Annexes to COM(2018)637 - Securing free and fair European elections - Contribution to the Leaders’ meeting, September 2018 - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
dossier | COM(2018)637 - Securing free and fair European elections - Contribution to the Leaders’ meeting, September 2018. |
---|---|
document | COM(2018)637 |
date | September 12, 2018 |
9 Regulation (EU, Euratom) No 1141/2014 of the European Parliament and of the Council of 22 October 2014 on the statute and funding of European political parties and European political foundations, (OJ L 317, 4.11.2014, p.1).
10 Commission Recommendation (EU) 2018/234 of 14 February 2018 on enhancing the European nature and efficient conduct of the 2019 elections to the European Parliament (OJ L 45, 17.2.2018, p. 40).
11 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37).
12 User consent is required before websites can access such information or track a user's online behaviour, such as by storing cookies on the user's device.
13 Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), COM(2017)10 final.
14 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: Tacking online disinformation: a European Approach (COM(2018) 236 final).
15 To prepare this Code of Practice, the Commission convened a Forum in May 2018, which consists of a “Working Group” (composed of the major online platforms and representatives of the advertising industry and major advertisers) and a “Sounding Board” (composed of representatives of the media and civil society).
16 After the Sounding Board has issued its opinion.
5
bots17
marking systems and rules for bots to ensure that their activities cannot be confused with human interactions and intensify efforts to close fake accounts. The signatories should also agree to facilitate user assessment of content by encouraging the development of indicators of trustworthiness of content sources, dilute the visibility of disinformation by improving the findability of trustworthy content and provide users information on prioritisation of content by algorithms. Further, signatories should provide trusted fact-checking organisations and academia with access to platform data. An assessment of the Code of Practice will be part of the work towards an action plan with specific proposals for a coordinated EU response to the challenge of disinformation, to be presented by the Commission and the High Representative before the end of the year.
As far as more “traditional” cyber incidents are concerned, such as hacking into IT systems or defacing websites, definitions of offences and minimum maximum levels of penalties for attacks against information system have been harmonised at European Union level by Directive 2013/40/EU on Attacks against information systems.
The Cooperation Group established under Directive (EU) 2016/1148 of the European Parliament and of the Council18, has identified cybersecurity of elections as a common challenge. This Cooperation Group, which comprises the national competent authorities responsible for cybersecurity, the Commission, and the European Union Agency for Network and Information Security (‘ENISA’) has mapped existing national initiatives on cybersecurity of network and information systems used for elections. It has identified risks associated with an insufficient level of cybersecurity potentially affecting the next elections to the European Parliament and has drawn up a Compendium on Cyber Security of Election Technology, including technical and organisation measures based on experiences and best practices. The Compendium provides practical guidance for cyber security authorities and election management bodies.
2. Further bolstering democratic resilience: enhancing cooperation networks, online transparency, protection against cybersecurity incidents and fighting
disinformation campaigns in the context of elections to the European Parliament
Given the magnitude of the challenge, and since formal responsibilities in this field are shared between multiple authorities, meaningful results will only be achieved if all the relevant actors work together.
This Communication is accompanied by a Recommendation on election cooperation networks, online transparency, protection against cybersecurity incidents and fighting
17 Bots include automated posting on social media platforms and more interactive applications such as chatbots, which interact directly with users.
18 Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (OJ L 194, 19.7.2016, p. 1).
6
disinformation campaigns in the context of elections to the European Parliament. In order to ensure free and fair elections this Recommendation should be implemented by all actors in good time for the 2019 elections to the European Parliament.
In the Recommendation, we encourage each Member State to establish and support a national elections network. Member States authorities with competences in electoral matters should cooperate with authorities in connected fields (such as data protection authorities, media regulators, cyber security authorities etc.) timely and effectively. Where necessary, they should also engage with law enforcement authorities. This will enable them quickly to detect potential threats to the elections to the European Parliament and swiftly enforce existing rules, including available financial sanctions, such as reimbursement of the public contribution. EU and national legislation must be respected and enforced. In this perspective, the Commission calls upon Member States to promote, in compliance with the applicable national and Union law, the sharing of information by data protection authorities to authorities in charge of monitoring elections and the monitoring of political parties’ activities and financing where it follows from their decisions, or where there are otherwise reasonable grounds to believe, that an infringement is linked to political activities by national political parties or foundations in the context of elections to the European Parliament.
It is also recommended that Member States appoint contact points to take part in a European cooperation network for elections to the European Parliament. The Commission will support these cooperation networks by convening a first meeting of the designated contact points by January 2019. While respecting the national competences and the procedural requirements applicable to the concerned authorities, this forum will provide the nucleus for a real time European alert process and a forum for exchange of information and practices among Member State authorities.
Political parties, foundations and campaign organisations need to guarantee transparent practices in their political communications to citizens and to ensure that the European electoral process is not distorted by unfair practices. The Commission presents concrete measures to strengthen transparency so that citizens can see who is behind the political communication they receive and who is paying for it19. Member States should support and facilitate such transparency and the efforts of competent authorities in monitoring breaches and enforcing rules including by applying sanctions where necessary. Where relevant, law enforcement authorities should also be involved to ensure an appropriate response to incidents and the application of appropriate penalties20.
19 These proposals are complementary to the Code of Practice being elaborated by the multi-stakeholder Forum convened by the Commission following its Communication of 26 April 2018 on online disinformation.
20 This would concern in particular cases where an election process is targeted with malicious intent, including incidents based on attacks against information systems. Depending on the circumstances, criminal investigations that may result in criminal penalties may be appropriate. As noted above, definitions of offences and minimum maximum levels of penalties for attacks against information system have been harmonised by Directive 2013/40/EU.
7
Resilience, deterrence and defence are essential to building strong cybersecurity for the European Union21. Competent European and national authorities, political parties, foundations and campaign organisations should be fully aware of the risks for next year’s elections and deploy appropriate efforts to protect their network and information systems22.
3. Applying data protection rules in the electoral process
Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation)23, which became directly applicable across the Union on 25 May 2018, provides the Union with the tools necessary to address instances of unlawful use of personal data in the electoral context.
Since it is the very first time they will be applied in the European electoral context on the occasion of the forthcoming elections to the European Parliament, it is important for all actors involved in election processes – such as national electoral authorities, political parties, data brokers and analysts, social media platforms and online ad networks – to understand clearly how best to apply these rules and what is and is not allowed by them.
The Commission has thus prepared specific guidance to highlight the data protection obligations of relevance in the electoral context. In order to combat malicious attempts to abuse people's personal data, in particular for micro-targeting purposes, the national data protection authorities, as enforcers of the General Data Protection Regulation, have to make full use of their strengthened powers to address possible infringements.
4. Strengthening the rules on funding of European political parties
Political parties and foundations are of course the key actors in elections. They compete for the vote of the electorate through their campaigns. To ensure a level political playing field, and to protect all political parties and foundations from malfeasance it is essential to prevent
21 The September 2017 joint Communication of the High Representative of the Union for Foreign Affairs and Security Policy and the European Commission acknowledges the need for a comprehensive response for building strong cybersecurity for the Union that is based on resilience, deterrence and defence, JOIN(2017) 450 final.
22 The Compendium developed by the Cooperation Group established under Directive (EU) 2016/1148 provides useful guidance in this respect. Directive (EU) 2016/1148 aims at achieving a high common level of cybersecurity resilience across the Union. In order to meet this objective, the Directive supports the development of national cybersecurity capabilities and protects the provision of essential services in key sectors. In order to reinforce the efforts towards a proper implementation of the Directive, the Commission is providing over EUR 50 million in funding until 2020 through the Connecting Europe Facility (CEF) programme. The risk management measures of the Directive (EU) 2016/1148 are relevant benchmarks for the electoral process. The GDPR also provides for obligations to implement appropriate technical and organisational measures to ensure a level of security to personal data being processed. It is applicable to all actors involved in the electoral process and also contains an obligation to communicate personal data breaches to the competent data protection authorities and to the concerned individuals (see guidance issued by the Commission).
23 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
8
situations in which any one party can benefit from illegal practices infringing data protection rules. For these who do not only breach people's privacy, they could also potentially influence the outcome of elections to the European Parliament, should be sanctioned. Alongside a call for Member States to apply such sanctions for parties and foundations at national level where appropriate, the Commission is proposing to introduce a targeted amendment to Regulation (EU, Euratom) No 1141/2014 to provide for proportionate sanctions in cases involving European-level political parties and foundations. That amendment, which reinforces existing rules, aims to ensure that the elections to the European Parliament can be held under strong democratic rules and in full respect for the values on which the Union is founded, in particular democracy, fundamental rights and the rule of law.
The Commission urges the European Parliament and the Council to ensure that those focused changes are in place before the 2019 elections to the European Parliament.
5. Conclusions
Recent events have shown that the risks of manipulation of the electoral process, whether via attacks on information systems, misuse of personal data and opaque practices, are real and acute. The EU is not immune. Online activities in the electoral context present a novel threat and require specific protection. We serve the citizens and democracy best by preparing now. We cannot wait until after elections or referenda have taken place to discover such activities and respond to them only then.
Protecting democracy in the Union is a shared and solemn responsibility of the European Union and its Member States. It is also a matter of urgency. All involved actors have to step up their efforts and cooperate to deter, prevent and sanction malicious interference in the electoral system. The measures put forward by the Commission in this package support these efforts.
The Commission will report after the 2019 elections to the European Parliament on the implementation of this package of measures.
Next steps ahead of the 2019 electi o ns to the European Parliament
• The Commission urges the European Parliament and the Council to ensure that the
proposed targeted changes to Regulation (EU, Euratom) No 1141/2014 are in place in time for the 2019 elections to the European Parliament.
9
Together with the High Representative, the Commission will be supporting the preparation of common European responses addressing any foreign involvement in elections in the European Union24. As a follow up on the European Council Conclusions of June 2018, they will present in cooperation with Member States an action plan by December 2018 with specific proposals for a coordinated EU response to the challenge of disinformation.
The Commission will raise awareness and maintain its dialogue with Member States’ authorities through the high-level conference on cyber-enabled threats to elections on 15 and 16 October 2018, the outcome of which will feed into the next Colloquium on Fundamental Rights (26 and 27 November 2018), focused on "Democracy in the European Union".
24 This could also include the use of measures developed under the Framework for a Joint EU Diplomatic Response Malicious Cyber Activities.
10
to