GDPR harmonisation, competition authorities on data protection – EURACTIV.com

Welcome to EURACTIV’s Tech Brief, your weekly update on all things digital in the EU. You can subscribe to the newsletter here.

 

“We can further facilitate cross-border procedures between data protection authorities. We want to ensure quicker decisions. Also in complex cases.”

-Didier Reynders, European Commissioner for Justice

Story of the week: The Commission presented on Tuesday (4 July) a legislative proposal to harmonise administrative procedures to facilitate the enforcement of cross-border data protection cases. The draft law seeks to streamline how complaints are filed and handled across the EU, promoting an amicable solution to which the complainant will have two weeks to object. More generally, complainants only have the right to be heard if their complaint is fully or partially rejected. The proposal also imposes stricter confidentiality rules, allowing the investigated party to require the protection of commercially-sensitive information and placing the case documents outside the reach of access-to-documents requests until the investigation is concluded.

The Commission’s idea is that intra-authority cooperation should happen earlier in the process, with the European Data Protection Board (EDPB) taking an urgent binding decision in the preliminary phase. However, that means the scope of the investigation cannot be contested once the leading authority reaches a draft conclusion. This initial draft has already attracted criticism for giving more leeway to the leading authority (i.e. the Irish, and to a lesser extent, the Luxembourgish data protection authorities) and the investigated parties, to the point that some say it creates more problems than it fixes. Hefty amendments are to be expected, especially on the side of the European Parliament. Read more.

Don’t miss: The European Court of Justice has ruled that national competition authorities may identify GDPR violations as part of investigations into abuses of market dominance. The EU judges pointed to the important value of personal data in the digital economy, meaning it is also a significant parameter of competition between tech companies. The finding, which originated in a case brought against Meta over its processing of personal data, also suggested that consent might be the only viable legal basis for that processing, dealing a blow to the company’s arguments in favour of more expansive interpretations of the law. Read more.

Also this week

  • The EU Council exchanged views on four critical issues of the AI Act.
  • Germany is putting the discussions for a new competition tool back on the table.
  • MEPs reached a political agreement on the Cyber Resilience Act.
  • The first seven gatekeeper companies were made public.
  • The Spanish presidency circulated its first text on the Child Sexual Abuse Regulation.
  • EURACTIV obtained an early version of the Commission’s metaverse strategy.
  • Turmoil in France prompted Macron to suggest social media shutdowns when the situation gets out of hand.

Before we start: If you just can’t get enough tech analysis, tune in to our weekly podcast.



Artificial Intelligence

Working Party option discussion. The Spanish presidency set out some options for dealing with sensitive parts of the AI Act that were discussed in the Telecom Working Party on Wednesday. On the AI definition, 12 member states asked to maintain the Council’s text, whilst eight considered it might make sense to wait for September for any development at the OECD level. Regarding classifying high-risk systems (Art. 6), 11 countries want to keep the general approach. At the same time, six might be open to accepting the Parliament’s version without the notification mechanism, and one supported the mandatory criteria. Nine national representatives urged the presidency to defend the Council’s position on the list of high-risk use cases in Annex III. At the same time, five were more open to the MEPs’ text but asked for further analysis, and a few countries, most notably France, deemed including biometrics problematic. Regarding the fundamental rights impact assessment, five member states were against and five expressed interest in the proposal. However, some countries, like Germany, did not have the time to form a position. Concerning the inclusion of concepts like democracy, the rule of law and sustainability in AI regulation, seven countries supported the idea, while six opposed it.

Work on the ground. Meanwhile, this week, technical work on less controversial parts of the text kicked off, starting with notified bodies and obligations for providers. So far, the work has progressed smoothly, but things might heat up when the final provisions are put on the table as they touch upon spicy issues such as fines, entry into application and the inclusion of large-scale IT systems. At the same time, both shadow rapporteurs and member states have started complaining that the text is being forced on them, as it is ‘precooked’ between the presidency and the co-rapporteurs ahead of technical meetings. This approach might work for now as only less controversial parts of the file, such as the innovation chapter, are being drafted.

ECHR on facial recognition. The European Court of Human Rights (ECHR) has ruled that in 2019 Russian authorities violated the rights to respect for private life and freedom of expression when they used facial-recognition technology to identify a protestor who was carrying out a peaceful demonstration in the Moscow underground. Nikolay Sergeyevich Glukhin was prosecuted after being found through the use of advanced technologies. The Court this week concluded that the processing of his personal data in the context of a peaceful protest, and the use of facial recognition technology, were particularly intrusive and in breach of the European Convention on Human Rights, to which Russia was still a party when the incident occurred.

Don’t narrow it. Civil society called for a broad scope and definition of AI systems and no blanket exemptions for AI systems for national defence in the Council of Europe’s AI Convention. The statement was signed by organisations such as Access Now and BEUC. The call comes after EURACTIV revealed that the United States is pushing to keep private companies out of the binding international treaty.

Competition

New competition tool is back. Proposals to reform Germany’s competition law, expanding its scope and the powers of the national antitrust authority, could serve as a model for wider EU changes, State Secretary for Economy, Sven Giegold, has said. Negotiators in Berlin this week reached an agreement on the reform plans, which will allow the Bundeskartellamt to act upon findings of insufficient competition in markets following sectoral investigations – even where no illegal behaviour has been proven. Speaking this week, Giegold said that the proposal should become a model for Europe more broadly, though this idea received significant pushback from business. Read more.

Takeover investigated. The Commission has opened an in-depth investigation into Amazon’s proposed acquisition of smart vacuum maker iRobot, a deal which was cleared by the UK’s Competition and Markets Authority. Brussels is concerned that the deal would restrict competition in the smart vacuum market and could allow Amazon to exclude iRobot’s rivals from that market.

Teams investigation ahead. Microsoft appears set to face a full investigation by EU competition authorities over its product bundling practices, a case based on a complaint launched by the workplace platform Slack in 2020. Microsoft began discussions with the Commission last year in an attempt to propose remedies and avoid an official probe. Still, unsatisfied with what’s on the table, Brussels is reportedly pushing ahead with a full enquiry.

Adobe’s marriage in review. Brussels authorities are set to launch a review of Adobe’s proposed $20 billion acquisition of design software firm Figma, with a deadline of 7 August for determining whether or not to press ahead with a full-scale investigation. The deal is already under scrutiny by the UK’s competition body, and the parties involved are also seeking a green light from the US Department of Justice.

Cybersecurity

CRA EP text closed. In just over two months of negotiations, EURACTIV largely anticipated the text of the Cyber Resilience Act (CRA) that received political endorsement in the European Parliament’s Industry Committee on Wednesday. The final changes regarded the scope, responsibilities along the supply chain, support period, reporting obligations and wording on high-risk vendors. The only significant changes introduced on Wednesday were the entry into application set to 36 months, with 18 months for reporting obligations, and a specification that the regulation only applies to free and open-source software when made available during a commercial activity. The committee vote will be on 19 July, with a mere announcement expected for the plenary in September.

Health sector’s threat landscape. The European Union Agency for Cybersecurity (ENISA) released a cyber threat landscape for the health sector on Wednesday (5 July). The analysis studied cyberattacks, identifying prime threats, actors, impacts, and trends for over 2 years. It is based on 215 publicly reported incidents in the EU and neighbouring countries. The report shows that ransomware is responsible for 54% of cybersecurity threats in the health sector.

Data & Privacy

Cookie pledge workshops. The three working groups of the Commission’s proposed cookies pledge took place this week, with stakeholders emphasising that the key challenge remains providing this to consumers without exacerbating their current cookie-based information overload. The Commission apparently did not want to engage on potential limits on contextual advertising during the second working group, where civil society groups say they were underrepresented. Unanswered questions from this session include whether Privacy Enhancing Technologies can prevent consumers from feeling a sense of intrusiveness when exposed to personalised ads and how the pledge can separate tracking used for advertising from that used for measurement. During the third working group, the industry pointed out the problems with automated systems for handling consumer choices, and different companies and organisations advocated for various control approaches. Outstanding issues from this gathering include how to facilitate direct communication between publishers and users without exacerbating fatigue, questions of consent for advertising cookies when the automated choice collection is in action and whether these automated systems ensure enough granularity for legal consent.

Our work is done. The US has fulfilled its commitments to implementing the EU-US Data Privacy Framework, US Secretary of Commerce Gina Raimondo said this week, concluding work undertaken over the past year to facilitate data flows between the two countries. The announcement also comes a week after the US designated EU and EEA countries “qualifying states” for the purpose of implementing the redress mechanism under the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities. The adoption of the data adequacy decision is expected later this month.

Mind the data adequacy. Twenty-eight experts and civil society organisations have penned an open letter to Commissioners Jourová and Reynders expressing their concern about the UK’s proposed data protection reform, which they say “flies in the face” of the 2021 EU-UK adequacy decision. The reform, they warn, will weaken the UK’s data protection standards and turn it into a testing ground for data abuse, putting at risk EU citizens’ data and also allowing London to legalise invasive surveillance practices.

Digital diplomacy

Breton’s pivot to Asia. The EU and Japan will deepen their cooperation on semiconductors and collaborate on undersea cables and cybersecurity, it was announced this week during Internal Market Commissioner Thierry Breton’s visit to the country. The two will coordinate on monitoring chip supply chains, knowledge exchanges and chokepoint diversification, and the plan comes as part of a push by Europe to reduce dependence on China. Also signed was a Memorandum of Understanding on undersea cables, where the two agreed to take concrete steps to support secure connectivity, but nothing concrete was announced on the Arctic cable to connect Europe to Japan.

Digital Markets Act

Gatekeepers self-declaration. Google’s Alphabet, Amazon, Apple, TikTok’s ByteDance, Meta, Microsoft and Samsung have all notified the Commission that they meet the threshold for gatekeeper status under the Digital Markets Act. However, no information will be released yet on which Core Platform Services they reported until the Commission releases its final assessment in September. Notably missing from the list is Booking.com, which said in a statement that, due to the impacts of COVID-19, the company had not met the monthly active user threshold required for this current round of designations. It added, however, that it likely would have reached it by the end of the year.

Industrial strategy

Sovereign cloud talks. €506 billion will be spent on cloud computing by the end of the year. Still, only 41% of businesses are using cloud software, despite its uptake being crucial to the implementation of tools such as blockchain and AI, according to Pearse O’Donohue, Director of Future Networks, who also said at the VMware Sovereign Cloud Day on Wednesday that the Commission does not have a definition of sovereign cloud and that they are in the process of reviewing the guidelines on public procurement.

Institutional corner

Spanish EU Council presidency priorities. Boosting ethical and inclusive digitalisation, promoting tech entrepreneurship, cooperating with Latin American and Caribbean countries and reflecting on new regulatory policy for electronic communications are the key lines of action for the new Spanish Council Presidency in the areas of digital and telco, according to the presentation the incoming presidency gave on Wednesday and seen by EURACTIV. Madrid is aiming to conclude trilogue negotiations on the AI Act, Cyber Resilience Act and Interoperable Europe Act before the end of its tenure, and move talks forward as much as possible on the Gigabit Infrastructure Act, Cyber Solidarity Act and Revision of the Cybersecurity Act.

Law enforcement

First Spanish text. Spain has circulated its first compromise text on the Child Sexual Abuse Material (CSAM) regulation since taking over the presidency of the Council, focusing on risk assessment and mitigation measures. The text, dated 29 June and seen by EURACTIV, also covers topics including the sign of compliance, expedited reporting, detection orders, audio communications and age verification. Madrid aims to reach a Council position on the file on 28 September, but some regard this timeframe as unlikely as divisions remain on issues such as age verification. Read more.

Poland vs CSAM. The proposed regulation to tackle CSAM is unnecessary, and its functions are being carried out by other existing regulations, Paweł Lewandowski, Poland’s undersecretary of state at the chancellery of the Prime Minister, told EURACTIV this week. Online privacy is important, Lewandowski said, but he added that Poland was firm that the controversial regulation should not threaten end-to-end encryption or give governments the right to intercept communications in any way. Read more.

Meanwhile, in the Parliament. Next up on the Parliament’s agenda are the detection orders, which are expected to become even more targeted and integrate some elements from the Committee on Internal Market and Consumer Protection’s (IMCO) opinion text. There seem to be agreements about detection being the last resort.

I’m warning you. A joint statement of scientists and researchers on CSAM was published this week, warning that the draft law relies on fundamentally unsuitable tools and threatens encryption. As of 6 July, the open letter counts 390 signatories from 34 countries.

Online (un)safety. Almost 70 researchers from UK universities have signed an open letter expressing their concern over the country’s proposed Online Safety Bill, similar to the EU’s DSA, warning that the bill threatens privacy and online safety, particularly on the issues of end-to-end encryption.

Metaverse

Metaverse strategy leaked. While the Commission’s metaverse strategy touches upon many of the pain points of this new technology, it falls short of putting forth anything concrete except repackaging existing programmes and statements of intent on new toolboxes and partnerships, according to an early draft seen by EURACTIV. The strategic document is set to be presented on Tuesday and does not envisage any regulatory gap to face emerging threats. While preaching the need for the metaverse to be interoperable and open, the Commission refuses to even use the term in favour of a rather odd ‘virtual worlds’ terminology. Read more. 

Platforms

Civil disorders spillover. French President Emmanuel Macron has reportedly suggested limiting access to social media in times of crisis, such as during the recent protests. Meeting with mayors this week, Macron suggested that access to platforms used to coordinate riots could be cut when authorities lost control of the situation. However, this has been met with pushback, with some describing it as illegal. The country’s internal turmoil also pushed a French senator to table an amendment to a draft law regulating the digital space that would require the blocking of hateful content online within two hours of it having been posted, intended to allow law enforcement to mobilise more quickly in reaction to protestors organising online.

The Threads’ drama. The EU watched the launch of Threads, Meta’s answer to a Twitter in decline, from the sidelines this week after legal questions led its release to be paused. EU users will have to wait until queries around the platform’s GDPR and DMA compliance are resolved, whereas the new text-based social networking site has been rolled out elsewhere. The service has been cast as an alternative to an embattled Twitter, which has seen great volatility since the takeover of Elon Musk last year, but seemingly will not go down without a fight. Just hours after the Threads’ launch, Musk threatened to sue Meta, accusing the company of having hired former Twitter employees and, therefore, illegally accessing trade secrets and intellectual property.

Damning report. TikTok amounts to a national security threat and a ban should be considered, according to a new report by the French Senate, which warned that the platform and its parent company, ByteDance, depend on China at the legal and technical levels. The 183-page document is the result of a four-month-long committee investigation. It includes 21 recommendations, the most notable of which is that the platform be suspended by early 2024 if it fails to provide senators with further information on its financial makeup and data handling. Read more.

Pause Google Ads. Twenty-four MEPs have published an open letter to European Parliament President Roberta Metsola, calling on her to stop using Google’s advertising services. The plea followed a report suggesting that 80% of the company’s video advertisements on third-party sites were displayed on deceptive websites, including those owned by state-controlled Russian propaganda websites, raising fears that EU money could end up financing the Kremlin’s misinformation machine. Read more. 

Digital fairness consultation. The Commission launched a targeted survey on its study to support the fitness check of EU consumer law on digital fairness and the report on applying the EU’s modernisation directive. The study, conducted in collaboration with a consortium of tech organisations, will examine the appropriateness of three directives to ensure digital fairness and high levels of consumer protection. It will likely form the basis of a Digital Fairness Act that will be presented in the next mandate, integrating the cookie pledge initiative.

Product liability

Struggling to accelerate. The first substantial rewrite of the EU’s product liability framework has been circulated by lawmakers leading on the file. Still, little progress was made during a Monday technical meeting and the Thursday shadow meeting. A committee vote was postponed until around 20 September, as key divergences remain amongst political groups on critical questions within the file. Defectiveness, disclosure of evidence, burden of proof and liability exemptions were among the topics covered by the text. Read more.

Telecom

GIA amendments. Dealing with tower companies and permitting rules have emerged as some of the key debates within the Parliament’s discussions on the Gigabit Infrastructure Act (GIA), where more than 400 amendments have been tabled. Beyond this, the senders-pay controversy also looms, with a gentlemen’s agreement to keep this controversial debate outside of the file to be tested. Also up for debate have been questions on topics including terminology, satellite communication and a one-stop-shop information and procedures point. The committee is scheduled to vote on the file on 19 September. Read more. 

Critical infrastructure taskforce. NATO and the EU will continue to work on improving the resilience of critical infrastructure, technology and supply chains in a context of evolving challenges, the two bodies have said in the final assessment report on the EU-NATO Task Force on the Resilience of Critical Infrastructure, which was launched in January. The report explores four key sectors focused on by the Task Force – energy, transport, digital infrastructure and space – and presents recommended actions that could be taken to contribute to strengthening this resilience.

What else we’re reading this week:

Cracking Down on Dissent, Russia Seeds a Surveillance Supply Chain (The New York Times)

The Next Global Superpower Isn’t Who You Think (Foreign Policy)

Julia Tar contributed to the reporting.

[Edited by Nathalie Weatherald]
