March 28. 2024. 5:16

The Daily

Read the World Today

Tech Brief: AI Act’s Parliament endgame, Cyber Solidarity Act


“We will have 3 crazy weeks. If we are successful, we will have a vote at the end of March. If not, the file will be open for much longer.”

Story of the week: The co-rapporteurs have revised almost all compromise amendments following the last political meeting. Among the most significant changes, social scoring has been extended to private companies, regulatory sandboxes’ users would enjoy a presumption of compliance, and the role of the AI Office has been significantly watered down. Open source AI models are set outside of scope unless they are integrated into larger high-risk systems. Whilst the Greens’ amendment requires AI developers to verify that the training datasets have been legally sourced, wording will be added to specify that data collection must respect Intellectual Property and data protection rules. Moreover, recitals specifying the ban on biometric categorisation and subliminal techniques are expected to follow. Read more.

Don’t miss: The EU’s Cyber Solidarity Act made its first appearance on the Commission’s work programme this week. The legislative proposal is set to provide the legal framework for the critical entities identified under NIS2 to access a cybersecurity emergency fund in response to large-scale cyber attacks and for the prevention of, for instance, penetration testing or bug hunting. The fund will finance the work of trusted providers that must qualify for certification based on a pilot project ENISA has been running since the summer. The most sensitive questions remain the budget, which will come from the Digital Europe Programme, the governance, namely to what extent the Cybersecurity Competence Centre will be involved, and to what extent member states will have to share threat intelligence with the European Detection Infrastructure. Read more.

  • The European Commission narrowed the scope of the Spotify-promoted probe into Apple.
  • The Swedish Council presidency circulated another partial compromise of the Cyber Resilience Act, completing the first review of the text.
  • The European Data Protection Board put forth significant caveats to the new EU-US Data Privacy Framework.
  • China pushed back after all main EU institutions banned TikTok on staffers’ devices used for work.

Before we start: If you just can’t get enough of tech analysis, tune in to our weekly podcast.

TikTok’s ban – what now?

All major EU institutions banned TikTok on work phones in the last week. We discuss the ban and the geopolitical context in which it takes part with Jade Nester, Head of Data Public Policy for Europe at TikTok, and Katja …

Artificial Intelligence

EP schedule. The AI Act’s shadow meeting scheduled for next week has been moved to the plenary session in Strasbourg to allow for more technical work to progress. While co-rapporteur Brando Benifei tried to reassure everyone this week that a political deal is within reach, some parliamentary officials are starting to think that if no agreement is reached by the end of March, the negotiations might drag on for a lot longer. Technical standards and conformity assessment are on the menu of the next technical meetings. The big question that the EU lawmakers have not yet touched upon is general purpose AI. EURACTIV understands a text on this sensitive topic was about to be presented at the last shadow meeting. However, it was stopped at the last minute, either because the agenda was full or there was still disagreement between the co-rapporteurs.

Generative AI race. Elon Musk is looking to develop a rival to OpenAI’s ChatGPT, having reportedly recently approached researchers about creating a new research lab. Musk, an OpenAI co-founder, left the company’s board in 2018 and has praised the generative AI model it has produced. Among those reportedly recruited is a researcher formerly part of Google’s AI department.

AI workforce. According to a new OECD study, the AI workforce currently represents just a small share of employment in OECD countries despite being crucial to the future development and deployment of tech. The research also examines the academic background of, as well as gender disparities within, the AI workforce and concludes that there is strong demand for AI workers overall.

Standardisation request. The standardisation request for the AI Act is set to be discussed within the relevant committee today, meaning the draft is close to finalisation. Before being sent to the European standardisation bodies, the request must be formally adopted. In the coming weeks, the Commission will have to prepare the implementing act that will serve as the legal basis for the request, which will likely go out around the end of April or the beginning of May. Confirming EURACTIV’s previous reporting, ETSI is cut out in favour of CEN/CENELEC.

Competition

Apple’s probe halved. The Commission has dropped some antitrust charges against Apple in a rare revision of a previous Statement of Objections. The second statement published this week notes that the EU antitrust authority is no longer pursuing the issue of in-app purchasing restrictions on music streaming app developers distributing on the App Store but would instead focus solely on the fact that developers were not allowed to inform users of cheaper off-app purchasing options, seen as a violation of EU law. The case stems from a 2019 complaint by music giant Spotify. Read more.

Vestager’s vision. The EU has been too slow to act and anticipate change, Commissioner Margrethe Vestager said at a conference this week, arguing that the EU needs to turn its attention to emerging realms such as the Metaverse and ChatGPT to understand what healthy competition in these areas would look like. She also voiced support for a pro-competitive green economy and slated greenwashing claims, which she said were being used to push through subsidies and regulations and diminish competition for covert purposes.

AdTech probe incoming. Commission competition officials are reportedly preparing charges against Google over its ad technology, a key revenue driver for the company. A statement of objections is set to lay out Brussels’ concerns as part of the investigation into whether the tech giant preferenced its own ad tech, thereby suppressing rivals in a dominant market. EU antitrust officials have reportedly, in recent days, been contacting these rival companies to gather evidence, suggesting that the presentation of charges is imminent.

Cybersecurity

CRA’s first review. A partial compromise text on the Cyber Resilience Act, circulated by Stockholm following February discussions, has dealt with the interplay between the regulation and other EU laws and notifying authorities, enforcement, and penalties. The changes in the text, obtained by EURACTIV, are not major, suggesting ahead of this week’s technical discussion that the Council might not yet be prepared to tackle the most sensitive aspects of the proposal, such as the Commission’s delegated powers and the implementation timeline. The Swedish Council presidency will circulate a new text next week, revisiting the parts covered in the first two compromises.

IMCO’s timeline. The EU Parliament has started its work on the Cyber Resilience Act, beginning with an exchange of views with the Commission in IMCO this week. Although the competence fight is not settled yet, IMCO published its timeline officially recognising that the Industry committee will stay in the lead (as ITRE will vote last). The deadline for amendments has been set for 26 April, just after considering the draft opinion, with a committee vote planned for the end of June. The question still open is what exclusive competencies IMCO will obtain.

Danti’s second workshop. Meanwhile, ITRE’s rapporteur Nicola Danti hosted his second stakeholder workshop on the CRA. Among the invitees featured Apple, manufacturing associations, the European Consumer Organisation (BEUC), Privacy International, and cybersecurity company Trellix.

SCCG meeting. The Stakeholder Cybersecurity Certification Group is meeting today, but the controversial cloud certifications scheme (EUCS) is nowhere on the agenda seen by EURACTIV. The discussion will focus on the CRA, NIS2, and Cyber Defence Policy, cybersecurity certification activities related to the EU5G scheme, AI feasibility study, and the state of the cybersecurity market.

Data & Privacy

EU-US framework opinion. The European Data Protection Board (EDPB) expressed several concerns that should be addressed to ensure that the new EU-US Data Privacy Framework “endures”. The Board found in its non-binding opinion that the new arrangement is an improvement compared to the Privacy Shield. However, it stressed that limitations to the US security agencies’ data collection activities and legal redress would have to stand in practice and not only on paper. The European data protection authorities also called for more clarity on the temporary bulk collection, onward transfers, and the lack of automated decision-making and profiling rules. The EBPD also wants the adequacy decision to be reviewed every three years. Read more.

General Approach approaching. The Swedish presidency is set to present its sixth compromise on the Data Act, with the previous version’s measures on trade secrets and B2G data-sharing emerging as the main issues that are still open. The text is expected to be discussed at the Telecom Working Party meeting on 14 March, with the view to sending it to COREPER as early as on 30 March. EURACTIV understands this scenario is likely as the remaining changes are a little more than fine-tuning, there are currently no red lines and there is political pressure from the Commission and presidency to sync the timing with the European Parliament that is due to adopt its mandate at the next plenary session.

Looking ahead. The Swedes aim to close the negotiations with the EU lawmakers. The rush to close a deal would be due to domestic politics: The Parliament’s rapporteur Pilar del Castillo, a Spanish conservative, does not want to hand a victory to Spain’s centre-left-led government during its Council presidency, and just ahead of the national elections in December.

RIP ePR? Despite saying in its programme that it will continue working on the ePrivacy Regulation, Stockholm has prioritised other files like the Data Act, the Commission admitted in an internal note seen by EURACTIV this week. The Parliament’s rapporteur Birgit Sippel similarly complained on Twitter about the presidency’s lack of interest in the file. A growing number of EU countries believe the ePrivacy is dead and the Commission should withdraw it and propose something new, an EU official told EURACTIV.

Dark patterns guidelines. The EDPB has also published its guidelines on deceptive design patterns on social media platforms this week, dividing them into categories to ease their recognition and outlining some best practice recommendations for designing user interfaces that would facilitate more effective implementation of the GDPR.

Digital Markets Act

2nd stakeholder workshop. The Commission’s second stakeholder workshop on DMA implementation was held this week, focusing on the interoperability of messaging services. Stakeholders proposed several technical solutions and language models to ensure messaging service interoperability, both vertical and horizontal, and examined, in particular, the technicalities of the incremental nature of the DMA’s obligations in this area. The decision on which technical standard should be used lies with the European Commission.

Technically feasible. IMCO rapporteur for the DMA, Andreas Schwab, reported back to the committee this week on a working group meeting examining precisely the interoperability question. Schwab underlined the technical feasibility of the obligations but stressed that further work is needed on the designation of gatekeeper platforms and the implementation details.

Digital Services Act

Speeding up. The Commission is accelerating the designation of very large online platforms. A few days after the deadline for digital platforms to publish their EU users count, the EU executive sent out letters with preliminary findings, asking the tech companies to comment on them. Apparently, some platforms lamented factual mistakes in the findings, suggesting the designation process is being rushed due to political pressure.

Supervisory fee rules. The Commission has adopted the draft rules and procedures for levying supervisory fees on very large online platforms under the DSA. This week, the delegated regulation adopted by the EU executive would put in place the legislation’s provision allowing the Commission to impose such fees on any service providers that fall under its purview. The Parliament and Council now have at least three months to scrutinise the act.

Paying visit. Commissioner Thierry Breton told an IMCO hearing this week that he will meet with the MEPs involved in the DSA and DMA on 21 March.

Gig economy

STR general approach. The Competitiveness Council formalised its general approach to the short-term rental proposal, as anticipated by EURACTIV. Airbnb, one of the key platforms that would be affected by the rules, criticised the Council’s text for a lack of streamlining data-sharing, not giving the Commission a more active role in assessing registration schemes, and falling short of preventing disproportionate local regulations.

IMCO’s timeline. Meanwhile, IMCO published its timeline on the short-term rental proposal with the consideration of the draft report planned for 22-23 May and the deadline for amendments set for 1 June. The committee vote has been scheduled for 18-19 September, followed by plenary approval the next month.

Industrial strategy

Chips Act trilogues. A timeline for the Chips Act trilogue has been defined following negotiators’ first meeting this week. The next political meeting is set for 9 March, with follow-ups scheduled for 30 March, 4 May and 5 June.

SMEs funding. An EU-funded programme, DREAM Eurocluster, has launched an expression of interest in funding SMEs working on new solutions for digital technology-focused industries such as AI, IoT and Cloud services. Funding of up to €30,000 will be available, and the deadline for expressing interest is 31 March, ahead of an open call in April.

Law enforcement

Negotiations resumed. Washington and Brussels have revived negotiations on an EU-US agreement on facilitating access to electronic evidence as part of criminal investigations. Negotiations began in 2019 but were put on hold while the EU worked on its e-evidence legislation. Officials from the Commission and the US Department of Justice will meet in Stockholm later this month to continue work on a transatlantic deal.

Platforms

TikTok ban fallout. A week after the Commission’s introduction of a ban on downloading TikTok onto employee devices, institutions across Brussels have followed suit, with the Parliament and External Action Service introducing prohibitions of their own. Canada has also taken similar steps, and lawmakers in Washington are considering allowing the President to invoke an outright ban on the app in the US. Beijing also hit back at the EU’s decision this week, warning that it jeopardised international confidence in the European market. Read more.

Against the tide. The Polish government will continue using TikTok, although a growing number of authorities have banned the app. Ruling party PiS requested this week justification from the Commission for prohibiting employees from having the app on professional devices. They said the government would continue to use the app for electoral purposes. Read more.

Pol ads 1st trilogue. The co-legislators met this week for the first trilogue on the Political Advertising regulation, a draft report approved by the Parliament in February. Reporting back to lawmakers on the Internal Market Committee, parliament rapporteur MEP Sandro Gozi said the EU Parliament had set out its main priorities, including the proposal’s scope, enforcement, the creation of an online ad repository, and a ban on third-country sponsors. A negotiation timeline was also agreed upon, with the next meeting set for 30 March.

Metaverse citizen discussion. The first instalment of a citizens panel on the EU virtual worlds initiative was held this week, with follow-up sessions scheduled for March and April. 150 randomly selected EU citizens gathered in Brussels to test immersive technologies and discuss their experiences with the technologies, raising concerns on issues such as the digital divide, cyberbullying and online fraud. However, some participants criticised that they were not given enough time to get beyond superficial discussions, and some stakeholders pointed to the fact that the Commission stirred the debate in the direction of its own choosing.

Telecom

Breton at MWC. The EU’s current telecom networks are insufficient to handle the growing demand on internet services, Internal Market Commissioner Thierry Breton said at the Mobile World Congress in Barcelona this week. Referencing the Commission’s recently announced ‘fair share’ proposal, Breton also said that the subject was not a battle between “Big Telco and Big Tech” but rather an issue of improving connectivity to meet future needs.

Member states’ backlash. The Netherlands was the first to openly criticise the Commission’s proposal, stating that the plan could harm European consumers and businesses and hamper digitalisation in the region. The country also accused telecom companies of omitting “crucial information resulting in a misrepresentation of facts”. German state secretary for digital Stefan Schnorr also criticised the initiative at a hearing in the German Bundestag on Wednesday, saying he considered the Commission’s questionnaire to be ‘tendentious’. The same ministry’s top bureaucrat attacked Breton on Twitter, accusing the Commission of asking for feedback when he had already decided. To note: this critical position comes from the German liberals, who are part of Breton’s own political group, Renew. Still, it is not necessarily the line that prevails in the coalition government, given Deutsche Telekom’s enormous influence.

One to watch. The EU executive is set to present its Connectivity Package at the Telecom Working Party next week, including the ‘fair share’ consultation. Although it might be too early for countries to take a strong stance on it, it might provide interesting indications of the different views.

French grandeur. The day after Breton’s grand speech at the Mobile World Congress, Orange, the company the French Commissioner headed in the 2000s when it was still called France Télécom, sent an email to shareholders, obtained by EURACTIV, declaring its intention to “re-create itself as a global competitor on all the value chain of the digital transformation: digital integration, cybersecurity, data, Artificial Intelligence, data centres, cloud.”

GIA consultation. The Commission has published a call for feedback on its Gigabit Infrastructure Act. The feedback window opened on Monday and will run until at least 27 April, with extensions until the proposal is made available in all EU languages.

Twin transitions

Competitive sustainability. A comprehensive industrial plan will be needed to secure Europe’s green transition, MEP Eva Maydell told EURACTIV this week. For the EU lawmaker, despite its noble ambitions, the Green deal “was not backed up with the industrial and technological potential” from its inception. As such, she said, innovative solutions such as AI applications will be needed to push it forward and a plan that shifts the EU’s focus towards competitive sustainability will be vital. Read more.

What else we’re reading this week:

Why Do A.I. Chatbots Tell Lies and Act Weird? Look in the Mirror. (New York Times)

Conspiracy Theories Have a New Best Friend (The Atlantic)