March 29. 2024. 4:06

The Daily

Read the World Today

Tech Brief: AI Act committee vote, EUCS tiered approach


“We are on the verge of building a real landmark legislation for the digital landscape, not only for Europe but also for the entire world.”

Story of the week: MEPs endorsed the AI Act report in the leading committees with a vast majority, paving the way for a plenary vote in mid-June. EURACTIV provides an overview of the main changes introduced by the Parliament. Only the Left voted consistently against the text, whilst far-right ID and ECR were divided. The split vote on the biometric recognition systems, the only one tabled upon the insistence of the centre-right EPP, was not even close, with 58 votes to maintain the full ban and only 10 against it. Some heavyweights in the IMCO committee, like Schwab, Ansip, and Charanzová, decided to abstain. In the liberal group, there is particular adversity for creating an AI Office, MEP Dragos Tudorache’s baby, which is seen as redundant with the new algorithm transparency centre.

Ahead of the vote, EURACTIV reported on the last-minute changes introduced to the text following the political agreement reached two weeks ago. On foundation models, additional transparency measures and a sanction regime were introduced. A definition of significant risk was added to qualify high-risk systems. A new accessibility requirement was introduced upon the insistence of the European Disability Forum. The critical use cases for recommender systems and political campaigning were further refined. New wording was introduced stating that the AI Office might be upgraded into an EU agency at a later stage. Read more.

Don’t miss: A draft of the controversial EU certification scheme for cloud companies was shared with the European Cybersecurity Certification Group members on Monday, before the meeting on 26 May. Obtained exclusively by EURACTIV, the draft puts the bulk of the much-discussed sovereignty requirements on a new level of assurance, high+. Only European companies not controlled by foreign entities could qualify for this category. On data localisation, high+ requires all data processing to occur in Europe, whilst the level high would have to propose that option at least. Measures to put EU data outside the reach of foreign jurisdictions and mandating internal controls on staff members and suppliers apply equally to high+ and high. Many people wonder whether the new draft resulted from the meeting between Rutte and Macron last month, as the idea of an high+ category was already floated in a mediation attempt between France and the Netherlands. Still, the part of the industry that opposed the scheme as a protectionist move is hardly impressed with the changes. Read more.

  • The European Cybersecurity Competence Centre opened its doors in Bucharest.
  • Using sensitive data in targeting techniques provides one more hurdle in political advertising regulation.
  • Germany’s implementation bill of the Digital Services Act includes establishing an advisory board.
  • The EU Parliament’s rapporteur on the short-term rental proposal presented her draft report.
  • The EU Council’s legal service joins the list of those raising fundamental questions on the proposal to fight child sexual abuse material (CSAM).
  • France put forth a new digital rulebook about digital fraud, online harassment, child protection and cloud switching.

Before we start: If you just can’t get enough tech analysis, tune in on our weekly podcast.

The state of the AI landscape

The discussions around AI and its impact on society have accelerated following the release of ChatGPT. But what is really new about these AI models? What are the societal problems they could lead to and how can they be mitigated?

Artificial Intelligence

Let’s do our own thing. France may look to introduce its own AI legislation if not satisfied by the EU’s AI Act, the minister in charge of the Digital Economy said during a week-long hearing. Jean-Noël Barrot told the Cultural Affairs Committee that the topic was a major concern, particularly in ensuring rightsholders get either remunerated or can opt-out from having their copyrighted content feed into AI models. Misinformation was also mentioned as a point of concern. If European-level negotiations did not succeed in these regards, Barrot said, France shouldn’t rule out legislating for itself on the topic.

Human rights for AI. The Council of Europe has published a review of the challenges participating countries face in implementing its 2019 Recommendation on protecting human rights in the rollout of AI. The follow-up recommendation notes an assessment of risks and impacts, strengthened transparency guarantees and independent oversight requirements as key obstacles and considers the potential for AI systems to pose a human rights harm.

Competition

App Tracking under scrutiny. The Italian competition authority opened an investigation against Apple for alleged abuse of its dominant position in the app market. As of April 2021, the company adopted a privacy policy for third-party app developers only, which is more restrictive than the one that applies to themselves. The different treatment is mainly based on the characteristics of the prompt displayed to users to acquire consent to track their browsing data and on the tools to measure the effectiveness of advertising campaigns. Similar investigations are ongoing in France and Germany.

More information needed. The Commission said on Wednesday it is seeking more information on Apple’s mobile payment system, in a sign the EU antitrust authority is trying to strengthen its case. Last year, Apple was accused of restricting rivals’ access to Near-Field Communication (NFC), a technology used to pay via mobile phones. It also made it difficult to develop rival services for Apple users.

We have a date. 15 May is the most likely date for the approval of Microsoft Corp’s $69 billion acquisition of American video game publisher Activision by the EU antitrust regulators, Reuters reported. The decision would come three weeks after the UK competition authority’s block on the deal due to concerns about it potentially hindering cloud gaming competition. The EU antitrust enforcer is expected to clear the acquisition after Microsoft agreed on licensing deals with cloud streaming rivals.

Cybersecurity

Centre opens up. The European Cybersecurity Competence Centre (ECCC), which will oversee the functioning of the EU-wide Cyber Shield, was officially opened this week in Bucharest. The Centre is tasked with strengthening Europe’s cybersecurity competence and coordinating the Commission’s proposed cooperation network of centres working on monitoring and responding to cyber threats. It will also include rapid technical intervention teams able to intervene anywhere in Europe to detect and defend against attacks. However, the Centre already has a troubled history. Read more.

ITRE amendments. The right to compensation for consumers against all market actors and the right for member states to add requirements for NIS2 products are among the more contentious elements of amendments to the Cyber Resilience Act in the ITRE committee, circulated this week. Also amongst the proposals are suggestions for better intellectual property protections, a database of exploited vulnerabilities and differentiation between consumer and B2B Products.

EU naivety is over. Commission VP Margaritas Schinas told the European Defence & Security Summit on Thursday that Europe’s naivety in cybersecurity is over. He sang the praises of the Cybersecurity Skills Academy, dubbing it as an initiative to “inject in an orderly way a system that produces these types of skills and provide horizontal comparability in competence.”

Industry mobilises. A statement signed by several tech industry organisations has called for changes to the Cyber Resilience Act to ensure its ambition is met. Among the suggested alterations are an extension of the implementation period, clarifications on the regulation’s scope, particularly regarding the inclusion of software as a product, and ensuring that the proposal does not mandate the reporting of unpatched vulnerabilities, among others.

Data & Privacy

Sensitive data hurdle. Progress on resolving the political advertising regulation in trilogue negotiations has reportedly been slow, raising concerns about whether the Swedish Council presidency will be able to finalise the file before the end of its term. Several outstanding issues remain, including the provisions on targeting and amplification using sensitive data, with the Commission pushing for an approach that could lower protections to below the standard set in the Digital Services Act. Read more.

Won’t wait much longer. Meta’s landmark data transfer case is in its final steps. Ireland’s Data Protection Commission is set to adopt its decision and share it with Meta today, a DPC spokesperson told EURACTIV. Meta will have a few days window to react to commercially sensitive information, with the publication of the findings expected around 22 May. A source informed on the matter anticipates that the data transfers with the US will almost certainly be blocked, and the fine is expected to be ‘unprecedented’.

Think twice, Ursula. Trade association DIGITALEUROPE and the CEOs of five companies of European heavyweights such as Siemens and SAP have written to Commission President Ursula von der Leyen and other EU officials to express their concerns regarding the Data Act, arguing there is an insufficient safeguard for trade secrets, B2G provisions are too broad and that cloud switching obligations run against contractual freedom.

Data intermediaries’ logos. The window for feedback on the Commission’s implementing regulation under the Data Governance Act has opened, with contributions being accepted until 7 June. The regulation introduces common logos to aid stakeholders in identifying data intermediation service providers and assisting data altruism organisations with recognition within the EU. These trust marks must be displayed on all online and offline publications relating to organisations’ activities and are intended to contribute to transparency in the market.

Digital Markets Act

DMA data workshop. The DMA’s data access provisions were the subject of a workshop on 5 May, with panels focusing on the combination and cross-use of personal data online and restrictions on using non-publicly available data of business users and gatekeepers, and data portability. A key concentration of this workshop, which follows others on elements such as self-preferencing, messaging service interoperability and app store provisions, was the general framework for compliance with data-related measures and the interplay between the DMA and the GDPR. Among those speaking were representatives of national bodies such as the French Data Protection Authority (CNIL) and major companies, including Meta and Amazon.

DMA group launch. The High-Level Group on the DMA met for the first time today with an agenda featuring topics such as the state of the legislation’s implementation and findings of the Commission’s recent DMA workshops. The Group, established in March, comprises 30 representatives from various European regulators. With a mandate of two years, the group will gather at least once per year and will advise the Commission.

Digital Services Act

German implementation bill. Berlin has suggested establishing an advisory board to monitor the implementation of the Digital Services Act to ensure German law is fit for its enforcement. A draft version of the implementation law, seen by EURACTIV, covers the application of some areas of the legislation, including the advisory board, national legal framework and federal vs state structure. Read more.

Procedural consultation. The Commission has opened a call for feedback on delegated regulation setting out the DSA’s rules for the procedures, methodology and templates used in audits of very large online platforms (VLOPs) and search engines. The feedback window opened last week and will close on 2 June.

Gig economy

Short-term rental draft report. The Parliament’s rapporteur for the initiative to regulate the short-term rental market published her draft report this week, giving competent authorities greater powers and increasing requirements on travel tech platforms. MEP Kim van Sparrentak said her top priority is ensuring that authorities can better enforce local rules on short-term rentals to secure affordable housing. She is proposing changes to the proposal in areas including the registration process, competent authorities and timeline. Read more.

Letter or no letter? Word on the street is that a confidential letter was sent from Spanish diplomats to their French counterparts to summon them to soften their stance on the Platform Workers Directive ahead of an ambassadors’ meeting on 24 May. As it often happens in the Brussels circles: everyone’s heard of this letter, but none has read it. Both the Spanish and the French Permanent Representations are in silence mode, of course. In confidence, EU diplomats, such an initiative might be too upfront, as Spaniards are just a few weeks away from taking over the presidency, which would require them to be more impartial. Others wonder whether the letter even exists.

Industrial strategy

Alert system in place. The Commission this week launched its Semiconductor Alert System, a new pilot initiative to monitor the chips supply chain and allow those involved to flag disruptions. The system, which falls under the third pillar of the Chips Act, will also allow the Commission to gather the information needed to assess risks and respond rapidly to potential crises.

Digital Europe calls. The Commission has launched calls for more than €122 million in investment in digital technologies and competence under the Digital Europe Programme’s 2023-24 work programme. This investment round is set to fund projects related to child protection, tackling disinformation, data, cloud-to-edge infrastructure and AI, focusing on digital skills. The deadline for the calls, which are open to businesses, public administrations and other entities, is 26 September, with additional calls set for publication as the year goes on.

Law enforcement

Another nail in the coffin. This week, the EU Council’s legal service slammed the Commission’s controversial proposal to tackle child sexual abuse material (CSAM), particularly regarding its potential implications for privacy rights. According to extracts of the legal opinion seen by EURACTIV, the legal service was particularly critical of the ambiguity around detection orders and warned that screening interpersonal communications also affects the fundamental respect for private life and freedom of expression. Read more.

PEGA committee report. Lawmakers on the Parliament’s committee to investigate the use of Pegasus spyware in Europe this week approved its resolution on the misuse of the tech, calling for what was described as a moratorium on its use by member states unless specific conditions are met by the end of the year. The report was accompanied by country-specific recommendations focused on EU states where the tech has been deployed. Read more.

Council’s survivor board. A new compromise text on the CSAM initiative from the Council’s Swedish presidency has introduced a proposal for a survivors’ board. It shifts responsibility away from coordinating authorities and towards competent authorities, amongst other changes. In a separate document, ten member states have also called for a technology-neutral and future-proof approach to the proposal, asking that detection orders be a measure of last resort. Read more.

Timeline in question. After the EU Council’s legal opinion about the CSAM proposal, EURACTIV learned that another legal opinion is expected to come, this time from the Commission’s legal service, before the file goes to the COREPER level next Wednesday (17 May). The presidency aims for a partial general approach, but many controversial issues, such as detection orders, are still wide open. For the same reason, the parliamentary vote expected in late September might also prove to be too tight of a deadline.

Media

AVMSD implementation report. The Parliament this week adopted a report on the implementation of the Audio-visual Media Services Directive (AVMSD). The report criticises lagging transposition in several member states and slams the Commission’s reluctance to initiate infringement proceedings on this matter. MEPs touched upon topics like online platforms, the protection of minors, promoting European content, and AI’s implications for the AV sector. Read more.

Preparing for Cannes. As industry celebrates that the number of cinema-goers has begun to surpass pre-lockdown levels in certain member states of the EU, European producers are set to regroup in Cannes next week, where they are expected to find a sympathetic ear in Commissioner Breton. Speaking to EURACTIV, Marc-Oliver Sebbag, Director-General for the National Federation of French Cinemas, speculated Breton’s speech might boost the Media Invest funding initiative.

Platforms

Paying a visit. Arcom will also be tasked with the enforcement of the Digital Services Act. With this view, the French authority visited Ireland to meet the Irish regulator and some of the very large online platforms headquartered in the country, like TikTok and Meta.

Meta pushes the metaverse. New research by Meta has examined the economic opportunities presented by the Metaverse, finding that the EU, it could contribute between €259 billion and €489 billion per year in additional GDP by 2035.

Product liability

PLD amendments. The amendments to the Product Liability Directive circulated this week. The main hurdle seems to be the scope, with what seems to be a consensus to exclude open-source software but with different nuances and ECR going as far as excluding stand-alone software altogether. The definition of damage is also a battleground, with left-to-centre lawmakers pushing to include non-material damages and conservative MEPs that want to remove psychological harm.

Telecom

BEREC’s recommendation opinion. The European Electronic Communications regulator, BEREC, issued an opinion last Friday on the draft Gigabit Recommendation. Among the points raised in the opinion are concerned that the recommendation is not entirely in line with the European Electronic Communications Code and the potential for long-term access pricing and volume discounts to have both positive and negative impacts, among several other areas. The recommendation will affect the national authorities, which will define how they should interpret the Code.

Ready to discuss. On Wednesday last week, the Swedish presidency sent to member states a series of questions, seen by EURACTIV, regarding the Commission’s consultation on the future of the connectivity sector, which is seen as a prelude to a controversial proposal based on the senders-pay principle. The questions will inform the Telecom Council discussion on 2 June and relate to whether they see a need to stimulate investments in connectivity infrastructure and what other potential areas will face major challenges.

Poland pitches fund. Poland proposed creating a ‘Solidarity Broadband Fund’ as an alternative to a direct contribution in the senders-pay debate, according to a discussion paper seen by POLITICO. The paper was shared before the D9 group’s meeting this week in Poznań. The informal group comprises Denmark, Finland, Sweden, the Netherlands, Luxembourg, Belgium, Spain, Ireland, Estonia, the Czech Republic and Poland. While these countries are usually like-minded regarding digital affairs, a common position on this particular topic might not be so likely as it has been divisive across the bloc.

Intra-EU calls question. Commissioner Breton committed to limiting the costs for intra-EU calls in a letter of reply sent to MEPs. He also mentioned that the Commission and BEREC are currently assessing the Roaming Regulation’s relevant provision. The reaction comes from a written question signed by MEPs Dita Charanzová, Pilar del Castillo, and Evzen Tosenovsky that stressed intra-EU calls and roaming must go hand-in-hand.

Think about the future. A future-oriented rethink of telecoms regulation is needed if Europe’s connectivity goals are to be achieved, stakeholders emphasised at an event in Brussels this week, where sector representatives discussed the Commission’s ongoing Future of Connectivity consultation. Read more.

BREKO vs GIA. BREKO, the German Broadband Association, has criticised the draft Gigabit Infrastructure Act in a position paper that warns that in its current form, the proposal will slow fibre deployment significantly rather than helping the Commission to achieve its goals.

What else we’re reading this week:

Spotify ejects thousands of AI-made songs in purge of fake streams (FT)

Google is throwing generative AI at everything (MIT Technology Review)

Elon Musk says he has found a new CEO for Twitter (Tech Crunch)

Edited by Alice Taylor