The May 2021 European Developer’s Alliance Update
The EU And UK Propose New Rules For Content Moderation
The European Commission has published guidance for the Code of Practice on Disinformation. The document calls for stronger commitments from the signatory companies and seeks to…
…reduce financial incentives tied to disinformation,
…empower users to take an active role in preventing its spread,
…better cooperate with fact-checkers across EU Member States and languages,
…and provide a framework for access to data for researchers.
The Commission expects other stakeholders to join the Code: “established and emerging platforms active in the EU, relevant stakeholders in the online advertising ecosystem (e.g. ad exchanges, ad-tech providers, brands benefitting from ads), private messaging services, as well as stakeholders that can contribute with resources or expertise to the Code’s effective functioning.”
The guidance for the Code of Practice on Disinformation is designed to complement the proposed Digital Services Act, an update of the general framework for online intermediaries with new rules for tackling illegal content, content moderation, online advertising and the transparency of algorithms (here’s our position). Moreover, the Commission has announced that it will propose legislation later this year to improve the transparency of political advertising.
Meanwhile, in the UK, the government presented the draft Online Safety Bill, a new regulatory framework to tackle harmful content online. The draft proposes a duty of care on digital service providers to moderate user-generated content in a way that prevents users from being exposed to illegal or harmful content online. As with the EU’s DSA proposal, critics warn about the risks to freedom of expression and of censorship, specifically in relation to certain obligations that will force online platforms to overreact. The draft bill will be scrutinized by the UK Parliament.
Data Protection & Privacy
The European Parliament adopted two resolutions on data transfers, one with the UK and another with the US. MEPs urged the European Commission to amend its draft decision on UK data adequacy to bring it in line with EU court rulings and the opinions of the EU privacy supervisor. The UK data protection laws are similar to EU laws, but questions were raised on the enforcement and exemptions related to UK’s migration and public security policies as well as on future data transfers. The concern is that future UK-signed trade agreements with other countries may result in the forwarding of EU data without an adequate level of protection. Developers Alliance signed a Joint industry statement “Global Industry Groups Urge European Parliament to vote in favour of EU-UK Adequacy Decisions.”
In the second resolution, MEPs called on the Commission to issue clear guidelines in line with the EU Court rulings that found EU–US data transfer regimes non-compliant with GDPR and with the EU Data Protection Board (EDPB) opinions. The Commission has been accused of having “put the relations with the US before the interests of EU citizens, and the Commission thereby left the task of defending EU law to individual citizens,” during its current negotiations with the US administration. The resolution also underlines that the Commission should start infringement procedures against Ireland for failure to enforce GDPR and that data storage in Europe is necessary to reach data autonomy.
Microsoft “answered the EU call” and announced that its business and government customers will be able to store their data in the EU. Microsoft also partnered with French consulting and IT company Capgemini and telecom operator Orange in setting up Bleu, an independent cloud platform that aims to meet the French State’s “Cloud de Confiance” label for enhanced data sovereignty and will be “fully under French and European jurisdictions”.
The European Data Protection Supervisor (EDPS) launched two investigations. The first regards the use of cloud services provided by Amazon Web Services and Microsoft under Cloud II contracts by European Union institutions, bodies and agencies (EUIs). The second regards the use of Microsoft Office 365 by the European Commission. The investigations are part of the EDPS’ strategy for EU institutions to comply with the “Schrems II” Judgement so that ongoing and future international transfers are carried out according to EU data protection law.
The European Data Protection Board (EDPB) adopted several new opinions during its latest plenary, including:
the first draft decisions on two transnational Codes of Conduct, the EU CLOUD for cloud service providers and the CISPE, intended for providers of cloud infrastructure, presented by the Belgian and French supervisory authorities respectively. The Codes are intended to provide practical guidance for processing EU data;
on the need of the proposed Digital Governance Act (DGA) to be consistent with the GDPR and to avoid creating a parallel set of rules;
recommendations on the legal basis for the storage of credit card data for the sole purpose of facilitating further online transactions.
The Hamburg data protection authority banned Facebook from using data collected from German WhatsApp users for its purposes, considering that it does not have a sufficient legal basis. The order comes in the context of changes to WhatsApp’s terms and conditions.
The Irish High Court overturned a Facebook appeal against the Irish Data Protection Commission. In their appeal, Facebook argued that the regulator did not follow regulatory procedures for a preliminary decision to block the company from using Standard Contractual Clauses to transfer data to the U.S.
The Norwegian Data Protection Authority issued a preliminary fine of €2.5 million to Disqus for unlawfully tracking visitors online. The authority noted that the company cannot rely on legitimate interest as a legal basis for tracking across websites, services or devices or profiling and disclosure of personal data for marketing purposes. The authority then indicated that this type of tracking would require consent. Disqus is a US company owned by Zeta Global, which offers an online public comment sharing platform, and which was previously used by a number of Norwegian online newspapers. It also engages in programmatic advertising.
On GDPR’s third anniversary, MEP Axel Voss presented a paper on why and how to fix GDPR. He notes, among other issues, the disproportionate burdens for SMEs, researchers, and innovators. The paper also pleads for clear exemptions for anonymization and pseudonymization and relaxing restrictions on secondary use of personal data.
The Italian Antitrust Authority has fined Google over 100 million euros for abuse of its dominant position. It also ordered Google to include in Android Auto the Enel X app allowing the use of services related to the recharging of electric vehicles. The authority states that “by refusing Enel X Italia interoperability with Android Auto, Google has unfairly limited the possibilities for end-users to avail themselves of the Enel X Italia app when driving and recharging an electric vehicle. Google has consequently favoured its own Google Maps app, which runs on Android Auto and enables functional services for electric vehicle charging, currently limited to finding and getting directions to reach charging points, but which in the future could include other functionalities such as reservation and payment.”
The European Commission will assess the proposed acquisition of Kustomer by Facebook. The transaction does not meet the turnover thresholds set by the EU Merger Regulation and therefore it was not notified to the European Commission. It was instead notified by Facebook for regulatory clearance in Austria, where the transaction meets the national merger notification threshold. Following the Commission’s recent guidelines, Austria submitted a referral request to the Commission pursuant to Article 22(1) of the EU Merger Regulation, and nine other Member States have joined. The Commission considers that “it is best placed to examine the potential cross-border effects of the transaction,” and that “the transaction might affect competition in the markets for CRM software and online display advertising services.” Facebook cannot implement the transaction before notifying and obtaining clearance from the Commission.
The German Competition Authority (Bundeskartellamt) initiated two investigations against Google and one against Amazon, based on the new competition law provisions applicable to large digital companies. A similar proceeding was initiated against Facebook at the beginning of the year, shortly after the amendment to the law entered into force. The Bundeskartellamt wants to determine whether the companies are “of paramount significance across markets.” The second investigation against Google is related to data processing terms. The new law includes some specific examples of practices that can be prohibited if they are used by a company designated with “paramount significance for competition across markets.” The Bundeskartellamt will examine whether Google/Alphabet makes the use of services conditional on users agreeing to the processing of their data, without first giving them sufficient choice as to whether, how, and for what purpose such data is processed.
The Dutch Authority for Consumers and Markets announced a study into the market for cloud services, following complaints received from business users. French, Dutch and Belgian IT users’ associations sent a joint letter to the European Commission last year. In it, the groups call for “a broader scope and new tooling for authorities to better understand and redress unfair and unwanted behaviour by dominant actors in the digital technology markets.”
The UK competition (CMA) and data protection (ICO) authorities issued a joint statement on the relationship between the aims of competition and data protection law. The statement describes the important role that data, including personal data, plays within the digital economy, the strong synergies that exist between the aims of competition and data protection and “…the ways that the two regulators will work collaboratively together to overcome any perceived tensions between their objectives.”
The Belgian government has suffered a cyberattack. The target was Belnet, a network hosting websites from the public administration, universities and law enforcement agencies, and it reportedly affected more than 200 organisations and disrupted parliamentary activities currently taking place remotely.
The Irish Health system is recovering after a major cybersecurity incident. The attackers, supposedly of Russian origin, have provided a decryption key that may allow hospitals to regain access to patients’ records. The government stated that “No ransom was paid by the Irish state”.
The UK is planning a number of measures to enhance the security of digital supply chains and third-party IT services. Managed service providers, like providers of cloud infrastructure, management software, security software, and other IT services could be required to follow updated new security standards, similar to those for critical services, meaning stricter access controls, stricter data protection policies, backing up data and training staff on cybersecurity protocols.
The European Union Agency for Cybersecurity (ENISA) formally transmitted to the European Commission the first candidate cybersecurity certification scheme under the Cybersecurity Act. The proposed scheme covers the certification of ICT products, using the Common Criteria ISO/IEC 15408 and it represents the first step in the development of a European Cybersecurity certification framework.
The European Parliament announced its backing of the new EU Cybersecurity Competence Centre and network. This comes as part of the EU’s broader efforts to increase its capacity against cyber threats. The initiative also “aims to stimulate innovation among small businesses & start-ups.” The Cybersecurity Centre will be located in Bucharest, Romania.
ENISA reported on the CySOPex exercise, which aimed to test Member States’ procedures for fast cyber crisis management in the EU when facing large-scale, cross-border cyber incidents and crises.
The Organisation for Economic Co-operation and Development (OECD) has launched a public consultation for its framework for classifying AI systems. The OECD is a member-group of 38 countries that look to promote global economic progress. The deadline for public submissions is June 30th. The framework will be published in autumn this year. The Council of Europe, the Strasbourg-based human rights organization, has also announced that it will begin negotiating its AI treaty.
European Parliament and Council negotiators have reached a provisional deal to make the Blue Card system more attractive to highly qualified third-country nationals wishing to work in the EU. The agreement provides more flexible criteria for admission (a valid work contract or binding job offer of at least six months), a lower threshold for a minimum salary that applicants must earn to qualify, an extension of the rights of beneficiaries with simplified intra-EU mobility and faster family reunification procedures.
The European Commission put forward a proposal for a new framework for taxation – “Business in Europe: Framework for Income Taxation” (or BEFIT), which will provide a single corporate tax rulebook for the EU. The rules will be based on a formulary apportionment and a common tax base. The framework’s other proposed measures intend to set greater public transparency for the effective tax rates of certain large companies and to encourage companies to finance their activities through equity rather than turning to debt. On the latter, the Commission notes that “current pro-debt bias of tax rules, where businesses can deduct interests attached to a debt financing, but not the costs related to equity financing, can encourage companies to accumulate debts.”
The EU approved stricter rules for the trade of dual-use goods, software and technologies that have both civilian and military applications. The regulation will update the EU system for the control of exports, brokering, technical assistance, transit and transfer of dual-use items, including cyber-surveillance tools.
The European Court of Human Rights has ruled that the U.K. and Sweden’s surveillance regimes violate fundamental human rights, by failing to meet “end-to-end safeguards” that disrupt interception operations.
The European Commission and the network of national consumer authorities (CPC) have launched a formal dialogue with TikTok, following an alert by the European Consumer Organisation (BEUC) earlier this year concerning TikTok’s breaches of EU consumer rights. TikTok has a month to reply on issues related to hidden marketing, aggressive advertising techniques targeted at children, and certain contractual terms in its policies that could be considered misleading and confusing for consumers.
A coalition of musicians and human rights organizations has written a critical open letter to Spotify CEO Daniel Ek regarding the company’s recently approved speech-recognition patent. The organizations note that the technology which, according to the patent, claims to detect “emotional state, gender, age, or accent” to recommend music, could lead to emotional manipulation, discrimination, privacy violations, data security and exacerbate existing inequality in the music industry.