The Summer 2021 European Policy Update.
The Summer 2021 European Policy Update
UK’s Digital Regulatory Plans
The UK is working tenaciously to adapt the regulatory framework to the post-Brexit context, with a strong focus on the digital economy, which plays a significant role for the UK’s future in the global technological race.
On 6 July, the UK Government published the policy paper “Digital Regulation: Driving growth and unlocking innovation,” laying down the principles and objectives for designing and implementing digital regulation. The government commitment is “to proportionate regulation and, where appropriate, deregulation.” The three main principles stated as underpinning the UK’s post-Brexit digital regulatory plans are: i) Actively promote innovation; ii) Achieve forward-looking and coherent outcomes; iii) Exploit opportunities and address challenges in the international arena. The UK will pursue “securing a pro-growth and trusted data regime,” as well as governance or regulatory frameworks for the development and deployment of systems for automated decision-making, which should help to build trustworthiness and consumers’ confidence in their use.
The draft Online Safety Bill, published on 12 May this year, represents the new regulatory framework for tackling illegal and harmful content online. It sets out a duty of care for internet companies, such as “social media, websites, apps and other services which host user-generated content or allow people to talk to others online.” The bill looks to remove and limit the spread of illegal content such as child sexual abuse, terrorist material and suicide content. Stricter rules have been proposed for child protection, for example, exposure to harmful content or activity such as grooming, bullying, pornography and also the encouragement or promotion of self-harm and eating disorders. Special rules are also envisioned for the most popular social media sites concerning “content which is legal but could cause significant physical or psychological harm to adults.” The draft bill will also undergo pre-legislative scrutiny before adoption.
Another important policy development is the new pro-competition regime for digital markets, which aims to provide the new Digital Markets Unit with appropriate powers to implement a specific “pro-competition regime” for firms with “Strategic Market Status” and interventions that will address “the root causes of market power,” including special merger control. The consultation closes on 1 October.
Alongside this, the UK Government has opened a wider public consultation on a reform of competition and consumer policies. This will strengthen consumer enforcement powers and bring them in line with antitrust and data protection enforcement, allowing the regulator (CMA) to impose significant administrative fines, up to 10% of global turnover. On competition policy, the proposed measures target more effective market inquiries and reinforced investigative and enforcement powers across competition tools, stricter merger control, as well as stronger and faster enforcement against illegal anticompetitive conduct. The reform will update consumer rights, especially concerning subscription contracts and prevention of online exploitation of consumer behaviours (including the promotion of ‘fairness by design’ principles), fake reviews, refunds and prepayment. The measures on consumer protection enforcement will specifically address, inter alia, consumers’ access to ADR services such as arbitration and mediation.
The UK Government also made an important announcement regarding its post-Brexit data protection strategy. It will prioritise “striking ‘data adequacy’ partnerships” with the United States, Australia, the Republic of Korea, Singapore, the Dubai International Finance Centre, and Colombia. Future partnerships with India, Brazil, Kenya, and Indonesia are also foreseen. These will add to the existing 42 adequacy arrangements the UK has in place. The UK intends to revamp its data protection legal framework, which currently is based on the EU’s GDPR and privacy rules. Digital Secretary Oliver Dowden stated the following: “It means reforming our own data laws so that they’re based on common sense, not box-ticking.” The government also designated New Zealand Privacy Commissioner John Edwards as its preferred candidate to be the UK’s next Information Commissioner.
Competition
The European Commission has opened an in-depth investigation on the acquisition of Kustomer by Facebook. The Commission is concerned that “the proposed transaction would reduce competition in the market for the supply of Customer Relationship Management (CRM) software” and “would further strengthen Facebook’s market position in the online display advertising market by increasing the already significant amount of data available to Facebook for personalisation of the ads it displays.” The decision will be issued on December 8, 2021. The transaction did not meet the turnover thresholds of the EU Merger Regulation, but Austria was notified as it recently changed the thresholds under its national law. Austria submitted a referral request to the Commission based on Article 22(1) of the EU Merger Regulation and on the recent guidelines issued by the Commission encouraging the Member States in this direction. On 12 May 2021, the Commission accepted the request from Austria, which was joined by Belgium, Bulgaria, France, Iceland, Ireland, Italy, the Netherlands, Portugal and Romania. The referring Member States will not apply their national legislation on competition to the transaction, as the Commission will assess the impact of the acquisition of Kustomer by Facebook within the territory of these Member States under the EU Merger Regulation.
In parallel with the European Commission, the German Competition Authority (Bundeskartellamt -BKA) has opened its separate investigation of the Facebook/Kustomer merger. The BKA will assess if the transaction is meeting the merger control thresholds set in 2017 by an amendment to the German Competition Act (GWB). Mergers, where companies or assets which (at the time of the merger) generate little or no turnover and are acquired at a purchase price of more than 400 million euros, now fall under the merger control regime. The BKA specified in its press release that “Germany did not join the application for referral to the EU Commission because in the Bundeskartellamt’s general practic
e a referral requires a merger to be subject to a notification based on national competition law, which still has to be clarified in the present case.”
The UK’s competition authority (CMA) has found Facebook’s merger with Giphy problematic. After an in-depth investigation, the CMA considered that the merger “will harm competition between social media platforms and remove a potential challenger in the display advertising market.” The CMA will receive feedback from interested parties and then publish its final decision on October 6, 2021.
The CMA also found that NVIDIA’s purchase of Arm “raises serious competition concerns. An in-depth investigation will be conducted to assess the impact of the acquisition. CMA’s concerns regard possible harm to competition by the restricting of access to Arm’s intellectual property (IP), which is used by companies that produce semiconductor chips and related products, in competition with NVIDIA. The CMA is considering whether this “could stifle innovation across a number of markets, including data centres, gaming, the ‘internet of things’, and self-driving cars.”
The Spanish Competition Authority has opened an investigation against Amazon and Apple for possible unlawful conduct. Such conduct includes an agreement of possible restrictions on the Amazon website in Spain regarding the retail sale of Apple products by third parties. Additionally, it will investigate the advertising of Apple product competitors and certain campaigns directed at Apple customers by Amazon, as well as other commercial restrictions.
U.K. activists launched a collective legal action against Google, seeking damages up to £920 million for alleged violation of competition law. The claim was filed by digital rights activist Liz Coll who is represented by law firm Hausfeld, and targets the 30% commission in the Play Store, considered as “an unlawful and unearned tax.” In a reaction, a Google spokesperson said that “less than 0.1% of developers are subject to a 30% service fee and only when they’re earning over $1 million,” as Politico reports.
Data Protection & Privacy
Luxembourg’s data protection authority (CNPD) has fined Amazon a record €746 million for GDPR non-compliance. The decision was not published, only confirmed by the CNPD, following the public disclosure of the fine in Amazon’s quarterly results. The full publication of the decision is precluded by the national law’s provisions.
The Dutch Data Protection Authority (DPA) has imposed a fine of €750,000 on TikTok for violating the privacy of children. The DPA found that the privacy statement provided by TikTok to Dutch users upon installation was in English and thus not readily understandable. Many TikTok users were also noted as young children who benefit from stricter privacy protections according to Dutch national law.
The Italian Data Protection Authority (GPDP) has imposed a fine of 2.6 million euros on Foodinho, part of the Glovo group, a Spanish delivery startup. The fine concerns the algorithms used for the management of workers. The authority found that the company had not adequately informed the workers on the functioning of the system and did not guarantee the accuracy and correctness of the results of the algorithmic systems used for the evaluation of the riders. The decision also states that the company did not guarantee procedures to protect the right to obtain human intervention, express one’s opinion, and contest the decisions adopted through the use of the algorithms, including the exclusion of a part of the riders from job opportunities.
The GPDP has also issued guidelines for cookies and other tracking tools. Cookie walls are considered illegitimate, “except for the hypothesis, to be verified on a case-by-case basis, in which the owner of the site still allows users to access equivalent content or services without requesting consent for the use of cookies or other trackers.” Also, the resubmission of the cookie banner at each new access of users who previously denied them “is a redundant and invasive measure.”
France’s data protection authority (CNIL) sent letters of formal notice to 40 organizations for lack of compliance with cookie rules. This comes after it had issued in May formal warnings to 20 organizations and companies, and all of them complied. The second round of formal warnings is targeting, among others, “four major platforms of the digital economy,” six electronic devices and software manufacturers, six e-commerce platforms, and two major online tourism companies.” The 40 companies and organizations have until September 6 to change their websites or face fines up to 2% of their turnover.
The German data protection authorities have launched a coordinated investigation into international data transfers to countries outside the European Union or the European Economic Area. Their goal is to enforce the European Court of Justice’s Schrems II decision of July 16, 2020, which invalidated the Privacy Shield. According to the Court, the data exporters need to show that an equivalent level of protection for personal data is ensured in the recipient state. Additionally, the use of standard data protection clauses for data transfers to third countries is only valid if additional effective measures are taken. The investigation covers the use of third-party providers like e-mail-services, webhoster, services for web tracking or managing applicant data, and the intra-Group exchange of customer data and employee data within companies.
In a civil case between privacy activist Max Schrems and Facebook, the Austrian Supreme Court referred a number of questions to the Court of Justice of the European Union regarding the legality of Facebook’s data use of EU users. The request is seeking the EU Court’s interpretation of ‘consent’ and ‘contract’ as the legal basis for data processing, of the application of data minimization principle, and of sensitive data. The Austrian Court also decided that Mr Schrems should receive €500 of monetary compensation for symbolic emotional damages because Facebook provided him access to his data via an online tool which was dispersed among more than 60 categories of data with hundreds if not thousands of data points.
Max Schrems’ organisation noyb has filed 422 formal GDPR complaints on cookie banners in ten EU countries. After sending written warnings to more than 500 companies in May this year, 516 websites reacted by improving the way users are giving consent for personal data processing. However, noyb considered that many companies have only resolved certain violations, so it filed complaints in 422 of the 516 cases; 82% of all initial draft complaints. Also, noyb intends to file an additional 36 complaints against websites owned by major platforms, including Amazon, Twitter, Google or Facebook, as they didn’t respond to the draft complaints.
Another series of complaints recently filed by noyb target the cookie paywalls of seven major German and Austrian news websites (SPIEGEL.de, Zeit.de, heise.de, FAZ.net, derStandard.at, krone.at and t-online.de). The alleged issue stems from these websites asking their users “to either agree to data being passed on to hundreds of tracking companies (which generates a few cents of revenue for the website) or take out a subscription (for up to €80 per year).” Noyb takes the position that consent cannot be considered freely given “if the users need to ‘buy back’ their data at an exorbitant price.”
During its latest plenary session the European Data Protection Board adopted a dispute resolution decision on the basis of Art. 65 GDPR. In it, they seek to address the lack of consensus on certain aspects of a draft decision issued by the Irish DPA as lead supervisory authority regarding WhatsApp, and objections expressed by a number of concerned supervisory authorities. The decision addresses the merits of the objections found to be “relevant and reasoned” in line with the GDPR specific provisions. The objections of other authorities to the Irish authority’s interim findings are mainly related to whether specific data at stake were to be considered personal data and the consequences thereof, and the appropriateness of the envisaged corrective measures. The Irish DPA is expected to issue the final decision in one month.
Prior to this, the EDPB adopted its first urgent binding decision pursuant to Art. 66(2) GDPR, based on a request from the Hamburg supervisory authority. Previously, the authority had ordered a ban on processing WhatsApp user data by Facebook for their own purposes, following a change in the Terms of Service and Privacy Policy applicable to European users of WhatsApp. The EDPB decided that the conditions to demonstrate the existence of an infringement and an urgency are not met. Therefore, the EDPB decided that no final measures need to be adopted by the Irish DPA against Facebook IE in this case, but the Irish DPA should carry out, as a matter of priority, a statutory investigation. The investigation should, in particular, “verify if, in practice, Facebook Companies are carrying out processing operations which imply the combination or comparison of WhatsApp IE’s user data with other data sets processed by other Facebook Companies in the context of other apps or services offered by the Facebook Companies, facilitated inter alia by the use of unique identifiers.”
During its last plenary session, the EDPB also adopted Guidelines on Codes of Conduct (CoCs) as a tool for transfers, a final version of the Guidelines on Virtual Voice Assistants (VVA), and a final version of the Guidelines on the concepts of Controller and Processor.
Tracking-Free Ads Coalition, a coalition of European Parliament Members, civil society organisations and companies from across the EU, is promoting amendments to EU legislation with the aim to put an end to targeting advertising.
Developers Alliance has signed, alongside more than fifty other organizations, representing thousands of professionals in the digital economy, an open letter stating a firm opposition to a ban on targeted advertising, as well the undermining of existing privacy frameworks by the Digital Services Act proposal. The letter underlines that such rigid measures “would undercut market entry opportunities for start-ups and SMEs in need to reach their customers, create brand awareness and scale.”
Content Moderation
The European Parliament has adopted a temporary regulation that allows web-based service providers to continue fighting child sexual abuse material online voluntarily. It represents a derogation from the European Electronic Communication Code, in force since the end of last year. The Parliament emphasized that the service providers should use the least privacy-intrusive technologies possible, and that enforced privacy protection procedures under the strict supervision of data protection authorities should be applied. However, certain MEPs (the shadow rapporteur for the file, Greens/EFA Group MEP Patrick Breyer), the European Data Protection Supervisor and privacy rights activist groups have expressed concerns related to the use of automated tools, mass surveillance and risks for fundamental freedoms. The heated debate around the regulation involved the American actor and tech investor Ashton Kutcher, as an active supporter. The regulation has to be formally adopted by the Council and will enter into force on the third day following its publication in
the Official Journal.
The new French content moderation regime has come into force after it was officially published. France chose to adopt the law, despite many controversial aspects, including the European Commission’s warnings about the overlap with the proposal for the Digital Services Act (DSA), as Euractiv reports. The law has an extraterritorial scope, covering all online platforms which “list, rank or share content uploaded by third parties and which activity on the French territory exceeds a threshold number of connections determined by decree,” “irrespective of their establishment in France.” The rules are similar to those proposed in the DSA, regarding reporting tools and notice action, complaint and redress mechanism, transparency reporting, points of contact, and cooperation with authorities, as well as additional requirements for very large online platforms. The sanctions are severe, going up to up to 6% of the global turnover, the maximum being set at €20 million.
Youtube has taken a stand against Germany’s hate speech law, the Network Enforcement Act (NetzDG). The NetzDG is controversial and one of Europe’s most stringent content moderation laws. Germany further amended the law last year increasing the number of offences and imposing large social media platforms to take proactive measures and share information on serious hate speech content with law enforcement authorities. These new rules will go into effect in February 2022. Google/YouTube is calling out the disproportionate processes set out by the amended law, which pose risks to users’ privacy and other fundamental rights. Notably, online platforms like YouTube will be obliged to automatically forward susceptible content and related information (such as user names, IP addresses and port numbers) to the enforcement authority via an electronic interface. The authority then checks if the content qualifies as an offence only after receiving all the information. This data cannot be withdrawn from the database, even if the content is not found to be criminal. YouTube mentions that “around 40 per cent of the content passed on by the provider does not contain any criminal content”, so “users who publish legitimate content must therefore fear that their personal data will be stored in police databases.”
Germany’s Federal Court has ordered Facebook to reinstate posts that violate its policy on hate speech. The Court ruled that while Facebook retains the right to enforce its community rules, it should have informed the users about the removal of the posts and allowed them to respond before suspending their accounts. The case in question is from 2018 when Facebook removed posts in which two German users attacked migrants. The two complained that the posts’ removal was a violation of free speech.
An open letter to the EU policymakers against Facebook was initiated by Algorithm Watch, following the shut down of their Instagram monitoring. The letter was sent in the context of the legislative debate on the Digital Services Act (DSA) proposal, in particular on proposed amendments for transparency, and access to platforms’ data for researchers, independent civil society organizations and journalists. Facebook decided to restrict and even remove data access for research teams (e.g. New York University Ad Observatory), noting that it should not happen at the expense of people’s privacy.
Another open letter, signed by 90 international policy and rights organisations, is calling on Apple to abandon the measures announced on August 5 for scrutinising content and communications from its devices to prevent the dissemination of child sexual abuse material (CSAM). The international coalition fears that “once this capability is built into Apple products, the company and its competitors will face enormous pressure — and potentially legal requirements — from governments around the world to scan photos not just for CSAM, but also for other images a government finds objectionable.”
The European Commission has sent letters of formal notice to 23 out of the 27 EU Member States about the lack of transposition into national law of the Directive on Copyright in the Digital Single Market (Directive 2019/790/EU). Austria, Belgium, Bulgaria, Cyprus, Czechia, Denmark, Estonia, Greece, Spain, Finland, France, Croatia, Ireland, Italy, Lithuania, Luxembourg, Latvia, Poland, Portugal, Romania, Sweden, Slovenia and Slovakia failed to enact the new rules by the deadline of 7th of June. The Commission has been late in issuing guidelines on Art. 17 of the directive, a controversial provision which obliges online content-sharing service providers to obtain an authorisation from right holders for the content uploaded on their website and to take proactive measures to avoid unauthorised uploads if no authorisation is granted. In order to ensure compliance with this provision the online platforms will have to heavily rely on automated filtering tools, which pose a high risk to freedom of speech.
Consumer Protection
Three coordinated actions of the European Commission and Consumer Protection Authorities of the EU Member States have been launched regarding:
-
Google’s various services, such as Search (e,g, transparency search result ranking, on the business model of Google Hotels and Flights), PlayStore (e.g. geo-blocking and transparency on the traders), Store (e.g. pre-contractual and standard terms)
-
TikTok’s commercial practices and policies (hidden marketing, aggressive advertising techniques targeted at children, and certain contractual terms that could be considered misleading and confusing for consumers)
-
Facebook and Twitter (to bring their terms of service into conformity with European consumer law and to cooperate swiftly with CPC authorities when they report and request the removal of online illegal c
ontent; Facebook already presented commitments).
The German Competition Authority (Bundeskartellamt) has presented the findings of its sector inquiry into consumer protection in mobile apps. The investigation identified several issues and possible remedies, as follows:
-
lack of information about data being accessed when using apps. An improved app store function should allow users to find “consumer-friendly apps” without trackers or advertisements
-
lack of transparency about contractual relationships between users, the app stores and the app publishers, especially for warranty claims.
-
lack of possibilities for users to control data processing. Users should benefit from more transparency and better option settings allowing them to “effectively deny access to their data via apps and delete all non-system relevant apps”.
The European Consumer Organisation BEUC, together with eight of its members, the European Commission and the European Network Of Consumer Authorities have filed a complaint against WhatsApp. In it they argue that the messaging app has been unduly pressuring its users to accept its new terms of use and privacy policy.
Cybersecurity
The EU Member States have joined the US and condemned “malicious cyber activities” undertaken from China’s territory. The declaration states that “the compromise and exploitation of the Microsoft Exchange server undermined the security and integrity of thousands of computers and networks worldwide, including in the member states and EU institutions.” The UK, Australia, Japan, New Zealand and Canada also joined the coalition. Norway also stated that a cyber attack on parliament’s email system in March this year was carried out from China, as Reuters reports.
The Swedish Financial Markets Supervisor has opened an investigation about an IT incident affecting the payment app Klarna in May. For a limited time, customers were able to access information about one another. The authority stated that the investigation will complement another one already opened into Klarna’s work with information and cyber security.
EU Funding For Deep Tech Ecosystems And Gender Balance
The European Commission has launched, under the Horizon Europe Programme, two calls for tender to support deep tech innovation and WomenTechEU, to “promote female leadership in the deep tech industry to build fairer, more inclusive, and more prosperous innovation ecosystems in Europe”.
The grants from WomenTechEU are targeted at early-stage highly innovative start-ups founded or co-founded by women, holding a top management position (CEO, CTO or equivalent) in the company at the time of submission. The company must be registered and established in an EU Member State or a Horizon Europe Associated Country for at least six months at the time of the submission. The grants for scaling up deep-tech ecosystems are targeting “pan-European research and technology infrastructures, industry including small and medium enterprises, clusters, universities, RTOs, business schools, national/regional innovation funding agencies, as providers of advanced services and procurers of cutting-edge technologies”.
Miscellaneous
The French Competition Authority has fined Google up to 500 million euros for non-compliance with several injunctions issued against it in April 2020 regarding the remuneration of related rights for press publishers and agencies.
Dutch Startup Association and NLdigital expressed their concerns regarding the impact of the Digital Markets Act on European startups and scale-ups. They then called on the Dutch Parliament to consider these effects and become further involved in the legislative debate.
The Frontrunners Alliance, an independent voluntary coalition, recently established a platform for joint advocacy from startup organisations toward the Governments of the D9+ Member States Group and the EU. The coalition is calling the EU policymakers to adopt agile, evidence-based, and proportional legislati
on to facilitate innovation and growth, as well as for the completion of the Single Market and support measures for European startups.
The European Commission announced, as part of its digital and technological sovereignty strategy, two industrial alliances: the Alliance for Processors and Semiconductor technologies, and the European Alliance for Industrial Data, Edge and Cloud. The objective is “to advance the next generation of microchips and industrial cloud/edge computing technologies and provide the EU with the capabilities needed to strengthen its critical digital infrastructures, products and services”. The alliances will bring together businesses, Member State representatives, academia, users, as well as research and technology organisations.
Ministers of Austria, the Czech Republic, and Slovakia have signed a joint declaration on the “digital humanism” approach when adopting policies and regulations for technology and the internet.