The October 2022 EU & UK Policy Update
The DSA and the DMA have been entered into the EU’s rulebook
The two landmark regulations, the Digital Markets Act (DMA) and the Digital Services Act (DSA), were published in the Official Journal of the EU – the final step before they take effect.
The DMA will start to apply as of 2 May 2023. After that, within two months, potential gatekeepers will have to notify their core platform services to the Commission if they meet the thresholds. The Commission will designate the gatekeepers by September 2023. Gatekeepers will have six months to comply with the requirements in the DMA, at the latest by 6 March 2024. In order to ensure the smooth implementation of the regulation, the Commission announced that it will consult various stakeholders. A series of technical workshops will start on 5 December 2022 with a discussion on restrictions of “self-preferencing”.
The German Competition Authority (Bundeskartellamt) has started its own consultation, with the aim to “support the EU Commission in this process”. Companies and civil society are invited to report the behavior of large digital players to the German Federal Ministry of Economics and Climate Protection.
The DSA will come into effect from 17 February 2024, but certain provisions related to preparation for implementation and enforcement will be applicable from 22 November 2022. Also, the stricter regime for designated “very large online platforms” (VLOPS), with over 45 million users in the EU, will apply earlier, in the summer of next year. The rest of the digital players in the regulation’s scope will have to ensure compliance with the updated content regulation framework from February 2024 onwards.
The EU Commissioner for the Single Market, Thierry Breton, sent a warning to Twitter: “In Europe, the bird will fly by our EU rules”, with an assuring reply from Elon Musk, according to Reuters.
Contact us at policy@developersalliance.org if you are interested in how these two significant regulations will affect your work and to help us inform the EU regulators about their effects.
Good news for transatlantic data flows
On 7 October, President Biden signed an Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’. The Executive Order is complemented by a set of Regulations issued by the Attorney General. It introduces new binding safeguards to address all the points raised by the Court of Justice of the EU in the Schrems II case, setting strict limits for access to EU data by US intelligence services and establishing a Data Protection Review Court. The European Commission is now preparing a draft adequacy decision, and soon will launch its adoption procedure. The new EU-US Data Privacy Framework will provide a solid legal background for transatlantic data flows.
Competition in Digital Markets
The UK’s competition authority has ordered Meta to sell Giphy. The CMA has issued its final report following appeal, maintaining its stance that the Giphy/Meta merger “would limit choice for UK social media users and reduce innovation in UK display advertising”. The Developers Alliance intervened in the case to argue against the extraterritorial remedy imposed on Giphy, a U.S. startup with no UK ties. Here’s our reaction to the final decision.
The CMA has extended its investigation into the Microsoft/Activision merger. The main concerns relate to a possible foreclosure of rival console gaming platforms and their subscription services, and to a foreclosure of cloud-gaming service providers through leveraging Microsoft’s ecosystem.
Data protection & privacy
The UK’s Communications Authority (Ofcom) has found that most of the UK adult sites “do not have sufficiently robust access control measures in place to stop children accessing pornography”. Ofcom has powers to regulate video-sharing platforms (VSPs) and therefore assessed the situation of 19 companies falling under its jurisdiction, such as TikTok, Snapchat, Twitch, Vimeo, OnlyFans and BitChute, as well as several smaller platforms, including adult sites. While larger platforms have started to implement various measures to prevent children accessing adult content, smaller ones and websites “are not sufficiently equipped, prepared and resourced for regulation”. The report is part of the preparation for the forthcoming Online Safety Bill, which will provide Ofcom extended enforcement powers.
The Court of Justice has provided an important interpretation of the application of GDPR’s principles of purpose limitation and storage limitation. Personal data can be legally processed for testing and bug fixing, but only for the necessary period of time.
The case is about one of the leading internet and television providers in Hungary, Digi, which, following a technical failure affecting the operation of a server, created a ‘test’ database to which it copied the personal data of about one third of its private customers. The test database was accessed by an ethical hacker. After deleting the test database, Digi notified the personal data breach to the National Authority for Data Protection and Freedom of Information, which found Digi in breach of the GDPR and applied a fine of approximately EUR 270,000. The Hungarian DPA found that, once the necessary tests had been carried out and the problems corrected, Digi did not delete the test database, with the result that a large amount of personal data in that test database was stored for no purpose for almost 18 months in a file that could allow the data subjects to be identified; the failure to delete that database allowed a personal data breach to occur.
The Court of Justice confirmed that the principle of “purpose limitation” does not preclude the recording and storage by the controller, in a database created for the purpose of carrying out tests and correcting errors, of personal data previously collected and stored in another database, where such further processing is compatible with the specific purposes for which the personal data was initially collected. However, the principle of “retention limitation” precludes the retention by the controller, in a database created for the purposes of carrying out tests and correcting errors, of personal data previously collected for other purposes, for a period exceeding that which is necessary for carrying out these tests and correcting these errors.
The French Data Protection Authority (CNIL) has fined Clearview AI EUR 20 million and ordered the company to stop collecting and using data on individuals in France without a legal basis and to delete the data already collected within two months. Besides unlawful processing of personal data and disregard for individuals’ rights, the facial recognition software company was also sanctioned for lack of cooperation with the CNIL.
The Italian Data Protection Authority has fined a US company EUR 459,000 for offering a health app that disclosed the health data of about 2,000 Italian diabetic patients. The breach occurred when an employee, as part of an information campaign, sent email messages with the recipients’ addresses in the ‘Cc’ field. The Italian DPA also found that, after downloading the app, users were expected to accept, by a single click, the terms of use of the service jointly with the contents of the privacy policy. This prevented them from giving their consent separately to the individual processing operations, including the processing of health-related data. Further GDPR-related non-compliance was found, as the information provided to users was unclear and incomplete, and the company had failed to designate, in writing, its EU representative for all privacy-related issues in pursuance of the GDPR.
The French Government has enacted a new data retention law, which requires electronic communications operators to retain, for a period of one year, the traffic and location data listed in the French Post and Electronic Communications Code. This includes the date, the time and the duration of electronic communications, as well as information allowing the localization of mobile communications, among other personal information.
Europrivacy is the first certification mechanism to ensure compliance with the GDPR. The certification scheme was approved by the European Data Protection Board, which represents all of the EU’s national data protection authorities. It is a general scheme, with specific criteria that make it scalable and applicable to a large range of different processing operations performed by both controllers and processors from various sectors of activity.
Cybersecurity
The Dutch government has presented to the Parliament its Cybersecurity Strategy. The strategy includes a report conducted by Deloitte on behalf of the Dutch Ministry of Economic Affairs and Climate into the risks associated with the use of mobile devices and applications. The report provides an overview of the diverse landscape of risks related to cybersecurity, privacy and the social sphere, with specific attention to the impact on minors. Developers Alliance was one of the respondents to Deloitte’s research.
A coordinated law enforcement action by the French, Spanish and Latvian authorities, supported by Europol and Eurojust, has dismantled a car theft ring which used fraudulent software to steal keyless vehicles from two French car manufacturers. The fraudulent tool was marketed as an automotive diagnostic solution and used to replace the original software of the vehicles, allowing the doors to be opened and the ignition to be started without the actual key fob. Alongside car thieves and resellers, software developers were also arrested.
Google promotes “open security”, an approach based on security-by-default, zero-trust architecture, transparency and communication between companies, which will allow them to properly respond to and prevent attacks. This approach is seen by Google as an alternative to “data localization requirements, limits on market access, and even restrictions to accessing some cross-border services”. Google will soon open a Safety Engineering Center in Spain, with the aim to become “a European hub for joint research on advanced threats”. It will also host Google for Startups Growth Academy for EU Cybersecurity in 2023, a growth program to help cybersecurity startups across Europe grow into success stories.
Artificial intelligence
The UK Government has set up an AI Standards Hub, as part of the National AI Strategy, with the aim “to help stakeholders navigate and actively participate in international AI standardization efforts and to inform the direction of these efforts.” The AI Standards Hub consists of an interactive online platform and a program of live and in-person events. It seeks to bring together industry, government, regulators, consumers and civil society, and academia. The platform contains the Hub’s AI Standards Database, a searchable catalog of standards, and interactive libraries “to keep track of other documents and publications with implications for standards, such as government strategies, standardization roadmaps, or laws and regulatory requirements with relevance for AI technologies”. The platform also provides opportunities for collaboration, training, as well as research and analysis.
The EU has announced that it is developing Europe’s AI-on-demand Platform. The platform is developed by a consortium (AI4Europe project) led by University College Cork (UCC) in Ireland. The European Commission has allocated EUR 9 million from the Horizon Europe programme for this project. The objective is “to bring together Europe’s AI community while promoting European values”, and more concretely, “the community resource seeks to address the fragmentation of the European AI landscape and facilitate technology transfer from research to business”.
The European Commission has published Ethical Guidelines on the Use of AI and Data in Teaching and Learning for teachers. One of the objectives is to “clarify popular and widespread misconceptions about AI that might cause confusion or anxiety over its use, especially in education.” The Guidelines offer practical advice to educators and school leaders on how to plan an effective use of AI and data in schools.
An unofficial document reveals US concerns related to the EU’s proposed AI regulation, as Euractiv reports. The main issues relate to the broad AI definition, liability exemptions for general purpose AI providers, and a more individualized risk assessment that should focus on threat sources and vulnerabilities and consider human rights impact only in particular cases.
The leaked document states that: “Many of our comments are prompted by our growing cooperation in this area under the U.S.-EU Trade and Technology Council (TTC) and concerns over whether the proposed Act will support or restrict continued cooperation”.
The AI Act proposal is currently under legislative procedure, with both the Council and the European Parliament expected to present their negotiating positions soon. Developers Alliance is actively following the proposed amendments.
Miscellaneous
The EU co-legislators have reached a political agreement on the updated EU standardization system. The European standardization organizations – CEN, CENELEC and ETSI – have an exclusive role in carrying out standardization work requested by the Commission.
The new framework instills a protectionist approach in their governance structures by requiring decisions concerning European standards following mandates from the Commission to be taken only by national standardisation bodies from the EU and EEA member states. The objective is to “reinforce the role of member states and avoid the undue influence of foreign actors during the development of standards for key areas, like cybersecurity or hydrogen fuel”.
European standards will play a significant role in the implementation of regulations such as the AI Act or the Cyber Resilience Act, which will require software to comply with technical requirements and CE marking.
The European Parliament’s Transport Committee has voted on new rules for intelligent road transport systems. It “supports extending the scope of the new rules to cover more emerging services, such as multimodal information, booking and ticketing services, communication between cars and infrastructure, and automated mobility”. The Committee insists that data on speed limits, roadworks or accidents should be available in digital format and through an appropriate user interface. The new rules are expected “to boost digitalisation in the transport sector, to better connect different mobility apps, and to ensure wider data sharing”.
The European Commission has presented an Action Plan to digitize the energy sector, which sets limits for the crypto-assets market. The intention of the proposed measures is to ensure that the green and digital transitions go hand in hand. The Action Plan proposes “to boost data sharing, promote investments in digital electricity infrastructure, ensure benefits for consumers and strengthen cybersecurity”. Among the ways to decouple the energy footprint of the ICT sector, the Commission urges Member States “to implement targeted and proportionate measures to lower the electricity consumption of crypto-asset miners,” and “also in a longer term perspective, to put an end to tax breaks and other fiscal measures benefitting crypto-miners currently in force in certain Member States. In case there is a need for load shedding in the electricity systems, the Member States must also be ready to stop crypto-assets mining”.