The End Of A Troubled Year: EU’s Digital Regulations And A Last-Minute Brexit Deal

The Developers Alliance 2020 Year End EU Policy Update.



Commission’s Crucial Proposals For Digital Services, And Special Rules For Big Tech

The European Commission presented a legislative package on December 15 with new rules for all digital services, including mechanisms for the removal of illegal content, and a set of rules for big online platforms (so-called “gatekeepers”). 

The Digital Services Act (DSA) sets out an updated, harmonised, EU-wide liability regime, including different levels of due diligence obligations for digital services, depending on the platforms’ size and impact. Stricter rules are proposed for companies with over 45 million active users in the EU, such as rules on transparency, yearly audits, the appointment of a compliance officer, and more. Fines for non-compliance can be up to 6% of global revenue. 

The Digital Markets Act (DMA) imposes specific restrictions for “digital gatekeepers”, major providers of core platform services, such as search engines, social networks, operating systems, or online intermediation services, presumed as such based on quantitative thresholds, but also designated by the European Commission following a market investigation. The proposal sets out fines of up to 10% of annual global revenue.

Here’s our preliminary reaction. The DSA represents an opportunity to establish an EU harmonized liability regime of online intermediaries. Our message to the commission is to tread lightly and focus on the smallest corrections possible to achieve your vision. The DSA seems to broadly reflect this approach and builds some scaffolding for future refinement. Unlike the DSA, the DMA risks a significant negative impact on software developers that benefit from platform ecosystems and on the future of European digital markets. As Bruce Gustafson, President and CEO of Developers Alliance stated: “By banning today’s successful digital companies and salting the earth where European champions might have grown, this regulation makes clear that tomorrow’s internet will be born elsewhere – and that bright minds will need to leave Europe if they want to help build it.” 

The European Commission is receiving feedback on DSA and DMA until February 11, 2021. Let us know what is right and in particular what is wrong with the proposed new rules.

The EU On The Job

The Data Governance Act (DGA) was proposed by the European Commission on November 25, to facilitate data sharing, support European data spaces, and “offer an alternative European model to data handling practice of major tech platforms”. The European Commission welcomes feedback until February 1st, 2021.

Parliament and Council agreed on the legislative framework to fight the dissemination of terrorist content online on November 12. Platforms will have to remove harmful content within one hour, with some safeguards. There is no obligation to monitor or filter all content, but service providers can take voluntary proactive measures. The service provider decides on those measures. Service providers will also need to publish annual transparency reports on action taken against the dissemination of terrorist content.

The European Democracy Action Plan, presented on December 3, sets out measures for promoting free and fair elections (EU legislation on political advertising), strengthening media freedom and pluralism, and countering disinformation (revamping the Code of Practice on Disinformation into a co-regulatory framework of obligations and accountability of online platforms, complementing the upcoming Digital Services Act).

The Media and Audiovisual Action Plan, presented the same day, lays down support measures focused on the news media sector and audiovisual entertainment, including video games and virtual reality.

The European Commission launched infringement procedures against 23 EU countries and the United Kingdom for failing to transpose into national law the Audiovisual Media Services Directive (AMSD). The directive, adopted in 2018, and due to be transposed by the Member States by September 19, 2020, sets out new rules governing EU-wide coordination of all audiovisual media, both traditional TV broadcasts and on-demand services, and video-sharing platforms. These rules cover advertising and investments in TV and films, and the protection of minors online and apply to broadcasters, streaming services, and video-sharing platforms. 

The Commission presented the first short-term review of the geo-blocking regulation on November 30, which prohibits unjustified geographical restrictions in the sale of goods and services within the EU. It decided not to extend the scope of the regulation to copyright-protected content, such as audiovisual, music, e-books, and games, and to instead launch a stakeholder dialogue with the audiovisual sector. The next review of the regulation will be in 2022.

On December 7, the Commission adopted Guidelines for online platforms on ranking transparency, according to the Platform-to-business Regulation, which has been applicable since July 12, 2020. The guidelines are not legally binding; they aim to help platforms and search engines comply with their obligation to improve the transparency of their ranking parameters.

The Commission published an Action Plan on Intellectual Property on November 25, announcing measures on five key areas: improving the protection of IP, boosting the uptake of IP by SMEs, facilitating the sharing of IP, fighting counterfeiting, and improving enforcement of IP rights and promoting a global level playing field. 

On November 13, the Commission launched the New Consumer Agenda, a roadmap of priorities and key action points for 2020-2025, aimed to empower European consumers in the green and digital transitions.

The Legal Affairs Committee of the European Parliament adopted guidelines on the use of AI for military purposes and in healthcare and justice. The MEPs consider that: i) lethal autonomous weapon systems should be lawful only if subject to human control, ii) AI cannot replace human decision-making nor replace human contact, and iii) they call for a ban on “highly intrusive social scoring applications” by public authorities.

The EU budget, which will amount to €1.074 trillion, covering almost 40 EU spending programmes in the next seven-year period, was adopted in due time. The €7.5 billion Digital Europe Programme will provide funding for projects in five crucial areas: supercomputing, artificial intelligence, cybersecurity, advanced digital skills, and ensuring the wide use of digital technologies across the economy and society. 

The EU Proposes A New Transatlantic Agenda

On December 2, the European Commission and the High Representative of the EU for Foreign Affairs and Security Policy proposed a new transatlantic agenda, with concrete proposals for cooperation with the new US administration. Some of the main areas for the proposed partnership are technology, trade, and standards. The EU wants “to create a specific dialogue with the US on the responsibility of online platforms and Big Tech, work together on fair taxation and market distortions, and develop a common approach to protecting critical technologies, artificial intelligence, data flows, and cooperation on regulation and standards.”

The Last-Minute Brexit Deal 

The negotiators managed to reach a deal on Christmas Eve on the future relationship between the EU and the UK: the Trade and Cooperation Agreement. As of January 1st, 2021, the EU and the UK will be two separate markets. The free movement of persons, goods, services, and capital between the two jurisdictions will end. The Agreement covers the main economic and social areas with special provisions, similar to other EU trade agreements. An interim deal to temporarily keep data flowing between the EU and the UK for up to six months was agreed upon, at least until a so-called ‘adequacy decision’ is ratified by the EU. The Agreement will provisionally enter into force after its approval by the EU member states’ governments – the Council of the EU – by December 31, and by the European Parliament in early January.

The UK Digital Regulatory Proposals

The UK Government presented its proposal for a new regulatory framework on December 15, establishing an asymmetric duty of care on companies to improve the safety of their users online, overseen and enforced by an independent regulator (Ofcom). The legislation will set out a general definition of the harmful content and activity covered by the duty of care and will include disinformation and misinformation. The legislation will not change companies’ liability for individual items of illegal content that meet the definition of harm. Only a small number of high-risk, high-reach digital services will have to address legal-but-harmful content and activity accessed by adults on their services. The Government published interim codes on terrorism and child exploitation and sexual abuse alongside the main proposal for online harms. The Online Safety Bill, which will give effect to the new regulatory framework, will be ready next year. 

The Digital Markets Task Force published its advice to the Government on the potential design and implementation of a special regulatory regime for tech giants on December 8. Companies with strategic market status (SMS) – meaning those with substantial, entrenched market power and where the effects of that market power are particularly widespread or significant – will be subject to a set of measures comprising a legally binding code of conduct, market interventions (e.g. imposing interoperability) and stricter merger rules. 

The Government had announced previously, on November 27, that “a dedicated Digital Markets Unit, which will be set up within the Competition and Markets Authority (CMA), will work closely with regulators including Ofcom and the Information Commissioner’s Office to introduce and enforce a new code to govern the behaviour of platforms that currently dominate the market, such as Google and Facebook, to ensure consumers and small businesses aren’t disadvantaged.”

The new regime is meant to be part of a wider regulatory framework for digital markets, including the new regime for harmful online content, and data protection laws. 

To Encrypt Or Not To Encrypt

The EU Member States adopted a resolution on “security through encryption and security despite encryption” on December 14, which refers to “potential technical solutions” to ensure the use of encryption while allowing law enforcement and the judiciary to have access to electronic evidence.

The main critical reaction to the ambiguous language of the resolution came from academia in the form of an open letter signed by more than 150 scientists.

Europol announced the inauguration, together with the European Commission, of a decryption platform on December 18, that aimed to “significantly increase Europol’s capability to decrypt information lawfully obtained in criminal investigations”. 

Legislative Controversy On Tackling Online Child Sex Abuse

The European Parliament’s civil liberties committee approved its position on the European Commission proposal for temporary derogations from Directive 2002/58/EC for the purpose of combatting child sexual abuse online on December 7. The derogation would allow online platforms to continue voluntarily tracking child sexual abuse online, including grooming. The EU legislators need to agree on the interim regulation by December 21, the date of application of the Electronic Communications Code, which puts internet communication services under the strict ePrivacy obligations, thus impeding the use of scanning technologies for detecting online child sexual abuse without user consent.

The European Data Protection Supervisor published an opinion on the interim proposal on November 10, stating “the measures envisaged by the Proposal would constitute an interference with the fundamental rights to respect for private life and data protection of all users of very popular electronic communications services, such as instant messaging platforms and applications”. In the same vein, the European Data Protection Board issued its opinion on the matter too.

The controversy around the issue involved actor and activist Ashton Kutcher. With a few notable exceptions, Kutcher has largely retreated from acting and instead has been focusing on his extensive venture capital work (Business Insider, paywall). This includes companies such as Uber, Airbnb, Foursquare, and others. As part of this career, Kutcher has become involved with combatting online child abuse, sex trafficking, and other human rights violations by investing in companies that are developing tools to prevent this criminal activity. He has testified before the US Congress, and has now taken a stand in favour of the Commission proposal.

The Member States’ deputy ambassadors agreed on a mandate for negotiations with the European Parliament in October, but an agreement won’t be possible in due time, leaving online messaging services in a legal grey zone. 

The Data Flows Deadlock

The European Commission proposed updated standard contractual clauses for data transfers between EU and non-EU countries. It also published draft Article 28 Standard Contractual Clauses for use between controllers and processors located within the European Union. 

The European Data Protection Board (EDPB) adopted a set of two essential recommendations on November 10: on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data and on European Essential Guarantees for surveillance measures. The most problematic issue arising from EDPB recommendations is related to the prescriptive obligations for companies to assess the impact of the rules under which authorities from third countries access data for law enforcement or national security purposes. Such “equivalence assessments” render companies’ compliance operations on data flows unworkable.

Data Protection And Privacy 

The Council of the EU took note of the German Presidency e-Privacy progress report. The progress report means Germany couldn’t find a compromise between the EU Member States, so the matter was passed on to Portugal, which takes over the rotating presidency in January 2021. The e-Privacy Regulation, a proposal to update the e-Privacy Directive, has been discussed in the Council since it was presented by the previous Commission, in January 2017. The European Parliament adopted its mandate for the inter-institutional negotiations in October 2017 and has been waiting for the Council since.

The European Data Protection Board (EDPB) adopted its Strategy 2021-2023 in the last plenary session of this year, on December 15. Four important guidance documents were also approved: i) on data transfers under the GDPR after the Brexit transition period ends, ii) on restrictions of data subject rights under Article 23 GDPR, iii) on the interplay of the Second Payment Services Directive (PSD2) and the GDPR, and iv) on transfers of personal data from EEA public authorities or bodies to public bodies in third countries, where these transfers are not covered by an adequacy decision.

The UK Information Commissioner’s Office (ICO) published a new Data Sharing Code of Practice on December 17, providing practical advice to individuals, businesses, and organisations on how to share data in compliance with the UK data protection law.

The French data regulator (CNIL) fined Google €100 million and Amazon €35 million, for automatically placing cookies for advertising purposes on users’ computers when users visited their websites (google.fr and amazon.fr), without obtaining prior consent and without providing adequate information.

The Irish data regulator fined Twitter €450,000, finding that it breached Article 33(1) and 33(5) of the GDPR, in terms of a failure to notify a data breach on time and a failure to adequately document it.

Digital and human rights groups have filed coordinated privacy complaints against Google and the Interactive Advertising Bureau (IAB) over real-time bidding systems. The complaints were filed on December 10 in Romania, Portugal, Croatia, Malta, Greece, and Cyprus, under the coordination of a consortium made up of the Civil Liberties Union for Europe (Liberties), Open Rights Group (ORG), and Panoptykon Foundation. These new complaints come on top of similar ones lodged in 15 other EU countries over 2018 and 2019.

A group led by privacy activist Max Schrems filed complaints over Apple’s online tracking tool, with German and Spanish authorities on November 16. The allegation is that Apple breached European law by allowing iPhones to store users’ data without their consent.

The Dutch Authority for Consumers and Markets (ACM) welcomed Apple’s answer to the call made by 27 consumer authorities across the world, including ACM, united in ICPEN (International Consumers Protection and Enforcement Network) for transparency on the use of personal data by the apps in the App Store. Apple now indicates in the App Store what personal data each app uses, so app developers are required to include such information on their products’ pages.

In June, Apple announced iOS 14 updates that, among other changes, require apps to ask users for permission to collect and share data using Apple’s device identifier. Given the significant impact on businesses’ ability to market themselves and monetize through ads, on December 16 Facebook shared an update on preparing their partners for the iOS14 AppTrackingTransparency framework. Here is FB’s detailed guidance for developers.

Competition

On December 17, the European Commission approved, under the EU Merger Regulation, the acquisition of Fitbit by Google. The approval is conditional on full compliance with a commitments package offered by Google, to be applied for a period of ten years. Significant commitments on data include a restriction to use Fitbit data for advertising, a technical separation of data, and user consent obligations. Under the Web API Access Commitment, Google will maintain access to users’ health and fitness data to software applications through the Fitbit Web API, without charging for access and subject to user consent. There are also commitments on Android APIs, on the free license to Android to OEMs of public APIs covering all current core functionalities that wrist-worn devices need to interoperate with an Android smartphone (with specific safeguards). 

The European Commission issued a notice on December 2 reminding the economic operators of the legal situation applicable after the end of the transition period. The notice notably explains the relevant legal situation in the fields of antitrust and merger control. 

The Netherlands Authority for Consumers and Markets (ACM) has launched an investigation into payment apps’ access to NFC communication (‘Near-Field Communication’). NFC communication offers the ability to make contactless payments using smartphones in brick-and-mortar stores. The authority observed during the market study ‘Big Tech and the Dutch payment market’ that software on some smartphones only allows the software developer’s own payment app to connect to NFC communication, and considers that this problem “may stifle innovation with respect to payment apps, it reduces the freedom of choice for consumers and businesses” and needs to be further investigated.

In December the German Competition Authority (The Bundeskartellamt) initiated proceedings against Facebook, investigating the links between Oculus virtual reality products and the Facebook social network and Facebook platform. In early 2019 the Bundeskartellamt opened another abuse of dominance proceeding against Facebook. This complaint focused on the collection and use of data and prohibited the company from extensively collecting and merging user data from different sources. The restrictions are currently suspended, as the case is under appeal.

Cybersecurity 

On December 16, the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy presented a new EU Cybersecurity Strategy. It comprises two legislative proposals, aiming to strengthen cybersecurity for companies providing critical infrastructure and crucial sectors including energy, transport, financial services, cloud, telecoms, aerospace, health care, manufacturing, and central government IT services. One of the two proposals revises the Directive on security of Network and Information Systems (NIS Directive). Additional sectors have been proposed for inclusion in its scope, including certain digital services (social networking services platforms and data centre services). New requirements are proposed for “essential” and “important” service providers in critical sectors, such as reporting cyberattacks, implementing security policies, scrutinizing the security of suppliers, and the use of encryption technology.

A cyberattack on coronavirus vaccine makers in the EU was reported by the European Medicines Agency (EMA) in November. The Agency confirmed that information about the BioNTech/Pfizer coronavirus vaccine was “unlawfully accessed” and launched a full investigation, in close cooperation with law enforcement and other relevant entities.

The EU Agency for Cybersecurity (ENISA) published guidelines for securing the supply chain for IoT. The security guidelines cover the whole lifespan of IoT products: from requirements and design, through end-user delivery and maintenance, to disposal. The aim is to help IoT manufacturers, developers, integrators, and all stakeholders that are involved in the supply chain of IoT to make better security decisions when building, deploying, or assessing IoT technologies.

ENISA also released its Artificial Intelligence Threat Landscape Report, an active mapping of the major cybersecurity challenges facing the AI cybersecurity ecosystem.

The European Commission created the European Cybersecurity Atlas, a digital knowledge management platform to map, categorise, and stimulate collaboration between European cybersecurity experts in support of the EU Digital Strategy. The Atlas is a first of its kind and will be an important support to the forthcoming European Cybersecurity Competence Centre.

Miscellaneous

ICYMI, check out the annual State of European Tech, presented by Atomico.

Sifted, the startup Europe focused publication, presented the list of Europe’s startup unicorns. In 2020 so far, at least 10 new unicorns have been ‘born’ in Europe.

Twelve digital rights organizations have launched a coordinated campaign against the use of biometric identification technology, in Italy, Greece, the Netherlands, the Czech Republic, and Serbia.

A Dutch reporter hacked a videoconference of European Defense Ministers, a meeting with classified documents on the agenda. He used login information that had been negligently shared on the Dutch defense minister’s Twitter account, as reported by Politico.


By Karina Nimară

Director of EU Policy and Head of Brussels Office - Karina previously served as Legal Advisor and Internal Market attaché at the Permanent Representation of Romania to the EU. Prior to her work with the Romanian diplomatic mission, Karina spent ten years in European Union affairs within the Romanian Government. While there she coordinated, inter alia, the process for transposition and implementation of EU legislation. Karina holds a law degree and specializes in EU law and policies. Based in the Alliance’s Brussels office, she's a tech enthusiast, enjoying the dawn of the Age of Artificial Intelligence. Other than robots, she's fascinated with cats and owls.


©2020 Developers Alliance All Rights Reserved.