Welcome to EURACTIV’s Digital Brief, your weekly update on all things digital in the EU. You can subscribe to the newsletter here.
“Europol has dealt with several of the data protection risks identified in the EDPS’ initial inquiry. However, there has been no significant progress to address the core concern that Europol continually stores personal data about individuals when it has not established that the processing complies with the limits laid down in the Europol Regulation.”
-Wojciech Wiewiórowski, European Data Protection Supervisor
Story of the week: Europol must delete the personal data of people with no established link to criminal activity, according to a binding decision of the European Data Protection Supervisor (EDPS) made public on Monday. The decision is the result of an inquiry into the law enforcement agency’s data protection practices launched in 2019, after which the agency requested the EDPS for guidance on such activities. For the supervisory authority, Europol was in breach of the data minimisation principle, processing data of individuals not relevant for criminal profiling, and the data retention principle, refusing to set a timeline for maintaining such personal data in its database.
The EU agency’s scope is to support law enforcement authorities at the national level by making cross-border data available. However, in recent years Europol’s role has evolved in developing data-driven tools for policing and training algorithms for law enforcement. In doing so, national authorities have been transferring to the agency more and more data, not only strictly related to criminals but also data resulting from the suspects’ interactions with other individuals. Needless to say, these practices are at odds with said data protection principles.
Europol’s new activities would be legitimised by the recast mandate that is currently the subject of trilogue negotiations. For privacy activists, that would mean legalising illegal practices, whereas security advocates believe these tools are by now necessary for law enforcement. As confirmed by leaked documents, the co-legislators are close to reaching an agreement. As things currently stand, the new mandate would give Europol up to three years to figure out whether the data it has is criminally relevant or should be destroyed. Still, the agency will have to comply with the EDPS six months timeline for existing datasets. For the agency, the decision will seriously hamper its operations. Read more.
Don’t miss: The full extent of the Schrems II ruling fallout started to take shape this week. The EDPS censured the European Parliament for violating EU privacy laws in the operation of its internal COVID-19 testing website. Concerns over the site were raised by six MEPs in October 2020 after it was revealed that the site, used by lawmakers and staff at the Parliament to book tests, was transferring data to the United States via Google and Stripe. Among other charges, the EDPS found that the Parliament had failed to provide evidence of any steps taken to ensure sufficient data protection in the use of the US cookies. “No proper protections against US surveillance were in place, despite the fact that European politicians are a known target for surveillance,” said privacy activist Max Schrems, whose NGO NOYB supported the MEPs in their complaint. The Parliament now has a month to address the outstanding issues. Read more.
Austria’s Data Protection Authority has ruled that Google Analytics violates the GDPR through its processing of Europeans’ personal data in the US. During the investigation Google admitted that the data collected through Google Analytics is hosted in the US, making the data transfer illegal. The decision was the first on the 101 similar complaints filed by NOYB in most EU countries. Moreover, cooperation between regulators under the European Data Protection Board means that other EU countries could take similar steps. Read more.
Some of them already are, in fact, as the Dutch Data Protection Authority (AP) followed Austria’s lead warning on Thursday that Google Analytics could soon be banned, given its failure to meet the stipulations of the GDPR. The AP published instructions in 2018 on how the GDPR could be complied with when processing personal data via Google Analytics, but two complaints have led to renewed scrutiny of the service. The conclusion of their investigation is due early this year; with it will likely come a ruling on whether or not Google Analytics can continue to operate in the Netherlands.
Also this week:
- EU institutions start negotiations on the DMA
- The French Presidency’s pick up the pace on the AI Act
- Plenty of amendments table ahead of the DSA plenary vote
- The first NIS2 trilogue enters hearth of the discussion
Before we start: As the debate on digital sovereignty is as relevant as ever, we discuss with Jean-Marc Leclerc, co-director of IBM’s policy lab, Europe’s position on emerging technologies such as Artificial Intelligence, quantum computing and cloud.
A message by Facebook
Facebook is helping communities in Europe do more.
In Slovenia, Facebook Page Ekologi brez meja helped turn 7,000 illegal landfill sites into clean land. Learn more.
The French timeline. The French Presidency gave until the end of last week to submit written comments on articles 8 to 85. The commitment is to put this together in a new compromise text that will be circulated at the beginning of February when the pace of the discussion is expected to pick up. The intention is to provide a full compromise text by April. Meanwhile, diplomats are meeting once per week, with the Slovenian compromise on articles from 1 to 7 up for discussion.
First partial compromise. On Thursday, the French Presidency circulated a first partial compromise on Articles 8 to 15, with some significant changes. On risk management (Art. 9), high-risk systems are presented as those entailing risks on “health, safety and fundamental rights in view of the intended purpose of the high-risk AI system.” On data governance (Art. 10), a specification has been added that training datasets should be complete and free of error “to the best extent possible.” More flexibility on the technical document was provided for SMEs and start-ups. The record-keeping and transparency provisions were modified for clarity. The measures on human oversight (Art. 14) were revised to assign clear responsibility and make them more proportional to the context. On accuracy and robustness, the change aims to better avoid ‘feedback loops’, namely biased outputs become the basis for future distorted results.
Outstanding issues. When the Slovenian Presidency circulated its text, there was not really time for discussion. The revised definition of AI systems was generally well-received, although some questions remain around Annex I, for instance, if statistical methods are to be considered as AI or not. For the revision of the list of Annex I, several countries called for involving stakeholders in the process. The extension of social scoring to private companies was also seen positively, as national authorities might use private contractors to circumvent the measure. Clarifications were asked regarding the inclusion of digital infrastructure.
Law enforcement exceptions. The main point for discussion at the moment remains the application of biometric recognition systems for law enforcement. This time, Finland was alone in requesting AI applications for law enforcement to be taken out of the regulation, as the new German government is probably still discussing the matter internally. Hungary, Poland, and Sweden are pushing to include migration and border control as exceptions for deploying biometric systems (Art. 5(1)(d). The question is also what publicly accessible spaces include, as the EU’s external border is not publicly accessible but these countries would also like to use biometric systems in the vicinity of the border.
Meanwhile, the Parliament. The IMCO and LIBE committees have drafted an ambitious timeline on the AI Act, seen by EURACTIV. The committee hearing is scheduled for 16 March, to be followed by the draft report on 5 April. The political groups will only have three weeks to table amendments, with the deadline on 26 April. The other committees will have until 20 June to deliver their opinion. The committee(s) vote is planned for 29 September, and if everything goes well it will be certified by the plenary on 9 November.
AIDA discussions. MEPs gathered to discuss the AIDA report on Thursday. Rapporteur Axel Voss defended the report, notably reiterating the key arguments that AI should be looked at as an opportunity and not only risk and that the GDPR should be revised to leave more space for data-driven innovation. However, other groups contested the fact that the GDPR was put at the centre of the report, defining it as an EU’s landmark success. The confrontational tone of the report was also contested, with several MEPs calling for building bridges with partner countries rather than looking at AI as the ground for an international race.
The effects of the German push. Google will take steps to address criticism from the German competition watchdog over its Google News Showcase platform. An investigation initiated by the German Federal Cartel Office (Bundeskartellamt) last June found that the platform could lead to discrimination against individual publishers and reduce competition in the market. The tech giant has now presented a package of measures to address the concerns; among them, a change to exclude Showcase content from general Google searches and adjustments to the contracts of publishers involved in the platform and the criteria for their involvement. The antitrust body announced consultations with publishers to determine if the measures are considered fit for purpose. Read more.
New year, new president. Benoît Cœuré was heard on Wednesday by the deputies of the National Assembly ahead of his official appointment as head of the French Competition Authority, succeeding the ousted Isabelle De Silva. He said he wanted to make digital one of the priorities of his mandate and considered it “important and justified for the Authority to rapidly undertake in-depth work” on the cloud sector. On the proposed merger between TF1 and M6, Coeuré said it was “too early” to conclude anything while insisting that he was “aware of the possible consequences in economic terms, potential market dominance, diversity of supply and pluralism”. “I will not hide from you that the operation is not self-evident when we see the consolidated market share that this player would have on the advertising market,” he stressed.
Class action. Meta is facing a major class-action suit in the UK, brought by international law expert Dr Liza Lovdahl Gormsen in opposition to what she describes as the company’s abuse of its market dominance. The suit, which seeks at least £2.3 billion, plus interest, in damages from the tech giant, claims that Facebook implemented unfair terms and conditions on as many as 44 million British users, leading to the exploitation of their personal data for profit. Lovdahl Gormsen’s lawyers will argue that this constitutes an “unfair price” for the use of the platform and that users should be compensated under the UK’s Competition Act.
NIS2 kick-off. While the first political trilogues are usually ceremonial (see DMA), that was not the case for the NIS2 meeting that kick-started the negotiations on Thursday. The co-legislators already entered into discussions about the four points of contention: the scope (the most difficult part), the national security strategy, the timeline for reporting and the peer-review process. The French are planning to close the file by April, with the possibility of the negotiations dragging into May. While less ‘spendable’ in electoral terms, the pace of two technical meetings per week signals that Paris is seriously putting the file on its priority list. The next political trilogue is scheduled for 17 February.
Flexing muscles. A large-scale cyber-attack hit government websites in Ukraine on Thursday night, rendering them inaccessible as of Friday and displaying the message “Ukrainian! All your personal data has been uploaded to the public network…be afraid and expect the worst.” Authorities have launched an investigation and have yet to assign blame for the attack, which comes amid rising tensions over a potential Russian invasion of the country. The US and UK have in recent weeks sent experts to Ukraine to help shore up its cyberdefences in anticipation of potential hybrid assaults. Read more.
In the crossfire. Europe has experienced a surge in cyberattacks by 68% in 2021, against a global average of 50%. Portugal was particularly affected (+81%), resulting in 881 attacks per week, according to security firm Check Point. Read more.
Digital Markets Act
Negotiations kick-off. The first political trilogue on the DMA took place on Tuesday, in what was mostly a photo opportunity and a display of goodwill. As MEP Evelyne Gebhardt put it, “it was defining on what we have to discuss but not on the details.” The French are planning to close the file in two more political trilogues, on 10 or 15 February and 29 March. Two more have been scheduled just in case, on 5 or 6 April and 3 or 4 May. Political meetings at this frequency essentially mean that the bulk of the work will be kept at the technical level.
Let’s keep it technical. Technical meetings will take place twice per week, on Tuesday afternoon and Friday morning. The four-column document discussed at the first meeting on Friday, seen by EURACTIV, shows how quickly the Presidency wants to progress on the file. On the menu there are recitals from 1 to 8, 10 to 12, 15 to 21, 24 to 29, 34, 39, 45, 50 to 52, 55, 60 to 63, 65, 72, 73, 75a, 77a, 77c, 78a, 79, 79a, 79b. The articles up for discussion are 1 to 22, 25 to 32 and 35 to 37, although not all articles are discussed in full. Around 70 of them over 200 points of discussion are related to linguistic issues, and some controversial points, such as recital 9 on how to avoid fragmentation across the bloc, were avoided. Still, putting key provisions from Art. 5 and 6 for discussions does not necessarily make for an easy start.
Digital Services Act
Amendment crowd in. Those expecting plenty of amendments ahead of next week’s plenary vote were not disappointed. 22 amendment were presented by the Left alone, which include the removal of the trade secret safeguards in the transparency obligations, measures banning targeted ads, introducing interoperability obligations, higher penalties from 6% to 10% of the turnover and safeguard on animal trade (something requested by the German government during the Council discussion). The Green also presented 16 amendments, including some that were rejected in IMCO, in particular on short-term rentals, the citizen assemblies, supervisory fees and environmental risks. Other amendments concern the recommender systems, the environmental impact of product delivery, the methodology for designating VLOPs and interoperability. Another amendment proposes to relieve digital archives and non-for-profit education platforms from the reporting obligations of the DSA, a measure that is likely to find support in Renew. The ITRE committee also presented amendments including interoperability obligations and the portability of reputation systems for very large online platforms (VLOPs).
Media exemption (or not). Repeating a scheme already tested with the DMA, Emmanuel Maurel (the Left) and Geoffroy Didier (EPP) presented a series of amendments, the most relevant of which try to give rightsholders automatically the status of the trusted flagger and the (perhaps lighter) remaking of the media exemption. A change to recital 12 would in fact require platforms to put in place a special mechanism for dealing with editorial content and to inform the outlet before the content moderation decision is applied. For the publishers, that does not equal to an exemption as it merely puts extra safeguards that media content is not dealt with in an arbitrary way. By contrast, Alexandre Alaphilippe, executive director at the EU DisinfoLab, argues that that is “basically the media exemption through bureaucracy.”
Targeted ads. The tabling process in LIBE has become somewhat messy, as following a procedural problem the other political groups have until Monday at noon to withdraw their support for the tabled amendments. The tracking-free ad coalition has in the meantime managed to table two separate amendments that however do not go as far as a total ban. First, refusing consent should not result in disabling functionalities, as tracking-free options should be made available. Second, platforms should put users in the situation to express an informed choice when they request their consent for the processing of personal data, and refusing consent should be more time consuming than giving it.
Fact-checking in Hungary. News agency Agence France-Presse (AFP) partnered up with Hungary news media 444.hu to launch a fact-checking website designed to tackle disinformation in Hungary, as the country gears up for elections in April. The project is co-funded by the EU and will focus on verifying information and combating false claims in the public domain. A number of controversial laws related to the media have been passed by the Hungarian government in recent years and the presence of international media has decreased; while AFP insists that the project is not about striking out against the government, its initial material indicates that it may be on a collision course with the authorities. However, not everyone is convinced that this type of initiative can make a difference, given the polarised political context. Read more.
Publishers unite. A report by French MPs has stressed the need to tackle the information gap between the media and digital platforms and to encourage collaboration and negotiations between publishers and companies such as Google and Facebook. The report, presented this week, is the latest instalment of the “neighbouring rights” issue in France. Since the 2019 transposition of the EU copyright directive, French publishers have been tussling with digital giants to secure remuneration for the reuse of their content. The report notes, however, that few such deals have yet been struck and that there has been a lack of cohesion or transparency in those that have. Read more.
Media freedom consultation. The European Commission opened the public consultation on the European Media Freedom Act on Monday. The structure of the consultation suggests what will be the pillars of the proposal: 1. Safeguarding free movement, independence and pluralism in the EU internal media market; 2. Transparent and independent media markets; 3. Conditions for healthy media markets; 4. Fair allocation of state resources in the media markets; 5. Governance options.
Ireland’s DSA. New legislation put forward by the Irish government this week seeks to regulate harmful online content for the first time. The Online Safety and Media Regulation Bill will oversee streaming platforms and broadcasters and will establish a new Media Commission and Online Safety Commissioner to enforce not only this law but what the government says will be a “rolling package” of related legislation from Ireland and the EU. The bill parallels measures in the DSA when it comes to moderating harmful online content and is also similar to the UK’s Online Safety Bill, the joint committee report on which was debated in Parliament for the first time on Thursday, eliciting cross-party support. Read more.
UK content moderation rulebook. The report of the Joint Committee on the Draft Online Safety Bill was debated in the UK Parliament on Thursday, a month from its publication. The proposed legislation looks at how to better regulate online harms and service providers in a similar way to the EU’s Digital Services Act and the joint committee issued a number of unanimous recommendations for the bill in December. Among the points discussed in Thursday’s session were the issues of director liability for harms, age and identity verification and enforcement of the law and while differences remain, the report received cross-party support, with a number of lawmakers declaring the era of tech self-regulation to be over.
Worse than ever. Reports of online child sexual abuse reached record levels in 2021, according to the Internet Watch Foundation (IWF). 361,000 reports were investigated by IWF in last year alone – more than the total across the first fifteen years of the organisation’s existence – with action taken against 252,000 links. IWF called on European lawmakers to protect children’s rights online as the Digital Services Act moves forward and ahead of legislation that would place additional requirements on tech companies to tackle child sexual abuse online, planned to be introduced by the Commission later this year.
Apple’s developer programme. Apple announced the extension of its App Store Foundations Program to 29 European countries this week. The programme, which began in 2018 in France, gives selected developers extra support in-app creation, including individualised and group work with App Store leaders on growing their apps using Apple technology. It will now be applied to all EU member states, as well as Switzerland and Norway.
What else we’re reading this week:
IAB Tech Lab – a reluctant peacekeeper in the privacy wars (Digiday)
Economists Pin More Blame on Tech for Rising Inequality (The New York Times)
Over 200 papers quietly sue Big Tech (Axios)