Tech Brief: OECD definition, Data Act semi-final text
“But then the next question is, of course, whether generative AI systems fall under high risk and chapter 2 [related obligations] or can count on a big GPAI [General Purpose Artificial Intelligence] exemption.”
Story of the week: The European Parliament has sped up the technical work on the AI Act this week, with the most notable result being an agreement on the OECD definition with some minor tweaks, like the removal of ‘machine-based’ wording, achieved last Friday. ChatGPT and other generative AI models have been firmly put into scope whilst accompanying text attempts to distinguish AI from simpler software systems. On Monday, almost all other definitions used in the draft law have been settled, with some significant rewording of ‘significant risk’ and ‘biometric categorisation’, whilst biometric authentication and verification were distinguished. On Thursday, the standalone articles were finalised, with the article on the right not to be subject to non-conforming systems being dropped as it was deemed redundant. The general principles, right to explanation, and AI literacy are all set to stay, with some tweaks. The article on accessibility requirements proposed by the centre-left saw significant pushback and is set to be limited, enraging disability organisations, who note that a low-risk AI might become high-risk for someone with disabilities.
- The European Parliament adopted its report on common cybersecurity requirements for EU bodies.
- The ePrivacy Regulation rapporteur sent a letter to the Swedish presidency calling for a political trilogue.
- The Dutch government implemented export control measures to prevent China from obtaining advanced lithographic machinery.
- EURACTIV revealed that at a closed-door meeting with MEPs, the European Data Protection Supervisor criticised the CSAM proposal as creating an ‘illusion of legality’.
- The European Commission presented the Connectivity Package at the Telecom Working Party.
Before we start: If you just can’t get enough of tech analysis, tune in to our weekly podcast.
GDPR enforcement seen from Ireland
The Irish Data Protection Commissioner plays a critical role in enforcing the EU General Data Protection Regulation. We discussed with Commissioner Helen Dixon enforcement trends, different legal interpretations with other data protection authorities and recent decisions on cross-border cases.
Register here >>
GPAI text. How to deal with General Purpose AI is the last open question that EU lawmakers still have to start outlining an answer to. At an event on Tuesday, co-rapporteur Dragoș Tudorache said that taking into account new realities like ChatGPT is one of the main reasons for the delays, as MEPs are trying to make the text ‘future-proof’. The EPP, Renew, and S&D are currently working on a joint text on this sensitive topic. The basic idea is to turn the existing recital 60 into an article, making cooperation across the AI value chain legally mandatory for GPAI.
Speaking of GPAI. Generative AI tools such as ChatGPT are being adapted to defraud people, cybersecurity company Darktrace has warned. Since the launch of ChatGPT, Darktrace says, text-based frauds have increased as the tool is used to construct more complex and realistic ruses, decreasing the likelihood that they are identified as cons.
Child protection. A letter from several children’s rights organisations to members of the Parliament’s IMCO and LIBE committees has urged lawmakers to ensure that the protection of children is made a priority within negotiations on the AI Act. The authors argue that AI systems likely to impact children’s safety and personal development should be classified as ‘high-risk’ under the proposal’s terms.
Common EU standards. The European Parliament’s mandate on the proposal to establish common cybersecurity standards across EU bodies was approved by ITRE on Thursday, opening the door for trilogue negotiations. Based on identified weaknesses in the cyber-defences of EU institutions, agencies and offices, the proposal is intended to set out a framework for boosting their capacity to identify, respond to and share information on potential or realised cyber threats. Read more.
Don’t do this. In a CCIA-sponsored paper published this week, the think tank European Centre for International Political Economy warned that including sovereignty requirements in the European Cloud Service Scheme (EUCS) would risk “opening Pandora’s box” and increase cloud adopters’ cybersecurity risks, calling instead for the scheme to be limited to technical and transparency requirements.
Data & Privacy
ePrivacy frustrations. The parliament’s rapporteur for the ePrivacy Regulation, Birgit Sippel, has written to the Swedish ambassador calling on the Council presidency to accelerate work on the file. In the letter, seen by EURACTIV, Sippel notes that it has been almost one year since the last political trilogue meeting and calls for a political trilogue in the coming weeks. However, the possibilities of the file seeing the light of day are running short, with EU diplomats increasingly convinced it is already dead. “We have other files in the digital area where we need to make progress. We evaluate the situation as we go,” a spokesperson of the Swedish presidency told EURACTIV. Read more.
UK data protection reform. The UK introduced its new data protection reform bill this week, set to relax certain aspects of the country’s post-Brexit data protection regime. The bill is set to reconfigure the office of the Information Commissioner, the UK’s data watchdog. It will significantly reduce requirements on businesses when it comes to record-keeping, limiting obligations to categories of high-risk data only. Changes have also been included to make it easier for data to be reused for scientific research and to the measures on ‘legitimate interests’, a concept which has been expanded to an extent under the new bill’s wording.
You are warned. WhatsApp would withdraw from the UK market if the Online Safety Bill’s provisions that endanger end-to-end encryption (E2EE) were to become law, the messaging service’s boss said on Thursday. Will Cathcart issued a stark warning on the bill, which is focused on content moderation and would place requirements incompatible with E2EE on platforms. With 98% of WhatsApp’s users residing outside the UK, Cathcart said, the company would not take decisions that would endanger their privacy to comply with British law.
Digital Markets Act
App stores workshop. The Commission’s third DMA workshop took place on Monday, focusing on the legislation’s app store provisions. Among the topics discussed were in-app payment systems and steering, where there was strong support for the strict implementation of measures to prohibit gatekeepers from mandating the use of a specific payment service. Participants also broadly agreed that app stores should be prevented from abusing security concerns to allow access to certain apps, one of Apple’s most used talking points, and on the need for greater clarification of FRAND conditions.
False war narratives. Attacking NATO and foreign supporters of Ukraine, compromising Ukrainians’ image and damaging Zelenskyy’s public standing were all identified by the European Digital Media Observatory as key false narratives circulating online in February. The analysis also issues an early warning on disinformation related to the battle of Bakhmut, which EDMO says is likely to increase as Russian troops move closer to capturing the city.
ASML export controls. The Dutch government will introduce new export controls on advanced semiconductor production technology, it was announced this week, following reports in January that it had agreed on a deal to this effect with the US and Japan. The move comes as a reaction to recent technological and geopolitical developments, the country’s trade and development minister said, and companies like ASML, which produces the world’s most advanced lithographic machinery, will be required to apply for licences to engage in such exports. Read more.
Chips Act 2nd trilogue. The second political trilogue on the Chips Act was held on Thursday, 9 March 2023. No formal decision was taken but the Commission and Council opposed the enlargement of the first-of-a-kind concept to design, retrofit and back-end facilities. MEPs are also facing opposition to their new articles on international cooperation and transfer or access to confidential information from third countries. Also discussed were the public interest requirement and fast-tracking procedure.
Critical raw materials. Brussels is seeking to introduce targets to boost Europe’s self-sufficiency along the entire critical raw materials value chain, according to a draft version of the EU’s Critical Raw Materials Act, seen by EURACTIV. The act, set for presentation next week, will install targets to ensure that 10-40% of the mining, recycling and processing of the critical raw materials used in the EU is being done within the Union by the end of the decade. Read more.
Illusive safeguards. The European Data Protection Supervisor vehemently criticised the Commission’s proposal on tackling Child Sexual Abuse Material in a closed-door meeting with EU lawmakers, stating that the initiative created an ‘illusion of legality’ that does not change the fact that it would lead to mass surveillance of private electronic communications – in stark contrast with fundamental rights. In other words, for Supervisor Wojciech Wiewiórowski, no safeguard can be put in place to remedy this disproportionate access that is set to be struck down in court, either at the EU or national level. Read more.
Rule of law on edge. Threats to fundamental rights, including media freedom, mean the rule of law in Greece is on edge, MEP Sophie in ‘t Veld said as representatives of the LIBE committee visited the country this week. In ‘t Veld warned that journalists face physical threats for doing their jobs and that media ownership by select oligarchs had negatively impacted media pluralism and editorial independence. Read more.
SLAPP you to silence. A lawsuit filed against a Bulgarian fact-checking news site risks pushing the outlet into bankruptcy. The suit, which seeks €500,000 in retaliation for reporting by Mediapool based on the official transcript of a government session, has been filed by insurance company Lev Ins and is regarded as a SLAPP (strategic lawsuit against public participation) case launched to silence media and related actors. Read more.
Policy updates commitments. WhatsApp has agreed to various commitments to appease the Commission amid a consumer protection probe into how the messaging service rolled out updates to its terms of service in 2021. Consumer group BEUC, whose complaint initiated the probe, has reacted with disappointment, noting that the deal that has been struck will offer no remedy to users already impacted by the company’s past conduct. Read more.
TikTok’s charm offensive. TikTok has launched a new data security initiative “focused on creating a secure enclave for European TikTok user data”. Project Clover, as it is called, is set to introduce measures to strengthen data protection provisions and further align the platform’s approach to data governance with the principle of European data sovereignty. The move attempts to reassure users and policymakers after the platform has been banned from work-related devices within EU institutions amid data security concerns.
Those are rookie numbers. Snapchat removes far fewer children from its platform in the UK than rival social media companies, according to media regulator Ofcom. The company, which requires users to be at least 13 years old, told the watchdog it is blocking the access of dozens of children per month, significantly less than rival TikTok, for instance, which has the same age limit in place but is removing tens of thousands of underage users monthly.
Forget about me. France leads within Europe in terms of people exercising their ‘right to be forgotten’, accounting for 24% of all requests submitted to Google and Bing between 2015 and 2021. Analysis by Surfshark shows that more than one million requests were submitted to these search engines in Europe during this timeframe, with half originating in Western European countries.
Metaverse landing page. The Commission will soon open a call for evidence on its metaverse initiative, which it says is aimed at creating “open, interoperable and innovative virtual worlds that can be used safely and with confidence by the public and businesses”.
PLD timeline. The joint IMCO-JURI timeline on the Product Liability Directive has been set, with the deadline for amendments planned for 28 April, the committee vote on 3 or 6 July and a plenary adoption on the same month.
Connectivity Package presentation. The Commission gave the Telecom Working Party an overview of its legislative package on Tuesday. Quite tellingly, out of the 34 slides of the presentation seen by EURACTIV, two were on the Gigabit recommendation, one on the exploratory consultation and 25 on the Gigabit Infrastructure Act. Still, most of the discussion focused on the ‘fair share’ element of the consultation, with EU countries taking some initial positioning. The Netherlands, which earlier this week hosted an event highly critical of the ‘network fee’ proposal, was joined by Germany, Estonia, Austria, and Finland in criticising the initiative and calling on the Commission to follow a transparent and fact-based approach. Similarly, Portugal cautioned that the initiative should not raise wholesale prices for consumers. Only Spain spoke out in favour of the proposal, as France fell into silent mode.
What now? Whilst it is still unclear what path the Commission will take in the end, it will probably draw conclusions on the consultation in the summer, and EU countries are keen to be involved in that discussion. Another element of uncertainty is what position Germany will take at the end. Although Berlin has sided with the more sceptical camp so far, the coalition government is not unfamiliar with dramatic U-turns, from EUCS to car emissions. All the criticism against the initiative has so far come from liberal-led ministries, and it is not certain it will be the FDP to dictate the line on the matter.
The spectrum question. Some member states are increasingly convinced the Commission might link up the ‘fair share’ initiative with the issue of radio spectrum. The EU executive already floated the (not-so-new) idea of some EU-wide spectrum allotments in the public questionnaire. Moreover, at the last IMCO hearing, Commissioner Thierry Breton criticised EU governments for using spectrum auctions to cash in rather than to finance infrastructural investments. The Commission is due to present its Radio Spectrum Policy Programme after the summer, just in time to slip something in before the end of the mandate.
GIA attribution. The Gigabit Infrastructure Act is set to land in the ITRE committee. Angelika Winzig, who previously led the Roaming recast, is interested in leading the file. Most major groups are still undecided on who will follow the GIA, with EU lawmakers more tempted to throw their weight behind the upcoming proposals related to energy. A decision on which group will take the lead is expected to be taken on 28 March.
What else we’re reading this week: