Digital Brief: Google’s new cookies policy, CJEU slams data retention in Ireland, France

The Digital Brief is EURACTIV's weekly tech newsletter.

Welcome to EURACTIV’s Digital Brief, your weekly update on all things digital in the EU. You can subscribe to the newsletter here


“Narratives borrowed from the Kremlin’s playbook [have] resurfaced in Chinese state-controlled channels”



Story of the week: Google is about to conduct a major u-turn in its cookies policy and plans to introduce a “reject all” button on cookie banners. The internet giant has faced major backlash in recent years for making it too complicated for users to reject cookies and to lure them into consenting to them.

However, the announcement didn’t come from Google itself. Instead, it was the Commissioner for Data Protection of the German state of Hamburg who dropped the news during his presentation of his data protection report. According to him, Google promised to introduce the “reject all” button “step by step in the European Union, Switzerland and the UK.” He stated that Google already submitted a written commitment to make the button available soon.

The move comes after the Hamburg Data Protection Authority asked Google last week to revise its cookie banner policy, arguing that it does not live up to EU data protection requirements.

Other data protection authorities have already taken more severe steps – most notably, the French CNIL, which fined Google €150 million over its use of cookies.

While data activists have long lobbied for such a step, Google’s policy change does not come without a grain of salt, as the new measure will likely only have an effect in the interim period before Google introduces its new tracking technology.

Google has already announced that it is planning to face out cookies from third-party providers altogether by 2023 and plans to rely on in-house tracking technology Topics API in the future. Read more.


Don’t miss: A ruling by the EU Court of Justice this week sought to remind Ireland and France of their obligations concerning the use of connection data, which includes for example IP addresses. The court ruled that member states cannot indiscriminately retain traffic and location data as a preventative measure, even where it is used to combat serious crime.

In Ireland, the Court was ruling on a case in which a man was convicted of murder based on his mobile data, a judgement which was ruled to have violated EU law. While the court did not address France directly, experts say that it conveys a clear message to Paris, whose data retention laws, that aim at fighting terrorism, have already come under scrutiny. According to digital lawyers, the country is “far from ticking all the boxes” listed by the CJEU, which include the definition of purposes, the seriousness of offences and the modulation of effects over time, and will not be able to avoid a reform of its system. Read more.


Also this week: 

  • French Presidency pitches changes to law enforcement provisions in the AI Act
  • German investigators have shut down the servers of Hydra Market, considered to be the biggest marketplace in the darknet
  • MEPs boost measures on targeted ads in new compromise proposal of the DSA


Before we start: China has sought to position itself as neutral in relation to the war in Ukraine, but recent analysis by EUvsDisinfo notes substantial alignment with the Kremlin when it comes to the messaging being shared by the country’s state-backed media. This week’s podcast looks more closely at this alignment: the common narratives, how they’re being shared and where the two countries diverge.

Disinformation and war narratives in China and Russia

China has sought to position itself as neutral in relation to the war in Ukraine but recent analysis by EUvsDisinfo notes substantial alignment with the Kremlin when it comes to the messaging being shared by the country’s state-backed media. This …

Artificial Intelligence

Another compromise. The French presidency has circulated a new compromise text on the AI Act in the past week, covering the use of the tech by law enforcement. The text was discussed in a meeting with justice and home affairs representatives on Thursday, with the presidency aiming for the adoption of a general approach by the Telecom Council on 3 June. Included in its provisions are measures on biometrics, transparency obligations and an EU database for high-risk AI systems. Read more. 

Twin transition. Sustainability must be integrated into digital technologies in order to combat, rather than accelerate, climate change, a UN Environment Programme official has said. AI can offer a number of opportunities to combat the climate crisis, but without sufficient attention to the environmental impact of these tools, they may have unintended consequences. To achieve the goals of the twin transition, therefore, officials say, the green and digital transformations must be fully combined. Read more.

Emotion recognition. Hungary’s data protection authority has issued a record penalty in response to an unidentified bank’s use of an AI speech recognition and evaluation system to determine customers’ mood. The system was used to prevent complaints and with the aim of retaining customers, but the watchdog ruled that this analysis of emotional state constituted multiple violations of the GDPR. 

Green light for fundamental rights. The Dutch parliament has adopted a motion to give the government a mandate to implement mandatory fundamental rights impact assessments on high-risk AI applications. Proposed by the Greens, the initiative passed with broad support and will be incorporated via national-level legislation if not included in the EU’s upcoming AI Act. 


You shall pay. Google will indeed have to pay the fine of €150 million imposed by the French competition authority in December 2019, after the decision was confirmed on appeal Thursday. The French watchdog had blamed the company for the operating rules of its advertising platform Google Ads, which were “opaque and difficult to understand” and applied “unfairly and randomly”. “This will set a very important precedent for the effective competition in digital platforms; recognition of the dominant position, and characterization of an exploitative abuse,” said the president of the competition authority at the time, Isabelle de Silva, on Twitter.


Trans-Atlantic talks. Commissioner for the Internal Market, Thierry Breton, visited Washington D.C. this week for a number of meetings on cybersecurity and the upcoming European Chips Act. The EU last month committed to advancing cooperation with the US on cybersecurity issues, particularly in the context of the war in Ukraine. Breton also met with US counterparts to discuss the pandemic, in his capacity as leader of the EU Task Force for Industrial Scale-Up of COVID-19 Vaccines. 

Data & privacy

Data delays. The German Data Protection Authority has criticised the government for delaying the implementation of the EU’s data protection directive in a new report presented to the Bundestag this week. The report singled out justice and home affairs in particular as areas in which the law’s implementation was lagging and follows a previous trend of slow enforcement of EU-level data protection rules. Read more. 

Data Act moves forwards. A timeline is emerging for the progress of the EU’s Data Act, as member states continue to finalise their positions. The legislation’s first reading is reportedly moving fast, with initially positive reactions. With workshops being pushed for at the end of this month or beginning of May, France is aiming for a compromise on the legislation by the end of the country’s Council presidency. 

Agreement in principle. A new Trans-Atlantic Data Privacy Framework has been agreed in principle by the EU and US. The US has committed to establishing “unprecedented” privacy and protection measures for the data of users in the EEA, a move described by the European Data Protection Board (EDPB) as “a positive first step in the right direction”. The framework has not been finalised yet, meaning that data transfers via the US are still prohibited under the 2020 Schrems II ruling, but the announcement signals a shift towards agreement.

Independence at risk? The EDPB also raised concerns this week over the implications of a law approved by the Belgian Council of Ministers in January for the country’s data protection authority. The legislation is set to reform the 2017 law that established the watchdog, altering its governance, structure and staff. In particular, the EDPB says it’s concerned over the impact the changes may have on the authority’s independent functioning.

Digital Currencies

Darknet raided. German investigators have shut down the servers of Hydra Market, the Russian language darknet marketplace. The platform, which is said to have the world’s highest darknet turnover, has around 17 million customers and its 2020 sales were estimated to amount to at least €1.23 billion. German authorities announced on Tuesday that they had seized Hydra and the criminal content of its market, including cryptocurrencies valued at approximately €23 million, as part of an international coordinated law enforcement operation. Read more.

Crypto harassment. EU lawmakers have been receiving unprecedented levels of online harassment as they seek to regulate the crypto industry. Two female MEPs spoke to EURACTIV this week about the racist and sexist abuse and threats they’ve been subject to as a result of recent discussions in the Parliament about adapting anti-money laundering rules to make it more difficult for cryptocurrencies to be used as a loophole. Read more.

Euro views wanted. The Commission has launched a targeted consultation on the digital euro, an initiative which it says could foster cross-border solutions for payments and a system of instant payments as well as strengthen the EU’s strategic autonomy. The Commission and European Central Bank are currently jointly examining the political, legal and technical aspects of its establishment, but stakeholders can now submit their views for the next 10 weeks.


Common narratives. Despite seeking to position itself as neutral when it comes to the war in Ukraine, China has been aligning itself with Kremlin narratives and amplifying Russian disinformation about the conflict, the European External Action Service’s disinformation analysis project says. Central to this are the content-sharing agreements that have existed between Russian and Chinese state media outlets for a number of years and have led to what one analyst described to EURACTIV as the “copy-pasting” of Russian media material. Read more. 

Digital Services Act

Targeted ads under scrutiny. MEPs are working on a new proposal to include a ban on the targeting of minors and the processing of sensitive personal data in the DSA. Unsatisfied with previous agreements reached in trilogues, lawmakers have drafted a new proposal which would see the targeting of ads at minors and advertising on the basis of information about categories such as race, sexual orientation or religion prohibited. Read more. 

Compliance costs. The DSA is set to include a yearly fee of up to 0.1% of annual net income for major online platforms to cover the costs incurred via monitoring their compliance with the legislation. Competition Commissioner Margrethe Vestager said last month that the fee could raise between €20 million and €30 million per year, according to Reuters, and is expected to be approved at the next round of negotiations.

KYBC. Extending the scope of the DSA’s Know Your Business Customer principle will continue to be considered at a technical level, but is less likely to become to focus of a political trilogue and is reportedly unlikely to become a priority in discussions. The French presidency has said it supports an expansion in principle, but has not been pushing for it in practice, meaning a broader shift will likely need to be instigated from the top.


Journalism schemes launched. The European Parliament has announced two new programmes for journalists to be piloted later this year in a number of member states. The first, which is set to be named after the Parliament’s late President David Sassoli, who died in January and who worked as a journalist for three decades, will be a year-long programme in which participants will gain experience reporting in EU-based outlets. The second will consist of training sessions for young journalists on national and EU level knowledge and media. 


€19 million short. Corint Media has launched legal action against Microsoft over its press content use, after reports that the platform offered €700,000 remuneration for the use of content in 2022, far short of the €20 million Corint requested. The case is being made in line with the EU’s Copyright Directive, which affords press publishers the right to fair financial remuneration for the licensing of their content and has been at the centre of a number of contentious publisher-platform disputes across Europe in recent years. Read more. 

Hashtags restricted. Meta briefly blocked hashtags to do with the killings discovered in Bucha, Ukraine this week. A company spokesperson confirmed that automated systems had restricted the use of the hashtags due to the graphic content being posted under them, but said that the limit was removed once discovered. Read more. 

Online guidance. The Council of Europe has issued a recommendation establishing a set of principles aimed at ensuring the fairness and legitimacy of electoral processes created by new digital political communication techniques. The guidelines, according to the Council, were created in light of the growing prevalence of online electoral campaigning and cover issues including disinformation and the potential abusive use of microtargeting, personal data, bots and algorithms. 

Third time could be the charm. TikTok has delayed the launch of its first EU data centre for another year. Plans have been in place to store EU, EEA and UK users’ data within the EU for a number of years, and the centre was supposed to open its doors in Dublin in early 2022, before being delayed until later this year. Now, the launch has been again pushed back until 2023, until which point user data will remain in Singapore or the US, where it is currently stored.


Starlinked no more. France’s highest administrative court has overturned a 2021 ruling by the country’s electronic communications regulator (ARCEP), which had handed Starlink, SpaceX’s satellite internet constellation, frequency authorisations to provide high-speed connections throughout France. The court ruled that the ARCEP had failed to do its due diligence by granting the authorisations without public consultation, despite the technology’s “significant market impact”, thereby stripping Starlink of the frequencies. Read more.

Standardise the standardisation. With its standardisation strategy, presented earlier this year, the Commission is looking to prevent European companies from lagging behind but there’s a risk that it will lead to the fragmentation and regionalisation of international standards. The open nature of standard-setting bodies’ membership means that companies with more resources can send higher numbers to join them and influence their action, a dynamic that risks under-representation of European representatives in comparison to counterparts from wealthier American and Asian companies. Read more. 

Merger concerns. Vodafone will reportedly soon announce a merger with UK operator Three, a move that has raised concerns over user costs. The merger will reduce the number of major mobile network operators in the UK from four to three and, while the networks says it will increase investment, others have warned that it could raise monthly costs for users in the UK by between £5 and £25 in the midst of a cost of living crisis. 

Satellite sanctions. A petition published this week is calling on the EU and the European Telecoms Satellite Organisation (Eutelsat) to introduce sanctions on two major Russian pay-TV platforms after they excluded the foreign news channels they’d previously hosted in response to Kremlin restrictions linked to reporting on the war in Ukraine. The petition, the initial signatories to which include the chair, deputy chair and other members of Ukraine’s National Council of TV and Radio Broadcasting and the former executive director of the European Audiovisual Observatory, says it is “paradoxical and inadmissible that European satellites are used for the sole broadcasting of Russian channels, which only propagate the official state propaganda of the Kremlin”. 


What else we’re reading this week:

Europe Is Building a Huge International Facial Recognition System (Wired)

How to Unionize at Amazon (The New Yorker)


[Edited by Nathalie Weatherald]

Subscribe to our newsletters