Welcome to EURACTIV’s Digital Brief, your weekly update on all things digital in the EU. You can subscribe to the newsletter here.
“We call for a new Declaration for the Future of the Internet that includes all partners who actively support a future for the Internet that is open, free, global, interoperable, reliable, and secure.”
– A Declaration for the Future of the Internet, draft version seen by EURACTIV
Story of the week: The Biden administration is set to launch a declaration on the future of the internet next Thursday (28 April). The initiative was initially meant for the Summit for Democracy in December, but it now has a newfound momentum in the context of the war in Ukraine and Russia’s recent threat to disconnect from the global internet. The declaration is set to receive the support of the EU, UK, Japan, Canada and South Korea initially, with Ukraine also likely to join according to two sources familiar with the matter. Although not directly mentioned, Russia and China provide the backdrop for the initiative.
A key point concerns defending the current internet architecture, as an open space managed via multi-stakeholder governance, a not so subtle reference to the authoritarian proposals in ITU. There is also direct criticism of online platforms which have increasingly concentrated the internet economy and provided a vehicle for the dissemination of illegal and harmful content that can undermine democratic processes and lead to real-world violence. The text also emphasises the importance of privacy, free data flows and consumer protection. Read more.
Don’t miss: The Commission is stalling from giving the European Cybersecurity Competence Centre (ECCC) full autonomy, several sources told EURACTIV. Several member states, Romania in particular, are frustrated at the fact that the Commission cancelled the selection procedure for the new executive director, contesting the justification that the candidates did not ensure enough gender balance. Instead, the EU executive has nominated an interim executive director from its ranks, a move diplomats think is motivated by the fact it wants to retain control over the new EU body, and in particular the funding it is managing. “This is a ‘chicken and the egg’ type of problem because as long as the ECCC does not have a permanent executive director, it is not autonomous from the Commission. However, the Commission is responsible for filling this position, which it keeps delaying,” Dan Cimpean, the Romanian representative of the ECCC Governing Board, told EURACTIV. Read more.
Also this week:
- The questions still open on the Digital Services Act
- More details on the AI Act draft report emerge as the proposal is made public
- Leading lawmakers push back at pressure to change the DMA’s data provisions
- Deliveroo suffers massive legal defeat in France over workers’ status
- IMCO approves common charger directive with a broader scope
Before we start: The DSA is approaching a final agreement in inter-institutional negotiations. We discuss key aspects of the flagship legislation with Tanya O’Carroll, an independent expert coordinating the People vs Big Tech coalition. On the menu: content moderation, risk assessment, recommender systems, dark patterns and targeted advertising.
Today’s edition is powered by Google.
Join the Consumer Empowerment Project, April 28th
CEP, founded by Euroconsumers & Google, aims to help improve the digital ecosystem for consumers. A space where consumer organizations, industry and civil society can jointly address key issues relating to consumer empowerment. Join here.
Chase the draft. The draft report for the AI Act was expected to be officially published earlier this week, but it was delayed over technical problems. The text was finally leaked by Politico yesterday, ending a frustrating (and largely pointless) wait. The main chunks of the reports were anticipated by EURACTIV last week, notably in terms of broad definition, and prohibited practices. These are some additional points and details we have learned.
Commission’s powers. As anticipated, the Commission will be in charge of cross-border cases, which apply with an AI system that can lead to a widespread infringement with an EU dimension, a risk to 45 million citizens (i.e. 10% of the EU population), or infringements in at least three member states. The powers to request information, take interviews and statements and conduct inspections were similarly strengthened. Moreover, new provisions give the EU executive additional power to fine operators up to 2% of their global turnover if they have intentionally or negligently failed to provide information by set deadlines, submitted inaccurate/incomplete information or refused inspections. The Commission could go as far as imposing interim measures on non-compliant operators and prohibiting or restricting the placement of non-compliant AI systems on the market.
Predictive policing. This technique was added to the list of prohibited practices, with the relief of civil society organisations. However, the way the practice is defined prompts discussions, as the wording only covers the risk assessment of individuals. According to EDRi, that could leave open the possibility of conductive predictive policing based on groups or locations such as less privileged neighbourhoods.
General-purpose AI. Not only has the definition of AI systems remained largely untouched, but no amendment has been included on general-purpose systems. The explanatory statement says that “no AI system should be excluded ex-ante, either from the definition of “artificial intelligence” or by carving out exceptions for particular types of AI systems, including general-purpose AI”.” This is a likely point of contention with the centre-right MEPs and the Council.
No exemptions. The derogation for high-risk AI systems that could be put in place without a conformity assessment for public interest reasons has been removed. By contrast, the EU Council’s compromise text has further expanded these provisions. Similarly, the exemption for small-scale providers of creditworthiness systems was also removed.
Protecting IP. A new paragraph has been added on confidentiality, which would require the enforcing authorities to put in place adequate security measures to protect the information and data obtained.
Datasets. The language on AI datasets has been strengthened, requiring them to be up-to-date “to the best extent possible.” However, the way this is worded suggests it is an overall objective, not a strict requirement, as the industry warned that error-free datasets do not exist.
CatalanGate. Calls are growing for the EU to increase its efforts to prevent high-profile figures from being targeted by foreign spyware after revelations this week that the devices of more than 65 Catalan politicians and activists were hacked between 2015 and 2020 using Pegasus tools produced by NSO Group. The office of UK Prime Minister Boris Johnson and the UK Foreign Office were also this week found to have been targeted by the tech. In response to the news about the targeting of Catalan figures, Amnesty International called on the Spanish government to “come clean” over whether it was an NSO customer and to conduct a thorough investigation into the use of the tech against Catalan targets. Work by the Parliamentary committee established to investigate the use of Pegasus in the EU also got underway this week and is set to examine which European governments may have purchased and deployed the tools. Read more.
Eyes on Russia. The cybersecurity authorities of the Five Eyes intelligence network – composed of the US, UK, Canada, Australia and New Zealand – issued a joint warning this week against the threat of increased cyberattacks by Russia. The malicious activity, the governments warned, could occur in retaliation against sanctions imposed on the country in response to the war in Ukraine, and might be directed towards critical infrastructure. The bodies also cautioned that cybercrime groups acting on behalf of the Kremlin could carry target Western entities for digital extortion. Read more.
Data & privacy
Privacy forum. A Global Forum for Cross-Border Privacy Rules was established this week to better facilitate multilateral cooperation when it comes to promoting trusted data flows. The forum, which includes the US, Canada, Japan, South Korea, the Philippines, Singapore and Chinese Taipei (i.e. Taiwan), is set to establish rules governing these transfers, establish certifications for the international recognition of privacy standards and boost international trade and data flows, US Secretary of State Gina Raimondo said at the forum’s launch. The initiative is likely to give impetus to the expansion of the CBPR systems developed in the context of the Asia-Pacific Economic Cooperation (APEC), in what seems to be a rivalling system to the GDPR data adequacy model based on baseline data protection standards interoperable across different jurisdictions.
Another file, another fight. The by-now usual competency fight has reached also the Data Act. ITRE’s leadership has been challenged by three other committees, all of which are trying to carve out some exclusive competences. LIBE is probably the most likely to win the day, as it already had exclusive competences on the Data Governance Act for all things GDPR-related. JURI might all grab the parts related to the database directive. For IMCO, it is not clear what they could get, as the part on interoperability is mainly meant for Business-to-Business (B2B) rather than Business-to-Costumer (B2C). Other committees are getting a bit exasperated at IMCO, as it got most of the important digital files and keeps on pushing to get more. “IMCO hasn’t really been playing fair here and, if they stick to it, it could take quite a while,” a parliamentary official told EURACTIV. A second official noted that the IMCO lead is with ECR, which will not help the committee’s fight for competencies.
Summer reading. If all this fighting doesn’t rock her boat, the Data Act rapporteur Pilar del Castillo aims to present her draft report by the end of the summer, EURACTIV has learned. The provisional timeline also includes getting the file voted on by the end of the year, perhaps an overambitious target.
Digital Markets Act
No more changes. The EU legislators resisted stakeholders’ pressure to change the data-related provisions of the DMA final text, according to an email seen by EURACTIV. High-profile privacy advocates, competition experts and publishers have been warning against the final wording, which came as a surprise after the last political trilogue on 24 March. Two leading lawmakers, however, have confirmed that the text will not be amended, dismissing concerns that the article might open a loophole as unfounded. For ICCL’s Johnny Ryan, the main driver of the initiative to make the wording more restrictive on gatekeepers, the responsibility now lies in how the European Commission will interpret the measure at the implementation stage. Read more.
Digital Services Act
DSA in the endgame. The EU co-legislators are discussing the DSA at the time of the publication, with strong feelings an agreement could be reached (at least until they walked into the meeting). Indeed, the presidency, the rapporteur and the Commission all have good reasons to close the agreement today. Further pressure was added by none less than Hilary Clinton, while Barack Obama’s recent statements against disinformation contribute to political backing on the other side of the Atlantic. The programme is an initial exchange of views on the agenda and then discussing the three ‘package deals’.
What’s on the menu. On protection of users and systemic risks, the questions open regard the risk assessment and risk mitigation measures, the crisis response mechanism, the protection of minors, search engines and online marketplaces. On marketplaces, the EU countries are divided on what constitutes random checks, but the Commission is confident that these could take place via new technologies (i.e. NFTs, blockchain) as long as the checks are limited to the documentation and not the physical product. In terms of societal challenges, the issues on the table are compensation, trusted flaggers, dark patterns, online advertising, accessibility, revenge porn, automated tools and anonymity. Finally, on enforcement, an agreement needs to be found on the supervisory fee, the SME exemption – a big priority for the EPP group – and the entry into force timeline, an important point for the member states.
The search engine question. A controversial point in the run-up to the negotiations has been the liability regime for search engines, with the Commission proposing a Notice and Action mechanism (N&A). The move, supported by the French Presidency, is seen as a way to enable rightsholders to send their request directly to Google and the likes instead of taking action against the website hosting illegal content. Moreover, JURI’s Geoffroy Didier circulated a proposal even more stringent for search engines, which would require the delisting of an entire website instead of the relevant webpage. However, the French MEP found himself isolated, and according to a media report, he was even silenced by Schaldemose during the trilogue.
Chips Act planning. According to a provision timetable seen by EURACTIV, the draft report for the Chips Act might be ready as early as the end of June, to be discussed by mid-July. The committee vote in ITRE is expected in December.
Stay tuned. The Commission is set to release its long-awaited anti-SLAPP ‘package’ next Wednesday (27 April). The most relevant part of the package is going to be a directive, which however will not cover domestic cases but those with a cross-border impact. How such scope will be defined will be a determining factor in the legislation’s implications. SLAPP stands for Strategic Lawsuits Against Public Participation, legal proceedings targeting journalists and right defenders by drawing them into lengthy and costly litigation often backed by governments or powerful business figures. The SLAPP issue has been high on the agenda for media and civil society groups in recent years, as their use in the EU has climbed.
Hefty fines. The Paris Criminal Court fined Deliveroo €375,000 this week for abuse of labour regulations by hiring people as self-employed rather than employed, and accordingly salaried, workers. The prosecutor’s ruling, that the platform had engaged in “systemic concealment” of independent delivery jobs that should have been salaried, comes ahead of the release of the Commission’s directive on improving platform workers’ conditions, which is expected to clarify the criteria that would automatically grant workers full employment status. Alongside the fine – the maximum allowed – the court also handed out 12-month suspended prison sentences, €30,000 fines and five-year bans on running a company to two of Deliveroo’s former directors. Read more.
One charger to rule them all. The IMCO committee this week adopted the Commission’s proposal for a common charger directive, which would see the production of a single connection needed to charge devices including smartphones, tablets, cameras and headphones in the next two years. The proposal was adopted with a large majority and includes a number of important changes with regard to the directive’s provisions on scope, bundling and consumer information. In particular, low-voltage laptops, e-readers, keyboards, mice, screens, printers, portable navigations, digital radios, electronic toys, smartwatches and other wearables were covered. The Commission is also called to assess the market of wireless chargers by the end of 2026 and review the list of devices by the end of 2028. No plenary vote is expected. Read more.
What else we’re reading this week:
Amazon Europe Unit Paid No Taxes on $55 Billion Sales in 2021 (Bloomberg)
How Democracies Spy on Their Citizens (The New Yorker)
[Edited by Nathalie Weatherald]