The June/July 2022 EU & UK Policy Update.
The European Parliament Approves Two Landmark Digital Regulations
The European Parliament has approved the Digital Services Act (DSA) and the Digital Markets Act (DMA). The legislative package was presented by the European Commission in December 2020. The co-legislators – the European Parliament and the Council of the EU – reached a political agreement on March 24, 2022 on the DMA, and on April 23 on the DSA. The DSA represents the updated framework for content regulation, applicable to all online intermediary services (from internet service providers, cloud services, messaging, marketplaces, to social networks), with stricter requirements for very large online platforms. The DMA is a regulation that will impose special rules and restrictions for large companies that will be identified as “gatekeepers”.
Both texts now have to be formally adopted by the Council, and then they will be published in the Official Journal. Both acts will enter into force 20 days after their publication in the Official Journal, in autumn this year. The DSA will be directly applicable across the EU and will apply fifteen months after its entry into force or from 1 January 2024, whichever comes later. As regards the obligations for very large online platforms and very large online search engines, the DSA will apply earlier – four months after they have been designated as such by the Commission. The DMA will start to apply six months following its entry into force. The gatekeepers will have a maximum of six months after they have been designated to comply with the new obligations.
The Alliance has been vocal in opposing many of the provisions in the DMA because of the inevitable damage they will inflict on developers, including the likely collapse of the EU market for 3rd party apps. We will now focus on mitigating the worst impacts as the law takes effect.
EU’s First-Time Regulatory Framework for Crypto Assets
The European Parliament and the Council of the EU have reached an agreement on the Markets in Crypto-assets (MiCA) Regulation. The regulation applies to issuers of unbacked crypto-assets and so-called “stablecoins”, as well as the trading venues and the wallets where crypto-assets are held. Non-fungible tokens (NFTs) are excluded from the scope, except if they fall under existing crypto-asset categories.
Crypto-asset service providers (CASPs) will need an authorization in order to operate within the EU. They will have to respect strong requirements to protect consumers’ wallets and become liable for damages or losses caused because of hacks or operational failures. Crypto-assets will be protected in case of insolvency of the exchange. The new rules will also cover “any type of market abuse related to any type of transaction or service, notably for market manipulation and insider dealing”. There is a special obligation for crypto market players to declare information on their environmental and climate footprint.
According to MiCA, the European Banking Authority (EBA) will set up and maintain a public register for non-compliant and non-supervised CASPs, with which EU CASPs would not be allowed to trade.
The European Parliament and the Council of the EU have also reached a political agreement to apply traditional money transfer rules to transfers of crypto-assets like bitcoins and electronic money tokens. These rules are part of the new EU anti-money laundering package and complement MiCA. The so-called “travel rule” in traditional finance will also cover transfers in crypto-assets. The information on the source of the asset and its beneficiary will have to travel with the transaction and be stored on both sides of the transfer. Crypto-asset service providers (CASPs) will have to verify that the source of the asset is not subject to restrictive measures or sanctions, and that there are no risks of money laundering or terrorism financing, before making the crypto-assets available to beneficiaries. CASPs will be obliged to provide all relevant information to competent authorities if an investigation is conducted into money laundering and terrorist financing.
Both texts are under preparation at the technical level and then must be formally approved by both Parliament and the Council before they can be published and enter into force.
A New EU Plan to Boost Innovation
The European Commission has adopted the New European Innovation Agenda. The strategy sets out 25 dedicated actions that will:
improve access to finance, by “mobilizing untapped sources of private capital and simplifying listing rules”
enable innovation through experimentation spaces and public procurement (e.g. regulatory sandboxes, test beds, living labs and innovation procurement)
support European innovation ecosystems across the EU (“regional innovation valleys”)
foster, attract and retain deep tech talents, “by training 1 million deep tech talents, increasing support for women innovators and innovating with start-up employees’ stock options”
improve policy-making tools, through clearer terminology, indicators and data sets.
Germany is also working on its own plan to support the national startup ecosystem, aiming to mobilize “up to 30 billion euros in private and public capital for Germany as a VC”, as Reuters reports.
Competition in Digital Markets
The UK Competition and Markets Authority (CMA) has published its final report for the study into mobile ecosystems. The study has focused on operating systems, app stores and web browsers and has concluded that “Apple and Google’s duopoly means they have a stranglehold over these key gateways”.
The CMA acknowledged that “people are generally satisfied with their devices and the way they work” and “the valuable roles that Apple and Google play as stewards of their ecosystems, helping to protect users’ privacy, security and safety online.” However, it concluded that there are “significant downsides” and “found greater concerns with respect to Apple (as it imposes more direct restrictions)” and “heard fewer concerns from app developers about Google’s operation of the Play Store.” The CMA also notes that Google is less restrictive than Apple on access to hardware functionality like contactless payments, but “there are some signs that Google’s approach is tightening in certain respects.” Therefore, the CMA launched a competition law investigation into Google’s rules for using its payment systems for in-app purchase. There is a similar investigation underway in relation to Apple’s App Store terms and conditions, opened in March 2021.
Following the conclusions of the market study, the CMA has announced a market investigation into mobile browsers and cloud gaming. The CMA is mostly concerned about restrictions imposed by Apple, on functionality and use of other browsers, which “seriously inhibits the capability of web apps.” The CMA also considers that Apple “has impeded the emergence of cloud gaming (permitted on Android).” The outcome of the investigation could be legally binding orders requiring changes to be made to Apple’s and Google’s practices.
The UK Competition Appeal Tribunal (CAT) has issued its judgment on Meta’s appeal against CMA’s decision to unwind the completed acquisition of Giphy. It upheld much of the CMA decision, but also found serious procedural problems leaving open the option of remitting the case to the CMA for re-review. The Developers Alliance intervened in the case to argue against the extraterritorial remedy imposed on Giphy, a U.S. startup with no UK ties. Our statement is here.
The CMA has started to investigate the acquisition of Activision Blizzard by Microsoft. It invited interested parties to comment until July 20, and on September 1 will decide on the next phase of the investigation.
The German Competition Authority (BKA) has initiated an investigation regarding “possible restriction on competition at the expense of alternative map services on the Google Maps platform”. The BKA is concerned that Google is restricting the combination of its map services, such as integrating location data from Google Maps or the search function or Google Street View, with third-party map services. The investigation will also focus on the license conditions for the use of Google’s map services in vehicles.
The BKA has also opened a procedure against Apple, to investigate its App Tracking Transparency Framework (ATT), under “the initial suspicion that these regulations give preferential treatment to Apple’s own offers and/or could hinder other companies.”
The BKA notes that the new rules, which require additional user consent and use of the tracking identifier provider by Apple, “do not appear to affect Apple when using and combining user data in its own ecosystem.”
These proceedings are part of a series of other ongoing or already completed proceedings against Google, Apple, Amazon and Meta/Facebook, based on the new powers that the BKA received as part of the expanded abuse control over large digital companies at the beginning of last year (Section 19a GWB). In a two-phase procedure, the authority can prohibit commercial practices of companies “of paramount significance for competition across markets.”
The Dutch Competition Authority (ACM) has announced that Apple has met its requirements and changed its App Store conditions, allowing different methods of payment in Dutch dating apps. ACM imposed these changes by an order subject to periodic penalty payments, which totaled 50 million euros. Apple’s appeal against ACM’s full order is still ongoing.
France’s Competition Authority has closed a procedure and accepted Meta’s commitments to ensure easy access to its advertising services for competitors. The procedure was opened in 2019, following a complaint by French advertising platform Criteo. The Authority has stated that Meta’s commitments are “substantial, credible and verifiable.” These include non-discriminatory access for advertisement companies to the label “Meta Business Partner,” and for third-party ad tech providers to a new Meta recommendation and auction technology. The French authority has also emphasized that it was the first time that a competition authority accepted commitments from Meta within an antitrust procedure.
Privacy and Consumer Protection
The French and Italian Data Protection Authorities have followed Austrian and Dutch data protection regulators in ruling that the use of Google Analytics is illegal under the GDPR. The Italian privacy watchdog has stated that “US-based governmental and intelligence agencies may access the personal data being transferred without the required safeguards” and that “the measures adopted by Google to supplement the data transfer instruments did not ensure an adequate level of protection for users’ personal data in the light of the guidance provided by the EDPB through its Recommendations No 1/2020 of 18 June 2021.”
The French authority (CNIL) has offered a detailed explanation of the GDPR breach and called on all website operators to find alternative solutions with sufficient safeguards. It has suggested a possible solution involving a proxy server that avoids direct contact between the user’s terminal and Google’s servers. This could be considered as a sufficient supplementary measure, under the condition that the proxy server will have to meet all the criteria applicable to supplementary measures set forth in the EDPB Recommendations.
Finland’s Data Protection Authority issued a decision stating that a vehicle’s maintenance history data represents personal data under the GDPR and therefore a new owner is not entitled to obtain the data on the basis of right of access under Article 15 of the GDPR. The Finnish DPA has, however, mentioned that such datasets may also contain non-personal data. The interpretation is highly relevant in the context of the recent EU Data Act proposal, which would impose mandatory B2B data sharing for aftermarket services. It has also indicated that the release of the vehicle’s maintenance history and repair information to the person who bought a used vehicle might be possible, in principle, based on the grounds of legitimate interest, as defined by the GDPR.
Luxembourg is the first country to introduce a certification mechanism according to the GDPR criteria. The National Data Protection Commission (CNPD) has adopted the GDPR-CARPA certification, which will allow companies, public authorities, associations and other organizations established in Luxembourg to demonstrate that their data processing activities comply with the GDPR.
The UK’s Department of Media, Culture & Sport (DCMS) has published its response to the Data Reform consultation, promising that “the government’s new data protection rules will be focused on outcomes to reduce unnecessary burdens on businesses”. The future UK Data Reform Bill will provide:
more flexibility for data risks management – including the need for certain organizations, such as small businesses, to have a Data Protection Officer (DPO) and to undertake lengthy impact assessments. It will still require organizations to set out “a privacy management program to ensure they are accountable for how they process personal data”
cutting down on ‘user consent’ pop-ups and banners. The consent requirement for analytics cookies will be removed, except for content available to children
a clear list of approved processing situations under “legitimate interest”
increasing fines for nuisance calls and texts and other serious data breaches under the UK’s existing Privacy and Electronic Communications Regulations (PECR), from the current maximum of £500,000 to be brought in line with current UK GDPR penalties, which are up to four per cent of global turnover or £17.5 million, whichever is greater
changes regarding the processing of personal data for scientific research, including broader consent for data collection
reform of the Information Commissioner’s Office (ICO), including changes to the process for issuing penalties (e.g. the power to compel witnesses to answer questions in investigations).
The UK Government has announced a data transfer agreement with South Korea. This is the UK’s first independent adequacy agreement with a priority country since leaving the EU.
TikTok has committed to align its practices with the EU rules on advertising and consumer protection, following a joint intervention of the European Commission and the network of national consumer protection (CPC) authorities. The alarm was first triggered by the European Consumer Organization (BEUC) in February 2021 regarding certain problematic practices, such as failing to protect children from hidden advertising and inappropriate content.
Amazon has committed to bringing its cancellation practices in line with EU consumer rules, following a similar intervention by the European Commission and CPC network. The platform will provide consumers from the EU and EEA a prominent and clear “cancel button” to unsubscribe from Amazon Prime with just two clicks. Amazon has committed to implementing these changes on all its EU websites and for all devices (desktop, mobile and tablet). The action was initiated in April 2021, following a joint complaint by BEUC, the Norwegian Consumer Council and the Transatlantic Consumer Dialogue.
National consumer groups under BEUC’s coordination have taken action against Google, alleging that it “unfairly steers consumers towards its surveillance system when they sign up to a Google account, instead of giving them privacy by design and by default as required by the GDPR.” They have filed complaints with the European Commission, the European Data Protection Board (EDPB), the European Data Protection Supervisor (EDPS), as well as national data protection authorities.
The European Parliament’s special inquiry committee investigating the use of Pegasus and other spyware continues its series of hearings. MEPs discussed with representatives of the NSO Group, the supplier of the Pegasus spyware, while for another hearing they invited security experts, public policy figures, NGOs and representatives of Big Tech.
Three large EU digital business organizations and AmCham EU have issued a joint statement expressing concerns over the Cybersecurity Certification Scheme for Cloud Services. The concerns are related to several procedural and substantial elements in the Cybersecurity Certification Scheme for Cloud Services (EUCS) currently undertaken within the European Union Agency for Cybersecurity (ENISA), notably the inclusion of ‘digital sovereignty’ requirements. The statement also notes that “the EUCS discussions have been characterized by limited transparency and lack of stakeholder engagement.”
The EU has a revamped Code of Practice on Disinformation. The 34 signatories include major online platforms, notably Meta, Google, Twitter, TikTok, and Microsoft, as well as a variety of other players like smaller or specialized platforms, the online ad industry, ad-tech companies, as well as fact-checkers and civil society organizations that offer specific expertise and solutions to fight disinformation. The strengthened Code aims to address the shortcomings of the 2018 Code “with stronger and more granular commitments and measures”: broader participation, cutting financial incentives for spreading disinformation, covering new manipulative behaviors (fake accounts, bots or malicious deep fakes), better tools for users, expanding fact-checking in all EU countries and all its languages, more transparent political advertising, better access to platforms’ data for researchers, a strong monitoring framework and regular reporting. The Code aims to become recognised as a Code of Conduct under the Digital Services Act to mitigate the risks stemming from disinformation for Very Large Online Platforms.
More than 3,000 amendments were tabled by MEPs to the draft report on the Artificial Intelligence Act. The main controversial areas of negotiations are related to the scope (definition of AI, general purpose systems, some amendments on AI applications in the metaverse and references to crypto assets and NFTs), prohibited use-cases (biometric identification, emotion recognition, and automated monitoring of human behavior, including certain recommender systems), categorization of high-risk systems (proposals to also cover systems used for advertising), obligations for high-risk systems (including on the impact on fundamental rights and environmental requirements), and the governance framework.
Meanwhile, the Government of Spain and the European Commission have organized an event on June 27 – “Bringing the AI Regulation Forward”, launching Spain’s pilot for a Regulatory Sandbox on Artificial Intelligence (AI).
Applications are open for the 9th edition of the EIT Digital Challenge, a pan-European competition for digital deep tech scaleups. Scaleups can apply in five thematic areas: Digital Tech, Digital Industry, Digital Cities, Digital Wellbeing, and Digital Finance. Five winners will receive waived entry into the 12-month Accelerator Program worth €50,000. The submission deadline is September 19, 2022.
LUMI, the EU’s most powerful supercomputer, was inaugurated in Kajaani, Finland. The new supercomputer has seven times the computing power of Europe’s previous strongest computer, the JUWELS computer, located in Germany.