Welcome to Euractiv’s Tech Brief, your weekly update on all things digital in the EU. You can subscribe to the newsletter here.
“Pushing everything to the last minute is not a good approach. It means taking risks.”
-An EU official on the AI Act’s trilogues
Story of the week: EU policymakers met Tuesday evening for the fourth trilogue on the AI Act. Despite some unwary press statements, none of those involved seriously expected a political compromise at this stage. The only point on the agenda the negotiators managed to close for good was on classifying high-risk AI systems (Art. 6), with a filtering system that was maintained despite a negative legal opinion from the European Parliament Euractiv revealed last week. The compromise largely maintains the text circulated before the trilogue, with some minor modifications, such as the fact that the Commission is to provide a list of practical examples. The list of high-risk use cases (Annex III) is not closed yet as MEPs asked to discuss it as part of a package deal involving the law enforcement aspect, prohibited practices (Art. 5) and probably also the fundamental rights impact assessment and environmental dispositions. Both the Council and Parliament stuck to their positions on the thorny issue of real-time Remote Biometric Identification, while the Commission is exploring some technical solutions with targeted exceptions.
For foundation models, the tiered approach was largely agreed on with the view of introducing horizontal transparency obligations for all foundation models and additional risk-management rules for ‘high impact’ foundation models. However, how models will qualify as ‘high impact’ is still to be seen, but it seems clear that it will be a combination of thresholds policymakers are still trying to figure out with the help of researchers from Stanford University. Parliamentarians opposed the creation of a separate category of general-purpose AI at scale, preferring to associate GPAI with obligations towards downstream economic operators. Following the DSA model, the AI Office will supervise foundation models with ‘systemic risk’. Parliament agreed to make the Office a part of the Commission, but with a distinct budget line that should not be financed by a management fee. The objective is to reach a final agreement at the trilogue on 6 December. Expect some hectic weeks of intense drafting ahead.
Don’t miss: The European Parliament has officially thrown the gauntlet at the Commission on cloud certification schemes. Following the politicisation of the European Cloud Services scheme, MEPs want to turn these schemes from implementing to delegated acts to make sure they have a say in adopting or rejecting them. Other amendments tabled by Bart Groothuis and other influential MEPs, which received the support of all the main political groups in the house, would force the Commission and ENISA to conduct an impact assessment and public consultation before a scheme is adopted. Ironically, these amendments were introduced in the Managed Security Services, a targeted revision of the Cybersecurity Act the Commission proposed with the Cyber Resilience Act – a rookie mistake considering how many grudges the EU executive managed to prompt with its secretive handling of EUCS. Not all MEPs involved are necessarily against the French-pushed sovereignty requirements, but the way the Commission tried to quietly sneak them in hardly won them any support. Groothuis’ amendments will certainly find support in the Netherlands and other EU countries, but the Managed Security Services makes little sense without the Cyber Solidarity Act, which is so unpopular in the Council it has barely been touched so far. Therefore, the question might be more to send a political message to the Commission since the Cybersecurity Act is up for review next year anyway. Read more.
Also this week:
- The European Data Protection Supervisor issued an opinion on the AI Act asking to provide the secretariat for the AI Office.
- Amendments to the Competition Policy report were tabled to remove any ‘naming and shaming’ of Big Tech and references to the senders-pay.
- The French digital space bill might be at odds with EU law.
- MEPs reached an agreement on the draft law to prevent the dissemination of online child sexual abuse material.
- The Spanish presidency provided an overview of initial compromises and tension points in the trilogues on the Media Freedom Act.
- Telecom ministers met in Leon and certified broad opposition to the senders-pay and spectrum reform.
Before we start: If you want even more tech analysis, tune in to our weekly podcast.
Today’s edition is powered by Google
Fighting Misinformation Online
Hear from VP Jourová, Nobel Peace Prize laureate Maria Ressa, Google’s VP of Trust & Safety Laurie Richardson, and many more experts address the issue of misinformation by catching up on yesterday’s Fighting Misinformation Online event.
Artificial Intelligence
Another opinion to ignore. Just before Tuesday’s trilogue, the European Data Protection Supervisor published an opinion on the AI Act “in the light of legislative developments”. On enforcement, the EDPS argued for a more prominent role in the AI Office, so it would have voting rights and equal status to conduct investigations as national authorities but also to provide the secretariat per the EDPB model. The Supervisor also reiterated its support for banning unacceptable practices like biometric identification, emotion recognition and predictive policing.
French datasets. Last week, the CNIL, the French data protection authority, published some of its first answers to AI developers and stakeholders on how to develop AI systems in accordance with EU privacy rules, namely defining lawful data-set building and data processing. The CNIL has been one of the most active DPAs in this area, aiming to lead the way in building the bridge between the GDPR and the upcoming AI Act.
AI meets cyber security concerns. According to new research conducted by consultancy firm Gemserv, 83% of survey respondents expect generative AI to be implicated in more cyberattacks, with 38% anticipating a significant increase in cyberattacks utilising deep fake AI technologies over the next five years. “AI is reshaping the contours of cyber defence by augmenting human capabilities, predicting threats, and fortifying organisations against the volatile cyber threat landscape,” commented Gemserv’s cyber director Mandeep Thandi.
Competition
Competition policy report. The amendments to the 2023 competition policy report were published earlier this week. The rapporteur, Stéphanie Yon-Courtin, a supporter of the senders-pay principle, removed her own references to fair contribution for telecom networks since the initiative has lost momentum and might have monopolised the discussion. Several amendments tabled from centre-to-right MEPs try to delete references to specific cases like Spotify’s complaint against Apple and the iMessage investigation, while Yon-Courtin proposed adding a reference to the Google Shopping case. The Internal Market Committee also provided its opinion to the Economic Affairs Committee, stressing several references to the DMA and pushing the Commission to consider expanding the interoperability provisions to social media.
Cybersecurity
A riddle wrapped in a mystery inside an enigma. It is no surprise that MEPs want more transparency on EUCS, considering the level of secrecy surrounding the European Cybersecurity Certification Group that took place last Friday. The political stalemate continued with France insisting on the sovereignty requirements and the Netherlands-led camp pushing against them. A possible compromise floating around would involve excluding like-minded countries, NATO partners or jurisdictions that received a data adequacy decision from the sovereignty requirements. The Commission is expected to come forward with a new proposal by the time of the next ECCG meeting, tentatively scheduled for 20 November.
Lobbying battle continues. The European Centre for International Political Economy published a study funded by the trade association CCIA on the potential economic impact of the EUCS’ exclusionary requirements. Disclaimer: the impact is considered extremely significant and disproportionately affecting smaller countries.
Did you see it coming? The European Commission opened a public consultation on cybersecurity rules for cross-border electricity flows, including cybersecurity risk assessment, common minimum cybersecurity requirements, planning, reporting and monitoring, and crisis management. Buried in Electricity Regulation, this delegated act surprised many cybersecurity experts.
Czech Republic under cyber-attack. The pro-Russian hacking group NoName057 attacked multiple websites of the Czech government. The targeted websites include the Interior Ministry, police force, Prague Airport, and the lower and upper houses of parliament. The hacking group used DDoS attacks, which flood the server with many requests, thereby overwhelming the website and putting it out of service.
Cyber threat from Kazakhstan. The espionage-focused threat actor, YoroTrooper, which routes their attacks via Azerbaijan, stems from Kazakhstan, a new analysis published by Cisco revealed.
Digital diplomacy
Get a helmet, Germany! Germany aims to boost its international competitiveness with a new digital strategy spanning several ministries, while experts have warned of a growing geopolitical race for technological supremacy and the need to defend liberal values and human rights in the digital space. Last week, the Bundestag’s Digital Committee held a public hearing to discuss the strategy, which Germany’s Digital Ministry will present before the end of the year. Read more.
A neurotechnology declaration. The highlight of the León informal ministerial meeting on telecommunications on 23 and 24 October was its declaration on European neurotechnology, calling for “a human-focused and rights-oriented approach”. Remarkably, one of the calls for action asks the Commission to ask about possible regulatory gaps in this area precisely when the EU executive starts thinking about the next legislative agenda.
Digital Services Act
Conflicts of digital laws. Although the French Digital Minister Jean-Noël Barrot, spearheading the French bill promising to “secure and regulate the digital space”, stated that his “red line” was to respect EU legislation, the draft law came under criticism by the European Commission in a reasoned opinion, emphasising the fact that France should not overregulate age verification schemes before the EU does and should lighten its provisions over possible mass surveillance measures over online banning of harassers and preliminary flagging of pornographic content before accessing them. A spokesperson from the French Digital Ministry told Euractiv they welcomed the Commission’s opinion, saying it confirmed France’s capacity to act in its willingness to un-list websites that expose children to pornographic content. The spokesperson explained that only “marginal modification” will be issued. Additionally, a French MP told Euractiv that although this inter-institutional dialogue should be happening now, it had been postponed to 2024 because the French government is waiting for a second reasoned opinion from the Commission, as large chunks of the bill were modified after review by the National Assembly.
Transparency reports incoming. The first transparency reports of very large online platforms, namely Amazon, LinkedIn, TikTok, Pinterest, Snapchat, Zalando, and Bing, have already published their report before the 6 November deadline. The reports, which must include content moderation information, vary significantly in quality and details, and it will take some time to digest.
Partnering up. The Commission signed arrangements with the French and Irish media regulators to support DSA enforcement. This follows the Commission’s recommendation for member states to coordinate and strengthen the answer of systemic platforms to disseminating illegal content, notably following the renewal of the Israeli-Palestinian conflict.
Audits delegated act. The Commission published its delegated act outlining the framework for independent audits under the DSA. In July, Euractiv highlighted several criticalities in this fundamental aspect of DSA enforcement.
Gig economy
Short Term trilogues for Short-Term Rental regulation. On Wednesday, rapporteur Kim van Sparrentak gave an overview of the trilogue negotiations in a hearing of the Internal Market Committee, mentioning active hosts, verification by national authorities, compliance by design, information and monitoring and entry into force as the main points of divergences with the Council. A second trilogue on the file, expected to be closed under the Spanish EU Council presidency, is planned for 15 November.
Law enforcement
MEPs’ agreement on CSAM. The main political groups of the EU Parliament reached an agreement on the draft law to prevent the dissemination of online child sexual abuse material (CSAM) on Tuesday. The agreed text, seen by Euractiv, focuses on the EU Centre and detection orders but also includes changes in encryption, reporting and removing orders, as well as app stores and age verification. Parliament’s Committee on Civil Liberties, Justice and Home Affairs is expected to adopt the file on 13 November, paving the way for the last stage of the legislative process. Read more.
Press conference of a united Parliament. Following the agreement, the rapporteur and shadows showed a united front in a joint press conference on Thursday. MEP Javier Zarzalejos emphasised that there is “no massive scanning or general monitoring” in the file and that the agreement is the result of the work of all political parties. Paul Tang talked about the changes in safety-by-design measures, age verification, user reports, the protection of end-to-end encryption, and web crawling. Vautmans believes they managed to balance child protection while protecting privacy, also mentioning that she hopes they can do more on grooming in the future.
Europol and Johansson grilled by MEPs. On Wednesday, Commissioner Ylva Johansson attended the Civil Liberties Committee hearing and was questioned about the news on microtargeting ads on Twitter/X. She said she had no information on the matter, but DG HOME will provide more information to the Parliament. One of the authors of the Balkan Insight article that drew some controversial connections between HOME and these organisations also participated in the hearing, as did Europol. Europol was also questioned about connections between them and child protection organisations through links with former colleagues. MEPs said Europol was lobbying for the Commission by supporting the proposal. Previously, the LIBE committee requested that DG HOME provide all communications with Thorn and other child protection organisations, which they have not done so far.
The point of no return? The European Data Supervisor held a seminar on Monday about the CSAM regulation, titled “The point of no return?”. During the event, which took place before the Parliament agreed on the file, several experts were questioned, mainly about the technical aspects of the file, who emphasised that detecting child sexual abuse material in communications without breaking encryption is impossible.
Media
EMFA trilogue debrief. Following the first trilogue on Media Freedom Act, the Spanish presidency briefed COREPER on Wednesday on the emerging compromises and tension points. The first aspects that have been closed are regulatory cooperation and the right of customisation. A preliminary exchange of views took place on the more sensitive aspects of the law, such as the rights of recipients and funding for public media. The presidency’s post-trilogue debrief was preceded by an updated version of the compromise text, dated 20 October and seen by Euractiv. The next political trilogues will take place on 29 November and 5 December. However, some of the most controversial parts of the text, such as the national measures affecting media services and market concentration dispositions, are still to be discussed. Read more.
Platforms
Acting against addictive design. In a report adopted with a broad majority in Parliament’s Internal Market Committee, lawmakers argue that digital platforms should be less addictive, focusing on child protection and the harms of social media. “The IMCO Committee is united: no self-discipline can beat the addictive design tricks we all face online today”, rapporteur Kim Van Sparrentak told Euractiv. “This can have a huge impact on mental health and even brain development. If we do not act now, this will impact generations to come. The EU needs to lead the way and act against the addictive design of online services”, she explained. The lawmakers want the Commission to take their recommendations on board in the ongoing fitness check of the current consumer law. While there is no exact date for the plenary vote yet, it will most likely occur in December or January. Read more.
Blowing (up) Musk’s one-year Twitter takeover. “On 27 October, we will not tweet, we will not retweet, we will not log in to X. Before and after this date, let’s promote the hashtag #notwitterday”, several French disinformation experts and journalists wrote in an op-ed in Le Monde. The reasons invoked are the rise of disinformation, quality and integrity of news on Twitter, now X, since Elon Musk took over on 27 October 2022. Additionally, they condemned “Elon Musk’s positions […] where he stands out with strong support for fake and dangerous conspiracy theories, including those related to public health”.
Product liability
PLD first trilogue. The first ‘hand-shake’ trilogue on the Product Liability Directive took place on Monday. The most significant divergences relate to the provisions on accessing evidence, the threshold for data leaks, the reversal of the burden of proof, scientific complexity and latent damages. While the Spanish presidency seems determined to close the file, no schedule of technical meetings has been shared with the shadows yet.
Telecom
Take no as an answer. The León informal ministerial meeting on telecommunications on Monday and Tuesday certified Commissioner Thierry Breton’s backpedalling on the senders-pay initiative. The French commissioner underestimated the backlash from the industry and member states, including the opposition from Germany. Moreover, some saw Breton’s eating his words as a way to make peace with the former ALDE countries, whose support he will need if he is to stay in the next Commission mandate, also considering that President Emmanuel Macron’s Renaissance is not headed for a stellar performance in the European elections. In another major setback, Breton took another overwhelming ‘no’ to the power grab of the Commission in the area of radio spectrum. Meanwhile, the Commission services already working on the Telecom Act are now redrafting it in the white paper expected early next year.
A marriage and a third wheel. According to Reuters, Romanian operator Digi is to acquire assets that might be able to address the European Commission’s competition concerns in the landmark Orange-MasMovil merger case. Digi might also be offered access to infrastructure, but reportedly, the package is yet to be finalised. Many in the telecom sector hope that the Orange-MasMovil marriage will mark a discontinuity in the Commission’s market concentration doctrine, especially now that Margrethe Vestager has left the helm of the EU competition department after a decade.
Subsea cables’ fragility. In Leon, telecom ministers also discussed the security situation of submarine cables following several ‘incidents’ in the Baltic Sea. While the Commission is working on a recommendation for the resilience of subsea fibre cables for next year, without increasing the scarce resources in this area, smaller countries with plenty of submarine infrastructure in their territorial waters (i.e. Ireland) will not be able to ensure its security.
“Tacit approval”: the apple of discord. Breton urged ministers in León to find a compromise on the Gigabit Infrastructure Act. However, the question of tacit approval is proving extremely controversial, with some member states that already have a similar mechanism or want to introduce it to speed up network deployment, while for others, it would be highly problematic from an administrative point of view. According to an EU official, the number of countries that oppose the measure has now grown to 10, well above a ‘blocking minority’.
Mind the resilience of your networks. Making Ukraine’s telecommunications infrastructure resilient is key to the fight against Russian aggression and the country’s future EU integration, the telecom chief specialist at the Ukrainian digital ministry told Euractiv in an interview. As both a strategic target of the Russian army and a stronghold of Ukrainian resilience, the defence of telecommunications is crucial for Ukraine, Nadia Babych said, urging EU countries that share a border with Russia to take an example from Ukraine. Read more.
Twin transitions
Right to Repair, a step closer to the finish line. On Wednesday, Parliament’s Internal Market Committee adopted its version of the Right to Repair directive, including bicycles in its scope, as well as other options to help consumers with a defective product. Read more.
What else we’re reading this week:
Gary Gensler urges regulators to tame AI risks to financial stability (FT)
This new data poisoning tool lets artists fight back against generative AI (MIT Technology Review)
[Edited by Zoran Radosavljevic]
