The December 2021 EU & UK Policy Update.
The European Parliament pushes a strong position on the two key digital regulations
The European Parliament (EP) has set its position on The Digital Market Act (DMA), a proposal for regulation aimed to restrict a series of business practices for large companies designated as digital market ‘gatekeepers’. The bill regulates online intermediation services, social networks, search engines, operating systems, online advertising services, cloud computing, and video-sharing services. With their recent adoption, the European Parliament has proposed a wide scope of additional common consumer services be included, adding voice assistants, web browsers, and connected TVs. It has also increased the quantitative thresholds for gatekeeper designation to €8 billion in annual turnover in the European Economic Area (EEA) and a market capitalization of €80 billion, thus only capturing large American tech companies.
Other significant amendments voted by the EP plenary include:
-
An option for users to change the default settings and uninstall pre-installed software applications on a core platform service at any stage.
-
Additional restrictions on the use of data for targeted or micro-targeted advertising, such as a ban on personalized advertising for minors and limits to the processing of sensitive information such as political views, religious beliefs and sexual orientation.
-
Mandated interoperability for social media networks and messaging apps.
-
Restrictions on mergers and acquisitions, giving the Commission the power to restrict a gatekeeper in case of “systematic non-compliance” from making acquisitions. Additionally, gatekeepers are required to inform the Commission on any intended concentration.
-
Fines for non-compliance of “not less than 4% and not exceeding 20%” of its total worldwide turnover.
The above amendments will be the centerpiece of the upcoming negotiations with the Council of the EU. The position adopted last month by the governments of the Member states, is much closer to the initial proposal of the Commission. The negotiations will start under the French presidency of the Council. The council will be under great political pressure to have the regulation adopted in the first semester of 2022.
The EP’s Committee for Single Market and Consumer Protection (IMCO) has adopted its report on the Digital Services Act (DSA). The DSA will set the EU legal framework for tackling illegal content and for content moderation, for providers of intermediary services, and in particular online platforms, such as social media and marketplaces. ‘Very Large Online Platforms’ (VLOPs) will be subject to additional obligations (e.g. mandatory risk assessments, take risk mitigation measures) as they are considered to pose particular risks in the dissemination of both illegal and harmful content.
Important amendments put forward for the final EP position:
-
A prohibition on “dark patterns” (online platforms are prohibited from using deceiving or nudging techniques to influence users’ behaviour).
-
Restrictions on personalizeded advertising for minors, users’ choice, and additional transparency regarding how their data will be monetised.
-
An obligation for VLOPs to provide “at least one recommender system which is not based on profiling”.
-
Additional obligations for platforms primarily used for the dissemination of user-generated pornographic content.
-
Micro and small enterprises may be exempt from certain DSA obligations. Additionally, a clarification may be issued of the role of “Digital Services Coordinators” in member states, as well as their cooperation with the Commission.
-
Digital services users, and the organisations representing them, will be able to seek redress for any damages resulting from platforms not respecting their due diligence obligations.
The final position of the EP will be voted by the plenary in mid-January 2022, which will allow the start of the negotiations with the Council. It is expected that a couple of significant amendments could still impact the final vote, such as an exception for media publishers from platforms’s T&Cs and a total ban on personalized advertising.
Developers Alliance’s reaction to the outcome of these EP votes is critical, as the amendments are not improving the Commissions’ proposals. On the contrary, they are adding a series of disproportionate elements, without proper consideration of their implementation and the unintended consequences for small businesses and consumers.
UK’s Draft Online Safety Bill Takes Form
The Joint Committee on the draft Online Safety Bill, chaired by Damian Collins MP, has presented its report with conclusions and recommendations, after a series of hearings. The Committee considers that the Online Safety Bill should be clearer about what is specifically illegal online, and “it should not be up to the tech companies to determine this.”
The main recommendations are:
-
Ofcom, as the regulator, should set the standards “by which big tech will be held accountable,” with increased powers to investigate, audit, and fine the companies.
-
Ofcom should draw up mandatory Codes of Practice for internet service providers (e.g. on Child Exploitation and terrorism).
-
Service providers should be under a legal obligation to conduct internal risk assessments and record reasonable and foreseeable threats to user safety, including any potential harmful impact caused by algorithms, not just content.
-
The new regulatory regime must contain robust protections for freedom of expression, “including an automatic exemption for recognised news publishers, and acknowledge that journalism and public interest speech are fundamental to democracy.”
-
The scope should cover scams and fraud generated in an aim to tackle harmful advertising such as scam adverts and pa
id-for advertising. -
Service providers should be required to create an Online Safety Policy for users to agree with, similar to their terms of conditions of service.
In addition, new criminal offences are proposed:
-
cyberflashing
-
deliberately sending flashing images to people with photosensitive epilepsy with the intention of inducing a seizure (known as Zach’s law).
-
pornography sites to have legal duties to keep children off them regardless of whether they host user-to-user content.
-
content or activity promoting self-harm, such as it already is for suicide.
The Online Safety Bill, which is due to be put to Parliament for approval in 2022.
Transatlantic Digital Policy Dialogue
On December 7, in Washington, D.C., co-chairs Executive Vice President Margrethe Vestager of the European Commission, Chair Lina Khan of the United States Federal Trade Commission, and Assistant Attorney General Jonathan Kanter of the United States Department of Justice Antitrust Division, launched the EU-U.S. Joint Technology Competition Policy Dialogue. The discussion was concluded in a joint statement on common approaches to competition policy in the digital sector. The statement mentions that “the cooperation and exchanges within the Joint Dialogue are of a legally non-binding nature and without prejudice to the regulatory and law enforcement autonomy of the European Union and the United States, their respective domestic legal frameworks, and the EU-U.S. Agreement on the application of their competition laws.” The Joint Dialogue will include high-level meetings as well as regular staff discussions focused on the shared competition enforcement and policy issues related to technology markets. Vice-President Vestager also had meetings with several high-profile U.S. officials in the field of antitrust policy for the digital economy: U.S. Trade Representative Katherine Tai, Secretary of Commerce Gina Raimondo, Secretary of the Treasury Janet Yellen, and Democratic Senator Amy Klobuchar. Secretary of Commerce Gina Raimondo expressed “serious concerns” regarding the EU’s DMA and DSA, as “these proposals will disproportionately impact U.S.-based tech firms and their ability to adequately serve EU customers and uphold security and privacy standards.” She also called for EU officials to “continue listening to concerns by stakeholders before finalizing their legislation.”
Developers Alliance joined with other associations commending the strong stance of President Biden’s Administration on the EU’s DMA.
Competition & Consumer Protection
The Italian Competition Authority (AGCM) has fined Amazon €1,128 billion, a record fine for Italy. The AGCM established that “Amazon holds a dominant position in the Italian market for intermediation services on marketplaces, which Amazon leveraged to favour the adoption of its own logistics service – Fulfilment by Amazon (FBA) – by sellers active on Amazon.it to the detriment of the logistics services offered by competing operators, as well as to strengthen its dominant position.” The Authority also imposed behavioural measures, in particular, obliging Amazon to grant sales benefits and visibility on Amazon.it to all third-party sellers which can comply with fair and non-discriminatory standards for the fulfilment of their orders.
The European Commission openedr a similar investigation at the EU level last year and decided to exclude Italy in order to allow the national investigation to proceed.
The UK CMA is investigating the acquisition of Nuance Communications, Inc. by Microsoft. It invites comments on the matter until January 10, 2022. The transaction is also under the European Commission’s scrutiny, which should give its opinion on December 21, 2021.
The CMA has published the interim report of the Mobile Ecosystem Market Study. It provides initial findings on a wide range of potential concerns and potential interventions that could address them. The main provisional conclusion is that “Apple and Google have been able to leverage their market power to create largely self-contained ecosystems,” which “is leading to less competition and meaningful choice for customers.” The CMA found in particular the access to market for ‘web apps’ and new ways to play games through cloud services on iOS devices as problematic. The interim report proposes a set of possible remedies, such as:
-
making it easier for users to switch between iOS and Android phones when they want to replace their device without losing functionality or data.
-
making it easier to install apps through methods other than the App Store or Play Store, including so-called “web apps”.
-
enabling all apps to give users a choice of how they pay in-app for things like game credits or subscriptions, rather than being tied to Apple’s and Google’s payment systems.
-
making it easier for users to choose alternatives to Apple and Google for services like browsers, in particular by making sure they can easily set which browser they have as default.
Interested stakeholders can submit comments by February 7, 2022.
Alongside the interim report, the CMA has also published a notice of its decision to not make a market investigation reference. It recommended the Digital Markets Unit study the results of the surveyafter the legislation giving its statutory powers is adopted by the Parliament.
The Polish Competition Authority (UOKiK) is investigating whether the Privacy Policy and Personal Data Processing Policy introduced by Apple for iOS devices violates competition law. The UOKiK notes that Apple has significantly reduced the ability of third-party apps to obtain personal data on iOS in order to send personalised ads, but th
is “does not mean that users’ information is no longer being collected and that they do not receive personalised ads.” The investigation is initiated on doubts “as to whether the rules established by Apple were not designed to promote their own advertising service, Apple Search Ads, which could be a violation of competition principles.”
French publishers association, Geste, has filed a complaint against Apple to the French Competition Authority. They are claiming that a series of practices are “asphyxiating the market of online publishing,” such as the fees policy, restrictions on data access, self-preferencing, an opaque review process, lack of support in case of account suspension and “a permanent risk of suspension and exclusion”.
Politico is reporting that the Paris Commercial Court has denied the intervention of startup association France Digitale in the case against Apple initiated by the French economy ministry in 2017. France Digitale was seeking to participate in the case arguing that Apple is “dictating unfair conditions” to app developers. The Court found that the former director-general, who initiated the organization’s “voluntary participation,” was not qualified to take legal action on behalf of France Digitale.
Data Protection & Privacy
The French Data Protection Authority (CNIL) has ordered Clearview AI to stop reusing photographs available on the Internet and delete the data within two months. The investigation was initiated after receiving several complaints from individuals and the association Privacy International about Clearview AI’s facial recognition software. The CNIL established two breaches of the GDPR:
-
unlawful processing of personal data (breach of article 6 of the GDPR) because the collection and use of biometric data are carried out without a legal basis;
-
the failure to take into account the rights of individuals in an effective and satisfactory way, in particular requests for access to their data (articles 12, 15 and 17 of the GDPR).
The CNIL has sent another set of letters of formal notice to 30 organizations for non-compliance with the rules on cookies, in addition to the 60 warning letters already sent since May 2021. The condemned practices found by the recent investigation are:
-
Cookies subject to user consent were automatically placed on the user’s terminal before acceptance by the Internet user, upon arrival on the site.
-
Information banners are still not compliant because they do not allow the user to refuse the deposit of cookies as simply as to accept them.
-
Information banners offer the user a means of refusing cookies with the same degree of simplicity as that provided for accepting them, but the proposed mechanism is not effective because cookies subject to consent are still placed after the refusal expressed by the user.
The French audiovisual authority has sent letters of formal notice to five adult content websites on the access of minors, requesting appropriate measures for age verification, under the sanction of blocking those sites on French territory. A set of recommendations on age verifications for children, published in June this year by the CNIL, explicitly mention that identification by passports, IDs, or credit cards should be avoided “as much as possible”.
The Norwegian data protection agency fined the dating app Grindr €6.3 million for sharing users’ data with third parties for marketing purposes without their consent. The data shared was GPS location, IP address, Advertising ID, age, gender and the fact that the user in question was on Grindr.
Cybersecurity
The Member States’ governments have agreed upon their position on the proposal for a new directive for a high common level of cybersecurity across the EU (NIS2), which will replace the current directive on security of network and information systems (the NIS directive). The directive is setting the baseline for cybersecurity risk management measures and reporting obligations for all medium-sized and large entities operating in strategic sectors, such as energy, transport, health and digital infrastructure. The text will be further negotiated with the European Parliament.
Artificial Intelligence
The Centre for Data Ethics and Innovation (CDEI) within the UK Government published a Roadmap to an effective AI assurance system. This is part of the UK’s National AI Strategy, aiming to establish ‘the most trusted and pro-innovation system for AI governance in the world’. Based on this Roadmap, the CDEI will publish an AI assurance guide and support the Department for Digital Culture Media and Sport (DCMS) in promoting AI standard setting and other government policy teams in developing regulation, policy and guidance. The CDEI intends also to ensure coordination of different stakeholders and convening accreditation and professionalisation forums.
Miscellaneous
The State of European Tech 2021, by Atomico in cooperation with Slush, presents a strong position of the sector, with a record $100B of capital invested, 98 new unicorns, and a fast pace of value creation ($1 trillion in 8 months). Investors, including US VCs, are showing more and more interest, while Europe’s capital markets are maturing. This year hit a record with over $100B in total M&A exits, $55B of which were VC-backed. Public US tech companies are most active in M&A, with notable acquisitions by Allegro (Czech Republic-based Mall Group) and Klarna (
German-based Stocard, UK-based Hero Towers and UK-based PriceRunner). Over 1 in 3 companies founded after 2015 choose the US over Europe for public listing.
Regulation is perceived as one of the greatest challenges facing the European tech ecosystem, together with funding and talent. Only 2% of respondents shared concerns related to Big Tech. In comparison to the US and China, the main regulatory hurdles limiting startup and scaleup growth in Europe are the fragmented regulatory regime and over-regulation. There’s a lot of scepticism concerning the effectiveness of the Digital Markets Act (DMA), many respondents seeing it as an example of over-regulation, as well as that it would be circumvented by Big Tech. As the DMA imposes restrictions on M&A, there are also “concerns about potential unintended negative consequences, such as a disproportionately harmful impact on smaller companies or a negative impact on the liquidity of capital markets by adding friction to fundraising or exits.”
The number of startup jobs are rising, with an estimate of 2.4 million for 2021. Finding talent for technical roles is a major challenge for the industry. 50% of founders identified software developers as the hardest roles to fill. Additionally, diversity remains a continued and identified problem, despite more initiatives to tackle it.
The European Innovation Council (EIC) Accelerator delayed its cut-off date, initially scheduled for January 2022, due to a delay in the adoption of the EIC work programme 2022. The EIC Accelerator was set up to provide funding for innovative SMEs and in particular start-ups, through grants and direct equity investments. Under the last call, 99 companies were selected to receive €627 million. 65 companies opted for equity investments, for a total of €414 million.
The European Commission proposed to extend the list of ‘EU crimes’ to hate speech and hate crime. This would set minimum common rules on how to define these criminal offences and sanctions applicable in all EU Member States. Currently hate speech and hate crime are criminalised to a varying degree in the EU Member States. The initiative is part of a broader set of EU actions to counter illegal hate speech and violent extremist ideologies and terrorism online, notably the EU Code of Conduct on countering illegal hate speech online, the proposed Digital Services Act and the Regulation on addressing terrorist content online.
The European Parliament called for a common European approach to tackle gender-based cyberviolence, in the form of a directive. The issues proposed to be addressed by such specific legislation are:
-
cyber harassment; cyber stalking;
-
violations of privacy;
-
recording and sharing images of sexual assault;
-
remote control or surveillance (including spy apps);
-
threats and calls to violence;
-
sexist hate speech;
-
induction to self-harm;
-
unlawful access to messages or social media accounts;
-
breach of the prohibitions of communication imposed by courts;
-
and human trafficking.
The EP also called for the Member States governments to extend the list of ‘EU crimes’, adding gender-based violence as a serious crime with a cross-border dimension.
The European Alliance for Industrial Data, Edge and Cloud has started its operational work with a meeting of the thirty-nine confirmed first members chaired by the Commissioner for Internal Market Thierry Breton. The alliance is based on the European Data Strategy and the political objective of ‘strategic autonomy’.
The European Commission put forward two proposals to improve lifelong learning and employability, as part of the European Skills Agenda. Individual Learning Accounts and Micro-credentials. Individual Learning Accounts will consist of digital wallets with training entitlements. Micro-credentials provide records of skills, competencies or knowledge following the completion of small learning experiences, like short courses or pieces of training.
