Welcome to Euractiv’s Tech Brief, your weekly update on all things digital in the EU. You can subscribe to the newsletter here.
“We heard several times from presidencies that the world would end if we didn’t take a deal. Eventually, we got a better deal with the following presidency.”
-Brando Benifei, European Parliament’s co-rapporteur for the AI Act
Story of the week: After 22 hours of intense negotiations, exhausted EU policymakers called for a recess until Friday morning. Despite the outstanding reservations of France and Germany, the co-legislators have managed to solve one of the two main hurdles: the rules for foundation models and related governance architecture. As Euractiv reported, the provisional agreement maintains the tiered approach and most obligations seen in the Commission/presidency texts. The model evaluation requirement was moved to the top tier, whereas the obligation to publish a sufficiently detailed summary of the training data now includes a trade secret caveat. The models will be automatically deemed systemic if trained with computing power above 10~25. Still, the AI Office will also have significant latitude to make qualitative designations based on criteria like the number of business users or the model’s parameters. Exemptions for open-source software were introduced for both the system and model levels.
While around ten open issues remain on the agenda, the real political hurdle is on a law enforcement package that includes the banned application, Remoted Biometric Identification and the national security exemption. The Spanish presidency presented a text very close to the Council’s position and pressured MEPs to accept it. The centre-right European People’s Party, traditionally close to the law and order agenda, and co-rapporteur Dragoș Tudorache also pushed to accept the text, which contains provisions extremely difficult to accept for progressive lawmakers like a blank carveout for military applications and giving to police forces tools like emotion recognition and racial profiling. The President of the social democratic group, Iratxe García, who belongs to the same party that is in power in Madrid, further added to the pressure. However, co-rapporteur Brando Benifei and the centre-left did not budge, and a recess was called. After yesterday’s trilogue, Benifei attended an event of the S&D group’s think tank, repeating several times that an agreement doesn’t need to be found today, throwing the gauntlet to the Spanish presidency.
Don’t miss: The Netherlands again leads the charge against the Commission’s French-led push for sovereignty requirements in the European Cloud Services scheme. Using the agenda point on the targeted revision of the Cybersecurity Act, Dutch state secretary Alexandra van Huffelen opened the dances by criticising the Commission’s approach to the scheme and was followed by the ministers of Poland, Germany, Ireland, Romania, Czechia, Finland, and Estonia. Czech Deputy Prime Minister Ivan Bartoš hinted at using GDPR’s data adequacy decision as a compromise to identify trusted partners. The Hague also gathered the support of 11 governments to its feedback on the last draft of EUCS, revealed by Euractiv two weeks ago. Meanwhile, Euractiv understands that ENISA is preparing a revised draft based on the countries’ feedback. The EU agency is also discussing the matter with cloud services providers: last week with European and this week with American hyperscalers. Read more.
Also this week:
- A last-minute attempt to narrow the definition of AI was prevented ahead of the trilogue.
- The EU Parliament’s Economy Committee adopted its annual competition report with a strong focus on digital markets.
- The Industry Committee adopted the Cyber Solidarity Act on Thursday.
- The EU court issued two landmark rulings on the General Data Protection Regulation this week.
- The Commission’s competition department gave the node to the cloud IPCEI to receive €1.2 billion in state aid.
Today’s edition is powered by Instagram
Family Centre has resources to support parents
Family Centre on Instagram helps parents keep their family safer, with an Education Hub featuring expert advice and Supervision parents can set up with their teenager.
Find out more
Artificial Intelligence
ADM dropped. In a last-minute attempt, the Council tried to exclude Automated Decision-Making from the scope of the AI Act, which would have meant a significant carve-out for systems not based on machine learning. However, the Parliament managed to push back at the technical, and the agreement was to clarify the notion of ‘inference’.
Google’s foundation model move. Google announced Gemini, their “largest and most capable AI model”, in a post on Wednesday by Sundar Pichai, CEO of Google and Alphabet, and Demis Hassabis, CEO and co-founder of Google DeepMind. According to AI expert Gary Marcus, Gemini matches or slightly outperforms OpenAI’s GPT-4 on most tasks but does not outclass it dramatically, which might suggest large language models are approaching a plateau. Still, its launch might cause trouble for OpenAI following the drama on the ousting and reappointment of Sam Altman.
Mistral AI’s positive outlook. Six months after its birth, Mistral AI, the French start-up heavily lobbying to exclude foundation models from the AI Act and throwing the gauntlet to Big Tech, has raised €105 million. Yet, the three original co-founders will sell company shares in exchange for €325 million cash, mostly from the US fund Andreessen Horowitz and €120 million of convertible bonds from US tech giants Nvidia and Salesforce. Mistral AI’s total valorisation should rapidly exceed €2 billion, Bloomberg says.
AI open source community. IBM and Meta launched a collaboration with over “50 Founding Members and Collaborators globally” called the AI Alliance, as announced on Wednesday. The alliance is focused on “fostering an open community and enabling developers and researchers to accelerate responsible innovation in AI while ensuring scientific rigour, trust, safety, security, diversity and economic competitiveness”.
UN AI advisory body kicks off. The United Nations’ Envoy on Technology announced on Wednesday that they were “getting ready for the first in-person meeting of the AI Advisory Body” in the UN Headquarters in New York with “leading experts from across the world”.
Think about the metaverse. A joint statement on the biometric categorisation in the AI Act by DOT Europe and other organisations was published last Thursday, warning EU policymakers that wording meant to limit law enforcement activities might have unintended consequences for immersive technologies.
Competition
2023 competition policy report. The European Parliament’s Economic Affairs Committee adopted the annual competition policy report with a broad majority on Monday, suggesting expanding the reach of the Digital Markets Act to the cloud and Artificial Intelligence sectors. The report mentions more or less explicitly several ongoing investigations, from Apple’s iMessage to Microsoft Teams. Lawmakers also called on the Commission to make better use of structural remedies and for a legislative proposal in the digital advertising sector. Read more.
CMA wins appeal. The UK’s Competition and Markets Authority won an appeal after a tribunal initially sided with Apple against its decision to launch a market investigation into mobile browsers and cloud gaming. Contrary to the previous decision, the court ruled that “the principal purpose of the [Enterprise] Act is to promote competition and protect consumers,” and, in its view, the first Tribunal “lost sight of this consideration”.
Cybersecurity
Cyber Solidarity Act in ITRE. The Industry Committee adopted the draft report of the Cyber Solidarity Act on Thursday. The text includes amendments addressing budget issues, stronger links to support public-private threat information sharing, and cross-links with other initiatives. While the Parliament wants to kick off the trilogues in January, the bill languishes in the Council. At the Telecom Council on Tuesday, EU ministers did not hide their scepticism about the law, which duplicated the existing structures. Read more.
CRA – what now? Following last week’s trilogue agreement on the Cyber Resilience Act, technical meetings are ongoing until 15 December. The intention is to finalise the text by the end of December and have the committee vote in January, followed by the check of lawyer linguists. The plenary vote is expected in April. Euractiv saw a new four-column document dated 5 December with no major surprise from the political agreement.
Facebook and Messenger become encrypted. WhatsApp’s parent company, Meta, announced on Wednesday that it will expand the end-to-end encryption of messages and calls to Messenger and Facebook. The new features will be available by default on the apps rather than optional, as they have been on Messenger since 2016. Similarly, as in the case of other already encrypted messaging platforms, child protection organisations raised their concerns over the decision to make the detection of online child sexual abuse material more difficult.
Threat Landscape for DoS Attacks. ENISA, the EU’s cybersecurity agency, published a new report on the Denial-of-Service (DoS) attacks on Wednesday. With an analysis of 310 verified DoS incidents from January 2022 to August 2023, ENISA found the public administration sector is the most affected, getting hit by 46% of attacks. While half of the attacks can be traced back to the Russian war of aggression against Ukraine, six out of ten attacks are politically motivated.
ENISA-CISA cooperation. In the context of the EU-US Cyber Dialogue on Thursday, ENISA and the American Cybersecurity and Infrastructure Security Agency (CISA) signed a Working Arrangement to boost cooperation in capacity-building, best practices exchange and situational awareness.
Data & Privacy
Automated decision-making. On Thursday, the EU Court of Justice ruled that decision-making by scoring systems using personal data needs to follow specific conditions. This judgement could have significant spillover effects for social security and credit agencies. In particular, this type of algorithm will have to be based on national legislation and follow the GDPR, in particular in terms of legal basis for data processing that cannot include legitimate interest. Years after the EU’s data protection law started to take effect, the verdict is the first seminal case law in the article on automated individual decision-making. Read more.
Sanctions become easier. The European Court of Justice issued a landmark ruling on Tuesday that is set to facilitate the imposition of fines for infringements of the General Data Protection Regulation (GDPR). The verdict at the EU level results from two national courts from Lithuania and Germany asking for guidance on the conditions for sanctioning data controllers. According to the decision, a fine for infringement on data controllers can be imposed when “that infringement was committed wrongfully, that is to say, intentionally or negligently”. Read more.
EDPB ban on Meta. On Thursday, the European Data Protection Board decided to ban Meta’s platforms from processing personal data for behavioural advertising. Thursday’s decision comes after, starting in early August, Meta-owned platforms faced a temporary three-month ban on behavioural advertising based on extensive user profiling in Norway, as Euractiv reported. The EDPB’s decision also follows the Norwegian Data Protection Authority’s request to order a ban for the whole European Economic Area rather than a temporary ban on a national level. Read more.
Digital Markets Act
iMessage, you’re free to go. According to Bloomberg, the European Commission will likely decide that Apple’s iMessage is not covered under the Digital Markets Act because the messaging app is not popular enough in the EU. The official market investigation will be concluded in February 2024.
May I be excluded? TikTok asked the EU’s General Court to suspend its designation as a gatekeeper under the DMA until there is a decision on the tech company’s challenge to remove itself from the gatekeepers list, filed last month.
Compliance day is coming. While gatekeepers will have to officially comply with the DMA’s obligations as of 7 March, Olivier Guersent, the EU’s top competition enforcer, said this week that for Google, Apple, Amazon, Microsoft, TikTok, and Meta’s platforms, obligations may take more time to take effect. Meanwhile, the Commission is working on 150 gatekeeper compliance files, Guersent said on Wednesday.
Insights on DMA compliance. The Centre on Regulation in Europe published a study on how the “gatekeepers” should design their services to fully comply with the EU antitrust rules, detailing three legal and three economic principles that core platform services should follow.
Digital Services Act
Database launch. Last Friday, the Commission launched its Digital Services Terms and Conditions Database, focusing on, among others, social media platforms, app stores, and marketplaces. The database complements the DSA’s transparency requirements and will be a “go-to resource for users” as well as for stakeholders and regulators. Open Terms Archive developed its open-source software.
Tell me more. The Commission sent a request for information to Meta, under the DSA, to provide information on the measures taken to comply with the obligations of the risk assessment and mitigation measures. These include minors’ protection and the prevention of self-generated child sexual abuse material’s circulation on Instagram. Meta must also provide information on Instagram’s amplification of harmful content and recommender system. This is the third request for information Meta received under the DSA. The first in October concerned the spreading of terrorist and violent content following the deflagration of the Israeli-Palestinian war, and the second in November related to the protection of minors.
eGovernance
eIDAs adopted in ITRE. The European Digital Identity framework was adopted in the Industry Committee following the political agreement with 35 votes in favour, 13 against and six abstentions.
Gig economy
France’s STR law postponed. French socialist MP Iñaki Echaniz and centrist Annaïg Le Meur suggested a short-term rental bill to balance legislation between long-term and short-term rentals where renting capabilities are scarce. The text was presented in a plenary session of the National Assembly on Wednesday but was not conclusive, which irked the rapporteurs. They jointly published a declaration pointing towards right’s The Republicans and far-right’s National Rally MPs who allegedly “monopolised speech times for more than four hours”, therefore de facto impeaching a conclusive vote. Members of the Parliament might consider the text again next year in January.
To deal or not to deal. Platform work directive negotiators will be meeting next Tuesday (12 December) again for the sixth trilogue since July – in the hope that a final deal will finally be reached. The Spanish Presidency will not present a new text to ambassadors, hoping to find common grounds on Tuesday. “Spain is finally emancipating itself from the Council mandate” and trying to go solo without previous member states’ approval, several sources told Euractiv. It’s not clear whether a deal can be secured then, but “chances are higher than even two weeks ago,” an EU diplomat said.
Left goes right. As always, the hottest chapter of the platform work directive remains the legal presumption of employment. Through several non-papers, seen by Euractiv, Parliament rapporteur Elisabetta Gualmini seems willing to depart from the Parliament’s mandate and re-introduce the criteria, which she dubs as ‘indicators’. However, this has had The Left and Green MEPs see red, for whom even a loose recognition of criteria, named ‘indicators’, is a no-go. The last non-paper, shared ahead of a trilogue in late November, had the Green and The Left vote opposed at a technical meeting, while all other groups spoke in favour, Euractiv has learned.
Define and penalise. Beyond the presumption, an agreement remains to be found on key definitions – including that of a digital platform, trade unions, and workers’ representatives – and penalties that would apply. On the other hand, both Council and Parliament sources confirm the algorithmic management chapter is now closed and largely agreed upon.
Industrial strategy
Cloud IPCEI gets nod. The EU executive gave the green light to public spending up to €1.2 billion by seven member states for an Important Project of Common European Interest on interoperable cloud and edge computing. The authorisation took the Commission over a year and a half to green-light the process. Euractiv understands that this delay was because Margrethe Vestager, formerly in charge of the EU competition department, was not fully convinced by the project. However, her portfolio was taken over by Justice Commissioner Didier Reynders in September. This project will allow in the future to support innovative applications such as “automatic vehicles or real-time remote patient monitoring” and “will reduce the need to transmit large volumes of data to centralised servers”, Reynders said on Tuesday. Read more.
Quantum valley. To ensure the EU’s leading role in quantum technologies, the Spanish presidency coordinated a joint declaration on quantum technology on Wednesday. Spain presented the Quantum Pact during the Telecom Council in a last-minute move, following fears the announcement might have to be postponed. 11 countries have undersigned the initiative. Still, key quantum players like Germany, the Netherlands and Denmark did not. Read more.
Chips JU launch. Last Thursday, the Commission launched the Semiconductor Joint Undertaking (Chips JU) under the Microchip Regulation. The first call is receiving €1.67 billion in EU funding. The aim is to bridge the gap between research, innovation and production. The European Semiconductor Board also had its first meeting on the same day, with member states discussing implementing the Chips Act.
Media
No exemptions. The Committee to Protect Journalists (CPJ) called on the Commission on Wednesday to “include effective legal safeguards in its planned legislation to rein in the abusive use of spyware against journalists”. The CPJ is concerned that member states requested, in the European Media Freedom Act, a “national security” exemption to be included, which could result in the justification of using spyware against journalists.
Media progress. Vice-President Vera Jourová opened the fourth European News Media Forum in Brussels on Monday. National representatives, journalists, and members of the news media industry looked at the EU countries’ progress in implementing the 2021 Commission Recommendation on the protection, safety and empowerment of journalists.
Platforms
New subscriptions. Facebook and Instagram will offer subscriptions to avoid ads for EU, European Economic Area, and Switzerland users, as announced on Monday. Meta’s post added that regardless of what the users choose, they “are committed to keeping people’s information private and secure, under our own policies as well as the EU’s General Data Protection Regulation.”
Porn guidelines. Ofcom, the UK’s online safety regulator, published its draft guidance and consultation on age assurance for service providers publishing pornographic content on Tuesday. The deadline to submit responses is 5 March 2024. Ofcom is planning to publish four such consultations. This is the second part of establishing regulations under the British Online Safety Act.
Telecom
GIA trilogues start. On 5 December, EU ministers gathered for the Telecom Council adopted the general approach of the Gigabit Infrastructure Act, with the first ‘hand-shake’ trilogue taking place on the same day. During the meeting, Germany and the Netherlands positioned themselves against the end of surcharges for intra-EU calls that the European Parliament included in its mandate. The Netherlands instead suggested extending the price caps, which will end in May 2024. By contrast, Poland stated that his country was “flexible to find a compromise” on this topic. According to rapporteur Alin Mituța talking on Thursday at the Parliament’s Industry Committee, a deal should be reached by 25 January or 5 February.
Leon’s déjà vu. During the Telecom Council on Tuesday, ministers discussed the future of telecom networks behind closed doors. Similarly to what ministers said at the informal Council of Ministers in León in October, a majority of EU countries called for prioritising the implementation of the current policy frameworks, such as the EU Electronic Communications Code and the Gigabit Infrastructure Act, and warned against using the Digital Networks Act as a way to review the current telecommunications competition policy without evidence of market failures. By contrast, they supported the recommendation on submarine cables that will be published with the white paper early next year and should include advice on adequate funding and governance structures.
EU telcos disapprove. In a joint statement published Tuesday, ECTA, ETNO, GIGAEurope, and GSMA disapproved of the Council’s draft general approach to the Gigabit Infrastructure Act. They expressed the importance of shorter permit-granting processes, concerns over removing the ‘tacit approval’ clause and the dilution of the process to define exemptions on the permit granting. Moreover, they are safeguarding technology neutrality, avoiding regulatory fragmentation in certain cases, and advocating for the swift adoption of the act.
Hutchison-Vodafone merger cleared. The EU competition department has given the green light to the merger of CK Hutchison and Vodafone on Thursday.
What else we’re reading this week:
How Nations Are Losing a Global Race to Tackle A.I.’s Harms (The New York Times)
Early impressions of Google’s Gemini aren’t great (TechCrunch)
Spotify Is Losing Top Marketer Amid Restructuring (Bloomberg)
Alina Clasen and Théophane Hartmann contributed to the reporting.
[Edited by Alice Taylor]