Welcome to EURACTIV’s Tech Brief, your weekly update on all things digital in the EU. You can subscribe to the newsletter here.
“To clarify the process ahead, following the discussions in the WP, the Presidency will ask the delegations to provide feedback on any remaining priority by  February 2023.”
-Fourth Presidency compromise text on the Data Act
Story of the week: The Swedish presidency of the EU Council circulated a new compromise on the Data Act on Wednesday (25 January), obtained by EURACTIV. The new text tries to clarify the regulation’s scope, includes a right to seek compensation for data holders whose trade secrets have been breached, and extends business-to-government (B2G) data-sharing obligations to micro and small companies for public emergencies. It also includes elements on how to assess ‘reasonable’ compensation for releasing data, extends the fairness check to all contractual arrangements and adds a transparency obligation for cloud services on the location of their infrastructure and measures to prevent foreign jurisdictions’ access to data. The compromise will be discussed at the Telecom Working Party on Tuesday, with feedback on the remaining issues due on 3 February. The idea is to match the Parliament’s schedule with the view of launching trilogues as early as March. Read more.
Don’t miss: The UN’s International Telecommunication Union (ITU) is considering launching an office in Brussels in an overall effort to enhance regional engagement with participating countries. The UN telecom agency has been at the centre of political struggles as China used it as a platform to push for its vision for a more state-controlled internet. EU countries have been pushing for a more coordinated approach vis-à-vis ITU, which many consider can only take place in Brussels. Read more.
Mark your calendar: EURACTIV obtained a (very) early draft of the Spanish presidency’s draft agenda. An informal Telecom Council is expected on 23-24 October, with a formal one scheduled for 5 December. Informal Competitiveness Council meetings are set for the week starting 24 July, and formal ones on 25-26 September.
Also this week:
- EURACTIV obtained a leaked version of the Gigabit Infrastructure Act.
- AI Act’s discussions on high-risk classification and obligations are progressing in the European Parliament.
- Twitter has been sued in Germany for failing to take down anti-Semitic content in a case that might set a landmark legal precedent.
- The IMCO committee adopted its report on the political advertising regulation, with alternative amendments looming in plenary.
- MEPs are set to adopt a series of recommendations on approaching spyware tech.
Before we start: If you just can’t get enough tech analysis, tune in on our weekly podcast.
Technical work continues. The European Parliament marked some progress on the AI Act with two technical meetings this week. A rough agreement has been found on the compliance requirements for high-risk AI systems, risk management and data governance. Of particular relevance is the inclusion in the latest compromise amendments of a provision pushed by the Greens that would make the AI developer responsible for verifying the legality of the source of the data used to train the model. The part on regulatory sandboxes is also largely agreed, except for the article that would allow reusing data, included if covered by Intellectual Property rights, for developing AI systems in the public interest, like disease detection. The compromises obtained by EURACTIV also include the measures to classify AI systems at high-risk, to be discussed on Monday, which would allow AI developers to self-assess the risk of their systems, including by applying to a sandbox. In case the providers consider their system does not pose significant risks, they would have to inform the competent national authority or the AI Office if it is meant for more than one country. Read more.
Not even present-proof? According to a new analysis, changes to both the Digital Services Act (DSA) and AI Act will be needed to ensure adequate regulation of large generative AI models like ChatGPT. The argument is made that the current formulation of the two pieces of regulation will not adequately account for the complexities of these tools, meaning changes in risk management, transparency obligations and content moderation will all be required to ensure protection.
Sony pays a visit. Sony’s CEO Jim Ryan was in Brussels this week to meet with EU competition chief Margrethe Vestager and her team dealing with the Microsoft-Activision acquisition case. The PlayStation maker, perhaps the most affected party from the takeover, has made its position clear time and again: the deal should be rejected as conditional measures would be nearly impossible to enforce before irreparable damage is done. At stake is the Call of Duty franchise, the most lucrative of the gaming market that counts for two-thirds of PlayStation’s revenues.
What’s coming? The odds for Microsoft’s $69 billion acquisition, the largest in the company’s history, do not seem particularly bright. In the next two weeks, both the UK’s and the EU’s competition authorities are expected to issue their preliminary findings and decide whether to move the probe to a ‘phase two’. Meanwhile, the US’s Federal Trade Commission sued Microsoft before its own court, with the trial scheduled for August. Timing is important as Microsoft has until July to close the transaction it agreed with Activision or walk out of the deal paying a $3 billion penalty. Activision might agree to postpone this deadline, but it won’t be for free.
Unbundle your Teams. To make things worst for Microsoft, the Commission’s competition service is launching an inquiry into its Teams service based on a 2020 complaint by the workplace messaging service Slack. As first reported by Politico, the probe will reportedly focus on whether the tech company unfairly ties Teams with its Office suite, and the Commission is reportedly preparing a statement of objections.
AdTech is next. A US competition case against Google could have wider implications for the company’s rivals in the ad space market. The US Justice Department is pushing for the company to divest its Ad Manager, which could be a positive for opponents such as Apple and publishers seeking to use their services.
Danti meets the industry. Nicola Danti, ITRE’s rapporteur for the Cyber Resilience Act (CRA), organised a stakeholder workshop on Wednesday with trade associations like ETNO and Business Europe and individual companies like IBM and Ericsson. The discussion was essentially a tour de table where every organisation set its position. The points that came up repeatedly were the need to ensure consistency with NIS2 and avoid duplication and red tape. Danti aims to have the European Parliament’s position finalised by July or September, with the view of concluding the trilogues before the European elections. However, the dispute resolution with IMCO is still looming, but a final decision might be reached as early as the next plenary.
Digital Europe’s recommendations. Just ahead of the workshop, Digital Europe published a paper on the CRA. An interesting idea put forth by the trade association is introducing a new category of products based on the Machinery Regulation, the partially completed product. The idea is to slash the red tape requiring products integrated into a broader process, a different assessment and a declaration of incorporation. They also ask for a regulatory expert group to contribute to developing guidelines that would define in which cases software falls under the scope of the regulation. Other aspects touched upon are repealing the RED delegated acts and incident reporting.
Phishing national security. Russia-based hacking group Cold River is responsible for an information-gathering campaign targeting and impersonating those working in sectors from government and defence to journalism and academia, UK officials said this week. The group operates through fake email addresses and social media profiles, used to send malicious links to targets that provide access to victims’ inboxes when clicked. Cold River is said to be the group behind the breaches of three nuclear research facilities in the US last year. Read more.
Data & Privacy
One more dispute. Ireland’s data protection authority has reportedly initiated a dispute resolution mechanism in relation to the recent case that saw Meta fined heavily for data transfers. Last year, the company warned to suspend Facebook and Instagram in Europe if forced to relocate its data processing to the EU. European leaders were hardly impressed by the threat, following which Meta backpedalled. The triggering of the resolution comes after the Irish Data Protection Commissioner (DPC) butted heads with other EU regulators, and a consensus could not be reached. Its EU peers have already overruled the DPC four times.
EHDS’s secondary use. The EU Council is nearing a position on the European Health Data Space (EHDS), with a compromise discussed at the Working Party on Public Health this week. The changes focus on the secondary use of health data and include a national security carve out, the definition of “health data holder’, and a new approach to intellectual property rights. Read more.
Don’t let it slide. The President of France’s data protection authority has expressed concerns about using smart cameras at the 2024 Paris Olympics as legislative scrutiny of a bill that could authorise the use of facial recognition software gets underway.
Digital Markets Act
Mark your calendar. The Commission published plans for its next two workshops to collect stakeholders’ views on the Digital Market Act’s (DMA) implementation. On 27 February, a workshop will be organised on the interoperability of messaging services, addressing issues such as end-to-end encryption, security and user identification. On 6 March, the focus will be on app stores, notably looking at alternative payment systems, unfair commercial practices and sideloading.
Speaking of app stores. Apple and Google are firmly entrenched as app gatekeepers and the DMA is unlikely to substantively change this, according to research by Bruegel. Full implementation of the legislation will probably not succeed in creating the open and equitable app-services market it was intended to, meaning revisions may be needed, the authors warn.
ITRE’s eIDs report finalisation. Lawmakers in the ITRE committee have reached a political agreement on the European Digital Identity (eIDs) at the last shadow meeting on Wednesday. Technical meetings have been ongoing on Thursday and Friday to polish the text, with the view of finalising it by Monday. The question of the unique identifier was solved by limiting it to cross-border authentication for accessing public and financial services. The other open question was on the Qualified website authentication certificate (QWAC), which prompt web browsers like Mozilla to mobilise against potential governmental control over internet access. The compromise found is somewhat aligned with the Council’s general approach as it mandates a less prescriptive approach that lets the browsers disregard the obligation if they think it endangers security, privacy and loss of integrity. However, in these cases, they would have to inform the Commission.
How to do it right. The Council of Europe’s Consultative Committee on data protection has published new guidelines on how governments and other authorities can apply data protection principles, or ‘Convention 108’, when establishing legal identity authentication systems. To mark data protection Day, the Committee’s president emphasised the need to ensure the rights to privacy and data protection were prioritised in these contexts.
You have been advised. A set of recommendations presented by Pegasus committee lawmaker Sophie In ‘t Veld this week detail the measures that could be taken to combat the abuse and export of spyware, detailing in particular country-specific recommendations for Poland, Hungary, Greece, Spain and Cyprus. In the text, In ‘t Veld slates the response of the EU institutions and calls on the Commission to develop a legislative proposal based on the committee’s findings. Read more.
CSAM’s timeline. The LIBE committee’s draft report on the CSAM proposal is set for presentation on 14 April, with the deadline for amendments on 19 May and a vote set on 21 September, moving to plenary in October. Meanwhile, the committee has been organising a series of explanatory sessions, the latest on Tuesday, with Europol and law enforcement experts. Two more workshops have been planned: one with industry representatives and the US National Center for Missing & Exploited Children, the other with legal experts, EDRi and the EU’s fundamental rights agency. The European Parliament commissioned an external study to assess the impact of the proposal – a first summary is expected by mid-February, with the full report to be published after one month.
First tour de table. Last week, during the discussion on the CSAM proposal, attaches of the Justice and Home Affairs Working Party were asked to express their position on the encryption question. Written comments are currently expected by virtually all EU countries, with the most pressing issue remaining the technical feasibility of the measure.
Tit-for-tat. Retaliation will follow the closure of Kremlin-backed media outlet RT’s French wing, Russian media have reported, citing an unnamed foreign ministry source. French authorities froze the assets of RT as part of the EU’s sanctions against Russia over the war against Ukraine, forcing the outlet to close its doors in France. Moscow will reportedly launch retaliatory measures against French media in Russia, with the Kremlin source accusing Paris of “terrorising Russian journalists”. Read more.
Speaking of terrorising. Russian authorities have effectively outlawed independent news outlet Meduza, branding it an ‘undesirable organisation’ and barring Russians from cooperating with it or its journalists. The move is the latest in a series of shutdowns of independent media since the invasion of Ukraine. The designation comes with the threat of felony prosecution for violations. Read more.
Taking back control. Academic, digital, and media freedom have declined significantly in the UK, according to new rankings released by the Index on Censorship and Liverpool John Moores University, which classified the country as only “partially open” in every category measured. The “Index Index”, which uses machine learning to map freedom of expression across the globe, found that the most ‘open’ countries were clustered in Western Europe and Australasia, with the UK, US, Czechia, Greece and Romania amongst those deemed ‘partially open’.
Morocco pushes back. Morocco’s Parliament voted this week to review the country’s ties with the EU after the latter issued a non-binding resolution criticising the former’s declining press freedom. Lawmakers unanimously supported the motion on Monday, saying the European Parliament’s statement had “seriously harmed the fundamental trust” between Rabat and the EU. Read more.
Pol ads’ crunch time. A draft report on the regulation of political advertising was approved by the EU Parliament’s IMCO committee this week. Key changes to the Commission’s original proposal were made in areas including transparency, ad repositories, sensitive data and enforcement. The question is how much of the report will survive in the plenary, for which the deadline for amendment was postponed to Monday. The most contentious part is the restrictions on personal data, notably the ban on inferred and observed data, that IMCO picked up from LIBE and pushed half of the rapporteur Sandro Gozi’s own group Renew to vote against in the committee vote. Similarly, the European People’s Party MEPs in IMCO were not pleased that their group colleagues in LIBE accepted these restrictions. Expect a messy plenary vote next week.
We take that seriously here. A lawsuit has been filed against Twitter in Berlin over the platform’s failure to remove antisemitic content, including posts related to Holocaust denial. HateAid and the European Union of Jewish Students launched the suit on Wednesday, in part to clarify whether a contract between users and the company over the enforcement of its rules and policies had been broken, something which could determine whether users could, in future, launch legal action over non-removals of violating material. Read more.
The Donald is back. Meta has reinstated Donald Trump’s Facebook and Instagram accounts, two years after suspending them in response to the former president’s support of the storming of the US Capitol on 6 January 2021. In a statement, the company said it deemed the public risk sufficiently receded and had put new safeguards in place to deter potential repetitions. In response, the Facebook Oversight Board said Meta had made progress on introducing new protections but called for further information on how this week’s decision was made and noted that the guardrails tied by the company to the reinstatement were not new, but had been initially announced in 2021.
Google’s concessions. Google has committed to introducing changes in many of its products and services to better align with EU consumer protection law. The changes, which will occur across Google Store, Play Store, Hotels and Flights, follow a dialogue with the Consumer Protection Cooperation Network, which began in 2021.
TikTok’s blacklist. Dutch officials have been told to stop using TikTok over concerns about the platform’s approach to privacy, a move which echoes that of the US House of Representatives in December. The warning comes amid growing concerns over the company’s handling of personal data and news that it tracked journalists via their accounts to identify leaks within the company.
Research & Innovation
Go fund yourself. The first EU-funded projects as part of the new European Innovation Agenda were launched this week, along with a new European Innovation Ecosystems Data Hub, to provide greater information on EU-funded projects in the ecosystem.
GIA leak. Brussels is set to present a new regulation, a revision of the Broadband Cost Reduction Directive, aimed at cutting costs and increasing the speed of deploying high-capacity gigabit electronic communications networks, such as 5G. According to a draft copy of the Gigabit Infrastructure Act, obtained by EURACTIV, the regulation will force public buildings and existing providers to provide access to network operators that want to roll out their infrastructure, transparency on the existing infrastructure and planned civil works, streamlining of permit granting procedures an obligation to include fibre in new and renovated buildings. Read more.
The internet black sheep. Belgium’s internet value is the worst in Western Europe, Surfshark’s Global Internet Value Index has found, 26% lower than the European average. The ranking, which is based on internet speed and affordability, found that 8 out of 10 Europeans get their internet at fair prices, with Denmark scoring the highest.
Mind your traffic. Global internet traffic and consumer demand are projected to surge in the coming years. Still, telecom companies will need to implement some changes to see profit margins match this increase, according to a new report by Sandvine.
What else we’re reading this week:
China Is the World’s Biggest Face Recognition Dealer (Wired)
Privacy and data protection too often suspended at EU borders (EURACTIV)
Head of Israeli Cyber Firm NSO Group Reaffirms Company Commitment to Spyware (The Wall Street Journal)
[Edited by Nathalie Weatherald]