The June and July 2023 European Policy Update
Data Protection & Privacy
The European Commission has adopted the new adequacy decision for EU-U.S. data flows. Companies participating in the Data Privacy Framework (DPF) will be able to transfer personal data from the EU without additional data protection safeguards. The DPF is administered and monitored by the US Department of Commerce.
Max Schrems, the Austrian privacy activist who obtained the invalidation of the previous two data flow frameworks by the EU Court of Justice, has announced that NOYB (the NGO he leads) is already preparing a third challenge. He also sent an open letter to EU Commissioner Didier Reynders objecting to a statement made during the presentation of the EU-US Trans-Atlantic Data Privacy Framework, in which the Commissioner referred to activists and NGOs bringing cases before the CJEU as a business model.
The European Commission has proposed new rules for harmonized GDPR enforcement in cross-border cases. The GDPR Procedural Regulation will set out rights for complainants and the parties under investigation (controllers and processors) and detailed rules for streamlining cooperation and dispute resolution between national data protection authorities (DPAs).
The Norwegian Data Protection Authority has imposed a temporary ban on behavioral advertising on Facebook and Instagram. The order is based on a recent interpretation of the EU Court of Justice in a competition case, stating that “the personalized advertising by which the online social network Facebook finances its activity, cannot justify, as a legitimate interest pursued by Meta Platforms Ireland, the processing of the data at issue, in the absence of the data subject’s consent.” The ban will apply from 4 August for three months, or “until Meta can show that it complies with the law” and only with regard to users in Norway.
The French Data Protection Authority (CNIL) has fined Criteo, a large French adtech company, € 40 million for failing to obtain users’ consent for personalized advertising. The CNIL found that Criteo breached several GDPR requirements, from proper transparency for users, to failure to delete and remove user data on request, to failure to “provide for an agreement between joint controllers.” The CNIL also found that, although Criteo did not know users’ names, the data was “sufficiently accurate to re-identify individuals” in some instances, and notes that it took into account Criteo’s business model, “which relies exclusively on its ability to display to internet users the most relevant advertisements to promote the products of its advertiser customers and thus on its ability to collect and process a huge amount of data.”
The Irish Data Protection Commission has published Guidance on Legal Bases for Processing Personal Data. Article 6 of the GDPR provides several legal bases for data processing: consent, contract, legal obligation, vital interests, public task, and legitimate interests. The guidance aims “to assist controllers in identifying the correct legal basis for any processing of personal data which they undertake or plan to undertake – and the obligations which go with that legal basis.”
The Swedish Data Protection Authority (IMY) has audited how four companies use Google Analytics for web statistics and issued fines against two of them: the telecommunications provider Tele2 (about € 1 million) and the online retailer CDON, for using Google Analytics on their websites. The investigation followed NOYB’s 101 complaints on unlawful EU-US data transfers. While the Austrian, French and Italian DPAs have already found that using Google Analytics violates the GDPR, this is the first time a financial penalty has been imposed on companies for using it. IMY notes that “all four companies have based their decisions on the transfer of personal data via Google Analytics on standard contractual clauses,” while “none of the companies’ additional technical security measures are sufficient.”
The IMY has also issued a fine of about € 5 million against Spotify. The decision follows a complaint by NOYB and finds that Spotify did not fully respect users’ right to access all their data and to receive information on how their data is used.
The Italian Data Protection Authority has requested clarifications from Pornhub on its user profiling and tracking systems. The Italian DPA wants to know whether the Cypriot company that manages the site “carries out profiling of users, and, if so, by what means and for what purposes” and “whether the data collected is communicated to third parties.”
Competition in digital markets
A landmark decision of the EU Court of Justice (CJEU) allows competition authorities to consider GDPR compliance when assessing market power. The judgment was delivered following Meta’s appeal against the German Competition Authority (Bundeskartellamt) in a case dating from 2019. The Bundeskartellamt had prohibited the processing of so-called “off-Facebook data” collected from German users without their consent and had asked for the Ts&Cs to be modified accordingly. The CJEU ruled that competition authorities should not supersede the data protection watchdogs, but may consider data protection breaches “merely to establish an abuse of a dominant position and impose measures to put an end to that abuse on a legal basis derived from competition law.” The Court took the view that “the personalized advertising by which the online social network Facebook finances its activity, cannot justify, as a legitimate interest pursued by Meta Platforms Ireland, the processing of the data at issue, in the absence of the data subject’s consent.” The Court also held that a dominant position on the social network market “constitutes an important factor in determining whether the consent was in fact validly and, in particular, freely given” and that “this is for the operator to prove.”
The European Commission has announced seven prospective gatekeepers under the DMA. By the deadline of 3 July 2023 set by Regulation (EU) 2022/1925 on contestable and fair markets in the digital sector (Digital Markets Act or DMA), the Commission received notifications from the following companies: Alphabet, Amazon, Apple, ByteDance, Meta, Microsoft, and Samsung. These companies meet the quantitative thresholds set by the DMA for designation as ‘gatekeepers.’ After assessing each of them, the Commission will issue designation decisions, giving the designated companies six months to comply with the requirements of the DMA, at the latest by 6 March 2024.
The European Commission has published a template for reporting acquisitions under the DMA. According to Article 14(1) of the DMA, designated gatekeepers must inform the Commission of any intended concentration “where the merging entities or the target of concentration provide core platform services or any other services in the digital sector or enable the collection of data.”
The European Commission considers that Google distorts competition in the adtech market and hints at mandatory divestment. Its Statement of Objections preliminarily finds that Google is dominant in the European Economic Area-wide markets for publisher ad servers and for programmatic ad buying tools for the open web. The Commission sees Google as “active on both sides of the market with its publisher ad server and with its ad buying tools and holds a dominant position on both ends,” while also operating “the largest ad exchange.” The Commission dismisses a priori any potential behavioral remedies, which are common in competition cases, and states that “only the mandatory divestment by Google of part of its services would address its competition concerns.”
The Bundeskartellamt has issued a Statement of Objections against several of Google’s practices in connection with Google Automotive Services and the Google Maps Platform. The German authority takes issue with Google Automotive Services, which bundles the Google Maps map service, a version of the Google Play app store and the Google Assistant voice assistant, running on the Android Automotive Operating System (AAOS). It will investigate the impact of contractual agreements that impose default settings on interoperability with third-party services.
The UK Competition and Markets Authority (CMA) has issued a notice of extension for the Microsoft/Activision merger. The deadline was extended to August 29th after the CMA received “a detailed and complex submission from Microsoft.” The CMA had blocked the transaction, but it now needs to consider the situation in the context of a recent US federal court ruling dismissing a similar attempt by the Federal Trade Commission (FTC). The transaction has been cleared by other competition watchdogs around the world.
An open letter setting out the position of scientists and researchers on the EU’s proposed Child Sexual Abuse Regulation has gathered more than 450 signatories across 38 countries. The letter urges policymakers to consider the following:
– that the proposed detection technologies are deeply flawed and vulnerable to attacks
– the technical implications of weakening end-to-end encryption
– the effectiveness of the technologies imposed by the draft regulation.
A European Commission blog post defends the proposal, dismissing the arguments put forward by “technology sector academics” as “technical hypotheticals.” In exchange, it offers the regulation’s weak safeguards and the bold, absolute statement that “the law leaves no space for any malicious actor to intervene.”
The European Commission has organized a stakeholder event on the implementation of the Digital Services Act (DSA). The discussions, across multiple workshops, addressed issues related to disinformation, online hate and extremism, freedom of expression and media pluralism, privacy and child protection, dark patterns and advertising, risk assessments and algorithms, data access for researchers, etc.
The European Commission has kick-started the EU Code of Conduct for age-appropriate design. The code should support the implementation of the DSA, especially the provisions dedicated to safeguarding minors. It will be developed by a Special Group led by the Commission and comprising 21 representatives from industry, academia and civil society.
Amazon has contested its designation as a very large online platform (VLOP) under the DSA, as has the German retail platform Zalando. Both companies have challenged the European Commission’s designation decisions before the EU courts. The DSA imposes stricter obligations on very large online platforms with over 45 million users in the EU, which are deemed to present a systemic risk.
The inter-institutional negotiations on the AI Act have started, after the European Parliament officially approved its position. The Parliament wants a full ban on AI for biometric surveillance, emotion recognition, and predictive policing. It proposes specific rules for generative AI and adds to the list of ‘high-risk AI’ the recommender systems used by large social media platforms (with over 45 million users). The EP also proposes human rights and environmental risk assessments.
More than 150 executives from large, well-known European companies have issued a warning about a rigid AI Act, as the Financial Times reports. The open letter urges EU policymakers to consider the future high compliance costs and liability risks for companies in the EU.
The British Standards Institution has issued its “EU AI Act Readiness Assessment and Algorithmic Auditing.” BSI aims to support companies by measuring AI compliance against technical standards, based on “in-depth technical analysis including fairness testing, bias detection, and robustness testing.” It notes, however, that compliance assessments have limitations, as “not all the relevant standards will be available during the transition period.”
The UK has announced that it will host the first major global summit on AI safety. The event is planned for autumn this year to “focus on the risks of AI, including frontier systems, and discuss how they can be mitigated through internationally coordinated action.”
Developers Alliance has put forward joint industry recommendations for the Cyber Resilience Act (CRA). Developers Alliance and the Information Technology Industry Council, in collaboration with the Computer & Communications Industry Association and BSA – The Software Alliance, have presented concrete recommendations to the EU co-legislators, targeting the remaining issues in the Cyber Resilience Act proposal.
The four industry associations urge EU lawmakers to pay attention to the following:
- consistency with other applicable legislation
- a clearer and narrower scope for the regulation
- a more proportionate, risk-based approach to determining the risk level of a product with digital elements
- less burdensome reporting obligations that do not increase cyber risk
- avoiding disproportionate or impossible obligations.
Developers Alliance has also co-signed a specific statement regarding the reporting obligations of unpatched vulnerabilities under the CRA, joining a broad coalition of diverse national, European, and international associations active across different sectors.
Both the Council and the European Parliament have set out their positions on the CRA and will start negotiating the final text for adoption. One of the Parliament’s main amendments is the extension of the list of critical products to include identity management system software, password managers, biometric readers, smart home assistants, smart watches and private security cameras. It also proposes that security updates should be installed automatically “when technically feasible” and separately from functionality updates. The Council’s amendments also focus on the different categories of products in scope. The Council further proposes that actively exploited vulnerabilities and incidents be reported to national authorities instead of to the EU agency ENISA, criteria for manufacturers to determine the expected product lifetime, and a simplified declaration of conformity. Both co-legislators are paying attention to support measures for SMEs and to exempting free and open source software developed outside commercial activities.
The European Union Agency for Cybersecurity (ENISA) has released four reports on AI and cybersecurity. One report proposes a scalable framework based on good cybersecurity practices for AI. Two reports focus on cybersecurity and privacy threats, as well as vulnerabilities that could be exploited, in two use cases: forecasting demand on electricity grids and medical imaging diagnosis. The fourth report shows the need for further research on AI for cybersecurity.
The new General Product Safety Regulation (GPSR) has entered into force, with potential legal obligations for software developers. The regulation applies to all non-food products sold offline or online, including digitally connected products. Providers of standalone or embedded software could fall within the scope of the regulation and need to comply with the applicable requirements. Products should be placed on the EU market only after an assessment of compliance with the applicable safety requirements. The GPSR provides that new technologies, including software updates, that might substantially modify the original product should be subject to a new risk assessment if that substantial modification has an impact on the safety of the product. Persons carrying out such a substantial modification qualify as manufacturers under the GPSR. Developers outside the EU that are manufacturers of digital products reaching the EU market must have a legal representative in the EU.
The negotiations on the Data Act have been finalized. The Council has endorsed the agreed text, and the EP plenary will formally adopt it in autumn. The regulation imposes the sharing of data generated through the use of connected products or related services, letting users decide who gets access to the data they generate. The objective is to support the markets for after-sales services and repairs of connected devices. It also regulates switching between cloud service providers and introduces restrictions on international data transfers by cloud service providers similar to those applicable to personal data under the GDPR. The regulation further enables public sector bodies to access and use data held by the private sector in exceptional circumstances or emergencies.
The scope of the regulation is quite broad, covering various sectors, from household IoT to automotive and industrial machinery. Developers Alliance engaged with EU lawmakers in particular on the notion of ‘related services’, as it could (unintentionally) cover software and digital services that are not directly related to the core functions of an IoT product.
The Data Act will apply from the second half of 2025.
The EU Digital Wallet has been agreed upon. The regulation sets up an EU digital identity app, which will allow European citizens to identify themselves digitally for public and private online services, and to store and manage identity data and official documents in electronic format (e.g., driving licences, medical prescriptions, or education qualifications). The EU Digital Identity is also envisaged for age verification for access to online content.
The European Commission proposes enhanced access to financial data. It has put forward two legislative proposals: PSD3, updating the Payment Services Directive (PSD2), and a framework for Financial Data Access. The main objectives are to improve consumers’ payment experience and their access to various financial services, and to support fintechs. Following a user-centric approach, the Financial Data Access framework sets out clear rights and obligations for managing customer data sharing in the financial sector beyond payment accounts.
ESMA, the EU’s financial markets regulator and supervisor, has published a consultation package under the Markets in Crypto-Assets Regulation. It invites comments from stakeholders by September 20th on CASP (crypto-asset service provider) applications (incl. application templates), complaint handling, and conflict of interest management.
The European Banking Authority (EBA) is seeking views on draft technical standards on EU market access of issuers of asset-referenced tokens under the Markets in Crypto-Assets Regulation (MiCAR). The deadline for the submission of comments is October 12th. The EBA will also hold a virtual public hearing on September 21st.
The EBA has issued a guiding statement “for the attention of financial institutions and other undertakings who intend to commence or have commenced, asset-referenced token (ART) or electronic money token (EMT) activities prior to June 30th 2024 (the application date for the relevant provisions of the Markets in Crypto-assets Regulation – MiCAR) and for competent authorities.”
BEUC, the European Consumer Organization, is complaining about social media platforms facilitating misleading crypto asset promotion. BEUC and nine of its members (in Denmark, France, Greece, Italy, Lithuania, Portugal, Slovakia, and Spain) have filed a complaint with the European Commission and the network of national consumer authorities against Instagram, YouTube, TikTok, and Twitter for facilitating the misleading promotion of crypto assets. BEUC laments that MiCAR “does not apply to the social media companies benefiting from the advertising of crypto at the expense of consumers.”
The European Commission has proposed a strategy on Web 4.0 and virtual worlds. The strategy sets four main directions for support measures: skills, a European Web 4.0 industrial ecosystem, virtual public services, and “shaping global standards for open and interoperable virtual worlds and Web 4.0.” For the latter, the EU’s objective is to prevent domination by a few big players and to “promote Web 4.0 standards in line with the EU’s vision and values.”
The UK Information Commissioner’s Office (ICO) is concerned about the risk of discrimination posed by newly emerging neurotechnologies. It has published a report exploring future developments in neurotechnology (from the workplace and employee hiring, to sports, personal health and wellbeing, to marketing and video games). The ICO shows that “discrimination in neurotechnology could occur where models are developed that contain bias, leading to inaccurate data and assumptions about people and communities” and that “neurodivergent people may be particularly at risk of discrimination.”