Welcome to EURACTIV’s Tech Brief, your weekly update on all things digital in the EU. You can subscribe to the newsletter here.
“Gatekeepers will now have to adapt if they want to benefit from the Single Market”
– Thierry Breton, European Commissioner for the Internal Market, told EURACTIV.
Story of the week: Thierry Breton, European commissioner for the internal market, announced in a post on the social media platform X the list of gatekeepers that fall under the Digital Market Act (DMA). They include Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft. This list of online services designated as “gatekeepers” will now have six months to adapt to strict antitrust practices or face up to 20% global annual turnover fines. While Samsung did not make the list of gatekeepers, Meta qualified for five of its “core platform” services: Facebook, Instagram, WhatsApp, Messenger and Meta Marketplace. Alexandre de Streel, an academic director at the Centre on Regulation in Europe, commented, “It is not probable that a company contests it is a gatekeeper itself, but more probable that it contests that one of its core platform services qualifies as a gateway”. Read more.
Don’t miss: A study published by Mozilla reveals that 25 of the most known car brands collect user data using connected devices, microphones, and cameras. Car brands that scored a failing mark for consumer privacy include BMW, Ford, Toyota, Tesla, Subaru, Volkswagen, Mercedes-Benz, and 18 more. Twenty-one car brands keep the right to share personal data, and 19 can even sell it. While the companies denied wrongdoing, the study proves the lack of GDPR enforcement in the automotive industry. Raffaele Zallone, an expert in data privacy law, told EURACTIV that the Commission should press the automotive industry to draw a code of conduct and then review the practices put in place by the industry to ensure compliance is reached. Read more.
Also this week:
- Apple now champions privacy protection, halting the development of a photo-scanning tool to detect child sexual abuse material
- As the Slovak elections are coming closer, social media platforms are now obliged under the DSA to combat electoral manipulation
- Tech companies are optimistic about the latest stage of the UK government’s Online Safety Bill, with the removal of message scanning provisions.
Before we start: If you just can’t get enough tech analysis, tune in on our weekly podcast.
UK prepares for its AI Summit. The UK government has set out its ambitions for its upcoming AI Summit, to take place on 1 and 2 November. This week, Secretary of State Michelle Donelan is launching the start of a formal engagement, while the Prime Minister’s Representatives for the AI Safety Summit, Jonathan Black and Matt Clifford, are beginning discussions with countries and organisations. Last week, a roundtable was hosted by the Secretary of State with civil society groups. The summit will focus on the risks of AI, as well as on international collaboration, possible measures to take, and safe developments of artificial intelligence. As EURACTIV reported last week, China is rumoured to be included in the summit despite the disapproval from the European Union, Japan, and the United States.
Guarding data. As EURACTIV reported last week, after OpenAI announced on 8 August that GPTBot, the company’s web crawler, will automatically collect data from the entire internet to train its GPT-4 and GPT-5 models, many French media groups, such as France24.com, RFI.fr, mc-doualiya.com, Radio France and TF1, all decided to block the tool from collecting data from their websites. They already followed the steps of several English-language media, like The New York Times, CNN, Reuters, Chicago Tribune, the Australian Broadcasting Corporation, and other Australian Community Media brands such as the Canberra Times and the Newcastle Herald. This week, on Monday, The Guardian decided to join the list of such media and disallow the tool. “The scraping of intellectual property from the Guardian’s website for commercial purposes is, and has always been, contrary to our terms of service,” a spokesperson for Guardian News & Media, publisher of the Guardian and Observer, said, adding that “The Guardian’s commercial licensing team has many mutually beneficial commercial relationships with developers around the world, and looks forward to building further such relationships in the future.”
AI principles. Twenty-six organisations representing creative professionals released ‘Global Principles for Artificial Intelligence’. The principles focus on the development, deployment, and AI regulation of systems and applications. This ensures that business opportunities and innovation can work within a framework. The principles are also aimed at ensuring that publishers can create and disseminate quality content.
AI Act loophole. The association European Digital Rights (EDRi) and 118 other civil society organisations, such as BEUC or Access Now, published a statement on Thursday calling on EU lawmakers to close a loophole in the AI Act. According to the signatories, those developers and deployers of AI that are considered to have ‘high risk’ when it comes to artificial intelligence, would have to make sure that their systems are safe from bias and lobbying. However, according to the organisations, there is a loophole which would allow developers of the systems to decide whether the system is ‘high-risk or not. The NGOs believe that this could result in legal uncertainty and enforcement issues.
AI made in Europe. Roberto Viola, director general of DG CONNECT, was invited to the Permanent Representation of Baden-Württemberg to speak about the implications of the AI Act and the potential to innovate AI in the EU. Viola emphasised that data and supercomputers are needed for the innovation of AI to take place in Europe. “We want to use supercomputers for the EU, and we want to offer this capacity to our startups,” Viola emphasised. “We want to ensure that those machines are there for our companies to develop ‘AI made in Europe’.”
French-German Alliance is back. The October agenda for Germany’s Chancellor Olaf Scholz and France’s President Emmanuel Macron is set. On October 9 and 10, a joint cabinet meeting will be held, with the agenda item being artificial intelligence. Particularly, France would like to see a different approach to generative AI in the current version of the AI Act.
Farewell, Vestager? The European Commission stated on Wednesday (5 September) that her Executive Vice-President and Commissioner for Competition, Margrethe Vestager, temporarily leaves her position so that she can concentrate on her candidacy for President of the Management Committee of the European Investment Bank. In the meantime, Vice-President for Values and Transparency Věra Jourová will take over the “digital age” portfolio, while Commissioner for Justice Didier Reynders will take responsibility for the Competition portfolio. The role of “executive Vice-President” remains vacant.
Merger approved. Under the EU Merger Regulation, the European Commission approved the acquisition of Swedish IT service provider Foxway by Dutch private equity investor Nordic Capital. According to the Commission, the merger would not raise competition concerns. “The companies are not active in the same or vertically related markets,” the Commission’s Press Corner reads.
EU-Cyber file pending. After working closely with the previous Council Presidency, the Spanish Presidency concluded a Council mandate on the Cyber Resilience Act in July. The current Presidency is now prioritising this file to come to an agreement with the European Parliament by the end of the year and before the EU elections in 2024.
Incompliance with cyber best practices. A whistleblower revealed that the Commission was not compliant with a system for best practices in cyber-security, called Cyber Essentials, at the time when hackers accessed Electoral Commission email correspondence back in August 2021. The data breach was not discovered until October 2022, and impacted some 40 million voters.
High-tech battle Ukraine vs. Russia. The head of the Ukrainian Security Service’s (SBU) cyber department informs that it uses Artificial Intelligence (AI) visual recognition systems to analyse information gathered from aerial drones, supported by human sources, satellites and other technical sources, to identify military targets. SBU also hacks surveillance cameras to monitor Russian troops. Similarly, Russia located their cyber team close to the front line.
China counters with iPhone ban. To cut reliance on foreign technology and improve cybersecurity, China’s government officials ordered a ban on iPhone usage. This move allows China to control the flow of sensitive information better. It remains uncertain how widely the order finds applicability. Previously, Beijing restricted officials at some agencies, but the order stretches now even further.
Data & Privacy
To scan or not to scan, that is the question. Following an eleventh-hour concession on the UK’s Online Safety Bill, the British government conceded message scanning for harmful content cannot happen until it is ‘technically feasible’ without compromising users’ privacy, yet tech companies are optimistic about potential changes. One of the controversial parts of the bill, which mirrors the EU’s DSA, was the so-called ‘spy clause’. This would allow scanning messages on apps like WhatsApp or Signal, which use end-to-end encryption to secure communications. Both companies welcome the latest reading of the bill, with President of Signal Meredith Whittaker saying that she is “hopeful that it opens the door for changes to the text of the bill in the final stages.” Read more.
Susie Hargreaves OBE, Chief Executive of the Internet Watch Foundation, told EURACTIV that “as far as we can see, the Government’s position on this has not actually changed, and there has been no change to the proposed legislation,” adding that “these powers were never intended to be used right from the off on the Bill’s gaining Royal Assent, and the best available technologies should always be deployed to help ensure the ends of the Bill.” Read more.
Passenger data. The Commission adopted the recommendations of the Council on Wednesday about opening negotiations with Switzerland, Iceland, and Norway for agreements on the transfer of Passenger Name Record (NPR) data to increase the Schengen area’s security. Transferring such data would help authorities detect, prosecute, and investigate terrorist and other criminal offences.
EU-Turkey aligns digitally. According to the European Commission, an agreement on the Digital Europe Programme was signed with Turkey. The Digital Europe Programme is a fund that aims to bring Tech closer to businesses, citizens and public administrations and has a budget of €7.5 billion. One of the purposes of this alliance is the creation of Digital Innovation Hubs in Turkey and Turkish participation in tech projects across the EU. Therefore, the Commissioner for Neighbourhood and Enlargement, Olivér Várhelyi, visited Ankara to discuss bilateral relations and cooperation in this vein during the week.
Roam in Moldova. In June 2023, the EU-Moldova Priority Action Plan was agreed, outlining the priority of bringing Moldova into the EU “roam like at home” area. Future steps include fully integrating Moldova into the Free Trade Area and EU Single Market. “Roam like at home” allows Moldovan citizens “to use their mobile phones under the same price conditions as if they were in Moldova,” reads the Commission’s press release.
Digital gathering in Tallinn. IT, tech, and digital leaders gathered in Estonia for the Tallinn Digital Summit to address challenges and seek dialogue. The aim of the summit is to “refresh the agenda of democracy and technology,” its website states. The Summit identified three agenda items: Resilient governance, responsive governance, and open governance.
EU tamed Apple. According to EU law, introduced in September 2021, phone manufacturers must adopt a common charging connection by December 2024 in hopes that this would cut waste and save users’ money. Now, it seems that Apple’s latest iPhone is likely to have USB-C chargers instead of the lightning cable, used in the past, which is different and incompatible with other types of phones. While most new Apple products, for example, the latest iPads, already use USB-C, the firm previously argued against the rule, saying that making only one type of charger would “stifle innovation” instead of encouraging it, ultimately harming the consumers. It is not clear yet whether the change would only affect the EU or not, but it would be surprising if the company decided to produce a different type of charger for the rest of the world.
Apple won’t detect CSAM due to privacy concerns. US tech giant Apple, which decided to halt the development of a photo-scanning tool to detect child sexual abuse material (CSAM) last December, offered data privacy concerns as the main reason behind the decision last Thursday (31 August). While Ella Jakubowska, senior policy adviser at the European digital rights association EDRi, shared Apple’s concerns, saying that “there is not a way to safely and securely scan encrypted messages or services,” Emily Slifer, director of policy at the NGO Thorn, which seeks to defend children online, said that “we need to stop pitting user privacy and child safety against each other because with tools like the ones created by Thorn and others alongside an adequate framework with robust safeguards, we can have both.” Meanwhile, Javier Zarzalejos, the EU lawmaker who is the European Parliament’s rapporteur for the CSAM file, emphasised the technical neutrality of the regulation. Read more.
Meanwhile, in the Parliament. EURACTIV understands that during a shadows meeting about the CSAM file in the Parliament on Tuesday, there was much focus on detection orders, in line with last week’s informal documents, and reportedly support for narrowing them. EURACTIV also learned that the plenary vote about the regulation could occur in the second half of October or November.
Czech concerned about CSAM legislation. Confederation of Industry of the Czech Republic, with a coalition of 13 trade associations from eight European member states representing digital technology companies and platforms operating across the EU, sent a joint letter addressed to the Spanish Presidency of the Council and Commissioner for Home Affairs Ylva Johansson, about the draft law combating online child sexual abuse material. The letter expresses concerns about the balance between protecting children and privacy and voluntary measures. The document also says that detection and delisting orders should be the last resort and that the regulation should be aligned with other EU legislations.
A fragmented response. A report published on the OECD iLibrary on Tuesday about platform’s policies fighting child sexual exploitation and abuse (CSEA), has found that there is a fragmented response by online content-sharing services to the problem. The paper also concludes that “despite many political calls to action, the proliferation of online CSEA is a societal challenge that is growing in scale and complexity.”
Another one. A group of 13 tech industry associations, including, CCIA Europe, DOT Europe, or EuroIspa, also sent a joint statement to the EU co-legislators about CSAM on Wednesday. The statement focuses on safeguarding encrypted communications and recommends mandatory detections to be the last resort. Moreover, the paper says that detection orders should only be issued to providers with the technical ability to act.
Media, we need protection. Yesterday (7 September), the European Parliament’s Culture Committee adopted its position on the European Media Freedom Act (EMFA). The Committee presents its decision as protective of media against pressure and as protective of journalists who cannot be forced to disclose sources. Additionally, it states that media should be fully transparent towards who owns them and adds additional measures to prevent arbitrary decisions from very large online platforms. This last provision is considered by the CCIA, the industry association of platforms, a loophole to spread disinformation. They consider the current text “would allow rogue actors posing as self-declared media to spread disinformation for 24 hours before platforms can take it down”.
Stop spying. The European Federation of Journalists (EFJ) and other organisations called on journalists to sign an open letter about an absolute ban on the use of spyware against journalists. According to the EFJ, the current text of the European Media Freedom Act still contains loopholes that could be exploited by governments, such as in the case of Pegasus and Predator.
No more privilege. A study published on Wednesday by Media Laws analysed the Media Freedom Act’s very large online platforms’ content moderation practices towards media services providers. The paper recommends the removal of the media privilege, limiting the scope of the exemption, or introducing an inclusive designation process.
Snapchat introduces new safeguards. Snapchat introduced new safeguards for minors on Thursday, including in-app warnings, a new feature that sends a pop-up warning to teens when someone tries to contact them with whom they don’t share mutual friends or the person isn’t in their contacts. Snapchat already requires 13-to-17-year-old users to have several mutual friends in common with another user before they can show up in search results or friend recommendations. However, this number will now be raised as well. Snapchat’s public content will now also have to go through additional content moderation so violating content cannot reach a large audience. Another new in-app content will feature resources such as hotlines to contact. This will surface to users who have searched for relevant keywords beforehand.
Norway said ‘no way’. Meta’s behavioural ads on Instagram and Facebook were temporarily banned by Norway’s data protection authority in July. On Wednesday, an Oslo District court rejected Meta’s arguments seeking to block the order. According to the Norwegian data protection authority, daily fines are accruing on Meta for not complying with the ban on running ads and tracking and profiling local users without their consent. The tech giant would have the chance to appeal the decision to a higher court but has not confirmed whether or not it will do so.
Untamed bear on social media. The high amount of disinformation campaigns coordinated by Russia continued since the war of aggression against Ukraine. The increase in disinformation has been connected to X, formerly Twitter, and its new safety standards. Other social media platforms that spread pro-Russian campaigns include Meta and Telegram.
Not Beijing, but Dublin. In a move to ease concerns over surveillance by China, TikTok opened a data centre on European ground, namely in Dublin, under the name “Project Clover”. Previously, the app was restricted on government official devices across the EU and the UK in response to a warning that China could intercept emails, contacts and communication. The new data centre aims to ensure that European data is stored locally.
Apple’s DMA worries. Apple said on Wednesday that they still have concerns about privacy and security risks regarding the Digital Markets Act and the newly designated gatekeepers of online services. “Our focus will be on how we mitigate these impacts and continue to deliver the very best products and services to our European customers,” the company said. Meanwhile, Microsoft accepted the designation as gatekeeper, but it welcomed the decision to investigate a possible exemption of Bing, Edge and Microsoft Ads.
Slovak elections, the guinea pig. The first parliamentary election with the Digital Services Act (DSA) in force was the Slovakian. The DSA is relevant insofar as it obliges social media platforms to combat electoral manipulation, misinformation, and hate speech. Most relevant for the Slovak election are Facebook, YouTube and TikTok. Previously, Thierry Breton, Commissioner for Internal Market, expressed concerns earlier this year about “hybrid warfare happening on social media” during Slovak elections since the country had to deal with multiple cases of illegal content online in the past. With the DSA in place, the EU remains optimistic that it will “impose a series of other transparency obligations” by 30 October.
Airbnb running a race. The European Parliament’s Committee on Internal Market and Consumer Protection’s vote on the short-term rental regulation is due on 19 September. Rapporteur for the Committee on Transport and Tourism, centre-left MEP Josianne Cutajar, hosted an event gathering short-term rental platforms on Tuesday (5 September), which published a report on short-term rentals. Meanwhile, Airbnb started meeting local, national policymakers, business groups and hosts to discuss the short-term rental regulation across at least 6 Member States.
Don’t transfer my data. French MEP Philippe Latombe announced on Thursday that he is challenging the new transatlantic deal before the EU’s General Court, which would allow companies to freely transfer data between the EU and the US. While its previous version was already challenged, the EU-US Data Privacy Framework was approved in July. However, Latombe now wants the agreement to be suspended immediately, and he is also challenging the content of the text. “The text resulting from these negotiations violates the Union’s Charter of Fundamental Rights, due to insufficient guarantees of respect for private and family life with regard to bulk collection of personal data, and the General Data Protection Regulation,” he believes.
Théophane Hartmann contributed to the reporting.
What else we’re reading this week:
Telefonica Deal Tests Europe’s Appetite for Mideast Wealth (Bloomberg)
India’s Tech Obsession May Leave Millions of Workers Without Pay (Wired)
Norway’s oil fund is sending a message to companies on AI (Financial Times)
[Edited by Alice Taylor]
Read more with EURACTIV