The EU&UK November 2022 Policy Update
Data protection & privacy
Developers Alliance has joined the call of a broad transatlantic coalition of 41 business associations for EU policymakers to swiftly conclude the EU adequacy decision process so businesses can confidently rely on the new EU-U.S. Data Privacy Framework.
The coalition, representing companies of all sizes from various sectors of the business community, has issued a statement which was delivered to EU and U.S. officials. The statement offered an analysis of the recent U.S. Executive Order and accompanying U.S. Department of Justice regulations implementing the U.S.’s commitments under the EU-U.S. Data Privacy Framework, in order to help inform and support the EU’s work towards making the EU-U.S. Data Privacy Framework operational through the EU adequacy decision process.
Ireland’s Data Protection Commission (DPC) has announced the decision in Facebook’s “Data Scraping” inquiry, imposing a fine of €265 million and a range of corrective measures. This is only a preview of further decisions regarding Meta expected in the course of December.
The French privacy authority (CNIL) has fined U.S. messaging platform Discord €800,000 for several breaches of the GDPR. Discord was in breach for not defining a data retention proportionate time period and for not informing users about its data retention policies. Other issues were related to weak password management and the lack of a data protection impact assessment. Most of the breaches have been corrected by Discord since. The CNIL has acknowledged “the efforts made by the company to comply throughout the proceedings, as well as the fact that its business model is not based on the exploitation of personal data.”
The CNIL has presented an action plan for the privacy of users of mobile apps. The CNIL will provide practical guidance, including self-assessment checklists, to mobile-app operators concerning data protection and privacy rules. Depending on the observed practices, the CNIL could decide to conduct a large-scale control operation and apply fines.
The United Kingdom has concluded its first independent data adequacy decision with South Korea. UK organizations will be able to share personal data with the Republic of Korea without special contractual safeguards by the end of 2022 when the legislation is expected to enter into force.
NOYB, the organization led by the Austrian lawyer and privacy activist Max Schrems, is preparing a broad complaint campaign targeting mobile applications that collect personal data without the users knowledge, via SDKs, either for lack of information to users, or for violation of their consent (according to an interview of NOYB’s legal counsel by Le Journal du Net).
Competition in digital markets
The German Competition Authority (Bundeskartellamt) has secured Meta’s commitments to allow users the possibility to set up VR headsets using a separate account, the “Meta account”, as opposed to their Facebook account. This will also apply to the new Quest Pro headsets which will be soon offered for sale in Germany. Besides a choice architecture allowing users to set up their headsets separately or in connection with other Meta services, the investigation, initiated in late 2020, also focuses on whether and how data processed in the context of different Meta services are combined. Data processing is a pending issue, awaiting the interpretation of the European Court of Justice.
The UK Competition Authority (CMA) has opened a market investigation on mobile browsers and cloud gaming. The CMA has decided to pursue an investigation on the supply of mobile browsers and browser engines and the distribution of cloud gaming services through app stores on mobile devices in the UK, based on the feedback received during a consultation alongside its market study into mobile ecosystems. The investigation will focus on “the way that Apple and Google dominate the mobile browser market and how Apple restricts cloud gaming through its App Store.” The market investigation will be concluded within 18 months. If there are findings about anti-competitive behavior in the market, the CMA can impose remedies on firms and make recommendations to the government on regulation.
The CMA has decided to investigate the anticipated $61 billion acquisition by Broadcom of VMware. A similar investigation is underway in the EU, with a decision for either a clearance or an in-depth investigation to be expected by December 20, 2022.
The European Commission has opened an in-depth investigation on the acquisition of Activision Blizzard by Microsoft. The Commission is concerned that the proposed acquisition “may reduce competition in the markets for the distribution of console and personal computers (‘PCs’) video games and for PC operating systems.” The Commission will take a decision by March 2023. A similar investigation is ongoing in the UK, but also in other jurisdictions (U.S., Australia, New Zealand, Japan and South Korea).
Content regulation
The UK government has proposed new amendments to the Online Safety Bill to ease the obligations over the removal of “legal but harmful” material in response to concerns about free speech. In the new draft, besides illegal content, platforms need to remove any material that breaches their own terms of service. The amendments provide more user control to reduce disturbing content on their social media feeds. Additional amendments for child protection oblige social media platforms to publish their risk assessments on the dangers their sites pose to children and to clearly set out and explain in their terms of service how they ensure age verification.
The latest evaluation of the EU Code of Conduct against online hate speech indicates a slowdown in the implementation. The European Commission’s assessment shows a decrease in companies’ notice-and-action results and the removal rate (with the exception of YouTube, which performed better than in the last two years). There is, however, a positive development in the companies’ frequency and quality of feedback to users. The Code of Conduct is based on close cooperation between the European Commission, IT companies, civil society organizations and national authorities.
The European Commission is setting up a European Centre for Algorithmic Transparency (ECAT), following the entry into force of the Digital Services Act (DSA). ECAT’s main role is to support the Commission’s oversight of the algorithmic systems used by very large online platforms and search engines in assessing whether the functioning of such algorithms is in line with the risk management obligations under the DSA. The ECAT will have its main seat at the JRC’s Seville site, with staff also located in Brussels and Ispra. It is expected to be fully operational in the first quarter of 2023. A recruitment campaign was launched, for experts in data science, algorithmic design, algorithmic auditing and other closely linked fields. Applications are open until January 9th, 2023. The Commission is also currently recruiting for the DSA team in the Directorate General for Communications Networks, Content and Technology (DG CONNECT).
Regulators from the United Kingdom, Australia, Ireland and Fiji have joined forces to set up a global network to counter online harm. The objective is “to pave the way for a coherent international approach to online safety regulation, by enabling new online safety regulators to share information, experience, and best practices.”
Cybersecurity
A coalition of 13 global business associations has issued a joint statement calling on the EU not to impose “immunity requirements” in the European Cybersecurity Certification Scheme for Cloud Services (EUCS). The draft EUCS contains a series of requirements aimed to prevent and limit interference from non-EU states with the operation of certified cloud services. The draft provides that the registered head office and global headquarters shall be established in a member state of the EU, that the cloud services would have to be operated and maintained from the EU, and that all cloud service customer data stored and processed in the EU.
The industry statement calls on the EU to refrain from adopting requirements of a political rather than technical nature, which would exclude legitimate cloud suppliers and would not enhance adequate cybersecurity controls.
The EU has adopted a new Cyber Defence policy to strengthen coordination mechanisms among national and EU cyber defense players and investments in cyber defense capabilities.
The plan to secure the EU defense ecosystem considers that “even non-critical software components can be used to carry out cyber-attacks on companies or governments, including in the defense sector,” which “calls for further work on cybersecurity standardization and certification to secure both military and civilian domains.”
The European Data Protection Supervisor (EDPS) and the European Union Agency for Cybersecurity (ENISA) have signed a Memorandum of Understanding establishing a strategic cooperation framework between them. The agreement includes a strategic plan to promote the awareness of cyber hygiene, privacy, and data protection amongst EU institutions, bodies, offices, and agencies, and also to promote a joint approach to cybersecurity aspects of data protection and the adoption of privacy-enhancing technologies.
The European Commission has invited companies, public administrations, and other organizations to submit proposals for innovative cybersecurity solutions and to apply for EU funding under the Digital Europe Programme.
Miscellaneous
The European Commission has launched a public consultation on a “fitness check on digital fairness” of the consumer protection framework. The evaluation, planned for the second quarter of 2024, will focus on the need for additional rules on issues like dark patterns, influencer marketing, the sale of virtual items, and the addictive use of digital items. Stakeholders are invited to provide feedback until February 20th, 2023.
The report presenting the findings and recommendations of the first part of Meta’s Open Loop policy prototyping program focused on the EU AI Act has been published. The report concludes that while many provisions of the AI Act tested in the project can help reach the objective of “trustworthy AI,” there are several areas in the AI Act where there is room for improvement, and some provisions that might even undermine another goal of the legislator: the uptake of AI in Europe. Developers Alliance is one of the industry associations supporters of the project.
The Coalition for a Digital Economy (Coadec) has organized an open letter to the new UK Government to further support the startup and scaleup ecosystem. The call comes in the context of a difficult economic situation and the recent news about the Government-backed tech support organization, Tech Nation, losing its funding to Barclays.
The French government has maintained advantageous fiscal measures in support of the gaming sector. The main measure is the extension of the video game tax credit until December 31st, 2028. This allows companies creating video games to benefit, subject to conditions, from a tax credit corresponding to 30% of new game production spend. The criteria for the fiscal scheme have been updated to the development of cloud gaming, virtual reality, blockchain, as well as to video games on mobile phones. Since its implementation in 2008, this mechanism has benefited more than 150 video game development studios and has contributed to financing more than 370 projects, as the press release mentioned.
The European Parliament has adopted a resolution on esports and video games. The resolution calls on the Commission and the Council “to acknowledge the value of the video game ecosystem as a major cultural and creative industry (‘CCI’) with strong potential for further growth and innovation.” The European Parliament envisages a long-term European video game strategy, in order to support EU actors and EU start-ups in the sector. The resolution notes that the European video game industry is mainly made up of small and medium-sized enterprises. The resolution calls, amongst other things, on: i) the protection of data privacy and cybersecurity challenges, without losing sight of the esports phenomenon; ii) fair consumer monetization of video games through micro-transactions, in-game currencies and loot boxes to ensure robust consumer protection; iii) the protection of video game IP and the cross-border enforcement of IP rights of game producers; and iv) the ongoing battle against stereotypical representation of women in video games, and in general, the promotion of a framework for attaining greater equality for women in all positions in the value chain.
The European Innovation Fund has announced its first equity investments, amounting to €190 million, under the funding program Horizon Europe. The investment decisions were delayed by a dispute over the management of the fund, which led to the appointment of an external fund manager. The due diligence process for the 35 selected investments will be performed by the European Investment Bank (EIB).
The European Commission has launched a website to monitor the deployment of key Internet standards, EU’s Internet Standards Deployment Monitoring website. The website presents the current level of deployment of a set of internationally agreed Internet Standards across the EU. The website focuses on 5 categories of Internet standards: 1) Browsing – Web communication standards, 2) Routing – Mutually Agreed Norms for Routing Security (MANRS), 3) Emailing – Email communication security standards, 4) Naming – Domain Name System Security Extensions (DNSSEC), and 5) Addressing – Internet Protocol version 6 (IPv6).