GDPR harmonisation, competition authorities on data protection
Hello and welcome to the Tech Brief by EURACTIV. This is your weekly roundup of news related to digital advancements in the European Union. Don't forget to sign up for our newsletter to stay updated.
"We can additionally enhance the facilitation of procedures across borders among data protection authorities. Our aim is to guarantee prompt resolutions, even for intricate cases."
-Didier Reynders, the Justice Commissioner of the European Union
The latest news: On Tuesday (4 July), the Commission put forward a new proposal to make the process of dealing with cross-border data protection cases more consistent and easier. The aim of this proposed law is to make it simpler for people to file complaints and for those complaints to be handled effectively throughout the EU. The hope is that this will lead to a resolution that both parties involved can agree on, with the complainant given two weeks to raise any objections they may have. In general, complainants will only have the right to be heard if their complaint is rejected either fully or partially. The proposal also includes stricter rules on keeping information confidential, which means that the party being investigated can ask for their sensitive commercial information to be protected. Additionally, the documents relating to the case will not be made available for anyone to request until the investigation is finished.
The Commission believes that intra-authority cooperation should occur at an earlier stage, where the European Data Protection Board (EDPB) will make an immediate and legally binding decision. However, this means that once the leading authority comes to a preliminary conclusion, the scope of the investigation cannot be challenged. This initial draft has already faced criticism for giving too much power to the leading authority (such as the Irish and Luxembourgish data protection authorities) and the parties being investigated. Some argue that this actually creates more issues than it solves. It is likely that significant changes will be made, particularly by the European Parliament. To learn more, click here.
Don't forget: The European Court of Justice has decided that national competition authorities can uncover violations of GDPR while investigating instances of market dominance abuse. According to EU judges, personal data holds great importance in the digital economy, making it a significant factor in the competition between technology companies. This ruling came from a lawsuit against Meta regarding the handling of personal data, and it implies that consent might be the only acceptable legal grounds for such data processing. This decision weakens the company's claims that the law can be interpreted more broadly. Find out more by clicking here.
Before we proceed: If you simply crave more in-depth examination of technology, listen to our weekly podcast.
The European Union has been focusing on creating rules for private entities to report actively exploited vulnerabilities and cybersecurity incidents. They are also looking to establish systems that facilitate the sharing of highly sensitive information regarding cyber threats. We assessed the progress made in these areas.
The present release is made possible by Google
A guideline for promoting AI development with ethics: Potential, Accountability, Safety
Google has a positive outlook on a future where AI is widely used. We are committed to advancing AI in a manner that is daring yet responsible. For us, this entails ensuring that the development of AI brings about the greatest advantages for society, while also working together with others to tackle the obstacles. Our agenda for responsible AI progress outlines our commitment to this cause.
Discussion on options for the Working Party. The Spanish presidency presented various possibilities for handling sensitive aspects of the AI Act that were discussed in the Telecom Working Party on Wednesday. Concerning the definition of AI, 12 member states chose to maintain the Council's text, while eight believed it might be better to wait for development at the OECD level in September. Regarding the classification of high-risk systems (Art. 6), 11 countries preferred to stick to the general approach. However, six countries may be open to accepting the Parliament's version without the notification mechanism, and one country supported the mandatory criteria. Nine national representatives urged the presidency to defend the Council's stance on the list of high-risk use cases in Annexe III. On the other hand, five were more receptive to the MEPs' text but requested further analysis. Some countries, notably France, found the inclusion of biometrics problematic. Concerning the assessment of fundamental rights impact, five member states were against it, while five showed interest in the proposal. However, some countries, like Germany, did not have enough time to form a position. Regarding the incorporation of concepts such as democracy, the rule of law, and sustainability in AI regulation, seven countries supported the idea, while six opposed it.
Progress has been made on the ground this week with technical work focusing on less controversial aspects of the text, particularly notified bodies and obligations for providers. The work has been going smoothly so far, but there may be challenges when the final provisions are presented, as they address sensitive issues like fines, implementation, and the inclusion of large-scale IT systems. In addition, both shadow rapporteurs and member states have raised concerns about the text being imposed on them, as it has been prearranged between the presidency and the co-rapporteurs before technical meetings. Although this approach may currently be effective for drafting less controversial sections like the innovation chapter, it may not work as well for the more disputed parts.
The European Court of Human Rights (ECHR) has determined that in 2019, the Russian authorities violated the rights to privacy and freedom of speech by utilizing facial recognition technology to identify a peaceful protester in the Moscow subway, named Nikolay Sergeyevich Glukhin. After conducting an investigation involving advanced methods, Glukhin was prosecuted. The Court has recently declared that the handling of his personal information during a peaceful protest, as well as the use of facial recognition technology, were excessively invasive and violated the European Convention on Human Rights. It is noteworthy that Russia was still bound by this convention when the incident took place.
Don't limit it. Non-governmental organizations demanded a wide range and interpretation of AI systems and no sweeping exceptions for AI systems used in national defense during the Council of Europe's AI Convention. The declaration was endorsed by groups including Access Now and BEUC. This appeal follows EURACTIV's disclosure that the United States is advocating for the exclusion of private companies from this enforceable global agreement.
A new tool for competition is making a comeback. Germany is proposing changes to its competition law that will give more power to its national antitrust authority and broaden its scope. State Secretary for Economy, Sven Giegold, believes that these reforms could serve as a blueprint for similar changes in the rest of the European Union. Negotiators in Berlin have already reached an agreement on the reform plans. Under these changes, the Bundeskartellamt will be able to take action against markets with insufficient competition, even if there is no proven illegal behavior. Giegold hopes that this proposal will be adopted across Europe, but businesses have expressed their concerns about it.
Investigation underway for acquisition. The Commission is currently examining in detail Amazon's planned purchase of iRobot, a manufacturer of intelligent vacuum cleaners. This transaction had received approval from the UK's Competition and Markets Authority. However, Brussels is now apprehensive that this deal may limit competition within the smart vacuum market, enabling Amazon to exclude competitors of iRobot from participating in this market.
Microsoft is about to undergo a thorough examination by European Union (EU) competition authorities due to their bundling tactics. This legal case stems from a complaint filed by Slack, a workplace platform, in 2020. In an effort to prevent an official investigation, Microsoft engaged in discussions with the Commission last year and offered potential solutions. However, it seems that the EU remains dissatisfied with the proposed remedies, and they are therefore moving forward with a comprehensive inquiry.
Taking a closer look at Adobe's union. A review of Adobe's plan to acquire Figma, a design software company, worth $20 billion is about to commence by authorities in Brussels. They have until 7 August to decide whether to proceed with a thorough investigation. The acquisition is already being examined by the competition body in the UK, and the parties involved are also seeking approval from the US Department of Justice.
The European Parliament's Industry Committee has given political support to the Cyber Resilience Act (CRA) after just over two months of negotiations. EURACTIV had already predicted most of the details of the CRA, but there were a few changes made to the scope, responsibilities, supply chain, support period, reporting obligations, and wording about high-risk vendors. The most significant changes made on Wednesday were that the CRA will take effect in 36 months, with reporting obligations starting after 18 months, and it will only apply to free and open-source software when it is used for commercial purposes. The committee will vote on the CRA on 19 July and an announcement is expected at the full session in September.
The latest report by the European Union Agency for Cybersecurity (ENISA) shed light on the potential dangers the health sector faces in the digital realm. This study, which spanned over a period of two years, examined various cyberattacks and delved into the key threats, culprits, consequences, and emerging patterns within the industry. The findings were drawn from an analysis of 215 reported incidents across the EU and nearby nations. According to the report, an alarming 54% of cybersecurity threats in the health sector can be attributed to ransomware attacks.
Workshops on the cookie pledge were held this week, discussing how to provide this to consumers without overwhelming them with information about cookies. The Commission did not want to discuss potential limits on contextual advertising in the second workshop, where civil society groups felt they were not represented. Unanswered questions from this session include whether Privacy Enhancing Technologies can prevent consumers from feeling intrusive when they see personalized ads, and how the pledge can differentiate between tracking for advertising and measurement purposes. The industry highlighted issues with automated systems for managing consumer choices during the third workshop, and different companies and organizations advocated for different control approaches. Key questions from this meeting include how to enable direct communication between publishers and users without causing fatigue, concerns about consent for advertising cookies when automated choices are in use, and whether these automated systems provide enough detail for legal consent.
Our job is finished. The United States has honored its obligations in creating the EU-US Data Privacy Framework, stated US Secretary of Commerce Gina Raimondo. This marks the end of efforts made over the past year to enable the movement of data between the two countries. Additionally, this update follows the US classifying EU and EEA countries as "qualifying states" in terms of executing the redress mechanism outlined in the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities. The decision to accept the data adequacy is anticipated in the upcoming weeks.
Pay attention to the sufficiency of data. A group of 28 specialists and non-governmental organizations have written a public letter to Commissioners Jourová and Reynders, conveying their worries regarding the UK's suggested reforms on data protection. According to them, these reforms contradict the EU-UK adequacy decision made in 2021. The letter warns that these reforms would diminish the data protection standards in the UK and transform it into a platform for testing data misuse. Consequently, this would jeopardize the data of EU citizens while also permitting London to legalize intrusive surveillance methods.
Breton's shift towards Asia. The European Union and Japan have decided to strengthen their partnership in the field of semiconductors, while also collaborating on underwater cables and cybersecurity. This announcement comes as Internal Market Commissioner Thierry Breton visited Japan. The two parties will work together to monitor chip supply chains, exchange knowledge, and diversify chokepoints. This plan is part of Europe's effort to decrease reliance on China. Additionally, they signed a Memorandum of Understanding regarding underwater cables, where they agreed to take concrete actions to ensure secure connectivity. However, no specific information was given regarding the Arctic cable connecting Europe and Japan.
Declaration of gatekeepers. Google's Alphabet, Amazon, Apple, TikTok's ByteDance, Meta, Microsoft, and Samsung have all informed the Commission that they fulfill the criteria for being classified as gatekeepers under the Digital Markets Act. However, the specific Core Platform Services reported by these companies will not be disclosed until the Commission publishes its final evaluation in September. Notably absent from the list is Booking.com, which explained in a statement that, due to the effects of COVID-19, it did not meet the required threshold of monthly active users for the current round of designations. However, the company expects to surpass this threshold by the end of the year.
Discussion on government-controlled cloud services. A total of €506 billion will be invested in cloud computing by the end of this year. Nevertheless, only 41% of companies are currently utilizing cloud software, even though it is essential for the successful adoption of technologies like blockchain and AI. Pearse O'Donohue, the Director of Future Networks, mentioned during the VMware Sovereign Cloud Day that there is no specific definition of sovereign cloud from the Commission's perspective. He added that they are currently revising the guidelines on public procurement.
Key priorities for the Spanish EU Council presidency in the digital and telecommunication sectors include: enhancing fair and inclusive digitalization, promoting entrepreneurship in the tech industry, collaborating with countries in Latin America and the Caribbean, and considering new regulations for electronic communications. The Spanish presidency aims to finalize negotiations on important acts such as the AI Act, Cyber Resilience Act, and Interoperable Europe Act before their term ends. Additionally, they are committed to making progress on acts like the Gigabit Infrastructure Act, Cyber Solidarity Act, and Revision of the Cybersecurity Act.
Spain has recently shared its initial proposal for the regulation on Child Sexual Abuse Material (CSAM) as they have assumed the presidency of the Council. The proposal concentrates on evaluating and minimizing risks associated with CSAM. On the 29th of June, EURACTIV had the opportunity to view this document, which also discusses important aspects like ensuring compliance, reporting efficiency, issuing detection orders, audio communications, and age verification. Madrid's objective is to have a unified Council stance on this matter by the 28th of September. However, some doubt the feasibility of this timeline due to existing disagreements concerning age verification. For further information, please refer to the full article.
Poland compared to CSAM. The suggested law to combat CSAM is not needed, and its roles are already covered by other current laws, according to Paweł Lewandowski, who holds the position of Poland's deputy minister at the chancellery of the Prime Minister. In a recent interview with EURACTIV, Lewandowski emphasized the significance of online privacy, but also stressed that Poland firmly opposes any endangerment of end-to-end encryption or granting governments the authority to intercept communications in any manner. For further details, click here.
Meanwhile, in the Parliament. The next item on the Parliament's schedule is the implementation of detection orders. These orders are anticipated to be more focused and incorporate certain aspects from the Committee on Internal Market and Consumer Protection's (IMCO) viewpoint. It appears that there is consensus about using detection as a final option.
Listen up. A collective declaration by experts and scholars regarding CSAM was released recently, cautioning that the proposed legislation relies on tools that are fundamentally inappropriate and poses a risk to encryption. By 6 July, the public letter has garnered support from 390 individuals representing 34 different nations.
The blog post focuses on the topic of online safety, specifically discussing the concerns expressed by a group of around 70 researchers from UK universities. These researchers have recently penned an open letter expressing their apprehension towards the proposed Online Safety Bill in the UK, which bears similarities to the EU's DSA (Digital Services Act). Their primary worry revolves around the potential threats to privacy and online safety, particularly with regards to the concept of end-to-end encryption.
A leaked draft of the metaverse strategy reveals that the Commission's approach to this new technology is lacking in specific plans. Instead, it seems to just repackage existing programs and statements of intent on new tools and partnerships. The strategic document will be presented on Tuesday, but it does not address the need for regulations to tackle emerging threats. Despite emphasizing the importance of interoperability and openness in the metaverse, the Commission chooses to use the term 'virtual worlds' instead. To learn more, click here.
Unrest continues to escalate. It is reported that French President Emmanuel Macron has proposed limiting the use of social media during times of turmoil like the recent protests. During a meeting with mayors, Macron suggested the possibility of restricting access to platforms that are used to coordinate riots when the authorities have lost control of the situation. However, this proposal has been met with resistance, as some consider it to be against the law. In addition to the country's internal conflicts, a French senator has introduced an amendment to a proposed law that aims to regulate the digital sphere. This amendment would require the prompt removal of hateful content online within two hours of its initial posting, with the intention of enabling law enforcement to respond swiftly to online organization by protestors.
The EU observed the launch of Threads, Meta's response to a declining Twitter, from a distance this week due to legal concerns that caused a pause in its release. European users will need to wait until issues regarding GDPR and DMA compliance are resolved, while the new text-based social networking platform has been made available in other regions. This service is being positioned as an alternative to a troubled Twitter, which has experienced significant instability since Elon Musk's acquisition last year, but it seems that Twitter will not give up easily. Just a few hours after Threads' debut, Musk threatened to take legal action against Meta, claiming that the company had hired former Twitter employees and unlawfully gained access to trade secrets and intellectual property.
A report from the French Senate has raised concerns about TikTok's potential to jeopardize national security, suggesting that a ban should be contemplated. The report, spanning 183 pages and produced following a comprehensive investigation lasting four months, highlights that both TikTok and its parent company, ByteDance, rely on China for legal and technical aspects. It puts forward 21 recommendations, with the most significant proposal being the suspension of TikTok by early 2024 should it fail to furnish senators with additional details about its financial structure and data management practices. For more information, please refer to the complete article.
Take a break from Google Ads. A group of twenty-four Members of the European Parliament (MEPs) have written an open letter to Roberta Metsola, the President of the European Parliament, urging her to cease utilizing Google's advertising services. This request comes after a study revealed that 80% of the tech giant's video advertisements on external websites were being displayed on dishonest platforms, some of which are owned by Russian propaganda sites under state control. These findings have sparked concerns that European Union funds might inadvertently support the dissemination of false information by the Kremlin's propaganda outlets. To learn more, click here.
Consultation on digital equity. The Commission has initiated a specific questionnaire regarding its research for the assessment of EU consumer law in terms of digital equity and the implementation of the EU's modernization directive. This study, done in partnership with a group of tech companies, will analyze the effectiveness of three directives in guaranteeing consumer protection and fairness in the digital realm. It is anticipated to serve as the foundation for a Digital Fairness Act to be proposed in the future, which will incorporate the cookie pledge initiative.
Facing difficulties in moving the process forward. The lawmakers responsible for the revision of the European Union's product liability framework have shared the initial revised version of the document. However, very little advancement was made during the technical meeting on Monday and the shadow meeting on Thursday. As a result, the committee vote on the matter has been postponed until approximately 20th September, due to significant disagreements among political groups regarding crucial aspects addressed in the document, such as defects, disclosure of evidence, burden of proof, and liability exemptions. For more information, click here.
Amendments to the GIA are causing a lot of discussion and debate in Parliament. Tower companies and permitting rules are particularly hot topics, with over 400 amendments being proposed. Additionally, there is controversy surrounding the issue of who pays for the service, but it has been agreed to keep this debate separate from the main file. Other topics up for discussion include terminology, satellite communication, and a central location for information and procedures. A vote on the file is set to take place on September 19th.
The alliance between NATO and the EU remains dedicated to enhancing the strength of essential infrastructure, technology, and supply chains amidst ongoing challenges. This commitment is reinforced in the concluding evaluation report of the EU-NATO Task Force on the Resilience of Critical Infrastructure, which was initiated earlier this year. The report examines the energy, transportation, digital infrastructure, and space sectors, and offers suggested measures that could be implemented to reinforce this resilience.
Here's a roundup of what we've been immersing ourselves in this week:
Suppressing Opposition, Russia Cultivates an Infrastructure of Surveillance (The New York Times)
Surprising Revelation on the Future Global Superpower (Foreign Policy)
Julia Tar participated in the reporting.
[Revised by Nathalie Weatherald]
