Welcome to EURACTIV’s Tech Brief, your weekly update on all things digital in the EU. You can subscribe to the newsletter here.
“Due to the fact that the discussion has also reached a political dimension, we see a high common demand to discuss the issue of transparency regarding the drafting process as well as the need and the kind of implementation of such immunity or sovereignty requirements.”
-Letter from the German government addressed to the European Commission
Story of the week: Germany has written to the Commission requesting a political discussion on the sovereignty requirements that the EU executive seeks to include in its cybersecurity cloud certification scheme (EUCS). In a letter to Roberto Viola, the director general of DG CNECT, the director generals of three German ministries call for an opportunity to discuss transparency of the drafting process and the implementation of immunity or sovereignty requirements contained within the Cybersecurity Act, which is intended to set up an EU-wide certification scheme. The letter signals a choice of camp for Germany as the country grew increasingly conflicted during the summer.
The calls for political discussion on the file, which so far has been presented as a purely technical initiative, were vehemently pushed by a growing coalition of countries led by the Netherlands. In particular, they ask for a debate in the Telecom Working Party, where the focus would be on the economic and trade implications of the sovereignty requirements. However, the move is set to be opposed not only by the other camp, led by France but also by the European Commission and the Czech Presidency, who are well aware that things would get even messier if that happened. It remains to be seen if this spat will remain localised or if it will be the start of Berlin drifting apart from France’s idea of technological sovereignty. Read more.
Don’t miss: The Commission’s criteria for the rebuttable presumption of worker status have been retained in the Czech presidency’s first compromise text on the platform worker directive, albeit with some tweaking to make them more restrictive. However, Prague suggests some important derogations to the principle, which would not apply to tax and criminal proceedings or cases where employment status is not the central question. Moreover, it would be up to the member states to decide whether the legal presumption would apply in social security proceedings. In terms of algorithm management, the presidency added transparency requirements, strengthened the references to the GDPR and introduced safeguards for the mental and physical health of the worker. Read more.
Also this week:
- The Czech Presidency pushes an additional layer for high-risk AI designation.
- The European Data Protection Supervisor sued the EU co-legislators over the revamped Europol mandate.
- The Commission mulls setting the world’s security standards for the Internet of Things with the Cyber Resilience Act.
- The EU top court’s legal advisor issued an opinion that might pave the way to breaking the silos between competition investigations and data protection breaches.
- Disinformation around the Italian snap elections is mainly fostered by domestic actors.
- EURACTIV got hold of IMCO’s amendments on the political ads regulation.
Before we start: The Commission has finally released its long-awaited European Media Freedom Act, but it has stirred controversy in several directions. Renate Schroeder, Director of the European Federation of Journalists, and Ilias Konteas, Executive Director of EMMA-ENPA, join this week’s podcast to discuss its contents and implications.
This episode is powered by Google
Join the next Fighting Misinformation Online summit
Join the EUI, the Calouste Gulbenkian Foundation, Google and YouTube for the Fighting Misinformation Online summit on 29 November, bringing together policymakers and experts in Brussels and online so that we can tackle misinformation together.
High-risk layer. The Czech Presidency continues pushing for adding an additional layer to the designation of high-risk AI systems in its latest partial compromise, seen by EURACTIV on Friday. The Czechs want to avoid that AI systems that play a ‘purely accessory’ role in the final decision do not fall under this category and could find significant support in the Council for their approach. The text also proposes an exception to the four eyes principle in border control and stronger wording on the national security exemption. These topics are likely to prompt strong reactions from the Parliament. The definition of AI and manipulative techniques have been tweaked, whereas R&D has been more strongly excluded from the scope of the regulation. The next compromise will touch upon the remainder of the text, including general-purpose AI. Read more.
Algorithms cost lives. An inaccurate weather-forecasting algorithm left authorities and citizens in Italy unprepared for floods that claimed the lives of at least 11 people and wrought significant damage this weekend. People in the Marche region were surprised after a violent storm forecast to hit neighbouring Tuscany landed on them instead, bringing major flooding. Weather officials have attributed the shock to the inaccuracy of the forecasting system, which still seems inadequate to meet the rising challenge of disastrous events caused by climate change. Read more.
Breaking the silos. Antitrust watchdogs may be handed the power to assess compliance with data protection rules following an opinion issued by the European Court of Justice’s advocate general. In response to a case concerning Meta and the German federal competition authority, the non-binding opinion found that, while competition authorities do not have direct jurisdiction over GDPR enforcement, they may still consider them in exercising their powers. The opinion of the influential court advisor might be the first step toward breaking the enforcement silos that have so far prevented effective enforcement in the digital economy. Read more.
UK’s antitrust push. The UK’s communications regulator, Ofcom, will investigate the country’s cloud services market and the dominant position of “hyperscalers” Amazon, Microsoft and Google. It will also inquire into other digital markets over the next year, including messaging services such as WhatsApp, Facebook and Zoom. Read more.
Setting the internal standards. The Commission is pitching its new cybersecurity proposal to set the world’s bar for security in the Internet of Things and give European manufacturers a competitive edge. The Cyber Resilience Act was presented last week, centred on a security-by-design principle that would see manufacturers required to address vulnerabilities in their digital products throughout their lifecycle to boost consumer uptake. The Commission envisioned the legislation as spread via the “Brussels effect”, whereby companies adopting these rules within the EU also do so globally out of convenience, creating a higher level of cybersecurity worldwide. As the legislative process proceeds, expect intense lobbying on the items under the list of critical products. Read more.
Google’s white paper. Google made several recommendations to the Commission in response to its plan to centre cybersecurity in digital transformation. Among them, the tech giant has called on the EU executive to develop a “security impact assessment” for new regulation, prioritise strong encryption over data location and engage industry and international partners to share intelligence about and combat cybercrime.
We have a winner. Denmark has been crowned the winner of this year’s European Cybersecurity Challenge, an annual contest run by ENISA, the EU’s cybersecurity agency. Held in Vienna, this year’s challenge saw 33 teams from EU, EEA and other states compete to solve security challenges in areas such as forensics, mobile security and crypto puzzles. Denmark was followed by Germany and France in second and third place, respectively.
Data & Privacy
See you in court. The European Data Protection Supervisor (EDPS) has filed a suit against EU co-legislators over the recently-adopted expanded mandate for EU law enforcement agency Europol. The EDPS’ complaint lies in the fact that the new mandate annulled the authority’s ruling that Europol should delete datasets over which it had no contemporary jurisdiction. However, the adopted mandate meant that this decision was de facto overruled, allowing the processing of this data to continue. For the EU privacy watchdog, this case would set a precedent if the co-legislators can void the work of independent authorities based on their political will, which would put them under undue political pressure. The EU Court of Justice will now examine the situation. Read more.
LIBE in Dublin. The European Parliament’s relationship with Ireland’s Data Protection Commissioner is “not always easy”, representatives of the LIBE committee told the Irish Times this week. Speaking to the Irish parliament’s justice committee about GDPR enforcement on Thursday, lawmakers said they were “not very happy” with Ireland’s Data Protection Commission (DPC), which has been accused of being a “bottleneck” for data protection in the EU. MEPs called for an investigation into why the DPC was not delivering results at the same rate as other authorities and said they were not reassured by “how nice” TikTok and Meta had been about the watchdog. Meanwhile, the Irish government is afraid to take any action, fearing it would threaten the authority’s independence. MEP Paul Tang told EURACTIV he found the meeting with Big Tech companies such as Meta and TikTok ‘disturbing’, as they were in ‘denial’ that their data processing practices are at odds with the EU privacy rules.
Illegal means illegal. On Tuesday, the European Court of Justice expressed its long-awaited ruling on the German data retention regulation, which has suspended traffic data storage for several years. As expected, the verdict stated that indiscriminate data retention is incompatible with EU law, which is nothing new. Still, it needs to be repeated over and over since the European government seems not to like that answer. For the EU court, targeted retention is the answer, but it is up to the national legislators to figure out how to do it. The federal minister of justice, the liberal Marco Buschmann, said following the ruling, they will present a proposal for quick freezes of data in the next two weeks. By contrast, the federal minister of interior, the social democrat Nancy Faeser, stressed she was not happy with the court’s decision and that data retention is a necessary tool to fight crime. Several liberals and greens publicly reminded the SPD that the coalition agreement said data storage must end.
Four and counting. Denmark’s Data Protection Agency has concluded a review into Google Analytics, finding that introducing supplementary measures in addition to existing settings will require the tool to be used lawfully. Danish organisations using the tool must now assess whether their continued use would comply with data protection law. The ruling follows decisions by the Austrian, Italian and French data watchdogs this year, which all found that using Google Analytics in the context of their enquiries was unlawful.
Digital Markets Act
Web browsers competition. New research by Mozilla has found that web browsers are highly important to consumers but that many people lack knowledge on how to install alternative browsers or change their default one, despite knowing how to do so in theory. And while people were shown to raise concerns about privacy and security, many similarly failed to take steps to address them. The report also examines the role of online choice architecture in consumer behaviour, pointing to the lack of choice and lower quality of products offered to consumers when operating systems are designed to undermine the provision of options. The company that owns the web browser Firefox hopes the DMA will rebalance the market.
The disinfluencer game. Domestic actors with a self-interested agenda are the main vectors of disinformation in Italy’s upcoming parliamentary election, according to research seen by EURACTIV. The bulk of this content, the study found, spreads via Telegram and Facebook at the hands of “disinfluencers” and has been relied upon by some political parties to attract voters. Fact-checkers looking at the feasibility of political parties’ proposals have also raised concerns over the fact that 96% of those put forward across the political spectrum lack financial backing. Read more.
Too close for comfort. A stark split is emerging within EPP ranks as negotiations over the platform workers’ directive continue. EPP members accuse the shadow Dennis Radtke of being too lenient with Social Democrat rapporteur Elisabetta Gualmini. Pieces of the centre-right are becoming increasingly vocal on the key issue of worker status. An internal email between Ratdke and EPP colleague Aldo Patriciello states that “we will be unable to support a Directive in plenary along the lines of the current negotiations.” Disagreements remain over the wording of the criteria, which liberal MEPs and industry representatives worry would lead to a too broad automatic reclassification of platform workers. Read more.
Trade unions on a war footing. Following the Czech compromise, the confederal secretary of the European Trade Union Confederation warned that the platform workers directive must not become “an empty shell” in a letter sent to the member states and seen by EURACTIV. The trade unions back the Parliament rapporteur’s call for removing criteria to determine whether a worker is considered an employee. Ludovic Voet also called for action to address the position of undocumented workers in the context of the directive, arguing that if the regulation is too closely tied to migration policy, undocumented workers might refrain from asking for the rights they are entitled to under the directive and accept precarious working conditions, for fear of jeopardising their positions.
Hefty fines in Spain. Deliver service Glovo has been fined €79 million by Spanish authorities for alleged violations of labour laws, it was announced this week. The company is charged with failing to make social security and other payments between 2018 and 2021 due to not having hired its delivery riders on formal contracts. The ruling comes after the May 2021 passage of a Spanish law requiring food delivery riders to be given formal labour contracts, making them official employees. Some riders, however, say they still have not been offered such agreements, despite the law, one of the first of its kind in Europe, having taken effect in August this year. Glovo denies the charges and has said it will appeal.
CSAM first compromise. The Czech Presidency shared its first compromise text on the CSAM proposal, which has been moving slowly in the EU Council. The main proposal is empowering national authorities to require online search engines to delist websites to prevent the dissemination of child pornography – a practice already widely used voluntarily. Regarding the detection orders for grooming, the wording has been adjusted to apply only to conversations between a child and an adult. The requirement for human intervention when a potential solicitation of children is detected has been deleted. Regarding governance, the new wording has moved the power to issue removal and blocking orders from the coordinating authority to the national competent authority, with the former now relegated to an advisory role.
Too busy for you. This week, a delegation of MEPs from the Parliament’s Pegasus committee travelled to Poland as part of their investigation into the use of spyware within the EU. On the agenda for the trip, which is one of a series of visits to various countries implicated in the scandal, were meetings with victims, members of the Polish government, judges and experts. Notably absent from the schedule were appointments with the Ministries of Justice and the Interior, both of which declined the lawmakers’ requests to meet, to the condemnation of Parliament political groups.
Please do something. A group of MEPs from the Greens/EFE group have written to the Commission seeking more information on the EU’s purchase of Centaur and Hyperion surveillance technology and their deployment by Greece. The two systems, the MEPs say, have been used without adequate data safeguards, and the EU’s data protection watchdogs have recommended a ban on such behavioural recognition technologies because they pose a risk to people’s fundamental rights. The lawmakers also ask how the Commission plans to investigate compliance in these areas, accusing the Greek government of being unwilling or unable to conduct an independent investigation, and how the EU executive will screen the funding of similar systems in the future.
Fighting with information. The annual M100 media award was given to the people of Ukraine collectively last week in honour of the work of journalists covering the war. Speaking at the awards ceremony in Potsdam, German Chancellor Olaf Scholz praised the work of those covering the war and warned of the effects of misinformation. Accepting the award on behalf of the Ukrainian people, former boxing champion and high-profile voice on the war, Dr Wladimir Klitschko, similarly applauded the work of the media, describing it as “one of the most powerful weapons in this modern world.” Read more.
It was not meant to be. The findings of two French regulators on the merger of channels TF1 and M6 were published this week, despite the deal having been abandoned just days earlier. In an opinion written earlier this year and presented this week, the media authority Arcom notes the historic nature of the deal in a changing market dominated by US tech giants but also notes that the acquisition would hand the new body an exceptional position. The telecom regulator Arcep, however, is much more critical, concluding that the merger would have posed significant risks to the internet market, to the detriment of users, and calling for remedying commitments from those involved.
Media projects. Fourteen winners have been selected as part of the Stars4Media News project, kicking off a period in which the winning projects can test their ideas for at least four months. The contest received 48 applicant projects, and the winners span 20 countries and is split between two focus tracks: newsroom and business transformation. Five winning projects are centred on Eastern Europe, using Ukrainian, Russian and Belarusian languages.
IMCO amendments on political ads. The creation of a regulatory network, support for ad libraries and the extension of the information retention period are among the features included in amendments offered by MEPs from the IMCO committee. Moreover, left-to-centre MEPs are pushing to include remuneration in kind in the definition, which would also cover influencers. Having influencers in the scope might prove problematic for the platforms, which fear they would need a human review of all the influencers’ content, going against the ban on general monitoring obligations. In addition, lawmakers recommended provisions covering minimum fines for regulation violations, the powers of national regulators and ad repositories. Read more.
Your views don’t matter. Mozilla has conducted what it says is the largest experimental audit of YouTube by independent researchers, following a 2021 study of the platform’s recommender system, from which it was concluded that there was a range of problems. Using a tool built specifically to study YouTube’s recommendation algorithm, Mozilla looked at the effectiveness of the controls in place, finding truth in people’s impression that the platform’s user controls did not impact the content they were recommended.
The race is on. The elections for the secretary-general of the International Telecommunication Union (ITU), the UN’s telecom agency, will take place during the Plenipotentiary Conference kicking off in Bucharest on Sunday. The two candidates for the agency’s highest post are an American and a Russian, so expect emotions to run high. The Europeans have committed their support to the US candidate Doreen Bogdan-Martin, obtaining support for its candidate for the deputy post, Tomas Lamanauskas. However, the fact that an American and a European take the top posts might be difficult to swallow for other regions, as the agency usually tries to provide geographical representation. For Western stakeholders, the election is a done deal also because the Russian candidate, Rashid Ismailov, is a hard sell. Still, US President Joe Biden felt the need to throw his weight in support of Bogdan-Martin, suggesting the race might still be open.
It’s not just about that. ITU has become the central playground for authoritarian countries like China and Russia to push for increasing state control of the internet. These efforts put forth under a Chinese secretary general have been pushed back thanks to a growing engagement of the West, which has led Beijing to take a less high-profile approach. While the election of the secretary-general is catching most of the attention, the plenipotentiary will also decide on plenty of procedural aspects that might be even more important: the working groups’ chairs, frequency of the meetings, whether the industry and civil society should be more involved (and given voting rights). Many resolutions are on the table that will influence the way the standardisation body will work for the next four years.
More 5G delays. European telecom operators will likely force a delay in the rollout of 5G due to spiking energy bills, the head of Vodafone’s Italian operations has said. Speaking last week, Aldo Bisio said he could not see any other solution to the energy crisis but to postpone investments, a move that could widen the existing gap between Europe and the US and Asia regarding the deployment of the technology.
Whenever we’ll get there. The potential of 5G-Advanced in improving global mobility, minimising energy consumption and enabling new B2B business models were among the topics covered by a GSMA whitepaper launched this week. 5G-Advanced, a bandwidth set to connect the gap between 5G and 6G, will also help support low-cost, low-power devices, time-sensitive networks and precise network-based positioning based on global satellite systems, according to the document.
What else we’re reading this week:
Facebook report concludes company censorship violated Palestinian human rights (The Intercept)
Inside Russia’s Vast Surveillance State: ‘They Are Watching’ (The New York Times)
Laura Kabelka and Theo Bourgery-Gonse contributed to the reporting.
[Edited by Alice Taylor]