Welcome to EURACTIV’s Tech Brief, your weekly update on all things digital in the EU. You can subscribe to the newsletter here.
“The Chairperson may restrict participation in sub-groups dealing with critical and sensitive policy subjects that are directly relevant for the security of the Union.”
-Draft Commission Decision on setting up the group of experts ‘High-Level Forum on European Standardisation.’
Story of the week: The Commission will launch a “high-level forum on European standardisation”, a product of the European Standardisation Strategy presented in February. According to a draft decision seen by EURACTIV and set for adoption this week, the group will advise the EU executive on standardisation policy, support the identification of priorities and needs and help to coordinate EU interests and research partnerships.
The group will be formed by 60 experts, 30 of which come from national authorities, whereas the rest will be distributed across trade associations (but only those with a demonstrated interest in European standardisation), SME representatives, academia, and civil society. While the group will work through consensus, it will adopt recommendations and opinions via a simple majority, meaning the national representatives will have an easy game as long as they display a united front. Moreover, the draft includes a measure that would empower the Commission to exclude from the ‘sensitive policy subjects’ members under the control of a third-country organisation. Read more.
Don’t miss: The Czech Presidency circulated a new compromise text on the European Digital Identity (eIDs) proposal last week in an attempt to unlock a file that, so far, has experienced several technical and political hurdles. A major step forward (at least in theory) was achieved in July when all countries except France and Germany agreed to the European Digital Identity Wallet as a means of electronic identification, a principle included in the new text. However, the compromise has disappointed privacy advocates, as the Czechs have introduced an exception for the registration requirement for the organisations using the system and a potential loophole for using record-matching instead of a unique identifier. Read more.
Also this week:
- EURACTIV saw Germany’s draft cookie law.
- Lawmakers discussed the obligations of high-risk AI systems.
- The UK competition regulator decided to continue investigating the Microsoft-Activision deal.
- The Pegasus committee is at the centre of ‘political games’ to divert the attention.
- Ukraine passed a new media law as required by the EU, but not everyone likes it.
Before we start: The EU strives to set the international standard with its AI regulation. But how likely is it that the EU rules will become internationally adopted? And under which conditions could that happen? We discussed how the upcoming AI regulation would likely shape this technology’s future via the so-called ‘Brussels effect’ with Charlotte Siegmann, a predoctoral research fellow at Oxford University, and Markus Anderljung, head of policy at the Centre for the Governance of AI.
Today’s edition is powered by AWS
AWS and comprehensive data protection in the cloud
How do organisations successfully navigate compliance within Europe? What are the cross-border data transfer requirements? AWS experts Esther Stringham (AWS Legal) and Hans Bos (AWS Security Assurance) dive deeper into both topics.
Watch the webinars
Artificial Intelligence
All it’s good until it’s not. New compromise amendments to the AI Act were circulated last week, with lawmakers pitching changes to the provisions on high-risk obligations, distribution of responsibility within the AI supply chain, technical standards and administrative procedures for oversight bodies. The co-rapporteurs on the file, Brando Benifei and Dragos Tudorache, have focused their efforts on advancing the least controversial parts of the text, amendments that have passed with minor changes. The discussion might spice up next week when regulatory sandboxes are on the menu. Read more.
JURI’s vote. A final vote on the AI Act opinion in the JURI committee is scheduled for Monday (5 September). The agreement, brokered with the help of the social democrats, entails separate votes only for a handful of amendments related to military use and law enforcement.
The liability problem. The upcoming AI liability proposal is due to be a relatively short one, around 10 articles, EURACTIV has learned. The focus will be on causality and the burden of proof, with the reversal of the burden of proof being considered. The main issues will be the criteria and definitions, as the Commission must ensure the alignment of key concepts with the AI Act. Additionally, rumours would have the AI Directive postponed, as the Commission is waiting to see how the discussions on the regulation progress.
Competition
Slaying the (gaming) giant. The UK’s competition watchdog announced Thursday that it would advance its investigation into Microsoft’s acquisition of beleaguered gaming company Activision Blizzard. The Competition and Markets Authority identified several antitrust concerns in Phase 1 of its investigation and, pending Microsoft and Activision’s response, will push on to Phase 2 of the probe within the next five days. The merger is also under review in the US, where the Federal Trade Commission is investigating its potential impact on labour markets and Activision’s workers. Read more.
We had enough. The European Commission will not appeal a June ruling by the EU General Court that overturned its €997 million fine against American chipmaker Qualcomm. The court found that the EU’s handling of the case had contained several procedural errors and that the case’s conclusion and penalty were invalid. While appeal mechanisms are available, the EU’s antitrust department has reportedly decided not to launch an effort to overturn the decision, probably to avoid another burning defeat in court.
Change incoming. Changes are coming to Microsoft’s provisions for cloud service providers in an update to a shift launched earlier this year. The company this week announced amendments set to take effect from the start of October in areas including expanding the European cloud providers that customers can use their licences on. The original changes were announced in May, largely in response to competition complaints lodged with the EU by cloud providers in Germany, Denmark, Italy and France.
Cybersecurity
Cyberwarfare in the Balkans. Government institutions in Montenegro were hit by a major cyber-attack last week, with officials attributing blame to Russia. Authorities called on Balkan allies for assistance in containing the attack, which hit institutions including the finance ministry. Speaking to state television, Defence Minister Rasko Konjevic said evidence pointed toward Russia as the culprit, and media reports cite the National Security Agency as having echoed this. Read more.
Data & Privacy
An end to the cookie terror? Germany’s digital ministry is currently working on a draft law for a new cookie consent management regulation that aims to reduce the many pop-ups users encounter on websites. According to the draft, data custodians shall ensure users’ consent to cookies on one website is replicated for others so that users are not asked for their consent on every website. However, this would not apply to ad-financed websites, for which users will be asked for their consent each time if they keep declining consent. Read more.
Changes not needed. The current structure of EU data protection reform is working, and reform would take at least a decade, the chair of the European Data Protection Board said in an interview this week. The majority of cases considered by the authority, Andrea Jelinek added, have well-functioning cross-border cooperation and lengthy investigation and enforcement procedures are necessary for thorough and legal grounding in cases. These statements contradict the European Data Protection Supervisor’s push, who has asked if the GDPR needs to be reformed at least with some targeted changes.
Data Act – the timing question. The public hearing on the Data Act in ITRE has been moved to 26 October since the previous committee meetings were already full. The deadline for amendments was also changed to 28 October. Behind the scenes, a clash is ongoing between ITRE and IMCO over the timing, with the former pushing for quick adoption and the latter keen on taking its time. The new timeline, seen by EURACTIV, mentioned a committee vote in the first week of February, which would be earlier than the vote planned in IMCO. It is unclear if some obscure procedural rules in the Parliament would allow that or if it is a move meant to put political pressure on the other committee. Meanwhile, LIBE is also not planning to present its opinion before October, and JURI also feels the deadline to be too tight.
DPC steps in. The Irish Data Protection Commissioner (DPC) is set to play a role in handling the allegations made by Twitter whistleblower Peter Zatko, who last week alleged several security failings on the part of his former employer. Zatko has signalled his willingness to appear before the Irish Parliament and to meet with the DPC, which has already held a preliminary meeting with Twitter to discuss the accusations.
Stop profiling children. California’s state legislature this week passed a bill, with overwhelming support, that will oblige platforms to ensure privacy and safety-by-design for any services likely to be accessed by minors, modelled on a similar regulation already in place in the UK. The California Age-Appropriate Design Code will, if signed into law by the state’s Governor, require platforms to consider how elements of their sites could harm users under the age of 18 and take steps to address them. This includes a ban on the use of dark patterns, the restriction of detrimental data collection, and a ban on profiling children.
Digital Markets Act
Implementing acts in sight. The European Commission has published the webpage for its public consultation on the DMA implementing acts. This secondary legislation is due to defining critical aspects of the upcoming legislation, such as the way gatekeepers will have to notify the EU executive that they meet the quantitative criteria, how to conduct market investigations and the technical measures the gatekeepers will have to undertake to ensure compliance. The Commission is expected to publish the draft acts in the coming weeks.
Gig economy
Tell us where you stand. The Council’s Social Questions WP is due to meet on Monday (5 September) to discuss the mechanism of the rebuttable presumption in the platform workers’ directive. The discussion is expected to focus on the complexity of implementing the rebuttable presumption in member states’ national legislations. According to an internal note seen by EURACTIV, the Czech Presidency intends to clarify “the functioning of the presumption and to clear out interpretative doubts that could lead to substantial differences in the understanding of the text and its application.” In other words, the member states have been asked to take a clear position on the matter, which has proved the most controversial part of the proposal.
Industrial strategy
About time. Germany’s digital strategy was finally adopted on 31 August by the federal cabinet. After the responsibilities of the respective ministries have been clarified and the plans and timeframes have become more concrete, the task is to implement the strategy. While digital minister Volker Wissing keeps calling for a “digital awakening in Germany”, critics say the impact of this strategy will be limited, as the problems and potential solutions are largely known, but the implementation is lacking so far. Read more.
Law enforcement
Political games. The next PEGA committee meeting on 8 September will focus on Greece. However, one of the country’s wiretapping scandal’s central figures, the opposition leader and MEP Nikos Androulakis, will not be invited as a panellist following a push by the conservative EPP group to then also invite Catalan MEPs targeted with spyware. On the other hand, this would barely be welcomed by the Socialists and Democrats, Spanish Prime Minister Sánchez’s party. In the end, it was decided to postpone the hearing of MEPs to October, meaning that what some EU officials called “political games” are delaying the investigations into MEPs’ cases and protecting their respective political allegiances at home. Read more.
Incompetent or without competence? The issue of the EU’s competencies to scrutinise spyware use came to the forefront during a PEGA committee hearing on 30 August, where a Europol representative said the agency’s mandate was limited to supporting member states choosing to launch an investigation. However, the agency’s capabilities were just recently amended, thus providing the opportunity to ask member states to initiate investigations rather than wait for member states to act. With several national governments involved in spyware scandals, this option must be exploited by Europol, rapporteur Sophie in t’Veld argues. Read more.
Media
Good or bad law? The Ukrainian Parliament this week advanced a media law that Brussels singled out in its recommendations on EU accession, published earlier this year. The draft bill, first proposed by President Zelenskyy in 2019, has attracted some criticism from media groups within and beyond Ukraine, namely for the power it would hand the country’s regulator. Read more.
Platforms
Twitter leak fallout. Alexandra Geese and Kim van Sparrentak, MEPs for the Greens, have written to the Commission in light of the Twitter whistleblower’s revelations to ask the EU executive what it is doing to tackle fake accounts and bots on the platform, one of the issues identified in the allegations. In a letter, the two lawmakers asked the Commission whether it was looking into whether Twitter had violated the Code of Conduct on Disinformation, to which Twitter is a signatory, what the available options would be if it were, and how such behaviour could be compatible with signatory status.
Council’s sense for political ads. The Czech Presidency is set to continue negotiations on Chapters 3-5 of the regulation on Political Advertising at next week’s meetings of the Council’s General Affairs Group. These conversations will form the basis of the fourth revision of the text, which the Presidency aims to reach a general approach on by the autumn Council.
Telecom
UK’s fair share. According to indiscretions circulating this week, the UK government’s Department for Digital, Culture, Media and Sport has commissioned a report from a consultancy firm to confirm the need for tech companies to pay for infrastructure costs. This is a follow-up to a process initiated by the UK’s telecom regulator OFCOM started last year. The report is due to be published in the coming weeks and might provide the basis for a legislative proposal strongly wanted by BT.
Not fair for everyone. On the other side of the Channel, MVNO Europe, representing smaller telcos, has written to the Commission to express its concern about the executive’s ‘fair share’ initiative. The suggested legislation, the group’s members say, is based on “incomplete assumptions and insufficient understanding of the technical arrangements underpinning the exchange of internet traffic” and could, they fear, harm competition in telecom markets by doubling or even tripling the network services payments being received by the largest telecom providers.
What else we’re reading this week:
EU Wants Telecom Companies to Prove Netflix, YouTube Should Pay for Traffic (Bloomberg)
The metaverse is evolving from fiction into fact (FT)
What does GPT-3 “know” about me? (MIT Technology Review)
Laura Kabelka and Theo Bourgery-Gonse contributed to the reporting.
[Edited by Alice Taylor]