Departing from a tumultuous 2019, in which several tech behemoths faced the ire of European regulators, the forthcoming twelve months in the digital arena will prove to be lively in terms of EU policy.
2019 saw EU Commissioners hit out at online platforms for their lack of effort in targeting disinformation online, G7 ministers highlighting the ‘serious risks‘ of Facebook’s Libra ‘coin,’ a gradual fracturing of the EU market in terms of a 5G strategy, concerns mounting over the broader employment of Artificial Intelligence technologies, and the adoption of one of the most divisive files in the history of intellectual property law – the copyright directive.
And of course, we should not forget the announcement of the establishment of the EU’s landmark cloud infrastructure – Gaia-X, the rising importance of bolstering defence against cybersecurity threats to critical national infrastructures, or tougher EU privacy rules faltering – in addition to the bloc’s efforts in digital taxation falling short.
Against this backdrop, the EU’s new digital tsar, Margarethe Vestager, hit out at the so-called ‘biopower’ of global tech giants just before taking up her new post, giving us an insight into how she will seek to continue to impose her authority over the next year.
In terms of how the momentum of 2019 could propel the direction of EU policy this year, this is our take on what could be in store, in what will prove to be a ‘geopolitical’ 12 months for digital policy.
The European Commission is currently in the process of thrashing out the details of the Digital Services Act (DSA), a new framework due to be put forward in 2020, which will update the decades-old eCommerce directive and establish new rules governing the internet.
The DSA is likely to include measures aimed to tackle illegal content online and political advertising across platforms, as well as establishing an EU definition of hate speech. Adopting a common approach on hate speech at the EU level will be no mean feat, as differing interpretations on the concept have been manifesting recently.
On 19 December 2019, the German justice ministry released a draft law to combat right-wing extremism and hate crime – which ramps up the legal obligation under the German Network Enforcement Act for social media providers active in Germany to delete hate speech, so that such firms would now be required to proactively report offending content to the authorities.
In France, the National Assembly approved draft legislation on hate speech in July, a revised version of which went through the senate in December after having removed a 24-hour removal order obligation. Commission Vice President for Values and Transparency Věra Jourová said towards the end of the year that the French should hold tight on the plans for now, while the Commission puts the final touches to the Digital Service Act framework.
A important point on the DSA, is the fact that the Commission proposal is unlikely to re-open the liability exemptions in the e-Commerce Directive, which had been put in place to protect hosting providers.
Moreover, it remains to be seen whether disinformation and fake news will come under the scope of the digital services act. Last year, the Commission put into action the code of practice against disinformation – a voluntary framework that aimed to stamp out the spread of fake news online. Signatories included Facebook, Google and Twitter.
However, throughout the review process, Commissioners frequently criticised the lack of oversight by some of the platforms. Should disinformation continue to cause worry in terms of the integrity and independence of European elections, regulators in Brussels may very well consider more stringent measures to ensure that fake news is not given the space to foster online.
In another area of the digital services ecosystem, trilogue negotiations are still ongoing as part of the EU’s online terrorist content regulation, which aims to force internet companies to remove content promoting terrorism. There are several crucial areas of negotiation ongoing, including the timeframe of the removal orders and potential exemptions for educational, journalistic or research work.
Commission President Ursula von der Leyen has pledged to deliver a strategy on Artificial Intelligence and Ethics in the first 100 days of the new Commission. An EU source recently told EURACTIV that we are likely to see a ‘roadmap’ rather than a tightly defined strategy, as part of the announcement.
A report published in June by the Commission’s High-Level Group on AI suggested that the EU should consider the need for new regulation to “ensure adequate protection from adverse impacts,” which could include issues arising from biometric recognition, the use of lethal autonomous weapons systems (LAWS), AI systems built on children’s profiles, and the impact AI may have on fundamental rights.
Justice Commissioner Didier Reynders told his parliamentary hearing in October he would advocate for an ‘ethics-by-design’ approach, whereby products and services using AI take into account ethical guidelines at the earliest possible stage in their development.
Moreover, appearing at the European Parliament’s Knowledge and Big Data Innovation Summit in December, Lucilla Sioli, director of Artificial Intelligence and digital industry at DG CONNECT, suggested the EU’s plans in the field of AI could help foster an environment that would bolster European technology.
“There are technical reasons, together with the complexity of our geopolitical context that really call for us to be able to develop a lot of these key technologies,” she said.
Another area which hasn’t received much attention so far in the field of AI is how the technology will impact intellectual property rights. When AI is used to compose a work of art or create music, who owns the work? Should AI-generated works always be in the public domain? Some of these questions will only become more pertinent in 2020.
Following on from this, the EU’s copyright directive, adopted last year, will begin to be transposed in more countries across the bloc in 2020. Due to the divisiveness of the reforms, the nature or manner of how the measures will be transposed will be of interest. We already conducted a (partial) overview of how things stood towards the end of 2019.
One AI technology that will continue to raise concerns is facial recognition. Last year, the Swedish Data Protection Authority fined a municipality 20,000 euros for using facial recognition technology to monitor the attendance of students in school – the first fine issued by the Swedish DPA, and indicative of how attitudes towards facial recognition may be coloured over the next five years in Europe.
Meanwhile, France’s data regulator, the CNIL, said the technology breaches consent rules outlined in the EU’s General Data Protection Regulation, which states that users must give their permission before their biometric data can be stored.
In France, however, the issue is not so clear cut, President Emmanuel Macron has been keen to rally the benefits of his country’s new ID programme, ‘Alicem’, which employs facial recognition technologies for identity verification purposes. That being said, France’s Secretary of State for Digital, Cédric O, was wary about the project actually gaining traction, in an interview with Le Parisien.
In Brussels, the European Data Protection Supervisor, Wojciech Wiewiórowski, voiced a number of concerns with facial recognition technologies just before taking up the post in December, in a blog post where he highlighted the possible privacy and data protection issues.
Margarethe Vestager’s approach to AI is cautious, but not overly prohibitive. She told EURACTIV in November that “great opportunities come with great risks,” but that she has “strong reservations” with the ‘blanket’ application of some technologies in particular, such as facial recognition software.
In December, EU ministers adopted conclusions concerning the importance and security of 5G technology, stressing that an approach to 5G cybersecurity should be comprehensive and risk-based, while also taking into account ‘non-technical factors’. An important statement amid continuing pressure from the US administration on policymakers and regulators in Europe, who are yet to form a unified position the involvement of telecommunications giant Huawei.
In the Commission, an October report on the coordinated risk assessment of 5G networks noted that “threats posed by states or state-backed actors are perceived to be of highest relevance”. Member states have now been tasked with working on a set of measures to mitigate the cybersecurity risks outlined in the report. EU nations are currently working alongside the Commission and ENISA, the European Agency for Cybersecurity, in drawing up the plans.
5G is inextricably a geopolitical issue. Some member states, such as Poland and Romania, have adopted agreements with the US on the collaboration of next-generation mobile technologies, while others have tried to resist the US pressure.
In March, NATO’s Supreme Allied Commander in Europe, US General Curtis Scaparrotti, said the Alliance may cut communications with its German counterparts should the latter decide to collaborate with Huawei in the development of 5G. His comments prompted German Chancellor Angela Merkel to state that “we will define standards for ourselves,” and the Germans have since put forward measures to bolster their 5G security standards.
Towards the end of 2019, we conducted a survey of the state of play in Europe. Read here to find out more and expect 5G to dominate the telecommunications agenda over the following twelve months.
Many in Europe have heralded the recent implementation of the California Consumer Privacy Act, which took effect on 1 January, as being indicative of the global reach and influence of the GDPR. The new measures will give residents in the state much more control over how their personal data is protected online, while also placing more responsibility on businesses in their data protection practices.
In Brussels, following last year’s failure of EU ministers to agree on new measures to bolster data protection standards as part of the ePrivacy regulation, the EU’s new Internal Market Commissioner Thierry Breton suggested in December that the Commissioner may present a revised ePrivacy proposal as part of the forthcoming Croatian Presidency of the EU.
However, a Commission insider later informed EURACTIV that a complete overhaul of the measures is unlikely to be on the table, and Breton will rather seek to make ‘clarifications’ to the Croatian Presidency concerning any revisions to the text that could be made.
In addition, throughout 2020, the European Data Protection Watchdog is set to publish several recommendations on how to improve data rights.
Meanwhile, the UK’s withdrawal from the EU will have an impact on how data transfers will take place between the two parties. The Commission says it will begin evaluating the UK’s data protection standards with a view to securing an adequacy agreement “by the end of 2020.”
However, the Commission actually cannot commence an evaluation of UK data protection standards until the country has left the EU entirely, because the UK would still be bound by EU law during the transition period, which, under the current agreement runs until the end of 2020.
Moreover, even when such an evaluation takes place, there could be serious bumps in the road, especially when taking into account the UK’s previous ‘questionable’ track record in mass surveillance programs and the fact that the ECHR ruled in September 2018 that the U.K. had breached human rights in its mass surveillance program.
In terms of extra-territorial applications that have raised data protection worries, China’s TikTok video-sharing platform is being subjected to a national security review in the US, and the UK’s Information Commissioner’s Office will conclude its own investigation over the next few months.
It has increased its lobbying presence in the EU, hiring policy experts in Brussels, London, Dublin, Paris, and Berlin. The company, gearing up for the judicious eye of EU regulators, released its own transparency report on January 1.
Facebook, meanwhile, is set to go ahead in 2020 with plans to end-to-end encrypt communications across its messaging platforms, such as Facebook Messenger, Instagram and WhatsApp. The move was welcomed by privacy activists but criticised by those in the security world.
As part of the EU’s cybersecurity act, adopted last year, cybersecurity certification schemes may become commonplace for a breath of goods and services – the scope of which is still to be hashed out by the Commission working alongside ENISA.
EURACTIV understands that the priority for the EU is to ensure that hackable goods connected to a wider network of devices are likely to be included in the scope of the certification framework – including equipment used for 5G infrastructure, as well as Internet of Things devices and cloud services.
2020 may see significant cybersecurity breaches across public and private sectors, with a further blurring of the boundaries between hacktivism, criminality, and terrorism. Expect cyber warfare to very well be increasingly conducted with Artificial Intelligence activities, as well as an increase in the cost of cyber insurance as a result of an increase in threats and attacks.
[Edited by Zoran Radosavljevic]