BETA

1008 Amendments of Marina KALJURAND

Amendment 11 #

2023/2501(RSP)


Recital F
F. whereas the ability to transfer personal data across borders has the potential to be a key driver of innovation, productivity and economic competitiveness as long as adequate safeguards are provided; whereas these transfers should be carried out in full respect for the right to the protection of personal data and the right to privacy; whereas one of the fundamental objectives of the EU is the protection of fundamental rights, as enshrined in the Charter;
2023/03/09
Committee: LIBE
Amendment 22 #

2023/2501(RSP)


Paragraph 1
1. Recalls that the respect for privacyte and data protectionfamily life and the protection of personal data are legally enforceable fundamental rights enshrined in the Treaties, the Charter and the European Convention of Human Rights, as well as in laws and case-law; emphasises that they must be applied in a manner that does not unnecessarily hamper trade or international relations, but can be balanced only against other fundamental rights and not against commercial or political interests;
2023/03/09
Committee: LIBE
Amendment 30 #

2023/2501(RSP)


Paragraph 2
2. Acknowledges the efforts made in the EO to lay down limits on US Signals Intelligence Activities, by referring to the principles of proportionality and necessity, and providing a list of legitimate objectives for such activities; points out, however, that these principles are long-standing key elements of the EU data protection regime and that their substantive definitions in the EO are not in line with their definition under EU law and their interpretation by the CJEU; points out, furthermore, that for the purposes of the EU-US Data Privacy Framework, these principles will be interpreted solely in the light of US law and legal traditions, not those of the EU, and that the Data Protection Review Court’s interpretations will not be made public; points out that the EO requires that signals intelligence must be conducted in a manner proportionate to the ‘validated intelligence priority’, which appears to be a broad interpretation of proportionality;
2023/03/09
Committee: LIBE
Amendment 36 #

2023/2501(RSP)


Paragraph 3
3. Regrets the fact that the EO does not prohibit the bulk collection of data by signals intelligence, including the content of communications; notes that the list of legitimate national security objectives can be amended and expanded by the US President, who can determine notith no obligation to make the relevant updates public nor to inform EU counterparts; points out that this would undermine the purpose of the objectives as a safeguard to limit US intelligence activities;
2023/03/09
Committee: LIBE
Amendment 40 #

2023/2501(RSP)


Paragraph 3 a (new)
3 a. Stresses the EDPB’s concerns over the EO’s failure to provide safeguards in bulk data collection, namely the lack of independent prior authorisation, lack of clear and strict data retention rules and lack of stricter safeguards concerning dissemination of data collected in bulk; points particularly to the specific concern that without further restrictions on dissemination to US authorities, law enforcement authorities will be enabled to access data they would otherwise have been prohibited from collecting;
2023/03/09
Committee: LIBE
Amendment 43 #

2023/2501(RSP)


Paragraph 3 b (new)
3 b. Shares the concern of the EDPB regarding the use of temporary bulk data collection as an additional ground for collecting data in bulk; is particularly concerned over the vaguely defined notion of “temporarily” in this context, and the fact that the safeguards concerning bulk data collection provided by the EO would not apply when data is collected in bulk temporarily;
2023/03/09
Committee: LIBE
Amendment 44 #

2023/2501(RSP)


Paragraph 3 c (new)
3 c. Reminds that onward transfers effectively multiply the risks to the protection of data and notes that the EDPB has called for the inclusion of a legally binding obligation to analyse and determine whether the third country offers an acceptable minimum level of safeguards while taking into account the effect of any existing international agreements that may provide for the transfer of personal data by intelligence services;
2023/03/09
Committee: LIBE
Amendment 45 #

2023/2501(RSP)


Paragraph 3 d (new)
3 d. Shares the calls from the EDPB that the entry into force and adoption of the adequacy decision be conditional upon, inter alia, the adoption of updated policies and procedures to implement the EO by all US intelligence agencies; calls on the Commission to assess these updated policies and procedures and share its assessment with the European Parliament and the EDPB;
2023/03/09
Committee: LIBE
Amendment 55 #

2023/2501(RSP)

Draft motion for a resolution
Paragraph 5
5. Points out that the decisions of the Data Protection Review Court (‘DPRC’) will be classified and not made public or available to the complainant and that they will be final and non-appealable with the DPRC; points out that the DPRC is part of the executive branch and not the judiciary; stresses that it should be prohibited for the US President to remove DPRC judges and calls on the Commission to clarify this matter; points out that a complainant will be represented by a ‘special advocate’ designated by the DPRC, for whom there is no requirement of independence; points out that the redress process provided by the EO is based on secrecy and does not set up an obligation to notify the complainant that their personal data has been processed, thereby undermining their right to access or rectify their data; notes that the proposed redress process does not provide for an avenue for appeal in a federal court and therefore, among other things, does not provide any possibility for the complainant to claim damages; concludes that the DPRC does not meet the standards of independence and impartiality of Article 47 of the Charter and that it is not compatible with the basic principles of justice and due process;
2023/03/09
Committee: LIBE
Amendment 63 #

2023/2501(RSP)


Paragraph 7
7. Notes that European businesses need and deserve legal certainty; stresses that successive data transfer mechanisms, which were subsequently repealed by the CJEU, created additional costs for European businesses; notes that continuing uncertainty and the need to adapt to new legal solutions is particularly burdensome for micro, small and medium-sized enterprises; is concerned that the adequacy decision could (like its predecessors) be invalidated by the Court of Justice, leading to a continuing lack of legal certainty, further costs and disruption for European citizens and businesses;
2023/03/09
Committee: LIBE
Amendment 67 #

2023/2501(RSP)


Paragraph 8
8. Points out that, unlike all other third countries that have received an adequacy decision under the GDPR, the US still does not have a federal data protection law; points out that the EO is not clear, precise or foreseeable in its application, as it can be amended at any time by the US President; is therefore, who is also empowered to issue secret executive orders; is concerned aboutregarding the absence of a sunset clause which could provide that the decision would automatically expire four years after its entry into force; after which the Commission would have to make a new determination; is concerned that the lack of a sunset clause in this adequacy decision represents a more lenient approach to the US, despite the fact that the US privacy framework is based on an Executive Order which allows for secret amendments, and which can be amended without consulting Congress or informing EU counterparts;
2023/03/09
Committee: LIBE
Amendment 80 #

2023/2501(RSP)


Paragraph 10
10. Recalls that, in its resolution of 20 May 2021, Parliament called on the Commission not to adopt any new adequacy decision in relation to the US, unless meaningful reforms were introduced, in particular for national security and intelligence purposes; reiterates that the Commission should not leave proper enforcement of EU data protection law to the Court of Justice of the European Union following complaints by individual citizens;
2023/03/09
Committee: LIBE
Amendment 88 #

2023/2501(RSP)


Paragraph 11
11. Concludes that the EU-US Data Privacy Framework fails to create actuessential equivalence in the level of protection; calls on the Commission to continue negotiations with its US counterparts with the aim of creating a mechanism that would ensure such equivalence and which would provide the adequate level of protection required by Union data protection law and the Charter as interpreted by the CJEU; urgescalls on the Commission not to adopt the adequacy finding;
2023/03/09
Committee: LIBE
Amendment 14 #

2023/0143(COD)

Proposal for a regulation
Recital 2
(2) Council Decision 2009/917/JHA10 on the use of information technology for customs purposes establishes the Customs Information System (CIS) to assist in preventing, investigating and prosecuting serious contraventions of national laws by making information available more rapidly and increase the effectiveness of the customs administrations. In order to ensure a consistent approach to the protection of personal data in the Union, that Decision should be amended to align it with Directive (EU) 2016/680. In particular, the personal data protection rules should respect the principle of purpose specificlimitation, be limited to specified categories of data subjects and categories of personal data, respect data security requirements, include additional protection for special categories of personal data and respect the conditions for subsequent processing. Moreover, provision should be made for the coordinated supervision model as introduced by Article 62 of Regulation (EU) 2018/172511 . _________________ 10 Council Decision 2009/917/JHA on the use of information technology for customs purposes (OJ L 323, 10.12.2009, p. 20). 11 Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
2023/11/06
Committee: LIBE
Amendment 16 #

2023/0143(COD)

Proposal for a regulation
Recital 5
(5) To ensure the optimal preservation of the data while reducing the administrative burden for the competent authorities, the procedure governing the retention of personal data in the CIS should be simplified by removing the obligation to review data annually and by setting a maximum retention period of fivthree years which can be increased, subject to justification, by an additional period of two years. That retention period is necessary and proportionate in view of the typical length of criminal proceedings and the need for the data for the conduct of joint customs operations and of investigations.
2023/11/06
Committee: LIBE
Amendment 18 #

2023/0143(COD)

Proposal for a regulation
Article 1 – paragraph 1 – point 2
Council Decision 2009/917/JHA
Article 2 – paragraph 1 – point 2
(2) Point 2 of Article 2 is hereby deletedreplaced by the following: 2. “personal data” means personal data as defined in Article 3, point (1), of Directive (EU) 2016/680.
2023/11/06
Committee: LIBE
Amendment 19 #

2023/0143(COD)

Proposal for a regulation
Article 1 – paragraph 1 – point 3
Council Decision 2009/917/JHA
Article 3 – paragraph 2
In relation to the processing of personal data in the Customs Information System, the Commission shall be considered the processor, within the meaning of point (12) of Article 3 of Regulation (EU) 2018/1725, acting, in accordance with Article 29 of that Regulation, on behalf of the national authorities designated by each Member State, which shall be considered the controllers of the personal data.
2023/11/06
Committee: LIBE
Amendment 20 #

2023/0143(COD)

Proposal for a regulation
Article 1 – paragraph 1 – point 5
Council Decision 2009/917/JHA
Article 5 – paragraph 2
2. For the purpose of the actions referred to in paragraph 1, personal data in any of the categories referred to in Article 3(1) may be entered into the Customs Information System only if there are reasonable and objective grounds, in particular on the basis of prior illegal activities, to suggest that the person concerned has committed, is in the act of committing or will commit criminal offences under national laws.
2023/11/06
Committee: LIBE
Amendment 21 #

2023/0143(COD)

Proposal for a regulation
Article 1 – paragraph 1 – point 6 – introductory part
(6) Paragraph 3 of Article 7 is replaced by the following:deleted.
2023/11/06
Committee: LIBE
Amendment 22 #

2023/0143(COD)

Proposal for a regulation
Article 1 – paragraph 1 – point 6
Council Decision 2009/917/JHA
Article 7 – paragraph 3
3. Notwithstanding paragraphs 1 and 2, the Council may exceptionally, by a unanimous decision and after consultation of the European Data Protection Board, permit access to the Customs Information System by international or regional organisations, provided that both of the following conditions are met: (a) the access complies with the general principles for transfers of personal data set out in Article 35 or, where applicable, Article 39 of Directive (EU) 2016/680; (b) the access is based either on an adequacy decision adopted under Article 36 of that Directive or is subject to appropriate safeguards under Article 37 thereof.deleted
2023/11/06
Committee: LIBE
Amendment 24 #

2023/0143(COD)

Proposal for a regulation
Article 1 – paragraph 1 – point 7
Council Decision 2009/917/JHA
Article 8 – paragraph 1 – subparagraph 1
Member States, Europol and Eurojust may process personal data obtained from the Customs Information System only in order to achieve the aim stated in Article 1(2), in accordance with the applicable rules of Union law on the processingtection of personal data.
2023/11/06
Committee: LIBE
Amendment 25 #

2023/0143(COD)

Proposal for a regulation
Article 1 – paragraph 1 – point 8
Council Decision 2009/917/JHA
Article 8 – paragraph 4 – subparagraph 1 – point a
(a) transmitted to, and further processed by, national authorities other than those designated under paragraph 2, in accordance with the applicable rules of Union law on the processingtection of personal data; or
2023/11/06
Committee: LIBE
Amendment 26 #

2023/0143(COD)

Proposal for a regulation
Article 1 – paragraph 1 – point 8
Council Decision 2009/917/JHA
Article 8 – paragraph 4 – subparagraph 1 – point b
(b) transferred to, and further processed by, the competent authorities of third countries and international or regional organisations, in accordance with Chapter V of Directive (EU) 2016/680 and, where relevant, with Chapters V and IX of Regulation (EU) 2018/1725.
2023/11/06
Committee: LIBE
Amendment 28 #

2023/0143(COD)

Proposal for a regulation
Article 1 – paragraph 1 – point 9
Council Decision 2009/917/JHA
Article 14
Personal data entered into the Customs Information System shall be kept only for the time necessary to achieve the aim stated in Article 1(2) and may not be retained for more than fiv. The need for their retention shall be reviewed at least once every three years. However, exceptionally, that data may be kept for an additional period of at most two years, where and insofar as a strictly need to do socessary in order to achieve that aim is established in an individual case.
2023/11/06
Committee: LIBE
Amendment 30 #

2023/0143(COD)

Proposal for a regulation
Article 1 – paragraph 1 – point 11
Council Decision 2009/917/JHA
Article 20
Directive (EU) 2016/680 and Regulation (EU) 2018/1725 shall apply to the processing of personal data under this Decision.
2023/11/06
Committee: LIBE
Amendment 28 #

2022/0425(COD)

Proposal for a regulation
Recital 1
(1) The transnational dimension of serious and organised crime and the continuous threat of terrorist attacks on European soil call for action at Union level to adopt appropriate measures to ensure security within an area of freedom, security and justice without internal borders. Information on air travellers, such as Passenger Name Records (PNR) and in particular Advance Passenger Information (API), is essential in orderhelps to identify high-risk travellers, including those who are not otherwise known to law enforcement authorities, and to establish links between members of criminal groups, and countering terrorist activities.
2023/09/06
Committee: LIBE
Amendment 29 #

2022/0425(COD)

Proposal for a regulation
Recital 2
(2) While Council Directive 2004/82/EC27 establishes a legal framework for the collection and transfer of API data by air carriers with the aims of improving border controls and combating illegal immigration, it also states that Member States may use API data for law enforcement purposes. However, only creating such a possibility leads to several gaps and shortcomings. In particular, it means that, despite its relevance for law enforcement purposes,This means that API data is not in all casessystematically collected and transferred by air carriers for those purposes. It also means that, wlaw enforcement purposes. Where Member States have acted upon the possibility, air carriers are faced with diverging requirements under national law as regardsing when and how to collect and transfer API data for this purpose. Those divergences lead not only to unnecessary costs and complications for the air carriers, but they are also prejudicial tomay also complicate the Union’s internal security and effective cooperation between the competent law enforcement authorities of the Member States. Moreover, in view of the completely different nature of the purposes of facilitating border controls and law enforcement, it is appropriate to establish a distinct legal framework for the collection and transfer of API data for each of thoselaw enforcement purposes. _________________ 27 Council Directive 2004/82/EC of 29 April 2004 on the obligation of carriers to communicate passenger data (OJ L 261, 6.8.2004, p. 24).
2023/09/06
Committee: LIBE
Amendment 32 #

2022/0425(COD)

Proposal for a regulation
Recital 3
(3) Directive (EU) 2016/681 of the European Parliament and of the Council28 (‘PNR Directive') lays down rules on the use of PNR data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime. Under that Directive, Member States must adopt the necessary measures to ensure that air carriers transfer PNR data, including any API data collected, to the national Passenger Information Unit (‘PIU’) established under thatPNR Directive to the extent that they have already collected such data in the normal course of their business. Consequently, that Directive does not guarantee the collection and transfer of API data in all cases, as air carriers do not have any business purpose to collect a full set of such data. Ensuring that PIUs receive API data together with PNR data is important, since the joint processing of such data is needed for the competent law enforcement authorities of the Member States to be able to effectively prevent, detect, investigate and prosecute terrorist offences and serious crimfor the purposes of the Directive. In particular, such joint processing allows for the accurate identification of those passengers that may need to be further examined, in accordance with the applicable law, by those authorities. In addition, thate PNR Directive does not specify in detail which information constitutes API data. For those reasons, complementary rules should be established requiring air carriers to collect and subsequently transfer a specifically defined set of API data, which.These requirements should apply to the extent that the air carriers are bound under that Directive to collect and transfer PNR data on the same flight. _________________ 28 Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (OJ L 119, 4.5.2016, p. 132).
2023/09/06
Committee: LIBE
Amendment 34 #

2022/0425(COD)

Proposal for a regulation
Recital 4
(4) It is therefore necessary to establish at Union level clear, harmonised and effective rules at the Union level on the collection and transfer of API data for the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious crime.
2023/09/06
Committee: LIBE
Amendment 36 #

2022/0425(COD)

Proposal for a regulation
Recital 5
(5) Considering the close relationship between both acts, this Regulation should be understood as complementing the rules provided for in the PNR Directive (EU) 2016/681. Therefore, API data is to be collected and transferred in accordance with the specific requirements of this Regulation, including as regards to the situations and the manner in which that is to be done. However, the rules of thate PNR Directive apply in respect of matters not specifically covered by this Regulation, especially regarding the rules on the subsequent processing of the API data received by the PIUs, exchange of information between Member States, conditions of access by the European Union Agency for Law Enforcement Cooperation (Europol), transfers to third countries, retention and depersonalisation, as well as the protection of personal data. Insofar as those rules apply, the rules of that Directive on penalties and the national supervisory authorities apply as well. This Regulation should leave those rules unaffected.
2023/09/06
Committee: LIBE
Amendment 37 #

2022/0425(COD)

Proposal for a regulation
Recital 6
(6) The collection and transfer of API data affects the privacy of individuals and entails the processing of their personal data. In order to fully respect their fundamental rights, in particular the right of respect for private life and the right to the protection of personal data, in accordance with the Charter of Fundamental Rights of the European Union (‘Charter’), adequate limits and safeguards should be provided for. In particular, any processing of API data and, in particular, API data constituting personal data, should remain strictly limited to what is necessary for and proportionate to achieving the objectives pursued by this Regulation. In addition, it should be ensured that the APIprocessing of any API data collected and transferred under this Regulation do not lead to any form of discrimination precluded by the Charter.
2023/09/06
Committee: LIBE
Amendment 44 #

2022/0425(COD)

Proposal for a regulation
Recital 7
(7) In view of the complementary nature of this Regulation in relation to the PNR Directive (EU) 2016/681, the obligations of air carriers under this Regulation should apply in respect of all flights for which Member States are to require air carriers to transmit PNR data under the Directive (EU) 2016/681, namely flights, including both scheduled and non- scheduled flights, both between Member States and third countries (extra-EU flights), and between severalcertain Member States (intra-EU flights) insofar as those flights have been selected in accordance with the PNR Directive (EU) 2016/681, irrespective of the place of establishment of the air carriers conducting those flights.
2023/09/06
Committee: LIBE
Amendment 47 #

2022/0425(COD)

Proposal for a regulation
Recital 8
(8) Accordingly, given that the PNR Directive (EU) 2016/681 does not cover domestic flights, that is, flights that depart and land on the territory of the same Member State without any stop-over in the territory of another Member State or a third country, and in view of the transnational dimension of the terrorist offences and the serious crime covered by this Regulation, such flights should not be covered by this Regulation either. This Regulation should not be understood as affecting the possibility for Member States to provide, under their national law and in compliance with Union law, for obligations on air carriers to collect and transfer API data on such domestic flights.
2023/09/06
Committee: LIBE
Amendment 49 #

2022/0425(COD)

Proposal for a regulation
Recital 9
(9) In view of the close relationship between the acts of Union law concerned and in the interest of consistency and coherence, the definitions set out in this Regulation should as much possible be aligned with, and be interpreted and applied in the light of, the definitions set out in the PNR Directive (EU) 2016/681 andand the Regulation (EU) [API border management] 29 . _________________ 29 OJ C , , p. .
2023/09/06
Committee: LIBE
Amendment 52 #

2022/0425(COD)

Proposal for a regulation
Recital 10
(10) In particular, the items of information that jointly constitute the API data to be collected and subsequently transferred under this Regulation should be the same as those listed clearly and exhaustively in Regulation (EU) API [border management], covering both information relating to each passenger and information on the flight of that traveller. Under this Regulation, such flight information should cover information on the border crossing point of entry into the territory of the Member State concerned only where applicable, that is, not when the API data relate to intra-EU flights.
2023/09/06
Committee: LIBE
Amendment 56 #

2022/0425(COD)

Proposal for a regulation
Recital 11
(11) In order to ensure as consistent approach as possible on the collection and transfer of API data by air carriers as much as possible, the rules set out in this Regulation should be aligned with those set out in the Regulation (EU) [API border management] where appropriate. Thatis concerns, in particular, the rules on data quality, the air carriers’ use of automated means for such collection, the precise manner in which they are to transfer the collected API data to the router and the deletion of the API data. The collection of API data by automated means should be strictly limited to the alphanumercial data contained in the travel document and should not lead to the collection of any biometric data from it. As the collection of API data is part of the check-in process, either online or at the airport, it should not imply any checks of the traveller at the moment of boarding. Compliance with this regulation should not imply any obligation to carry a travel document at the moment of boarding.
2023/09/06
Committee: LIBE
Amendment 62 #

2022/0425(COD)

Proposal for a regulation
Recital 12
(12) In order to ensure the joint processing of API data and PNR data to effectively fight terrorism and serious crime in the Union, and at the same time minimise the interference with passengers’ fundamental rights protected under the Charter, the PIUs should be the sole competent authorities in the Member States that are entrusted to receive, and subsequently further process and protect, API data collected and transferred under this Regulation. In the interest of efficiency and to minimise any security risks, the router, as designed, developed, hosted and technically maintained by the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA) in accordance with Regulation (EU) [API border management], should transmit the API data, collected and transferred to it by the air carriers under this Regulation, to the relevant PIUs. Given the necessary level of protection of API data constituting personal data, including to ensure the confidentiality of the information concerned, the API data should be transmitted by the router to the relevant PIUs in an automated manner.
2023/09/06
Committee: LIBE
Amendment 67 #

2022/0425(COD)

Proposal for a regulation
Recital 13
(13) For the extra-EU flights, the PIU of the Member State on thwhose territory of which the flight will land and or from twhe territory of whichre the flight will depart should receive the API data from the router for all those flights, given that that PNR data is collected for all those flights, in accordance with the PNR Directive (EU) 2016/681. The router should identify the flight and the corresponding PIUs using the information contained in the PNR record locator, a data element common to both the API and PNR data sets allowing for the joint processing of API data and PNR data by the PIUs.
2023/09/06
Committee: LIBE
Amendment 68 #

2022/0425(COD)

Proposal for a regulation
Recital 13 a (new)
(13a) In order to allow for the effective supervision of the compliance of the Member States with the requirements of the Court of Justice of the European Union (‘CJEU’) by the national data protection authorities, this Regulation lays down a common methodology for carrying out the threat assessment based on which the Member States should operate a selection of intra-EU flights. In order to avoid divergent practices among Member States, this Regulation also sets out a list of criteria, regarding both quantitative and qualitative evidence, to be used by Member States when carrying out such assessment. Given that API can be processed for the purpose of this Regulation only insofar as PNR data is processed, the outcome of the threat assessment should be valid for the transfer and processing of both API and PNR data.
2023/09/06
Committee: LIBE
Amendment 73 #

2022/0425(COD)

Proposal for a regulation
Recital 14
(14) As regards to the intra-EU flights, in line with the case law of the Court of Justice of the European Union (CJEU)JEU, in order to avoid unduly interfering with the relevant fundamental rights of the travellers protected under the Charter and to ensure compliance with the requirements of the Union law on the free movement of persons and the abolition of internal border controls, a selective approach should be provided for. In view of the importance of ensuring that API data can be processed together with PNR data, that approach should be aligned with that of the PNR Directive (EU) 2016/681. For those reasons, API data on those flights should only be transmitted from the router to the relevant PIUs, where the Member States have selected the flights concerned in application of Article 2 of the PNR Directive (EU) 2016/681. As recalled by the CJEU, the selection entails Member States targeting the obligations in question only at, inter alia, certain routes, travel patterns or airports, subject to thea regular review of that selection.
2023/09/06
Committee: LIBE
Amendment 78 #

2022/0425(COD)

Proposal for a regulation
Recital 15
(15) In order to enable the application of that selective approach under this Regulation in respect of intra-EU flights, the Member States should be required to draw up and submit to the eu-LISA the lists of the flights they selected, so that eu- LISA can ensure that API data of only for those flights API data is transmitted from the router to the relevant PIUs and that the API data on other intra-EU flights is immediately and permanently deleted.
2023/09/06
Committee: LIBE
Amendment 82 #

2022/0425(COD)

Proposal for a regulation
Recital 16
(16) In order not to endanger the effectiveness of the system that relies on the collection and transfer of API data set up by this Regulation, and of PNR data under the system set up by Directive (EU) 2016/681, for the purpose of preventing, detecting, investigating and prosthe PNR Direcuting terrorist offences and serious crimve, in particular by creating the risk of circumvention, information on which intra- EU flights the Member States have selected should be treated in a confidential manner. For that reason, such information should not be shared with the air carriers and they should therefore be required to collect API data on all flights covered by this Regulation, including all intra-EU flights, and then transfer it to the router, where the necessary selection should be enacted. Moreover, by collecting API data on all intra-EU flights, passengers are not made aware on which selected intra-EU flights API data, and hence also PNR data, is transmitted to the PIUs in accordance with the assessment of Member States’ assessment. That approach also ensures that any changes relating to that selection can be implemented swiftly and effectively, without imposing any undue economic and operational burdens on the air carriers. Nonetheless, API data should not be collected and transferred on those flights where neither the Member State of departure nor the Member State of arrival of intra-EU flights have notified the Commission with their decision to apply PNR Directive to intra-EU flights, pursuant to Article 2 of that Directive. Since such notifications are published in the Official Journal of the Union, and hence known to the public, there is in these cases no risk of circumvention.
2023/09/06
Committee: LIBE
Amendment 84 #

2022/0425(COD)

Proposal for a regulation
Recital 17
(17) In the interest of ensuring compliance with the fundamental right tof the travellers to the protection of their personal data and in line with Regulation (EU) [API border management], this Regulation should identify the controllers. In the interest of effective monitoring, ensuring adequate protection of personal data and minimising security risks, rules should also be provided for on logging, security of processing and self-monitoring. Where they relate to the processing of personal data, those provisions should be understood as complementing the generally applicable acts of Union law on the protection of personal data, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council 30 , Directive (EU) 2016/680 of the European Parliament and the Council31 and Regulation (EU) 2018/1725 of the European Parliament and the Council32 . Those acts, which also apply to the processing of personal data under this Regulation in accordance with the provisions thereof, should not be affected by this Regulation. Taking due consideration of the right of the travellers to be informed of the processing of their personal data for the purposes of this Regulation, the air carriers should inform travellers, at the moment of booking and at the moment of check-in, of the purpose of the collection of their personal data and of their rights as data subjects. _________________ 30 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, p. 1. 31 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ L 119, 4.5.2016, p. 89. 32 Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC, OJ L 295, 21.11.2018, p. 39
2023/09/06
Committee: LIBE
Amendment 87 #

2022/0425(COD)

Proposal for a regulation
Recital 18
(18) The router to be created and (18) operated underIn order to avoid that air carriers have to establish and maintain multiple connections with the competent border authorities of the Member States’ for the transfer of API data and PNR data collected under this Regulation, and to avoid the related inefficiencies and security risks, provision should be made for a single router, created and operated at the Union level, that should serve as a connection and distribution point for those transfers. The router to be created and operated under this Regulation and Regulation (EU) [API border management] should reduce and simplify the technical connections needed to transfer API and PNR data, limiting them to a single connection per air carrier and per PIU. Therefore, this Regulation provides for the obligation for the PIUs and air carriers to each establish such a connection to, and achieve the required integration with, the router, so as to ensure that the system for transferring API and PNR data established by this Regulation can function properly. To provide for the same level of clarity and certainty, the provisions related to the router, security and support tasks by the eu-LISA should be mirrored in this Regulation and Regulation (EU) [API border management], as eu-LISA should build and maintain only one router for the purposes of both Regulations.
2023/09/06
Committee: LIBE
Amendment 90 #

2022/0425(COD)

Proposal for a regulation
Recital 20
(20) In accordance with Regulation (EU) 2018/1726, Member States may entrust eu-LISA with the task of facilitating connectivity wiorder to allow both the air carriers and the PIUs to make the most efficient use of their connections to the router, to prevent any duplication of passenger data transfers and processing, and to ensure compliance with the CJEU case-law and enhance the related monitoring and supervision, this Regulation provides for the mandatory use of the router by the air carriers in order to assist Member States in the implementation of Directive (EU) 2016/681, particularly by collecting andfor transferring PNR data, and for the PIUs for receiving such data. This should constitute the only necessary and available means for the Member States to require air carriers to comply with the obligations related to transferring of PNR data via the routeras foreseen by the PNR Directive.
2023/09/06
Committee: LIBE
Amendment 92 #

2022/0425(COD)

Proposal for a regulation
Recital 21
(21) It cannot be excluded that, due to exceptional circumstances and despite all reasonable measures having been taken in accordance with this Regulation and, as regards the router, Regulation (EU) [API border management], the router or the systems or infrastructure connecting the PIUs and the air carriers thereto fail to function properly, thus leading to a technical impossibility to use the router to transmit API and PNR data. Given the unavailability of the router and that it will generally not be reasonably possible for air carriers to transfer the API and PNR data affected by the failure in a lawful, secure, effective and swift manner through alternative means, the obligation for air carriers to transfer that API and PNR data to the router should cease to apply for as long as the technical impossibility persist. In order to minimise the duration and negative consequences thereof, the parties concerned should in such a case immediately inform each other and immediately take all necessary measures to address the technical impossibility. This arrangement should be without prejudice to the obligations under this Regulation of all parties concerned to ensure that the router and their respective systems and infrastructure function properly, as well as the fact that air carriers are subject to penalties when they fail to meet those obligations, including when they seek to rely on this arrangement where such reliance is not justified. In order to deter such abuse and to facilitate supervision and, where necessary, the imposition of penalties, air carriers that rely on this arrangement on account of the failure of their own system and infrastructure should report thereon to the competent supervisory authority.
2023/09/06
Committee: LIBE
Amendment 93 #

2022/0425(COD)

Proposal for a regulation
Recital 22
(22) In order to ensure that the rules of this Regulation are applied effectively by air carriers, provision should be made for the designation and empowerment of national authorities charged with the supervision of those rules. The rules of this Regulation on such supervision, including as regards to the imposition of penalties where necessary, should leave the tasks and powers of the supervisory authorities established in accordance with Regulation (EU) 2016/679 and Directive (EU) 2016/680 unaffected, including in relation to the processing of personal data under this Regulation.
2023/09/06
Committee: LIBE
Amendment 95 #

2022/0425(COD)

Proposal for a regulation
Recital 23
(23) Effective, proportionate and dissuasive penalties, including financial ones, should be provided for by Member States against those air carriers failing to meet their obligations regarding the collection and transfer of API and PNR data under this Regulation.
2023/09/06
Committee: LIBE
Amendment 96 #

2022/0425(COD)

Proposal for a regulation
Recital 23 a (new)
(23a) In order to store reports and statistics of the router on the Common Repository for Reporting and Statistics, it is necessary to amend Regulation (EU) 2019/817 of the European Parliament and of the Council.1a The Common Repository for Reporting and Statistics should only provide statistics based on API data for the implementation and effective supervision of this Regulation. The data that the router automatically transmits to the Common Repository for Reporting and Statistics to that end should not allow for the identification of the travellers concerned. The router should not transmit any data to the Common Repository for Reporting and Statistics for those intra-EU flights that have not been selected by a Member State based on an assessment in compliance with the criteria and methodology for the selection of intra-EU flights set out in this Regulation. _________________ 1a Regulation (EU) 2019/817 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of borders and visa and amending Regulations (EC) No 767/2008, (EU) 2016/399, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1726 and (EU) 2018/1861 of the European Parliament and of the Council and Council Decisions 2004/512/EC and 2008/633/JHA (OJ L 135, 22.5.2019, p. 27).
2023/09/06
Committee: LIBE
Amendment 100 #

2022/0425(COD)

Proposal for a regulation
Recital 25
(25) All interested parties, and in particular the air carriers and the PIUs, should be afforded sufficient time to make the necessary preparations to be able to meet their respective obligations under this Regulation, taking into account that some of those preparations, such as those regarding the obligations on the connection to and integration with the router, can only be finalised when the design and development phases of the router have been completed and the router starts operations. Therefore, this Regulation should apply only from an appropriate date after the date at which the router starts operations, as specified by the Commission in accordance with this Regulation and the Regulation (EU) [API border management]. However, it should be possible for the Commission to adopt delegated acts under this Regulation already from an earlier date, so as to ensure that the system set up by this Regulation is operational as soon as possible.
2023/09/06
Committee: LIBE
Amendment 107 #

2022/0425(COD)

Proposal for a regulation
Article 1 – paragraph 1 – point c
(c) the transmission from the router to the Passenger Information Units (‘PIUs’) of the API data and PNR data on extra-EU flights and selected intra-EU flights.
2023/09/06
Committee: LIBE
Amendment 117 #

2022/0425(COD)

Proposal for a regulation
Article 3 – paragraph 1 – point c
(c) ‘intra-EU flight’ means any flight as defined in Article 3, point (3), of Directive (EU) 2016/681, with the exception of those flights for which neither the Member State from where the flight is scheduled to depart, nor the Member State where the flight is scheduled to land, have notified their decision to apply Directive 2016/681 to intra-EU flights, pursuant to Article 2 of that Directive;
2023/09/06
Committee: LIBE
Amendment 120 #

2022/0425(COD)

Proposal for a regulation
Article 3 – paragraph 1 – point g
(g) ‘crew’ means any person as defined in Article 3, point (hi), of Regulation (EU) [API border management];
2023/09/06
Committee: LIBE
Amendment 124 #

2022/0425(COD)

Proposal for a regulation
Article 3 – paragraph 1 – point h
(h) ‘traveller’ means any person as defined in Article 3, point (ij), of Regulation (EU) [API border management];
2023/09/06
Committee: LIBE
Amendment 125 #

2022/0425(COD)

Proposal for a regulation
Article 3 – paragraph 1 – point i
(i) ‘advance passenger information data’ or ‘API data’ means the data as defined in Article 3, point (jk), of Regulation (EU) [API border management];
2023/09/06
Committee: LIBE
Amendment 126 #

2022/0425(COD)

Proposal for a regulation
Article 3 – paragraph 1 – point n
(n) ‘the router’ means the router as defined in Article 5c (new) and Article 3, point (km) of Regulation (EU) [API border management];
2023/09/06
Committee: LIBE
Amendment 128 #

2022/0425(COD)

Proposal for a regulation
Article -4 (new)
Article-4 API data to be collected by air carriers 1. Air carriers shall collect API data of travellers, consisting of the traveller data and the flight information specified in paragraphs 2 and 3 of this Article, respectively, on the flights referred to in Article 2, for the purpose of transferring that API data to the router in accordance with Article 4(6). 2. The API data shall consist of the following traveller data relating to each traveller on the flight: (a) the surname (family name), first name or names (given names); (b) the date of birth, sex and nationality; (c) the type and number of the travel document and the three-letter code of the issuing country of the travel document; (d) the date of expiry of the validity of the travel document; (e) whether the traveller is a passenger or a crew member (traveller’s status); (f) the number identifying a passenger name record used by an air carrier to locate a passenger within its information system (PNR record locator); (g) the seating information, such as the number of the seat in the aircraft assigned to a passenger, where the air carrier collects such information; (h) baggage information, such as number of checked bags, where the air carrier collects such information. 3. The API data shall also consist of the following flight information relating to the flight of each traveller: (a) the flight identification number or, if no such number exists, other clear and suitable means to identify the flight; (b) when applicable, the border crossing point of entry into the territory of the Member State; (c) the code of the airport of entry into the territory of the Member State; (d) the initial point of embarkation; (e) the local date and estimated time of departure; (f) the local date and estimated time of arrival.
2023/09/06
Committee: LIBE
Amendment 129 #

2022/0425(COD)

Proposal for a regulation
Article 4 – title
Collection, tTransfer and deletion of API data by air carriers
2023/09/06
Committee: LIBE
Amendment 130 #

2022/0425(COD)

Proposal for a regulation
Article 4 – paragraph 1
1. Air carriers shall collect API data of travellers on the flights referred to in Article 2, for the purpose of transferring that API data to the router in accordance with paragraph 6. Where the flight is code-shared between one or more air carriers, the obligation to transfer the API data shall be on the air carrier that operates the flight.deleted
2023/09/06
Committee: LIBE
Amendment 138 #

2022/0425(COD)

Proposal for a regulation
Article 4 – paragraph 3 – subparagraph 1
Air carriers shall collect the alphanumerical API data referred to in Article 43a(new)(2), points (a) to (d), of Regulation (EU) [API border management] using automated means to collect the machine- readable data of the travel document of the traveller concerned. Air carriers shall collect that data during the check-in procedures, either as part of the online check-in or as part of the check-in at the airport. They shall do so in accordance with the detailed technical requirements and operational rules referred paragraph 5, where such rules have been adopted and are applicable. Specifically, the collection of API data with automated means shall not lead to the collection of any biometric data contained in the travel document. The collection of API data shall not imply any checks at the moment of boarding of the traveller. Compliance with this Regulation shall not imply any obligation to carry a travel document at the moment of boarding.
2023/09/06
Committee: LIBE
Amendment 143 #

2022/0425(COD)

Proposal for a regulation
Article 4 – paragraph 3 – subparagraph 2
However, wWhere suchthe use of automated means is not possible due to the travel document not containing machine-readable data, air carriers shall collect that data manually, in such a manner as to ensure compliance with paragraph 2.
2023/09/06
Committee: LIBE
Amendment 148 #

2022/0425(COD)

Proposal for a regulation
Article 4 – paragraph 5
5. The Commission is empowered to adopt delegated acts in accordance with Article 19 to supplement this Regulation by laying down detailed technical requirements and operational rules for the collection of the API data referred to in Article 43a(new)(2), points (a) to (d), of Regulation (EU) [API border management] using automated means in accordance with paragraphs 3 and 4 of this Article.
2023/09/06
Committee: LIBE
Amendment 161 #

2022/0425(COD)

Proposal for a regulation
Article 4 – paragraph 8 – subparagraph 2
Where the air carriers obtain the awareness referred to in point (a) of the first subparagraph of this paragraph after having completed the transfer of the data in accordance with paragraph 6, they shall immediately inform the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA). Upon receiving such information, eu-LISA shall immediately inform the PIUs that received thesuch API data transmitted through the router.
2023/09/06
Committee: LIBE
Amendment 164 #

2022/0425(COD)

Proposal for a regulation
Article 4 – paragraph 9 a (new)
9a. In accordance with Directive 2016/681, air carriers shall also transfer PNR data to the router, insofar as these data are collected in the normal course of their business, for the transmission of these data from the router to the respective PIUs in accordance with Article 5(4). This shall be the only necessary and available means for air carriers to transfer PNR data in accordance with Article 8(1) of Directive 2016/681.
2023/09/06
Committee: LIBE
Amendment 167 #

2022/0425(COD)

Proposal for a regulation
Article 5 – paragraph 1 – subparagraph 1
The router shall, immediately and in an automated manner, transmit the API data, transferred to it by air carriers pursuant to Article 4, to the PIUs of the Member State on thwhose territory of which the flight will land or from the territory of which the flight will depart from, or to both in the case of intra- EU-flights. Where a flight has one or more stop-overs at the territory of another Member States than the one from which it departed, the router shall transmit the API data to the PIUs of all the Member States concerned.
2023/09/06
Committee: LIBE
Amendment 171 #

2022/0425(COD)

Proposal for a regulation
Article 5 – paragraph 1 – subparagraph 2
For the purpose of such transmissions, eu- LISA shall establish and keep up-to-date a table of correspondence between the different airports of origin and destination and the countries to which they belong.
2023/09/06
Committee: LIBE
Amendment 175 #

2022/0425(COD)

Proposal for a regulation
Article 5 – paragraph 1 – subparagraph 3
However, for intra-EU flights, the router shall only transmit theonly API data to that PIU in respect of the flights included in the list referred to in paragraph 2 to the applicable PIUs.
2023/09/06
Committee: LIBE
Amendment 184 #

2022/0425(COD)

Proposal for a regulation
Article 5 – paragraph 3 a (new)
3a. This provision shall apply mutatis mutandis to the transmission of PNR data from the router to the PIUs of the Member States in accordance with Article 8(1) of Directive 2016/681. This shall be the only means for PIUs to receive PNR data from air carriers.
2023/09/06
Committee: LIBE
Amendment 186 #

2022/0425(COD)

Proposal for a regulation
Article 5 a (new)
Article5a Methodology for the selection of intra-EU flights 1. For the purpose of establishing the list referred to in paragraph 2 of Article 5, Member States shall carry out a thorough threat assessment. 2. Such threat assessment shall be carried out in an objective, duly reasoned and non-discriminatory manner. In particular such assessment shall not be purely based on the nationality, sex, age, race, colour, ethnic origin, language, religion or belief, or membership of a national minority of the travellers. 3. The outcome of that threat assessment shall be subject to regular review. Its validity shall be limited in time to what is strictly necessary and shall in any case not exceed 3 months unless it is extended, based on objective necessity. The frequency of the review shall reflect the nature of information referred to in 5b(new)(2)(b). 4. Member States shall keep all relevant documentation justifying the outcome of the threat assessment and its possible prolongation. In order to allow for effective supervision, Member States shall make that documentation available to the competent national data protection authorities referred to in article 41 of Directive 2016/680.
2023/09/06
Committee: LIBE
Amendment 188 #

2022/0425(COD)

Proposal for a regulation
Article 5 b (new)
Article5b Substantive criteria for the selection of intra-EU flights 1. Member States shall base their threat assessment, referred to in Article 5a(new) on information and considerations regarding: a. the proportionality of interferening with the fundamental rights laid down in Articles 7 and 8 of the Charter in relation to the importance of the objective of general interest;b. the duration of the selection and thus interference with fundamental rights;c. the general level of threat identified at national and Union level, solely in relation to terrorist and serious criminal offences within the scope of this Regulation; and d. the specific level of threat identified on a particular intra-EU flight, in the context of one or several terrorist and serious criminal offences within the scope of this Regulation, relating, inter alia, to a certain route, travel pattern or airport. 2. When assessing the specific level of threat identified on a particular flight, Member States shall use: a. Statistical information on the previous results of the automated processing of PNR data of passengers on that particular flight or route; b. Objective, duly reasoned, non- discriminatory and documented information received by their authorities competent for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, such as information on new criminal trends and changes in the modus operandi. Such assessment shall not be purely based on the nationality sex, age, race, colour, ethnic origin, language, religion or belief, or membership of a national minority of the travellers.
2023/09/06
Committee: LIBE
Amendment 191 #

2022/0425(COD)

Proposal for a regulation
Chapter 2 a (new)
2a PROVISIONS RELATING TO THE ROUTER
2023/09/06
Committee: LIBE
Amendment 192 #

2022/0425(COD)

Proposal for a regulation
Article -6 (new)
Article-6 The router 1. eu-LISA shall design, develop, host and technically manage, in accordance with Articles 11a(new) and 11b(new), a router for the purpose of facilitating the transfer of API and PNR data by the air carriers to the PIUs in accordance with this Regulation. 2. The router shall be composed of: (a) a central infrastructure, including a set of technical components enabling the transmission of API and PNR data; (b) a secure communication channel between the central infrastructure and the competent border authorities and the PIUs, and a secure communication channel between the central infrastructure and the air carriers, for the transfer of API and PNR data and for any communications relating thereto. 3. Without prejudice to Article 5d(new) of this Regulation, the router shall, to the extent technically possible, share and re- use the technical components, including hardware and software components, of the web service referred to in Article 13 of Regulation (EU) 2017/2226 of the European Parliament and of the Council1a, the carrier gateway referred to in Article 6(2), point (k), of Regulation (EU) 2018/1240, and the carrier gateway referred to in Article 2a, point (h), of Regulation (EC) 767/2008 of the European Parliament and of the Council1b. 4. eu-LISA shall design and develop the router in a way that for any transfer of API and PNR data from the air carriers to the router in accordance with Article 4, and for any transmission of API and PNR data from the router to the PIUs in accordance with Article 5 and to the central repository for reporting and statistics in accordance with Article 16a(new)(2), the API and PNR data is end-to-end encrypted during transit. _________________ 1a Regulation (EU) 2017/2226 of the European Parliament and of the Council of 30 November 2017 establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third-country nationals crossing the external borders of the Member States and determining the conditions for access to the EES for law enforcement purposes, and amending the Convention implementing the Schengen Agreement and Regulations (EC) No 767/2008 and (EU) No 1077/2011 (OJ L 327, 9.12.2017, p. 20). 1b Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas (VIS Regulation) (OJ L 218, 13.8.2008, p. 60).
2023/09/06
Committee: LIBE
Amendment 193 #

2022/0425(COD)

Proposal for a regulation
Article -6 a (new)
Article-6a Exclusive use of the router Notwithstanding the use of the router in Article 10 of Regulation (EU) [API border management], the router shall only be used by air carriers to transfer API and PNR data, and by PIUs to receive API and PNR data for extra-EU flights and selected intra-EU flights, in accordance with this Regulation.
2023/09/06
Committee: LIBE
Amendment 194 #

2022/0425(COD)

Proposal for a regulation
Article -6 b (new)
Article-6b Deletion of API data from the router API data, transferred to the router pursuant to this Regulation, shall be stored on the router only insofar as necessary to complete the transmission to the PIUs and shall be deleted from the router, immediately, permanently and in an automated manner, in both of the following situations: (a) where the transmission of the API data to the relevant PIUs has been completed; (b) where the API data relates to other intra-EU flights than those included the lists referred to in Article 5(2) of that Regulation. The router shall automatically inform eu-LISA of the immediate deletion of these intra-EU flights for the purposes of the statistics referred to in Article 16a(1).
2023/09/06
Committee: LIBE
Amendment 195 #

2022/0425(COD)

Proposal for a regulation
Article 6 – paragraph -1 (new)
-1. eu-LISA shall keep logs of all processing operations relating to the transfer of API data through the router under this Regulation. Those logs shall cover the following: (a) the air carrier that transferred the API data to the router; (b) the competent authorities and PIUs to which the API data was transmitted through the router; (c) the date and time of the transfers referred to in points (a) and (b), and place of transfer; (d) any access by staff of eu-LISA necessary for the maintenance of the router, as refererred to in Article 11b(3); (e) any other information relating to those processing operations necessary to monitor the security and integrity of the API data and the lawfulness of those processing operations. Those logs shall not include any personal data, other than the information necessary to identify the relevant member of the staff of eu-LISA, referred to in point (d) of the first subparagraph.
2023/09/06
Committee: LIBE
Amendment 198 #

2022/0425(COD)

Proposal for a regulation
Article 6 – paragraph 4 – subparagraph 2
However, if those logs are needed for procedures for monitoring or ensuring the security and integrity of the API data or the lawfulness of the processing operations, as referred to in paragraph 2, and those procedures have already begun at the moment of the expiry of the time period referred to in the first subparagraph, air carriers mayshall keep those logs for as long as necessary for those procedures. In that case, they shall immediately delete those logs when they are no longer necessary for those procedures.
2023/09/06
Committee: LIBE
Amendment 201 #

2022/0425(COD)

Proposal for a regulation
Article 7 – paragraph 2 a (new)
1. Collection and processing of personal data in accordance with this Regulation and Regulation (EU) [API border management] by air carriers and competent authorities shall not result in discrimination against persons on the grounds of sex and gender, race, colour, ethnic or social origin, genetic features, language, religion or belief, political or any other opinion, membership of a national minority, property, birth, disability, age or sexual orientation. 2. This Regulation shall fully respect human dignity and the fundamental rights and principles recognised by the Charter of Fundamental Rights of the European Union, including the right to respect for one’s private life, to the protection of personal data and to freedom of movement. 3. Particular attention shall be paid to children, the elderly, persons with a disability and vulnerable persons. The best interests of the child shall be a primary consideration when implementing this Regulation.
2023/09/06
Committee: LIBE
Amendment 203 #

2022/0425(COD)

Proposal for a regulation
Article 7 a (new)
Article7a Personal data processor eu-LISA shall be the processor within the meaning of Article 3, point (9), of Directive 2016/680 (EU) 2018/1725 for the processing of API data constituting personal data through the router in accordance with this Regulation.
2023/09/06
Committee: LIBE
Amendment 205 #

2022/0425(COD)

Proposal for a regulation
Article 7 b (new)
Article7b Information to travellers In accordance with the right of information in Article 13 of Regulation (EU) 2016/679, air carriers shall provide travellers, on flights covered by this Regulation, with information on the purpose of the collection of their personal data, the type of personal data collected, the recipients of the personal data and the means to exercise the data subject rights. This information should be communicated to travellers in writing and in an easily accessible format at the moment of booking and at the moment of check-in, irrespective of the means used to collect the personal data at the moment of check-in, in accordance with Article 4.
2023/09/06
Committee: LIBE
Amendment 206 #

2022/0425(COD)

Proposal for a regulation
Article 7 c (new)
Article7c Fundamental Rights 1. Collection and processing of personal data in accordance with this Regulation and Regulation (EU) [API border management] by air carriers and competent authorities shall not result in discrimination against persons on the grounds of sex and gender, race, colour, ethnic or social origin, genetic features, language, religion or belief, political or any other opinion, membership of a national minority, property, birth, disability, age or sexual orientation. 2. This Regulation shall fully respect human dignity and the fundamental rights and principles recognised by the Charter of Fundamental Rights of the European Union, including the right to respect for one’s private life, to the protection of personal data and to freedom of movement. 3. Particular attention shall be paid to children, the elderly, persons with a disability and vulnerable persons. The best interests of the child shall be a primary consideration when implementing this Regulation.
2023/09/06
Committee: LIBE
Amendment 207 #

2022/0425(COD)

Proposal for a regulation
Article 8 – paragraph 1
1. PIUs and air carriers shall ensure the security of the API data, in particular API data constituting personal data, that they process pursuant to this Regulation.
2023/09/06
Committee: LIBE
Amendment 209 #

2022/0425(COD)

2. PIUs and air carriers shall cooperate, in accordance with their respective responsibilities and in compliance with Union law, with each other and with eu- LISA to ensure such security.
2023/09/06
Committee: LIBE
Amendment 210 #

2022/0425(COD)

Proposal for a regulation
Article 8 – paragraph 2 a (new)
2a. eu-LISA shall ensure the security of the API data, in particular API data constituting personal data, that it processes pursuant to this Regulation. The competent border authorities and the air carriers shall ensure the security of the API data, in particular API data constituting personal data, that they process pursuant to this Regulation. eu- LISA, the competent border authorities and the air carriers shall cooperate, in accordance with their respective responsibilities and in compliance with Union law, with each other to ensure such security.
2023/09/06
Committee: LIBE
Amendment 211 #

2022/0425(COD)

Proposal for a regulation
Article 8 – paragraph 2 b (new)
2b. In particular, eu-LISA shall take the necessary measures to ensure the security of the router and the API data, in particular API data constituting personal data, transmitted through the router, including by establishing, implementing and regularly updating a security plan, a business continuity plan and a disaster recovery plan, in order to: (a) physically protect the router, including by making contingency plans for the protection of critical components thereof; (b) prevent any unauthorised processing of the API data, including any unauthorised access thereto and copying, modification or deletion thereof, both during the transfer of the API data to and from the router and during any storage of the API data on the router where necessary to complete the transmission, in particular by means of appropriate encryption techniques; (c) ensure that it is possible to verify and establish to which competent border authorities or PIUs the API data is transmitted through the router; (d) properly report to its Management Board any faults in the functioning of the router; (e) monitor the effectiveness of the security measures required under this Article and under Regulation (EU) 2018/1725, and assess and update those security measures where necessary in the light of technological or operational developments. The measures referred to in the first subparagraph of this paragraph shall not affect Article 33 of Regulation (EU) 2018/1725 and Article 32 of Regulation (EU) 2016/679.
2023/09/06
Committee: LIBE
Amendment 213 #

2022/0425(COD)

Proposal for a regulation
Article 9 a (new)
Article9a Personal data protection audits 1. The competent national data protection authorities referred to in Article 41 of Directive 2016/680 shall ensure that an audit of processing operations of API data constituting personal data performed by the PIUs for the purposes of this Regulation is carried out, in accordance with relevant international auditing standards, at least once every two years. 2. The European Data Protection Supervisor shall ensure that an audit of processing operations of API data constituting personal data performed by eu-LISA for the purposes of this Regulation is carried out in accordance with relevant international auditing standards at least once every year. A report of that audit shall be sent to the European Parliament, to the Council, to the Commission, to the Member States and to eu-LISA. eu-LISA shall be given an opportunity to make comments before the reports are adopted. 3. In relation to the processing operations referred to in paragraph 2, upon request, eu-LISA shall supply information requested by the European Data Protection Supervisor, shall grant the European Data Protection Supervisor access to all the documents it requests and to the logs referred to in Article 6, and shall allow the European Data Protection Supervisor access to all eu-LISA’s premises at any time.
2023/09/06
Committee: LIBE
Amendment 217 #

2022/0425(COD)

Proposal for a regulation
Article 11 a (new)
Article11a eu-LISA’s tasks relating to the design and development of the router 1. eu-LISA shall be responsible for the design of the physical architecture of the router, including defining the technical specifications. 2. eu-LISA shall be responsible for the development of the router, including for any technical adaptations necessary for the operation of the router. The development of the router shall consist of the elaboration and implementation of the technical specifications, testing and overall project management and coordination of the development phase. 3. eu-LISA shall ensure that the router is designed and developed in such a manner that the router provides the functionalities specified in this Regulation, and that the router starts operations as soon as possible after the adoption by the Commission of the delegated acts provided for in 4(5) and (9), Article 5(3), Article 10(2), Article 11(2). 4. Where eu-LISA considers that the development phase has been completed, it shall, without undue delay, conduct a comprehensive test of the router, in cooperation with the competent border authorities, PIUs and other relevant Member States’ authorities and air carriers and inform the Commission of the outcome of that test.
2023/09/06
Committee: LIBE
Amendment 219 #

2022/0425(COD)

Proposal for a regulation
Article 11 b (new)
Article11b eu-LISA’s tasks relating to the hosting and technical management of the router 1. eu-LISA shall host the router in its technical sites. 2. eu-LISA shall be responsible for the technical management of the router, including its maintenance and technical developments, in such a manner as to ensure that the API data are securely, effectively and swiftly transmitted through the router, in compliance with this Regulation . The technical management of the router shall consist of carrying out all the tasks and enacting all technical solutions necessary for the proper functioning of the router in accordance with this Regulation, in an uninterrupted manner, 24 hours a day, 7 days a week. It shall include the maintenance work and technical developments necessary to ensure that the router functions at a satisfactory level of technical quality, in particular as regards availability, accuracy and reliability of the transmission of API data, in accordance with the technical specifications and, as much as possible, in line with the operational needs of the competent border authorities, PIUs and air carriers. 3. eu-LISA shall not have access to any of the API data that is transmited through the router. However, that prohibition shall not preclude eu-LISA from having such access insofar as strictly necessary for the maintenance of the router. 4. Without prejudice to paragraph 3 of this Article and to Article 17 of Council Regulation (EEC, Euratom, ECSC) No 259/681a, eu-LISA shall apply appropriate rules of professional secrecy or other equivalent duties of confidentiality to its staff required to work with API data transmitted through the router. This obligation shall also apply after such staff leave office or employment or after the termination of their activities. _________________ 1a Regulation (EEC, Euratom, ECSC) No 259/68 of the Council of 29 February 1968 laying down the Staff Regulations of Officials and the Conditions of Employment of Other Servants of the European Communities and instituting special measures temporarily applicable to officials of the Commission (OJ L 56, 4.3.1968, p. 1).
2023/09/06
Committee: LIBE
Amendment 220 #

2022/0425(COD)

Proposal for a regulation
Article 11 c (new)
Article11c eu-LISA’s support tasks relating to the router 1. eu-LISA shall, upon their request, provide training to competent border authorities, PIUs and other relevant Member States’ authorities and air carriers on the technical use of the router. 2. eu-LISA shall provide support to the competent border authorities and PIUs regarding the reception of API data through the router pursuant to this Regulation, in particular as regards the application of Articles 5 and 10 of this Regulation
2023/09/06
Committee: LIBE
Amendment 221 #

2022/0425(COD)

Proposal for a regulation
Article 12 – title
Costs of eu-LISA and of Member States’ costs
2023/09/06
Committee: LIBE
Amendment 222 #

2022/0425(COD)

Proposal for a regulation
Article 12 – paragraph 1 – subparagraph 1
Costs incurred by eu-LISA and the Member States in relation to their connections to and integration with the router referred to in Article 10 shall be borne by the general budget of the Union.
2023/09/06
Committee: LIBE
Amendment 226 #

2022/0425(COD)

Proposal for a regulation
Article 14 a (new)
Article14a Start of operations of the router The Commission shall determine, without undue delay, the date from which the router starts operations by means of an implementing act once eu-LISA has informed the Commission of the successful completion of the comprehensive test of the router referred to in Article 11a(new)(4). That implementing act shall be adopted in accordance with the examination procedure referred to in Article 18a(new)(2). The Commission shall set the date referred to in the first subparagraph to be no later than 30 days from the date of the adoption of that implementing act.
2023/09/06
Committee: LIBE
Amendment 227 #

2022/0425(COD)

Proposal for a regulation
Article 14 b (new)
Article14b Voluntary use of the router in application of Directive 2004/82/EC 1. Air carriers shall be entitled to use the router to transmit the information referred to in Article 3(1) of Directive 2004/82/EC to one or more of the responsible authorities referred to therein, in accordance with that Directive, provided that the responsible authority concerned has agreed with such use, from an appropriate date set by that authority. That authority shall only agree after having established that, in particular as regards both its own connection to the router and that of the air carrier concerned, the information can be transmitted in a lawful, secure, effective and swift manner. 2. Where an air carrier starts using the router in accordance with paragraph 1, it shall continue using the router to transmit such information to the responsible authority concerned until the date of application of this Regulation referred to in Article 39, second subparagraph. However, that use shall be discontinued, from an appropriate date set by that authority, where that authority considers that there are objective reasons that require such discontinuation and has informed the air carrier accordingly. 3. The responsible authority concerned shall: (a) consult eu-LISA before agreeing with the voluntary use of the router in accordance with paragraph 1; (b) except in situations of duly justified urgency, afford the air carrier concerned an opportunity to comment on its intention to discontinue such use in accordance with paragraph 2 and, where relevant, also consult eu-LISA thereon; (c) immediately inform eu-LISA and the Commission of any such use to which it agreed and any discontinuation of such use, providing all necessary information, including the date of the start of the use, the date of the discontinuation and the reasons for the discontinuation, as applicable.
2023/09/06
Committee: LIBE
Amendment 228 #

2022/0425(COD)

Proposal for a regulation
Article 14 c (new)
Article14c Use of the router for PNR data The provisions of Chapters 3 and 4 shall apply mutatis mutandis to the mandatory transfer and transmission of PNR data through the router.
2023/09/06
Committee: LIBE
Amendment 232 #

2022/0425(COD)

Proposal for a regulation
Article 16 a (new)
Article16a Statistics 1. To support the implementation and supervision of this Regulation, and based on the statistical information referred to in paragraph 5 of this Article and the information referred to in Article 5e(new)(b), eu-LISA shall publish statistics every quarter on the functioning of the router and on compliance by air carriers. The stastistics shall show, in particular, the number of flights for which the router transmitted API and PNR data to the PIUs, indicating the number of intra-EU flights. The statistics shall also show the number of flights for which the air carriers did not transfer API or PNR data, and the number of the travellers who boarded the aircraft with inaccurate, incomplete or no longer up- to-date API or PNR data. 2. For the purposes set out in paragraph 1, the router shall automatically transmit the data listed in paragraph 5 to the central repository for reporting and statistics established in Article 39 of Regulation (EU) 2019/817 without the data allowing for the identification of the travellers concerned. This automated transmission shall take place after the immediate deletion of the API and PNR data of those intra-EU flights that have not been selected by a Member State in accordance with Article 5e(new)(b). No data collected on those non-selected intra- EU flights shall be transmitted to the central repository for reporting and statistics. 3. At the end of each year, to support the implementation and supervision of this Regulation, eu-LISA shall compile statistical data in an annual report for that year. It shall publish that annual report and transmit it to the European Parliament, the Council, the Commission, the European Data Protection Supervisor, and the national supervisory authorities referred to in Article 29. 4. At the request of the Commission, eu- LISA shall provide it with statistics on specific aspects related to the implementation of this Regulation as well as the statistics pursuant to paragraph 3. 5. The central repository for reporting and statistics shall provide eu-LISA with the statistical information necessary for the reporting referred to in Article 38 and for generating statistics in accordance with the present Article, based on the following data element, and without such statistical information allowing for the identification of the travellers concerned: (a) whether the traveller is passenger or a crew member; (b) the date and initial point of embarkation, and the date and point of arrival; (c) the number of travellers checked-in on the same flight; (d) whether the flight is a scheduled or a non-scheduled flight; (e) whether the personal data of the traveller is accurate, complete and up-to- date. 6. For the the purposes of the reporting referred to in Article 38 and for generating statistics in accordance with the present Article, the central repository for reporting and statistics shall store for a period of three years the data listed in paragraph 5 that it received automatically from the router in accordance with paragraph 2, without the data allowing for the identification of the travellers concerned. 7. The procedures put in place by eu- LISA to monitor the development and the functioning of the router referred to in Article 39(1) of Regulation (EU) 2019/817 shall include the possibility to produce regular statistics to ensure that monitoring. 8. The use of statistical data referred to in this Article for risk analysis, profiling or predictive risk assessment shall be prohibited.
2023/09/06
Committee: LIBE
Amendment 237 #

2022/0425(COD)

Proposal for a regulation
Article 18 a (new)
Article18a Committee procedure 1. The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011. 2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply. Where the committee delivers no opinion, the Commission shall not adopt the draft implementing act and Article 5(4), the third subparagraph, of Regulation (EU) No 182/2011 shall apply.
2023/09/06
Committee: LIBE
Amendment 240 #

2022/0425(COD)

Proposal for a regulation
Article 20 – paragraph -1 (new)
-1. eu-LISA shall ensure that procedures are in place to monitor the development of the router in light of objectives relating to planning and costs, and to monitor the functioning of the router in light of objectives relating to the technical output, cost-effectiveness, security and quality of service.
2023/09/06
Committee: LIBE
Amendment 241 #

2022/0425(COD)

Proposal for a regulation
Article 20 – paragraph -1 a (new)
-1a. By [one year after the date of entry into force of this Regulation] and every year thereafter during the development phase of the router, eu-LISA shall produce a report, and submit it to the European Parliament and to the Council on the state of play of the development of the router. That report shall contain detailed information about the costs incurred and about any risks which may impact the overall costs to be borne by the general budget of the Union in accordance with Article 12.
2023/09/06
Committee: LIBE
Amendment 242 #

2022/0425(COD)

Proposal for a regulation
Article 20 – paragraph -1 b (new)
-1b. Once the router starts operations, eu-LISA shall produce a report and submit it to the European Parliament and to the Council explaining in detail how the objectives, in particular relating to planning and costs, were achieved as well as justifying any divergences.
2023/09/06
Committee: LIBE
Amendment 247 #

2022/0425(COD)

Proposal for a regulation
Article 21 – paragraph 2
It shall apply from two years from the date at which the router starts operations, specified by the Commission in accordance with Article 27 of Regulation (EU) [API border management]14a(new).
2023/09/06
Committee: LIBE
Amendment 248 #

2022/0425(COD)

However, Article 4(5) and (9), Article 5(3), Article 10(2), Article 11(2), Article 18a(new) and Article 19 shall apply from [Date of entry into force of this Regulation].
2023/09/06
Committee: LIBE
Amendment 72 #

2022/0424(COD)

Proposal for a regulation
Recital 2
(2) The use of traveller data and flight information transferred ahead of the arrival of travellers, known as advance passenger information (‘API’) data, contributes to the speeding up of the process of carrying out the required checks during the border- crossing process. For the purposes of this Regulation that process concerns, more specifically, the crossing of borders between a third country or a Member State not participating in this Regulation, on the one hand, and a Member State participating in this Regulation, on the other hand. Such use could strengthens checks at those external borders by providing sufficient time to enable detailed and comprehensive checks to be carried out on all travellers, without having a disproportionate negative effect on persons travelling in good faith. Therefore, in the interest of the effectiveness and efficiency of checks at external borders, an appropriate legal framework should be provided for to ensure that Member States’ competent border authorities at such external border crossing points have access to API data prior to the arrival of travellers.
2023/09/06
Committee: LIBE
Amendment 74 #

2022/0424(COD)

Proposal for a regulation
Recital 5
(5) In order to ensure as consistent approach at internats possible at the Unional level as much as possible and in view of the rules on the collection of API data applicable at that level, the updated legal framework established by this Regulation should take into account the relevant practices internationally agreed with the air industry and, specifically in the context of the World Customs Organisation, International Aviation Transport Association and International Civil Aviation Organisation Guidelines on Advance Passenger Information.
2023/09/06
Committee: LIBE
Amendment 75 #

2022/0424(COD)

Proposal for a regulation
Recital 6
(6) The collection and transfer of API data affects the privacy of individuals and entails the processing of their personal data. In order to fully respect their fundamental rights, in particular the right of respect for private life and the right to the protection of personal data, in accordance with the Charter of Fundamental Rights of the European Union (‘Charter’), adequate limits and safeguards should be provided for. In particular, any processing of API data and, in particular, API data constituting personal data, should remain strictly limited to what is necessary for and proportionate to achieving the objectives pursued by this Regulation. In addition, it should be ensured that the APIprocessing of any API data collected and transferred under this Regulation does not lead to any form of discrimination precluded by the Charter.
2023/09/06
Committee: LIBE
Amendment 77 #

2022/0424(COD)

Proposal for a regulation
Recital 7
(7) In order to achieve its objectives, this Regulation should apply to all air carriers conducting flights into the Union, as defined in this Regulation, covering both scheduled and non-scheduled flights, irrespective of the place of establishment of the air carriers conducting those flights.
2023/09/06
Committee: LIBE
Amendment 81 #

2022/0424(COD)

Proposal for a regulation
Recital 8
(8) In the interest of effectiveness and legal certainty, the items of information that jointly constitute the API data to be collected and subsequently transferred under this Regulation should be listed clearly and exhaustively, covering both information relating to each traveller and information on the flight oftaken by that traveller. Such flight information should cover information on the border crossing point of entry into the territory of the Member State concerned in all cases covered by this Regulation, but that. However, such information should be collected only where applicable under Regulation (EU) [API law enforcement], that is, not when the API data relate to intra-EU flights.
2023/09/06
Committee: LIBE
Amendment 83 #

2022/0424(COD)

Proposal for a regulation
Recital 9
(9) In order to allow for flexibility and innovation, it should in principle be left to each air carrier to determine how it meets its obligations regarding the collection of API data set out in this Regulation. However, considering that suitable technological solutions exist that allow collecting certain API data automatically while guaranteeing that the API data concerned is accurate, complete and up-to- date, and having regard to the advantages of the use of such technology in terms of effectiveness and efficiency, air carriers should be required to collect thate API data using automated means, specifically by reading information from the machine- readable data of the travel document. The collection of API data by automated means should be limited to the alphanumerical data contained in the travel document and should not lead to the collection of any biometric data from it.
2023/09/06
Committee: LIBE
Amendment 86 #

2022/0424(COD)

Proposal for a regulation
Recital 10
(10) Automated means enable travellers to provide certain API data themselves during an online check-in process. Such means could, for example, include a secure app on a travellers’ smartphone, computer or webcam with the capability to read the machine-readable data of the travel document. Where the travellers did not check-in online, air carriers should in practice provide them with the possibility to provide the required machine-readable API data concerned during the check-in at the airport, with the assistance of a self-service kiosk or of airline staff at the counter.
2023/09/06
Committee: LIBE
Amendment 88 #

2022/0424(COD)

Proposal for a regulation
Recital 11
(11) The Commission should be empowered to adopt technical requirements and procedural rules that air carriers are toshould comply with in connection toregarding the use of automated means for the collection of machine-readable API data under this Regulation, so as to increase clarity and legal certainty and to contribute to ensuring data quality and the responsible use of the automated means.
2023/09/06
Committee: LIBE
Amendment 101 #

2022/0424(COD)

Proposal for a regulation
Recital 17
(17) In order to avoid that air carriers have to establish and maintain multiple connections with the competent border authorities of the Member States’ for the transfer of API data collected under this Regulation and the related inefficiencies and security risks, provision should be made for a single router, created and operated at Union level, that serves as a connection and distribution point for those transfers. In the interest of efficiency and cost effectiveness, the router should, to the extent technically possible and in full respect of the rules of this Regulation and Regulation (EU) [API law enforcement], rely on technical components from other relevant systems created under Union law. To provide for the same level of clarity and certainty, the provisions related to the router, security and support tasks by eu- LISA should be mirrored in this Regulation and Regulation (EU) [API law enforcement], as eu-LISA should build and maintain only one router for the purposes of both Regulations.
2023/09/06
Committee: LIBE
Amendment 105 #

2022/0424(COD)

Proposal for a regulation
Recital 19
(19) The router should serve only to facilitate the transmission of API data from the air carriers to the competent border authorities in accordance with this Regulation and to PIUs in accordance with Regulation (EU) [API law enforcement], and should not be a repository of API data. Therefore, and in order to minimise any risk of unauthorised access or other misuse and in accordance with the principle of data minimisation, any storage of the API data on the router should remain limited to what is strictly necessary for technical purposes related to the transmission and the API data should be deleted from the router, immediately, permanently and in an automated manner, from the moment that the transmission has been completed or, where relevant under Regulation (EU) [API law enforcement], the API data is not to be transmitted at all.
2023/09/06
Committee: LIBE
Amendment 113 #

2022/0424(COD)

Proposal for a regulation
Recital 23
(23) In view of the Union interests at stake, the costs incurred by eu-LISA for the performance of its tasks under this Regulation and Regulation (EU) [API law enforcement] in respect of the router should be borne by the Union budget. The same should go for appropriate costs incurred by the Member States in relation to their connections to, and integration with, the router, as required under this Regulation and in accordance with the applicable legislation, subject to certain exceptions. The costs covered by those exceptions should be borne by each Member State concerned itself.
2023/09/06
Committee: LIBE
Amendment 114 #

2022/0424(COD)

Proposal for a regulation
Recital 25
(25) In the interest of ensuring compliance with the fundamental right tof the travellers to the protection of their personal data, this Regulation should identify the controller and processor and set out rules on audits. In the interest of effective monitoring, ensuring adequate protection of personal data and minimising security risks, rules should also be provided for on logging, security of processing and self-monitoring. Where they relate to the processing of personal data, those provisions should be understood as complementing the generally applicable acts of Union law on the protection of personal data, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council34 and Regulation (EU) 2018/1725 of the European Parliament and the Council.35 Those acts, which also apply to the processing of personal data under this Regulation in accordance with the provisions thereof, should not be affected by this Regulation. Taking due consideration of the right of the travellers to be informed of the processing of their personal data for the purposes of this Regulation, the air carriers should inform travellers, at the moment of booking and at the moment of check-in, of the purpose of the collection of their personal data and of their rights as data subjects. _________________ 34 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1). 35 Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
2023/09/06
Committee: LIBE
Amendment 118 #

2022/0424(COD)

Proposal for a regulation
Recital 30
(30) As the router should be designed, developed, hosted and technically managed by the eu-LISA, established by Regulation (EU) 2018/1726 of the European Parliament and of the Council36 , it is necessary to amend that Regulation by adding that task to the tasks of eu-LISA. In order to store reports and statistics of the router on the Common Repository for Reporting and Statistics it is necessary to amend Regulation (EU) 2019/817 of the European Parliament and of the Council37 . The Common Repository for Reporting and Statistics should only provide statistics based on API data for the implementation and effective supervision of this Regulation. The data that the router automatically transmits to the Common Repository for Reporting and Statistics to that end should not allow for the identification of the travellers concerned. _________________ 36 Regulation (EU) 2018/1726 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), and amending Regulation (EC) No 1987/2006 and Council Decision 2007/533/JHA and repealing Regulation (EU) No 1077/2011 (OJ L 295, 21.11.2018, p. 99). 37 Regulation (EU) 2019/817 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of borders and visa and amending Regulations (EC) No 767/2008, (EU) 2016/399, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1726 and (EU) 2018/1861 of the European Parliament and of the Council and Council Decisions 2004/512/EC and 2008/633/JHA (OJ L 135, 22.5.2019, p. 27).
2023/09/06
Committee: LIBE
Amendment 127 #

2022/0424(COD)

Proposal for a regulation
Article 1 – paragraph 1 – introductory part
For the purposes of enhancing and facilitating the effectiveness and efficiency of border checks at external borders and of combating illegal immigration, this Regulation lays down the rules on:
2023/09/06
Committee: LIBE
Amendment 150 #

2022/0424(COD)

Proposal for a regulation
Article 3 – paragraph 1 – point l
(l) ‘Passenger Information Unit’ or ‘PIU’ means the competent authority referred to in Article 3, point ik, of Regulation (EU) [API law enforcement];
2023/09/06
Committee: LIBE
Amendment 152 #

2022/0424(COD)

Proposal for a regulation
Article 4 – paragraph 1
1. Air carriers shall collect API data of travellers, consisting of the traveller data and the flight information specified in paragraphs 2 and 3 of this Article, respectively, on the flights referred to in Article 2, for the purpose of transferring that API data to the router in accordance with Article 6. Where the flight is code- shared between one or more air carriers, the obligation to transfer the API data shall be on the air carrier that operates the flight.
2023/09/06
Committee: LIBE
Amendment 163 #

2022/0424(COD)

Proposal for a regulation
Article 5 – paragraph 2 – subparagraph 1
Air carriers shall collect the alphanumerical API data referred to Article 4(2), points (a) to (d), using automated means to collect the machine- readable data of the travel document of the traveller concerned. Air carriers shall collect that data during the check-in procedures, either as part of the online check-in or as part of the check-in at the airport. They shall do so in accordance with the detailed technical requirements and operational rules referred to in paragraph 4, where such rules have been adopted and are applicable. Specifically, the collection of API data with automated means shall not lead to the collection of any biometric data from the travel document.
2023/09/06
Committee: LIBE
Amendment 168 #

2022/0424(COD)

Proposal for a regulation
Article 5 – paragraph 3
3. Any automated means used by air carriers to collect API data under this Regulation shall be reliable, secure and up- to-date. Air carriers shall ensure that API data is encrypted during the transmission of the data from the traveller to the air carriers.
2023/09/06
Committee: LIBE
Amendment 176 #

2022/0424(COD)

Proposal for a regulation
Article 7 – paragraph 1
The competent border authorities shall process API data, transferred to them in accordance with this Regulation, solely for the purposes referred to in Article 1. The competent border authorities shall under no circumstances process API data for the purposes of profiling.
2023/09/06
Committee: LIBE
Amendment 181 #

2022/0424(COD)

Proposal for a regulation
Article 8 – paragraph 1
1. Air carriers shall store, for a time period of 248 hours from the moment of departure of the flight, the API data relating to that passenger that they collected pursuant to Article 4. They shall immediately and permanently delete that API data after the expiry of that time period.
2023/09/06
Committee: LIBE
Amendment 186 #

2022/0424(COD)

Proposal for a regulation
Article 8 – paragraph 2
2. The competent border authorities shall store, for a time period of 248 hours from the moment of departure of the flight, the API data relating to that passenger that they received through the router pursuant to Article 11. They shall immediately and permanently delete that API data after the expiry of that time period.
2023/09/06
Committee: LIBE
Amendment 196 #

2022/0424(COD)

Proposal for a regulation
Article 9 – paragraph 1
1. eu-LISA shall design, develop, host and technically manage, in accordance with Articles 22 and 23, a router for the purpose of facilitating the transfer of API data by the air carriers to the competent border authorities and to the PIUs in accordance with this Regulation and Regulation (EU) [API law enforcement], respectively.
2023/09/06
Committee: LIBE
Amendment 203 #

2022/0424(COD)

Proposal for a regulation
Article 9 – paragraph 3 a (new)
3a. eu-LISA shall design and develop the router in a way that for any transfer of API data from the air carriers to the router in accordance with Article 6, and for any transmission of API data from the router to the competent border authorities in accordance with Article 11 and to the central repository for reporting and statistics in accordance with Article 31(2), the API data is encrypted during transit.
2023/09/06
Committee: LIBE
Amendment 206 #

2022/0424(COD)

Proposal for a regulation
Article 10 – paragraph 1
TNotwithstanding the use of the router in Article 5d of Regulation (EU) [API law enforcement], the router shall only be used by air carriers to transfer API data and by competent border authorities and PIUs to receive API data, in accordance with this Regulation and Regulation (EU) [API law enforcement], respectively.
2023/09/06
Committee: LIBE
Amendment 220 #

2022/0424(COD)

Proposal for a regulation
Article 12 – paragraph 1 – introductory part
API data, transferred to the router pursuant to this Regulation and Regulation (EU) [API law enforcement], shall be stored on the router only insofar as necessary to complete the transmission to the relevant competent borders authorities or PIUs, as applicable, in accordance with those Regulations and shall be deleted from the router, immediately, permanently and in an automated manner, in both of the following situations:
2023/09/06
Committee: LIBE
Amendment 222 #

2022/0424(COD)

Proposal for a regulation
Article 12 – paragraph 1 – point a
(a) where the transmission of the API data to the relevant competent border authorities or PIUs, as applicable, has been completed;
2023/09/06
Committee: LIBE
Amendment 223 #

2022/0424(COD)

Proposal for a regulation
Article 12 – paragraph 1 – point a a (new)
(aa) in cases of technical impossibility of the router to subsequently transmit the API data to the competent national authorities, after 12 hours;
2023/09/06
Committee: LIBE
Amendment 226 #

2022/0424(COD)

Proposal for a regulation
Article 12 – paragraph 1 – point b
(b) in respect of Regulation (EU) [API law enforcement], where the API data relates to other intra-EU flights than those included the lists referred to in Article 5(2) of that Regulation.deleted
2023/09/06
Committee: LIBE
Amendment 228 #

2022/0424(COD)

eu-LISA shall keep logs of all processing operations relating to the transfer of API data through the router under this Regulation and Regulation (EU) [API law enforcement]. Those logs shall cover the following:
2023/09/06
Committee: LIBE
Amendment 229 #

2022/0424(COD)

Proposal for a regulation
Article 13 – paragraph 1 – subparagraph 1 – point b
(b) the competent border authorities and PIUs to which the API data was transmitted through the router;
2023/09/06
Committee: LIBE
Amendment 232 #

2022/0424(COD)

Proposal for a regulation
Article 13 – paragraph 3
3. The logs referred to in paragraphs 1 and 2 shall be used only for ensuring the security and integrity of the API data and the lawfulness of the processing, in particular as regards compliance with the requirements set out in this Regulation and Regulation (EU) [API Law Enforcement], including proceedings for penalties for infringements of those requirements in accordance with Articles 29 and 30 of this Regulation.
2023/09/06
Committee: LIBE
Amendment 238 #

2022/0424(COD)

Proposal for a regulation
Article 15 – paragraph 1
The competent border authorities shall be controllers, within the meaning of Article 4, point (7), of Regulation (EU) 2016/679, in relation to the processing of API data constituting personal data through the router , including the transmission of the data from the router to the authorities and the storage for technical reasons of that data in the router, as well as in relation to their processing of API data constituting personal data referred to in Article 7 of this Regulation.
2023/09/06
Committee: LIBE
Amendment 241 #

2022/0424(COD)

Proposal for a regulation
Article 16 – paragraph 1
eu-LISA shall be the processor on behalf of the competent border authorities within the meaning of Article 3, point (12), of Regulation (EU) 2018/1725 for the processing of API data constituting personal data through the router in accordance with this Regulation and Regulation (EU) [API law enforcement].
2023/09/06
Committee: LIBE
Amendment 243 #

2022/0424(COD)

Proposal for a regulation
Article 16 a (new)
Article16a Information to travellers In accordance with the right of information in Article 13 of Regulation (EU) 2016/679, air carriers shall provide travellers, on flights covered by this Regulation, with information on the purpose of the collection of personal data, the type of data collected, the recipients of the personal data and the means to exercise the data subject rights. This information should be communicated to travellers in writing and in an easily accessible format at the moment of booking and at the moment of check-in, irrespective of the means used to collect the data at the moment of check-in in accordance with Article 5.
2023/09/06
Committee: LIBE
Amendment 246 #

2022/0424(COD)

Proposal for a regulation
Article 17 – paragraph 1
1. eu-LISA shall ensure the security of the API data, in particular API data constituting personal data, that it processes pursuant to this Regulation and Regulation (EU) [API law enforcement]. The competent border authorities and the air carriers shall ensure the security of the API data, in particular API data constituting personal data, that they process pursuant to this Regulation. eu-LISA, the competent border authorities and the air carriers shall cooperate, in accordance with their respective responsibilities and in compliance with Union law, with each other to ensure such security.
2023/09/06
Committee: LIBE
Amendment 250 #

2022/0424(COD)

Proposal for a regulation
Article 19 – paragraph 2
2. The European Data Protection Supervisor shall ensure that an audit of processing operations of API data constituting personal data performed by eu- LISA for the purposes of this Regulation and Regulation (EU) [API law enforcement] is carried out in accordance with relevant international auditing standards at least once every year. A report of that audit shall be sent to the European Parliament, to the Council, to the Commission, to the Member States and to eu-LISA. eu-LISA shall be given an opportunity to make comments before the reports are adopted.
2023/09/06
Committee: LIBE
Amendment 251 #

2022/0424(COD)

Proposal for a regulation
Article 20 – paragraph 1 – subparagraph 1
Member States shall ensure that their competent border authorities are connected to the router. They shall ensure that the competent border authorities’ systems and infrastructure for the reception of API data transferred purpsuant to this Regulation are integrated with the router.
2023/09/06
Committee: LIBE
Amendment 255 #

2022/0424(COD)

Proposal for a regulation
Article 22 – paragraph 3
3. eu-LISA shall ensure that the router is designed and developed in such a manner that the router provides the functionalities specified in this Regulation and Regulation (EU) [API law enforcement], and that the router starts operations as soon as possible after the adoption by the Commission of the delegated acts provided for in Article 5(4), Article 6(3), Article 11(4), Article 20(2) and Article 21(2).
2023/09/06
Committee: LIBE
Amendment 256 #

2022/0424(COD)

Proposal for a regulation
Article 23 – paragraph 2 – subparagraph 1
eu-LISA shall be responsible for the technical management of the router, including its maintenance and technical developments, in such a manner as to ensure that the API data are securely, effectively and swiftly transmitted through the router, in compliance with this Regulation and Regulation (EU) [API law enforcement].
2023/09/06
Committee: LIBE
Amendment 257 #

2022/0424(COD)

Proposal for a regulation
Article 23 – paragraph 2 – subparagraph 2
The technical management of the router shall consist of carrying out all the tasks and enacting all technical solutions necessary for the proper functioning of the router in accordance with this Regulation, Regulation (EU) [API law enforcement], in an uninterrupted manner, 24 hours a day, 7 days a week. It shall include the maintenance work and technical developments necessary to ensure that the router functions at a satisfactory level of technical quality, in particular as regards availability, accuracy and reliability of the transmission of API data, in accordance with the technical specifications and, as much as possible, in line with the operational needs of the competent border authorities, PIUs and air carriers.
2023/09/06
Committee: LIBE
Amendment 259 #

2022/0424(COD)

Proposal for a regulation
Article 24 – paragraph 2
2. eu-LISA shall provide support to the competent border authorities and PIUs regarding the reception of API data through the router pursuant to this Regulation and Regulation (EU) [API law enforcement], respectively, in particular as regards the application of Articles 11 and 20 of this Regulation and Articles 5 and 10 of Regulation (EU) [API law enforcement].
2023/09/06
Committee: LIBE
Amendment 262 #

2022/0424(COD)

Proposal for a regulation
Article 25 – paragraph 1
1. Costs incurred by eu-LISA in relation to the design, development, hosting and technical management of the router under this Regulation and Regulation (EU) [API law enforcement] shall be borne by the general budget of the Union.
2023/09/06
Committee: LIBE
Amendment 271 #

2022/0424(COD)

Proposal for a regulation
Article 31 – paragraph 1
1. Every quarterTo support the implementation and supervision of this Regulation and based on the statistical information referred to in paragraph 5 of this Article, eu-LISA shall publish every quarter statistics on the functioning of the router, and on compliance by air carriers. The stastistics shall showing in particular, the number, the nationality and the country of departure of the travellers, and specifically of the of flights for which the router transmitted API data to competent border authorities. The statistics shall also show the number of flights for which air carriers did not transfer API data, and the number of travellers who boarded the aircraft with inaccurate, incomplete or no longer up-to-date API data, with a non- recognised travel document, without a valid visa, without a valid travel authorization, or reported as overstay, the number and nationality of travellers.
2023/09/06
Committee: LIBE
Amendment 274 #

2022/0424(COD)

Proposal for a regulation
Article 31 – paragraph 2
2. eu-LISA shall store the daily statistics inFor the purposes set out in paragraph 1, the router shall automatically transmit the data listed in paragraph 5 to the central repository for reporting and statistics established in Article 39 of Regulation (EU) 2019/817 without the data allowing for the identification of the travellers concerned.
2023/09/06
Committee: LIBE
Amendment 275 #

2022/0424(COD)

Proposal for a regulation
Article 31 – paragraph 3
3. At the end of each year, to support the implementation and supervision of this Regulation, eu-LISA shall compile statistical data in an annual report for that year. It shall publish that annual report and transmit it to the European Parliament, the Council, the Commission, the European Data Protection Supervisor, the European Border and Coast Guard Agency and the national supervisory authorities referred to in Article 29.
2023/09/06
Committee: LIBE
Amendment 277 #

2022/0424(COD)

Proposal for a regulation
Article 31 – paragraph 4
4. At the request of the Commission, eu-LISA shall provide it with statistics on specific aspects related to the implementation of this Regulation and Regulation (EU) [API Law enforcement] as well as the statistics pursuant to paragraph 3.
2023/09/06
Committee: LIBE
Amendment 278 #

2022/0424(COD)

Proposal for a regulation
Article 31 – paragraph 5 – introductory part
5. eu-LISA shall have the right to access the following API data transmitted through to the router, solely for the purposes ofThe central repository for reporting and statistics shall provide eu- LISA with the statistical information necessary for the reporting referred to in Article 38 and for generating statistics in accordance with the present Article, without however such accessbased on the following data elements, and without the statistical information provided allowing for the identification of the travellers concerned:
2023/09/06
Committee: LIBE
Amendment 283 #

2022/0424(COD)

Proposal for a regulation
Article 31 – paragraph 5 – point b
(b) the nationality, sex and year of birth of the traveller;
2023/09/06
Committee: LIBE
Amendment 291 #

2022/0424(COD)

Proposal for a regulation
Article 31 – paragraph 6
6. For the the purposes of the reporting referred to in Article 38 and for generating statistics in accordance with the present Article, eu-LISA shall store the data referred to in paragraph 5 of this Article in the central repository for reporting and statistics established by Article 39 of Regulation (EU) 2019/817. The cross-system statistical data and analytical reporting referred to in Article 39(1) of that Regulation shall allow the competent border authorities and other relevant authorities of the Member States to obtain customisable reports and statistics, for the purposes referred to in Article 1 of this Regulationthe central repository for reporting and statistics shall store for a period of three years the data listed in paragraph 5 that it received automatically from the router in accordance with paragraph 2, without the data allowing for the identification of the travellers concerned.
2023/09/06
Committee: LIBE
Amendment 532 #

2022/0155(COD)

Proposal for a regulation
Article 1 – paragraph 3 a (new)
3a. This Regulation shall not prohibit, weaken or undermine end-to-end encryption, prohibit providers of information society services from providing their services applying end-to- end encryption, or be interpreted in that way.
2023/07/28
Committee: LIBE
Amendment 534 #

2022/0155(COD)

Proposal for a regulation
Article 1 – paragraph 3 b (new)
3b. This Regulation shall not undermine the prohibition of general monitoring under Union law or introduce general data retention obligations, or be interpreted in that way.
2023/07/28
Committee: LIBE
Amendment 608 #

2022/0155(COD)

Proposal for a regulation
Article -3 (new)
Article-3 Protection of fundamental human rights and confidentiality in communications 1. Nothing in this Regulation shall prohibit, weaken or undermine end-to-end encryption, prohibit providers of information society services from providing their services applying end-to- end encryption or be interpreted in that way. 2. Nothing in this Regulation shall undermine the prohibition of general monitoring under Union law or introduce general data retention obligations.
2023/07/28
Committee: LIBE
Amendment 95 #

2022/0085(COD)

Proposal for a regulation
Recital 4
(4) The Union institutions, bodies and agencies are attractive targets who face highly skilled and well-resourced threat actors as well as other threats. At the same time, the level and maturity of cyber resilience and the ability to detect and respond to malicious cyber activities varies significantly across those entities. It is thus necessary for the functioning of the European administration that the institutions, bodies and agencies of the Union achieve a high common level of cybersecurity through a cybersecurity baseline (a set of minimum cybersecurity rules with which network and information systems and their operators and users have to be compliant to minimise cybersecurity risks)the implementation of cybersecurity risk management measures commensurate to the respective risks posed, information exchange and collaboration.
2022/10/28
Committee: ITRE
Amendment 97 #

2022/0085(COD)

Proposal for a regulation
Recital 6
(6) To reach a high common level of cybersecurity, it is necessary that each Union institution, body and agency establishes an internal cybersecurity risk management, governance and control framework that ensures an effective and prudent management of all cybersecurity risks, and takes account of business continuity and crisis management. The framework should lay down cybersecurity policies and priorities for the security of network and information systems encompassing the entirety of the ICT environment. The framework should be reviewed on a regular basis and at least every three years on the basis of key performance indicators to ensure that strategic objectives are met.
2022/10/28
Committee: ITRE
Amendment 99 #

2022/0085(COD)

Proposal for a regulation
Recital 7
(7) The differences between Union institutions, bodies and agencies require flexibility in the implementation since one size will not fit all. The measures for a high common level of cybersecurity should not include any obligations directly interfering with the exercise of the missions of Union institutions, bodies and agencies or encroaching on their institutional autonomy. Thus, those institutions, bodies and agencies should establish their own frameworks for cybersecurity risk management, governance and control, and adopt their own baselines and cybersecurity plans. cybersecurity risk management measures and cybersecurity plans. Union institutions, bodies, offices and agencies should continuously evaluate the effectiveness of the adopted risk management measures and their proportionality relative to the identified risks, and where necessary, adjust and revise accordingly their frameworks and plans on the basis of the results of the cybersecurity maturity assessments.
2022/10/28
Committee: ITRE
Amendment 105 #

2022/0085(COD)

Proposal for a regulation
Recital 9
(9) A high common level of cybersecurity requires cybersecurity to come under the oversight of the highest level of management of each Union institution, body and agency, who should approve a cybersecurity baseline that shouldoversee the implementation of the provisions of this Regulation and approve the establishment, and any subsequent revisions thereof, of the risk management and control framework, the corresponding cybersecurity risk management measures addressing the risks identified underin the framework to be established by eachand the cybersecurity plans of each Union institution, body, office and agency. Addressing the cybersecurity culture, i.e. the daily practice of cybersecurity, is an integral part of a cybersecurity baselinerisk management, governance and control framework and the corresponding cybersecurity risk management measures in all Union institutions, bodies, offices and agencies.
2022/10/28
Committee: ITRE
Amendment 110 #

2022/0085(COD)

Proposal for a regulation
Recital 11
(11) In May 2011, the Secretaries- General of the Union institutions and bodies decided to establish a pre- configuration team for a computer emergency response team for the Union’s institutions, bodies and agencies (CERT- EU) supervised by an inter-institutional Steering Board. In July 2012, the Secretaries-General confirmed the practical arrangements and agreed to maintain CERT-EU as a permanent entity to continue to help improve the overall level of information technology security of the Union’s institutions, bodies and agencies as an example of visible inter-institutional cooperation in cybersecurity. In September 2012, CERT-EU was established as a Taskforce of the European Commission with an interinstitutional mandate. In December 2017, the Union institutions and bodies concluded an interinstitutional arrangement on the organisation and operation of CERT-EU3 . This arrangement should continue to evolve to support the implementation of this Regulation and be evaluated on a regular basis in light of future negotiations of long-term budget frameworks allowing for further decisions to be made with respect to the functioning and institutional role of CERT-EU, including the possible establishment of CERT-EU as a Union office. _________________ 3 OJ C 12, 13.1.2018, p. 1–11.
2022/10/28
Committee: ITRE
Amendment 113 #

2022/0085(COD)

Proposal for a regulation
Recital 13
(13) Many cyberattacks are part of wider campaigns that target groups of Union institutions, bodies and agencies or communities of interest that include Union institutions, bodies and agencies. To enable proactive detection, incident response or mitigating measures, and recovery from significant incidents, Union institutions, bodies and agencies should notify CERT- EU of significant cyber threats, significant vulnerabilities and significant incidents and share appropriate technical details that enable detection or mitigation of, as well as response to, similar cyber threats, vulnerabilities and and recovery from similar incidents in other Union institutions, bodies and agencies. Following the same approach as the one envisaged in Directive [proposal NIS 2], where entitUnion institutions, bodies, offices and agencies become aware of a significant incident they should be required to submit an initial notificationearly warning to CERT- EU within 24 hours. Such information exchange should enable CERT-EU to disseminate the information to other Union institutions, bodies and agencies, as well as to appropriate counterparts, to help protect the Union IT environments and the Union’s counterparts’ IT environments against similar incidents, threats and vulnerabilities.
2022/10/28
Committee: ITRE
Amendment 114 #

2022/0085(COD)

Proposal for a regulation
Recital 13 a (new)
(13 a) This Regulation lays down a multiple-stages approach to reporting of significant incidents in order to strike the right balance between, on the one hand, swift reporting hat helps mitigate the potential spread of incidents and allows entities to seek support, and, on the other hand, in-depth reporting that draws valuable lessons from individual incidents and improves over time the resilience of individual Union institutions, bodies, offices and agencies and contributes to increasing the overall cybersecurity posture of European administration. In this regard, the Regulation should also include reporting of incidents that, based on an initial assessment performed by the Union institution, body, office or agency, may be assumed to lead to severe operational disruption or financial losses or affect other natural or legal persons by causing considerable material or non- material losses. Such initial assessment should take into account, amongst other, the affected network and information systems and in particular their importance for the functioning and operations of the Union institution, body, office or agency, the severity and technical characteristics of a cyber threat and any underlying vulnerabilities that are being exploited as well as the Union institution, body, office or agency’s experience with similar incidents. Indicators such as the extent to which the functioning of Union institution, body, office or agency is affected, the duration of an incident or the number of affected users could play an important role in defining whether the operational disruption of the service is of severe nature.
2022/10/28
Committee: ITRE
Amendment 116 #

2022/0085(COD)

Proposal for a regulation
Recital 14 a (new)
(14 a) The IICB’s function is aimed at supporting Union institutions, bodies, offices and agencies in elevating their respective cybersecurity postures by implementing the provisions of this Regulation. In order to support Union institutions, bodies, office and agencies, the IICB could adopt guidance and recommendations towards Union institutions, bodies, offices and agencies’ cybersecurity maturity assessments and cybersecurity plans, review possible interconnections between Union institutions, bodies, offices and agencies’ ICT environments and support the establishment of a Cybersecurity Officers Group under ENISA, gathering the Local Cybersecurity Officers of all Union institutions, bodies, offices and agencies with an aim to facilitate the sharing of best practices and experiences gained from the implementation of this Regulation.
2022/10/28
Committee: ITRE
Amendment 117 #

2022/0085(COD)

Proposal for a regulation
Recital 14 b (new)
(14 b) In order to ensure alignment with Directive [proposal NIS 2], the IICB could adopt recommendations based on the results of EU coordinated risk assessments of critical supply chains referred to in Article19 of Directive [proposal NIS 2] to support Union institutions, bodies, offices and agencies in adopting effective and proportionate risk management measures relating to supply chain security and develop guidelines for information sharing arrangements of Union institutions, bodies, offices and agencies relating to the voluntary notification of cyber threats, near misses and incidents to CERT-EU.
2022/10/28
Committee: ITRE
Amendment 119 #

2022/0085(COD)

Proposal for a regulation
Recital 16 a (new)
(16 a) Where the IICB finds that Union institutions, bodies, offices or agencies have not effectively applied or implemented this Regulation it could, without prejudice to the internal procedures of the relevant Union institution, body, office or agency, request relevant and available documentation relating to the effective implementation of the provisions of this Regulation, communicate a reasoned opinion with observed gaps in the implementation of this Regulation, invite the Union institution, body, office or agency concerned to provide a self-assessment on its reasoned and issue, in cooperation with CERT-EU, guidance to bring its respective risk management, governance and control framework, cybersecurity risk management measures, cybersecurity plans and reporting obligations incompliance with this Regulation.
2022/10/28
Committee: ITRE
Amendment 123 #

2022/0085(COD)

Proposal for a regulation
Recital 20
(20) In supporting operational cybersecurity, CERT-EU should make use of the available expertise of the European Union Agency for Cybersecurity (ENISA) through structured cooperation as provided for in Regulation (EU) 2019/881 of the European Parliament and of the Council5 . Where appropriate, dedicated arrangements between the two entities should be established to define the practical implementation of such cooperation and to avoid the duplication of activities. CERT- EU should cooperate with the European Union Agency for CybersecurityENISA on threat analysis and share its threat landscape report with the Agency on a regular basis. _________________ 5 Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p. 15).
2022/10/28
Committee: ITRE
Amendment 132 #

2022/0085(COD)

Proposal for a regulation
Article 1 – paragraph -1 (new)
-1 This Regulation lays down measures aiming to achieve a high common level of cybersecurity within Union institutions, bodies, offices and agencies;
2022/10/28
Committee: ITRE
Amendment 133 #

2022/0085(COD)

Proposal for a regulation
Article 1 – paragraph 1 – introductory part
T2. To that end, this Regulation lays down:
2022/10/28
Committee: ITRE
Amendment 136 #

2022/0085(COD)

Proposal for a regulation
Article 1 – paragraph 1 – point a
(a) obligations on Union institutions, bodies, offices and agencies to establish an internal cybersecurity risk management, governance and control framework;
2022/10/28
Committee: ITRE
Amendment 137 #

2022/0085(COD)

Proposal for a regulation
Article 1 – paragraph 1 – point b a (new)
(b a) rules underpinning information sharing obligations and the facilitation of voluntary information sharing arrangements for Union institutions, bodies, offices and agencies;
2022/10/28
Committee: ITRE
Amendment 138 #

2022/0085(COD)

Proposal for a regulation
Article 1 – paragraph 1 – point c
(c) rules on the organisation, tasks and operation of the Cybersecurity Centre for the Union institutions, bodies, offices and agencies (CERT-EU) and on the functioning, organisation and operation of the Interinstitutional Cybersecurity Board (IICB).
2022/10/28
Committee: ITRE
Amendment 140 #

2022/0085(COD)

Proposal for a regulation
Article 2 – paragraph 1
This Regulation applies to the management, governance and control of cybersecurity risks by all Union institutions, bodies, offices and agencies and to the functioning, organisation and operation of CERT-EU and the Interinstitutional Cybersecurity BoardICB.
2022/10/28
Committee: ITRE
Amendment 141 #

2022/0085(COD)

Proposal for a regulation
Article 2 a (new)
Article 2 a Processing of Personal Data The processing of personal data under this Regulation by CERT-EU, the IICB and all Union institutions, bodies, offices and agencies shall be carried out in compliance with Regulation (EU) 2018/1725 of the European Parliament and of the Council.
2022/10/28
Committee: ITRE
Amendment 143 #

2022/0085(COD)

Proposal for a regulation
Article 3 – paragraph 1 – point 2
(2) ‘network and information system’ means network and information system within the meaning ofas defined in Article 4(1) of Directive [proposal NIS 2];
2022/10/28
Committee: ITRE
Amendment 144 #

2022/0085(COD)

Proposal for a regulation
Article 3 – paragraph 1 – point 4
(4) ‘cybersecurity’ means cybersecurity within the meaning of Article 4(3) of Directive [proposal NIS 2]; as defined in Article 2(1) of Regulation (EU) 2019/881 of the European Parliament and of the Council7a; _________________ 7a Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p.15).
2022/10/28
Committee: ITRE
Amendment 147 #

2022/0085(COD)

Proposal for a regulation
Article 3 – paragraph 1 – point 5
(5) ‘highest level of management’ means a manager, management or coordination and oversight body at the most senior administrative level with a mandate to make or authorise decisions, taking account of the high-level governance arrangements in each Union institution, body or agency;
2022/10/28
Committee: ITRE
Amendment 149 #

2022/0085(COD)

Proposal for a regulation
Article 3 – paragraph 1 – point 7
(7) ‘significant incident’ means any incident unless it has limited impact and is likely to be already well understood in terms of method or technology;deleted
2022/10/28
Committee: ITRE
Amendment 152 #

2022/0085(COD)

Proposal for a regulation
Article 3 – paragraph 1 – point 8
(8) ‘major attack’incident' means any incident requiring more resources than are available at whose disruption exceeds CERT-EU’s or any individual Union institution, body,office or agency’s capacity to respond to it or withe affected significant impact on at least two Union institutions, body or agency and at CERT-EUies, offices and agencies;
2022/10/28
Committee: ITRE
Amendment 155 #

2022/0085(COD)

Proposal for a regulation
Article 3 – paragraph 1 – point 11
(11) ‘significant cyber threat’ means a cyber threat with the intention, opportunity and capability to cause a significant incidentas defined in Article 4(7a) of Directive [proposal NIS 2];
2022/10/28
Committee: ITRE
Amendment 159 #

2022/0085(COD)

(14) ‘cybersecurity risk’ means any reasonably identifiable circumstance or event havisk as defined ing a potential adverse effect on the security of network and information systemsrticle 4(7b) of Directive [proposal NIS 2];
2022/10/28
Committee: ITRE
Amendment 163 #

2022/0085(COD)

Proposal for a regulation
Article 3 – paragraph 1 – point 14 a (new)
(14 a) ‘ICT environment’ means any on- premise or virtual ICT product, ICT service and ICT process as defined in Article 2 of Regulation (EU) 2019/881, and any network and information system whether owned and operated by a Union institution, body, office or agency, or hosted or operated by a third party, including mobile devices, corporate networks, and business networks not connected to the internet and any devices connected to the ICT environment;
2022/10/28
Committee: ITRE
Amendment 172 #

2022/0085(COD)

Proposal for a regulation
Article 3 – paragraph 1 – point 16
(16) ‘cybersecurity baseline’ means a set of minimum cybersecurity rules with which network and information systems and their operators and users must be compliant, to minimise cybersecurity risks.deleted
2022/10/28
Committee: ITRE
Amendment 174 #
2022/10/28
Committee: ITRE
Amendment 178 #

2022/0085(COD)

Proposal for a regulation
Article 4 – paragraph 1
1. Each Union institution, body and agency shall establish its own internal cybersecurity risk management, governance and control framework (‘the framework’) in support of the entity’s mission and exercising its institutional autonomy. This work shall be overseen by the entity’s highest level of management to ensure an effective and prudent management of all cybersecurity risks. The framework shall be in place by …. at the latest [15 months after the entry into force of this Regulation].
2022/10/28
Committee: ITRE
Amendment 180 #

2022/0085(COD)

Proposal for a regulation
Article 4 – paragraph 2
2. The framework shall cover the entirety of the ICT environment of the concerned institution, body or agency, including any on-premise IT environment, outsourced assets and services in cloud computing environments or hosted by third parties, mobile devices, corporate networks, business networks not connected to the internet and any devices connected to the IT environmentUnion institution, body, office or agency. The framework shall take account of business continuity and crisis management and it shall consider supply chain security as well as the management of human risks and all other relevant technical, operational and organisational risks that could impact the cybersecurity of the concerned Union institution, body or agency.
2022/10/28
Committee: ITRE
Amendment 181 #

2022/0085(COD)

Proposal for a regulation
Article 4 – paragraph 2 a (new)
2 a. The framework shall define strategic objectives to ensure a high level of cybersecurity in the Union institution, body, office or agency, The framework shall lay down cybersecurity policies and priorities for the security of network and information systems encompassing the entirety of the ICT environment, and define the roles and responsibilities of staff tasked with ensuring the effective implementation of the provisions of this Regulation.
2022/10/28
Committee: ITRE
Amendment 182 #

2022/0085(COD)

Proposal for a regulation
Article 4 – paragraph 2 b (new)
2 b. The framework shall be reviewed on a regular basis and at least every three years on the basis of key performance indicators. Where appropriate and upon request of the IICB, a Union institution, body, office or agency’s framework shall be updated following guidance from CERT-EU on observed incidents or possible gaps in the implementation of the provisions of this Regulation.
2022/10/28
Committee: ITRE
Amendment 186 #

2022/0085(COD)

3. The highest level of management of each Union institution, body, office and agency shall provide oversight oversee the compliance of theirits organisation with the obligations related to cybersecurity risk management, governance, and control, without prejudice to the formal responsibilities of other levels of management for compliance and risk management in their respective areas of responsibility.
2022/10/28
Committee: ITRE
Amendment 187 #

2022/0085(COD)

Proposal for a regulation
Article 4 – paragraph 4
4. Each Union institution, body and agency shall have effective mechanisms in place to ensure that an adequate percentage of the ICT budget is spent on cybersecurity.
2022/10/28
Committee: ITRE
Amendment 190 #
2022/10/28
Committee: ITRE
Amendment 194 #

2022/0085(COD)

Proposal for a regulation
Article 5 – paragraph 1
1. The highest level of management of each Union institution, body and agency shall approve the entity’s own cybersecurity baselinerisk management measures to address the risks identified under the framework referred to in Article 4(1). It shall do so in support of its mission and exercising its institutional autonomy. The cybersecurity baseline shall be in place by …. at the latest [18 months after the entry into force of this Regulation] and shall address the domains listed in Annex I and the measures listed in Annex IIHaving regard to the state of the art and, where applicable, relevant European and international standards, or available European cybersecurity certificates as defined in Article 2 of Regulation (EU) 2019/881, those risk management measures shall ensure a level of security of network and information systems across the entirety of the ICT environment commensurate to the risks identified under the framework referred to in Article 4(1). When assessing the proportionality of those measures, due account shall be taken of the degree of the Union institution, body, office or agency’s exposure to risks, its size, the likelihood of occurrence of incidents and their severity, including their societal, economic and interinstitutional impact.
2022/10/28
Committee: ITRE
Amendment 197 #

2022/0085(COD)

Proposal for a regulation
Article 5 – paragraph 1 a (new)
1 a. Union institutions, bodies, offices and agencies shall include at least the following domains in the implementation of the cybersecurity risk management measures: (a) cybersecurity policy, including specification on the measures needed to reach objectives and priorities referred to in Article 4 and Article 5(2a); (b) policy objectives and priorities regarding the use of cloud computing services as defined in Article 4(19) of Directive [proposal NIS 2]) and technical arrangements to enable and sustain teleworking; (c) organisation of cybersecurity, including definition of roles and responsibilities; (d) management of the ICT environment, including ICT inventory and network cartography; (e) access control, identity management and privileged access management; (f) operations security and human resources security; (g) communications security; (h) system acquisition, development and maintenance; (i) supply chain security and supplier relationships between each Union institution, body, office and agency with its direct suppliers and service providers; (j) incident handling, including approaches to improve the prevention, detection, analysis, and containment of, response to, and recovery from an incident and cooperation with CERT-EU, such as the maintenance of security monitoring and logging; (k) business continuity management and crisis management; (l) cybersecurity skills, education, awareness-raising, training programmes and exercises.
2022/10/28
Committee: ITRE
Amendment 199 #

2022/0085(COD)

Proposal for a regulation
Article 5 – paragraph 2
2. The senior management of each Union institution, body, office and agency as well as all relevant staff tasked with implementing the cybersecurity risks management measures and obligations of this Regulation shall follow specific trainings on a regular basis to gain sufficient knowledge and skills in order to apprehend and assess cybersecurity risk and management practices and their impact on the operations of the organisation.
2022/10/28
Committee: ITRE
Amendment 201 #

2022/0085(COD)

Proposal for a regulation
Article 5 – paragraph 2 a (new)
2 a. Union institutions, bodies, offices and agencies shall address at least the following specific measures and sub- controls in the implementation of the cybersecurity risk management measures in their cybersecurity plans, in line with the guidance documents and recommendations from the IICB: (a) concrete steps for moving towards Zero Trust Architecture, within the meaning of a security model comprised of a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries; (b) the adoption of multifactor authentication as a norm across network and information systems; (c) the use of cryptography and encryption, and in particular end-to-end encryption, encryption in transit, and encryption at rest; (d) secured voice, video and text communications, and secured emergency communications systems, where appropriate; (e) the establishment of frequent and ad- hoc scanning capabilities of endpoint devices and other components of the ICT environment to detect and remove malware software such as spyware; (f) the establishment of software supply chain security through criteria for secure software development and evaluation; (g) the enhancement of procurement rules to facilitate a high common level of cybersecurity through: (i) the removal of contractual barriers that limit information sharing from ICT service providers about incidents, vulnerabilities and cyber threats with CERT-EU; (ii) the contractual obligation to report incidents, vulnerabilities and cyber threats as well as to have appropriate incident response mechanisms and monitoring in place; (h) the establishment and adoption of training curricula on cybersecurity commensurate to the prescribed tasks and expected capabilities for the highest level of management and technical and operational staff;
2022/10/28
Committee: ITRE
Amendment 202 #

2022/0085(COD)

Proposal for a regulation
Article 5 – paragraph 2 b (new)
2 b. The IICB may recommend technical and methodological requirements of the domains and risk management measures referred to in paragraphs 1(a) and 2(a) of this Article and, where necessary, recommend adaptations to reflect developments in attack methods, cyber threats and advances in technology, for the purposes of the review of this Regulation in accordance with Article 24.
2022/10/28
Committee: ITRE
Amendment 203 #
2022/10/28
Committee: ITRE
Amendment 207 #

2022/0085(COD)

Proposal for a regulation
Article 6 – paragraph 1 a (new)
The IICB, after consulting the European Union Agency for Cybersecurity (ENISA) and upon receiving guidance from CERT- EU, shall recommend guidelines to Union institutions, bodies, offices and agencies for the carrying out of cybersecurity maturity assessments.
2022/10/28
Committee: ITRE
Amendment 209 #

2022/0085(COD)

Proposal for a regulation
Article 6 – paragraph 1 b (new)
Upon request of the IICB, and with the explicit consent of the Union institution, body, office or agency concerned, the results of a cybersecurity maturity assessment may be discussed within the IICB configuration or within the established network of Local Cybersecurity Officers with a view to learning from experiences in the implementation of this Regulation and sharing best practices and results of use cases.
2022/10/28
Committee: ITRE
Amendment 210 #

2022/0085(COD)

Proposal for a regulation
Article 7 – paragraph 1
1. Following the conclusions derived from the maturity cybersecurity assessment and considering the assets and risks identified pursuant to Article 4, the highest level of management of each Union institution, body, office and agency shall approve a cybersecurity plan without undue delay after the establishment of the risk management, governance and control framework, and the cybersecurity baseline. Therisk management measures. The cybersecurity plan shall aim at increasing the overall cybersecurity of the concerned entity Union institution, body, office or agency and shall thereby contribute to the achievement or enhancement of a high common level of cybersecurity among all Union institutions, bodies, offices and agencies. To support the entity’Union institution, body, office or agency's mission on the basis of its institutional autonomy, the plan shall at least include the domains listed in Annex I, the measures listed in Annex II, as well ascybersecurity risk management measures relatferred to incident preparedness, response and recovery, such as security monitoring and logging. The plan shall be revised at least every three years, following the Article 5 (1a) and 5(2a). The cybersecurity plan shall be revised at least every three years, or where necessary, with any substantial revision of the framework referred to in Article 4, following the cybersecurity maturity assessments carried out pursuant to Article 6.
2022/10/28
Committee: ITRE
Amendment 213 #

2022/0085(COD)

Proposal for a regulation
Article 7 – paragraph 2
2. The cybersecurity plan shall include relevant staff members’ roles and responsibilities for its implementation, including detailed job descriptions for technical and operational staff as well as all relevant processes underpinning performance evaluation.
2022/10/28
Committee: ITRE
Amendment 215 #

2022/0085(COD)

Proposal for a regulation
Article 7 – paragraph 2 a (new)
2 a. The cybersecurity plan shall include the Union institution, body, office and agency’s cyber crisis management plan for major incidents referred to in Article 3(8).
2022/10/28
Committee: ITRE
Amendment 216 #

2022/0085(COD)

Proposal for a regulation
Article 7 – paragraph 3
3. The cybersecurity plan shall consider any applicable guidance documents and recommendations issued by CERT-EU in accordance with Article 13 and another applicable or targeted recommendations issued by the IICB and CERT-EU.
2022/10/28
Committee: ITRE
Amendment 218 #

2022/0085(COD)

1. Upon completion of maturity assessments, the Union institutions, bodies and agencies shall submit these to the Interinstitutional Cybersecurity Board. Upon completion of security planstheir respective cybersecurity maturity assessments referred to in Article 6 and cybersecurity plans referred to in Article 7, the Union institutions, bodies, offices and agencies shall notify the Interinstitutional Cybersecurity Board of the completion. Upon request of the Board, they shall report on specific aspects of this Chaptersubmit these to the IICB.
2022/10/28
Committee: ITRE
Amendment 222 #

2022/0085(COD)

Proposal for a regulation
Article 9 – paragraph 3 – subparagraph 1 – point k
(k) the European Union Agency for Cybersecurity (ENISA).
2022/10/28
Committee: ITRE
Amendment 233 #

2022/0085(COD)

Proposal for a regulation
Article 9 – paragraph 6
6. The IICB shall meet at the initiative of its chair, and at least two times a year, at the request of CERT-EU or at the request of any of its members.
2022/10/28
Committee: ITRE
Amendment 240 #

2022/0085(COD)

Proposal for a regulation
Article 10 – paragraph 1 – point -a (new)
(-a) support Union institutions, bodies, offices and agencies in implementing this Regulation with the aim to raise their respective levels of cybersecurity;
2022/10/28
Committee: ITRE
Amendment 241 #

2022/0085(COD)

Proposal for a regulation
Article 10 – paragraph 1 – point -a a (new)
(-a a) effectively monitor the implemenationof the obligations of this Regulation in Union institutions, bodies, offices and agencies without prejudice to their institutional autonomy and the overall institutional balance;
2022/10/28
Committee: ITRE
Amendment 242 #

2022/0085(COD)

Proposal for a regulation
Article 10 – paragraph 1 – point a
(a) review any reports requestedquest reports from CERT-EU on the state of implementation of this Regulation by the Union institutions, bodies and agencies;
2022/10/28
Committee: ITRE
Amendment 250 #

2022/0085(COD)

Proposal for a regulation
Article 10 – paragraph 1 – point i a (new)
(i a) review and where requested, following relevant guidance from CERT- EU. provide feedback to Union institutions, bodies, offices and agencies’ cybersecurity maturity assessments referred to in Article 6 and cybersecurity plans referred to in Article 7;
2022/10/28
Committee: ITRE
Amendment 252 #

2022/0085(COD)

Proposal for a regulation
Article 10 – paragraph 1 – point i b (new)
(i b) review possible interconnections between Union institutions, bodies, offices and agencies’ ICT environments and maintain an inventory of shared components of ICT products, ICT services andic processes;
2022/10/28
Committee: ITRE
Amendment 253 #

2022/0085(COD)

Proposal for a regulation
Article 10 – paragraph 1 – point i c (new)
(i c) where appropriate, adopt recommendations on the interoperability of Union institutions, bodies, offices and agencies’ ICT environments or components thereof;
2022/10/28
Committee: ITRE
Amendment 254 #

2022/0085(COD)

Proposal for a regulation
Article 10 – paragraph 1 – point i d (new)
(i d) support the establishment of a Cybersecurity Officers Group under ENISA, gathering the Local Cybersecurity Officers of all Union institutions, bodies, offices and agencies with an aim to facilitate the sharing of best practices and experiences gained from the implementation of this Regulation;
2022/10/28
Committee: ITRE
Amendment 255 #

2022/0085(COD)

Proposal for a regulation
Article 10 – paragraph 1 – point i e (new)
(i e) develop an incident and response plan for major incidents at Union level referred to in Article 3(8) and coordinate the adoption of individual Union institutions, bodies, offices and agencies’ cyber crisis management plans referred to in Article 7(2a);
2022/10/28
Committee: ITRE
Amendment 256 #

2022/0085(COD)

Proposal for a regulation
Article 10 – paragraph 1 – point i f (new)
(i f) adopt recommendations based on the results of EU coordinated risk assessments of critical supply chains referred to in Article 19 of Directive [proposal NIS 2] to support Union institutions, bodies, offices and agencies in adopting effective and proportionate risk management measures relating to supply chain security referred to in Article5(1ai);
2022/10/28
Committee: ITRE
Amendment 257 #

2022/0085(COD)

Proposal for a regulation
Article 10 – paragraph 1 – point i g (new)
(i g) develop guidelines for information sharing arrangements referred to in Article 19;
2022/10/28
Committee: ITRE
Amendment 258 #

2022/0085(COD)

Proposal for a regulation
Article 11 – paragraph -1 (new)
-1 The IICB shall monitor the implementation of this Regulation and of adopted guidance documents, recommendations and calls for action by the Union institutions, bodies, offices and agencies.
2022/10/28
Committee: ITRE
Amendment 259 #

2022/0085(COD)

Proposal for a regulation
Article 11 – paragraph 1 – introductory part
The IICB shall monitor the implementation of this Regulation and of adopted guidance documents, recommendations and calls for action by the Union institutions, bodies and agencies. Where the IICB finds that Union institutions, bodies or agencies have not effectively applied or implemented this Regulation or guidance documents, recommendations and calls for action issued under this Regulation, it may, without prejudice to the internal procedures of the relevant Union institution, body or agency:
2022/10/28
Committee: ITRE
Amendment 261 #

2022/0085(COD)

Proposal for a regulation
Article 11 – paragraph 1 – point -a (new)
(-a) request relevant and available documentation of the Union institution, body, office or agency concerned relating to the effective implementation of the provisions of this Regulation or the application of guidance documents, recommendations and calls for action issued in accordance with Article 13;
2022/10/28
Committee: ITRE
Amendment 262 #

2022/0085(COD)

Proposal for a regulation
Article 11 – paragraph 1 – point -a a (new)
(-a a) communicate a reasoned opinion to the Union institution, body, office or agency concerned with observed gaps in the implementation of this Regulation;
2022/10/28
Committee: ITRE
Amendment 263 #

2022/0085(COD)

Proposal for a regulation
Article 11 – paragraph 1 – point -a b (new)
(-a b) invite the Union institution, body, office or agency concerned to provide a self-assessment on its reasoned opinion within a specified timeframe;
2022/10/28
Committee: ITRE
Amendment 264 #

2022/0085(COD)

Proposal for a regulation
Article 11 – paragraph 1 – point -a c (new)
(-a c) issue, in cooperation with CERT- EU, guidance to the individual Union institution, body, office or agency to bring its respective risk management, governance and control framework, cybersecurity risk management measures, cybersecurity plans and reporting obligations in compliance with the provisions laid down in this Regulation in a specified manner and within a specified period;
2022/10/28
Committee: ITRE
Amendment 270 #

2022/0085(COD)

Proposal for a regulation
Article 12 – paragraph 1
1. The mission of CERT-EU, the autonomous interinstitutional Cybersecurity Centre for all Union institutions, bodies and agencies, shall be to contribute to the security of the unclassified ICT environment of all Union institutions, bodies and agencies by advising them on cybersecurity, by helping them to prevent, detect, mitigate and respond to and recover from incidents and by acting as their cybersecurity information exchange and incident response coordination hub.
2022/10/28
Committee: ITRE
Amendment 274 #

2022/0085(COD)

Proposal for a regulation
Article 12 – paragraph 2 – point c a (new)
(c a) act as the designated coordinator for all Union institutions, bodies, offices and agencies for the purposes of coordinated vulnerability disclosure to the European vulnerability registry referred to in Article 6 of Directive [proposal NIS2];
2022/10/28
Committee: ITRE
Amendment 286 #

2022/0085(COD)

Proposal for a regulation
Article 12 – paragraph 6
6. CERT-EU may organise cybersecurity exercises or recommend participation in existing exercises, in close cooperation with the European Union Agency for CybersecurityENISA whenever applicable, to test the level of cybersecurity of the Union institutions, bodies and agencies.
2022/10/28
Committee: ITRE
Amendment 287 #

2022/0085(COD)

Proposal for a regulation
Article 12 – paragraph 7
7. CERT-EU may provide assistance to Union institutions, bodies and agencies regarding incidents in classified ICT environments if it is explicitly requested to do so by the constituent concerned. The provisions and obligations on all Union institutions, bodies, offices and agencies set out in Chapter V of this Regulation shall not apply to incidents in classified ICT environments unless an individual Union institution, body office or agency explicitly and voluntarily apply them in order to seek actionable assistance from CERT-EU or otherwise contribute to situational awareness at the Union level.
2022/10/28
Committee: ITRE
Amendment 290 #

2022/0085(COD)

Proposal for a regulation
Article 12 – paragraph 7 a (new)
7 a. CERT-EU shall cooperate with the European Data Protection Supervisor (EDPS) to support Union institutions, bodies, office and agencies in incidents entailing a personal data breach as defined in Article 3(16) of Regulation (EU) 2018/1725.
2022/10/28
Committee: ITRE
Amendment 296 #

2022/0085(COD)

Proposal for a regulation
Article 13 – paragraph 2 – point a
(a) modalities for or improvements to cybersecurity risk management and the cybersecurity baselinerisk management measures;
2022/10/28
Committee: ITRE
Amendment 298 #

2022/0085(COD)

Proposal for a regulation
Article 13 – paragraph 2 – point b
(b) modalities for cybersecurity maturity assessments and cybersecurity plans; and
2022/10/28
Committee: ITRE
Amendment 303 #

2022/0085(COD)

Proposal for a regulation
Article 14 – paragraph -1 (new)
-1 The Commission, after having obtained the unanimous approval of the IICB, shall appoint the Head of CERT- EU. The IICB shall be consulted at all stages of the procedure prior to the appointment of the Head of CERT-EU, in particular in drafting vacancy notices, examining applications and appointing selection boards in relation to this post.
2022/10/28
Committee: ITRE
Amendment 304 #

2022/0085(COD)

Proposal for a regulation
Article 14 – paragraph 1
The Head of CERT-EU shall regularly submit reports to the IICB and the IICB Chair, and submit ad-hoc reports to the IICB upon its request, on the performance of CERT-EU, financial planning, revenue, implementation of the budget, service level agreements and written agreements entered into, cooperation with counterparts and partners, and missions undertaken by staff, including the reports referred to in Article 10(1).
2022/10/28
Committee: ITRE
Amendment 306 #

2022/0085(COD)

Proposal for a regulation
Article 14 – paragraph 1 a (new)
The Head of CERT-EU shall compose and submit to the IICB an annual report encompassing CERT-EU’s work programme, the financial planning of revenue and expenditure, including staffing, for CERT-EU activities, any updates of CERT-EU’s service catalogue and an assessment of the expected impact that such updates may have on its financial planning of revenue and expenditure, staffing and management of funds.
2022/10/28
Committee: ITRE
Amendment 308 #

2022/0085(COD)

Proposal for a regulation
Article 15 – paragraph 1
1. The Commission, after having obtained the unanimous approval of the IICB, shall appoint the Head of CERT- EU. The IICB shall be consulted at all stages of the procedure prior to the appointment of the Head of CERT-EU, in particular in drafting vacancy notices, examining applications and appointing selection boards in relation to this post.deleted
2022/10/28
Committee: ITRE
Amendment 322 #

2022/0085(COD)

Proposal for a regulation
Article 18 – paragraph 3
3. The processing of personal data carried out under this Regulation shall be subject to Regulation (EU) 2018/1725 of the European Parliament and of the Council.deleted
2022/10/28
Committee: ITRE
Amendment 326 #

2022/0085(COD)

Proposal for a regulation
Article 19 – title
19 SharingCybersecurity information sharing arrangements and obligations
2022/10/28
Committee: ITRE
Amendment 327 #

2022/0085(COD)

Proposal for a regulation
Article 19 – paragraph -1 (new)
-1. Union institutions, bodies, offices and agencies may voluntarily notify CERT-EU on cyber threats, incidents, near misses and vulnerabilities that affect them. CERT-EU shall ensure that effective measures are adopted to ensure the confidentiality and appropriate protection of the information provided by the reporting Union institution, body, office or agency. When processing notifications, CERT-EU may prioritise the processing of mandatory notifications over voluntary notifications. Voluntary notification shall not result in the imposition of any additional obligations upon the reporting Union institution, body, office or agency to which it would not have been subject had it not submitted the notification.
2022/10/28
Committee: ITRE
Amendment 328 #

2022/0085(COD)

Proposal for a regulation
Article 19 – paragraph 1
1. To enable CERT-EU to coordinate vulnerabileffectively perform itys management and incident responseission tasks in accordance with Article 12 of this Regulation, it may request Union institutions, bodies and agencies to provide it with information from their respective ICT system inventories that is relevant for the CERT- EU support. The requested institution, body or agency shall transmit the requested information, and any subsequent updates thereto, without undue delay.
2022/10/28
Committee: ITRE
Amendment 334 #

2022/0085(COD)

Proposal for a regulation
Article 19 – paragraph 4
4. The sharingcybersecurity information sharing arrangements and obligations obligations shall not extend to EU Classified Information (EUCI) and to information that a Union institution, body or agency has received from a Member State Security or Intelligence Service or law enforcement agency under the explicit condition that it will not be shared with CERT-EU.
2022/10/28
Committee: ITRE
Amendment 336 #
2022/10/28
Committee: ITRE
Amendment 337 #

2022/0085(COD)

Proposal for a regulation
Article 20 – paragraph 1 – subparagraph 1
All Union institutions, bodies and agencies shall make an initial notification to CERT-EU of significant cyber threats, significant vulnerabilities and significant incidents without undue delay and in any event no later than 24 hours after becoming aware of them.deleted
2022/10/28
Committee: ITRE
Amendment 338 #

2022/0085(COD)

Proposal for a regulation
Article 20 – paragraph 1 – subparagraph 1
All Union institutions, bodies, offices and agencies shall make an initial notification to CERT-EU of significant cyber threats, significant vulnerabilities and significreport, without undue delay to CERT-EU in accordance with paragraph 2(b) of anty incidents without undue delay and having any event no later than 24 hours after becoming aware of them significant impact.
2022/10/28
Committee: ITRE
Amendment 340 #

2022/0085(COD)

Proposal for a regulation
Article 20 – paragraph 1 – subparagraph 1 a (new)
Where applicable, Union institutions, bodies, offices and agencies shall communicate, without undue delay, to the users of the affected network and information systems, or other components of the ICT environment, that are potentially affected by a significant incident or a significant cyber threat of any measures or remedies that can be taken in response to the incident or threat. Where appropriate, Union institutions, bodies, offices and agencies shall inform users of the threat itself.
2022/10/28
Committee: ITRE
Amendment 341 #

2022/0085(COD)

Proposal for a regulation
Article 20 – paragraph 1 – subparagraph 1 b (new)
Where a significant incident or significant cyber threat referred to in paragraph 1(a) is affecting a network and information system, or a component of a Union institution, body, office or agency's ICT environment that is knowingly connected with another Union institution, body, office and agency's ICT environment, CERT-EU shall notify, without undue delay, the affected Union institution, body, office or agency.
2022/10/28
Committee: ITRE
Amendment 342 #

2022/0085(COD)

Proposal for a regulation
Article 20 – paragraph 1 – subparagraph 2
In duly justified cases and in agreement with CERT-EU, the Union institution, body or agency concerned can deviate from the deadline laid down in the previous paragraph.deleted
2022/10/28
Committee: ITRE
Amendment 348 #

2022/0085(COD)

Proposal for a regulation
Article 20 – paragraph 2
2. The Union institutions, bodies and agencies shall further notify to CERT-EU without undue delay appropriate technical details of cyber threats, vulnerabilities and incidents that enable detection, incident response or mitigating measures. The notification shall include if available: (a) relevant indicators of compromise; (b) relevant detection mechanisms; (c) potential impact; (d) relevant mitigating measures.deleted
2022/10/28
Committee: ITRE
Amendment 352 #

2022/0085(COD)

Proposal for a regulation
Article 20 – paragraph 2 a (new)
2 a. An incident shall be considered significant if: (a) the incident has caused or is capable of causing severe operational disruption to the Union institution, body, office or agency or financial losses thereto; (b) the incident has affected or is capable of affecting other natural or legal persons by causing considerable material or non- material losses.
2022/10/28
Committee: ITRE
Amendment 353 #

2022/0085(COD)

Proposal for a regulation
Article 20 – paragraph 2 b (new)
2 b. All Union institutions, bodies, offices and agencies shall submit to CERT-EU: (a) without undue delay and in any event within 24 hours after having become aware of the significant incident, an early warning, which, where applicable, shall indicate whether the significant incident is presumably caused by unlawful or malicious action and has any or could have a cross-border or cross-institutional impact; (b) without undue delay and in any event within 72 hours after having become aware of the significant incident, an incident notification, which, where applicable, shall update the information referred to in subparagraph (a) and indicate an initial assessment of the significant incident, its severity and impact, as well as where available, the indicators of compromise; (c) upon the request of CERT-EU, an intermediate report on relevant status updates; (d) a final report not later than one month after the submission of the significant incident notification under point (b), including at least the following: (i) a detailed description of the significant incident, its severity and impact; (ii) the type of threat or root cause that likely triggered the significant incident; (iii) applied and ongoing mitigation measures; (iv) where applicable, the cross-border or cross-institutional impact of the significant incident; (e) in cases of ongoing significant incidents at the time of the submission of the final report referred to in point (d), a progress report at that time and a final report within one month after the incident has been handled.
2022/10/28
Committee: ITRE
Amendment 356 #

2022/0085(COD)

Proposal for a regulation
Article 20 – paragraph 2 c (new)
2 c. In duly justified cases and in agreement with CERT-EU, the Union institution, body, office or agency concerned can deviate from the deadline laid down in paragraph 2(b).
2022/10/28
Committee: ITRE
Amendment 358 #

2022/0085(COD)

Proposal for a regulation
Article 20 – paragraph 3
3. CERT-EU shall submit to ENISA on a monthly basis a summary report including anonymised and aggregated data on significant cyber threats, significant vulnerabilities and significant incidentincidents notified in accordance with paragraph 2(b) and cyber threats, incidents, near misses and vulnerabilities notified in accordance with paragraph 1Article 19(1).
2022/10/28
Committee: ITRE
Amendment 360 #

2022/0085(COD)

4. The IICB may issue guidance documents or recommendations concerning the modalities and content of the notification. When preparing such guidance documents or recommendations, the IICB shall take into account the specifications made by any implementing acts adopted by the Commission specifying the type of information, the format and the procedure of a notification submitted pursuant to Article 20 (11) of Directive [proposal NIS2]. CERT-EU shall disseminate the appropriate technical details to enable proactive detection, incident response or mitigating measures by Union institutions, bodies, offices and agencies.
2022/10/28
Committee: ITRE
Amendment 363 #

2022/0085(COD)

Proposal for a regulation
Article 20 – paragraph 5
5. The notificationreporting obligations shall not extend to EUCI and to information that a Union institution, body or agency has received from a Member State Security or Intelligence Service or law enforcement agency under the explicit condition that it will not be shared with CERT-EU.
2022/10/28
Committee: ITRE
Amendment 366 #

2022/0085(COD)

Proposal for a regulation
Article 21 – paragraph 3
3. CERT-EU, in cooperation with ENISA, shall support Union institutions, bodies and agencies regarding situational awareness of cyber threats, vulnerabilities and incidents.
2022/10/28
Committee: ITRE
Amendment 370 #

2022/0085(COD)

Proposal for a regulation
Article 22 – paragraph 1
1. CERT-EU shall coordinate among Union institutions, bodies and agencies responses to major attackincidents. It shall maintain an inventory of technical expertise that would be needed for incident response in the event of such attacksmajor incidents and assist the IICB in coordinating Union institutions, bodies, offices and agencies’ cyber crisis management plans for major incidents referred to in Article 10(if).
2022/10/28
Committee: ITRE
Amendment 375 #

2022/0085(COD)

Proposal for a regulation
Article 22 – paragraph 3
3. With the approval of the concerned Union institutions, bodies and agencies, CERT-EU may also call on experts from the list referred to in paragraph 2 for contributing to the response to a major attackincident in a Member State, in line with the Joint Cyber Unit’s operating procedures.
2022/10/28
Committee: ITRE
Amendment 386 #

2022/0085(COD)

Proposal for a regulation
Article 24 – paragraph 3
3. The Commission shall evaluate the functioning of this Regulation and report to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions no soonlater than five years after the date of entry into force.
2022/10/28
Committee: ITRE
Amendment 388 #

2022/0085(COD)

Proposal for a regulation
Annex I
The following domains shall be addressed in the cybersecurity baseline: (1) cybersecurity policy, including objectives and priorities for security of network and information systems, in particular regarding the use of cloud computing services (within the meaning of Article 4(19) of Directive [proposal NIS 2]) and technical arrangements to enable teleworking; (2) organisation of cybersecurity, including definition of roles and responsibilities; (3) asset management, including IT asset inventory and IT network cartography; (4) access control; (5) operations security; (6) communications security; (7) system acquisition, development and maintenance; (8) supplier relationships; (9) incident management, including approaches to improve the preparedness, response to and recovery from incidents and cooperation with CERT-EU, such as the maintenance of security monitoring and logging; (10) business continuity management and crisis management; and (11) cybersecurity education, awareness- raising and training programmes.deleted
2022/10/28
Committee: ITRE
Amendment 394 #

2022/0085(COD)

Proposal for a regulation
Annex II
Union institutions, bodies and agencies shall address at least the following specific cybersecurity measures in the implementation of the cybersecurity baseline and in their cybersecurity plans, in line with the guidance documents and recommendations from the IICB: (1) concrete steps for moving towards Zero Trust Architecture (meaning a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries); (2) the adoption of multifactor authentication as a norm across network and information systems; (3) the establishment of software supply chain security through criteria for secure software development and evaluation; (4) the enhancement of procurement rules to facilitate a high common level of cybersecurity through: (a) the removal of contractual barriers that limit information sharing from IT service providers about incidents, vulnerabilities and cyber threats with CERT-EU; (b) the contractual obligation to report incidents, vulnerabilities and cyber threats as well as to have appropriate incidents response and monitoring in place.deleted
2022/10/28
Committee: ITRE
Amendment 103 #

2022/0047(COD)

Proposal for a regulation
Recital 1
(1) In recent years, data-driven technologies have had transformative effects on all sectors of the economy. The proliferation in products connected to the Internet of Things in particular has increased the volume and potential value of data for consumers, businesses and society. High quality and interoperable data from different domains increase competitiveness and innovation and ensure sustainable economic growth. The same dataset may potentially be used and reused for a variety of purposes and to an unlimited degree, without any loss in its quality or quantity, while respecting users’ choices and applicable legislation to protect them.
2022/11/17
Committee: LIBE
Amendment 110 #

2022/0047(COD)

Proposal for a regulation
Recital 5
(5) This Regulation ensures that users of a product or related service in the Union can access, in a timely manner, the data generated by the use of that product or related service and that those users can use the data, including by sharing them with third parties of their choice. It imposes the obligation on the data holder to make data available to users and third parties nominated by the users in certain circumstances. It also ensures that data holders make data available to data recipients in the Union under fair, reasonable and non-discriminatory terms and in a transparent manner. Private law rules are key in the overall framework of data sharing. Therefore, this Regulation adapts rules of contract law and prevents the exploitation of contractual imbalances that hinder fair data access and use for micro, small or medium-sized enterprises within the meaning of Recommendation 2003/361/EC. This Regulation also ensures that data holders make available to public sector bodies of the Member States and to Union institutions, agencies or bodies, where there is an exceptional need, the data that are necessary for the performance of tasks carried out in the public interestto respond to, prevent, or assist in the recovery from a public emergency. In addition, this Regulation seeks to facilitate switching between data processing services and to enhance the interoperability of data and data sharing mechanisms and services in the Union. This Regulation should not be interpreted as recognising or creating any legal basis for the data holder to hold, have access to or process data, or as conferring any new right on the data holder to use data generated by the use of a product or related service. Instead, it takes as its starting point the control that the data holder effectively enjoys, de facto or de jure, over data generated by products or related services.
2022/11/17
Committee: LIBE
Amendment 112 #

2022/0047(COD)

(7) The fundamental right to the protection of personal data is safeguarded in particular under Regulation (EU) 2016/679 and Regulation (EU) 2018/1725. Directive 2002/58/EC additionally protects private life and the confidentiality of communications, including providing conditions to any personal and non- personal data storing in and access from terminal equipment. These instruments provide the basis for sustainable and responsible data processing, including where datasets include a mix of personal and non-personal data. This Regulation complements and is without prejudice to Union law on data protection and privacy, in particular Regulation (EU) 2016/679 and Directive 2002/58/EC. No provision of this Regulation should be applied or interpreted in such a way as to diminish or limit the right to the protection of personal data or the right to privacy and confidentiality of communications. In the event of a conflict between this Regulation and Union law on the protection of personal data or national law adopted in accordance with such Union law, the relevant Union or national law on the protection of personal data should prevail, except where explicitly foreseen otherwise under the body of this Regulation.
2022/11/17
Committee: LIBE
Amendment 116 #

2022/0047(COD)

Proposal for a regulation
Recital 8
(8) The principles of data minimisation and data protection by design and by default are essential when processing involves significant risks to the fundamental rights of individuals. Taking into account the state of the art, all parties to data sharing, including where within scope of this Regulation, should implement technical and organisational measures to protect these rights. Such measures include not only anonymisation, pseudonymisation and encryption, but also the use of increasingly available technology that permits algorithms to be brought to the data and allow valuable insights to be derived without the transmission between parties or unnecessary copying of the raw or structured data themselves.
2022/11/17
Committee: LIBE
Amendment 125 #

2022/0047(COD)

Proposal for a regulation
Recital 14
(14) Physical products that obtain, generate or collect, by means of their components, data concerning their performance, use or environment and that are able to communicate that data via a publicly available electronic communications service (often referred to as the Internet of Things) should be covered by this Regulation. Electronic communications services include land- based telephone networks, television cable networks, satellite-based networks and near-field communication networks. Such products may include vehicles, home equipment and consumer goods, medical and health devices or agricultural and industrial machinery. The data represent the digitalisation of user actions and events and should accordingly be accessible to the user, while information derived or inferred from this data, where lawfully held, should not be considered within scope of this Regulation unless that data are lawfully processed using the product’s own computing capacity. Such data are potentially valuable to the user and support innovation and the development of digital and other services protecting the environment, health and the circular economy, in particular though facilitating the maintenance and repair of the products in question.
2022/11/17
Committee: LIBE
Amendment 129 #

2022/0047(COD)

Proposal for a regulation
Recital 17
(17) Data generated by the use of a product or related service include data recorded intentionally by the user. Such data include also data generated as a by- product of the user’s action, such as diagnostics data, and without any action by the user, such as when the product is in ‘standby mode’, and data recorded during periods when the product is switched off. Such data should include data in the form and format in which they are generated by the product, but not pertain to data resulting from any software process that calculates derivative data from such data as such software process may be subject to intellectual property rightsincluding data processed using the product’s own computing capacity.
2022/11/17
Committee: LIBE
Amendment 135 #

2022/0047(COD)

Proposal for a regulation
Recital 24
(24) This Regulation imposes the obligation on data holders to make data available in certain circumstances. Insofar as personal data are processed, the data holder should be a controller under Regulation (EU) 2016/679. Where users are data subjects, data holders should be obliged to provide them access to their data and to make the data available to third parties of the user’s choice in accordance with this Regulation. However, this Regulation does not create a legal basis under Regulation (EU) 2016/679 for the data holder to provide access to personal data or make it available to a third party when requested by a user that is not a data subject and should not be understood as conferring any new right on the data holder to use data generated by the use of a product or related service. This applies in particular where the manufacturer is the data holder. The performance of a contract can only be a legal ground for processing of personal data if the data subject is a party or if steps are being taken at the request of the data subject prior to entering into a contract. The necessity requirement for processing personal data for the performance of a contract pursuant to Article 6(1)(b) of Regulation (EU) 2016/679 cannot be fulfilled by merely providing for processing in a contractual clause. Assessing what is objectively necessary must be fact-based, and this legal ground shall be allowed only in situations where it is not possible to perform service or provide product which the data subject has actively requested or signed up for without processing of specific data. Personal data necessary for the controller’s wider business mode but not necessary for the individual services requested by the data subject, do not fulfil this requirement. In that case, the basis for the manufacturer to use non-personal data should be a contractual agreement between the manufacturer and the user. This agreement may be part of the sale, rent or lease agreement relating to the product. Any contractual term in the agreement stipulating that the data holder may use the data generated by the user of a product or related service should be transparent to the user, including as regards the purpose for which the data holder intends to use the data. This Regulation should not prevent contractual conditions, whose effect is to exclude or limit the use of the data, or certain categories thereof, by the data holder. This Regulation should also not prevent sector-specific regulatory requirements under Union law, or national law compatible with Union law, which would exclude or limit the use of certain such data by the data holder on well- defined public policy grounds.
2022/11/17
Committee: LIBE
Amendment 143 #

2022/0047(COD)

Proposal for a regulation
Recital 30
(30) The use of a product or related service may, in particular when the user is a natural person, generate data that relates to an identified or identifiable natural person (the data subject). Processing of such data is subject to the rules established under Regulation (EU) 2016/679, including where personal and non-personal data in a data set are inextricably linked64 . The data subject may be the user or another natural person. Personal data may only be requested by a controller or a data subject. A user who is the data subject is under certain circumstances entitled under Regulation (EU) 2016/679 to access personal data concerning them, and such rights are unaffected by this Regulation. Under this Regulation, the user who is a natural person is further entitled to access all data generated by the product, personal and non-personal. Where the user is not the data subject but an enterprise, including a sole trader, and not in cases of shared household use of the product, the user will be a controller within the meaning of Regulation (EU) 2016/679. Accordingly, such a user as controller intending to request personal data generated by the use of a product or related service is required to have a legal basis for processing the data under Article 6(1) of Regulation (EU) 2016/679, such as the consent of the data subject or legitimate interest. This user should ensure that the data subject is appropriately informed of the specified, explicit and legitimate purposes for processing those data, and how the data subject may effectively exercise their rights. Where the data holder and the user are joint controllers within the meaning of Article 26 of Regulation (EU) 2016/679, they are required to determine, in a transparent manner by means of an arrangement between them, their respective responsibilities for compliance with that Regulation. It should be understood that such a user, once data has been made available, may in turn become a data holder, if they meet the criteria under this Regulation and thus become subject to the obligations to make data available under this Regulation. Where the user is a Union institution, agency or body, Regulation(EU) 2018/1725 should apply unprejudiced. _________________ 64 OJ L 303, 28.11.2018, p. 59–68.
2022/11/17
Committee: LIBE
Amendment 145 #

2022/0047(COD)

Proposal for a regulation
Recital 31
(31) Data generated by the use of a product or related service should only be made available to a third party at the request of the user. This Regulation accordingly complements the right provided under Article 20 of Regulation (EU) 2016/679. That Article provides for a right of data subjects to receive personal data concerning them in a structured, commonly used and machine-readable format, and to port those data to other controllers, where those data are processed on the basis of Article 6(1), point (a), or Article 9(2), point (a), or of a contract pursuant to Article 6(1), point (b). Data subjects also have the right to have the personal data transmitted directly from one controller to another, but only where technically feasible. Article 20 specifies that it pertains to data provided by the data subject but does not specify whether this necessitates active behaviour on the side of the data subject or whether it also applies to situations where a product or related service by its design observes the behaviour of a data subject or other information in relation to a data subject in a passive manner. The right under this Regulation complements the right to receive and port personal data under Article 20 of Regulation (EU) 2016/679 in several ways. It grants users the right to access and make available to a third party to any data generated by the use of a product or related service, irrespective of its nature as personal data, of the distinction between actively provided or passively observed data, and irrespective of the legal basis of processing. Unlike the technical obligations provided for in Article 20 of Regulation (EU) 2016/679, this Regulation mandates and ensures the technical feasibility of third party access for all types of data coming within its scope, whether personal or non-personal. It also allows the data holder to set reasonable compensation to be met by third parties, but not by the user, forwhich cannot exceed any cost incurred in providing direct access to the data generated by the user’s product. If a data holder and third party are unable to agree terms for such direct access, the data subject should be in no way prevented from exercising the rights contained in Regulation (EU) 2016/679, including the right to data portability, by seeking remedies in accordance with that Regulation. It is to be understood in this context that, in accordance with Regulation (EU) 2016/679, a contractual agreement does not allow for the processing of special categories of personal data by the data holder or the third party.
2022/11/17
Committee: LIBE
Amendment 148 #

2022/0047(COD)

(17) Data generated by the use of a product or related service include data recorded intentionally by the user. Such data include also data generated as a by- product of the user’s action, such as diagnostics data, and without any action by the user, such as when the product is in ‘standby mode’, and data recorded during periods when the product is switched off. Such data should include data in the form and format in which they are generated by the product, but not pertain to data resulting from any softwaincluding data pre -process that calculates derivative data from such data as such software process may be subject to intellectual property rights.ed using the product’s own computing capacity
2022/11/14
Committee: ITRE
Amendment 148 #

2022/0047(COD)

Proposal for a regulation
Recital 34
(34) In line with the data minimisation principle, the third party should only access additional information that is necessary for the provision of the service requested by the user. Having received access to data, the third party should process it exclusively for the purposes agreed with the user, without interference from the data holder. It should be as easy for the user to refuse or discontinue access by the third party to the data as it is for the user to authorise access. The data holder or the third party should not make the exercise of rights or choices of users unduly difficult, including by offering choices to users in a non-neutral manner, or coerce, deceive or manipulate the user in any way, byor subverting or impairing the autonomy, decision-making or free choices of the user, including by means of a digital interface with the user. in this context,or a part thereof, including its structure, design, function or manner of operation. In this context, data holders and third parties should not rely on so-called dark patterns in designing their digital interfaces. Dark patterns are design techniques that push or deceive consumers into decisions that have negative consequences for them. These manipulative techniques can be used to persuade users, particularly vulnerable consumers, to engage in unwanted behaviours, and to deceive users by nudging them into decisions on data disclosure transactions or to unreasonably bias the decision-making of the users of the service, in a way that subverts and impairs their autonomy, decision-making and choice. Common and lLegitimate commercial practices that are in compliance with Union law should not in themselves be regarded as constituting dark patterns. Third parties should comply with their obligations under relevant Union law, in particular the requirements set out in Directive 2005/29/EC, Directive 2011/83/EU, Directive 2000/31/EC and Directive 98/6/EC.
2022/11/17
Committee: LIBE
Amendment 152 #

2022/0047(COD)

Proposal for a regulation
Recital 37
(37) Given the current state of technology, it is overly burdensome to impose further design obligations in relation to products manufactured or designed and related services provided by micro and small enterprises. That is not the case, however, where a micro or small enterprise is sub-contracted to manufacture or design a product. In such situations, the enterprise, which has sub- contracted to the micro or small enterprise, is able to compensate the sub- contractor appropriately. A micro or small enterprise may nevertheless be subject to the requirements laid down by this Regulation as data holder, where it is not the manufacturer of the product or a provider of related services.deleted
2022/11/17
Committee: LIBE
Amendment 154 #

2022/0047(COD)

Proposal for a regulation
Recital 41
(41) In order to compensate for the lack of information on the conditions of different contracts, which makes it difficult for the data recipient to assess if the terms for making the data available are non- discriminatory, it should be on the data holder to demonstrate that a contractual term is not discriminatory. It is not unlawful discrimination, where a data holder uses different contractual terms for making data available or different compensation, if those differences are justified by objective reasons. These obligations are without prejudice to Regulation (EU) 2016/679.
2022/11/17
Committee: LIBE
Amendment 155 #

2022/0047(COD)

Proposal for a regulation
Recital 42
(42) In order to incentivise the continued investment in generating valuable data, including investments in relevant technical tools, this Regulation contains the principle that the data holder may request reasonable compensation when legally obliged to make data available to the data recipient. These provisions should not be understood as paying for the data itself, but in the case of micro, small or medium-sized enterprises, for the costs incurred and investment required for making the data availableThis Regulation precludes the data holder or the third party from directly or indirectly charging users a fee, or any compensation of costs for sharing or accessing data.
2022/11/17
Committee: LIBE
Amendment 157 #

2022/0047(COD)

Proposal for a regulation
Recital 44
(44) To protect micro, small or medium-sized enterprises from excessive economic burdens which would make it commercially too difficult for them to develop and run innovative business modelsavoid directly or indirectly incentivising the commercialisation or trade of personal data, the compensation for making data available to be paid by them should not exceed the direct cost of making the data available and be non-discriminatory.
2022/11/17
Committee: LIBE
Amendment 158 #

2022/0047(COD)

Proposal for a regulation
Recital 46
(46) It is not necessary to intervene in the case of data sharing between large companies, or when the data holder is a small or medium-sized enterprise and the data recipient is a large company. In such cases, the companies are considered capable of negotiating any compensation if it is reasonable, taking into account factors such as the volume, format, nature, or supply of and demand for the data as well as the costs for collecting and making the data available to the data recipient.deleted
2022/11/17
Committee: LIBE
Amendment 159 #

2022/0047(COD)

Proposal for a regulation
Recital 47
(47) Transparency is an important principle to ensure that the compensation requested by the data holder is reasonable, or, in case the data recipient is a micro, small or medium-sized enterprise, that the compensation does not exceed the costs directly related to making the data available to the data recipient and is attributable to the individual request. In order to put the data recipient in the position to assess and verify that the compensation complies with the requirements under this Regulation, the data holder should provide to the data recipient the information for the calculation of the compensation with a sufficient degree of detail.
2022/11/17
Committee: LIBE
Amendment 163 #

2022/0047(COD)

Proposal for a regulation
Recital 56
(56) In situations of exceptional need, it may be necessary for public sector bodies or Union institutions, agencies or bodies to use data held by an enterprise to respond to public emergencies or in other exceptional cases. Research-performing organisations and research-funding organisations could also be organised as public sector bodies or bodies governed by public law. To limit the burden on businesses, micro and small enterprises should be exempted from the obligation to provide public sector bodies and Union institutions, agencies or bodies data in situations of exceptional need.
2022/11/17
Committee: LIBE
Amendment 173 #

2022/0047(COD)

Proposal for a regulation
Recital 58
(58) An exceptional need may also arise when a public sector body can demonstrate that the data are necessary either to prevent a public emergency, or to assist recovery from a public emergency, in circumstances that are reasonably proximate to the public emergency in question. Where the exceptional need is not justified by the need to respond to, prevent or assist recovery from a public emergency, the public sector body or the Union institution, agency or body should demonstrate that the lack of timely access to and the use of the data requested prevents it from effectively fulfilling a specific task in the public interest that has been explicitly provided in law. Such exceptional need may also occur in other situations, for example in relation to the timely compilation of official statistics when data is not otherwise available or when the burden on statistical respondents will be considerably reduced. At the same time, the public sector body or the Union institution, agency or body should, outside the case of responding to, preventing or assisting recovery from a public emergency, demonstrate that no alternative means for obtaining the data requested exists and that the data cannot be obtained in a timely manner through the laying down of the necessary data provision obligations in new legislation.
2022/11/17
Committee: LIBE
Amendment 177 #

2022/0047(COD)

Proposal for a regulation
Recital 61
(61) A proportionate, limited and predictable framework at Union level is necessary for the making available of data by data holders, in cases of exceptional needs, to public sector bodies and to Union institution, agencies or bodies both to ensure legal certainty and to minimise the administrative burdens placed on businesses. To this end, data requests by public sector bodies and by Union institution, agencies and bodies to data holders should be transparent and proportionate in terms of their scope of content and their granularity. The purpose of the request and the intended use of the data requested should be specific and clearly explained, while allowing appropriate flexibility for the requesting entity to perform its tasks in the public interest. The request should also respect the legitimate interests of the businesses to whom the request is made. The burden on data holders should be minimised by obliging requesting entities to respect the once-only principle, which prevents the same data from being requested more than once by more than one public sector body or Union institution, agency or body where those data are needed to respond to a public emergency. To ensure transparency, data requests made by public sector bodies and by Union institutions, agencies or bodies should be made public without undue delay by the entity requesting the data and online public availability of all requests justified by a public emergency should be ensured.
2022/11/17
Committee: LIBE
Amendment 182 #

2022/0047(COD)

Proposal for a regulation
Recital 62
(62) The objective of the obligation to provide the data is to ensure that public sector bodies and Union institutions, agencies or bodies have the necessary knowledge to respond to, prevent or recover from public emergencies or to maintain the capacity to fulfil specific tasks explicitly provided by law. The data obtained by those entities may be commercially sensitive. Therefore, Directive (EU) 2019/1024 of the European Parliament and of the Council65 should not apply to data made available under this Regulation and should not be considered as open data available for reuse by third parties. This however should not affect the applicability of Directive (EU) 2019/1024 to the reuse of official statistics for the production of which data obtained pursuant to this Regulation was used, provided the reuse does not include the underlying data. In addition, it should not affect the possibility of sharing the data for conducting research or for the compilation of official statistics, provided the conditions laid down in this Regulation are met. Public sector bodies should also be allowed to exchange data obtained pursuant to this Regulation with other public sector bodies to address the exceptional needs for which the data has been requested. _________________ 65 Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the re-use of public sector information (OJ L 172, 26.6.2019, p. 56).
2022/11/17
Committee: LIBE
Amendment 186 #

2022/0047(COD)

Proposal for a regulation
Recital 63
(63) Data holders should have the possibility to either ask for a modification of the request made by a public sector body or Union institution, agency and body or its cancellation in a period of 5 or 15 working days depending on the nature of the exceptional need invoked in the request. In case of requests motivated by a public emergency,A justified reason not to make the data available should exist if it can be shown that the request is similar or identical to a previously submitted request for the same purpose by another public sector body or by another Union institution, agency or body. A data holder rejecting the request or seeking its modification should communicate the underlying justification for refusing the request to the public sector body or to the Union institution, agency or body requesting the data. In case the sui generis database rights under Directive 96/6/EC of the European Parliament and of the Council66 apply in relation to the requested datasets, data holders should exercise their rights in a way that does not prevent the public sector body and Union institutions, agencies or bodies from obtaining the data, or from sharing it, in accordance with this Regulation. _________________ 66 Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases (OJ L 77, 27.3.1996, p. 20).
2022/11/17
Committee: LIBE
Amendment 192 #

2022/0047(COD)

Proposal for a regulation
Recital 67
(67) When the safeguarding of a significant public good is at stake, such as is the case of responding to public emergencies, the public sector body or the Union institution, agency or body should not be expected to compensate enterprises for the data obtained. Public emergencies are rare events and not all such emergencies require the use of data held by enterprises. The business activities of the data holders are therefore not likely to be negatively affected as a consequence of the public sector bodies or Union institutions, agencies or bodies having recourse to this Regulation. However, as cases of an exceptional need other than responding to a public emergency might be more frequent, including cases of prevention of or recovery from a public emergency, data holders should in such cases be entitled to a reasonable compensation which should not exceed the technical and organisational costs incurred in complying with the request and the reasonable margin required for making the data available to the public sector body or to the Union institution, agency or body. The compensation should not be understood as constituting payment for the data itself and as being compulsory.
2022/11/17
Committee: LIBE
Amendment 196 #

2022/0047(COD)

Proposal for a regulation
Recital 81
(81) In order to ensure the efficient implementation of this Regulation, Member States should designate one or more competent authorities. If a Member State designates more than one competent authority, it should also designate a coordinating competent authority. Competent authorities should cooperate with each other. The authorities responsible for the supervision of compliance with data protection and competent authorities designated under sectoral legislation should have the responsibility for application of this Regulation in their areas of competence.
2022/11/17
Committee: LIBE
Amendment 202 #

2022/0047(COD)

Proposal for a regulation
Article 1 – paragraph 1
1. This Regulation lays down harmonised rules on making data generated by the use of a product or related service available to the user of that product or service, on the making data available by data holders to data recipients, and on the making data available by data holders to public sector bodies or Union institutions, agencies or bodies, where there is an exceptional need, for the performance of a task carried out in the public interestdue to a public emergency:
2022/11/17
Committee: LIBE
Amendment 208 #

2022/0047(COD)

Proposal for a regulation
Article 1 – paragraph 2 – point d
(d) public sector bodies and Union institutions, agencies or bodies that request data holders to make data available where there is an exceptional need to that data for the performance of a task carried out in the public interestdue to a public emergency explicitly provided by law, and the data holders that provide those data in response to such request;
2022/11/17
Committee: LIBE
Amendment 210 #

2022/0047(COD)

Proposal for a regulation
Article 1 – paragraph 3
3. Union law on the protection of personal data, privacy and confidentiality of communications and integrity of terminal equipment shall apply to personal data processed in connection with the rights and obligations laid down in this Regulation. This Regulation shall not affect the applicability of Union law on the protection of personal data, in particular Regulation (EU) 2016/679, Regulation (EU) 2018/1725 and Directive 2002/58/EC, including the powers and competences of supervisory authorities. Insofar as the rights laid down in Chapter II of this Regulation are concerned, and where users are the data subjects of personal data subject to the rights and obligations under that Chapter, the provisions of this Regulation shall complement the right of data portability under Article 20 of Regulation (EU) 2016/679. In the event of a conflict between this Regulation and Union law on the protection of personal data or national law adopted in accordance with such Union law, the relevant Union or national law on the protection of personal data shall prevail. However, insofar as the processing of personal data made available to a data recipient pursuant to Article 5 of this Regulation is restricted in line with Article 6 of this Regulation, these provisions should be understood as taking precedence over Article 6 of Regulation (EU) 2016/679. This Regulation does not create a legal basis for the processing of personal data and no provision of this Regulation should be applied or interpreted in such a way as to diminish or limit the right to the protection of personal data or the right to privacy and confidentiality of communications.
2022/11/17
Committee: LIBE
Amendment 225 #

2022/0047(COD)

Proposal for a regulation
Article 2 – paragraph 1 – point 1 a (new)
(1 a) ‘personal data’ means personal data as defined in Article 4, point(1), of Regulation (EU) 2016/679;
2022/11/17
Committee: LIBE
Amendment 227 #

2022/0047(COD)

Proposal for a regulation
Article 2 – paragraph 1 – point 1 b (new)
(1 b) 'non-personal data' means data other than personal data;
2022/11/17
Committee: LIBE
Amendment 229 #

2022/0047(COD)

(1 c) ‘consent’ means consent as defined in Article 4, point (11), of Regulation (EU) 2016/679;
2022/11/17
Committee: LIBE
Amendment 232 #

2022/0047(COD)

Proposal for a regulation
Article 2 – paragraph 1 – point 1 d (new)
(1 d) 'data subject' means data subject as referred to in Article 4, point (1), of Regulation (EU) 2016/679;
2022/11/17
Committee: LIBE
Amendment 235 #

2022/0047(COD)

Proposal for a regulation
Article 2 – paragraph 1 – point 2
(2) ‘product’ means a tangible, movable item, including where incorporated in an immovable item, item that obtains, generates or collects, data concerning its use or environment, and that is able to communicate data via a publicly available electronic communications service and whose primary function is not the storing and processing of data nor is it primarily designed to display or play content, or to record and transmit content;
2022/11/17
Committee: LIBE
Amendment 240 #

2022/0047(COD)

Proposal for a regulation
Article 2 – paragraph 1 – point 5
(5) ‘user’ means a natural or legal person that owns, rents or leases a product or receives a servicesrelated service, and the data subject;
2022/11/17
Committee: LIBE
Amendment 245 #

2022/0047(COD)

Proposal for a regulation
Article 2 – paragraph 1 – point 7
(7) ‘data recipient’ means a legal or natural person, acting for purposes which are related to that person’s trade, business, craft or profession, other than the user of a product or related service, to whom the data holder makes data available, including a third party following an explicit request by the user to the data holder or in accordance with a legal obligation under Union law or national legislation implementing Union law, and including a third party to whom the data is directly made available by the user;
2022/11/17
Committee: LIBE
Amendment 246 #

2022/0047(COD)

Proposal for a regulation
Article 2 – paragraph 1 – point 8 a (new)
(8 a) ‘added value service’ means any service provided to the user that can be enabled or improved by access and use of data generated by the use of the product or related service, including personalised services which mean services that, based on the processing of data of the user, offer individualised services to the user such as diet plans, route planning, fitness training, electricity consumption optimisation. They do not include purposes of direct marketing or advertising, credit scoring or determining eligibility to insurances, to calculate or modify insurance premiums or the services of a data broker, even if the data broker shares data with others that provide personalised services;
2022/11/17
Committee: LIBE
Amendment 248 #

2022/0047(COD)

Proposal for a regulation
Article 2 – paragraph 1 – point 9
(9) ‘public sector body’ means national, regional or local authorities of the Member States and bodies governed by public law of the Member States, or associations formed by one or more such authorities or one or more such bodies who have the ability to securely and reliably process the data requested from data holders;
2022/11/17
Committee: LIBE
Amendment 251 #

2022/0047(COD)

Proposal for a regulation
Article 2 – paragraph 1 – point 10
(10) ‘public emergency’ means an exceptional situation such as public health emergencies, major natural disasters, including those aggravated by climate change and environmental degradation, and major man-made disasters, such as major cybersecurity incidents, negatively affecting the population of the Union, a Member State or part of it, with a risk of serious and lasting repercussions on living conditions or economic stability, or the substantial degradation of economic assets in the Union or the relevant Member State(s); and it is determined according to the respective procedures under Union or national law;
2022/11/17
Committee: LIBE
Amendment 260 #

2022/0047(COD)

Proposal for a regulation
Article 3 – paragraph 1
1. Products shall be designed and manufactured, and related services shall be provided, in such a manner that data generated by their use are, by default, easily, securely and, where relevant and appropriate, directly accessible to the user in a structured, commonly used and machine-readable format, free of charge. Products shall be designed and manufactured, and related services shall be provided, in such a manner that data subjects, irrespective of their legal title over the product, are offered the possibility to use the products covered by this Regulation anonymously or in the least privacy-intrusive way possible, such as by anonymising the data. Where users can reasonably expect it due to the nature of the product, products shall be designed and manufactured, and related services shall be provided, in such a manner that a basic set of functionalities is maintained when the product or related service is used offline.
2022/11/17
Committee: LIBE
Amendment 265 #

2022/0047(COD)

Proposal for a regulation
Article 3 – paragraph 1 a (new)
1 a. The data holder shall not make the usability of the product or related service dependent on the user allowing it to process data not required for the functionality of the product or provision of the related service.
2022/11/17
Committee: LIBE
Amendment 268 #

2022/0047(COD)

Proposal for a regulation
Article 3 – paragraph 1 b (new)
1 b. The data holder shall not incentivise, directly or indirectly, the commercialisation and trade of personal data.
2022/11/17
Committee: LIBE
Amendment 269 #

2022/0047(COD)

Proposal for a regulation
Article 3 – paragraph 2 – introductory part
2. Before concluding a contract for the purchase, rent or lease of a product or a related service, users should be presented with granular, meaningful consent options for data processing, within the meaning of Article 4(11) of Regulation (EU) 2016/679, differentiating between data that is essential for the functioning of the product and a related service and other types of data. In addition, at least the following information shall be provided to the user, in a timely and prominent manner, in an easily accessible, clear and comprehensible format:
2022/11/17
Committee: LIBE
Amendment 273 #

2022/0047(COD)

Proposal for a regulation
Article 3 – paragraph 2 – point c
(c) how the user may access and request a copy of those data;
2022/11/17
Committee: LIBE
Amendment 277 #

2022/0047(COD)

Proposal for a regulation
Article 3 – paragraph 2 – point d
(d) whether the manufacturer supplying the product or the service provider providing the related service intends to use the data itself or allow a third party to use the data and, if so, the identity of the third party and the purposes for which those data will be used;
2022/11/17
Committee: LIBE
Amendment 278 #

2022/0047(COD)

Proposal for a regulation
Article 3 – paragraph 2 – point e
(e) whether the seller, renter or lessor is the data holder and, if not, the identity of the data holder, such as its trading name, contact details and the geographical address at which it is established;
2022/11/17
Committee: LIBE
Amendment 283 #

2022/0047(COD)

Proposal for a regulation
Article 4 – paragraph 1
1. Where data cannot be directly accessed by the user from the product, the data holder shall make available to the user the data generated by its use of a product or related service without undue delay, free of charge and, where applicable, continuously and in real-time in a structured, commonly used and machine-readable format. This shall be done on the basis of a simple request through electronic means where technically feasible.
2022/11/17
Committee: LIBE
Amendment 290 #

2022/0047(COD)

Proposal for a regulation
Article 4 – paragraph 5
5. Where the user is not a data subject, any personal data generated by the use of a product or related service shall only be made available by the data holder to the user where all conditions and rules provided by data protection legislation are complied with, notably where there is a valid legal basis under Article 6(1) of Regulation (EU) 2016/679 and, where relevant, the conditions of Article 9 of Regulation (EU) 2016/679 679 and Article 5(3) of Directive 2002/58/EC are fulfilled.
2022/11/17
Committee: LIBE
Amendment 293 #

2022/0047(COD)

Proposal for a regulation
Article 5 – paragraph 1
1. Upon explicit request by a user, or by a party acting on behalf of a user, the data holder shall make available the data generated by the use of a product or related service to a third party, without undue delay, free of charge to the user, of the same quality as is available to the data holder and, where applicable, continuously and in real-time. and only for the purposes of:
2022/11/17
Committee: LIBE
Amendment 294 #

2022/0047(COD)

Proposal for a regulation
Article 5 – paragraph 1 – point a (new)
(a) the provision of aftermarket services, such as the maintenance and repair of the product or related service, including aftermarket services in competition with a product or related service provided by the data holder;
2022/11/17
Committee: LIBE
Amendment 295 #

2022/0047(COD)

Proposal for a regulation
Article 5 – paragraph 1 – point b (new)
(b) the provision of an added value service explicitly requested by the user;
2022/11/17
Committee: LIBE
Amendment 296 #

2022/0047(COD)

Proposal for a regulation
Article 5 – paragraph 1 – point c (new)
(c) specific data intermediation services recognised in the Union or specific services provided by data altruism organisations recognised in the Union under the conditions and requirements of Chapters III and IV of Regulation (EU) 2022/868;
2022/11/17
Committee: LIBE
Amendment 297 #

2022/0047(COD)

Proposal for a regulation
Article 5 – paragraph 1 – point d (new)
(d) research and innovation predominantly in the public interest;
2022/11/17
Committee: LIBE
Amendment 298 #

2022/0047(COD)

Proposal for a regulation
Article 5 – paragraph 1 – point e (new)
(e) purposes of non-profit organisations predominantly in the public interest.
2022/11/17
Committee: LIBE
Amendment 304 #

2022/0047(COD)

Proposal for a regulation
Article 5 – paragraph 3
3. The user or third party shall not be required to provide any information beyond what is strictly necessary to verify the quality as user or as third party pursuant to paragraph 1. The data holder shall not keep any information on the third party’s access to the data requested beyond what is necessary for the sound execution of the third party’s access request and for the security and the maintenance of the data infrastructure.
2022/11/17
Committee: LIBE
Amendment 307 #

2022/0047(COD)

Proposal for a regulation
Article 5 – paragraph 6
6. Where the user is not a data subject, any personal data generated by the use of a product or related service shall only be made available by the data holder to the third party where all conditions and rules provided by data protection legislation are complied with, notably where there is a valid legal basis under Article 6(1) of Regulation (EU) 2016/679 and where relevant, the conditions of Article 9 of Regulation (EU) 2016/679 and Article 5(3) of Directive2002/58/EC are fulfilled.
2022/11/17
Committee: LIBE
Amendment 313 #

2022/0047(COD)

Proposal for a regulation
Article 6 – paragraph 1
1. A third party shall process thepersonal data made available to it pursuant to Article 5 only for the purposes and under the conditions agreed with the user, and specific purposes mentioned in article 5, paragraph 1 and under the conditions agreed with the user, and where all conditions and rules provided by data protection legislation are complied with, notably where there is a valid legal basis under Article 6 of Regulation (EU) 2016/679 and where relevant, the conditions of Article 9 of Regulation (EU) 2016/679 and Article 5(3) of Directive 2002/58/EC are fulfilled and subject to the rights of the data subject insofar as personal data are concerned, and shall delete the data when they are no longer necessary for the agreed purposeexplicitly requested purpose in line with paragraph 1 of article 5.
2022/11/17
Committee: LIBE
Amendment 318 #

2022/0047(COD)

Proposal for a regulation
Article 6 – paragraph 2 – point a
(a) make the exercise of the rights or choices of users unduly difficult including by offering choices to the users in a non- neutral manner, or coerce, deceive or manipulate the user in any way, byor subverting or impairing the autonomy, decision-making or choices of the user, including by means of a digital interface with the useror a part thereof, including its structure, design, function or manner of operation;
2022/11/17
Committee: LIBE
Amendment 322 #

2022/0047(COD)

Proposal for a regulation
Article 6 – paragraph 2 – point b
(b) use the data it receives for the profiling of natural persons within the meaning of Article 4(4) of Regulation (EU) 2016/679, unless it is strictly necessary to provide the servicepecific service explicitly requested by the user;
2022/11/17
Committee: LIBE
Amendment 325 #

2022/0047(COD)

Proposal for a regulation
Article 6 – paragraph 2 – point c
(c) make the data available it receives to another third party, in raw, aggregated or derived form, unless this is necessary to provide the service requested by the user, and the user has explicitly been made aware of this in a clear, easily accessible and prominent way and, in the case of personal data, the rights and obligations of Regulation (EU) 2016/679 are respected;
2022/11/17
Committee: LIBE
Amendment 329 #

2022/0047(COD)

Proposal for a regulation
Article 6 – paragraph 2 – point f a (new)
(f a) make the usability of the product or related service dependent on the user allowing it to process data not required for the purposes or services explicitly requested by the user;
2022/11/17
Committee: LIBE
Amendment 330 #

2022/0047(COD)

Proposal for a regulation
Article 6 – paragraph 2 – point f b (new)
(f b) incentivise, directly or indirectly, the commercialisation and trade of personal data.
2022/11/17
Committee: LIBE
Amendment 333 #

2022/0047(COD)

Proposal for a regulation
Article 7 – paragraph 1
1. The obligations of this Chapter related to business to business data sharing shall not apply to data generated by the use of products manufactured or related services provided by enterprises that qualify as micro or small enterprises, as defined in Article 2 of the Annex to Recommendation 2003/361/EC, provided those enterprises do not have partner enterprises or linked enterprises as defined in Article 3 of the Annex to Recommendation 2003/361/EC which do not qualify as a micro or small enterprise.
2022/11/17
Committee: LIBE
Amendment 335 #

2022/0047(COD)

Proposal for a regulation
Article 7 a (new)
Article 7 a Unfair contractual terms imposed on users Any contractual term by data holders, third parties or data recipients which, to the detriment of the user, excludes the application of this Chapter, derogates from it, or varies its effect, shall not be binding on that party.
2022/11/17
Committee: LIBE
Amendment 337 #

2022/0047(COD)

Proposal for a regulation
Article 8 – paragraph 4
4. A data holder shall not make data available to a data recipient on an exclusive basis unless explicitly requested by the user under Chapter II.
2022/11/17
Committee: LIBE
Amendment 340 #

2022/0047(COD)

Proposal for a regulation
Article 9 – paragraph 1
1. Any compensation agreed between a data holder and a data recipient for making data available shall be reasonable and shall not exceed the costs directly related to making the data available. The data holder or the third party may not directly or indirectly charge users a fee or any compensation of costs for sharing or accessing data.
2022/11/17
Committee: LIBE
Amendment 342 #

2022/0047(COD)

Proposal for a regulation
Article 9 – paragraph 2
2. Where the data recipient is a micro, small or medium enterprise, as defined in Article 2 of the Annex to Recommendation 2003/361/EC, any compensation agreed shall not exceed the costs directly related to making the data available to the data recipient and which are attributable to the request. Article 8(3) shall apply accordingly.deleted
2022/11/17
Committee: LIBE
Amendment 345 #

2022/0047(COD)

Proposal for a regulation
Article 9 – paragraph 4
4. The data holder shall provide the data recipient with information setting out the basis for the calculation of the compensation in sufficient detail so that the data recipient can verify that the requirements of paragraph 1 and, where applicable, paragraph 2 are met.
2022/11/17
Committee: LIBE
Amendment 347 #

2022/0047(COD)

Proposal for a regulation
Article 10 – paragraph 1
1. Data holders and data recipients shall have access to dispute settlement bodies, certified in accordance with paragraph 2 of this Article, to settle disputes in relation to the determination of fair, reasonable and non-discriminatory terms for and the transparent manner of making data available in accordance with Articles 8 and 9. This is without prejudice to the data subjects’ rights to seek redress before a supervisory authority, and to the controller’s data protection obligations.
2022/11/17
Committee: LIBE
Amendment 349 #

2022/0047(COD)

Proposal for a regulation
Article 11 – paragraph 1
1. The data holder may apply appropriate technical protection measures, including smart contracts, to prevent unauthorised access to the data and to ensure compliance with Articles 5, 6, 9 and 10, as well as with the agreed contractual terms for making data available. Such technical protection measures shall not be used as a means to hinder the user’s right to access data, obtain a copy or effectively provide data to third parties pursuant to Article 5 or any right of a third party under Union law or national legislation implementing Union law as referred to in Article 8(1). Where personal data is concerned, these technical measures shall be consistent with the obligation of the data controller to implement appropriate technical and organisational measures so as to ensure a level of security appropriate to the risk of the personal data processing pursuant to data protection legislation.
2022/11/17
Committee: LIBE
Amendment 352 #

2022/0047(COD)

Proposal for a regulation
Article 11 – paragraph 2 – introductory part
2. A data recipient that has, for the purposes of obtaining data, provided inaccurate or false information to the data holder, deployed deceptive or coercive means or abused evident gaps in the technical infrastructure of the data holder designed to protect the data, has used the data made available for unauthorised purposes or has disclosed those data to another party without the data holder’s authorisation or in the case of personal data, an appropriate legal basis, shall without undue delay, unless the data holder or the user instruct otherwise:
2022/11/17
Committee: LIBE
Amendment 356 #

2022/0047(COD)

Proposal for a regulation
Article 11 – paragraph 3 – introductory part
3. Paragraph 2, point (b), shall not apply in either of the following cases where non-personal data are concerned:
2022/11/17
Committee: LIBE
Amendment 359 #

2022/0047(COD)

2 a. Any contractual term in a data sharing agreement between data holders and data recipients which, to the detriment of the data subjects, undermines the application of their rights to privacy and data protection, derogates from it, or varies its effect, shall not be binding on that party.
2022/11/17
Committee: LIBE
Amendment 365 #

2022/0047(COD)

Proposal for a regulation
Article 14 – paragraph 2
2. This Chapter shall not apply to small and micro enterprises as defined in Article 2 of the Annex to Recommendation 2003/361/EC.deleted
2022/11/17
Committee: LIBE
Amendment 371 #

2022/0047(COD)

Proposal for a regulation
Article 15 – paragraph 1 – introductory part
An exceptional need to use data within the meaning of this Chapter shall be deemed to exist in any of the following circumstances:
2022/11/17
Committee: LIBE
Amendment 372 #

2022/0047(COD)

Proposal for a regulation
Article 15 – paragraph 1 – point a
(a) where the data requested is necessary to respond tolimited in time and scope and necessary to respond to a public emergency or to help prevent a public emergency or to assist the recovery from a public emergency;
2022/11/17
Committee: LIBE
Amendment 374 #

2022/0047(COD)

Proposal for a regulation
Article 15 – paragraph 1 – point b
(b) where the data request is limited in time and scope and necessary to prevent a public emergency or to assist the recovery from a public emergency;deleted
2022/11/17
Committee: LIBE
Amendment 377 #

2022/0047(COD)

Proposal for a regulation
Article 15 – paragraph 1 – point c
(c) where the lack of available data prevents the public sector body or Union institution, agency or body from fulfilling a specific task in the public interest that has been explicitly provided by law; and (1) the public sector body or Union institution, agency or body has been unable to obtain such data by alternative means, including by purchasing the data on the market at market rates or by relying on existing obligations to make data available, and the adoption of new legislative measures cannot ensure the timely availability of the data; or (2) obtaining the data in line with the procedure laid down in this Chapter would substantively reduce the administrative burden for data holders or other enterprises.deleted
2022/11/17
Committee: LIBE
Amendment 385 #

2022/0047(COD)

Proposal for a regulation
Article 16 – paragraph 1
1. This Chapter shall not affect obligations laid down in Union or national law for the purposes of reporting, complying with information requests or demonstrating or verifying compliance with legal obligations, including in relation to official statistics.
2022/11/17
Committee: LIBE
Amendment 395 #

2022/0047(COD)

Proposal for a regulation
Article 2 – paragraph 1 – point 1 a (new)
(1 a) ‘personal data’ means personal data as defined in Article 4, point(1), of Regulation (EU) 2016/679;
2022/11/14
Committee: ITRE
Amendment 398 #

2022/0047(COD)

Proposal for a regulation
Article 2 – paragraph 1 – point 1 b (new)
(1 b) 'non-personal data' means data other than personal data;
2022/11/14
Committee: ITRE
Amendment 410 #

2022/0047(COD)

Proposal for a regulation
Article 18 – paragraph 5
5. Where compliance with the request to make data available to a public sector body or a Union institution, agency or body requires the disclosure of personal data, the data holder shall take reasonable efforts to pseudonymise the data, insofar as the request can be fulfilled with pseudonymised data.
2022/11/17
Committee: LIBE
Amendment 424 #

2022/0047(COD)

Proposal for a regulation
Article 20 – paragraph 2
2. Where the data holder claims compensation for making data available in compliance with a request made pursuant to Article 15, points (b) or (c), such compensation shall not exceed the technical and organisational costs incurred to comply with the request including, where necessary, the costs of anonymisation and of technical adaptation, plus a reasonable margin. Upon request of the public sector body or the Union institution, agency or body requesting the data, the data holder shall provide information on the basis for the calculation of the costs and the reasonable margin.deleted
2022/11/17
Committee: LIBE
Amendment 443 #

2022/0047(COD)

Proposal for a regulation
Article 2 – paragraph 1 – point 6 a (new)
(6 a) 'data subject' means data subject as referred to in Article 4, point (1), of Regulation (EU) 2016/679;
2022/11/14
Committee: ITRE
Amendment 455 #

2022/0047(COD)

Proposal for a regulation
Article 2 – paragraph 1 – point 10
(10) ‘public emergency’ means an exceptional situation such as public health emergencies, emergencies resulting from environmental degradation and major natural disasters, including those exacerbated by climate change, and major man-made disasters, such as major cybersecurity incidents, negatively affecting the population of the Union, a Member State or part of it, with a risk of serious and lasting repercussions on living conditions or economic and financial stability, or the substantial degradation of economic assets in the Union or the relevant Member State(s); and which is determined according to the respective procedures under Union or national law.
2022/11/14
Committee: ITRE
Amendment 463 #

2022/0047(COD)

Proposal for a regulation
Article 31 – paragraph 1
1. Each Member State shall designate one or more competent authoritiesy as responsible for the application and enforcement of this Regulation. Member States may establish one or morea new authoritiesy or rely on existing authorities.
2022/11/17
Committee: LIBE
Amendment 464 #

2022/0047(COD)

Proposal for a regulation
Article 31 – paragraph 1 a (new)
1 a. The independent supervisory authorities responsible for monitoring the application of Regulation (EU) 2016/679 shall be responsible for monitoring the application of this Regulation insofar as the protection of personal data is concerned. Chapters VI and VII of Regulation (EU) 2016/679 shall apply mutatis mutandis. The European Data Protection Supervisor shall be responsible for monitoring the application of this Regulation insofar as it concerns the Union institutions, bodies, offices and agencies. Where relevant, Article 62 of Regulation 2018/1725 shall apply mutatis mutandis. The tasks and powers of the supervisory authorities shall be exercised with regard to the processing of personal data.
2022/11/17
Committee: LIBE
Amendment 468 #

2022/0047(COD)

Proposal for a regulation
Article 31 – paragraph 2 – point a
(a) the independent supervisory authorities responsible for monitoring the application of Regulation (EU) 2016/679 shall be responsible for monitoring the application of this Regulation insofar as the protection of personal data is concerned. Chapters VI and VII of Regulation (EU) 2016/679 shall apply mutatis mutandis. The tasks and powers of the supervisory authorities shall be exercised with regard to the processing of personal data;deleted
2022/11/17
Committee: LIBE
Amendment 473 #

2022/0047(COD)

Proposal for a regulation
Article 31 – paragraph 2 – point c
(c) the national competent authority responsible for the application and enforcement of Chapter VI of this Regulation shall have experience, , sufficient technical and human resources and expertise in the field of data and electronic communications services.
2022/11/17
Committee: LIBE
Amendment 479 #

2022/0047(COD)

Proposal for a regulation
Article 31 – paragraph 3 – point i a (new)
(i a) ensuring data sharing is free of charge for users.
2022/11/17
Committee: LIBE
Amendment 480 #

2022/0047(COD)

Proposal for a regulation
Article 31 – paragraph 4
4. Where a Member State designates more than one competent authority, tThe competent authorities shall, in the exercise of the tasks and powers assigned to them under paragraph 3 of this Article, cooperate with each other, including, as appropriate, with the supervisory authority responsible for monitoring the application of Regulation (EU) 2016/679, to ensure the consistent application of this Regulation. In such cases, relevant Member States shall designate a coordinating competent authority.
2022/11/17
Committee: LIBE
Amendment 482 #

2022/0047(COD)

Proposal for a regulation
Article 31 – paragraph 5
5. Member States shall communicate the name of the designated competent authorities and their respective tasks and powers and, where applicable, the name of the coordinating competent authority to the Commission. The Commission shall maintain a public register of those authorities.
2022/11/17
Committee: LIBE
Amendment 488 #

2022/0047(COD)

Proposal for a regulation
Article 34 – paragraph 1
The Commission shall develop and recommend non-binding model contractual terms on data access and use to assist parties in drafting and negotiating contracts with balanced contractual rights and obligations. The Commission shall consult the European Data Protection Board when developing such model contractual terms, as far as personal data are concerned.
2022/11/17
Committee: LIBE
Amendment 521 #

2022/0047(COD)

Proposal for a regulation
Article 3 – paragraph 2 – point c
(c) how the user may access those data delivered in a usable format and in a simple, clear and free manner for the user ;;
2022/11/14
Committee: ITRE
Amendment 650 #

2022/0047(COD)

Proposal for a regulation
Article 6 – paragraph 2 – point a
(a) make the exercise of the rights or choices of users unduly difficult including by offering choices to the end-users in a non-neutral manner, or coerce, deceive or manipulate the user in any way, by subverting or impairing the autonomy, decision-making or choices of the user, including by means of a digital interface with the user or a part thereof, including its structure, design, function or manner of operation;
2022/11/14
Committee: ITRE
Amendment 678 #

2022/0047(COD)

Proposal for a regulation
Article 7 – paragraph 1
1. The obligations of this Chapter related to business-to-business data sharing shall not apply to data generated by the use of products manufactured or related services provided by enterprises that qualify as micro or small enterprises, as defined in Article 2 of the Annex to Recommendation 2003/361/EC, provided those enterprises do not have partner enterprises or linked enterprises as defined in Article 3 of the Annex to Recommendation 2003/361/EC which do not qualify as a micro or small enterprise.
2022/11/14
Committee: ITRE
Amendment 699 #

2022/0047(COD)

Proposal for a regulation
Article 9 – paragraph 1
1. Any compensation agreed between a data holder and a data recipient for making data available shall be reasonable and shall not exceed the costs directly related to making the data available.
2022/11/14
Committee: ITRE
Amendment 704 #

2022/0047(COD)

Proposal for a regulation
Article 9 – paragraph 2
2. Where the data recipient is a micro, small or medium enterprise, as defined in Article 2 of the Annex to Recommendation 2003/361/EC, aAny compensation agreed shall not exceed the costs directly related to making the data available to the data recipient and which are attributable to the request. Article 8(3) shall apply accordingly.
2022/11/14
Committee: ITRE
Amendment 1104 #

2022/0047(COD)

Proposal for a regulation
Article 31 – paragraph 2 – point c
(c) the national competent authority responsible for the application and enforcement of Chapter VI of this Regulation shall have technical and human resources and experience in the field of data and electronic communications services.
2022/11/14
Committee: ITRE
Amendment 1107 #

2022/0047(COD)

Proposal for a regulation
Article 31 – paragraph 3 – point b
(b) handling complaints arising from alleged violations of this Regulation, and investigating, to the extent appropriate, the subject matter of the complaint and regularly and meaningfully informing the complainant of the progress and the outcome of the investigation swiftly within a reasonable period, in particular if further investigation or coordination with another competent authority is necessary;
2022/11/14
Committee: ITRE
Amendment 1114 #

2022/0047(COD)

Proposal for a regulation
Article 31 – paragraph 3 – point f
(f) cooperating with competent authorities of other Member States to ensure the consistent swift and effective application of this Regulation, including the exchange of all relevant information by electronic means, in a timely manner without undue delay;
2022/11/14
Committee: ITRE
Amendment 1127 #

2022/0047(COD)

Proposal for a regulation
Article 32 – paragraph 1
1. Without prejudice to any other administrative or judicial remedy, natural and legal persons shall have the right to lodge a complaint, individually or, where relevant , collectively, with the relevant competent authority in the Member State of their habitual residence, place of work or establishment if they consider that their rights or the obligations under this Regulation have been infringed.
2022/11/14
Committee: ITRE
Amendment 1143 #

2022/0047(COD)

The Commission shall develop and recommend non-binding model contractual terms on data access and use to assist parties in drafting and negotiating contracts with balanced contractual rights and obligations. These non-binding contractual terms shall be openly freely available in easily usable electronic format.
2022/11/14
Committee: ITRE
Amendment 190 #

2021/2230(INI)

Motion for a resolution
Paragraph 12 a (new)
12 a. Supports Armenia’s efforts at maintaining the Euronest Parliamentary Assembly as an important forum for political dialogue with neighbouring countries and therefore encourages Armenia to continue making full use of it;
2022/11/24
Committee: AFET
Amendment 224 #

2021/2230(INI)

Motion for a resolution
Paragraph 16 a (new)
16a. Calls on Armenia to ratify the Council of Europe Convention on preventing and combating violence against women and domestic violence;
2022/11/24
Committee: AFET
Amendment 10 #

2021/2103(INI)

Motion for a resolution
Citation 15 a (new)
— having regard to the Statement of the Commissioner for Human Rights of the Council of Europe of 16 May 2019 titled ‘Let’s defend LGBTI defenders’,1a _________________ 1a https://www.coe.int/en/web/commissioner/ -/let-s-defend-lgbti-defenders
2021/11/16
Committee: LIBE
Amendment 49 #

2021/2103(INI)

Motion for a resolution
Recital I a (new)
I a. whereas the situation of LGBTI rights defenders in Europe was described as worrying by the Commissioner for Human Rights, who reported several instances of online and offline harassment, violent assaults, hate campaigns and death threats in Member States and neighbourhood countries; whereas this trend is interlinked with the scapegoating of other minority groups and it contravenes the principle that every person is born equal in dignity and rights;
2021/11/16
Committee: LIBE
Amendment 97 #

2021/2103(INI)

Motion for a resolution
Paragraph 2
2. Emphasises that for civil society organisations to thrive, civic space must be an enabling and safe environment free from undue interference, intimidation, harassment and chilling effects, such as SLAPPs, incitement to hatred and/or violence against rights defenders and organisations, and the creation of legal or administrative hurdles affecting their daily operations;
2021/11/16
Committee: LIBE
Amendment 130 #

2021/2103(INI)

Motion for a resolution
Paragraph 6 a (new)
6 a. Recalls that the scapegoating of minorities and vulnerable groups such as women and LGBTI persons is not an isolated event, but functions as a premeditated and gradual dismantling of fundamental rights, which are protected in Article 2 TEU, constituting part of a larger political agenda which has been called ‘anti-gender’ campaigns; calls on Member States to be particularly cautious of initiatives that attempt to roll-back on acquired rights which were designed to prevent and protect persons from discrimination and to promote equality;
2021/11/16
Committee: LIBE
Amendment 185 #

2021/2103(INI)

Motion for a resolution
Paragraph 14 a (new)
14 a. Restates that no proper response has yet been given to Parliament’s initiative on the establishment of an EU mechanism on democracy, the rule of law and fundamental rights to be governed by an interinstitutional agreement between Parliament, the Commission and the Council; calls on the Commission and the Council to immediately enter into negotiations with Parliament on an interinstitutional agreement pursuant to Article 295 TFEU; recalls that the monitoring of civic space is deeply linked with democracy and fundamental rights, and that a mechanism to monitor Article 2 TEU values is the best tool for a holistic approach in such respect;
2021/11/16
Committee: LIBE
Amendment 3 #

2021/0395(COD)

Proposal for a directive
Article 3 – paragraph -1 (new)
-1 in Article 9, the following paragraph shall be added: “3a.The issuing judicial authority shall use the decentralised IT system referred to in Article 3(1) of Regulation (EU) .../... [Digitalisation Regulation], to provide the competent authority in the executing Member State with: a) the information required to enable the requested person to appoint a lawyer in the issuing state in accordance with Article 10(5) of Directive 2013/48/EU, and to apply for legal aid in the issuing state in accordance with Article 5 of Directive 2016/1919/EU; b) the material evidence that supports the cross-border cooperation request in due time before the hearing through videoconferencing or other distance communication technology, without prejudice to the procedure laid down in paragraph 2 in Article 15.
2022/11/24
Committee: JURILIBE
Amendment 183 #

2021/0394(COD)

Proposal for a regulation
Article 3 a (new)
Article 3 a Communication between competent authorities in criminal matters Without prejudice to Article 3, for the purposes of a European Arrest Warrant issued pursuant to Council Framework Decision 2002/584/JHA, the issuing Member State authority shall use the decentralised IT system referred to in Article 3(1), to provide the competent authority in the executing Member State with: a) the information required to enable the suspect, accused or convicted person to appoint a lawyer in the issuing state in accordance with Article 10(5) of Directive 2013/48/EU and apply for legal aid in the issuing state in accordance with Article 5 of Directive 2016/1919/EU; b) the material evidence that supports the cross-border cooperation request in accordance with Article 7(2), of Directive 2012/13/EU, in due time before the hearing through videoconferencing or other distance communication technology.
2022/11/24
Committee: JURILIBE
Amendment 34 #

2021/0136(COD)

Proposal for a regulation
Recital 11
(11) European Digital Identity Wallets should ensure the highest level of security for the personal data used for authentication irrespective of whether such data is stored locally or on cloud-based solutions, taking into account the different levels of risk. Using biometrics to authenticate is one of the identifications methods providing a high level of confidence, in particular when used in combination with other elements oftwo-factor authentication. Since biometrics represents a unique characteristic of a person, the use of biometrics requires organisational and security measures, commensurate to the risk that such processing may entail to the rights and freedoms of natural persons and in accordance with Regulation 2016/679. Authentication via biometrics should not be a precondition for using the European Digital Identity Wallet.
2022/06/13
Committee: LIBE
Amendment 36 #

2021/0136(COD)

Proposal for a regulation
Recital 11 a (new)
(11 a) The obligation on the European Digital Identity Wallet to ensure effective portability of data under this Regulation complements the right to data portability under Regulation (EU) 2016/679.
2022/06/13
Committee: LIBE
Amendment 55 #

2021/0136(COD)

Proposal for a regulation
Recital 29
(29) The European Digital Identity Wallet should technically enable the selective disclosure of attributes to relying parties. This feature should become a basic design feature thereby reinforcing convenience and personal data protection including minimisation of processing of personal data. The data requested from the user via the European Digital Identity Wallet have to be strictly necessary and proportionate for the intended use case of the relying party and follow the principle of data minimisation.
2022/06/13
Committee: LIBE
Amendment 74 #

2021/0136(COD)

Proposal for a regulation
Article 1 – paragraph 1 – point 3 – point b a (new)
Regulation (EU) No 910/2014
Article 3 – point 5
"(5) ‘authentication’ means an electronic process that enables the electronic identification of a natural or legal person, or the origin and integrity of data in electronic form to be confirmed; o verify the data presented" Or. en (32014R0910)
2022/06/13
Committee: LIBE
Amendment 123 #

2021/0136(COD)

Proposal for a regulation
Article 1 – paragraph 1 – point 7
Regulation (EU) No 910/2014
Article 6a – paragraph 4 – point a – point 2 a (new)
(2 a) for relying parties to be uniquely identified in order to be able to include their identification data, use cases and user data requests in a public register overseen by supervisory authorities established under Regulation (EU) 2016/679;
2022/06/13
Committee: LIBE
Amendment 125 #

2021/0136(COD)

Proposal for a regulation
Article 1 – paragraph 1 – point 7
Regulation (EU) No 910/2014
Article 6a – paragraph 4 – point a – point 3
(3) for the presentation to relying parties of person identification data such as credentials, electronic attestation of attributes or other data such as credentials, in local mode not requiring internet access for the wallet and for the user to make an informed decision about the sharing of personal information with relying parties. This includes identification of the relying party, complete or partial refusal of information requests from relying parties, a full transaction history, the possibility to withdraw previously given consent to information requests for the walleand information about the exercise of rights as data subject;
2022/06/13
Committee: LIBE
Amendment 144 #

2021/0136(COD)

Proposal for a regulation
Article 1 – paragraph 1 – point 7
Regulation (EU) No 910/2014
Article 6a – paragraph 5a (new)
5 a. Member States shall ensure that relevant information on the European Digital Identity Wallet is publicly available, including privacy protective settings, technical architecture, security frameworks, and where the processing of personal data is carried out.
2022/06/13
Committee: LIBE
Amendment 150 #

2021/0136(COD)

Proposal for a regulation
Article 1 – paragraph 1 – point 7
Regulation (EU) No 910/2014
Article 6a – paragraph 7
7. The user shall be in full control of the European Digital Identity Wallet and their personal data. The issuer of the European Digital Identity Wallet or third- party services or the Member State shall not collect information about the use of the wallet by the user which are not strictly necessary and proportionate solely for the provision of the wallet services, nor shall it combine person identification data and any other personal data stored or relating to the use of the European Digital Identity Wallet with personal data from any other services offered by this issuer or from third-party services which are not necessarstrictly necessary and proportionate solely for the provision of the wallet services, unless the user has expressly requested it. The exchange of information via the European Digital Identity Wallet shall not allow providers of electronic attestations of attributes to track, link, correlate or otherwise obtain knowledge of transactions or user behaviour. Personal data relating to the provision of European Digital Identity Wallets shall be kept physically and logically separate from any other data held. If the European Digital Identity Wallet is provided by private parties in accordance to paragraph 1 (b) and (c), the provisions of article 45f paragraph 4 shall apply mutatis mutandis.
2022/06/13
Committee: LIBE
Amendment 154 #

2021/0136(COD)

Proposal for a regulation
Article 1 – paragraph 1 – point 7
7 a. The European Digital Identity Wallet shall request explicit prior consent of the user to perform any operations.
2022/06/13
Committee: LIBE
Amendment 155 #

2021/0136(COD)

Proposal for a regulation
Article 1 – paragraph 1 – point 7
Regulation (EU) No 910/2014
Article 6a – paragraph 7b (new)
7 b. The European Digital Identity Wallet shall provide a state of the art mechanism to transmit all of the user’s data in the wallet from one device to another and from one wallet to another upon the user’s request and free of charge.
2022/06/13
Committee: LIBE
Amendment 156 #

2021/0136(COD)

Proposal for a regulation
Article 1 – paragraph 1 – point 7
7 c. The European Digital Identity Wallet shall provide a mechanism for the user to inform directly the supervisory body and the supervisory authorities established under Regulation (EU) 2016/679 about any relying party that appears to request a disproportionate amount of data.
2022/06/13
Committee: LIBE
Amendment 157 #

2021/0136(COD)

Proposal for a regulation
Article 1 – paragraph 1 – point 7
Regulation (EU) No 910/2014
Article 6a – paragraph 7d (new)
7 d. Access to public and private services shall not be denied, hindered or made more costly for natural persons who choose not to use the European Digital Identity Wallet.
2022/06/13
Committee: LIBE
Amendment 158 #

2021/0136(COD)

Proposal for a regulation
Article 1 – paragraph 1 – point 7 Regulation (EU) No 910/2014
7 e. The user shall be entitled to request a backup function of the data they have in their European Digital Identity Wallet from the wallet issuer in situations of unavailability of the wallet, and in case of loss or theft of their device. This backup function shall be enabled only with the explicit prior consent of the user and it shall be complemented with reinforced identity checks.
2022/06/13
Committee: LIBE
Amendment 179 #

2021/0136(COD)

1. When notified electronic identification means and the European Digital Identity Wallets are used for authidentification, Member States shall ensure unique identification.
2022/06/13
Committee: LIBE
Amendment 181 #

2021/0136(COD)

Proposal for a regulation
Article 1 – paragraph 1 – point 12
Regulation (EU) No 910/2014
Article 11 – paragraph 2
2. Member States shall, for the purposes of this Regulation, include in the minimum set of person identification data referred to in Article 12.4.(d), a unique and persistent identifier in conformity with Union law, to identify the user upon their request and only in those cases where identification of the user is required by law. Unique and persistent identifiers shall not be accessed for the purpose of user authentication.
2022/06/13
Committee: LIBE
Amendment 206 #

2021/0136(COD)

Proposal for a regulation
Article 1 – paragraph 1 – point 20 – point a – point 2
Regulation (EU) No 910/2014
Article 17 – paragraph 4 – point f
(f) to cooperate with supervisory authorities established under Regulation (EU) 2016/679, in particular, by informing them without undue delay, about the results of audits of qualified trust service providers, where personal data protection rules have been breached and about security breaches which constitute whenever becoming aware of a personal data breaches;;
2022/06/13
Committee: LIBE
Amendment 215 #

2021/0136(COD)

Proposal for a regulation
Article 1 – paragraph 1 – point 22 – point b
Regulation (EU) No 910/2014
Article 20 – paragraph 2
Where personal data protection rules appear to have been breached, the supervisory body shall inform the supervisory authorities under Regulation (EU) 2016/679 of the results of its audits.;
2022/06/13
Committee: LIBE
Amendment 921 #

2021/0106(COD)

Proposal for a regulation
Article 3 – paragraph 1 – point 1
(1) 'artificial intelligence system’ (AI system) means software that is developed with one or more of the techniques and approaches listcan for example perceive, learn, reason or model based ion Annex I and can, for a given set of human-defined objectives,machine and/or human based inputs, to generate outputs such as content, hypotheses, predictions, recommendations, or decisions influencing the real or virtual environments they interact with;
2022/06/13
Committee: IMCOLIBE
Amendment 1022 #

2021/0106(COD)

Proposal for a regulation
Article 3 – paragraph 1 – point 33
(33) ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic dataas defined in Article 4, point (14) of Regulation (EU) 2016/679;
2022/06/13
Committee: IMCOLIBE
Amendment 1030 #

2021/0106(COD)

Proposal for a regulation
Article 3 – paragraph 1 – point 33 b (new)
(33 b) ‘biometric identification’ means the use of AI-systems for the purpose of the automated recognition of physical, physiological, behavioural, and psychological human features such as the face, eye movement, facial expressions, body shape, voice, speech, gait, posture, heart rate, blood pressure, odour, keystrokes, psychological reactions (anger, distress, grief, etc.) for the purpose of verification of an individual’s identity by comparing biometric data of that individual to stored biometric data of individuals in a database (one-to-many identification);
2022/06/13
Committee: IMCOLIBE
Amendment 1112 #

2021/0106(COD)

Proposal for a regulation
Article 3 – paragraph 1 – point 44 b (new)
(44 b) ‘artificial intelligence system with indeterminate uses’ means an artificial intelligence system without specific and limited provider-defined purposes;
2022/06/13
Committee: IMCOLIBE
Amendment 1225 #

2021/0106(COD)

Proposal for a regulation
Article 5 – paragraph 1 – point c a (new)
(c a) the placing on the market, putting into service, or use of AI systems intended to be used as polygraphs and similar tools to detect the emotional state, trustworthiness or related characteristics of a natural person;
2022/06/13
Committee: IMCOLIBE
Amendment 1288 #

2021/0106(COD)

Proposal for a regulation
Article 5 – paragraph 1 – point d a (new)
(d a) the creation or expansion of biometric databases through the untargeted or generalised scraping of biometric data from social media profiles or CCTV footage, or equivalent methods;
2022/06/13
Committee: IMCOLIBE
Amendment 1307 #

2021/0106(COD)

Proposal for a regulation
Article 5 – paragraph 1 – point d d (new)
(d d) the placing on the market, putting into service or use of an AI system for making predictions, profiles or risk assessments based on data analysis or profiling of natural persons, groups or locations, for the purpose of predicting the occurrence or reoccurrence of an actual or potential criminal offence(s) or other criminalised social behaviour;
2022/06/13
Committee: IMCOLIBE
Amendment 1319 #

2021/0106(COD)

Proposal for a regulation
Article 5 – paragraph 1 – point d f (new)
(d f) the placing on the market, putting into service, or use of AI systems that are aimed at automating judicial or similarly intrusive binding decisions by state actors;
2022/06/13
Committee: IMCOLIBE
Amendment 1322 #

2021/0106(COD)

Proposal for a regulation
Article 5 – paragraph 1 – point d g (new)
(d g) the placing on the market, putting into service or the use of AI systems by or on behalf of competent authorities in migration, asylum or border control management, to profile an individual or assess a risk, including a security risk, a risk of irregular immigration, or a health risk, posed by a natural person who intends to enter or has entered the territory of a Member State, on the basis of personal or sensitive data, known or predicted, except for the sole purpose of identifying specific care and support needs;
2022/06/13
Committee: IMCOLIBE
Amendment 1447 #

2021/0106(COD)

Proposal for a regulation
Article 6 – paragraph 2 a (new)
2 a. An artificial intelligence system with indeterminate uses shall also be considered high risk if so identified per Article 9, paragraph 2, point (a).
2022/06/13
Committee: IMCOLIBE
Amendment 1452 #

2021/0106(COD)

Proposal for a regulation
Article 6 – paragraph 2 b (new)
2 b. In addition to the high-risk AI systems referred to in paragraph 1 and paragraph 2, AI systems that create foreseeable high-risks when combined shall also be considered high-risk.
2022/06/13
Committee: IMCOLIBE
Amendment 1563 #

2021/0106(COD)

Proposal for a regulation
Article 8 – paragraph 2
2. The intended purpose of the high- risk AI system, the foreseeable uses and foreseeable misuses of AI systems with indeterminate uses and the risk management system referred to in Article 9 shall be taken into account when ensuring compliance with those requirements.
2022/06/13
Committee: IMCOLIBE
Amendment 1583 #

2021/0106(COD)

Proposal for a regulation
Article 9 – paragraph 2 – point a
(a) identification and analysis of the known and the reasonably foreseeable risks associated with each high-risk AI system;that the high-risk AI system, and AI systems with indeterminate uses, can pose to: (i) the health or safety of natural persons; (ii) the legal rights or legal status of natural persons; (iii) the fundamental rights; (iv) the equal access to services and opportunities of natural persons; (v) the Union values enshrined in Article 2 TEU.
2022/06/13
Committee: IMCOLIBE
Amendment 1701 #

2021/0106(COD)

Proposal for a regulation
Article 10 – paragraph 2 – point f
(f) examination in view of possible biases, especially where data outputs are used as an input for future operations(‘feedback loops’);
2022/06/13
Committee: IMCOLIBE
Amendment 1729 #

2021/0106(COD)

Proposal for a regulation
Article 10 – paragraph 4
4. Training, validation and testing dData sets shall take into account, to the extent required by the intended purpose, the foreseeable uses and reasonably foreseeable misuses of AI systems with indeterminate uses, the characteristics or elements that are particular to the specific geographical, ,behavioural or functional setting within which the high-risk AI system is intended to be used.
2022/06/13
Committee: IMCOLIBE
Amendment 1805 #

2021/0106(COD)

Proposal for a regulation
Article 13 – paragraph 3 – point b – point v
(v) when appropriate, specifications for the input data, or any other relevant information in terms of the training, validation and testing data sets used, taking into account the intended purposedata sets used, including their limitation and assumptions, taking into account the intended purpose, the foreseeable and reasonably foreseeable misuses of the AI system.
2022/06/13
Committee: IMCOLIBE
Amendment 1849 #

2021/0106(COD)

Proposal for a regulation
Article 15 – paragraph 1
1. High-risk AI systems shall be designed and developed in such a way that they achieve, in the light of their intended purpose, an appropriate level of accuracythe foreseeable uses and reasonably foreseeable misuses, an appropriate level of perfomance (such as accuracy, reliability and true positive rate), robustness and cybersecurity, and perform consistently in those respects throughout their lifecycle.
2022/06/13
Committee: IMCOLIBE
Amendment 1883 #

2021/0106(COD)

Proposal for a regulation
Article 16 – paragraph 1 – point a a (new)
(a a) ensure that the performance of their high-risk AI system is measured appropriately, including its level of accuracy, robustness and cybersecurity;
2022/06/13
Committee: IMCOLIBE
Amendment 1886 #

2021/0106(COD)

Proposal for a regulation
Article 16 – paragraph 1 – point a b (new)
(a b) provide specifications for the input data, or any other relevant information in terms of the data sets used, including their limitation and assumptions, taking into account of the intended purpose and the foreseeable and reasonably foreseeable misuses of the AI system;
2022/06/13
Committee: IMCOLIBE
Amendment 2036 #

2021/0106(COD)

Proposal for a regulation
Article 29 – paragraph -1 (new)
-1. Users of high-risk AI systems shall ensure that natural persons assigned to ensure or entrusted with human oversight for high-risk AI systems are competent, properly qualified and trained, free from external influence and neither seek nor take instructions from anybody. They shall have the necessary resources in order to ensure the effective supervision of the system in accordance with Article 14.
2022/06/13
Committee: IMCOLIBE
Amendment 2056 #

2021/0106(COD)

Proposal for a regulation
Article 29 – paragraph 4 – introductory part
4. Users shall monitor the operation of the high-risk AI system on the basis of the instructions of use. When they have reasons to consider that the use in accordance with the instructions of use may result in the AI system presenting a risk within the meaning of Article 65(1) they shall immediately inform the provider or distributor and suspend the use of the system. They shall also immediately inform the provider or distributor when they have identified any serious incident or any malfunctioning, including near misses, within the meaning of Article 62 and interrupt the use of the AI system. In case the user is not able to reach the provider, Article 62 shall apply mutatis mutandis.
2022/06/13
Committee: IMCOLIBE
Amendment 2072 #

2021/0106(COD)

Proposal for a regulation
Article 29 – paragraph 6 a (new)
6 a. Users of high-risk AI systems referred to in Annex III that make decisions or assist in making decisions related to an affected person, shall inform them that they are subject to the use of the high-risk AI system. This information shall include the type of the AI system used, its intended purpose and the type of decisions it makes.
2022/06/13
Committee: IMCOLIBE
Amendment 2078 #

2021/0106(COD)

Proposal for a regulation
Article 29 a (new)
Article 29 a Fundamental rights impact assessment for a high-risk AI system 1. Prior to putting a high-risk AI system into use, as defined in Article 6(2), the user shall conduct an assessment of the system’s impact in the context of use. This assessment shall consist of, but not limited to, the following elements: (a) a clear outline of the intended purpose for which the system will be used; (b) a clear outline of the intended geographic and temporal scope of the system’s use; (c) verification that the use of the system is compliant with Union and national law; (d) categories of natural persons and groups likely to be affected by the use of the system; (e) the foreseeable direct and indirect impact on fundamental rights of putting the high-risk AI system into use; (f) any specific risk of harm likely to impact marginalised persons or vulnerable groups; (g) the foreseeable impact of the use of the system on the environment, including, but not limited to, energy consumption; (h) any other negative impact on the protection of the values enshrined in Article 2 TEU; (i) in the case of public authorities, any other impact on democracy, rule of law and allocation of public funds; and (j) detailed plan on how the risk of harm or the negative direct and indirect impact on fundamental rights identified will be mitigated. 2. If a detailed plan to mitigate the risks outlined in the course of the assessment in paragraph 1 cannot be identified, the user shall refrain from putting the high-risk AI system into use and inform the provider, the national supervisory authority and market surveillance authority without undue delay. Market surveillance authorities or, where relevant, national supervisory authorities, pursuant to their capacity under Articles 65, 67 and 67a, shall take this information into account when investigating systems which present a risk at national level. 3. The obligations as per paragraph 1 apply for each new deployment of the high-risk AI system. 4. In the course of the impact assessment, the user shall notify the national supervisory authority, the market surveillance authority and the relevant stakeholders. and involve representatives of the foreseeable persons or groups of persons affected by the high-risk AI system, as identified in paragraph 1, including but not limited to: equality bodies, consumer protection agencies, social partners and data protection agencies, with a view to receiving input into the impact assessment. The user must allow a period of six weeks for bodies to respond. 5. The user shall publish the results of the impact assessment as part of the registration of use pursuant to their obligation under Article 51(2). 6. Where the user is already required to carry out a data protection impact assessment pursuant to Article 29(6), the impact assessment outlined in paragraph 1 shall be conducted in conjunction to the data protection impact assessment.
2022/06/13
Committee: IMCOLIBE
Amendment 3067 #

2021/0106(COD)

Proposal for a regulation
Annex III – paragraph 1 – point 1 – point a a (new)
(a a) AI systems that are or may be used for the detection of a person’s presence, in workplaces, in educational settings, and in border surveillance, including in the virtual / online version of these spaces, on the basis of their biometric or biometrics-based data;
2022/06/13
Committee: IMCOLIBE
Amendment 3075 #

2021/0106(COD)

Proposal for a regulation
Annex III – paragraph 1 – point 1 – point a b (new)
(a b) AI systems that are or may be used for monitoring compliance with health and safety measures or inferring alertness /attentiveness for safety purposes, on the basis of biometric or biometrics-based data;
2022/06/13
Committee: IMCOLIBE
Amendment 3080 #

2021/0106(COD)

Proposal for a regulation
Annex III – paragraph 1 – point 1 – point a c (new)
(a c) AI systems that are or may be used to diagnose or support diagnosis of medical conditions or medical emergencies on the basis of biometric or biometrics-based data;
2022/06/13
Committee: IMCOLIBE
Amendment 3149 #

2021/0106(COD)

Proposal for a regulation
Annex III – paragraph 1 – point 6 – point a
(a) AI systems intended to be used by law enforcement authorities for making individual risk assessments of natural persons in order to assess the risk of a natural person for offending or reoffending or the risk for potential victims of criminal offences;deleted
2022/06/13
Committee: IMCOLIBE
Amendment 3160 #

2021/0106(COD)

Proposal for a regulation
Annex III – paragraph 1 – point 6 – point b
(b) AI systems intended to be used by law enforcement authorities as polygraphs and similar tools or to detect the emotional state of a natural person;deleted
2022/06/13
Committee: IMCOLIBE
Amendment 3178 #

2021/0106(COD)

Proposal for a regulation
Annex III – paragraph 1 – point 6 – point e
(e) AI systems intended to be used by law enforcement authorities for predicting the occurrence or reoccurrence of an actual or potential criminal offence based on profiling of natural persons as referred to in Article 3(4) of Directive (EU) 2016/680 or assessing personality traits and characteristics or past criminal behaviour of natural persons or groups;deleted
2022/06/13
Committee: IMCOLIBE
Amendment 3194 #

2021/0106(COD)

Proposal for a regulation
Annex III – paragraph 1 – point 7 – point a
(a) AI systems intended to be used by competent public authorities as polygraphs and similar tools or to detect the emotional state of a natural person;deleted
2022/06/13
Committee: IMCOLIBE
Amendment 3197 #

2021/0106(COD)

Proposal for a regulation
Annex III – paragraph 1 – point 7 – point b
(b) AI systems intended to be used by competent public authorities to assess a risk, including a security risk, a risk of irregular immigration, or a health risk, posed by a natural person who intends to enter or has entered into the territory of a Member State;deleted
2022/06/13
Committee: IMCOLIBE
Amendment 3244 #

2021/0106(COD)

Proposal for a regulation
Annex IV – paragraph 1 – point 1 – point a
(a) its intended purpose or reasonably foreseeable use, the person/s developing the system, the date and the version of the system;
2022/06/13
Committee: IMCOLIBE
Amendment 3251 #

2021/0106(COD)

Proposal for a regulation
Annex IV – paragraph 1 – point 1 – point b
(b) how the AI system interacts or can be used to interact with hardware or software, including other AI systems, that isare not part of the AI system itself, where applicable;
2022/06/13
Committee: IMCOLIBE
Amendment 6 #

2020/2216(INI)

Draft opinion
Paragraph 1 a (new)
1 a. Recommends that Europe must analyse the challenges for consumers created by AI and make the EU’s consumer rights standards fit for the 21st century. Therefore it must establish an AI European Certificate of Compliance with Ethical Principles to ensure European citizens trust on AI; This Certificate should be granted by an independent, public certification organisation after a thorough assessment of compliance with the Ethical Requirements put forward by the High Level Expert Group on AI. The certification criteria and requirements for assessing the compliance will be drawn by this body in cooperation with the Commission and the Member States. Suggests that certification and auditing mechanisms at both the national and EU levels for automated data processing and decision-making techniques should be developed to ensure their compliance with ethical principles and values. Monitoring of compliance should be proportionate to the nature and degree of risk associated with the operation of the artificial intelligence application or system;
2020/12/21
Committee: ITRE
Amendment 38 #

2020/2216(INI)

Draft opinion
Paragraph 3
3. Emphasises that the COVID crisis provides an opportunity to speed up digitalisation; calls for financial incentives for SMEs that want to enter new markets; calls for new and open frameworks of access to data for European SMEs and start-ups in order to support their growth by empowering the training, testing and development of AI-enabled systems and applications. Calls for an inclusive digitisation of our societies that will serve the interests of the citizens by taking into account accessibility and affordability considerations. Calls for coordinated actions to address Europe’s digital divide that has been worsened due to the COVID and for a fair and cooperative digital modernisation of the public sector that would aim at a value-based digital transformation by promoting fundamental rights and democratic values.
2020/12/21
Committee: ITRE
Amendment 64 #

2020/2216(INI)

Draft opinion
Paragraph 5
5. Calls on the Commission to stop funding big companies and distributing the remaining funds by a shotgun approach; calls for winners to be picked and grown larger; suggests prioritising future areas for digital economic structureshighlights that large technology companies and platforms with strategic market status in the DSM may leverage their positions not only in terms of the market but also in terms of access to and control of data, resulting in possible concentration of AI innovation and future imbalances in the DSM; calls for winners to be picked and grown larger; suggests prioritising future areas for digital economic structures; Highlights the need to support SMEs to master the twin transition to sustainability and digitalisation by safeguarding that they have access to the right skills, expertise and funding. Highlights the need for this support to acquire abroad geographical coverage across Europe, including remote, rural and island areas and aim at strengthening the digital capabilities and infrastructure in smaller places at the periphery of Europe;
2020/12/21
Committee: ITRE
Amendment 67 #

2020/2216(INI)

Draft opinion
Paragraph 5 a (new)
5 a. Warns against the use of predictive technologies or perception manipulation techniques for market purposes from Big tech companies and pledges to safeguard that sensitive personal data, transactions data and metadata will not be used for profit by big corporations without citizens awareness and clear consent. Calls for these techniques to be classified in the highest category of the risk level scale proposed by the Commission given their specific and extremely sensitive nature as well as their potential misuses Calls the European Data Protection Board to issue Guidelines on this issue and highlights the need to safeguard algorithmic transparency of AI technologies and applications. Stresses the need for the establishment of a thorough system of traceability of AI systems that will be under human oversight, understandable by the consumers and which meets data subjects’ reasonable expectations;
2020/12/21
Committee: ITRE
Amendment 88 #

2020/2216(INI)

Draft opinion
Paragraph 8 a (new)
8 a. Suggests that the EU must ensure minimum standards of fair working conditions for platform workers in line with the European Pillar of social rights as a requirement to allow access of platforms to the EU Digital single market. Suggests that the EU should introduce rules that control the growing digitisation of workplace monitoring and also to introduce mechanisms and methodologies that assess the relevant risks that have been augmented due to the increasing blurring between office and home environments. Calls for the EU to establish collective bargaining agreements and umbrella protection mechanisms for all platform workers;
2020/12/21
Committee: ITRE
Amendment 99 #

2020/2216(INI)

Draft opinion
Paragraph 9
9. Recognises that AI deployment is key to European competitiveness in the digital era; highlights that to facilitate the uptake of AI in Europe, a common European approach is needed to avoid internal market fragmentation, ensure the safety of data of Europeans and guarantee that they will not be processed by non-EU bodies for profit-making and/or political purposes or used to train algorithms shared with authoritarian regimes;
2020/12/21
Committee: ITRE
Amendment 115 #

2020/2216(INI)

Draft opinion
Paragraph 10
10. Considers that access to big data is key for the development of AI; calls for a new approach to data regulationreiterates the need for a new approach to data ownership by data subjects in the context of AI-enabled systems to ensure privacy and control of aggregated data or metadata built on data points containing information including, but not limited to, time, location, transactions; calls for a new approach to data regulation; stresses that privacy and data protection must be guaranteed at all stages of the AI system’s life cycle and notes that any big data processing operation should be subject to an ex-ante and extensive Data Protection Impact Assessment;
2020/12/21
Committee: ITRE
Amendment 118 #

2020/2216(INI)

Draft opinion
Paragraph 10 a (new)
10 a. Suggests that public and private sector actors should develop and document internal processes to ensure that their design, development and ongoing deployment of algorithmic systems is transparent, explainable, auditable and continuously evaluated and tested, not only to detect possible technical errors but also identify possible legal, social and ethical impacts that the systems may generate;
2020/12/21
Committee: ITRE
Amendment 122 #

2020/2216(INI)

Draft opinion
Paragraph 10 b (new)
10 b. Demands that any artificial intelligence, robotics and related technologies system, shall be developed, deployed or used with "privacy by default" and in a manner that prevents the possible identification of individuals from data that were previously processed based on anonymity or pseudonymity, and the generation of new, inferred, potentially sensitive data and forms of categorisation through automated means (metadata). Calls the Commission to develop robust anonymisation and pseudonymisation techniques and identify best practices that will meet the processing requirements of the GDPR;
2020/12/21
Committee: ITRE
Amendment 126 #

2020/2216(INI)

Draft opinion
Paragraph 10 c (new)
10 c. Strongly emphasises the need to protect consumers from microtargeting practises and suggests that it should be flagged and coupled with their right to request a report on the use of behavioural analytics that were used to achieve consumers targeting. Is of the opinion that targeted advertisement practises should be explainable and offer to consumers options of choosing the desired personalization level/percentage of microtargeting. (ex. on a scale 0-100%). Strongly considers that the use of these practices should be subject to specific safeguards such as the informed and explicit consent of their owner, who should have the right to access effective remedies in case of misuse;
2020/12/21
Committee: ITRE
Amendment 129 #

2020/2216(INI)

Draft opinion
Paragraph 11
11. Warns against overregulating AI and discourages any "one-size-fits-all" approach to regulation; recalls that regulation must be balanced, agile, permanently evaluroportionated , and based on soft regulation except for high-risk areasthe current legislative instruments and best practices except for high-risk areas where a new regulatory approach should be devised;
2020/12/21
Committee: ITRE
Amendment 135 #

2020/2216(INI)

Draft opinion
Paragraph 11 a (new)
11 a. Recommends that determining the risk level and the classification of sectors as high or low-risk, should always derive from an impartial, regulated, inclusive, independent and external assessment that considers ethical harms that can arise from artificial intelligence, robotics and related technologies in society, either because of poor (unethical) design, inappropriate application, or misuse; Such an assessment needs to balance attention to abstract principles with specificity; Recommends that determining the risk level and the classification of sectors as high or low-risk, should always derive from an impartial, regulated, inclusive, independent and external assessment that considers ethical harms that can arise from artificial intelligence, robotics and related technologies in society, either because of poor (unethical) design, inappropriate application, or misuse; Such an assessment needs to balance attention to abstract principles with specificity; Strongly recommends that a broad and inclusive debate and stakeholder consultation will contribute to creating trust among citizens regarding the assessment and classification of risks;
2020/12/21
Committee: ITRE
Amendment 141 #

2020/2216(INI)

Draft opinion
Paragraph 11 b (new)
11 b. Requests the Commission to determine the risk level of sectors by taking into account non-quantifiable risks and pay particular attention to the identification and characterisation of the hazard, the assessment of the likelihood of its occurrence and the characterisation of risk. Asks the Commission to pay particular attention to carefully evaluate all the uncertainties and transparently report on them, even when these cannot be modelled or expressed in quantitative terms. Requests the Commission to apply the Ethical Requirements put forward by the High Level Expert Group at the risk management level and consider the need for introducing a precautionary approach towards high level or potentially irreversible risks;
2020/12/21
Committee: ITRE
Amendment 151 #

2020/2216(INI)

Draft opinion
Paragraph 12 a (new)
12 a. Calls on the Commission and the Member States to consider the creation of a European regulatory agency for AI and algorithmic decision-making tasked with 1) Auditing the AIAs of high-level impact systems to approve or reject the proposed uses of algorithmic decision-making in highly sensitive and/or safety-critical application domains (private health-care, for instance) 2) Investigating suspected cases of rights violations by algorithmic decision-making systems, for both individual decision instances (singular aberrant outcomes, for example) and statistical decision patterns (discriminatory bias, for instance) 3) Assessing compliance with the proposed Ethics Requirements and conduct periodical ethics reviews and audits;
2020/12/21
Committee: ITRE
Amendment 15 #

2020/2215(INI)

Motion for a resolution
Citation 5
— having regard to the 2030 Agenda for Sustainable Development, which was adopted on 25 September 2015 and entered into force on 1 January 2016, and in particular to Sustainable Development Goals (SDGs) 3, 5 and 16, and the related indicators,
2020/12/14
Committee: FEMM
Amendment 21 #

2020/2215(INI)

Motion for a resolution
Citation 7
— having regard to CEDAWto the Convention on the Elimination of All Forms od Discrimination Against Women (CEDAW) and its General Recommendations No. 21 (1994), No. 24 (1999), No. 28 (2010), No. 33 (2015) and No. 35 (2017),
2020/12/14
Committee: FEMM
Amendment 41 #

2020/2215(INI)

Motion for a resolution
Citation 16 a (new)
- having regard to the report of the Council of Europe’s Committee on Equality and Non-Discrimination of 18 October 2017 on promoting the human rights of and eliminating discrimination against intersex people,
2020/12/14
Committee: FEMM
Amendment 43 #

2020/2215(INI)

Motion for a resolution
Citation 16 b (new)
- having regard to the report of the Council of Europe’s Committee on Equality and Non-Discrimination of 22 April 2015 on discrimination against transgender people in Europe,
2020/12/14
Committee: FEMM
Amendment 77 #

2020/2215(INI)

Motion for a resolution
Citation 38 a (new)
- having regard to the decision of the CEDAW Committee in the case S.F.M. v. Spain of 28 February 2020, UN. Doc. CEDAW/C/76/D/188/2018,
2020/12/14
Committee: FEMM
Amendment 78 #
2020/12/14
Committee: FEMM
Amendment 79 #
2020/12/14
Committee: FEMM
Amendment 80 #
2020/12/14
Committee: FEMM
Amendment 81 #

2020/2215(INI)

Motion for a resolution
Citation 38 e (new)
- having regard to European Parliament Study The gendered impact of the COVID-19 crisis and post-crisis,
2020/12/14
Committee: FEMM
Amendment 82 #

2020/2215(INI)

Motion for a resolution
Citation 38 f (new)
- having regard to the report of the European Institute for Gender Equality of 22 November 2019 on Beijing +25 – The 5th Review of the Implementation of the Beijing Platform for Action in the EU Member States,
2020/12/14
Committee: FEMM
Amendment 83 #

2020/2215(INI)

Motion for a resolution
Citation 38 g (new)
- having regard to the Commission communication of 5 March 2020 entitled ‘A Union of Equality: Gender Equality Strategy 2020-2025’ (COM(2020)0152),
2020/12/14
Committee: FEMM
Amendment 84 #

2020/2215(INI)

Motion for a resolution
Citation 38 h (new)
- having regard to the report by UN Women entitled ‘The Impact of COVID- 19 on Women’, published on 9 April 2020,
2020/12/14
Committee: FEMM
Amendment 85 #

2020/2215(INI)

Motion for a resolution
Citation 38 i (new)
- having regard to the report by UN entitled “COVID-19 and Human Rights: We are all in this together”, published in April 2020,
2020/12/14
Committee: FEMM
Amendment 86 #

2020/2215(INI)

Motion for a resolution
Citation 38 j (new)
- having regard to the UN Population Fund (UNFPA) report entitled ‘Impact of the COVID-19 Pandemic on Family Planning and Ending Gender- based Violence, Female Genital Mutilation and Child Marriage’, published on 27 April 2020,
2020/12/14
Committee: FEMM
Amendment 87 #

2020/2215(INI)

Motion for a resolution
Citation 38 k (new)
- having regard to the statement by UNFPA entitled ‘Millions more cases of violence, child marriage, female genital mutilation, unintended pregnancy expected due to the COVID 19 pandemic’, published on 28 April 2020,
2020/12/14
Committee: FEMM
Amendment 88 #

2020/2215(INI)

Motion for a resolution
Citation 38 l (new)
- having regard to the European Women’s Lobby policy brief entitled ‘Women must not pay the price for COVID-19!’,
2020/12/14
Committee: FEMM
Amendment 89 #

2020/2215(INI)

Motion for a resolution
Citation 38 m (new)
- having regard to the study by Professor Sabine Oertelt-Prigione entitled ‘The impact of sex and gender in the COVID-19 pandemic’, published on 27 May 2020,
2020/12/14
Committee: FEMM
Amendment 90 #

2020/2215(INI)

Motion for a resolution
Citation 38 n (new)
- having regard WHO`s Safe abortion: technical and policy guidance for health systems,
2020/12/14
Committee: FEMM
Amendment 91 #
2020/12/14
Committee: FEMM
Amendment 92 #

2020/2215(INI)

Motion for a resolution
Citation 38 p (new)
- having regard to the European Parliament resolution of 13 November 2020 on the impact of COVID-19 measures on democracy, the rule of law and fundamental rights,
2020/12/14
Committee: FEMM
Amendment 93 #

2020/2215(INI)

Motion for a resolution
Citation 38 q (new)
- having regard to the European Parliamentary Forum for Sexual and Reproductive Health and Rights and International Planned Parenthood Federation European Network research andreport entitled “Sexual and Reproductive Health and Rights during the COVID-19 pandemic”, published on 22nd April 2020,
2020/12/14
Committee: FEMM
Amendment 96 #

2020/2215(INI)

Motion for a resolution
Recital A
A. whereas sexual and reproductive health (SRH) is a state of physical, emotional, mental and social well-being in relation to all aspects of sexuality and reproduction, not merely the absence of dysfunction, infirmity or mortality, and whereas all individuals have a right to make decisions governing their bodies8 , free from discrimination, coercion and violence, and to access SRH services that support that right and give a positive approach to sexuality and reproduction, as sexuality is an integral part of human existence; _________________ 8 Guttmacher-Lancet Commission, Executive Summary on sexual and reproductive health and rights, The Lancet, London, 2018, https://www.guttmacher.org/guttmacher- lancet-commission/accelerate-progress- executive-summary
2020/12/14
Committee: FEMM
Amendment 113 #

2020/2215(INI)

Motion for a resolution
Recital B
B. whereas sexual and reproductive health and rights (SRHR) are based on the rights of all individuals to have their bodily integrity, privacy and personal autonomy respected; definhave their sexual orientation and gender identity fully respected; decide whether, with whom and when to be sexually active; have safe sexual experiences, decide whether, when and who to marry and when, whether and by what means to have a child or children; have access to the information and support necessary to achieve all of the above9 ; _________________ 9 Guttmacher-Lancet Commission, Executive Summary on sexual and reproductive health and rights, The Lancet, London, 2018, https://www.guttmacher.org/guttmacher- lancet-commission/accelerate-progress- executive-summary and how many children; have access over their lifetime to the information, resources, services and support necessary to achieve all of the above free from discrimination, coercion, exploitation and violence;
2020/12/14
Committee: FEMM
Amendment 116 #

2020/2215(INI)

Motion for a resolution
Recital B
B. whereas sexual and reproductive health and rights (SRHR) are based on the rights of all individuals to have their bodily integrity and personal autonomy respected; definhave their sexual orientation and gender identity fully respected; decide whether, with whom and when to be sexually active; decide whether, when and who to marry and when, whether and by what means to have a child or children; have access to the information and support necessary to achieve all of the above9 ; _________________ 9 Guttmacher-Lancet Commission, Executive Summary on sexual and reproductive health and rights, The Lancet, London, 2018, https://www.guttmacher.org/guttmacher- lancet-commission/accelerate-progress- executive-summary
2020/12/14
Committee: FEMM
Amendment 124 #

2020/2215(INI)

Motion for a resolution
Recital C
C. whereas sexual and reproductive rights (SRR) are recognisprotected as human rights in international and European human rights law10 ; _________________ 10Council of Europe Commissioner for Human Rights, Women’s sexual and reproductive health and rights in Europe, Council of Europe, Strasbourg, 2017, https://www.coe.int/en/web/commissioner/ women-s-sexual-and-reproductive-rights- in-europe. such as the International Covenant on Civil and Political Rights and the International Covenant on Economic, Social and Cultural Rights, the Convention on the Elimination of Discrimination Against Women and the European Convention on Human Rights,and constitute an essential element of comprehensive healthcare provision; whereas the realisation of SRHR is an essential element of human dignity and intrinsically linked to the achievement of gender equality and combatting gender-based violence;
2020/12/14
Committee: FEMM
Amendment 127 #

2020/2215(INI)

Motion for a resolution
Recital C a (new)
C a. whereas gender-based violence is widespread and has been exacerbated by the Covid-19 pandemic; whereas an estimated 25 percent of women experience some form of gender based violence in their lifetimes and countless women experience sexual assault and harassment in the context of intimate partnerships and public life due to entrenched gender stereotypes and the resulting social norms;
2020/12/14
Committee: FEMM
Amendment 136 #

2020/2215(INI)

Motion for a resolution
Recital D
D. whereas violations of SRHR constitute breaches of human rights, specifically the right to life, physical and mental integrity, equality, non- discrimination, health and education, education, dignity, privacy and freedom from inhumane and degrading treatment; whereas violations of women’s SRHR are a form of violence against women and girls; and hinder progress towards gender equality;
2020/12/14
Committee: FEMM
Amendment 146 #

2020/2215(INI)

Motion for a resolution
Recital E
E. whereas although the EU has some of the highest SHRHR standards in the world, there are still challenges, a lack of access, gaps and inequalities and some Member States have implemented policies and programmes that uphold SRR, there are still challenges, a lack of access and affordability, gaps, disparities and inequalities in the realisation of SRHR, both across the EU and within Member States, based on age, sex, gender, race, ethnicity, class, religious affiliation or belief, marital status, socio-economic status, disability, HIV (or sexually transmitted infections, STIs) status, national or social origin, legal or migration status, language, sexual orientation or gender identity;
2020/12/14
Committee: FEMM
Amendment 150 #

2020/2215(INI)

Motion for a resolution
Recital F
F. whereas SRHR challenges and obstacles include: a lack of access, denial of medical care based on personal beliefsuniversal access to high-quality and affordable SRHR services, a lack of comprehensive and evidence-based sexuality education, denial of access to information and education, a lack of available modern contraception methods, denial of medical care based on personal beliefs, legal restrictions and practical barriers in accessing abortion services, denial of abortion care, forced abortion, gender- based violence, gynaecological and obstetric violence, a lack of comprehensive sexuality education, denial of access to information/education, a lack of available contraception methods, limited access to medically assisted reproduction treatments, forced sterilisation, high rates of STIs and HIV, disparities in maternal mortalityforced sterilisation, intimidation, cruel and degrading treatment, disparities in maternal mortality rates, gaps in maternal mental health support, increasing caesarean section rates, a lack of access to treatment for cervical cancer, which causes the largely preventable deaths of over 25.000 European women per year, limited access to medically assisted reproduction and fertility treatments, high rates of STIs and HIV, especially in certain marginalised groups and/or regions, high adolescent pregnancy rates, harmful gender stereotypes and practices such as female genital mutilation, early, forced and child marriages and honour killings, outdated or ideologically driven legal provisions limiting SRHR;
2020/12/14
Committee: FEMM
Amendment 151 #

2020/2215(INI)

Motion for a resolution
Recital F
F. whereas SRHR challenges and obstacles include: a lack of access, denial of medical care based on personal beliefs, gender-based violence, gynaecological and obstetric violence, a lack of comprehensive sexuality education, denial of access to information/education, a lack of available contraception methods, limited access to medically assisted reproduction treatments, forced sterilisation, including in the context of legal gender recognition, high rates of STIs and HIV, disparities in maternal mortality, high adolescent pregnancy rates, harmful gender stereotypes and practices such as female and intersex genital mutilation, early, forced and child marriages and honour killings; , honour killings and so-called “conversion therapy” practices, which can take the form of sexual violence such as “corrective rape” on lesbian and bisexual women and girls, as well as transgender persons; whereas the enjoyment of SRHR for LGBTI persons may be severely hindered due to the omission in sexual education curricula of the diversity of sexual orientation, gender identity, expression and sex characteristics;
2020/12/14
Committee: FEMM
Amendment 161 #

2020/2215(INI)

Motion for a resolution
Recital F a (new)
F a. whereas the World Health Organisation defines infertility as “a disease of the reproductive system defined by the failure to achieve a clinical pregnancy after 12 months or more of regular unprotected sexual intercourse”; whereas this definition fails to encompass the reality of lesbian and bisexual women as well as transgender persons in same- sex couples or single women interested in fertility options, worsening the socio-legal challenges in access to Assisted Reproductive Technologies (ART) they already face as a result of the focus on countering infertility; whereas lesbian and bisexual women may be unable to prove their “infertility” and therefore be denied access to ART;1a _________________ 1a https://www.who.int/reproductivehealth/to pics/infertility/definitions/en/
2020/12/14
Committee: FEMM
Amendment 164 #

2020/2215(INI)

Motion for a resolution
Recital F b (new)
F b. whereas in certain circumstances transgender men and non-binary persons may also undergo pregnancy and should, in such cases, benefit from measures for pregnancy and birth-related care without discrimination on the basis of their gender identity;
2020/12/14
Committee: FEMM
Amendment 166 #

2020/2215(INI)

Motion for a resolution
Recital G
G. whereas the unavailability of scientifically accurate informand evidence-based information and education violates the rights of individuals to make informed choices about their own SRHR; and undermines healthy approaches to sexuality, family planning and gender equality;
2020/12/14
Committee: FEMM
Amendment 173 #

2020/2215(INI)

H. whereas the essential package of SRH measuresSRH services are essential healthcare services that should be available to all and they includes: comprehensive sexuality education; information, confidential and unbiased counselling and services for sexual and reproductive health and well-being; counselling and access to a wide range of modern contraceptives; antenatal, childbirth and postnatal care; midwifery; obstetric and newborn care; safe and legal abortion services and care and post- abortion care including treatment of complications of unsafe abortion; the prevention and treatment of HIV and other STIs; services aimed at detecting, preventing and treating sexual and gender- based violence; prevention, detection and treatment for reproductive cancers; and fertility services, especially cervical cancer; fertility care and fertility treatment;
2020/12/14
Committee: FEMM
Amendment 182 #

2020/2215(INI)

Motion for a resolution
Recital I
I. whereas comprehensive sexuality education facilitates informed reproresponsible sexual behaviour, including reduced risk-taking, and increased use of condoms and other forms of contraception ; whereas according to the UNESCO International technical guidance on sexuality education, curriculum-based programmes on comprehensive sexuality educative choices; on (CSE) enables children and young people to develop accurate knowledge, attitudes and skills, including respect for human rights, gender equality, consent and diversity that contribute to safe, healthy, and respectful relations; whereas such education empowers children and young people as it provides with evidence and age-appropriate information on sexuality, addressing sexual and reproductive health issues, including, but not limited to: sexual and reproductive anatomy and physiology; consent, puberty and menstruation; reproduction, modern contraception, pregnancy and childbirth; STIs, including HIV and AIDS; andharmful practices such as child early and forced marriage (CEFM) and femalegenital mutilation (FGM); whereas still most adolescents do not have access to CSE ; whereas age-appropriate CSE, in this regard, is key to building children’s and young peoples’ skills to form healthy, equal, nurturing and safe relationships, notably by addressing gender norms, gender equality, power dynamics in relationships, consent, respect for one own’s and others’ boundaries;
2020/12/14
Committee: FEMM
Amendment 187 #

2020/2215(INI)

Motion for a resolution
Recital I a (new)
I a. whereas SRH includes menstrual hygiene and sanitation as well as systemic and socio-economic factors of stigmatisation,discrimination linked to menstruation; whereas period poverty, which refers to the limited access to sanitary products, affects about 1 in 10 women in Europe, and is exacerbated by a gender-biased taxation on menstrual hygiene products in the EU; whereas shame, untreated menstrual pain and discriminatory traditions lead to school drop outs and lower attendance rates of girls at school and women at work; whereas existing negative attitudes and myths surrounding menstruation influence reproductive health decisions; whereas understanding the links between menstrual hygiene and maternal morbidity, mortality and infertility, STI/HIV and cervical cancer can support early detection and safe lives;
2020/12/14
Committee: FEMM
Amendment 189 #

2020/2215(INI)

Motion for a resolution
Recital I b (new)
I b. whereas modern contraception plays a key role in achieving gender equality and preventing unintended pregnancies as well as realising the right of individuals to make decisions about their family choices by proactively and responsibly planning the number, timing and spacing of their children; whereas certain methods of modern contraception also reduce incidence of HIV/STIs, whereas access to it is still hindered by practical, financial, social and cultural barriers, including myths surrounding contraception, outdated attitudes towards female sexuality and contraception, as well as a stereotypical perception of women being the only ones responsible for contraception;
2020/12/14
Committee: FEMM
Amendment 193 #

2020/2215(INI)

Motion for a resolution
Recital J
J. whereas some Member States still have highly restrictive laws prohibiting abortion except in strictly defined circumstances, forcing women to seek clandestine abortions, to travel to other countries or to carry their pregnancy to term against their will, which is a violation of human rights and a form of gender- based violence; affecting women’s and girls’ rights to life, physical and mental integrity, equality, non-discrimination, health, and freedom from inhuman and degrading treatment;
2020/12/14
Committee: FEMM
Amendment 201 #

2020/2215(INI)

Motion for a resolution
Recital K
K. whereas even when abortion is legally available, there are often barriers to accessing it; range of legal, quasi-legal and informal barriers to accessing it, including: limited time periods and grounds on which to access abortion, medically unwarranted waiting periods, lack of trained and willing healthcare professionals and denial of medical care based on personalbeliefs, biased and mandatory counselling, deliberate misinformation or third party authorization, medically unnecessary tests, distress requirements, costs and lack of reimbursement;
2020/12/14
Committee: FEMM
Amendment 208 #

2020/2215(INI)

Motion for a resolution
Recital L
L. whereas no woman should die in childbirth; and access to evidence-based, quality and affordable maternity care is a human right and must be ensured without any discrimination in all healthcare settings;
2020/12/14
Committee: FEMM
Amendment 212 #

2020/2215(INI)

Motion for a resolution
Recital L a (new)
L a. whereas infertility and subfertility are affecting one in six people in Europe, are a global public health issue and there is a need to reduce inequalities in access to fertility information and treatments, and prohibiting discrimination on the grounds of sex, gender, sexual orientation, health or marital status;
2020/12/14
Committee: FEMM
Amendment 218 #

2020/2215(INI)

Motion for a resolution
Recital M
M. whereas SRHR issues are often instrumentalised by opponents of reproductive rights who appeal to national interests in order to achieve demographic objectives, thus contributing to the erosion of democracy and personal freedomopponents of sexual and reproductive rights often instrumentalise issues such as the national interest or demographic change in order to undermine SRHR, thus contributing to the erosion of personal freedoms and democracy; whereas all policies addressing the demographic change must be rights-based, people-centered, tailor- made and evidence-based, and must uphold sexual and reproductive rights;
2020/12/14
Committee: FEMM
Amendment 221 #

2020/2215(INI)

Motion for a resolution
Recital M a (new)
M a. whereas the COVID-19 pandemic has shown that there is a need to strengthen the resilience of health systems to such crises, with a specific focus on ensuring that SRH services continue to be fully available, that Member States do not instrumentalize the crisis to deprioritize or purposefully undermine access to these services;
2020/12/14
Committee: FEMM
Amendment 228 #

2020/2215(INI)

Motion for a resolution
Recital N
N. whereas progress has been made in the areas of women’s rights and SRHR, but opponents of reproductive rights have nonetheless had an influence on national law and policyopponents of sexual and reproductive rights and women’s autonomy have had a significant influence on national law and policy with retrogressive initiatives taken in several Member States, seeking to undermine SRHR, as noted by the Parliament in its resolutions on experiencing backlash in women’s rights and gender equality in the EU and Abortion Rights in Poland, and by the European Institute for Gender Equality in its report of 22 November 2019 on Beijing +25 – The 5th Review of the Implementation of the Beijing Platform for Action in the EU Member States; whereas these initiatives and backsliding obstruct the realisation of people’s rights, countries’ development and undermines European values, fundamental rights;
2020/12/14
Committee: FEMM
Amendment 230 #

2020/2215(INI)

Motion for a resolution
Recital N a (new)
N a. whereas the current COVID-19 pandemic is affecting the population’s health as a whole, women are not only affected by the direct health threat but also adversely through the reallocation of resources and priorities, including SRH services and this reversion of resources may result in increased rates of unintended pregnancies, higher maternal mortality and morbidity rates, as well as a spike in sexually transmitted disease and HIV;
2020/12/14
Committee: FEMM
Amendment 239 #

2020/2215(INI)

Motion for a resolution
Recital N b (new)
N b. whereas numerous reports show that, during the COVID-19 pandemic and lockdown, SRHR services were limited and/or revoked, and there is a disruption in access to essential medical services such as contraception and abortion care, HIV and STI testingand reproductive cancer screenings, and respectful maternal healthcare;
2020/12/14
Committee: FEMM
Amendment 242 #

2020/2215(INI)

Motion for a resolution
Recital N c (new)
N c. whereas there is a persisting effort to instrumentalize the COVID-19 health crisis as a pretext to adopt further restrictive measures in SRHR and that has a broad and long-term negative effect on the exercise of the fundamental right to health, gender equality andfight against discrimination and gender-based violence and is putting the well-being, health and lives of women and girls at risk;
2020/12/14
Committee: FEMM
Amendment 254 #

2020/2215(INI)

Motion for a resolution
Paragraph 1
1. Calls upon the EU, its bodies and agencies to support and promote access to SRHR services and calls upon the Member States to ensure access to a full range of SRHR, and to remove all barriers impeding full accessIn accordance with the principle of subsidiarity and in line with national competences, calls upon the Member States to safeguard the right of all persons to make their own informed choices with regard to SRHR;
2020/12/14
Committee: FEMM
Amendment 267 #

2020/2215(INI)

Motion for a resolution
Paragraph 2
2. In accordance with the principle of subsidiarity and in line with national competences, calls upon the Member States to safeguard the right of all persons to make their own informed choices with regard to SRHRCalls upon the EU, its bodies and agencies to support and promote full access to SRHR services by creating a culture of equality, respect for personal autonomy, accessibility, respect, informed choice and consent, non-discrimination and non-violence andcalls upon the Member States to ensure access to a full range of SRHR, and to remove all legal, policy, financial and other barriers impeding full access to SRHR for all persons, without discrimination on any ground;
2020/12/14
Committee: FEMM
Amendment 272 #

2020/2215(INI)

Motion for a resolution
Paragraph 2 a (new)
2 a. Reaffirms that SRHR are key for gender equality, the elimination of gender-based violence, economic growth and development, child protection, elimination of human trafficking and poverty;
2020/12/14
Committee: FEMM
Amendment 274 #

2020/2215(INI)

Motion for a resolution
Paragraph 3
3. Calls upon the Member States to address the persisting challenges in accessing or exercising SRHR and ensure that no persin Europe and globally and to ensure that all persons have access to high-quality and affordable SRH services and that no one is left behind by being unable to exercise their right to health; Stresses that equal access to SRHR must be ensured for all persons, regardless of age, sex, gender, race, ethnicity, class, caste, religious affiliation and beliefs, marital status, socio- economic status, disability, HIV (or STI) status, national and social origin, legal and migration status, language, sexual orientation or gender identity;
2020/12/14
Committee: FEMM
Amendment 280 #

2020/2215(INI)

Motion for a resolution
Paragraph 4
4. Acknowledges the importance of public information on SRHR; Recalls that all policies relating to SRHR should be founded on reliable and objective evidence from organisations such as WHO, other UN agencies and the Council of Europe;
2020/12/14
Committee: FEMM
Amendment 287 #

2020/2215(INI)

Motion for a resolution
Paragraph 5
5. Reaffirms the Council of Europe’s Commissioner for Human Rights call on its member states11 to guarantee sufficient budgetary provision for SRHR and ensure the availability of adequate human resources across all levels of the health system, in both urban and rural areas; identify and address legal, policy and financial barriers that impede access to good quality SRH care and integrate SRHR services into existing public health insurance, subsidisation or reimbursement schemes in order to achieve Universal Health Coverage; _________________ 11Council of Europe Commissioner for Human Rights, Women’s sexual and reproductive health and rights in Europe, Council of Europe Commissioner for Human Rights, Council of Europe, 2017, https://www.coe.int/en/web/commissioner/ women-s-sexual-and-reproductive-rights- in-europe
2020/12/14
Committee: FEMM
Amendment 288 #

2020/2215(INI)

Motion for a resolution
Paragraph 5 a (new)
5 a. Stresses the negative effects of the so-called “tampon tax” on gender equality; Calls upon the Member States to eliminate the so-called “tampon tax” by applying a 0% VAT rate on menstrual hygiene products and ensuring that this tax cut is effectively benefitting the consumers;
2020/12/14
Committee: FEMM
Amendment 290 #

2020/2215(INI)

Motion for a resolution
Paragraph 5 a (new)
5 a. Recalls the views endorsed by the Committee of Ministers of the Council of Europe, which recommended trans- specific healthcare such as hormonal treatment and surgery to be accessible and reimbursed by public health insurance schemes;1a _________________ 1aCDDH Report on the implementation of Recommendation CM/Rec(2010)5 of the Committee of Ministers to Member States on measures to combat discrimination on grounds of sexual orientation or gender identity, ¶130, accessible at https://search.coe.int/cm/Pages/result_det ails.aspx?ObjectId=09000016809f9ba0
2020/12/14
Committee: FEMM
Amendment 292 #

2020/2215(INI)

Motion for a resolution
Paragraph 5 b (new)
5 b. Stresses that in the time of the COVID-19 induced health crisis, it is essential that universalaccess to SRHR is guaranteed, in line with international human rights standards;
2020/12/14
Committee: FEMM
Amendment 298 #

2020/2215(INI)

Motion for a resolution
Paragraph 6
6. Calls upon the Member States to establish effective strategies and monitoring programmes that guarantee enjoyment and universal access to a full range of SRHR serviceshigh-quality and affordable SRHR services; regardless of financial, practical and social barriers, and free of discrimination, with special consideration of marginalised groups of women (including but not limited to women from ethnic, racial and religious minorities, migrant women, Roma women, women from ruralareas, women with disabilities, women without health insurance, LGBTI persons, victims of sexual and gender- based violence etc.);
2020/12/14
Committee: FEMM
Amendment 306 #

2020/2215(INI)

Motion for a resolution
Paragraph 6 a (new)
6a. Urges the Member States to consider the health impact of COVID-19 through a gender-lens and ensure the continuing of provision of a full range of SRH services in all circumstances (e.g. lockdown), as well as direct additional efforts and resources to rebuild a health system which recognizes that SRHR are essential for the health and wellbeing of women and girls;
2020/12/14
Committee: FEMM
Amendment 311 #

2020/2215(INI)

Motion for a resolution
Paragraph 6 b (new)
6b. Urges the Member States to collect reliable, disaggregated and robust statistics on all SRHR services so as to ensure that all women are getting the same access to high-quality services and to detect and address possible differences in outcomes;
2020/12/14
Committee: FEMM
Amendment 312 #

2020/2215(INI)

Motion for a resolution
Paragraph 6 c (new)
6c. Urges the European Commission to make full use of its competence in Health Policy, and provide support to Member States in collecting systematic, comparable, disaggregated data and conduct regular studies to better measure gender inequalities in health and unmet needs in access to SRH services in the EU; in promoting health information and education; strengthening national health systems, and harmonising health policies to reduce health inequalities within and between Member States, and facilitating the exchange of best practices among Member States with regard to SRHR; calls on the European Commission to support the actions of Member States and SRHR civil society organisations, in order to achieve universal access to SRHR, and calls on Member States and the Commission to progress towards Universal Health Coverage, of which SRHR are an essential component, including through the EU4Health Programme and the European Social Fund Plus;
2020/12/14
Committee: FEMM
Amendment 314 #

2020/2215(INI)

Motion for a resolution
Paragraph 7
7. Recalls that all medical interventions related to SRHR must be undertaken with fully informed consent; Calls on the Member States to combat gynaecological and obstetrical violence by reinforcing procedures that guarantee respect for free and prior informed consent and protection from inhumane and degrading treatment in healthcare settings, including through training of medical professionals; calls on the European Commission to tackle this specific form of gender-based violence in its activities;
2020/12/14
Committee: FEMM
Amendment 319 #

2020/2215(INI)

Motion for a resolution
Paragraph 7 a (new)
7a. Reaffirms its call on Member States to adopt legislation ensuring that intersex persons are not subjected to non- vital medical or surgical treatment during infancy or childhood, and that their right to bodily integrity, autonomy, self- determination and informed consent is fully respected;
2020/12/14
Committee: FEMM
Amendment 322 #

2020/2215(INI)

Motion for a resolution
Paragraph 7 b (new)
7b. Recalls the decision of the European Court of Human Rights in A.P. Gaçon and Nicot v. France, where it recognised that a Member State’s requirement of sterilisation ahead of allowing legal gender recognition procedures amounted to a failure to secure the right to respect for the private life of the applicant; recalls the UN’s acknowledgement that forced sterilisation is a violation of the right to be free from torture and other cruel, inhuman, or degrading treatment or punishment;1a deplores that sterilisation remains a sine qua non condition for access to legal gender recognitions in some EU Member States; calls upon the Member States to abolish the sterilisation requirement and to protect transgender persons' right to self-determination;1b _________________ 1a https://www.ohchr.org/Documents/HRBo dies/HRCouncil/RegularSession/Session2 2/A.HRC.22.53_English.pdf 1bEuropean Court of Human Rights, Case of A.P., Garçon and Nicot v.France (application nos. 79885/12, 52471/13 and 52596/13).
2020/12/14
Committee: FEMM
Amendment 334 #

2020/2215(INI)

Motion for a resolution
Paragraph 8
8. Urges the Member States to ensure universal access to scientifically accurate, evidence-based, age-appropriate, non- judgemental and comprehensive sexuality education and information for all primary and secondary school children in line with WHO standard, as well as children out of school, in line with WHO standards for Sexuality Education and its Action Plan on Sexual and Reproductive Health; without discrimination on any ground; Urges the Member States to ensure comprehensive education about menstruation and its links to sexuality and fertility; Calls upon the Member States to establish well-developed, well- funded and free of charge youth-friendly services;
2020/12/14
Committee: FEMM
Amendment 341 #

2020/2215(INI)

Motion for a resolution
Paragraph 8 a (new)
8a. Recalls that the imparting of information should reflect the diversity of sexual orientations, gender identities, expressions and sex characteristics, so as to counter misinformation based on stereotypes or biases; calls on Member States to develop age-appropriate sexual education curricula inclusive of the former;
2020/12/14
Committee: FEMM
Amendment 346 #

2020/2215(INI)

Motion for a resolution
Paragraph 9
9. Calls upon the Member States to reject and combat the spread of discriminatory and unsafe misinformation on SRHR, as it endangers all persons, especially women, LGBTI persons and young people; Recalls that the imparting of information should reflect the diversity of sexual orientations, gender identities, expressions and sex characteristics, so as to counter misinformation based on stereotypes or biases; Calls on Member States to develop age-appropriate sexual education curricula inclusive of the former;
2020/12/14
Committee: FEMM
Amendment 358 #

2020/2215(INI)

Motion for a resolution
Paragraph 10
10. Calls upon the Member States to ensure access to contraceptive methods, thereby safeguarding the fundamental right to healthuniversal access to high-quality and affordable modern contraceptive methods, contraceptive supplies, family planning counselling and the provision of online information on contraception for all, thereby safeguarding the fundamental right to health; and to address all barriers impeding access to contraception such as financial and social barriers;
2020/12/14
Committee: FEMM
Amendment 367 #

2020/2215(INI)

Motion for a resolution
Paragraph 11
11. Calls upon the Member States to ensure that contraception is covered under national reimbursement schemes and healthcare policies andinsurance, and at least covered by reimbursement and subsidisation schemes and healthcare policies and ensure that these schemes are evidence- and research- based, taking into account efficiency and success rates in the long term; to recognise that this coverage should be extended to all people of reproductive age;
2020/12/14
Committee: FEMM
Amendment 370 #

2020/2215(INI)

Motion for a resolution
Paragraph 11 a (new)
11a. Recalls that Member States and public authorities have a responsibility to provide evidence-based, accurate information about contraception and establish awareness-raising programmes and strategies to tackle and dispel barriers, myths, stigma and misconceptions;
2020/12/14
Committee: FEMM
Amendment 399 #

2020/2215(INI)

Motion for a resolution
Paragraph 13
13. Urges the Member States to regulmove and combate obstacles to legal abortion and recalls that they have a responsibility to ensure that women have access to the rights affordconferred to them by law;
2020/12/14
Committee: FEMM
Amendment 407 #

2020/2215(INI)

Motion for a resolution
Paragraph 14 a (new)
14a. Underlines that all the rights afforded to women by law regarding abortion care must apply to all persons undergoing pregnancy, including transgender and non-binary persons, without discrimination on grounds of their gender identity or gender expression and in line with international human rights practices;
2020/12/14
Committee: FEMM
Amendment 412 #

2020/2215(INI)

Motion for a resolution
Paragraph 15
15. Calls upon the Member States to adopt measures to ensure that all women have access to affordable, evidence-based maternity careaccess without discrimination to high-quality, affordable, evidence-based and respectful maternity care for all; including midwifery, antenatal, childbirth and postnatal care, and maternal mental health support in accordance with current WHO standards and evidence; and consequently, reform laws, policies and practices that exclude certain groups of women from access to maternity care, including by removing legal and policy restrictions that apply on grounds of nationality, ethnicity or migration status;
2020/12/14
Committee: FEMM
Amendment 414 #

2020/2215(INI)

Motion for a resolution
Paragraph 15
15. Calls upon the Member States to adopt measures to ensure that all women and pregnant persons have access to affordable, evidence-based maternity, pregnancy and birth-related care;
2020/12/14
Committee: FEMM
Amendment 426 #

2020/2215(INI)

Motion for a resolution
Paragraph 16
16. Calls upon the Member States to strongly condemn and combat physical and verbal abuse, including gynaecological and obstetric violence, whichinformal payments and bribes in antenatal, childbirth and postnatal care, which violate women’s human rights and may constitute forms of gender- based violence;
2020/12/14
Committee: FEMM
Amendment 429 #

2020/2215(INI)

Motion for a resolution
Paragraph 16 – indent 1 (new)
- Provision of SRHR services during the COVID-19 pandemic and in all other crisis related circumstances
2020/12/14
Committee: FEMM
Amendment 431 #

2020/2215(INI)

Motion for a resolution
Paragraph 16 a (new)
16a. Calls upon the Member States to ensure that maternity, pregnancy and birth-related care must be equally accessible to all persons undergoing pregnancy without discrimination of any kind, notably on grounds of sexual orientation or gender identity;
2020/12/14
Committee: FEMM
Amendment 432 #

2020/2215(INI)

Motion for a resolution
Paragraph 16 a (new)
16a. Calls upon Member States to encourage and ensure that healthcare providers have training in women’s human rights and principles of free and informed consent and informed choice in antenatal, childbirth and postnatal care;
2020/12/14
Committee: FEMM
Amendment 437 #

2020/2215(INI)

Motion for a resolution
Paragraph 16 b (new)
16b. Calls upon Member States to ensure that all persons of reproductive age have access to fertility treatments regardless of their marital status or sexual orientation;
2020/12/14
Committee: FEMM
Amendment 440 #

2020/2215(INI)

Motion for a resolution
Paragraph 16 d (new)
16d. Insists that SRH services are essential services; Calls upon Member States to ensure that the COVID-19 pandemic does not affect the right of all individuals to SRHR services and to ensure they are secured through the public health systems, and combat all efforts directed on using the pandemic as an pretext to further restrict SRHR;
2020/12/14
Committee: FEMM
Amendment 442 #

2020/2215(INI)

Motion for a resolution
Paragraph 16 e (new)
16e. Recognizes the effects that the COVID-19 pandemic has on the supply and access to contraceptives and reiterates projections of UNFPA from April 2020 which states that some 47 million women in 114 low and middle-income countries are projected to be unable to use modern contraceptives if the lockdown or supply chain disruption continues for 6 months;
2020/12/14
Committee: FEMM
Amendment 443 #

2020/2215(INI)

Motion for a resolution
Paragraph 16 f (new)
16f. Urges the Member States to ensure full access to contraception during the COVID-19 pandemic and, through joint efforts, prevent the disruptions in production and supply chains which may lead to negative effects such as higher rates of sexually transmitted disease, unintended pregnancies and use of less effective short-term contraceptive methods; emphasises examples of good practice such as free contraceptives for all women below a certain age group and/or teleconsultations in accessing contraceptives;
2020/12/14
Committee: FEMM
Amendment 444 #

2020/2215(INI)

Motion for a resolution
Paragraph 16 g (new)
16g. Stresses that access to safe and legal abortion continues to be limited during the COVID-19 pandemic, with examples of efforts to fully ban it under the pretence of less priority service; Urges the Member States to additionally implement safe, free and adjusted access to abortion during the circumstances of the COVID-19 pandemic and beyond, such as the abortion pill, and to recognize abortion care as urgent and medically necessary, thus also rejecting all limitation in accessing it;
2020/12/14
Committee: FEMM
Amendment 446 #

2020/2215(INI)

Motion for a resolution
Paragraph 16 i (new)
16i. Urges the Member States to ensure adequate resources for quality maternity care and guarantee that policies relating to maternity healthcare during the COVID pandemic are based on evidence and facts, not fears, and respect women’s human rights;
2020/12/14
Committee: FEMM
Amendment 448 #

2020/2215(INI)

Motion for a resolution
Paragraph 16 k (new)
16k. Calls on the European Commission to address the impact of COVID-19 on access to SRHR in the EU in its COVID-19 response, including by supporting actions by Member States and SRHR civil society organisations to guarantee full access to SRHR services, including through the EU4Health Programme and the European Social Fund Plus;
2020/12/14
Committee: FEMM
Amendment 449 #

2020/2215(INI)

Motion for a resolution
Paragraph 16 l (new)
16l. Stresses that all above mentioned COVID-19 related notes and calls should apply for any other crisis related circumstances and calls upon Member States to ensure prioritization of SRHR services in all instances, without any discrimination;
2020/12/14
Committee: FEMM
Amendment 454 #

2020/2215(INI)

Motion for a resolution
Paragraph 17
17. Calls upon the Member States to exercise their competence in SRHR by striving to fully protect, respect and fulfil human rights, specifically the right to health, and implement a wide range of SRH services,in regards to SRHR, to guarantee a wide range of available, accessible, affordable, high-quality and non- discriminatory SRH services available for all without discrimination, to ensuringe that the principle of non- retrogression is respectedunder international human rights law is respected; condemns any attempt to limit access to SRHR through restrictive laws; strongly affirms that the denial of access to SRHR is a form of gender based violence;
2020/12/14
Committee: FEMM
Amendment 471 #

2020/2215(INI)

Motion for a resolution
Paragraph 18
18. Calls upon the Commissioner for Democracy and Demography to take an evidence and human-rights-based approach to tackling demographic challenges in the EU, ensuring that every EU resident can fully realise their SRHR, and to take special note and confront those who instrumentalise SRHR in order to undermine EU values and democracy;
2020/12/14
Committee: FEMM
Amendment 473 #

2020/2215(INI)

Motion for a resolution
Paragraph 19
19. Calls upon the Commissioner for Health and Food Safety to promote and protect SRHR and to include them in the next EU public health strategy; s a vital part of achieving the right to health, safety and gender equality, to monitor and promote the full implementation of SDG 3 including target 3.7 in the EU, using the UN global indicator framework; in partnership with Member States, to collect systematic, comparable, disaggregated data and conduct studies to better measure gender inequalities in health and unmet needs in access to SRH services in the EU with an intersectional perspective; to promote health information and education including on SRH; to support and harmonise national health systems and policies in order to reduce health inequalities within and between Member States; to include SRHR interventions in the EU4Health Programme, to support actions of Member States and SRHR civil society organisations in achieving full access to SRHR services through this Programme;
2020/12/14
Committee: FEMM
Amendment 479 #

2020/2215(INI)

Motion for a resolution
Paragraph 20
20. Calls upon the Commissioner for Equality to promote and protect SRHR and to include them in the next EU gender equality strategyimplementation of the EU Gender Equality strategy and the EU LGBTIQ Equality Strategy, to strongly condemn the backsliding in women’s rights and to develop concrete measures to counter it; to recognize the intrinsic links between realising SRHR and achieving gender equality and combating gender-based violence and to monitor and promote the full implementation of SDG 5 including target 5.6 in the EU; to successfully mainstream gender throughout all EU policies; to support the activities of SRHR civil society organisations;
2020/12/14
Committee: FEMM
Amendment 484 #

2020/2215(INI)

Motion for a resolution
Paragraph 20
20. Calls upon the Commissioner for Equality to promote and protect SRHR and to include them in the next EU gender equality simplementation of the EU gender equality strategy and the EU LGBTIQ Equality Strategy;
2020/12/14
Committee: FEMM
Amendment 490 #

2020/2215(INI)

Motion for a resolution
Paragraph 21
21. Calls upon the Commissioner for International Partnerships to uphold the European Consensus on Development and the SDGs, in particular targets 3.7,5.6 and 5.16, to ensure that SRHR remain a development priority in all EU external activities and relations, welcomes the strong language on SRHR in the new Gender Action Plan III, emphasises the need to prioritize the removal of all barriers in the access to SRHR services; calls upon the Commissioner for International Partnerships to strongly condemn the ‘global gag’ rule;
2020/12/14
Committee: FEMM
Amendment 493 #

2020/2215(INI)

Motion for a resolution
Paragraph 21 a (new)
21a. Calls upon the Commissioner for Promoting our European Way of Life to ensure that the new Special Envoy for Freedom of Religion and Belief be dedicated to a human-rights based approach, thus respecting sexual and reproductive health and rights and dedicated to jointly working on guaranteeing the right to health for all, in the EU and globally, without any discrimination;
2020/12/14
Committee: FEMM
Amendment 494 #

2020/2215(INI)

Motion for a resolution
Paragraph 21 b (new)
21b. Calls upon the Commissioner for Crisis Management to include a gender equality perspective in the EU and Member States ’humanitarian aid response, and a perspective on sexual and reproductive health and rights, as access to sexual and reproductive healthcare is a basic need for people in humanitarian settings;
2020/12/14
Committee: FEMM
Amendment 496 #

2020/2215(INI)

Motion for a resolution
Paragraph 22
22. Calls upon the Commission to strengthen its actions to counter the backlash against women’s rights; ongly condemn the backsliding in women’s rights and strengthen its actions to counter it; calls on the Commission and Member States to step up their support for women’s rights and SRHR organisations in the EU, which are key actors for gender-equal societies, and crucial providers of SRH services and information; and notably their financial support through the Citizens, Equality, Rights and Values Programme, the funding of which should be significantly increased as asked by the European Parliament;
2020/12/14
Committee: FEMM
Amendment 502 #

2020/2215(INI)

Motion for a resolution
Paragraph 22 b (new)
22b. Calls upon the Commission to implement gender budgeting throughout all the instruments of the MFF 2021- 2027, including the Citizens, Equality, Rights and Values, the European Social Fund + and the Neighbourhood, Development and International Cooperation Instrument;
2020/12/14
Committee: FEMM
Amendment 503 #

2020/2215(INI)

Motion for a resolution
Paragraph 22 c (new)
22c. Calls upon the Commission to take concrete steps in protecting SRHR, starting with the establishment of an EU Special Envoy on Sexual and Reproductive Health and Right and the addition of a designated chapter on the State of play of SRHR in the EU Annual Report on Human Rights and Democracy;
2020/12/14
Committee: FEMM
Amendment 1 #

2020/2173(DEC)

Draft opinion
Recital A
A. whereas, according to Article 8 TFEU, the Union is to aim to eliminate inequalities, and to promote equality, between men and women, thereby establishing the principle of gender mainstreaming;, which stipulates that gender equality must be incorporated into all EU policies, including via gender budgeting at all levels of the budgetary process
2021/02/10
Committee: FEMM
Amendment 7 #

2020/2173(DEC)

Draft opinion
Recital A a (new)
Aa. whereas the Commission and European Court of Auditors (ECA) should ensure the principle of gender mainstreaming throughout the Union’s budgetary and legislative processes;
2021/02/10
Committee: FEMM
Amendment 9 #

2020/2173(DEC)

Draft opinion
Recital B
B. whereas women are disproportionately affected by the COVID- 19 pandemic, particularly women working in precarious employment, feminised sectors and the informal economy; whereas gender-based violence has substantially increased as a result of the COVID-19 crisis and the measures designed to tackle the pandemic;
2021/02/10
Committee: FEMM
Amendment 13 #

2020/2173(DEC)

Draft opinion
Paragraph 1
1. Recalls that the European Institute for Gender Equality (EIGE) was established in order to contribute to and strengthen the promotion of gender equality in the Union, including gender mainstreaming in all Union policies and the resulting national policies, the fight against discrimination based on gender, and raising Union citizens’ awareness of gender equality;
2021/02/10
Committee: FEMM
Amendment 19 #

2020/2173(DEC)

Draft opinion
Paragraph 1 a (new)
1a. Recalls that the Institute’s task is to collect, analyse and disseminate information as regards gender equality and to develop, analyse, evaluate and disseminate methodological tools in order to support the integration of gender equality into all Union policies and the resulting national policies.
2021/02/10
Committee: FEMM
Amendment 20 #

2020/2173(DEC)

Draft opinion
Paragraph 2
2. Welcomes the ongoing cooperation between the EIGE and the Committee on Women’s Rights and Gender Equality (FEMM), in particular the Institute’s contribution to the ongoing efforts of the Committee concerning the impact of the Covid-19 pandemic on women, gender- based violence, work-life balance, the gender pay and pension gap, gender budgeting and the development of a gender-sensitive parliament tool, strongly supports the work of the Institute, which, by means of studies, research and high- quality data enables the Committee to properly do its work; notes the valuable contribution the EIGE can make to all the European Parliaments’ Committees in order to better integrate gender mainstreaming in all EU policies;
2021/02/10
Committee: FEMM
Amendment 26 #

2020/2173(DEC)

Draft opinion
Paragraph 2 a (new)
2a. Welcomes the Institute’s continuous work on the Gender Equality Index;
2021/02/10
Committee: FEMM
Amendment 27 #

2020/2173(DEC)

Draft opinion
Paragraph 4
4. Acknowledges a decrease in the EIGE’s carry-over operating expenditure to 28,01 % in 2019 (compared to 51,29 % in 2016); notes that for the first time the carry forward is below the ECA’s target threshold of 30%;
2021/02/10
Committee: FEMM
Amendment 30 #

2020/2173(DEC)

Draft opinion
Paragraph 5
5. Notes that the European Court of Auditors1CA confirmed that the EIGE’s annual accounts present fairly, in all material respects, its financial position as at 31 December 2019 and the results of its operations, its cash flows and the changes in net assets for the year then ended in accordance with the provisions of its Financial Regulation and the accounting rules adopted by the Commission's accounting officer; notes that, according to the Court, the revenue and payments underlying the EIGE’s annual accounts for the year ended 31 December 2019 are legal and regular in all material respects; _________________ 1 https://www.eca.europa.eu/Lists/ECADoc uments/EIGE_2019/EIGE_2019_EN.pdf
2021/02/10
Committee: FEMM
Amendment 31 #

2020/2173(DEC)

Draft opinion
Paragraph 5 a (new)
5a. Raises concerns over irregularities found by the ECA regarding the EIGE’s selection of external experts, i.e. that the procedures used for selecting and contracting the external experts systematically lacked a solid audit trail; recalls that the Institute must comply with the principles of non-discrimination and equal treatment set out in Article 237 of Financial Regulation; takes note of EIGE’s commitment to apply improved procedures in new calls for expression of interest;
2021/02/10
Committee: FEMM
Amendment 33 #

2020/2173(DEC)

Draft opinion
Paragraph 5 b (new)
5b. Notes that the Lithuanian Supreme Court asked the CJEU to assess whether the Directive 2008/104/EC on temporary agency work applies to EU Agencies in their capacity as public bodies engaged in economic activities and whether they must apply in full with the provisions of Article 5(1) of that Directive, which concern the rights of temporary agency workers to basic working and employment conditions, in particular as regards pay;
2021/02/10
Committee: FEMM
Amendment 36 #

2020/2173(DEC)

Draft opinion
Paragraph 5 c (new)
5c. Calls for additional funding to be allocated to EIGE to increase the number and the quality of statutory workers by replacing the temporary contracts with statutory contracts;
2021/02/10
Committee: FEMM
Amendment 9 #

2020/2140(DEC)

Draft opinion
Recital B
B. whereas this Parliament has repeatedly asked the Commission to promote and implement the use of gender mainstreaming, gender budgeting and gender impact assessments in all the Union policy areas and the European Court of Auditors (ECA) to incorporate a gender perspective, including gender- disaggregated data, into its reports on the implementation of the Union budget;
2021/02/01
Committee: FEMM
Amendment 11 #

2020/2140(DEC)

Draft opinion
Recital B a (new)
Ba. whereas equality and the rule of law are founding values of the Union and the European institutions shall aim to promote them according to Article 13 of the Treaty on European Union (TEU); whereas this responsibility should be also shared by Member States according to the principle of sincere cooperation enshrined in Article 4(3) TEU;
2021/02/01
Committee: FEMM
Amendment 14 #

2020/2140(DEC)

Draft opinion
Recital B b (new)
Bb. whereas women are disproportionately affected by the COVID-19 pandemic, particularly women working in precarious employment, feminised sectors and the informal economy;
2021/02/01
Committee: FEMM
Amendment 18 #

2020/2140(DEC)

Draft opinion
Paragraph 1
1. Stresses that women’s rights and a gender equality perspective should be integrated and ensured into all policy areas; reiterates therefore its call for the implementation of gender budgeting at all stages of the budgetary process; including the implementation of the budget and assessment of its implementation;
2021/02/01
Committee: FEMM
Amendment 30 #

2020/2140(DEC)

Draft opinion
Paragraph 3
3. Welcomes the fact that gender equality and mainstreaming has been introduced as one of the horizontal principles for Union funds in the new Multiannual Financial Framework (MFF) for 2021-2027, stipulating that gender equality and gender mainstreaming will now be prioritised in the MFF; through a thorough gender impact assessment and monitoring of the programmes;
2021/02/01
Committee: FEMM
Amendment 42 #

2020/2140(DEC)

Draft opinion
Paragraph 4 a (new)
4a. Expresses its concern at the interrelation between the attacks on the rule of law and the backlash on gender equality and women’s rights; calls for this issue to be addressed through the Article 7 procedure against Member States concerned;
2021/02/01
Committee: FEMM
Amendment 43 #

2020/2140(DEC)

Draft opinion
Paragraph 4 b (new)
4b. Strongly reiterates its demand to increase resources and for a budget line dedicated to preventing and combating gender-based violence under the Citizens, Equality, Rights and Values, especially following the escalation of violence against women during the COVID-19 crisis;
2021/02/01
Committee: FEMM
Amendment 44 #

2020/2140(DEC)

Draft opinion
Paragraph 4 c (new)
4c. Stresses a need to further increase resources in European Social Fund Plus (EFS+) to allow inclusion in the labour market and adapted training, as the COVID-19 crisis affected women’s employment disproportionally, in particular women working in the informal economy and in precarious working conditions, and in some heavily impacted and highly feminised sectors;
2021/02/01
Committee: FEMM
Amendment 367 #

2020/2121(INI)

Motion for a resolution
Paragraph 32
32. Highlights the additional needs of minority groups, such as Roma women, who face challenges in maintaining hygiene and adhering to confinement measures due to a lack of access to basic infrastructure, services and information; especially during confinement;
2020/09/16
Committee: FEMM
Amendment 384 #

2020/2121(INI)

Motion for a resolution
Paragraph 35
35. Emphasises that the global nature of the COVID-19 pandemic requires a global response; highlights the vulnerable position of women and girls in many parts of the world - especially in fragile and conflict affected states - in relation to COVID-19, such as access to healthcare, including SRHR, vulnerability to violence, including FGM and child marriage, employment status, access to education and extreme poverty and hunger; underlines the importance of supporting women’s rights defenders and women’s rights organisations and their participation at all levels of decision-making;
2020/09/16
Committee: FEMM
Amendment 389 #

2020/2121(INI)

Motion for a resolution
Paragraph 35 a (new)
35 a. Calls on the Commission and Member States to ensure that all financial support given to partner countries to cope with the crisis are properly allocated to support women and girls, such as to secure access to Sexual Reproductive Health and Rights (SRHR), avoid child labour, and avoid the lockdowns to lead to a loose of autonomy for women and girls worldwide;
2020/09/16
Committee: FEMM
Amendment 406 #

2020/2121(INI)

Motion for a resolution
Paragraph 37
37. Calls on the Commission and the Member States to fully assess the needs arising from the crisis and its socio- economic consequences, and to allocate adequate budgetary resources to tackling these needs; calls on the Commission and Member States to apply gender mainstreaming in all areas of the recovery strategy and to allocate extra budgetary resources through a Women Corona Fund to tackling the needs of women and girls, especially in the field of employment, violence and SRHR, as well as to the monitoring of this spending, following its commitments in the Gender Equality Strategy; emphasises that preparatory action is the best way to build resilience in all areas for future crises;
2020/09/16
Committee: FEMM
Amendment 6 #

2020/2035(INL)

Motion for a resolution
Citation 5 a (new)
— having regard to the Commission communication of 12 November 2020 entitled ‘LGBTIQ Equality Strategy (2020-2025)’,
2021/07/12
Committee: LIBEFEMM
Amendment 9 #

2020/2035(INL)

Motion for a resolution
Citation 6
— having regard to the Council of Europe Convention on preventing and combating violence against women and domestic violence (“the Istanbul Convention”),
2021/07/12
Committee: LIBEFEMM
Amendment 19 #

2020/2035(INL)

Motion for a resolution
Citation 7 a (new)
— having regard to its resolution of 11 March 2021 on the declaration of the EU as an LGBTIQ Freedom Zone,1a _________________ 1a Texts adopted, P9_TA(2021)0089
2021/07/12
Committee: LIBEFEMM
Amendment 41 #

2020/2035(INL)

Motion for a resolution
Citation 12 a (new)
— having regard to the Convention on the Elimination of all Forms of Discrimination against Women of 18 December 1979,
2021/07/12
Committee: LIBEFEMM
Amendment 42 #

2020/2035(INL)

Motion for a resolution
Citation 12 b (new)
— having regard to the UN Convention against Torture and Other Cruel, Inhuman or Degrading Treatment or Punishment of 10 December 1984,
2021/07/12
Committee: LIBEFEMM
Amendment 44 #

2020/2035(INL)

Motion for a resolution
Citation 12 c (new)
— having regards to its resolution of 21 January 2021 on closing the digital gender gap: women’s participation in the digital economy,
2021/07/12
Committee: LIBEFEMM
Amendment 47 #

2020/2035(INL)

Motion for a resolution
Citation 12 d (new)
— having regard to the report by the European Union Agency for Fundamental Rights (FRA) of March 2014 entitled ‘Violence against women: an EU-wide survey’,
2021/07/12
Committee: LIBEFEMM
Amendment 48 #

2020/2035(INL)

Motion for a resolution
Citation 12 e (new)
— having regard to the Commission communication of 12 November 2020 entitled ‘LGBTIQ Equality Strategy(2020- 2025)’,
2021/07/12
Committee: LIBEFEMM
Amendment 50 #

2020/2035(INL)

Motion for a resolution
Citation 13 a (new)
— having regards to resolution of 11 February 2021 on challenges ahead for women’s rights in Europe: more than 25 years after the Beijing Declaration and Platform for Action,
2021/07/12
Committee: LIBEFEMM
Amendment 52 #

2020/2035(INL)

Motion for a resolution
Citation 13 b (new)
— having regard to its resolution of 17 April 2020 on EU coordinated action to combat the COVID-19 pandemic and its consequences,
2021/07/12
Committee: LIBEFEMM
Amendment 55 #

2020/2035(INL)

Motion for a resolution
Citation 13 c (new)
— having regard to its resolution of 28 November 2019 on the EU’s accession to the Istanbul Convention and other measures to combat gender-based violence,
2021/07/12
Committee: LIBEFEMM
Amendment 56 #

2020/2035(INL)

Motion for a resolution
Citation 13 d (new)
— having regard to its resolution of 13 February 2019 on experiencing a backlash in women’s rights and gender equality in the EU,
2021/07/12
Committee: LIBEFEMM
Amendment 57 #

2020/2035(INL)

Motion for a resolution
Citation 13 e (new)
— having regard to its resolution of 11 September 2018 on measures to prevent and combat mobbing and sexual harassment at the workplace, in public spaces, and in political life in the EU,
2021/07/12
Committee: LIBEFEMM
Amendment 58 #

2020/2035(INL)

Motion for a resolution
Citation 14 a (new)
— having regard to its resolution of 26 October 2017 on combating sexual harassment and abuse in the EU,
2021/07/12
Committee: LIBEFEMM
Amendment 59 #

2020/2035(INL)

Motion for a resolution
Citation 16 a (new)
— having regard to the Fundamental Rights Agency’s ‘EU LGBTI Survey II: A long way to go for LGBTI equality',1a _________________ 1a https://fra.europa.eu/sites/default/files/fra _uploads/fra-2020-lgbti-equality-1_en.pdf
2021/07/12
Committee: LIBEFEMM
Amendment 63 #

2020/2035(INL)

Motion for a resolution
Recital A
A. whereas the first objective of the Union’s Gender Equality Strategy 2020- 2025 focuses on ending gender-based violence and describes it as ‘one of our societies’ biggest challenges’; whereas the Union’s LGBTIQ Equality Strategy recalls that everyone has a right to safety, be it at home, in public or online;
2021/07/12
Committee: LIBEFEMM
Amendment 67 #

2020/2035(INL)

Motion for a resolution
Recital A a (new)
A a. whereas in 2017 the EU signed the Istanbul Convention, which remains the benchmark for international standards for eradication of gender based violence, concluding the EU’s accession is a key priority for the Commission;
2021/07/12
Committee: LIBEFEMM
Amendment 71 #

2020/2035(INL)

Motion for a resolution
Recital B
B. whereas violence against women and other forms of gender-based violence are widespread in the Union and are to be understood as an extreme form of discrimination; whereas gender-based violence is rooted in the unequal distribution of power between women and men, in sexism and gender norms and stereotypes, which have led to domination over and discrimination against women by menand girls in all their diversity by men; whereas gender-based violence also occurs due to perceived deviation from gender norms;
2021/07/12
Committee: LIBEFEMM
Amendment 85 #

2020/2035(INL)

Motion for a resolution
Recital C
C. whereas violence against women and LGBTI persons and gender-based violence present different but not mutually exclusive forms and manifestations; whereas those different forms of violence are often interlinked with, and inseparable from, offline violence because they can precede, accompany or continue them;
2021/07/12
Committee: LIBEFEMM
Amendment 90 #

2020/2035(INL)

Motion for a resolution
Recital C a (new)
C a. whereas innovation happens at a pace that often does not allow for reflection its long-term consequences, whereas rapid technological developments, such as the increasing reach of the internet, the spread of mobile information, and the widespread use of social media frequently give ground and generate new forms of gender-based violence online;
2021/07/12
Committee: LIBEFEMM
Amendment 99 #

2020/2035(INL)

Motion for a resolution
Recital D
D. whereas currently there is no common definition or effective policy approach to combating gender-based cyber violence at EU or national level, whereas cyber harassment, cyber stalking, cyber bullying, trolling, online hate and sexist speech, flaming, doxxing and, impersonation, image- based sexual abuse and deep fakes are among the most common types of gender-based cyberviolence;, whereas some Member States have adopted specific legislation on some of those particular forms only; digital space is being used to lure women into pornography, prostitution and human trafficking, whereas several Member States have adopted specific legislation on some of those particular forms only, but the cross-border nature of gender-based cyber violence has yet to be properly addressed;
2021/07/12
Committee: LIBEFEMM
Amendment 103 #

2020/2035(INL)

Motion for a resolution
Recital D
D. whereas cyber harassment, cyber stalking, cyber bullying, trolling, online hate speech, flaming, doxxing, dead- naming and image- based sexual abuse are among the most common types of gender- based cyberviolence; whereas some Member States have adopted specific legislation on some of those particular forms only;
2021/07/12
Committee: LIBEFEMM
Amendment 108 #

2020/2035(INL)

Motion for a resolution
Recital D a (new)
D a. whereas hate speech against LGBTI persons is pervasively common, in particular online, and legislation is notably absent from some Member States’ legislative framework to prevent, address and sanction such forms of online abuse; whereas, at present, 15 Member States do not include gender identity in hate speech legislation; whereas the Commission has proposed to extend the list of ‘EU crimes’ under Article 83(1) TFEU to cover hate crime and hate speech, including when targeted at LGBTIQ people;
2021/07/12
Committee: LIBEFEMM
Amendment 120 #

2020/2035(INL)

Motion for a resolution
Recital E
E. whereas, despite a growing awareness of the phenomenon of gender- based cyberviolence, the lack of collection of exhaustive and recent data and the underreporting of cases of gender-based cyberviolence prevents an accurate assessment of its prevalence; whereas the European added value assessment on gender-based cyberviolence estimates that between 4 and 7% of women in the Union have experienced cyber harassment during the past 12 months, while between 1 and 3% have experienced cyber stalking, whereas the prevalence of gender-based cyberviolence is likely to continue to rise in the coming years;
2021/07/12
Committee: LIBEFEMM
Amendment 129 #

2020/2035(INL)

Motion for a resolution
Recital F
F. whereas women can be targeted by cyberviolence either individually or as members of a specific community;, including women from vulnerable groups, whereas intersectional forms of discrimination, including discrimination based on race, language, religion, belief, national or social origin, belonging to a national or ethnic minority, birth, sexual orientation, gender identity, gender expression or sex characteristics, age, state of health, disability, marital status or migrant or refugee status, can exacerbate the consequences of gender- based cyberviolence;
2021/07/12
Committee: LIBEFEMM
Amendment 130 #

2020/2035(INL)

Motion for a resolution
Recital F
F. whereas women in all their diversity can be targeted by cyberviolence either individually or as members of a specific community; whereas intersectional forms of discriminationtargeting of LGBTI persons is often on the grounds of their gender identity, gender expression or sex characteristics; whereas intersectional forms of discrimination increase the exposure to violence for women belonging to ethnic minorities, with disabilities, as well as lesbian, bisexual, transgender and intersex women, and can exacerbate the consequences of gender- based cyberviolence;
2021/07/12
Committee: LIBEFEMM
Amendment 142 #

2020/2035(INL)

Motion for a resolution
Recital G
G. whereas some women, such as feminist and LGBTIQ+ activists, politicians, women in public positions, journalists, bloggers and human rights defenders, are particularly impacted by gender-based cyberviolence, and whereas this is causing not only psychological harm and suffering to them but also deterring them from participating digitally in political, social and cultural life;
2021/07/12
Committee: LIBEFEMM
Amendment 144 #

2020/2035(INL)

Motion for a resolution
Recital G
G. whereas some women and LGBTI persons, such as politicians, women in public positions, journalists, bloggers and human rights defenders, are particularly impacted by gender-based cyberviolence, and whereas this is causing not only psychological harm and suffering to them but also deterring them from participating digitally in political, social and cultural life;
2021/07/12
Committee: LIBEFEMM
Amendment 150 #

2020/2035(INL)

Motion for a resolution
Recital G a (new)
G a. Whereas the Commission has committed in its Gender Equality Strategy 2020-2025 and in the LGBTIQ Equality Strategy 2020-2025 to present an initiative with a view to extending the areas of crime where harmonisation is possible to specific forms of gender-based violence in accordance with Article 83(1) TFEU, including hate crime and hate speech targeting LGBTIQ people;
2021/07/12
Committee: LIBEFEMM
Amendment 152 #

2020/2035(INL)

Motion for a resolution
Recital H
H. whereas gender-based cyberviolence has a direct impacts on women's mental health, on the full exercise of fundamental rights and even on democracy, and has and well-being, reflected in an increased incidence of depression and anxiety disorders, as well as social and economic impacts, which may include labour market impacts, through lower presence at work, risk of job loss or lover productivity, whereas cyberviolence can have a negative impact on victim's ability to fully exercise their fundamental rights, therefore, having consequences on society, including an economic impact and on democracy as a whole;
2021/07/12
Committee: LIBEFEMM
Amendment 159 #

2020/2035(INL)

Motion for a resolution
Recital H a (new)
H a. Whereas jobs increasingly involve and become dependent on the digital solutions leading to an increasing risks of women encountering gender-based cyber violence while engaging in the labour market and economic activity;
2021/07/12
Committee: LIBEFEMM
Amendment 163 #

2020/2035(INL)

Motion for a resolution
Recital H b (new)
H b. Whereas the EPRS study Combating gender-based violence: Cyber violence’ estimates the overall costs of cyber harassment and cyber stalking at between €49.0 and €89.3 billion with the largest cost category being the value of the loss in terms of quality of life, which accounted for more than half of the overall costs (about 60 % for cyber harassment and about 50 % for cyberstalking);
2021/07/12
Committee: LIBEFEMM
Amendment 168 #

2020/2035(INL)

Motion for a resolution
Paragraph 1
1. Underlines that gender-based cyberviolence is a continuum of gender- based violence offline and that no policy alternative will be effective unlesshould be addressed by a set of legislative and non- legislative measures iat takes this reality into considerationhe EU level, as well as within Member States;
2021/07/12
Committee: LIBEFEMM
Amendment 186 #

2020/2035(INL)

Motion for a resolution
Paragraph 2 a (new)
2 a. Welcomes the Commission’s commitments under the LGBTIQ Equality Strategy 2020-2025 concerning hate speech online, and the proposal to extend the list of ‘EU crimes’ under Article 83(1) TFEU to cover hate crime and hate speech, including when targeted at LGBTIQ people;
2021/07/12
Committee: LIBEFEMM
Amendment 190 #

2020/2035(INL)

Motion for a resolution
Paragraph 3
3. Stresses that the COVID-19 pandemic has increased the risk of domestic violence and abuse because victims are forced to spend more time with perpetrators and they tend to be more isolated from support networks; highlights that many LGBTI persons were forced to be confined with family members, legal guardians or co-habitants who harassed, abused or exposed them to violence; calls on Member States to increase the assistance they offer through specialised shelters, helplines and support services to protect victims and facilitate the reporting of gender-based violence;
2021/07/12
Committee: LIBEFEMM
Amendment 196 #

2020/2035(INL)

Motion for a resolution
Paragraph 3
3. Stresses that the COVID-19 pandemic has increased the risk of domestic violence and abuseintimate partner violence and abuse has escalated during the COVID-19 pandemic because victims are forced to spend more time with perpetrators and they tend to be more isolated from support networks; calls on Member States to increase the assistance they offer through shelters, helplines and support services to protect victims and facilitate the reporting of gender-based violence;
2021/07/12
Committee: LIBEFEMM
Amendment 201 #

2020/2035(INL)

Motion for a resolution
Paragraph 4
4. Underlines the transnational nature of gender-based cyberviolence, considering the cross-border dimension of the use of ICT, as well the rapid technological developments and digitalisation, generate new forms of gender-based cyberviolence, which undermines traceability and sanctioning of perpetrators;
2021/07/12
Committee: LIBEFEMM
Amendment 213 #

2020/2035(INL)

Motion for a resolution
Paragraph 5
5. Calls on the Member States to promote awareness raising, to implement national criminal justice laws and specific policies, and programmes well as trainings, educational programmes and campaigns to prevent gender-based cyber violence and to fight against impunity for those who commit such acts; highlights the importance of gender equality in education curriculums to address gender stereotypes that lead to harmful gender norms, while dealing with the root causes of gender-based violence, including cyberviolence, notes that particular attention should be given in this respect to education of boys and men;
2021/07/12
Committee: LIBEFEMM
Amendment 237 #

2020/2035(INL)

Motion for a resolution
Paragraph 6
6. Urges the Commission and the Member States to establish a reliable system for regularly collecting statistical disaggregated and comparable data on gender-based violence, including cyberviolence, including with the aim to conduct an EU wide study;
2021/07/12
Committee: LIBEFEMM
Amendment 246 #

2020/2035(INL)

Motion for a resolution
Paragraph 7
7. Notes that inter alia stress, concentration problems, anxiety, panic attacks, low self-esteem, depression, post- traumatic stress disorder, lack of trust and lack of sense of control, caused by cyberviolence, can have an impact on mental health and may have life-long consequences on health and well-being of women experiencing it;
2021/07/12
Committee: LIBEFEMM
Amendment 248 #

2020/2035(INL)

Motion for a resolution
Paragraph 7
7. Notes that inter alia stress, concentration problems, anxiety, panic attacks, low self-esteem, depression, post- traumatic stress disorder, lack of trust and lack of sense of control, caused by cyberviolence, can have an impact on mental health and may lead to self-harm and suicidal ideation;
2021/07/12
Committee: LIBEFEMM
Amendment 253 #

2020/2035(INL)

Motion for a resolution
Paragraph 8
8. Underlines that apart from psychological impacts gender-based cyberviolence generates psychological, social and economic consequencesimplications on women’s life both online and offline;
2021/07/12
Committee: LIBEFEMM
Amendment 264 #

2020/2035(INL)

Motion for a resolution
Paragraph 9
9. Calls on the Commission and the Member States to give particular attention to women belonging to groups put in a vulnerable situation as regards gender- based cyberviolence and to develop specific support services and educational programmes dedicated to those specific groups;
2021/07/12
Committee: LIBEFEMM
Amendment 271 #

2020/2035(INL)

Motion for a resolution
Paragraph 10
10. Deplores the fact that gender-based cyberviolence reduces the participation of women in public debate which, as a consequence, erodes the democratic principles of the Union; regrets that that ‘silencing effect’ has been particularly aimed at targeting women activists, including feminist women and girls, LGBTIQ+ activists, artists, women in male-dominated industries, journalists and politicians with the intention of discouraging the presence of women in political lifeublic life, including politics and decision- making spheres;
2021/07/12
Committee: LIBEFEMM
Amendment 283 #

2020/2035(INL)

Motion for a resolution
Paragraph 11
11. Recalls that gender stereotypes are at the core of gender discrimination and are one of the main barriers to the entry of women and girls in the ICT and digital fields; stresses the need to tackle the gender gap in the ICT sector through education, awareness-raising campaigns, professional trainings, appropriate funding and the promotion of the representation of women in the sector;
2021/07/12
Committee: LIBEFEMM
Amendment 285 #

2020/2035(INL)

Motion for a resolution
Paragraph 11
11. Recalls that gender norms and stereotypes are at the core of gender discrimination and are one of the main barriers to the entry of women and girls in the ICT and digital fields; stresses the need to tackle the gender gap in the ICT sector through education, awareness-raising campaigns and the promotion of the representation of women in the sector;
2021/07/12
Committee: LIBEFEMM
Amendment 289 #

2020/2035(INL)

Motion for a resolution
Paragraph 11 a (new)
11 a. Recalls that the labelling of LGBTI persons as an ‘ideology’ is spreading in online and offline communication and the same is true with regard to ongoing campaigning against so-called ‘gender ideology’ or in favour of ‘anti-gender movements’; highlights that LGBTI activists are often the targets of defamation campaigns, online hate speech and cyberbullying and abuse due to their advocacy work for LGBTI equality;
2021/07/12
Committee: LIBEFEMM
Amendment 317 #

2020/2035(INL)

Motion for a resolution
Paragraph 13
13. RecCalls thaton the Council is to urgently conclude the Union’s ratification of the Council of Europe Convention on preventing and combating violence against women and domestic violence (the ‘Istanbul Convention’) on the basis of a broad accession without any limitations, and to advocate for its ratification, swift and proper implementation, and enforcement by all Member States; underlines that the Istanbul Convention is the most comprehensive international treaty addressing the root causes of gender- based violence in all its forms and should be understood as a minimum standard; highlights that this call does not detract from the call to adopt a Union legal act on combating gender-based violence but, rather, complements it;, recalls that new legislative measures should in any case be coherent with the rights and obligations set by the Istanbul Convention and should be complementary to its ratification.
2021/07/12
Committee: LIBEFEMM
Amendment 326 #

2020/2035(INL)

Motion for a resolution
Paragraph 14
14. Strongly reaffirms its commitment, as it has previously expressed, to tackle gender-based violence and to the need to have, reiterates its call for a comprehensive directive covering all its forms as the best way to put an end to gender-based violence;
2021/07/12
Committee: LIBEFEMM
Amendment 351 #

2020/2035(INL)

Motion for a resolution
Annex I – Recommendation 2 – paragraph 3
The scope should cover any form of gender-based violence committed, assisted or aggravated in part or fully by the use of ICT, such as mobile phones and smartphones, the internet, social media platforms or email, against a woman because she is a woman, or affects women disproportionately. The scope should encompass gender-based violence against LGBTIQ persons, who are targeted because of their gender, gender identity, gender expression or sex characteristics.
2021/07/12
Committee: LIBEFEMM
Amendment 354 #

2020/2035(INL)

Motion for a resolution
Annex I – Recommendation 2 – paragraph 3
The scope should cover anyll forms of gender-based violence committed, assisted or aggravated in part or fully by the use of ICT, such as mobile phones and smartphones, the internet, social media platforms or email, against a womaen because she is a woman, or affects women disproportionatelyof their gender.
2021/07/12
Committee: LIBEFEMM
Amendment 356 #

2020/2035(INL)

Motion for a resolution
Annex I – Recommendation 2 – paragraph 4 – indent 1
- cyber harassment (including: cyberbullying, online sexual harassment, unsolicited receiving of sexually explicit material, mobbing);
2021/07/12
Committee: LIBEFEMM
Amendment 358 #

2020/2035(INL)

Motion for a resolution
Annex I – Recommendation 2 – paragraph 4 – indent 3
- ICT-related violations of privacy (including the accessing, sharing and manipulation of private data or images, including intimate data without consent, image-based sexual abuse and non- consensual disclosure of sexual images, doxxing, dead-naming, identity theft);
2021/07/12
Committee: LIBEFEMM
Amendment 361 #

2020/2035(INL)

Motion for a resolution
Annex I – Recommendation 2 – paragraph 4 – indent 5
- threats (including direct threats and threats of violence, extortion, sextortion, blackmail) directed at the victim, their children or relatives as well as other persons affected by second order violence;
2021/07/12
Committee: LIBEFEMM
Amendment 363 #

2020/2035(INL)

Motion for a resolution
Annex I – Recommendation 2 – paragraph 4 – indent 6
- sexist, transphobic or interphobic hate speech (including: posting and sharing violent content, use of sexist or gendered comments and insults, abusing women for expressing their own views and for turning away sexual advances, inciting to hatred against individuals on grounds of their gender identity, expression or sex characteristics);
2021/07/12
Committee: LIBEFEMM
Amendment 367 #

2020/2035(INL)

Motion for a resolution
Annex I – Recommendation 2 – paragraph 4 – indent 9
- "Real-World Attacks" (cyber violence having repercussions in “real life”), hacking and unlawful access to mobile, email, instant messaging messages or social media accounts;
2021/07/12
Committee: LIBEFEMM
Amendment 369 #

2020/2035(INL)

Motion for a resolution
Annex I – Recommendation 2 – paragraph 4 – indent 11
- direct violence., including trafficking of women using technological means such as recruitment, luring women into prostitution and sharing stolen graphical content to advertise for prostitution, sexualised extortion (sextortion) and identity theft, as well as online grooming in order to bring the child into sexual abuse or child- trafficking situations;
2021/07/12
Committee: LIBEFEMM
Amendment 373 #

2020/2035(INL)

Motion for a resolution
Annex I – Recommendation 3 – paragraph 1 – introductory part
Member States should implement a series of measures in order to prevent gender- based cyberviolence, having an intersectional approach:
2021/07/12
Committee: LIBEFEMM
Amendment 374 #

2020/2035(INL)

Motion for a resolution
Annex I – Recommendation 3 – paragraph 1 – indent 1
- awareness-raising and educational programmes, including programmes addressed to boys and men, as well as campaigns involving all relevant actors and stakeholders to address the root causes of gender-based cyberviolence, within the general context of gender-based violence in order to bring about changes in social and cultural attitudes and remove gender stereotypes, while promoting responsible behaviour on social media and increasing literacy about the safe use of the internet;
2021/07/12
Committee: LIBEFEMM
Amendment 376 #

2020/2035(INL)

Motion for a resolution
Annex I – Recommendation 3 – paragraph 1 – indent 1
- awareness-raising and educational programmes involving all relevant actors and stakeholders to address the root causes of gender-based cyberviolence, within the general context of gender-based violence in order to bring about changes in social and cultural attitudes and remove gender norms and stereotypes, while promoting responsible behaviour on social media and increasing literacy about the safe use of the internet;
2021/07/12
Committee: LIBEFEMM
Amendment 428 #

2020/2035(INL)

Motion for a resolution
Annex I – Recommendation 5 – paragraph 1 – indent 4
- aggravating circumstances, depending on the profile of the women and, girls and LGBTI victims (exploiting specific characteristics, vulnerabilities of women and girl, girls and LGBTI persons online);
2021/07/12
Committee: LIBEFEMM
Amendment 1 #

2020/2022(INI)

Motion for a resolution
Citation 3
— having regard to the Charter of Fundamental Rights of the European Union, in particular Article 6, Article 7, Article 8, Article 11, Article 13, Article 221, Article 22, Article 23, Article 24, Article 25 and Article 246 thereof,
2020/06/24
Committee: LIBE
Amendment 4 #

2020/2022(INI)

Motion for a resolution
Citation 6 a (new)
— having regard to Directive 2010/13/EU of the European Parliament and of the Council of 10 March 2010 on the coordination of certain provisions laid down by law, regulation or administrative action in Member States concerning the provision of audiovisual media services (Audiovisual Media Services Directive)3a, _________________ 3a OJ L 95, 15.4.2010, p. 1–24
2020/06/24
Committee: LIBE
Amendment 12 #

2020/2022(INI)

Motion for a resolution
Citation 7 a (new)
— having regard to the judgement of the Court of Justice of 24 November 2011 in case C-70/105a, _________________ 5aJudgement of the Court of Justice of 24 November 2011, Scarlet Extended SA v Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM)
2020/06/24
Committee: LIBE
Amendment 16 #

2020/2022(INI)

Motion for a resolution
Recital -A (new)
-A. whereas fundamental rights, such as protection of privacy and personal data, the principle of non-discrimination, as well as freedom of expression and information, need to be ingrained at the core of a successful and durable European policy on digital services; whereas these rights need to be seen both in the letter of the law, as well as the spirit of their implementation;
2020/06/24
Committee: LIBE
Amendment 17 #

2020/2022(INI)

Motion for a resolution
Recital A b (new)
Ab. recital -Aa whereas the trust of users can only be gained by digital services that respect their fundamental rights, thus ensuring both uptake of services, as well as a competitive advantage and stable business models for companies;
2020/06/24
Committee: LIBE
Amendment 20 #

2020/2022(INI)

Motion for a resolution
Recital B a (new)
Ba. whereas the privacy rules in the electronic communication sector, as set out in the Directive concerning the processing of personal data and the protection of privacy in the electronic communications sector, are currently under revision;
2020/06/24
Committee: LIBE
Amendment 25 #

2020/2022(INI)

Motion for a resolution
Recital C
C. whereas the amount of all types of user- generated content, including harmful and illegal content, shared via cloud services or online platforms has increased exponentially;
2020/06/24
Committee: LIBE
Amendment 27 #

2020/2022(INI)

Motion for a resolution
Recital C a (new)
Ca. whereas the use of personal data for the purposes of individual profiling, and its subsequent repurposing, even when seemingly innocuous data is collected from the digital traces of individuals, can be mined in a way that can generate insights that can enable very intimate personal information to be inferred at a very high level of accuracy, especially when these data are merged with other data sets;
2020/06/24
Committee: LIBE
Amendment 28 #

2020/2022(INI)

Motion for a resolution
Recital C b (new)
Cb. whereas social media and other content distribution platforms utilise profiling techniques to target and distribute their content, as well as advertisements; whereas the automated algorithms decide how to handle, prioritise, distribute and delete third-party content on online platforms, including during political and electoral campaigns;
2020/06/24
Committee: LIBE
Amendment 29 #

2020/2022(INI)

Motion for a resolution
Recital C c (new)
Cc. whereas the proliferation of disinformation, even propaganda online, has been aided by platforms whose very business model is based on profiting from collection and analysis of user data; whereas consequently promoting spreadable, sensationalist content forms part of their business logic, and pushes them to generate more traffic and ‘clicks’, and, in turn, generate more profiling data and thus more profit;
2020/06/24
Committee: LIBE
Amendment 30 #

2020/2022(INI)

Motion for a resolution
Recital C d (new)
Cd. whereas the Cambridge Analytica and Facebook scandals revealed how user data had been used to micro-target certain voters with political advertising, and at times, even with targeted disinformation, therefore showing the danger of opaque data processing operations of online platforms;
2020/06/24
Committee: LIBE
Amendment 31 #

2020/2022(INI)

Ce. whereas the widespread use of algorithms for content filtering and content removal processes also raises rule of law concerns, questions of legality, legitimacy and proportionality;
2020/06/24
Committee: LIBE
Amendment 39 #

2020/2022(INI)

Motion for a resolution
Recital E
E. whereas the political approach to tackle harmful and illegal content online in the EU has mainly focused on voluntary cooperation thus faris based on court order mandated takedowns, but a growing number of Member States are adopting further national legislation to address illegal content;
2020/06/24
Committee: LIBE
Amendment 45 #

2020/2022(INI)

Motion for a resolution
Recital F
F. whereas some forms of harmful content may be legal, yet detrimental to society or democracy, yet be legal, with examples such as opaque political advertising and disinformation on COVID-19 causes and remedies;
2020/06/24
Committee: LIBE
Amendment 47 #

2020/2022(INI)

Motion for a resolution
Recital G
G. whereas a pure self-regulatory approach of platforms does not provide legitimacy or adequate transparency and proper information to public authorities, civil society and users on how platforms address illegal and harmful contentcontent and content that is deleted against violations of terms and conditions; whereas such an approach does not guarantee compliance with fundamental rights; and creates a risk of excessive interference with the right of freedom of expression and creates a problematic situation where law enforcement responsibilities are handed over to private parties;
2020/06/24
Committee: LIBE
Amendment 52 #

2020/2022(INI)

Motion for a resolution
Recital H
H. whereas regulatory oversight and supervision of platforms lacks horizontalis sector-specific in the EU; whereas further and more comprehensive coordination between the different oversight bodies across the EU would be beneficial;
2020/06/24
Committee: LIBE
Amendment 54 #

2020/2022(INI)

Motion for a resolution
Recital I
I. whereas the absence of uniform and transparent rules for procedural safeguards across the EU is a key obstacle for persons affected by illegal content online and content providers seeking to exercise their rights;deleted
2020/06/24
Committee: LIBE
Amendment 58 #

2020/2022(INI)

Motion for a resolution
Recital J
J. whereas the lack of comparable, robust public data on the prevalence and both court mandated and self-regulatory removal of illegal and harmful content online creates a deficit of transparency and accountability;
2020/06/24
Committee: LIBE
Amendment 66 #

2020/2022(INI)

Motion for a resolution
Recital K
K. whereas child sexual exploitation online is one of the forms of illegal content shaped by technological developments; whereas the vast amount of child sexual abuse material circulating online poses serious challenges for detection, investigation and, most of all, victim identification efforts;
2020/06/24
Committee: LIBE
Amendment 68 #

2020/2022(INI)

Motion for a resolution
Recital L
L. whereas according to the Court of Justice of the European Union (CJEU), jurisprudence host providers may have recourse to automated search tools and technologies to assess if content is equivalent to content previously declared unlawful, and should thuss long as it does not result in monitoring generally the information which it stores, or in actively seeking facts or circumstances indicating illegal activity, as provided for in Article 15(1) of Directive 2000/31; whereas such content should be removed following an court order from a Member State;
2020/06/24
Committee: LIBE
Amendment 71 #

2020/2022(INI)

Motion for a resolution
Recital L a (new)
La. whereas a trusted electronic identification is elementary to ensure secure access to digital services and to carry out electronic transactions in a safer way; whereas currently only 15 Member States have notified an electronic identity scheme for cross-border recognition in the framework of the Regulation (EU) 910/2014;
2020/06/24
Committee: LIBE
Amendment 81 #

2020/2022(INI)

Motion for a resolution
Paragraph 1
1. Stresses that illegal content online should be tackled with the same rigour as illegal content offlineis the same as illegal content offline; takes therefore the position that any legally mandated content moderation measure in the Digital Services Act should concern only illegal content, as it is defined in European or national law, and the legislative text should not include any legally vague and undefined terms, such as “harmful content”, as targeting such content would put fundamental rights and freedom of speech at serious risk and put the service providers in a legally unclear position;
2020/06/24
Committee: LIBE
Amendment 85 #

2020/2022(INI)

Motion for a resolution
Paragraph 1 a (new)
1a. Paragraph -1. Underlines that the modernisation of current e-Commerce rules can inevitably affect fundamental rights, including the protection of privacy and personal data, the freedom of expression and information, equality and non-discrimination, freedom of thought, conscience and religion, freedom of assembly and association, freedom of the arts and sciences, and the right to an effective remedy; therefore urges the Commission to be extremely vigilant in its approach and also integrate international human rights standards into its revision;
2020/06/24
Committee: LIBE
Amendment 87 #

2020/2022(INI)

Motion for a resolution
Paragraph 1 b (new)
1b. Paragraph -1a. Notes how the current digital ecosystem encourages also problematic behaviour, such as hate speech and disinformation; is concerned how promoting controversial content has become the key to the targeted advertisement-based business models, where sensational and polarising content maximises the screen time of users, generating more profiling data, more advertising hours, and therefore more profits; underlines how this type of a business model can have very intrusive and negative effects, not only on individuals and their fundamental rights, but societies as a whole;
2020/06/24
Committee: LIBE
Amendment 95 #

2020/2022(INI)

Motion for a resolution
Paragraph 2
2. Believes in the clear economic benefits of a functioning digital single market for the EU and its Member States; stresses the important obligation to ensure a fair digital ecosystem in which fundamental rights and, especially data protection are respected; calls for a minimum level of intervention based on the principles of necessity and proportionality, privacy and non- discrimination are at its core;
2020/06/24
Committee: LIBE
Amendment 104 #

2020/2022(INI)

Motion for a resolution
Paragraph 3
3. Deems it necessary that illegal content is removed swiftly and consistently in order to address crimes and fundamental rights violation, through a clear and harmonised notice-and-action procedure with the necessary safeguards in place, such as transparency of the process, the right to appeal and access to effective judicial redress; considers that voluntary codes of conduct only partially address the issue;
2020/06/24
Committee: LIBE
Amendment 114 #

2020/2022(INI)

Motion for a resolution
Paragraph 4
4. Recalls that illegal content online should not only bebe just removed by online platforms, but should be followed up by law enforcement and, where needed, the judiciary; finds, in this regard, that a key issue in some Member States is not that they just have unresolved cases but rather unopened ones; calls for barriers to filing complaints with competent authorities to be removed; is convinced that, given the borderless nature of the internet and the fast dissemination of illegal content online, cooperation between service providers and national competent authorities should be improvedalso unopened ones;
2020/06/24
Committee: LIBE
Amendment 117 #

2020/2022(INI)

Motion for a resolution
Paragraph 4 – subparagraph 1 (new)
Is convinced that, given the borderless nature of the internet and the fast dissemination of illegal content online, cooperation between service providers and national competent authorities should be improved;
2020/06/24
Committee: LIBE
Amendment 122 #

2020/2022(INI)

Motion for a resolution
Paragraph 5
5. Acknowledges the fact that, while the illegal nature of certain types of content can be easily established, the decision is more difficult for other types of content as it requires contextualisation; warns that some automated tools are not sophisticated enough to take contextualisation into account, which could lead to unnecessary restrictions being placed on the freedom of expressionreminds in this regard of the incapacity of current automated tools in grasping the importance of context for specific pieces of content, underlines that algorithms are not currently capable of critical analysis, and takes therefore the view that the Digital Services Act should not contain any obligation for compulsory use of automated tools in content moderation; believes that any voluntary automated measures put in place by the content hosting platforms should be subject to extensive human oversight and to full transparency of design and performance;
2020/06/24
Committee: LIBE
Amendment 134 #

2020/2022(INI)

Motion for a resolution
Paragraph 7
7. Strongly believes that the current EU legal framework governing digital services should be updated with a view to addressing the challenges posed by new technologies such as the prevalence of all- encompassing profiling and algorithmic decision-making that permeates all areas of life, and ensuring legal clarity and respect for fundamental rights; considers that the reform should build on the solid foundation of and full compliance with existing EU law, especially the General Data Protection Regulation and the Directive on privacy and electronic communications;
2020/06/24
Committee: LIBE
Amendment 139 #

2020/2022(INI)

Motion for a resolution
Paragraph 7 a (new)
7a. Highlights that the practical capacity of individuals to understand and navigate the complexity of the data ecosystems in which they are embedded is extremely limited, as is their ability to identify whether the information they receive and services they use are made available to them on the same terms as to other users; Calls on the Commission therefore to place transparency and non- discrimination at the heart of the Digital Services Act;
2020/06/24
Committee: LIBE
Amendment 143 #

2020/2022(INI)

Motion for a resolution
Paragraph 8
8. Deems it indispensable to have the widest-possiblefull harmonisation of rules on liability exemptions and content moderation at EU level to guarantee the respect of fundamental rights and the freedoms of users across the EU; expresses its concern that recent national laws to tackle hate speech and disinformation lead to a fragmentation of rules;
2020/06/24
Committee: LIBE
Amendment 148 #

2020/2022(INI)

Motion for a resolution
Paragraph 9
9. Calls, to this end, for legislative proposals that keepthat the digital single market is kept open and competitive by requiring digital service providers to apply effective, coherent, transparent and fair procedures andwith robust procedural safeguards to remove illegal content in line with European values; firmly believes that this should be harmonised within the digital single marketvia a harmonised notice-and-action procedure in line with European legislation;
2020/06/24
Committee: LIBE
Amendment 155 #

2020/2022(INI)

Motion for a resolution
Paragraph 10
10. Believes, in this regard, that online platforms that are actively hosting or moderating content should bear more, yet proportionate, responsibility for the infrastructure they provide and the content on it; emphasises that this should be achieved without resorting toit is crucial for online platforms to have clarity provided for by setting clear rules, requirements and safeguards for a harmonised notice-and-action procedure; emphasises that any measure put in place for the removal of illegal content cannot constitute or imply a general monitoring requirements;
2020/06/24
Committee: LIBE
Amendment 158 #

2020/2022(INI)

Motion for a resolution
Paragraph 11
11. Highlights that this should include rules on the notice-and-action mechanisms and requirements for platforms to take proactive measures that are proportionate to their scale of reach and operational capacities in order to address the appearance of illegal content on their services; supports a balanced duty-of-care approach andSupports a clear chain of responsibility to avoid unnecessary regulatory burdens for the platforms and unnecessary and disproportionate restrictions on fundamental rights, including the freedom of expression;
2020/06/24
Committee: LIBE
Amendment 167 #

2020/2022(INI)

Motion for a resolution
Paragraph 12
12. Stresses the need for appropriate safeguards and due process obligations, including human oversight and verification, in addition to counter notice procedures, to ensure that removal or blocking decisions are accuratelegal, well- founded and respect fundamental rights; recalls that the possibility of judicial rwhile counter-notice proceduress should be mad, complaint mechanisms and out-of-court dispute settlements can be availuable to satisfy the right to effectiveols in protecting fundamental rights of the users of digital services, they cannot preclude access to effective judicial redress and remedy;
2020/06/24
Committee: LIBE
Amendment 178 #

2020/2022(INI)

Motion for a resolution
Paragraph 13
13. Supports limited liability for contentexemption for all types of intermediaries and the country of origin principle, butand considers improved coordination for removal requests between national competent authorities to be essential; emphasises that such orders should be subject to legal safeguards in order to prevent abuse and ensure full respect of fundamental rights; stresses that sanctions should apply only to those service providers that fail to comply with legitimate orders;
2020/06/24
Committee: LIBE
Amendment 192 #

2020/2022(INI)

Motion for a resolution
Paragraph 14
14. Believes that the terms of services of digital service providers should be clear, transparent and fair; deplores the fact that some terms of servrecalls that any take- down-notices from content platforms do not allow law enforcement to use non-personal accounts, which poses a threat both to possible investigations and to personal safetyan authority has to always be based on law, not on the terms of service of the service providers;
2020/06/24
Committee: LIBE
Amendment 195 #

2020/2022(INI)

Motion for a resolution
Paragraph 15
15. Underlines that certain types of legal, yet harmful, content should also be addressed to ensure a fair digital ecosystem; expects guidelines to include increased transparency rules on content moderation or political advertising policy to ensure that removals and the blocking of harmful content are limited to the absolute necessarye need to regulate content curation and tracking-based targeted advertisement through giving more choice and control to users; emphasises that users should be able to choose to opt out completely of any content curation, decide whether to opt in to tracking, and have more options on the way content is ranked to them, including a ranking outside their ordinary content consumption habits; strongly believes that the design and performance of such recommendation systems should be subject to full transparency, presented in a user-friendly manner;
2020/06/24
Committee: LIBE
Amendment 205 #

2020/2022(INI)

Motion for a resolution
Paragraph 15 a (new)
15a. Highlights how the personalisation of informational environments that data- driven profiling makes possible brings with it new capacities to manipulate individuals in subtle, yet highly effective ways; underlines that when the profiling is deployed at scale for political micro targeting to manipulate voting behaviour, it can seriously undermine the foundations of democracy; therefore expects the Commission to provide guidelines on the use of such persuasive digital technologies in electoral campaigns and political advertising policy;
2020/06/24
Committee: LIBE
Amendment 208 #

2020/2022(INI)

Motion for a resolution
Paragraph 15 b (new)
15b. Is concerned of platforms and services that deliberately lock in their users onto that specific platform, thus amplifying their dominant market power and their ability to profile their users even more thoroughly, creating extremely invasive and revealing profiles of their users; calls therefore on the Commission to guarantee the interoperability of digital services; considers in this regard the application programming interfaces (APIs), enabling a user to interconnect between platforms and to import content moderation rules on the content they view on a platform, to be useful tools in bringing true interoperability to users and thus increasing their options to choose between different kinds of recommendation systems and services;
2020/06/24
Committee: LIBE
Amendment 210 #

2020/2022(INI)

Motion for a resolution
Paragraph 15 c (new)
15c. Notes that policies for monetisation of content affect what kind of content is seen by users and therefore finally also what kind of content will be uploaded by users; calls therefore for online content hosting platforms to be required to have transparent, non- discriminatory content demonetisation policies in order to guarantee fully the right to freedom of expression online;
2020/06/24
Committee: LIBE
Amendment 211 #

2020/2022(INI)

Motion for a resolution
Paragraph 16
16. Deems that accountability- andUnderlines the wedge between the speed and capacity of machines relative to the capacity of humans to monitor these machines; therefore deems that accountability always lies with the human overseers - and calls for evidence-based policy making, requiresing robust data on the prevalence and removal of illegal content online, in order to ensure a transparent system that can be trusted by all;
2020/06/24
Committee: LIBE
Amendment 220 #

2020/2022(INI)

Motion for a resolution
Paragraph 17
17. Calls, in this regard, for a regular public reporting for large commercial obnligation for platforms, proportionate to their scale of reach and operational capacitiesne platforms to make their procedures and decisions to remove content publicly available;
2020/06/24
Committee: LIBE
Amendment 224 #

2020/2022(INI)

Motion for a resolution
Paragraph 18
18. Calls, moreover, for a regular public reporting obligation for national authorities on their requests for deletion of illegal content from digital platforms;
2020/06/24
Committee: LIBE
Amendment 226 #

2020/2022(INI)

Motion for a resolution
Paragraph 19
19. Expresses its concern regarding the fragmentation of public oversight and supervision of platforms and the frequentdocumented lack of financial and human resources for the supervision and oversight bodies needed to properly fulfil their tasks; calls for increased cooperation with regard to regulatory oversight of digital services;
2020/06/24
Committee: LIBE
Amendment 228 #

2020/2022(INI)

Motion for a resolution
Paragraph 19 a (new)
19a. Considers that in order to guarantee proper enforcement of the Digital Services Act, the oversight of compliance with this Act should be entrusted in an independent authority, while any decisions relating to content should always remain with the judiciary; emphasises in this regard that sanctioning for non-compliance with the Digital Services Act should be based on an assessment of a clearly defined set of factors, such as proportionality, technical and organisational measures and negligence, and the resulting sanctions should be based on a percentage of the annual global turnover of a company;
2020/06/24
Committee: LIBE
Amendment 230 #

2020/2022(INI)

Motion for a resolution
Paragraph 20
20. Supports the creation of an independent EU body to exercise effective oversight of compliance with the applicable rules; believes that it should enforce procedural safeguards and transparency and provide quick and reliable guidance on contexts in which legal content is to be considered harmful;deleted
2020/06/24
Committee: LIBE
Amendment 236 #

2020/2022(INI)

Motion for a resolution
Paragraph 21
21. Considers that the transparency reports drawn up by platforms and national competent authorities should be made available to this EU body, which should be tasked with drawing up yearly reports that provide a structured analysis of illegal content removal and blocking at EU level;deleted
2020/06/24
Committee: LIBE
Amendment 243 #

2020/2022(INI)

Motion for a resolution
Paragraph 22
22. Stresses that this EU body should not take on the role of content moderator, but that it should analyse, upon complaint or on its own initiative, whether and how digital service providers amplify illegal content; calls for this regulator to have the power to impose proportionate fines or other corrective actions when platforms do not provide sufficient information on their procedures or algorithms in a timely manner;deleted
2020/06/24
Committee: LIBE
Amendment 257 #

2020/2022(INI)

Motion for a resolution
Paragraph 23 a (new)
23a. Emphasises the indispensability of agreed standards of essential security in cyberspace in order for digital services to provide their full benefits to citizens; notes therefore the urgent need for Member States to take coordinated action to ensure basic cyber hygiene and to prevent avoidable dangers in cyberspace, including through legislative measures;
2020/06/24
Committee: LIBE
Amendment 261 #

2020/2022(INI)

Motion for a resolution
Paragraph 23 b (new)
23b. Stresses that the only way for digital services to achieve their full potential is to enable users to be identified unambiguously in an equivalent manner to offline services; notes that online identification can be improved by enforcing eIDAS Regulation’s cross- border interoperability of electronic identifications across the European Union; reminds that Member States and European institutions have to guarantee that the electronic identifications are secure, enable data minimisation and comply with all other aspects of GDPR;
2020/06/24
Committee: LIBE
Amendment 12 #

2020/2018(INL)

Draft opinion
Paragraph 1 a (new)
1 a. Notes that transparency in an algorithm used for digital products and services is a significant characteristic; upon request of the competent authorities, digital service providers should be obliged to make their proprietary algorithms available, explain the intended goal and compare this goal with the actual outcome; digital service providers should amend and adapt their algorithms immediately when the intended outcome is deemed unlawful or unethical; open- source algorithm libraries should be encouraged as an instrument that increases transparency and accelerates both the technology adoption and the quality of the architecture;
2020/05/27
Committee: LIBE
Amendment 15 #

2020/2018(INL)

Draft opinion
Paragraph 1 b (new)
1 b. Underlines that in cases of denial of access to a digital product or service, consumers should always be able to inquire about the logic of the decision and the decision-making process; further notes that consumers should always be explicitly informed whether their engagement is with a human or with a machine; emphasises that humans should always have the final responsibility; calls on the Commission to determine the significant role of human operators in the material execution of a decision made by an artificial intelligence (AI) system;
2020/05/27
Committee: LIBE
Amendment 27 #

2020/2018(INL)

Draft opinion
Paragraph 2 a (new)
2 a. Calls on the Commission to provide a clearly defined notice-and- action framework for the content hosting platforms to use in the fight against illegal content; stresses that such a framework has to guarantee fundamental rights of users through access to judicial redress and the right to appeal;
2020/05/27
Committee: LIBE
Amendment 33 #

2020/2018(INL)

Draft opinion
Paragraph 2 b (new)
2 b. Reminds of the incompetence of current automated tools in grasping the importance of context for specific pieces of content; takes therefore the view that the Digital Services Act should not contain any obligation for the use of automated tools in content moderation; believes that any voluntary automated measures put in place by the content hosting platforms should be subject to human oversight and to full transparency of design and performance;
2020/05/27
Committee: LIBE
Amendment 39 #

2020/2018(INL)

Draft opinion
Paragraph 2 c (new)
2 c. Takes the position that any content moderation measure in the Digital Services Act should concern illegal content only as it is defined in national jurisdictions and should not include legally vague and undefined terms, such as “harmful content”, as targeting such content would put fundamental rights and freedom of speech at serious risk;
2020/05/27
Committee: LIBE
Amendment 40 #

2020/2018(INL)

Draft opinion
Paragraph 2 d (new)
2 d. Emphasises the need to regulate content curation through giving more control to users on the way content is ranked to them, including options to a ranking outside their ordinary content consumption habits and to opt out completely of any content curation; strongly believes that the design and performance of such recommendation systems should be subject to transparency;
2020/05/27
Committee: LIBE
Amendment 43 #

2020/2018(INL)

Draft opinion
Paragraph 2 e (new)
2 e. Considers that content hosting platforms should be obliged to report any illegal content constituting a serious crime to the relevant law enforcement authorities upon becoming aware of it;
2020/05/27
Committee: LIBE
Amendment 49 #

2020/2018(INL)

Draft opinion
Paragraph 3 – subparagraph 1 (new)
Underlines that the only way for users of digital services to be identified in an equivalent manner compared to offline services is the recognition of a pan- European digital identification; reminds in this regard that Member States and European institutions have to guarantee the security of the European digital identification;
2020/05/27
Committee: LIBE
Amendment 20 #

2020/2016(INI)

Motion for a resolution
Recital A
A. whereas digital technologies in general and artificial intelligence (AI) in particular bring with them extraordinary promise; whereas AI iscould be one of the strategic technologies of the 21st century, that may generatinge substantial benefits in efficiency, accuracy, and convenience, and thus bringing positive change to the European economy; whereas AI should not be seen as an end in itself, but as a tool for serving people, with the ultimate aim of increasing human well-being;
2020/07/20
Committee: LIBE
Amendment 21 #

2020/2016(INI)

Motion for a resolution
Recital A a (new)
A a. whereas AI can be seen as the ability of a system to correctly interpret external data, to learn from such data, and to use those learnings to achieve specific goals and tasks through flexible adaptation; Whereas the key components of development in AI are the availability of vast quantities of: data, computing power, and human capital and talent;
2020/07/20
Committee: LIBE
Amendment 24 #

2020/2016(INI)

Motion for a resolution
Recital A b (new)
A b. whereas, despite continuing advances in computer processing speed and memory capacity, there are as yet no programs that can match human flexibility over wider domains or in tasks requiring understanding of context or critical analysis; whereas, some AI applications have attained the performance levels of human experts and professionals in performing certain specific tasks, and can provide results in a completely different speed and scale;
2020/07/20
Committee: LIBE
Amendment 26 #

2020/2016(INI)

Motion for a resolution
Recital A c (new)
A c. whereas several Member States use the application of embedded artificial intelligence (AI) systems in the field of law enforcement;
2020/07/20
Committee: LIBE
Amendment 31 #

2020/2016(INI)

Motion for a resolution
Recital B a (new)
B a. whereas the use of AI technology should be developed in such a way as to put people at its center and therefore to be worth of public trust;
2020/07/20
Committee: LIBE
Amendment 36 #

2020/2016(INI)

Motion for a resolution
Recital C a (new)
C a. whereas AI systems always have to be in the service of humans and have the ultimate safety valve of being designed so that they can always be shut down by a human operator;
2020/07/20
Committee: LIBE
Amendment 43 #

2020/2016(INI)

Motion for a resolution
Recital E
E. whereas AI applications may offer great opportunities in the field of law enforcement, in particular in improving the working methods of law enforcement agencies and judicial authorities, and combating certain types of crime more efficiently, in particular financial crime, money laundering and terrorist financing, as well as certain types of cybercrime; while at the same time entailing significant risks for the fundamental rights of people;
2020/07/20
Committee: LIBE
Amendment 58 #

2020/2016(INI)

Motion for a resolution
Recital G
G. whereas AI applications in use by law enforcement include applications such as facial recognition technologies, automated number plate recognition, speaker identification, speech identification, lip-reading technologies, aural surveillance (i.e. gunshot detection algorithms), autonomous research and analysis of identified databases, forecasting (predictive policing and crime hotspot analytics), behaviour detection tools, autonomous tools to identify financial fraud and terrorist financing, social media monitoring (scraping and data harvesting for mining connections), international mobile subscriber identity (IMSI) catchers, and automated surveillance systems incorporating different detection capabilities (such as heartbeat detection and thermal cameras); whereas the aforementioned applications have vastly varying degrees of reliability and accuracy as well as potentially significant effects on the protection of fundamental rights;
2020/07/20
Committee: LIBE
Amendment 69 #

2020/2016(INI)

Motion for a resolution
Recital I
I. whereas use of AI in law enforcement entails a number of phigh risks for the protenctial riskon of fundamental rights of individuals, such as opaque decision- making, different types of discrimination, and risks to the protection of privacy and personal data, the protection of freedom of expression and information, and the presumption of innocence;
2020/07/20
Committee: LIBE
Amendment 102 #

2020/2016(INI)

Motion for a resolution
Paragraph 3
3. Considers, in this regard, that any AI tool either developed or used by law enforcement or judiciary should, as a minimum, be safe, secure and fit for purpose, respect the principles of data minimisation, fairness, accountability, transparency and explainability, with their deploymentvelopment, deployment and use subject to a strict necessity and proportionality test;
2020/07/20
Committee: LIBE
Amendment 115 #

2020/2016(INI)

Motion for a resolution
Paragraph 4
4. Sees with great concern the potential of mass surveillance by means of AI technologies in the law enforcement sector; Highlights the importanceerative need of preventing such mass surveillance by means of AI technologies, and of banning any applications that would result in it;
2020/07/20
Committee: LIBE
Amendment 149 #

2020/2016(INI)

Motion for a resolution
Paragraph 9 a (new)
9 a. Highlights how individuals have become overly trusting in the seemingly objective and scientific nature of AI tools and thus fail to consider the possibility of their results being incorrect, incomplete or irrelevant, with potentially grave adverse consequences specifically in the area of law enforcement and justice; Emphasises the over-reliance on the results provided for by AI systems, and notes with concern the lack of confidence and knowledge, by authorities, to question or override an algorithmic recommendation;
2020/07/20
Committee: LIBE
Amendment 153 #

2020/2016(INI)

Motion for a resolution
Paragraph 10
10. Underlines that in judicial and law enforcement contexts, the final decision always needs to be taken by a human, who can be held accountable for the decisions made, and include the possibility of a recourse for a remedy; reminds that under EU law, automated individual decision making shall not be based on special categories of personal data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation), unless suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place; highlights that EU law prohibits profiling that results in discrimination against natural persons on the basis of special categories of personal data;
2020/07/20
Committee: LIBE
Amendment 164 #

2020/2016(INI)

Motion for a resolution
Paragraph 11 a (new)
11 a. Calls for, in order to guarantee the algorithmic explainability and transparency of law enforcement AI systems, only such tools to be allowed to be purchased by the law enforcement in the Union, which algorithms and logic are open, to at least the police forces themselves, that can be audited, evaluated and vetted by them, and not closed and labelled proprietary by the vendors;
2020/07/20
Committee: LIBE
Amendment 168 #

2020/2016(INI)

Motion for a resolution
Paragraph 12 a (new)
12 a. calls for clear and appropriate time limits to be established for the erasure of personal data or for a periodic review of the need for the storage of personal data processed or generated by AI technologies for law enforcement purposes;
2020/07/20
Committee: LIBE
Amendment 170 #

2020/2016(INI)

Motion for a resolution
Paragraph 13
13. CallsReminds that EU law (Directive (EU) 2016/680) already foresees a mandatory data protection impact assessment for any type of processing, in particular, using new technologies, that is likely to result in a high risk to the rights and freedoms of natural persons and is of the opinion that this is the case for all AI technologies in the area of law enforcement; Calls in addition for a compulsory fundamental rights impact assessment to be conducted prior to the implementation or deployment of any AI systems for law enforcement or judiciary, in order to assess any potential risks to fundamental rights;
2020/07/20
Committee: LIBE
Amendment 185 #

2020/2016(INI)

Motion for a resolution
Paragraph 15
15. Calls for a moratorium on the deployment of facial recognition systems for specific law enforcement operations, until the technical standards can be considered fully fundamental rights compliant, results derived are non- discriminatory, and there is public trust in the necessity and proportionality for the deployment of such technologies; calls for a ban of the use of facial recognition in the public sphere where not used in specific law enforcement operations;
2020/07/20
Committee: LIBE
Amendment 198 #

2020/2016(INI)

Motion for a resolution
Paragraph 16 a (new)
16 a. Calls for the Fundamental Rights Agency, in collaboration with the European Data Protection Board and the European Data Protection Supervisor to draft comprehensive guidelines for the development, use and deployment of AI applications and solutions for the use by law enforcement and judicial authorities;
2020/07/20
Committee: LIBE
Amendment 24 #

2020/2012(INL)

Draft opinion
Paragraph 1
1. Believes that any ethical framework shouldthere is a difference between ethics and law and the role they play in our societies; any framework of ethical principles for the development, deployment and use of Artificial Intelligence (AI), robotics and related technologies should complement the EU Charter of Fundamental Rights and thereby seek to respect human dignity and autonomy, prevent harm, promote fairness, and transparency, respect the principle of explicability of technologies; and guarantee that the technologies are there to serve people, with the ultimate aim of increasing human well-being for everybody;
2020/06/15
Committee: LIBE
Amendment 39 #

2020/2012(INL)

Draft opinion
Paragraph 2
2. SHighlights the power asymmetry between those who employ AI technologies and those who interact and are subject to them; in this context stresses the importance of developing an “ethics-by-default and by design” framework which fully respect the Charter of Fundamental Rights of the European Union, Union law and the Treaties;
2020/06/15
Committee: LIBE
Amendment 44 #

2020/2012(INL)

Draft opinion
Paragraph 3
3. Considers that the current Union legalislative framework will need to be updaon protection of privacy and personal data fully applies to AI, robotics and related technologies, however could benefit from being supplemented with guidingrobust ethical principlguidelines; points out that, where it would be premature to adopt legal acts, a soft law framework should be used;
2020/06/15
Committee: LIBE
Amendment 68 #

2020/2012(INL)

Draft opinion
Paragraph 5 b (new)
5b. Promotes Corporate Digital Responsibility on a voluntary basis; the EU should support corporations, who by choice use digital technologies and AI ethically within their companies; the EU should encourage corporations to become proactive by establishing a platform for companies to share their experiences with ethical digitalization, as well as coordinating the actions and strategies of participating companies;
2020/06/15
Committee: LIBE
Amendment 76 #

2020/2012(INL)

Draft opinion
Paragraph 6
6. Stresses that the protection of networks of interconnected AI and robotics mustis important, and strong measures must be taken to prevent security breaches, cyber- attacks and the misuse of personal data;
2020/06/15
Committee: LIBE
Amendment 78 #

2020/2012(INL)

Draft opinion
Paragraph 6 a (new)
6a. Calls for a comprehensive risk assessment of AI, robotics and related technologies in addition to the impact assessment provided by Article 35 GDPR (Article 27 of Directive (EU) 2016/680 and Article 39 of Regulation (EU) 2018/1725); the more impact an algorithm has, the more transparency, auditability, accountability and regulation is needed; where an algorithmic decision leads to a limitation of fundamental rights, there needs to be a very robust assessment in place; in highly critical fields - when health, freedom or human autonomy are directly endangered - the implementation of AI should be prohibited;
2020/06/15
Committee: LIBE
Amendment 91 #

2020/2012(INL)

Draft opinion
Paragraph 7
7. Notes that AI and robotic technology are used more and more in the area of law enforcement and border control could enhance public safety and security; stresses that its use must respect the principles of proportionality and necessity; , often with adverse effects on individuals when it comes to their rights to privacy, data protection and non- discrimination; stresses that the deployment and use of these technologies must respect the principles of proportionality and necessity, the Charter of Fundamental Rights, in particular the rights to data protection, privacy and non- discrimination, as well as the relevant secondary Union law such as EU data protection rules;
2020/06/15
Committee: LIBE
Amendment 98 #

2020/2012(INL)

Draft opinion
Paragraph 8
8. Stresses that AI and robotics are not immune from making mistakes and can easily have inherent bias; notes that biases can be inherent in the underlying datasets, especially when historical data is being used, introduced by the developers of the algorithms, or generated when the systems are implemented in the real world setting; considers the need for legislators to reflect upon the complex issue of liability in the context of criminal justice.
2020/06/15
Committee: LIBE
Amendment 139 #

2020/0361(COD)

Proposal for a regulation
Recital 12
(12) In order to achieve the objective of ensuring a safe, predictable and trusted online environment, for the purpose of this Regulation the concept of “illegal content” should be defined broadappropriately and also covers information relating to illegal content, products, services and activities where such information is itself illegal. In particular, that concept should be understood to refer to information, irrespective of its form, that under the applicable law is either itself illegal, such as illegal hate speech or terrorist content and unlawful discriminatory content, or that relates to activities that are illegal, such as the sharing of images depicting child sexual abuse, unlawful non- consensual sharing of private images, online stalking, the sale of non-compliant or counterfeit products, the non-authorised use of copyright protected material or activities involving infringements of consumer protection law. In this regard, it is immaterial whether the illegality of the information or activity results from Union law or from national law that is consistent with Union law and what the precise nature or subject matter is of the law in question.
2021/06/10
Committee: LIBE
Amendment 150 #

2020/0361(COD)

Proposal for a regulation
Recital 14
(14) The concept of ‘dissemination to the public’, as used in this Regulation, should entail the making available of information to a potentially unlimited number of persons, that is, making the information easily accessible to users in general without further action by the recipient of the service providing the information being required, irrespective of whether those persons actually access the information in question. The mere possibility to create groups of users of a given service should not, in itself, be understood to meanAccordingly, where access to information requires registration or admittance to a group of users, that the information disseminated in that manner is not disseminated to the public. However, the concept should exclude dissemination of information within closed groups consisting of a finite number of pre- determined personshould be considered to be disseminated to the public only where users seeking to access the information are automatically registered or admitted without a human decision or selection of whom to grant access. Interpersonal communication services, as defined in Directive (EU) 2018/1972 of the European Parliament and of the Council,39 such as emails or private messaging services, fall outside the scope of this Regulationare not considered disseminated to the public. Information should be considered disseminated to the public within the meaning of this Regulation only where that occurs upon the direct request by the recipient of the service that provided the information. _________________ 39Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (Recast), OJ L 321, 17.12.2018, p. 36
2021/06/10
Committee: LIBE
Amendment 153 #

2020/0361(COD)

Proposal for a regulation
Recital 18
(18) The exemptions from liability established in this Regulation should not apply where, instead of confining itself to providing the services neutrally, by a merely technical and automatic processing of the information provided by the recipient of the service, the provider of intermediary services plays an active role of such a kind as to give it the provider of intermediary services has knowledge of, or control over, that information. Those exemptions should accordingly not be available in respect of liability relating to information provided not by the recipient of the service but by the provider of intermediary service itself, including where the information has been developed under the editorial responsibility of that provider. The exemptions from liability established in this Regulation should not depend on uncertain notions such as an ‘active’, ‘neutral’ or ‘passive’ role of providers.
2021/06/10
Committee: LIBE
Amendment 158 #

2020/0361(COD)

Proposal for a regulation
Recital 22
(22) In order to benefit from the exemption from liability for hosting services, the provider should, upon obtaining actual knowledge or awareness of illegalafter having become aware of the unlawful nature of content, act expeditiously to remove or to disable access to that content. The removal or disabling of access should be undertaken in the observance of the principle of freedom of expression. The provider can obtain such actual knowledge or awareness through, in particular, its own-initiative investigations or notices submitted to it by individuals or entities in accordance with this Regulation in so far as those notices are sufficiently precise and adequately substantiated to allow a diligent economic operator to reasonably identify, assess and where appropriate act against the allegedly illegal content.
2021/06/10
Committee: LIBE
Amendment 281 #

2020/0361(COD)

Proposal for a regulation
Article 1 – paragraph 5 – point i a (new)
(i a) Directive 2002/58/EC.
2021/06/10
Committee: LIBE
Amendment 282 #

2020/0361(COD)

Proposal for a regulation
Article 1 – paragraph 5 – subparagraph 1 (new)
This Regulation shall not apply to matters relating to information society services covered by Regulation (EU) 2016/679and Directive 2002/58/EC.
2021/06/10
Committee: LIBE
Amendment 296 #

2020/0361(COD)

Proposal for a regulation
Article 2 a (new)
Article 2 a Digital privacy Where technically possible, a provider of an information society service shall enable the use of and payment for that service without collecting personal data of the recipient. A provider of an information society service shall process personal data concerning the use of the service by a recipient only to the extent strictly necessary to enable the recipient to use the service or to charge the recipient for the use of the service. An operator of an online platform shall be allowed to process personal data concerning the use of the service by a recipient for the sole purpose of operating a recommender system if the recipient has given his or her explicit consent, as defined in Article 4(11) of Regulation (EU) 2016/679. Member States shall not require a provider of information society services to retain personal data concerning the use of the service by all recipients. A provider of an information society service shall have the right to provide and support end-to-end encryption services.
2021/06/10
Committee: LIBE
Amendment 298 #

2020/0361(COD)

Proposal for a regulation
Article 3 – paragraph 3
3. This Article shall not affect the possibility for a court or administrative authority, in accordance with Member States' legal systems, of requiring the service provider to terminate or prevent an infringement.deleted
2021/06/10
Committee: LIBE
Amendment 305 #

2020/0361(COD)

Proposal for a regulation
Article 4 – paragraph 2
2. This Article shall not affect the possibility for a court or administrative authority, in accordance with Member States' legal systems, of requiring the service provider to terminate or prevent an infringement.
2021/06/10
Committee: LIBE
Amendment 313 #

2020/0361(COD)

Proposal for a regulation
Article 5 – paragraph 4
4. This Article shall not affect the possibility for a court or administrative authority, in accordance with Member States' legal systems, of requiring the service provider to terminate or prevent an infringement.
2021/06/10
Committee: LIBE
Amendment 315 #

2020/0361(COD)

Proposal for a regulation
Article 6 – title
Voluntary own-initiative investigations and lLegal compliance
2021/06/10
Committee: LIBE
Amendment 316 #

2020/0361(COD)

Proposal for a regulation
Article 6 – paragraph 1
Providers of intermediary services shall not be deemed ineligible for the exemptions from liability referred to in Articles 3, 4 and 5 solely because they carry out voluntary own-initiative investigations or other activities aimed at detecting, identifying and removing, or disabling of access to, illegal content, or take the necessatake the compulsory measures to comply with the requirements of Union law, including those set out in this Regulation.
2021/06/10
Committee: LIBE
Amendment 321 #

2020/0361(COD)

Proposal for a regulation
Article 7 – title
No general monitoring or, active fact- finding or automated content moderation obligations
2021/06/10
Committee: LIBE
Amendment 324 #

2020/0361(COD)

Proposal for a regulation
Article 7 – paragraph 1
No general obligation shall be imposed to monitor the information which providers of intermediary services transmit or store, nor actively to seek facts or circumstances indicating illegal activity shall be imposed on those providers.
2021/06/10
Committee: LIBE
Amendment 325 #

2020/0361(COD)

Proposal for a regulation
Article 7 – paragraph 1 a (new)
Providers of intermediary services shall not be obliged to use automated tools for content moderation.
2021/06/10
Committee: LIBE
Amendment 333 #

2020/0361(COD)

Proposal for a regulation
Article 8 – paragraph 1
1. Providers of intermediary services shall, upon the receipt of an, via a secure communications channel, of an authenticated order to act against a specific item of illegal content, issued by the relevanta national judicial or administrative authoritiesy, on the basis of the applicable Union or national law, in conformity with Union law, inform the authority issuing the order of the effect given to the orders, without undue delay, specifying the action taken and the moment when the action was taken.
2021/06/10
Committee: LIBE
Amendment 336 #

2020/0361(COD)

Proposal for a regulation
Article 8 – paragraph 2 – point a – indent 1
the identification details of the judicial authority issuing the order and a statement of reasons explaining why the information is illegal content, by reference to the specific provision of Union or national law infringed;
2021/06/10
Committee: LIBE
Amendment 340 #

2020/0361(COD)

Proposal for a regulation
Article 8 – paragraph 2 – point a – indent 3
— information about redress mechanisms available to the provider of the service and to the recipient of the service who provided the content;
2021/06/10
Committee: LIBE
Amendment 347 #

2020/0361(COD)

Proposal for a regulation
Article 8 – paragraph 2 – point a a (new)
(a a) the order is securely and easily authenticated;
2021/06/10
Committee: LIBE
Amendment 349 #

2020/0361(COD)

Proposal for a regulation
Article 8 – paragraph 2 – point b a (new)
(b a) the territorial scope of an order addressed to a provider that has its main establishment, or, if not established in the Union,its legal representation in another Member State is limited to the issuing Member State;
2021/06/10
Committee: LIBE
Amendment 351 #

2020/0361(COD)

Proposal for a regulation
Article 8 – paragraph 2 – point b b (new)
(b b) where addressed to a provider that has its main establishment outside the Union, the territorial scope of the order, where Union law is infringed, is limited to the territory of the Union or, where national law is infringed, to the territory of the Member State issuing the order;
2021/06/10
Committee: LIBE
Amendment 354 #

2020/0361(COD)

Proposal for a regulation
Article 8 – paragraph 3
3. The Digital Services Coordinator from the Member State of the judicial or administrative authority issuing the order shall, without undue delay, transmit a copy of the orders referred to in paragraph 1 to all other Digital Services Coordinators through the system established in accordance with Article 67.
2021/06/10
Committee: LIBE
Amendment 358 #

2020/0361(COD)

Proposal for a regulation
Article 8 – paragraph 4 a (new)
4 a. The Commission shall, by means of implementing acts, define a European technical standard for the secure communication channels that also provide for the authentication of the orders.
2021/06/10
Committee: LIBE
Amendment 360 #

2020/0361(COD)

Proposal for a regulation
Article 9 – paragraph 1
1. Providers of intermediary services shall, upon receipt of an, via a secure communications channel, of an authenticated order to provide a specific item of information about one or more specific individual recipients of the service, issued by the relevanta national judicial or administrative authoritiesy on the basis of the applicable Union or national law, in conformity with Union law, for the purpose of preventing serious threats to public security, inform without undue delay the authority of issuing the order of its receipt and the effect given to the order via a secure communications channel.
2021/06/10
Committee: LIBE
Amendment 364 #

2020/0361(COD)

Proposal for a regulation
Article 9 – paragraph 2 – point a – indent 1
the identification details of the judicial authority issuing the order, a statement of reasons explaining the objective for which the information is required and why the requirement to provide the information isthe grounds for the necessarity and proportionate to determine compliance by the recipielity of the request, taking due accounts of the intermediary services with applicable Union or national rules, unless such a statement cannot be provided for reasons related to the prevention, investigation, detection and prosecution of criminalits impact on the fundamental rights of the specific recipient of the service whose data is sought and the seriousness of the offences;
2021/06/10
Committee: LIBE
Amendment 369 #

2020/0361(COD)

Proposal for a regulation
Article 9 – paragraph 2 – point a – indent 1 a (new)
- a unique identifier of the recipients about whom information is sought;
2021/06/10
Committee: LIBE
Amendment 371 #

2020/0361(COD)

Proposal for a regulation
Article 9 – paragraph 2 – point a – indent 2
— information about redress mechanisms available to the provider and to the recipients of the service concerned;
2021/06/10
Committee: LIBE
Amendment 376 #

2020/0361(COD)

Proposal for a regulation
Article 9 – paragraph 2 – point a a (new)
(a a) the order is securely and easily authenticated;
2021/06/10
Committee: LIBE
Amendment 377 #

2020/0361(COD)

Proposal for a regulation
Article 9 – paragraph 2 – point a b (new)
(a b) the order is issued for the purpose of preventing serious threats to public security;
2021/06/10
Committee: LIBE
Amendment 378 #

2020/0361(COD)

Proposal for a regulation
Article 9 – paragraph 2 – point a c (new)
(a c) the order seeks information on a suspect or suspects of a serious threat to public security;
2021/06/10
Committee: LIBE
Amendment 379 #

2020/0361(COD)

Proposal for a regulation
Article 9 – paragraph 2 – point b
(b) the order only requires the provider to provide information already legally collected for the purposes of providing the service and which lies within its control;
2021/06/10
Committee: LIBE
Amendment 382 #

2020/0361(COD)

Proposal for a regulation
Article 9 – paragraph 3
3. The Digital Services Coordinator from the Member State of the national judicial or administrative authority issuing the order shall, without undue delay, transmit a copy of the order referred to in paragraph 1 to all Digital Services Coordinators through the system established in accordance with Article 67.
2021/06/10
Committee: LIBE
Amendment 383 #

2020/0361(COD)

Proposal for a regulation
Article 9 – paragraph 3 a (new)
3 a. The provider shall inform the recipient whose data is being sought without undue delay. As long as necessary and proportionate, in order to protect the fundamental rights of another person, the issuing judicial authority, taking into due account the impact of the request on the fundamental rights of the person whose data is sought, may request the provider to delay informing the recipient. Such a request shall be duly justified, specify the duration of the obligation of confidentiality and shall be subject to periodic review.
2021/06/10
Committee: LIBE
Amendment 384 #

2020/0361(COD)

Proposal for a regulation
Article 9 – paragraph 3 b (new)
3 b. This Article shall apply, mutatis mutandis, to competent administrative authorities ordering online platforms to provide the information listed in Article 22.
2021/06/10
Committee: LIBE
Amendment 385 #

2020/0361(COD)

Proposal for a regulation
Article 9 – paragraph 3 c (new)
3 c. Where information is sought for the purpose of criminal proceedings, Regulation (EU) 2021/XXXX on access to electronic evidence shall apply.
2021/06/10
Committee: LIBE
Amendment 386 #

2020/0361(COD)

Proposal for a regulation
Article 9 – paragraph 3 d (new)
3 d. Providers of intermediary services shall transfer the personal data on recipients of their service requested by public authorities only where the conditions of this article are met.
2021/06/10
Committee: LIBE
Amendment 387 #

2020/0361(COD)

Proposal for a regulation
Article 9 – paragraph 3 e (new)
3 e. The Commission shall, by means of implementing acts, establish a common European information exchange system with secure channels for the handling of authorised cross-border communications, authentication and transmission of the order referred to in paragraph 1 and, where applicable, of the requested data between the competent judicial authority and the provider.
2021/06/10
Committee: LIBE
Amendment 429 #

2020/0361(COD)

Proposal for a regulation
Article 13 a (new)
Article 13 a Online advertising transparency Providers of intermediary services that display advertising on their online interfaces shall ensure that the recipients of the service can identify, for each specific advertisement displayed to each individual recipient, in a clear, concise and unambiguous manner and in real time: (a) that the information displayed on the interface or parts thereof is an online advertisement, including through prominent and harmonised marking; (b) the natural or legal person on whose behalf the advertisement is displayed and the natural or legal person who finances the advertisement; (c) clear, meaningful and uniform information about the parameters used to determine the recipient to whom the advertisement is displayed; and (e) if the advertisement was displayed using an automated tool and the identity of the person responsible for that tool. 2. The Commission shall adopt an implementing act establishing harmonised specifications for the marking referred to in paragraph 1(a)of this Article. 3. Providers of intermediary services shall inform the natural or legal person on whose behalf the advertisement is displayed where the advertisement has been displayed. They shall also inform public authorities, upon their request. 4. Providers of intermediary services that display advertising on their online interfaces shall be able to give easy access to public authorities, NGOs, and researchers, upon their request, to information related to direct and indirect payments or any other remuneration received to display the corresponding advertisement on their online interfaces.
2021/06/10
Committee: LIBE
Amendment 431 #

2020/0361(COD)

Proposal for a regulation
Article 13 b (new)
Article 13 b Targeting of digital advertising 1. Providers of intermediary services shall not collect or process personal data as defined by Regulation (EU) 2016/679 for the purpose of showing digital advertising to recipients of their service, of other information society services, or directly to the public. 2. Providers of intermediary services may show targeted digital advertising based on contextual information. 3. The use of the contextual information referred to in paragraph 2 shall be permissible only if it does not allow for the direct or indirect identification of a natural person, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2021/06/10
Committee: LIBE
Amendment 432 #

2020/0361(COD)

Proposal for a regulation
Article 13 c (new)
Article 13 c Recipients’ consent for advertising practices 1. Providers of intermediary services shall not, by default, subject the recipients of their services to targeted, micro-targeted and behavioural advertisement, unless the recipient of the service has expressed a freely given, specific, informed and unambiguous consent to receiving such advertising. Providers of intermediary services shall ensure that recipients of services can easily make an informed choice when expressing their consent by providing them with meaningful information about the use of their personal data. 2. When processing personal data for targeted, micro-targeted and behavioural advertising, where consent has been received, online intermediaries shall comply with relevant Union law and shall not engage in activities that can lead to pervasive tracking, such as disproportionate combination of data collected by platforms, or disproportionate processing of special categories of personal data. 3. Providers of intermediary services shall organise their online interface in a way that provides clear information regarding the advertising parameters and allows the recipients of services to easily and efficiently access and modify those advertising parameters. Providers of intermediary services shall regularly monitor the use of advertising parameters by the recipients of services and make improvements to their use where necessary.
2021/06/10
Committee: LIBE
Amendment 442 #

2020/0361(COD)

Proposal for a regulation
Article 14 – paragraph 2 – point c
(c) the name and an electronic mail address of the individual or entity submitting the notice, except in the case of information considered to involve one of the offences referred to in Articles 3 to 7 of Directive 2011/93/EU;deleted
2021/06/10
Committee: LIBE
Amendment 447 #

2020/0361(COD)

Proposal for a regulation
Article 14 – paragraph 3
3. Notices that include the elements referred to in paragraph 2 shall be considered to give rise to actual knowledge or awareness for the purposes of Article 5 in respect of the specific item of information concernedThe individual or entity submitting the notice may choose to provide their name and an electronic mail address that shall not be disclosed to the content provider except in cases of alleged violations of intellectual property rights.
2021/06/10
Committee: LIBE
Amendment 449 #

2020/0361(COD)

4 a. Upon receipt of the notice and using available contact details, the service provider shall notify the provider of the information regarding the elements referred to in paragraph 2 and give them the opportunity to reply before taking a decision.
2021/06/10
Committee: LIBE
Amendment 450 #

2020/0361(COD)

Proposal for a regulation
Article 14 – paragraph 4 b (new)
4 b. Notified information shall remain accessible until a decision is taken in respect of that information.
2021/06/10
Committee: LIBE
Amendment 451 #

2020/0361(COD)

Proposal for a regulation
Article 14 – paragraph 4 c (new)
4 c. The provider shall ensure that decisions on notices are taken by qualified staff, to whom adequate initial and ongoing training on the applicable legislation and fundamental rights standards as well as appropriate working conditions are to be provided, including, where necessary, the opportunity to seek qualified legal advice.
2021/06/10
Committee: LIBE
Amendment 453 #

2020/0361(COD)

Proposal for a regulation
Article 14 – paragraph 5
5. The provider shall also, without undue delay, notify thate individual or entity that provided the notification, as well as the provider or the information, of its decision in respect of the information to which the notice relates, as well as providing information on the redress possibilities in respect of that decision.
2021/06/10
Committee: LIBE
Amendment 459 #

2020/0361(COD)

Proposal for a regulation
Article 14 – paragraph 6
6. Providers of hosting services shall process any notices that they receive under the mechanisms referred to in paragraph 1, and take their decisions in respect of the information to which the notices relate, in a timely, diligent and objectivenon-arbitrary manner. Where they use automated means for that processing or decision-making, they shall include information on such useuse of such automated means in the notification referred to in paragraph 4.
2021/06/10
Committee: LIBE
Amendment 467 #

2020/0361(COD)

Proposal for a regulation
Article 15 – paragraph 1
1. Where a provider of hosting services decides to remove or disable access to specific items of information provided by the recipients of the service, irrespective of the means used for detecting, identifying or removing or disabling access to that information and of the reason for its decisionit, and where the notifier chose to provide contact details, it shall inform the recipientm, at the latest at the time of the removal or disabling of access, of the decision and provide a clear and specific statement of reasons for that decision.
2021/06/10
Committee: LIBE
Amendment 475 #

2020/0361(COD)

Proposal for a regulation
Article 15 – paragraph 2 – point c
(c) where applicable, information on the use made of automated means used in taking the decision, including where the decision was taken in respect of content detected or identified using automated means;
2021/06/10
Committee: LIBE
Amendment 483 #

2020/0361(COD)

Proposal for a regulation
Article 15 a (new)
Article 15 a Content moderation 1. Providers of hosting services shall not use ex-ante control measures based on automated tools or upload-filtering of content for content moderation. Where providers of hosting services otherwise use automated tools for content moderation, they shall ensure that qualified staff decide on any action to be taken and that legal content which does not infringe the terms and conditions set out by the providers is not affected. The provider shall ensure that adequate initial and ongoing training on the applicable legislation and international human rights standards as well as appropriate working conditions are provided to staff, including, where necessary, the opportunity to seek professional support, qualified psychological assistance and qualified legal advice. This paragraph shall not apply where information has likely been provided by automated tools. 2. Providers of hosting services shall act in a fair, transparent, coherent, predictable, non-discriminatory, diligent, non-arbitrary and proportionate manner when moderating content, with due regard to the rights and legitimate interests of all parties involved, including the fundamental rights of the recipients of the service as enshrined in the Charter.
2021/06/10
Committee: LIBE
Amendment 515 #

2020/0361(COD)

Proposal for a regulation
Article 18 – paragraph 1 – subparagraph 1
The first subparagraph is without prejudice to the right of the recipient concerned to seek redress against the decision before a court in accordance with the applicable law.
2021/06/10
Committee: LIBE
Amendment 519 #

2020/0361(COD)

Proposal for a regulation
Article 18 – paragraph 2 – point a a (new)
(a a) it includes legal experts;
2021/06/10
Committee: LIBE
Amendment 521 #

2020/0361(COD)

Proposal for a regulation
Article 18 – paragraph 2 – point b
(b) it has the necessary expertise in relation to the issues arising issues concerning one or more particular areas of illegal content, or in relation to the application and enforcement of terms and conditions of one or more types of online platforms, therefore allowing the body to contribute effectively to the settlement of a dispute;
2021/06/10
Committee: LIBE
Amendment 522 #

2020/0361(COD)

Proposal for a regulation
Article 18 – paragraph 2 – point d
(d) it is capable of settling disputes in a swift, efficient and cost-effective manner and in at least one official language of the Union;
2021/06/10
Committee: LIBE
Amendment 527 #

2020/0361(COD)

Proposal for a regulation
Article 18 – paragraph 3 – subparagraph 2
Certified out-of-court dispute settlement bodies shall make the fees, or the mechanisms used to determine the fees, known to the recipient of the services and the online platform concerned before engaging in the dispute settlementpublicly available.
2021/06/10
Committee: LIBE
Amendment 550 #

2020/0361(COD)

Proposal for a regulation
Article 19 – paragraph 5
5. Where an online platform has information indicating that a trusted flagger submitted a significant number of insufficiently precise or, inadequately substantiated noticesor incorrect notices, or notices regarding legal content, through the mechanisms referred to in Article 14, including information gathered in connection to the processing of complaints through the internal complaint-handling systems referred to in Article 17(3), it shall communicate that information to the Digital Services Coordinator that awarded the status of trusted flagger to the entity concerned, providing the necessary explanations and supporting documents.
2021/06/10
Committee: LIBE
Amendment 553 #

2020/0361(COD)

Proposal for a regulation
Article 19 – paragraph 6
6. The Digital Services Coordinator that awarded the status of trusted flagger to an entity shall revoke that status if it determines, following an investigation either on its own initiative or on the basis information received byfrom third parties, including the information provided by an online platform pursuant to paragraph 5, that the entity no longer meets the conditions set out in paragraph 2. Before revoking that status, the Digital Services Coordinator shall afford the entity an opportunity to react to the findings of its investigation and its intention to revoke the entity’s status as trusted flagger
2021/06/10
Committee: LIBE
Amendment 558 #

2020/0361(COD)

Proposal for a regulation
Article 20 – paragraph 1
1. Online platforms shall suspend, for a reasonable period of time and after having issued a prior warning, the provision of their services to recipients of the service that frequently provide manifestly illegal contenthas received two or more orders to act regarding illegal content in the previous 12 months.
2021/06/10
Committee: LIBE
Amendment 569 #

2020/0361(COD)

Proposal for a regulation
Article 20 – paragraph 3 – point a
(a) the absolute numbers of items of manifestly illegal contentsuspensions of service and items orf manifestly unfounded notices or complaints, submitted in the past year;
2021/06/10
Committee: LIBE
Amendment 580 #

2020/0361(COD)

Proposal for a regulation
Article 21 – paragraph 1
1. Where an online platform becomes aware of any information giving rise to a suspicion that a serious criminal offence involving a threat to the life or safety of persons has taken place, is taking place or is likely to take placeis imminent, it shall promptly inform the law enforcement or judicial authorities of the Member State or Member States concerned of its reasoned suspicion and provide all relevantthe information availablegiving rise to it.
2021/06/10
Committee: LIBE
Amendment 585 #

2020/0361(COD)

For the purpose of this Article, the Member State concerned shall be the Member State where the offence is suspected to have taken place, be taking place andor likely to take place, or the Member State where thea suspected offender resides or is located, or the Member State where thea victim of the suspected offence resides or is located.
2021/06/10
Committee: LIBE
Amendment 588 #

2020/0361(COD)

Proposal for a regulation
Article 22 – paragraph 1 – point b
(b) a copy of the identification document of the trader or any other electronic identification as defined by Article 3 of Regulation (EU) No 910/2014 of the European Parliament and of the Council50 ; _________________ 50 Regthe number of suspensions imposed pursuant to Article 20, distinguishing between suspensions enacted after the receipt of mulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/ECple orders to act, the submission of manifestly unfounded notices and the submission of manifestly unfounded complaints;
2021/06/10
Committee: LIBE
Amendment 623 #

2020/0361(COD)

Proposal for a regulation
Article 26 – paragraph 1 – introductory part
1. Very large online platforms shall identify, analyse and assess, from the date of application referred to in the second subparagraph of Article 25(4), at least once a year thereafter,on an ongoing basis, the probability and severity of any significant systemic risks stemming from the design, functioning and use made of their services in the Union. This risk assessment shall be specific to their services and shall include the following systemic risks:
2021/06/10
Committee: LIBE
Amendment 624 #

2020/0361(COD)

Proposal for a regulation
Article 26 – paragraph 1 – point b
(b) any negative effects for the exercise of the fundamental rights to respect for private and family life, freedom of expression and information, the prohibition ofprivacy, protection of personal data, discrimination, equality and the rights of the child,ren as enshprescrinbed in Articles 7, 11, 21 and 24 of the Charter respectivelyUnion or Member State law;
2021/06/10
Committee: LIBE
Amendment 628 #

2020/0361(COD)

Proposal for a regulation
Article 26 – paragraph 1 – point c
(c) malfunctioning or intentional manipulation of their service, including by means of inauthentic use, undisclosed paid influence, or automated exploitation of the service, with an actual or foreseeable negative effect on the protection of public health, minors, and other categories of vulnerable service users, civic discourse, or actual or foreseeable effects related to electoral processes and public security.
2021/06/10
Committee: LIBE
Amendment 633 #

2020/0361(COD)

Proposal for a regulation
Article 26 – paragraph 2
2. When conducting risk assessments, very large online platforms shall take into account, in particular, how their content moderation systems, recommender systems and systems for selecting, targeting, and displaying advertisement influence any of the systemic risks referred to in paragraph 1, including the potentially rapid and wide dissemination of illegal content and of information that is incompatible with their terms and conditions.
2021/06/10
Committee: LIBE
Amendment 636 #

2020/0361(COD)

Proposal for a regulation
Article 27 – title
Mitigation of riskSpecific measures
2021/06/10
Committee: LIBE
Amendment 639 #

2020/0361(COD)

Proposal for a regulation
Article 27 – paragraph 1 – introductory part
1. Very large online platforms shall put in place transparent, reasonable, proportionate and effective mitigation measures, tailored to the specific systemic risks identified pursuant to Article 26. Such measures mayshall include, where applicable:
2021/06/10
Committee: LIBE
Amendment 643 #

2020/0361(COD)

Proposal for a regulation
Article 27 – paragraph 1 – introductory part
1. Very large online platforms shallmay put in place reasonable, proportionate and effective mitigationspecific measures, tailored to the specific systemic risks identified pursuant to Article 26o address the dissemination of illegal content through their services. Such measures may include, where applicable:
2021/06/10
Committee: LIBE
Amendment 646 #

2020/0361(COD)

Proposal for a regulation
Article 27 – paragraph 1 – point a a (new)
(a a) appropriate technical and operational measures or capacities, such as appropriate staffing or technical means to expeditiously remove or disable access to illegal content the platform is aware of, or has received an order to act upon;
2021/06/10
Committee: LIBE
Amendment 647 #

2020/0361(COD)

Proposal for a regulation
Article 27 – paragraph 1 – point a b (new)
(a b) easily accessible and user-friendly mechanisms for users to report or flag allegedly illegal content, and mechanisms for user moderation;
2021/06/10
Committee: LIBE
Amendment 651 #

2020/0361(COD)

Proposal for a regulation
Article 27 – paragraph 1 – point c
(c) reinforcing the internal processes or supervision of any of their activities in particular as regards detection of systemic risk;
2021/06/10
Committee: LIBE
Amendment 655 #

2020/0361(COD)

Proposal for a regulation
Article 27 – paragraph 1 – point e
(e) initiating or adjusting cooperation with other online platforms through the codes of conduct and the crisis protocols referred to in Article 35 and 37 respectively.deleted
2021/06/10
Committee: LIBE
Amendment 658 #

2020/0361(COD)

Proposal for a regulation
Article 27 – paragraph 1 – point e
(e) initiating or adjusting cooperation with other online platforms and stakeholders through the codes of conduct and the crisis protocols referred to in Article 35 and 37 respectively.
2021/06/10
Committee: LIBE
Amendment 660 #

2020/0361(COD)

Proposal for a regulation
Article 27 – paragraph 1 a (new)
1 a. Where a very large online platform decides not to put in place any of the mitigating measures listed in article 27.1, it shall provide a written explanation that describes the reasons why those measures were not put in place, which shall be provided to the independent auditors in order to prepare the audit report in article 28.3.
2021/06/10
Committee: LIBE
Amendment 662 #

2020/0361(COD)

Proposal for a regulation
Article 27 – paragraph 2
2. The Board, in cooperation with the Commission, shall publish comprehensive reports, once a year, which shall include the following: (a) identification and assessment of the most prominent and recurrent systemic risks reported by very large online platforms or identified through other information sources, in particular those provided in compliance with Article 31 and 33; (b) best practices for very large online platforms to mitigate the systemic risks identified.deleted
2021/06/10
Committee: LIBE
Amendment 670 #

2020/0361(COD)

Proposal for a regulation
Article 27 – paragraph 2 – point b
(b) best practices and recommendations for very large online platforms to effectively mitigate the systemic risks identified.
2021/06/10
Committee: LIBE
Amendment 675 #

2020/0361(COD)

Proposal for a regulation
Article 27 – paragraph 3
3. The Commission, in cooperation with the Digital Services Coordinators, may issue general guidelinerecommendations on the application of paragraph 1 in relation to specific risks, in particular to present best practices and recommendpropose possible measures, having due regard to the possible consequences of the measures on fundamental rights enshrined in the Charter of all parties involved. When preparing those guidelinerecommendations the Commission shall organise public consultations.
2021/06/10
Committee: LIBE
Amendment 676 #

2020/0361(COD)

Proposal for a regulation
Article 27 – paragraph 3 a (new)
3 a. After establishing that a very large online platform has received a substantial number of orders to act, the competent Digital Services Coordinator may request necessary, proportionate and effective additional specific measures that the platform is obliged to implement. The competent Digital Services Coordinator shall not impose a general monitoring obligation or the use of automated tools. The request shall take into account, in particular, the technical feasibility of the measures, the size and economic capacity of the platform and the effect of such measures on the fundamental rights of the users and on the freedom of expression and the freedom to receive and impart information and ideas in an open and democratic society. Such a request shall be sent by the Digital Services Coordinator of the Member State in which the platform has its main establishment, or, if not established in the Union, its legal representative. The platform may, at any time, request the competent Digital Services Coordinator to review and, where appropriate, revoke such request.
2021/06/10
Committee: LIBE
Amendment 678 #

2020/0361(COD)

Proposal for a regulation
Article 28 – paragraph 1 – introductory part
1. Very large online platforms shall be subject, at their own expense and at least once a year, to external independent audits to assess compliance with the following:
2021/06/10
Committee: LIBE
Amendment 679 #

2020/0361(COD)

Proposal for a regulation
Article 28 – paragraph 1 – introductory part
1. Very large online platforms shall be subject, at their own expense and at least once a year, to independent audits to assess compliance with the following:
2021/06/10
Committee: LIBE
Amendment 681 #

2020/0361(COD)

Proposal for a regulation
Article 28 – paragraph 1 – introductory part
1. Very large online platforms shall be subject, at their own expense and at least once a year, to audits to assess compliance with the following:
2021/06/10
Committee: LIBE
Amendment 684 #

2020/0361(COD)

Proposal for a regulation
Article 28 – paragraph 1 – point a
(a) Compliance with the obligations set out in Chapter III;
2021/06/10
Committee: LIBE
Amendment 685 #

2020/0361(COD)

Proposal for a regulation
Article 28 – paragraph 1 – point a a (new)
(a a) Adequacy of the risk assessment undertaken pursuant to Article 26.1 and the corresponding risk mitigation measures undertaken pursuant to Article 27.1;
2021/06/10
Committee: LIBE
Amendment 686 #

2020/0361(COD)

Proposal for a regulation
Article 28 – paragraph 1 – point b
(b) Compliance with any commitments undertaken pursuant to the codes of conduct referred to in Articles 35 and 36 and the crisis protocols referred to in Article 37.
2021/06/10
Committee: LIBE
Amendment 687 #

2020/0361(COD)

Proposal for a regulation
Article 28 – paragraph 1 – point b
(b) any commitments undertaken pursuant to the codes of conduct referred to in Articles 35 and 36 and the crisis protocols referred to in Article 37and self- or co-regulatory actions that they have undertaken.
2021/06/10
Committee: LIBE
Amendment 688 #

2020/0361(COD)

Proposal for a regulation
Article 28 – paragraph 2 – introductory part
2. Audits performed pursuant to paragraph 1 shall be performed by expert organisations, previously vetted by the Board, which:
2021/06/10
Committee: LIBE
Amendment 689 #

2020/0361(COD)

Proposal for a regulation
Article 28 – paragraph 2 – introductory part
2. Audits performed pursuant to paragraph 1 shall be performed by organisations, vetted by the Board, which:
2021/06/10
Committee: LIBE
Amendment 690 #

2020/0361(COD)

Proposal for a regulation
Article 28 – paragraph 2 – point a
(a) are independent from the very large online platform concerned as well as from other very large online platforms;
2021/06/10
Committee: LIBE
Amendment 691 #

2020/0361(COD)

Proposal for a regulation
Article 28 – paragraph 2 – point a
(a) are independent from and do not have conflicts of interest with the very large online platform concerned;
2021/06/10
Committee: LIBE
Amendment 692 #

2020/0361(COD)

Proposal for a regulation
Article 28 – paragraph 2 – point b
(b) have provendemonstrated expertise in the area of risk management, technical competence and capabilities, and, where applicable, can demonstrably draw upon expertise in fields related to the risks investigated or related research methodologies;
2021/06/10
Committee: LIBE
Amendment 693 #

2020/0361(COD)

Proposal for a regulation
Article 28 – paragraph 2 – point c
(c) have provendemonstrated objectivity and professional ethics, based in particular on adherence to relevant codes of practice or appropriate standards.
2021/06/10
Committee: LIBE
Amendment 694 #

2020/0361(COD)

Proposal for a regulation
Article 28 – paragraph 3 – introductory part
3. The organisations that perform the audits shall establish an meaningful, granular, comprehensive and independent audit report for each audit. The report shall be in writing and include at least the following:
2021/06/10
Committee: LIBE
Amendment 695 #

2020/0361(COD)

Proposal for a regulation
Article 28 – paragraph 3 – introductory part
3. The organisations that perform the audits shall establish an meaningful, granular, comprehensive audit report for each audit. The report shall be in writing and include at least the following:
2021/06/10
Committee: LIBE
Amendment 696 #

2020/0361(COD)

Proposal for a regulation
Article 28 – paragraph 3 – point d
(d) a description of the main findings drawn from the audit and a summary of the main findings;
2021/06/10
Committee: LIBE
Amendment 697 #

2020/0361(COD)

Proposal for a regulation
Article 28 – paragraph 3 – point d a (new)
(d a) a description of specific elements that could not be audited to the auditor’s satisfaction, and an explanation of why these elements could not be audited;
2021/06/10
Committee: LIBE
Amendment 698 #

2020/0361(COD)

Proposal for a regulation
Article 28 – paragraph 3 – point d b (new)
(d b) a description of the third-parties consulted to inform the audit;
2021/06/10
Committee: LIBE
Amendment 699 #

2020/0361(COD)

Proposal for a regulation
Article 28 – paragraph 3 – point e
(e) an audit opinion on whether the very large online platform subject to the audit meaningfully complied with the obligations and with the commitments referred to in paragraph 1, either positive, positive with comments or negative;
2021/06/10
Committee: LIBE
Amendment 704 #

2020/0361(COD)

Proposal for a regulation
Article 28 – paragraph 4
4. Very large online platforms receiving an audit report that is not positive shall take due account of any operationalshall ensure auditors have access to all relevant information to perform their duties. Very large online platforms receiving an audit report that contains evidence of wrongdoings shall ensure to apply the recommendations addressed to them with a view to take all the necessary measures to implement them. They shall, within one month from receiving those recommendations, adopt an audit implementation report setting out those measures. Where they do not implement the operational recommendations, they shall justify in the audit implementation report the reasons for not doing so and set out any alternative measures they may have taken to address any instances of non- compliance identified.
2021/06/10
Committee: LIBE
Amendment 705 #

2020/0361(COD)

Proposal for a regulation
Article 28 – paragraph 4 – subparagraph 1 (new)
Auditors shall submit their audit report to the Board at the same time as the very large online platform concerned. Within a reasonable period of time, the Board shall issue recommendations, monitor the implementation of the report and suggest the adoption of sanctions by the competent Digital Service Coordinator when the very large online platform fails to abide by the Regulation.
2021/06/10
Committee: LIBE
Amendment 706 #

2020/0361(COD)

Proposal for a regulation
Article 28 – paragraph 4 – point 1 (new)
(1) The Board, after consulting stakeholders and the Commission, shall publish guidelines about how audits should be conducted by the auditors, how they should be implemented by very large online platforms and how authorities will monitor and enforce the Regulation in this regard.
2021/06/10
Committee: LIBE
Amendment 707 #

2020/0361(COD)

Proposal for a regulation
Article 28 – paragraph 4 – point 2 (new)
(2) The Board shall publish and regularly update a list of vetted auditors that very large online platforms can resort to. The Board shall publish and regularly review detailed criteria auditors need to meet.
2021/06/10
Committee: LIBE
Amendment 709 #

2020/0361(COD)

Proposal for a regulation
Article 29 – paragraph 1
1. Very large online platforms that use recommender systems shall set out in their terms and conditions, in a clear, accessible and easily comprehensible manner, meaningful information about the logic involved and the main parameters used in their recommender systems, as well as any options for the recipients of the service to modify or influence those main parameters that they may have made available, including the provision of at least one option which is not based on profiling, within the meaning of Article 4 (4) of Regulation (EU) 2016/679. Basing recommender systems on profiling shall require the explicit consent of the recipient, as defined in Article 4, point (11), of Regulation (EU) 2016/679.
2021/06/10
Committee: LIBE
Amendment 716 #

2020/0361(COD)

Proposal for a regulation
Article 29 – paragraph 1 a (new)
1 a. Very large online platforms that use recommender systems shall allow the recipient of the service to have information presented to them in a chronological order only and alternatively, where technically possible, to use third-party recommender systems. Third-party recommender systems shall have access to the same information that is available to the recommender systems used by the platform.
2021/06/10
Committee: LIBE
Amendment 738 #

2020/0361(COD)

Proposal for a regulation
Article 31 – paragraph 2
2. Upon a reasoned request from the Digital Services Coordinator of establishment or the Commission, very large online platforms shall, within a reasonable period, as specified in the request, provide access to data to vetted researchers who meet the requirements in paragraphs 4 of this Article, for the sole purpose of conducting research that contributes to the identification and understanding of systemic risks as set out in Article 26(1)in the public interest.
2021/06/10
Committee: LIBE
Amendment 743 #

2020/0361(COD)

Proposal for a regulation
Article 31 – paragraph 3
3. Very large online platforms shall provide access to data pursuant to paragraphs 1 and 2 through online databases or application programming interfaces, as appropriate. This shall include personal data only where it is lawfully accessible by the public.
2021/06/10
Committee: LIBE
Amendment 758 #

2020/0361(COD)

Proposal for a regulation
Article 31 – paragraph 7 a (new)
7 a. Upon completion of their research, the vetted researchers, who have been granted access to the data, shall publish their findings.
2021/06/10
Committee: LIBE
Amendment 760 #

2020/0361(COD)

Proposal for a regulation
Article 32 – paragraph 2
2. Very large online platforms shall only designate as compliance officers persons who have the professional qualifications, knowledge, experience and ability necessary to fulfil the tasks referred to in paragraph 3 as compliance officers. Compliance officers may either be staff members of, or fulfil those tasks on the basis of a contract with, the very large online platform concerned.
2021/06/10
Committee: LIBE
Amendment 765 #

2020/0361(COD)

Proposal for a regulation
Article 33 – paragraph 2 – point a
(a) a report setting out the results of the risk assessment pursuant to Article 26;deleted
2021/06/10
Committee: LIBE
Amendment 766 #

2020/0361(COD)

Proposal for a regulation
Article 33 – paragraph 2 – point b
(b) the related risk mitigation measures identified andspecific measures implemented pursuant to Article 27;
2021/06/10
Committee: LIBE
Amendment 769 #

2020/0361(COD)

Proposal for a regulation
Article 33 a (new)
Article 33 a Interoperability 1. By 31 December 2024 very large online platforms shall make the main functionalities of their services interoperable with other online platforms to enable cross-platform exchange of information. This obligation shall not limit, hinder or delay their ability to solve security issues. Very large online platforms shall publicly document all application programming interfaces they make available. 2. The Commission shall adopt implementing measures specifying the nature and scope of the obligations set out in paragraph 1.
2021/06/10
Committee: LIBE
Amendment 782 #

2020/0361(COD)

Proposal for a regulation
Article 36 – paragraph 1
1. The Commission shall encourage 1. and facilitate the drawing up of codes of conduct at Union level between, online platforms and other relevant service providers, such as providers of online advertising intermediary services or organisations representing recipients of the service and civil society organisations or relevant authorities to contribute to further transparency in online advertising beyond the requirements of Articles 13a (new), 24 and 30.
2021/06/10
Committee: LIBE
Amendment 783 #

2020/0361(COD)

Proposal for a regulation
Article 36 – paragraph 2 – introductory part
2. The Commission shall aim to ensure that the codes of conduct pursue an effective transmission of information, in full respect for the rights and interests of all parties involved, and a competitive, transparent and fair environment in online advertising, in accordance with Union and national law, in particular on competition and the protection of privacy and personal data. The Commission shall aim to ensure that the codes of conduct address at least:
2021/06/10
Committee: LIBE
Amendment 784 #

2020/0361(COD)

Proposal for a regulation
Article 36 – paragraph 2 – point a
(a) the transmission of information held by providers of online advertising intermediaries to recipients of the service with regard to requirements set in Articles 13a(new), 13b(new) and points (b) and (c) of Article 24;
2021/06/10
Committee: LIBE
Amendment 786 #

2020/0361(COD)

Proposal for a regulation
Article 37
[...]deleted
2021/06/10
Committee: LIBE
Amendment 799 #

2020/0361(COD)

Proposal for a regulation
Article 41 – paragraph 1 – point a
(a) the power to require those providers, as well as any other persons acting for purposes related to their trade, business, craft or profession that may reasonably be aware of information relating to a suspected infringement of this Regulation, including, organisations performing the audits referred to in Articles 28 and 50(3), to provide such information within a reasonable time period, with the exception of information covered by professional secrecy requirements;
2021/06/10
Committee: LIBE
Amendment 812 #

2020/0361(COD)

Proposal for a regulation
Article 44 – paragraph 2 – point a
(a) the number and subject matter of orders to act against illegal content and orders to provide information issued in accordance with Articles 8 and 9 by any national judicial or administrative authority of the Member State of the Digital Services Coordinator concerned;
2021/06/10
Committee: LIBE
Amendment 95 #

2020/0359(COD)

Proposal for a directive
Recital 7
(7) With the repeal of Directive (EU) 2016/1148, the scope of application by sectors should be extended to a larger part of the economy in light of the considerations set out in recitals (4) to (6). The sectors covered by Directive (EU) 2016/1148 should therefore be extended to provide a comprehensive coverage of the sectors and services of vital importance for key societal and economic activities within the internal market. The ruleisk management requirements and reporting obligations should not be different according to whether the entities are operators of essential services or digital service providers. That differentiation has proven obsolete, since it does not reflect the actual importance of the sectors or services for the societal and economic activities in the internal market.
2021/06/03
Committee: ITRE
Amendment 97 #

2020/0359(COD)

Proposal for a directive
Recital 11
(11) Depending on the sector in which they operate or the type of service they provide, the entities falling within the scope of this Directive should be classified into two categories: essential and important. That categorisation should take into account the level of criticality of the sector or of the type of service, as well as the level of dependency of other sectors or types of services. Both essential and important entities should be subject to the same risk management requirements and reporting obligations. The supervisory and penalty regimes between these two categories of entities should be differentiated to ensure a fair balance between requirements and obligations on one hand, and the administrative burden stemming from the supervision of compliance on the other hand. The provisions of this Directive apply to entities with complex business models or operating environments, whereby an entity may simultaneously fulfil the criteria assigned to both essential and important entities. In order to enable the effective supervision and enforcement of risk management measures and reporting obligations for entities falling within the scope of this Directive, competent authorities or CSIRTs shall enforce the provisions of this Directive to a function or unit level within an entity, in order to appropriately and sufficiently address the level of criticality.
2021/06/03
Committee: ITRE
Amendment 102 #

2020/0359(COD)

Proposal for a directive
Recital 12
(12) Sector-specific legislation and instruments can contribute to ensuring high levels of cybersecurity, while taking full account of the specificities and complexities of those sectors. Sector- specific legislation and instruments that require essential or important entities to adopt cybersecurity risk management measures, or impose reporting obligations for significant incidents, shall, where possible, be consistent with the terminology, and refer to the definitions in Article 4 of this Directive. Where a sector–specific Union legal act requires essential or important entities to adopt cybersecurity risk management measures or to notify incidents or significant cyber threats of at least an equivalent effect to the obligations laid down in this Directive, and apply to the entirety of the security aspects of the operations and services provided by essential and important entities, those sector-specific provisions, including on supervision and enforcement, should apply. The Commission may issue guidelines in relation to the implementation of the lex specialis. This Directive does not preclude the adoption of additional sector- specific Union acts addressing cybersecurity risk management measures and incident notifications. This Directive is without prejudice to the existing implementing powers that have been conferred to the Commission in a number of sectors, including transport and energy.
2021/06/03
Committee: ITRE
Amendment 108 #

2020/0359(COD)

Proposal for a directive
Recital 15
(15) Upholding and preserving a reliable, resilient and secure domain name system (DNS) is a key factor in maintaining the integrity of the Internet and is essential for its continuous and stable operation, on which the digital economy and society depend. Therefore, this Directive should apply to all providers of DNS services along the DNS resolution chain, including operators of root name servers, top-level-domain (TLD) name servers, authoritative nametop-level- domain (TLD) name servers, public and open recursive domain name resolution services, and authoritative domain name resolution services. This Directive should not apply to decentralised servicers for domain names and recursive resolwhich centralised administration does not exist, such as the root name servers.
2021/06/03
Committee: ITRE
Amendment 111 #

2020/0359(COD)

Proposal for a directive
Recital 17 a (new)
(17a) The edge ecosystem is an emerging vector susceptible to cyber threats and a growing trend with attacks targeting devices — such as routers, switches, and firewalls — is having a significant impact to both enterprises and to the connected digital ecosystem in its entirety. Edge computing ecosystems delivered in a highly distributed form are essential for the development of the Internet of Things (IoT), the Industrial Internet of Things (IIoT) and the sectoral ecosystems of connected devices such as connectivity infrastructure and autonomous vehicles. IoT devices may potentially offer additional attack surfaces and allow threats and attacks to trickle from the device to the network or the cloud. Poor security of IoT devices or IoT gateways can potentially hinder the security of the entire connectivity chain and the data flows towards the edge and the cloud, consequentially affecting the overall security of the ecosystem.
2021/06/03
Committee: ITRE
Amendment 112 #

2020/0359(COD)

Proposal for a directive
Recital 17 b (new)
(17b) The continuous increase of computing power combined with the rising levels of maturity of exponential technologies such as machine learning (ML) and artificial intelligence (AI) enable the development of advanced cybersecurity capabilities for real-time detection, analysis, containment and response to cyber threats in a rapidly evolving threat landscape. AI tools and applications are used to develop security controls including, but not limited to, active firewalls, smart antivirus, automated CTI (cyber threat intelligence) operations, AI fuzzing, smart forensics, email scanning, adaptive sandboxing, and automated malware analysis.
2021/06/03
Committee: ITRE
Amendment 113 #

2020/0359(COD)

Proposal for a directive
Recital 17 c (new)
(17c) Data-driven tools and applications powered by AI-enabled systems require the processing of large amounts of data, which may include personal data. Risks persist in the entire lifecycle of AI- enabled systems in cybersecurity- enhancing tools and applications, and in order to mitigate risks of unduly interference with the rights and freedoms of individuals, the requirements of data protection by design and by default laid down in Article 25 of Regulation (EU) 2016/679 shall be applied. Integrating appropriate safeguards such as pseudonymisation, encryption, data accuracy, and data minimisation in the design and use of AI-enabled systems deployed in cybersecurity applications and processes is essential to mitigate the risks that such systems may pose on personal data.
2021/06/03
Committee: ITRE
Amendment 114 #

2020/0359(COD)

Proposal for a directive
Recital 17 d (new)
(17d) Member States should adopt policies on the promotion and integration of AI-enabled systems in the prevention and detection of cybersecurity incidents and threats as part of their national cybersecurity strategies. Such policies should emphasise the technological and operational measures including, but not limited to, workflow automation, streaming analytics, active monitoring, intelligent prediction and advanced network threat detection, in order to accelerate the analysis, validation and prioritisation of threats. ENISA’s National Capabilities Assessment Framework (NCAF) can assist in the evaluation and alignment of Member States’ policies building on available use cases and key performance indicators. Moreover, an assessment of Member States’ capabilities and overall level of maturity as regards the integration of AI- enabled systems in cybersecurity should be factored in the methodological construction of the cybersecurity index within the meaning of ENISA’s report on the state of cybersecurity in the Union under Article 15 of this Directive.
2021/06/03
Committee: ITRE
Amendment 115 #

2020/0359(COD)

Proposal for a directive
Recital 17 e (new)
(17e) Open-source cybersecurity tools contribute to a higher degree of transparency and have a positive impact on the efficiency of industrial innovation. Open standards facilitate interoperability between security tools, benefitting the security of industrial stakeholders, enabling the diversification of reliance from a single supplier or vendor, and leading to a more comprehensive CTI framework. Semi-automation of CTI production is an important tool to reduce the number of manual steps underpinning the analysis of CTI. The use of AI and ML within CTI should be further explored to increase the value of machine learning functions within CTI activities.
2021/06/03
Committee: ITRE
Amendment 116 #

2020/0359(COD)

Proposal for a directive
Recital 17 f (new)
(17f) Member States should develop a policy for the integration of open-source tools in public administration, and further explore measures to incentivise the wider adoption of open-source software by developing strategies to address and minimise the legal and technical risks that entities are faced with, as regards licensing and the necessary levels of technical support. Such policies are of particular importance for small and medium-sized enterprises (SMEs) facing significant costs for implementation, which can be minimised by reducing the need for specific applications or tools.
2021/06/03
Committee: ITRE
Amendment 121 #

2020/0359(COD)

Proposal for a directive
Recital 21 a (new)
(21a) Public-Private Partnerships (PPPs) in the field of cybersecurity can provide the right framework for knowledge exchange, sharing of best practices and the establishment of a common level of understanding amongst all stakeholders. Goal-oriented and service outsourcing PPPs foster a culture of cybersecurity at the Member State level, and leverage the exchange and transfer of expertise, thus raising cybersecurity awareness and the overall level of reciprocal support between public and private entities. Hybrid PPPs enable governments to assign either the operation, or the delivery of service- specific functions, of a CSIRT to an experienced entity facilitating the access of public administrations to private sector resources, and increasing the levels of trust between stakeholders by establishing a proactive attitude in case of incidents or crises.
2021/06/03
Committee: ITRE
Amendment 122 #

2020/0359(COD)

Proposal for a directive
Recital 21 b (new)
(21b) Member States should adopt policies underpinning the establishment of cybersecurity-specific PPPs as part of their national cybersecurity strategies. These policies should clarify, among others, the scope and stakeholders involved, the governance model, the available funding options, and the interaction among participating stakeholders. PPPs can leverage the expertise of private sector entities to support Member States’ competent authorities in developing state-of-the art services and processes including, but not limited to, information exchange, early warnings, cyber threat and incident exercises, crisis management, and resilience planning.
2021/06/03
Committee: ITRE
Amendment 130 #

2020/0359(COD)

Proposal for a directive
Recital 26 a (new)
(26a) Cyber hygiene policies provide the foundations for protecting network and information system infrastructures, hardware, software and online application security, and business or end-user data which entities rely on. Cyber hygiene policies comprising a common baseline set of practices including, but not limited to, software and hardware updates, password changes, management of new installs, limitation of administrator-level access accounts, and backing up of data, enable a proactive framework of preparedness and overall safety and security in the event of incidents or threats.
2021/06/03
Committee: ITRE
Amendment 131 #

2020/0359(COD)

Proposal for a directive
Recital 26 b (new)
(26b) Member States should adopt policies to promote cyber hygiene as part of their national cybersecurity strategies. Such policies should build on cyber hygiene controls and programmes that are affordable and accreditable in order to minimise the cost of implementation, especially for SMEs, and encourage wider compliance thereto by both public and private entities. ENISA should monitor and assess Member States’ cyber hygiene policies, and explore EU wide schemes to enable cross-border checks ensuring equivalence independent of Member State requirements.
2021/06/03
Committee: ITRE
Amendment 132 #

2020/0359(COD)

Proposal for a directive
Recital 28
(28) Since the exploitation of vulnerabilities in network and information systems may cause significant disruption and harm, swiftly identifying and remedying those vulnerabilities is an important factor in reducing cybersecurity risk. Entities that develop such systems should therefore establish appropriate procedures to handle vulnerabilities when they are discovered. Since vulnerabilities are often discovered and reported (disclosed) by third parties (reporting entities), the manufacturer or provider of ICT products or services should also put in place the necessary procedures to receive vulnerability information from third parties. In this regard, international standards ISO/IEC 30111 and ISO/IEC 29417 provide guidance on vulnerability handling and vulnerability disclosure respectively. As regards vulnerability disclosure, coordination between reporting entities and manufacturers or providers of ICT products or services is particularly important. CVoluntary coordinated vulnerability disclosure specifies a structured process through which vulnerabilities are reported to organisations in a manner allowing the organisation to diagnose and remedy the vulnerability before detailed vulnerability information is disclosed to third parties or to the public. Coordinated vulnerability disclosure should also comprise coordination between the reporting entity and the organisation as regards the timing of remediation and publication of vulnerabilities. Strengthening the coordination and timely exchange of relevant information between the manufacturer or provider of ICT products or services and the reporting entities is essential to facilitate the voluntary framework of vulnerability disclosure.
2021/06/03
Committee: ITRE
Amendment 133 #

2020/0359(COD)

Proposal for a directive
Recital 29
(29) Member States should therefore take measures to facilitate coordinated vulnerability disclosure by establishing a relevant national policy. In this regard, Member States should designate a CSIRT to take the role of ‘coordinator’, acting as an intermediary between the reporting entities and the manufacturers or providers of ICT products or services, where necessarythe reporting entity, or the manufacturer or the provider of ICT products or services, engages a third-party coordinator to assist with the disclosure process. The tasks of the CSIRT coordinator should, in particular, include identifying and contacting concerned entities, supporting reporting entities, negotiating disclosure timelines, and managing vulnerabilities that affect multiple organisations (multi- party vulnerability disclosure). Where vulnerabilities affect multiple manufacturers or providers of ICT products or services established in more than one Member State, the designated CSIRTs from each of the affected Member States should cooperate within the CSIRTs Network.
2021/06/03
Committee: ITRE
Amendment 139 #

2020/0359(COD)

Proposal for a directive
Recital 31
(31) Although similar vulnerability registries or databases do exist, these are hosted and maintained by entities which are not established in the Union. A European vulnerability registry maintained by ENISA would provide improved transparency regarding the publication process before the vulnerability is officially disclosed, and resilience in cases of disruptions or interruptions on the provision of similar services. To avoid duplication of efforts and seek complementarity to the extent possible, ENISA should explore the possibility of entering into structured cooperation agreements with similar registries in third country jurisdictions. ENISA could play a more central management role either by exploring the option of becoming a “Root CVE Numbering Authority” in the global Common Vulnerabilities and Exposures (CVE) registry, or setting up a database to leverage the existing CVE programme for vulnerability identification and registration to enable interoperability and reference between the European and third country jurisdiction registries.
2021/06/03
Committee: ITRE
Amendment 142 #

2020/0359(COD)

Proposal for a directive
Recital 35
(35) The competent authorities and CSIRTs should be empowered to participate in exchange schemes for officials from other Member States, within structured rules and mechanisms underpinning the scope and, where applicable, the required security clearance of officials participating in such exchange schemes, in order to improve cooperation. The competent authorities should take the necessary measures to enable officials from other Member States to play an effective role in the activities of the host competent authority or CSIRT.
2021/06/03
Committee: ITRE
Amendment 144 #

2020/0359(COD)

Proposal for a directive
Recital 38
(38) For the purposes of this Directive, the term ‘risk’ should refer to the potential for loss or disruption caused by a cybersecurity incident and should be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of said incident.deleted
2021/06/03
Committee: ITRE
Amendment 145 #

2020/0359(COD)

Proposal for a directive
Recital 39
(39) For the purposes of this Directive, the term ‘near misses’ should refer to an event which could potentially have caused harm, but was successfully prevented from fully transpiring.deleted
2021/06/03
Committee: ITRE
Amendment 147 #

2020/0359(COD)

Proposal for a directive
Recital 40
(40) Risk-management measures should include measures to identify any risks of incidents, to prevent, detect and handle, respond to, attribute, and recover from incidents, and to mitigate their impact. The security of network and information systems should comprise the security of stored, transmitted and processed data.
2021/06/03
Committee: ITRE
Amendment 149 #

2020/0359(COD)

Proposal for a directive
Recital 43
(43) Addressing cybersecurity risks stemming from an entity’s supply chain and its relationship with its suppliers is particularly important given the prevalence of incidents where entities have fallen victim to cyber-attacks and where malicious actors were able to compromise the security of an entity’s network and information systems by exploiting vulnerabilities affecting third party products and services. Entities should thereforeevaluate their own cybersecurity capabilities and pursue the integration of cybersecurity enhancing technologies driven by AI or machine learning systems to automate their capabilities and the protection of network architectures. Entities should also assess and take into account the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures.
2021/06/03
Committee: ITRE
Amendment 153 #

2020/0359(COD)

Proposal for a directive
Recital 44
(44) Among service providers, managed security services providers (MSSPs) in areas such as incident response, penetration testing, security audits and consultancy play a particularly important role in assisting entities in their efforts to prevent, detect and respond to incidents. Those MSSPs have however also been the targets of cyberattacks themselves and through their close integration in the operations of operators pose a particular cybersecurity risk. Entities should therefore exercise increased diligence in selecting an MSSP, not only in terms of the close operational integration but also as regards the need for such outsourced activities involving personal data by a controller to be in full compliance with Regulation (EU) 2016/679, in particular the processing by a processor on behalf of a controller.
2021/06/03
Committee: ITRE
Amendment 156 #

2020/0359(COD)

Proposal for a directive
Recital 46
(46) To further address key supply chain risks and assist entities operating in sectors covered by this Directive to appropriately manage supply chain and supplier related cybersecurity risks, the Cooperation Group involving relevant national authorities, in cooperation with the Commission and ENISA, and in consultation with the European Data Protection Board (EDPB), should carry out coordinated sectoral supply chain risk assessments, as was already done for 5G networks following Recommendation (EU) 2019/534 on Cybersecurity of 5G networks21 , with the aim of identifying per sector which are the critical ICT services, systems or products, relevant threats and vulnerabilities. Particular emphasis should be placed on ICT services, systems or products subject to specific requirements, in particular in third country jurisdictions serving as the country of origin. _________________ 21Commission Recommendation (EU) 2019/534 of 26 March 2019 Cybersecurity of 5G networks (OJ L 88, 29.3.2019, p. 42).
2021/06/03
Committee: ITRE
Amendment 160 #

2020/0359(COD)

Proposal for a directive
Recital 47
(47) The supply chain risk assessments, in light of the features of the sector concerned, should take into account both technical and, where relevant, non- technical factors including those defined in Recommendation (EU) 2019/534, in the EU wide coordinated risk assessment of 5G networks security and in the EU Toolbox on 5G cybersecurity agreed by the Cooperation Group. To identify the supply chains that should be subject to a coordinated risk assessment, the following criteria should be taken into account: (i) the extent to which essential and important entities use and rely on specific critical ICT services, systems or products; (ii) the relevance of specific critical ICT services, systems or products for performing critical or sensitive functions, including the processing of personal data; (iii) the availability of alternative ICT services, systems or products; (iv) the resilience of the overall supply chain of ICT services, systems or products against disruptive events across the entire lifecycle of the service, system or product and (v) for emerging ICT services, systems or products, their potential future significance for the entities’ activities. Such risk assessments should identify best practices for managing risks associated with risks in the ICT supply chain and explore ways to further incentivise their wider adoption by entities within each sector under examination.
2021/06/03
Committee: ITRE
Amendment 164 #

2020/0359(COD)

Proposal for a directive
Recital 50
(50) Given the growing importance of number-independent interpersonal communications services, it is necessary to ensure that such services are also subject to appropriate security requirements in view of their specific nature and economic importance. Providers of such services should thus also ensure a level of security of network and information systems appropriate to the risk posed. Given that providers of number-independent interpersonal communications services normally do not exercise actual control over the transmission of signals over networks, the degree of risk to network security for such services can be considered in some respects to be lower than for traditional electronic communications services. The same applies to interpersonal communications services which make use of numbers and which do not exercise actual control over signal transmission. However, as the attack surface continues to expand, number-independent interpersonal communications services including, but not limited to, social media messengers, are becoming popular attack vectors. Malicious actors use platforms to communicate and attract victims to open compromised web pages, therefore increasing the likelihood of incidents involving the exploitation of personal data, and by extension, the security of information systems.
2021/06/03
Committee: ITRE
Amendment 173 #

2020/0359(COD)

Proposal for a directive
Recital 54
(54) In order to safeguard the security of electronic communications networks and services, the use of encryption, and in particular end-to-end encryption, should be promoted and, where necessary, should be mandatory for providers of such services and networks in accordance with the principles of security and privacy by default and by design for the purposes of Article 18. The use of end-to-end encryption should be reconciled with the Member State’ powers to ensure the protection of their essential security interests and public security, and to permit the investigation, detection and prosecution of criminal offences in compliance with Union law. Solutions for lawful access to information in end-to-end encrypted communications should maintain tThe effectiveness of encryption in protecting the privacy and security of communications, while provid must not be undermined ing an effective response to crimey circumstance, as any loophole in encryption is open to be explored or exploited by actors, regardless of their legitimacy or intent.
2021/06/03
Committee: ITRE
Amendment 175 #

2020/0359(COD)

Proposal for a directive
Recital 54 a (new)
(54a) Any measures aimed at weakening encryption or circumventing the technology’s architecture may incur significant risks to the effective protection capabilities it entails, thus inevitably compromising the protection of personal data and privacy, resulting in an overall loss of trust in security controls. Any unauthorised decryption, reverse engineering of encryption code, or monitoring of electronic communications outside clear legal authorities should be prohibited to ensure the effectiveness of the technology and its wider use. The cases where encryption can be used to mitigate risks related to non-compliant data transfers as presented in EDPB Recommendations 01/2020 may enable stronger encryption, whether in transit or at rest, for providers of such services and networks for the purposes of Article 18.
2021/06/03
Committee: ITRE
Amendment 177 #

2020/0359(COD)

Proposal for a directive
Recital 55
(55) This Directive lays down a twohree- stage approach to incident reporting in order to strike the right balance between, on the one hand, swift reporting that helps mitigate the potential spread of incidents and allows entities to seek support, and, on the other hand, in-depth reporting that draws valuable lessons from individual incidents and improves over time the resilience to cyber threats of individual companies and entire sectors. Where entities become aware of an incident, theycompanies and entire sectors. In this regard, the Directive should also include reporting of incidents that, based on an initial assessment performed by the entity, may be assumed to lead to substantial operational disruption or financial losses or affect other natural or legal persons by causing considerable material or non- material losses. The initial assessment should take into account amongst others, the affected network and information systems and, in particular, their importance in the provision of the entity’s services, the severity and technical characteristics of the cyber threat, and any underlying vulnerabilities that are being exploited, as well as the entity’s experience with similar incidents. Where entities become aware of an incident, they should provide an early warning within 24 hours, without any obligation to disclose additional information. Entities should be required to submit an initial notification within 724 hours, followed by a finalcomprehensive report not later than one month after the incident has been handled. The initial incident notification should only include the information strictly necessary to make the competent authorities aware of the incident antimeline of 72 hours should not preclude entities from reporting incidents earlier, therefore allowing entities to seek support from competent authorities or CSIRTs swiftly, and enabling competent authorities or CSIRTs to mitigate the potential spread of the reported incident. Where an incident requires a longer period to be handled, an entity should be required to submit regular reports on the mitigation measures in place to contain, respond to, attribute and recover from the incident, and a comprehensive report not later than one month after the incident has been handled. The initial notification should allow the entity to seek assistance, if required. Such notification, where applicable, should indicate whether the incident is presumably caused by unlawful or malicious action. Member States should ensure that the requirement to submit this initial notification does not divert the reporting entity’s resources from activities related to incident handling that should be prioritised. To further prevent that incident reporting obligations either divert resources from incident response handling or may otherwise compromise the entities efforts in that respect, Member States should also provide that, in duly justified cases and in agreement with the competent authorities or the CSIRT, the entity concerned can deviate from the deadlines of 724 hours for the initial notification and one month for the finalcomprehensive report.
2021/06/03
Committee: ITRE
Amendment 183 #

2020/0359(COD)

Proposal for a directive
Recital 60
(60) The availability and timely accessibility of these data to public authorities, domain name registration data to legitimate access seekers is essential to protect the online ecosystem, prevent DNS abuse, detect and prevent crime and fraud, protect minors, protect intellectual property, and protect against hate speech. For the purposes of this Directive, legitimate access seekers are natural or legal persons making a justified request on the basis of a legitimate interest under Union or national law to access DNS data, and they may includinge competent authorities under Union or national law for the prevention, investigation or prosecution of criminal offences, CERTs, (CSIRTs, and as regards the data of their clients to, providers of electronic communications networks and services and providers of cybersecurity technologies and services acting on behalf of those clients, is essential to prevent and combat Domain Name System abuse, in particular to prevent, detect and respond to cybersecurity incidents. Such access should comply with Union data protection law insofar as it is related to personal data.
2021/06/03
Committee: ITRE
Amendment 185 #

2020/0359(COD)

Proposal for a directive
Recital 61
(61) In order to ensure the availability of accurate and complete domain name registration data, TLD registries and the entities providing domain name registration services for the TLD (so-called registrars) should collect and guarantee the integrity and availability of domain names registration data. In particular, TLD registries and the entities providing domain name registration services for the TLD should establish policies and procedures to collect and maintain accurate and complete registration data, as well as to prevent and correct inaccurate registration data in accordance with Union data protection rules.
2021/06/03
Committee: ITRE
Amendment 187 #

2020/0359(COD)

Proposal for a directive
Recital 62
(62) TLD registries and the entities providing domain name registration services for them shouldshould be required to make publically available domain name registration data that fall outside the scope of Union data protection rules, such as data that concernof legal persons25 . TLD registries and the entities providing domain name registration services for the TLD should also enable lawful access to specific domain name registration data concerning natural persons to legitimate access seekers, in accordance with Union data protection law. Member States should ensure that TLD registries and the entities providing domain name registration services for them should respond without undue delayin 72 hours to requests from legitimate access seekers for the disclosure of domain name registration data. TLD registries and the entities providing domain name registration services for them should establish policies and procedures for the publication and disclosure of registration data, including service level agreements to deal with requests for access from legitimate access seekers. The access procedure may also include the use of an interface, portal or other technical tool to provide an efficient system for requesting and accessing registration data. With a view to promoting harmonised practices across the internal market, the Commission may adopt guidelines on such procedures without prejudice to the competences of the European Data Protection Board. _________________ 25REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL recital (14) whereby “this Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person”.
2021/06/03
Committee: ITRE
Amendment 195 #

2020/0359(COD)

Proposal for a directive
Recital 69
(69) The processing of personal data, to the extent strictly necessary and proportionate for the purposes of ensuring network and information security by essential and important entities, public authorities, CERTs, CSIRTs, and providers of security technologies and services shoulis necessary to comply with a legal obligation under this Directive and constitutes a legitimate interest of the data controller concerned, as referred to in point (c) paragraph 1, and point (f) paragraph 1 respectively of Article 6 of Regulation (EU) 2016/679. That should include measures related to the prevention, detection, analysis and response to incidents, measures to raise awareness in relation to specific cyber threats, exchange of information in the context of vulnerability remediation and coordinated disclosure, as well as the voluntary exchange of information on those incidents, as well as cyber threats and vulnerabilities, indicators of compromise, tactics, techniques and procedures, cybersecurity alerts and configuration tools. Such measures may require the processing of the following types of personal data: IP addresses, uniform resources locators (URLs), domain names, and email addresses.
2021/06/03
Committee: ITRE
Amendment 199 #

2020/0359(COD)

Proposal for a directive
Recital 71
(71) In order to make enforcement effective, a minimum list of administrative sanctions for breach of the cybersecurity risk management and reporting obligations provided by this Directive should be laid down, setting up a clear and consistent framework for such sanctions across the Union. Due regard should be given to the nature, gravity and duration of the infringement, the actual damage caused or losses incurred or potential damage or losses that could have been triggered, the intentional or negligent character of the infringement, actions taken to prevent or mitigate the damage and/or losses suffered, the degree of responsibility or any relevant previous infringements, the degree of cooperation with the competent authority and any other aggravating or mitigating factor. The imposition of penalties including administrative fines should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter of Fundamental Rights of the European Union, including effective judicial protection and due process.
2021/06/03
Committee: ITRE
Amendment 201 #

2020/0359(COD)

Proposal for a directive
Recital 76
(76) In order to further strengthen the effectiveness and dissuasiveness of the penalties applicable to infringements of obligations laid down pursuant to this Directive, the competent authorities should be empowered to apply sanctions consisting of the, where applicable, the temporary suspension of a certification or authorisation concerning part or all the services provided by an essential entity, and the imposition of a temporary ban from the exercise of managerial functions by a natural personagainst any person discharging managerial responsibilities at chief executive officer or legal representative level in that essential entity from exercising managerial functions in that entity. This provision shall not apply to public administration entities as referred to in this Directive. Given their severity and impact on the entities’ activities and ultimately on their consumers, such sanctions should only be applied proportionally to the severity of the infringement and taking account of the specific circumstances of each case, including the intentional or negligent character of the infringement, actions taken to prevent or mitigate the damage and/or losses suffered. Such sanctions should only be applied as ultima ratio, meaning only after the other relevant enforcement actions laid down by this Directive have been exhausted, and only for the time until the entities to which they apply take the necessary action to remedy the deficiencies or comply with the requirements of the competent authority for which such sanctions were applied. The imposition of such sanctions shall be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter of Fundamental Rights of the European Union, including effective judicial protection, due process, presumption of innocence and right of defence.
2021/06/03
Committee: ITRE
Amendment 206 #

2020/0359(COD)

Proposal for a directive
Recital 79
(79) A peer-review mechanism should be introduced, allowing the assessment by experts designated by the Member States and ENISA of the implementation of cybersecurity policies, including the level of Member States’ capabilities and available resources, and provide an effective path for the transfer of cybersecurity-enhancing technologies, mechanisms and processes between and among competent authorities or CSIRTs.
2021/06/03
Committee: ITRE
Amendment 231 #

2020/0359(COD)

Proposal for a directive
Article 2 – paragraph 5 a (new)
5a. As regards the processing of personal data, essential and important entities as well as competent authorities, CERTs, and CSIRTs, shall process personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security in accordance with the obligations set out in this Directive. Where the processing of personal data is required for the purpose of cybersecurity and network and information security in accordance with the provisions set out in Article 18 and Article 20 of the Directive, including the provisions set out in Article 23, that processing is considered necessary for compliance with a legal obligation in accordance with paragraph1(c) of Article 6 of Regulation (EU) 2016/679.
2021/06/03
Committee: ITRE
Amendment 233 #

2020/0359(COD)

Proposal for a directive
Article 2 – paragraph 5 b (new)
5b. For the purposes of arrangements underpinning cybersecurity information- sharing and voluntary notification of information as set out in Articles 26 and 27 of this Directive, the processing of personal data constitutes a legitimate interest of the data controller concerned in accordance with paragraph 1(f) of Article 6 of Regulation (EU) 2016/679.
2021/06/03
Committee: ITRE
Amendment 235 #

2020/0359(COD)

Proposal for a directive
Article 2 – paragraph 5 c (new)
5c. As regards the processing of personal data from essential entities providing services of public electronic communications networks or publicly available electronic communications referred to in point 8 of Annex I and point (a)(i) of paragraph2(1), such processing of personal data required for the purposes of ensuring network and information security shall be in compliance with the provisions set out in Directive 2002/58/EC.
2021/06/03
Committee: ITRE
Amendment 238 #

2020/0359(COD)

Proposal for a directive
Article 2 – paragraph 6
6. Sector-specific acts that require essential or important entities either to adopt cybersecurity risk management measures or to notify incidents or significant cyber threats, shall, where possible, refer to the definitions in Article 4 of this Directive. Where provisions of sector–specific acts of Union law require essential or important entities either to adopt cybersecurity risk management measures or to notify incidents or significant cyber threats, and where those requirements are at least equivalent in effect to the obligations laid down in this Directive, the relevant provisions of this Directive, including the provision on supervision and enforcement laid down in Chapter VI, shall not apply.
2021/06/03
Committee: ITRE
Amendment 243 #

2020/0359(COD)

Proposal for a directive
Article 4 – paragraph 1 – point 4 a (new)
(4a) ‘near miss’ means an event which could have caused harm, but was successfully prevented from fully transpiring;
2021/06/03
Committee: ITRE
Amendment 247 #

2020/0359(COD)

Proposal for a directive
Article 4 – paragraph 1 – point 6
(6) ‘incident handling’ means all actions and procedures aiming at prevention, detection, analysis, attribution, and containment of and a response to an incident;
2021/06/03
Committee: ITRE
Amendment 248 #

2020/0359(COD)

Proposal for a directive
Article 4 – paragraph 1 – point 7 a (new)
(7a) ‘risk’ means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of that incident;
2021/06/03
Committee: ITRE
Amendment 250 #

2020/0359(COD)

Proposal for a directive
Article 4 – paragraph 1 – point 13
(13) ‘domain name system (DNS)’ means a hierarchical distributed naming system which allows end-users to reach services and resources on the internetenables the identification of internet services and resources, allowing end-user devices to utilise internet routing and connectivity services, to reach those services and resources;
2021/06/03
Committee: ITRE
Amendment 253 #

2020/0359(COD)

Proposal for a directive
Article 4 – paragraph 1 – point 14
(14) ‘DNS service provider’ means an entity that provides recursive or authoritative domain name resolution services to internet end-users and other DNS service provider: a) open and public recursive domain name resolution services; or b) authoritative domain name resolution services as a service procurable by third-party entities;
2021/06/03
Committee: ITRE
Amendment 255 #

2020/0359(COD)

Proposal for a directive
Article 4 – paragraph 1 – point 15
(15) ‘top–level domain name registry’ means an entity which has been delegated a specific TLD and is responsible for administering the TLD including the registration of domain names under the TLD and the technical operation of the TLD, including the operation of its name servers, the maintenance of its databases and the distribution of TLD zone files across name servers, irrespective of whether any of those operations are being performed by the entity or are outsourced;
2021/06/03
Committee: ITRE
Amendment 256 #

2020/0359(COD)

Proposal for a directive
Article 4 – paragraph 1 – point 15 a (new)
(15a) ‘legitimate access seekers’ means any natural or legal person, including competent authorities under Union or national law for the prevention, investigation or prosecution of criminal offences, CSIRTs, CERTs, providers of electronic communications networks and services, and providers of cybersecurity technologies and services, seeking DNS data upon a justified request on the basis of Union or national law for the purposes of preventing DNS abuse, detecting and preventing crime and fraud, protecting minors, protecting intellectual property, and protecting against hate speech;
2021/06/03
Committee: ITRE
Amendment 257 #

2020/0359(COD)

Proposal for a directive
Article 4 – paragraph 1 – point 22
(22) ‘social networking services platform’ means a platform that enables end-users to connect, share, discover and communicate with each other via number- independent interpersonal communications services across multiple devices, and in particular, via chats, posts, videos and recommendations);
2021/06/03
Committee: ITRE
Amendment 272 #

2020/0359(COD)

Proposal for a directive
Article 5 – paragraph 1 – introductory part
1. Each Member State shall adopt a national cybersecurity strategy defining the strategic objectives and, the required technical, organisational, and financial resources to achieve those objectives, and the appropriate policy and regulatory measures, with a view to achieving and maintaining a high level of cybersecurity. The national cybersecurity strategy shall include, in particular, the following:
2021/06/03
Committee: ITRE
Amendment 277 #

2020/0359(COD)

Proposal for a directive
Article 5 – paragraph 1 – point b
(b) a governance framework to achieve those objectives and priorities, including the policies referred to in paragraph 2, and an appropriate framework defining the roles and responsibilities of public bodies and entities as well as other relevant actors, underpinning the cooperation and coordination, at the national level, between the competent authorities designated under Articles 7(1) and 8(1), the single point of contact designated under Article 8(3), and the CSIRTs designated under Article 9;
2021/06/03
Committee: ITRE
Amendment 284 #

2020/0359(COD)

Proposal for a directive
Article 5 – paragraph 2 – point a a (new)
(aa) guidelines addressing cybersecurity in the supply chain for ICT products and services used by entities outside the scope of this Directive, and in particular supply chain challenges faced by SMEs;
2021/06/03
Committee: ITRE
Amendment 287 #

2020/0359(COD)

Proposal for a directive
Article 5 – paragraph 2 – point d a (new)
(da) a policy on promoting the integration of open-source tools and applications;
2021/06/03
Committee: ITRE
Amendment 288 #

2020/0359(COD)

Proposal for a directive
Article 5 – paragraph 2 – point d b (new)
(db) a policy to promote and support the development and integration of AI and other emerging technologies in cybersecurity-enhancing tools and applications;
2021/06/03
Committee: ITRE
Amendment 289 #

2020/0359(COD)

Proposal for a directive
Article 5 – paragraph 2 – point e
(e) a policy on promoting and developing cybersecurity skills, awareness raising and research and development initiatives, including targeted policies addressing issues relating to gender representation and balance in the aforementioned areas;
2021/06/03
Committee: ITRE
Amendment 290 #

2020/0359(COD)

Proposal for a directive
Article 5 – paragraph 2 – point e a (new)
(ea) a policy to promote cyber hygiene programmes comprising a baseline set of practices and controls;
2021/06/03
Committee: ITRE
Amendment 293 #

2020/0359(COD)

Proposal for a directive
Article 5 – paragraph 2 – point f a (new)
(fa) a policy, including relevant procedures and governance frameworks, to support and promote the establishment of cybersecurity PPPs;
2021/06/03
Committee: ITRE
Amendment 301 #

2020/0359(COD)

3. Member States shall notify their national cybersecurity strategies to the Commission within three months from their adoption. Member States may exclude specific information from the notification where and to the extent that it is strictly necessary to preserve national security.
2021/06/03
Committee: ITRE
Amendment 302 #

2020/0359(COD)

Proposal for a directive
Article 5 – paragraph 4
4. Member States shall assess their national cybersecurity strategies at least every four years on the basis of key performance indicators and, where necessary, amend them. The European Union Agency for Cybersecurity (ENISA) shall assist Member States, upon request, in the development of a national strategy and of key performance indicators for the assessment of the strategy. ENISA shall provide guidance to Member States in order to align their already formulated national cybersecurity strategies with the requirements and obligations set out in this Directive.
2021/06/03
Committee: ITRE
Amendment 311 #

2020/0359(COD)

Proposal for a directive
Article 6 – paragraph 2
2. ENISA shall develop and maintain a European vulnerability registry. To that end, ENISA shall establish and maintain the appropriate information systems, policies and procedures, and the necessary technical and organisational measures to ensure the security and integrity of the registry, with a view in particular to enabling important and essential entities and their suppliers of network and information systems, as well as entities excluded from the scope of this Directive, and their suppliers, to disclose and register vulnerabilities present in ICT products or ICT services, as well as to provide access to the information on vulnerabilities contained in the registry to all interested parties, enabling all parties and in particular, the users of the ICT products or ICT services concerned to adopt appropriate mitigating measures. The registry shall, in particular, include information describing the vulnerability, the affected ICT product or ICT services and the severity of the vulnerability in terms of the circumstances under which it may be exploited, and the availability of related patches and, in the absence of available patches, guidance addressed to users of vulnerable products and services as to how the risks resulting from disclosed vulnerabilities may be mitigated.
2021/06/03
Committee: ITRE
Amendment 314 #

2020/0359(COD)

Proposal for a directive
Article 7 – paragraph 1 a (new)
1a. Where a Member State designates more than one competent authorities referred to in paragraph1, it should clearly indicate which of these competent authorities shall serve as the main point of contact for the management of large- scale incidents and crises.
2021/06/03
Committee: ITRE
Amendment 320 #

2020/0359(COD)

Proposal for a directive
Article 9 – paragraph 2
2. Member States shall ensure that each CSIRT has adequate resources and the technical capabilities necessary to carry out effectively their tasks as set out in Article 10(23).
2021/06/03
Committee: ITRE
Amendment 325 #

2020/0359(COD)

Proposal for a directive
Article 10 – paragraph 1 – point c
(c) CSIRTs shall be equipped with an appropriate system for managclassifying, routing, and routtracking requests, in particular, to facilitate effective and efficient handovers;
2021/06/03
Committee: ITRE
Amendment 326 #

2020/0359(COD)

(ca) CSIRTs shall have appropriate codes of conduct in place to ensure the confidentiality and trustworthiness of their operations;
2021/06/03
Committee: ITRE
Amendment 327 #

2020/0359(COD)

Proposal for a directive
Article 10 – paragraph 1 – point e
(e) CSIRTs shall be equipped with redundant systems and backup working space to ensure continuity of its services, including full-spectrum connectivity across networks, information systems and services, and devices;
2021/06/03
Committee: ITRE
Amendment 328 #

2020/0359(COD)

Proposal for a directive
Article 10 – paragraph 1 – point e a (new)
(ea) CSIRTs shall have appropriate descriptions of the skillsets required by staff to meet the technical capabilities necessary to perform assigned tasks;
2021/06/03
Committee: ITRE
Amendment 329 #

2020/0359(COD)

Proposal for a directive
Article 10 – paragraph 1 – point e b (new)
(eb) CSIRTs shall have appropriate internal training frameworks and, where suitable, relevant policies to support external technical training of staff in order to reinforce a culture of continuous improvement;
2021/06/03
Committee: ITRE
Amendment 330 #

2020/0359(COD)

Proposal for a directive
Article 10 – paragraph 1 a (new)
1a. CSIRTs shall develop the following technical capabilities to perform their tasks: (a) The ability to conduct real-time monitoring of networks and information systems, and anomaly detection; (b) The ability to support penetration prevention operations including, in particular, the detection and analysis of sophisticated cyber threats; (c) The ability to collect and conduct complex forensic data analysis, and reverse engineering of cyber threats; (d) The ability to filter harmful communication content including, but not limited to, malicious e-mails; (e) The ability to protect data, including personal and sensitive data, from unauthorised exfiltration; (f) The ability to enforce strong authentication and access privileges; (g) The ability to analyse and attribute cyber threats.
2021/06/03
Committee: ITRE
Amendment 352 #

2020/0359(COD)

Proposal for a directive
Article 13 – paragraph 3 – point a a (new)
(aa) facilitating the transfer of technology and relevant measures, policies and frameworks among the CSIRTs;
2021/06/03
Committee: ITRE
Amendment 353 #

2020/0359(COD)

Proposal for a directive
Article 13 – paragraph 3 – point g – point v
(v) contribution to the national cybersecurity incident and crisis response plan referred to in Article 7 (34);
2021/06/03
Committee: ITRE
Amendment 364 #

2020/0359(COD)

Proposal for a directive
Article 15 – paragraph 1 – point a a (new)
(aa) the general level of cybersecurity awareness amongst citizens and consumers, the security of consumer- facing connected devices, and the security of digital public services and the respective digital infrastructures through which such services are offered to citizens;
2021/06/03
Committee: ITRE
Amendment 368 #

2020/0359(COD)

Proposal for a directive
Article 15 – paragraph 1 – point c b (new)
(cb) the alignment of Member States’ national cybersecurity strategies referred to in Article 5, including the level of convergence of key performance indicators for the assessment of the strategies.
2021/06/03
Committee: ITRE
Amendment 369 #

2020/0359(COD)

Proposal for a directive
Article 15 – paragraph 2
2. The report shall include the obstacles identified at the national level, particular policy recommendations for increasing the level of cybersecurity across the Union, and a summary of the findings for the particular period from the Agency’s EU Cybersecurity Technical Situation Reports issued by ENISA in accordance with Article 7(6) of Regulation (EU) 2019/881.
2021/06/03
Committee: ITRE
Amendment 370 #

2020/0359(COD)

Proposal for a directive
Article 15 – paragraph 2 a (new)
2a. ENISA, in cooperation with the Commission and with guidance from the Cooperation Group and the CSIRTs network, shall prepare the methodological specifications, including the relevant variables underpinning the scoring and validation of the cybersecurity index referred to in paragraph 1(e).
2021/06/03
Committee: ITRE
Amendment 372 #

2020/0359(COD)

Proposal for a directive
Article 16 – paragraph 1 – introductory part
1. The Commission shall establish, after consulting the Cooperation Group and ENISA, and at the latest by 18 months following the entry into force of this Directive, the methodology and content of a peer-review system for assessing the effectiveness of the Member States’ cybersecurity policies. ENISA shall develop templates for the self-assessment of the reviewed aspects, which Member States being reviewed shall complete and provide to designated experts prior to the commencement of the peer-review process. The reviews shall be conducted by cybersecurity technical experts drawn from ENISA and at least two Member States different than the one reviewed and shall cover at least the following:
2021/06/03
Committee: ITRE
Amendment 374 #

2020/0359(COD)

Proposal for a directive
Article 16 – paragraph 1 – point iii
(iii) the operationtechnical capabilities and effectiveness of CSIRTs; in executing their tasks;
2021/06/03
Committee: ITRE
Amendment 375 #

2020/0359(COD)

Proposal for a directive
Article 16 – paragraph 2
2. The methodology shall include objective, non-discriminatory, fair and transparent criteria on the basis of which the Member States shall designate experts eligible to carry out the peer reviews. The Commission, supported by ENISA, shall develop appropriate codes of conduct underpinning the work methods of designated experts participating in peer- reviews to safeguard the confidentiality of information obtained through the peer- review process, and the non-disclosure of such information to any third parties. ENISA and the Commission shall designate experts to participate as observers in the peer-reviews. The Commission, supported by ENISA, shall establish within the methodology as referred to in paragraph 1 an objective, non-discriminatory, fair and transparent system for the selection and the random allocation of experts for each peer review.
2021/06/03
Committee: ITRE
Amendment 376 #

2020/0359(COD)

Proposal for a directive
Article 16 – paragraph 4
4. Peer reviews shall entail actual or virtual on-site visits and off-site exchanges. In view of the principle of good cooperation, the designated experts tasked with carrying out the peer-review shall communicate the aspects under review as referred to in paragraph 1, including any additional targeted issues specific to the Member State or sectors referred to in paragraph 3, and request a corresponding self-assessment report from the Member States being reviewed. The Member States being reviewed shall provide the designated experts with the requested information necessary for the assessment of the reviewed aspects. Any information obtained through the peer review process shall be used solely for that purpose. The experts participating in the peer review shall not disclose any sensitive or confidential information obtained in the course of that review to any third parties.
2021/06/03
Committee: ITRE
Amendment 378 #

2020/0359(COD)

Proposal for a directive
Article 16 – paragraph 6
6. Member States shall ensure that any risk of conflict of interests concerning the designated experts are revealed to the other Member States, the Commission and ENISA without undue delay, before the designation of experts referred to in paragraphs 1 and 2.
2021/06/03
Committee: ITRE
Amendment 379 #

2020/0359(COD)

Proposal for a directive
Article 16 – paragraph 7
7. Experts participating in peer reviews shall draft reports on the findings and conclusions of the reviews. The reports shall include recommendations to enable improvement on the aspects covered by the peer-review process, including recommendations on the transfer of technologies, tools, measures, and processes from Member States carrying out the peer-review to the Member State being reviewed. The reports shall be submitted to the Commission, the Cooperation Group, the CSIRTs network and ENISA. The reports shall be discussed in the Cooperation Group and the CSIRTs network. The reports may be published on the dedicated website of the Cooperation Group.
2021/06/03
Committee: ITRE
Amendment 383 #

2020/0359(COD)

Proposal for a directive
Article 17 – paragraph 2
2. Member States shall ensure that members of the management body follow specific trainingof essential and important entities follow specific trainings, and shall encourage essential and important entities to offer similar trainings to all employees, on a regular basis, to gain sufficient knowledge and skills in order to apprehend and assess cybersecurity risks and management practices and their impact on the operations of the entity.
2021/06/03
Committee: ITRE
Amendment 389 #

2020/0359(COD)

Proposal for a directive
Article 18 – paragraph 1
1. Member States shall ensure that essential and important entities shall take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use infor their operations or for the provision of their services. Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk presented.
2021/06/03
Committee: ITRE
Amendment 391 #

2020/0359(COD)

Proposal for a directive
Article 18 – paragraph 2 – point b
(b) incident handling (prevention, detection, andmitigation, response to, recovery from, and attribution of incidents);
2021/06/03
Committee: ITRE
Amendment 394 #

2020/0359(COD)

Proposal for a directive
Article 18 – paragraph 2 – point c
(c) business continuity, disaster recovery and crisis management;
2021/06/03
Committee: ITRE
Amendment 399 #

2020/0359(COD)

Proposal for a directive
Article 18 – paragraph 2 – point f a (new)
(fa) deployment of secured voice, video and text communications, and of secured emergency communications systems within the entity;
2021/06/03
Committee: ITRE
Amendment 424 #

2020/0359(COD)

Proposal for a directive
Article 20 – paragraph 1
1. Member States shall ensure that essential and important entities notify, without undue delay, the competent authorities or the CSIRT in accordance with paragraphs 32 and 43 of any incident having a significant impact on. Where the incident concerns the provisions of their services. Where appropriate, those entities shall notify, without undue delay, the recipientsentities’ services, those entities shall notify affected users about the unavailability or underlying risks of use of their services of incidents that are likely to adversely affect the provision of that service in order to mitigate the adverse effects of the incident. Essential and important entities may deviate from notifying affected users in case of overriding reasons inducing, but not limited to, that notification worsening the impact of an ongoing incident. Member States shall ensure that those entities report, among others, any information enabling the competent authorities or the CSIRT to determine any cross-border impact of the incident. The notification shall not make the notifying entity subject to increased liability.
2021/06/03
Committee: ITRE
Amendment 431 #

2020/0359(COD)

Proposal for a directive
Article 20 – paragraph 2 – subparagraph 1
2. Member States shall ensure that essential and important entities notify, without undue delay, the competent authorities or the CSIRT of any significant cyber threat that those entities identify that could have potentially resulted in a significant incident.deleted
2021/06/03
Committee: ITRE
Amendment 433 #

2020/0359(COD)

Proposal for a directive
Article 20 – paragraph 2 – subparagraph 2
Where applicable, those entities shall notify, without undue delay, the recipients of their services that are potentially affected by a significant cyber threat of any measures or remedies that those recipients can take in response to that threat. Where appropriate, the entities shall also notify those recipients of the threat itself. The notification shall not make the notifying entity subject to increased liability.deleted
2021/06/03
Committee: ITRE
Amendment 445 #

2020/0359(COD)

Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – point -a (new)
(-a) an early warning within 24 hours after having become aware of an incident, without any obligations on the entity concerned to disclose additional information regarding the incident;
2021/06/03
Committee: ITRE
Amendment 448 #

2020/0359(COD)

Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – point a
(a) without undue delay and in any event within 724 hours after having become aware of the incident, an initial notification, which, where applicable, shall indicate whether the incident is presumably caused by unlawful or malicious action;
2021/06/03
Committee: ITRE
Amendment 453 #

2020/0359(COD)

Proposal for a directive
Article 20 – paragraph 4 – subparagraph 1 – point c – introductory part
(c) a finalcomprehensive report not later than one month after the submission of the report under point (a), including at least the following:
2021/06/03
Committee: ITRE
Amendment 463 #

2020/0359(COD)

Proposal for a directive
Article 20 – paragraph 5
5. The competent national authorities or the CSIRT shall provide, within 24 hours after receiving the initial notification referred to in point (ab) of paragraph 43, a response to the notifying entity, including initial feedback on the incident and, upon request of the entity, guidance on the implementation of possible mitigation measures. Where the CSIRT did not receive the notification referred to in paragraph 1 , the guidance shall be provided by the competent authority in collaboration with the CSIRT. The CSIRT shall provide additional technical support if the concerned entity so requests. Where the incident is suspected to be of criminal nature, the competent national authorities or the CSIRT shall also provide guidance on reporting the incident to law enforcement authorities.
2021/06/03
Committee: ITRE
Amendment 471 #

2020/0359(COD)

Proposal for a directive
Article 20 – paragraph 8
8. At the request of the competent authority or the CSIRT, the single point of contact shall forward notifications received pursuant to paragraphs 1 and 2 1 to the single points of contact of other affected Member States. In compliance with Union law, or in accordance with Member State legislation compliant with Union law, the single point of contact shall preserve the security and commercial interests of the essential or important entity reporting the incident, including the confidentiality of the information provided by the reporting entity in the notification of the incident, when forwarding the notification to the single points of contact of other affected Member States.
2021/06/03
Committee: ITRE
Amendment 475 #

2020/0359(COD)

Proposal for a directive
Article 20 – paragraph 9
9. The single point of contact shall submit to ENISA on a monthly basis a summary report including anonymised and aggregated data on incidents, significant cyber threats and near misses notified in accordance with paragraphs 1 and 2 and in accordance withof this Article, and Article 27. In order to contribute to the provision of comparable information, ENISA may issue technical guidance on the parameters of the information included in the summary report.
2021/06/03
Committee: ITRE
Amendment 478 #

2020/0359(COD)

Proposal for a directive
Article 20 – paragraph 10
10. Competent authorities shall provide to the competent authorities designated pursuant to Directive (EU) XXXX/XXXX [Resilience of Critical Entities Directive] information on incidents and cyber threats notified in accordance with paragraphs 1 and 2 by essential entities identified as critical entities, or as entities equivalent to critical entities, pursuant to Directive (EU) XXXX/XXXX [Resilience of Critical Entities Directive].
2021/06/03
Committee: ITRE
Amendment 481 #

2020/0359(COD)

Proposal for a directive
Article 20 – paragraph 10 a (new)
10a. ENISA, in cooperation with the Cooperation Group, shall develop common incident notification templates by [date of transposition deadline of the Directive], to streamline the reporting obligations of essential and important entities, and simplify the sharing of relevant information referred to in point (b) of paragraph 1 of this Article.
2021/06/03
Committee: ITRE
Amendment 483 #

2020/0359(COD)

Proposal for a directive
Article 20 – paragraph 11
11. The Commission, may adopt implementing acts further specifying the type of information, the format and the procedure of a notification submitted pursuant to paragraphs 1 and 2. The Commission may also adopt implementing shall be empowered to adopt delegated acts to further specifying the cases in which an incident shall be considered significant as referred to in paragraph 3. Those implementing acts shall be adopte2, and in accordance with the examination procedureercise of delegation power referred to in Article 37(2)6.
2021/06/03
Committee: ITRE
Amendment 488 #

2020/0359(COD)

Proposal for a directive
Article 21 – paragraph 1
1. In order to demonstrate compliance with certain requirements of Article 18, Member States may requirand following guidance from ENISA, the Commission, and the Cooperation Group, Member States shall encourage essential and important entities to certify certain ICT products, ICT services and ICT processes, developed either by the essential and important entities or procured from third parties, under specific European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation (EU) 2019/881. The products, services and processes subject to certification may be developed by an essential or important entity or procured from third parti, or under equivalent and internationally accepted certification schemes.
2021/06/03
Committee: ITRE
Amendment 502 #

2020/0359(COD)

Proposal for a directive
Article 23 – paragraph 1
1. For the purpose of contributing to the security, stability and resilience of the DNS, Member States shall ensure that TLD registries and the entities providing domain name registration services for the TLD shall collect and maintain accurate and complete domain name registration data in a dedicated database facility with due diligence subject to Union data protection law as regards data which are personal data.
2021/06/03
Committee: ITRE
Amendment 505 #

2020/0359(COD)

Proposal for a directive
Article 23 – paragraph 4
4. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD publish, without undue delaymake publicly available, within 72 hours after the registration of a domain name, domain registration data which are not personal dataof legal persons as registrants.
2021/06/03
Committee: ITRE
Amendment 507 #

2020/0359(COD)

Proposal for a directive
Article 23 – paragraph 5
5. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD provide access to specific domain name registration data upon lawful and, including personal data, upon duly justified requests of legitimate access seekers, in compliance with Union data protection law. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD reply without undue delayreply within 72 hours to all requests for access. Member States shall ensure that policies and procedures to disclose such data are made publicly available. The Commission may adopt implementing acts laying out the requirements to be demonstrated by legitimate access seekers to TLD registries and entities providing domain name registration services before access to specific domain name registration data is granted. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 37(2).
2021/06/03
Committee: ITRE
Amendment 518 #

2020/0359(COD)

Proposal for a directive
Article 25 – paragraph 1 – introductory part
1. ENISA shall create and maintain a registry for essential and important entities referred to in Article 24(1). ENISA shall establish appropriate information classification and management protocols to ensure the security and confidentiality of disclosed information, and restrict the access, storage, and transmission of such information to intended users. The entities shall submit the following information to ENISA by [12 months after entering into force of the Directive at the latest]:
2021/06/03
Committee: ITRE
Amendment 523 #

2020/0359(COD)

Proposal for a directive
Article 26 – paragraph 1 – introductory part
1. Without prejudice to Regulation (EU) 2016/679, Member States shall ensure that essential and important entities may exchange relevant cybersecurity information among themselves including information relating to cyber threats, near misses, vulnerabilities, indicators of compromise, tactics, techniques and procedures, cybersecurity alerts and configuration tools, where such information sharing:
2021/06/03
Committee: ITRE
Amendment 528 #

2020/0359(COD)

Proposal for a directive
Article 26 – paragraph 2
2. Member States shall ensure thfacilitate the exchange of information takes place withinby enabling the establishment of trusted communities of essential and important entities. Such exchange shall be implemented through information sharing arrangements in respect of the potentially sensitive nature of the information shared and in compliance with the rules of Union law referred to in paragraph 1.
2021/06/03
Committee: ITRE
Amendment 529 #

2020/0359(COD)

Proposal for a directive
Article 26 – paragraph 3
3. Member States shall set out rules specifying the procedure,facilitate information sharing by making operational elements (including the use of dedicated ICT platforms), and content and conditionsvailable of the information sharing arrangements referred to in paragraph 2. Such rul, and may impose certain conditions on the information made available by competent authorities or CSIRTs. Member States shall also lay down the details of the involvement of public authorities in such arrangements, as well as operational elements, including the use of dedicated IT platforms. Member States shall offer support to the application of such arrangements in accordance with their policies referred to in Article 5(2) (g(l).
2021/06/03
Committee: ITRE
Amendment 546 #

2020/0359(COD)

Proposal for a directive
Article 29 – paragraph 2 – point c
(c) targeted security audits based on risk assessments orperformed by the competent authorities, risk assessments performed by the audited entity, or in the absence thereof, risk-related available information;
2021/06/03
Committee: ITRE
Amendment 552 #

2020/0359(COD)

Proposal for a directive
Article 29 – paragraph 4 – point i
(i) make a public statement which identifies the legal and natural person(s) responsible for the infringement of an obligation laid down in this Directive and the nature of that infringement;deleted
2021/06/03
Committee: ITRE
Amendment 557 #

2020/0359(COD)

Proposal for a directive
Article 29 – paragraph 5 – subparagraph 1 – point a
(a) where applicable, temporarily suspend or request a certification or authorisation body to temporarily suspend a certification or authorisation concerning part or all the services or activities provided by an essential entity until the entity takes the necessary action to remedy the deficiencies or comply with the requirements of the competent authority for which such sanctions were applied;
2021/06/03
Committee: ITRE
Amendment 565 #

2020/0359(COD)

Proposal for a directive
Article 29 – paragraph 5 – subparagraph 1 – point b
(b) impose or request the imposition by the relevant bodies or courts according to national laws of a temporary ban against any person discharging managerial responsibilities at chief executive officer or legal representative level in that essential entity, and of any other natural person held responsible for the breach, from exercising managerial functions in that entity from exercising managerial functions in that entity. This provision shall not apply to public administration entities as referred to in point (23) of Article 4.
2021/06/03
Committee: ITRE
Amendment 566 #

2020/0359(COD)

Proposal for a directive
Article 29 – paragraph 5 – subparagraph 2
These sanctions shall be applied only until the entity takes the necessary action to remedy the deficiencies or comply with the requirements of the competent authority for which such sanctions were applied.deleted
2021/06/03
Committee: ITRE
Amendment 570 #

2020/0359(COD)

Proposal for a directive
Article 29 – paragraph 7 – point c
(c) the actual damage caused or losses incurred or potential damage or losses that could have been triggered, insofar as they can be determined. Where evaluating this aspect, account shall be taken, amongst others, of actual or potentialincluding financial or economic losses, effects on other services, and the number of users affected or potentially affected;
2021/06/03
Committee: ITRE
Amendment 574 #

2020/0359(COD)

Proposal for a directive
Article 30 – paragraph 2 – point b
(b) targeted security audits based on risk assessments orperformed by the competent authority, risk assessments performed by the audited entity, or in the absence thereof, risk-related available information;
2021/06/03
Committee: ITRE
Amendment 575 #

2020/0359(COD)

Proposal for a directive
Article 30 – paragraph 2 – point c
(c) security scans based on objective, non-discriminatory, fair and transparent risk assessment criteria;
2021/06/03
Committee: ITRE
Amendment 577 #

2020/0359(COD)

Proposal for a directive
Article 30 – paragraph 4 – point h
(h) make a public statement which identifies the legal and natural person(s) responsible for the infringement of an obligation laid down in this Directive and the nature of that infringement;deleted
2021/06/03
Committee: ITRE
Amendment 582 #

2020/0359(COD)

Proposal for a directive
Article 32 – paragraph 1
1. Where the competent authorities have indications that the infringement by an essential or important entity of the obligations laid down in Articles 18 and 20 entails a personal data breach, as defined by Article 4(12) of Regulation (EU) 2016/679 which shall be notified pursuant to Article 33 of that Regulation, they shall inform the supervisory authorities competent pursuant to Articles 55 and 56 of that Regulation within a reasonable period of timeout undue delay.
2021/06/03
Committee: ITRE
Amendment 586 #

2020/0359(COD)

Proposal for a directive
Article 35 – paragraph 1 a (new)
As regards Digital Providers referred to in point (6) of Annex II, where platforms operated by such important entities are classified as very large online platforms within the meaning of Article 25 of Regulation (EU) XXXX/XXXX [Single Market For Digital Services (Digital Services Act) and amending Directive 2000/31/EC], or where the providers of core platform services are designated as gatekeepers within the meaning of Article 3 of Regulation (EU) XXXX/XXXX [Contestable and fair markets in the digital sector (Digital Markets Act)], these providers shall be designated as essential entities within the meaning of this Directive to adequately address the functioning of the economy and society in relation to cybersecurity, given the systemic risk stemming from the functioning and use made of their services in the Union, or the important gateway function that their core platform services serve for business users to reach end users.
2021/06/03
Committee: ITRE
Amendment 264 #

2020/0340(COD)

Proposal for a regulation
Article 5 – paragraph 6
(6) Where the re-use of data cannot be granted in accordance with the obligations laid down in paragraphs 3 to 5 and there is no other legal basis for transmitting the data under Regulation (EU) 2016/679, the public sector body shall support re-users in seeking consent of the data subjects and/or permission from the legal entities whose rights and interests may be affected by such re-use, where it is feasible without disproportionate cost for the public sector. In that task they may be assisted by the competent bodies referred to in Article 7 (1). All processing of personal data shall occur in full compliance with the GDPR and be accompanied by appropriate data protection safeguards. Re-use of data must be conditional on the signature by the re-user of a confidentiality agreement as set out in recital 11.
2021/06/07
Committee: LIBE
Amendment 322 #

2020/0340(COD)

Proposal for a regulation
Article 12 – paragraph 3
(3) The designated competent authorities, the data protection authorities, the national competition authorities, the authorities in charge of cybersecurity, and other relevant sectorial authorities shall exchange the information which is necessary for the exercise of their tasks in relation to data sharing providers. The data protection authorities shall be designated as the main competent authorities for the supervision and enforcement of the provisions under Chapter IV of the Regulation.
2021/06/07
Committee: LIBE
Amendment 390 #

2020/0340(COD)

Proposal for a regulation
Article 5 – paragraph 6
(6) Where the re-use of data cannot be granted in accordance with the obligations laid down in paragraphs 3 to 5 and there is no other legal basis for transmitting the data under Regulation (EU) 2016/679, the public sector body shall support re-users in seeking consent of the data subjects and/or permission from the legal entities whose rights and interests may be affected by such re-use, where it is feasible without disproportionate cost for the public sector. In that task they may be assisted by the competent bodies referred to in Article 7 (1). All processing of personal data shall occur in full compliance with the GDPR and be accompanied by appropriate data protection safeguards. Re-use of data must be conditional on the signature by the re-user of a confidentiality agreement as set out in Recital 11.
2021/04/28
Committee: ITRE
Amendment 534 #

2020/0340(COD)

Proposal for a regulation
Article 12 – paragraph 3
(3) The designated competent authorities, the data protection authorities, the national competition authorities, the authorities in charge of cybersecurity, and other relevant sectorial authorities shall exchange the information which is necessary for the exercise of their tasks in relation to data sharing providers. The data protection authorities shall be designated as the main competent authorities for the supervision and enforcement of the provisions under Chapter IV of the Regulation.
2021/04/28
Committee: ITRE
Amendment 632 #

2020/0340(COD)

Proposal for a regulation
Article 20 – paragraph 3
(3) The competent authority shall undertake its tasks in cooperation with the data protection authority, where such tasks are related to processing of personal data, and with relevant sectoral bodies of the same Member State. For any question requiring an assessment of compliance with Regulation (EU) 2016/679, the competent authority shall first seek an opinion or decision by the competent supervisory authority established pursuant to that Regulation and comply with that opinion or decision. The data protection authorities shall be designated as the main competent authorities for the supervision and enforcement of the provisions under Chapter IV of the Regulation.
2021/04/28
Committee: ITRE
Amendment 23 #

2019/2166(INI)

Motion for a resolution
Citation 15 a (new)
— having regards to its resolution of 21 January 2021 on the EU Strategy for Gender Equality (2019/2169(INI)),
2021/03/02
Committee: JURIFEMM
Amendment 88 #

2019/2166(INI)

Motion for a resolution
Recital E a (new)
E a. Whereas education plays a fundamental role in building children’s and young peoples’ skills to form healthy relationships, notably by addressing gender norms, gender equality, power dynamics in relationships, consent, respect for boundaries, and helps to combat gender-based violence; whereas according to the UNESCO International technical guidance on sexuality education, curriculum-based programmes on comprehensive sexuality education (CSE) enable children and young people to develop knowledge, attitudes and skills, including respect for human rights, gender equality, consent and diversity and it empowers children and young people;
2021/03/02
Committee: JURIFEMM
Amendment 115 #

2019/2166(INI)

Motion for a resolution
Recital H a (new)
H a. Whereas anonymous complaints and complaints later retired by victims may hamper further investigation by the authorities and present an obstacle to the prevention of further violence;
2021/03/02
Committee: JURIFEMM
Amendment 155 #

2019/2166(INI)

Motion for a resolution
Recital P a (new)
P a. Whereas article 83(1) of the TFEU provides for the possibility to establish minimum rules concerning the definition of criminal offences and sanctions in the areas of particularly serious crime with a cross-border dimension resulting from the nature or impact of such offences or from a special need to combat them on a common basis; whereas on the basis of developments in crime, the Council may adopt a decision identifying other areas of crime that meet the criteria specified in the paragraph, after obtaining the consent of the European Parliament. Whereas article 83 (2) of the TFEU provides for the possibility to establish minimum rules with regard to the definition of criminal offences and sanctions, in order to ensure the effective implementation of a Union policy in an area which has been subject to harmonisation measures
2021/03/02
Committee: JURIFEMM
Amendment 161 #

2019/2166(INI)

Motion for a resolution
Paragraph 1
1. Strongly condemnCondemns in the strongest possible terms all forms of violence against women and deplores the fact that women continue to be exposed to intimate partner violence which constitutes a serious violation of their human rights and dignity;
2021/03/02
Committee: JURIFEMM
Amendment 164 #

2019/2166(INI)

Motion for a resolution
Paragraph 1 a (new)
1 a. Points out that the Istanbul Convention is a pivotal instrument against gender-based violence; deplores the fact that the Convention has not been ratified by the European Union yet; regrets that to this date only 21 EU Member States have ratified it; notes with great concern that the effective implementation of the Convention is still patchy across Europe; calls therefore on the Member States that ratified the Convention to step up their efforts in ensuring its full implementation;condemns the attempts at setting back progresses made in the fight against gender-based violence, including domestic violence, that are going on in some Member states; supports the Commission’s plan to continue pushing for the EU-wide ratification of the Istanbul Convention; calls on remaining Member States to swiftly complete the ratification process; underlines, in this context, the need for specific measures to address the existing disparities in laws, policies and services between Member States and the increase in domestic and gender-based violence during the COVID- 19 pandemic; warmly welcomes, therefore, the Commission’s intention to propose a directive to tackle all forms of gender-based violence to complement and achieve the objectives of the Istanbul Convention, as the EU’s accession remains blocked; calls on the Council to add gender-based violence to the list of criminal offences in the EU;
2021/03/02
Committee: JURIFEMM
Amendment 172 #

2019/2166(INI)

Motion for a resolution
Paragraph 1 b (new)
1 b. Welcomes the EU Strategy on victims’ rights (2020-2025) which will address the specific needs of victims of gender-based violence, in particular a specific approach for psychological violence against women and the impact on their mental health on the long run; stresses the need to address the current gaps in the EU legislation and asks the Commission to put forward, without delay, a proposal for a review of the Victims’ Rights Directive with regard to international standards on violence against women, such as the Istanbul Convention, with a view to enhancing the legislation on victims’ rights and the protection and compensation of victims; stresses the need for all victims to have effective access to justice through the implementation of the Victims’ Rights Directive, which is still lacking in some Member States; asks for the continued promotion of victims’ rights also through existing instruments such as the European Protection Order;
2021/03/02
Committee: JURIFEMM
Amendment 175 #

2019/2166(INI)

Motion for a resolution
Paragraph 1 c (new)
1 c. Calls on the Commission to develop a European Union protocol on violence against women in times of crisis and emergency to prevent violence against women and to support victims of gender- based violence during emergencies such as the COVID-19 pandemic; highlights that this protocol should include essential protection services for victims; Calls on the Commission to coordinate the sharing of best practices between the Member States, to promote accurate and comparative data collection, to accurately measure the extent of such violence, to consider the possibility of producing forecasts, and to assess the impact of COVID-19 on the provision of key services to victims; stresses the need to urgently collect harmonised data on gender-based violence and calls on the Member States to collect and provide the relevant data when requested, including to Eurostat; welcomes the Commission’s commitment to carry out a new EU survey on gender-based violence with the results to be presented in 2023; underlines the urgency of completing such a survey due to the spike in gender-based violence, and especially domestic violence, during the COVID-19 pandemic;
2021/03/02
Committee: JURIFEMM
Amendment 178 #

2019/2166(INI)

Motion for a resolution
Paragraph 1 d (new)
1 d. Encourages the exchange between Member States of guidelines, good practices and protocols that have resulted to be effective in addressing intimate partner violence, especially during emergencies; stresses that arrest in flagrante delicto should be compulsory and that, if legal conditions for arrest are not met, the alleged abuser should nonetheless be immediately removed from the victim's house and kept away from the victim's workplace to prevent the risk of further violence;
2021/03/02
Committee: JURIFEMM
Amendment 182 #

2019/2166(INI)

Motion for a resolution
Paragraph 1 e (new)
1 e. Points out that education is pivotal to eradicate gender based violence, and intimate partner violence in particular; calls on Member States to include issues such as equality between women and men, non-stereotyped gender roles, mutual respect, non-violent conflict resolution in interpersonal relationships, gender-based violence against women and the right to personal integrity, age appropriate sexuality education, adapted to the evolving capacity of learners, in formal curricula and at all levels of education;
2021/03/02
Committee: JURIFEMM
Amendment 183 #

2019/2166(INI)

Motion for a resolution
Paragraph 1 f (new)
1 f. Urges the Member States to continue analysing data on and tendencies in the prevalence of and reporting on domestic violence, as well as the consequences for children; asks the Member States to establish safe and flexible emergency warning systems, offer new assistance services by phone, email and text message for direct police outreach and online services such as helplines, concealed apps, digital platforms, pharmacy networks, and provide emergency funding to support services, non-governmental organisations and civil society organisations (CSOs); calls on the Member States to ensure that support services take a coordinated approach to identifying women at risk, to ensure that all these measures are available and accessible to all women and girls within their jurisdiction; invites the Member States to share national innovations and best practices in addressing gender-based violence to better identify and promote efficient practices, and calls on the Commission to promote those practices;
2021/03/02
Committee: JURIFEMM
Amendment 285 #

2019/2166(INI)

Motion for a resolution
Paragraph 10
10. Calls on the Member States to 10. promote better access to legal protection, effective hearings and restraining orders, counselling and victim funds for women victims of intimate partner violence, and to apply particular procedures and give support to mothers who are victims of domestic violence, in order to prevent them from becoming victims again as a result of losing custody of their children; condemns the use, assertion and acceptance of non- scientific theories in custody cases in order to prevent mothers from obtaining custody, including the disproved theory of Parental Alienation Syndrome, which has no scientific validity or reliability and has been refuted by the scientific community;
2021/03/02
Committee: JURIFEMM
Amendment 320 #

2019/2166(INI)

Motion for a resolution
Paragraph 11 a (new)
11 a. Underlines the paramount importance of establishing training, procedures and guidelines for all professionals dealing with the victims in order to individuate markers of intimate partner violence even without explicit complaints by the victims; calls on the Commission and the Member States to tackle the issue of anonymous complaints and complaints later retired by the victims; stresses that anonymous complaints and complaints later retired may derive from a lack of trust in authorities by the victims and that such a phenomenon can be addressed by guaranteeing effective and rapid procedures to protect the victims, as well as by ensuring the accountability of violent partners; encourages the creation of law enforcement's databases that keep record of all details pertaining to intimate partner violence operations even without an explicit complaint by the victim, in order to monitor and prevent further episodes of violence;
2021/03/02
Committee: JURIFEMM
Amendment 331 #

2019/2166(INI)

Motion for a resolution
Paragraph 11 b (new)
11 b. Encourages good practices already existing in some Member States to prevent further violence, such as the recording of the victims' telephone numbers in special lists related to stalking and intimate partner violence, in order to give absolute priority to possible future calls during emergencies and facilitate effective law- enforcement interventions;
2021/03/02
Committee: JURIFEMM
Amendment 333 #

2019/2166(INI)

Motion for a resolution
Paragraph 11 c (new)
11 c. Emphasises that the certainty of punishment of abusers is essential to both deter further violence, and reinforce trust in public authorities especially by the victims; however, further points out that prison term by itself is not enough to prevent future violence and that specific rehabilitation and re-education programs are necessary; calls on the Member States to set up or support programmes aimed at teaching perpetrators of domestic violence to adopt non-violent behaviour in interpersonal relationships with a view to preventing further violence and changing violent behavioural patterns; highlights that the safety of, support for and the human rights of victims are of primary concern and that, where appropriate, these programmes should be set up and implemented in close coordination with specialist support services for victims
2021/03/02
Committee: JURIFEMM
Amendment 362 #

2019/2166(INI)

Motion for a resolution
Paragraph 14 a (new)
14 a. Points out that fair remuneration and economic independence are key factors for enabling women to leave abusive and violent relationships; calls on the Commission and the Member States to promote and support such an independence, including through the support of women entrepreneurs and workers; welcomes the proposal for a directive on adequate minimum wages and the proposal for binding pay transparency measures;
2021/03/02
Committee: JURIFEMM
Amendment 9 #

2019/2164(INI)

Motion for a resolution
Citation 10 a (new)
- having regard to the 2020 Women in Digital Scoreboard1a , _________________ 1a https://ec.europa.eu/digital-single- market/en/news/digital-economy- scoreboard-shows-women-europe-are- less-likely-work-or-be-skilled-ict
2021/02/02
Committee: FEMM
Amendment 25 #

2019/2164(INI)

Motion for a resolution
Recital B
B. whereas the EU is facing an unparalleled shortage of women in science, technology, engineering and mathematics (STEM) careers and education, particularly considering that women make up 52 % of the European population, yet only account for 2 out of 5 scientists and engineers6 ; whereas although there has been a positive trend in the involvement and interest of girls in STEM education, the percentages remain insufficient; whereas attitudes towards STEM do not differ between boys and girls through primary education, and in many cases girls often outperform boys in STEM and ICT-related tasks7 ; whereas, however, girls fear that they will be less successful than boys in STEM-related careers; whereas women are under- represented at all levels in the digital sector in Europe, from students (32% at Bachelor, Master or equivalent level) up to top academic positions (15%); whereas the gap is largest in ICT specialist skills and employment, where only 18% are women in the EU7a ; _________________ 6 Eurostat, Human resources in science and technology, annual average data 2016- 2020. 7 O’Dea, R.E., Lagisz, M., Jennions, M.D. et al., Gender differences in individual variation in academic grades fail to fit expected patterns for STEM, Nature Communications 9, 3777, 2018. 7a https://ec.europa.eu/digital-single- market/en/news/digital-economy- scoreboard-shows-women-europe-are- less-likely-work-or-be-skilled-ict
2021/02/02
Committee: FEMM
Amendment 37 #

2019/2164(INI)

Motion for a resolution
Recital C a (new)
C a. whereas gender stereotypes greatly influence subject choices; whereas very few teenage girls in EU Member States (less than 3 %) express an interest in working as an ICT professional at the age of 30 1a; whereas teachers and parents can deepen gender stereotypes by discouraging girls from pursuing a career in ICT; whereas eliminating gender- specific expectations about professions and fostering female role models in science, technology, engineering and mathematics (STEM) and ICT can encourage girls to study ICT; _________________ 1a2018 International Computer and Information Literacy Study (ICILS).
2021/02/02
Committee: FEMM
Amendment 44 #

2019/2164(INI)

Motion for a resolution
Recital D
D. whereas the low numbers of women who work in innovative technologies, such as artificial intelligence (AI), can negatively affect the design, development and implementation of these technologies, causing the replication of existing discriminatory practices and stereotypes, and the development of ‘gender-biased algorithms’; whereas efforts to tackle gender bias and inequality in the digital sector are insufficient; whereas the gender gap persists across all digital technology domains and especially with regard to AI, thereby solidifying a male- biased trajectory for the digital sector in the foreseeable future;
2021/02/02
Committee: FEMM
Amendment 59 #

2019/2164(INI)

Motion for a resolution
Recital E a (new)
E a. whereas that 30% of entrepreneurs are women in Europa, but they only receive 2%of the non-bank financing available 1a; whereas this figure seems to has dropped to 1% with the pandemic; _________________ 1aFunding women entrepreneurs. How to empower growth. European Commission, 2018
2021/02/02
Committee: FEMM
Amendment 62 #

2019/2164(INI)

Motion for a resolution
Recital E b (new)
E b. whereas the COVID19 crisis is likely to result in permanent changes to life in Europe, in which digitalisation will have a major role; whereas COVID 19 is also widening the digital gender gap 1a, as women's digital literacy is lacking and majority of services are digitalized; _________________ 1ahttp://www.oecd.org/digital/bridging- the-digital-gender-divide.pdf
2021/02/02
Committee: FEMM
Amendment 65 #

2019/2164(INI)

Motion for a resolution
Recital E c (new)
E c. whereas the FRA’s survey on violence against women shows that 14 % of women have experienced cyber harassment since the age of 15; whereas high incidences of sexual harassment have been reported in STEM education sites, which further excludes women from the sector; whereas many women have been the victims of new forms of online sexual and psychological harassment during the COVID-19 period; whereas measures to address these new forms of sexual and psychological harassment are urgently needed; whereas the hyper- sexualisation and exploitation of women online, in particular via internet pornography, have a devastating effect on the construction of sexuality and on gender equality;
2021/02/02
Committee: FEMM
Amendment 98 #

2019/2164(INI)

Motion for a resolution
Paragraph 5
5. Calls on the Member States to combat gendered labour market segmentation in STEM careers by investing in formal, informal and non- formal education, lifelong learning and vocational training for women to ensure their access to high-quality employment and opportunities to re- and up-skill for future labour market demand and avoiding the present vicious circle of segregation of labour; calls, in particular, for greater promotion of entrepreneurship, STEM subjects and digital education for girls from an early age, in order to combat existing educational stereotypes and ensure more women enter developing and well- paid sectors;
2021/02/02
Committee: FEMM
Amendment 102 #

2019/2164(INI)

Motion for a resolution
Paragraph 5 a (new)
5 a. Emphasizes that the COVID 19 is opening a new stage in the world of work, education, governance and everyday life. Therefore, digital literacy and capabilities are becoming very important, as well as new conditions on teleworking that have shown an important gender divide during the pandemic and lockdowns; highlights the urgency to promote gender balance in the digital sector due the way that people and companies use ICT and other digital technologies to work and interact for the new digital society;
2021/02/02
Committee: FEMM
Amendment 109 #

2019/2164(INI)

Motion for a resolution
Paragraph 6
6. Welcomes the Digital Education Action Plan 2021-2027 and its action to ‘Encourage women’s participation in STEM’, and hopes that it will help to develop more attractive and creative ways to encourage girls to pursue STEM studies, as well as to boost women’s self- confidence in their digital skills; stresses thar girls only represent 36% of STEM graduates 1a, despite the fact that girls outperform boys in digital literacy 1b; _________________ 1ahttps://op.europa.eu/en/publication- detail/-/publication/9540ffa1-4478-11e9- a8ed-01aa75ed71a1/language-en. 1b2018 International Computer and Information Literacy Study (ICILS).
2021/02/02
Committee: FEMM
Amendment 113 #

2019/2164(INI)

Motion for a resolution
Paragraph 6 a (new)
6 a. Highlights that participation of girls and women in the field of science, technology, engineering, arts and mathematics (STEAM) must be actively promoted through concrete policy action to foster their full participation and inclusion in the digital economy;
2021/02/02
Committee: FEMM
Amendment 119 #

2019/2164(INI)

Motion for a resolution
Paragraph 7
7. Recognises the role of school and teachers in eliminating the gender gap in STEM education, and highlights the role of education in promoting the presence of girls in STEM-related courses and in establishing benchmarks to monitor female recruitment and retention; highlights that education systems and the overall learning environment play a pivotal role in determining girls’ interests in STEAM -including Arts- subjects and in providing equal opportunities to access high quality STEAM education;
2021/02/02
Committee: FEMM
Amendment 136 #

2019/2164(INI)

Motion for a resolution
Paragraph 8 a (new)
8 a. Emphasises the need for investment in education and training and gender-sensitive recruitment and selection processes across private and public sectors, and particularly in future- oriented sectors such as STEM and the digital sector where women are underrepresented; highlights in that regard that discrimination on grounds of gender damages not only the individual but also society as a whole;
2021/02/02
Committee: FEMM
Amendment 201 #

2019/2164(INI)

Motion for a resolution
Paragraph 15
15. Highlights that one of AI’s most critical weaknesses relates to certain types of biases such as gender, race or sexual orientation as a result of humans’ inherent biases; encourages the relevant actors to take action and promote a greater role for women in the design, development and implementation of machine learning, natural language processing and AI; underlines that AI must not reinforce gender inequalities and stereotypes by transforming analogue biases and prejudices into digital ones through algorithms;
2021/02/02
Committee: FEMM
Amendment 203 #

2019/2164(INI)

Motion for a resolution
Paragraph 15 a (new)
15 a. Stresses the need for social dialogue as regards the implementation of AI in general and ahead of any AI deployment at company level in particular; calls on the Commission and the Member States to ensure trade union access to workplaces, albeit in digital form, in order to promote collective bargaining and guarantee a human- centred approach to AI at work;
2021/02/02
Committee: FEMM
Amendment 205 #

2019/2164(INI)

Motion for a resolution
Paragraph 16
16. Recognises that AI, if it is free of underlying biases, can be a powerful tool to overcome gender inequalities and stereotypes through the development of unbiased algorithms that contribute to overall fairness and well-being; stresses the importance of a common European approach with regard to the ethical aspects of AI; underlines that any regulatory framework for AI in the European Union must ensure that consumer and workers’ rights are fully respected in the digital economy, and contribute to better working and employment conditions, including a better work-life balance ; stresses, in addition, that the European AI framework must respect European values, Union rules and the principles of the European Pillar of Social Rights;
2021/02/02
Committee: FEMM
Amendment 213 #

2019/2164(INI)

Motion for a resolution
Paragraph 17 a (new)
17 a. Calls on the Commission to assist Member States’ competent authorities to pay special attention to new forms of violence against women and girls such as cyber harassment, and cyberstalking 1a and to carry out ongoing evaluations and address them more effectively; _________________ 1aViolence against women: an EU-wide survey. Main results - report by FRA, p. 87
2021/02/02
Committee: FEMM
Amendment 41 #

2018/0330B(COD)

Proposal for a regulation
Recital 81 a (new)
(81 a) FADO is specifically created for the purpose of hosting specimen documents and examples of falsified documents that include descriptions of methods of falsification and forgery provided by Member States, and might also host such documents originating from third countries, territorial entities, international organisations and other entities subject to international law. As a direct consequence of that purpose, it should be possible to store personal data in the form of facial images in FADO in so far as the security features of a document cannot be separated from those facial images, or where a false, forged, counterfeit or pseudo document imitates security features that cannot be separated from a facial image. No alphanumeric personal data should be stored in FADO. The European Border and Coast Guard Agency established by Regulation (EU) 2019/... of the European Parliament and of the Council (‘the Agency’) should take the necessary steps to anonymise all elements of personal data which is not necessary in relation to the purposes for which the data is processed in accordance with the principle of data minimisation, provided for in point (c) of Article 4(1) of Regulation (EU) 2018/1725. It should not be possible to retrieve or search any elements of personal data in FADO.
2019/10/17
Committee: LIBE
Amendment 45 #

2018/0330B(COD)

Proposal for a regulation
Recital 81 b (new)
(81 b) FADO should contain information on all types of genuine travel, identity, residence and civil status documents, driving licenses and vehicle licenses issued by Member States and falsified versions of such documents in their possession, and might also contain other related official documents that are used when applying for travel, residence or identity documents issued by Member States. It might also contain any such documents issued by third countries, territorial entities, international organisations and other entities subject to international law.
2019/10/17
Committee: LIBE
Amendment 46 #

2018/0330B(COD)

Proposal for a regulation
Recital 81 c (new)
(81 c) While Member States can maintain or develop their national systems containing information on genuine and false documents, they should be obliged to provide the Agency with information on genuine travel, identity, residence and civil status documents, driving licenses and vehicle licenses which they issue, and falsified versions of such documents in their possession. The Agency should upload that information to FADO in order to guarantee the uniformity and quality of the information. In particular, Member States should provide all security features of new versions of genuine documents issued by Member States that are covered by this Regulation.
2019/10/17
Committee: LIBE
Amendment 47 #

2018/0330B(COD)

(81 d) In order to ensure a high level of control of document fraud by Member States, the Member States’ authorities competent in the area of document fraud such as border police, other law enforcement authorities or certain other third parties should be provided with differing levels of access to FADO, depending on their requirements. As the conditions and measures for granting such access are non-essential elements supplementing this Regulation, they should be laid down by means of delegated acts. Equally, FADO should enable certain users to have at their disposal information on any new forgery methods that are detected and on new genuine documents that are in circulation.
2019/10/17
Committee: LIBE
Amendment 51 #

2018/0330B(COD)

Proposal for a regulation
Recital 101 a (new)
(101 a)In order to ensure the effective implementation of the FADO system, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission in respect of the establishment of measures granting access to FADO to Member States’ authorities competent in the area of document fraud, and the establishment of measures granting restricted access to FADO to third parties such as airlines, Union institutions, bodies, offices and agencies, third countries or international organisations. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making1a. In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council should receive all documents at the same time as Member States' experts, and that their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts. _________________ 1a OJ L 123, 12.5.2016, p.1
2019/10/17
Committee: LIBE
Amendment 52 #

2018/0330B(COD)

Proposal for a regulation
Article 80
1. The Agency shall take over and operate False and Authentic Documents Online (FADO) which is a database that shall contain information on genuine travel and residence documents issued by Member States, third countries, territorial entities, international organisations and other entities subjects of international law and on falsifications thereof. The FADO system shall not contain any personal data. The Member States shall transmit the data currently in FADO to the new system. 2. The Commission shall adopt implementing acts in accordance with the procedure referred to in Article 117(2) in order to: (a) establish the technical specifications of FADO according to high standards; (b) set up the procedures for controlling and verifying the information contained in FADO.Article 80 deleted
2019/10/17
Committee: LIBE
Amendment 58 #

2018/0330B(COD)

Proposal for a regulation
Article 80 a (new)
Article 80 a Scope FADO shall contain information on genuine travel, identity, residence and civil status documents, driving licenses, vehicle licenses issued by Member States and falsified versions of such documents in their possession, and may also contain other related official documents that are used when applying for travel, residence or identity documents issued by Member States, and where applicable, by third countries, territorial entities, international organisations and other entities subject to international law, and information on falsifications thereof.
2019/10/17
Committee: LIBE
Amendment 61 #

2018/0330B(COD)

Proposal for a regulation
Article 80 b (new)
Article 80 b Categories of documents and data contained in FADO 1. FADO shall include the following: (a) information, including images, on genuine documents and their security features; (b) information, including images on false, forged, counterfeit or pseudo documents and their fraud characteristics; (c) summary information on forgery techniques; (d) summary information on the security features of the genuine documents; (e) statistics on detected false documents; (f) recommendations on effective ways of detecting specific methods of forgery. FADO may also contain handbooks, contact lists and information on valid travel documents and their recognition by Member States, as well as other useful related information. FADO shall not contain personal data, except for facial images in so far as the security features of a document cannot be separated from those facial images, or where the false, forged, counterfeit or pseudo document imitates security features that cannot be separated from a facial image. No alphanumeric personal data shall be stored in FADO. Member States shall ensure that individuals whose personal data is contained in specimen documents have given their consent, including for processing of their personal data in FADO. 2. Member States shall transmit the data on genuine and fraudulent travel, identity, residence and civil status documents, driving licenses and vehicle licenses that they possess to the European Border and Coast Guard Agency (‘the Agency’). Member States may also transmit to the Agency data on other genuine official documents that are used when applying for travel, residence or identity documents issued by Member States or falsifications of any of those documents.
2019/10/17
Committee: LIBE
Amendment 65 #

2018/0330B(COD)

Proposal for a regulation
Article 80 c (new)
Article 80 c Responsibilities of the Agency 1. The Agency shall be responsible for establishing FADO in accordance with this Regulation. The Agency shall ensure the functioning of FADO 24 hours a day, 7 days a week and provide for its maintenance and updating. 2. The Agency shall provide the Member States’ competent authorities with near real-time assistance in the detection and identification of falsified documents. 3. The Agency shall be responsible for uploading the information received from the Member States in a timely and efficient manner in order to guarantee the uniformity and quality of the data while ensuring the respect for the principle of data minimisation provided for in point (c) of Article 4(1) of Regulation (EU) 2018/1725. 4. The Agency shall be responsible for uploading information on documents from third countries, territorial entities, international organisations and other entities subject to international law, and information on falsifications thereof .
2019/10/17
Committee: LIBE
Amendment 68 #

2018/0330B(COD)

Proposal for a regulation
Article 80 d (new)
Article 80 d FADO architecture and access to the system The FADO architecture shall enable: (a) document experts of the Member States’ authorities competent in the area of document fraud, such as border police and other law enforcement authorities, to access the system in an unrestricted manner; (b) Member States’ authorities and third parties, such as Union institutions, bodies, offices and agencies, to access the system in a restricted manner where they require access to limited information regarding the security features and falsification of documents; (c) third parties, such as airlines, third countries or international organisations that do not require detailed information regarding the security features and falsification of documents to access the system in a restricted manner, but shall not grant them access to any personal data that are not subject to the consent of the individual concerned; (d) the public to access the system in a restricted manner for specimen documents but shall not grant it access to personal data that are not subject to the consent of the individual concerned; the public shall only be provided with access to public information on security features.
2019/10/17
Committee: LIBE
Amendment 71 #

2018/0330B(COD)

Proposal for a regulation
Article 80 e (new)
Article 80 e Processing of personal data by the Agency The Agency shall apply Regulation (EU) 2018/1725 when processing personal data. In accordance with Article 80b, the Agency shall upload personal data, in the form of facial images, only to the extent that those images are strictly necessary to describe or illustrate the security feature or the method of falsification.
2019/10/17
Committee: LIBE
Amendment 72 #

2018/0330B(COD)

Proposal for a regulation
Article 80 f (new)
Article 80 f Delegated and implementing acts 1. The Commission shall adopt delegated acts in accordance with Article 80g acts concerning: (a) the establishment of measures granting access to FADO to Member States’ authorities competent in the area of document fraud; (b) the establishment of measures granting restricted access to FADO to third parties such as airlines, Union institutions, bodies, offices and agencies, third countries or international organisations. 2. The Commission shall adopt implementing acts in accordance with Article X concerning the establishment of: (a) the technical specifications for entering and storing information into the system; (b) the procedures for controlling and verifying the information contained in the system; (c) the determination of the date of the effective implementation of FADO by the Agency. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article X.
2019/10/17
Committee: LIBE
Amendment 73 #

2018/0330B(COD)

Proposal for a regulation
Article 80 g (new)
Article 80 g Exercise of delegation 1. The power to adopt delegated acts is conferred on to the Commission subject to the conditions laid down in this Article. 2. The power to adopt delegated acts referred to in Article 80f(1) shall be conferred on the Commission for an indeterminate period of time from … [date of entry into force of this Regulation]. 3. The delegation of power referred to in Article 80f(1) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force. 4. Before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making. 5. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council. 6. A delegated act adopted pursuant to Article 80f(1) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and to the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or of the Council.
2019/10/17
Committee: LIBE
Amendment 287 #

2018/0108(COD)

Proposal for a regulation
Recital 11 a (new)
(11 a) The respect for private and family life and the protection of natural persons regarding the processing of personal data are fundamental rights. In accordance with Articles 7 and 8(1) of the Charter and Article 16(1) of the TFEU, everyone has the right to respect for his or her private and family life, home and communications and to the protection of personal data concerning them. When implementing this Regulation, Member States should ensure that privacy and personal data are protected and processed only in accordance with Regulation (EU) 2016/679, Directive (EU) 2016/680 and Directive 2002/58/EC.
2019/12/11
Committee: LIBE
Amendment 344 #

2018/0108(COD)

Proposal for a regulation
Recital 40
(40) The requested data should be transmitted to the authorities at the latest within 10 days upon receipt of the EPOC. Shorter time limUpon receipt of the European Production Order Certificate (EPOC), the executing authority shall recognise the EPOC, when transmitted in accordance with this Regulation, without any measure or formality being necessary, and ensure its execution in an identical manner and under the same modalities as if the investigative measure concerned had been ordered by an authority of the executing State, within 10 days upon receipt of the EPOC. Within that period of 10 days, the executing authoritsy should be respected by the provider in emergency cases and if the issuing authority indicates other reasons to depart from the 10 day deadline. In addition to the imminent danger of the deletion of the requested data, such reasons could include circumstances that are related toable to object to the European Production Order and invoke one of the grounds for non- recognition or non-execution provided for in this Regulation, while the service provider should preserve the requested data. Where the executing authority objects, it should inform the issuing authority, the service provider and, where applicable, the affected authority of such decision. If the executing authority has not invoked any ongoing investigation, for example where the requested data is associated to other urgent investigative meaf the grounds listed in this Regulation within that 10 days period, the service provider to which the order is addressed should be required to immediately ensures that cannot be conducted withoutthe requested data is transmitted directly to the missuing data or are otherwise dependent on itauthority or to the law enforcement authorities as indicated in the EPOC.
2019/12/11
Committee: LIBE
Amendment 346 #

2018/0108(COD)

Proposal for a regulation
Recital 40 a (new)
(40 a) In emergency cases, the executing authority should recognise the EPOC, when transmitted in accordance with this Regulation, without any measure or formality being necessary and ensure its execution in the same way and under the same modalities as if the investigative measure concerned had been ordered by an authority of the executing State, within 24 hours upon receipt of the EPOC, while the service provider should preserve the requested data. If the executing authority has not invoked any of the grounds listed in this Regulation within that 24 hours period, the service provider to which the order is addressed should immediately ensure that the requested data is transmitted directly to the issuing authority or to the law enforcement authorities as indicated in the EPOC.
2019/12/11
Committee: LIBE
Amendment 352 #

2018/0108(COD)

Proposal for a regulation
Recital 42
(42) Upon receipt of a European Preservation Order Certificate (EPOC- PR), the service providerexecuting authority should preserve requested data for a maximum of 60 days unless the issuing authority informs the service provider that it has launched the procedure for issuing a subsequent request for production, in which case the preservation should be continued. The 60 day period is calculated to allow for the launch of an official request. This requicognise the EPOC-PR, when transmitted in accordance with this Regulation, without any measure or formality being necessary and ensure its execution in the same way and under the same modalities as if the investigative measure concerned had been ordered by an authority of the executing State, within 10 days upon receipt of the EPOC-PR. Within that 10 days period, the executing authority should be able to object to the European Preservation Order and invoke one of the grounds for non-recognition or non-execution provided for in this Regulation, while the service provider should preserve the requested data. Wheres that at least some formal steps have been taken, for example by sending a mutual legal assistance request to translation. Following receipt of that ie executing authority objects, it should inform the issuing authority and the service provider of such decision and the preservation should cease immediately. If the executing authority has not invoked any of the grounds listed in this Regulation within that 10 days period, the service provider to which the order is addressed should continue to preserve the data for a 30 days period, renewable once. If the issuing authority confoirmation, the datas within that 30 days period that the subsequent EPOC has been issued, the service provider should be preserved the data as long as necessary until the data is produced in the framework of a subsequent request for productionfor the execution of the European Production Order. If the preservation is no longer necessary, the issuing authority should inform the addressees without undue delay.
2019/12/11
Committee: LIBE
Amendment 445 #

2018/0108(COD)

Proposal for a regulation
Article 2 – paragraph 1 – point 10
(10) ‘content data’ means any stored data in a digital format such as text, voice, videos, images, and sound other than subscriber, access or transactional datathe content stored, transmitted, distributed or exchanged by means of electronic communications services, such as text, voice, videos, images, and sound; where metadata of other electronic communications services or protocols are stored, transmitted, distributed or exchanged by using the respective services, they are to be considered content data for the respective service;
2019/12/11
Committee: LIBE
Amendment 495 #

2018/0108(COD)

Proposal for a regulation
Article 5 – paragraph 4 – introductory part
4. European Production Orders to produce transactionalffic data or content data may only be issued for criminal offences punishable in the issuing State by a custodial sentence of a maximum of at least 5 years, except for IP addresses.
2019/12/11
Committee: LIBE
Amendment 583 #

2018/0108(COD)

Proposal for a regulation
Article 9 – paragraph 1
1. Upon receipt of the EPOC, the addressee shall ensure that the requested data is transmitted directly to the issuing authority or the law enforcement authorities as indicated in the EPOC at the lexecuting authority shall recognise the EPOC, when transmitted in accordance with this Regulation, without any measure or formality being necessary and ensure its execution in the same way and under the same modalities as if the investigative measure concerned had been ordered by an authority of the executing Statest, within 10 days upon receipt of the EPOC, unless the issuing authority indicates reasons for earlier disclosure.
2019/12/11
Committee: LIBE
Amendment 592 #

2018/0108(COD)

Proposal for a regulation
Article 9 – paragraph 1 a (new)
1 a. Within the period of 10 days referred to in paragraph 1, while the service provider shall preserve the requested data, the executing authority may object to the EPOC and invoke one of the grounds for non-recognition or non-execution provided for in Article 10a. In that case, it shall inform the issuing authority, the service provider and, where applicable, the affected authority of such decision.
2019/12/11
Committee: LIBE
Amendment 594 #

2018/0108(COD)

Proposal for a regulation
Article 9 – paragraph 1 b (new)
1 b. If the executing authority has not invoked any of the grounds listed in Article 10a within the 10-day period, the service provider to which the order is addressed shall ensure that the requested data is immediately transmitted directly to the issuing authority or the law enforcement authorities as indicated in the EPOC.
2019/12/11
Committee: LIBE
Amendment 595 #

2018/0108(COD)

Proposal for a regulation
Article 9 – paragraph 2
2. In emergency cases, the addressee shall transmit the requested data without undue delay, at the lexecuting authority shall recognise the EPOC, when transmitted in accordance with this Regulation, without any measure or formality being necessary and ensure its execution in the same way and under the same modalities as if the investigative measure concerned had been ordered by an authority of the executing Statest, within 624 hours upon receipt of the EPOC, while the service provider shall preserve the requested data.
2019/12/11
Committee: LIBE
Amendment 602 #

2018/0108(COD)

Proposal for a regulation
Article 9 – paragraph 2 a (new)
2 a. If the executing authority has not invoked any of the grounds listed in Article 10a within the 24-hour period referred to in paragraph 2, the addressed service provider shall ensure that the requested data is immediately transmitted directly to the issuing authority or the law enforcement authorities as indicated in the EPOC.
2019/12/11
Committee: LIBE
Amendment 603 #

2018/0108(COD)

Proposal for a regulation
Article 9 – paragraph 2 b (new)
2 b. Where it is clear that the person whose data is sought is residing neither in the issuing State nor in the executing State, and the affected authority believes that one of the grounds for non- recognition or non-execution listed in Article 10a exists, it shall immediately inform the executing authority, based on a reasoned opinion. The executing authority shall take this reasoned opinion duly into account.
2019/12/11
Committee: LIBE
Amendment 625 #

2018/0108(COD)

Proposal for a regulation
Article 10 – paragraph 1
1. Upon receipt of the EPOC-PR, the addressee shall, without undue delay, preserve the data requested. The preservation shall cease after 60 days, unless the issuing authority confirms that the subsequent request for production has been launchedexecuting authority shall recognise the EPOC-PR, when transmitted in accordance with this Regulation, without any measure or formality being necessary and ensure its execution in the same way and under the same modalities as if the investigative measure concerned had been ordered by an authority of the executing State, within 10 days of receipt of the EPOC-PR.
2019/12/11
Committee: LIBE
Amendment 633 #

2018/0108(COD)

Proposal for a regulation
Article 10 – paragraph 1 a (new)
1 a. Within the 10-day period referred to in paragraph 1, while the service provider shall preserve the requested data, the executing authority may object to the EPOC-PR and invoke one of the grounds for non-recognition or non-execution provided for in Article 10a. In that case, it shall inform the issuing authority and the service provider of such decision and the preservation shall cease immediately.
2019/12/11
Committee: LIBE
Amendment 636 #

2018/0108(COD)

Proposal for a regulation
Article 10 – paragraph 1 b (new)
1 b. If the executing authority has not invoked any of the grounds listed in Article 10a within the 10 days period, the service provider to which the order is addressed shall continue to preserve the data for a period of 30 days, renewable once.
2019/12/11
Committee: LIBE
Amendment 639 #

2018/0108(COD)

Proposal for a regulation
Article 10 – paragraph 2
2. If the issuing authority confirms within the time30-day period set outreferred to in paragraph 1b that the subsequent request for pEuropean Production Order has been launchissued, the addresseeservice provider shall preserve the data as long as necessary to produce the data once the subsequent request for production is servedfor the execution of that European Production Order pursuant to Article 9.
2019/12/11
Committee: LIBE
Amendment 640 #

2018/0108(COD)

Proposal for a regulation
Article 10 – paragraph 3
3. If the preservation is no longer necessary, the issuing authority shall inform the addressees without undue delay and the preservation shall cease immediately.
2019/12/11
Committee: LIBE
Amendment 665 #

2018/0108(COD)

Article 10 a Grounds for non-recognition or non- execution 1. Without prejudice to Article 1(2), recognition or execution of the EPOC or EPOC-PR shall be refused by the executing authority, where: (a) the execution of the European Production Order or European Preservation Order would be contrary to the principle of ne bis in idem; (b) there are substantial grounds to believe that the execution of the European Production Order or European Preservation Order would be incompatible with Member State's obligations in accordance with Article 6 TEU and the Charter; or (c) there is an immunity or a privilege under the law of the executing State, or, where applicable, the affected State; 2. In addition to paragraph 1, recognition or execution of the EPOC or EPOC-PR may be refused by the executing authority, where: (a) the conditions for issuing a European Production Order or European Preservation Order, as laid down in Articles 5 and 6 of this Regulation are not fulfilled; (b) the EPOC or the EPOC-PR is incomplete or manifestly incorrect, inform or content, and has not been completed or corrected following the consultations referred to in Article 9 (3)and (4) and Article 10 (4) and (5) of this Regulation; (c) the execution of the European Production Order or European Preservation Order would harm essential national security interests, jeopardise the source of the information or involve the use of classified information relating to specific intelligence activities; (d) the European Production Order or European Preservation Order relates to a criminal offence which is alleged to have been committed outside the territory of the issuing State and the law of the executing State does not allow prosecution for the same offences when committed outside its territory; or EPOC or the EPOC-PR relates to a criminal offence which is alleged to have been committed wholly or partially on the territory of the executing State; (e) the conduct for which the EPOC or the EPOC-PR has been issued does not constitute an offence under the law of the executing State, unless it concerns an offence listed within the categories of offences set out in Annex IIIa, as indicated by the issuing authority in the EPOC or the EPOC-PR, if it is punishable in the issuing State by a custodial sentence or a detention order for a maximum period of at least three years; (f) the execution of the European Production Order or European Preservation Order is restricted under the law of the executing State to a list or category of offences or to offences punishable by a higher threshold; or (g) compliance with the European Production Order or the European Preservation Order would conflict with applicable laws of a third country that prohibits disclosure of the data concerned in accordance with national law of the executing state. 3. Where it is clear that the person whose data is sought is residing neither in the issuing State nor in the executing State, and the affected authority believes that one of the grounds listed in Article 10a exists, it shall immediately inform the executing authority, based on a reasoned opinion. The executing authority shall take that reasoned opinion duly into account. 4. Points (e) and (f) of paragraph 2 shall not apply to subscriber data and IP addresses. 5. Point (g) of paragraph 1 shall be applied in accordance with the procedure set out in Article 15. 6. Where the European Production Order or European Preservation Order concerns an offence in connection with taxes or duties, customs and exchange, the executing authority shall not refuse recognition or execution on the ground that the law of the executing State does not impose the same kind of tax or duty or does not contain a tax, duty, customs and exchange regulation of the same kind as the law of the issuing State. 7. In the cases referred to in paragraphs 1 and 2 of this Article, before deciding not to recognise or not to execute a European Production Order or European Preservation Order, either in whole or in part ,the executing authority shall consult the issuing authority, by any appropriate means, and shall, where appropriate, request the issuing authority to supply any necessary information without delay. 8. In the case referred to in point (c) of paragraph 1, and where power to waive the privilege or immunity lies with an authority of the executing State, the executing authority shall request it to exercise that power forthwith. Where power to waive the privilege or immunity lies with an authority of another State or international organisation, it shall be for the issuing authority to request the authority concerned to exercise that power. 9. The executing authority shall inform the issuing authority about the use of any of the grounds for non-recognition or non-execution as listed in paragraphs 1and 2 of this Article, by using the form set out in Annex III.
2019/12/11
Committee: LIBE
Amendment 666 #

2018/0108(COD)

Proposal for a regulation
Article 11 – title
Confidentiality and user informationUser information and confidentiality
2019/12/11
Committee: LIBE
Amendment 674 #

2018/0108(COD)

Proposal for a regulation
Article 11 – paragraph 1
1. AThe addressees and, if different, service providersshall inform the person whose data is being sought, without undue delay. When informing the person, the addressees shall include information about any available remedies as referred to in Article 17 and shall take the necessary measures to ensure the confidentiality of the EPOC or the EPOC- PR and of the data produced or preserved and where requested by the issuing authority, shall refrain from informing the person whose data is being sought in order not to obstruct the relevant criminal proceedings.
2019/12/11
Committee: LIBE
Amendment 677 #

2018/0108(COD)

Proposal for a regulation
Article 11 – paragraph 1 a (new)
1 a. Upon a duly justified request by the issuing authority, based on a court order, addressees shall refrain from informing the person whose data is being sought, in order not to obstruct the relevant criminal proceedings.
2019/12/11
Committee: LIBE
Amendment 680 #

2018/0108(COD)

Proposal for a regulation
Article 11 – paragraph 2
2. Where the issuing authority requested the addressees to refrain from informing the person whose data is being sought, upon a duly justified request, based on a court order, the issuing authority shall inform the person whose data is being sought by the EPOC or the EPOC-PR without undue delay about the data production or preservation. This information may be delayed as long as necessary and proportionate to avoid obstructing the relevant criminal proceedings, taking into account the rights of the suspected and accused person and without prejudice to defence rights and effective legal remedies.
2019/12/11
Committee: LIBE
Amendment 694 #

2018/0108(COD)

Proposal for a regulation
Article 11 a (new)
Article 11 a Limitations to the use of information obtained Electronic information which has been produced or preserved by an EPOC or EPOC-PR shall not be used for the purpose of proceedings other than those for which it was obtained in accordance with this Regulation.
2019/12/11
Committee: LIBE
Amendment 696 #

2018/0108(COD)

Proposal for a regulation
Article 11 b (new)
Article 11 b Admissibility and erasure of electronic information 1. Electronic information that has been gathered in breach of this Regulation shall not be admissible before a court and shall immediately be erased. 2. Electronic information that is no longer necessary for the investigation or prosecution for which it was produced or preserved, shall immediately be erased. For this, Member States shall provide for appropriate time limits to be established for the erasure of electronic information produced or preserved or for a periodic review of the need of the storage of the electronic information. Procedural measures shall ensure that those time limits are observed. 3. The affected person shall be informed about the erasure.
2019/12/11
Committee: LIBE
Amendment 717 #

2018/0108(COD)

Proposal for a regulation
Article 14 a (new)
Article 14 a Review procedure in case of conflicting obligations with third country law 1. Where the executing authority, either on its own or at the request of the service provider or, where applicable, based on a justified opinion from the affected authority, considers that compliance with the European Production Order or the European Preservation Order would conflict with applicable laws of a third country prohibiting disclosure of the data concerned, it shall inform the issuing authority within 10 days from the receipt of the order. 2. Such notice shall include all relevant details on the law of the third country, its applicability to the case at hand and the nature of the conflicting obligation. 3. The issuing authority shall review the European Production Order or the European Preservation Order and inform the addressees, within 10 days after receiving the notice, on the basis of the following criteria: (a) the interests protected by the relevant law of the third country, including fundamental rights as well as other interests preventing disclosure of the data, in particular national security interests of the third country; (b) the degree of connection of the criminal case for which the Order was issued to the jurisdiction of the issuing State and the third country, as indicated inter alia by: (i) the location, nationality and residence of the person whose data is being sought and/or of the victim(s); (ii) the place where the criminal offence in question was committed; (c) the degree of connection between the service provider and the third country in question; the data storage location by itself shall not suffice in establishing a substantial degree of connection; (d) the interests of the issuing State in obtaining the electronic information concerned, based on the seriousness of the offence and the importance of obtaining the electronic information in an expeditious manner; (e) the possible consequences for the addressees of complying with the European Production Order or the European Preservation Order, including the sanctions that may be imposed against the service providers. 4. Within 10 days after receiving the notice, the issuing authority may withdraw, uphold or adapt the Order where necessary, to give effect to these criteria. To this end, the issuing authority may seek information from the competent authority of the third country, in compliance with Directive (EU) 2016/680, to the extent that this does not obstruct the deadlines provided for in this Regulation. In the event of withdrawal, the issuing authority shall immediately inform the addressees of the withdrawal. 5. Where the issuing authority decides to uphold the Order, it shall inform the addressees of its decision. The executing authority, while duly taking into account the decision of the issuing authority, shall take a final decision based on the criteria listed in paragraph 3, within 10 days after receiving the decision of the issuing authority, and inform the issuing authority, the service provider and, where applicable, the affected State of its final decision. The executing authority may seek information from the competent authority of the third country, in compliance with Directive (EU) 2016/680,t o the extent that this does not obstruct the deadlines provided in this Regulation. 6. For the duration of the procedure referred to in Article 14a , the service provider shall preserve the data requested.
2019/12/11
Committee: LIBE