Welcome to EURACTIV’s Tech Brief, your weekly update on all things digital in the EU. You can subscribe to the newsletter here.
“These measures will help persons seeking compensation for damage caused by AI systems to handle their burden of proof so that justified liability claims can be successful.”
-A leaked draft of the AI Liability Directive
Story of the week: The upcoming EU liability regime focused on the damage caused by AI and would place a presumption of causality on the defendant, according to an early copy of the proposal seen by EURACTIV. The AI Liability Directive, due for publication on 28 September, is intended to accompany the AI Act by establishing how someone damaged in an accident where AI was involved can make a civil lawsuit to claim damages. On the same day, the Commission is also due to present the Product Liability Directive, horizontal legislation that will cover all kinds of software. Criminal law, the transport sectors and contractual obligations are excluded from the scope.
The provisions will not change the existing liability regimes in member states but will introduce harmonised measures to deal with civil lawsuits that cannot be fully solved without explaining the AI’s internal logic. In these cases, if the complainant can prove that the AI provider or user, according to the situation, has breached the AI Act requirements or any other EU or national rule, it will fall on the defendant to prove that there is no causal relation between non-compliance and the damage. A judge might also force providers of high-risk systems to disclose the documentation they must keep under the upcoming AI regulation. Read more.
Don’t miss: The European Commission is set to present a plan for the digitalisation of the energy sector, connecting the dots with existing initiatives and introducing new ones, according to a draft obtained by EURACTIV. The most relevant new project is the creation of a digital twin for the electricity grid. In the draft, the EU executive also gives more details on the European energy data space. The plan is the first attempt to concretely align the green and digital transition and deals with the fundamental aspect of the energy consumption in the ICT sector. Before the end of the year, the Commission plans to present requirements for the use of waste heat from data centres, something which might come in handy as Europe will struggle to keep its households warm this winter. Labelling schemes for data centres, computers and crypto are also mentioned. Read more.
Also, this week:
- Google lost its appeal against the EU’s largest-ever competition fine.
- The Cyber Resilience Act was not officially out yet, but three countries have already asked to raise the security bar.
- The Commission presented its proposal for a European Media Freedom Act.
- The Data Act rapporteur proposed exempting medium-sized companies from the regulation’s data sharing obligations.
- EU data protection authorities warn they will lose the battle with Big Tech if they don’t receive more resources.
- The EU executive will launch an initiative to regulate the metaverse next year.
- Breton admitted that more time would be needed to present an initiative on senders-pay.
Before we start: We discussed the annual State of the Union speech by European Commission President Ursula von der Leyen and its implications for the tech sector with Cecilia Bonefeld-Dahl, Director-General of DIGITALEUROPE, and Scott Marcus, Senior Fellow at Bruegel.
A message by Google
YouTube Kids a safer place for young minds.
YouTube Kids is a dedicated app that lets parents set content levels for a self-contained, age-appropriate experience. It’s packed with features to help parents get things right for their families, and we’re continually evolving it to give kids a safer place to continue playing and learning.
Continue reading >>
Artificial Intelligence
Legal basis has some basis. The EU Council’s legal service has confirmed the legal bases of the AI Act, according to a legal opinion seen by EURACTIV. The proposed regulation is based on Articles 114 for (internal market) and 16 (data protection) TFEU. It was precisely the part on the protection of data that targeted some national representatives from the area of Justice and Home Affairs, who were generally disgruntled with the fact that the AI Act stepped on their toes. Instead, they tried to change that legal basis with Art. 87(2) TFEU, on police cooperation, which the legal experts rejected. The legal opinions from the EU Council are not a formal process, nor are they infrequent. However, they are highly influential, especially when put in writing, to the point they almost become ‘case law’ to be pulled out of a drawer whenever a similar argument comes up again, an EU diplomat told EURACTIV.
Competition
Commission 1, Google nil. Google was dealt a significant blow by the Commission this week as its appeal against the EU’s biggest antitrust sanction was levied against the tech giant for its unlawful restriction of competition through its mobile operating system, Android. Initially set for €4.34 billion, the fine was reduced by 4% to a total of €4.125 billion by the EU’s General Court, concluding an investigation that began in 2015. The win was much-needed for the EU executive after several high-profile tech competition cases, including those against Intel and Qualcomm, were recently thrown out. The only dismissed part of the Commission’s case regarded the abusive nature of its exclusive agreements, a line of argument that has hardly seen any success. Moreover, the court’s ruling upheld essential parts of the legal reasoning behind the Digital Markets Act, which are now more likely to stand in future litigations. Read more.
More troubles ahead. Google could be required to pay damages of up to €25 billion due to claims filed in both UK and Dutch courts. The suits will see publishers seek compensation over what they say is the damage the tech giant’s digital advertising practices have done to their industry. The cases come amid mounting scrutiny of the firm’s ad practices, with an investigation by EU competition authorities currently underway.
Cybersecurity
The proposal’s out, lobbying already started. The Commission has proposed a Cyber Resilience Act, which will introduce cybersecurity obligations for all products with digital elements, including hardware and software, in the EU market. The requirements, anticipated by EURACTIV last week, are designed to enhance consumer trust and confidence, cover the product’s properties, handling and vulnerabilities, and include specifications related to transparency and user information. Even before the proposal was out, lobbying had started behind the scenes, with Denmark, Germany and the Netherlands sharing a non-paper on Tuesday to push for stricter security requirements for all digital products, processes and services with different levels of assurance, which would then inform the customers’ choice. The non-paper, seen by EURACTIV, also makes the case to include Software-as-a-Service (SaaS) in the scope. This proposal is likely to be met with stark opposition from businesses. Read more.
Uber’s annus horribilis. This week, Uber was hit by a cybersecurity incident that took down multiple internal communications and engineering systems. The hack reportedly began via an Uber employee’s Slack app, which was subsequently used to inform other workers of the breach and to compromise the company’s broader systems. After the attack was first reported by the New York Times, Uber said it responded to the incident and that employees had been instructed to stop using Slack.
Cyber destabilisation. Officials say that the coordinated cyberattack on Montenegro that led to a tech blackout at government headquarters was likely conducted by Russian hackers. The incident that took most of the government offline began on 20 August and was described as unprecedented. The country is still working on getting back online. Still, its national security agency has placed blame for the attack, seen as part of broader efforts to destabilise the region at Russia’s door.
Data & Privacy
Let’s not burden SMEs. The file’s rapporteur has made several critical changes to the proposed Data Act in a draft report seen this week by EURACTIV. In her report, Conservative MEP Pilar del Castillo Vera suggested clarifying the applicability of each of the regulation’s chapters concerning different data categories, strengthening oversight cooperation between different competent authorities, and contractually enshrining the data sharing agreements between companies, among other measures. Also included in the report was a proposed exemption for SMEs from data-sharing obligations towards both users and the public sector, which del Castillo argues risks over-burdening small and medium-sized enterprises. This aspect might prove controversial with the Council, where the discussions are going in the opposite direction, Read more.
First round completed. The Czech Presidency circulated a new partial compromise on the Data Act, completing the presidency’s first revision of the proposal. On the scope, the new text clarifies that virtual assistants are covered and that the provisions on cloud switching only concern infrastructure-as-a-service (Iaas) but also cover metadata. Among the measures included in the text is a potential extension of the period for switching cloud service providers, additional provisions covering governance and differing approaches for harmonising the rights of creators of databases ineligible for copyright protection. The compromise was discussed at the Council’s Telecom Working Party on Thursday. Read more.
A new choke point? In an exclusive this week, EURACTIV saw a letter from the heads of the European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) to the EU Parliament and Council, calling for the dedication of additional resources for the next year’s budget. In its message, the EDPB and EDPS express concern that, without an expanded allocation of resources in 2023, the two bodies will be unable to carry out their responsibilities. As a result, they would be unable to protect users’ rights, and the overall reputation of the EU’s data protection regime, particularly vis-à-vis their growing number of cross-border cases against Big Tech, would be at risk. The lack of resources has long plagued the work of privacy regulators at the national level. A new bottleneck might materialise in Brussels when things seemed to be moving on the GDPR enforcement. Read more.
Privacy front grows. Italy is backing a total ban on targeted political advertising based on pervasive tracking of users, Rome said in response to questions from the Czech presidency this week. In a follow-up to replies already submitted by 16 other countries on the proposed regulation on political advertising, a new document, seen this week by EURACTIV, outlines the positions of Austria, Italy and France. While the former two make their support of differentiation between the use of observed and inferred sensitive data and other forms of data in political ads clear, France is much less blatant regarding where it stands on the issues, seemingly remaining on the fence on several topics. Read more.
Sharing is caring. The Parliament’s LIBE committee will share responsibility for the European Health Data Space with ENVI, the committee for health. Despite the file, which builds on the Data Governance and Data Acts to address the limited use of digital health data within the EU, having initially been assigned solely to LIBE, competency has now been shared. The decision has drawn support from stakeholders in the health field who had never dealt with LIBE lawmakers. Read more.
Digital Markets Act
Monitoring working group. The initiative to set up a working group to monitor the implementation of the DMA and DSA is going ahead this week; a new mechanism intended to have regular exchanges with the Commission and keep up the pressure to deliver on the enforcement. The working group will be a purely informal body with none of the competencies of a subcommittee. The initiative was not met with universal approval, as some see it as a way for some MEPs to maintain a high profile in the crucial year that precedes the European elections.
Digital Services Act
Keeping us waiting. The European Commission published the consultation page for the DSA’s implementing acts, covering fundamental aspects such as the EU executive’s investigatory and enforcement powers, the hearings and the disclosure of information. The draft acts are due to be presented in the fourth quarts of the year. Meanwhile, a tentative date for the EU Council’s adoption of the Economic and Financial Affairs meeting on 4 October.
eGovernance
Preservation vs archiving. The eIDAS proposal should deal with “long-term preservation” rather than “e-archiving”, Slovenia said this week in a non-paper obtained by EURACTIV to prevent the undermining of national public e-archiving services. At the same time, the country supports the addition of e-archiving provisions to the regulation, the centre of its concerns on the potential to undermine the legal status of national bodies and is proposing the terminological change. Concerns are also raised about a potential over-reliance on technological means of preservation in the 3rd compromise text of the proposal.
IMCO’s opinion is out. In the European Parliament, the three opinion Committee’s votes are spread over September and October, where IMCO already voted this week on 12 September. IMCO’s compromise amendments remain in line with the Commission’s proposal, but the text also adds new safeguards for users regarding inclusion and security. Concerning Article 45 and QWACs, the tabled amendments would allow browsers to refuse the certificate if it harms users’ safety. Some organisations, such as Mozilla, have been campaigning to delete Article 45.
The other fronts. LIBE and JURI are expected to vote on their opinions in early October. The leading ITRE Committee is set to hold their report vote on 23 November, but it remains to be seen if it will be confirmed since the first batch of compromise amendments is only to be discussed at the end of September. Meanwhile, the Czech presidency is reworking the text after its initial compromise shared in late August to include the discussions and written comments from the past week.
Gig economy
Something is moving. A possible compromise is on the horizon for the platform workers directive, as MEPs approach, a potential agreement on the legal presumption of employment and synergies begin to emerge within the Council. New compromise amendments, seen by EURACTIV this week, contain explicit wording to clarify that the legal presumption of employment will not lead to automatic classification of all persons performing work as platform workers, a significant ask from Renew and the EPP lawmakers. The question remains if the shadows of the conservative group fully represent the views of its entire group. For instance, the platforms are strongly concerned that voluntary provision of insurance and other benefits would be considered a matter of control over the workers. In the Council, while divergences remain on some points, member states appear to be in general alignment on several text elements. Read more.
Industrial strategy
Italy’s electoral programmes for digital. The creation of a single structure to unify digital networks, the digitalisation of public administration and approaches to cybersecurity are all topics where divergences between the Italian political parties are becoming apparent as the 25 September elections approach. On the public administration, the favourite Brothers of Italy has proposed the digitalisation of public procedures and the introduction of compulsory efficiency objectives for public bodies, in contrast to the centrist party Azione, which has placed a focus on addressing the digital divide by ensuring a single interface for all public services. On other topics, however, some groups have remained vague or silent. The centre-left Democratic Party, likely to emerge as the leading opposition actor, has spoken little about cybersecurity. The anti-establishment 5 Star Movement refers only broadly to any digitisation issues, despite being digital-native. Read more.
Law enforcement
So much for transparency. On Monday evening, the use of surveillance technologies in the EU was on the agenda of the European Parliament’s plenary session in Strasbourg. While several speakers stated that both the EU and member states should investigate the misuse of spyware and that measures should be taken to prevent illegal purchasing and deployments against opposition politicians or journalists, the Commission itself is not transparent about surveillance practices. In a letter of response sent to the PEGA inquiry committee, the Commission was unwilling to provide information on how many times it was hacked and by whom. According to information by netzpolitik.org, there were more than 50 cases of infected devices inside the Commission.
Uncooperative Poland. On Thursday (15 September), PEGA Committee coordinators published a statement on the Polish authorities’ refusal to cooperate. The committee is preparing for its fact-finding mission to Poland between 19-21 September. Still, it laments that the Polish government has declined the invitation to the hearing and refused to meet for the mission. “Nevertheless, the Committee will continue to work diligently and transparently in uncovering abusive spyware practices in the European Union, even if a Member State government fails to comply with its duty to cooperate with an EP committee of inquiry”, the statement reads.
Media
The Commission released its Media Freedom Act on Friday, with no major change to the leaked text EURACTIV reported on last week. The proposal’s publication was met with mixed reactions by stakeholders, with some voicing outright opposition and others calling for its amendment and strengthening. In acknowledgement of the incoming array of responses, Commissioner Věra Jourová stressed that “for some, it will be too much, for some, it will be too little. For some who say the EU should not regulate the media landscape in Europe, we have a message: we believe the opposite”. Read more.
Platforms
The EU’s metaverse temptations. The Commission will present an initiative centred on the metaverse next year. While tech was not a dominant theme in this year’s State of the Union of Commission President Ursula von der Leyen, the announcement was made in a letter of intent released alongside the speech to continue to examine “new digital opportunities and trends, such as the metaverse”. Internal Market Commissioner Thierry Breton threw his hat into the ring, taking ownership of the initiative and outlining what he sees as its three crucial elements: people, technologies and infrastructure. More importantly, though, Breton mentioned the magic words’ rules’, hinting that the initiative will be binding. Finally, he did not miss the chance to reiterate the need to ensure sufficient connectivity infrastructure in the future, (not so) indirectly referring to his pet project on senders-pay. Read more.
Telecom
It will be a long battle. Breton’s activism does not stop there. After unleashing a storm with his announcement on a proposal based on the senders-pay principle in an interview at Les Echoes in May, the Commissioner seemed to have changed to a more realistic timeline. Again in an interview with another French media, Le Monde, the former telco CEO, said that the public consultation will only be launched in the first half of 2023, which would mean the file will not see an end under this legislative mandate. The question is if Breton will be there in the next Commission to continue what seems to be primarily a personal battle.
The lobbying continues. Still, initiatives, stunts, letters and non-papers continue to flourish on both sides of the fence. This week, a group of MEPs have written to the Commission expressing their support for and calling for the Commission to take swift action on the promised initiative. The lawmakers say they are stepping up efforts to meet the 2030 Digital Decade targets, but the surge in data traffic triggered by the pandemic has thrown their achievement into doubt. They say the Commission should prioritise gathering information from stakeholders “to ensure all the relevant market players…contribute fairly and proportionately to the development and sustainability of gigabit networks in Europe.”
What else we’re reading this week:
The Merge: a blockchain revolution or just more hype? (FT)
Big Tech Critics in Senate Struggle to Turn Talk Into Action (Bloomberg)
California’s New Online Child Protection Law Will Challenge Companies (WSJ)
Laura Kabelka contributed to the reporting.
[Edited by Alice Taylor]