With upcoming regulation, tightly controlled anti-COVID-19 technologies, antitrust investigations, and national Supreme Courts weighing in, technology businesses in Europe are facing more scrutiny than ever before.
Upcoming EU Digital Regulation
Digital Services Act Public Consultation Opens
The European Commission has launched a public consultation on the future Digital Service Act legislative package (DSA). The upcoming regulation will revise the twenty-year-old e-Commerce Directive, with an “aim to establish clearer and modern rules concerning the role and obligations of online intermediaries, including non-EU ones active in the EU, as well as a more effective governance system.”
Additionally, the Commission wants to set “additional general rules for all platforms of a certain scale, such as rules on self-preferencing, and/or through tailored regulatory obligations for specific gatekeepers, such as non-personal data access obligations, specific requirements regarding personal data portability, or interoperability requirements.”
Structural Competition Problems Lead To New Tool Consultation
A parallel consultation was launched on a new competition tool, “to deal with structural competition problems across markets which cannot be tackled or addressed in the most effective manner on the basis of the current competition rules.” The submission period opens to stakeholders June 30. The public consultation is open until 8 September.
EU Member States Seek To Preserve Core Of E-Commerce Directive
Ten EU Member States (Belgium, the Czech Republic, Denmark, Estonia, Finland, Ireland, Luxembourg, the Netherlands, Poland, and Sweden) published a joint position calling on the European Commission to strengthen the core principles of the E-Commerce Directive in the upcoming update to the digital services rules. These principles are:
-
the country of origin (a provider of information society services is subject to the law of the EU Member State in which it is established),
-
the prohibition of general monitoring obligations,
-
and the limited liability regime (exemption for intermediaries from liability for the content they store, meaning that online platforms are not legally responsible for illegal content hosted, but must remove it once flagged).
Industry Open Letter Looks To Bolster e-Commerce Directive Principles In Digital Services Act
Along with 27 organizations from 11 EU Member States, the Developers Alliance has joined an open letter to EU policymakers, welcoming the position of the D9+ Member States. The letter calls for retaining the e-Commerce Directive’s careful balance of free expression and legal responsibility in the upcoming Digital Services Act.
Public Consultations On AI & Data With Many More In The Pipeline
Besides the public consultations (check here and here for our feedback on the White Paper on AI and on the European Strategy on Data), we’re already contributing to the debates within the EU Parliament, where plenty of reports with hundreds of amendments are discussed. Let us know your questions, worries, and opinions on the perspective of having new rules affecting the way you’ll code and build apps in the future.
Competition
The European Commission Opens (Two!) Antitrust Investigations Against Apple
The Commission is assessing whether Apple’s App Store distribution rules for app developers to violate EU competition rules. “The investigations concern, in particular, the mandatory use of Apple’s own proprietary in-app purchase system and restrictions on the ability of developers to inform iPhone and iPad users of alternative cheaper purchasing possibilities outside of apps.”
The second investigation “concerns Apple’s terms, conditions and other measures for integrating Apple Pay in merchant apps and websites on iPhones and iPads, Apple’s limitation of access to the Near Field Communication (NFC) functionality (“tap and go”) on iPhones for payments in stores, and alleged refusals of access to Apple Pay.”
German Supreme Court Disallows Facebook User Data Aggregation
The German Federal Supreme Court has ordered Facebook to stop merging and sharing users’ data across its platforms, confirming the opinion of Germany’s Federal Antitrust Agency (Bundeskartellamt). The Supreme Court overruled the decision of The Higher Regional Court in Düsseldorf, which was not convinced that a breach of data protection rules could fall under antitrust intervention, as an abuse of market power. The decision is not final.
UK CMA Publishes Final Digital Advertising Report, Looks For Reactions
The UK Competition and Markets Authority (CMA) published the final report of the “Online platforms and digital advertising” market study. We participated in the consultation. Our preliminary reaction on the result of its findings can be found here. A Digital Markets Taskforce was launched, with the aim to gather “views and evidence from a wide range of stakeholders to inform its work and advise the Government on a new pro-competition approach for digital markets.” For those who sell or distribute their products and services (including apps) using UK online marketplaces or app stores, you can provide your input to digitaltaskforce@cma.gov.uk and complete the online questionnaires by 31 July 2020.
Privacy
GDPR Turns Two
On May 25th the EU celebrated GDPR’s second anniversary, the date that the (in)famous General Data Protection Regulation entered application. The Commission presented a report on June 10th concerning the implementation of the GDPR in these two years. The Commission considers it a success but acknowledges the fragmentation and enforcement issues that have risen across the EU, as well as the burden placed on small businesses. The Developers Alliance contributed to the stakeholder consultation that preceded the report.
French Supreme Court Sides With French Data Protection Authority Against Google To The Tune Of €50 Million
The French Supreme Court (Le Conseil d’État) has confirmed a financial penalty of 50 million euros against Google. The fine was imposed by the French Data Protection Authority (CNIL) for lack of transparency, inadequate information, and lack of valid consent regarding ad personalization. The landmark decision raises questions on GDPR’s one-stop-shop mechanism. The mechanism guarantees or is supposed to, that companies deal only with the supervision authority from the Member State of their primary EU establishment. This functions to streamline GDPR compliance and minimize the burden of compliance on businesses.
French Supreme Court Against French Data Protection Authority On Cookie Guidelines
In another case, the Conseil d’État partially annulled the CNIL’s guidelines on cookies, invalidating its interdiction of “cookie walls.” The Court considered that such an absolute interdiction can not be prescribed by soft law, without ruling on the substance of the matter. There are different interpretations of how to obtain consent from users accessing websites in compliance with the GDPR. The recently updated Guidelines on the consent of the European Data Protection Board (EPDB) back the CNIL interpretation: “ In order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (so-called cookie walls)”.
French Data Protection Authority Warns Public Data Is Still Personal Data
CNIL has published Guidance on Web Scraping and Re-Use of Publicly Available Online Data for Direct Marketing. CNIL warns that individuals’ contact details published in online public spaces are still personal data, even if the data is publicly available. Thus the data cannot be freely re-used and further processed without the concerned individuals’ knowledge.
Two Years Into GDPR And The EDPB Issues Further Consent Guidelines
In May, the European Data Protection Board (EDPB) issued guidelines on consent under the GDPR. The document provides insightful clarifications and practical examples on the elements of valid consent, obtaining explicit consent, and specific issues such as those related to children, scientific research, and consent obtained previously on the date of application of the GDPR.
With TikTok, The EDPB Decides To Not Stop
The EDPB decided to establish a task force on TikTok’s processing and practices across the EU. TikTok is a product of ByteDance, a Beijing-based company with ties to the Chinese government. As such, the company has been under close scrutiny in the US, as well as the EU, and elsewhere. As of June 30th, the app has been banned in India.
EDPB Also Responds To Clearview AI Controversy
In the same release as the previous TikTok task force announcement, the EDPB adopted a letter with regard to the use of Clearview AI by law enforcement authorities. Civil rights advocates have called for the banning of the controversial facial recognition AI. The European Data Protection Board shared: “Without prejudice to further analysis on the basis of additional elements provided, the EDPB is therefore of the opinion that the use of a service such as Clearview AI by law enforcement authorities in the European Union would, as it stands, likely not be consistent with the EU data protection regime.”
Spanish Data Protection Authority Corrects Biometric Misunderstandings
The Spanish Data Protection Authority and the European Data Protection Supervisor (EDPS) published a joint paper on fourteen misunderstandings with regard to biometric identification and authentication. Each is explored further in the paper but the misunderstandings listed are:
-
“Biometric information is stored in an algorithm”
-
“The use of biometric data is as intrusive as any other identification/ authentication system”
-
“Biometric identification / authentication is accurate”
-
“Biometric identification/ authentication is precise enough to always differentiate between two people”
-
“Biometric identification/ authentication is suitable for all people”
-
“The biometric identification/ authentication process cannot be circumvented”
-
“Biometric information is not exposed”
-
“Any biometric processing involves identification/ authentication”
-
“Biometric identification/ authentication systems are safer for users”
-
“Biometric authentication is strong”
-
“Biometric identification/ authentication is more user-friendly”
-
“Biometric information converted to a hash is not recoverable”
-
“Stored biometric information does not allow the original biometric information to be reconstructed from which it has been extracted”
-
“Biometric information is not interoperable”
The paper is available in both English and Spanish here.
noyb Continues GDPR Complaint Filings
The activist group noyb, sent an open letter complaining about the way the Irish Data Protection Commission is handling their three complaints about Facebook, submitted two years ago – within hours of the application of the GDPR. The same organization previously filed a formal GDPR complaint against Google, claiming the lack of proper user consent for the unique tracking ID “Android Advertising ID.”
Irish Data Protection Commission Moves Inquiries Into “Big Tech” Forward
Meanwhile, the Irish Data Protection Commission is preparing its decisions after an inquiry into the Twitter data breach. Specifically, whether it is in compliance with GDPR Articles 33(1) and 33(5).
Regarding the commission’s inquiries into WhatsApp, Deputy Commissioner Graham Doyle stated: “In addition to submitting this draft decision to other EU supervisory authorities, we have this week sent a preliminary draft decision to WhatsApp Ireland Limited for their final submissions which will be taken into account by the DPC before preparing a draft decision in that matter also for Article 60 purposes. The inquiry into WhatsApp Ireland examines its compliance with Articles 12 to 14 of the GDPR in terms of transparency including in relation to transparency around what information is shared with Facebook.
The IDPC has also begun investigating the complaint of a former Apple contractor regarding the holding of Siri recordings.
EU MEPs Reject Council Draft To Exchange Fingerprint Data With UK
According to the Prüm framework, EU member states participate in an automated exchange of fingerprint data. The UK has stated however that it won’t be providing the fingerprint data it collects from its suspects, contrary to the rest of the member states. The EU draft was rejected by 329 votes for, 357 against, and 4 abstentions. The European Parliament warned that data protection and reciprocity should be guaranteed before allowing fingerprint data exchange with the UK.
Content Moderation
French Constitutional Court Rejects Controversial Hate Speech Law
In a landmark decision, the French Constitutional Court rejected the recently adopted hate speech law, finding that it “infringes upon freedom of expression”. The law, which was intensively criticised, required online platforms and search engines to remove hateful or terrorist content within 24 hours of it being posted, and child pornography to be removed within one hour of being posted. The decision is highly relevant for the current debate at the EU level on the Digital Services Act.
ERGA 2019 Report On Fake News Brings Framework Recommendations
ERGA (European Regulators Group for Audiovisual Media Services) is recommending a co-regulatory framework to fight against fake news online, based on the conclusions of the “Report on disinformation: Assessment of the implementation of the Code of Practice.” The report summarises ERGA’s 2019 work – designed to assist the European Commission – with monitoring the implementation of the commitments made by the signatories to the Code of Practice on Disinformation. The Code was signed in October 2018 by online platforms such as Facebook, Google, Twitter, and Mozilla, as well as by advertisers and the advertising industry.
Fact-checkers, Researchers, And Stakeholders Launch Platform Combatting Disinformation
The European Digital Media Observatory (EDMO) project started its activities on 1 June 2020. It aims to provide a platform to support the work of a multidisciplinary community composed of fact-checkers, academic researchers, and other relevant stakeholders, to better understand and limit the phenomenon of disinformation and increase societal resilience to it.
UK CMA Investigates Misinformation And Disinformation In Reviews
The UK Competition Authority (CMA) has launched an investigation into several major websites concerning how they detect, investigate, and respond to fake and misleading reviews. CMA has already secured commitments from Instagram, Facebook, and eBay to take action to tackle the business of fake and misleading reviews.
The Netherlands Sides With Mother Against Grandmother On Children’s Photos
A Dutch court has decided that the processing of personal data (photos) of underage children by their grandmother is unlawful and should be based on the legal representative’s consent (their mother). The grandmother was ordered to remove the photos from social media platforms Facebook and Pinterest.
Europe’s Reopening
Corona Apps And The EU’s Reopening Stumbles
The EU has launched the web platform Re-open EU that provides real-time information on borders and available means of transport and tourism services in the Member States, as well as practical information provided by the Member States on travel restrictions, public health, and safety measures such as on physical distancing or wearing of face masks.
The EU Bolsters Fight Against Covid-19 Disinformation
The EU Commission and the High Representative have set out their steps to tackle the quite large and still growing problem of disinformation surrounding COVID-19. In March, leaders across Europe were tasked to “…resolutely counter disinformation and reinforce the resilience of European societies”, based on the Action Plan Against Disinformation from 2018. The coordinated measures focus on strengthening strategic communication within and outside the EU, better cooperation amongst the EU actors and with international partners, and also on greater transparency of online platforms about disinformation and influence operations. They reinforce the policies that the online platforms voluntarily committed to implementing by adhering to the Code of Practice on Disinformation. The platform signatories of the Code are asked to make available monthly reports on their policies and actions to address COVID-19 related disinformation.
Decentralised Approach To Contact Tracing Apps Wins Out In EU
The EU Member States now agree on a decentralised approach for technical specifications. The Member States, with the support of the Commission, have to ensure an interoperability solution for national contact tracing apps based on a decentralised architecture.
The EDPB And ETSI Have Thoughts On Tracing App Interoperability
The EDPB adopted a statement on the interoperability of contact tracing applications, emphasizing that “the sharing of data about individuals that have been diagnosed or tested positively with such interoperable applications should only be triggered by voluntary action of the user.” It also warned that “the goal of interoperability should not be used as an argument to extend the collection of personal data beyond what is necessary”.
Meanwhile, the European Standardization body ETSI set up the Industry Specification Group “Europe for Privacy-Preserving Pandemic Protection” (ISG E4P), “to provide a standardization framework that will enable developers to build interoperable mobile apps for proximity detection and anonymous identification”.
Germany, France, Italy, Spain and Portugal Seek Digital Sovereignty For Europe
Five European high officials in charge of digital affairs, from Germany, France, Italy, Spain, and Portugal, signed a joint op-ed calling for Europe’s digital sovereignty. They complained that democratically-elected governments are constrained in imposing standards on coronavirus tracking technology by the private sector.
Germany Launches The Clearly Named “Corona-Warn-App”
The German coronavirus tracing app called “Corona-Warn-App” was launched on June 16. The app is based on a decentralised approach and the documentation was published on GitHub. SAP and Deutsche Telekom were involved in the development of this app.
“Immuni” App Now Tracing For Italy
Italy’s tracing app Immuni, also based on a decentralised approach, is now available to its citizens.
With “SwissCovid” Switzerland Begins Tracing
“SwissCovid”, the official Switzerland application for tracing contacts at risk of transmission of COVID-19, based on Apple|Google APIs, was launched in a large scale pilot. At the same time, the developer’s team published updated documentation on GitHub.
France Aims To Stop COVID-19 With StopCovid App, But Doesn’t Go All In
France has launched its contact-tracing app StopCovid, developed by national companies such as Orange and Dassault Systemes, independently of the Apple|Google tool. The app is based on the ROBERT system (ROBust and privacy-presERving proximity Tracing protocol). Still, in France, researchers at INRIA Institute presented the alternative project DESIRE, a “third way for a European Exposure Notification System that leverages the best of centralized and decentralized systems.”
Paris Metro Authority Tests Mask Facial Recognition Software, But French Data Protection Authority Warns Of Privacy Risks.
In May, the Paris Metro Authority began testing CCTV software for face-mask recognition. In June however, the French Data Protection Authority warned about the risks to citizen’s fundamental rights posed by the deployment of thermal cameras and other smart devices used to ensure social distancing.
UK Adopts Move To Apple/Google Model
The UK has failed with its contact tracing app and decided to switch to one based on the Apple | Google system. After months of developing and then testing the app, it was found that it doesn’t work well in detecting iPhones. Besides this major technical difficulty, concerns related to data collection and to the lack of interoperability with similar apps lead to the decision to develop another app based on the decentralized approach based on Apple|Google APIs.
Norway And Lithuania Back Out Of App Tracing Methods
Lithuania and Norway suspended their tracing apps due to concerns expressed by their Data Protection Regulators.
Estonian Technologists Test Immunity Passports
In Estonia, a team including founders of global tech startups Transferwise and Bolt is testing digital immunity passports.
EU Small Businesses In The Economic Recovery
Next Generation EU, €750B EU Recovery Package Proposed
The European Commission proposed a €750B EU recovery package, called Next Generation EU. This represents a collective debt that would provide the Member States with grants and loans aimed to help their economies to recover after the coronavirus crisis. It should go along with a €1.1 trillion seven-year budget of the EU. The budgetary plans need unanimous approval from the EU heads of state and government, so tough negotiations are starting. The way this money will be spent will be decisive for the economic future of the EU, including for the much-needed digital transformation.
State Aid Temporary Framework Extended
The European Commission extended the State Aid Temporary Framework to enable the Member States to provide public support to all micro and small companies, even if they were already in financial difficulty on 31 December 2019. This amendment i
s of particular relevance for start-ups. The conditions for recapitalisation measures under the Temporary Framework were also adapted for those cases where private investors contribute to the capital increase of companies together with the State.
Estonia Welcomes Digital Nomads
Estonia is preparing to be the first country in the world offering a “digital nomad visa.” Digital entrepreneurs are already highly welcomed with e-residency, a government-issued digital identity allowing them to establish their business in this EU state.
France Moves To Protect Home Tech
France is establishing a special fund to protect its tech startups from foreign takeovers.
Slush Shows Bleak Report For European Startups
Slush’s COVID-19 startup and investor survey shows that without new funding, one in two of all European startups now has just 6 months to survive.
Miscellaneous
Representative Action Directive Reaches Compromise Within EU
EU Parliament and Council negotiators have reached a compromise deal on The Representative Action Directive, which will grant European consumers the right of collective redress, similar to the class action suits in the US. The scope of collective action would include trader violations in areas such as data protection, financial services, travel and tourism, energy, telecommunications, environment, and health, as well as air and train passenger rights, in addition to general consumer law.
Digital Economy and Society Index Presented For 2020
The European Commission presented the Digital Economy and Society Index (DESI) for 2020. The composite index measures the progress made by the EU Member States towards a digital economy and society, on five principal policy areas, which group 37 indicators overall: connectivity, human capital, use of the internet, integration of digital economy and digital public services. Finland, Sweden, Denmark, and the Netherlands have the most advanced digital economies in the EU followed by Malta, Ireland, and Estonia. Bulgaria, Greece, Romania, and Italy mark the lowest scores.
EU Innovation Improves 8.9% Since 2012
Another index, the European Innovation Scoreboard 2020, shows that, on average, the xd by 8.9% since 2012. Sweden continues to be the EU innovation leader, followed by Finland, Denmark, the Netherlands, and Luxembourg. At the global level, the EU’s performance gap with South Korea, Australia, and Japan has increased, while the EU’s performance lead over the United States, China, Brazil, Russia, and South Africa has decreased.
Gaia-X Cloud Infrastructure Launches
Germany and France have launched the project Gaia-X, an attempt to create a European cloud data infrastructure, aiming to set European standards for data storage.
EDPS Sets Data Strategy
The European Data Protection Supervisor (EDPS) presented their view on the Data Strategy. The EDPS sees the strategy as providing “an alternative data economy model” to the current predominant business model of the digital economy “characterised by an unprecedented concentration of data in the hands of a handful of powerful players, based outside the EU, and wide-scale pervasive tracking”.
German Public Consultation On Copyright Law Adaptation Opens
The German Federal Ministry of Justice and Consumer Protection has opened a public consultation on the draft proposal to adapt copyright law. The draft contains proposals for the transposition of the Directive on Copyright in the Digital Single Market (EU) 2019/790, of the Online SatCab Directive (EU) 2019/789, and “addresses numerous further changes, including a new statutory exception for caricatures, parodies and pastiches”. The consultation will be closed on July 31, 2020.
Cyber Attack Sanctions Extended By EU To May 18, 2021
The Council of the EU adopted a decision that extends the “restrictive measures framework against cyber-attacks” which threaten the EU or its member states, for one more year, until 18 May 2021. The decision came just a few days after an EU declaration on malicious cyber activities exploiting the coronavirus pandemic. The extent of the sanctions, as well as further details, can be found here.
UK And US Cybersecurity Authorities Release Warning For Heath And Research Organisations
A joint advisory from the United Kingdom’s National Cyber Security Centre (NCSC) and the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) warned about APT (advanced persistent threat) actors actively targeting organisations involved in both national and international COVID-19 responses. The targeted organisations include healthcare bodies, pharmaceutical companies, academia, medical research organisations, and local government.
Ada Lovelace Continues To Support Computer Science With Tools For Assessing Algorithmic Systems
The Ada Lovelace Institute and DataKind UK published the report Examining the Black Box: Tools for Assessing Algorithmic Systems, which “clarifies the terms around algorithmic audits and impact assessments, and the current state of research and practice.”
German NGO Algo
rithm Watch Sets Out AI Ethics Guidelines Global Inventory
The German NGO Algorithm Watch published an “AI Ethics Guidelines Global Inventory” that maps frameworks that seek to set out principles of how systems for automated decision-making can be developed and implemented ethically.
Help Keep The Kids Learning At Home
EU Code Week has launched a series of videos to help kids and parents learn basic computational thinking concepts. The games and coding challenges don’t necessarily need a computer and are available in 29 languages.
Open-Source Cell Analysis Software From Flemish Researcher Wins Funding
A Flemish researcher that developed open-source software for analysis of individual cells won funding from Chan-Zuckerberg Initiative. This represents one of the grants awarded through the Essential Open Source Software for Science program. A third distinct cycle of funding for software projects that are essential to biomedical research has been opened on June 16, 2020. Applicants can request funding between $50k and $250k for one year.