Welcome to EURACTIV’s Digital Brief, your weekly update on all things digital in the EU. You can subscribe to the newsletter here.
“Coordinated actions around an agreed topic will allow them to learn from each other’s expertise, harmonise their approaches and increase their impact. In the medium term, this will thus level up enforcement.”
– Gwendal Le Grand, head of activity for enforcement support and coordination at the European Data Protection Board (EDPB)
Story of the week: The European Data Protection Board (EDPB) launched its first joint investigation on Tuesday, involving 22 national data protection authorities to examine the use of cloud services by the public sector. The initiative is being run as part of the EDPB’s Coordinated Enforcement Framework programme, which aims to conduct annual comprehensive probes into issues of cross-border significance. The topic is particularly timely, as public institutions are increasingly expected to provide their services online, while the enforcement on the Schrems II ruling is starting to bite platforms that are much less intrusive than cloud. International data transfers are a focus of the investigation, together with the GDPR-related safeguards in place and legal obligations on controllership. However, for more sceptical voices, this push toward more synchronised actions will result in the more influential authorities trying to dictate the agenda. The joint probes follow a similar initiative launched by the EDPS last year, and it is expected to scrutinise more than 80 public bodies. Read more.
Don’t miss: On the same day, as part of a larger defence package, the Commission set out its €6 billion plan for upgrading satellite communications in a bid to increase Europe’s independence vis-à-vis the Americans and the Chinese. Under the proposals, the EU will push for more secure and widespread connectivity, with the core aim of safeguarding systems against outside interference and reducing reliance on foreign companies. Particularly relevant in that sense is a ‘sovereign’ system with encryption that will be available for European governments and companies. Also set to increase is the EU’s focus on Space Traffic Management, a new strategy that will seek to set out norms and rules on controlling the growing volume of satellites and debris in orbit. Read more.
Also this week:
- The French Presidency presented its third partial compromise on the AI Act
- French lawmakers reached an agreement on the new law on parental control
- European telecoms want content platforms to contribute to infrastructural investments
Before we start: The EU has a growing base of startups, but accessing funding can present a crucial challenge in a large and diverse market. In this episode, Thanos Paraschos, co-founder of the European Startup Universe, and Robbert van der Meer, co-founder and CEO of bFlex, discuss the obstacles startups face and how to create networks to link entrepreneurs and investors could help to address them.
New week, new text. The French EU Council Presidency seems determined to release further partial compromises, even when there was not enough time to discuss the previous one. This week’s new text reflects the ECB’s concerns that it is not designated as a market surveillance authority and better defines its role and the procedures on conformity assessment. Provisions on technical standards have been changed to consider digital sovereignty, in line with the Commission’s recently presented standardisation strategy.
Prepare for battle. On both standard-setting and conformity assessment, the Presidency is pitching a stronger involvement of the member states in the Commission’s adoption of the delegated acts via the AI board. That would provide a significant point of tension with the Parliament, where many MEPs seem more inclined towards a new European agency. Paris is also trying to carve out public security as an exception for not conducting a conformity assessment on high-risk AI systems. The conformity self-assessment requirements for biometric systems have also been relaxed.
There is more. France’s text indicates that a presumption of conformity will apply to high-risk AI systems that used a representative dataset or one aligned with the intended use. For what concerns chatbots and other AI-powered tools designed for human interaction, there should be a disclosure that it is an automated system unless it is evident for a ‘reasonable person’. On general purpose AI, member states have welcomed the idea of an exception. Still, they have been asking for a formal definition to avoid creating a loophole for the regulation’s requirements.
Will get there, eventually. LIBE rapporteur Dragos Tudorache expects the trilogue negotiations on the AI Act to last a year and a half, stressing that the main reasons for delays might be the ideological divisions over the biometric recognition issue. The Parliament is planning to adopt the AI regulation in November, which means the file will be closed just before the end of the mandate in spring 2024. That is, if everything goes well. Read more.
Cyber skills. France’s Cyber Campus opened on Tuesday, a year on from the country’s cybersecurity strategy launch. The Campus will gather companies and government bodies to monitor and combat cyber threats and provide training and raise awareness. The Paris-based centre is intended as the first in a network of similar campuses, with branches in different regions of France planned for the future. Cybersecurity has been cited as a critical priority by President Emmanuel Macron; the 2021 strategy promised a total of €1 billion of investment and a doubling of the number of jobs in the industry. Read more.
Data & privacy
Sandboxing Android. Google has announced its Privacy Sandbox to cover Android devices. Although the initiative is still to be defined, the declared aim is to increase privacy by limiting tracking via third-party cookies on the web browser Chrome. Stakeholder consultation to gather input on how that would work in practice has been launched, with a beta version expected by the end of the year. However, the example not to follow is Apple’s App Tracking Transparency system, which Google not so subtly bashed as ‘blunt’ and ‘ineffective’. As per the web case, the changes Google plans are likely to draw the attention of competition authorities, as the company could use its dominant position to up its ad revenues. Following an investigation opened by the UK’s Competition and Markets Authority (CMA) last year, Google offered several commitments, including giving the CMA a supervisory role in the process and the capacity to reject the final arrangement if not all the competition concerns are fully addressed. Google pledged to keep the same commitments for Android too. Read more.
CNIL strategic plan. The French privacy watchdog CNIL published its “strategic plan” for 2022-2024. The priorities include ensuring data protection rights and supporting organisations in their compliance efforts and legal understanding with specific tools. More specific topics, such as the onboard cameras for cars, apps’ data collection practices, and data transfers to the cloud, are also on the menu. “The implementation of this action plan should enable the CNIL to act in an agile manner, alongside citizens, companies, associations and administrations, to build a digital society of trust,” Marie-Laure Denis, president of the CNIL, declared on this occasion.
Spyware ban. The development and deployment of spyware tools such as the controversial Pegasus tech should be banned in the EU, the European Data Protection Supervisor said. Last year, Pegasus was revealed to have been used by governments worldwide to access the phones of journalists, politicians, and activists, which is now the subject of an investigation by the European Parliament. Such software, the EU watchdog ruled, could cause “an unprecedented level of intrusiveness” and pose a fundamental threat to the right to privacy.
GDPR reflection. The EDPS published the initial line-up for its conference to review the functioning of the GDPR. The event will take place in June, a decade on from the legislation’s first draft. The event will focus on the law’s functioning so far and how it could be improved, specifically regarding enforcement. In a press briefing on Thursday, Supervisor Wojciech Wiewiórowski told EURACTIV he was happy that a discussion on the enforcement status was ongoing inside the Commission. However, he said he is not aware of the direction that conversation was taking. Commissioners Margrethe Vestager, Didier Reynders and Vera Jourová are all expected to attend. On the list of subjects to be covered are alternative enforcement models, including a more centralised approach than the current framework.
Digital Markets Act
Secret obligations. The DMA negotiations have by and large gone dark this week, as lawmakers were busy during the plenary session. Word is that the French Presidency is working on a compromise on the gatekeeper obligations (Art. 5 & 6) with the utmost secrecy in order not to spoil the negotiations. On Tuesday, the technical meeting was cancelled as several members of the technical staff work on both files. In parallel, a rumour spread that the DMA negotiators were a potential trade-horse: moving the ban on the targeted ads to the DSA in exchange for keeping the interoperability in the DMA. However, given that the Council is still sceptical of the security implications of the interoperability obligations, some considered it a manoeuvre to get rid of the ban on targeted ads.
End in sight? The DMA could be finalised as soon as April, MEP Andreas Schwab has said, though the Parliament and Council have yet to resolve a disagreement over the Commission’s role should be in enforcing the landmark law. While lawmakers are pushing for the EU executive to act alone and hold veto power, European countries want to hand more implementation power to national authorities and block the Commission’s veto. Read more.
Digital Services Act
Trilogue two out. The second political trilogue on the DSA took place on Tuesday. An EP source described the meeting as “pointless” stressing that nothing was agreed and that even the most controversial points were sent back to the technical discussions. MEP Schaldemose tried to put back on the table the know-your-business-customer obligation for all hosting services, an attempt to expand the provisions to social media like Instagram. Curiously, the leading MEP was isolated by the other political groups but received some opening from the Council on this matter. Asked by the lawmakers whether the Commission would be ready to enforce the DSA on very large online platforms (VLOPs), Commissioner Breton said that the Commission was already working in that sense, several sources told EURACTIV.
Summer thoughts. MEP Christel Schaldemose said this week that a deal could be reached on the legislation by the end of June, acknowledging that finalising the agreement before the French elections is no longer realistic (if ever was). She blamed the Council for being much less willing than the Parliament and Commission to go after large platforms on issues such as dark patterns. However, growing noises in the Council indicate that privacy-friendly countries like Germany and Spain are increasingly lobbying for the Parliament’s provisions on targeted advertising, in particular, for what concerns the transparency obligations (Art. 24.1a & 1b) and the conditions against dark patterns (Art. 13a). However, even these more sympathetic countries do not favour the measure that would allow denying consent via automated means (Art. 13a(e)), which is regarded as a return of the discussion on Art. 10 of the ePrivacy Regulation.
Let’s not leave anyone behind. France’s Défenseur des droits (DDD), the independent authority responsible for ensuring that the rights of French citizens are respected, raised the alarm against the “fast-track” dematerialisation of public services. Three years after a previous report on the subject and while the health crisis has accelerated the digitisation of our societies, the DEE stressed that “many difficulties remain in accessing public services and digitalised procedures”. As the process of digitisation was going too quickly, rights were being denied, the authority warned. For instance, only 40% of public websites are accessible to people with disabilities, and one in seven elderly people abandon online procedures because of the difficulties they encounter. Therefore, the DDD recommended preserving several methods of access to public services to reach as many people as possible, implementing actions to support people in difficulty and setting up mechanisms to monitor the compliance of websites with accessibility rules.
FB News launch. Facebook News has been launched in France, the fifth country to which Meta has extended the news aggregation service. The tool will offer users content from over 100 media partners with a generalised and personalised option available. The launch comes against the backdrop of France’s long-standing neighbouring rights issue, which has seen publishers go up against tech giants over their right to remuneration for the online sharing of their content. Read more.
Responsibility of all. Stakeholders have said that action to improve diversity and inclusion (D&I) in the media and audio-visual sector must come from both government and industry. D&I must focus on the entertainment industry, those working in it have urged, and time and money must be spent to ensure this. On the legislative side, one lawmaker said, the EU should use its power as both carrots and stick to push for positive change while ensuring that industry is supported in pursuing this. Read more.
No longer welcome. Greece’s ruling New Democracy party has expelled an MEP, Giorgios Kyrtos, who described the country as heading towards “Orbanisation”. Kyrtos made his comments after Prime Minister Kyriakos Mitsotakis described the two journalists now facing prosecution for revealing the Novartis bribery scandal as a “gang”. New Democracy accused Kyrtos, who has also been critical of the government’s pandemic response, of having discredited Greece and said the comparison with Poland and Hungary could not be accepted. Read more.
Funding declined. After the question was put to a referendum, the Swiss electorate rejected a proposal to increase state funding for the media this week. Some 55% voted against the plan proposed by the government last year to significantly increase financial support for private media organisations in response to years’ worth of declining advertising revenues. Opponents of the funding increase had argued that it would primarily benefit the wealthiest publishers and would impact the independence of the media. At the same time, those in favour said it was a vital measure after years’ worth of declining advertising revenues.
Parental control. French deputies and senators agreed yesterday on the future law requiring the installation of parental controls by default on equipment intended to be used online like tablets, PCs, smartphones, game consoles, etc. This tool will not be installed by default, but its activation will be proposed to the users when they first start using it. The final version of the text also still provides that the personal data of minors “collected or generated during activation” may not be used for commercial purposes. The elected representatives also decided that this installation obligation will not apply to equipment placed on the market without an operating system. However, it will apply to second-hand equipment – retailers will thus have to ensure that parental controls are present.
What about the single market? An outstanding point is whether the European Commission will consider if the measure puts the EU single market at risk of fragmentation, since this obligation will apply to all products destined for France. The rapporteur of the text in the National Assembly, Bruno Studer, told EURACTIV that he was “very confident” of Brussels’ approval.
Sharing the burden. The heads of four of the largest European telecom companies have written to the Commission calling for large digital content providers to be made to contribute to infrastructural investments. In an open letter, the CEOs of Telefónica, Vodafone, Deutsche Telekom, and Orange said they’d had to make huge upgrades to their capacity during the pandemic and that “the investment burden must be shared in a more proportionate way.” The argument is long-standing and regularly comes back as telecom operators have seen their profit margins steadily decline in recent years. The Copyright Directive might provide a good precedent for the initiative, but the starting conditions do not seem comparable, at least for now. The practical problems related to the initiative are also not minor ones. Read more.
Suing China. The EU has filed a case against China at the World Trade Organisation (WTO) over allegations that the country limits the ability of EU companies to protect their products from illegal use by preventing them from taking their cases to court or fining them when they do. The focus is on patent rights for the high-tech sectors, such as 3G, 4G and 5G. The EU seeks a dispute resolution from the WTO, with a panel to rule on the complaint as a secondary option if no solution is found.
What else we’re reading this week:
The innocent have paid a high price for the Post Office scandal. The guilty have not (The Guardian)
What the history of AI tells us about its future (MIT Technology Review)
Forces driving semiconductor boom are far from over (FT)
*Mathieu Pollet contributed to the reporting.