Welcome to EURACTIV’s Tech Brief, your weekly update on all things digital in the EU. You can subscribe to the newsletter here.
“The protection of the fundamental right to respect for private life at EU level requires, in accordance with settled case-law of the Court, that derogations from and limitations on the protection of personal data should apply only in so far as is strictly necessary.”
– Judgement of the Court of Justice of the European Union on the Ligue des droits humains case
Story of the week: With a landmark ruling, the EU’s top court significantly limited the application of the Passenger Name Record (PNR) Directive. The EU legislation was adopted in 2016 and introduced obligations for airlines to hand over the data of passengers entering or exiting the bloc’s borders to detect individuals suspected of being part of terrorist networks or organised crime. The directive also offered the option of applying the same screening to intra-EU flights, something which 25 member states showed the intention of doing.
The court did not annul the PNR directive completely, as some human rights activists had requested, but imposed strict limitations on the surveillance mechanism. The EU judges clarified that surveillance cannot be systemic and untargeted, but instead must be strictly necessary to respond to a genuine threat. The verdict also stated that automated systems that identify suspicious persons must be based on objective criteria and under human review. Read more
Don’t miss: The EU is planning to rely on digital commons in the overarching battle for digital sovereignty. 19 member states contributed to a new report, published on Tuesday (21 June), which called for the establishment of a brand-new foundation that would act as a facilitator between ecosystem actors and public authorities in the continent. “The digital revolution is a revolution of open standards,” said France’s digital ambassador Henri Verdier, adding that he is concerned that mass digitalisation is now “threatened by malicious actors, by states that have never liked the flow of freedom and innovation not controlled by the state and by monopolies.” Read more.
Also this week:
- The Czech Presidency set the tone of the debate on the AI Act
- Google Maps is under the scrutiny of the German competition authority
- Google solved its long-standing dispute with the French publishers
- The Italian data protection authority stroke another major blow to Google Analytics
Before we start: The Von der Leyen Commission recently passed its mid-term. With Andrea Garcia Rodriguez, the lead digital policy analyst at the European Policy Centre, we discussed what the EU executive has achieved in this first half of the mandate and potential perspectives for the future.
Today’s edition is powered by Google.
In times of crisis, technology can support democracy
Google is working with governments, NGOs and experts in Europe to protect citizens and the public space. Project Shield is defending the sites of more than 200 organizations in Ukraine. We have committed $10 billion by 2026 to strengthen cybersecurity.
Discussions to come. The Czech Presidency circulated a discussion paper on “four high-level outstanding issues which require more thorough discussion,” namely the definition of AI, the categorisation of high-risk systems, the governance structure and the national security exemption. In the document, the Czechs set out different scenarios on each topic, which range from maintaining the status quo (i.e. the French compromise) via moderate changes to more significant redesigns of the provisions. The member states have been asked to express their preferred options and provide a justification. The paper indicates that the upcoming Presidency will act in continuity with the French one, but will show flexibility on the more contentious points. However, reading between the lines, it is clear that the national security exemption is a red line for Prague. The paper will be discussed at the Telecom Working Party on 5 July, to inform a new compromise text that will circulate by 20 July. The member states will then have until 2 September to provide written comments. Read more.
Liability split. The liability rules for AI systems will be covered in an Artificial Intelligence Directive, in other words separately from the revision of the Product Liability Directive. Both proposals are scheduled for 28 September, according to an internal Commission’s timeline seen by EURACTIV. Having separate legislation for AI raises the question of whether it would have not made more sense to include the liability rules directly in the AI Act, since MEPs are (expectedly) pushing to include collective redress amendments in the regulation. The only plausible answer is that the Commission had to present something on AI since it had announced it, and the liability part was not ready yet. The political motives might go to the detriment of legal certainty if the two files are not properly aligned. For what concerns the revamped Product Liability Directive, the question remains on whether its scope will be extended to digital services and software products.
Bundeskartellamt strikes again. Germany’s competition authority, the German Federal Cartel Office initiated new anti-trust proceedings against the US digital giant Google because its mapping application, Google Maps, cannot be combined with other map services. As a result, Google might be harming rival mapping services by restricting the possibility include its location data. These proceedings are based on the revamped Section 19a of the Act against Restraints of Competition (GWB), which since the start of 2021, allows Germany’s antitrust body to intervene earlier and more effectively against behaviour by large tech companies that have an “overriding impact on competition across markets.” Read more.
Payback, with interest. Intel has filed to recover €593 million in damages from the European Commission. The filling is the consequence of a ruling of the EU’s General Court that annulled a $1.2 billion EU antitrust fine. In January 2021, the EU Court of Justice established that the European Commission has to pay default interest on reimbursed fines.
Moving on. After 2 years of proceedings, the French competition watchdog accepted Google’s commitments to negotiate “in good faith” with French publishers about their compensation for the re-use of their journalistic content by the American giant – the “neighbouring rights”. Google agreed to extend the scope of negotiations to all publishers, including news agencies, to share the information necessary for a “transparent” evaluation of remuneration and to conduct discussions “on the basis of transparent, objective and non-discriminatory criteria”. It also gave up on contesting the €500 million fine that the competition authority ordered last July. Read more.
Guess who’s back. Google News has returned to Spain eight years after the service was suspended in the country. The decision is the result of a change of legislation related to copyright, as the Spanish legislator aligned its legislative framework to the EU’s Copyright Directive allowing publishers to negotiate with the platforms directly. Google pointed to research that indicates that when Google News withdrew from the country, publishers suffered a loss in traffic of about 10%, with the strongest impact on the small actors. Read more.
NIS2 final steps. The final version of the NIS2 Directive was adopted by COREPER on Wednesday. The next step is now the vote in ITRE, followed by the plenary’s green light. However, before the text moves ahead MEPs want to make sure it is fully aligned with DORA and the Critical Entities Directive. While for DORA the last technical meeting to fine-tune the text was this week, policymakers still have to reach an agreement on the CER Directive, with the next political trilogue scheduled for next Tuesday (28 June). The ITRE vote is therefore expected on 13 or 14 July, with the plenary approval that might slip to October.
Ukraine’s “secret of success”. Ukraine was in focus at hub.berlin, the digital business festival in Berlin. On Wednesday, Ukraine’s Minister of Digital Transformation Mykhailo Fedorov held a keynote speech on how the country has used digital tools in the war. He made the example of how the Diia app, integrated with all state registers, is used to distribute information on where Russian troops are or to help Ukrainian citizens if their property gets destroyed. Biometrics are used to create electronic signatures or to identify deceased and inform relatives. Fedorov also said that efforts in coordination with businesses have helped to become technologically resilient which is why “cyberinfrastructure is in a fully operative mode”.
Inaugural meeting. The governing board of the European Cybersecurity Competence Centre met for the first time in person in Bucharest this week. Romanian PM Nicolae Ciucă welcomed the board members, indicating the level of importance Romania attributes to the first EU body hosted in its territory. The centre has been the object of tensions between national governments and the European Commission, with the EU executive accused of deliberately postponing the appointment of its executive director to remain in control of the new body. The application process for recruiting the agency’s head has been recently re-opened.
Data & privacy
Google Analytics’ row continues. The Italian authority joined the club of the data protection watchdogs that consider Google Analytics illegal. Formed by the French and Austrian authorities, the club seems to be growing every few weeks. Importantly, the Italian Garante dismissed Google’s argument that the data transferred to the United States is being anonymised by only transferring parts of the users’ IP addresses. The capacity of Google to combine vast amounts of data has in this case backfired against the tech giant since it gives the company the ability to identify the users for example by looking at their email addresses. Google pushed back, arguing that it should be the actual record of government access to personal data that should be looked at, instead of just hypothetical situations – in the 15 years since its analytics tool existed, there has not been a single case. Moreover, the company is optimistic that its recent updates will address these concerns. Read more.
More questions than answers. The inquiry committee to investigate the use of the Pegasus spyware and similar technologies scrutinised the representative of the NSO Group, Chaim Gelfand, in a debate on Tuesday (21 June). MEP’s questions revolved around what control mechanisms the company has in place to decide what country can purchase its powerful surveillance tools and what steps are taken when breaches of use are reported. Due to the way Gelfand responded to or declined to answer several questions, rapporteur Sophie in ‘t Veld said that there was a “complete disconnect between reality and what you are saying” and that it was “an insult to our intelligence”. Detailed responses are expected in writing and there will be a mission to Israel as part of the committee’s investigations. Gelfand did confirm that at least five European member states have used the Pegasus software. Read more.
Data Act competency split. The Conference of Committee Chairs shared its recommendation for the allocation of competencies across the different committees involved. The opinion states that JURI and IMCO should have shared competencies on the entire file. The legal affairs committee would get exclusive competencies on the protection of Intellectual Property rights and the provisions regarding private contracts, whereas the internal market committee would lead on the part related to interoperability and cloud switching. The division of tasks with LIBE was maintained, but the big loser is ITRE which sees its role significantly downsized. The Conference of Presidents will take the final decision next Thursday (30 June).
ePrivacy dragging on. A technical meeting next week started addressing the article on the permitted processing of electronic communications data, but the discussion only scratched the surface of very distant opinions. Speaking at an event, the Parliament’s rapporteur Birgit Sippel regretted that the pace of the negotiation consisted of one political trilogue per presidency.
No party, no right. The NGO NOYB has filed a lawsuit against the Swedish data protection authority because it denied data subjects the right to complain, which is provided under the GDPR. The case concerns Spotify, which NOYB laments only partially responded to an access request. The Swedish authority refused to share information on the data subject, by stating that the complaint is being handled as part of a broader investigation on Spotify, which has been ongoing for three years now.
Retention of IP addresses. The Bundestag has rejected a motion by the conservative parliamentary group asking for six-month retention of IP addresses to fight child sexual abuse online. All other parliamentary groups voted against it, criticising the conservative opposition party for not suggesting measures that are not based on mass surveillance, such as preventive education. However, the issue remains hot. The Social Democratic Party, from which Interior Minister Nancy Faeser has spoken out in favour of the retention, has announced that there will be further discussions within the governing coalition.
Digital Markets Act (DMA)
What’s to come. The European Commission intends to start with the enforcement of the DMA by focusing on seven companies considered the real trouble-makers, while up to 15 gatekeepers are expected in total, EURACTIV has learned. While the number seven does not say much per se, the word is that the EU executive also expects a European and a Chinese company to fall into the scope. Therefore, having the GAFAM plus these two companies would help the argument that the DMA is not ‘anti-American’, as some elements of the US administration vocally contested. The machinery is already in motion to put the notification process in place before the DMA enters into force in autumn, with the implementing acts expected to take precedence over the delegated acts. On the obligations (Art. 5 & 6), the Commission is already working with the industry stakeholders to define the guidelines, involving business users and civil society representatives to fill in potential loopholes.
Step by step. The Bundestag adopted a bill in the early hours of Friday, allowing more companies to register online as of 1 August 2022. The bill supplements the laws transposing the EU Digitalisation Directive. With it, the online certification of commercial register applications will be expanded, and restrictions that previously applied to some legal entities will be removed. Certification will also be made possible via video call. The implementation is entirely in the spirit of the coalition agreement. There, the digitalisation of company law is already anchored. This should make it much easier to set up a company. Read more.
Agree to disagree. The first political trilogue on the Path to the Digital Decade took place on Thursday. The main differences between the institutions related to the Council’s position on Art. 9, which empowers the European Commission to give member states additional recommendations in case the country has ignored the previous ones, following which the national government would have to update its strategy taking them into the ‘utmost account’. The EU Council found the provisions such a nuisance that it removed the entire article, but MEPs (supported by the Commission) are ready to battle for it. Similarly, the member states removed any reference to radio spectrum from the file, since allocating spectrum is a lucrative exercise they hardly want to be lectured about. The Czech Presidency aims to reach a political agreement on the policy programme already by the next trilogue on 13 July, but these contentious points can hardly be ironed down at the technical level.
Chips Act competencies. The Conference of Committee Chairs (CCCs) also provided its recommendation for the allocation of competencies on the Chips Act. The opinion confirms ITRE’s lead, with shared competencies for JURI and IMCO. The internal market committee got competencies over the provisions related to the emergency mechanism, the activation of the crisis stage and public procurement. The legal affairs committee did not receive exclusive competencies as requested but might end up sharing the part on the right to be heard, treatment of confidential information and the European Semiconductor Board. For the CCCs, the budget committee should give an opinion but also attend all the shadow meetings and trilogues. Also, in this case, the final word is with the Conference of Presidents on 30 July.
Outsourcing hotspot. As the EU is struggling to meet its growing demand for IT experts, Eastern European countries are happy to provide. Europe’s poorest country, Moldova, has increased its export of IT services multiply by five in the last five years, thanks to a government policy of tax breaks for its IT Park. Moldovan IT experts are competitive as they are relatively cheap by European standards, still, they can make up to four times more a member of the national parliament. Read more.
Digitalisation in Germany. “We need a digital awakening, and we need it in all areas,” said Digital Minister Volker Wissing at an event organised by the digital association Bitkom. According to Wissing, the government’s digital strategy, which is expected to be presented at the beginning of July, should set the course for this approach. The government is working on three levers. First, broadband expansion and data, because fast internet and the availability of data are the basic prerequisites for digital services. In addition, more focus is to be placed on digital identities and, thirdly, uniform technical standards shall be designed.
Women in (deep) tech. The European Commission opened a new call offering funding and acceleration services for 130 deep-tech start-ups led by women. The call follows what the EU executive defines as a successful pilot phase, whereby it received almost 400 applications for 50 successful applicants that received a €75,000 grant together with coaching and mentoring on business strategies. With this initiative, the Commission is trying to compensate for the fact that less than 15% of European start-ups are initiated by women.
Execution proved. Reporters Without Borders (RSF) has verified that the death of Ukrainian journalist Maks Levin, together with his bodyguard, was an execution of the Russian army. RSF sent investigators to the forest near Kyiv, who collected evidence that the journalist might have even been interrogated and tortured before the murder. Read more.
First of a kind. The ‘media’ ministers of the G7 countries met in Bonn on Sunday and produced the first joint statement on the media policy. The statement pays particular tribute to the protection of journalists, the economic conditions for media independence and the technological conditions for media convergence. The governments of the seven countries committed to establishing a continuous dialogue within the G7 to develop shared solutions.
CSAM quiz time. The German government seems determined not to let the European Commission off the hook on its proposal to fight child pornography. Two weeks ago, Berlin sent the EU executive a massive list of 61 questions on the proposal, published by Netzpolitik. The questions include technical aspects such as the methods of age verification, risk mitigation measures, detection orders, obligations, penalties, information-sharing and how the new centre would cooperate with existing EU bodies. One question for all summarises the mood of the discussion: “does the COM share the view that recital 26 indicates that the use of end-to-end-encryption technology is an important tool to guarantee the security and confidentiality of the communications of users means that technologies used to detect child abuse shall not undermine end-to-end-encryption?”
Regulate the unexpected. Regulators and lawmakers are having a hard time anticipating the challenges that will arise with the forthcoming metaverse. “We have worked hard to ensure that the European regulatory framework is adequate,” Thierry Breton said at the Digital Assembly organised by the French Presidency that was held this week in Toulouse, referring to the Digital Markets Act (DMA) and the Digital Services Act (DSA), adding that Brussels does not intend to “wait for the damage to be done before intervening.” But risks like cyberbullying and hate speech could take on a whole new dimension in this yet-to-come, entirely virtual world. Read more.
TikTok meets EU consumer law. TikTok has agreed to align its commercial practices to the EU rules related to advertising and consumer protection following a dialogue with the European Commission and national consumer protection authorities, the EU executive said on Tuesday. The dialogue started with a complaint filed by BEUC, the European consumer umbrella organisation, which accused TikTok of failing to protect minors from hidden advertising and inappropriate content. The commitments include more transparency for sponsored content, protection from inappropriate products such as alcohol and cigarettes and human review for influencers.
The complainer keeps complaining. However, BEUC is not fully satisfied with the way the investigation was closed. According to the association, several issues pointed out in the initial complaint have not been addressed. Particular points of concern relate to TikTok’s copyright clause. that gives the social media license over user-generated content, the profiling and targeting of minors for advertising and the potential abuses by influencers urging users to purchase ‘virtual coins’. On the aspect of targeted advertising, Euroconsumers is preparing to battle over the fact that TikTok processes personal data no longer based on the users’ consent but on the notion of ‘legitimate interest’. Euroconsumers is expected to send a formal injunction to TikTok on the matter next week, the first step to initiating a case before the Irish Data Protection Commissioner.
One year later. Meta’s Oversight Board published its first annual report this week. The Board received more than one million cases by users and Meta, and eight out of 10 user appeals regarded bullying, hate speech and incitement to violence. However, the Board only published 20 decisions, overturning Meta’s take in 70% of the cases. The most significant of these decisions was regarded as the confirmation of the suspension of former US President Donald Trump. The body also made 86 recommendations to Meta, two-thirds of which have either been implemented or are currently in progress. The recommendations include translating Meta’s rules into more languages, explaining to users whether the content moderation decision was taken automatically or by a human and adopting a new Crisis Policy Protocol.
Age verification tests. Instagram is testing new options for verifying users’ age, a necessary step to allow more ‘age-appropriate experiences’, the social network said on Thursday. The new policy will be initially rolled out in the United States for people that try to edit their date of birth from a minor to over 18. Besides the traditional upload of an ID, Instagram will allow offering the option to take a video selfie that will use the software provided by Yoti to verify the age. Alternatively, users can opt for social vouching, asking three mutual followers that are not minors to verify their age.
Looking ahead. Tech giants are forming the Metaverse Standards Forum, a new standardisation body to ensure the arising digital worlds will be compatible with each other and prevent the creation of the so-called ‘walled gardens’. The organisation will include a whole range of companies, from Meta and Microsoft to chipmakers to the gaming industry. Apple is conspicuously absent from the list of participants. While analysts promise a bright future for the US company in the metaverse, it has yet to position itself in the virtual reality field, with the launch of a brand-new headset already in the pipeline.
We’ll know soon. Orange’s bid to acquire a majority stake in the Belgian cable company VOO is currently under the scrutiny of the European Commission, which is set to provide a decision based on its preliminary review by 28 July. If completed, the deal would put Orange in control of the cable network of Belgian’s Wallonia region and parts of the city of Brussels.
Mathieu Pollet and Laura Kabelka contributed to the reporting.
What else we’re reading this week:
Publishers grapple with younger audiences avoiding the news (Digiday)
Microsoft to retire controversial facial recognition tool that claims to identify emotion (The Verge)
Lessons for Elon Musk from Meta’s content moderation (FT)
Defending Ukraine: Early Lessons from the Cyber War (Microsoft)
[Edited by Nathalie Weatherald]