The January 2021 Developers Alliance European Policy Update
The EU Is Looking Forward To The US Following Its Digital Regulation
The EU has welcomed the new US President with MEPs stating they are looking forward to resetting the transatlantic relationship and cooperating with the US to regulate tech giants.
Ursula von der Leyen, the President of the European Commission, invited the US to follow the EU approach on digital regulations, to create a “digital economy rulebook that is valid worldwide: from data protection and privacy to the security of the technical infrastructure.” She previously proposed an EU-U.S. joint trade and technology council.
The Alliance welcomes the trans-Atlantic initiative as a means to achieve regulatory harmony without imposing EU regulations on the rest of the world unilaterally.
The European Commission Sticks To The Digital Tax
The European Commission has opened a consultation for an EU digital tax. It is addressed at stakeholders operating in the digital economy and will feed into the digital levy proposal scheduled for mid-2021. The multilateral negotiations tasked to the Organisation for Economic Co-operation and Development (OECD) are expected to lead to a deal securing a global digital tax by June. With this, the Commission is preparing the EU levy for the eventuality of OECD negotiations failing. The Commission envisions a list of 20-plus digital services, including cloud computing, streaming, and online gaming companies. It also seeks feedback regarding to what extent small-to-medium-sized companies should be taxed. The consultation is open until April 12.
Data Protection & Privacy
The Italian data protection authority, the GPDB, has ordered TikTok to lock the accounts of users without verified ages. The order was issued after a 10-year-old girl died by asphyxiation while taking part in a social media challenge. The authority extended its investigation to Facebook and Instagram, after discovering the girl had accounts on those platforms as well, despite the age limit. Other social networks, and their possible methods of access by minors, are also said to be on the authority’s radar.
The French data protection authority meanwhile, CNIL, has sanctioned the Ministry of Interior for having unlawfully used drones equipped with cameras to monitor compliance with lockdown measures. It urged the ministry to cease all drone flights until a regulatory framework authorizes it.
The Council of Europe is calling for strict rules to “prevent significant risks to privacy and data protection posed by the increasing use of facial recognition technologies.” It also proposes banning certain facial recognition use applications to avoid discrimination, such as “for the sole purpose of determining a person’s skin colour, religious or other belief, sex, racial or ethnic origin, age, health or social status.”
Privacy activist Max Schrems’ NGO noyb filed a complaint against the European Parliament on behalf of six MEPs regarding data transfers to the US and insufficient cookie information. The complaint was filed with EDPS, the special data protection authority (DPA) responsible only for EU institutions and agencies. It claims the COVID testing website forwarded data to third parties. Cookies from Google Analytics and Stripe were mentioned directly. The complaint also took issue with the use of a “deceptive cookie banner” and other unclear presentations of site information.
Afterwards, noyb filed an appeal against two decisions of the Luxemburg Data Protection Authority (CNPD) before the administrative tribunal of Luxemburg. The appeal followed previously dismissed complaints lodged against US-based data controllers, Apollo and RocketReach. The object of the appeal is the alleged illegal inactivity of CNPD in enforcing GDPR: “The CNPD explicitly confirmed that the GDPR was applicable to these companies, but decided not to act, claiming it could not enforce any decision.”
Dating app Grindr Has Been Fined By The Norwegian Data Protection Authority 100 million NOK (€ 9 600 000), which amounts to 10 percent of the company’s global annual revenue. The decision, following a legal complaint filed by the Norwegian Consumer Council, rules that Grindr users were not given sufficient information about how personal data was collected and later shared with third parties. Specifically, that consumers had to accept data sharing with third parties in order to use the app.
The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted joint opinions on the two sets of contractual clauses (SCCs) proposed by the European Commission. One refers to the contracts between controllers and processors and the other to the transfer of personal data to additional countries. EDPB and EDPS welcomed the specific provisions intended to accommodate the Schrems II judgment, and called for improvement or clarification of several issues. These included the scope of the SCCs, certain third-party beneficiary rights; certain obligations regarding onward transfers, aspects
of the assessment of third-country laws regarding access to public data by public authorities, and the notification to the supervisory authorities. The EDPB also published Guidelines 01/2021 on Examples regarding Data Breach Notification and invited stakeholders to send comments no later than March 2nd.
The European Commission has fined Valve, owner of the online PC gaming platform “Steam,” and five other video games publishers (Bandai Namco, Capcom, Focus Home, Koch Media, and ZeniMax) a total amount of € 7.8 million for breaching EU antitrust rules. The Commission concluded that Valve and the publishers entered into a so-called “geo-blocking” practice, where they restricted cross-border sales of certain PC video games based on a user’s location.
Germany has amended Section 19a of the German Competition Act, GWB, its national competition law framework. The most important change is the increase in power to Germany’s national competition authority, Bundeskartellamt. The amendment allows the authority to intervene in cases at a much earlier stage, but only when it considers competition threatened by certain large digital companies with a “strategic position of paramount significance for competition across markets.’‘
The Bundeskartellamt can prohibit certain types of conduct by companies, like the self-preferencing of own services or denying third companies access to specific data. Other amendments included a shorter legal procedure for appeals, new internet-specific criteria for assessing abusive conduct and market power – access to data and “power of intermediation”, as well as changes for merger control.
The Bundeskartellamt already put the new rules in practice, extending the scope of the investigation initiated in December last year against Facebook, on the linkage between Oculus and the Facebook network.
The CMA, the UK’s home competition authority, has opened an investigation into Google’s Privacy Sandbox project, aimed to remove third party cookies and other functionalities from its Chrome browser. The CMA will assess “whether the proposals could cause advertising spend to become even more concentrated on Google’s ecosystem at the expense of its competitors.”
The CMA has also announced an inquiry into the Facebook/Giphy merger, by notice to the companies, citing a “‘realistic prospect’ of substantially lessening competition.” Facebook announced its intent to acquire the gif sharing platform in June of 2020 for $400m. Giphy will be integrated into Facebook’s Instagram team, should the merger be approved.
A German app developer has filed a complaint to competition authorities in multiple jurisdictions against Google and Apple, on the restrictions for app developers to publish COVID-related apps. Florian Mueller, also a lobbyist and a blogger, created the “Corona Control Game” which was rejected by both app stores in November last year. He stated that the game was “aimed at encouraging compliance with government COVID-19 rules.”
FairSearch has sent a letter to the European Commission asking for a “strong enforcement of the Android Decision remedy.” The letter was addressed to Executive Vice President and Competition Commissioner, Margaret Vestager, and Director General Olivier Guersent. In the letter FairSearch urges “action be taken now because there is no time to wait for months or years for a proposed law on dominant platforms to fix the problem,” a reference to the legislative proposal Digital Market Act.
The European Parliament has adopted a report calling for guidelines on the military and non-military uses of artificial intelligence centered in an EU legal framework. It was stated the law would be “based on ethical principles, including for military use.” Its main standpoints:
AI can replace neither human decision-making nor human contact.
The EU should prohibit lethal autonomous weapon systems.
Public authorities should ban “highly intrusive social scoring applications (for monitoring and rating citizens).”
Deepfake technologies should be addressed, considering their potential to “destabilise countries, spread disinformation and influence elections.”
On January 7, The European Commission registered the European Citizens’ Initiative (ECI) latest endeavor, “Civil society initiative for a ban on biometric mass surveillance practices.” The initiative calls for a legal act “to permanently end indiscriminate and arbitrarily-targeted uses of biometric data, in ways which can lead to mass surveillance or any undue interference with fundamental rights.” The organisers must collect one million statements of support, from at least seven different EU member states, within the next year to elicit a response from the commission. The Commission will then have an additional six months either to decide whether they will follow the request or not. Regardless of the commission’s choice, if the response threshold is met, it will need to explain its reasoning.
The UK AI Council has published it’s AI Roadmap, an independent report, to provide recommendations for the UK’s strategic direction on AI. The report contains two main recommendations. The f
irst is to “double down” on the UK’s recent investments in AI. The second is to be “future-proof,” specifically that the country’s strategy must be able to adapt to disruption.
The UK CMA has also published new research on algorithms, showing how they can reduce competition in digital markets and harm consumers when misused. The CMA then opened a consultation looking for evidence of the harms outlined in its paper. The CMA will also be identifying potential problem-firms during the consultation for examination and consideration of future action. The consultation closes March 16.
The Federation of German Consumer Organizations (vzbv) is worried about the effects of trade rules on future EU algorithm regulation. The vzbv commissioned a report to investigate the impact of the rules currently being discussed in the World Trade Organization (WTO) regarding the non-disclosure of software source code. The trade agreement clauses were designed to prevent forced technology transfers and put forward in relation to cross-border trade with China. The report found that the clauses could jeopardize a number of EU legislative proposals, however, such as AI regulation or the Digital Services Act, for example. Despite this, the consumer organization is of the opinion that the “disclosure of source code and algorithms may be necessary under certain circumstances in order to ensure consumer-friendly rules of transparency and verifiability of algorithms.”
The European Commission invested €30m in six projects for the EU’s AI-on-demand platform. This follows an initial investment of €20m for the creation of AI4EU. The platform allows the legal exchange of AI tools and resources across Europe.
Google has opened a content responsibility center for Europe. This is the second Google Safety Engineering Center (GSEC) and is located in the company’s European headquarters in Dublin, Ireland. The first GSEC in Munich, is focused on users’ privacy and security. The center will serve not only as a regional hub for Google experts working to tackle the spread of illegal and harmful content, but also as a contact point with policymakers, researchers, and regulators. It “will enable regulators and policymakers (under existing or upcoming legal frameworks like the Digital Services Act) to conduct inquiries, evaluate processes and engage in official fact-finding.”
The European Commission has published a set of reports detailing the actions of Code of Practice on Disinformation signatories to fight coronavirus disinformation. The signatories include Facebook, Google, Microsoft, Twitter, and TikTok, who all submitted their December 2020 action reports to the COVID-19 monitoring and reporting programme. Under the programme the platforms have enhanced the visibility of authoritative content with millions of users directed to dedicated informative resources. The new reporting phase now also includes a special focus on fighting COVID-19 vaccine disinformation.
The European Commission has announced its first round of direct equity investments. The round totals €178 million, sent to 42 European startups, selected by the European Innovation Council (EIC) Accelerator.
The EIC Fund was set up in June of 2020 and is backed by the European Investment Bank. Its mission is to support EU startups developing breakthrough technologies and “fill this financing gap at the start-up stage where the EU venture capital market still underperforms compared to the global venture capital market.” The initiative was received with skepticism by VC experts and even called out by some founders due to unclear funding terms.
The European Parliament has proposed an EU law that grants workers the right to digitally disconnect from work outside their working hours without facing negative repercussions. The EP considers the right to disconnect a fundamental right that allows workers to refrain from engaging in work-related tasks – such as phone calls, emails, and other digital communication – outside working hours. This right also extends to holidays and other forms of leave. The proposal refers to minimum requirements for remote working and to clarify working conditions, hours, and rest periods.
A group of 12 EU Member States, referring to themselves as the “D9+ countries,” have issued a joint declaration entitled “Leading the Way to Europe’s Digital Decade.” The group, self-identified as digital frontrunners, includes Finland, Sweden, Denmark, Estonia, the Netherlands, Belgium, the Czech Republic, Ireland, Poland, Spain, Portugal, and Luxembourg. The declaration includes a roadmap to 2030 outlining goals “for the European digital transition and technological leadership.”
The Stakeholder Cybersecurity Certification Group presented its views on the Union rolling work programme. The report concludes that “more requirements, more standards, and more schemes do not necessarily add to effective cyber-secure ICT products, ICT services or ICT processes.” It then calls for a holistic approach, indicating the areas that are likely to have many interconnections, such as IoT, IACS, Lightweight evaluation, EUCC, Cloud, SDL, and 5G.
Sustainable technology has been front and center in the EU technology debate. The European Consumer Organization BEUC has submitted an EU-wide complaint against Nintendo for premature obsolescence. The complaint follows nearly 25,000 reports, from consumers across nine member states, indicating systemic issues with Nintendo Switch controllers. The issue commonly manifests as false or inaccurate joy-stick input, commonly referred to as “Joy-Con Drift.” In 88% of cases, the game controllers broke within the first two years of use. Additionally, consumer watchdog organisation, Euroconsumer, filed three class-action suits against Apple, over the planned obsolescence of iPhones. Finally, the European Parliament has indicated that it plans to address the planned obsolescence of goods and software and to hold companies accountable for harm to human rights, the environment, and good governance.