Welcome to Euractiv’s Tech Brief, your weekly update on all things digital in the EU. You can subscribe to the newsletter here.

“It’s like a regulatory spaghetti bowl and a lot to digest – the next Commission will have to focus on untangling it.”

– said the director-general of the industry group DigitalEurope, Cecilia Bonefeld Dahl, about the AI Act.

Story of the week: On Wednesday, the European Parliament passed its first comprehensive regulation on artificial intelligence (AI), but major questions remain on how the law will be implemented. Key aspects of the legislation are yet to be agreed, including technical implementation standards and guidelines. It will also undergo a review process within the next months and years to determine if they are still relevant. Human rights groups have raised concerns that the law doesn’t go far enough in protecting individuals, particularly biometrics use and AI within an immigration context, such as identity checks. Read more.

Don’t miss: The European Commission violated data protection rules in its use of Microsoft 365, leading to the imposition of corrective measures by the European Data Protection Supervisor (EDPS), the watchdog announced on Monday. According to the EDPS, the Commission violated several parts of the EU’s data protection regulation for institutions and neglected to ensure adequate safeguards for transferring personal data outside the EU or the European Economic Area (EEA). In its contract with Microsoft, the institution also failed to specify the types of personal data collected and the purpose of the data collection when using Microsoft 365. The Commission’s breaches as a data controller also extend to data processing, along with personal data transfers conducted on its behalf. Several violations involve all the Commission’s data activities, including those done through Microsoft 365, affecting many people, EDPS stated. Read more.

Also this week:

• EU Parliament passes European Media Freedom Act, concerns over spyware remain
• At long last, EU countries adopt the platform work directive
• EU Commission investigates AliExpress for potential breach of EU digital rulebook
• EU Commission scrutinises nine big tech platforms over targeted ads and generative AI
• Hard-fought provision on the AI Act could become obsolete, experts say
• Council of Europe’s proposal for AI Convention is inadequate, EU data watchdog says
• YouTube’s algorithm promoted right-wing content in the 2024 Finnish elections
• Disinformation campaigns likely to undermine EU elections, experts say

Before we start: If you still want even more tech analysis, tune in to our weekly podcast.

Data protection in the EU: Children, migrants, and EU Commission

This week, together with the European Data Protection Supervisor Wojciech Wiewiórowski, we look at data protection issues, including the regulation concerning the detection and removal of online child sexual abuse material, as well as Frontex’s handling of migrants’ data, and the recent news regarding the European Commission’s violation of data protection rules in its use of Microsoft.

Artificial Intelligence

AI Act adopted. European lawmakers voted to pass a landmark regulation on AI in Strasbourg on Wednesday, a file that had garnered major lobbying attention from large tech companies over the past few years. After a 523-46 voting result, with 49 abstentions, the act heads down a lengthy and complex implementation path. General-purpose AI models, such as ChatGPT, were a particularly hot topic for discussion, with companies and some governments pushing for a tiered approach instead of horizontal regulation. The use of real-time biometric identification was also a key part of the negotiations. Read more.

Provision on AI Act to become obsolete? A key provision in the AI rulebook to assess the risks of foundation models such as ChatGPT may become obsolete within a year due to the pace of developing technologies, experts told Euractiv. “By the time the rules for foundation models become applicable [12 months from now] either there will be four or five big models that will pass this threshold […] or a new leap in technology [will bring down the computational requirements for powerful foundation models],” Dragoş Tudorache, an MEP who acted as co-rapporteur on the file, told Euractiv. Read more.

EDPS on the AI Treaty. Before its adoption, the European Data Protection Supervisor (EDPS) expressed its disappointment on Tuesday about a treaty on Artificial Intelligence (AI) negotiated in Strasbourg this week, saying it has veered far from its original purpose. The so-called Convention on Artificial Intelligence, Human Rights, Democracy, and the Rule of Law, is touted as the world’s first of its kind. The EDPS pointed to the hotly debated limitation of the Convention’s scope to public bodies only, which it said contradicts the stated policy objective of the treaty to be “transversal”. Read more.

AI Treaty adopted. The Council of Europe Committee on Artificial Intelligence finalised and adopted the first-ever AI treaty, the Framework Convention on AI. It sets common standards for AI use to uphold human rights and democracy. The treaty covers the public and private sectors, allows flexibility in implementation, promotes international cooperation, and imposes strict reporting obligations. It will be sent to the Committee of Ministers for final approval before opening for signature.

Today in the EU: AI Act. An episode of this week’s Today in the EU Euractiv podcast focused on the AI Act vote in Strasbourg – and why the lack of reference to how AI will be used in the defence sector is causing some concern. Listen here.

Civil society and AI. Following the AI Act’s vote on Wednesday, several organisations published their view of the regulation. A group of civil society organisations, such as Foxglove, ARTICLE 19, the Mozilla Foundation, and the Irish Council for Civil Liberties, stressed the need for urgent action to counter the concentrated power of dominant tech firms in AI. They warn of the dangers of unchecked corporate control, urging swift enforcement of competition rules to protect democracy and public interests.

Generative AI obligations. Published on Wednesday, a joint statement from European creators and rightsholders urged the European Parliament to ensure meaningful implementation of General Purpose AI obligations, aligned with the AI Act’s objectives. Among the signatories was the International Federation of the Phonographic Industry (IFPI), representing various sectors such as music, visual arts, publishing, and film. They also stressed the importance of developing a template for sufficient information disclosure by AI providers that facilitates effective enforcement of copyright and other rights, with formal involvement of creative sectors and rightsholders in the drafting process.

Human rights and AI. According to a post by the Center for Democracy and Technology, published on Wednesday, the AI Act emphasises privacy and human rights but falls short of adequately protecting these rights, particularly in vulnerable situations like border control. The Center finds that the requirement for fundamental rights impact assessments only applies to certain sectors and lacks meaningful oversight.

Greece against nude deepfakes. Cyber experts report a surge in cyberattacks targeting underage students, using AI tools to create fake porn videos from social media content. Greece, in particular, faces a rise in cases, with experts warning of the ease with which attackers manipulate images for revenge or ransom. Greece is therefore preparing legislation to combat deepfakes, Euronews reported last Monday. Last October, Euractiv also reported that nude deepfakes, including those of minors, are becoming increasingly common online – yet the law is still behind in regulating such material.

Introducing Devin. On Tuesday, a company called Cognition introduced Devin, which they refer to as “the first AI software engineer”. Devin operates independently in engineering tasks by using its own shell, code editor, and web browser.

Cybersecurity

Cyber Resilience Act adopted. On Tuesday, the Parliament passed the Cyber Resilience Act to safeguard digital products from cyber threats, ensuring they are secure and provide clear information on security features. Products will be categorised based on risk, with varying assessment processes. MEPs included key products like identity management systems and smart home assistants. ENISA will play a crucial role in incident handling and information exchange among member states. The regulation also prioritizes enhancing professional skills in cybersecurity through education and training initiatives.

Digital diplomacy

Hurry up, Commission. The European Parliament adopted a resolution expressing concern about delays in processing requests for public access to documents by the European Commission. They emphasise that public access to EU institution documents is crucial for transparency, accountability, and democratic scrutiny. The resolution highlights systemic delays in granting access, especially in cases of significant public interest. Recommendations include correcting delays, proactively publishing documents, and implementing the Ombudsman’s suggestions.

Digital Markets Act

Ok, you can come back. Apple reversed its decision to ban Epic Games’ app store on iOS in Europe after EU officials investigated the matter. This follows the new Digital Markets Act (DMA), allowing the game Fortnite to return to iPhones in Europe. The move came after Epic last week accused Apple of anti-competitive behaviour and intentional breaches of terms, supported by emails. Apple’s U-turn likely responds to EU pressure, CNN reported last Friday.

DMA workshops. The Commission is hosting technical workshops to gather input from stakeholders regarding implementing measures for gatekeepers’ compliance with the DMA, starting next week. Interested parties can register for workshops focused on companies like Microsoft, ByteDance, Alphabet, Amazon, Meta, and Apple.

Digital Services Act

Commission investigates AliExpress. The European Commission announced on Thursday it is investigating whether online commerce site AliExpress violated the EU’s Digital Services Act (DSA). The Commission said it will look at possible lapses in risk management, content moderation, complaint handling, advertising transparency, recommender systems, trader traceability, and data access. AliExpress, owned and operated by Chinese tech giant Alibaba, is the second Chinese-owned platform after TikTok to be investigated for violations of the DSA. Read more.

Commission needs more info. The European Commission requested information on Thursday (14 March) from nine big tech platforms on their use of targeted ads and generative AI to gauge compliance with the DSA. The Commission asked Bing, Google Search, Facebook, Instagram, Snapchat, TikTok, YouTube, and X to provide details regarding their strategies to address risks associated with generative AI, including on elections. It also asked LinkedIn to clarify how it complies with a prohibition not to target ads based on sensitive personal data. Read more.

Temu also under scrutiny. The Irish media regulator, Coimisiún na Meán, is conducting a comprehensive review of companies falling under the scope of the DSA, Euronews reported on Wednesday, Temu, an online marketplace operated by PDD Holdings, has been questioned regarding its business practices under the DSA. Although Temu claims it does not meet the threshold for Very Large Online Platforms (VLOP), reports suggest a significant rise in its user base. The European Commission is monitoring the situation and liaising with digital services coordinators. Similarly, Chinese fashion website Shein may face stricter EU online content rules due to its large user base in Europe. Both companies are under scrutiny regarding their compliance with the DSA.

Gig economy

Adopted at long last. EU countries finally adopted the platform work directive at a meeting of the bloc’s labour ministers on Monday, after Estonia and Greece, which had abstained in the past, voted in favour “in the spirit of compromise”. The last-minute change of heart by Tallinn and Athens broke a blocking minority they had previously formed with Germany and France, and enabled the file – aimed at regulating the growing gig economy and giving employment rights to several million workers in the EU – to go through. Read more.

Law enforcement

CSAM report. In 2023, the INHOPE Network processed more than 780,000 reports of suspected child sexual abuse material (CSAM) online submitted by the public, according to the association’s 2023 report, published on Thursday. Around 69% of these reports were confirmed as illegal, totalling over 540,000 URLs containing CSAM. Some 88% of the reports contained new content, with 39% originating from image-hosting sites. The data also shows that 9 out of 10 victims are young girls, mostly aged 3 to 13.

Media

EMFA adopted, spyware concerns remain. The European Parliament has voted overwhelmingly in favour of the European Media Freedom Act (EMFA), a landmark legislation to protect journalists and media freedom, though concerns remain over the use of spyware to monitor media. The provisional agreement of the EMFA was passed with 464 votes in favour, 92 against, and 65 abstentions in a vote on Wednesday. Rapporteur of the Civil Liberties Committee, Ramona Strugariu, said that journalists now have a “set of tools” to protect them and help them face the challenges, interference, and pressure that often come with the job. Read more.

EU elections and disinformation. Attempts to delegitimise the upcoming EU elections in June and discourage the public from voting are expected “to be very much prevalent”, the European Parliament and experts have warned. With the EU elections to be held in about 85 days (6-9 June), European institutions aim to outdo 2019’s voter turnout of 50.66% – the highest since 1994. However, not everyone would like to see Europeans enthusiastically heading to the voting booths — and analysts say malign actors are working to make sure that does not become a reality. Read more.

Platforms

YouTube boosted right-wing content in Finnish elections. As European Parliamentarians and Commissioners discussed two major texts on AI in Strasbourg this week, a new study found that YouTube’s recommendation algorithm boosted right-wing content in the run-up to Finland’s 2024 elections. Despite recent changes to its recommendation algorithm, Finnish fact-checking service Faktabaari, and CheckFirst, a Helsinki-based company specialising in countering disinformation, working together in the CrossOver project, found in their report published today that YouTube “exhibits clear political bias”, favouring right-wing politicians. Read more.

‘Pay or okay’ still not okay? In an open letter initiated by Pirate Party MEP Patrick Breyer to Nick Clegg, president of global affairs at Meta Platforms, MEPs voiced deep concerns regarding the ‘pay or okay’ or ‘pay or consent’ model, under review by the European Data Protection Board (EDPB). This model, they argue, undermines the General Data Protection Regulation (GDPR) by coercing consent through financial means, violating fundamental privacy rights. Meta’s model has been criticised since its introduction by other organisations as well, such as the European Consumer Organisation BEUC or Noyb, which also filed complaints against it.

TikTok spied on journalists. An internal investigation at ByteDance, the company behind TikTok, confirmed that employees tracked several journalists, accessing their IP addresses and user data without authorisation. This was done in an attempt to determine if these journalists had been in proximity to ByteDance employees, according to a Forbes article, published on Wednesday. In October, Forbes already reported on this, however, ByteDance only confirmed the news this week.

Meanwhile in the US: TikTok ban? The US House of Representatives passed a bill on Wednesday that would require ByteDance to divest its ownership of TikTok or face a ban in the United States, as reported by Reuters. The bill comes amid concerns over national security and data privacy, with lawmakers worrying about the potential for Chinese government influence through TikTok. Last month, Euractiv also reported on the security concerns of the European Parliament’s usage of TikTok ahead of the EU elections. The bill now heads to the Senate for consideration.

Polish win against Meta. A Polish NGO, Społeczna Inicjatywa Narkopolityki (SIN, the Civil Society Drug Policy Initiative), supported by the Panoptykon Foundation, won a landmark case against Meta. The Polish court ordered Meta to restore blocked content and issue a public apology for unjust account bans, setting a precedent against arbitrary censorship and affirming the jurisdiction of Polish courts in disputes against global internet platforms.

Telecom

UK chips collab. The UK Government is investing £35 million to boost semiconductor research and innovation, joining the EU’s ‘Chips Joint Undertaking’ to access €1.3 billion in funding, the UK Mission to the EU announced on Wednesday. The collaboration aims to advance chip technology, enhance UK leadership, and foster international partnerships in semiconductor research.

What else we’re reading this week:

Read more with Euractiv

EU Commission scrutinises nine big tech platforms over targeted ads and generative AI

The European Commission requested information on Thursday (14 March) from nine big tech platforms on their use of targeted ads and generative artificial intelligence (AI) to gauge compliance with the Digital Services Act (DSA).