The product liability train, the Commission’s AI guidelines
“The industry is going have a fit over this one. It’s a spectacular failure on our part.”
Story of the week: Brussels-based industry lobbyists have largely underestimated the Product Liability Directive, which is being revised after nearly 40 years to cover software, including Artificial Intelligence. The PLD, which is set to define the liability regime for the decades to come, was overlooked due to a combination of factors, mostly because the AI Liability Directive caught most of the attention despite being much narrower, and because of the regulatory overload with a massive amount of digital policy developments to follow. Meanwhile, the EU Council is on its way to reach a general approach later this month, leaving the European Parliament the only entry point for industry representatives. The new liability regime is set to be extremely consequential, as tech companies are increasingly targeted by class actions fuelled by commercially-motivated hedge funds and VCs from China and the United States. This phenomenon started to take place in the Netherlands in the last few years but might expand to other EU countries via the EU Representative Actions Directive. Read more.
Don’t miss: The Commission has issued internal guidelines on using and interacting with generative AI models. The EU executive’s internal rules mandate that staff members should refrain from inputting confidential information into generative AI systems to avoid that they are fed into the system and becoming public. In addition, AI-generated content should be critically assessed for biases and inaccuracies, to consider whether the outputs violate Intellectual Property rights and avoid relying on these AI models for time-sensitive tasks. Read more.
- Vestager launched an AI Code of Conduct in competition with Breton’s AI Pact.
- The EU Council is moving toward creating a new annexe listing highly critical products in the Cyber Resilience Act.
- The European Data Protection Supervisor slammed Frontex for collecting unreliable data.
- What was meant to be the last political trilogue on political advertising regulation has been postponed until further notice.
- The EU Council is closing in on the Product Liability Directive, whilst the European Parliament kicked off the technical work.
Before we start: If you just can’t get enough of tech analysis, tune in to our weekly podcast.
Data Act trilogues – where are we at?
The interinstitutional negotiations on the EU Data Act are at a critical stage, with fundamental aspects such as data-sharing and trade secrets still on the table.
Never stop moving forward
Since 2017, we’ve been committed to being better partners to drivers, better residents of the EU, and better citizens of the planet.
Find out more >>
CoC, AI Pact, can you keep up? In a surprise move, EVP Vestager announced at the press conference following the fourth summit of the Trade and Technology Council on Wednesday that the EU and US will be working in the coming weeks on developing a voluntary code of conduct for Artificial Intelligence, particularly generative AI. The idea is to introduce voluntary standards in this fast-paced industry, as the AI Act will take some years before it starts biting. The initiative wants to bring in as many partners as possible, starting with the G7, by building on the ‘Hiroshima AI Process’. However, the Code of Conduct, which is not even mentioned in the TTC joint statement, comes just one week after Thierry Breton announced an AI Pact when meeting Google’s CEO Sundar Pichai, in what seems to be an internal competition between Commissioners on who puts the hat on this hot topic.
AI Act standardisation request. The European Commission published its standardisation request on the AI Act. There are only a few significant changes from the version EURACTIV reported back in December. The final version specifies that accuracy should be understood as referring to the capability of an AI system to perform the task and not as statistical accuracy. It also states that “public interest should take a prominent role when executing this standardisation request,” but how this will be checked and enforced remains unclear.
Extinction warning. Mitigating the risk of extinction from AI should be made a global priority on the same level as other risks such as pandemics and nuclear war, yet another open letter from business leaders. The letter’s signatories include Bill Gates and OpenAI CEO Sam Altman, amongst many others.
More privacy troubles. Japan’s Personal Information Protection Commission has warned OpenAI over collecting user and third-party data as part of its machine learning process. The watchdog instructed the company not to collect personal information that requires special care from users or other parties and said it might take “additional steps”.
News media move ahead. News companies are exploring potential approaches to working with AI firms in ways that could help them reap the benefits of the tech rather than falling foul of it.
EdTech generative AI. Nearly half of the teachers report that their schools have already blocked or restricted the use of generative AI in some way, according to a new report by Capgemini, which also found that while 78% of teachers globally share concerns about the tech’s negative impact, 50% believe its potential outweighs the risks.
Meta’s AdTech concessions. Meta has proposed several proposed concessions in response to the UK Competition and Markets Authority’s concerns over its ad data practices. Meta has now offered not to use competitors’ advertising data for its Facebook Marketplace online classified ad service and has pledged to take steps to restrict the use of ad data for the development of other products. If accepted, a lengthy enquiry in the UK would be avoided. However, the company still faces investigation by authorities in Brussels, who in December informed the company of its preliminary view that its behaviour had distorted the market.
iRobot merger. The Commission launched an investigation on Thursday into Amazon’s $1.7 billion acquisition of vacuum maker iRobot. A provisional deadline of 6 July has been set for the enquiry, which it was earlier reported would focus on concerns over how the tech giant might combine the two companies’ data to its own advantage. The deal is also under scrutiny by UK antitrust authorities.
New highly critical annex. EURACTIV has obtained a Council draft text for Annex III of the Cyber Resilience Act, which includes a new Annex IIIa for categories of highly critical products. The new annex covers devices based on temper-resistant integrated circuits, hardware security modules, secure cryptoprocessors, smartcards, readers and tokens, all categories that were previously listed under class II. The intent seems to be to curtail the discretion of the Commission, which was previously in charge of defining what products should be considered highly critical and might be mandated to comply with certification schemes. Other changes include the reintroduction of ‘general purpose’ operating systems, microprocessors, microcontrollers, industrial automation systems, computerised numeric controllers and industrial Internet of Things products under class I.
EUCS saga unfolds. The European Cybersecurity Certification Group met last Friday to discuss the controversial European Cloud Services scheme (EUCS). A debrief with EU diplomats followed on Wednesday at the Cyber Working Party in what was defined as a ‘laconic’ presentation. The mediation attempt, revealed by EURACTIV, to focus most of the sovereignty requirements on a new high+ level of assurance does not seem to have been very successful, as the usual countries requested, once again, an impact assessment. However, for the first time, there was openness around this, with the Commission saying they would consider it but that it would have to be limited to this new category. National representatives now have until the end of June to submit written comments, and a new ECCG meeting might take place as early as next month. Meanwhile, France and Italy defended the latest draft at the Telecom Council today, whilst ENISA is due to have an internal meeting on the scheme.
AI in cyber. The progression of AI might bring with it a host of new challenges and risks. Still, it also contains new opportunities for cybersecurity in what experts have dubbed a technological tug-of-war. These potential avenues range from job creation to automation, but those working in the sector also warn that with new developments come new vulnerabilities, and so cybersecurity must remain a priority, with care taken not to divide the community into groups with differing approaches to the disruptive technology. Read more.
CRA ministerial discussion. At the Telecom Council today, EU ministers raised several points on the Cyber Resilience Act that require further discussion, namely the certification schemes, reporting obligations, exclusion clause, and open software. Dutch state secretary Alexandra van Huffelen stated openness on using certification schemes (without mentioning EUCS) in reference to highly critical products but stressed that “certification schemes should exist in the first place”.
Spies pointing fingers. Russia’s Federal Security Service (FSB) said this week it had detected malware designed to access specially-made “backdoor vulnerabilities” in Apple phones, which it said was being used by the US National Security Agency (NSA). Read more.
Europol’s Cyberthreat assessment. According to Emmanuel Kessler, head of prevention at Europol’s Cybercrime Centre EC3, the modus operandi of attackers is increasingly DOOS attacks and data theft. “Data theft is becoming a really big problem in our perspective,” he said at the EU-LISA industry roundtable.
Data & Privacy
Don’t trust your data. EU border agency Frontex generates untrustworthy risk analyses on migration due to the low reliability of the data it collects, the European Data Protection Supervisor (EDPS) said. Following an investigation, the EDPS questioned the agency’s methodology and found that the data it amassed was not sufficiently protected. These findings, the body said, raised concerns about the low reliability of the information being fed into risk analyses and the implications for certain groups that could be unduly targeted or overrepresented as a result. Read more.
Data Act update. EU officials involved in the trilogue negotiations on the Data Act are still optimistic that the file can be closed with the Swedish presidency. With two technical meetings taking place this week and three more next week, the positions of the co-legislators are said to be converging, with the B2G chapter virtually closed – and MEPs said they were close to giving in on personal data but just for responding to emergencies. B2B and B2C data sharing are the remaining major topics to be agreed upon, but while it does not seem to be hugely political, the presidency still needs to request an updated mandate for a compromise to be found. On trade secrets, the EU Parliament is unlikely to accept any non-disclosure motivated by ‘serious economic damage’, whilst there is more openness on security and data transfers outside the EU jurisdiction. Provisions on the alignment with the GDPR and product design are largely settled.
Digital Markets Act
Open the door please. A group of civil society organisations, including EDRi, ARTICLE 18, and the Irish Council for Civil Liberties, have written to the Directors General of the Commission’s digital and competition departments to clarify the role of third parties in the DMA’s implementation and avoid that it becomes “a closed-door discussion between the Commission and gatekeepers.”
Skills first approach. New data from LinkedIn shows that there could be a six-fold increase in the size of EU member states’ talent pool if hiring is conducted based on skills rather than traditional markets such as schooling and previous jobs. 45% of employers globally on LinkedIn are already using a skills-first approach, a 12% increase from the previous year, and this prioritisation could help to foster a more diverse EU workforce by opening up greater opportunities for women, Gen Z workers and people without bachelor’s degrees.
MEPs on disinfo. By a large majority, lawmakers have approved a report on countering foreign interference and information manipulation, calling for a “risk-based” and whole-of-society approach to tackling the issue. Read more.
Anti-disinfo AI. Ukrainian company Osavul has been using AI to fight against Russian disinformation within the context of the war, deploying Large Language Model technologies to upgrade information environment analysis.
Uber Files hearings. Uber CEO Dara Khosrowshahi spoke before the French Parliament’s “Uber Files” committee, arguing that the company has radically shifted its lobbying behaviour, moving from “an era of confrontation to one of collaboration.” A few days later, Uber’s Senior VP Pierre-Dimitri Gore-Coty told the committee he could not recall an email, seen by EURACTIV, in which he personally requested actioning a “kill switch” tool designed to destroy sensitive data before police and regulators could access it. The tool was abandoned in 2017 and is among the “mistakes” publicly identified by the company as having contributed to the exit of founder and previous CEO Travis Kalanick.
If it is broken, fix it. The second COREPER under the Swedish presidency failed to agree on a common position on Wednesday’s Platform Workers Directive. As EURACTIV reported, the split remains between member states that look for an ambitious legal presumption with no derogation and those who want a more liberal text. Luxembourg and Romania, which were previously against the compromise text, now said they could agree to it. However, France’s demand that a broad derogation clause be brought back from the recital to the operative part of the text is met with strong resistance – and negotiations have reached a stalemate. The text has now been added to the ministerial EPSCO agenda on 12 June in Luxembourg.
One system to rule all patents. The EU’s new Unitary Patent System was launched on Thursday to simplify the process for companies seeking to protect their intellectual property. Initially, the scheme will cover 17 member states and act as a “one-stop-shop” for patent registration and enforcement, reducing the administrative burden involved. A new Unified Patent Court has also been established and will preside over Unitary Patents and existing EU patents, providing a more consistent legal framework in which companies can exercise their patent rights.
Chip war spills over. Top server manufacturers in China, such as Inspur Group and Lenovo, have reportedly requested that suppliers suspend shipments of modules containing chips made by US-based firm Micron Technology. This follows a partial ban on the company’s products introduced by Beijing on Sunday. China has been a major market for Micron, and the adjustments needed to locate alternatives will likely not be immediate.
Sovereignty fund release date. A proposal for a European sovereignty fund is set for release on 20 June, EVP Vestager told a conference on deep tech entrepreneurship hosted by the Council’s Swedish Presidency in Stockholm this week. The proposed fund will be used, Commission officials have said, to support projects of interest for the EU, tackle critical dependencies and protect the integrity of the single market.
Further work is needed. After being taken off their agenda three times, the proposal aiming to fight child sexual abuse material was finally discussed at the COREPER level on Wednesday. Once again, the Commission defended the idea that encrypted messages can be scanned safely and feasibly. The file is still far from mature, though, as five technical meetings have been scheduled on the file in June and July to speed up progress. The thorny issue of detection orders (Articles 7 to 11) is on the agenda for 13 June.
Meanwhile in the Parliament. The first shadow meeting took place on Wednesday, and technical work kicked off on Thursday, with one more technical meeting scheduled for Monday. Seven political and 11 technical meetings are scheduled in total on 7, 14 and 28 June, and 5, 12 and 19 July. Technical sessions are equally intense, as there are 11 meetings scheduled on 8, 13, 26 and 29 June, and 3, 6, 11, 17, and 29 July.
Child protection petition. Child support organizations launched a petition on 1 June called Every Second Counts, referring to the fact that every two seconds, a piece of CSAM is shared online. Signatories already include Home Affairs Commissioner Ylva Johansson, MEP and CSAR rapporteur for the proposal Javier Zarzalejos, and Francois Hollande, the former president of France.
Independent from whom? The last Council text on the Media Freedom Act has fallen short of convincing those countries that have been pushing hard for making the new Media Board independent from the Commission, with the harshest critics convinced that the Swedish presidency is playing deaf under the influence of the EU executive. Countries like France, Germany, Portugal, and Poland are pushing to limit the staff supplied by the Commission to a merely administrative role and leave the decisions in the hands of seconded national experts. However, it is unclear how much this coalition will manage to obtain as Paris might have other priorities, especially on source protection, and Berlin is using this argument to obtain concessions for its Länder (federal states). Another point to be clarified is who would have to finance the Board – if the Commission or the member states and in what proportions.
No trilogue in sight. What is supposed to be the last trilogue on the proposal to regulate political advertising has been postponed at the request of the Swedish Council presidency, throwing their aim of achieving a general approach by June into further jeopardy. One European Parliament official told EURACTIV that the delay resulted from Stockholm’s desire to conclude all areas simultaneously rather than dealing with the file topic-by-topic. Read more.
Influencers law adopted. The French Parliament unanimously adopted a new law regulating online influencers on Thursday and the French government says it aims to establish similar legislation at the EU level in the future.
Exit confirmed. As anticipated by EURACTIV last week, Twitter has withdrawn from the EU’s Code of Practice on Disinformation, a move slammed as “dangerous and…irresponsible” by VP Věra Jourová.
Council closes in. This week, a new compromise text on the Product Liability Directive was circulated as the Council approaches a formalised opinion. The text, dated 23 May and seen by EURACTIV, clarifies the new provisions that would allow member states to extend liability on unknowable defects, specifying that the procedure with the Commission is one of notification and not of authorisation; the scope for open software is also refined together with the definition of defectiveness in relation to security updates, and the timeline for application was extended. Read more.
Parliament accelerates. The first technical meeting on the PLD was held this week. Discussions largely focused on the scope, limitation of liability, transparency and final provisions, whilst thorny issues such as the issue of software, burden of proof and disclosure of evidence were left out for the moment. A shadow meeting is planned for next Tuesday, with a technical one scheduled for Wednesday. The co-rapporteurs are pushing on the accelerator to reach a committee-level agreement by September, with bilateral meetings with political groups already kicking off.
NL vs fair share. Claims that the European telecoms sector is struggling financially are not supported by the facts and their veracity should be proven before the Commission moves ahead in addressing them, the Netherlands has said in a position paper, seen by EURACTIV, accompanying its response to the Commission’s consultation on the future of the telecom sector. In the document, the Dutch question whether the sector is lagging globally or whether there is an investment gap, and argue that forging ahead with a one-size-fits-all approach risks negative outcomes.
GIA ministerial discussion. The Gigabit Infrastructure Act was on the table of the Telecom Council today. Several countries like the Netherlands, Finland, Romania, Latvia, and Croatia called for the file to respect national situations, such as the heterogenous permit procedures. There were also calls from Italy to avoid an excessive administrative burden, whilst some smaller countries asked for a longer implementation time.
Recommendation spats. MEP Dita Charanzová received a reply from Commissioner Thierry Breton to her question regarding the preparatory work on the Gigabit recommendation. The reply states that the non-legislative reform took into account an external study and a stakeholder consultation. However, just a day before, the European Consumer Organisation (BEUC) penned a letter to the Commission’s digital policy department, underlying several problematic aspects of the recommendation, which in their view goes beyond the European Electronic Communications Code and risks raising both prices and barriers to enter the market.
Roam like in Moldova. EU and Moldovan telecom operators have issued a joint declaration on lowering roaming charges for those travelling between the countries, with a view to bringing Moldova into the EU roaming area.
TTC conclusions concluded. The EU, under French pressure, has tried to remove explicit references to China and Russia from the non-market practices and economic coercion sections in the joint TTC conclusions. The changes did not make it into the final text but are symptomatic of an underlying divergence between the two powers in how to approach China. The US vision seems to be expanding the TTC from an anti-Russian platform, as it has been since the war of aggression against Ukraine, into an anti-Chinese one.
What else we’re reading this week:
How Taiwan became the indispensable economy (FT)
China isn’t waiting to set down rules on generative AI (MIT Technology Review)