Welcome to EURACTIV’s Tech Brief, your weekly update on all things digital in the EU. You can subscribe to the newsletter here.
“It is just a very bad precedent if we leave the substance aside for a second: an agreement in a political trilogue is worth nothing if we can go back and change the text afterwards. If the political agreement in trilogue is only worth something for the MEPs and Ministers involved so that they can tweet, it’s really the worst.”
-An EU official on the Digital Services Act
Story of the week: The adoption of the Digital Services Act was not without some last-minute drama this week. MEPs have been waiting for three weeks to hear back from the French Presidency on two contested recitals: recital 28 on a so-called ‘stay-down mechanism’ and recital 29 on a carve-out for gambling websites from cross-border orders. The reply came last Friday, and it was the opposite of what the lawmakers wanted: only aesthetic changes to the text, take it or leave it. Given just a few hours for the political groups to decide whether to go ahead with the vote in IMCO on Thursday, Renew, the Greens and the Left straight out said they would not vote on the text. The rapporteur with the social-democrat group stood by the text, making the conservatives’ votes decisive to reaching a majority. Initially, centre-right lawmakers bought time and requested a deadline extension. Finally, the EPP also rejected the text.
Several catastrophic scenarios opened up from there, with delays that could last six months in case a second reading was needed. However, first thing on Monday, the French Presidency gave in and removed all contested parts of recital 28, although recital 29 was maintained. The schedule then became very tight, as the Parliament could not vote on the text before the member states’ adoption. With a quick change of agenda, the French Presidency scheduled a WP virtual meeting on Tuesday and COREPER vote on Wednesday. The tight schedule and the fact that such a lengthy and important document was sent a few hours before the meeting caused widespread resentment among the other countries.
Tensions that built up throughout the Presidency came to a head at the ambassadors’ meeting, where several member states criticised the French working method of sending documents at the last minute. Belgium, in particular, noted that the requirement for providers to justify their inaction had been deleted from the text (Art. 8), one of the many surprises from the text that changed without Paris requesting a new mandate. Still, the text went through COREPER and was adopted with a very large majority in IMCO. It is now scheduled for a plenary vote on 4 July, according to the draft agenda, following which EU ministers will be able to formally adopt it after the summer.
Don’t miss: The long-awaited revised Code of Practice on Disinformation was published on Thursday, concluding an update process that lasted a year and was delayed multiple times. The Code now totals 33 signatories, with more invited to join. It contains 44 commitments and 128 measures to which they can sign up, a major increase on the 21 included in the original 2018 version. The tool is envisioned as a co-regulatory instrument for very large online platforms under the DSA, meaning that actors can sign up to and comply with it to explicitly meet the systemic risk mitigation obligations imposed by the EU content moderation rulebook. While the DSA and its penalties for non-compliance only apply to the largest online platforms, the Code is open to a range of organisations, from smaller tech companies to NGOs and research organisations.
As anticipated by EURACTIV, the Code’s commitments address the issue of monetising from disinformation, political ads, manipulative techniques, transparency and the empowerment of citizens, researchers and fact-checkers. Ironically, external stakeholders lamented that they were not sufficiently involved in the drafting. However, the Code establishes a permanent task force to oversee its implementation, which leads to wider involvement. In addition, platforms will have to take safe design and algorithmic accountability measures and report on them breaking down per language or member state, a fundamental point since they are often criticised for focusing their content moderation efforts only on the main countries and languages.
Also this week:
- ENISA’s cloud certification scheme continues to contain sovereignty requirements despite the backlash, according to a draft seen by EURACTIV.
- The Commission lost a landmark €1 bn case against Qualcomm in court.
- The French Presidency circulated one last compromise on the AI Act’s innovation section.
- The enforcement of the GDPR was at the centre of the EDPS conference.
- The metaverse is expected to be a massive market soon, and French companies want a piece of it.
Before we start: Scandinavian countries are well-known for having their own approach to social affairs. As regulating the working conditions of platform workers is now a hot topic in Brussels, we got a non-EU perspective to the issue in this discussion with Norway’s Minister of Labour and Social Inclusion, Marte Mjøs Persen.
Last but not least. The French Presidency circulated its consolidated version of the AI Act ahead of the last Telecom Working Party on Friday, putting together the partial compromises it provided throughout its semester and making some final changes to the part on innovation. The overall approach was to make the text less prescriptive, giving member states more flexibility in the implementation of regulatory sandboxes while also making testing in such controlled environments more appealing for companies, as it would be taken into consideration when assessing their compliance with the regulation. The legal basis for collecting personal data was also removed as it was likely to lead to legal disputes, the document added. Read more.
ITRE’s opinion is in. The ITRE committee this week adopted its draft opinion report on the AI Act, with backing from all major political groups. The definition of AI systems has been aligned with the OECD, in line with the EPP’s approach to making the AI Act a global standard. At the same time, more progressive MEPs obtained the removal of the related annexe. The text maintains the previous definition of high-risk AI systems but puts in place more realistic requirements for developers in areas including accuracy, robustness, cybersecurity and data. It also hands the Commission oversight of setting up regulatory sandboxes, on which there is a new annexe included, providing stronger indications on what these tools should deliver, an approach that clashes with the one suggested by France. In support of SMEs and start-ups, the opinion reports call for strengthening their involvement in the standardisation process and for the Commission to seek ways to lower compliance fees. The report also includes a “research exemption”, meaning that the regulation would not apply to AI systems developed for research purposes.
CULT joins too. The CULT committee also adopted its AI Act opinion this week. MEPs agreed on an updated list of high-risk applications in the educational sector. The report’s updated list includes e-proctoring systems used for monitoring and detecting prohibited behaviour of students during tests. The classification rules for high-risk AI system is the only shared competence of the CULT committee.
Widespread surveillance. Without adequate safeguards, AI surveillance systems pose a threat to core democratic principles but their human rights impacts remain under-scrutinised in the AI strategies of governments around the world, according to a new report by the National Endowment for Democracy (NED). While the serious human rights implications of these tools can be seen in illiberal and autocratic states, the NED warns that exporting this tech to places with more political freedom can also present key challenges. The report concludes that the public and private sectors need to work to promote a more democratic and regulated deployment of these increasingly complex systems.
Another one bites the dust. The Commission’s €1 billion case against US chipmaker Qualcomm was dismissed by the European General Court in another major blow to the EU competition authority. In 2018, the EU executive ruled that the company had breached competition law by offering customers a financial incentive in exchange for their commitment to rely exclusively on Qualcomm for the chipsets used to connect smartphones and tablets to 3G and 4G networks. The General Court, however, overturned the decision this week, finding that the EU antitrust regulator made procedural errors that negatively impacted Qualcomm’s right of defence and that the Commission’s ruling applied to a much narrower set of products than had been included in the scope of its original investigation, disadvantaging Qualcomm in its response. Even more worryingly, the judges rejected the entire logic of the case, as during the time Qualcomm-Apple deal, there was no competing chip supplier that could fulfil the iPhone-maker’s strict requirements. Read more.
Self-preferencing tracking. Germany’s competition authority has launched a probe into Apple to determine whether it is giving itself preferential treatment regarding its tracking regulation and app tracking transparency framework. The investigation is the second targeting the company since the amendment of a key antitrust law in January last year, which allows for earlier and more effective intervention against tech companies. Read more.
Still not off the hook. Google’s parent company, Alphabet, has agreed to allow rival ad providers to place their content on YouTube to address a competition inquiry opened by the Commission last year into whether the platform was self-preferencing by restricting other advertisers’ access to user data. The concession will be insufficient to address the Commission’s concerns and will likely require further action if the tech giant is to avoid a potential fine of 10% of its annual turnover, Reuters reports. The EU watchdog is not the only body interested in Google’s ad practices; the UK’s Competition and Markets Authority also has launched an investigation on this matter.
Not so fast. Meta’s appeal against a ruling by the UK’s Competition and Markets Authority (CMA) that it must sell image platform Giphy has failed after the Competition Appeals Tribunal dismissed almost all parts of its case. The landmark decision was the first of its kind in stopping the acquisition of a Big Tech company. The Tribunal ruled this week that the CMA’s finding that Meta’s acquisition of Giphy would harm competition in the UK’s display advertising market was justified, but it did decide that the CMA had withheld information from the tech giant that could have proved beneficial to its appeal, necessitating further review.
Moving on. The French competition authority is dropping the Facebook ad tech investigation after it accepted on Thursday the platform’s commitments to open its advertisements services up to competitors. The probe was opened in 2019 following a complaint by French advertising company Criteo and led to concerns over practices likely to affect the conditions of competition between providers of advertising intermediation services and Meta. “Following this process and substantial improvements, the Authority accepted and made binding the proposed commitments and thus closed the procedure”, said the competition watchdog, stressing that “this is the first time that a competition authority has accepted commitments from Meta in an antitrust proceeding”.
Technical or political requirements? EURACTIV got hold of the draft Cybersecurity Certification Scheme for Cloud Services. The scheme has been at the centre of controversy, as the Commission and France pushed to include sovereignty requirements such as data localisation in Europe, immunity from non-EU jurisdictions, and strict requirements for non-EU contractors. Even companies with a European headquarter but under control -intended as a decisive influence- of a non-EU company will not fulfil the requirements. The move is seen as intentionally excluding the American hyperscalers, restricting the offer to a handful of European providers. Some member states and trade associations are already on the warpath and accuse the Commission of trying to pursue political objectives via what should be a technical certification.
NIS2 getting close. A final four-column document on NIS2, seen by EURACTIV, was up for discussion in the EU Council this week. The majority of the work took place in the recitals, which were better aligned with other legislation such as DORA, GDPR and eIDs. The most significant change means that member states can implement mechanisms to finance the additional tasks required by public entities to put the NIS2 Directive into practice. Detail has also been added to provisions covering the reporting process that countries must undertake to allow bodies to raise the alarm over “significant” incidents and a recital has been included to specify that organisations’ business operations must not be unduly disrupted when carrying out supervisory actions. The text was agreed upon in the last technical meeting on Thursday, and it is expected to be adopted in COREPER on 22 June. However, the MEPs are cautious about approving it in ITRE, as they first want to see the text that comes out of DORA and the Critical Entities Resilience Directive, which means the plenary vote is likely to slide until after the summer.
No time for complacency. At the European Cyber Agora workshop on lessons for the EU’s cyber diplomacy amidst the war in Ukraine on Wednesday, cyber experts discussed the EU’s role in cyberspace and how cyber diplomacy can be used to better prevent, deter and respond to cyber operations. Monica Kaminska, a postdoctoral researcher at Leiden University, pointed out: “as the war drags on, Russia might rely more on cyber operations, and we know it has the capability to do so.” Participants also discussed the possibility of learning too much from the war in Ukraine, meaning that other countries and actors use different strategies that the EU also needs to prepare for.
Data & privacy
Reform or not reform. The enforcement of the GDPR was at the centre of the conference organised by the European Data Protection Supervisor this week. Three commissioners took the stage, all more or less saying that no change to the data protection law is in store. Justice Commissioner Didier Reynders reiterated that enforcement is picking up the pace, pointing to the WhatsApp case as an example of EDPB cooperation. Speaking to reporters, supervisor Wiewiórowski questioned the narrative that all is good, asking why the Commission has kept away from an enforcement architecture like the GDPR’s in consequent legislative proposals. Similarly, the President of the French authority Marie-Laure Denis put it bluntly when she said, “we do not consider status quo as an option.” Vice-President Jourová showed more openness to targeted improvements, namely in terms of harmonisation of the administrative procedures, more centralised enforcement on cross-border cases and cooperation with other authorities such as competition ones. Still, it is clear that the door will not open at least until the next Commission.
Another file, another fight. The ITRE committee agreed with LIBE on the competencies regarding the Data Act, giving the civil liberties committee exclusive competencies on all aspects of privacy and data protection. The rapporteur for the LIBE opinion has been found in Green MEP Sergey Lagodinsky. However, the partition has already been challenged by JURI, which under the leadership of the S&D coordinator Ibán Garcia del Blanco, is pushing to obtain a chunk of GDPR-related provisions alongside the parts regarding Intellectual Property rights. The picture is further complicated by IMCO’s request to be assigned the interoperability provisions.
Decide or not decide. The Conference of Committee Chairs is expected to provide an opinion on the allocation by mid-next week, to land on the desk of the Conference of Presidents on 30 June. Whether it is likely that the dispute will be solved then depends on who you ask. ITRE is pushing for a quick arrangement with the rapporteur Pilar del Castillo Vera, aiming to deliver her draft report by the end of July. JURI seems to think the solution will only be solved after the summer break.
e-Evidence (little) progress. A political trilogue on the e-Evidence took place this week. The Parliament’s rapporteur Birgit Sippel made a step in the Council’s direction by proposing to accept the residence criterion for the ground of refusal for traffic and content data. In other words, the authority of the executing member state would still have to be notified but will not be able to refuse the order when the residence criterion applies. In exchange, the leading MEP is asking that, when the ground for refusals does apply, the notification has a suspensive effect, leaving 10 days to the executing authority to verify if, for instance, the person in question belongs to a protected category such as a lawyer or journalist. Some lawmakers requested for a second trilogue to take place on the last day of the French Presidency, as they fear that the Czech Presidency might be less active on the file and that France’s position might become more rigid after taking off the role of the ‘honest broker’.
Look at the demand side. An array of Big Tech companies told EU lawmakers that governments must stop investing in surveillance companies and crack down on the use of technologies such as Pegasus. The hearing took place in the context of the ad hoc Pegasus committee, following the scandal that revealed that the spyware had been used to infiltrate the phones of high-profile figures. Appearing before MEPs, representatives of Google, Meta and Microsoft said the apparently “thriving” surveillance tech industry was being “fuelled by demand from governments”. The companies called on European governments to do more to address the issues created by the technologies, arguing that greater attention to due diligence and “know your client” obligations would be a good place to start. Read more.
Digital Services Act
Reports are the new black. As the DSA approaches formal adoption, many are now looking at what its implementation will actually entail. In the new EU’s rulebook for the online sphere, there are no less than 13 reports. These are distributed to all platforms for things like transparency, to very large online platforms, for instance, on the risk assessment, mitigation risks, implementation, to the (yet inexistent) Digital Services Coordinators on their activities, the Board on recurrent systemic risks and to the Commission for matters related to delegating powers and evaluation. There is even a report on reports, as the Commission will have to evaluate the annual reports provided by the national authorities. “Reporting is the new way to regulate,” an EU official told EURACTIV, stressing how this was part of a broader trend. “It’s also one way of finding compromises. If you can’t agree on a rule, then put transparency requirements, i.e. reports.”
Trillion-dollar market. The metaverse could generate as much as $5 trillion for the economy by the end of the decade, according to a study by consulting firm McKinsey & Co., which warned that companies and governments should be careful not to miss out on the opportunities this would provide. Announced by Meta CEO Mark Zuckerberg last year, the Metaverse “is simply too big to be ignored”, according to McKinsey, which estimates that the e-commerce industry will likely be its main beneficiary, with a projected market impact of between $2 trillion and $2.6 trillion by 2030. Read more.
Surfing the wave. With such golden expectations, it is unsurprising that French tech companies are scrambling to cash in on the metaverse, expected to produce major rewards for firms that can harness its potential. Even insurance companies are set to seek a piece of the action, but given the uncertainty about what the metaverse will actually become and how deployable it will be on a large scale, there is also some hesitancy, particularly amongst public authorities.
Computing power boost. As of 2023, Germany will become host to Europe’s first supercomputer with exascale capabilities, it was announced this week. As part of the European High-Performance Computing Joint Undertaking, Germany is set to be home to the most powerful of the new five supercomputers that will be used to tackle societal challenges and facilitate advanced research in areas such as engineering and climate change, Commissioner Margrethe Vestager said on Wednesday. The other four mid-range supercomputers will be hosted by Greece, Hungary, Ireland and Poland. Read more.
Europe’s start-up concentration. European venture capital funding rose by 128% between 2020 and 2021, but start-ups and scaleups are still heavily concentrated in a few countries, with almost ⅔ having been founded in the UK, Germany or France, continental rankings within a new report by Startup Genome has found. The volume of capital invested in start-ups, deal volumes and exits were all found to have reached record levels in 2021, with over 10,000 venture deals totalling almost €103 billion, up from 2,400 amounting to €3.6 billion the year before.
Tight path to the path. The trilogue scheduled for the Path to the Digital Decade programme is extremely tight, according to an internal email seen by EURACTIV. The first trilogue will take place next Thursday (23 June), followed by three interinstitutional technical meetings in a row the following week, the last of which is ‘open-ended’, meaning it is over only when all the outstanding issues have been cleared. The idea is to clear the path for the Czech Presidency to reach an agreement at the second trilogue on 13 July.
Speaking of Digital Decade. Accelerated achievement of the Commission’s Digital Decade goals could unlock more than €2.8 trillion in economic value by 2030, the equivalent of 21% of the EU’s current economy, according to a report published this week by PublicFirst and sponsored by AWS. If progress continues at its current speed, it’s unlikely that the targets will be met before 2040, the consultancy says, and although the EU is on course to unlock €1.3 trillion by the end of the decade as it stands, pushing forwards at a more rapid pace could more than double this figure, with an estimated 55% of this value reliant on cloud computing.
The cost of truth. Wikipedia owner, the Wikimedia Foundation, has been fined 5 million rubles by a Moscow court for refusing an order to remove information about Russia’s invasion of Ukraine. Wikipedia is one of the few major fact-checked Russian-language outlets that remain in operation in the country following the Kremlin’s crackdown on media. The Russian media regulator launched the case against the site for pushing back against an order to delete banned information, which the court found constituted a spread of disinformation and a threat to public order. Read more.
Trust issues. Trust in the news has fallen, and the number of people who sometimes or often avoid it has risen, according to the annual Reuters Digital News Report, released this week. Interest in the news, in general, is on the decline, particularly in terms of the consumption of traditional media such as TV and print. Facebook was found to be the most-used social network for accessing news in the year covered, with TikTok becoming the fastest-growing platform in this area. Read more.
Clearer responsibilities. A new compromise text on the political advertising regulation proposed by the French Presidency pushes for greater attention to the specificities of different subjects of the regulation, such as SMEs, and the medium of publication being used, for instance, in adaptation to TV, radio and newspaper. The text, leaked by Contexte, also clarifies the points at which providers of political advertising services are deemed to have become aware of information needing updating and are therefore required to act on it.
Research & Innovation
Auditors reprimand the member states. “Widening measures” included in the Horizon 2020 programme to address disparities between member states in research and innovation (R&I) performance were well designed, but reform on the national level is what is needed to ensure long-term improvements, the European Court of Auditors (ECA) concluded in a report published this week. The ECA offered recommendations to the Commission on how it could improve its oversight of R&I, which were accepted across the board, but stressed that “genuine sustainable change is dependent on national governments fully playing their part”. Read more.
Transformation Alliance. A new “Alliance for Transformation” has been launched by business and political leaders in Germany to make the country more internationally competitive and facilitate the focus on climate and digital that were at the centre of the new coalition government’s funding agreement. The Alliance’s first meeting was held this week, attended by representatives of business associations, trade unions, and federal ministers, and is set to meet four times a year from now on. Read more.
They should go together. The digital revolution poses potentially serious environmental harm, and EU regulation is needed to offset its risks, an MEP has warned. Speaking at an event on Green ICT this week, David Cormand described the digital revolution as being, at the moment, “an ecological catastrophe” due to the materials required and the lack of a circular economy to ensure their reuse. Fellow speakers similarly emphasised the need to take steps to ensure that the digital strand of the twin transitions does not negatively impact its green counterpart and ensure that SMEs are incorporated, sooner rather than later, into the process of achieving targets. Read more.
What else we’re reading this week:
The high price society pays for social media (FT)
Big Tech’s political ad bans are a big charade (Protocol)
[Edited by Alice Taylor]