Tech Brief: EU standard-setting, cyber intelligence competition, cookie pledge
“To affirm its commitment to applying human rights online, the European Union adopted new standard-setting rules that aim to create a safer and more trustworthy online space for users and consumers.”
Story of the week: Brussels will push for its digital rules to become the global standards at an upcoming UN convention focused on creating a shared vision for digitalised society. According to a document produced earlier this month and seen by EURACTIV, the EU Council has adopted the EU’s contribution to the UN’s Global Digital Compact and emphasises how Europe could act as an international standard-setter in areas such as online safety (Digital Services Act), contestable markets (Digital Markets Act), artificial intelligence (AI Act), international data flows (General Data Protection Regulation) and telecom regulation (European Electronic Communications Code). The EU seems determined to define its own policies as the world’s best practices, going as far as proposing to adopt the Digital Decade targets in the UN Global Digital Compact.
Don’t miss: The EU’s diplomatic arm, the European External Action Service (EEAS), is working on the revisions of the Cyber Diplomacy Toolbox, which, according to documents seen by EURACTIV, will involve the development of a Public-Private Partnership inspired by the Ukrainian model of cyber threat intelligence. While the partnership is still ill-defined, European companies are expressing doubts about what is in it for them and about the level of information that can be shared if American companies with strict relations with US intelligence services are also involved. Moreover, the EEAS initiative is in competition with the Commission’s Cyber Reserve to be set up under the Cyber Solidarity that is due next month. Meanwhile, European governments seem determined to keep the most valuable intelligence in their hands.
- The EU consumer department will launch a voluntary pledge to address the ‘cookie fatigue’.
- The Swedish presidency made its first attempt at bridging the differences on the platform workers’ directive.
- MEPs are discussing differentiating foundation models from ‘true’ General Purpose AI in the context of the AI Act.
- EU countries have raised issues with encryption, data rotation and removal timelines in the CSAM proposal.
- The attempt to split the Media Freedom Act did not fly in the European Parliament, for now.
- Major German parties have been accused of breaching data protection rules during the 2021 federal election campaign.
Before we start: If you just can’t get enough of tech analysis, tune in to our weekly podcast.
Data sharing in the DMA & DSA
The Digital Markets Act and Digital Services Act include unprecedented measures forcing online platforms to share data. We caught up with Inge Graef, an associate professor at Tilburg University, and Filippo Lancieri, a researcher at the ETH Zurich University, who …
GPAI vs foundation models. This week, the technical discussions on the AI Act focused on General Purpose AI. The direction taken is to distinguish ‘true’ GPAI models from foundation models based on the training datasets. GPAI is considered with unlabelled data that need further training by the provider, such as algorithms developed to recognise skin cancer. By contrast, foundation models, as defined by Stanford University, include ChatGPT and Stable Diffusion and have labelled data. Whilst discussions on the obligations are still ongoing, a possible compromise taking shape is to have a stricter regime for foundation models and more basic obligations for GPAI.
Enforcement crunch time. Next Wednesday, MEPs are expected to close batches related to enforcement and sandboxes. The governance architecture of AI regulation is still a heatedly debated topic. Renew IMCO and the EPP are against an AI agency, which in their view means the AI Office should not have any enforcement powers of its own. On the other hand, S&D LIBE does not trust the Commission with enforcing cross-border cases. Still, there are strong pushes from left-to-centre lawmakers to introduce an element of centralisation to avoid a GDPR-style impasse. The way out of this pickle might be a rather unworkable solution, counting on the fact that the EU Council usually dictates the lines on enforcement.
Liability for generative AI. A US Supreme Court justice has suggested that the companies behind generative AI tools such as ChatGPT could be held liable for the content they produce. The comments arose as part of a case against Google currently in court, in which the tech giant is being sued by the family of an ISIS terror attack victim for its alleged failure to remove content aimed at recruiting new group members. The suggestion of potential liability adds to the already murky legal waters around generative AI.
US take on copyright. The US Copyright Office sought to clarify this week the applicability of copyrights to artistic works created using artificial intelligence. Following a decision last month in which copyrights for images produced by the generative AI tool Midjourney were rejected, the new guidance says that eligibility for such protections hinges on whether the AI’s contributions are the product of “mechanical reproduction” or reflect the author’s “own mental conception”.
Mind its limits. GPT-4 “exhibits human-level performance on various professional and academic benchmarks” but is less capable than humans in many real-world scenarios, according to a new technical report on the software published by its creator, OpenAI, this week. The document, which looks at the goals and abilities of the new tech, also highlights its limitations and vulnerabilities, warning that care should be taken when using its outputs, “particularly where reliability is important”.
Bard’s partial launch. Google has partially opened access to Bard, its rival to ChatGPT. Users in the US and UK can now join a waitlist to access the chatbot, which the company has said is designed to complement rather than replace its search engine.
ChatGPT industry uptake. 40% of small to mid-sized digital firms are using ChatGPT 3.5 for automating tasks such as social media management, customer service, and data analysis, suggesting a positive outlook for GPT-4, according to research by Workyard.
Auditors will audit. The EU Court of Auditors has launched a new audit on artificial intelligence to examine whether the Commission’s coordinated action plan will likely position the EU as a global AI leader.
Turning the tide? Proposed remedies submitted to the Commission last week by Microsoft regarding the company’s planned acquisition of Activision Blizzard reportedly focused solely on cloud gaming services, excluding points about consoles and making no mention of key rival Sony, indicating that the Commission has narrowed its focus. The deadline for the EU executive’s decision on the deal has been pushed back to 22 May, with conclusions of ongoing investigations by authorities in New Zealand and the UK due before this, and developments in the latter now moving in a more positive direction despite a rocky start.
App store ambitions. It was also announced this week that Microsoft plans to launch a new game-focused app store on iPhones and Android devices if the Activision deal goes through, in what the head of Microsoft Gaming said was a move to expand access to Xbox content.
No showstopper expected. Brussels antitrust regulators are reportedly expected to grant unconditional clearance to Google’s purchase of the Croatian-developed maths app Photomath. Approval of the deal, agreed upon last May, would see the US giant’s acquisition move ahead without conditions.
Competency fight settled. At long last, the Conference of Committee Chairs issued its recommendation on allocating competencies for the Cyber Resilience Act. While ITRE stays in the lead, IMCO will get exclusive competencies in general product safety and machinery products. IMCO will also have shared competencies in the free movement of products, high-risk AI systems, CE marking and conformity assessment.
Expect quick turnarounds. ITRE’s rapporteur Danti is determined to close the file within this mandate and might finalise his draft report by the end of next week. IMCO rapporteur Morten Lokkegaard also has a tight timeline in mind: draft opinion ready next week, the deadline for amendments on 26 April, and the committee vote on 29 June.
Cyber skills gap. The 10th annual European Cybersecurity Conference was held in Brussels this week, with policymakers and industry representatives gathering to discuss the topic amid rising threats and a burst of regulatory action at the European level. Stakeholders stressed the need to focus on cyber skills for EU legislative requirements to function.
Few will be ready. According to a new report by cybersecurity firm Cisco, just 9% of companies in Europe are prepared to deal with cyber threats. The company’s Cybersecurity Readiness Index found that, except for the UK and Germany, the proportion of Europe’s companies that are ready to deal with cyber-attacks is significantly lower than the international standard of 15%.
Moving targets. Ransomware attacks have become the most prominent threat to the transport sector, almost doubling between 2021 and 2022, according to a new report released this week by ENISA. Beyond this, data-related threats, malware, and denial-of-service attacks are also prominent.
Data & Privacy
Cookie pledge incoming. The Commission’s consumer protection office is set to launch a voluntary initiative on cookies next week, which might pave the way for a future legislative proposal. The cookie pledge will target the current system of repeat data processing consent requests seen as leading to ‘cookie fatigue’. One of the options on the table is to allow users to set their preference just once in their web browser, a measure that already spurred controversy in the context of the ePrivacy Regulation. Questions remain in relation to how the initiative would interact with existing legal requirements and potential unintended consequences.
German parties targeted. Digital rights group NOYB filed numerous complaints against major German political parties this week, accusing them of having breached EU data protection rules during the 2021 federal election campaign by using unlawful microtargeting techniques on Facebook in order to attract more voters.
Olympic-level surveillance. France’s plan to install a system of AI-powered surveillance cameras during the 2024 Paris Olympics looks set to move ahead after lawmakers approved the authorisation bill this week. The plan has drawn strong criticism from civil society groups, opposition MPs in France and MEPs who argue that it opens the door to extensive, potentially permanent surveillance.
No news is good news? The Swedish presidency shared the final version of the Data Act ahead of the COREPER sign-off this week, which was moved to this afternoon due to organisational issues related to the European Council summit. The only difference between the sixth compromise text and the ultimate document, seen by EURACTIV, was that the latter included a specification that the regulation should not affect EU or national legislation on access to data for scientific purposes.
Digital Markets Act & Digital Services Act
DSA update. The Commission DSA team met with MEPs on Tuesday, saying the number of very large online platforms is at least 19 or 20, whilst four or five are either on the verge of passing the threshold or the bureaucrats’ estimates differ from those of the platforms themselves. Legal challenges are to be expected, even from the companies that declared themselves to be VLOPs. In terms of secondary legislation, the next one is the delegated act on audits, expected on 18 April. The legal act on data access is only expected by 7 February 2024, meaning its application might even slip to 2025. In terms of enforcement, the Commission said they are “working well with Ireland.”
DMA expert group. This week, the Commission established a High-Level Group on the DMA, gathering 30 experts, industry representatives, and regulators to provide advice on implementation and discuss elements such as emerging services and practices to future-proof the legislation. The group will have a two-year mandate and meet at least once a year.
Regulatory potential. At the annual conference of the Commission’s legal service, Commissioner Thierry Breton and President of the EU General Court Marc Van der Woude emphasised the role of the DMA and DSA in boosting transparency and accountability and clarifying obligations.
eIDs trilogues start. The first trilogue meeting on the eIDAS proposal was held on Tuesday, when EU policymakers stated their political priorities and started discussing topics such as data protection, cybersecurity and robust governance. The role and functionality of the EUDI Wallet were also discussed, and a timeline for negotiations to be concluded during the Swedish presidency was agreed. The first technical meeting took place on Thursday, kicking off discussions on general provisions and notification procedures.
Compromise or die trying. The Swedish EU Council presidency proposed narrowing down the derogations for the presumption of employment in a new attempt to bridge differences after negotiations broke down in December. The proposed text also clarifies the application and scope of the presumption while leaving room for EU countries to put in place collective bargaining agreements. What remains to be seen is if the more pro-employment status camp will be willing to concede before Spain takes over the presidency. The compromise will be discussed at a Working Party meeting on Monday.
JustEat reverses course. The food delivery platform JustEat UK, which historically championed full-time employment for all riders, announced on Tuesday (21 March) it would stop offering UK riders full-employment benefits such as sick leave and holiday pay. The company has to lay off as many as 1,700 workers, as the number of customers dropped by 9% in the past year. In February, JustEat’s CEO, Jitse Groen, endorsed the European Parliament’s decision to vote in favour of a legal presumption of employment as part of the platform workers’ directive.
‘Giving the finger’ to French law. Uber went all in to force itself into the French taxi market, and lawmakers did nothing about it, Uber Files whistle-blower Mark MacGann told a French Parliamentary Investigation Committee on Thursday (23 March). He told MPs Uber acted out of sheer avarice, driven by a profit-making mentality that hurt drivers the most. He implored France, an open sceptic of the EU platform workers directive, to change its vote and support the general implementation of a legal presumption of employment.
Czech-Taiwanese collaboration. A group of Czech politicians and industry representatives travelled to Taiwan this week to discuss Taipei’s planned €33 million investment in developing chip technologies in Czechia. Also for discussion on the highly political trip is a plan to establish a Czech-Taiwanese chip research centre to share expertise.
Ireland’s chip support. The Commission has approved a €100 million scheme put forward by Ireland to support the country’s microelectronics-manufacturing sector amid Russia’s war against Ukraine. The funding will take the form of direct grants and aid to offset rising energy prices, part of a broader push to support sectors in accelerating the green transition and reducing fuel dependencies.
Supercomputing summit. This week, experts and stakeholders met in Göteborg for the Euro High-Performance Computing Summit. Discussions included an examination of supercomputing in the context of the Commission’s digital decade goals and how to prepare European R&I to utilise exascale computing, as well as more sector-specific focuses.
CSAM national priorities. In their feedback on the CSAM proposal, many countries raised issues with end-to-end encryption, removal timelines and preservation of evidence, with Germany using a particularly defensive tone towards encryption. Various national governments also highlighted notification of victims, content removal and the exclusion of voice communication as priority areas within the ongoing Law Enforcement Working Party discussions.
An influential advocate. Ashton Kutcher, Hollywood star and co-founder of Thorn, was in Brussels this week to push EU policymakers to adopt the CSAM proposal swiftly. Addressing the privacy concerns spurred by the draft law, Kutcher said there are already tools that allow the detection of such material without violating people’s privacy. Mistrust, in his view, is because these technologies are not well understood yet.
Mission to Spain. A delegation from the parliament’s Pegasus committee to investigate the use of spyware travelled to Spain this week but lamented a lack of access to information and raised concerns over judicial oversight of the cases.
No split, for now. An attempt to move significant chunks of the European Media Freedom Act into a directive, driven by German publishers, has been halted in the Parliament – for now. The push was informally made by the file’s rapporteur Sabine Verheyen, with the support of the S&D shadow Petra Kammerevert. They faced overwhelming opposition inside the house (and even parts of their groups). However, some say the idea is not off the table yet, as EU Council’s legal opinion might provide its supporters with a powerful argument in this sense.
The ban race. Dutch authorities have become the latest to ban TikTok from civil servants’ work devices, following similar prohibitions in Europe and beyond. Dutch officials went beyond TikTok and took aim at other Chinese apps deemed ‘sensitive to espionage’. Meanwhile, France’s National Assembly, in very Gaullist fashion, advised lawmakers to limit their use not only of TikTok but also of American platforms like WhatsApp.
Content moderation update. TikTok has updated its Community Guidelines in what it says is its ‘most comprehensive refresh’ to date. The changes, which will come into effect on 21 April, include advancing existing rules on the treatment of AI-generated or modified content, adding ‘tribe’ to the list of protected attributes in the company’s hate speech and hateful behaviour policies and providing increased detail on ongoing work to protect civic and election integrity.
Meanwhile, in Russia. Russian government officials have reportedly been ordered to replace their iPhones with devices seen as less vulnerable to hacking by the end of the month, according to Russian media Kommersant. The requirement covers those working in four presidential administration departments but could soon be expanded also to cover regional political blocs.
Orange-Voo merger. The Commission has approved the proposed merger of Belgian telecoms provider VOO and Brutélé by Orange on condition that Orange abide by commitments it made to competition authorities during their investigation. Among these was a pledge by Orange to provide Telenet, one of North Belgium’s major operators, with access to existing fixed network infrastructure and the company’s future fibre-to-the-premises network, for the next decade, a move which expands Telenet’s reach to the rest of the country. The clearance of the mobile-to-cable merger was not unexpected as it is part of a broader telecom market consolidation. However, the remedy of turning Telenet into a national operator is a rather interesting precedent.
Repair directive. The Commission presented this week its proposal for a directive on common rules promoting the repair of goods, aimed at incentivising repair over replacement as a means of boosting sustainability. The proposal is part of a broader focus on the right to repair and more environmentally conscious consumption practices and is intended to tackle barriers to repair for consumers as well as placing obligations on manufacturers.
What else we’re reading this week:
The case for slowing down AI (VOX)
How to Fix the TikTok Problem (The New York Times)
Bing A.I. and the Dawn of the Post-Search Internet (The New Yorker)