Tech Brief: AI Act deal, very large online platforms designated
Welcome to EURACTIV’s Tech Brief, your weekly update on all things digital in the EU. You can subscribe to the newsletter here.
“We have made a great effort to construct an ambitious text that is up to the great challenges posed by AI, but without abandoning a competitive model that respects the social model of European values.”
-Brando Benifei, European Parliament’s co-rapporteur for the AI Act
Story of the week: The main political groups of the European Parliament have reached an agreement on the AI Act. Following two technical and two political meetings, the agreement was reached after what a European Parliament official described as the “tensest day of negotiations so far”. The real point of contention, as anticipated, was on the prohibited practices. The EPP managed to get read of the ban on general monitoring algorithms but had to accept limiting ex-post biometric identification to serious crimes and prior judicial approval. Whilst all the groups supporting the deal (EPP, Renew, S&D and the Greens) committed not to table alternative amendments and key votes, the EPP was conceded to attempt a split vote on ex-post identification during the committee vote on 11 May. ID and the Left might still try something, together with some isolated MEPs, but if the agreement holds, there should not be room for surprises.
The MEPs confirmed the ban on emotion recognition in the areas of law enforcement, border management, workplace, and education. The ban on predictive policing was extended to administrative offences following the example of the Dutch child benefit scandal. Very large online platforms’ recommender systems have been added to the list of high-risk use cases, whilst AI used in critical infrastructure will also be considered high-risk if it has the potential to cause serious environmental damage. The Greens obtained that high-risk AI systems must keep track of their environmental footprint, whilst foundation models must comply with European environmental standards. Read more.
Don’t miss: The European Commission identified 19 platforms that will fall under the Digital Services Act’s stricter regime. All of the platforms had communicated figures that surpassed the 45 million EU users threshold. The only exception was Zalando, which recently revised its notice to include a second figure based on a broader interpretation. The designated platforms now how until 25 August to comply and produce their first risk assessment. Speaking to reporters, Commissioner Breton said that there are still four or five platforms that approach the threshold, and the Commission is looking at their methodology. He also added that Twitter agreed to run a ‘stress test’ in June but that TikTok and Facebook are also on his ‘special watch’ list. Read more.
Also this week:
- The UK competition authority shot down the Microsoft-Activision merger.
- The Swedish presidency completed the first full rewrite of the Cyber Resilience Act.
- The European Commission presented its controversial patent package.
- The UN Cybercrime Convention became a battleground between the West and authoritarian regimes.
- Dutch MEPs have taken aim at Google’s advertising practices.
Before we start: If you just can’t get enough tech analysis, tune in on our weekly podcast.
Today’s edition is powered by VivaTech
Unravel the technology of the future, and glimpse into the game-changing innovations that will be showcased at Viva Technology on June 14-17 in Paris!
Book your pass for Europe’s biggest startup and tech event >>
Consumers on generative AI. The European Consumer Organisation (BEUC) has called for an inquiry into generative AI systems and the potential risks they pose to consumers. While there are potential benefits to the tech, BEUC notes, there are also concerns related to impersonation, deceptive advertising, protection of children and data protection, amongst others. The organisation also says the AI Act is insufficient to tackle the issue quickly and calls for greater scrutiny and control by public authorities.
CNIL in the AI race. A new paper by the CNIL, France’s data protection authority, has outlined an overview of generative AI chatbots, examining their language processing and learning methods. The document looks at their evolution, novel uses and the technical and legal risks associated with them, including, for example, biased data and outputs. The review is part of a broader effort of the CNIL to position itself as the regulator that will enforce the AI Act in France.
AI and migrants. A letter from Amnesty International to MEPs urges the legislators to ensure that the rights of migrants, asylum seekers and refugees are protected in the legislation. While the letter might preach to the converted, these areas will likely be the main friction point with the EU Council once the trilogues kick off in late June. It is dubious the Parliament might find a sympathetic ear in the Spanish presidency, given Madrid’s efforts to curb migration flows from Morocco.
A doomed marriage? After the US Federal Trade Commission, the UK’s Competition and Markets Authority (CMA) is the second competition regulator to throw a roadblock on Microsoft’s proposed acquisition of gaming company Activision Blizzard, ruling that the solutions offered by the tech giant in response to the watchdog’s concerns were insufficient. The CMA found that the deal, which also faces regulatory scrutiny in the EU and US, poses a threat to competition across several markets but that the steps Microsoft had offered to rectify this contained “significant shortcomings” and would inevitably require CMA oversight. Read more.
Don’t take no for an answer. Microsoft’s President, Brad Smith, reacted with outrage to the CMA’s decision, and in an interview with the BBC, hit out at the UK government, saying the move was “bad for Britain” and that the message was that the EU was a more attractive place to start a business. “People are shocked, people are disappointed, and people’s confidence in technology in the UK has been severely shaken,” he said. The CMA’s decision is indeed a terrible blow for the acquisition, which had, in the meantime, cashed in green lights from tens of jurisdictions, including Japan, Sony’s domestic market. The blockage is unusual for the UK regulator, with the most malicious saying the authority is praying on a merger, counting on the fact that the FTC was already blocking it.
DMA, Made in the UK. The view that gives the CMA more credit is that the authority is taking an unprecedentedly bold stance to protect consumers. The Markets, Competition and Consumer Bill introduced this week after it was shelved last year might have played a part in emboldening the competition watchdog. The legislation is set to usher in changes to the country’s competition and consumer protection laws. It will give statutory backing to the new Digital Markets Unit, a department within the antitrust authority that will regulate the largest tech firms, which was established in shadow form in 2021. Read more.
Microsoft’s peacekeeping. Meanwhile, Microsoft is trying to settle all the competition fronts it has opened. In a bid to stave off antitrust enquiries by EU authorities, Microsoft is set to remove the requirement that users of its Office software also have the Teams video call and messaging app automatically installed on their devices, the FT reported. The as-of-yet unconfirmed decision follows a complaint in 2020 against the bundling of the two by workplace platform Slack and prompted Microsoft to pledge that, moving forwards, companies will be able to buy Office without Teams, though how this would work in practice is not yet clear.
CRA full rewrite. On Wednesday, the Swedish presidency presented its first full rewrite of the Cyber Resilience Act (CRA) at the Cyber Working Party. The very notion of the critical product has been removed, the criteria for falling under Class I and Class II have been reduced from three to two, several categories have been removed, and a couple related to consumer products added. A unique product identifier for security updates and the possibility to remove all data when disposing of a device were added to the list of essential requirements. The Commission’s discretion in the standardisation process has been curtailed, considering the ever more frequent delays. Read more.
No space for prima donna. “There is no room for prima donna politics in cybersecurity. This is a team effort. No individual actor or superpower alone can provide the level of cybersecurity that our society expects,” Margaritis Schinas, the Commission Vice President responsible for cybersecurity, said at the Cyber Agora on Tuesday. The not-so-subtle reference is to the national governments that have been resisting the Commission’s push to centralise operational capacity and intelligence sharing at the EU level with the Cyber Resilience Act.
AI for cybersecurity. The EU’s cybersecurity agency, ENISA, has published an assessment of AI cybersecurity standards, recommending standardised terminology and technical guidance for how they should be applied. The body also suggests greater cooperation and coordination between standards organisations to address cybersecurity concerns coherently.
ICANN vs DNS threats. A new project by the Internet Corporation for Assigned Names and Numbers (ICANN) is set to systematically analyse cyberattacks’ preferences and examine possible approaches to mitigating malicious activities across top-level domains.
Data & Privacy
A chair for three. Candidates are lining up to become the next Chair of the European Data Protection Board when the term of its current leader, Andrea Jelinek, ends on 25 May. Officially, there are three candidates: Bulgaria’s Ventsislav Karadjov, the Finn Anu Talus and Dutchman (and current Deputy Chair) Aleid Wolfsen. It will almost certainly be Anu Talus, two sources informed on the matter told EURACTIV, as Karadjov does not stand a chance and Wolfsen is a rather last-minute candidate. Interestingly, neither the French nor the German authorities have thrown their hat into the ring, despite the fact they would have the resources to bring strong leadership – but are at times in conflict with the EDPS. The Board’s Chair is a time-consuming role held in parallel with the national role, and the fact the strongest authorities do not apply for the post might mean their priorities lay elsewhere.
Cookie pledge roundtable. The first stakeholder roundtable on DG JUST’s cookie pledge initiative occurred this morning. The discussion was rather preliminary, but several stakeholders raised doubts regarding the Commission’s striving away from the mainstream data protection doctrine, the risk of reinforcing Big Tech’s position via a centralised browser setting and the importance of cookies not only for advertising but also for audience measurement. While this is just the beginning of the ‘reflection’, many of those involved doubt anything meaningful can be agreed upon.
IMCO’s Data Act update. Briefing IMCO colleagues about the last Data Act trilogue this week, opinion rapporteur Adam Bielan said that the last session focused on switching and interoperability between cloud services. The next trilogue will be held on 23 May, with at least two further technical meetings planned on the provisions covering cloud issues.
More complaints incoming. The Irish Council for Civil Liberties (ICCL) has submitted a new complaint. With a previous complaint, the ICCL pushed the Commission to conduct bi-monthly reviews of every large-scale European case. Now, the Irish NGO wants that the EU executive does that retroactively too. The ICCL says that it twice tried to raise the issue with Justice Commissioner Didier Reynders but received no response.
EDPS on admin procedures. The European Data Protection Supervisor (EDPS) has published its contribution to the Commission’s consultation on strengthening cooperation between national authorities in General Data Protection Regulation (GDPR) enforcement. The EDPS emphasises the need to ensure that effective and efficient cooperation is not limited to cross-border cases but that it must also apply where personal data is transferred from EU institutions and other bodies.
Digital Markets Act
Data workshop. The Digital Market Act’s (DMA) interplay with the GDPR, effective and privacy-compliant data portability and limitations on gatekeepers’ use of business users’ non-publicly available data are among the topics set for discussion at the next DMA stakeholder workshop. Set for 5 May, the session will focus on the legislation’s data-related obligations and will feature speakers from academia, industry actors such as Meta, Google and Amazon, and regulators, including the French Data Protection Authority (CNIL).
Digital Services Act
Access to researchers’ act. The Commission has opened a call for evidence on the delegated act concerning vetted researchers’ access to platform data under the Digital Services Act. The measures will specify the conditions under which such data sharing should occur and the purposes for which this data can be used.
INGE’s report. This week, MEPs adopted a report on foreign interference and information manipulation, calling for coordinated EU action on the issue, particularly in light of Russia’s invasion of Ukraine and the upcoming European elections. The report, prepared by the Special Committee on Foreign Interference (INGE) addressed platform responses to disinformation, critical infrastructure and resilience-building and called for a new approach to identify and consider the involvement of “high-risk third countries”. Read more.
Jourová vs Twitter. Commission vice-president Věra Jourová has said she feels increasingly uncomfortable on Twitter due to the rise of Russian disinformation on the platform. The Commissioner also this week criticised Twitter over reports that changes at the company have led to a surge in propaganda, saying that it signalled the company was failing on its Code of Practice on Disinformation commitments. Read more.
Still stuck. Over a year in, the negotiations on the Platform Workers Directive continue to be stuck in the EU Council, despite the Swedish presidency’s latest mediation attempt. At the Working Party meeting on Monday, Spain was ‘very irritated’ by the latest compromise text, EU diplomats told EURACTIV. The file will now be discussed at the COREPER level in mid-May.
SEP draft law. The Commission’s controversial patent package dropped on Thursday. The main component is a proposal intended to increase transparency and ensure fair access conditions to patents essential to comply with technical standards. The draft law has been toned down compared to a previous draft, but a large chunk of the industry is still adamantly averse to it and warns it might lead Europe to further lag behind in the international tech race. Read more.
More export restrictions in sight. Germany is looking to possibly limit the export of key chipmaking materials to China, amid a broader effort by Berlin to reduce the country’s economic exposure to Beijing, according to Bloomberg. Discussions are still preliminary, but the restrictions would focus on certain chemicals central to the semiconductor production process. They would follow similar moves recently made by other countries, such as the US and the Netherlands.
UN controversial Convention. National representatives were gathered last week in Vienna to discuss the UN Cybercrime Convention, which has become a battleground between the EU and other Western countries and China, Russia and other authoritarian regimes. The ten-day session saw several divisive subjects covered, including chapters on international cooperation, safeguards on personal data, electronic databases and evidentiary requirements for extradition. Read more.
Slow headway in Council. Several national governments have not yet formed their opinions on the Child Sexual Abuse Material (CSAM) proposal, EURACTIV has learned, but a COREPER meeting set for 3 May is due to give more political guidance to the technical work. The Swedish presidency is holding back from talking about the big questions on the process of Detection Orders, and no clarity is expected on these orders in the Council until mid-May at the earliest. Still, the Justice and Home Affairs Council plans to adopt a partial general approach on the file on 8 June.
IWF 2022 report. The Internet Watch Foundation’s (IWF) 2022 report about child sexual abuse material online was released this week, showing that most of the children affected are girls and the most-affected age group is between 11- to 13-year-olds.
Another worrying sign. The issues plaguing the media sector, including increasing abusive lawsuits against journalists, physical attacks, restrictions to freedom of information and media ownership concentration, remain unresolved in most EU countries and have, in some cases, worsened, according to a newly-released report by the Civil Liberties Union for Europe.
Call to action. Separately, the Committee to Protect Journalists (CPJ) has also issued a new report on press freedom in the EU, concluding that, while progress has been made, further action from Brussels is still needed and detailed several recommendations.
JURI’s metaverse hearing. Experts on the Metaverse gathered this week to discuss the regulatory challenges associated with the tech, organised by the Parliament’s legal affairs (JURI) committee. The meeting focused on two key issues: intellectual property and data. While experts saw intellectual property law questions to warrant a more long-term approach, those surrounding data protection were emphasised as larger and more immediate concerns.
Citizens’ Panel outcome. Harmonising labour market legislation and training for work in the Virtual World, regularly reviewing existing related EU guidelines and providing training and education on them are among the final recommendations issued by the European Citizens’ Panel on Virtual Worlds. The suggestions, which were put together by participants during discussions on the topic between February and April, also cover equitable connectivity, information-sharing and international cooperation and standards.
Dutch MEPs vs Google. Six MEPs have written to Google’s Europe President urging action on malicious advertising following an investigation by Dutch broadcaster Radar which found that services such as emergency plumbers were paying to boost their ads via the company’s ad platform and subsequently engaging in unfair trade practices such as overcharging customers. Google has said it has taken steps to address the issue. Read more.
Second pol ads trilogue briefing. The second trilogue on the political advertising regulation focused on four key elements, rapporteur Sandro Gozi said during an IMCO meeting this week. The Council raised legal concerns regarding the compatibility of the first two – the principle of non-discrimination in the cross-border provision of political advertising services and clarifying the proposal to ban sponsors who are not EU citizens or established in the EU. The Commission expressed concerns about the financial burden of the proposal to create an online ad repository. The next trilogue will be held on 5 May, focusing on targeting.
The scope question. The EU Council is starting to question its own position, especially with regard to the scope. Eleven EU countries asked to re-discuss this part of the text that was fed to the presidency from the Commission, but a Working Party meeting on Monday did not solve the issue, EURACTIV has learned. Jourová’s cabinet seems more open to revising the scope, whilst DG JUST does not see the issue of organic content unintentionally falling into the scope.
ECON pro-fair share. The 2022 Competition Report was adopted by the Parliament’s economy committee (ECON) this week, with a plenary vote set for May or June. Amongst the key points raised in the report, there is a call for the Commission to establish a policy framework where large traffic generators contribute fairly to the adequate funding of telecoms network. The wording was pushed by MEP Stéphanie Yon-Courtin, who carried the day against the file’s rapporteur René Repasi. Repasi opposed the amendment as the German liberals and greens opposed the senders-pay initiative.
A telecom-focused presidency. Spain reportedly plans to push forward with telecom sector mergers during its Council presidency later this year amid Brussels’ ongoing antitrust investigation into the proposed €18.6 billion union of Orange and MasMovil. The outcome of the inquiry is expected to indicate the Commission’s future stance on telecoms sector consolidation. Still, Spain’s Telecommunications Secretary has said the presidency hopes to contribute to the necessary changes for the European market to compete globally.
What else we’re reading this week:
ASML, Europe’s Most Valuable Tech Firm, Is at the Heart of the US-China Chip War (Bloomberg)
Google’s DeepMind-Brain merger: tech giant regroups for AI battle (FT)
Julia Tar, Theo Bourgery-Gonse and Alina Clasen contributed to the reporting.
[Edited by Nathalie Weatherald]