The April 2021 Developers Alliance European Policy Update
The European Commission’s Proposal On AI Is Pushing Strict Rules On Software Beyond AI And Beyond The EU Borders
The European Commission has published a legislative package on artificial intelligence that comprises two regulations: the Artificial Intelligence Act and an update to the regulation of machinery products. The Commission also adopted a New Coordinated Plan on AI, a strategy for using EU and Member States funding to create an ecosystem for research and development of AI across the EU.
The AI Act defines AI broadly, as “software that is developed with one or more of the techniques and approaches listed in an annex (which can be further updated) and can, for a given set of human-defined objectives, generate outputs such as content, predictions, recommendations, or decisions influencing the environments they interact with.” The annex includes different machine learning approaches, logic and knowledge-based approaches, statistical approaches, Bayesian estimation, as well as search and optimization methods.
The proposal also sets out the legal requirements for putting AI systems into the market, categorized from low-risk to high-risk. A ban is proposed for certain applications, such as those “that manipulate human behaviour to circumvent users’ free will” and systems that allow ‘social scoring’ by governments. For software used in the following areas, the proposal lays down a complex pre-market approval process (strict requirements certified by affixing the CE Mark): infrastructure (e.g. transport), education, safety component of products (e.g. medical devices, automated cars), employment (e.g. CV-sorting systems), private and public services (e.g. financial services), law enforcement, border control, administration (especially in justice). It is also proposed that some low-risk systems, such as chatbots, be under transparency requirements (so the users will be aware that they aren’t talking with humans).
A European AI Board will be set up for the enforcement of the regulation. There is a possibility for Member States to establish regulatory sandboxes. The proposal contemplates severe penalties for non-compliance: administrative fines for certain offences of up to €30 million or, if the offender is a company, 6% of its total worldwide annual turnover. The rules are intended to have an extraterritorial effect, to be imposed on “providers and users of AI systems that are located in a third country, where the output produced by the system is used in the Union”.
Here’s our preliminary assessment of the regulation. We are quite concerned about the broad definitions that capture software beyond the generally accepted notion of AI and useful applications, as well as by the disproportionate extraterritorial scope.
The European Commission opened a public consultation, inviting stakeholders to submit their opinions on the proposal until July 9th.
Calls For Total Ban Of Biometric Surveillance
The European Data Protection Supervisor expressed his regrets that the proposal doesn’t impose a “moratorium on the use of remote biometric identification systems – including facial recognition – in publicly accessible spaces.”
Before the publication of the proposal, a letter signed by 40 MEPs was sent to the European Commission asking for a ban on biometric surveillance in public places. This included any automated recognition of gender, sexuality, race/ethnicity, disability and other protected characteristics.
A similar second letter, signed by 35 MEPs, and inspired by advocacy groups led by the digital rights association EDRI, insists on eliminating various exceptions for law enforcement.
The Future Of Digital Ecosystems In The EU – Our Position On The Digital Markets Act
We submitted our position to the European Commission’s consultation on the Digital Markets Act. The DMA could benefit the EU by increasing transparency and creating a harmonized business environment within the digital market across the EU. We are highly concerned, however, that the arbitrary prohibitions of commercial behaviours based on assumptions of harm are likely to disrupt the 3rd party software ecosystem. We remain engaged with the EU co-legislators on the DMA as well as on the Digital Services Act (DSA), raising awareness on the unintended consequences of these upcoming regulations for the developer community.
European Parliament Final Vote On Terrorist Content Removal
In the latest plenary session the European Parliament approved the result of the inter-institutional negotiation with the Council concerning the regulation preventing the dissemination of terrorist content online. According to the regulation, online platforms will have to remove harmful content within one hour. Before the vote, a last call against the regulation was sent to the Parliament through a joint letter signed by several French associations, labour unions of lawyers and magistrates, and Wikimedia France. The Council already adopted the final text last month, so the text is ready to be published in the Official Journal of the EU. It will enter into force on the twentieth day following its publication and will begin to apply after one year.
Data Protection & Privacy
The European Parliament and the Council agreed on temporary exceptions from ePrivacy rules to maintain tools that identify online child abuse. The derogations will enable providers of web-based email, chats and messaging services to voluntarily detect, remove and report child sexual abuse online as well as using scanning technologies to detect cyber grooming. The interim regulation will be applicable for a maximum of three years, depending on when the new ePrivacy regulation will be adopted.
The European Data Protection Board (EDPB) has issued two opinions on the adequate protection of personal data in the United Kingdom, presented by the European Commission in February. The EDPB identified many aspects “to be essentially equivalent”, as there’s a “strong alignment” between the EU and the U.K. data protection frameworks. The EDPB has recommended the European Commission to “closely monitor such evolutions,” however, based on the political declarations of the UK Government. The UK has previously stated its intention to develop separate and independent policies in data protection. In the case of a UK divergence from the EU data protection law, the EDPB also recommended the Commission “take necessary actions including by amending and/or suspending (the adequacy) decision.” The UK has already declared the EU ‘adequate’, as the data flows from the UK to the EU fall under UK law. The data flows from the EU to the UK remain to be officially approved by the EU. The approval process is expected to be concluded at the end of May or early June, with Member States’ green light, thus allowing for free flow of data between the EU and the UK.
The Civil Liberties Committee (LIBE) of the European Parliament urged the Commission to issue detailed guidelines on how to make data transfers compliant with the recent EU Court of Justice ruling that invalidated the EU-US Privacy Shield. LIBE considers that the Commission should not conclude new adequacy decisions with third countries without taking into account the implications of EU court rulings. The majority of LIBE members expressed their “disappointment with the Irish Data Protection Commission and its decision to initiate the Schrems court case instead of independently triggering enforcement procedures in the EU’s GDPR, while also criticising the DPC’s long processing times.” They additionally called on the Commission to launch infringement procedures against Ireland for failing to enforce the GDPR effectively.
The EDPB has adopted a statement on international agreements including transfers, after receiving questions about the exchange of personal data between public authorities under existing international agreements in different areas. EU Member States are concerned about the international transfers of personal data relating to taxation (e.g. sharing financial records to detect money laundering and tax avoidance), social security, mutual legal assistance, police cooperation, etc. The EDPB stated that all agreements concluded before the entering into force of the GDPR and “which comply with Union law as applicable prior to that date, shall remain in force until amended, replaced or revoked”. It invited the Member States “to assess and, where necessary, review” such international agreements for “further alignment with current Union legislation and case law on data protection”.
A report of three European academy networks (ALLEA, EASAC and FEAM) on international sharing of health data for research shows that “there are significant hurdles for sharing data with researchers outside the EU/EEA, including EU collaborative research studies, when other countries may not have equivalent legal frameworks.”
The Belgian Constitutional Court annulled parts of the national law on the data retention regime, in accordance with the interpretations of the Court of Justice. In the same spirit, the French highest administrative court issued a similar ruling, rejecting the government’s arguments against the Court of Justice’s competence to decide on national security issues. Joint rulings in October 2020 from the Court of Justice concerning the Belgian, French and UK data retention regimes were clear that obligations to retain communications data in a “general and indiscriminate” way violate EU data protection and privacy standards. The only exception permitted by the EU Court is “a serious threat to national security.”
The draft policy of the European cloud initiative Gaia-X proposes rules that would allow customers to demand that their data be processed and stored exclusively in the EU, and also would make cloud providers disclose what foreign laws they are subject to as well as the location of their servers. Other proposed rules would require cloud providers not to access customer data, but to ensure “appropriate handling of government investigation requests” for legal reviews and “limitation of access to or disclosure of data”.
The Irish DPC launched an inquiry into Facebook concerning a collated dataset of user personal data that was made available on the internet, following multiple international media reports. Regarding the same incident, the Italian DPA has requested Facebook to take measures to limit risks and “to immediately offer a service enabling all Italian users to check whether their phone numbers or email accounts were affected by the breach.”
The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) has started proceedings against Facebook. They aim to issue an immediately executable order not to collect any data from WhatsApp users and to process it for their own purposes. The proceedings are based on the presumption of a lack of voluntary and informed user consent.
The privacy advocate noyb filed another complaint, this time with the French Data Protection Authority against Google’s AAID (Android Advertising Identifier), for lack of user consent, following similar complaints against Apple’s IDFA in November of 2020.
The European Data Protection Supervisor (EDPS), together with the Spanish Data Protection Authority (AEPD), has published a joint paper on 10 misunderstandings related to anonymisation. The document aims to raise awareness about common misunderstandings related to anonymisation and to serve as motivation “to check assertions about the technology, rather than accepting them without verification.”
The European Commission has opened three antitrust investigations into Apple’s App Store rules. The Commission is assessing the mandatory use of Apple’s own proprietary in-app purchase system “IAP” for the distribution of paid digital content and the related 30% commission on all subscription fees through IAP. The Commission issued a Statement of Objections, informing Apple of its preliminary view that “it distorted competition in the music streaming market, as it abused its dominant position for the distribution of music streaming apps through its App Store.” The other investigation concerns the restrictions placed on developers’ ability to inform users of alternative purchasing possibilities outside of apps. The investigations follow separate complaints by Spotify and by an ebook/audiobook distributor. The third investigation concerns Apple’s terms, conditions and other measures for integrating Apple Pay in merchant apps and websites on iPhones and iPads, Apple’s limitation of access to the Near Field Communication (NFC) functionality (“tap and go”) on iPhones for payments in stores, and alleged refusals of access to Apple Pay.
The UK Competition and Markets Authority (CMA) has established the Digital Markets Unit (DMU), to be in charge of the upcoming regulatory regime for firms with “Strategic Market Status.” For the time being, the DMU will function on a non-statutory basis, waiting for the adoption of the necessary legislation for its powers and the new regulatory regime for digital markets. In contrast to the EU’s DMA proposal, based on a non-rebuttable presumption of harmful behaviours, the UK’s approach for preserving competition in digital markets is focused more on evidence gathering, case-by-case assessment, and targeted remedies through codes of conduct.
Reuters has reported that the Bundeswettbewerbsbehörde (BWB), the Austrian competition authority, has sent a referral to the European Commission regarding Facebook’s acquisition of customer service platform Kustomer. The purchase was not supposed to be scrutinized by Brussels, as it falls below the regulatory thresholds previously set for review at the EU level. On March 26 the European Commission published new guidance on article 22 of the Merger Regulation, encouraging national competition authorities to refer mergers and acquisitions that fall below the thresholds when they are presumed as potentially harmful. According to the Commission, “cases that will normally be appropriate for such a referral consist of transactions where the turnover of at least one of the companies concerned does not reflect its actual or future competitive potential. This could be the case of a start-up or recent market entrant with significant competitive potential or an important innovator.” The new approach is more likely to affect the transactions in the technology and pharmaceutical sectors.
The UK Competition and Markets Authority (CMA), German Bundeskartellamt (BKA) and Australian Competition and Consumer Commission (ACCC) have issued a joint statement on their intention to apply stronger merger controls. The stricter scrutiny is targeted mostly at “big tech” acquisitions.
The German Advertising Federation (ZAW) has filed a complaint against Apple to Bundeskartellamt (BKA), Germany’s national competition regulator, on behalf of eight industry associations from the German media and communications industry. The ZAW argues that Apple is abusing its market power and violates antitrust law by imposing the iOS 14.5 feature App Tracking Transparency (ATT). The complaint stems from the recent amendments to the Act Against Restraints Of Competition (GWB), which came into force at the beginning of the year. The Act gives the BKA special intervention powers in order to intervene in the practices of multiple companies which have been identified as of “paramount significance for competition across markets.”
The French Competition Authority, Autorité de la concurrence, published a sectoral market study into fintech. The conclusions point out risks related to the strengthened market power of BigTech and foreclosure of consumers, and restrictions on access to data held by payment services providers. Additionally, the study is “calling into question the universal banking model and marginalization of traditional banking players” by disruptive developments.
The European Parliament formally approved the agreement setting the rules for the future EU-UK relationship. The agreement has been retroactively applied to take effect 1 January 2021. The Parliament’s vote will begin enforcement once the Council has concluded on 30 April.
The founders and CEOs of over thirty European unicorns called upon EU institutions and the Member States to invest and support a set of 8 strategic measures for “the rise of a European innovation ecosystem.” The beneficiaries would be European software and hardware startups, deep tech and green tech startups. The representatives of these European unicorns met with European Commissioner for Innovation, Research, Culture, Education and Youth, Mariya Gabriel, to promote the idea of a “European Sovereign Tech Fund, which should use European Public Funding to leverage at least €100 billion, in public/private funding to anchor European champions and so crowd in private capital.”