Digital Brief, powered by Facebook: Europol’s decryption platform, Bundeskartellamt Vs Facebook, Section 230

Welcome to EURACTIV’s Digital Brief, your weekly update on all things digital in the EU. You can subscribe to the newsletter here


“The Irish data protection authority generally closes most cases with a settlement instead of a sanction.”

– European Parliament resolution on the Commission’s GDPR evaluation.



Story of the week: EU lawmakers have said that “a lack of political will and resources” had resulted in a laggard approach to enforcement of the EU’s general data protection regulation (GDPR), singling out in particular the lack of sanctions dished out by the Irish data protection authority. Read more below.

Podcast: This week, we take a look at the latest hearing of Big Tech’s Zuckerberg, Pichai, and Dorsey in Thursday’s Energy and Commerce committee session, and the different opinions at play with regards to the infamous Section 230 of the US Communications Decency Act.


Also this week: Europol’s decryption platform, Bundeskartellamt Vs Facebook sent to ECJ, DMA divisions in Parliament,  Portugal rebuts Vestager’s claims on ePrivacy regulation, MEPs rue lack of sanctions issued by Irish DPC, APT31 accused of cyber attack on Finnish parliament, Big Tech at odds over Section 230, Online marketplace tax clampdown, Italian Press Publishers in Google win, and more…


What next for Section 230?

In a resolution on the Commission’s GDPR resolution adopted on Thursday (25 March) by 483 votes to 96 and 108 abstentions, MEPs were “particularly concerned that the Irish data protection authority generally closes most cases with a settlement instead of a sanction,” and that certain cases dating back to 2018 “have not even reached the stage of a draft decision.”

Ireland’s Data Protection Commission (DPC) declined to respond immediately to the resolution.

To date, the Irish DPC has issued six fines for GDPR breaches. These include three against Tusla, the country’s Child and Family Agency, a €65,000 penalty issued against Cork University Maternity Hospital, a €70,000 fine for University College Dublin, and, in the first fine for a cross-border case, a €450,000 charged levied against Twitter for falling short of data breach notification obligations.

In 2020, the authority disclosed that 4,660 complaints had been received under the GDPR, but that at the close of the year it only had 83 statutory inquiries on hand, which comprised 56 domestic inquiries and 27 cross-border probes. Read more here.


A message from FACEBOOK:

Facebook partnerships to fight against COVID-19

Working together is more important than ever in the fight against COVID-19. In Spain, the World Bank is using Facebook’s Disease Prevention Maps to forecast needs for COVID-19 testing and hospital beds. Learn more about how we’re collaborating to keep communities safe and informed at


Portugal rebuts Vestager’s claims on ePrivacy regulation. The Portuguese presidency of the EU has rebutted claims from the European Commission’s Executive Vice-President for Digital, Margrethe Vestager, that Portugal’s proposed text for the ePrivacy regulation poses a risk to EU data protection standards as outlined in the General Data Protection Regulation (GDPR).

Vestager said recently that the EU executive has “reservations about the Council agreement”, due to her reading that it “is not fully in line with the General Data Protection Regulation.” Read more.

Europol’s decryption platform. The European Commission has issued assurances to MEPs that Europol’s new decryption platform will not be used to abuse data protection standards and will maintain closely guarded access rights over the data retrieved.

However, some MEPs remain unconvinced that the operation of Europol’s technology will be completely free from abuse, particularly in countries where the rule of law and the independence of the judiciary has been called into question. Read more.

Europol’s Big Data concerns. Dutch Senate committees have serious questions for the Commission regarding Europol’s’s bid to take advantage of Big Data, noting surveillance concerns and risks to encryption. A letter was penned to the EU Home Affairs Commissioner in early March with these concerns. See here.

ePrivacy derogation latest. Trilogue negotiations have continued this week on the hotly debated ePrivacy derogation to allow platforms to continue to detect child sexual abuse material. A source close to the talks informed EURACTIV that Parliament has had to capitulate on a number of key points, including allowing for the storing of communications content and metadata for a period of 12 months as well as ceding on the obligation for data protection authorities to give prior authorization for scanning content.

Tough lobbying for new rules. As tough inter-institutional negotiations continue in Brussels, Maud de Boer Buquicchio, former UN Special Rapporteur on the sale and sexual exploitation of children, and current president of Missing Children Europe, says the EU must continue to allow companies to detect and report child sexual abuse online – both known and new images – as well as instances of grooming.

Data strategy report approved. MEPs endorsed on Thursday a report on the EU’s data strategy, led by S&D MEP Miapetra Kumpula-Natri, by 602 votes to 8 and 78 abstentions. The text sought to highlight the importance of the free flow of data for industrial purposes, in order to help Europe remain more competitive in the area.

“Europe needs decentralised and interoperable data sharing society and economy that allows all players – big or small – to be a part of and gain benefit from European data ecosystems,” Kumpula-Natri said after the vote.

Privacy shield talks ‘intensify’. The US administration and the European Commission have decided to intensify negotiations on an enhanced EU-US Privacy Shield framework, in order to comply with the July 2020 judgment of the Court of Justice of the European Union in the Schrems II case, a joint statement on Thursday read.

Estonia’s digital vaccine certificate. Kalle Killar, undersecretary for E-Health and Innovation at Estonia’s Ministry of Social Affairs, stressed earlier this week that privacy and security should be ensured in order to gain trust from citizens in plans to roll out vaccine certificates across the EU.

Speaking as part of Estonia’s e-Governance Academy online event this week, Killar said that vaccine certificates “give a perfect opportunity to take digitalisation in healthcare forward. We must aim higher, as this sense of urgency opens up a lot more opportunities for cross-border data exchange,” he stressed, adding that Estonia is going to have a digital vaccine certificate ready in April.

French association files case against government for ‘favouring’ anti-COVID app. French association Anticor has filed a complaint against the government before the court established to try ministerial misconduct cases, blaming it for not having submitted the management of the application through a call for tenders, an obligatory procedure for public supply and service contracts exceeding €139,000.

Since the cost of running the application is being estimated at €200,000 to €300,000 per month, the association believes competitive tendering was mandatory to “guarantee transparency (…) in the use of public money”. The government’s failure in this matter would have an “impact on democratic life but also on public accounts”, the association added.


Digital Markets Act / Digital Services Act

Lead committee divisions on DMA continue. Negotiations between committee chairs of Parliament’s Internal Market and Economy committees are ongoing for lead competence over the Digital Markets Act.

The Internal Market committee argues that because the legal basis of the text is Article 114 of the treaty, it should be regarded as a harmonisation instrument and therefore fall under their committee’s remit. On the other hand, the Economy committee believes that due to the competition element of the file, it should fall under their purview.

As part of a Conference of Committee Chairs (CCC) meeting this week, no final decision was made but EURACTIV understands that a recommendation from CCC Chair Antonio Tajani will be forwarded on to Parliament’s Conference of Presidents soon. One source close to the talks informed EURACTIV that a solution could be found “in the coming days.”

Breton’s ‘myth-busting’ bonanza. Even though the EU’s internal market chief has been busy with vaccines this week, he hasn’t taken his eye off the ball with regards to the Digital Services Act and the Digital Markets Act. The Frenchman has embarked on a Digital Markets Act ‘myth busting’ series. The first one was published this week and appeared to be aimed at the platform lobby and certain claims that the DMA stifles innovation.

DMA to capture more platforms than UK approach? Mike Walker, chief economic adviser at UK competition authority, became the latest to draw the differences between the UK and the EU’s efforts in the field of digital competitiveness. Speaking recently, he said that “relatively few firms” will have “significant market status” under UK’s digital market plans, and added that the EU’s Digital Markets Act ‘will capture more platforms.’



Bundeskartellamt Vs Facebook sent to ECJ. The European Court of Justice has been asked to clarify whether Germany’s competition authority was right to order Facebook to halt its data collection practices, due to concerns over alleged abuse of its dominant market position and violations of EU data protection law.

UK CMA takes Norton to court. The UK’s competition authority announced this week that it is taking anti-virus software firm Norton to court after it refused to provide certain information for an investigation into auto-renewing contracts.

“It is completely unacceptable that a leading anti-virus software firm has refused to supply all the information we asked for, which is why we’re taking the firm to court,” Andrea Coscelli, CMA chief executive, said.

“Our unprecedented decision in this case reflects the serious impact of Norton’s refusal, which is delaying a CMA investigation intended to protect UK consumers.”

Facebook-Giphy under microscope of UK CMA. It’s been a busy week for the UK competition authority, which also found that Facebook’s completed acquisition of Giphy raises competition concerns in relation to digital advertising and the supply of GIFs. Facebook is now required to respond to the findings and offer legally binding proposals to the CMA to address the competition concerns identified. Should they fail to do so, the CMA may escalate the probe to a level 2 investigation.



TERREG letter to MEPs. With the proposed regulation on online terrorist content heading for a plenary vote in April, a contingent of civil society groups have called upon MEPs to reject the plan “as it poses serious threats to freedom of expression and opinion, freedom to access information, the right to privacy, and the rule of law.”

Big Tech at odds over Section 230. As part of a congressional hearing on disinformation and online extremism on Thursday, the heads of Facebook, Google and Twitter tried to bat away accusations that they played a heavy part in the January uprising on Capitol Hill. Moreover, Facebook’s Mark Zuckerberg took the opportunity to rally his support for reform to Section 230 of the Communications Decency Act, which provides immunity for platforms from third-party content hosted online. “My primary goal would be to help update section 230 to reflect the modern reality and what we’ve learned over 25 years,” he said.

Zuckerberg pitched revisions in the field of transparency – obliging platforms with reporting responsibilities for harmful content, as well as introducing a ‘new standard’ for policing how platforms deal with illegal content hosted online.

“Platforms should have to issue transparency reports that state the prevalence of harmful content, everything from child exploitation to terrorism to incitement of violence to intellectual property violations to pornography, whatever the different harms are,” Zuckerberg said.

“The second change that I would propose is creating accountability for the large platforms to have effective systems in place to moderate and remove clearly illegal content, things like sex trafficking or child exploitation or terrorist content,” he said.

Zuckerberg added, however, that small platforms should be exempt from such new rules.

“We need to find a way to exempt small platforms, so that way you know when I was getting started with Facebook if we’d gotten hit with a lot of lawsuits around content, it might have been prohibitive to get started.”

Google’s Pichai agreed limply with increased efforts around transparency and accountability but held back from jockeying for Section 230 reform outright, while Twitter’s Dorsey said lawmakers should be careful that such moves don’t ‘incentivise the wrong things.’

Facebook disinformation problem. A new report has landed from rights group Avaaz, highlighting Facebook’s role in the Capitol Hill riots earlier this year. Amongst other things, the report shows Evidence of 267 pages and groups with a combined following of 32 million that spread violence-glorifying content in the heat of the 2020 election season and evidence that the platform could have prevented up to 10.1 billion estimated views on pages that repeatedly shared misinformation.

I caught up with Avaaz Campaign Director Luca Nicotra earlier this week to hear more, and he said the problem is not only confined to the US. “Platforms have one set of algorithms used globally. What our reporting has shown is that these same problems exist on European soil as they do in the states. The EU should be careful that it doesn’t experience its own Capitol Hill crisis.”

Avaaz is also a member of the Commission’s multi-stakeholder forum on disinformation, and Nicotra said that discussions with the Commission and other platforms in the group generally follow the same pattern, with the big tech companies claiming that the work they do to stamp out disinformation online is sufficient.

Commission update on code of practice against disinformation. On the subject of disinformation, the Commission may have other ideas. In an updated work agenda published this week, the EU executive stated that increased guidance on the code of practice against disinformation will come on 26 May.

Journalists complain against Facebook. Reporters Without Borders (RSF) filed a complaint against Facebook for “deceptive commercial practices” on Monday (22 March), accusing the social media giant of not respecting its commitments related to fighting disinformation and moderating online hate, particularly targeting journalists. EURACTIV France reports.


Artificial Intelligence

Dual-use rules. MEPs backed new rules on the export of so-called dual-use technologies earlier this week, which will result in stronger checks on goods that could be used for nefarious means being sent to dictatorial regimes worldwide.

“The new rules will ensure that sensitive technologies no longer end up in the hands of those who spy on and persecute opponents of regimes, human rights activists and minorities with,” said Markéta Gregorová, Parliament Rapporteur and Czech Pirate Member of the Greens/EFA Group. “These new export standards are a clear message to the Chinese leadership and other authoritarian regimes, that they can no longer easily import facial recognition and other surveillance technologies from the EU.”

‘High-risk’ AI definitions. Khalil Rouhana, deputy director-general of DG Connect, told MEPs in Parliament’s special AI committee earlier this week that the update on the Artificial Intelligence white paper on 24 April will set out the scope of ‘high-risk’ applications, which will be well-defined. This runs counter to some of the positions of EU member states, including Germany, who had hoped for a broader scope.



Cyber strategy conclusions. The Council of the European Union (EU), currently chaired by Portugal, on Monday (22 March) adopted conclusions on the EU cybersecurity strategy, particularly about fifth-generation mobile networks (5G), aimed at protecting against cyber threats.

APT31 accused of cyber attack on Finnish parliament. The Finish Security Intelligence Services have accused China-linked cyber espionage group APT31 of a cyber espionage operation that targeted the Parliament in 2020 with the aim of intruding into its IT systems.



EU Digital Tax proposal to come by June. The European Commission is on track with plans to present a digital tax by June despite recent progress at the level of the Organisation for Economic Cooperation and Development (OECD), the Commission’s Executive Vice-President Margrethe Vestager has said.

Speaking to MEPs in the European Parliament’s tax subcommittee on Tuesday (23 March), the EU’s digital chief welcomed efforts by US President Joe Biden’s administration to drop some of the previous red lines put up by his predecessor as part of talks on the international stage. Read more.

Online marketplace tax clampdown. The Council of the European Union (EU), chaired by Portugal until July, on Monday (22 March) adopted new rules to improve administrative cooperation in the field of taxation by obliging digital platform operators to report the income earned by sellers.

Luxembourg to use EU money to become more digital. Luxembourg wants to use EU funds to modernise its healthcare sector and retrain workers to have more digital skills, as part of a raft of measures to help the country recover from the economic blow of the pandemic. The Grand Duchy should get around €93.53 million from Brussels over the next three years, as part of a set of grants the Commission will hand out to help EU countries recover, the government said in a “recovery and resilience plan” this month, reports Anne Damani.




Serbian chamber of commerce launches digital platform for circular economy. The Serbian Chamber of Commerce launched on Tuesday the CE HUB Digital Platform for a Circular Economy, intended for the exchange of information, knowledge, and Serbian economic activities in the process of transitioning to a green economy. The platform was unveiled online by representatives of the Serbian Chamber of Commerce’s centre for a circular economy and the UNDP, with the support of German development agency, GIZ.

The purpose of the digital platform is to support the economy in modernising production processes, creating sustainable business models, and ensuring there is harmonisation between a circular economy and decarbonisation. The platform also aims to support constant dialogue between business and government representatives of the Green Alliance. According to Antoine Avignon of the EU Delegation in Serbia, the platform is very important for the promotion of a circular economy in Serbia, adding that companies and the private sector would have to innovate new ways of doing business.



Hungary drops in Freedom House report. Hungary is still partially free, dropping from 70 to 69 points from last year, according to a report by Freedom House published on Thursday. Read more.

Italian Press Publishers in Google win. After recent success for French publishers, Google this week announced a new agreement for remuneration with Italian press publishing groups. Read more here.



What else I’m reading this week:

  • What a Gambling App Knows About You (New York Times)
  • India antitrust body orders investigation into WhatsApp’s privacy policy changes (TechCrunch)
  • You Probably Don’t Remember the Internet (The Atlantic)

Subscribe to our newsletters