The June 2021 European Developer’s Alliance Update.
The EU And The US Start A New Relationship
On June 15th, the EU-US Summit was held in Brussels. US President Joe Biden met with European Council President Charles Michel and Ursula von der Leyen, president of the European Commission. The discussions marked a new page of transatlantic relations. One of the main points on the agenda was technological cooperation. A high-level Trade and Technology Council was established as the framework for the cooperation, which will comprise working groups “with agendas focused on technology standards cooperation (including on AI, Internet of Things, among other emerging technologies), climate and green tech, ICT security and competitiveness, data governance and technology platforms, the misuse of technology threatening security and human rights, export controls, investment screening, promoting SMEs access to, and use of, digital technologies, and global trade challenges.”
Data Is Free To Flow From The EU To The UK
The European Commission has adopted two adequacy decisions for the United Kingdom – one under the General Data Protection Regulation (GDPR) and the other for the Law Enforcement Directive. The decisions will ensure that personal data can now flow freely from the European Union to the United Kingdom where it benefits from an essentially equivalent level of protection to that guaranteed under EU law. They include a so-called ‘sunset clause’, which sets an automatic expiration date four years after their entry into force. After that period, the adequacy findings will need to be reevaluated, and then renewed, assuming the EU finds the UK has continued to ensure adequate levels of data protection.
A New Set Of Standard Contractual Clauses
The European Commission has presented a new set of standard contractual clauses (SCCs), for data transfers between EU and non-EU countries. The new SCCs have been updated to better align with the GDPR and to comply with the Schrems II judgment. The judgement invalidated the EU-US Privacy Shield but confirmed the validity of the SCCs for the transfer of personal data processed outside the EU/EEA, under the condition that the transfers are assessed on a case by case basis. The new SCCs can be incorporated into contracts starting from June 27, 2021.
The European Data Protection Board (EPDB) published the final version of its “Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.” The Recommendations were first adopted in November 2020 following the CJEU Schrems II ruling. The final version includes several changes following the public consultation and places a special focus on the practices of a third country’s public authorities. Concerning the new set of SCCs, the EPDB Recommendations are helpful to check “Local laws and practices affecting compliance with the Clauses” (Clause 14 of the new SCCs) and the possible need to implement supplementary measures.
A Proposal For An EU Digital Identity
Updated Rules For Product Safety
The European Commission has proposed a revision of the general legal framework for product safety. The proposed rules would oblige online marketplaces to remove unsafe products within a maximum of two days, under penalty of at least 4 percent of the company’s annual turnover in the relevant EU Member State.
DSA & DMA – Two Critical Regulations In The Making
The main rapporteurs in the European Parliament, those of the Internal Market and Consumer Protection Committee (IMCO), presented their draft reports on the Digital Services Act (DSA), and respectively, the Digital Markets Act (DMA). Both draft reports propose amendments that would significantly expand the scope of the regulations, with potentially negative consequences for all. We recently signed a joint industry letter in reaction to the first proposals for the DSA. Additionally, here is our latest blog post on the DMA’s development. We actively follow the legislative debate and engage with lawmakers to promote our industry interests. Reach out to us for more information and share your feedback.
A joint non-paper by Sweden, Ireland and Finland has called for a balanced approach to safeguard freedom of speech online from the potentially negative effects of the DSA.
The UK CMA Actions
The U.K. Competition and Markets Authority (CMA) launched a market study into Apple and Google’s “mobile ecosystems,” which include operating
systems (iOS and Android), app stores (App Store and Play Store), and web browsers (Safari and Chrome). The study will also examine “any effects of the firms’ market power over other businesses – such as app developers – which rely on Apple or Google to market their products to customers via their phones.” The CMA is looking for app developers feedback, via a questionnaire, until July 26.
The European Commission and the UK CMA have both opened antitrust investigations into how Facebook uses data from advertisers to compete with them.
Both investigations will assess whether Facebook violated competition rules by “using advertising data gathered in particular from advertisers, to compete with them in markets where Facebook is active such as classified ads and/or unfairly using the data gained from its advertising and single sign-on to benefit its services, in particular Facebook Marketplace”. The CMA stated that it “will seek to work closely with the European Commission as the independent investigations develop.”
The CMA has secured commitments from Google regarding the “Privacy Sandbox,” the project to remove third-party cookies on Chrome. The CMA launched a consultation with interested third parties before making a final decision on whether to accept the commitments offered. These commitments are likely to have implications for the global implementation of Google’s Privacy Sandbox proposals. Meanwhile, Google announced that cookie phase-out has been delayed until late 2023.
Finally, the CMA has opened a formal probe into Amazon and Google over concerns that they have not been doing enough to combat fake reviews on their sites.
The European Commission’s Actions
The European Commission has opened a formal antitrust investigation into Google’s advertising business. It will assess whether Google has breached EU competition rules by favouring its own online display advertising technology services in the so-called “ad tech” supply chain, to the detriment of its competition. This includes providers of advertising technology services, advertisers, and online publishers. The Commission will assess “whether Google is distorting competition by restricting access by third parties to user data for advertising purposes on websites and apps while reserving such data for its use.”
The European Commission has published the preliminary results of a competition sector inquiry into the consumer Internet of Things (IoT) related products and services market. The Preliminary Report indicates that consumer IoT is growing rapidly and there is a trend towards increasing availability and proliferation of voice assistants as the primary user interface for enabling interaction with different smart devices and consumer IoT services. The report also covers aspects of the cost of technology investment and the competitive situation as the main barriers to entry or expansion in the sector. The findings are subject to public consultation for twelve weeks, ending September 1st, 2021. The Commission aims to publish the Final Report in the first half of 2022 and will provide guidance to the Commission’s future enforcement and regulatory activity, including the ongoing legislative debate on the Commission’s proposal for the Digital Markets Act.
The French Competition Authority’s Actions
France’s competition authority has fined Google € 220 million for favouring its services in the online advertising market. The authority stated that Google had settled the case and agreed to make operational changes. The investigation started in June 2019 after complaints initiated by Rupert Murdoch’s media conglomerate News Corp, France’s Le Figaro, and Belgian media group Rossel. Le Figaro has withdrawn its complaint.
The German Competition Authority’s (BKA – Bundeskartellamt) Actions
The BKA has initiated a proceeding against Apple, following complaints from the advertising and media industry regarding Apple’s restrictions on user tracking with the introduction of its iOS 14.5 operating system, exclusive pre-installation of their applications and the in-app purchase system (IAP). On the latter, the BKA acknowledged the similarity with the European Commission’s ongoing proceedings against Apple for imposing restrictions on the streaming service Spotify and accordingly preferencing its services. The authority then stated that it “will establish contact with the European Commission and other competition authorities in this regard.”
This is the fourth large digital company against which the German authority is taking action based on a new competition law tool. In the past months, the BKA has initiated similar investigations against Facebook, Amazon and Google, following the coming into force of the 10th amendment to the German Competition Act (GWB Digitalisation Act), in January 2021. Under the updated law, the BKA has the power to intervene earlier and, in a two-step procedure, to prohibit companies that are “of paramount significance for competition across markets” from engag
ing in anti-competitive practices.
The BKA has also opened an investigation into Google News Showcase, a program launched in Germany in October 2020 and which offers the possibility to present news content from publishers in a prominent and more detailed way.
Other Competition Updates
Google has announced changes to the search engine’s “choice screen,” which is presented when setting up a smartphone or tablet that runs on the Android operating system. The choice screen was part of Google’s implementation of the Commission’s decision in the Android case, from 2018, imposing a record €4.3 billion for abuse of dominance. Google will expand the number of search engine providers displayed from three to five on the first screen and twelve when users scroll down. It also stopped charging rival providers for being included on the screen. The changes will become effective in September.
The heads of the EU’s national competition authorities have published a joint letter on the enforcement of the proposed Digital Markets Act (DMA), calling “for better coordination of the DMA enforcement with competition law procedures” and for utilising the experience and resources of national competition authorities in the regulation’s implementation, as “a contribution to the DMA’s effectiveness.”
The EU consumer advocacy organisation BEUC has announced that it joined, as an interested third party, the European Commission’s antitrust investigation into Apple’s AppStore practices related to music streaming services. BEUC previously also intervened in antitrust cases involving Google’s Shopping and Android practices and Amazon’s marketplace.
Calls For Limitations And Bans On AI Technologies
The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) have adopted a joint opinion on the European Commission’s proposal for a Regulation laying down harmonised rules on artificial intelligence (AI Act). They insist that the “risk to fundamental rights” should be aligned with the EU data protection framework and to consider the “societal risks for groups of individuals.” They also concur with the idea that classification of an AI system as high-risk does not necessarily mean that it is lawful per se and can be deployed by the user as such. Finally, and consequently, that compliance with legal obligations arising from European Union legislation – including on personal data protection – should be a precondition for entering the European market as CE marked product. The two institutions launched a call for “a general ban on any use of AI for automated recognition of human features in publicly accessible spaces, such as recognition of faces, gait, fingerprints, DNA, voice, keystrokes and other biometric or behavioural signals, in any context” and consider that “the use of AI to infer emotions of a natural person is highly undesirable and should be prohibited, except for very specified cases, such as some health purposes.”
An open letter signed by more than 175 civil society organizations, researchers and activists called for an “outright ban” on the use of facial and remote biometric recognition technologies in public spaces that enable mass surveillance. The letter contends that “no technical or legal safeguards could ever fully eliminate the threat [these technologies] pose,” considering they are by design potentially harmful to human liberties and civil rights.
The U.K.’s Information Commissioner’s Office (ICO) stated that it is “deeply concerned” about the legal risks of live facial recognition technology and will be calling for strict regulations accordingly.
A Call For Banning Targeted Advertising
Consumer, digital rights, human rights and other civil society groups called in an open letter to lawmakers to ban “surveillance-based advertising,” based on a report presented by the Norwegian Consumer Council.
A Clarification On GDPR Enforcement
The EU Court in Luxembourg ruled that “under certain conditions, a national supervisory authority may exercise its power to bring any alleged infringement of the GDPR before a court of a Member State, even though that authority is not the lead supervisory authority with regard to that processing.” The national data protection authority of the member state where a company has its main EU headquarters is considered the lead supervisor. As such it has the legal authority to supervise cross-border processing of data by that company. GDPR’s one-stop-shop enforcement system has been criticized. Several national watchdogs in particular have complained about the length of the investigations of their Irish counterpart (which has the legal authority to oversee many Big Tech companies headquartered in its jurisdiction). The decision harkens back to a case brought by the Belgian privacy agency in 2015 against Facebook. The decision regarded Facebook’s collection of local users’ data. Facebook challenged the authority’s legal right to conduct the investigation and the matter was referred to the EU’s highest court to determine how best to enforce the bloc’s privacy rules.
Some Clarification On Content Management And Copyright
The EU Court of Justice ruled that operators of online platforms are not to be considered responsible for content illegally posted by users unless they actively contribute to making such content available. The judgment concerned two separate cases brought before German courts. The German Federal Court of Justice then requested a clarification from the EU Court on whether online content sharing platforms can be considered liable for copyright-protected content illegally posted by their users. In both cases, the lawsuits were initiated by rights-holders against online platforms such as YouTube where users uploaded content without the rights-holders’ consent. The ruling doesn’t take into account the new EU copyright legislation adopted in 2019 (which still needs to be transposed by the Member States into their national laws) or the upcoming Digital Services Act (DSA). In the DSA, the European Commission has proposed a change to the concept of passivity with that of neutrality. This means that the legal exemption would also apply in cases where online platforms play an active role in breaching copyrights. The ruling has high relevance for the application of the Copyright Directive, under which platforms will no longer be exempted for copyright breaches, and in particular Article 17, intended to prevent copyright-protected content from being made available on online platforms.
The European Parliament adopted a resolution regarding EU cybersecurity standards for connected devices, apps, embedded software and operating systems. This resolution is aligned with the European Commission’s plans to propose horizontal legislation on cybersecurity requirements for connected products and associated services.
The European Commission presented its plans to launch a Joint Cyber Unit, a new entity that would allow national capitals to coordinate responses to cyber-attacks. The unit would gather national and EU-level cyber agencies, cybercrime police, industry, and military units that can coordinate responses to large-scale cyberattacks. The unit would be based in Brussels and managed by the European Union’s Cybersecurity Agency (ENISA), and would establish “rapid response teams” to swoop in and fight off hackers.
ENISA has published the report Cybersecurity for SMEs, which provides advice to SMEs for successfully coping with cybersecurity challenges. The study reveals that phishing attacks are among the most common cyber incidents SMEs are likely to be exposed to, in addition to ransomware attacks, stolen laptops, and Chief Executive Officer (CEO) frauds. The report’s main recommendations refer to the essential role of people in the cybersecurity ecosystems. Specifically, they mention the monitoring of internal business processes, such as performing audits, incident planning and response, passwords, software patches, and data protection. They also discuss technical level measures such as network security, anti-virus, encryption, security monitoring, physical security and the securing of backups.
Funding Opportunities And Targets
The European Investment Bank published a report which shows that companies and governments in Europe are substantially underinvesting in AI and blockchain compared to other leading regions. It identified several reasons for this “underinvestment”, including:
the limited availability of venture capital and private investment,
limited appetite due to high initial investment needs,
the lack of knowledge and low visibility of commercial applications,
limited availability of data within the EU,
and a fragmented innovation ecosystem.
It also found that for the EU to remain competitive, it should invest €5-10 billion per year in AI and blockchain.
The European Commision announced funding calls under its Startup Europe and Innovation Council initiatives, within a total budget of EUR 6 million. Cross-border projects are expected from startup ecosystem builders “that will reinforce the activities of the European Innovation Council by targeting EIC supported digital and deep tech startups to support their scale up in Europe.” It also specified that “the actions can also target deep tech startups not yet supported by the EIC, including startups that have already received private investment or EU funding, and raise their awareness of the opportunities on the EIC offer.” Applications can be submitted here until the 22nd of September.
French President Emmanuel Macron expressed support for 10 European tech giants valued at €100 billion or more by 2030, during an event he hosted at the Elysée palace in Paris. The event gathered Europe’s startup and scale-up players from the Scaleupeurope group. The roadmap for this ambitious goal was presented in a report, its main recommendations refer to funding (associating private funds of funds, sharing risk and pooling public investment banks for increased collaboration) and an EU wide tech worker visa for attracting talent. The plan will feed into France’s digital agenda for their EU Council presidency which will start in January next year.
The new EU rules tackling online terrorist content took effect on J
une 6th. According to the regulation, online platforms have one year to “adapt their processes” to comply with the rules, which will apply in practice from June 7, 2022. Platforms will have to remove terrorist content referred by Member States’ authorities within one hour, under penalties. Platforms are also subject to transparency and reporting obligations on the amount of terrorist content removed, the measures used to identify and remove content, as well as the outcomes of complaints and appeals.
A recently adopted French executive order is obliging subscription-based video streaming services such as Netflix, Amazon Prime Video, and Disney+, to invest at least 20 percent of their French annual turnover in European and original French-language content. The rules will apply to streaming services with an annual turnover of at least €5 million and whose audience represents 0.5 percent of the number of French subscribers to any service. The rules apply to streaming services that are targeting a French audience, even if the companies are not based in France.
The European Commission took legal action against Belgium following complaints that its data protection authority fails EU independence requirements. The GDPR requires regulators to be independent of the government.
France will create an agency to fight disinformation coming from foreign actors. The agency will focus on combating misinformation campaigns originating from foreign countries seeking to “undermine” the French state. It will employ sixty people upon launch and be led by France’s Secretariat-General for National Defence and Security (SGDSN).