Digital Brief: To GDPR or not?

The Digital Brief is Euractiv's weekly tech newsletter.

Welcome to EURACTIV’s Digital Brief, your weekly update on all things digital in the EU. You can subscribe to the newsletter here

 

“I cannot predict now whether it will be so easy.”

 

– Commission Vice-President for Values and Transparency Věra Jourová, 24 June, speaking about a future UK adequacy decision on data transfers.

 

GDPR Review. On Wednesday (24 June), the European Commission presented its first review of the application of the General Data Protection Regulation across the EU. As well as calling for greater harmony and increased resources given to certain member states, the executive also cast doubt over a future data transfer agreement with the UK, should the country seek to diverge from EU data protection law.

 

*Also this week*

Chinese cybersecurity spat, ENISA certification, Commission on hate speech, EU crowd control tech, digital tax war, Facebook data sharing in Germany, Libra clampdown, COVID apps in Croatia & Germany, and more…

Digital Brief: To GDPR or not?

 

The Commission’s assessment of the UK’s data adequacy will have to be made in rapid time if it is to be passed before the end of the transition period at the close of this year, and earlier this week, Vice-President for Values and Transparency Věra Jourová said that she couldn’t predict whether the UK will be fit for a data adequacy agreement with the EU anytime soon.

“I cannot predict now whether it will be so easy and without any further negotiations needed for the possible adequacy decision because we do not know whether or not the UK will introduce some changes in their national legislation which might deviate from the general line of the general data protection regulation,” she said.

As part of the GDPR review published on Wednesday this week, the European Commission said that “a high degree of convergence in data protection is an important element for ensuring a level playing field between two so closely integrated economies.”

The UK transposed the EU’s GDPR into national law with the 2018 Data Protection Act, but Prime Minister Boris Johnson earlier this year said that the UK would diverge from the EU framework, which gives powers to privacy authorities across the EU to enforce fines of up to 4% of global revenue or €20 million for data protection breaches.

From the UK’s side, there could be a degree of spurious rhetoric here. It is likely that the UK will eventually be rubber-stamped as adequate, meeting the minimum standards required for an agreement. However, the country will also look to pursue a more pro-innovation, liberalised personal data economy, as much as it can do within the framework of the adequacy agreement.

More broadly, as part of the GDPR review, the Commission reiterated the importance of EU data protection authorities being adequately resourced to deal with vast quantities of data protection complaints.

“Given that the largest big tech multinationals are established in Ireland and Luxembourg, the data protection authorities of these countries act as lead authorities in many important cross- border cases and may need larger resources than their population would otherwise suggest,” the document states.

However, between 2016 and 2019, Ireland saw the largest upturn of all EU member states, with a 169% increase in staff during this period, with Luxembourg on 126%.

After the publication of the review, EURACTIV heard from a number of stakeholders on the issue.

The European Data Protection Supervisor said that “resources available for the national data protection authorities (DPAs) are sometimes insufficient and there are some discrepancies caused by the different legal frameworks and national procedural laws.”

Eva Simon, senior advocacy officer at the Civil Liberties Union for Europe (Liberties), added: “In the two years since the law’s entry into force, enforcement has been the weak link. There are still far too many governments, organisations and businesses flouting the rules.”

Tom De Cordier, a partner at Brussels-based global law firm CMS, said: “As the impact of COVID-19 continues to be felt, governments struggling with public debt may look to reduce resources further, which will impact the enforcement landscape. I would therefore not be surprised if, in the short to medium term, the number of GDPR-investigations decreases and that turnaround times of the ongoing investigations increase.”

Read more on a leaked identical copy of the GDPR Review EURACTIV obtained ahead of the presentation here.

 

Cybersecurity

EU-China spat. EU Commission President Ursula von der Leyen has suggested that China may have been behind a spate of cyberattacks against hospitals in Europe during the coronavirus outbreak, stressing that the EU will not “tolerate” such malicious activity.

The accusations were levelled at the conclusion of a virtual EU-China summit on Monday (22 June), which brought together von der Leyen and Council President Charles Michel with Chinese counterparts, Premier Li Keqiang and President Xi Jinping.

“We have seen cyber attacks on hospitals and dedicated computing centres,” von der Leyen said, adding that she had “pointed out” to Premier Li and President Xi that such attacks along with China’s disinformation campaign in Europe “cannot be tolerated.”

China quickly countered, with a statement sent from the Chinese mission to EURACTIV saying that the country itself feels victim to cybersecurity threats.

“Even during the COVID-19 outbreak, cyber attacks targeted at China do not stop.  China is a staunch defender of cybersecurity. We are firmly opposed to and are committed to tackling all forms of cyber attacks and cyber theft in accordance with the law,” the statement read.

“We have noticed the relevant comments by the EU side and have lodged representation. Those comments are completely unacceptable and we have asked the EU side to provide evidence.”

ENISA certification members. The EU’s cybersecurity agency, ENISA, has published a list of members of its Stakeholders Cybersecurity Certification Group (SCCG), which will work on a certification framework for products and services as part of last year’s Cybersecurity Act. Read the list here.

 

Digital Services Act

Hate speech. The European Commission has applauded efforts by some of the world’s largest tech platforms in stifling the spread of illegal content, in the last evaluation of the EU’s code on countering illegal hate speech online before the Digital Services Act is presented later this year.

Meanwhile, last week France’s top court rejected most of a draft law that would have compelled social media giants such as Facebook and Twitter to remove any hateful content within 24 hours, it said on Thursday (18 June).

IMCO study. Parliament’s Internal Market Committee has commissioned a study, published this week, on the EU regulatory framework on content moderation and the practices by key online platforms. The document features recommendations on improving the EU legal framework within the context of the forthcoming Digital Services Act.

 

Artificial Intelligence

EU crowd control tech. The European Commission has given its ‘seal of excellence‘ to a technology that provides ‘advanced video analytics, including real-time face recognition and crowd behaviour analysis,’ to be used in the bloc’s fight against another potential outbreak of the coronavirus.

UK AI Study. The UK’s Centre for Data Ethics and Innovation (CDEI) has published its AI Barometer, an examination of the most pressing opportunities, risks, and governance challenges associated with AI and data use in the UK.

 

Data strategy

Earlier this week, S&D MEP Miapetra Kumpula-Natri, rapporteur in the European Parliament for the Industry Committee’s report on the EU Data Strategy report, presented an event ‘Building a European approach to Data Society,’ with Internal Market Commissioner Thierry Breton making an appearance.

The plans put on the table by the Commission in February involve the creation of nine common EU data spaces across sectors including healthcare, agriculture and energy, as well as the establishment of a Data Act in 2021, that could “foster business-to-government data sharing for the public interest.”

Kumpula-Natri highlighted during the event the importance of common guidelines for cross-sectoral data flows, and also pitched the establishment of a data governance body. Breton, meanwhile, said that a Data Governance Act will be presented after the summer and that the 2021 Data Act will aim to accelerate access to industrial data in the EU.

One of the more contentious issues that arose during the event was how as part of the EU data strategy, non-personal data (which the EU wants to liberalise) and personal data (ring-fenced by high data protection laws) can be distinguished from one another. While Agustin Reyna of the European Consumer Organisation, BEUC, said that this was an impossible distinction to make, Facebook’s Director of Social and Economic Policy, EU Affairs, Phillip Malloch, said the lines between personal and non-personal data should be straightforward to draw.

 

Platforms

Facebook data sharing Germany. With immediate effect, the Facebook company must stop merging and sharing user data from its Facebook, Whatsapp and Instagram platforms in Germany, according to a ruling by the country’s highest court. EURACTIV Germany reports.

 

Crypto

Libra clampdown. The European Commission will present later this year new rules to develop a “sound” crypto-asset market in the EU, including for stablecoins such as Facebook’s digital currency Libra, Financial Services Commissioner Valdis Dombrovskis said on Tuesday. Jorge Valero reports.

 

Coronavirus

Croatian App. Interior Minister and head of the National Civil Protection, Davor Božinović, has advised citizens not to travel abroad but guaranteed “safe stay in Croatia’s tourist destinations’’. The country’s COVID-19 mobile app will be ready for use in July, Jutarnji list daily was told on Thursday by the company APIS, whose experts are developing the app to trace contacts for the Croatian market.

According to unofficial information, the country’s health ministry had already sent a request to Apple and Google to register the application in Croatia, reports EURACTIV Croatia’s Karla Juničić.

First German tracing app notifications. A week after its roll-out, Germany’s so-called ‘Corona-Warn-App’ issued its first push-notification to users that have come into contact with infected people, reports Sarah Lawton. On Tuesday (23 June), around 24 users were registered as infected with COVID-19, and that evening, the app sent out notifications to their contacts. Given the decentralised data privacy approach, officials do not know how many people were notified or where they were located.

UK U-turn. Britain will switch to the Apple and Google model for its COVID-19 test-and-trace app, ditching an attempt to develop an app by itself after the homegrown system did not work well enough on Apple’s iPhone, the government said on Thursday (18 June).

French slow start. France’s COVID-19 app has sent just 14 notifications since its launch, Bloomberg reported earlier this week.

 

Digital Tax

Digital tax war continues. After Washington confirmed on Wednesday (17 June) that the US had pulled out of talks on global rules for taxing the digital economy, French finance minister Bruno Le Maire told radio station France Inter on Thursday that it was “a provocation to all OECD partners as we were just a few centimetres away from an agreement on taxing digital giants.” Le Maire also stated the move had provoked US allies. EURACTIV France has the details.

For their part, German Finance Minister Olaf Scholz (SPD) and French counterpart Bruno Le Maire (LREM) are confident that the current OECD negotiations on international tax systems will be concluded by the end of 2020. EURACTIV Germany reports.

On this subject, Christy Hoffman, general secretary of UNI Global Union, and Oliver Roethig, regional secretary of UNI Europa, write in EURACTIV this week that now is the time for the EU to step up to the plate on digital tax. The European Commission has repeatedly said that it will go its own way should OECD talks fail.

 

Digital Economy and Society Index

Bulgaria bottom. After the European Commission’s recent publication of the Digital Economy and Society Index, which pits the digital and technological performance of member states against one another, Kalina Angelova this week observes how for a second consecutive year, Bulgaria has been ranked last among all 27 EU members, despite having a powerful IT sector, concentrated mostly in the capital Sofia.

 

Media

Possible criminal charges against a taz journalist. German Interior Minister Horst Seehofer (CSU) is contemplating criminal charges for the author of a satirical piece published on the media outlet taz. Critics accuse him of infringing press freedoms and Chancellor Angela Merkel has reportedly weighed in on the matter. EURACTIV Germany’s Sarah Lawton looks into what had caused such an uproar.

Hungarian Editor booted off management board. The editor in chief of Hungary’s most popular news website, Index, Dull Szabolcs, will no longer be part of the publication’s management board for making public internal decisions, 444.hu reported. Szabolcs warned on Sunday (21 June) about a planned overhaul that would jeopardise Index’s freedom to publish stories critical of Prime Minister Viktor Orbán’s government, says EURACTIV’s Vlagyiszlav Makszimov.

Czech Support for media. Czech media could benefit from a €75 million package as reports by investigative server Neovlini.cz point to the government working on a grant support scheme for Czech media that have suffered from the COVID-19 crisis.

However, while Cultural Minister Lubomír Zaorálek (S&D) later clarified that it was too early to speak about numbers because no concrete proposal had yet been tabled, Finance Minister Alena Schillerova (ALDE) confirmed that the idea of a grant support programme had already been discussed, reports Aneta Zachová from Prague.

 


On my radar

Next Tuesday, the European Data Protection Supervisor will present its 2020-2024 strategy, highlighting the EDPS’ aim to ‘promote responsible personal data processing in the wake of the pressures exerted by the Covid-19 pandemic on data protection and privacy.’ The EDPS is responsible for overseeing data protection standards across EU institutions. 

 

What else I’m reading this week:

  • China’s GPS competitor is now fully launched (TechCrunch)
  • Google Sets Time Limit on How Long it Will Store Some Data (New York Times)
  • UK allows Amazon to invest in Deliveroo (BBC)

 

Subscribe to our newsletters

Subscribe
Contribute