Meta’s data flow nightmare, Twitter to exit Disinfo Code
“Ultimately, the invalidation of Privacy Shield in 2020 was caused by a fundamental conflict of law between the US government’s rules on access to data and the privacy rights of Europeans. It is a conflict that neither Meta nor any other business could resolve on its own.”
Story of the week: The week that celebrated the fifth anniversary of the GDPR also saw a historic decision and the largest administrative sanction issued so far. Ireland’s Data Protection Commissioner (DPC) has hit Meta, as anticipated by EURACTIV, with a record fine of €1.2 billion over transferring EU data to the United States in breach of the Schrems II ruling. Even more significantly, Meta has been ordered to stop Facebook’s data transfers to the US by October and has until November to move the data back to Europe and to delete the data stored in its US data centres. Although the DPC considered the data transfer illegal, the Irish authority did not deem the breach worth a fine, which was only introduced via the dispute resolution mechanism of the European Data Protection Board. In an unprecedented move, the Board published its own press statement to make clear that the fine was “a result of EDPB binding decision,” which is quite telling of the current relations between the DPC and its European peers. Read more.
Don’t miss: Twitter is ‘seriously considering’ exiting the EU Code of Practice on Disinformation, representatives of the company told the European Commission on Wednesday. Although the final word is with the senior management, the Commission expects the formal resignation any time now. The move might, in fact, be welcomed with a sigh of relief from EU officials, as the platform was already disengaged from the Code and made virtually no effort to comply with it. Still, it is yet another sign that the company is not taking compliance with the Digital Services Act seriously since the voluntary commitments largely anticipate the regulation’s requirements for managing systemic risks like disinformation. As Twitter has close to zero capacity in terms of regulatory compliance at the moment, and the EU is only a secondary market for the platform, the withdrawal from the code might be the first formal step in its departure from Europe. Read more.
- OpenAI’s CEO toured Europe this week, finding the time to threaten withdrawal from the EU market if the AI Act overregulates and back-pedalling following backlash.
- The EU Council gave a lukewarm reception to the Commission’s Cyber Defence Policy.
- Trilogues took place on the Data Act and Digital Identity framework.
- The Swedish presidency made a third unsuccessful attempt to reach a general approach to the Platform Workers Directive.
- New Council compromises circulated on the CSAR and Media Freedom Act.
- The next Telecom Council is set to discuss a ‘roadmap’ to strengthen EU’s coordination vis-à-vis the UN telecom agency.
Before we start: If you just can’t get enough of tech analysis, tune in to our weekly podcast.
Europe’s quest for a sovereign cloud
Putting European data outside the reach of foreign jurisdictions has been important for EU policymakers. We discuss what this striving for digital sovereignty means for the cloud market with Joe Baguley of VMware.
Saltman’s EuroTrip. The monumental rise and potential future trajectory of AI systems require tailor-made governance and coordination, according to OpenAI, the company behind ChatGPT. Now is the time to begin thinking about the future of superintelligence, said officials at the company, including CEO Sam Altman, who is mid-way through the Europe leg of a global tour promoting the tech. Altman’s stop in Europe is, in part, a way of identifying a location for a potential European office, he said this week, floating Poland as a possible location. He also warned that the company might consider withdrawing from the region if it could not ensure compliance with the EU’s upcoming AI Act, which Altman described as “over-regulating”. However, the statement predictably prompted a backlash among EU lawmakers, who replied they would not be blackmailed into watering down the AI regulation. Altman consequently backtracked on the threat. Read more.
EPIC white paper. Regulators are scrambling to catch up as generative AI systems are deployed rapidly and without safeguards, signalling that self-regulation has failed. This is according to the Electronic Privacy Information Center, which has released a new white paper on Generative AI’s impact and the paths forward, outlining several potential harms, from economic loss and psychological distress to reputational damage and discrimination.
ML for content analysis. Machine-learning language models have been suggested as a solution to the lack of provision of services in languages other than English, for which Western tech companies have long been criticised. Still, they may not be the fix-all they’re touted as. A new report by the Center for Democracy and Technology explores the capabilities and limits of these models.
Bundestag on generative AI. The German Committee on Digital Affairs discussed generative AI on Wednesday in a public hearing with experts who touched upon the issues of copyright, data protection, media, and liability.
European AI Forum. Nine national AI associations have launched a new European AI Forum. The forum, which presents itself as the largest representative of the European AI industry, aims to promote investments, implement AI strategies, and push for policy alignment.
Apple case appealed. EU regulators have lodged an appeal with the European Court of Justice to overturn a 2020 ruling disputing their claim that Apple had faced an artificially low tax burden in Ireland for over two decades, warranting a €13 billion back-tax charge. The General Court subsequently found that Brussels had not met the legal threshold to prove that Apple had an unfair advantage. Still, the Commission is now seeking to overturn this decision in a case that could have important implications for member states’ future multinational tax policies.
No privacy for Meta. There was a victory for Brussels antitrust authorities this week as the EU’s General Court rejected a move by Meta to prevent the Commission from accessing company documents as part of investigations into the tech giant’s data use and platform management. Meta had protested the request, but the Court ruled this week the company had not successfully demonstrated that it went beyond what was necessary.
That didn’t go well. Shutterstock will purchase image platform Giphy from its current owner Meta, it was announced this week. The $53 million cash purchase follows last year’s ruling by the UK’s Competition and Markets Authority that Meta’s $400 million acquisition of Giphy in 2020 posed a threat to competition, prompting the tech giant to divest the company.
Appealed as expected. To no surprise, Microsoft has formally launched an appeal against the UK’s Competition and Markets Authority’s recent rejection of its acquisition of gaming company Activision Blizzard because it threatened competition.
AI anti-piracy. Sports streaming platform DAZN and AI-powered content detection tool Videocities have formed a partnership to address copyright infringement issues. By integrating the two companies’ technologies, the collaboration aims to detect and eliminate illegal streaming on social media and offer AI-powered anti-piracy solutions.
Council’s lukewarm reception. This week, EU defence ministers adopted cyber defence conclusions, advocating for further investment to boost capabilities and address common challenges and warning against duplications within the institutional architecture. The 18-page document also outlines the member states’ priorities in areas including skills development, industry support and a coordinated approach to defence. Read more.
Certifications update. At the Stakeholder Cybersecurity Certification Group held this week, ENISA, the EU cybersecurity agency, said the Commission will kick-start the formal adoption process of the EU Common Criteria Cybersecurity Certification Scheme, which will play a key role in the implementation of the Cyber Resilience Act. While ENISA refused to comment on the European Cloud Services Scheme (EUCS) draft leaked by EURACTIV, the EU Certification Cooperation Group that meets today is still far from giving an opinion on the controversial proposal. However, the meeting might shed some light on the timeline. ENISA also commented on the upcoming EU 5G Cybersecurity Certification Scheme (EU5G), for which the trade association GSMA is the trusted partner for developing the new standard.
Who will apply this? A range of new regulatory requirements is incoming in the EU, as the NIS2 Directive and the Cyber Resilience Act enter into force. However, the new framework risks exposing the increasing cyber-talent shortage in Europe among regulators and companies. According to new data, the growing issue of cyber threats is compounded for companies by the skills shortage, with no improvement on the horizon. Read more.
ICT security forum. ENISA held its annual Telecom and Digital Infrastructure Security Forum in Lisbon this year, examining key cybersecurity issues such as global internet resilience, sub-sea cables and 5G security, and ransomware attacks. The agency has also published its 5G security controls matrix, along with a new report exploring the importance of owner verification to secure the domain name registration process.
CRA technicals. The first technical meetings on the Cyber Resilience Act took place on Wednesday and Friday, based on a first batch of compromise amendments reported by EURACTIV last week. The discussions focus on the uncontroversial parts dedicated to conformity assessment bodies and delegated powers.
Data & Privacy
Data Act trilogue. Little progress was made at the Data Act trilogue on Tuesday, as virtually nothing was closed on the B2G chapter due to the co-legislators’ limited flexibility. The presidency is now to request a revised mandate, but more technical work might be needed on the conditions and safeguards aspects. An exchange of views took place on trade secrets, but the Commission is still to present its compromise on the Council’s idea that the data holder can refuse an access request. Another discussion was on B2B and B2C data sharing, but again it is still unclear what a landing zone could be. Technical work is set to intensify from now on, with four meetings scheduled for next week. But given the limited progress, reaching a political deal in June seems less likely.
Meet the new Chair. The European Data Protection Board has elected Anu Talus as its new chair, replacing outgoing leader Andrea Jelinek. Talus, who has served as the Finnish Data Protection Ombudsman since 2020, beat candidates from the Dutch and Bulgarian Data Protection Authorities and will hold the position for the next five years. She was elected via a two-round voting process, winning 19 out of 27 votes.
5 years in numbers. Statistical information about GDPR fines from Privacy Affairs points out that, of the four billion euros in GDPR fines, Meta accounted for €2.5 billion in penalties. According to the data, TikTok has €15 million worth of fines accumulated from two cases in the UK and the Netherlands. The world of GDPR fines has witnessed a grand total of 1,701 finalized cases, with Spain emerging as the leader with 594 fines, followed by Italy with 244 fines. The Data Protection Authority of Ireland is responsible for 2.5 billion euros in GDPR fines from just 23 cases.
Edwards in Brussels. The UK’s Information Commissioner, John Edwards, visited the European Parliament this week for a hearing on the country’s new data protection reform bill, which is currently under legislative scrutiny in London. Edwards sought to assure MEPs that Europeans’ data would not lose any protections under the changes, but MEPs challenged his views.
eIDs trilogue. The governance and relying parties were the focus of the political trilogue on the European Digital Identity on Tuesday. On governance, the Council agreed to follow the MEPs’ structure with some carve-outs, notably limiting the Board to a coordination role. Relying parties is still a moving target, but the text should land somewhere in the middle: it will not be a mere notification, but excessive administrative burden is to be avoided. No date has been set for the next trilogue yet. Although the discussions are accelerating now, it still seems unlikely a deal will be reached under the Swedish Council presidency.
Germany’s digital account. On Wednesday (24 May), the German Bundestag adopted the bill to amend the ‘Online Access Act’ (OZG 2.0), a package for digital administration presented by Federal Minister of the Interior Nancy Faeser. It is intended to create the framework for more prioritisation and standardisation in the area of digital identity and to ensure user-friendly digital administration processes.
Third strike. A third compromise text on the Platform Workers Directive has been circulated by the Swedish Council Presidency. The text attempts to resolve remaining divisions amongst member states over the proposal’s key issue – the rebuttable presumption that would automatically classify platform workers as employees if certain criteria are fulfilled – ahead of the Social Affairs Council on 12 June. Read more.
Failed again. To Sweden’s disappointment, there was no majority in COREPER on Wednesday. Member states stuck to their guns, with some worried that derogations within the operative part of the text would make the legal presumption of employment virtually inoperative. French Minister of Labour Olivier Dussopt told a public parliamentary hearing on Thursday (25 May) it would be “very hard” to agree on a deal under the Swedish presidency. A revised text should be presented to COREPER on 31 May. If there is no agreement, the text may not even reach ministers at the next EPSCO meeting on 12 June.
UK chip strategy. The UK published its new chip strategy after months of delays and warnings from manufacturers that they may be forced to relocate abroad without action. The National Semiconductor Strategy sets out a pledge of up to £1 billion in investment over the next ten years. Still, it has been received with disappointment from many stakeholders who describe it as unambitious compared to the plans of other powers such as the EU and the US. Read more.
UN Digital Cooperation Forum. The UN Secretary-General’s office released its input on the Global Digital Compact this week. The document, prepared by the UN Tech Envoy Amandeep Singh Gill, has stirred a negative reaction, as it proposes setting up a Digital Cooperation Forum to bring internet governance under a single roof. Stakeholders have seen this as a power grab that would mark a significant shift in favour of intergovernmental management of the current internet architecture, which authoritarian countries like China have attempted in the past in ITU. The input will be discussed at the next ministerial meeting in September.
New CSAM compromise. The Swedish Council Presidency circulated a new compromise text on the proposal to tackle child sexual abuse material (CSAM) this week ahead of the Law Enforcement Working Party meeting on Thursday and Friday. The document, dated 17 May, covers areas including removal orders, reporting requirements, the EU Centre, and coordinating authorities and member states’ competent authorities. Read more.
Spyware warfare. An investigation by AccessNow and other organisations has uncovered the hacking of civil society victims in Armenia, who were targeted with NSO Group’s Pegasus spyware between October 2020 and December 2022. The spying is linked to the military conflict in Nagorno-Karabakh, making it the first documented evidence of the use of Pegasus spyware in an international war context.
Media Outlook confrontation. The Commission has published its first European Media Industry Outlook examining key trends in the audiovisual, video game and news media industries. The report finds that segments including video on demand, mobile gaming or immersive content largely drive growth in the sector. However, in a CULT committee hearing this week, Commissioner Thierry Breton was fiercely confronted about them by MEP Petra Kammerevert.
France’s influencer law. French MPs and senators nailed down an agreement on a national law targeting influencers on Thursday. The two chambers bridged their differences about the definition of ‘influencer’, a threshold to qualify commercial influence, transparency, and the best way to combat scams. Further clarifications have also been made regarding various sanitary and public health provisions and the rights of minors and animals. The final vote in the Assemblée Nationale and the Senate is scheduled for next Wednesday. The European Commission is expected to provide its opinion on the compatibility of the text with EU regulations by the end of July.
HLF deep dives. A new meeting of the Sherpa group of the High-Level Forum on European Standardisation was held on Thursday. A shortlist of deep-dive sessions has been agreed upon and includes education and skills, fundamental rights, national standardisation bodies and inclusiveness, standardisation at the international level, the ecological transition of the cement industry, wind, sustainable cities, green electricity systems, hydrogen, AI, digital product platforms, data interoperability and certified reference materials. The next Sherpa meetings are planned on 14 September and 16 October whilst the next forum meeting is scheduled on 2 November.
US voices on senders-pay. The US National Telecommunications and Information Administration has submitted its response to the Commission’s consultation on the future of the electronic communications sector and its infrastructure, setting out its concerns about the senders-pay initiative, notably regarding market dominance and net neutrality. The input from the US administration on an EU initiative is rather unusual, if not unprecedented. At the same time, the initiative has received the endorsement of Brendan Carr, commissioner of the Federal Communications Commission, who slammed those who say the status quo of the European telecom market is working fine as not having the ‘finger on the pulse’.
ITU coordination roadmap. EU governments will discuss how the bloc can ensure its voice is heard within ITU, the UN’s telecom agency, after this point was added to next week’s Transport, Telecommunications and Energy Council agenda. An information note by Lithuania, Poland, and Portugal called on the Council to request that the Commission and External Action Service propose a roadmap for ensuring this heightened coordination by the end of 2024. Read more.
G7 on tech. Leaders at the G7 summit in Hiroshima reaffirmed their support for export controls on critical and emerging technologies such as microelectronics and cyber surveillance systems to prevent abuse. In a communiqué published this week, the officials also highlighted the need to boost ICT skills and ensure that digital governance keeps pace with technological developments, particularly in emerging areas such as AI and immersive technologies, where they urge incorporating principles such as transparency, safety and accountability. Also covered were issues such as Open RAN, science and technology, and space research.
Updated TTC conclusions. The potential impacts and risks of generative AI, and the resulting urgency of cooperation in addressing them, have been highlighted in the updated conclusions of the EU-US Trade and Technology Council, dated 24 May and seen by EURACTIV. Other additions concern language around ‘sanction-related export restrictions’, critical raw materials, post-quantum cryptography, the use of PFAS in semiconductor manufacturing, and 3D printing standards.
What else we’re reading this week:
What can the EU learn from China’s generative AI regulation before it adopts its AI Act? (Euronews)
Generative AI Systems Aren’t Just Open or Closed Source (Wired)