Welcome to EURACTIV’s Digital Brief, your weekly update on all things digital in the EU. You can subscribe to the newsletter here.
“This lead with regulation is dangerous. European tech companies are going to become regulated regional champions. They will not drive global platforms, and that’s where the game is won.”
– Google’s former CEO Eric Schmidt at the annual forum of the Center for European Policy Analysis (CEPA).
Story of the week: The inaugural meeting of the new EU-US Trade and Technology Council (TTC) went ahead in Pittsburgh this week, despite continuing tensions over the disruptive AUKUS submarine deal.
High on the list of priorities for discussion were AI, the global semiconductor shortage, and tech competition. Not everyone went into the meeting or left happy, however.
The gathering took place in the shadow of the recent fracture in France’s relationship with the US. The former was pushed out of a lucrative defence deal which led to calls to strike out references to a second meeting next year.
Some of the TTC’s plans have already fallen short of expectations. The European Digital SME Alliance has warned that the Working Group on SME Digitalisation misses the potential for digital empowerment of SMEs and lacks the inclusive approach needed to fuel development.
Following the summit, business and political actors from the US and EU called again for joint action to curb China’s growing influence on the tech sector. Acknowledging that strategies might differ, particularly regarding the volume of legislation each side sees as acceptable, several figures urged governments on both sides of the Atlantic to look to shared values to check China’s dominance.
Eric Schmidt, the former CEO of Google, raised concerns that the EU digital regulatory agenda might drive the two regions apart, leaving the technological lead firmly in the hands of China.
“It seems to me that the third prize in the competition is you become the regulator. And in my world, first and second are the only positions that matter,” Schmidt said. Read more.
Don’t miss: The European Parliament and Council might be on a collision course over their contrasting views on which core platform services should define “gatekeeper” platforms, according to an internal Council document seen by EURACTIV.
Gatekeepers, a key concept for the operation of the Digital Markets Act, are described in the Commission’s proposal based on financial terms and the number of users accessing “core platform services”.
The Parliament’s draft report splits app stores and online marketplaces, whereas the Council follows the Commission in considering them both under online intermediation services. The EU member states seem to consider search engines a category per se, whereas the IMCO text puts them along with e-commerce platforms.
The Council defines active users for advertising services, something the parliamentary report fails to provide. Conversely, the Parliament defines active users for cloud computing services but only for professional use, whereas the Council’s draft does not mention cloud services. Some significant differences are also present in the way active users are defined. Read more.
Also, this week:
- Council adopts general approach on Data Governance Act
- The Netherlands publishes non-paper on upcoming Data Act
- DSA report approved in the JURI committee
- Russia ready to retaliate over YouTube’s ban of Russia Today
Before we start: After having heard the views of European tech companies on the Digital Markets Act (DMA), we have spoken to Adam Cohen, Google’s director of economic policy, to hear the perspective of what is likely to be labelled as a ‘gatekeeper’. The discussion focuses on the difference between legitimate competition and what constitutes an abuse of market dominance, as well as how to conciliate technological innovation with antitrust regulation.
Fuel to the AI engine. AI and data were the topics of an exchange of views between the Commission, MEPs and a panel with industry and civil society figures this week. The importance of data in training AI was the key takeaway, with Data Strategy rapporteur Miapetra Kumpula-Natri describing it as the fuel to an AI-algorithm engine. She also emphasised the crucial task of ensuring that existing data protection rules, such as the GDPR, applied to AI.
Attacks condemned. In the final stretch before the German elections this week, the EU called for an immediate cessation of malicious cyberattacks by the Russian-linked “Ghostwriter” group. The network has been accused of carrying out recent attacks in several EU countries, including against German policymakers in recent months. Following a request from Poland, also among those targeted, the EU declared the assaults “unacceptable” and a threat to security and democratic functioning. Read more.
Amnesty ambush. Malicious cyber actors have set up a fake Amnesty International website and impersonate the NGO to deliver malware to users. Those behind the scam are using a promise to protect against the Pegasus spyware, which Amnesty recently revealed was being used by governments worldwide to spy on journalists, politicians and members of civil society. Once the user accesses the site and clicks a link, Sarwent malware is installed. The malware is a potential gateway for the operator to directly access the target’s desktop and a means for the immediate exfiltration of data.
Think Before U Click. ENISA, the EU’s cybersecurity agency, has launched its annual month-long cybersecurity awareness campaign. Efforts will centre around promoting up-to-date recommendations on cybersecurity, something which the agency notes has never been more critical than in the increasingly digitised pandemic world. The message of this year’s campaign, “Think Before U Click”, focuses on proactive cybersecurity from the home and reactive steps for anyone who a cyberattack has impacted.
Data & privacy
Ready for trilogue. The COREPER adopted the Data Governance Act on Friday as expected. The differences with the Parliament’s text are not dramatic but still significant. In the list of organisations that cannot be considered data intermediaries, the member states removed the reference to cloud service providers because it was deemed redundant. EU countries also proposed the creation of codes of conduct for data altruism organisations. The Council’s text allows more flexibility for public administrations to share public-held data. The fees and sanctions for violation of the EU law should remain at the discretion of national authorities, the governments say. The first trilogue is planned for 20 October, and parties involved expect an agreement will be found relatively quickly. Read more.
Dutch push on data. The Netherlands is calling for greater access to and use of data by individuals and smaller companies, something it considers to be currently limited to larger entities, according to a non-paper circulated on Friday. In the document, the Dutch government pushes for improvements in data sharing, interoperability and standardisation, and access for the public sector. All measures it says will ensure that everyone can participate in and benefit from the data economy in a secure way. The paper comes as the Commission finalises the text of the proposed Data Act, the publication of which is expected by the end of the year. Read more.
Adequacy approval. This week, the European Data Protection Board (EDPB) issued a non-binding and generally positive opinion on the adequacy of South Korea’s privacy law. The EDPB found the country to be mainly in step with the European data protection framework. This judgement will likely be adopted as a formal adequacy decision by the European Commission. However, some see the caveats on the access by law enforcement authorities as a severe obstacle to the data protection adequacy decision. Read more.
Shield on its way. The negotiations on the Privacy Shield agreement between the United States and the European Union are at a very advanced stage. The most sceptical side of the two, the European Commission is now expecting the agreement to be finalised by the end of the year, EURACTIV has learned. The IAPP and EY have published a survey this week that shows 10% of respondents have chosen to stop data transfer activities since last year’s Schrems II ruling.
GDPR revisited. The European Data Protection Supervisor (EDPS) plans to gather privacy regulation experts at a conference next year to discuss how enforcement of the GDPR might be improved and potentially centralised. GDPR implementation has been a controversial topic since the law’s introduction, with criticism levelled at regulators in some countries, particularly Ireland, over hold-ups and meagre levels of enforcement. Reaction to the initiative has been mixed; while some are keen to see improvements, others argue this is not the moment to consider revisions.
Data security failures. The French data protection commission (CNIL) has issued a series of injunctions against the Ministry of the Interior over charges that it has failed to maintain its digital fingerprint database to an adequate standard. Among criticisms levelled at the Ministry by CNIL were the retention of data for much more extended periods than was authorised under the database’s founding legislation, the keeping of physical copies of what was supposed to be digitised files, and a lack of sufficient security to protect records. Read more.
Listening carefully. Italy’s privacy authority has launched an investigation into the use of data collected via smartphone microphones, covertly picking up snippets of people’s conversations. Among the body’s concerns is that users are unaware that the microphones on their devices may be activated through apps they have downloaded and therefore can register and return content to them based on things they have said.
Cookie control. Facebook has announced changes to its cookie consent controls in Europe, adding a new settings menu to Facebook and Instagram. People will now have a “more granular level of control over their cookie choices”. The shift, says the company, is part of a broader effort to hand people greater control over their privacy and comply with regulations such as the GDPR and the ePrivacy Directive.
Taskforce, assemble. The EDPB will also set up a task force to respond to cookie banner-related complaints submitted by privacy group NOYB to several EEA countries’ supervisory authorities (SAs). The group will coordinate the SAs’ actions by supporting communication, national-level activities, and legal discussions to promote cooperation and share information and best practices.
YT takes on RT. YouTube permanently removed the account of the German branch of Russia Today (RT) this week in response to repeated violations of the platform’s community guidelines on disinformation. This latest move followed an initial suspension for spreading COVID-19 misinformation. RT’s attempts to get around the suspension by creating an additional account led to the company’s decision to place a permanent ban. RT has denied YouTube’s charges, and Moscow described it as an “unprecedented information aggression” against Russia, announcing retaliatory measures against both German media and YouTube. Read more.
Misinformation management. As of Wednesday, YouTube instituted a ban on content that spreads misinformation about any approved vaccine, expanding a policy previously limited to COVID-19 jabs. Under the platform’s previous approach, such material would have been hidden rather than removed. Still, awareness of the effect of generalised vaccine misinformation on the willingness of people to get vaccinated against Coronavirus led the company to reassess, its global head of trust and safety said. The streaming service will also remove several channels run by prominent anti-vaccine activists.
Australia to follow? Australia’s antitrust authorities are aligning themselves with the EU and UK with calls to check Google’s ability to use internet data to sell targeted ads. This week, the country’s watchdog warned in a report that the tech giant dominates the market to the detriment of publishers, advertisers and consumers. This view is shared by international partners. Google and Australia have already butted heads this year, with the company threatening to withdraw its services over a law requiring it to pay media organisations for content that drives traffic to its search engine. Australia has shown its willingness to confront big tech in recent months, taking steps that led to the temporary suspension of Facebook’s news feed to users in the country.
Onwards to IMCO. All amendments to the DSA submitted by the JURI Committee were adopted this week, which rapporteur Geoffroy Didier described as a “first decisive step.” Among the changes proposed were measures requiring platforms to permanently remove illegal content within 30 minutes in the case of live sports or entertainment broadcasts; clarifying terms such as “private messaging service” and “online marketplace”; and adding extensive new provisions for platforms in terms of regulating the sale of products. The report was criticised by EDRi, as the NGO argues that it failed to address the root causes of polarisation, such as the monetisation of harmful content and micro-targeting. The proposal will now move to the IMCO committee, with a vote expected on 8 November.
Influential counterfeits. Amazon’s Counterfeit Crimes Unit has settled with two influencers who used a number of social media platforms to promote and direct users to the fake luxury fashion items they were selling on Amazon’s store and other online marketplaces. The products sold avoided detection by Amazon’s counterfeit measures by appearing to be non-infringing items; Amazon has pledged to donate the influencers’ payments to an organisation that educates young people on the importance of intellectual property rights. The detection of and measures to guard against illegal activity in online marketplaces is one area currently under scrutiny in the EU’s DSA proposal.
Files moving forward. This week, the Parliament’s Committee on Culture and Education (CULT) adopted five digital and media files with widespread support across political groups. The 2022 General Budget, the Situation of Artists and the Cultural Recovery, Europe’s Media in the Digital Decade, and DSA and DMA were all on the table and passed by comfortable margins. The DSA was the online file to receive any outright opposition, with two members voting “no” alongside the 23 of their colleagues who voted “yes” and four who abstained.
STA leader resigns. The head of Slovenia’s STA news agency resigned on Thursday over government efforts to restrict funding to the organisation. STA’s government funding has been on hold since last December, part of what is seen as a broader effort by Janez Janša’s government to clamp down on press freedom. The EU previously called for a resumption in payments, but when these were delivered, it turned out that they only covered funds withheld in 2020. STA turned to crowdfunding this year to keep its doors open. Brussels has expressed “serious concern” over the situation, which STA’s head said was an attempt to “subordinate the agency.”
Ownership oversight. This week saw the launch of the Euromedia Ownership Monitor, an EU-funded tool for collating country-specific data on media ownership, assessing legal frameworks and identifying potential risks to ownership transparency. The instrument is the latest instalment of the Commission’s focus on media freedom and pluralism, as outlined in the 2020 European Democracy Action Plan.
Antitrust appeals. A week-long battle between Google and the European Commission commenced this week at the European Court of Justice, as the tech giant seeks to scrap a 2018 ruling that it abused the dominance of its Android operating system, which came with a hefty and record fine of €4.34bn. The Commission argued that Google sought to consolidate its dominant position in search, citing its “carrot and stick” approach to Android contacts, as outlined in internal company documents. Meanwhile, Google emphasised the benefits of Android and defended its actions as necessary to serve users and developers and to compete with its key rival, Apple. The company said the Commission had overlooked this aspect of the case. The case will conclude on Friday, but Google’s antitrust troubles won’t: in just a few weeks, it will return to Luxembourg to mount a similar challenge to the €2.42 bn antitrust penalty it was hit with in 2017.
Accelerating efforts and hitting the breaks. Facebook is hitting back against the Wall Street Journal’s damaging revelations that the company withheld internal research on how Instagram impacted the mental health of teenage girls. The authors have since published the internal documents detailing the contents of the research, some of which were published by the platform hours after being asked for comment by the journalists. The company’s Global Head of Safety will appear before a US Senate Committee this week. Ahead of the hearing, they are arguing that contrary to the WSJ’s reporting, Instagram helped many girls struggling with mental health issues and that body image was the only area in which the platform was found to have had a negative impact. A study by Panoptykon Foundation released this week found that the algorithms used by the tech giant may exploit the mental vulnerabilities of users by targeting them with disturbing personalised content. Separately, Facebook has also decided to pause its work on “Instagram Kids”, a version of the platform for those under 13, to allow more time for consulting parents, experts and policymakers on its development.
Connection denied? European regulatory eyes are on Apple again, this time concerning whether it has put barriers to the relationship between its own devices, such as the iPhone or iPad, and the wearable tech of other companies. The Commission is reportedly looking into whether the tech giant is making access to its devices, for purposes such as responding to messages or using contactless payments, more challenging to prevent the rise of rivals to its products such as the AppleWatch or AirPods.
Greenlight granted. The UK’s Competition and Markets Authority has cleared Facebook’s acquisition of software company Kustomer Inc. following an investigation into the merger. The CMA scrutinised, in particular, the potential dominance of Business to Customer messaging services that would result from the acquisition but concluded that the acquisition would not give rise to a substantial lessening of competition in any UK market.
Funding research. The Commission has launched a €1.9bn plan for five research missions under the Horizon Europe Programme. The plans will cover key contemporary challenges such as COVID-19 and the climate crisis and will extend over the next decade, acting as vehicles for the delivery of EU policy. Their announcement has been long anticipated, with the first drafts of the missions submitted by researchers in September last year.
Cloud commitments. This week, Microsoft, Amazon, and Google launched a new initiative, Trusted Cloud Principles, in partnership with several other companies. The project is designed to safeguard the rights of organisations and individuals when it comes to the secure use of cloud services in an increasingly digitalised age. Signatories to the principles will be expected to abide by a set of commitments and rights, including a requirement that governments address conflicts of law and support cross-border data flows, that customers have a right to notice, and that cloud providers have a right to protect customers’ interests.
4G/5G race. The Finance Committee of the French Senate has published its report on 4G development in the country. It applauded the progress made in terms of coverage but regretted that French mayors had been excluded from many aspects of the process. This, the committee said, has hampered rollout efforts. While France’s 4G network is improving, it now has to contend with the concurrent extension of 5G, on which the European Commission wants to have reached full capacity by 2030. Read more.
What else we’re reading this week: