Welcome to EURACTIV’s Digital Brief, your weekly update on all things digital in the EU. You can subscribe to the newsletter here.
“Delegations will find attached the final 4-column document (Articles and Recitals) after technical finalisation to reflect the provisional political agreement reached during the 4th DMA trilogue of 24 March 2022 and pending lawyer linguistic finalisation.”
-Final four-column document on the Digital Markets Act
Story of the week: After three weeks of wait, the final DMA four-column circulated on Thursday, with some important last-minute surprises. The delay was due to the Parliament’s services being overburdened with temporary legislation related to the war in Ukraine, but the more sceptical found the timing when most people have already left for the Easter holidays to be suspiciously convenient. The question is now how the final version of the text will sit with the shadow rapporteurs and EU countries.
EURACTIV provided a first glance of the main changes, but more surprises might be spotted as the 349-page-long text is thoroughly analysed. The recitals were made much stronger with the view of making the regulation harder to challenge in court, notably by explaining the scope of the legislation and the key concepts of contestability and fairness. Every app that is not essential to the function of the operating system and device can now be uninstalled, and the Council’s text to let the gatekeepers define ‘duly justified’ security requirements for third-party apps, software and hardware made it into the final text.
In terms of data, a new paragraph was included that prevents Google and Facebook from tracking users who have denied their consent when they visit websites that are part of their ad networks. Advertisers will be given access to both aggregate and non-aggregate data and to analyse it with their own tools. The text on data combining was significantly redrafted, reintroducing the single consent choice and removing the reference to purpose limitation. ICCL’s Johnny Ryan, who was the promoter of the previous version of the article, stressed that the new text might lead to years of litigation and less effective enforcement of the data-related obligations.
In another surprise move, the reference to ‘ancillary services’ was completely removed from the text, which now only refers to ID, payment systems and web browser engines. An anti-free-riding clause was also included to ensure that marketplaces receive some form of remuneration before the business users can interact directly with the customer. Business user representatives and consumer groups are also to be involved in the regulatory dialogue and investigations on systematic non-compliance. More on the timeline below.
Don’t miss: The DSA might also be approaching the finishing line, with the fifth and possibly final political trilogue planned for next Friday (22 April). On the thorny issue of online advertising, an agreement might be approaching, according to a compromise text seen by EURACTIV this week. The text includes a ban on targeting users that the platform knows are minors and protection ‘by design’ for platforms accessible by minors. The profiling based on sensitive data is also prohibited, although it does not go as far as banning inferencing as some NGOs had asked. The text is to be seen together with a new article on dark patterns, which will be elaborated on and implemented with the guidance of the European Commission.
The French Presidency is requesting that EU ambassadors gather in COREPER on Wednesday (20 April) for a new mandate. According to an internal note seen by EURACTIV, the intention is to concede to the MEPs the part on recommender systems. Similarly, the transparency requirements and provisions against dark patterns would be extended to all online platforms, on which the Commission will provide guidance under the advice of the Board.
For the crisis management mechanism, the French are proposing that the crisis stage could only be triggered by the Board with a two-thirds majority. The Board would also play a key role in ensuring the measures taken by the Commission are proportionate and necessary. The lawmakers are sceptical on this point, as too much power would be given to unelected authorities, and want the Parliament to have veto power. In turn, Poland asked for the threshold to go back to three national authorities as in the original proposal.
On the supervisory fee, discussions have been ongoing on the potential cap in terms of annual net income on very large online platforms. According to a source informed on the matter, the measure was thought to not overburden Wikipedia, hence MEPs have proposed to lower the cap to 0.05%, but in the last four-column document from the French Presidency, it is still at 0.1%. Moreover, for the Council, the EU executive will have to provide an estimate of the annual costs for each platform in the form of implementing acts.
For the French Presidency, online marketplaces would need to take all reasonable steps based on publicly available information to check the legality of the product. Rapporteur Christel Schaldemose is pushing for requirements on platforms to make random checks on the product, a measure criticised by other political groups and member states that are afraid the DSA would go above and beyond the General Product Safety Directive. It is also not clear how often and how many times these checks would have to occur, nor what should happen for products that are legal but not harmonised. However, it is not impossible that Schaldemose might get this point as French digital minister Cedric O is particularly keen on closing the file before retiring from politics.
Finally, in terms of systemic risks, the Presidency is asking for a mention of fighting cyber violence, referring in particular to enabling victims of revenge porn to take it down, a provision included in the mandate of the Parliament. Search engines are to be included in the form of a category with specific responsibilities in terms of illegal content, notably to remove the content from its search results (i.e. delisting) as soon as it is flagged to them. This point is very dear to France which wants to make sure Google is in the scope of the DSA and is likely to be traded by the MEPs.
Also this week:
- An exclusive view of the AI Act draft report
- NIS2 trilogue postponed
- The second stakeholder roundtable on the platform worker directive
- The digital side of the French presidential campaign
- The long delay of the Copyright Directive transposition
Before we start: As the European Parliament is preparing to discuss the first draft of the AI Act, we took a critical look at the proposal with Lilian Edwards, professor at the University of Newcastle and expert legal adviser at the Ada Lovelace Institute. We touched upon the overall approach of the proposal, the role of users, high-risk systems and risk assessment.
Today’s edition is powered by The Greens/EFA.
Future economic growth must be inclusive, as well as digital
Don’t be that creepy ad company! Join Alexandra Geese MEP to dive into the future of digital advertising and find out why contextual ads are better for privacy and the economy. Sign up here.
What’s in. The AI draft report was finalised on Monday by LIBE’s Dragoș Tudorache and IMCO’s Brando Benifei. While stakeholders are still waiting for the actual text, EURACTIV provided an overview of the hot topics with two exclusive interviews with the two co-rapporteurs. The two lawmakers agreed to keep the definition broad, avoiding the exclusion of general-purpose AI system conservative MEPs have been calling for. Predictive policing was added to the list of prohibited practices while the number of applications considered high-risk now includes medical triage, insurances, deep fakes and algorithms designed to interact with children and that might impact democracy. The leading MEPs agreed to a two-layer approach in terms of enforcement, with the Commission in charge of cross-border cases as in the DSA. The draft report also includes an amendment to include the AI Act in the Representative Action Directive.
What’s out. Perhaps even more interesting is what the two lawmakers could not agree on. While some responsibilities for users were added, Benifei wants to go much further with them, like on the compliance process for system providers. Tudorache is taking the pro-business position here, which is also exemplified by its position on regulatory sandboxes that, in his view, should be extended to the regional level if we are serious about reaching SMEs. The fundamental rights impact assessment is on the table, but there is no agreement if it should be applied only to public institutions or to all users. Finally, the part on biometric recognition and biometric categorisation looms over the Parliamentary report, with Benifei pushing for a total ban and Tudorache insisting on some well-defined exceptions. Given the position of the Council, if the Parliament is not fully behind a ban it seems very difficult for it get through the trilogue. At the amendment stage, it will be down to who gets a majority, but for those wondering about the power relationship between the two MEPs look no further than the number of committee members: LIBE has 69 while IMCO has only 40.
Spotify vs Apple. The EU will levy another antitrust charge against Apple in the next few weeks as part of an investigation launched last year into the tech giant’s alleged distortion of the music streaming market, Reuters reports. The probe was initiated in April following a complaint filed by Spotify and centres on what the EU says was the company’s imposition of restrictive App Store rules that forced developers to use its own in-app payment system and prevented them from informing users of alternative purchasing options.
A fault confessed is half redressed? Microsoft seems ready to let some slack after accusations of anti-competitive practices in the cloud market, especially through its licensing system. “There definitely are some valid concerns,” Microsoft President and Vice-Chair Brad Smith told Bloomberg, adding that “it’s very important for us to learn more and then make some changes.”
Long spared by the wave of antitrust scrutiny in the cloud market that focused on Google and Amazon, the latest complaint to the European Commission from several European cloud players, including OVHcloud, seems to have put Microsoft back in the sights of regulators. “European cloud infrastructure providers demand urgent action, not only vague commitments to talk,” responded CISPE, a federation of European players that has AWS among its members.
Waiting for Godot. Almost a year on from the transposition deadline, only 12 countries have codified the EU Copyright Directive into national law. Only 3 states had fully transposed the legislation by 7 June last year and rates of subsequent processes vary greatly. Member states, however, are not wholly to blame, some observers say, pointing to the pandemic and confusion around certain controversial articles as reasons why adoption has been slow. Read more.
Trilogue postponed. The NIS2 trilogue planned for 25 April has been postponed to a date to be decided. The reason was that more work needed to be done at the technical level, as several member states considered the text ‘not mature yet’. Closing the file is a top priority for the French Presidency, but MEPs have been pushing for a solid text that will have a long-term legacy and won’t need a NIS3 in just a few years. The most controversial point is, as usual, the scope, with Germany, Czech Republic, Sweden and Poland insisting on leaving regional authorities out of it. In the ongoing discussions, lawmakers proposed to carve-out regional authorities from the scope on the condition that the provisions on national security strategies mandated the same level of cybersecurity between the national and regional levels. More generally, for the EU countries, the MEPs’ text on the national strategies is too prescriptive and does not allow enough flexibility. On the issue of cooperation between different jurisdictions, which for member states is a complex one, a political agreement has been reached but not on the exact wording. A possible new date for the next trilogue could be 12 May.
Mind your authentication. Web community leaders have sent a letter to MEPs and Council representatives expressing concern over a revised article of the e-ID Draft Legislative Proposal that would obligate browsers to accept specific systems of authorisation certification from certain Certificate Authorities (CAs), regardless of whether they met the browser’s security standards. The letter’s signatories have raised concerns that the legal inclusion of these CAs could pose threats to web security and pose a dangerous precedent for authoritarian countries that might be tempted to mandate authentication services to control the online environment. Read more.
Cybercrime convention. The international advocacy group European Digital Rights (EDRi) sent its position on the Budapest Second Additional Protocol on Cybercrime to the European Parliament on 13 April. EDRi asked for a review by the European Court of Justice regarding the compatibility of the Protocol with the EU treaties, notably the Charter of Fundamental Rights, as it believes that law enforcement authorities are being given a much stronger mandate without appropriate safeguards. In particular, they fear that there are no sufficient safeguards for data protection, privacy and procedural rights as of now. The question is now if the European Parliament will give its consent for the ratification on 12 May or ask for the opinion of the Court. Read the room though: there is a war ongoing in Europe and the surge of cyberattacks means that everything security-related takes precedence.
Cyber Resilience. A study commissioned by the cybersecurity company Trellix found that a vast majority of security professionals surveyed in the UK, Germany and France believe that formalised, government-led initiatives will lead to improved protection against cyberthreats. To thwart the increasing threats of cyber adversaries, the relationship between the government and critical infrastructure institutions should be strengthened via data sharing and consistent guidelines. “Now more than ever, a unified response by the EU is needed also for cyber readiness,” said John Fokker, Head of Cyber Investigations and Principal Engineer at Trellix to EURACTIV.
Data & privacy
Frontex, you’re next. After the Europol saga seemed to have reached a conclusion, the European Data Protection Supervisor (EDPS) is taking aim at Frontex, reprimanding the EU’s border agency this week following an investigation into its move to the cloud. The EDPS found the agency to have made the shift without an adequate assessment of its potential data protection risks or the steps required to mitigate them. The watchdog has also ordered Frontex to undertake a review of its Data Protection Impact Assessment and its record of processing activities related to personal data and cloud services. Other elements linked to the move, such as the lawfulness of data transfers to non-EU/EEA countries were not covered by the probe but are the subject of separate EDPS investigations into the use of cloud services in the context of the Schrems II ruling.
Persons of interest. Senior Commission officials, including EU Justice Commissioner Didier Reynders, were among those targeted with Pegasus spyware last year, according to Reuters. The Commission became aware of the targeting in November and warned colleagues about the potential threat. The use of the tools in the EU is now the subject of a Parliamentary inquiry, which will meet for the first time next Tuesday (19 April). Read more.
Digital Markets Act
Timeline. The final text is expected to land on the table of the competition attachés at the Working Party on 28 April, to be rubber-stamped by the ambassadors at the COREPER on 4 May. IMCO might adopt the agreement as early as 16-17 May. The final adoption in Parliament and Council is expected in July or September at the latest, followed by publication in the official journal in October 2022. The application would then take six months, in April 2023. Between then and the end of the summer, the notification and designation of gatekeepers should be completed. Finally, by February or March 2024 the gatekeepers would have to comply with the new obligations.
Complementarity or competition. Germany is already exploring how the DMA will be implemented on a national level once it enters full application, likely in spring 2024, and how it will interact with parts of the existing Act against Restraints of Competition (ARC), seen as a blueprint for the EU legislation. MEP Andreas Schwab told EURACTIV this week that care needed to be taken to prevent competition-like relationships between EU and national bodies from arising and to ensure harmonisation between all authorities. Read more.
App Store battle. Sideloading came under fire this week from Tim Cook, who warned that the practice threatens the privacy and security of iPhones. Speaking at the IAPP Summit, the Apple CEO skirted around referencing competition regulation that will ensure the accessibility of different app stores on operating systems – read: the DMA. The Coalition for App Fairness reacted by pointing out that the security concerns highlighted by Apple when it comes to downloading apps onto iPhones are seemingly absent when it comes to accessing apps on Macs. However, Apple should be satisfied as the final draft of the DMA enables the gatekeeper to impose strict cybersecurity standards to third parties.
Round two. The second stakeholder roundtable on the Platform Worker Directive took place on 14 April. The mood was less confrontational than in the last meeting when platforms clashed with the trade unions. Still, the format did not allow a lot of discussions as each speaker was allocated eight minutes to speak and very little time was left for discussion. Business representatives cannot shake the feeling that rapporteur Elisabetta Gualmini already knows what she wants to do and is organising these round tables as a ‘tick the box’ exercise. However, she did show openness in discussing the formulation of the criteria and how many should trigger employee status. The algorithmic management provisions, another key part of the legislation, was not discussed for lack of time.
What now. The draft report is expected by the beginning of May. According to a draft timeline that circulated in the Parliament, the consideration of the report in the EMPL committee is expected on 19 May, with the deadline for amendment set for 1 June. The EMPL hearing is expected on 13-14 June (tbc) and the consideration of amendments between the second half of June and the first half of July. The vote in EMPL is expected in October and the plenary vote in the second session of November. The timeline is still provisory and does not leave a lot of room for solving potentially contentious issues. Gualmini seems to think that there will not be huge divergences given the broad support the Parliament’s own-initiative report had in September. However, for obvious reasons, there is much more attention to this file, and the fact that the EMPL shadows, which traditionally are more sensitive to social affairs issues, will be able to control their entire group is not a given. Especially in the Renew and EPP, which are still forming their position internally there are already noises that they don’t want to hurt the ‘genuinely self-employed’.
Meanwhile the Council. The member states are at a much more advanced stage on the file, having finished the first reading. Although not everyone has made their position public, the coalition of countries convinced that the criteria don’t work seems to be growing: after Sweden, Finland also published a critical position, which is shared by the Czech Republic – although they will not say it publicly as they will take over the file in July. At the moment, the French Presidency is dealing with plenty of questions on how the directive would work in practice, as every member state is concerned with the particularity of their legal system. It is yet not clear what the French will be able to achieve before the end of their Presidency.
Transpose it, or what? The Commission has urged Greece to transpose the EU Whistle-blower directive as the prosecution of two journalists who exposed a corruption scandal continues. The deadline for codifying the directive – which protects those who report corruption – passed in December 2021 and the EU executive called on the country in January to ensure its transposition. Greek MEP Stelios Kouloglou, however, told the Commission in response that much of the preparatory work on its implementation was still incomplete. The reprimand arrives at a time when several alarm bells have gone off on the state of media freedom in the Mediterranean country. Read more.
Fleeing journalists welcome. Germany’s government has pledged €1 million in support for Ukrainian, Russian and Belarussian journalists who have become refugees as a result of the war. €800,000 of the funds will go to the JX Fund, an initiative that distributes aid to media workers in exile, and the remaining €200,000 will go to the European Centre for Press and Media Freedom’s Journalists-in-Residence programme, which provides temporary working scholarships for refugee media professionals. Read more.
Sovereignty over content. Marine Le Pen will seek a stronger approach to online platforms if elected to the French presidency later this month. The far-right candidate’s proposals for the digital sector, presented earlier this month, focus heavily on sovereignty and include a call for judges rather than platforms to be in charge of content removal. If platforms fail to comply, she warns, the alternative would be the creation of “a free and open public social network” instead. EURACTIV took a further look at this, and Le Pen’s other digital suggestions. Read more.
Anonymity back on the menu. On the other side of the contest, incumbent Emmanuel Macron has reiterated his opposition to online anonymity and has refused to rule out dismantling platforms if necessary and if Europe cannot offer alternatives. The DSA and DMA, he said, are the beginning of a response to the power of these platforms, but has repeated his support for increased identity verification measures online. Read more.
Undisciplined Twitter. Despite France’s ban on “electoral propaganda”, political content was trending on Twitter during the election weekend. Ahead of the vote last Sunday, platforms were instructed to refrain from sharing content such as exit polls, in line with French election law. While Twitter said it had been cooperating with the French authorities in this regard and introduced mechanisms to that effect, hashtags such as #DimacheJeVoteMelenchon were still found to be trending on Saturday and Sunday. Read more.
The billionaire’s gambit. Elon Musk offered to buy Twitter for the price of $52.20 per share, or a total of $41 billion in cash, this week, shortly after rejecting an offer to join the tech giant’s board which followed the disclosure of his stake in the company. Musk has criticised the platform and its policies in the past, particularly with regards to free speech, and has said that the platform needs to be privatised in order to implement effective changes moving forward. If his offer is not accepted, Musk said, he would be forced to reconsider his shareholder position. Read more.
The lawmaker’s take. Regulation is crucial in ensuring that online platforms seeking to maximise profits become compatible with or foster consumer protection, democratic processes and workers’ rights, MEP Tiemo Wölken told EURACTIV in an interview this week, also covering the DMA, DSA and the EU’s upcoming platform worker directive. The lawmaker also warned against the development of European social media platforms, favouring instead the creation of a European public media platform for the improved sharing of content and bolstering of the European public cultural sphere. Read more.
Research & Innovation
Ultimatum to researchers. The European Research Council (ERC), a component of Horizon Europe and the main EU research funding body, has issued an ultimatum to the 150 successful grant applicants based in the UK, telling them that if they do not move to an EU institution in the next two months, they will be forced to forfeit their funding. The EU has halted the UK’s association with Horizon Europe until outstanding issues concerning the Northern Ireland protocol are resolved. UK-based applicants who were selected for grants under the ERC’s 2021 work programme received a letter outlining the deadline last week and many have since expressed concern that the timeline is too short and the demand that they relocate unfeasible, jeopardising their access to funding.
What else we’re reading this week:
Microsoft Customers Decry Cloud Contracts That Sideline Rivals (Bloomberg)
Twitter/Elon Musk: is funding secured this time? (FT)
Laura Kabelka and Mathieu Pollet contributed to the reporting.
[Edited by Benjamin Fox]