March 29. 2024. 11:00

The Daily

Read the World Today

Tech Brief: CRA’s draft report, ChatGPT Italian ban


“The horizontal nature of this Regulation means that very different segments of the Union’s economy will be impacted.”

Story of the week: The draft report on the Cyber Resilience Act (CRA) was circulated last Friday, with several changes viewed favourably by industry. On several key aspects, the report aligns with the position of the EU Council, and in particular with the Italian request to simplify the language on the scope of the regulation. The five-year cap for the product lifetime was removed, allowing manufacturers to compete on this aspect, although the mention that the lifespan should be in line with consumers’ expectations is seen at odds with a cybersecurity law largely meant for industrial devices. Regarding the reporting obligations, Danti wants to keep the EU’s cybersecurity agency ENISA in charge with some extra resources – a position that might be instrumental to obtain more concessions during the trilogue, since member states are adamant that vulnerabilities should be kept in their hands. Other relevant points include extended timelines, a Cyber Resilience Expert Group, international considerations and the idea that fines would finance projects on cybersecurity capacity-building. Read more.

Don’t miss: Italy’s data regulator has introduced a temporary ban on ChatGPT until the language model is brought in line with the GDPR. In parallel, the privacy authority has also launched an investigation into the chatbot’s provider, OpenAI, for failing to inform Italians that their data was being used to train the popular language model, a training that, in the eyes of the authority, occurred without the tech company having a legal basis for it. Data inaccuracy and the lack of protection for children were other points raised by Italy’s watchdog. On Thursday, OpenAI’s CEO Sam Altman met with the privacy regulator and denied any wrongdoing but committed to more transparency on the use of personal data and to enhance the protection of minors. Meanwhile, VPN company Surfshark noted a spike in VPN searches in Italy following the ban.

  • The Commission said it has no intention to modify EU copyright rules as it considers they apply well to generative AI.
  • The UK communications regulator looked at the Amazon-Microsoft duopoly in the cloud sector.
  • EU countries are pushing back on any attempt to take cyber threat intelligence away from them.
  • The Commission removed the names and contacts of all staff members below the middle management level from the EU public repository.
  • €100 million is missing to close the Chips Act negotiations.
  • An upcoming EU study is set to contradict Breton’s bid to narrow the definition of European-produced content under the AVMSD.
  • The EU competition department opened an in-depth investigation into the landmark Orange-MasMovil merger.

Before we start: If you just can’t get enough tech analysis, tune in on our weekly podcast.

European standards and the AI Act

Technical standards will play a key role in how the EU’s upcoming AI rulebook will work in practice. We discuss the challenges and policy trends in the standardization process in Europe with Connor Dunlop, European public policy lead at the …

Artificial Intelligence

High-risk ambiguity. Responding to criticism that the AI Act’s proposals are based on a dearth of empirical evidence, researchers at the Initiative for Applied Artificial Intelligence have conducted a risk classification of AI systems. Their work found that while 18% of systems studied would be classed as “high-risk” and 42% as “low-risk”, it was unclear into which category a further 40% would fall. Most high-risk systems were in areas such as human resources, customer service and finance. The uncertainty regarding other systems was mainly due to the proposal’s wording linked to Critical Infrastructure, Employment, Law Enforcement and safety-critical components.

Security loopholes. AI language models could pose significant novel security challenges as their new modes of operation create various risks. These include “jailbreaking”, whereby the tech is instructed to ignore its own safeguards and could therefore engage in dangerous behaviours such as recommending criminality or endorsing hate speech, participating in scamming and phishing, where its close mimicry of human interactions could make it a convincing tool in conning people into things; and data poisoning, where its data sets are infiltrated and manipulated before it even begins its operative life. What’s more, tech companies might already be aware of these issues, but no effective fixes for them have been devised.

Prepare to take off. AI development is set to skyrocket, with the past few years having seen massive growth in the number, power and capabilities of models released. This is according to new research by Stanford University, which tracks the number of key trends in AI research, including major increases in the training that models receive, the complexity of the tech, the researchers and companies working on it and the volume of AI-focused regulation.

Competition

UK cloud duopoly. The UK’s communications regulator, Ofcom, may propose that the country’s competition authority conduct a full investigation of the cloud services market, it said this week as it reached the midway point in its own probe of the country’s cloud infrastructure. Ofcom released its preliminary findings on Wednesday, identifying a number of features of concern and pointing to Amazon and Microsoft as companies of particular interest given their market dominance. Read more.

Apple joins the club. Apple has been added to the German competition authority’s ‘special watch’ list, already populated by Big Tech companies such as Meta, Amazon and Google’s parent company, Alphabet. While the Bundeskartellamt ruled that Apple is a firm of paramount significance for competition across several markets, the iPhone maker considers the decision disproportionate and will join Amazon in challenging it. Read more.

Bundeskartellamt on steroids. Berlin put forward a draft law this week to hand the country’s competition authority increased powers to tackle interference with the competition. The initiative follows allegations that oil companies misused their market power to keep fuel prices artificially high in 2022, following the jump in prices that came after Russia invaded Ukraine. No collusion could be proven in this case. Still, under the newly proposed law, the authority could take action anyway, as long as there was deemed “significant and continuing interference with competition” within a market. Read more.

Competition for tech. The Commission has released its 2022 report on competition policy, outlining major initiatives undertaken last year. One of the most prominent in the tech field was the DMA, which came into force in November, but also noted are the adoption of a revised Communication on State aid for broadband networks, the July 2022 telecoms commitments, the closing of investigations into companies such as Meta, Google, Apple and Qualcomm.

Cybersecurity

What’s this about? Operational vulnerabilities are weaknesses that can be exploited to hack into someone’s phone, computer or an entire network. No wonder EU countries want to keep such sensitive information to themselves. According to a source informed on the matter, European governments have picked up the American habit of installing backdoors wherever they can and keeping vulnerabilities secret. The phenomenon would be so large that virtually no hardware or software is excluded, and weaknesses might even be embedded in encryption algorithms. In other words, the point might not be having safe products but being able to control vulnerabilities and backdoors.

Cyberwarfare revealed. The inner workings of RTV Vulkan, a Russian cybersecurity company that counts the Kremlin amongst its clients, have been revealed by a consortium of journalists worldwide in a project titled the “Vulkan Files”. Based on thousands of pages of leaked documents, the investigation shows how the company has helped Moscow engineer cyberattacks, spread disinformation and undertake internet surveillance, shedding light on the government’s military, cyber and psychological warfare strategies. Read more.

The spyware question. The Commission launched a consultation on guidelines for cyber-surveillance items under the Dual Use Regulation. The EU executive is testing the waters on whether to prevent European companies from selling spyware abroad to avoid the software is then used against Europe’s interests. However, such an export ban might make little sense as European companies would lose contracts in third countries, whilst the Israeli would continue doing business globally.

CRA opinion. The IMCO’s opinion rapporteur Morten Løkkegaard published its draft opinion on the Cyber Resilience Act this week.

Data & Privacy

EU transparency gap deepens. The Commission has removed from its Whoiswho website the names of all officials below middle management, citing the need to protect their staff from ‘undue pressure’. The move went largely unnoticed as it was not announced publicly nor communicated to staff members. The further reduction of transparency in EU policymaking will likely advantage stakeholders that are better connected via national sponsors or revolving doors or have resources to pay consultants to map civil servants for them. There is little doubt that it will make the work of NGOs, journalists and small interest groups more difficult. The European Data Protection Supervisor confirmed to EURACTIV that no staff member complained about their data being available on the repository, suggesting that the data protection might have been used opportunistically to justify a move that contradicts the Commission’s preaching about transparency everywhere else except in its own house. Read more.

Cookie pledge roundtable. The Commission is looking to initiate a discussion with stakeholders on improving consumer awareness of online tracking and alternatives to tracking-based advertising. This comes as part of Justice Commissioner Didier Reynders’ recently announced plans to introduce a voluntary pledge for companies to phase out cookies, a response to “cookie fatigue”. The first roundtable will be held on 28 April. A discussion note, seen by EURACTIV, indicates that the conversation will focus on enhancing consumer information and alternative methods of ad personalisation for consumers who wish not to be tracked. Read more.

More troubles for TikTok. This week, the UK’s data protection watchdog fined TikTok £12.7 million for numerous data law breaches, though the charge was reduced from an initially proposed £27 million. The charges include a failure to identify and remove users under the age of 13, despite a policy prohibiting them from having accounts on the platform. Read more.

EU-Japan data flows. The EU and Japan have successfully concluded the first review of their 2019 data adequacy agreement, facilitating the data flow between the two countries.

Digital Markets Act

Data workshop. A Digital Markets Act (DMA) workshop scheduled for 5 May is set to feature an exploration of how effective compliance with the legislation’s data-related provisions can be ensured. Up for discussion at the meeting will include data processing for online advertising services, the cross-use of personal data by gatekeepers, the use of business users’ non-publicly available data and data portability. It is still unclear which Big Tech company will be grilled this time, but Apple, Google and Meta already had their share, leaving Microsoft and Amazon as the top candidates.

Technical body meeting. The DMA advisory committee met on Monday to discuss the DMA application procedure and gatekeeper notification process, for which implementing acts are expected in the coming weeks. The discussion was rather technical, with the most sensitive point being the role of national authorities in initiating the designation procedure.

Digital Services Act

Following the example. Switzerland is set to devise its own version of the Digital Services Act (DSA), with the government this week announcing that it had instructed the relevant department to draw up a preliminary draft for consultation on the regulation of communications platforms. The legislation is intended to boost citizens’ rights when interacting with major online platforms who will be required to be more transparent in their operations.

Industrial strategy

€100 million missing. The Swedish presidency debriefed attaches on last week’s Chips Act trilogue on Wednesday. To no one’s surprise, the deal-breaker of the negotiation remains the research budget, which the Parliament wants to keep at least at the level proposed by the Commission, whilst the Council cut by €400 million. What has been discussed so far is to take €75 million from Horizon Europe, €125 million from Digital Europe and €100 million from general decommitments, leaving €100 million missing. The Commission would like to take the sum from more general decommitments, but that would go against the interinstitutional agreement on the Multiannual Financial Framework that caps them to €500 million. Many EU governments, starting with Germany, are against breaching that agreement as it would set a dangerous precedent with the Commission presenting unplanned initiatives and financing them by removing money from existing programmes.

Law enforcement

Catalonia retaliates. The Catalan government has banned the use of Pegasus spyware and similar software until there is proof that it complies with human rights. In doing so, Catalonia became the second government after the US to ban the use of targeted cyber-surveillance tools, a decision linked to the fact that the tech was found to have been used against several figures linked to the Catalan independence movement. Read more.

Transatlantic law enforcement. A recent EU-US Senior Officials Meeting on Justice and Home Affairs, hosted in Stockholm in mid-March, touched on several data issues, including the sharing of information between US authorities and Europol, access to electronic evidence, and encryption. Following a leak of the meeting’s conclusions, however, a coalition of European digital rights groups published an open letter voicing their concerns, including the threats posed by enhanced law enforcement capabilities to privacy and encrypted communications, the sharing of military-produced evidence to be used in criminal investigations and immigration processes.

Media

You are what you watch. The Commission is finalising its Media Outlook report which is due to be published by early May. There is great interest in the study, as it will include data on media consumption trends across the EU. Why is that relevant? Because in post-Brexit Europe, Commissioner Breton wants to narrow the definition of European-produced content, a percentage of which is mandatory for AV services under the Audio-Visual Media Services Directive. In February, the Commission gave a presentation at the Berlinale with extracts from the report, indicating that 69% of Europeans do not seem to care where a film or series comes from as long as it’s good content. In other words, the Commission’s own study is set to contradict a definition restriction. Breton’s activism in this regard was initiated after the Cannes Festival last year, where French producers lobbied him. The question is what will come out this time at the French Festival that will take place in the second half of May.

Standardisation

WRC taking shape. The International Telecoms Union has issued its report on preparatory studies ahead of the 2023 World Radiocommunication Conference (WRC), which will begin this November. The report examines some of the key issues that emerged during the recent preparatory meeting, including identifying additional frequency bands, the use of satellite technologies for broadband services to improve connectivity in remote areas, the future of the ultra-high frequency broadcasting band and the modernisation of the Global Maritime Distress and Safety System.

Telecom

Orange-MasMovil merger. EU competition authorities this week launched the second phase of its investigation into the proposed merger of Orange and MasMovil in Spain. This deal would make the company the largest player in the Spanish market. The Commission identified several initial concerns in the preliminary phase of the investigation, which is regarded as a test case following recent calls for consolidation by major telecoms operators. However, consolidation is only good when it does not happen in your backyard, and the Spanish government would be far from happy to see its legacy operator Telefonica surpassed by the former French monopolist in its domestic market. Raging inflation and upcoming political elections further complicate the picture, but some of the preliminary concerns the Commission raised suggest there might be space to revise the ‘Vestager doctrine’ on 4-to-3 mobile mergers. Read more.

Investment study. The most attentive readers will have noticed that in the footnote to the Commission’s senders-pay consultation, there is a mention of an upcoming study on the investments and funding needs for the Digital Decade target. However, according to the preliminary summary of the public tender, the study is to focus on the questions related to future technological developments and related challenges/opportunities, environmental footprint, digitalisation, cybersecurity and obstacles to the single market. The telcos are hopeful the study will confirm the presence of the investment gap they have been consistently singled out, but the way the study is structured might suggest that the Commission’s priorities might in fact lay elsewhere.

German connectivity plan. A new “Gigabit Funding 2.0” plan presented by Germany’s Digital and Transport Ministry would see the country change its funding policy to expand digital infrastructure and ensure that fibre-optic connections reach underserved communities without interfering with the progress of digital connectivity in the private sector. The plan, announced on Monday, was met with little enthusiasm from businesses, however, who fear it could weaken momentum in the long-term roll-out of fibre-optic networks. Read more.

Recommendation questioned. MEP Dira Charanzová is seeking further information from the Commission on the draft Gigabit recommendation. Based on concerns raised by stakeholders (read: ECTA), the lawmaker submitted a question to the EU executive calling for an impact assessment to be shared along with information on whether stakeholders had been consulted, their feedback and how co-legislators from the Council and Parliament will be involved in the adoption process.

Transatlantic ties

Next TTC meeting. The next instalment of the EU-US Trade and Technology Council (TTC) is set for May 30-31 and will be held in Luleå, Sweden. On the agenda for the meeting, Trade Commissioner Valdia Dombrovskis said this week, would be US-EU cooperation on Ukraine, tech, economic security and resilient supply chains, amongst other global issues. The Biden administration is under pressure from the unions, historical opponents of trade agreements, to carry on the Labour Dialogue, despite the little interest from the European side. Meanwhile, the initiative remains in desperate need of concrete results, in the absence of which might not survive the mandate.

China on the radar. A European funding agency, the Joint European Disruptive Initiative, has launched an expanded China Tech Radar, analysing the country’s technological level and specifics of some of its key technological enablers ahead of Commission President Ursula von der Leyen and French President Emmanuel Macron’s upcoming visit to China. Included are examinations of the semiconductors, cloud, quantum, cyber and blockchain industries’ performance in the first quarter of this year.

Twin transitions

Nintendo’s free repairs. Nintendo has announced that it will provide free repairs of faulty “Joy-Con” controllers after discussions with the Commission prompted by a consumer rights complaint filed in 2021 over recurring technical issues with the device. The policy change, which is applicable to customers in the UK, EEA and Switzerland, brings the region in line with a number of others. Read more.

What else we’re reading this week:

We need a much more sophisticated debate about AI (FT)

Can AI commit libel? We’re about to find out (Tech Crunch)

How Russia killed its tech industry (MIT Technology Review)