The EU & UK November Policy Update
EU Digital Regulations On Fast Forward
The EU ministers have adopted the Council’s position on the Digital Markets Act (DMA) and Digital Services Act (DSA). Most ministers supported the European Commission as sole enforcer of the DMA regulation, which aims to impose very strict rules on large tech companies which are to be designated as “gatekeepers”. Several member states (Austria, Belgium, Germany, Netherlands, Denmark, Italy, Portugal, and Spain) called for additional rules to be considered in the upcoming negotiations with the European Parliament. Some member states still insist on more involvement of national competition authorities. Support was specifically expressed, however, for:
the extension of fair access obligations to social media and search engines,
stricter measures against ‘killer acquisitions’,
measures on default settings and in-app payment systems,
and a change of the ‘active end-user’ definition for online marketplaces.
The DSA, which will be EU’s content framework regulation, was drafted under the principle ‘what is illegal offline, should also be illegal online’, but actually creates stricter rules online than offline. The Council has added a series of obligations for online marketplaces and search engines to the European Commission’s initial proposal:
stricter rules for very large online platforms (VLOPs),
stronger protection of minors, requirements to notify law enforcement (extended to all hosting services, not only to online platforms),
preservation of illegal content for legal proceedings (the feedback obligation),
as well as due diligence obligations for online marketplaces.
The proposed text also allows national authorities to issue orders regarding illegal content online directly to service providers.
The Parliament’s leading committee for the DMA – IMCO – has adopted a compromise text. The compromise includes significant amendments to the initial proposal:
extended scope to include web browsers, virtual assistants and connected TV,
an extension of self-preferencing provisions,
interoperability for social media and messaging services,
a ban on targeted advertising for minors,
additional requirements on the use of data for personalized or micro-personalized advertising,
restrictions on acquisitions,
and stricter enforcement and higher levels for fines.
Additionally, the Parliament is supporting centralised enforcement by the EU Commission, in cooperation with national authorities.
The European Parliament is due to formally adopt its position on the DMA during the December plenary in Strasbourg and that of the DSA in January. Afterwards, the interinstitutional negotiations involving the Council, the Parliament and the Commission will lead to final compromise texts to be adopted.
Several business associations and representatives of SMEs (including Developers Alliance) have formed a coalition to warn against disproportionate amendments regarding personalized
advertising. The coalition will inform EU policymakers on the negative economic impact of a blanket ban, the unintended consequences of heavy restrictions on advertising, and how to respond to multiple misconceptions used in the debate. For example, these issues underline that while contextual ads are an important tool, they cannot be a replacement for effective personalisation.
The European Parliament and the EU Member States have reached a political agreement on the Data Governance Act (DGA). The regulation will be setting a framework for the reuse of certain categories of public-sector data that are subject to trade secrets, personal data and data protected by intellectual property rights. It also supports a business model for data intermediation services considered as safe and trustworthy and promotes ‘data altruism’, to make it easier for individuals and companies to share data voluntarily for the common good. The regulation provides the foundation for “common European data spaces” in areas such as health, environment, energy, agriculture, mobility, finance, manufacturing, public administration and skills. The Commission welcomed the agreement and reminded that it will soon complement this regulation with another legislative initiative the “Data Act”, aimed “to foster data sharing among businesses, and between businesses and governments.”
Competition & Consumer Protection
The UK CMA ordered Meta/Facebook to reconstitute and sell Giphy, concluding after an investigation that the already completed merger could harm social media users and UK advertisers. The CMA considered the transaction to allow Facebook to “…increase its already significant market power in relation to other social media platforms. It does this by denying or limiting other platforms’ access to Giphy GIFs, driving more traffic to Facebook, WhatsApp and Instagram, or requiring other platforms (e.g. TikTok, Twitter and Snapchat) to provide more user data in order to access Giphy GIFs. Regarding th
e impact on the display advertising market, the investigation found that “Facebook terminated Giphy’s advertising services at the time of the merger, removing an important source of potential competition.” The CMA concluded that “the competition concerns can only be addressed by Facebook selling Giphy in its entirety to an approved buyer.”
The Italian Competition Authority fined Google and Apple €10 million each for “aggressive practices” in collecting and using consumers’ data, in breach of the Consumer Code. The Authority noted the companies provide inadequate information on how they collect and use data. Meanwhile, users are given little or no choice when it comes to the terms and conditions for the use of their data.
The same Italian authority has also sanctioned Amazon and Apple for an agreement dated back to 2018 which concerns the restrictions to access of the Amazon.it marketplace by legitimate resellers of “genuine” Apple and Beats branded products. The investigation found that under the agreement certain consumers were discriminated against on a geographic basis, which is in violation of the Treaty on the Functioning of the EU. The Authority imposed a fine of €68.7 million on Amazon and a fine of €134.5 million on Apple. It also ordered the companies to end the restrictions, allowing resellers of “genuine” Apple and Beats products to access to Amazon.co.uk in a non-discriminatory manner.
The General Court largely dismissed Google’s action in the ‘Google Shopping’ case, against the decision of the European Commission. They found that Google abused its dominant position by favouring its own comparison shopping service over competing comparison shopping services. The court also upheld the fine of €2.42 billion.
During its ongoing investigation of Google’s Privacy Sandbox, the CMA has secured improved commitments from Google on its proposals to remove third party cookies and other functionalities from its Chrome browser. The investigation was initiated at the beginning of this year. The new commitments address a series of concerns regarding the implementation of the measures. These include strengthened monitoring and reporting, which will require the appointment of a CMA-approved monitoring trustee. Additionally, testing, consultation, and further clarification on use of data will also be required. There will be a short consultation period, closing December 17, 2021. Afterwards, if the commitments are accepted, the investigation will be closed. Google stated that if the CMA approves these commitments it will apply them globally.
A coalition of European software and cloud businesses, led by the German software company Nextcloud, have submitted a formal complaint to the European Commission about anti-competitive behavior from Microsoft’s surrounding its OneDrive (cloud) product. In their complaint they point out that Microsoft bundles its OneDrive, Teams, and other services with Windows, aggressively pushing consumers to sign up and hand over their data to Microsoft.
The German competition authority (Bundeskartellamt) has published the interim report of its sector inquiry into messenger and video services, entitled “Sector overview and general attitude toward interoperability.” The report contains the results of a survey of more than 40 different service providers. Andreas Mundt, the President of the authority, acknowledges the diversity of the sector and stated that “on the one hand, interoperability could provide a solution for challenging the automatism of large services attracting more and more users,” but it’s not clear if better accessibility between the services can also increase the incentives for the providers to offer a higher level of data protection. He also noted technical obstacles and the need for standardisation but that it could act as a brake on innovation and competition. Bundeskartellamt also collaborated with the Federal Office for Information Security (BSI), which published a related report on the operating principles, safety requirements and security features of the messenger services.
French authorities have ordered the removal of retail platform Wish from search engines and app stores for distributing a large number of non-conforming products. It’s an unprecedented, exceptional measure, made possible by the EU latest consumer protection rules. In case of serious breaches, the new rules allow national authorities to ask internet service providers and online platforms to block access to a site, application, or even a domain name.
Data Protection & Privacy
The U.K. Supreme Court had rejected a class action lawsuit seeking compensation for alleged privacy violations by Google. The case sets a precedent for future similar mass legal claims of privacy violations. Richard Lloyd initiated the legal action against Google over alleged secret tracking of iPhone Safari browser users, claiming to represent millions of iPhone users without actually having them opt in. The Supreme Court rejected Lloyd’s arguments, as he “had to show that each of those individuals had both suffered a breach of their rights and suffered damage as a result of that breach.”
The European Data Protection Board (EDPB) has issued a Statement on the Digital Services Package and Data Strategy. Concerning the AI regulation, it recommends the prohibition of face recognition in public areas and of AI systems categorizing individuals from biometrics (such as facial recognition), on grounds of ethnicity, gender, political affiliation, sexual orientation, other prohibited grounds of discrimination, as well as heavy restrictions on the use of “AI to infer emotions of a natural person.”
With regard to the DSA and DMA, the EDPB is in favour of a ban of “targeted advertising on the basis of pervasive tracking” and profiling of children. Also, it insists that interoperability requirements in regulations should be introduced.
The EDPB has also publishe
d draft guidelines on when a transfer of personal data to a third country or international organisation takes place for the purposes of Chapter V of GDPR. The guidelines cover different specific scenarios and indicate what qualifies as a ‘transfer’.
One situation, for example, would be where a processor in the EU sends data back to a controller or sub-processor outside of the EU, who is not subject to GDPR. Moreover, even if a ‘transfer’ is not taking place, the guidelines suggest that a controller or processor may conclude that extensive security measures are needed to conduct a specific processing operation in a third country. Further, when personal data is sent to a third country importer subject to the GDPR, it is still considered a ‘transfer’ by the EPDB. As such, additional safeguards are required, in accordance with the Schrems II decision of the CJEU. The consultation on the new guidelines is open until January 31 2022.
The U.K. Information Commissioner’s Office (ICO) issued an opinion on data protection and privacy expectations for online advertising proposals. The Commissioner welcomed “proposals to remove the use of technologies that lead to intrusive and unaccountable processing of personal data and device information, which increases the risks of harm to individuals.” Until those proposals are put in practice, however, the digital advertising sector must acknowledge the need for change and apply a “data protection by design” approach.
The data protection authorities in France, Lithuania and Poland decided to cooperate to monitor the GDPR compliance of the platform Vinted. Vinted is an online marketplace based in Lithuania for buying, selling and exchanging new or secondhand items, mainly clothing and accessories. The investigation focuses on the service’s requiring the user to upload a copy of their ID in order to allow them to access the transactions within the accounts. It also assesses the conditions for blocking accounts and the duration of data storing. In May, French consumer group UFC-Que Choisir launched a collective action against the online marketplace for a misleading commercial practice concerning a supposedly optional commission which in fact is imposed on consumers.
The Belgian Data Protection Authority is set to rule that IAB Europe is a data controller under the GDPR for developing a best practice standard to help publishers and other websites comply with certain provisions of the GDPR – the Transparency & Consent Framework (TCF). IAB Europe states that the draft ruling will consider “TC Strings” to be personal data. These ‘strings’ are the digital signals created on websites to capture data subjects’ choices about the processing of their personal data for digital advertising, content, and measurement. Additionally, the Belgian DPA sent its draft decision to the EU network of privacy regulators, which will have to give their stance on the decision in four weeks. The decision could impact other standardization bodies and trade associations that are offering legal guidance to their members or other entities that are developing relevant specifications.
The Irish Council for Civil Liberties (ICCL) has launched a formal complaint against the European Commission before the European Ombudsman. The Commission is accused of failing to properly monitor the implementation of the GDPR and neglecting to act against Ireland’s failure to properly apply the GDPR. ICCL is concerned that 98% of Ireland’s major cases remain unresolved and therefore EU enforcement against Big Tech “is paralysed by Ireland’s failure to deliver draft decisions on cross-border cases.” According to the GDPR’s one-stop-shop enforcement, Ireland is the responsible data protection regulator for the big tech companies that have established their European headquarters in this country. Examples include Meta, Google, and Apple.
The Austrian organisation noyb, lead by the privacy activist Max Schrems, has complained about the request of the Irish DPA to sign an NDA (non-disclosure agreement) in order to hear them in a procedure regarding Facebook on EU-US data transfers. Besides a new legal action, it started an “Advent Reading” on its website, disclosing documents from the procedure.
Google has reopened its news service in Spain. The service was shut down in 2014, after the introduction of neighboring rights for press publishers, imposing compensation when their content is displayed by online platforms. Spain recently implemented the EU copyright directive, adopted in 2019, which sets waivable neighboring rights (which allows the publishers to choose to provide content for free). Google also concluded a series of deals with German publishers and a five-year licensing agreement with the French press agency AFP.
The European Commission has presented a proposal on transparency and targeting of political advertising. Under the proposed rules, any political advert will have to be clearly labelled as such and include information such as who paid for it and how much. The proposal contains strict conditions for targeting and amplification. Political targeting and amplification techniques would need to be explained publicly in unprecedented detail and would be banned when using sensitive personal data without explicit consent of the individual. The Commission also pro
poses to update the current EU rules concerning EU “mobile citizens” and their right to vote in European and municipal elections, as well as on European political parties and foundations.
The Digital Economy and Society Index (DESI), an annual report published by the European Commission that monitors the progress of EU Member States’ on digital, reflects large development gaps. The Nordic countries (Denmark, Finland and Sweden, Netherlands) rank among the most digitally developed countries, while Poland, Greece, Bulgaria, and Romania are the least. This year, the Commission has proposed digital targets for the EU to be met by 2030. These include workforce skill development, infrastructure, and digital transformation. The statistics indicate a high risk of missing these digital targets. For example, there are 8.4 million tech workers in 2020, a small figure compared to the EU’s digital target of 20 million tech workers in 2030.
The European Innovation Council, launched in March 2021, has held its first summit. The EIC aims to support “game changing innovations throughout the lifecycle from early stage research, to proof of concept, technology transfer, and the financing and scale up of start-ups and SMEs.” The EIC has launched a forum to bring together policymakers, researchers, and entrepreneurs involved in innovation, as EurActiv reports. The EIC’s recent funding round secured €363 million of funding for 65 start-ups and SMEs. Only three of them are from Eastern Europe (Slovakia, Estonia and Lithuania).
The European Commission has given the green light to three funding streams of the Digital Europe Programme, covering a budget of €1.98 billion. Until the end of 2022, the main work programme, worth €1.38 billion by itself, will focus investment in the areas of:
artificial intelligence (AI),
cloud and data spaces,
quantum communication infrastructure,
advanced digital skills,
and the wide use of digital technologies across the economy and society.
The second work programme focuses on the area of cybersecurity, with a budget of €269 million, running through the end of 2022. Finally, a third work programme concerning the set-up and operation of the network of European Digital Innovation Hubs, with a budget of €329 million, will run until the end of 2023. The Digital Europe Programme’s how to get funding guide and more info is available here.
The European Commission intends to facilitate access to capital for SMEs and make public capital markets more attractive for EU companies. This will be achieved by simplifying the listing requirements, including post-listing. Those interested can give feedback until February 11, 2022.
A report commissioned by the European Commission – “The impact of open source software and hardware on technological independence, competitiveness and innovation in the EU economy,” has made the case for the public sector procuring OSS instead of proprietary software. This “could reduce the total cost of ownership, avoid vendor lock-in and thus increase its digital autonomy.” The study gives a number of specific public policy recommendations meant to improve Europe’s institutional capacity related to OSS which is disproportionately smaller than the scale of the value created by OSS.
As part of the UK National AI Strategy, the Central Digital & Data Office published an Algorithmic Transparency Standard, aimed at “helping public sector organisations provide clear information about the algorithmic tools they use, and why they’re using them.” It consists of an “algorithmic transparency data standard” and “an algorithmic transparency template and guidance.” The latter is a tool for public sector organisations to support their algorithm-assisted decisions.