Digital Brief: DSA agreement, upload filters safeguards, GDPR redress

The Digital Brief is EURACTIV's weekly tech newsletter.

Welcome to EURACTIV’s Digital Brief, your weekly update on all things digital in the EU. You can subscribe to the newsletter here


“The DSA will upgrade the ground rules for all online services in the EU. It will ensure that the online environment remains a safe space, safeguarding freedom of expression and opportunities for digital businesses.”

European Commission President Ursula von der Leyen


Story of the week: A deal was reached by EU legislators on the DSA in the early hours of Saturday morning, finalising an agreement on the flagship legislation. After 16 hours of negotiations, legislators settled a number of last-minute complexities after months of debate. The measures against revenge porn were added in the assessment of systemic risks very large online platforms will have to carry out. Very large online platforms will also have to provide an alternative recommender system not based on profiling. The crisis management mechanism was included, with the Commission triggering the crisis status upon recommendation of the Board of national authorities, adopted by a simple majority. The notion that trusted flaggers would have to represent ‘collective interests’ was removed, meaning everyone will now be able to be nominated as a trusted flagger, including private companies that want to track down counterfeit goods.

The last-minute attempt to include a Notice and Action mechanism for search engines, an initiative of the Commission to please rightsholders, was bounced back by virtually all political groups in the Parliament. Rapporteur Schaldemose reportedly did not even let JURI’s Geoffroy Didier, one of the rightsholders’ ambassadors in the Parliament, speak during the trilogue. The ban on advertising targeting minors was included, alongside the ban on profiling based on sensitive data. According to documents obtained by Corporate Europe Observatory and Global Witness, the proposal for the ban on sensitive data to be limited to profiling (i.e. not covering statistical inferring) corresponds to an argument made by Google, as its new system based on Topics would not be covered.

The DSA will be applied 15 months after it comes into force or 1 January 2024, whichever is later. However, very large online platforms will have two months for designation, and four months for the new rules to apply to them. Between 20 and 30 platforms are expected to fall into such category, and most of them will also be gatekeepers under the DMA. Besides the gatekeepers, Wikipedia and several porn websites are expected to fall within the scope.

On Thursday, the first technical meeting following the political agreement took place, and it is also the last one since the one planned for today was cancelled. The French Presidency opposed any last-minute change to the agreed text, whereas the rapporteur asked for the written procedure for the recitals, which might be agreed as early as next week. Few weeks of technical work to fine-tune the text are expected ahead of a final IMCO vote in June. If everything goes well the DSA will be voted in the plenary session on 4 July alongside the DMA.


Don’t miss: The EU Court of Justice (CJEU) has dismissed a case brought by Poland which aimed to see the controversial Article 17 of the Copyright Directive struck down. Warsaw contested the article making content-sharing service providers liable for copyrighted content posted on their platform, as it likely entails the introduction of automated systems to detect and remove it. The discussion is a long-standing one on so-called upload filters and their potential threat to freedom of expression and information. The CJEU’s ruling recognised the potential risks of ex-ante content-blocking, pointing in particular to the fact that they might not always adequately make a distinction between illegal and legal content. At the same time, the court did not throw away the article altogether as it concluded that sufficient safeguards were in place. Read more.


Also this week:

  • Consumer groups will be able to sue platforms like Facebook for GDPR infringements even when not directly representing data subjects
  • The French Presidency strives for more flexibility in the AI Act enforcement
  • Council prepares key concessions on NIS2 to close the negotiations in May
  • 41% of child pornography is hosted in the Netherlands
  • The TTC summit will be full-on anti-Russian, as controversial topics were taken off the table
  • The Commission presented its directive to fight abusive lawsuits against journalists and activists


Before we start: A new Trade and Technology Council between the EU and India has been announced, as Commission President Ursula von der Leyen visited India this week for the relaunch of long-stalled negotiations on a trade deal. We discuss what we know and can expect from this initiative with our Global Europe & Defence Reporter Alexandra Brzozowski, who was in India to cover the summit.

The EU's tech diplomacy and the Indian TTC

A new Trade and Technology Council between the EU and India has been announced as Commission President Ursula von der Leyen visited New Delhi this week for the relaunch of long-stalled negotiations on a trade deal. We discuss what we know and …


Today’s edition is powered by Summit. Summit – Where European Tech comes together
Join us for the #TechEUSummit on 17 May in Brussels to help carve a path of sustainable growth for the European tech scene and innovation ecosystems! Learn More >>


Artificial Intelligence

More flexibility for us. The French Presidency proposed several changes to the AI Act this week, aiming to ensure better alignment with the new legislative framework, the EU legislation regulating market surveillance and conformity assessment procedures. The changes cover areas including the notified bodies and their role in enforcing the AI Act, the role of the national authorities as well as the reporting and organising of data on high-risk AI systems. The overall purpose seems to be to provide the member states more flexibility in relation to pre-market controls and supervisory arrangements. Read more.

One to watch. These provisions might seem dull and they hardly make the headlines. Still, the debate can heat up and become highly political given the key role notified bodies will have in ensuring the systems that are launched into the market are safe. A frequent criticism about this kind of setting is that it promotes ‘forum shopping’, as there will be an incentive to apply to the notified bodies that apply the standards less strictly. Another potential issue could be if there are too few notified bodies compared to the demand, which could lead to bottlenecks and slower market deployment as it has been the case in the MedTech field. At the same time, the role of notified bodies is (at least for now) limited to high-risk applications in the areas of biometric identification and categorisation, and only before harmonised standards or common specifications covering these systems are approved, following which only self-assessment is needed.

What to expect. There were no major changes to this latest compromise text in the Telecom Working Party on Thursday, as only technical questions were raised. At the meeting, the French Presidency clarified it only aims to deliver a progress report before passing the ball to the Czechs. The compromise texts will be annexed to the progress report, but they won’t be binding. There will be at least two more WP meetings dedicated to the AI Act on the articles 63 to 69 and 70 to 75 respectively. The articles from 1 to 7 will not be touched, signalling that the French were happy with the work of the Slovenian Presidency on this part.


More Apple probes. Apple will face a new set of EU competition charges as early as next week related to the way in which it blocks rivals such as PayPal from accessing Apple Pay, the Financial Times reports. Just a year on from the first antitrust case opened by the EU against the tech giant, Apple is facing a number of investigations in Brussels, including into its App Store book and music services. If the new case against it succeeds, the company could be fined up to 10% of its annual global turnover.


Final rush. The French Presidency is keen to reach an agreement with the NIS2 directive in the next political trilogue on 12 May. There is an intensive schedule of technical meetings in preparation for the trilogue, and France has already made a significant concession regarding what concerns the reporting deadlines (see below). The Presidency seems convinced that an agreement cannot be reached without including regional administrations in the scope, but Germany has strongly opposed that until now. Other key contention points include the peer review mechanism, cybersecurity certification and the exclusion clause.

Reporting deadlines. The compromise text is based on the Parliament’s position and requires that a cyberattack or ransomware that compromises the availability of an essential service to be reported within 24 hours. For any other incident such as the confidentiality of a network or the integrity of the data in possession of the organisation, the deadline would be 72 hours. Moreover, the Parliament obtained that a final report would have to be submitted one month after the formal notification of the incident. If after one month the incident is still ongoing, there would need to be a provisional report to be complemented by a final report once it has ended. At the same time, the EU countries obtained that the notification in itself does not affect the liability of the impacted organisation.

Speaking of reporting. The EU cybersecurity agency’s (ENISA) reporting system does not work and a more resilient alternative, along with a more cooperative environment, needs to be built, according to the authority’s head. Experts have raised similar concerns over the mechanism for reporting cyber threats, and many echo the view that better legislation and strengthened information sharing are needed. These issues are set to be addressed in the EU’s upcoming NIS2 which includes mandatory reporting of potential threats. However, NIS2 rapporteur Bart Groothuis stressed to EURACTIV that the point here will be about the significance of the data that is shared and putting in place an ecosystem that acts upon that data. Read more.

Undersea threats. Submarine cables account for 99% of the world’s digital communications, but they are also among the most vulnerable types of infrastructure. That is the conclusion of a yet-to-be-published study commissioned by the European Parliament’s Security and Defence Committee (SEDE), as anticipated by the authors in a hearing on Monday. Cybersecurity researcher Tobias Liebetrau, one of the authors, dismissed a ‘doomsday scenario’, but warned about the possibility of symbolic attacks or acts of provocations from hostile powers such as China and Russia, as well as terrorist groups and criminal organisations. Meanwhile, no EU agency has a clear mandate to monitor the safety of this backbone infrastructure, and Europe’s capacity is limited or inexistent for what concerns repair and undersea monitoring.

Data & privacy

Class action allowed. The EU Court of Justice (CJEU) ruled on Thursday that consumer groups can bring class-action suits for alleged breaches of data protection rules even when not directly mandated by affected individuals, as long as it is allowed by national law. The ruling was made in a case brought by a German consumer group against Facebook over its failure to provide a clear explanation of its data processing on the App Centre. The tech giant argued that such class actions were prohibited under the GDPR, but the CJEU struck down this argument noting how the right to redress was a key part of ensuring a high level of protection of personal data, which is the core objective of the GDPR. The ruling might lead to consumer groups forum shopping the jurisdictions that provide for the most favourable consumer laws, but it is set to become irrelevant as soon as the EU’s Representative Actions Directive enters application on June 2023 (as long as it is transposed in due time). Read more.

Privacy Shield? Not so fast. The US 9th Circuit Appeal Court, which has jurisdiction over the Western states including California, ruled this week that the US government was free to order the copying and preservation of any user’s internet account, without reason, as this would not constitute a seizure of property. The precedent was set as part of a broader criminal ruling on a case to do with the sexual exploitation of a child. Legal experts note that the court likely did not fully understand the legal implications of the ruling, which is now likely to affect any future legislation in the area of that protection and privacy. That includes any possible arrangement for the new Privacy Shield intended to provide a legal basis for the EU-US data transfers, as meaningful safeguards now seem nearly impossible.

Cookies are coming back. Significant progress has been made on the ePrivacy Regulation in the last weeks, with Chapters I and III virtually closed. This week, rapporteur Birgit Sippel publicly called out on the French Presidency to organize at least two technical meetings per month and another political trilogue before the end of June. Next on the menu is the infamous Chapter II, which includes the most controversial parts of the proposal such as the cookie provisions. Word is the Czech might make closing the file one of their top priorities, which might not be so unrealistic if the French manage to make some progress on these key parts. However, clashes between the Council and Parliament have already unfolded regarding what concerns the confidentiality of electronic communications (Art.5), where France has pushed back on the MEPs’ request to remove the exceptions.

Strategic cooperation. The European Data Protection Board’s (EDPB) members have agreed to strengthen their cooperation on strategic cases and to diversify their methods following a high-level meeting in Vienna. Among the commitments made by EDPB members were increased information exchanges on national enforcement strategies, the identification of ways in which procedures could be better harmonised at the EU level to strengthen GDPR enforcement and the collective identification of cross-border data protection cases of strategic importance to the member states.

Airbnb’s setback. Belgian legislation requiring online accommodation platforms to provide tax authorities with data concerning tourist accommodation transactions does not violate EU law, the EU Court of Justice ruled this week. Airbnb Ireland had brought the case, arguing that the obligation to report this information in the Brussels Capital Region contravened the EU’s eCommerce Directive; the court rejected the claim, however, finding that this data still fell within the Directive’s scope.

The cost of delays. The Irish Data Protection Commission (DPC) has settled a case with rights group noyb over delays in GDPR enforcement on Instagram and WhatsApp. The case was brought by noyb after it took four years for a draft decision to be reached on Facebook’s “consent bypass”, where the GDPR requires such issues to be resolved “without delay”. The DPC will now have to pay tens of thousands to noyb in compensation for legal costs accrued.

Gig economy

Wait and see. MEP Elisabetta Gualmini’s report for the EMPL committee on the directive on platform workers is expected to be sent to translation on Monday. “We need to make sure it’s workable, the aim is to create legal certainty,” Kim van Sparrentak, shadow rapporteur for the Greens, told EURACTIV, welcoming the fact that the future directive also tackles “algorithmic management” for the first time.

Industrial strategy

Czech priorities. The Chips Act will be a top priority for the Czech Presidency, alongside the refugee crisis and energy independence, the European Affairs minister Mikuláš Bek told our colleagues in Prague. “The Chips Act could become one of the flagships of our agenda, there is a great opportunity for Czech companies as well,” he added. The file will be at the centre of a policy discussion at the COMPET Council in June. EURACTIV understands the Czech Presidency will aim to reach a general approach by the end of its semester. Other digital priorities are expected to be cybersecurity and AI Act.


Anti-SLAPP Directive. On Wednesday, the Commission presented its long-awaited directive on SLAPPs, or Strategic Lawsuits Against Public Participation. The proposal aims to stem the tide of these abusive legal actions, which aim to silence journalists and activists, a phenomenon on the rise in Europe. The directive deals with cases that have “cross-border implications”, but the Coalition Against SLAPPs in Europe noted that those account for only 11% of the total SLAPP cases. The directive was accompanied by a recommendation to member states on how they can implement similar measures at the national level to tackle domestic equivalents, which means it will be up to the goodwill of the national governments to put a legal framework in place to fight the remaining 89% of cases. Read more.

Alerting news. Press freedom alerts recorded by the Council of Europe’s (CoE) platform rose by 41% in 2021, a year which saw six journalists killed in Europe. Almost half the alerts involved state actors and the CoE warns that the type and severity, not just the number, of alerts, should be of concern. A report released this week examining the alerts recorded also looks at structural threats to the press, including the export of models of media capture and threats to the independence of public service media. Read more.

Look who’s talking. Russian President Vladimir Putin this week accused the West of planning to kill Russian journalists, saying the Kremlin’s Federal Security Service had averted an attack on a famous TV anchor, Vladimir Solovyev, whose Italian villa was damaged earlier this month. No evidence was immediately provided to back up the claims of the alleged plot. Read more.


The Dutch problem. Europe is the “global hub” for online child sexual abuse material (CSAM), with 62% of all such content globally hosted in the EU in 2021, according to the Internet Watch Foundation’s annual report. The bulk of child pornography is concentrated in the Netherlands, which is estimated to host 41% of the world’s material. The reason seems to be a combination of the internet infrastructure, low cost hosting solutions and a favourable legal framework. The report comes ahead of a proposal by the European Commission to tackle CSAM, expected in May after months of delays. Read more.

Twitter spat. Billionaire Elon Musk reached a deal to buy Twitter for $44 billion in cash this week, promising to prioritise free speech on the platform. Musk has criticised Twitter’s approach to moderation and has pledged to make the platform’s algorithm public moving forward. To that, commissioner Breton felt the need to remind the world’s richest person that Twitter will have to comply with the EU’s content moderation rules as set in the recently agreed DSA. The warning seems rather superfluous since the EU’s rules apply to all platforms regardless of who owns them. EVP Margrethe Vestager tried to put the (ironically Twitter-centric) polemic to rest telling the German newspaper Die Zeit that she didn’t care who owned Twitter as long as the rules governing the digital world were followed. At the same time, the EU competition chief stressed that problems would only arise if he decided to buy other social media platforms.

The EU goes social. The European Data Protection Supervisor (EDPS) has launched the pilot phase of two social media platforms. EU Voice and EU Video are part of a programme to offer alternative platforms that the EDPS says will “prioritise individuals and their rights to privacy and data protection”, namely by not relying on data transfers to countries outside of the European Economic Area. EU institutions and organisations will be able to use the platforms to share content and interact with the public.


Italy’s 5G scheme. The Commission has approved an Italian scheme to roll out high performing 5G mobile networks as part of the country’s strategy for digitalisation. The Scheme will total €2 billion made available via the Recovery and Resilience Facility and will run until mid-2026 with the aim of providing consumers and businesses with the infrastructure needed to participate in the country’s digital transition.

WRC preparation. A call for evidence will soon be launched to establish a common EU position at the 2023 World Radiocommunication Conference. The event, organised by the UN’s International Telecommunication Union to review radio regulations, is due to start next November, with the common position established by early next year. The WRC’s agenda includes 10 items. In November, the Commission and the European Conference of Postal and Telecommunications (CEPT) will hold a public workshop with stakeholders that want to express their views. Based on the supporting documents, the main issues for discussions seem to be the sharing of radio spectrum between mobile and broadcasters in the 470-960mhz, the allocation of the 3, 6 and 7 GHz bands to mobile and satellite authorisations.

A new chapter. The French telecommunications and postal watchdog (Arcep) recommended yesterday to set the minimum delivery charge for books at €3. This proposal follows the law on the book economy adopted at the end of 2021, which aimed at putting an end to the “distortion of competition” between the giant Amazon, which is able to offer free delivery of books, and smaller booksellers. This minimum tariff is now open to consultation until 27 May. After that, Arcep will officially submit its proposal to the government, which should validate it.

Transatlantic ties

Anti-Russian summit. The EU-US Trade and Technology Council summit, that will take place on 16 May, is expected to be heavily focused on Russia, according to a consolidated draft version of the conclusions seen by EURACTIV. In the conclusions, the transatlantic partners emphasize how the TTC provided a platform for collaboration in the light of “Russia’s unlawful military aggression against Ukraine”, especially for what concerns supply chain disruptions, high-risk vendors, information manipulation, export control. The two blocs envisage the setup of a crisis response protocol in the context of the Working Group 5 on data governance and technology platforms.

Read between the lines. The focus on Russia is a deliberate choice to stick to the arguments were both Washington and Brussels can certainly agree on. The Europeans made several attempts to also discuss the DMA, DSA, AI and cloud, but the Americans turned down such invitations. According to a source informed on the matter, the Commission fears that, without the US administration on board with its policy agenda, it will lose its clout as an international standard-setter.

What do you have to show? The bulk of the work of the TTC has been going on behind closed doors at the Working Group level, with mixed results. As predicted, the topics relevant to the war in Ukraine have made some good progress, notably in terms of export control, supply chain cooperation and the fight against disinformation. The progress has been slower in relation to technology standards, AI, and investment screening. A big focus for EU countries is the part on global trade, but there the debate has barely moved as Washington is stuck on anti-Chinese rhetoric whereas the Europeans are asking for more concrete initiatives to prevent trade barriers and distortive practices. Member states also showed interest in cooperation with regard to digital connectivity, notably for 5G and Open RAN equipment. Supply chain resilience for undersea cables and cloud services is also a point where discussions are progressing. A joint statement on the need to keep 5G technologically neutral is under consideration.

Future of the internet. As anticipated by EURACTIV last week, the US, EU and 30 more countries have signed up to a declaration for the future of the internet.

Twin transitions

Raw materials needed. There can be no green or digital transition without the raw materials needed for manufacturing products such as chips and electric vehicles, said internal market commissioner Thierry Breton, adding that a more strategic approach is needed to developing Europe’s capacity in these areas. Breton’s comments came alongside the release of a new report detailing the huge amounts of raw materials that will be required annually if the EU is to meet its 2050 digital and green goals. Read more.


What else we’re reading this week:

Facebook Doesn’t Know What It Does With Your Data, Or Where It Goes: Leaked Document (Vice)

The problems with Elon Musk’s plan to open-source the Twitter algorithm (MIT Technology Review)

NASA’s New AI Will Terrify Putin (Medium)

Daily Facebook users up again after first-ever decline (BBC)


Mathieu Pollet contributed to the reporting.

[Edited by Nathalie Weatherald]

Subscribe to our newsletters