Welcome to EURACTIV’s Digital Brief, your weekly update on all things digital in the EU.
“WhatsApp must ensure that users understand what they agree to and how their personal data is used, in particular where it is shared with business partners.”
-European Commissioner for justice and consumer protection Didier Reynders
Don’t miss: The workers of Deliveroo and Uber would be automatically reclassified as employees under the Commission’s draft directive on platform workers, according to the European Trade Union Confederation (ETUC). The trade unions pointed the finger at food delivery company Glovo, the marketplace for IT experts Amazon Mechanical Turk and caregiver platform Cuideo, assessing that all platforms fulfil most if not all of the five criteria included in the proposal. However, for Deliveroo, the analysis is based on several judicial decisions that refer to an old way of operating, whereas a more recent judgment in Belgium confirmed its riders are self-employed. The discussion is an anticipation of things to come, and the debate is already very heated. For the unionists, the platforms will try to “cheat” to maintain a business model based on “exploitation”. For the platforms, trade unions are inappropriately speculating on a proposal that still has a long way to go and are failing to understand their business model. Read more.
Also this week:
- MEPs prepare their priorities ahead of the first DSA trilogue
- Intel’s investment plan for Europe starts to take shape
- The Czech Presidency anticipates media freedom as a top priority
- French streaming platforms call for opening up competition on TV remotes
Before we start, the VBER revision will impact online sales for the next ten years. We discuss how the regulation will affect digital markets with Maike Jansen, a public affairs adviser at Ecommerce Europe.
SMEs transparency. 60% of facial recognition start-ups make no public statements about whether or how the products they produce are complying with privacy and data protection standards, a new study by the AI Regulation Chair and deep tech/AI company Skopai has found. Mapping 130 AI start-ups, the research found that around half focus exclusively on facial recognition software. Still, the rest embed this within a much broader array of applications, and more than half provide face ID tech. In a key finding, however, almost two-thirds refrain from publicly discussing their data protection and privacy compliance and even where they do, this is often done as a marketing tactic, with less than sufficient concrete evidence to back up claims of adherence and implementation.
New competition field. Remote controls have become the latest battleground in the contest between American platforms and the French media sector, as streaming service Salto called on public authorities to tackle the “crazy competitive asymmetry” between the two. For Salto, remote controls that have buttons for Netflix or Amazon Prime give these platforms an unfair advantage over more minor services: “If there is a button for an American platform, there must be a button for a French platform”, said Salto’s CEO. Read more.
Another setback. Intel this week won its appeal against an EU antitrust fine levied more than a decade ago. The €1.06 billion penalty was given to the chipmaker in 2009 for hampering the activities of its rival, Advanced Micro Devices, by handing out rebates to computer manufacturers such as Dell and Lenovo for their use of Intel chips. “Please reflect on the fact that the initial complaint about Intel’s rebates was submitted in the year 2000,” tweeted Tommaso Valletti, former chief competition economist in the Commission. The ruling deals another blow to EU competition authorities and, while it can be appealed, could provide a boost to other big tech companies currently in the European antitrust spotlight. Read more.
Cloud under scrutiny. The French competition authority announced this week that it would initiate an investigation into the cloud market over claims of unfair practices by US tech giants. The watchdog’s new president, Benoit Coeuré, has said he wants the digital economy to be a priority and that the cloud is one sector where rapid, in-depth work is needed. The announcement comes amid rising disquiet in France over American tech giants’ power compared to national and European cloud players. Read more.
Not on my watch. Apple has fallen short of requirements set out by the Dutch competition authority over payments systems for dating-app providers. Last year, the Netherlands Authority for Consumers and Markets (ACM) ordered Apple to adjust these “unreasonable conditions”, which prevent providers from freely selecting in-app payment systems. Apple later told the ACM that it had revised its policy and the watchdog conducted a review into the changes. Following this week’s finding that the steps taken by the company were insufficient, Apple will now have to pay a fine of €5 million and make further adjustments to the access conditions on its Dutch App Store.
Good for us. The Commission this week approved the acquisition of customer service company Kustomer by Meta, on the condition of the latter’s full compliance with the decade-long commitments it offered to address EU antitrust concerns. A trustee will be appointed to monitor Meta’s adherence to the promises, which include guaranteeing free and non-discriminatory access to its publicly available APIs. Moreover, Facebook will have to implement a “core API access-parity commitment”, ensuring that Kustomer’s rivals and new entrants receive the same updates and improvements that its platforms do moving forward. “The more data they have, the more gatekeeping behaviour they will develop,” said Stéphanie Yon-Courtin, stressing the need to include anti-killer acquisition provisions in the DMA.
France under attack. The French ministry of justice was the subject of a significant cyberattack on Thursday, with hacking collective Lockbit 2.0 threatening to release nearly 10,000 stolen files by 10 February if a ransom is not paid. The group previously targeted the small French commune Saint-Cloud and company Thales Alenia Space, and in both cases, the ransom was not paid, according to official statements. Just one day before the attack, the Court of Auditors had published a report noting that there was still room for improvement for the security of the IT system. Read more.
InfoSec register. The UK government is looking to pass a new law to reshape the UK Cyber Security Council (UKCSC), currently responsible for developing standards for the sector, over concerns that it is not doing enough. A recent consultation document proposes the creation of an official register of security professionals, which could see them prevented from practising if they fall short of specific ethical and technical standards. The UKCSC, launched as part of the government’s 2016-21 National Cyber Security Strategy, has drawn criticism for its inaction; the push to change this seems to stem from last year’s National Cyber Strategy, which urged the formation of a government-led professional oversight authority. However, not everyone agrees it should be up to the government to decide who can be considered an expert in the field.
Data & privacy
From FLoC to Topics. Google has presented an alternative way of providing targeted ads, “Topics API”, after its initial FLoC proposal faced a backlash. Topics API will track five topics representing users’ highest interests each week, based on which advertisers will target their content. The data collected, Google says, will be deleted after three weeks and will avoid third-party involvement by being stored directly on devices. Google committed to phasing out third-party cookies by 2023. From a privacy point of view, the new proposal seems to have addressed some issues related to FLoC. However, the fact that the new system would be based on Chrome reiterates the concerns that Google might leverage its dominant position in the web browser market to reinforce its market power in terms of advertising. Read more.
Publishers on a war footing. Just on Monday, Google came under fire from Germany’s media and advertising industry over its planned third-party cookies phase-out. A coalition of eight associations representing much of the industry sent a letter to the European Commission arguing that the plan will remove a key source of income, with losses potentially climbing to as much as 70% of revenue. Google’s new project is also bound to raise questions among publishers, as it is still unclear how Google would obtain consent and how the topics shown to third parties would be selected. Read more.
Anonymity allowed. A ruling by Germany’s highest court has paved the way for Facebook users to use pseudonyms instead of their real names, as they have been required to do up until now. The Federal Court of Justice ruled on Thursday that, while users must provide platforms with their real names when registering, they can use pseudonyms publicly, after concluding that Facebook’s deletion of the accounts of users who refused to confirm their real names violated EU and German laws. The ruling fits into a broader debate about online information, as many governments wrestle with how much anonymity should be allowed online. Read more.
Benchmark study. More than 90% of organisations see themselves as already having processes in place for responsible automated decision-making, according to the 2022 CISCO Data Privacy Benchmark study released this week. The report, which surveyed over 4,900 security professionals around the world, found that 91% of organisations see privacy as essential to business. While consumer confidence in data protection in specific technologies, especially AI, remains low, many organisations see themselves already prepared.
US consumer probe. A US judge has rejected Google’s arguments in an Arizona privacy case, refusing to accept the company’s claim that its collection of Android location data didn’t violate a consumer fraud law in place in the state. The judge conceded that the US couldn’t prove a connection between the sale of Google-branded Android phones and the company’s sale of targeted ads. Nevertheless, the rest of its argument was thrown out, opening the door to a trial in which the tech giant would be forced to defend itself against the US’ charge that it illegally misled consumers.
Spotify in the spotlight. This week, the Swedish Privacy Authority found that music platform Spotify had breached the GDPR in its failure to adequately explain the details of its data processing in response to a complaint filed in 2018. The complaint came from a man who argued that Spotify was retaining his card details after he’d cancelled his subscription; the Swedish watchdog now says that Spotify’s response didn’t contain necessary information on its data retention procedure or how a complaint could be lodged or judicial redress sought.
More jobs. Almost half of the organisations surveyed in the 2021 IAPP privacy governance report said they plan to hire at least one new member of privacy staff in the upcoming six months, showing an evident industry expansion. On average, the report found, firms have 18 full or part-time privacy employees and 60% of privacy professionals expect their budgets to increase with a decrease projected by almost no one in the sector.
Happy Data Protection Day. ENISA, the EU’s cybersecurity agency, has released a new report on data protection engineering today. The study looks at how practitioners can best implement data protection approaches on a technical level and the technologies that could help with this. The report concludes that promoting best practices and certification schemes should be a key focus of regulators. On the other hand, the research community should continue to explore how organisations can be assisted in the proper deployment of data protection standards.
Not so happy maybe. Forty-one years after signing the first pan-European data protection framework, progress is still needed, says Max Schrems’ NOYB. Among its criticisms of the EU’s approach to data protection is the lack of GDPR enforcement and the delay in processing cases. It says that just 15% of the cases NOYB raises are decided within a year, all of which are at the national level. By contrast, none of the complaints that have been acted upon has been at the pan-European level so far.
Digital Markets Act
Technical standoff. The negotiators sealed the least controversial recitals, mostly adopting the language of the EU Council, notably in terms of “undertakings”, “profiling”, “consent”, “turnover”, and “national courts”. However, the attempt to move ahead with the bulk of the legislation at the technical level inevitably hit a stalemate once it was realised that specific issues are inherently political. On the thresholds, in particular, the Council voiced concerns these might result in “geopolitical” tensions with Washington. A similar impasse was reached on the gatekeeper obligations. On the positive side, there seems to be openness towards including virtual assistants and web browsers in the scope, and an agreement was reached on the designation of gatekeepers that don’t fulfil the quantitative thresholds (Art 3.6).
Timeline adjustments. The need for more political input was made clear by the next political trilogue being brought forward from 15 to 3 February. The updated agenda of the technical meetings indicates what’s on the menu: obligations (Art. 5, 6, 12, 13) on Friday (3 February); governance (Art. 32, 33 Council – Art. 31a-31d Parliament) and general provisions (Art. 34-39) on 8 February; investigative powers and enforcement (Art. 18-31) on 11 February. However, the fact that the new political trilogue has been fast-tracked so close in time means that the French Presidency will not have the time to get an updated trilogue mandate from COREPER; hence they will have to refer back to the general approach.
Digital rights declaration. The Commission proposed a declaration on digital rights and principles on Wednesday, intended to guide private actors and policymakers in the interactions with digital technologies. The document gathers existing rights deemed relevant to the digital space rather than establishing any new ones and is designed to operate with the Commission’s Digital Decade targets. Adherence to these principles will be monitored under the governance framework for the Digital Decade, on which the Commission will report annually. The EU Parliament and Council will now discuss the declaration. The Commission urged the co-legislator to sign it by the summer. Read more.
Digital Services Act
Prep talks. MEPs met this week to discuss political priorities ahead of the first DSA trilogue set for next Monday. Among the topics settled upon for negotiation by lawmakers were the legislation’s provisions on dark patterns, online marketplaces and recommender systems, amongst others. The French Presidency, for its part, put at the top of its priorities the enforcement architecture and the inclusion of search engines in the scope. A Parliament official told EURACTIV that a divergence emerged between the centre-right, keen on closing the file as soon as possible, and the centre-left, determined to push for quality. Read more.
Playing tough. While the compromise reached in IMCO was generally speaking more skewed toward the conservative side, progressive lawmakers scored important points during the plenary vote, notably in terms of provisions on targeted advertising and anonymity online. The centre-left seems determined to stand its ground on these points, counting on the fact that the Presidency is in a hurry to close the file ahead of the French presidential elections in April. Still, when the DMA reached a compromise in IMCO, the DSA rapporteur felt pressured to do the same and suddenly conceded on most of her priorities that had held up the negotiations for months. Whether that will again be the case the moment a compromise agreement is reached on the DMA remains to be seen.
Negotiation strategy. During the meeting on Wednesday, it was stressed that the Parliament’s text made most of the changes in the articles, whilst the Council, strangely enough, focused much more on the recitals. As a consequence, MEPs noted that the two parts should be negotiated together. “Everything we couldn’t reach an agreement on, we put in the recitals,” an EU diplomatic source told EURACTIV. The source added that the French did not share the details on how in practice they were planning to conduct the negotiations. On some of its key issues, the Parliament is likely to find support in Germany, which managed to introduce provisions on dark patterns and the protection of minors. However, on dark patterns, the two texts diverge significantly and a definition is still missing.
NATO takes aim. As tensions build at Ukraine’s border, repeated warnings of the potential for hybrid attacks have also grown. According to internal documents published by NETZPOLITIK, NATO researchers are taking issue with provisions in the DSA which would limit their access to data from social media platforms including Facebook, Instagram and YouTube, which they say could be used in combating issues such as disinformation. The DSA currently restricts access to researchers at economically independent scientific institutions, something which NATO’s Stratcom Center of Excellence said in a 2021 letter it would be “grateful” if lawmakers could adjust.
Scaling up capacity. Intel is looking to undertake a major expansion of its production facilities in Europe. With an €80 billion budget, the semiconductor company intends to focus its efforts on next-generation microchips measuring at a maximum of two nanometres. Production of high-tech semiconductors is concentrated in Asia at the moment, where the scale sits at three nanometres. With eight planned European plants, Intel is looking to beat this and in doing so is tapping into a key geostrategic priority of the Commission, which has emphasised the need for European production amid the ongoing global chip shortage. Read more.
Deal dropped. Chipmaker Nvidia is on track to abandon its acquisition of chip designer Arm, which has already been mired in a number of competition complications. The purchase has come under the scrutiny of antitrust regulators in the EU and UK and has also been the subject of a suit by the US Federal Trade Commission. The $40 billion deal, Reuters reports, could now be off the table, just as the Commission set a new deadline for the completion of its current investigation into the deal, naming 25 May as its scheduled end date.
Czech priority. Media freedom and the rule of law will be key themes of the upcoming Czech EU Council presidency, with particular focus on Hungary and Poland, both of which have seen deteriorations in media independence and pluralism in recent years. According to the Czech minister for foreign affairs, however, “this does not mean that we will preach to our Polish and Hungarian colleagues”. The Czechs will take over the helm of the EU for the second half of the year, and might play a key role in shaping the upcoming European Media Freedom Act. Based on an internal timeline seen by EURACTIV, the tentative date for publishing the new legislative proposal is 29 June. Read more.
Metaverse capacity. Meta announced this week that it will launch one of the world’s most powerful supercomputers, capable of processing data such as images and video as much as 20 times faster than the systems currently in place. Among the potential uses, once it’s up and running in the next few months, the firm says, is the development of an AI tool to allow real-time multilingual translation. However, some remain wary of the power this could hand Meta, particularly in light of previous concerns over the negative consequences of its algorithms and its handling of privacy and disinformation issues. Read more.
Sweden on platform work. “The government considers it important to have a well-functioning internal market where the rules do not lead to distortions, unhealthy competition or to hampered technological development, entrepreneurship and innovation, and which take into account the gender equality perspective,” reads the Swedish position on the platform worker directive, seen by EURACTIV (*own translation). According to the document, Stockholm is particularly concerned with maintaining its national competences on the labour market, safeguarding the autonomy of social partners and avoiding double regulation on algorithmic management. “The proposal should lead to the lowest possible administrative burden for companies and relevant authorities and take into account the situation of small and medium-sized enterprises.”
Italy’s giga plan. The Commission approved on Thursday Italy’s €3.8 billion scheme for the deployment of high-performing gigabit networks in the so-called grey areas, which cover roughly one-third of the national territory. The money will be made available through the Recovery and Resilience Facility and will be divided into 15 calls running from June 2022 to June 2026. “The scheme is going in the right direction, although for the timeline to be respected, providers will need to address complex issues such as the lack of construction capacity and the burden of urbanism regulations,” said ICT legal expert Innocenzo Genna.
Infrastructure market. The public funding will only cover up to 70% of the investment, prompting private operators to make up the rest. However, the calls have been designed in a way that essentially excludes local infrastructure operators, as they are regional in nature and require a significant turnover. As the maximum number of calls a single operator can win is eight, the result is likely to be a partition between the two main infrastructure providers, TIM (Telecom Italia) and Open Fiber, since the other major operators have so far shown no appetite to build an infrastructure of their own. “It is a missed opportunity to stimulate competition between digital infrastructure providers that Italy direly needs,” Genna added.
Uncoordinated means unsafe. The European Court of Auditors issued a report this week criticising divergent rules between EU countries when it comes to the vetting of suppliers of 5G technologies, saying that the discord poses a security threat. While some countries currently ban technologies from vendors based outside the EU, largely over data protection concerns, others do not, which the report highlights as an obstacle when it comes to a coordinated approach to security and risk assessment in Europe. Read more.
What else we’re reading this week:
If the $40B Nvidia-Arm deal is dead, what does it mean to big tech M&A? (
The UN is testing technology that processes data confidentially (The Economist)
Facebook patents reveal how it intends to cash in on metaverse (FT)