The Developers Alliance March 2021 European Policy Update
The EU-US Relationship Is Officially Revamped
First and foremost, the US and Europe are finally returning to productive discussions. US President Joe Biden joined the EU leaders video conference on March 25th to discuss transatlantic relations, the continued fight against COVID-19, and other important points.
The EU high-level meeting also included discussions on the single market and the digital agenda, with a focus on digital sovereignty.
The EU’s Digital Ambitions
The European Commission proposed a Digital Compass, a set of ambitious digital targets to be attained by 2030. These include:
- Digital Skills. At least 80% of all adults should have basic digital skills, and there should be 20 million employed ICT specialists in the EU. Women in particular are being encouraged to take up such jobs in order to close gender disparity in tech.
- Digital Infrastructures. All EU households should have gigabit connectivity and all populated areas should be covered by 5G. The production of cutting-edge and sustainable semiconductors in Europe should be 20% of world production. Additionally, 10,000 climate-neutral highly secure edge nodes should be deployed in the EU and Europe should have its first quantum computer.
- Digital Transformation Of Businesses. The compass recommends that three-fourths of companies should use cloud computing services, big data, and Artificial Intelligence. It also states that more than 90% of SMEs should reach at least a basic level of digital intensity, and the number of EU unicorns should double.
- Digitalisation Of Public Services. All key public services should be available online, all citizens should have access to their e-medical records, and 80% of citizens should use an eID solution.
Along with the EU’s plans to increase semiconductor production, amid the global shortage and the tensions between China and the U.S., Apple announced a significant investment for a “European Silicon Design Center” in Munich, Germany.
Member State Support For Tech Legislation?
According to official letters signed by their leaders (see here and here), some EU Member States are strong supporters of the Commission’s current legislative agenda. These include AI, data, an EU-wide ecosystem for digital identities, and investment initiatives in quantum computing and EU-based distributed data cloud solutions. Member States also noted a desire to see a “…new global initiative on platform regulation, building on the current discussion on the Digital Services Act and the Digital Markets Act in the EU.” Other Member States, while supporting these proposals, find an open approach more favourable to “preserving open markets and strengthening global cooperation and the external trade dimension.” They also stressed the need for eliminating barriers to entry across the Digital Single Market while ensuring free data flows.
Concrete Promises To Boost European Start-ups
Ambitious ministerial declarations were presented during the annual Digital Day event. The event was organized by the European Commission in cooperation with the rotating Presidency of the Council of the EU, held by Portugal in the first half of 2021. Member States pledged concrete measures to foster data, startup success, and the green and digital transformation of the EU.
The declaration on Startup Nations Standard of Excellence was signed by 24 EU Member States and Iceland. Here are some of the commitments that include best practices and measures which respond to the needs of European startups and scale-ups:
- An entrepreneur can establish a startup (legal entity) both online and offline in one day for a fee of no more than 100 EUR. In exceptional cases, to carry out appropriate checks, the establishment should be possible within one week.
- Visa applications, as a general rule, are to be processed within a month for founders from third countries supported by a trusted partner in the Member State. This also covers experienced staff from those third countries, submitted by startups (which may also be pre-approved as a ‘trusted party’). Finally, programmes and incentives are to be put in place to encourage the return of EU tech-talent who emigrated to third countries.
- Stock options are recognised and subject to capital gains tax at the moment of cash receipt and not before. Further, startups are to be allowed to issue stock options with non-voting rights, so as to avoid the excessive burden of consulting large numbers of minority shareholders.
- Avoiding unnecessary administrative burden/red tape for start-ups in the legal framework of policies. This includes the promotion of experimentation and innovation through regulatory sandboxes.
- Innovation procurement (including tech transfer policies) and access to financing.
The European Commission launched the European Innovation Council (EIC) with a budget of over €10 billion for 2021-2027. Its mission is to develop and expand breakthrough innovations. It combines research on emerging technologies with an accelerator programme and a dedicated equity fund, the European Innovation Council Fund, to scale up innovative start-ups, as well as small and medium-sized businesses (SMEs). Around €3 billion of the EIC’s budget will go towards the EIC Fund.
A report released by the Connected Commerce Council, funded by Google, shows how a “digital safety net” of affordable and accessible digital tools can serve as a support system for small businesses, especially in the context of the COVID-19 pandemic.
The European Commission launched Horizon IP Scan, a tailored and free-of-charge IP support service specifically designed to help European start-ups and other SMEs involved in EU-funded collaborative research projects.
Data Protection & Privacy
Important guidelines and position documents were adopted at the 46th plenary of the European Data Protection Board. They include the following:
- Draft Guidelines On Virtual Voice Assistants. The draft guidelines will be open for comment until April 23, after which the EDPB will put out the final version. A few takeaways: i) companies providing voice assistant services should apply both the GDPR and the ePrivacy Directive and should not store personal data until their users request their deletion, but rather store data only during the amount of time necessary for processing purposes; ii) voice assistants should provide information to users about their data practice, as requested by the GDPR, including on screenless devices; iii) voice assistants should not be bundled with other services such as email or video streaming.
- Statement On The ePrivacy Regulation. Comments on the recently adopted negotiation mandate for the Council were made, such as…
  - …warning about the setting of a legal base for data retention and processing by enforcement authorities and protecting national security.
  - …proposed exceptions by the Member States “to allow for very broad types of processing.”
  - …a “strong state-of-the-art encryption” as the general rule for audience measurement.
  - …that so-called “cookie walls” should not be allowed.
- Joint Position EDPB-EDPS On The Data Governance Act. The groups recommended an alignment with the GDPR on different provisions. These include the reuse of personal data held by public sector bodies, more clarity concerning the data sharing providers/intermediaries, and the concept of data altruism.
The Data Protection Authority of the German State of Bavaria (BayLDA) called for a German company to cease the use of the ‘Mailchimp’ tool, due to illegal transfers of personal data to the U.S. The Bavarian DPA stated that “in addition to the EU standard data protection clauses (which were used), “additional measures” within the meaning of the ECJ decision “Schrems II” (ECJ, judgment of 16.7.2020, C-311/18) were necessary in order to make the transfer compliant with data protection requirements, and in the present case there were at least indications that Mailchimp may in principle be subject to data access by US intelligence services (…).”
The European Parliament adopted a resolution on the GDPR, saying that so far it has been an overall success and should not be reviewed. The MEPs called, however, for better enforcement, and in particular on the Irish and Luxembourg authorities to speed up their ongoing investigations into major cases.
The French data authority CNIL has launched an investigation into Clubhouse, in order to check the social media tool’s compliance with the GDPR. The US company that developed the app is not established in the EU, therefore the one-stop-shop enforcement mechanism is not applicable. Due to this, CNIL, as well as the data protection authorities of any other Member State, could pursue an investigation. CNIL also received a complaint from the lobby organisation France Digitale, arguing that Apple may be collecting user data for ad tracking services without explicitly asking permission.
The European Newspaper Publishers’ Association (ENPA) and the European Magazine Media Association (EMMA) issued a public statement stating they are “seriously concerned that the Google Privacy Sandbox further reinforces Google’s gatekeeper role.” The two associations consider Google’s proposed model, following the phase-out of third-party cookies on its services, “will affect the advertising market and disrupt the business model of the digital press.”
According to the judgement of the Court of Justice of the EU in Case C-746/18 H.K. v Prokuratuur, “access, for purposes in the criminal field, to a set of traffic or location data in respect of electronic communications, allowing precise conclusions to be drawn concerning a person’s private life, is permitted only in order to combat serious crime or prevent serious threats to public security.”
A Swiss legislative proposal for a digital identity scheme was rejected by citizens due to privacy concerns. The digital identity verification system would have been licenced and controlled by the state but provided mainly by private companies.
Competition
The case Bundeskartellamt v. Facebook was referred to the European Court of Justice by the Düsseldorf Higher Regional Court, to see “whether Facebook is abusing its dominant position as a provider on the German market for social networks because it collects and uses the data of its users in violation of the GDPR.” The litigation began in 2019, when Germany’s Federal Cartel Office (Bundeskartellamt) ordered Facebook to limit the cross-service collecting and processing of data. The authority cited a lack of user consent and abuse of power. The “innovative” language used by the German competition authority in combining competition and privacy law is expected to have a large impact on the formation of future policies.
The case is especially relevant in the context of the European Commission’s recently proposed Digital Markets Act (DMA), where a similar restriction is the first on a “blacklist” of prohibited behaviours for so-called “gatekeepers.”
Bundeskartellamt declared no objections to the “Online Copyright Clearance System,” an initiative to act against systematic infringements of copyrights and ancillary intellectual property rights. The key element of the project is the use of so-called “DNS blocks” to make it more difficult to access websites that by their nature infringe copyrights. Participants in the initiative include holders of copyrights and ancillary intellectual property rights, their associations from the music, film, gaming, and scientific publications sectors, as well as all the large internet access providers in Germany.
The French Competition Authority decided not to impose interim measures against Apple’s App Tracking Transparency (ATT) feature in iOS 14, but to pursue its investigation, following several complaints from the ad tech industry. The Authority will assess if Apple is applying the restrictive rules to its own apps vs third party developers (‘self preferencing’).
The UK Competition Authority (CMA) launched an investigation into Apple over anti-competitive behaviour, following its own work in the digital sector as well as several complaints. “The CMA’s investigation will consider whether Apple has a dominant position in connection with the distribution of apps on Apple devices in the UK – and, if so, whether Apple imposes unfair or anti-competitive terms on developers using the App Store, ultimately resulting in users having less choice or paying higher prices for apps and add-ons.”
Epic Games announced that it filed a complaint in support of CMA’s investigation, continuing its series of similar complaints across different jurisdictions.
The two largest equity crowdfunding platforms in the UK, Crowdcube and Seedrs, have abandoned their proposed merger. The CMA provisionally blocked the deal, which would have resulted in the combined company having at least a 90% share of this important market.
The European Commission has published its findings on the evaluation of procedural and jurisdictional aspects of EU merger control. Based on the results of the evaluation, the Commission will adopt a communication providing guidance on the application of the referral mechanism between Member States and the Commission. Additionally, it will launch an impact assessment to explore policy options for further targeting and simplification of merger procedures. The Commission intends, in specific circumstances, to encourage and accept referrals in cases where the referring Member State does not have initial jurisdiction over the case. Finally, it will also accept cases where a company’s turnover is under the threshold, noting for example, “a start-up or recent entrant with significant competitive potential or an important innovator,” or “a company with access to competitively significant assets or with products or services that are key inputs or components for other industries.”
Both the UK CMA and Austria’s Federal Competition Authority are investigating Facebook’s acquisition of Giphy. The CMA has already stated its objections and recommended the purchase receive an in-depth investigation, considering that it “raises competition concerns in relation to digital advertising and the supply of GIFs.” In Austria, a transaction value threshold was added in 2018 to the existing thresholds for merger control. The authority observed that Facebook did not notify it had surpassed this threshold when it formally took over Giphy in May 2020.
Cybersecurity
The European Banking Authority (EBA) announced that its Microsoft Exchange Servers have been the subject of a cyber-attack. In a later update the EBA stated that the scope of the event was limited and that the confidentiality of its systems and data has not been compromised.
A joint operation of judicial and law enforcement authorities in Belgium, France and the Netherlands was able to intervene and block the further use of encrypted communications by large-scale organised crime groups. The authorities have been able to break the encryption and monitor the information flow of approximately 70,000 users of the Sky ECC platform.
The UK Government has established the Counter-Terrorism Operations Centre and Situation Centre to bring together CT police, intelligence agencies, and the criminal justice system. It also published the Integrated Review of security, defence, development and foreign policy, its biggest programme of investment in defence since the end of the Cold War. The programme targets critical technologies like microchips and quantum computing, cybersecurity capabilities to counter threats like cyberattacks, as well as the strategic dependencies and challenges of the tech sector and an open democratic internet.
The European Union Agency for Cybersecurity (ENISA) issued technical guidance and recommendations on Electronic Identification and Trust Services to help trust service providers comply with the eIDAS Regulation. The new guidelines are presented in four different reports. A fifth report analyses the methods used for remote identification and explores security considerations.
Miscellaneous
The Council of the EU has adopted the Regulation on addressing the dissemination of terrorist content online. The legal act now needs to be adopted by the European Parliament at second reading before being published in the EU Official Journal. The regulation will enter into force on the twentieth day after its publication and will start to apply one year later. Competent authorities will have the power to issue removal orders to service providers to remove terrorist content, or to disable access to it in all Member States. Service providers will then be required to remove or disable access to the content within one hour. Hosting service providers exposed to terrorist content are under the obligation to take specific measures to address the misuse of their services and to protect their services against the dissemination of terrorist content.
The Court of Justice of the EU issued a judgement on copyright infringement and framing (the process of embedding a video or image from another website). It stated that the technique of framing constitutes an act of communication to a public, and a copyright holder may not limit his or her consent to framing by means other than effective technological measures. “Where the copyright holder has adopted or imposed measures to restrict framing, the embedding of a work in a website page of a third party, by means of that technique, constitutes making available that work to a new public, and that communication to the public must, consequently, be authorised by the copyright holder.”
The European Parliament drew attention to the remaining restrictions across the Single Market, after more than two years of application of the Geo-blocking Regulation. Cross-border sales of goods and services still encounter barriers related to payment location and delivery requirements. Access to audiovisual services and digital content remains an area where geo-blocking continues, copyright being one of the primary concerns cited.
A letter signed by 116 MEPs was sent to the European Commission’s President Ursula von der Leyen and several Commissioners, calling out risks to fundamental rights as part of the upcoming legislation on Artificial Intelligence. The Commission’s reply indicates that the mandatory rules will be “applicable to all AI systems that pose a high risk to the rights or safety of people” and “in the case of applications that would be simply incompatible with fundamental rights, we may need to go further,” as EurActiv reports.
The Tech Nation Report 2021 shows that tech venture capital investment in the UK hit a record high of $15 billion, which positions Britain third in the world behind the US and China. The key stats indicate that 2020 was a record year for investment in deep tech, jumping by 17 per cent to just under $4 billion, the highest rate of growth globally. The UK is continuing to become more and more attractive to international investors, with 63% of 2020’s investments into UK tech coming from overseas. London is fourth for tech VC investment globally behind San Francisco, Beijing and New York at $10.6bn. The UK tech startup and scaleup ecosystem is valued at $585bn – 120% more than it was in 2017 and more than double the next most valuable ecosystem, Germany, at $291bn.
On March 9th, French cloud company OVH Cloud experienced a major disruptive incident. A fire broke out in one of its server facilities in Strasbourg, which affected its client websites and IT infrastructure. Affected operations included several government services, such as the open data platform, several websites of local authorities, and private organizations across the country. The company had recently started the IPO process in Paris, which could represent one of the biggest tech transactions of the year in France.