Welcome to EURACTIV’s Tech Brief, your weekly update on all things digital in the EU.
“The basic concepts from the OECD definition of an AI system have been kept, and additionally the concept of autonomy has been included in the definition, as per the specific request of a number of delegations.”
-Czech Presidency’s compromise text on the Artificial Intelligence Act
Story of the week: The Czech EU Council Presidency has shown its hand on the AI Act, presenting its first compromise proposal, seen by EURACTIV. The changes focus on the four priority issues identified in June and have been positively received in the Telecom Working Party on Wednesday – perhaps also because many national experts are already on holiday. The definition of AI has been narrowed down significantly to introduce the elements of ‘autonomy’ and machine learning or knowledge-based techniques. The only vocal opponent of this wording was the Netherlands, which said the definition is now not concrete enough. A definition of general-purpose AI has also been added, whereas Annex I has been removed.
The list of high-risk systems has been shortened, with France calling for an even stronger reduction on the critical infrastructure part. However, some deletions, such as biometric categorisation and insurance, can be seen as potential bargaining chips for the negotiations with the European Parliament. On governance, the role of the Board has been enhanced following the same lines as the GDPR, to provide guidance and a pool of experts. The national security exemption has also been extended to private contractors, but the deletion of the word ‘exclusively’ was not universally well received. The member states will now have until 2 September to provide written comments, following which the Czechs will provide a new compromise.
Don’t miss: The Commission is set to face legal action over alleged violations of its own data protection laws regarding data transfers to the US. The executive is charged with transferring the personal data of EU citizens, collected from the Conference on the Future of Europe website, to the US in contravention of the Schrems II ruling, in which the EU Court of Justice found American data protection measures to be inadequate and therefore data transfers to the jurisdiction illegal. Although the EU institutions are not bound to the GDPR but to similar legislation, the ruling is expected to clarify that Schrems II also applies to them as there cannot be double standards regarding data protection safeguards. The suit, which is being brought by a German citizen, also alleges that the Commission has failed to disclose enough information on its data processing practices. A verdict from the Court is expected to land within 12 to 18 months. Read more.
Also this week:
- EU lawmakers will visit Ireland to inquire about the state of GDPR enforcement.
- The UK released a strategy for regulating Artificial Intelligence.
- The French data protection authority called for clear rules on facial recognition technology.
- Google made some concessions for the payment systems on Android.
- Seven member states urged the Commission not to rush things on fair share.
Before we start: As the DSA will enter into force soon, the next question is how companies will comply with it. Louis-Victor de Franssu made DSA compliance his very business model and co-founded the start-up Tremau, which supports start-ups and scale-ups in meeting the new requirements. He guides us through his work, the main compliance challenges for small as well as large companies, and the guidance that the European Commission is due to provide.
AI the British way. The UK released a strategy for regulating AI this week, along with its new Data Protection and Digital Information Bill. The strategy, which follows the release of the National AI Strategy last year, focuses on high-risk applications, promoting innovation and reducing red tape within the industry. While the plan bears resemblances to the EU’s AI Act in many respects, there are a few areas of divergence, including when it comes to enforcement responsibilities, which will be distributed between a number of regulators, rather than concentrated in one. Read more.
Ruleless facial recognition. Regulation of surveillance tech must be updated to account for the rise of AI-powered “smart cameras”, the French privacy authority, CNIL, has said. These devices, which use AI to process images without uniquely identifying subjects, are not banned in France, but a CNIL opinion published this week argues that the regulatory framework surrounding them should be revised to ensure that organisations are using them proportionately, having met strict criteria and with a strong legal grounding, to be determined on a case-by-case basis. Read more.
Not an EU monopoly. The UK’s Competition and Markets Authority (CMA) will conduct another review of Meta’s $400 million purchase of image platform Giphy after the watchdog’s original decision to block it was overturned by an appeals tribunal. The tribunal concluded that the CMA had not properly consulted on and “excised portions” from its decision and would therefore require a second review. The CMA has said it will begin the process soon.
Apple Music probe expanded. The Commission will expand its ongoing investigation into Apple’s App Store following the emergence of new evidence in the case, according to Reuters. The probe was initiated following complaints by Spotify that the company had restricted rivals to the use of its own music streaming service, Apple Music, and will not feature new charges as of yet. Instead, a letter of facts, laying out new evidence to support the existing charges, is set to be sent to the firm, which risks a fine of up to 10% of annual turnover if ruled against.
Amazon’s healthcare move. US Senator Amy Klobuchar has called on the Federal Trade Commission (FTC) to launch an investigation into Amazon’s purchase of healthcare provider One Medical, citing the tech company’s “history of engaging in business practices that raise serious anticompetitive concerns”. In a letter to FTC Chair Lina Khan, Klobuchar asked that the role of sensitive personal health data, and its potential use as a barrier to entry, be examined in particular, ahead of the closing of the $3.9 billion all-cash acquisition, which will position Amazon as a key player in the healthcare sector.
Warning of spillover effects. Malicious cyber activities have increased significantly since Russia’s invasion of Ukraine, the European Council said in a statement this week, adding that many had been carried out by a “striking and concerning number of hackers and hacker groups indiscriminately targeting essential entities globally.” In response to recent such attacks, the EU’s high representative Josep Borrell stressed the need for all UN member states to adhere to the UN framework of responsible state behaviour in cyberspace to ensure peace. A “concerning” number of hackers and hacker groups have recently targeted essential entities globally, which creates the risk of spillover effects and possible escalation.
Cybersecurity on the agenda. A delegation of MEPs of the Committee on Industry, Research and Energy (ITRE) visited the EU Agency for Cybersecurity (ENISA) on 18 and 19 July to discuss cybersecurity policy challenges and recent developments. The programme included discussions with the agency’s chief Juhan Lepassaar, and ENISA’s experts talked about their major activities, such as the launch of the European Cybersecurity Month this October or the preparations for the next European Cybersecurity Challenge in September in Vienna.
Data & privacy
LIBE’s Dublin trip. Seven MEPs are headed for Dublin in September to discuss GDPR enforcement in the country, which critics see as a bottleneck in the implementation of European data protection law. The lawmakers, all from the LIBE committee, are set to meet with policymakers, big tech companies and other stakeholders as well as with the Irish data protection authority, according to the draft programme seen by EURACTIV this week. The mission is intended to follow up on a resolution from last year that called on the European Commission to open an infringement procedure against Ireland for failing to enforce the GDPR. Read more.
Data Act discussions. The Telecom Working Party discussed the compromise text on the Data Act this week. A key point of the lively debate was whether the regulation needs to list concrete products (as the Czech Presidency introduced the mention of smartwatches), which would then become the target of lobbying, or rather focus on the type of data. Member states also asked for a clarification on the relation with the regulation on the Free flow of non-personal data. As regards the compensation for data sharing, the Commission is conducting a study due to be ready in autumn. Surprisingly, given its usual stance on Big Tech, Spain joined the coalition of countries against the restriction for gatekeepers. At the same time, Denmark and Finland voiced concerns that the SME exemptions are unreasonably disproportionate, as even a small company can hold very significant data. New text is expected in August on Chapters V and VI.
Regulators’ independence. In its opinion on the Data Act published this week, the Body of European Regulators for Electronic Communications (BEREC) called for additional safeguards for ensuring the independence of the actors tasked with overseeing its implementation, including the establishment of permanent cross-border cooperation mechanisms and the eventual removal of switching charges to increase cooperation and ensure freedom of choice for users.
14 and counting. A nine-member delegation of MEPs from the Inquiry Committee on Pegasus and other spyware visited Israel this week to discuss with industry figures, stakeholders and experts. While the Israeli company NSO group is not the only vendor, it is one of the biggest, with 14 EU governments now confirmed as having bought its Pegasus spyware compared to two from when the committee started its work. But this fact-finding mission still left many questions unanswered, according to the head of the delegation, Jeroen Lenaers, who stressed that “this visit underlined the need for additional efforts at the European level to prevent the abuse of such technology in the future.”
Investigation unfounded. The Hungarian data protection authority (NAIH) admitted this week that its investigation of a journalist targeted with the Pegasus spyware was unfounded, four months after the inquiry was launched. The watchdog initiated the investigation into Szabolcs Panyi after he was found to have the phone number of a secret service employee, obtained as part of his own enquiries into the use of the Pegasus tech, which was used to monitor his phone. Hungary, it was revealed last year, was among the EU governments that purchased and used the spyware and is under investigation by the European Parliament’s Pegasus committee.
CSAM scanning’s support grows. Client-side scanning for child abuse images stored on users’ phones has been given the green light by GCHQ, the UK’s communications intelligence agency, and the National Cybersecurity Centre. The heads of each organisation backed the idea that tech companies should be allowed to deploy software to monitor communications for activity that might indicate child abuse, without collecting the contents of messages. The technique is controversial, with critics contending that it will undermine End-to-End Encryption and destroy online privacy, an argument that has already led to the halting of plans by Apple to scan iPhones for known child abuse images.
US-UK law enforcement cooperation. The US and UK have signed a Data Access Agreement, allowing law enforcement in each country to ask the other for telecoms data for use in investigations or prosecutions. The deal reached this week means that, as of October, authorities in each country will be able to request data from telecoms companies based in the other’s jurisdiction, previously prohibited under US law. To manage the deployment of the agreement, the UK says, new legislation has been passed giving statutory oversight remit to the UK’s Investigatory Powers Commissioner’s Office (IPCO).
Digital Markets Act
3% discount. Google announced this week that it would open its systems to competing app stores and lower fees by 3%, but stakeholders remain unconvinced. The move has been criticised by some as failing to address Google’s alleged abuse of its market position, since using an alternative payment system would still require paying a certain percentage to Google. Both stakeholders and lawmakers are calling for the Commission to ensure that the DMA, which will oblige Google Play and similar platforms to adjust their operating models, is robustly enforced. Read more.
DG CNECT restructuring. In line with a recent announcement from Commissioner Breton, the European Commission’s service for digital, DG CNECT, has been undergoing significant restructuring. While a single unit was previously in charge of both the DMA and DSA, the files have been split. F2 will remain under the leadership of Prabhat Agarwal and will focus on the DSA and the societal aspects. F3 remains under the leadership of the acting head of unit, Helen Kopman, but has completely changed focus from blockchain and innovation to the DMA, in particular to economic relationships, technology, interoperability and safety. On a separate note, Christian D’Cunha, who was previously in charge of the Data Act, has been promoted to acting head of the new cyber coordination task force. There is still no replacement for Gerard de Graaf, the director for digital transformation who will lead the soon-to-be-established EU office in San Francisco.
New pact, new skills. The EU has launched a new skills partnership aimed at up- and reskilling those working in the digital ecosystem. The partnership falls under the EU Pact for Skills and will involve the creation of concrete skills commitments and knowledge-sharing. The plans will come in response to a number of issues identified as key in the digital landscape, including the underrepresentation of women in the ICT sector, which was emphasised as an area in need of attention by speakers at an event on female digital leadership hosted by Huawei in Prague this week. Read more.
DSA amended. The European Council adopted its mandate on the General Product Safety Regulation (GPSR) on Wednesday. The general approach includes stricter measures to curtail the selling of illegal products online (customer-to-customer platforms are excluded), namely empowering online marketplaces to request more information on the traders’ self-certification and the market surveillance authorities to issue removal orders of specific products within two working days. The Council’s version of the file also includes stronger information requirements on the marketplace platforms, notably to inform current customers or potential ones of product safety recalls and notifying the authorities about illegal products via the Safety Gateway.
Amazon goes after fake reviews. Amazon is suing the administrators of 10,000 Facebook groups who failed to act against fake product reviews. In recent years, a thriving market for fake reviews has developed because products and retailers with good reviews can hope for higher sales. Although a specialised Amazon team has identified such groups in recent years and forwarded them to Facebook, only about half of the groups have been blocked so far. With the lawsuit filed in the US, Amazon says it wants to force the administrators of these groups to provide information about their business and identify fake reviews.
The Franco-German brakes. The European Digital Identity (eIDs) was also on the table at the last Telecom WP meetings before the summer break. Almost all EU countries, with the notable exceptions of France and Germany, agreed that the European digital wallet needs to be an identification means in its own right, rather than an empty shell. The unique identifier also has the support of almost all member states, except for France, Germany and Hungary, which have a constitutional problem with it. The Czech Presidency is currently looking into a technical solution, with a new compromise expected by the end of August.
Microchips shortage. In Germany, the supply bottlenecks for microchips also have an impact on the issuing of electronic health cards. In the answer to a parliamentary question of the conservative CDU/CSU group, the federal government assured that close contact with the telematics company is maintained. In case of delay in the exchange of invalid cards, replacement certificates will be issued. From the end of the third quarter of this year, subsequent deliveries of chip modules are expected, so that the supply bottleneck will be minimised.
LIBE AMs on political ads. The deadline for amendments to the LIBE draft opinion on political advertising passed this week, with hundreds of changes proposed despite the committee’s relatively narrow competencies on the file. Yet to be made public, the amendments are set to cement the movement away from the term “amplification” and, in an echo of the DSA debates, to also feature strong opposition to the processing of personal data in ad deployment from a coalition including the Greens and S&D.
You’re cancelled. As part of a bill on purchasing power, members of the new French assembly have voted for a provision to make it easier to cancel subscriptions taken out online. In concrete terms, the government has proposed that any subscription taken out in three clicks online can be cancelled in the same way. This measure will only apply to “day-to-day contracts”, said Olivia Grégoire, minister delegate to the minister for the economy, because “if we imposed this electronic cancellation on all contracts concluded at a distance, this could force some companies, particularly very small businesses or SMEs, to make significant investments”. The article, however, does not currently provide for any sanctions in case of non-compliance.
CIA, more no than yes. Seven EU countries have written to the Commission over concerns that the executive’s “fair share” proposal, which would see large platforms required to contribute to digital infrastructure costs, might be rushed. In the letter, seen by EURACTIV, the signatories stressed that the issue is a complex one, and called for an open and transparent debate. The member states joined progressive lawmakers in calling for a stakeholder consultation to elaborate on the proposal. The Commission is expected to conduct a ‘targeted’ consultation rather than a public one, but no one has received the related questionnaire yet, and it is expected only by September at this point. Therefore, the timing for including the ‘fair share’ in the Connectivity Infrastructure Act is extremely tight (if not unrealistic), but EURACTIV understands that all options are still open. The seven member states also asked the EU executive to wait for BEREC’s assessment of the proposal, expected in October.
Rules of the art. A French senator wants to force internet service providers to radically change their practices in deploying the fibre optic network, as damage to fibre-optic equipment is being repeatedly reported on the ground. With a bill he tabled this week, he aims to ensure the “quality and durability of networks”, improving the transparency and conformity requirements. End-users would also be allowed to suspend their subscription payment in case their internet access is interrupted for a prolonged period.
What else we’re reading this week:
A deepening digital divide requires us all to challenge Big Tech (FT)
Apple CEO Cook Uses His Star Power to Fend Off Antitrust Threat (Bloomberg)
Mathieu Pollet and Laura Kabelka contributed to the reporting.
[Edited by Zoran Radosavljevic]