled, an entity should be required to submit regular reports on the mitigation measures in place to contain, respond to, attribute and recover from the incident, and a comprehensive report not later than one month after the incident has been handled. The initial notification should allow the entity to seek assistance, if required. Such notification, where applicable, should indicate whether the incident is presumably caused by unlawful or malicious action. Member States should ensure that the requirement to submit this initial notification does not divert the reporting entity’s resources from activities related to incident handling that should be prioritised. To further prevent that incident reporting obligations either divert resources from incident response handling or may otherwise compromise the entities efforts in that respect, Member States should also provide that, in duly justified cases and in agreement with the competent authorities or the CSIRT, the entity concerned can deviate from the deadlines of 72 hours for the initial notification and one month for the comprehensive report.
Amendment 183 #
2020/0359(COD)
Proposal for a directive
Recital 60
(60) The availability and timely accessibility of domain name registration data to legitimate access seekers is essential to protect the online ecosystem, prevent DNS abuse, detect and prevent crime and fraud, protect minors, protect intellectual property, and protect against hate speech. For the purposes of this Directive, legitimate access seekers are natural or legal persons making a justified request on the basis of a legitimate interest under Union or national law to access DNS data, and they may include competent authorities under Union or national law for the prevention, investigation or prosecution of criminal offences, CERTs, CSIRTs, and as regards the data of their clients to, providers of electronic communications networks and services and providers of cybersecurity technologies and services acting on behalf of those clients, is essential to prevent and combat Domain Name System abuse, in particular to prevent, detect and respond to cybersecurity incidents. Such access should comply with Union data protection law insofar as it is related to personal data.
Amendment 185 #
2020/0359(COD)
Proposal for a directive
Recital 61
(61) In order to ensure the availability of accurate and complete domain name registration data, TLD registries and the entities providing domain name registration services for the TLD (so-called registrars) should collect and guarantee the integrity and availability of domain names registration data. In particular, TLD registries and the entities providing domain name registration services for the TLD should establish policies and procedures to collect and maintain accurate and complete registration data, as well as to prevent and correct inaccurate registration data in accordance with Union data protection rules.
Amendment 187 #
2020/0359(COD)
Proposal for a directive
Recital 62
(62) TLD registries and the entities providing domain name registration services for them should be required to make publically available domain name registration data of legal persons [25]. TLD registries and the entities providing domain name registration services for the TLD should also enable lawful access to specific domain name registration data concerning natural persons to legitimate access seekers, in accordance with Union data protection law. Member States should ensure that TLD registries and the entities providing domain name registration services for them should respond in 72 hours to requests from legitimate access seekers for the disclosure of domain name registration data. TLD registries and the entities providing domain name registration services for them should establish policies and procedures for the publication and disclosure of registration data, including service level agreements to deal with requests for access from legitimate access seekers. The access procedure may also include the use of an interface, portal or other technical tool to provide an efficient system for requesting and accessing registration data. With a view to promoting harmonised practices across the internal market, the Commission may adopt guidelines on such procedures without prejudice to the competences of the European Data Protection Board.
[25] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL recital (14) whereby “this Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person”.
Amendment 195 #
2020/0359(COD)
Proposal for a directive
Recital 69
(69) The processing of personal data, to the extent strictly necessary and proportionate for the purposes of ensuring network and information security by essential and important entities, public authorities, CERTs, CSIRTs, and providers of security technologies and services is necessary to comply with a legal obligation under this Directive and constitutes a legitimate interest of the data controller concerned, as referred to in point (c) paragraph 1, and point (f) paragraph 1 respectively of Article 6 of Regulation (EU) 2016/679. That should include measures related to the prevention, detection, analysis and response to incidents, measures to raise awareness in relation to specific cyber threats, exchange of information in the context of vulnerability remediation and coordinated disclosure, as well as the voluntary exchange of information on those incidents, as well as cyber threats and vulnerabilities, indicators of compromise, tactics, techniques and procedures, cybersecurity alerts and configuration tools. Such measures may require the processing of the following types of personal data: IP addresses, uniform resources locators (URLs), domain names, and email addresses.
Amendment 199 #
2020/0359(COD)
Proposal for a directive
Recital 71
(71) In order to make enforcement effective, a minimum list of administrative sanctions for breach of the cybersecurity risk management and reporting obligations provided by this Directive should be laid down, setting up a clear and consistent framework for such sanctions across the Union. Due regard should be given to the nature, gravity and duration of the infringement, the actual damage caused or losses incurred or potential damage or losses that could have been triggered, the intentional or negligent character of the infringement, actions taken to prevent or mitigate the damage and/or losses suffered, the degree of responsibility or any relevant previous infringements, the degree of cooperation with the competent authority and any other aggravating or mitigating factor. The imposition of penalties including administrative fines should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter of Fundamental Rights of the European Union, including effective judicial protection and due process.
Amendment 201 #
2020/0359(COD)
Proposal for a directive
Recital 76
(76) In order to further strengthen the effectiveness and dissuasiveness of the penalties applicable to infringements of obligations laid down pursuant to this Directive, the competent authorities should be empowered to apply sanctions consisting of, where applicable, the temporary suspension of a certification or authorisation concerning part or all the services provided by an essential entity, and the imposition of a temporary ban against any person discharging managerial responsibilities at chief executive officer or legal representative level in that essential entity from exercising managerial functions in that entity. This provision shall not apply to public administration entities as referred to in this Directive. Given their severity and impact on the entities’ activities and ultimately on their consumers, such sanctions should only be applied proportionally to the severity of the infringement and taking account of the specific circumstances of each case, including the intentional or negligent character of the infringement, actions taken to prevent or mitigate the damage and/or losses suffered. Such sanctions should only be applied as ultima ratio, meaning only after the other relevant enforcement actions laid down by this Directive have been exhausted, and only for the time until the entities to which they apply take the necessary action to remedy the deficiencies or comply with the requirements of the competent authority for which such sanctions were applied. The imposition of such sanctions shall be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter of Fundamental Rights of the European Union, including effective judicial protection, due process, presumption of innocence and right of defence.
Amendment 206 #
2020/0359(COD)
Proposal for a directive
Recital 79
(79) A peer-review mechanism should be introduced, allowing the assessment by experts designated by the Member States and ENISA of the implementation of cybersecurity policies, including the level of Member States’ capabilities and available resources, and provide an effective path for the transfer of cybersecurity-enhancing technologies, mechanisms and processes between and among competent authorities or CSIRTs.
Amendment 231 #
2020/0359(COD)
Proposal for a directive
Article 2 – paragraph 5 a (new)
5a. As regards the processing of personal data, essential and important entities as well as competent authorities, CERTs, and CSIRTs, shall process personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security in accordance with the obligations set out in this Directive. Where the processing of personal data is required for the purpose of cybersecurity and network and information security in accordance with the provisions set out in Article 18 and Article 20 of the Directive, including the provisions set out in Article 23, that processing is considered necessary for compliance with a legal obligation in accordance with paragraph 1(c) of Article 6 of Regulation (EU) 2016/679.
Amendment 233 #
2020/0359(COD)
Proposal for a directive
Article 2 – paragraph 5 b (new)
5b. For the purposes of arrangements underpinning cybersecurity information-sharing and voluntary notification of information as set out in Articles 26 and 27 of this Directive, the processing of personal data constitutes a legitimate interest of the data controller concerned in accordance with paragraph 1(f) of Article 6 of Regulation (EU) 2016/679.
Amendment 235 #
2020/0359(COD)
Proposal for a directive
Article 2 – paragraph 5 c (new)
5c. As regards the processing of personal data from essential entities providing services of public electronic communications networks or publicly available electronic communications referred to in point 8 of Annex I and point (a)(i) of paragraph 2(1), such processing of personal data required for the purposes of ensuring network and information security shall be in compliance with the provisions set out in Directive 2002/58/EC.
Amendment 238 #
2020/0359(COD)
Proposal for a directive
Article 2 – paragraph 6
6. Sector-specific acts that require essential or important entities either to adopt cybersecurity risk management measures or to notify incidents or significant cyber threats, shall, where possible, refer to the definitions in Article 4 of this Directive. Where provisions of sector–specific acts of Union law require essential or important entities either to adopt cybersecurity risk management measures or to notify incidents or significant cyber threats, and where those requirements are at least equivalent in effect to the obligations laid down in this Directive, the relevant provisions of this Directive, including the provision on supervision and enforcement laid down in Chapter VI, shall not apply.
Amendment 243 #
2020/0359(COD)
Proposal for a directive
Article 4 – paragraph 1 – point 4 a (new)
(4a) ‘near miss’ means an event which could have caused harm, but was successfully prevented from fully transpiring;
Amendment 247 #
2020/0359(COD)
Proposal for a directive
Article 4 – paragraph 1 – point 6
(6) ‘incident handling’ means all actions and procedures aiming at prevention, detection, analysis, attribution, and containment of and a response to an incident;
Amendment 248 #
2020/0359(COD)
Proposal for a directive
Article 4 – paragraph 1 – point 7 a (new)
(7a) ‘risk’ means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of that incident;
Amendment 250 #
2020/0359(COD)
Proposal for a directive
Article 4 – paragraph 1 – point 13
(13) ‘domain name system (DNS)’ means a hierarchical distributed naming system which enables the identification of internet services and resources, allowing end-user devices to utilise internet routing and connectivity services, to reach those services and resources;
Amendment 253 #
2020/0359(COD)
Proposal for a directive
Article 4 – paragraph 1 – point 14
(14) ‘DNS service provider’ means an entity that provides: a) open and public recursive domain name resolution services; or b) authoritative domain name resolution services as a service procurable by third-party entities;
Amendment 255 #
2020/0359(COD)
Proposal for a directive
Article 4 – paragraph 1 – point 15
(15) ‘top–level domain name registry’ means an entity which has been delegated a specific TLD and is responsible for administering the TLD including the registration of domain names under the TLD and the technical operation of the TLD, including the operation of its name servers, the maintenance of its databases and the distribution of TLD zone files across name servers, irrespective of whether any of those operations are being performed by the entity or are outsourced;
Amendment 256 #
2020/0359(COD)
Proposal for a directive
Article 4 – paragraph 1 – point 15 a (new)
(15a) ‘legitimate access seekers’ means any natural or legal person, including competent authorities under Union or national law for the prevention, investigation or prosecution of criminal offences, CSIRTs, CERTs, providers of electronic communications networks and services, and providers of cybersecurity technologies and services, seeking DNS data upon a justified request on the basis of Union or national law for the purposes of preventing DNS abuse, detecting and preventing crime and fraud, protecting minors, protecting intellectual property, and protecting against hate speech;
Amendment 257 #
2020/0359(COD)
Proposal for a directive
Article 4 – paragraph 1 – point 22
(22) ‘social networking services platform’ means a platform that enables end-users to connect, share, discover and communicate with each other via number-independent interpersonal communications services across multiple devices, and in particular, via chats, posts, videos and recommendations;
Amendment 272 #
2020/0359(COD)
Proposal for a directive
Article 5 – paragraph 1 – introductory part
1. Each Member State shall adopt a national cybersecurity strategy defining the strategic objectives, the required technical, organisational, and financial resources to achieve those objectives, and the appropriate policy and regulatory measures, with a view to achieving and maintaining a high level of cybersecurity. The national cybersecurity strategy shall include, in particular, the following:
Amendment 277 #
2020/0359(COD)
Proposal for a directive
Article 5 – paragraph 1 – point b
(b) a governance framework to achieve those objectives and priorities, including the policies referred to in paragraph 2, and an appropriate framework defining the roles and responsibilities of public bodies and entities as well as other relevant actors, underpinning the cooperation and coordination, at the national level, between the competent authorities designated under Articles 7(1) and 8(1), the single point of contact designated under Article 8(3), and the CSIRTs designated under Article 9;
Amendment 284 #
2020/0359(COD)
Proposal for a directive
Article 5 – paragraph 2 – point a a (new)
(aa) guidelines addressing cybersecurity in the supply chain for ICT products and services used by entities outside the scope of this Directive, and in particular supply chain challenges faced by SMEs;
Amendment 287 #
2020/0359(COD)
Proposal for a directive
Article 5 – paragraph 2 – point d a (new)
(da) a policy on promoting the integration of open-source tools and applications;
Amendment 288 #
2020/0359(COD)
Proposal for a directive
Article 5 – paragraph 2 – point d b (new)
(db) a policy to promote and support the development and integration of AI and other emerging technologies in cybersecurity-enhancing tools and applications;
Amendment 289 #
2020/0359(COD)
Proposal for a directive
Article 5 – paragraph 2 – point e
(e) a policy on promoting and developing cybersecurity skills, awareness raising and research and development initiatives, including targeted policies addressing issues relating to gender representation and balance in the aforementioned areas;
Amendment 290 #
2020/0359(COD)
Proposal for a directive
Article 5 – paragraph 2 – point e a (new)
(ea) a policy to promote cyber hygiene programmes comprising a baseline set of practices and controls;
Amendment 293 #
2020/0359(COD)
Proposal for a directive
Article 5 – paragraph 2 – point f a (new)
(fa) a policy, including relevant procedures and governance frameworks, to support and promote the establishment of cybersecurity PPPs;
Amendment 301 #
2020/0359(COD)
3. Member States shall notify their national cybersecurity strategies to the Commission within three months from their adoption. Member States may exclude specific information from the notification where and to the extent that it is strictly necessary to preserve national security.
Amendment 302 #
2020/0359(COD)
Proposal for a directive
Article 5 – paragraph 4
4. Member States shall assess their national cybersecurity strategies at least every four years on the basis of key performance indicators and, where necessary, amend them. The European Union Agency for Cybersecurity (ENISA) shall assist Member States, upon request, in the development of a national strategy and of key performance indicators for the assessment of the strategy. ENISA shall provide guidance to Member States in order to align their already formulated national cybersecurity strategies with the requirements and obligations set out in this Directive.
Amendment 311 #
2020/0359(COD)
Proposal for a directive
Article 6 – paragraph 2
2. ENISA shall develop and maintain a European vulnerability registry. To that end, ENISA shall establish and maintain the appropriate information systems, policies and procedures, and the necessary technical and organisational measures to ensure the security and integrity of the registry, with a view in particular to enabling important and essential entities and their suppliers of network and information systems, as well as entities excluded from the scope of this Directive, and their suppliers, to disclose and register vulnerabilities present in ICT products or ICT services, as well as to provide access to the information on vulnerabilities contained in the registry to all interested parties, enabling all parties and in particular, the users of the ICT products or ICT services concerned to adopt appropriate mitigating measures. The registry shall, in particular, include information describing the vulnerability, the affected ICT product or ICT services and the severity of the vulnerability in terms of the circumstances under which it may be exploited, and the availability of related patches and, in the absence of available patches, guidance addressed to users of vulnerable products and services as to how the risks resulting from disclosed vulnerabilities may be mitigated.
Amendment 314 #
2020/0359(COD)
Proposal for a directive
Article 7 – paragraph 1 a (new)
1a. Where a Member State designates more than one competent authority referred to in paragraph 1, it should clearly indicate which of these competent authorities shall serve as the main point of contact for the management of large-scale incidents and crises.
Amendment 320 #
2020/0359(COD)
Proposal for a directive
Article 9 – paragraph 2
2. Member States shall ensure that each CSIRT has adequate resources and the technical capabilities necessary to carry out effectively their tasks as set out in Article 10(3).
Amendment 325 #
2020/0359(COD)
Proposal for a directive
Article 10 – paragraph 1 – point c
(c) CSIRTs shall be equipped with an appropriate system for classifying, routing, and tracking requests, in particular, to facilitate effective and efficient handovers;
Amendment 326 #
2020/0359(COD)
(ca) CSIRTs shall have appropriate codes of conduct in place to ensure the confidentiality and trustworthiness of their operations;
Amendment 327 #
2020/0359(COD)
Proposal for a directive
Article 10 – paragraph 1 – point e
(e) CSIRTs shall be equipped with redundant systems and backup working space to ensure continuity of its services, including full-spectrum connectivity across networks, information systems and services, and devices;
Amendment 328 #
2020/0359(COD)
Proposal for a directive
Article 10 – paragraph 1 – point e a (new)
(ea) CSIRTs shall have appropriate descriptions of the skillsets required by staff to meet the technical capabilities necessary to perform assigned tasks;
Amendment 329 #
2020/0359(COD)
Proposal for a directive
Article 10 – paragraph 1 – point e b (new)
(eb) CSIRTs shall have appropriate internal training frameworks and, where suitable, relevant policies to support external technical training of staff in order to reinforce a culture of continuous improvement;
Amendment 330 #
2020/0359(COD)
Proposal for a directive
Article 10 – paragraph 1 a (new)
1a. CSIRTs shall develop the following technical capabilities to perform their tasks: (a) The ability to conduct real-time monitoring of networks and information systems, and anomaly detection; (b) The ability to support penetration prevention operations including, in particular, the detection and analysis of sophisticated cyber threats; (c) The ability to collect and conduct complex forensic data analysis, and reverse engineering of cyber threats; (d) The ability to filter harmful communication content including, but not limited to, malicious e-mails; (e) The ability to protect data, including personal and sensitive data, from unauthorised exfiltration; (f) The ability to enforce strong authentication and access privileges; (g) The ability to analyse and attribute cyber threats.
Amendment 352 #
2020/0359(COD)
Proposal for a directive
Article 13 – paragraph 3 – point a a (new)
(aa) facilitating the transfer of technology and relevant measures, policies and frameworks among the CSIRTs;
Amendment 353 #
2020/0359(COD)
Proposal for a directive
Article 13 – paragraph 3 – point g – point v
(v) contribution to the national cybersecurity incident and crisis response plan referred to in Article 7 (34);
Amendment 364 #
2020/0359(COD)
Proposal for a directive
Article 15 – paragraph 1 – point a a (new)
(aa) the general level of cybersecurity awareness amongst citizens and consumers, the security of consumer-facing connected devices, and the security of digital public services and the respective digital infrastructures through which such services are offered to citizens;
Amendment 368 #
2020/0359(COD)
Proposal for a directive
Article 15 – paragraph 1 – point c b (new)
(cb) the alignment of Member States’ national cybersecurity strategies referred to in Article 5, including the level of convergence of key performance indicators for the assessment of the strategies.
Amendment 369 #
2020/0359(COD)
Proposal for a directive
Article 15 – paragraph 2
2. The report shall include the obstacles identified at the national level, particular policy recommendations for increasing the level of cybersecurity across the Union, and a summary of the findings for the particular period from the Agency’s EU Cybersecurity Technical Situation Reports issued by ENISA in accordance with Article 7(6) of Regulation (EU) 2019/881.
Amendment 370 #
2020/0359(COD)
Proposal for a directive
Article 15 – paragraph 2 a (new)
2a. ENISA, in cooperation with the Commission and with guidance from the Cooperation Group and the CSIRTs network, shall prepare the methodological specifications, including the relevant variables underpinning the scoring and validation of the cybersecurity index referred to in paragraph 1(e).
Amendment 372 #
2020/0359(COD)
Proposal for a directive
Article 16 – paragraph 1 – introductory part
1. The Commission shall establish, after consulting the Cooperation Group and ENISA, and at the latest by 18 months following the entry into force of this Directive, the methodology and content of a peer-review system for assessing the effectiveness of the Member States’ cybersecurity policies. ENISA shall develop templates for the self-assessment of the reviewed aspects, which Member States being reviewed shall complete and provide to designated experts prior to the commencement of the peer-review process. The reviews shall be conducted by cybersecurity technical experts drawn from ENISA and at least two Member States different than the one reviewed and shall cover at least the following:
Amendment 374 #
2020/0359(COD)
Proposal for a directive
Article 16 – paragraph 1 – point iii
(iii) the technical capabilities and effectiveness of CSIRTs in executing their tasks;
Amendment 375 #
2020/0359(COD)
Proposal for a directive
Article 16 – paragraph 2
2. The methodology shall include objective, non-discriminatory, fair and transparent criteria on the basis of which the Member States shall designate experts eligible to carry out the peer reviews. The Commission, supported by ENISA, shall develop appropriate codes of conduct underpinning the work methods of designated experts participating in peer-reviews to safeguard the confidentiality of information obtained through the peer-review process, and the non-disclosure of such information to any third parties. ENISA and the Commission shall designate experts to participate as observers in the peer-reviews. The Commission, supported by ENISA, shall establish within the methodology as referred to in paragraph 1 an objective, non-discriminatory, fair and transparent system for the selection and the random allocation of experts for each peer review.
Amendment 376 #
2020/0359(COD)
Proposal for a directive
Article 16 – paragraph 4
4. Peer reviews shall entail actual or virtual on-site visits and off-site exchanges. In view of the principle of good cooperation, the designated experts tasked with carrying out the peer-review shall communicate the aspects under review as referred to in paragraph 1, including any additional targeted issues specific to the Member State or sectors referred to in paragraph 3, and request a corresponding self-assessment report from the Member States being reviewed. The Member States being reviewed shall provide the designated experts with the requested information necessary for the assessment of the reviewed aspects. Any information obtained through the peer review process shall be used solely for that purpose. The experts participating in the peer review shall not disclose any sensitive or confidential information obtained in the course of that review to any third parties.
Amendment 378 #
2020/0359(COD)
Proposal for a directive
Article 16 – paragraph 6
6. Member States shall ensure that any risk of conflict of interests concerning the designated experts are revealed to the other Member States, the Commission and ENISA without undue delay, before the designation of experts referred to in paragraphs 1 and 2.
Amendment 379 #
2020/0359(COD)
Proposal for a directive
Article 16 – paragraph 7
7. Experts participating in peer reviews shall draft reports on the findings and conclusions of the reviews. The reports shall include recommendations to enable improvement on the aspects covered by the peer-review process, including recommendations on the transfer of technologies, tools, measures, and processes from Member States carrying out the peer-review to the Member State being reviewed. The reports shall be submitted to the Commission, the Cooperation Group, the CSIRTs network and ENISA. The reports shall be discussed in the Cooperation Group and the CSIRTs network. The reports may be published on the dedicated website of the Cooperation Group.
Amendment 383 #
2020/0359(COD)
Proposal for a directive
Article 17 – paragraph 2
2. Member States shall ensure that members of the management body of essential and important entities follow specific trainings, and shall encourage essential and important entities to offer similar trainings to all employees, on a regular basis, to gain sufficient knowledge and skills in order to apprehend and assess cybersecurity risks and management practices and their impact on the operations of the entity.
Amendment 389 #
2020/0359(COD)
Proposal for a directive
Article 18 – paragraph 1
1. Member States shall ensure that essential and important entities shall take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services. Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk presented.
Amendment 391 #
2020/0359(COD)
Proposal for a directive
Article 18 – paragraph 2 – point b
(b) incident handling (prevention, detection, mitigation, response to, recovery from, and attribution of incidents);
Amendment 394 #
2020/0359(COD)
Proposal for a directive
Article 18 – paragraph 2 – point c
(c) business continuity, disaster recovery and crisis management;
Amendment 399 #
2020/0359(COD)
Proposal for a directive
Article 18 – paragraph 2 – point f a (new)
(fa) deployment of secured voice, video and text communications, and of secured emergency communications systems within the entity;
Amendment 424 #
2020/0359(COD)
Proposal for a directive
Article 20 – paragraph 1
1. Member States shall ensure that essential and important entities notify, without undue delay, the competent authorities or the CSIRT in accordance with paragraphs 32 and 43 of any incident having a significant impact on. Where the incident concerns the provisions of their services. Where appropriate, those entities shall notify, without undue delay, the recipientsentities’ services, those entities shall notify affected users about the unavailability or underlying risks of use of their services of incidents that are likely to adversely affect the provision of that service in order to mitigate the adverse effects of the incident. Essential and important entities may deviate from notifying affected users in case of overriding reasons inducing, but not limited to, that notification worsening the impact of an ongoing incident. Member States shall ensure that those entities report, among others, any information enabling the competent authorities or the CSIRT to determine any cross-border impact of the incident. The notification shall not make the notifying entity subject to increased liability.
Amendment 431 #
2020/0359(COD)
Proposal for a directive
Article 20 – paragraph 2 – subparagraph 1
Amendment 433 #
2020/0359(COD)
Proposal for a directive
Article 20 – paragraph 2 – subparagraph 2
Amendment 445 #
2020/0359(COD)
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – point -a (new)
(-a) an early warning within 24 hours after having become aware of an incident, without any obligations on the entity concerned to disclose additional information regarding the incident;
Amendment 448 #
2020/0359(COD)
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – point a
(a) without undue delay and in any event within 724 hours after having become aware of the incident, an initial notification, which, where applicable, shall indicate whether the incident is presumably caused by unlawful or malicious action;
Amendment 453 #
2020/0359(COD)
Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – point c – introductory part
(c) a comprehensive report not later than one month after the submission of the report under point (a), including at least the following:
Amendment 463 #
2020/0359(COD)
Proposal for a directive
Article 20 – paragraph 5
5. The competent national authorities or the CSIRT shall provide, within 24 hours after receiving the initial notification referred to in point (ab) of paragraph 43, a response to the notifying entity, including initial feedback on the incident and, upon request of the entity, guidance on the implementation of possible mitigation measures. Where the CSIRT did not receive the notification referred to in paragraph 1 , the guidance shall be provided by the competent authority in collaboration with the CSIRT. The CSIRT shall provide additional technical support if the concerned entity so requests. Where the incident is suspected to be of criminal nature, the competent national authorities or the CSIRT shall also provide guidance on reporting the incident to law enforcement authorities.
Amendment 471 #
2020/0359(COD)
Proposal for a directive
Article 20 – paragraph 8
8. At the request of the competent authority or the CSIRT, the single point of contact shall forward notifications received pursuant to paragraphs 1 and 2 1 to the single points of contact of other affected Member States. In compliance with Union law, or in accordance with Member State legislation compliant with Union law, the single point of contact shall preserve the security and commercial interests of the essential or important entity reporting the incident, including the confidentiality of the information provided by the reporting entity in the notification of the incident, when forwarding the notification to the single points of contact of other affected Member States.
Amendment 475 #
2020/0359(COD)
Proposal for a directive
Article 20 – paragraph 9
9. The single point of contact shall submit to ENISA on a monthly basis a summary report including anonymised and aggregated data on incidents, significant cyber threats and near misses notified in accordance with paragraphs 1 and 2 of this Article, and Article 27. In order to contribute to the provision of comparable information, ENISA may issue technical guidance on the parameters of the information included in the summary report.
Amendment 478 #
2020/0359(COD)
Proposal for a directive
Article 20 – paragraph 10
10. Competent authorities shall provide to the competent authorities designated pursuant to Directive (EU) XXXX/XXXX [Resilience of Critical Entities Directive] information on incidents and cyber threats notified in accordance with paragraphs 1 and 2 by essential entities identified as critical entities, or as entities equivalent to critical entities, pursuant to Directive (EU) XXXX/XXXX [Resilience of Critical Entities Directive].
Amendment 481 #
2020/0359(COD)
Proposal for a directive
Article 20 – paragraph 10 a (new)
10a. ENISA, in cooperation with the Cooperation Group, shall develop common incident notification templates by [date of transposition deadline of the Directive], to streamline the reporting obligations of essential and important entities, and simplify the sharing of relevant information referred to in point (b) of paragraph 1 of this Article.
Amendment 483 #
2020/0359(COD)
Proposal for a directive
Article 20 – paragraph 11
11. The Commission, may adopt implementing acts further specifying the type of information, the format and the procedure of a notification submitted pursuant to paragraphs 1 and 2. The Commission may also adopt implementing shall be empowered to adopt delegated acts to further specifying the cases in which an incident shall be considered significant as referred to in paragraph 3. Those implementing acts shall be adopte2, and in accordance with the examination procedureercise of delegation power referred to in Article 37(2)6.
Amendment 488 #
2020/0359(COD)
Proposal for a directive
Article 21 – paragraph 1
1. In order to demonstrate compliance with certain requirements of Article 18, and following guidance from ENISA, the Commission, and the Cooperation Group, Member States shall encourage essential and important entities to certify certain ICT products, ICT services and ICT processes, developed either by the essential and important entities or procured from third parties, under specific European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881, or under equivalent and internationally accepted certification schemes.
Amendment 502 #
2020/0359(COD)
Proposal for a directive
Article 23 – paragraph 1
1. For the purpose of contributing to the security, stability and resilience of the DNS, Member States shall ensure that TLD registries and the entities providing domain name registration services for the TLD shall collect and maintain accurate and complete domain name registration data in a dedicated database facility with due diligence subject to Union data protection law as regards data which are personal data.
Amendment 505 #
2020/0359(COD)
Proposal for a directive
Article 23 – paragraph 4
4. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD make publicly available, within 72 hours after the registration of a domain name, domain registration data of legal persons as registrants.
Amendment 507 #
2020/0359(COD)
Proposal for a directive
Article 23 – paragraph 5
5. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD provide access to specific domain name registration data, including personal data, upon duly justified requests of legitimate access seekers, in compliance with Union data protection law. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD reply within 72 hours to all requests for access. Member States shall ensure that policies and procedures to disclose such data are made publicly available. The Commission may adopt implementing acts laying out the requirements to be demonstrated by legitimate access seekers to TLD registries and entities providing domain name registration services before access to specific domain name registration data is granted. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 37(2).
Amendment 518 #
2020/0359(COD)
Proposal for a directive
Article 25 – paragraph 1 – introductory part
1. ENISA shall create and maintain a registry for essential and important entities referred to in Article 24(1). ENISA shall establish appropriate information classification and management protocols to ensure the security and confidentiality of disclosed information, and restrict the access, storage, and transmission of such information to intended users. The entities shall submit the following information to ENISA by [12 months after entering into force of the Directive at the latest]:
Amendment 523 #
2020/0359(COD)
Proposal for a directive
Article 26 – paragraph 1 – introductory part
1. Without prejudice to Regulation (EU) 2016/679, Member States shall ensure that essential and important entities may exchange relevant cybersecurity information among themselves including information relating to cyber threats, near misses, vulnerabilities, indicators of compromise, tactics, techniques and procedures, cybersecurity alerts and configuration tools, where such information sharing:
Amendment 528 #
2020/0359(COD)
Proposal for a directive
Article 26 – paragraph 2
2. Member States shall facilitate the exchange of information by enabling the establishment of trusted communities of essential and important entities. Such exchange shall be implemented through information sharing arrangements in respect of the potentially sensitive nature of the information shared and in compliance with the rules of Union law referred to in paragraph 1.
Amendment 529 #
2020/0359(COD)
Proposal for a directive
Article 26 – paragraph 3
3. Member States shall set out rules specifying the procedure,facilitate information sharing by making operational elements (including the use of dedicated ICT platforms), and content and conditionsvailable of the information sharing arrangements referred to in paragraph 2. Such rul, and may impose certain conditions on the information made available by competent authorities or CSIRTs. Member States shall also lay down the details of the involvement of public authorities in such arrangements, as well as operational elements, including the use of dedicated IT platforms. Member States shall offer support to the application of such arrangements in accordance with their policies referred to in Article 5(2) (g(l).
Amendment 546 #
2020/0359(COD)
Proposal for a directive
Article 29 – paragraph 2 – point c
(c) targeted security audits based on risk assessments performed by the competent authorities, risk assessments performed by the audited entity, or in the absence thereof, risk-related available information;
Amendment 552 #
2020/0359(COD)
Proposal for a directive
Article 29 – paragraph 4 – point i
Amendment 557 #
2020/0359(COD)
Proposal for a directive
Article 29 – paragraph 5 – subparagraph 1 – point a
(a) where applicable, temporarily suspend or request a certification or authorisation body to temporarily suspend a certification or authorisation concerning part or all the services or activities provided by an essential entity until the entity takes the necessary action to remedy the deficiencies or comply with the requirements of the competent authority for which such sanctions were applied;
Amendment 565 #
2020/0359(COD)
Proposal for a directive
Article 29 – paragraph 5 – subparagraph 1 – point b
(b) impose or request the imposition by the relevant bodies or courts according to national laws of a temporary ban against any person discharging managerial responsibilities at chief executive officer or legal representative level in that essential entity, and of any other natural person held responsible for the breach, from exercising managerial functions in that entity from exercising managerial functions in that entity. This provision shall not apply to public administration entities as referred to in point (23) of Article 4.
Amendment 566 #
2020/0359(COD)
Proposal for a directive
Article 29 – paragraph 5 – subparagraph 2
Amendment 570 #
2020/0359(COD)
Proposal for a directive
Article 29 – paragraph 7 – point c
(c) the actual damage caused or losses incurred or potential damage or losses that could have been triggered, insofar as they can be determined. Where evaluating this aspect, account shall be taken, amongst others, of actual or potentialincluding financial or economic losses, effects on other services, and the number of users affected or potentially affected;
Amendment 574 #
2020/0359(COD)
Proposal for a directive
Article 30 – paragraph 2 – point b
(b) targeted security audits based on risk assessments performed by the competent authority, risk assessments performed by the audited entity, or in the absence thereof, risk-related available information;
Amendment 575 #
2020/0359(COD)
Proposal for a directive
Article 30 – paragraph 2 – point c
(c) security scans based on objective, non-discriminatory, fair and transparent risk assessment criteria;
Amendment 577 #
2020/0359(COD)
Proposal for a directive
Article 30 – paragraph 4 – point h
Amendment 582 #
2020/0359(COD)
Proposal for a directive
Article 32 – paragraph 1
1. Where the competent authorities have indications that the infringement by an essential or important entity of the obligations laid down in Articles 18 and 20 entails a personal data breach, as defined by Article 4(12) of Regulation (EU) 2016/679 which shall be notified pursuant to Article 33 of that Regulation, they shall inform the supervisory authorities competent pursuant to Articles 55 and 56 of that Regulation without undue delay.
Amendment 586 #
2020/0359(COD)
Proposal for a directive
Article 35 – paragraph 1 a (new)
As regards Digital Providers referred to in point (6) of Annex II, where platforms operated by such important entities are classified as very large online platforms within the meaning of Article 25 of Regulation (EU) XXXX/XXXX [Single Market For Digital Services (Digital Services Act) and amending Directive 2000/31/EC], or where the providers of core platform services are designated as gatekeepers within the meaning of Article 3 of Regulation (EU) XXXX/XXXX [Contestable and fair markets in the digital sector (Digital Markets Act)], these providers shall be designated as essential entities within the meaning of this Directive to adequately address the functioning of the economy and society in relation to cybersecurity, given the systemic risk stemming from the functioning and use made of their services in the Union, or the important gateway function that their core platform services serve for business users to reach end users.
Amendment 264 #
2020/0340(COD)
Proposal for a regulation
Article 5 – paragraph 6
(6) Where the re-use of data cannot be granted in accordance with the obligations laid down in paragraphs 3 to 5 and there is no other legal basis for transmitting the data under Regulation (EU) 2016/679, the public sector body shall support re-users in seeking consent of the data subjects and/or permission from the legal entities whose rights and interests may be affected by such re-use, where it is feasible without disproportionate cost for the public sector. In that task they may be assisted by the competent bodies referred to in Article 7 (1). All processing of personal data shall occur in full compliance with the GDPR and be accompanied by appropriate data protection safeguards. Re-use of data must be conditional on the signature by the re-user of a confidentiality agreement as set out in recital 11.
Amendment 322 #
2020/0340(COD)
Proposal for a regulation
Article 12 – paragraph 3
(3) The designated competent authorities, the data protection authorities, the national competition authorities, the authorities in charge of cybersecurity, and other relevant sectorial authorities shall exchange the information which is necessary for the exercise of their tasks in relation to data sharing providers. The data protection authorities shall be designated as the main competent authorities for the supervision and enforcement of the provisions under Chapter IV of the Regulation.
Amendment 390 #
2020/0340(COD)
Proposal for a regulation
Article 5 – paragraph 6
(6) Where the re-use of data cannot be granted in accordance with the obligations laid down in paragraphs 3 to 5 and there is no other legal basis for transmitting the data under Regulation (EU) 2016/679, the public sector body shall support re-users in seeking consent of the data subjects and/or permission from the legal entities whose rights and interests may be affected by such re-use, where it is feasible without disproportionate cost for the public sector. In that task they may be assisted by the competent bodies referred to in Article 7 (1). All processing of personal data shall occur in full compliance with the GDPR and be accompanied by appropriate data protection safeguards. Re-use of data must be conditional on the signature by the re-user of a confidentiality agreement as set out in Recital 11.
Amendment 534 #
2020/0340(COD)
Proposal for a regulation
Article 12 – paragraph 3
(3) The designated competent authorities, the data protection authorities, the national competition authorities, the authorities in charge of cybersecurity, and other relevant sectorial authorities shall exchange the information which is necessary for the exercise of their tasks in relation to data sharing providers. The data protection authorities shall be designated as the main competent authorities for the supervision and enforcement of the provisions under Chapter IV of the Regulation.
Amendment 632 #
2020/0340(COD)
Proposal for a regulation
Article 20 – paragraph 3
(3) The competent authority shall undertake its tasks in cooperation with the data protection authority, where such tasks are related to processing of personal data, and with relevant sectoral bodies of the same Member State. For any question requiring an assessment of compliance with Regulation (EU) 2016/679, the competent authority shall first seek an opinion or decision by the competent supervisory authority established pursuant to that Regulation and comply with that opinion or decision. The data protection authorities shall be designated as the main competent authorities for the supervision and enforcement of the provisions under Chapter IV of the Regulation.
Amendment 23 #
2019/2166(INI)
Motion for a resolution
Citation 15 a (new)
— having regard to its resolution of 21 January 2021 on the EU Strategy for Gender Equality (2019/2169(INI)),
Amendment 88 #
2019/2166(INI)
Motion for a resolution
Recital E a (new)
E a. Whereas education plays a fundamental role in building children’s and young people’s skills to form healthy relationships, notably by addressing gender norms, gender equality, power dynamics in relationships, consent, respect for boundaries, and helps to combat gender-based violence; whereas according to the UNESCO International technical guidance on sexuality education, curriculum-based programmes on comprehensive sexuality education (CSE) enable children and young people to develop knowledge, attitudes and skills, including respect for human rights, gender equality, consent and diversity and it empowers children and young people;
Amendment 115 #
2019/2166(INI)
Motion for a resolution
Recital H a (new)
H a. Whereas anonymous complaints and complaints later retired by victims may hamper further investigation by the authorities and present an obstacle to the prevention of further violence;
Amendment 155 #
2019/2166(INI)
Motion for a resolution
Recital P a (new)
P a. Whereas article 83(1) of the TFEU provides for the possibility to establish minimum rules concerning the definition of criminal offences and sanctions in the areas of particularly serious crime with a cross-border dimension resulting from the nature or impact of such offences or from a special need to combat them on a common basis; whereas on the basis of developments in crime, the Council may adopt a decision identifying other areas of crime that meet the criteria specified in the paragraph, after obtaining the consent of the European Parliament. Whereas article 83 (2) of the TFEU provides for the possibility to establish minimum rules with regard to the definition of criminal offences and sanctions, in order to ensure the effective implementation of a Union policy in an area which has been subject to harmonisation measures
Amendment 161 #
2019/2166(INI)
Motion for a resolution
Paragraph 1
1. Condemns in the strongest possible terms all forms of violence against women and deplores the fact that women continue to be exposed to intimate partner violence which constitutes a serious violation of their human rights and dignity;
Amendment 164 #
2019/2166(INI)
Motion for a resolution
Paragraph 1 a (new)
1 a. Points out that the Istanbul Convention is a pivotal instrument against gender-based violence; deplores the fact that the Convention has not been ratified by the European Union yet; regrets that to this date only 21 EU Member States have ratified it; notes with great concern that the effective implementation of the Convention is still patchy across Europe; calls therefore on the Member States that ratified the Convention to step up their efforts in ensuring its full implementation; condemns the attempts at setting back progresses made in the fight against gender-based violence, including domestic violence, that are going on in some Member states; supports the Commission’s plan to continue pushing for the EU-wide ratification of the Istanbul Convention; calls on remaining Member States to swiftly complete the ratification process; underlines, in this context, the need for specific measures to address the existing disparities in laws, policies and services between Member States and the increase in domestic and gender-based violence during the COVID-19 pandemic; warmly welcomes, therefore, the Commission’s intention to propose a directive to tackle all forms of gender-based violence to complement and achieve the objectives of the Istanbul Convention, as the EU’s accession remains blocked; calls on the Council to add gender-based violence to the list of criminal offences in the EU;
Amendment 172 #
2019/2166(INI)
Motion for a resolution
Paragraph 1 b (new)
1 b. Welcomes the EU Strategy on victims’ rights (2020-2025) which will address the specific needs of victims of gender-based violence, in particular a specific approach for psychological violence against women and the impact on their mental health in the long run; stresses the need to address the current gaps in the EU legislation and asks the Commission to put forward, without delay, a proposal for a review of the Victims’ Rights Directive with regard to international standards on violence against women, such as the Istanbul Convention, with a view to enhancing the legislation on victims’ rights and the protection and compensation of victims; stresses the need for all victims to have effective access to justice through the implementation of the Victims’ Rights Directive, which is still lacking in some Member States; asks for the continued promotion of victims’ rights also through existing instruments such as the European Protection Order;
Amendment 175 #
2019/2166(INI)
Motion for a resolution
Paragraph 1 c (new)
1 c. Calls on the Commission to develop a European Union protocol on violence against women in times of crisis and emergency to prevent violence against women and to support victims of gender-based violence during emergencies such as the COVID-19 pandemic; highlights that this protocol should include essential protection services for victims; calls on the Commission to coordinate the sharing of best practices between the Member States, to promote accurate and comparative data collection, to accurately measure the extent of such violence, to consider the possibility of producing forecasts, and to assess the impact of COVID-19 on the provision of key services to victims; stresses the need to urgently collect harmonised data on gender-based violence and calls on the Member States to collect and provide the relevant data when requested, including to Eurostat; welcomes the Commission’s commitment to carry out a new EU survey on gender-based violence with the results to be presented in 2023; underlines the urgency of completing such a survey due to the spike in gender-based violence, and especially domestic violence, during the COVID-19 pandemic;
Amendment 178 #
2019/2166(INI)
Motion for a resolution
Paragraph 1 d (new)
1 d. Encourages the exchange between Member States of guidelines, good practices and protocols that have proved effective in addressing intimate partner violence, especially during emergencies; stresses that arrest in flagrante delicto should be compulsory and that, if legal conditions for arrest are not met, the alleged abuser should nonetheless be immediately removed from the victim's house and kept away from the victim's workplace to prevent the risk of further violence;
Amendment 182 #
2019/2166(INI)
Motion for a resolution
Paragraph 1 e (new)
1 e. Points out that education is pivotal to eradicating gender-based violence, and intimate partner violence in particular; calls on Member States to include issues such as equality between women and men, non-stereotyped gender roles, mutual respect, non-violent conflict resolution in interpersonal relationships, gender-based violence against women and the right to personal integrity, age appropriate sexuality education, adapted to the evolving capacity of learners, in formal curricula and at all levels of education;
Amendment 183 #
2019/2166(INI)
Motion for a resolution
Paragraph 1 f (new)
1 f. Urges the Member States to continue analysing data on and tendencies in the prevalence of and reporting on domestic violence, as well as the consequences for children; asks the Member States to establish safe and flexible emergency warning systems, offer new assistance services by phone, email and text message for direct police outreach and online services such as helplines, concealed apps, digital platforms, pharmacy networks, and provide emergency funding to support services, non-governmental organisations and civil society organisations (CSOs); calls on the Member States to ensure that support services take a coordinated approach to identifying women at risk, to ensure that all these measures are available and accessible to all women and girls within their jurisdiction; invites the Member States to share national innovations and best practices in addressing gender-based violence to better identify and promote efficient practices, and calls on the Commission to promote those practices;
Amendment 285 #
2019/2166(INI)
Motion for a resolution
Paragraph 10
Amendment 320 #
2019/2166(INI)
Motion for a resolution
Paragraph 11 a (new)
Amendment 331 #
2019/2166(INI)
Motion for a resolution
Paragraph 11 b (new)
11 b. Encourages good practices already existing in some Member States to prevent further violence, such as the recording of the victims' telephone numbers in special lists related to stalking and intimate partner violence, in order to give absolute priority to possible future calls during emergencies and facilitate effective law-enforcement interventions;
Amendment 333 #
2019/2166(INI)
Motion for a resolution
Paragraph 11 c (new)
11 c. Emphasises that the certainty of punishment of abusers is essential to both deter further violence and reinforce trust in public authorities, especially by the victims; however, further points out that a prison term by itself is not enough to prevent future violence and that specific rehabilitation and re-education programs are necessary; calls on the Member States to set up or support programmes aimed at teaching perpetrators of domestic violence to adopt non-violent behaviour in interpersonal relationships with a view to preventing further violence and changing violent behavioural patterns; highlights that the safety of, support for and the human rights of victims are of primary concern and that, where appropriate, these programmes should be set up and implemented in close coordination with specialist support services for victims
Amendment 362 #
2019/2166(INI)
Motion for a resolution
Paragraph 14 a (new)
14 a. Points out that fair remuneration and economic independence are key factors for enabling women to leave abusive and violent relationships; calls on the Commission and the Member States to promote and support such independence, including through the support of women entrepreneurs and workers; welcomes the proposal for a directive on adequate minimum wages and the proposal for binding pay transparency measures;
Amendment 9 #
2019/2164(INI)
Motion for a resolution
Citation 10 a (new)
- having regard to the 2020 Women in Digital Scoreboard 1a,
_________________
1a https://ec.europa.eu/digital-single-market/en/news/digital-economy-scoreboard-shows-women-europe-are-less-likely-work-or-be-skilled-ict
Amendment 25 #
2019/2164(INI)
Motion for a resolution
Recital B
B. whereas the EU is facing an unparalleled shortage of women in science, technology, engineering and mathematics (STEM) careers and education, particularly considering that women make up 52 % of the European population, yet only account for 2 out of 5 scientists and engineers 6; whereas although there has been a positive trend in the involvement and interest of girls in STEM education, the percentages remain insufficient; whereas attitudes towards STEM do not differ between boys and girls through primary education, and in many cases girls often outperform boys in STEM and ICT-related tasks 7; whereas, however, girls fear that they will be less successful than boys in STEM-related careers; whereas women are under-represented at all levels in the digital sector in Europe, from students (32% at Bachelor, Master or equivalent level) up to top academic positions (15%); whereas the gap is largest in ICT specialist skills and employment, where only 18% are women in the EU 7a;
_________________
6 Eurostat, Human resources in science and technology, annual average data 2016-2020.
7 O’Dea, R.E., Lagisz, M., Jennions, M.D. et al., Gender differences in individual variation in academic grades fail to fit expected patterns for STEM, Nature Communications 9, 3777, 2018.
7a https://ec.europa.eu/digital-single-market/en/news/digital-economy-scoreboard-shows-women-europe-are-less-likely-work-or-be-skilled-ict
Amendment 37 #
2019/2164(INI)
Motion for a resolution
Recital C a (new)
C a. whereas gender stereotypes greatly influence subject choices; whereas very few teenage girls in EU Member States (less than 3 %) express an interest in working as an ICT professional at the age of 30 1a; whereas teachers and parents can deepen gender stereotypes by discouraging girls from pursuing a career in ICT; whereas eliminating gender-specific expectations about professions and fostering female role models in science, technology, engineering and mathematics (STEM) and ICT can encourage girls to study ICT;
_________________
1a 2018 International Computer and Information Literacy Study (ICILS).
Amendment 44 #
2019/2164(INI)
Motion for a resolution
Recital D
D. whereas the low numbers of women who work in innovative technologies, such as artificial intelligence (AI), can negatively affect the design, development and implementation of these technologies, causing the replication of existing discriminatory practices and stereotypes, and the development of ‘gender-biased algorithms’; whereas efforts to tackle gender bias and inequality in the digital sector are insufficient; whereas the gender gap persists across all digital technology domains and especially with regard to AI, thereby solidifying a male-biased trajectory for the digital sector in the foreseeable future;
Amendment 59 #
2019/2164(INI)
Motion for a resolution
Recital E a (new)
E a. whereas 30% of entrepreneurs in Europe are women, but they only receive 2% of the non-bank financing available 1a; whereas this figure seems to have dropped to 1% with the pandemic;
_________________
1a Funding women entrepreneurs. How to empower growth. European Commission, 2018
Amendment 62 #
2019/2164(INI)
Motion for a resolution
Recital E b (new)
E b. whereas the COVID-19 crisis is likely to result in permanent changes to life in Europe, in which digitalisation will have a major role; whereas COVID-19 is also widening the digital gender gap 1a, as women's digital literacy is lacking and the majority of services are digitalized;
_________________
1a http://www.oecd.org/digital/bridging-the-digital-gender-divide.pdf
Amendment 65 #
2019/2164(INI)
Motion for a resolution
Recital E c (new)
E c. whereas the FRA’s survey on violence against women shows that 14 % of women have experienced cyber harassment since the age of 15; whereas high incidences of sexual harassment have been reported in STEM education sites, which further excludes women from the sector; whereas many women have been the victims of new forms of online sexual and psychological harassment during the COVID-19 period; whereas measures to address these new forms of sexual and psychological harassment are urgently needed; whereas the hyper-sexualisation and exploitation of women online, in particular via internet pornography, have a devastating effect on the construction of sexuality and on gender equality;
Amendment 98 #
2019/2164(INI)
Motion for a resolution
Paragraph 5
5. Calls on the Member States to combat gendered labour market segmentation in STEM careers by investing in formal, informal and non-formal education, lifelong learning and vocational training for women to ensure their access to high-quality employment and opportunities to re- and up-skill for future labour market demand and avoiding the present vicious circle of segregation of labour; calls, in particular, for greater promotion of entrepreneurship, STEM subjects and digital education for girls from an early age, in order to combat existing educational stereotypes and ensure more women enter developing and well-paid sectors;
Amendment 102 #
2019/2164(INI)
Motion for a resolution
Paragraph 5 a (new)
5 a. Emphasizes that COVID-19 is opening a new stage in the world of work, education, governance and everyday life; therefore, digital literacy and capabilities are becoming very important, as well as new conditions on teleworking that have shown an important gender divide during the pandemic and lockdowns; highlights the urgency to promote gender balance in the digital sector due to the way that people and companies use ICT and other digital technologies to work and interact for the new digital society;
Amendment 109 #
2019/2164(INI)
Motion for a resolution
Paragraph 6
6. Welcomes the Digital Education Action Plan 2021-2027 and its action to ‘Encourage women’s participation in STEM’, and hopes that it will help to develop more attractive and creative ways to encourage girls to pursue STEM studies, as well as to boost women’s self-confidence in their digital skills; stresses that girls only represent 36% of STEM graduates 1a, despite the fact that girls outperform boys in digital literacy 1b;
_________________
1a https://op.europa.eu/en/publication-detail/-/publication/9540ffa1-4478-11e9-a8ed-01aa75ed71a1/language-en.
1b 2018 International Computer and Information Literacy Study (ICILS).
Amendment 113 #
2019/2164(INI)
Motion for a resolution
Paragraph 6 a (new)
6 a. Highlights that participation of girls and women in the field of science, technology, engineering, arts and mathematics (STEAM) must be actively promoted through concrete policy action to foster their full participation and inclusion in the digital economy;
Amendment 119 #
2019/2164(INI)
Motion for a resolution
Paragraph 7
7. Recognises the role of school and teachers in eliminating the gender gap in STEM education, and highlights the role of education in promoting the presence of girls in STEM-related courses and in establishing benchmarks to monitor female recruitment and retention; highlights that education systems and the overall learning environment play a pivotal role in determining girls’ interests in STEAM - including Arts - subjects and in providing equal opportunities to access high quality STEAM education;
Amendment 136 #
2019/2164(INI)
Motion for a resolution
Paragraph 8 a (new)
8 a. Emphasises the need for investment in education and training and gender-sensitive recruitment and selection processes across private and public sectors, and particularly in future-oriented sectors such as STEM and the digital sector where women are underrepresented; highlights in that regard that discrimination on grounds of gender damages not only the individual but also society as a whole;
Amendment 201 #
2019/2164(INI)
Motion for a resolution
Paragraph 15
15. Highlights that one of AI’s most critical weaknesses relates to certain types of biases such as gender, race or sexual orientation as a result of humans’ inherent biases; encourages the relevant actors to take action and promote a greater role for women in the design, development and implementation of machine learning, natural language processing and AI; underlines that AI must not reinforce gender inequalities and stereotypes by transforming analogue biases and prejudices into digital ones through algorithms;
Amendment 203 #
2019/2164(INI)
Motion for a resolution
Paragraph 15 a (new)
15 a. Stresses the need for social dialogue as regards the implementation of AI in general and ahead of any AI deployment at company level in particular; calls on the Commission and the Member States to ensure trade union access to workplaces, albeit in digital form, in order to promote collective bargaining and guarantee a human-centred approach to AI at work;
Amendment 205 #
2019/2164(INI)
Motion for a resolution
Paragraph 16
16. Recognises that AI, if it is free of underlying biases, can be a powerful tool to overcome gender inequalities and stereotypes through the development of unbiased algorithms that contribute to overall fairness and well-being; stresses the importance of a common European approach with regard to the ethical aspects of AI; underlines that any regulatory framework for AI in the European Union must ensure that consumer and workers’ rights are fully respected in the digital economy, and contribute to better working and employment conditions, including a better work-life balance; stresses, in addition, that the European AI framework must respect European values, Union rules and the principles of the European Pillar of Social Rights;
Amendment 213 #
2019/2164(INI)
Motion for a resolution
Paragraph 17 a (new)
17 a. Calls on the Commission to assist Member States’ competent authorities to pay special attention to new forms of violence against women and girls such as cyber harassment, and cyberstalking 1a and to carry out ongoing evaluations and address them more effectively;
_________________
1a Violence against women: an EU-wide survey. Main results - report by FRA, p. 87
Amendment 41 #
2018/0330B(COD)
Proposal for a regulation
Recital 81 a (new)
(81 a) FADO is specifically created for the purpose of hosting specimen documents and examples of falsified documents that include descriptions of methods of falsification and forgery provided by Member States, and might also host such documents originating from third countries, territorial entities, international organisations and other entities subject to international law. As a direct consequence of that purpose, it should be possible to store personal data in the form of facial images in FADO in so far as the security features of a document cannot be separated from those facial images, or where a false, forged, counterfeit or pseudo document imitates security features that cannot be separated from a facial image. No alphanumeric personal data should be stored in FADO. The European Border and Coast Guard Agency established by Regulation (EU) 2019/... of the European Parliament and of the Council (‘the Agency’) should take the necessary steps to anonymise all elements of personal data which is not necessary in relation to the purposes for which the data is processed in accordance with the principle of data minimisation, provided for in point (c) of Article 4(1) of Regulation (EU) 2018/1725. It should not be possible to retrieve or search any elements of personal data in FADO.
Amendment 45 #
2018/0330B(COD)
Proposal for a regulation
Recital 81 b (new)
(81 b) FADO should contain information on all types of genuine travel, identity, residence and civil status documents, driving licenses and vehicle licenses issued by Member States and falsified versions of such documents in their possession, and might also contain other related official documents that are used when applying for travel, residence or identity documents issued by Member States. It might also contain any such documents issued by third countries, territorial entities, international organisations and other entities subject to international law.
Amendment 46 #
2018/0330B(COD)
Proposal for a regulation
Recital 81 c (new)
(81 c) While Member States can maintain or develop their national systems containing information on genuine and false documents, they should be obliged to provide the Agency with information on genuine travel, identity, residence and civil status documents, driving licenses and vehicle licenses which they issue, and falsified versions of such documents in their possession. The Agency should upload that information to FADO in order to guarantee the uniformity and quality of the information. In particular, Member States should provide all security features of new versions of genuine documents issued by Member States that are covered by this Regulation.
Amendment 47 #
2018/0330B(COD)
(81 d) In order to ensure a high level of control of document fraud by Member States, the Member States’ authorities competent in the area of document fraud such as border police, other law enforcement authorities or certain other third parties should be provided with differing levels of access to FADO, depending on their requirements. As the conditions and measures for granting such access are non-essential elements supplementing this Regulation, they should be laid down by means of delegated acts. Equally, FADO should enable certain users to have at their disposal information on any new forgery methods that are detected and on new genuine documents that are in circulation.
Amendment 51 #
2018/0330B(COD)
Proposal for a regulation
Recital 101 a (new)
Amendment 52 #
2018/0330B(COD)
Proposal for a regulation
Article 80
Amendment 58 #
2018/0330B(COD)
Proposal for a regulation
Article 80 a (new)
Amendment 61 #
2018/0330B(COD)
Proposal for a regulation
Article 80 b (new)
Amendment 65 #
2018/0330B(COD)
Proposal for a regulation
Article 80 c (new)
Article 80 c
Responsibilities of the Agency
1. The Agency shall be responsible for establishing FADO in accordance with this Regulation. The Agency shall ensure the functioning of FADO 24 hours a day, 7 days a week and provide for its maintenance and updating.
2. The Agency shall provide the Member States’ competent authorities with near real-time assistance in the detection and identification of falsified documents.
3. The Agency shall be responsible for uploading the information received from the Member States in a timely and efficient manner in order to guarantee the uniformity and quality of the data while ensuring the respect for the principle of data minimisation provided for in point (c) of Article 4(1) of Regulation (EU) 2018/1725.
4. The Agency shall be responsible for uploading information on documents from third countries, territorial entities, international organisations and other entities subject to international law, and information on falsifications thereof.
Amendment 68 #
2018/0330B(COD)
Proposal for a regulation
Article 80 d (new)
Article 80 d
FADO architecture and access to the system
The FADO architecture shall enable:
(a) document experts of the Member States’ authorities competent in the area of document fraud, such as border police and other law enforcement authorities, to access the system in an unrestricted manner;
(b) Member States’ authorities and third parties, such as Union institutions, bodies, offices and agencies, to access the system in a restricted manner where they require access to limited information regarding the security features and falsification of documents;
(c) third parties, such as airlines, third countries or international organisations that do not require detailed information regarding the security features and falsification of documents to access the system in a restricted manner, but shall not grant them access to any personal data that are not subject to the consent of the individual concerned;
(d) the public to access the system in a restricted manner for specimen documents but shall not grant it access to personal data that are not subject to the consent of the individual concerned; the public shall only be provided with access to public information on security features.
Amendment 71 #
2018/0330B(COD)
Proposal for a regulation
Article 80 e (new)
Article 80 e
Processing of personal data by the Agency
The Agency shall apply Regulation (EU) 2018/1725 when processing personal data. In accordance with Article 80b, the Agency shall upload personal data, in the form of facial images, only to the extent that those images are strictly necessary to describe or illustrate the security feature or the method of falsification.
Amendment 72 #
2018/0330B(COD)
Proposal for a regulation
Article 80 f (new)
Article 80 f
Delegated and implementing acts
1. The Commission shall adopt delegated acts in accordance with Article 80g concerning:
(a) the establishment of measures granting access to FADO to Member States’ authorities competent in the area of document fraud;
(b) the establishment of measures granting restricted access to FADO to third parties such as airlines, Union institutions, bodies, offices and agencies, third countries or international organisations.
2. The Commission shall adopt implementing acts in accordance with Article X concerning the establishment of:
(a) the technical specifications for entering and storing information into the system;
(b) the procedures for controlling and verifying the information contained in the system;
(c) the determination of the date of the effective implementation of FADO by the Agency.
Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article X.
Amendment 73 #
2018/0330B(COD)
Proposal for a regulation
Article 80 g (new)
Article 80 g
Exercise of delegation
1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.
2. The power to adopt delegated acts referred to in Article 80f(1) shall be conferred on the Commission for an indeterminate period of time from … [date of entry into force of this Regulation].
3. The delegation of power referred to in Article 80f(1) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.
4. Before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making.
5. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.
6. A delegated act adopted pursuant to Article 80f(1) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and to the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or of the Council.
Amendment 287 #
2018/0108(COD)
Proposal for a regulation
Recital 11 a (new)
(11 a) The respect for private and family life and the protection of natural persons regarding the processing of personal data are fundamental rights. In accordance with Articles 7 and 8(1) of the Charter and Article 16(1) of the TFEU, everyone has the right to respect for his or her private and family life, home and communications and to the protection of personal data concerning them. When implementing this Regulation, Member States should ensure that privacy and personal data are protected and processed only in accordance with Regulation (EU) 2016/679, Directive (EU) 2016/680 and Directive 2002/58/EC.
Amendment 344 #
2018/0108(COD)
Proposal for a regulation
Recital 40
(40) The requested data should be transmitted to the authorities at the latest within 10 days upon receipt of the EPOC. Upon receipt of the European Production Order Certificate (EPOC), the executing authority shall recognise the EPOC, when transmitted in accordance with this Regulation, without any measure or formality being necessary, and ensure its execution in an identical manner and under the same modalities as if the investigative measure concerned had been ordered by an authority of the executing State, within 10 days upon receipt of the EPOC. Within that period of 10 days, the executing authority should be able to object to the European Production Order and invoke one of the grounds for non-recognition or non-execution provided for in this Regulation, while the service provider should preserve the requested data. Where the executing authority objects, it should inform the issuing authority, the service provider and, where applicable, the affected authority of such decision. If the executing authority has not invoked any of the grounds listed in this Regulation within that 10 days period, the service provider to which the order is addressed should be required to immediately ensure that the requested data is transmitted directly to the issuing authority or to the law enforcement authorities as indicated in the EPOC.
Amendment 346 #
2018/0108(COD)
Proposal for a regulation
Recital 40 a (new)
(40 a) In emergency cases, the executing authority should recognise the EPOC, when transmitted in accordance with this Regulation, without any measure or formality being necessary and ensure its execution in the same way and under the same modalities as if the investigative measure concerned had been ordered by an authority of the executing State, within 24 hours upon receipt of the EPOC, while the service provider should preserve the requested data. If the executing authority has not invoked any of the grounds listed in this Regulation within that 24 hours period, the service provider to which the order is addressed should immediately ensure that the requested data is transmitted directly to the issuing authority or to the law enforcement authorities as indicated in the EPOC.
Amendment 352 #
2018/0108(COD)
Proposal for a regulation
Recital 42
(42) Upon receipt of a European Preservation Order Certificate (‘EPOC-PR’), the executing authority should recognise the EPOC-PR, when transmitted in accordance with this Regulation, without any measure or formality being necessary and ensure its execution in the same way and under the same modalities as if the investigative measure concerned had been ordered by an authority of the executing State, within 10 days upon receipt of the EPOC-PR. Within that 10 days period, the executing authority should be able to object to the European Preservation Order and invoke one of the grounds for non-recognition or non-execution provided for in this Regulation, while the service provider should preserve the requested data. Where the executing authority objects, it should inform the issuing authority and the service provider of such decision and the preservation should cease immediately. If the executing authority has not invoked any of the grounds listed in this Regulation within that 10 days period, the service provider to which the order is addressed should continue to preserve the data for a 30 days period, renewable once. If the issuing authority confirms within that 30 days period that the subsequent EPOC has been issued, the service provider should preserve the data as long as necessary for the execution of the European Production Order. If the preservation is no longer necessary, the issuing authority should inform the addressees without undue delay.
Amendment 445 #
2018/0108(COD)
Proposal for a regulation
Article 2 – paragraph 1 – point 10
(10) ‘content data’ means the content stored, transmitted, distributed or exchanged by means of electronic communications services, such as text, voice, videos, images, and sound; where metadata of other electronic communications services or protocols are stored, transmitted, distributed or exchanged by using the respective services, they are to be considered content data for the respective service;
Amendment 495 #
2018/0108(COD)
Proposal for a regulation
Article 5 – paragraph 4 – introductory part
4. European Production Orders to produce traffic data or content data may only be issued for criminal offences punishable in the issuing State by a custodial sentence of a maximum of at least 5 years, except for IP addresses.
Amendment 583 #
2018/0108(COD)
Proposal for a regulation
Article 9 – paragraph 1
1. Upon receipt of the EPOC, the executing authority shall recognise the EPOC, when transmitted in accordance with this Regulation, without any measure or formality being necessary and ensure its execution in the same way and under the same modalities as if the investigative measure concerned had been ordered by an authority of the executing State, within 10 days upon receipt of the EPOC, unless the issuing authority indicates reasons for earlier disclosure.
Amendment 592 #
2018/0108(COD)
Proposal for a regulation
Article 9 – paragraph 1 a (new)
1 a. Within the period of 10 days referred to in paragraph 1, while the service provider shall preserve the requested data, the executing authority may object to the EPOC and invoke one of the grounds for non-recognition or non-execution provided for in Article 10a. In that case, it shall inform the issuing authority, the service provider and, where applicable, the affected authority of such decision.
Amendment 594 #
2018/0108(COD)
Proposal for a regulation
Article 9 – paragraph 1 b (new)
1 b. If the executing authority has not invoked any of the grounds listed in Article 10a within the 10-day period, the service provider to which the order is addressed shall ensure that the requested data is immediately transmitted directly to the issuing authority or the law enforcement authorities as indicated in the EPOC.
Amendment 595 #
2018/0108(COD)
Proposal for a regulation
Article 9 – paragraph 2
2. In emergency cases, the executing authority shall recognise the EPOC, when transmitted in accordance with this Regulation, without any measure or formality being necessary and ensure its execution in the same way and under the same modalities as if the investigative measure concerned had been ordered by an authority of the executing State, within 24 hours upon receipt of the EPOC, while the service provider shall preserve the requested data.
Amendment 602 #
2018/0108(COD)
Proposal for a regulation
Article 9 – paragraph 2 a (new)
2 a. If the executing authority has not invoked any of the grounds listed in Article 10a within the 24-hour period referred to in paragraph 2, the addressed service provider shall ensure that the requested data is immediately transmitted directly to the issuing authority or the law enforcement authorities as indicated in the EPOC.
Amendment 603 #
2018/0108(COD)
Proposal for a regulation
Article 9 – paragraph 2 b (new)
2 b. Where it is clear that the person whose data is sought is residing neither in the issuing State nor in the executing State, and the affected authority believes that one of the grounds for non-recognition or non-execution listed in Article 10a exists, it shall immediately inform the executing authority, based on a reasoned opinion. The executing authority shall take this reasoned opinion duly into account.
Amendment 625 #
2018/0108(COD)
Proposal for a regulation
Article 10 – paragraph 1
1. Upon receipt of the EPOC-PR, the executing authority shall recognise the EPOC-PR, when transmitted in accordance with this Regulation, without any measure or formality being necessary and ensure its execution in the same way and under the same modalities as if the investigative measure concerned had been ordered by an authority of the executing State, within 10 days of receipt of the EPOC-PR.
Amendment 633 #
2018/0108(COD)
Proposal for a regulation
Article 10 – paragraph 1 a (new)
1 a. Within the 10-day period referred to in paragraph 1, while the service provider shall preserve the requested data, the executing authority may object to the EPOC-PR and invoke one of the grounds for non-recognition or non-execution provided for in Article 10a. In that case, it shall inform the issuing authority and the service provider of such decision and the preservation shall cease immediately.
Amendment 636 #
2018/0108(COD)
Proposal for a regulation
Article 10 – paragraph 1 b (new)
1 b. If the executing authority has not invoked any of the grounds listed in Article 10a within the 10 days period, the service provider to which the order is addressed shall continue to preserve the data for a period of 30 days, renewable once.
Amendment 639 #
2018/0108(COD)
Proposal for a regulation
Article 10 – paragraph 2
2. If the issuing authority confirms within the 30-day period referred to in paragraph 1b that the subsequent European Production Order has been issued, the service provider shall preserve the data as long as necessary for the execution of that European Production Order pursuant to Article 9.
Amendment 640 #
2018/0108(COD)
Proposal for a regulation
Article 10 – paragraph 3
3. If the preservation is no longer necessary, the issuing authority shall inform the addressees without undue delay and the preservation shall cease immediately.
Amendment 665 #
2018/0108(COD)
Amendment 666 #
2018/0108(COD)
Proposal for a regulation
Article 11 – title
Amendment 674 #
2018/0108(COD)
Proposal for a regulation
Article 11 – paragraph 1
1. The addressees and, if different, service providers shall inform the person whose data is being sought, without undue delay. When informing the person, the addressees shall include information about any available remedies as referred to in Article 17 and shall take the necessary measures to ensure the confidentiality of the EPOC or the EPOC-PR and of the data produced or preserved and where requested by the issuing authority, shall refrain from informing the person whose data is being sought in order not to obstruct the relevant criminal proceedings.
Amendment 677 #
2018/0108(COD)
Proposal for a regulation
Article 11 – paragraph 1 a (new)
1 a. Upon a duly justified request by the issuing authority, based on a court order, addressees shall refrain from informing the person whose data is being sought, in order not to obstruct the relevant criminal proceedings.
Amendment 680 #
2018/0108(COD)
Proposal for a regulation
Article 11 – paragraph 2
2. Where the issuing authority requested the addressees to refrain from informing the person whose data is being sought, upon a duly justified request, based on a court order, the issuing authority shall inform the person whose data is being sought by the EPOC or the EPOC-PR without undue delay about the data production or preservation. This information may be delayed as long as necessary and proportionate to avoid obstructing the relevant criminal proceedings, taking into account the rights of the suspected and accused person and without prejudice to defence rights and effective legal remedies.
Amendment 694 #
2018/0108(COD)
Proposal for a regulation
Article 11 a (new)
Article 11 a
Limitations to the use of information obtained
Electronic information which has been produced or preserved by an EPOC or EPOC-PR shall not be used for the purpose of proceedings other than those for which it was obtained in accordance with this Regulation.
Amendment 696 #
2018/0108(COD)
Proposal for a regulation
Article 11 b (new)
Article 11 b
Admissibility and erasure of electronic information
1. Electronic information that has been gathered in breach of this Regulation shall not be admissible before a court and shall immediately be erased.
2. Electronic information that is no longer necessary for the investigation or prosecution for which it was produced or preserved, shall immediately be erased. For this, Member States shall provide for appropriate time limits to be established for the erasure of electronic information produced or preserved or for a periodic review of the need of the storage of the electronic information. Procedural measures shall ensure that those time limits are observed.
3. The affected person shall be informed about the erasure.
Amendment 717 #
2018/0108(COD)
Proposal for a regulation
Article 14 a (new)