“The Commission can be open to consider such safeguards, as proposed by the Council, as long as such a mechanism remains an exception to the rule.”

Story of the week: An internal note seen by EURACTIV this week shows that the Commission is willing to add a mechanism for protecting trade secrets to the Data Act, on condition that it remains an exception rather than the rule, that it is in line with the Trade Secrets Directive, and that it does not provide an excessive burden for SMEs. Last week’s mobilisation of German industry giants like Siemens and SAP seems to have made waves in the EU executive, unsurprisingly, since President Ursula von der Leyen has been consistently sensitive to the needs of her home country. The Commission has been very active in the negotiations of the new data law, partially compensating for the lack of leadership of the Swedish presidency. Although the trilogue next week is only set to close the B2G data-sharing chapter, where there is no appetite in the Council to limit the scope to personal data only, the presidency told COREPER on Wednesday it still intends to close the file before the end of its semester, and no member state indicated red lines. Meanwhile, the Commission is still due to present a non-paper with a compromise on how to deal with the trade secrets question. Read more.

Don’t miss: The first compromise amendments to the Cyber Resilience Act were circulated by rapporteur Nicola Danti last week, covering the proposal’s scope, obligations for manufacturers, importers and distributors, compliance, enforcement, product lifetime, critical products and sandboxes. The reporting obligations were aligned with the NIS2 Directive, whilst a reference to high-risk vendors and possible backdoors was included. The recitals, which cover some fundamental aspects such as how to deal with open source software, were not covered as the rapporteur still has to make up his mind on this subject. Political groups have until Monday to submit their written comments ahead of the first technical meeting next Wednesday. Read more

• The French data protection authority initiated an action plan on AI models like ChatGPT.
• The EU competition department cleared Microsoft’s acquisition of Activision.
• A new case before the EU Court of Justice might clarify what ‘serious crime’ can justify surveillance laws.
• The Commission has launched a counter-offensive on its draft law to scan private messages.
• EU and India launches collaboration on strategic digital areas, but underlying tension remains on international data flows.

Before we start: If you just can’t get enough of tech analysis, tune in to our weekly podcast.

The global prospects for data protection

he UK is discussing a data protection reform that would distance its regime from the EU’s General Data Protection Regulation (GDPR). Meanwhile, the US has been working on an alternative standard for international data flows. We discuss these developments and …

Instagram’s Family Tools for parents and teenagers

Find out more >>

Artificial Intelligence

CNIL’s AI action plan. France’s data protection authority (CNIL) has published an action plan designed to address AI-related privacy concerns, particularly those related to generative models such as ChatGPT. The plan follows a four-step approach: understand the technology, provide guidance on how to best respect personal data in AI development, create an ecosystem thanks to various projects like a regulatory sandbox, and undertake audits. One source told EURACTIV this week that the watchdog is positioning itself to lead the national enforcement of the EU’s AI Act, but the CNIL wields significant influence in Europe more broadly, meaning the plan could shape the data protection approach to generative AI beyond France. Read more.

Olympic surveillance approved. The French Constitutional Council this week approved the security provisions of a law concerning next year’s Olympic and Paralympic Games, which will be held in Paris. The law has attracted controversy over provisions that authorise the use of AI in processing data collected by vehicle or drone-based video surveillance systems until March 2025. At the EU level, however, lawmakers have warned that the French law could conflict with European regulation, particularly the upcoming AI Act. Read more.

Merging the impact assessments. Alexandra van Huffelen, the Dutch state secretary for digital, was in Brussels on Monday to anticipate how the Netherlands is rolling out a Fundamental Rights Impact Assessment for AI solutions used in the public sector, an initiative included in the European Parliament’s AI Act report. Van Huffelen sees this new impact assessment as complementary to the existing one organisations must conduct for data protection. “In line with the EU data protection philosophy, our approach is centred around the purpose for which the data is used,” she said.

Competition

EU clearance lands. The EU competition department cleared Microsoft’s proposed acquisition of gaming company Activision-Blizzard on Monday, at odds with the decisions of other international watchdogs. EU competition authorities accepted commitments made by the tech giant to address concerns raised earlier in its investigation, just weeks after the UK’s Competition and Markets Authority rejected the deal. The CMA reacted with unusually strong wording to the EU decision, saying that “Microsoft’s proposals, accepted by the European Commission today, would allow Microsoft to set the terms and conditions for this market for the next ten years.” Read more.

Not everything is peachy. Just a few days after the Commission cleared its acquisition of Activision-Blizzard, Microsoft is back under Brussels’ antitrust microscope, this time over its cloud business, Azure. EU competition authorities this week launched an informal investigation into whether the tech giant is abusing its dominant position in the cloud computing market, speaking to rival companies in anticipation of a potential formal probe.

Broadcom commits. Commission competition authorities have received commitments from the parties involved in chipmaker Broadcom’s proposed acquisition of cloud software company VMware amid an investigation into whether the merger would pose antitrust concerns. The commitments come shortly after the deadline for a decision on the deal was extended by three days, now expected to arrive on 17 July.

Data & Privacy

Five years after. GDPR enforcement is paralysed, and Ireland remains a bottleneck five years after the legislation came into force, according to a new report by the Irish Council for Civil Liberties (ICCL). 75% of the Irish Data Protection Commission’s investigations were found to have been overruled by peers at the European Data Protection Board, and although watchdogs throughout Europe have a combined budget of a third of a billion euros, by December 2022, only 28 GDPR fines had been levied in cross-border cases.

LIBE in DC. Lawmakers from the Parliament’s civil liberties (LIBE) committee travelled to Washington DC this week to discuss data transfers and privacy, technology policy and child protection. The MEPs met with a range of US officials, including the Chair of the Federal Trade Commission, Lina Khan, civil society actors and figures from institutions such as the FBI, the Data Protection Review Court (DPRC) and the Departments of State and Justice. The EU lawmakers also met with their US peers, such as Representatives Anna Eshoo, Ted Lieu, Diana Louise Degette, Lois Jane Frankel, and Senator Marsha Blackburn.

New Commission DPO. The EU Commission appointed Michelle Sutton as Data Protection Officer. The British-Belgian national will move from the post of the principal adviser in the Internal Audit Service to her new role as of 1 July. Sutton previously worked in the cabinets of Barroso, Kroes, and Timmermans.

Industrial strategy

France’s charm offensive. Over 200 chief executives of global companies gathered in the Versailles Palace this week for the “Chose France” investment conference, with a particular focus on green tech projects. Among the attendees was outgoing Twitter CEO Elon Musk, who met with French President Emmanuel Macron to discuss digital regulation, progress in the electric vehicle and energy sectors, and France’s attractiveness as an investment destination. Read more.

Law enforcement

Commission’s counter-offensive. The Commission has entered defensive mode on the proposal to fight child sexual abuse material (CSAM) following the negative opinion of the EU Council legal service. In a non-paper shared with the Law Enforcement Working Party this week and seen by EURACTIV, the EU executive defended the detection order’s compatibility with fundamental rights, stressing that they should be considered as a tool of last resort for situations where “the reasons for issuing the order outweigh its negative consequences.” The document also notes that CSAM is a specific issue compared to the others present on digital platforms because the content itself is the crime and that the rights to privacy and data protection are “not absolute rights but must be considered in relation to their function in society”. Read more.

Where is the majority? The Swedish presidency stated that most member states are in favour of expanding the scope of the proposal to tackle Child Sexual Abuse Material (CSAM) to cover audio communications in a Council document seen by EURACTIV this week. Including audio might have far-reaching implications, particularly given that it is as yet undetermined whether this would also encompass phone calls. However, EURACTIV has consequently learned that only three EU countries expressed support for extending the scope of the regulation in this direction. According to the presidency, the ‘clear majority’ assessment is based on the discussions within the Law Enforcement Working Party. Still, an EU official said there was no substantial discussion on the matter.

COREPER postponement. As EURACTIV reported, the proposal, which aims to fight child sexual abuse material (CSAM) online, was first supposed to be discussed at a COREPER meeting on 3 May but was then pushed to 17 May, as national representatives required more technical work. The proposal, however, has been taken off the agenda again due to lack of agreement, EURACTIV learned. There is no new date announced yet in relation to this.

Media

EMFA ministerial discussion. Sweden is still hoping to achieve a general approach to the European Media Freedom Act by the end of its tenure in June, Stockholm said this week as it presented a progress report on the legislation to the Education, Youth, Culture and Sport Council. Work remains focused on a number of areas, including the new oversight Board, safeguards on and duties of media service providers and provisions related to digital platforms, with varying degrees of consensus reached on each. Guaranteeing the board’s independence and protecting journalistic sources were among the points raised as key concerns by many member states during the ensuing policy debate. States have also spoken out on other sections of the proposal, with Hungary, Poland, and Germany cautioning against potential clashes with national specificities.

AV consultation incoming. The Commission is set to launch a consultation on Europe’s audio-visual industry aimed at strengthening intellectual property rights and addressing the dominance of non-European streaming platforms, Internal Market Commissioner Thierry Breton announced at the Cannes Film Festival this week. The consultation will also examine the definition of European works, including whether content from the UK should be incorporated under this label.

CULT amendments. In the European Parliament, MEPs amendments to the Media Freedom Act were published in the CULT committee this week, with an exchange of views set for 6 June.

Platforms

Let us take a look. TikTok and other major online platforms were invited by Internal Market Commissioner Thierry Breton this week to open themselves up to a “blank” audit before the DSA enters into force in August. Speaking at the Cannes Film Festival, of which TikTok was a partner, the French Commissioner reiterated the call made when the company was designated as a very large online platform under the Digital Services Act to accept such reviews, including of their headquarters.

See you never? The publication date of the EU Commission’s non-legislative initiative on virtual worlds (i.e. the metaverse) has been postponed once again until 11 July. The initiative seems to have lost momentum, as an increasing number of observers consider Meta’s bid in this area to have failed.

Product liability

Businesses on the PLD. The Product Liability Directive’s (PLD) scope should be limited to embedded software. According to a position paper published this week by BusinessEurope, it should retain its focus on material damages only. Provisions within both the PLD and the AI Liability Directive preventing the use of irresponsible third-party litigation should be strengthened, it is also argued, and safeguards are needed to ensure evidence disclosures are proportionate to protect trade secrets and intellectual property rights.

Telecom

No intervention needed. A Commission assessment and Eurobarometer survey have found that rules on intra-EU calls have effectively protected citizens from excessive prices and maintained lower costs since their introduction in 2019. The survey found that consumers benefit on average from a 60+% reduction in price and that almost one-third of EU consumers communicate with people in other EU countries via phone, text or internet at least several times a month.

Telcos’ consultation response. Two major telecoms organisations – GSMA and ETNO – have published a joint response to the EU’s consultation on the future of electronic communications proposal. Unsurprisingly, the industry organisations elicited their support for the senders-pay initiative and called for simplifying the regulatory framework to foster a single telecom market. They also emphasised the importance and urgency of building scale via in-market consolidation and cooperation on innovative technologies to ensure that European operators can be globally competitive.

Transatlantic ties

EU-India TTC launched. The EU-India Trade and Technology Council held its inaugural meeting in Brussels this week, establishing, in the model of the EU-US TTC, a framework for dialogue on tech policy. The two sides publicly emphasised their desire to work more closely on key digital issues, notably emerging technologies like AI and quantum computing, green tech, market access and foreign direct investments. However, behind-the-scenes tension is, in fact, growing when it comes to one key element of international trade: cross-border data transfers. Read more.

What else we’re reading this week:

OpenAI’s Sam Altman Urges A.I. Regulation in Senate Hearing (The New York Times)

‘You can’t unsee it’: the content moderators taking on Facebook (FT)

Read more with EURACTIV

Message-scanning not incompatible with fundamental rights, Commission says

Faced with growing criticism, the European Commission defended in a non-paper its legislative proposal to fight child sexual abuse material, arguing it is not at odds with the EU Charter of Fundamental Rights and existing case law.