May 2023 European Policy Update
Data Protection & Privacy
TLDR: Data Protection Authorities are issuing millions of dollars in fines against companies exporting personal data from Europe. At this time, the Alliance’s opinion is that there is no mechanism to avoid fines that doesn’t include processing all data inside the EU.
Meta received a record fine of €1.2 billion for data transfers in breach of the GDPR, following the CJEU’s judgment in the Schrems II case. The transfers took place on the basis of the updated Standard Contractual Clauses (“SCCs”) adopted by the European Commission in 2021 in conjunction with additional supplementary measures that Meta implemented. However, Ireland’s Data Protection Commissioner (DPC) found that “these arrangements did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the CJEU in its judgment.” The European Data Protection Board proposed the fine after a dispute resolution process.
The order suspends “any future transfer of personal data to the US within the period of five months from the date of notification,” along with “ceasing the unlawful processing, including storage, in the US of personal data of EU/EEA users transferred in violation of the GDPR,” within six months from the date of notification.
Meta’s response has pointed out that the decision is relevant for all companies and organizations relying on transatlantic data flows and reflects a fundamental conflict of law. The hope is that the legal uncertainty will be solved by the new EU-US Data Privacy Framework (DPF), which should be adopted by the EU by the end of the 3rd quarter of this year.
The European Parliament has objected to the view that the DPF could justify an adequacy decision on personal data transfers. The resolution is non-binding, but it highlights the problematic areas that could end up being scrutinized by the EU Court. The DPF is considered “an improvement on previous frameworks,” but without sufficient safeguards, as it “still allows for bulk collection of personal data in certain cases, does not make bulk data collection subject to independent prior authorization, and does not provide for clear rules on data retention.”
The European Parliament’s special spyware inquiry committee (PEGA) has adopted its final report and recommendations. It condemns spyware abuses in several EU member states (such as Poland, Hungary, Greece and Spain), which used it “to monitor, intimidate and discredit opponents, journalists and civil society.” PEGA recommends EU rules on the use of spyware by law enforcement, authorizing it only in exceptional cases for a pre-defined purpose and a limited time. It also emphasizes that “data falling under lawyer-client privilege or belonging to politicians, doctors or the media should be shielded from surveillance, unless there is evidence of criminal activity.” Other recommendations are mandatory notifications for targeted people and for non-targeted people whose data was accessed as part of someone else’s surveillance, independent oversight after it has happened, meaningful legal remedies for targets, and standards for the admissibility of evidence collected using spyware.
The French Data Protection Authority (CNIL) has fined Clearview AI an overdue penalty payment of 5.2M euros for not complying with an order issued last year. The company, which is using facial recognition technology, was sanctioned by CNIL in October 2022 with a fine of 20 million euros and ordered not to collect and process data on individuals located in France without any legal basis, and to delete the data of these individuals after responding to requests for access it received. A penalty of 100,000 euros per day overdue was set for lack of compliance with the order within two months. The company still needs to send CNIL proof of compliance.
CNIL has fined French health platform Doctissimo 380 000 euros for GDPR breaches and for inappropriate cookie consent. The breached GDPR obligations concerned data storage for a limited period of time, explicit consent for the collection of health data, contracts for joint data processing with 3rd parties, such as advertisers, and ensuring data security.
Germany’s Federal Cartel Office (Bundeskartellamt) has published the final report on its sector inquiry into messenger and video services. The investigation focused on the issues of data protection and data security. The main conclusions of the report indicate the following:
• the practice of synchronizing contact lists could be in breach of the GDPR as it implies the collection of the data of those contacts that have so far not registered with the service (including phone numbers shown in encrypted form).
• the transfer and storage of data by messenger and video services in countries where the level of data protection is not considered similar to that ensured by the European GDPR is also illegal. A special note on the US specifies that “based on the current legal situation, the transfer of data to and their storage in the USA, in particular, is not permissible.”
• many services could improve transparency for their users on how the security of their communication is ensured (including through encryption), in order to be fully compliant with the German Act against Unfair Competition (UWG).
The EU Court of Justice has clarified that not every infringement of the GDPR gives rise, by itself, to a right to compensation. Responding to a request for interpretation (“reference for a preliminary ruling”) of the Austrian Supreme Court, the EU Court also stated that “the right to compensation is not limited to non-material damage that reaches a certain threshold of seriousness” and that the criteria for determining the compensation are to be established at the level of Member States.
TLDR: AI Regulations are solidifying in the EU and UK, with risk of an extensive list of traditional and non-traditional harms driving potential liability for those developing and using AI tools. The potential remains for global reach and application.
The European Parliament has finalized its position on the AI Act. The Internal Market Committee and the Civil Liberties Committee have adopted a draft negotiating mandate which will be voted on in the mid-June plenary session. This will allow the Parliament to start negotiations with the Council of the EU, representing the EU Member State governments.
The Parliament’s position extends the list of bans including biometric surveillance, emotion recognition, and predictive policing AI systems. It also extends the classification of high-risk areas to systems that harm people’s health, safety, fundamental rights or the environment. AI systems used to influence voters in political campaigns and those for recommender systems used by large social media platforms (with more than 45 million users under the Digital Services Act) are also considered high-risk.
The Parliament also added specific obligations for providers of foundation models “to assess and mitigate risks, comply with design, information and environmental requirements and register in the EU database.” There are also special obligations for providers of generative AI, on transparency (disclose that the content was generated by AI), on designing the model to prevent it from generating illegal content and to publish summaries of copyrighted data used for training.
Exceptions for research and support for startups and SMEs through regulatory sandboxes are proposed as a counterpoint to the rigid obligations. The Parliament also proposes a citizens’ right to complain and receive explanations of “decisions based on high-risk AI systems that significantly impact their rights.”
The Internal Market Commissioner, Thierry Breton, has announced an ‘AI Pact’ ahead of the AI Act, on the occasion of meeting Google and Alphabet’s CEO Sundar Pichai. He also met Anthropic AI’s CEO, Dario Amodei, to discuss ways to anticipate compliance with the upcoming rules. OpenAI’s CEO, Sam Altman, has also visited some European capitals and met with the European Commission. At the fourth meeting of the EU-U.S. Trade and Technology Council (TTC), the Commission’s Vice-President Margrethe Vestager confirmed that it is “a question of absolute urgency to have such an AI Code of Conduct for a voluntary signup.”
In the UK, the Competition Authority (CMA) has announced an “initial review” on the market of foundation models, after the Government’s pro-innovation regulatory approach announced in March. The CMA wants to explore how the market could evolve and what opportunities and risks could emerge for competition and consumer protection.
TLDR: Extra-territorial regulation and the imposition of global remedies by individual nations are becoming more common in tech. Cascading inquiries and serial fines are now the norm as countries compete to extract cash and concessions from digital economy companies.
The European Commission has cleared the acquisition of Activision Blizzard by Microsoft, conditional on commitments related to cloud gaming. The Commission found “that Microsoft would not be able to harm rival consoles and rival multi-game subscription services.” It found, however, that there’s a risk related to competition in the distribution of games via cloud game streaming services and that Microsoft’s position in the market for PC operating systems “would be strengthened.”
The commitments oblige Microsoft to provide to consumers in the EEA a free license for streaming all current and future Activision Blizzard PC and console games, via any cloud game streaming services of their choice. They also put forward a free license to cloud game streaming service providers allowing EEA-based gamers to stream any Activision Blizzard’s PC and console games. The free licenses should be provided for a period of 10 years. The Commission noted that “cloud game streaming service providers gave positive feedback and showed interest in the licenses.”
UK’s CMA decision to block the merger is currently under appeal before the Competition Appeal Tribunal (CAT). One of the grounds of Microsoft’s appeal is the lack of consideration of potential remedies, and failing “to take account of the interests of comity” (extraterritorial effect of the decision) – an argument the Alliance made in the CMA’s inquiry into the Meta/Giphy merger.
Germany’s Bundeskartellamt has published the final report of its sector inquiry into non-search online advertising. The main conclusions of the investigation are: 1) a significant market position of Alphabet/Google, and 2) insufficient transparency in programmatic advertising. Bundeskartellamt is contemplating the approach to take in imposing remedies: whether measures targeting specific practices are enough or “whether it would be worth discussing more fundamental, large scale, perhaps also structural interventions.”
UK’s CMA is ready to accept Meta’s commitments not to use competitors’ advertising data for its Facebook Marketplace online classified ad service. The commitments will be implemented by setting up new technical systems and training for staff. Meta will also have to restrict the use of ad data for the development of other Meta products made available in the UK in competition with advertisers.
The CMA has started an inquiry into the acquisition by Adobe of Figma. The European Commission is also assessing the impact of the transaction on the market. Figma offers a web-based interactive product design tool, used for software applications and websites, including a free version. Competition regulators want to assess whether the merger could affect the availability or prices of such tools, and could even hamper potential innovation.
TLDR: EU policy makers are offering incentives and support for cybersecurity initiatives.
The European Commission is offering €71 million in total for proposals under the Digital Europe Work Programme 2023-2024, for cybersecurity actions. The calls are addressed to companies, public administrations and other organizations, for “proposals aimed to boost the EU’s resilience against cyber threats and its capacity to protect, detect, defend, and deter cyber-attacks, as well as enhance cooperation among Member States.” In addition, a previous program was re-opened until July 6th 2023, for a remaining total budget of €36,5 million. The latter offers opportunities to obtain grants for the uptake of innovative cybersecurity solutions, capacity building of security operation centers, or for EU Cybersecurity resilience, coordination, and cybersecurity Ranges.
The European Cybersecurity Competence Centre has launched in Bucharest. Its mission is to support innovation and industrial policy in cybersecurity and develop and coordinate EU cybersecurity projects. The Centre is responsible for managing EU cybersecurity funds for the current long-term EU budget (2021-2027) and for managing cyber projects under the Digital Europe Programme and Horizon Europe. It will also help implement the European Cyber Shield, a pan-European infrastructure composed of national and cross-border Security Operations Centres (SOCs) across the EU.
Developers Alliance joined a broad coalition of associations representing technology companies in calling on EU legislators not to rush the negotiations on revising the product liability framework. The joint industry letter points out several important aspects that should be carefully considered due to their impact:
• the disproportionate extension of the scope with regard to software, AI applications, and services, as well as immaterial harms such as data loss/corruption and psychological damage,
• undue disclosure obligations and a shift in the burden of proof, and
• a chain of liability inconsistent with other EU legislation.
The European Centre for International Political Economy (ECIPE) has organized a webinar on the economic impacts of the reform of the EU’s Product Liability Directive. Our Director of EU Policy was invited to the discussion.
The European Commission has opened the first set of calls for proposals worth over 122 million euros under the 2023-2024 Main Work Programme of the Digital Europe Programme. The calls are open to businesses, public administrations, and other entities from the EU Member States, EFTA/EEA countries, and associated countries. The investments are intended to support a Network of Safer Internet Centres that will help minors tackle online risks and enable citizens to anonymously report online child sexual abuse material (CSAM) and an IT system for the removal of CSAM, hubs for fighting disinformation, an application to help citizens reduce energy consumption, setting up a European reference genome database, as well as projects in the area of cloud to edge infrastructure. There are also funding opportunities for AI-related projects worth 18 million euros, while 16 million euros are allocated to promote advanced digital skills (reinforcing skills in semiconductors and digital skills of young pupils with a focus on young girls).
The EU and India have launched a Trade and Technology Council to support a strategic partnership. The first ministerial meeting set up three working groups on:
• strategic technologies, digital governance, and digital connectivity,
• green and clean energy technologies, and
• trade, investment, and resilient value chains.