The European February 2023 Policy Update
Competition in Digital Markets
The European Commission has sent an updated Statement of objections to Apple on concerns over App Store rules for music streaming providers. Initially, the Commission took issue with Apple’s rules on imposing music streaming app developers to use its in-app purchase payment technology (‘IAP obligation’), and those restricting app developers’ ability to inform iPhone and iPad users of alternative music subscription services (‘anti-steering obligations’). The new Statement of objections clarifies that “the Commission does no longer take a position as to the legality of the IAP obligation for the purposes of this antitrust investigation but rather focuses on the contractual restrictions that Apple imposed on app developers which prevent them from informing iPhone and iPad users of alternative music subscription options at lower prices outside of the app and to effectively choose those.” The Commission expressed the preliminary view that Apple’s anti-steering obligations are unfair trading conditions in breach of Article 102 of the Treaty on the Functioning of the European Union (‘TFEU’).
The antitrust investigation is carried out in parallel with the implementation of the Digital Markets Act (DMA). The DMA requires app stores that qualify as “gatekeepers” to allow developers to use alternative billing and to inform users of different offers. Developers Alliance has been invited together with other stakeholders to provide input on these new rules during a workshop on the implementation of the app store-related provisions of the DMA.
The European Commission has organized a technical workshop on the implementation of the DMA provisions on interoperability between messaging services. Various stakeholders participated in an exchange on possible compliance solutions and challenges, with a focus on end-to-end encryption, security, and the identification of users across different messaging services. Developers Alliance actively follows the DMA’s implementation process and participates in the Commission’s dialogue with relevant stakeholders, such as these thematic workshops.
The EU and the UK competition watchdogs are deliberating the fate of the Microsoft – Activision merger. The European Commission will issue its decision on Apr 25, 2023. The UK’s CMA has announced that it “has provisionally found competition concerns as part of its in-depth investigation”. The CMA considers that the merger could make Microsoft even stronger in cloud gaming, stifling competition in a growing market, weakening the important rivalry between Xbox and PlayStation gaming consoles and harming UK gamers who cannot afford expensive consoles. The CMA also presented possible remedies, such as a partial divestiture of Activision Blizzard in the form of selling off the Call of Duty business, or selling off the Activision segment or the Activision and Blizzard segments that would include the business associated with Call of Duty, World of Warcraft, and other games.
The European Commission has approved under Mergers Regulation a joint venture of four European telecom operators which intends to offer an alternative advertising offer. The joint venture, concluded between Deutsche Telekom, AG Orange SA, Telefónica S.A. and Vodafone Group plc., will develop a platform to support brands and publishers’ digital marketing and advertising activities in France, Germany, Italy, Spain and the UK. The proposed solution is based on a unique digital code derived from users’ mobile or a fixed network subscription, which will allow brands and publishers to identify users on their websites or applications on a pseudonymous basis, group them under different categories and personalize content to specific users’ groups.
Data protection and privacy
The European Commission is preparing a legislative proposal to improve the cross-border application of the GDPR. The proposal will not amend the GDPR; it will only lay down procedural rules for the enforcement of cross-border cases, to strengthen the cooperation between national authorities and dispute resolution mechanisms.
The European Data Protection Board (EDPB) has issued its opinion on the European Commission’s Draft Implementing Decision on the adequate protection of personal data under the EU-US Data Privacy Framework. The EDPB has welcomed the proposed changes by the US, but also pointed out additional changes that would ensure strengthened protection of the rights of EU citizens, in the spirit of the European Court of Justice’s decision in the Schrems II case.
There is more skepticism on the European Parliament’s side. The Committee on Civil Liberties, Justice, and Home Affairs has adopted a motion for a resolution calling on the European Commission not to adopt the adequacy finding. The LIBE Committee considers that the proposed EU-US Data Privacy Framework “fails to create actual equivalence in the level of protection.”
The EDPB has published the final version of the Guidelines on deceptive design patterns in social media platform interfaces. The document provides the relevant GDPR provisions, examples of deceptive design patterns in use cases of the life cycle of a social media account, best practice recommendations and a checklist of deceptive design pattern categories.
The EDPB has also published Guidelines clarifying the interplay between the territorial scope of the GDPR (Art. 3) and the provisions on international transfers in Chapter V and Guidelines on certification as a tool for transfers. The guidelines were updated after public consultation.
The Italian Data Protection Authority (Il Garante) has ordered Luka Inc., the US-based developer of the chatbot Replika to cease processing Italian users’ data. Due to the lack of an age verification mechanism, the app providing the virtual friend was considered to carry “factual risks to children” and to inappropriate content for minors.
The French Data Protection Authority (CNIL) has launched a regulatory sandbox for a GDPR compliant solution for age verification on pornographic sites. The solution is part of CNIL’s call in the summer of last year to find solutions to ensure user verification in a GDPR-compliant way. It indicated at that time that it accepts age verification by means of bank cards or by estimating the age based on “facial analysis without facial recognition.” The CNIL recommends that the implementation of both solutions should not be implemented by the websites themselves but by independent third parties.
The European Commission has published The European Digital Identity Wallet Architecture and Reference Framework, a set of specifications needed to develop an interoperable European Digital Identity (EUDI) Wallet Solution based on common standards and practices. This will support the implementation of the updated eiDAS Regulation, which will extend the use of government issued digital IDs from public to private sector.
Content regulation
The first implementation deadline of the Digital Services Act (DSA) was marked by the collection of online platforms and search engines’ users numbers. Those that will meet the threshold of 45 million active users, or 10% of the EU’s population will be designated by the European Commission as ‘very large online platforms’ (VLOPS) and ‘very large online search engines’ (VLOSE), subject to the strictest obligations under the DSA. The user numbers will have to be reported at least once every six months. The Commission has published a non-binding guidance in all EU languages to help companies in scope of the DSA to comply with this requirement.
Different companies’ public announcements and press reports show that Facebook, Google Search, Google Maps, Google Play. Google Shopping, Instagram, TikTok, Twitter, and YouTube are over the threshold. Among those declaring themselves below the threshold are eBay, Spotify, GoFundMe, Microsoft’s App Store, and SkySkanner.
The first baseline reports for the 2022 Code of Practice on Disinformation were submitted in time by the signatories of the Code, including large online platforms. The reports provide insight and extensive initial data on aspects such as: how much advertising revenue flowing to disinformation actors was prevented; the number or value of political ads accepted and labeled or rejected; instances of manipulative behaviors detected (i.e., creation and use of fake accounts); information about the impact of fact-checking; and information reflecting the situation on Member States level. The European Commission expressed its disappointment regarding Twitter, “whose report is short of data, with no information on commitments to empower the fact-checking community.” The next set of reports from major online platform signatories is due in July.
The European Commission referred 11 Member States to the European Court of Justice for failing to transpose the EU copyright rules into their national law. The transposition deadline for the new Copyright Directive and the Directive on television and radio programs expired in June 2021.
The European Audiovisual Observatory has published a “Mapping of national rules applicable to video-sharing platforms: Illegal and harmful content online”. It is an updated report providing a detailed country-by-country analysis of the transposition into national law of the Audiovisual Media Services Directive (AVMSD) in all EU member states, Norway and the UK. It also contains a comparative analysis and the perspective of industry stakeholders.
Cybersecurity
The European Union Agency for Cybersecurity (ENISA) has published a report on the challenges faced by operators of essential services in the EU, when seeking to acquire cyber insurance. A survey reveals that a majority of these service providers cannot afford cyber insurance given the outstanding premiums and disadvantageous coverage. More than half of the respondents consider other risk mitigation tools more effective than cyber insurance. The report also includes recommendations to policy makers and operators of essential services.
ENISA has organized a workshop on approaches to the certification of cybersecurity skills and how they can be aligned with the European cybersecurity skills Framework (ECSF). This is the first in a series of seminars intended to help organizations interested in upskilling and reskilling professionals to respond to the need of increasing the cybersecurity workforce.
Miscellaneous
The European Tech Champions Initiative has been launched by the European Investment Bank Group (European Investment Bank, European Investment Fund) and 5 EU Member States (Spain, Germany, France, Italy, and Belgium). The initiative is presented as a fund of funds to back high-tech companies in their late-stage growth phase, in order to “reinforce Europe’s strategic autonomy and competitiveness”. It has secured initial commitments of €3.75 billion with the objective to strengthen European scale-up VC markets “by bridging gaps in financing availability, especially for companies seeking to raise amounts of over €50 million.”
The Commission has launched the European Regulatory Sandbox for Blockchain. The sandbox will support decentralized technology solutions, including blockchain, “by identifying obstacles to their deployment from a legal and regulatory perspective and providing legal advice, regulatory experience and guidance in a safe and confidential environment.” It will run from 2023 to 2026, with 20 projects annually, including public sector use cases such as the multi-country project the European Blockchain Services Infrastructure (EBSI). Companies (including start-ups and scale-ups) and public entities with a validated proof of concept can apply for the first call until Apr 14, 2023.
The EU and India have set up a Trade and Technology Council. Following the model of the EU-US TTC, the EU dialogue with India will focus on digital transformation, connectivity, green technologies, resilient supply chains and trade. This is complemented by other Digital Partnerships in ASEAN. The most recently launched is the Digital Partnership with Singapore, which will focus on common approaches in e-identification and in Artificial Intelligence governance, on projects to facilitate digital trade and SME’s digital transformation.
The European Commission has hosted a European citizens’ panel on virtual worlds. The consultation is part of the Commissions’ plans to regulate the metaverse. The Commission also published the study “Extended reality: Opportunities, success stories and challenges”, assessing the strengths and weaknesses of the use of extended reality technologies in the healthcare and education sectors.
All main European institutions have banned the use of TikTok on work devices, for cybersecurity concerns. The European Commission was the first to announce the immediate ban, followed by the EU Council and the European Parliament, the European External Action Service (EEAS), the European Court of Auditors (ECA), the European Committee of the Regions (CoR) and the European Economic and Social Committee (EESC), as well as the European Ombudsman. The decision raises some questions among European policymakers, as Politico reports. A study conducted by Gizmodo shows that banning the app is not going to solve the issue of data flows to China. TikTok’s SDKs and ad pixels, but also more generally, how data is shared, including via data brokers, should be considered.