Welcome to EURACTIV’s Digital Brief, your weekly update on all things digital in the EU. You can subscribe to the newsletter here.
“The European Health Data Space is a health-specific data environment which comprises rules, common standards and practices, infrastructures and a governance framework for the use and reuse of electronic health data.
-Leaked communication introducing the European Health Data Space
Story of the week: EURACTIV got hold of a leaked draft of the European Commission’s proposal for a European Health Data Space, the first sectoral regulation that will build on the Data Governance Act and Data Act. The proposal is very articulated and includes a new governance framework for health data with cross-border interoperability requirements and a pan-European infrastructure. The data space is at the centre of the EU executive’s attempt to reshape the bloc’s healthcare operations in the post-COVID age.
Patients will have full control over their ‘primary use’ data, the one generated directly for medical reasons such as laboratory results and electronic prescriptions. Individuals will have the right to access their data, share or deny access to third parties. Cross-border access to medical records will be ensured via the European Digital Identity Framework. Interoperability will be ensured via harmonised standards or technical specifications and a pan-European infrastructure.
The data space will also enable the ‘secondary use’, in other words, allowing the re-use of medical data for activities such as research, policymaking, algorithm training and education. Activities such as commercial advertising, setting insurance premiums and re-selling data are explicitly forbidden. The Electronic Health Record (EHR) systems, the services to manage and store health data, will have to fulfil a set of binding requirements notably in terms of security and interoperability. The governance will be managed via European Digital and Health Data Board, to ensure cooperation between the competent authorities. Read more.
Don’t miss: Russia looks to be seeking to tighten its control over the internet through measures marketed as steps to bolster the country’s cyber defences. According to an internal government document reported by several media outlets, organisations are being encouraged to follow “a set of simple cyber hygiene recommendations” such as moving public resources under the Russian .ru domain. Some observers have interpreted the move as an attempt to escalate the country’s self-isolation from the global internet, but whether or not Russia has the capacity to do this securely remains to be seen. Overall, the initiative might be more about sending a message than anything else, internet expert Konstantinos Komaitis told EURACTIV. Read more.
Also this week:
- The French Presidency continues its rush to close the DMA
- Pressure grows for the EU to include Russian platform Yandex in the list of sanctions
- EU countries asked Big Tech to cover the Easter flank with appropriate fact-checking
- The Commission and UK’s competition authority opened parallel investigations on an alleged Google-Facebook
- Ukraine’s cyber army might have a counter-productive effect in the long run, expert says
- Russia opens criminal investigation on Meta, blocks Instagram and WhatsApp, over a change of policy allowing incitement of violence against Russia
Before we start: France, the country currently at the helm of the EU Council, is heading towards crucial elections next month. We discuss with EURACTIV France reporter Mathieu Pollet the role digital issues play in the presidential campaign, the impact of the Ukrainian conflict, and any potential changes in the handling of EU files after digital minister Cedric O announced he was stepping down.
Sandboxes revised. The French presidency has published yet another compromise text this week pursuing its bid to reach a general approach by the end of June. The articles concerned are those on regulatory sandboxes, clarifying the common conditions and potential cooperation across member states. A list of objectives has been included notably to foster innovation, accelerate the market uptake of AI systems, ensure legal certainty and contribute to the development of harmonised standards. Some practical aspects such as eligibility costs, conditions for participating have been further defined. The legal basis for processing personal data in the context of sandboxes for reasons of public interest was expanded to also include improving disease prevention and ensuring higher efficiency of the public administration. New measures include support for SMEs and start-ups, whereas microenterprises have been exempted from the obligations in article 17.
JURI draft report. The official draft of the JURI report was published this week. It includes a much more precise definition of high-risk systems as posing a risk of harm to health, safety and fundamental rights. There seems to be some consistency with the text from the French presidency, notably in terms of obligations for importers. In terms of enforcement, a system similar to the GDPR’s EDPB but the non-leading authorities will be able to have a more active role if they disagree with the leading one. For what concerns GDPR compliance, the users will not have to explain how the system reached a specific result but only provide the information received from the provider. Voluntary codes of conduct have also been introduced for what regards trustworthy AI. Fines have been reduced, and gross negligence will need to be proven.
Blue Jedi under scrutiny. The EU and UK have launched parallel competition investigations into a deal struck between Google and Meta over the bidding process for ad space. The agreement, already the subject of a lawsuit in the US, allegedly saw Meta agree to use Google’s Open Bidding programme, which the company saw as threatened by publishers’ use of the more lucrative header bidding method of auctioning off ad space. According to the lawsuit in Texas, the agreement was found at the highest level between the two advertising giants. If proven, the deal would have caused serious harm to rivals in the ad tech market, enabling the tech companies to further restrict competition in a highly concentrated market. Read more.
Another one to pass the test. The EU appears set to grant unconditional approval of Amazon’s $8.5bn purchase of MGM studios following its antitrust appraisal, Reuters reports. The deal would bolster Amazon’s streaming services, upping competition for rivals such as Netflix. The Commission is scheduled to formally announce its decision by 15 March; the US Federal Trade Commission is reportedly working to a similar deadline.
Ukraine’s IT army. There has been an upsurge in cyber-activism since the invasion of Ukraine, with groups such as Anonymous launching attacks on Russia and the Ukrainian Digital Minister declaring the formation of an “IT army” to wage cyberwar. However, the efficacy of these efforts is in doubt since the attacks are relatively low-level. Moreover, the open collaborative nature of the group behind them means that Russian authorities are very likely aware of their arrival in advance. While the cyber-army has been able to take down a number of sites belonging to Russian companies and the government, experts warn that they could have an unforeseen negative impact in the long-term by making Russia aware of where the weaknesses in its infrastructure lie and therefore allowing for its defences to be strengthened. Read more.
More funding for cybersecurity. European governments are seeking to bolster EU funding for national cybersecurity efforts, according to a declaration adopted at an informal meeting of telecoms ministers this week and anticipated by EURACTIV. The joint statements include a call for the Commission to set up an emergency fund to respond to large scale cyber-attacks, noting the increased volume in cyberattacks seen in the lead up to Russia’s invasion of Ukraine. The Commission, ENISA and European telecom regulators have been called to make an assessment on how to enhance the resilience of Europe’s digital infrastructure. Read more.
Data & privacy
One more against Clearview. Italy’s data protection watchdog has fined Clearview AI €20 million after the controversial facial recognition company was found to have breached the GDPR through the illegal processing of Italians’ biometric and geolocation data. The firm, which sells its software to law enforcement agencies, has been banned from processing Italians’ facial biometrics in the future and ordered to delete any data it holds on them. Clearview, the watchdog concluded, violated its transparency obligations under the GDPR and used data for purposes other than those they were intended, amongst other things, constituting overall a violation of “the freedoms of the data subjects, including the protection of confidentiality and the right not to be discriminated against.” Similar decisions were reached by regulators in France and UK.
Belgium joins the queue. The Belgian parliamentary body in charge of monitoring police activity found the use of Clearview AI for law enforcement unlawful. The Belgian police, which already used the database 78 times, will have to delete the submitted pictures and has been warned not to use similar technology again in the future.
EU-Big Tech collaboration. Telecoms ministers have urged digital platforms to review and strengthen their anti-disinformation capacity in Central Eastern Europe in response to concerns over the threat of Russian hybrid warfare directed at the region. At a meeting in France this week, EU governments met with representatives from major online platforms stressing that all EU languages should be properly covered and that the platforms should be more reactive in responding to government requests. While officials called for tech companies to bolster their efforts to combat disinformation, the companies appealed for a clearer regulatory framework to guide their actions in such situations – something which the DSA, not yet in action, is set to address. Read more.
Long in the making. Russia has for years been laying the groundwork for the disinformation currently seen playing out in relation to the war in Ukraine, EU lawmakers said this week in a parliamentary debate on a report on foreign interference. State-backed outlets such as RT and Sputnik had been preparing for the assault by providing an alternative narrative as to its cause, said EU foreign policy chief Josep Borrell, adding that a new mechanism for sanctioning actors found to be spreading malign information would be brought forward in response, including measures to strengthen media and civil society in third countries. Read more.
Digital Markets Act
Rush to the end. The French presidency has set up five Working Party meetings in the Council with a view to obtaining an updated mandate at the COREPER on 23 March, according to an internal document seen by EURACTIV. That is, just ahead of the next political trilogue on 24 March, the one that in the internal agenda is marked as ‘possible agreement’. The presidency has been making some significant progress this week, but it is still possible that one more trilogue might be needed on 5 April. Here are the main takeaways from this week, and potential stumbling blocks.
Governance. On Monday, the governance was discussed and the presidency’s proposal seems rather close to the initial mandate except for the inclusion of the high-level expert group, although with reduced competences. A key point around the group will be the level of transparency in its working method, a strong request from MEPs. For what concerns the cooperation mechanism, national authorities would still send their draft decision to the Commission but the majority of countries do not want the EU executive to have the power to veto national probes. It is still not clear how important this point might be for the Parliament. In terms of countries that might request the Commission to open an investigation, the lawmakers insist they want two, while the member states ask for three. A solution might be to use different thresholds based on the type of investigation. On fines, the Parliament proposed as a compromise to have the maximum at 10% and the minimum at 4%. However, many countries oppose the 4% minimum as they consider it disproportionate and believe a case by case assessment should be followed. For killer acquisitions, the Commission has stressed it should have full discretion for using such provisions.
Obligations. The French presidency got more room to negotiate on the obligations except at the Working Party meeting on Thursday, but on two crucial points, the Council’s position remains very sceptical. Interoperability is probably the most controversial part right now as many countries oppose having it even for messaging services because they fear it could be completely counterproductive. For critics, if only the gatekeeper service is interoperable with all the others, it would have competitive advantage respect other services, echoing an argument made in a Commission paper last week. EU countries are also resisting extending FRAND requirements from the app store to all core platform services. By contrast, most of the obligations that MEPs moved from Art. 6 to Art. 5 look like they will stay that way. The Parliament’s position on data-crossing seems more likely to be taken on board, as an indirect way to limit targeted ads. In terms of the ban on targeting minors, although in principle there is some support for it in the Council, member states stress that the DSA would be the right place for it to apply it to all platforms. However, the fact that the DSA is so far behind does not help reach such a package agreement.
Chips fallout. The war in Ukraine could cause disruption to the EU’s ambitions to increase its semiconductor production as many crucial components of chip manufacturing originate in Russia. The immediate impact on the EU industry might not be significant, experts have said, but in the long term, the crisis could temper the EU’s ambitions and the trajectory of growth that the industry is striving for. Read more.
Societal challenge. Tackling the gender gap in digital industries is “a major societal task”, the CEO of Infineon Technologies told EURACTIV this week. Diversity brings many benefits, said Sabine Herlitschka, and many organisations have understood this and are increasing their efforts to address the issue. However, she added, more action is needed, from early education to supporting women in later professional development. Read more.
Russia’s minister of truth. The Kremlin introduced a new law criminalising the spread of “false information” about the war in Ukraine last week, threatening up to 15 years in prison for anyone found to be disseminating it. Among the offences covered by the law is describing the conflict as a “war”. A number of major international outlets, including CNN, the New York Times and Bloomberg, withdrew their journalists from Russia following the passage of the law, and many independent Russian journalists also departed, further narrowing the country’s already constricted media landscape. Read more.
War crime against the media. Reporters Without Borders (RSF) this week filed a complaint with the International Criminal Court over Russian airstrikes on a number of TV and radio towers in Ukraine, which the media watchdog says constitute war crimes. At least 32 TV channels and several dozen radio stations have been affected by the attacks, RSF says. The targeting of these facilities, as well as the cutting of signals in several cities under Russian control, shows a deliberate effort by Russian forces to restrict the flow of information in Ukraine, RSF says. Strikes have targeted this infrastructure around the country, including in Kyiv, where an attack on the city’s TV tower killed five people, including a journalist.
Pressure over Yandex. A group of Spanish MEPs are preparing to ask the Commission why Yandex, Russia’s largest tech company, has so far escaped EU sanctions. Yandex has been noted as having worked in collaboration with the Kremlin to arrest dissidents in the past, and it currently offers ride-hailing services in a number of EU countries, though its licence has been revoked in others. Baltic states are also planning to request the Russian tech company be included in the list of sanctioned companies, although the proposal is not on the table yet. A few days after the Russian aggression on Ukraine, a former Yandex executive pointed the finger at the platform’s replicating the Kremlin’s propaganda, urging his former colleague to intervene or quit. Read more.
Violence against Russia is ok. Russia on Friday launched a criminal case against Meta after the company instituted a temporary change to its hate speech policy allowing for calls for violence against Russians in the context of the war in Ukraine. The policy change, only applicable in certain countries, also allows the praise of the far-right Azov battalion and threats against Vladimir Putin and Belarus’ President Alexander Lukashenko. In response, Russia is seeking to have Meta designated an “extremist organisation” and to ban all its activities in the country, a move that would primarily impact Instagram and WhatsApp, as the government has already blocked Facebook. Read more.
Geo-blocking porn. France’s audiovisual regulator has launched a suit to block five pornographic websites for failing to heed a requirement that their content be inaccessible to minors. The sites were all put on notice in December that they needed to ensure access was restricted but were found to have failed to comply. If the Paris judicial court rules in the regulator’s favour, the sites will no longer be available in France. Exactly how to verify the age of users and to block minors from accessing the content has been a subject of discussion, with France’s data watchdog warning that platforms must also be careful not to breach data protection laws when implementing age verification systems. Read more.
TikTok breaks ranks. TikTok announced this week that it would limit its services in Russia in response to a new law criminalising the spread of “false information” about the invasion of Ukraine, with a penalty of up to 15 years in prison. Users in Russia will no longer be able to livestream, post or view new content, a move the company said was to protect the safety of staff and users. Many international companies have withdrawn their services from Russia over the invasion, but China has so far refused to condemn the Kremlin’s actions or join sanctions against it. TikTok, owned by Beijing-based Byte Dance, is one of the first Chinese companies to restrict its offering in Russia since the invasion of Ukraine. Read more.
Right to repair lobbying. EU lawmakers are preparing a motion on the Commission’s right to repair proposal, which it pledged to put forward later this year. Anna Cavazzini, chair of the IMCO committee, told EURACTIV this week that MEPs want to influence the upcoming proposal and related legislation that taken together would provide a right to repair. The draft report focuses on the areas of modular design, planned obsolescence, availability of spare parts and consumer information. Read more.
What else we’re reading this week:
China’s tech platforms become propaganda tools in Putin’s war (FT)
TikTok nears Oracle deal in bid to allay U.S. data concerns-sources (Reuters)
Crypto platform blocks thousands of Russia-linked wallets (BBC)