Welcome to EURACTIV’s Digital Brief, your weekly update on all things digital in the EU.
“We need to prevent “dark patterns”. The Commission should be able to assess algorithms and impose measures in case a service does not respect fundamental rights.”
-Christel Schaldemose, Rapporteur for the Digital Services Act (DSA)
Story of the week: MEP Christel Schaldemose presented her draft report on the Digital Services Act to the European Parliament’s Internal Market and Consumer Protection (IMCO) committee. What is perhaps the most relevant addition in her proposal is a provision for algorithm accountability, not only asking online platforms to disclose their internal mechanisms, but also putting the European Commission in a position to scrutinise them to ensure the respect of fundamental rights.
The Danish MEP also proposes turning off targeted ads and recommender systems. The latter proposal is particularly significant, as recommender systems allow algorithms to offer a tailored experience based on users’ past interactions through machine learning. These mechanisms have recently come under criticism for constituting echo chambers, allegedly contributing to polarisation and the dissemination of fake news.
Additional consumer protection measures were also added, in particular ensuring a remedy system for platforms’ decisions and extending the availability of the single point of contact to users as well. In terms of enforcement, Schaldemose suggests that the European Commission and the Digital Service Coordinator could take direct action against repeated infringements of the regulation, to prevent certain EU countries from providing “a safe haven for online platforms”.
Conservative MEPs criticised some of the new measures, contending they would create an overly bureaucratic burden for small businesses. Furthermore, Green and leftist MEPs made the case for further strengthening the consumer protection provisions, calling for a complete ban of targeted advertising in favour of contextual ads. Read more.
Don’t miss: The rapporteur for the Digital Markets Act (DMA), Andreas Schwab (EPP, Germany), also presented his draft report to the IMCO committee. Once again, this is just the beginning of a long legislative process, and the text might change significantly from here onward. Still, the initial reactions can give a sense of what will be the central points of the parliamentary debate. More on this below.
Also this week: new data protection standards, copyright earmarked, privacy in COVID tracing, investment gap in AI and blockchain, and much more.
Targeting GAFAM. In an interview, Schwab suggested tailoring the DMA to Google, Apple, Facebook, Amazon and Microsoft, with the potential addition of Alibaba. The German MEP considers that these Big Tech companies are those posing the most challenges to a competitive digital market in Europe. Schwab also called for increasing transparency requirements for gatekeepers, obliging them to provide “free of charge, effective, high-quality, continuous and real-time information” on their advertising services.
Gatekeeper definition. In his draft report, Schwab proposes raising the threshold for defining a company as a gatekeeper, passing from €65 bn to €100 bn in terms of market capitalisation and from €6.5 bn to €10 bn for the turnover in the last three financial years. In his tighter definition of gatekeeper, he also added the requirement that the online platform would need to have at least two “core platform services”. In justifying this provision, the draft report argues that “the DMA should be clearly targeted to those platforms that play an unquestionable role as gatekeepers due to their size and their impact on the internal market.”
Scope. Tiemo Wölken (S&D, Germany) contests the more restrictive definition of gatekeepers, arguing that in more limited markets online platforms might effectively act as gatekeepers. On the contrary, the socialist MEP is pushing for enlarging the scope, allowing the supervisory authority to determine the gatekeeping role of the platform. A similar complaint on the scope of the proposal was voiced by Marcel Kolaja (Greens, Czechia), who deems that limiting the regulation’s application would be to the detriment of European consumers and small businesses. Schwab told EURACTIV all major actors would still be covered with the new threshold, and that the provisions in Art. 3(6) allow the European Commission sufficient flexibility to identify emerging gatekeepers.
Remedies. Rasmus Andresen (Greens, Germany) appreciates the strengthening of the remedy provisions against platforms that are systematically non-compliant, which might lead to splitting up the gatekeeper. The structural remedy clause was already present in Art. 16(1); Schwab reinforced it by defining its measures as “effective”, in what he considers a political signal to non-compliant platforms. Andresen, however, criticised the draft report’s provisions on pre-installed apps for being limited to the operating system, as well as the lack of any mention of interoperability of services. Similarly, Evelyne Gebhardt (S&D, Germany) welcomed the speeding up of procedures but argued for strengthening consumer protection. She also argued for the need to include provisions to prevent systemic mergers, echoing a Dutch-French-German letter published last week.
Enforcement. Virginie Joron (ID, France) welcomes the proposal for a High-Level Group of Digital Regulators, considering it an important step to enhance Member States’ involvement in the implementation. By contrast, for Markus Ferber (EPP, Germany), the European Commission should be in charge of the implementation; otherwise, large platforms “will pit national regulators against each other.” As EURACTIV reported last week, enforcement of the DMA is a key power struggle between Brussels and key EU capitals.
Data & privacy
Data protection standards. The European Commission adopted two sets of standard contractual clauses (SCCs) on Friday (4 June). The two sets relate to data processors/controllers and the transfers of personal data to third countries. The SCCs provide a template for data protection provisions that should be included in business-to-business agreements that involve the processing of personal data, thereby supporting European companies in general and SMEs in particular to be GDPR compliant in their contractual arrangements. The new SCCs were largely expected to better comply with GDPR requirements following the Schrems II ruling of the EU Court of Justice. While these standards and pre-approved provisions are meant to favour legal predictability for data transfers, they do not completely remove the uncertainty generated by the Schrems II decision, which also requires companies to run a case-by-case assessment for third countries where GDPR adequacy is not ensured. Thus, the SCCs come with a ‘practical toolbox’ that is meant to guide organisations on how to comply with the Schrems II case law.
Who protects your privacy? The Civil Liberties Union For Europe (Liberties) published a study on the COVID contact-tracing apps and their risks for privacy. The NGO considers that the risk of mass surveillance was avoided, but thanks to Google and Apple, which refused to collect the GPS and Bluetooth data through their operating systems, in spite of several governments’ requests. The study also criticises the lack of transparency and absence of public debate around the contact-tracing apps, which resulted in low download rates. As these apps are now going to be redeployed for the implementation of the Digital Green Pass, privacy concerns remain very relevant. Listen to the podcast for more.
The cookie monster. NOYB (acronym for “none of your business”), the Austrian group led by activist Max Schrems, launched a campaign against what they call “cookie banner terror”. The NGO has filed over 500 complaints against cookie banners deemed not compliant with GDPR, as they do not provide an easy way to opt out of tracking. The activists accuse companies of using “dark patterns” to extort consent, with the result that users lose the control over their personal data that GDPR should ensure. NOYB says they have developed software that automatically flags unlawful cookie banners and thereby generates complaints. The relevant organisations will have a one-month “grace period” to adjust their cookie banner, after which a legal complaint will be issued to the relevant data protection authority.
Filtering out. Monday (7 June) is the deadline for EU countries to transpose the Copyright Directive into their national legal framework. The directive is intended to ensure that content creators and rightsholders are fairly compensated for their work, notably when this is shared or used online. Its most controversial part is Article 17, which regulates the relationship between online content-sharing service providers and rightsholders. To ensure the correct transposition of this key provision, the European Commission adopted a Guidance on Art. 17. The guidance contains an automated content recognition mechanism for online platforms to earmark content that can “cause significant economic harm to rightsholders”. Several trade associations and NGOs have criticised the provision, saying it gives rightsholders the power to decide what content can or cannot be uploaded and shared online. The organisations also regret that the provision was not part of the text during the public consultation and was added at the last minute. The Polish government has legally challenged Art. 17 in front of the European Court of Justice. Critics of the earmarking mechanism consider that the new guidance might have made it more likely that the court overrules the Copyright Directive. An initial opinion of the Attorney General is expected before the end of the month.
Mind the gap. The United States and China form 80% of global equity investments in Artificial Intelligence and blockchain technology. A joint report by the European Investment Bank (EIB) and the European Commission estimates that for the EU to catch up with these international competitors on such critical technologies, it needs to increase its investments by €5-10 bn per year. To make things worse, 70% of EU investments in this area come from France and Germany, suggesting a fragmented innovation ecosystem in other countries. Among the reasons mentioned for underinvestment, beyond the well-known skills gap, is the lack of available data, a barrier that the Data Governance Act is meant to address. Read more.
Not with my face. Privacy International and three other organisations initiated a number of complaints against Clearview AI to the Austrian, French, Greek, Italian and UK data protection watchdogs. Clearview AI boasts of having the “largest known database of 3+ billion facial images”, built through facial recognition software that automatically crawls the internet to detect and gather images of human faces. This data is then sold to private companies or law enforcement authorities. For digital activists, this practice violates EU data protection law. Following an article from the New York Times in January 2020, several countries have opened investigations against Clearview, including Australia, Canada and the UK.
Evidence not found. The European Parliament’s Panel for the Future of Science and Technology presented the results of two studies on the health and environmental impact of 5G on Monday (31 May). On health, the study investigated a report from the International Agency for Research on Cancer (IARC), which considers that exposure to lower frequencies is “perhaps” carcinogenic to humans. The study assessed that there is “limited evidence” that this was the case, and called for further research to analyse the risks of long-term exposure to frequencies above 24 GHz. Similarly, the study on the environment regretted the lack of literature on the potential 5G consequences for non-vertebrates. Read more.
Reconverting. Huawei rolled out HarmonyOS, its own operating system, to Asian markets on Wednesday (2 June). The Chinese telecommunications company has been hit hard by US sanctions since the Trump administration included it in the export blacklist in 2019. The ban prevented Android from properly working on Huawei devices, blocking access to apps such as Gmail. The move marks a strategic reconversion from hardware (i.e. devices) to software (i.e. operating system), directly competing with the Apple-Google duopoly. HarmonyOS is a unified system capable of connecting a wide range of devices, including smartphones, smartwatches, tablets and smart TVs. Uptake from consumers and app-makers will determine whether Huawei’s bid to compete with the US Big Tech will be successful.
Step it up. The European Court of Auditors (ECA) published a report arguing that the EU should enhance its efforts to counter disinformation. The report provides an independent assessment of the EU action plan against disinformation, operational since December 2018. While considering the action plan relevant, the report points to the lack of a monitoring framework and of cross-border coordination for anti-disinformation activities, calling for an overall update of the plan since “disinformation tactics, actors and technology are constantly evolving”. The auditors also stressed the progress made by the European External Action Service (EEAS) strategic communications task force but called for an increase of funding and an expansion of their mandate to address emerging threats.
Same, but different. Katherine Tai, US trade representative, announced on Wednesday (2 June) that Washington will impose 25% trade tariffs against a selection of goods produced in Austria, India, Italy, Spain, Turkey and the UK. The sanctions are retaliation for these countries’ taxes on digital services and were immediately suspended, to “allow time” for a global solution. International negotiations are ongoing at the OECD level. The move echoes a tactic already applied to France earlier this year, and it is meant to apply economic pressure as leverage in the negotiations. It also shows the continuity between the Trump and Biden administrations, insofar as Washington continues to see taxing Big Tech as harming American interests. In previous instances, European leaders made clear that the EU will go ahead with a web tax even if international efforts were to fail.
Show us what you got. In this tense climate, the EU institutions worked out an agreement on the country-by-country report (CBCR) after five years of negotiations. The new directive will force multinational corporations with a yearly turnover that exceeds €750 million for two consecutive years to declare how much they earn in profits, how much they pay in tax and how many employees they have in the EU countries and jurisdictions, as well as jurisdictions that the EU has included in its ‘blacklist’ and ‘greylist’ because they are deemed non-cooperative in tax matters. Big Tech companies are of course going to be heavily affected by these transparency requirements, as they will be required for the first time to publish a breakdown of profits and tax declared by country.
Hit where it hurts. A cyber-attack hit JBS, the world’s largest meatpacker, on Sunday (30 May). The US and Australian supply chains of the meat processing company were disrupted, although the company says it had resumed most of its operations by Wednesday. Once again, the attack has been attributed to a Russia-linked hacker collective, REvil. Only one month after the Colonial Pipeline shut down the petrol supply to the West Coast for several days, an overall strategy seems to emerge to attack US consumers precisely on those goods that are dearest to them. US authorities are now raising the level of priority of cyberattacks almost to that of terrorism.
What else I’m reading this week:
- Asia Times offers interesting insights on China’s head start on 5G, looking in particular at its application to automated factories and logistics.
- BBC took a closer look at how the future of cloud technology (and data management in general) is being decided under water.
- The European Data Protection Board (EDPB) published its annual report. Spoiler alert: the main challenges mentioned are the COVID-related disruptions, Schrems II ruling and GDPR enforcement.