The February 2022 EU & UK Policy Update.
Tech Industry Responds Promptly To Russian Aggression Against Ukraine
The tech community in Ukraine is an active participant in Ukraine’s defense. We stand with the Ukrainian people and its developer community.
In addition to the widely-noted sanctions against Russia, the EU has taken a series of measures in order to help Ukraine, such as the provision of equipment and supplies to the Ukrainian Armed Forces through the European Peace Facility, a ban on the overflight of EU airspace and on access to EU airports by Russian carriers of all kinds, a ban on the transactions with the Russian Central Bank, and the SWIFT ban for certain Russian banks.
The EU is also tackling “systematic information manipulation and disinformation by the Kremlin”, and therefore adopted severe restrictions on state-owned media companies Russia Today, Sputnik, and their subsidiaries. In this context, the EU leaders had “coordinating calls” with the representatives of major online platforms, such as Google’s CEO Sundar Pichai and YouTube’s CEO Susan Wojcicki.
Mykhailo Fedorov, Ukraine’s minister of digital transformation, sent letters to the CEOs of Google, YouTube, Apple and Netflix asking them to restrict their services in Russia. He also asked Tim Cook, CEO of Apple, to stop supplying services and products to Russia and to block the Apple App Store.
YouTube announced that it blocked YouTube channels connected to RT and Sputnik across Europe, “effective immediately.” In a blogpost on the support actions for Ukraine, Google specified that most of its services (like Search, Maps and YouTube) “currently remain available in Russia, continuing to provide access to global information and perspectives.” They then specified that Google Pay might not be available in certain countries as well because of the sanctions imposed by the international community.
Meta announced a series of measures to combat misinformation and expand third-party fact-checking capacity in Russian and Ukrainian. It also decided to prohibit ads from Russian state media and demonetize their accounts. Ukrainian users were provided with enhanced safety features. Meta’s Vice President for Global Affairs Nick Clegg stated that ordinary Russians should be able to use Meta’s apps “to make their voices heard, share what’s happening, and organize for action.” Additionally, Facebook restricted the official accounts of four Russian media outlets, the Zvezda TV channel, the RIA Novosti news agency, and the Lenta.ru and Gazeta.ru Internet sites. Russian authorities responded by imposing measures to partially restrict access to Facebook by slowing its local traffic.
Apple has sent a statement to the media announcing that it paused all product sales and exports in Russia. Also, Apple Pay and other services have been limited and RT News and Sputnik News are no longer available for download from the App Store outside Russia. Both Google and Apple have disabled both traffic and live incidents in Maps in Ukraine as a safety and precautionary measure for Ukrainian citizens.
The Lithuanian Ministry of National Defense announced that it will lead the EU Cyber Rapid Response Team, a team of cybersecurity experts from Lithuania, Croatia, Poland, Estonia, Romania, and the Netherlands, to help Ukraine fight off Russian cyberattacks. The team of cyber experts was activated following the Ukrainian authorities’ request for help. Websites of Ukraine’s Ministry of Foreign Affairs and national parliament, as well as banks and other government websites, were the target of a massive DDoS attack, as Reuters details. The Ukrainian digital infrastructure remains operational, however. The same digital minister asked for Elon Musk’s support on Twitter, leading to Ukrainian internet connectivity being bolstered via Musk’s Starlink.
The Commission Proposes A New Set Of Rules On Data
The European Commission proposed the Data Act, a regulation on business-to-business and business-to-government exchange of data. The proposal is part of the European Data Strategy, alongside a previous proposal, the Data Governance Act. The Commission explained that the Data Governance Regulation will create the processes and structures to facilitate data sharing and that the Data Act will clarify who can create value from the data and under which conditions. More concretely, the Commission proposes:
- to allow users of connected devices to have access to data generated by them, and to share such data with third parties to provide aftermarket or other data-driven services (e.g. predictive maintenance); an obligation of the data holder to make such data available to third parties upon the request of the user
- to exclude companies designated as ‘gatekeepers’ under the Digital Markets Act (DMA) from accessing that data
- to place B2B data sharing under FRAND terms, and add an ‘unfairness test’ for contractual terms
- to allow public authorities and EU institutions free access to data held by companies in special situations such as public emergencies, pandemics or disasters
- minimum regulatory requirements of contractual, commercial and technical nature, for mandated interoperability between providers of cloud, edge, and other data processing services
- restrictions on non-personal data flows outside the EU market
- essential requirements for smart contracts
- voluntary model contract terms on data access and use
- amending the Database Directive in order to exclude databases containing machine-generated data from the protection of their sui-generis right. Databases containing data from Internet-of-Things (IoT) devices and objects will not be subject to separate legal protection.
- to further specify a monitoring mechanism on switching charges imposed on providers of data processing services
- to further specify the essential requirements regarding interoperability, and to publish the reference of open interoperability specifications and European standards for the interoperability of data processing services.
A first assessment of the proposal is raising questions about the economic viability of such measures, their implementation and the impact on software developers. We are concerned about several critical issues, in particular about cybersecurity, the respect of intellectual property rights, and the burdens and costs for software businesses.
The proposal is now following the ordinary legislative procedure. The Member States’ governments and the European Parliament, respectively, will have to set out their positions before starting the negotiations.
The European Commission intends to complement the Data Act with sectoral legislation, such as in agriculture and in the automotive sector. On the latter, a revision of Regulation (EU) 2018/858 on the vehicle approval framework is expected in the second part of this year.
Main amendments will target access to in-vehicle data, the possibility to send data to the vehicle (dashboard and routines), software/cybersecurity management including replacement parts, and new categories of autonomous vehicles.
New Amendments To The UK’s Online Safety Bill
The UK Government has proposed an amendment to the Online Safety Bill for child protection from online pornography. The proposal is a new legal duty requiring all sites that publish pornography to use age verification technologies to ensure their users are 18 years old or over (e.g. “to verify that they possess a credit card and are over 18 or having a third-party service confirm their age against government data”).
The UK Government also announced new amendments to the Online Safety Bill, intended to help users against anonymous abusers. Two new obligations were proposed:
- for the largest and most popular social media sites to give adults the ability to block people who have not verified their identity on a platform.
- for online platforms to provide users with options to opt-out of seeing harmful content.
The proposed amendments raise the question of identity verification and anonymity on the internet. The UK Government acknowledges that “Banning anonymity online entirely would negatively affect those who have positive online experiences or use it for their personal safety(…)” and considers that its proposal “will provide a better balance between empowering and protecting adults – particularly the vulnerable – while safeguarding freedom of expression online because it will not require any legal free speech to be removed”.
Significant Decisions On Data Protection & Privacy
The CMA has accepted Google’s revised commitments for the Privacy Sandbox, the company’s project to remove third-party cookies from the Chrome browser. The CMA will supervise the implementation of the Privacy Sandbox to ensure that it “is developed in a way that benefits consumers”. Google has also announced that the commitments will be rolled out globally, because “they provide a roadmap for how to address both privacy and competition concerns in this evolving sector”.
Google also announced the introduction of Privacy Sandbox on Android and invited developers to stay informed and provide input along with the development of the alternative privacy-preserving solutions that allow developer businesses to further succeed on mobile.
The Belgian Data Protection Authority (APD) has issued a decision finding IAB Europe’s Transparency & Consent Framework (TCF) and the Real-Time Bidding (RTB) system in breach of the GDPR. They then gave IAB two months to present an action plan. Supervisory authorities from across the European Union were also involved in the process that led to the APD’s administrative ruling. IAB Europe is established in Belgium, so APD is the leading supervisory authority under the GDPR’s one-stop-shop enforcement mechanism. Following the decision, the Dutch Data Protection Authority (Dutch DPA) recommended that Dutch websites stop using the IAB framework and other similar tools for tracking users. IAB announced that it appealed the decision to the Belgian Market Court, stating that “the controversial ruling that IAB Europe is a data controller for information processed for TCF purposes is based on a misunderstanding of the facts and a misapplication of the law”. In reply to advocacy organizations calling upon advertisers to cease using TCF and OpenRTB, IAB Europe indicated that “such a conclusion unfounded, first, because no advertisers are named parties in the Belgian ruling and second, because the APD has not ordered the IAB Europe to discontinue use of TCF pending its submission of a plan to the APD”. The same privacy advocacy activists consider “one of the consequences of the decision is that all data collected through the TCF should in principle be deleted”.
In the same context, an open letter by the Irish Council for Civil Liberties (ICCL) and Electronic Privacy Information Center (EPIC) was addressed to the global brand CEOs of P&G, Unilever, AT&T, BoA, Ford, GM, IBM, and Mastercard demanding they stop consent spam and delete data. The letter calls those companies to “immediately delete all personal data collected through consent popups that feature on 80% of the European internet” and to refrain from “consent spam” in the United States based on the TCF.
The French Data Protection Authority (CNIL) followed the Austrian DPA decision earlier this year and decided that the use of Google Analytics violates GDPR. The CNIL considered that “although Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for US intelligence services”. It ordered the website manager to be in compliance with GDPR, “if necessary by ceasing to use the Google Analytics functionality (under the current conditions) or by using a tool that does not involve a transfer outside the EU”. As a reminder, these decisions are direct consequences of the July 2020 “Schrems II” judgment by the Court of Justice of the European Union that invalidated the Privacy Shield framework.
A regional German court decided that embedding Google Fonts is in breach of the GDPR. The Court considered that “Dynamic IP addresses represent personal data for the operator of a website because, in the abstract, he has the legal means that could reasonably be used to, with the help of third parties, namely the competent authority and the Internet access provider, identify the person concerned based on the stored IP – to have addresses determined”. It also noted that legitimate interest under Art. 6.1.f GDPR is not an acceptable legal basis for processing the data, since the use of fonts is also possible without the visitor having to connect to Google servers. The Court also concluded that “the transfer of the user’s IP address in the above-mentioned manner and the associated encroachment on general personal rights is, with regard to the loss of control over personal data, to Google, a company that is known to collect data about its users and the way the user perceives it individual discomfort is so significant that a claim for damages is justified”.
The French deputies and senators reached an agreement on a future law requiring the installation of parental controls by default on digital devices with an operating system that is intended for online use. Second-hand devices are also included. The law states that the parental control tools are not to be installed by default but to be activated by users during setup. The law also requires that the personal data of minors “collected or generated during activation” may not be used for commercial purposes. The technical specifications and minimal functionalities for such tools will later be defined by a decree. The National French Agency of Frequencies (ANFR) was designated as the responsible regulator.
The Dutch Data Protection Authority (AP) has imposed a fine of 525,000 euros on DPG Media because people who wanted to view their data or have it removed first had to upload proof of identity. The AP considered that the media company requested too much personal data.
The French Data Protection Authority (CNIL) has published a new white paper on payment data and means of payment, which is available in English. The paper addresses a wide range of issues, such as the international circulation of payment data, the question of anonymity and the use of cash, the new risks arising from the increasing digitisation of payment operations, the use of “crypto-currencies”, and the practical application of the main principles of GDPR in the field of payments.
IAB Europe has published a Guide to In-App Advertising, aimed at helping advertisers and publishers better understand, and tap into, the in-app opportunities. It also addresses barriers such as “some fundamental industry changes that are affecting digital advertising, such as Apple’s IDFA”.
A joint investigation under the Coordinated Enforcement Framework of the European Data Protection Board (EDPB) was launched by twenty-two national data protection authorities on how the public sector at the national and EU levels uses cloud services. It will also investigate if the information and communication technology products and services they use comply with EU data protection rules. The investigation will cover over 80 public bodies, including EU institutions, from a wide range of sectors such as health, finance, tax, education, central buyers or providers of IT services.
Important Developments Also On The Competition Policy Front
At a hearing before the UK Competition Appeal Tribunal on Feb. 15, 2022, the Developers Alliance made oral submissions in support of its application to intervene in the proceedings brought by Meta against the UK Competition and Markets Authority (CMA). The application was successful and permission to intervene was granted by the Tribunal.
The appeal challenges the CMA decision to prohibit Meta’s acquisition of Giphy and impose far-reaching remedies. These require, amongst other things, the funding re-constitution of Giphy. Should the CMA’s decision stay in place, it will set a dangerous precedent and reduce startup funding and disrupt digital markets everywhere. As such, the Developers Alliance applied to intervene. The extraterritorial reach of the CMA’s actions is symptomatic of conflicting regulations in the global digital economy.
The CMA fined Meta £1.5m for a second time for breaching the enforcement order and for failing to notify in advance that three members of the staff had left the company. A Meta spokesperson stated for Reuters that the company will pay the fine, but finds it “problematic that the CMA can make decisions that could directly impact the rights of our U.S. employees protected under U.S. law.”
Austria’s antitrust court approved the acquisition, albeit under several conditions. These include granting competitors access to Giphy’s image library for a period of five years and establishing an “alternative provider” of a GIF library within seven years (as reported by Reuters).
The German competition authority (Bundeskartellamt) has cleared Meta’s acquisition of customer relationship platform Kustomer, following the European Commission’s approval earlier this year under conditions. The President of Bundeskartellamt Andreas Mundt stated that “it is with unease that we ultimately had to acknowledge that the effects of the acquisition would not have warranted a prohibition under existing competition law.” The acquisition was also approved by the U.K.’s CMA in September last year.
The Dutch Competition Authority (ACM) has fined Apple five times for non-compliance with the order to let dating apps use alternative payment methods. Another €5M weekly fine is likely imminent. TechCrunch reports that the total amount of all penalty payments currently stands at €25M, out of a maximum of €50M. The ACM considers that the solutions proposed by Apple still create barriers for those dating apps that wish to use alternative payment systems. In a recent letter to ACM, disclosed by Politico, Apple explains that it “has asked developers to submit a separate binary for the Netherlands storefront if they intend to use a payment service other than IAP. This approach is the same approach Apple and developers use in other jurisdictions where there are unique legal issues that require a different approach in a particular jurisdiction.” It also emphasizes that “a new binary for the Dutch storefront would simply require a minor technical change” that would “not add any additional coding obligation on the developers”. The EU Vice President Margrethe Vestager, in charge of competition policy, criticized Apple’s approach. She cited it as an example of gatekeepers’ temptation to play for time or try to circumvent the rules. She then once again justified the Digital Markets Act proposal (DMA), currently under negotiations.
French publishers association GESTE submitted a second complaint against Apple to the French Competition Authority. After a first complaint at the end of last year “against the excessive contractual restrictions imposed by Apple on its App Store”, the second one laments “the devastating effects of Apple’s imposition of its App Tracking Transparency (ATT) mechanism on publishers”.
The European Publishers Council filed a complaint with the European Commission against Google over its advertising business, calling for remedies “to restore conditions of effective competition in the ad tech value chain”. The European Commission already opened an investigation into Google’s ad tech business in June of last year.
Finally, a Dutch organization announced the start of a collective action procedure against Apple and Google on app store fees.
Standardization At The Forefront Of EU Policies
The European Commission presented a new Standardization Strategy, aiming to set global standards and export EU values while providing EU companies with an important first-mover advantage. Amongst the priorities set in strategic areas are chips certification and data standards. Part of the strategy is a proposal amending the current framework regulation on standardization. The amendment would require that mandates at the request of the Commission to the European standardization organizations must be handled by national delegates – the national standardization bodies – from the EU and the EEA Member States. The Commission explains that “this will avoid any undue influence of actors from outside the EU and EEA in the decision-making processes during the development of standards for key areas, like cybersecurity or hydrogen standards”. The Commission also calls on the European standardization organizations to modernize their governance structures and will launch a peer review process among the Member States and national standardization bodies to achieve better inclusiveness for civil society, users and SMEs-friendly conditions for standardization.
On March 15, European Standards Organizations CEN, CENELEC and ETSI, together with ENISA, the European Union Agency for Cybersecurity, will organize a virtual Cybersecurity Standardization Conference, “European Standardization in support of the EU cybersecurity legislation”. There will be dedicated sessions on AI, digital identity wallets, data protection and infrastructure, and supply chain.
Calls For Strict Regulation Of Crypto And Fintech
The European Parliament postponed the vote on the proposal on Markets in Crypto Assets (MiCA regulation), in order to clarify the provisions on proof-of-work-based cryptocurrency services. The European Parliament rapporteur Stefan Berger has stated that “it is essential(…) that the MiCA report is not misinterpreted as a de facto ban on bitcoin.” This comes in the context of calls from MEPs on the left side of the political spectrum against cryptocurrencies like Bitcoin. The regulation’s objective is “to create a regulatory framework for the crypto-assets market that supports innovation and draws on the potential of crypto-assets in a way that preserves financial stability and protects investors.”
The Council of the EU adopted its position in November last year. After the Parliament votes on its version, the negotiations will start in order to adopt the regulation.
The three European Financial and Banking Supervisory Authorities (EBA, EIOPA and ESMA) have published a joint report in response to the European Commission’s February 2021 Call for Advice on Digital Finance. The report notes that “the use of innovative technologies in the EU financial sector is facilitating changes to value chains, that dependencies on digital platforms are increasing rapidly, and that new mixed-activity groups are emerging.” Among the proposed measures to increase consumer protection and avoid new risks, the report lists: strengthened consumer protection in a digital context, effective regulation and supervision of ‘mixed-activity groups’ (i.e. groups combining financial and non-financial activities, with a focus on Big Tech companies), and active monitoring of the use of social media in financial services.
Miscellaneous
The European Commission selected 50 women-led deep-tech companies under the new Women TechEU pilot programme. The companies proposed for funding have developed innovations across a range of areas, addressing sustainable development goals (SDGs). These include climate change, reducing food waste, access to education, and empowering women. The project is funded under the European Innovation Ecosystems work programme of Horizon Europe, the EU research and innovation programme. The Commission intends to renew the Women TechEU programme later this year, with an increased budget of €10 million, which will fund roughly 130 companies (up from 50 this year).
The European Software Skills Alliance has proposed the Software Skills Strategy for Europe, “to answer the increasing demand for software skills and professionals in the EU”. It focuses on aligning the market needs with the educational offer and on “professionals involved in the development, implementation, and operation of software.” According to the report underlying the strategy, there are three important skills categories for professionals in software roles:
- hard software skills, primarily programming skills such as Java, SQL and Python, but also other skills like testing and debugging, algorithm skills, and DevOps skills,
- profession-related skills, related to the ICT professional field in general: project skills, security skills, software lifecycle skills, sustainability skills, and ethical awareness skills,
- soft skills, such as interpersonal soft skills like teamwork skills and communication skills and personal soft skills like critical thinking & analysis, problem-solving, and self-management.
The expected outputs of the Software Skills Strategy will be developed in the coming years and will consist of curricula, qualification/certification frameworks, accreditation standards, and a mobility programme.
OECD has presented a Framework for the classification of AI systems. The framework links the technical characteristics of AI with the policy implications and is intended to assist “policy-makers, regulators, legislators and others so that they can assess the opportunities and risks that different types of AI systems present and to inform their national AI strategies”.
The European Commission has launched an online platform to gather feedback from interested parties on the European Digital Identity Wallets. The consultation is related to the eID Regulation proposed by the Commission in June last year, for setting up an EU digital identity and personal digital wallets for European citizens. The Commission has called on Member States to work on a toolbox that would address the technical aspects of the future system.