The April 2023 European Policy Update
Data protection and privacy
The Italian Data Protection Authority has announced that Open AI’s Chat GPT has been reinstated in Italy after implementing a series of changes in response to its order. The changes include enhanced transparency for European users and non-users about the processing of personal data, options to opt-out from processing of data for training of algorithms, and a special button for Italian registered users to confirm that they are aged above 18 before gaining access to the service, or that they are over 13 and have consent from their parents or guardians for that purpose. Open AI also obliges users to provide their birthday for sign-up and block access for users under 13, unless parents or legal guardians provide consent. The Italian DPA is still waiting for Open AI to implement other measures from the order, such as implementing an age verification system and planning and conducting an information campaign to inform Italians of what happened as well as their right to opt-out from the processing of their personal data for training algorithms.
An ad-hoc task force was set up by the European Data Protection Board (EDPB) after other data protection authorities expressed their intention to investigate Chat GPT.
The EDPB has published a guide for small businesses, with “various tools and practical tips to help them comply with the GDPR,” including practical examples. The Guide also lists relevant materials developed for SMEs by the national data protection authorities.
The UK Information Commissioners’ Office (ICO) has fined TikTok £12.7 million for misusing children’s data. The ICO estimated that TikTok allowed up to 1.4 million UK children under 13 to use its platform in 2020, despite the platform’s own rules to not allow children to create accounts without consent from parents and carers, as UK data protection law requires. The ICO also found that TikTok failed to take measures to identify and remove underage children from its platform, despite certain concerns being raised internally.
The UK Competition and Market Authority (CMA) published the latest quarterly update on the implementation of Google’s Privacy Sandbox commitments. The Privacy Sandbox will offer new tools after third-party cookies are removed from the Chrome browser in the second half of 2024. The CMA monitors the implementation of the commitments, together with the Information Commissioner’s Office (ICO), and an independent Monitoring Trustee, but also tests the proposed solutions with third parties from the online advertising ecosystem.
A resolution of the European Parliament’s Civil Liberties Committee (LIBE) recommends against the adoption of the EU-U.S. Data Privacy Framework, which is considered “an improvement, but not enough to justify an adequacy decision on personal data transfers.” LIBE MEPs note that the framework still allows for bulk collection of personal data in certain cases, does not make bulk data collection subject to independent prior authorization, does not provide for clear rules on data retention, and the Data Protection Review Court (“DPRC”) aimed at providing a redress to EU data subjects is not truly independent. They also doubt that the new proposed framework will survive the test of the CJEU.
The US Government is also asking, for its part, about EU member countries’ surveillance practices, if there are sufficient legal safeguards when personal data is collected for security reasons, including legal remedies to non-EU citizens to challenge national security agencies’ access to such data (as Politico reports).
Competition in digital markets
The UK government has presented the Digital Markets, Competition and Consumers (DMCC) Bill, which will extend the CMA’s powers in consumer protection, digital markets, and competition investigations. The new regime for digital markets will be overseen by the Digital Markets Unit (DMU) in the CMA and will target firms with a global turnover above £25bn or UK turnover above £1bn and is designated with “Strategic Market Status,” on the model of Germany’s section 19a of the German Competition Act (GWB) or EU’s Digital Markets Act (DMA).
The CMA has blocked Microsoft’s acquisition of Activision, rejecting the solution proposed by Microsoft in response to its concerns regarding the impact on the cloud gaming sector. The CMA considers that the transaction would reinforce Microsoft’s advantage in the market by giving it control over important gaming content such as Call of Duty, Overwatch, and World of Warcraft. It says that available evidence “indicates that, absent the merger, Activision would start providing games via cloud platforms in the foreseeable future.” The remedy proposed by Microsoft was setting out what games and under what conditions should be offered by Microsoft to certain platforms for a period of 10 years. The CMA found that this does not sufficiently cover different cloud gaming service business models, including multigame subscription services, and is not sufficiently open to providers who might wish to offer versions of games on PC operating systems other than Windows. It would standardize the terms and conditions on which games are available, instead of allowing them to be determined by the free market. Moreover, because the remedy “would inevitably require some degree of regulatory oversight by the CMA,” at a global level, the CMA assesses that “preventing the merger would effectively allow market forces to continue to operate and shape the development of cloud gaming without this regulatory intervention.”
The CMA is consulting interested stakeholders on its intention to accept Google’s proposed commitments to implement changes to Google Play’s rules to allow certain app developers to use alternative billing systems for in-app purchases. The commitments respond to an investigation into payment systems for in-app purchases through Google Play on Android devices, initiated by the CMA in June 2022. The outcome would be three options for app developers in the UK: stick with Google Play Billing, or offer a different billing system of their choosing- ‘Developer-only Billing’ (DOB), or to offer users a choice between an alternative billing system or Google Play’s billing system – ‘User Choice Billing’ (UCB).
The CMA invites comments until May 19th on the proposed commitments, “including on:
• the extent of the proposed reduction in Google’s service fee under each of UCB and DOB;
• the proposed process for the reporting of in-app purchases turnover to Google either manually or using APIs, in order for a service fee to be calculated on in-app transactions;
• the use of information screens and, for UCB, a billing choice screen; and
• the CMA’s proposed process for monitoring Google’s compliance with the commitments, particularly its commitment not to retaliate against app developers choosing to use UCB or DOB.”
Google states that the proposed changes are based on the experience of offering users a choice of billing systems in the EEA and other parts of the world. The changes are to be phased in, and made first available to developers of non-gaming apps, and then to gaming apps no later than October 2023.
The German Competition Authority (BundesKartellamt) has designated Apple as “an undertaking of paramount significance for competition across markets.” According to the stricter regime of Section 19a of the German Competition Act (GWB), such companies can be prohibited from engaging in certain practices. In a previous proceeding, the Bundeskartellamt is already assessing Apple’s tracking rules and the App Tracking Transparency Framework, under the suspicion that these rules could favor Apple’s own offers and/or impede other companies.
The European Commission sent Broadcom a Statement of Objections over the proposed acquisition of VMware. The Commission considers that the transaction may restrict competition in the market for the supply of Fiber Channel Bus Adapters (FC HBAs) and storage adapters which interoperate with VMware’s virtualization software.
The European Commission has announced a simplification of the procedures for merger control. The adopted measures will simplify and expand the scope of the Commission’s review process of unproblematic mergers (‘simplified cases’), reduce the amount of information required for notifying transactions in all cases, and optimize the transmission of documents.
The Dutch Competition Authority (ACM) has published guidelines for the implementation of the Platform-to-Business Regulation. The P2B Regulation imposes online platforms and online search engines transparency obligations, and rules for internal complaint handling systems for larger platforms (e.g. app stores).
Content regulation
The European Commission has designated a first set of 17 Very Large Online Platforms (VLOPs) and 2 Very Large Online Search Engines (VLOSEs) under the Digital Services Act regime. The VLOPs and VLOSEs were designated based on the declared number of users, which should be at least 45 million monthly active users. They will have to comply, with the strictest obligations under the DSA within four months of the designation. New obligations will include assessing and mitigating their systemic risks, implementing strong moderation tools, no longer providing personalized advertising to children, ensuring a high level of transparency, and giving vetted researchers access to publicly available data. The 19 VLOPs are: Alibaba AliExpress, Amazon Store, Apple AppStore, Booking.com, Facebook, Google Play, Google Maps, Google Shopping, Instagram, LinkedIn, Pinterest, Snapchat, TikTok, Twitter, Wikipedia, YouTube, and Zalando. The VLOSEs are Bing and Google Search.
The European Centre for Algorithmic Transparency (ECAT) was launched in Seville, Spain. ECAT will consist of an interdisciplinary team of data scientists, AI experts, social scientists, and legal experts, which will provide the Commission with in-house technical and scientific expertise to assess if algorithmic systems used by the very large online platforms and search engines comply with the risk management, mitigation and transparency requirements in the DSA.
The European Parliament’s Research Centre has published a complementary impact assessment on the CSAM proposal, confirming serious concerns over the potential impacts of the proposal on fundamental rights. The study concludes that the overall effectiveness of the European commission’s proposal is expected to be limited. The conclusions reinforce the following issues:
• the technologies to detect new content and grooming are of low accuracy compared to the technologies to detect known CSAM;
• the regulation will result in an increase of reported content and a decrease in accuracy thereby substantially impacting the workload of law enforcement Authorities.
• bad actors will likely resort to the dark and deep web,
• “the detection of CSAM in E2EE raises fundamental issues with regards to the secure nature of E2EE”, creating vulnerabilities for users of E2EE communication channels. Moreover, “the CSA proposal would infringe, in respect of users, Articles 7 and 8 of the Charter of fundamental rights.” The report clearly states that the violation of the prohibition on general data retention and the prohibition against general monitoring obligations cannot be justified.
An open letter co-signed by 7 messaging services, including WhatsApp and Signal, has called on the UK government “to urgently rethink” the Online safety Bill, in order to protect end-to-end encryption. The letter warns that it’s technically impossible to comply with the obligations to scan private messages without opening backdoors to private communications secured by encryption. The letter also cautions that: “Global providers of end-to-end encrypted products and services cannot weaken the security of their products and services to suit individual governments. There cannot be a “British internet,” or a version of end-to-end encryption that is specific to the UK.”
The German Federal Office of Justice (BfJ) has initiated proceedings under the Network Enforcement Act (NetzDG) against Twitter for inadequate handling of user complaints about illegal content. BfJ considers that “there are sufficient indications” of a systemic failure in Twitter’s complaints management. According to NetzDG, online platforms must immediately take note of reported content, check whether it is illegal, and delete or block access to such illegal content, observing the statutory period of seven days or 24 hours in the event of “obvious illegality.” In Germany. content is considered illegal if it contains one of the offenses listed in the Criminal Code, including incitement to hate, insult or threats. Twitter risks a fine of up to 50 millions euro.
The Italian Competition Authority has ordered a series of interim measures to Meta concerning alleged abuse of economic dependence in relation to music rights. The order came after the failure of negotiations between Meta and the Italian Society of Authors and Publishers (SIAE), to renew copyright licenses, and the lack of availability of all songs under SIAE’s repertoire on Facebook and Instagram since March 16th of this year. Meta has to resume the negotiations and restore the availability of the songs.
Cybersecurity
The European Commission has adopted new measures to increase the EU’s cybersecurity resilience. The EU Cyber Solidarity Act is aimed to support detection and awareness of cybersecurity threats and incidents, bolster preparedness of critical entities, and to strengthen existing cooperation mechanisms. The proposal for a Cybersecurity Skills Academy will set up an online platform bringing together various existing initiatives for cybersecurity skills and increasing their visibility. The platform will be “a common space for academia, training providers and industry helping them to coordinate education programmes, training, funding, and monitor the evolution of the cybersecurity job market.” The expected outcome is to increase the number of skilled cybersecurity professionals in the EU.
Miscellaneous
The EU Parliament has adopted the proposal for a regulation on markets in crypto-assets (MiCA), and the proposal for a regulation on information accompanying transfers of funds and certain crypto-assets for tracing transfers of crypto-assets (Accompanying Regulation). According to the new rules imposing transparency, disclosure, authorization and supervision of transactions, operations with crypto-assets, such as bitcoins and electronic money tokens, will be traced in the same way as traditional money transfers. Crypto-asset service providers will have to be authorized at the EU level. Important service providers will have to disclose their energy consumption. Public offers of crypto-assets are also regulated. The regulations will have to be formally endorsed by Council, and then will enter into force 20 days after their publication in the EU Official Journal. The MiCA provisions will be phased in, with the rules on stablecoins to start to apply from 12 months after MiCA enters into force (expected in July 2024) and the measures applicable to issuers of other crypto-assets and crypto-asset service providers to start 6 months later (about January 2025).
The European Commission has proposed a regulation on harmonized rules for standard essential parents (SEPs). One of the main objectives of the legislative proposal is to support small and medium businesses. It enhances transparency for licensing and sets out a registration system for SEPs, complemented by an essentiality check procedure. The regulation also provides a procedure for amicable dispute settlement for SEP licensing and FRAND terms. The proposal needs to be discussed and approved by the European Parliament and the Council of the European Union. Interested stakeholders can provide feedback until June 26th.
The European Commission has adopted two initiatives for improving the digital skills of European citizens. It calls on Member States to ensure universal access to high-quality digital education and training, and to address the varying levels of digital skills within different segments of the population. The Commission will facilitate mutual learning and exchanges among Member States and stakeholders, and the recognition of certification of digital skills through a pilot project of the European Digital Skills Certificate. The pilot project will be run together with several Member States, and the final European Digital Skills Certificate will be rolled out in 2024 based on the pilot’s outcomes and a feasibility study.
The European Commission has published a second report on the implementation of the Regulation on open internet access. The report finds that the Regulation continues to fulfill its objectives. It also underlines that the development of technology and market changes require further guidance and greater legal clarity in certain areas. The report is relevant in the context of an ongoing exploratory consultation on the future of connectivity and infrastructure. A part of the consultation is subject to a heated debate on telecommunication provider’s proposal regarding contributions from large online providers to compensate internet service providers for the use of their network.
The Regulation on open internet access and the subsequent BEREC’s implementing guidelines ensure rules are applied uniformly across the EU. The EU does not allow blocking, throttling and discriminating internet traffic by Internet Service Providers (ISPs). There are, however, 3 exceptions: compliance with legal obligations, integrity of the network, and congestion management in exceptional and temporary situations. The Regulation also specifies the requirements regarding the provision of specialized services with specific quality requirements by internet access providers and providers of content and applications. These must respect certain safeguards to ensure that the open Internet is not negatively affected by the provision of the service.
A letter co-signed by 11 Members of the European Parliament (MEPs) has called for “action on very powerful AI.” The letter was presented in response to the open letter of the Institute for Future of Life proposing a 6 months moratorium on the development of AI systems such as GPT 4, stating that there is a clear need for “a complementary set of preliminary rules for the development and deployment of powerful General Purpose AI systems.” The MEPs (which include the two main co-rapporteurs for the AI Act), said that, in the context of the negotiations of the draft regulation, they are proposing rules “specifically tailored for foundational models.” They also called on European Commission President Ursula von der Leyen and U.S. President Joe Biden “to convene a global Summit on Artificial Intelligence and on the democracies of the world to start working on governance models for very powerful AI.”
The European Commission is preparing an initiative on virtual worlds. Besides a typical stakeholder consultation, a European Citizens’ Panel on Virtual Worlds was organized. The Panel issued 23 recommendations “on their expectations for the principles and actions to ensure that virtual worlds in the EU are fair and relevant to citizens,” structured around eight values and principles: freedom of choice, sustainability, human-centeredness, health, education, safety and security, transparency and inclusion.