Welcome to EURACTIV’s Tech Brief, your weekly update on all things digital in the EU.
“Providers of electronic communications networks and services shall be permitted to process electronic communications data only if it is strictly necessary.”
- Joint non-paper on the ePrivacy Regulation by the European Parliament’s rapporteur and Czech Presidency of the EU Council
Story of the week: After months of slow-cooking technical discussions, the Czech Presidency and Parliament rapporteur tried to tackle the core of the ePrivacy Regulation, Chapter 2, with a joint non-paper on the articles related to electronic communications data, metadata and content, obtained exclusively by EURACTIV. Metadata is a particularly contentious issue, especially location data, which member states want to be able to access in some cases, such as emergencies. The article on compatible processing of electronic communications metadata was taken off the table following opposition from Birgit Sippel. At the same time, the thorny issue of data retention was also put on hold.
Still, the question is whether the leading negotiators can push the much-delayed file out of its deadlock. The momentum is not on their side: on Wednesday, there was a shadow meeting to discuss the compromise, and only two shadows showed up. The political groups had until today to provide written comments, which are expected to be extensive. The coming months will be decisive if the file is to see the light before the end of the mandate or face a likely withdrawal by the next Commission.
Don’t miss: In the wake of a major scandal in the Netherlands, in which a faulty algorithm led authorities to falsely accuse thousands of fraud, The Hague is pushing for several early measures for the public sector ahead of the EU’s new rulebook that will also apply to private entities. As part of an expansive working agenda, the Dutch minister for digitalisation told EURACTIV that the Netherlands would anticipate essential aspects of the AI Act in terms of transparency, human rights vetting and the right to complain for algorithms used by the public sector, which will need to be registered on a public database and be subject to a new supervisory authority. Read more.
Also, this week:
- The Czech Presidency introduced some last-minute changes to the AI Act’s text ahead of COREPER’s green light.
- No general approach to the Data Act is expected under this Presidency, as the Czechs will have to settle for a progress report.
- There might be a compromise in sight on the controversial cybersecurity cloud certification scheme.
- Tensions are coming to a head on the platform worker file as both co-legislators try to finalise their positions.
- Enforcement and scope of the political ads regulation were at the centre of a new EU Council text.
- EU institutions reached an agreement on the new satellite-based communications system.
Before we start: If you just can’t get enough tech analysis, tune in to our weekly podcast.
Today’s edition is powered by CEN CENELEC
Workshop “Trusted Chips: standardisation landscape and opportunities for Europe”
Microchips are a strategic asset to power the EU’s technology ambitions. But how to build a system ensuring trust, security, and quality?
On 2 December, participate in a CEN and CENELEC workshop to learn more about the role of standardisation in developing chips that are secure, authentic and reliable.
Council’s last-minute changes. The Council’s position on the AI Act was shared with member states last Friday, featuring some last-minute changes introduced by the Czech presidency, which aims to reach a general approach by the Telecoms Council meeting on 6 December. Among the topics to which amendments were made are creditworthiness and insurance, critical infrastructure and governance. Read more.
An agent of chaos. A rumour began circulating on Wednesday that Germany had released a non-paper for a law enforcement derogation in the AI Act, a long-standing plaint from Berlin. However, four EU diplomats told EURACTIV that they received no such document, with one saying that it was a rumour to spread chaos ahead of the COREPER approval on Friday. Putting forth such a different position at this stage of the negotiations would indeed be highly unusual.
Parliamentary updates. On Monday, parliamentary officials went halfway through the text for an AI Office, a proposal championed by Dragoș Tudorache that has received support from most political groups. As the discussions continue on the technical level, the shadow meeting scheduled for last Wednesday was cancelled. Next week’s agenda includes two technical meetings on Tuesday and Wednesday and a shadow meeting on Thursday.
eTraveli-Booking deal. The Commission opened an in-depth investigation into the proposed purchase of eTraveli by Booking on Wednesday over concerns it could pose a competitive threat to the online travel agency industry. The Commission sees Booking as already having a dominant position in the travel tech market, which could be added to by eTraveli’s flight services, posing a barrier to entry and expansion of rivals. Booking has declined to submit preliminary commitments in response to the concerns. The Commission has until the end of March to decide whether to initiate an in-depth inquiry.
Transposition flaws. On Tuesday, the French Conseil d’État annulled part of the transposition of the EU’s Copyright Directive into national law. France was a top promoter of the legislation intended to allow publishers to be remunerated for their online editorial content. The transposed rules led to huge fines by French competition authorities against Google. According to the top administrative court, the French version of the directive failed to ensure appropriate remuneration for authors.
EUCS compromise. EU cyber attachés paid a visit to the headquarters of ENISA last week, with much focus on its cloud cybersecurity scheme. ENISA anticipated that a possible compromise on the scheme could require splitting the ‘high’ level of assurance into two subgroups: one with strict security and transparency requirements, and a second, stronger level with strengthened versions of both, in addition to the controversial sovereignty requirements. However, which group could become mandatory under legislation such as NIS2 remains to be seen.
Temperature rising. Things might get clearer at the next ECCG meeting on Friday, but since the scheme will be ‘presented’ rather than discussed, it is unclear if a new draft will be circulated. On Wednesday’s COREPER, the Netherlands mentioned that they might raise this during the December Telecom Council as a point under Any Other Business (AOB). If that is the case, expect the countries opposing the scheme to follow suit. Moreover, the scheme is also expected to be raised by the US administration during the next TTC ministerial meeting.
Money for the Cyber Shield. A call for proposals to finance the capacity building of Security Operation Centres (SOCs) was launched under the Digital Europe Programme, the first €170 million for a total of €269 million. SOCs are control rooms that monitor and respond to cyber threats for their client organisations. The Commission plans to create intelligence-sharing platforms for SOCs, which, gathered at the national level, would create a ‘Cyber Shield’.
Not so fast. IMCO has officially contested the preliminary allocation of the Cyber Resilience Act to ITRE. Although cybersecurity files are typically the domain of the industry committee, some note that the CRA is essentially product legislation that regulates market access.
Data & Privacy
No general approach. The Czech Presidency’s ambition to reach a Council position on the Data Act seems derailed as several member states opposed a COREPER mandate. EU countries have until today to submit their comments, with the cloud interoperability and B2G parts still far from being agreed upon and new concepts like multi-cloud and egress fees continuing to enter the discussion. Prague will present a progress report at the Telecom Council.
Meta’s data systems. The Irish Council for Civil Liberties obtained tons of Meta’s internal documents that, in the NGO’s view, show the tech company’s internal data systems are in complete chaos and in breach of the GDPR. Meta dismissed the argument, saying, “our systems are sophisticated and it shouldn’t be a surprise that no single company engineer can answer every question about where each piece of user information is stored.” ICCL wrote a letter to the Commission with four immediate actions it could undertake, including collaborating with the Irish DPA to obtain Meta’s Record of Processing Activities (ROPA). For Johnny Ryan, the revelations also provide helpful ammunition for when the Commission will discuss how to apply the DMA’s data provisions to Meta.
Make an example. Twitter is no longer ticking all the boxes required to claim Ireland as its main establishment, according to TechCrunch, potentially throwing its GDPR one-stop-shop status into jeopardy, which would mean putting the platform at risk of regulatory scrutiny in every member state. Twitter does not even have a Data Protection Officer, a basic requirement of the EU regime, and for this, the Irish DPA has already put the platform under notice. Some say that the Dublin-based authority might see it as a good opportunity to dismiss criticism that it does not enforce the GDPR enough.
Meta faces penalties. Facebook, Instagram and WhatsApp are all to face sanctions in the coming months, Helen Dixon told Politico this week. According to the Irish DPA, the first enforcement action regarded the massive data leak from Facebook in 2021. In the pipeline, there are three more decisions against Meta’s services originating from Max Schrems’ 2018 complaints on ‘forced consent’, which are currently going through the EDPB’s dispute resolution mechanism.
APD’s priorities. The Belgian Data Protection Authority (APD) is set to focus most of its energy on cookies, data protection officers (DPOs) and smart cities in the upcoming year. Moreover, the authority is interested in diving deeper into the opaque world of data brokers. In its 2023 budget request, defined this week, the APD called for additional funds to work on these priority areas and increase collaboration on cross-border cases.
Non-cookie guidelines. The EDPB unanimously adopted a mandate request for guidelines related to the article regulating the conditions for accessing and storing electronic communications information of the existing ePrivacy Directive. The proposed guidelines approved by the EDPB would be designed to describe which technical operations, beyond cookies, would fall within the scope of the article. An open question remains if the guidelines will cover IP addresses as well, as there does not seem to be a consensus among DPAs.
No World Cup for privacy. Data watchdogs in Croatia and the Netherlands have joined warnings against downloading Qatar’s World Cup apps over significant privacy concerns. The two authorities joined counterparts in Norway, France and Germany in warning that Qatari authorities could use the apps to monitor users and access their data. Norway went as far as to suggest purchasing a burner phone. At the same time, France recommends travelling with a blank phone or resetting the device, and not violating the country’s morality laws when taking pictures or videos.
Digital Markets Act
Experts called. A Commission call for tenders, published this week, is looking for technical experts in investigations and compliance enforcement related to digital services to support the DMA enforcement. Specifically, the EU executive is searching for experts specialised in access and data-related issues in digital services markets. The deadline is 10 January 2023.
Declaration agreed. A political agreement on the European Declaration on Digital Rights and Principles was reached on Monday. The final draft includes reference to universal human rights, wording against unlawful surveillance of workers, protection against pervasive tracking, AI in the work environment and commitments on forced labour. The part anticipating the ‘fair share’ principle was largely untouched. Not everyone is impressed, however. NGO confederation CONCORD called for a robust monitoring system for the declaration to have any impact.
Digital citizenship rethought. A new non-paper by a working group made up of researchers, civil society organisations, and tech companies has put forward five pillars on which they say a reimagined concept of digital citizenship should rest. From digital empowerment to digital opportunities, the pillars are designed to guide policymaking to ensure that the digital age’s opportunities can be seized by all while maintaining people’s safety and well-being online. Read more.
COREPER approval. The Digital Identity file is set to receive the rubber stamp from ambassadors today. There might still be some last-minute statements of objection, particularly on the level of assurance from France and health data from Germany. But the general approach on 6 December is now largely expected.
Ex-ante checks. A minority of member states are seeking to introduce random checks on online marketplaces before the launch of products, according to a non-paper obtained by EURACTIV. The document, dated 11 November, is an initiative of Spain, with the support of five other governments who can form a blocking minority together. The group’s proposal could also introduce a conditionality for the DSA’s liability exemption. While the member states involved are trying to win MEPs over, the ex-ante checks face the hostility of most member states and the Parliament’s rapporteur. The attempt is a last-minute push ahead of the next (and possibly last) trilogue on 28 November. Read more.
Go big or go home. The platform worker rapporteur Elisabetta Gualmini circulated a new set of compromise amendments that would extend the scope of the directive to any worker subject to automated monitoring and decision-making systems, notably in terms of transparency, personal data processing and human oversight. Significant changes were also applied to the definition of digital labour platforms and automated systems. The EMPL committee vote is still scheduled for 30 November.
Meanwhile, the Council. The Czech Presidency is pushing hard to get a general approach, trying to get France and Poland to support its text. The countries opposing the Presidency’s pro-business approach felt even more alienated by the latest compromise text and will likely stick to the line of ‘better no deal than a bad deal’. Germany remains a critical question mark, having stayed silent in recent weeks. Due to internal divergences, it is not excluded that Berlin will abstain, which would mean the text would not have a majority. Another consideration is whether Italy will remain with the pro-worker countries under the new conservative government or flip sides. A new compromise is now expected, with the view of going to COREPER on 8 December.
COREPER postponed. The Czech Presidency postponed the COREPER discussions on the Chips Act, initially planned for this Wednesday, to next week. The Czechs plan to circulate a new compromise to smooth out the last issues about consortia (ECICs) and the budget.
Design centre in Spain. Cisco revealed last week its plans to develop a centre for the design of next-generation semiconductor devices in the context of broader efforts by the EU to boost Europe’s global competitiveness and resilience in chip production. The centre will be located in Spain and will be part of a programme to train and reskill 40,000 students, workers and unemployed people in digital technologies over the next year.
Spyware protection. The European Data Protection Supervisor stated that the Media Freedom Act does not sufficiently protect journalists from spyware and surveillance. While welcoming the proposal in principle, the EDPS called for more significant safeguards and legal clarity. He also recommended an expansion of the legislation’s scope to ensure that its protections would expand to all journalists, including freelancers, and clarification on the protection of personal data in some of its provisions. Read more.
The Worst of the Worst. A study by the Internet Watch Foundation (IWF), released today, has recorded almost 900 instances of the most severe types of sexual abuse material, including penetration, bestiality and sadism, online over five days. Nearly 60% of this online content was hosted in EU countries, the organisation found, demonstrating that efforts to curb this kind of abuse could be thwarted by criminals able to relocate material to servers in other countries to evade detection.
Protocol is no more. US tech news site Protocol closed its doors on Thursday, laying off many of its staff after a turbulent few years following its establishment in early 2020, just ahead of the pandemic’s onset. The dismissal follows a problematic moment for tech firms, which has led to a drop in advertising revenue and a general rethinking of the Politico Media Group, of which the publication was part after it was acquired by the German publishing giant Axel Springer.
Political ads enforcement. Enforcement responsibility and what does not count as a political advertisement are the subjects covered in a compromise text on the proposed political advertising regulation the Czech Council Presidency put forward this week. The text, circulated ahead of Friday’s Council General Affairs Working Group meeting, covers where the responsibility for enforcement should be located, includes a clarified list of what isn’t covered by the term “political advertising”, and adds further detail to provisions on targeting and amplification. Read more.
Self-regulation vs greenwashing. Demand for sustainable products from consumers is growing as awareness of the climate crisis continues, but public trust in environmental claims in advertising is low. While legislation is essential to avoiding greenwashing and promoting confidence in climate labels, stakeholders at an event hosted by the European Advertising Standards Alliance said this week that self-regulation with broad industry involvement, including by platforms, will be crucial to ensuring success. Read more.
$3 billion and counting. Following Google’s $391.5 million settlement of a lawsuit in the US, the total amount of fines against Big Tech reached $3 billion in 2022. For Proton, this is a sign that “Big Tech has calculated that it’s more costly to change their business models than it is for them to pay the fines.”
Research & Innovation
EIC investments. The European Innovation Council (EIC) Fund has taken 35 investment decisions, Commissioner Mariya Gabriel announced this week. Totalling €190 million, the investments are the first round under the Horizon Europe programme, with decisions on a further 24 deals set for the upcoming weeks.
IRIS² set for launch. A deal reached between lawmakers and diplomats on Thursday has given the green light to launch a new satellite constellation, IRIS², which will provide secure connectivity for EU government services. The €2.4 billion project, presented by the Commission in February, aims to have the system operational by 2024 and is intended to contribute to the EU’s strategic autonomy objectives and bolster the resilience of critical infrastructure at a time of heightened attention to cyber threats. Read more.
IMCO’s draft report. This week, Adam Bielan’s draft report on the European standardisation strategy was published. The conservative lawmaker included most of the industry views. For instance, on the high-level forum, he stated that the expert group should not lose “sight of the bottom-up, market-driven nature of standardisation activities.” The draft report also invites the Commission to reconsider its standardisation approach following the James Elliott case to avoid overly prescriptive requirements.
ETNO fights back. The trade association ETNO, the main driver of the ‘fair share’ proposal, sent a list of comments to BEREC, the body that gathers telecom regulators and that in October issued a strongly critical assessment of the initiative. In particular, the industry organisation invited the EU body to expand the scope of its analysis, engaging with all actors in the internet ecosystem, looking more broadly at market dynamics, and considering the impact of horizontal policies related to the twin transitions. Perhaps most importantly, ETNO told BEREC to “shift from a historical analysis to a forward-looking approach.”
What else we’re reading this week:
Pour une souveraineté européenne sur le Cloud et les données (Terra Nova)
The Brief — Big Tech and the Big Ego trap (EURACTIV)
Tech job cuts a wake-up call to Ireland’s economy (FT)