Welcome to Euractiv’s Tech Brief, your weekly update on all things digital in the EU. You can subscribe to the newsletter here.
“The cases against TikTok on the risk of addictiveness of the platform continue,” which includes “the investigation to establish whether the launch of TikTok Lite was done in compliance with the DSA.”
– said European Commissioner for Internal Market Thierry Breton on Wednesday, following TikTok’s decision to suspend TikTok Lite’s “Task and Reward Program.”
Story of the week: On Monday, the European Commission initiated a second round of formal proceedings against TikTok under the Digital Services Act (DSA) over the launch of TikTok Lite, signalling intentions to suspend the app’s reward program. The Commission expressed concerns about TikTok Lite’s “Task and Reward Program”, which allows users to earn points for engaging in activities like watching videos and liking content. On Wednesday, TikTok announced that they are “voluntarily” suspending the rewards functions in TikTok Lite. “TikTok always seeks to engage constructively with the European Commission and other regulators,” so it is suspending the rewards functions the TikTok Policy Europe account posted on X on Wednesday. In response to TikTok’s announcement, the Commissioner for Internal Market Thierry Breton said he “takes note” of TikTok’s decision and added that “The cases against TikTok on the risk of addictiveness of the platform continue,” which includes “the investigation to establish whether the launch of TikTok Lite was done in compliance with the DSA.” Read more.
Don’t miss: In October 2023, mobility company Bolt, headquartered in Estonia, offered to draft a letter on behalf of the Estonian government to push back against the platform work directive, addressing a government official who used to work for Bolt. According to a series of email exchanges and confidential documents secured by the non-profit Corporate Europe Observatory (CEO) through a Freedom of Information (FOI) request and obtained by Euractiv, Bolt went to great lengths to ensure Estonia would speak in favour of platforms and fight to weaken the proposed directive. Read more.
Also this week:
- EU adopts platform work directive;
- EU Parliament overwhelmingly approves key telecoms regulation;
- EU Parliament ratifies Right to Repair Directive;
- Amazon’s Anthropic investment latest to face antitrust headwinds with UK Competition inquiry;
- EU Space Law: Commission official reveals details on cybersecurity aspects.
Before we start: If you just can’t get enough tech analysis, tune in on our weekly podcast.
Google powers today’s edition
2024 Voices – Citizens Speak Up!
“Nowadays, conditioned by the digital transformation and the development of generative AI, it is essential to support the higher education and science sector. Science is innovation. Innovation is a competitive advantage.” Piotr from Poland.
Find out more!
Artificial Intelligence
Bipartisan AI innovation bill introduced in DC. Four US Senators from both sides of the house introduced a bill to boost innovation in artificial intelligence. The legislation encourages public-private partnerships in AI research, authorises two government institutes to create voluntary standards, and creates testbeds in national labs for “groundbreaking AI innovation.”
Funding for AI startup infants. Six-month-old Cognition Labs, a startup that released an AI coding assistant a few weeks ago, is now valued at $2 billion, The Information reported. The valuation comes after a $175 million investment, led by Peter Thiel’s Founders Fund. Following the launch of Devin, which took the internet by storm, the startup was accused of deceptive practices by internet sleuths.
AI Policy recommendations. BSA, an industry association for software companies, released a list of policy recommendations for AI. The list is focused around harmonising standards, pursuing interoperability between different rules.
Competition
Amazon-Anthropic partnership on CMA’s horizon. Amazon’s investment into Anthropic is the latest cooperation of big tech companies with AI startups to face antitrust headwinds, since the UK’s Competition Market Authority (CMA) announced an inquiry into the partnership on Wednesday. The e-commerce giant said it is pouring $4 billion into the US startup in September 2023, along with a “strategic collaboration” between the two. The CMA is concerned that the transaction might classify as a merger, or that it could lead to adverse effects on competition in the UK, the authority said on Wednesday. Read more.
Right to Repair Directive adopted. MEPs voted in favour of the Right to Repair Directive on Tuesday, aimed at improving consumer access to repair services to reduce waste. The measures passed aim to enhance consumer access to repair services, clarify member states’ regulatory power and mandate that repairers disclose crucial information before repair contracts. Read more.
Cybersecurity
EU Space Law. A Commission official revealed key details of the upcoming Space Law’s cybersecurity aspects at an event in Paris on Wednesday. “We need to recognise that space infrastructures are not only crucial but critical,” said the European Commission’s head of innovation and NewSpace unit, Guillaume de la Brosse. He was speaking at the Cybersecurity for the Space Industry (CYSAT) event in Paris on Wednesday. During his presentation, de la Brosse said the EU needs “a proper regulatory framework that will set common rules, and avoid fragmentation.” Read more.
An EU Space Law with worldwide benefits. EU Agency for the Space Programme (EUSPA) director Rodrigo da Costa thinks an EU space law would have GDPR-style outsized impact, told Euractiv in an interview on Wednesday (24 April). Space debris orbiting the Earth is a growing risk for functioning satellites because as the amount of debris increases, so does the threat of collision. To tackle this sustainability challenge, as well as cybersecurity issues, the European Commission has been in the process of drafting an EU Space Law, expected to be released during the summer. Read more.
Cyber Solidarity Act adopted. On Wednesday, the Parliament adopted the Cyber Solidarity Act to strengthen its response to cyber threats. It aims to improve detection, preparation, and response capabilities across member states while promoting European technological sovereignty. “This regulation will protect our institutions and critical infrastructure by strengthening our capabilities to detect, prepare and respond to cyber threats and cyber attacks through cooperation between member states,” said MEP Lina Gálvez Muñoz (S&D).
Data & Privacy
Data on sexual orientation. In 2018, Facebook introduced new terms in the EU requiring user consent for access. Activist Max Schrems sued the platform over data processing practices. The Austrian Supreme Court asked the Court of Justice of the EU (CJEU) if Facebook can indefinitely process data for targeted ads and if a public statement about one’s sexual orientation allows data processing for ads. Advocate General Athanasios Rantos now suggested on Thursday that the EU’s General Data Protection Regulation (GDPR) may limit indefinite data processing and a public statement might make related data public, but this does not justify processing for ads. CJEU will issue a judgement later, but Katharina Raabe-Stuppnig, the lawyer representing Schrems already said that they “are very pleased by the opinion, even though this result was very much expected.”
Data flows to Israel. A coalition of civil society groups, led by EDRi and Access Now, urged the European Commissioner for Justice to reconsider renewing Israel’s data protection adequacy status due to concerns about compliance with GDPR and EU rights standards. In an open letter, published on Monday, they highlight issues such as the rule of law, data protection laws, national security, and stakeholder participation. Amidst heightened concerns about human rights violations, they emphasise the need for transparent reassessment to ensure strong legal foundations for data transfers, subject to EU Court of Justice scrutiny.
Dating apps’ privacy risks. According to a Mozilla study, published on Tuesday, dating apps performed poorly in privacy and security evaluations in 2021 and have since worsened, with 88% of reviewed apps failing privacy standards. Despite claiming to use personal data for matchmaking purposes, they often mishandle it, exploiting it for unrelated reasons, according to the foundation.
“A tech and economic regulator of personal data.” These were the words of Marie-Laure Denis, President of the French data privacy authority CNIL to describe the administration while she presented the annual report on the organisation’s activities. CNIL received more than 16,000 complaints in 2023, an all-time high and a 35% increase compared to 2022. More than 4,500 accesses to personal data have been notified to CNIL, half due to hacking activities such as phishing or ransomwares. Furthermore, CNIL announced it sanctioned 42 entities in 2023, including 36 fines, totalling €90 million. Moreover, the CNIL announced that close to 100,000 organisations now designated a data protection officer, who are responsible for independently ensuring the enforcement of privacy laws, including EU’s landmark General Data Protection Regulation (GDPR).
Digital Markets Act
Google search rankings criticised yet again. Tuta Mail, a major German email service, complained to the EU about Google search rankings drop coinciding with new regulations. The service urged the DMA task force to include their data in the investigation, Reuters reported on Wednesday.
Digital Services Act
Porn sites must comply. As of this week, pornography platforms Pornhub, Stripchat, and Xvideos are required to comply with the strictest requirements outlined in the DSA. These obligations entail submitting risk assessment reports to the Commission, implementing measures to mitigate systemic risks associated with their services, adhering to enhanced transparency rules, particularly regarding advertisements, and granting researchers access to their data. This comes after in December, the three pornography websites were included on the DSA’s very large online platforms list.
DSA enforcement problems. The European Commission has initiated legal action against six EU countries for their insufficient enforcement of the DSA. Specifically, Poland, Slovakia, and Estonia lack DSA watchdogs. Cyprus, Czechia, and Portugal designated their coordinating regulators, but they don’t have the necessary powers to fine companies, the Commission said on Wednesday.
By the way, funding for trusted flaggers is raising questions. According to Contexte, the European executive commissioned a study on civil society organisations that could become trusted flaggers under the DSA. Content flagged by these organisations will be issued a moderation decision by VLOPs and VOSEs in priority. Yet the financing of these numerous organisations is in question. The study will focus on designation of these organisations, the flagging process and on the challenges faced by these organisations. As for now, only one official trusted flagger appears on the Commission’s website.
Gig economy
Platform work directive adopted. The European Parliament overwhelmingly approved a watered-down version of the EU’s long-awaited platform work directive at a plenary on Wednesday, ending two years of intense negotiations. Wednesday’s adoption marks the end of a long cycle of intense negotiations, often loaded with concerns that the file might not even see the light of day by the end of this legislature. Read more.
Industrial strategy
For a European industrial policy. Industry organisation France Industrie published a plea on Monday in favour of a European industrial strategy “serving competitiveness and strategic autonomy.” It says that its company members are in favour of decarbonisation and lowering the regulatory burden, a suggestion that Italian, German and French Economy Ministers made earlier this month.
Law enforcement
Europol against encryption. On Sunday, Europol published a joint declaration the European Police Chiefs call for industry and governments to take action against end-to-end encryption roll-out, saying that this technology will stop law enforcement from obtaining and using evidence against criminals. End-to-end encryption has also been at the heart of the controversy of the EU draft law aiming to detect and remove online child sexual abuse material (CSAM), with some agreeing with Europol’s views while others see encryption as a measure to support data privacy.
AI-generated CSAM. Thorn and All Tech Is Human, together with big tech companies, Amazon, Anthropic, Civitai, Google, Meta, Metaphysic, Microsoft, Mistral AI, OpenAI, and Stability AI, stressed the urgency of addressing the misuse of generative AI to prevent child sexual abuse, in a post published on Tuesday. Thorn also released a whitepaper the same day called “Safety by Design for Generative AI: Preventing Child Sexual Abuse,” which outlines collectively defined principles and provides mitigations and actionable strategies for AI developers, providers, data-hosting platforms, social platforms, and search engines to prevent the creation and spread of AI-generated CSAM.
IWF annual report. The UK’s Internet Watch Foundation (IWF), which receives reports globally and assesses them for CSAM, assessed 392,665 reports, according to their 2023 annual report, confirming 275,652 URLs containing such imagery, however, no UK-hosted non-photographic material was found. Reports are “actioned” if they contain abuse material, with age and severity classifications based on the youngest child and the most severe abuse visible.
Platforms
Dutch government vs. Facebook. The Dutch Data Protection Authority urged the Dutch government to ensure data protection compliance and advised against using Facebook if data handling is uncertain, Euronews reported on Monday. Meta disagreed, claiming compliance with laws. This echoes a previous recommendation to stop the use of Facebook pages due to privacy risk. But some ministries see Facebook as vital for communication with Dutch citizens.
Meta’s feature sparks criticism. Meta is facing criticism over its upcoming feature on Instagram, aimed at blurring naked photos sent in private messages to teenagers, Bloomberg reported on Wednesday. The feature, set to be tested next month, is meant to prevent online sextortion crimes linked to teen suicides. However, users can easily bypass the blur with a single tap, raising doubts about its effectiveness, Bloomberg wrote.
Meanwhile in the US. The US Congress approved a bill aimed at either banning TikTok or compelling its sale. This condemnation of the video-sharing platform’s Chinese ownership is the result of longstanding concerns over national security, The Washington Post reported on Tuesday. The legislation is expected to encounter legal challenges in court, difficulties in finding suitable buyers, and opposition from Beijing.
Tightening grip. An article published by the Financial Times on Thursday reported how ByteDance, TikTok’s parent company in Beijing, has tightened control over its US operations despite pressure to separate. The FT reported increased integration between the two entities, including staff transfers and centralised decision-making in China.
GDPR fruits. According to Surfshark, the EU’s General Data Protection Regulation (GDPR) has transformed data handling practices and enforcement. According to their research, half of them have been fined €2.9 billion since 2018, primarily Meta-owned platforms (Facebook, Instagram, Whatsapp), with TikTok receiving significant fines. Notably, €765 million of these fines relate to mishandling children’s data, especially by TikTok and Instagram.
Telecom
Telecom regulation approved. The European Parliament approved on Tuesday (23 April) the EU’s broadband act, the Gigabit Infrastructure Act (GIA), which aims to accelerate the deployment of high-capacity networks and reduce prices for consumers. The new act is the biggest telecoms file for the 2019-2024 mandate. During the legal-linguistic verification process by the Parliament and Council services, the deadline for the text’s entry into force was changed from 20 days to three days after publication in the official journal of the EU. Read more.
Towards an extension of US capacity to collect data. US lawmakers are in the process of revising the Foreign Intelligence Surveillance Act (FISA), including the contentious 702 section which allows its national security agencies to collect data from non-US citizens. After a first vote by the House of Representatives, US Senators backed the two-year extension of section 702 last Friday. This decision could restart the debate over sovereign requirements on the European Cloud Certification Scheme (EUCS), where France is already questioning the latest compromise. Paris has been a fervent advocate for “immunity criteria” against extraterritoriality of foreign laws.
Broadcom saga. EU cloud association CISPE, which includes hyperscale Amazon Web Services, slammed Broadcom for a blog post aiming to calm down the market and the European Commission. The US chipmaker previously announced a series of changes to the licensing of cloud infrastructure provider VMWare after a $69 billion acquisition. But business associations say these changes are only leading to price increases and unfair licensing terms. The EU Commission is questioning Broadcom’s changes. In a blog, CEO and Chairman of Broadcom Hock Tan tried to quell concerns, arguing that the moves actually boost competition. CISPE was not convinced, insisting that Tann’s post completely missed the point, focusing on subscription licences when other issues are threatening the “the economic viability” of EU cloud providers.
What else we’re reading this week:
How fraudsters are getting fake articles onto Facebook (BBC)
Congress Passed a Bill That Could Ban TikTok. Now Comes the Hard Part. (The New York Times)
Microsoft’s AI lead puts Amazon cloud dominance on watch (Reuters)
[Edited by Alice Taylor]
