Tech Brief: the encryption question, NIS2 agreed, platform workers’ battle

Welcome to EURACTIV’s Digital Brief, your weekly update on all things digital in the EU.

 

“Today’s proposal sets clear obligations for companies to detect and report the abuse of children, with strong safeguards guaranteeing the privacy of all, including children.”

Commissioner for Home Affairs, Ylva Johansson

 

Story of the week: The European Commission has finally shown its hand with its much-awaited proposal to address child pornography online, obtained by EURACTIV before the announcement. As expected, the proposal sparked controversy over how it will affect encryption, framing the debate in terms of a dichotomy between child protection and privacy. At its core is the obligation for tech platforms to scan the communications of their users to detect child sexual abuse material (CSAM), upon a “detection order” coming from national authorities.

The news was very well received by children’s organisations, as Europe has previously been identified as a global hub for such despicable content. “We are pleased to see the proposal announced [on Wednesday] brings forward strategies which have the potential to improve this situation,” said Susie Hargreaves OBE, Chief Executive of the Internet Watch Foundation. Julie Cordua, CEO of Thorn, echoed these remarks calling the proposal a “milestone” and urging co-legislators “to prioritise the safety and privacy of children online.”

The battle with those opposed to the text is shaping up to be tough. Privacy defenders consider the proposal an indiscriminate and disproportionate intrusion into personal communications. “If passed, the European Commission’s proposal on online CSAM would harm online security and privacy, and is likely to create a surveillance system infringing on EU citizens’ right to privacy”, warned Adam Hadley, Founder and Director of Tech Against Terrorism.

Several platforms joined in the outrage over concerns the proposal will create backdoors to encryption or, at the very least, disincentivise the use of this process for messaging services. “It’s important that any measures adopted do not undermine end-to-end encryption which protects the safety and privacy of billions of people, including children”, said a spokesperson of Meta, WhatsApp’s parent company. “This would be the worst surveillance mechanism ever established outside of China, and all in the pretext of protecting children”, declared Matthias Pfau, CEO of the encrypted email service Tutanota.

“I’m prepared to hear criticism from companies because detecting CSAM, protecting children is maybe not profitable, but it’s necessary”, Home Affairs commissioner Ylva Johansson told journalists when presenting the proposal.

“I know there are rumours on my proposal, but this is not a proposal about encryption […] but about finding this specific illegal content”, she added, stressing that the proposal includes safeguards and is “technology-neutral”. In the European Parliament, the proposal is set to be assigned to the Civil Liberties committee, with maybe some minor concessions to the Legal Affairs committee. The EPP has already expressed interest in leading on the proposal.

 

Don’t miss: The European Parliament’s rapporteur for the platform worker directive, Elisabetta Gualmini, took an ambitious approach to her draft report published on Tuesday. The centre-left lawmaker adopted a position very close to that of the trade unions, removing the criteria approach proposed by the Commission in favour of a system where social security bodies would have to apply the rebuttable presumption when a platform informs them about new contracts. Similarly, the platforms would have to refute employment status during labour inspections and legal proceedings.

“These are not punitive measures against platforms,” Gualmini told EURACTIV in an exclusive interview. “We welcome innovation in the workplace, as long as it does not go to the detriment of workers’ rights.” Moreover, the Italian MEP made major changes to the part on algorithm management, requesting human oversight on all significant decisions and enlarging the scope to all workers that interact with AI. Workers would also be in a better position to unionise and collectively bargain on how the algorithms assess their performance.

The draft report was not well received by conservative MEPs, who organised an event on Thursday with the industry. EPP’s lawmakers Radan Kanev, Miriam Lexmann and Sara Skyttedal are particularly vocal in opposing the rapporteur’s position. This division seems to replicate the one from the Council, suggesting that social affairs are often more a matter of national political culture than party allegiance. The tight deadline for amendments, on 1 June with green week in between, creates more potential difficulties. We can expect thousands of amendments that will try to water down the proposal or even make it unworkable.

 

Also this week:

  • A political agreement on the NIS2 Directive was reached last night. Listen to what the Parliament’s rapporteur had to say.
  • French Presidency pitches changes to the AI Board and market surveillance authority in new compromise text and anticipates future points of discussion in a draft progress report.
  • The network contribution lobbying battle is gaining momentum.
  • The UK government set out its plan (or lack thereof) in terms of data policy, competition reform and media privatisation in the Queen’s Speech.
  • Google set up a new tool to extend dealing with publishers.

 

 

Before we start: The EU legislators have just reached an agreement on the revised Network and Information Security Directive (NIS2), flagship cybersecurity legislation. We caught up with the European Parliament’s rapporteur Bart Groothuis straight out of the trilogue to get all the details on the political deal.


Artificial Intelligence

Nationalised board. The French Presidency presented yet another compromise text in its rush to complete the first revision of the AI Act. This time it took aim at the European Artificial Intelligence Board and market surveillance authorities. The Board was significantly reworked to centre around the representatives of national governments, and no longer of the independent authorities, who will also take the chair and set up the rules of procedure. The Commission’s and EDPS’ roles have been significantly downsized, and eight experts proposed by SMEs, large companies, civil society and academia were added into the picture. The market surveillance authorities have been given the power to request the source code for high-risk systems with a ‘reasoned request’. The procedure for taking off the market non-compliant AI systems was clarified, with a shorter procedure if the case related to prohibited practices.

Report time. A first version of the progress report that the French Presidency is set to present to the Telecom Council on 4 June started circulating this week. In the draft report, seen by EURACTIV, France points to the progress it achieved on the requirements for high-risk AI systems, responsibilities for actors across the AI value chain, conformity assessment, enforcement and governance, law enforcement, general-purpose AI and support in innovation.

In terms of open questions, the French note that more work needs to be done to make the definition of AI and classification of high-risk systems clearer (and possibly narrower), to make the governance framework more centralised and to further clarify the law enforcement part. The delegation of powers to the Commission and its relationship with other legislation are also mentioned as future discussion points. Another compromise is expected before the end of the presidency on the part concerning regulatory sandboxes.

More time needed. The Internal Market/Civil Liberties committees’ deadline for amendments to the AI Act is to be postponed to 1 June, as several issues are still being discussed. In a hearing earlier this week, co-rapporteur Brando Benifei anticipated some of the points he will try to push: introduction of fundamental rights impact assessments, the extension of requirements for all systems notably in terms of accessibility, tighter rules for AI in the workplace, the extension of the ban on social scoring to private organisations, a clampdown on emotion recognition, third party impact assessment on emotion recognition. With so many issues on the table, the possibility that the plenary vote will slip to next year is becoming increasingly likely.

Competition

Better luck next year. The UK does not plan to introduce legislation this year to empower a new digital regulator created in 2021. The new bill was excluded from the Queen’s Speech on Tuesday, which sets out the legislative agenda of the upcoming Parliamentary session. The Digital Markets Union was established last year and currently operates on a non-statutory basis. While observers have noted that it has already helped to strengthen the UK’s tech regulation, it is now not set to receive legal backing until at least 2023-24. Read more.

Who likes e-commerce anyway. The Commission has adopted an updated set of competition rules in light of the growth of e-commerce. The new measures, the EU says, will provide businesses with clearer and more relevant guidance when it comes to assessing the compatibility of their supply and distribution agreements with EU rules. In practice, vendors will be able to establish different prices for online commerce in order to favour offline sales. Among the changes that the Vertical Block Exemption Regulation (VBER) and new Vertical Guidelines will implement are clarifications of the term “supplier” and of the rules on dual distribution agreements.

Merger regulation to change. A public consultation on the Commission’s proposal for revising its Merger Implementing Regulation and the Notice on Simplified Procedure opened this week, following a review launched in 2016 with the aim of simplifying the merger review process for cases that were unlikely to cause competition issues. Among the proposed changes are the expansion and clarification of which cases will be eligible, the streamlining of review procedures, the creation of electronic notifications and the introduction of safeguards to ensure cases that necessitate closer examination don’t inadvertently slip through the simplified procedure.

Copyright

Google’s peace offer. Google launched a new tool this week designed to broaden the reach of its Extended News Preview (ENP) agreements, under which the tech giant pays publishers to display enhanced previews of their content. Also announced this week was the news that Google has struck licensing deals with over 300 EU publications after years of tense platform-publisher negotiations triggered by the passage of the 2019 EU Copyright Directive, which afforded the latter the right to “fair remuneration” for the reuse of their material. Read more.

Cybersecurity

DORA is agreed. Parliament and Council negotiators have agreed on a provisional deal on new cybersecurity rules for the EU’s financial system, aiming to protect it against attacks and disruptions. The rules will cover financial entities regulated at the EU level, including banks, payment providers and investment firms, amongst others, and will introduce measures to strengthen and centralise reporting mechanisms.

G7 meeting. On 10 and 11 May, the G7 Digital Ministers met in Düsseldorf to discuss digitalisation and sustainability, the free flow of data, eSafety, competition, standardisation and the digitalisation of trade documents. Ukrainian Vice-Prime Minister Mykhailo Fedorov joined the meeting online, giving insights into the country’s cyber defence. “We agreed to share more information on the cyber resilience of the digital infrastructure so that we have a better overview of threat situations,” Germany’s minister for digital and transport Volker Wissing said in a concluding press statement. Read more.

Satellite cyber strike. The EU this week accused Russia of conducting a cyberattack against a satellite network just one hour before launching its invasion of Ukraine in February, the first time the bloc has officially blamed the Kremlin for conducting such a strike, foreign policy chief Josep Borrell said on Tuesday. The incident, officials said, disabled tens of thousands of modems, causing disruption to public authorities, businesses and users in Ukraine and a number of EU member states. On Wednesday, the UK and US joined the EU in condemning the attack, described by British Foreign Secretary Liz Truss as “deliberate and malicious”. Read more.

Top of the agenda. The incoming Czech Presidency is set to place a particular focus on hybrid threats during its six-month tenure at the head of the EU Council. Speaking to EURACTIV, the country’s Deputy Minister of Defence said that Russia’s invasion of Ukraine had emphasised the importance of cyber and disinformation in war and that the Czech Republic would focus on addressing these issues when it takes over the Presidency in July. Read more.

Are you even counting? Germany maintains that it has not been hit by Russian-based cyber-attacks since the war in Ukraine began, despite the rise in such incidents in other EU countries. However, this may in part be to do with how the country is defining these attacks, a cybersecurity researcher told EURACTIV this week. The lack of a fixed framework for classifying attacks means that records vary significantly between countries and comparisons remain complicated. Read more.

Resource constraints. Insufficient financial and human resources could hinder the implementation of the EU’s upcoming NIS2 Directive, Czech companies have warned. The broader cybersecurity requirements set to be contained within the directive have raised concerns among private firms that financial and administrative burdens may grow with the regulation’s passage, complicating existing efforts to better guard against incoming cyberattacks. Read more.

Cybercrime survey. 28% of SMEs in Europe experienced at least one form of cybercrime in 2021, according to new data from the Eurobarometer survey released this week. The SMEs surveyed said in general they are very concerned about the risks of different types of attacks, with 32% citing the hacking of online bank accounts as their primary worry, 31% citing phishing or other impersonation attacks, and 29% naming spyware or malware as their key concern.

Data & privacy

Data flow sunset? Included in this year’s Queen’s Speech was a promise by the UK government to introduce a data reform bill within the next parliamentary session. Last year the EU deemed the UK’s post-Brexit approach to data protection sufficient to continue data transfers between the two, but under the decision, there is a “sunset clause” that requires that it is reviewed in 2024. Brussels is already concerned about the implications for EU users of the UK’s stated desire to establish data flows with countries such as the US and Singapore, but the planned data reforms now cast even greater uncertainty over the future of data transfers across the English Channel. Read more.

Data breaches surge. The number of personal data breaches registered in France rose to an all-time high in 2021. According to a report it released this week, the French data protection authority, CNIL, received 5,037 notifications of personal data breaches last year, a 79% rise on 2020 figures. In part, CNIL officials explained, this reflects a greater awareness among companies of the need to report cyberattacks but is also a result of an increase in cyberattacks. Read more.

Protocol controversy. The Council of Europe’s Second Additional Protocol of the Budapest Convention on Cybercrime was opened for signature this week, with the view of modernising the original framework. The text will now require consent by the European Parliament, but civil society organisations and some MEPs are calling for an opinion from the European Court of Justice on the Protocol’s compatibility with EU treaties over concerns that it could threaten European law, particularly with regards to privacy. Read more.

Clear the path, please. The recently-proposed European Health Data Space (EHDS) could have huge impacts on health research if key barriers related to the cross-border secondary use of data can be overcome, a Finnish health data stakeholder told EURACTIV this week. These barriers range from legal to structural, but also touch on communication. Key to ensuring the smooth functioning of the EHDS, said Markus Kalliola, will be efforts to boost people’s knowledge about secondary health data, shown by recent studies to increase public support for its use. Read more.

Digital Markets Act

Ambassadors’ green light. EU ambassadors rubber-stamped the final text of the Digital Markets Act at the COREPER meeting on Wednesday. The next step is now the plenary vote set for 4 July.

No more changes. On Thursday, the European Commission replied to the privacy advocates and competition experts that warned about potential ambiguity in the data provisions (Art. 5.1). The EU executive dismissed the argument stressing that it is based on a “misunderstanding of the notion of consent as provided for in the GDPR,” and that the DMA complements but does not alter the data protection rulebook. Similar points were already raised by leading MEPs from the centre-right and centre-left. ICCL’s Johnny Ryan, the main driver of this initiative, told EURACTIV that the critical part will be that the Commission sticks to such a position and fully enforces it on any gatekeeper that might try to move away from it.

Make sure you are ready. The European Consumer Organisation (BEUC) wrote to EU Competition chief Margrethe Vestager this week to voice its concerns about the implementation of the DMA and DSA by the Commission and the member states. The consumer group fears that the Commission will lack the resources and expertise to effectively enforce the two landmark bills and to ensure the compliance of Big Tech, at a time when these companies, it notes, are expanding their legal presence in Brussels.

Digital Services Act

Written procedure (almost) done. The DSA shadows are set to receive the revised four-column document today – in theory at least. That means the written procedure between the rapporteur, Commission and Presidency. After being kept in the dark on this process, the shadows are preparing to fight any last-minute surprises.

Disinformation

INGE 2.0. The Parliament’s second special committee on foreign interference in EU democratic processes began work this week, re-electing MEP Raphaël Glucksmann as its Chair. The first committee (INGE) closed in March this year with a report that called for strengthened rules on social media platforms and the financing of political parties, amongst other measures. INGE 2.0 is set to build on this work over the next year and will convene for its first meeting, considering Russian disinformation and propaganda, next week. Also elected were four vice-chairs: Javier Zarzalejos (EPP), Morten Løkkegaard (Renew), Dace Melbārde (ECR) and Włodzimierz Cimoszewicz (S&D).

Gig economy

Deliveroo’s third way. The UK’s GMB Union and delivery company Deliveroo signed a Voluntary Partnership Agreement this week, providing the company’s 90,000+ self-employed riders with rights to collective bargaining and consultation in areas such as benefits and health and safety. The deal, which GMB describes as “the first of its kind in the world”, builds on a number of UK court rulings which have confirmed riders’ self-employed status, and also affords the union the ability to represent individual riders in disputes with the company.

Industrial strategy

Growth doesn’t stop. Germany’s digital industry continues to grow despite the war in Ukraine and high levels of uncertainty within the sector and among customers, according to a report published this week. The war’s impact on digital was found to be more limited than in other areas and the report predicts stable growth in the internet economy until the middle of the decade, with a growth in demand for internet services having been prompted by the shift to greater home working and price increases caused by the war leading to an upward trend in revenue. Read more.

Media

It’s not only Russia then? The EU has called for an independent investigation into the killing of well-known Palestinian-American journalist Shireen Abu Akleh in the occupied West Bank this week. Abu Akleh’s employer, Al Jazeera, said the veteran journalist was shot dead by Israeli forces on Wednesday while covering army raids in the city of Jenin, despite wearing a vest clearly marked with the word “press”. A second Al Jazeera journalist was also shot and injured. Israel has blamed Palestinians for Abu Akleh’s death and both the US and EU’s External Action Service have called for an investigation into the circumstances of her killing. Read more.

Channel 4 privatised. The British government will push ahead with plans to privatise the publicly-owned and commercially-funded Channel 4, it was confirmed this week after a broadcasting bill was included in the Queen’s Speech. Earlier this year the government announced its intention to sell off the broadcaster, a move which has prompted significant opposition. Downing Street has also called into question the future of the license fee that currently funds the BBC. In January, the fee was frozen for the upcoming two years, which the broadcaster warned could lead to layoffs and budget cuts, and the UK’s Culture Secretary Nadine Dorries said the government would be reviewing whether the funding system should be fundamentally altered to remove the fee altogether.

We won’t take that. Albanian Prime Minister Edi Rama’s claims that the Reporters Without Borders (RSF) 2022 Press Freedom Index findings were “lies” and “fantasy” have been disputed by the organisation, which released a response this week debunking Rama’s accusations. Albania fell 20 places to a record low of 103 in this year’s rankings, and RSF detailed accusations of police violence, threats and defamation suits. Read more. 

More funding than ever. To secure a more sustainable future for the media industry, financial diversification and collaborative funding models will be key, sector stakeholders said at an event on the future of the media this week. Philanthropic funding is one under-utilised strand of revenue for the media which could provide greater opportunities moving forwards. Speakers also emphasised the importance of cross-border projects in widening the scope of innovation with news media. Read more.

Platforms

Not wanted here. Electricity companies in Finland are refusing to sign contracts with Russian search engine Yandex over concerns it may be disseminating war propaganda. Yandex has had a data centre based near Helsinki since 2015, one of the few located outside of Russia. The company’s CEO was added to a sanctions list in March, following the invasion of Ukraine, prompting his resignation. Despite Yandex itself not having been sanctioned, Finnish providers are now ending their electricity contracts with the company, which is struggling to find new sources of power, relying on a diesel generator since April. Read more.

No opinion needed. Meta has withdrawn a policy advisory opinion request related to Russia’s invasion of Ukraine due to safety and security concerns. The company had asked its Oversight Board for policy guidance on content moderation relating to the war but later rescinded the request. While Meta says it is continuing to take steps to protect speech and take into consideration security issues on the ground, the Oversight Board said it was disappointed with the company’s decision and that it hoped it would not diminish Meta’s responsibility to attend to content moderation issues linked to the crisis.

Standards

The first political trilogue on the EU’s proposed common charger was held this week. The key differences between the Council and Parliament’s positions that have emerged from the meeting are the proposal’s scope, when it would come into application, unbundling and wireless charging. Another trilogue is set to be held before the close of the French Council Presidency at the end of June.

Telecom

Pressure is up. The telecom companies are now pushing hard on their proposal to make online platforms contribute to network costs. ETNO is organising an event on Monday in partnership with MLex. One to watch: Rita Wezenbeek, the Commission’s Director for Connectivity, is attending, hence expect some questions on further details about the initiative the EU executive is working on. GSMA will publish a new report on the internet value chain on Monday, and is organising an event on Wednesday. Yet another event sponsored by Orange is taking place on 31 May. Meanwhile, the platforms have started to reorganise after being caught flat-footed by the Commission’s announcement. This week, on-demand platforms launched their own lobby with the European Video on Demand coalition.

First setback. In the Council’s position on the Path to the digital decade, adopted by COREPER on Wednesday, the French Presidency managed to add both in the recital and the article a strong reference to the network contribution, namely that “all market actors benefiting from the digital transformation assume their social responsibilities and make a fair and proportionate contribution to the costs of public goods, services and infrastructures.” Similar language was proposed in the European Parliament by EPP MEPs François-Xavier Bellamy and Adam Jarubas. However, this proposal was rejected by the other political groups, according to compromise amendments dated 3 May seen by EURACTIV. According to an EP official, the S&D and Renew shadows essentially went against the rest of their groups, which had proposed similar language.

But more to come. The Industry committee is set to adopt the Parliament’s position on 17 May, after which the trilogue negotiations might provide a testbed for the power balance on this topic. There it will become clearer how strongly the Council, or rather France, will push for it, and how much unity there is in the Parliament to resist such pressure. The Commission’s position will be particularly interesting to watch, as their positioning here will suggest how far they intend to go with their proposal.

Open RAN politics. Open RAN presents security opportunities, such as the achievement of EU 5G Toolbox recommendations and increased visibility of networks, but the concept lacks maturity and cybersecurity challenges remain, according to a report published by member states with the support of the Commission and the EU’s cybersecurity agency, ENISA. Open RAN is becoming increasingly political, with American operators pushing for opening up the ecosystem and Europe’s Nokia and Ericsson scared to lose their competitive edge on network building.

Cautious approach. The report confirms Europe’s cautious approach to Open RAN, similar to the one on 5G networks, acknowledging the opportunities but also potential security pitfalls. The report mentions including Open RAN components in the 5G certification scheme, which might lead to more harmonisation and legal certainty compared to the technical standards developed in the United States. To push forward with Open RAN, the report recommends, the EU must adopt a cautious approach towards the rollout of its architecture, allowing ample time and resources to ensure that risks are identified and tackled. At the same time, the possibility for regulators to look into high-risk vendors might be problematic given the dynamic nature of Open RAN ecosystems.

Spectrum scarcity. Significant additional spectrum will need to be dedicated to 5G in the coming years if the generation of new networks is to reach its full potential and allow Europe to catch up technology-wise, GSMA’s Head of Spectrum told EURACTIV this week. Not only would this help Europe’s tech standing globally, Luciana Camargos said, but the allocation of mid-band spectrum to 5G networks would bring with it substantial socio-economic benefits. Read more.

Transatlantic ties

Anti-Russian Summit. The next TTC summit will be heavily focused on Russia, according to a version of the draft conclusions seen by EURACTIV. The document is dated 6 May, and although there might have been some changes since, the essence is the same. The focus on the confrontation with Russia is not only driven by the current political climate, but also by the desire to stick together and avoid more controversial points like the DMA, DSA and data sovereignty. There are some significant announcements, such as the establishment of an EU-US Strategic Standardisation Information (SSI) mechanism, a sub-group dedicated to AI, and a Cooperation Protocol on Information Integrity. The areas where the work progressed the most at the technical level are also those related to Russia: the fight against disinformation and export control. More recently, things started moving on the screening of foreign investments.

 

What else we’re reading this week:

How a Hollywood star lobbies the EU for more surveillance (Netzpolitik)

New push to make Big Tech pay more for bandwidth (Axios)

Intel’s $100B Ohio dilemma: Why it must spend a lot now to avoid spending more later (Protocol)

What we know about Spain’s cyber-espionage spyware scandals (The Guardian)

 

Mathieu Pollet and Laura Kabelka contributed to the reporting.

[Edited by Benjamin Fox]
