Cyber vulnerability platform, Data Act’s landing zones – EURACTIV.com

Welcome to EURACTIV’s Tech Brief, your weekly update on all things digital in the EU.

 

“For the purposes of the notifications […], a single reporting platform shall be established, managed and maintained by ENISA.”

-EU Council’s compromise text on the Cyber Resilience Act dated 15 June

Story of the week: The issue of the reporting obligations for actively exploited vulnerabilities in the Cyber Resilience Act is coming to a head, with the latest Council text proposing a pan-European platform managed by ENISA, with national endpoints. A critical aspect concerns the issue of which national Computer Security Incident Response Team receives the first notification, which is vaguely defined as “where the decisions related to cybersecurity of its products with digital elements are predominantly taken.” The text also gives the CSIRTs some discretion on when they have to notify their peers if they see cybersecurity risks. The other main point still up for discussion is the highly critical products and related certification schemes, for which the Commission will be obliged to conduct impact assessments. Some further tweaks were made to the essential requirements, Commission’s delegated powers and entry into application. Whilst it’s clear the Swedes will not achieve a general approach, they want to complete as much technical work as possible ahead of the Spanish presidency, with a provisional date for COREPER approval set on 17 July. Read more.

Don’t miss: EU institutions are on track to conclude negotiations on the Data Act as early as next Tuesday, with a revised negotiating mandate for the Swedish Council presidency set to be adopted by COREPER today. The data-sharing obligations, cloud provisions and B2G obligations are largely agreed upon. The political trilogue will seek to reach an agreement on trade secrets, governance, territorial scope, product safety and the date of application. EURACTIV obtained the presidency’s note to the member states, which points to the potential landing zones of the new data law. Read more.

Also this week

  • Data protection authorities from G7 countries outlined their shared concerns on generative AI.
  • The Bundeskartellamt took aim at Google’s bundling of services for smart vehicles.
  • EURACTIV obtained the first drafts of the voluntary pledges for the Commission’s initiative to phase out cookies.
  • The Commission presented its economic security strategy and Strategic Technologies for Europe Platform (previously known as EU Sovereignty Fund).
  • EU countries endorsed their version of the European Media Freedom Act.
  • The rapporteur on the Gigabit Infrastructure Act is bringing back the debate on abolishing the fees for intra-EU calls.

Before we start: If you really can’t get enough tech analysis, tune in to our weekly podcast.

Which foundation models comply with the AI Act?

The European Parliament’s recently adopted position on the AI Act includes requirements for foundation models. Kevin Klyman and Rishi Bommasani from the Stanford Center for Research on Foundation Models & Institute for Human-Centered Artificial Intelligence have published a preliminary …

Artificial Intelligence

G7 DPAs on generative AI. The data protection and privacy authorities of the G7 countries met this week to discuss data flows, enforcement cooperation and emerging technologies. A specific statement was released on generative AI, and anticipated by EURACTIV, to set out a common vision of the data protection challenges of generative AI models. The statement details the risks of the technology from a privacy perspective, including those related to the legal basis for processing personal information in training datasets, the potential extraction or reproduction of personal information, discrimination and evasion of privacy safeguards. Read more.

Trilogue schedule. The first ‘substantial’ political trilogue on the AI rulebook will take place on 18 July, when co-rapporteur Brando Benifei aims to propose anticipating the obligations for foundation models or generative AI. The idea is to close the parts on notified bodies, standards, conformity assessment, transparency, and innovation before the summer break. The other two official trilogues are planned on 26 September and 26 October, with two backup ones also scheduled.

Think about consumers. Consumer associations from 13 EU countries and the US have published a joint statement calling on regulators to intervene to address the risks of generative AI, outlined in a report published by the Norwegian Forbrukerrådet. The report points to concerns about potential manipulation and harm against people as well as disinformation, biases, discrimination and fraud. Read more.

Regulate AI in the workplace. MEP Brando Benifei is backing a call by the European Trade Union Confederation for an EU directive to regulate the use of Artificial Intelligence specifically in the workplace. The Socialists and Democrats already pushed for stricter measures in this field, not only in the context of the AI regulation but also in the Platform Workers Directive via the rapporteur Elisabetta Gualmini.

AI Pact, AI what? Kosma Złotowski, ECR shadow for the AI Act, has written to the Commission seeking further information on the scope and timetable of Commissioner Thierry Breton’s AI Pact and details of the public consultation on the measure. The questions come after concerns were raised that the array of stakeholders being consulted was too small, that the scope was unclear, and that transparency was lacking.

OpenAI’s AI Act position. Time obtained OpenAI’s position paper on the AI Act which, expectedly, argued against classifying General Purpose AI as high-risk systems.

Competition

Google’s automotive bundle. Germany’s competition authority, the Bundeskartellamt, has published a preliminary legal opinion finding that Google bundled licenses for vehicle manufacturers in its Google Automotive Service, which includes Google Maps, Google Play and Google Assistant. The watchdog criticised the fact that only three services are offered to vehicle manufacturers as part of a product bundle, warning that Google could expand its powerful position to other markets. Concerns surrounding contractual arrangements and interoperability were also raised. Read more.

Cybersecurity

Mind the hybrid threats. A report published this week by the German domestic intelligence service BfV revealed that espionage, illegitimate influence peddling, disinformation campaigns, and cyber-attacks increased in Germany in 2022. The country’s Federal Office for the Protection of the Constitution linked the increase in hybrid threats to Russia’s war against Ukraine and China’s increasingly confrontational approach to the West. The report also warned that companies and research institutions in Germany are likely to be increasingly vulnerable due to an increased attack surface. Read more.

Lifetime non-paper. The “support period” in which manufacturers are required to provide effective vulnerability handling, as proposed by the Commission in its Cyber Resilience Act, would not cover the entire duration of the product’s expected lifetime, rendering it insufficient in delivering security, according to a non-paper by the Netherlands, Denmark, Belgium, Austria, Italy, and Finland. The countries have set out a number of recommendations for improving protections, including that the support period cover the entire expected product lifetime and that users be informed about the guaranteed cybersecurity support period and its exact end point.

Speaking of vulnerabilities. DIGITALEUROPE, together with 34 other organisations, shared a joint statement about the Cyber Resilience Act, expressing their concerns about the extension of vulnerability reporting to ‘unpatched’ vulnerabilities, meaning those for which there is no fix. The organisations believe that this will harm cybersecurity because if the information falls into the wrong hands, it would expose products to cyberattacks. “Oversharing is not caring,” the statement reads.

CySol. The Spanish Council Presidency plans the first workshop on the dossier of the Cyber Solidarity Act to be organised after the summer. At the start of this month, the Commission was invited to present the main elements of the regulation after two first general presentations, notably to discuss the role of ENISA and the European Cyber Competence Centre.

UN consultation on Cybercrime. This week, the UN hosted the inter-sessional consultation on the UN Cybercrime Convention in Vienna, providing a chance for stakeholders to raise their concerns. European stakeholders are concerned that the international treaty might undermine privacy and data protection safeguards, aspects the EU representatives said they are committed to defending. The zero draft of the convention will be negotiated in New York at the end of August.

Massive hack in the US. Some 3.5 million people in Louisiana and Oregon with driver’s licenses or state ID cards have had their data compromised in a cyberattack that has also hit the US federal government.

Data & Privacy

First Cookie pledges. The Commission has circulated initial draft pledges as part of its proposed initiative to fight “cookie fatigue”. Last week, notes setting out the draft pledges, seen by EURACTIV, were shared with participants of three working groups formed from a stakeholder roundtable held in April, which were given only five working days to send their inputs. The pledges relate to information for consumers, alternatives to tracking and tracking-free solutions. Read more.

Territorial scope question. EURACTIV obtained the Commission’s non-paper on the territorial scope of the Data Act’s data-sharing provisions, which argues that “extending the scope to third parties outside of the Union creates more risks than it solves.” The question is whether data holders should be obliged to share data with recipients that are outside of the EU jurisdiction and hence might not be bound by the regulation’s obligations. The question was discussed at a technical meeting on Wednesday, but no final decision was taken as it was left for the political level to decide. However, an EU official told EURACTIV that differentiation might be introduced for countries in the EEA or having a trade agreement with the EU.

Don’t touch complainants’ rights. Civil society groups from across Europe have joined together in the defence of the rights of complainants to be full parties in cross-border cases concerning data privacy violations. The move stems from concerns that such protections could be removed as part of the Commission’s proposed harmonisation of administrative procedures for cross-border cases linked to GDPR violations. To support their argument, the groups, coordinated by the Irish Council of Civil Liberties, shared a legal opinion on the status of complaints with the Commission. Read more.

Trade secrets warning. Business Europe penned a letter addressed to EU ambassadors ahead of the COREPER, set to provide the Swedish presidency with an updated mandate on the Data Act. The trade organisation expressed “serious concerns over the prospects of lowering the protection of trade secrets”.

Criteo €40m fine. The French data protection authority CNIL sanctioned CRITEO, a company specialised in online advertising and tracking in Europe, with a fine amounting to €40 million. The infringements include the lack of evidence of the consent of individuals to the processing of their data, information and transparency, as well as respect for the rights of individuals. The size of the fine relates to data of 370 million people across the European Union.

LIBE worries on UK bill. MEP Juan Fernando López Aguilar has written to Justice Commissioner Didier Reynders following a hearing in the Parliament’s civil liberties (LIBE) committee last month, during which the UK Information Commissioner was quizzed on London’s planned data protection reforms. The letter, first reported by MLex and seen by EURACTIV, notes LIBE members’ particular concern about the reforms’ impact on the independence of the Information Commission and the implications of the UK government’s pointed marketing of the Bill as a departure from EU regulation.

Digital Services Act

Breton in the Valley. Internal Market Commissioner Thierry Breton has warned Twitter owner Elon Musk that the company must ramp up its content moderation resources to comply with the DSA, following a two-day stress test on the platform. Breton is touring the West Coast to meet a number of Big Tech leaders and inaugurate the EU’s new San Francisco office, meant to act as a hub for digital diplomacy. Today, Breton is meeting with Meta CEO Mark Zuckerberg to discuss his new AI Pact and the DSA, followed by meetings with Jensen Huang, CEO of chipmaker NVIDIA, and Sam Altman, CEO of ChatGPT’s provider OpenAI, to discuss the Chips Act and AI Act respectively. Read more.

Success equals responsibility. Before flying to Cali, Breton met with Robert Genz, CEO of online retailer Zalando, this week to discuss preparedness for the DSA’s upcoming entry into force. Zalando was amongst the first batch of big tech companies declared to be Very Large Online Platforms (VLOPs) and therefore subject to stricter requirements, but it has previously objected to this designation, arguing that it should not be listed alongside major players such as Amazon and Meta. “With its millions of users, Zalando is a European success story”, Breton said on Tuesday, following the meeting. “And with success comes responsibility.”

Implementing acts adopted. The Commission has approved and published implementing regulations for the DSA’s provisions covering Commission intervention. In particular, the areas touched on are the procedure for certain aspects of the EU executive’s investigative and enforcement powers, hearings, and the negotiated disclosure of information.

Database consultation. The Commission has launched a public consultation on the DSA provisions that require the Commission to establish and maintain a transparent database of platforms’ content moderation decisions. Platforms will be invited to submit declarations as soon as the database is established to allow for “near real-time updates”. The window for submissions is open until 17 July.

Platforms are complex. The German think tank SNV analysed the possible risks related to YouTube in light of the DSA, finding considerable differences in various components of the platform and their varying levels of associated risks. In other words, YouTube is made up of multiple components and different algorithms, which need to be fully understood for accurate risk assessments.

Disinformation

Moscow à la Françafrique. Paris is increasing its efforts to counter Moscow’s influence in a number of African countries, where it says the Kremlin and the Wagner mercenary group are seeking to amplify criticism of France. Complicating efforts to counter disinformation from Moscow are legitimate criticisms of the country’s past and current presence in African nations’ affairs. Read more.

eGovernance

eIDs endgame. A political agreement on the European Digital Identity might be reached as early as next Wednesday, as COREPER is expected to adopt the renewed mandate for the Swedish presidency in the morning, and the potential last trilogue is taking place in the afternoon. The open questions mostly relate to the wallet, notably whether it should be free to use, the unique identifier, and the level of assurance.

Think twice. 24 civil society organisations, academics, and research institutions sent an open letter to EU policymakers involved in the file, urging them to introduce stronger safeguards on privacy and non-discrimination. Otherwise, the eIDs might lead to risks for Europeans both in their online and offline life.

Romania’s digital plan. Romania’s new Minister for Digitisation, Bogdan Gruia Ivan, has set out his priorities for accelerating the country’s digital transition, including through rapid action in areas such as digital infrastructures, interoperability, government cloud and AI. Read more. 

Gig economy

STR dividing lines. While there is broad consensus within the EU Parliament over the legislative proposal to regulate short-term rental platforms, the main points for discussions are set to concern the notion of ‘compliance by design’, the relation between authorisation and registration procedures, and the governance, according to the amendments published this week. Read more.

PWD trilogue schedule. The first trilogue of the Platform Work Directive is scheduled for 11 July, EURACTIV learned. Two more might follow on 5 and 26 September.

Industrial strategy

Another misSTEP. The Commission finally unveiled its much-hyped EU Sovereignty Fund, meant to finance strategic projects aimed at strengthening Europe’s strategic autonomy. However, the new Strategic Technologies for Europe Platform (STEP) will not receive any new money. It consists (as usual, one might say) of a repackaging of existing funding with a €10 billion top-up from member states and a brand-new website. The fund’s scope has also been narrowed to three sectors deemed the most critical: deep tech, clean tech and biotech. Read more.

De-risking strategy. The EU is weighing up various tools that could be used to counter the increasing readiness of China and Russia to use trade and control over critical supply chains to their geopolitical advantage. The Economic Security Strategy, seen by EURACTIV ahead of its presentation on Tuesday, aims at tightening the screws of inbound investment screening from foreign companies seeking to buy Europe’s critical infrastructure or technologies, preventing the sale of sensitive technologies such as weapons or spyware to China and other hostile powers, and putting a stop to businesses outsourcing critical supply chains outside of Europe. Read more.

Intel’s German investment signed off. A deal signed by Berlin and Intel this week has cemented an exchange of a more than €30 billion investment in chips plants in Saxony-Anhalt for €10 billion in government subsidies. The agreement was signed following months of negotiations and marked a major step up from previous agreements, which saw a €17 billion investment traded for €6.8 billion in subsidies. The facilities are set to be more modern than initially planned, featuring next-generation systems, and have received support from officials in the country’s governing coalition. Read more.

Law enforcement

EU-US e-evidence sharing. Access to electronic evidence was one of the points of focus during a press conference on 21 June for the EU-US Justice and Home Affairs Ministerial meeting, which took place in Stockholm on 20-21 June. Justice Commissioner Didier Reynders said that since e-evidence is now “fixed” within the EU, negotiations with the US can also start. Alejandro Mayorkas, US Secretary of Homeland Security, confirmed that two new initiatives were endorsed to improve information sharing about terrorism and drug cases, and they also agreed to constitute a third information project.

Not gonna happen. The Swedes have definitively passed the baton to the Spaniards on the draft law to fight child sexual abuse material. Disagreement continues as the likes of the Netherlands, Finland, Poland, and Ireland would like to see grooming and new CSAM out of the scope of the Detection Orders, with similar discussions taking place in the Parliament. As Sweden takes off the clothes of the honest broker, Stockholm might become more critical of the proposal.

Meanwhile, in the Parliament. Next up on the MEPs’ agenda are the provisions on risk assessment, risk mitigation, risk reporting, and detection orders. According to a parliamentary official, agreements can be expected on risk assessment, but there are disagreements on nearly every other part of the file.

Media

EMFA Council position. The EU Council agreed on a mandate for negotiations on the Media Freedom Act at the COREPER level on Wednesday, with trilogues set to start once the Parliament has agreed on its position in autumn. Ahead of the deal, the Swedish presidency circulated a final text on the proposal, seen by EURACTIV, which included some significant changes meant to increase the independence of the Board, vehemently demanded by the likes of Portugal, which, however, regrets that the Commission maintains a veto power on inviting independent experts. The presidency also did not include the principle of comparability of audience measurement systems, which for some might give Big Tech too much discretion. France’s controversial carve-out on national security was maintained. Read more.

Media’s systemic crises. Europe’s media are facing the effects of multiple crises that have unfolded over the past decade. A holistic response is needed to address these issues, according to a new report on the European media landscape by the think-tank Freedom House. The problems range from financial challenges to intentional obstruction by political actors, and the report also sets out a number of recommendations on how to overcome them, including at the EU level, via the proposed European Media Freedom Act and the anti-SLAPPs Directive. Read more.

Platforms

More TikTok auditions. French Digital Minister Jean-Noël Barrot was invited on Monday to an audition about TikTok at the French Senate, where he said that “the existence of [Chinese extra-territorial] laws do not constitute a proof of cooperation” and reinforced his position by explaining that TikTok already had to abide by the GDPR, and, as of August, by the DSA.

Twitter’s Australian problem. Twitter is facing a potential fine from Australia’s internet safety watchdog over what the authority says is the platform’s failure to tackle online abuse. The platform now has 28 days to demonstrate its seriousness in addressing the issue, or else it could be liable for fines of Aus$ 700,000 per day. Read more.

Geo-blocking porn. France plans to block pornographic sites that do not impose real age verification of visitors, on 7 July. MindGeek, which also owns Youporn and Pornhub, has not ruled out making its video platforms inaccessible in the country, according to an executive of its new shareholder.

Standards

Strong AG opinion. Harmonised technical standards should be freely available given their legal nature as acts that form part of EU law, according to an opinion by the EU Court of Justice’s Advocate General. The legal opinion, which is not binding but which often indicates the direction the Court will officially take, might be good news for companies that will no longer have to pay €100 or so for each of these documents, but would also go against the argument from parts of the industry that harmonised technical standards do not equate to EU laws.

Telecom

Intra-EU calls are back. The EU Parliament’s rapporteur on the Gigabit Infrastructure Act has proposed abolishing fees for intra-EU calls and introducing further harmonisation of provisions concerning broadband rollout. Ahead of the publication of his draft report on the GIA, MEP Alin Mituţa spoke to EURACTIV about his legislative priorities on the file, emphasising that he is seeking to maintain the same overall structure as the Commission’s original proposal. Read more.

Bad news incoming? French telecoms provider Orange and Spanish MasMovil may receive an EU antitrust warning about their €18.6-billion merger being anti-competitive. On 4 September, the Commission will decide on the case, which is largely regarded as a testbed of its doctrine to maintain four mobile operators in a national market.

Kloc confirmed. The Commission has appointed Kamila Kloc as DG CNECT’s director of “Digital Decade and Connectivity”. Kloc, who is the current Acting Director in this role, was previously deputy director and as such has coordinated the Commission’s Digital Policy Programme and worked across several departments in the EU executive and the Polish competition authority.

EU comes in 4th. Western Europe’s 5G subscription growth accounted for 13% at the end of 2022, lagging behind North America, North East Asia, and the Gulf Cooperation Council, reports the Ericsson Mobility Report 2023 published this week.

Germany catches up. On the topic of the fibre network roll-out, Germany performs better than expected. “As of April 2023, 87% of Germany is covered with fibre glass,” stated Oliver Luksic, German parliamentary state secretary to the federal minister for digital and transport, at an IT event on Thursday.

Testing resilience. The results of stress tests conducted as part of the Council’s 2022 Recommendation on an EU-wide coordinated response to strengthen the resilience of critical infrastructure have been positive and feature several encouraging aspects, the Swedish presidency has said in its report on the state of play of the tests.

Joint venture green-lighted. The Commission has approved the creation of a joint venture between Sumitomo and Vodafone to develop and commercialise “Economy of Things” products and services to enable connected devices, vehicles, and machines to communicate and trade with each other. The Commission deemed that the project, DABCO Limited, does not raise competition concerns in the EEA.

What else we’re reading this week:

A new threat to financial stability lurks in the cloud (FT)

AI Is an Existential Threat to Itself (The Atlantic)

How AI could spark the next pandemic (Vox)

Julia Tar, Théophane Hartmann and Alina Clasen contributed to the reporting.
