The New Year Starts With Permanent Scrutiny And The Looming Spectre Of Regulations

The January 2022 Developers Alliance UK & EU Policy Update.


Critical Amendments To The Digital Services Act

The European Parliament has set its position on the Digital Services Act (DSA). The text approved by the plenary contains significant amendments to the initial proposal put forward by the European Commission:

  • Restrictions on personalised advertising: 

    • Ban on personalized ads for minors and the use of sensitive data; 

    • Extended transparency for users, including on how their data will be monetised; refusing consent should be as easy as giving it; 

    • In case of no consent or consent withdrawn, users should have access to the online platforms, with “options based on tracking-free advertising.”

  • Prohibition of deceiving or nudging techniques to influence users’ behaviour, otherwise known as “dark patterns.”

  • An obligation for very large online platforms to provide “at least one recommender system that is not based on profiling.”

  • An obligation for service providers to respect in their terms and conditions the freedom of expression and freedom and pluralism of the media.

  • Users’ right to use and pay for digital services anonymously.

  • Compensation and redress for users for any damages resulting from platforms not respecting their due diligence obligations.

  • Platform data disclosure to law enforcement and researchers.

  • Additional exemptions for micro and small enterprises from certain obligations.

The negotiations with the French Presidency of the Council of the EU, representing the Member States, have already started. The goal of the negotiations is to reach a final agreement and adopt the regulation this year. After the EP’s vote, Developers Alliance published our reaction highlighting concerns with the lack of clarity and the complexity of the proposal, especially how certain provisions are supposed to be implemented.

UK’s Content Regulation Is Under Way

The UK’s House of Commons Digital, Culture, Media and Sport Committee has published its report on the Draft Online Safety Bill. The bill provided two months for the Government to respond to several outlined issues. The Committee proposed several amendments to the definition and scope of harms covered by the regime in order to address the protection of freedom of expression and various types of illegal and harmful content on user-to-user and search services. It suggested including “types of content that are technically legal, such as insidious parts of child abuse sequences like breadcrumbing and types of online violence against women and girls like tech-enabled ‘nudifying’ of women and deepfake pornography.” The report also includes recommendations to address the proportionality of the provisions regarding enforcement. 

Competition

The Netherlands Authority for Consumers and Markets (ACM) has ordered Apple to adjust the conditions for accessing the App Store for dating-app providers. In concrete terms, Apple has to allow those apps to use alternative payment systems other than the Apple-controlled App Store system. Apple announced that, in order to comply with the ACM’s order, it will provide specific entitlements only available for dating apps on the Netherlands App Store. Dating app developers using these entitlements will have to submit a separate app binary for iOS or iPadOS that may only be distributed in the Netherlands App Store. Also, the dating apps that are granted an entitlement to link out or use a third-party in-app payment provider will pay Apple a commission on transactions. ACM considered that Apple has failed to satisfy the requirements of the order and asked Apple to enable dating-app developers to use both payment systems outside of the app and an alternative payment system. Otherwise, Apple will be subject to a weekly penalty payment of €5 million, up to a maximum of €50 million.

The European Commission has approved the acquisition of Kustomer by Meta, under conditions. Meta committed to guaranteeing, for ten years, access without discrimination to its messaging software for competing providers of customer relationship management software, as well as to keep making improvements to Messenger, WhatsApp and Instagram software available to Kustomer’s rivals. The acquisition was also cleared by the UK’s CMA in September last year.

Meta has appealed the CMA’s Decision on the acquisition of Giphy to the U.K.’s Competition Appeal Tribunal. In November 2021, the CMA ordered Meta to sell Giphy and to take a number of further measures for the purpose of unwinding the merger. The appeal challenges the order on six grounds, as unlawful and procedurally flawed. It underlines that the CMA’s decision “does not contain any finding that it is probable that Giphy would have become a meaningful competitor to the Applicant on any UK advertising market in the future.” The CMA considered that “Giphy’s advertising services had the potential to compete with Facebook’s own display advertising services,” despite the fact that Giphy wasn’t active in the UK advertising market. The case has significant importance in the context of the increased scrutiny of tech acquisitions by competition authorities worldwide. The value of the transaction put it under the usual threshold of intervention in different jurisdictions, including the US. In the EU only Austria is currently investigating it, as the country has recently raised the threshold for mergers and acquisitions. The UK’s approach of ordering the divestiture of a merger of two companies not established in its jurisdiction could represent a dangerous precedent for the future of acquisitions in the tech sector. 

The CMA has secured changes to Microsoft’s Xbox subscription practices. Following the inquiry in the online console video gaming sector, the CMA identified issues about certain features of Microsoft’s auto-renewing subscription. The changes will ensure better upfront information, the option for existing customers on recurring 12-month contracts to end their contract and claim a pro-rata refund, to end payments for inactive users, and improved notifications about price increases.

The CMA has launched a market study into the music streaming market, “paying particular attention to the roles played by record labels and music streaming services.” The study is intended to build “a deeper understanding of how firms in the market influence listeners’ choices and experiences.” It will assess the state of competition between music companies and its impact on musicians, singers, songwriters and consumers. The CMA is inviting stakeholders to comment by February 17, 2022.

The CMA has also announced the launch of an inquiry into the anticipated acquisition by NortonLifeLock Inc. of Avast plc.

The German Competition Authority (Bundeskartellamt) has designated Alphabet Inc. and its subsidiary Google as companies of “paramount significance for competition across markets”, which makes them subject to extended scrutiny by the competition authority. An amendment to the German Competition Act (Section 19a of the German Competition Act (GWB)), which entered into force in January 2021, enables the Bundeskartellamt to intervene earlier and with extended powers. Specifically, it allows interventions against the practices of large digital companies and prohibits them ex-ante from engaging in various commercial practices that are considered anti-competitive. Currently, the Bundeskartellamt is investigating Google’s data processing terms and the Google News Showcase online service. The Bundeskartellamt has also announced that, for discretionary reasons, it discontinued antitrust administrative proceedings against Alphabet Inc. regarding the treatment of so-called higher-quality Transport Layer Security certificates by web browsers.

The European Commission has presented the final report of the competition sector inquiry into the consumer Internet of Things (IoT). The main findings of the sector inquiry on the Consumer IoT cover aspects related to: 

  1. …the characteristics of consumer IoT products and services, 

  2. …the features of competition in these markets, 

  3. …the main areas of potential concern.

The report identifies several potential competition concerns:

  • …exclusivity and tying practices in relation to voice assistants, practices limiting the possibility to use different voice assistants on the same smart device.

  • …the intermediary position of voice assistants and smart device operating systems between users and the providers of smart devices or consumer IoT services. The Commission considers that this role, “combined with their key role in the generation and collection of data, would allow them to control user relationships.” 

  • …the extensive access to data, including information on user interactions with third-party smart devices, and consumer IoT services by providers of voice assistants. This would “allow voice assistant providers to improve their market position and to leverage more easily into adjacent markets.”

  • …the lack of interoperability in the consumer IoT sector due to the prevalence of proprietary technology, leading at times to the creation of “de facto standards.” The Commission specifies that “in particular, a few providers of voice assistants and operating systems are said to unilaterally control interoperability and integration processes and to be capable of limiting functionalities of third-party smart devices and consumer IoT services, compared to their own.”

The sector inquiry will guide further enforcement and regulatory measures, as well as prompt companies to review their commercial practices. In particular, the Commission notes Amazon’s recent revision of some of the business-to-business conditions applicable to its automatic and smart product reordering services.

The French Competition Authority has announced an assessment of the cloud sector. It will focus on defining the relevant markets, the position, interaction, and competitive advantages of the various players involved at different levels in the value chains, as well as commercial practices. The Authority will organise a broad public consultation around the summer and issue the final conclusions in early 2023.

Data Protection & Privacy

The European Data Protection Supervisor (EDPS) has ordered Europol to delete the personal data of persons with no established link to criminal activities. The binding decision is the outcome of an inquiry into Europol’s data protection practices, launched in 2019. Europol was found in breach of the principles of data minimization and data retention, hence it has to comply with a 6-month retention period to filter and extract the personal data from the databases (Data Subject Categorisation). Meanwhile, an updated mandate for Europol is being negotiated by the EU co-legislators, which, according to the current draft, would allow Europol an extended retention period of three years, to sort the personal data that is relevant for criminal investigations.

The Austrian Data Protection Authority (Datenschutzbehörde/DSB) has decided that the continuous use of Google Analytics violates the GDPR, following a complaint of digital rights NGO noyb, led by Austrian activist Max Schrems. The decision is based on the Court of Justice’s “Schrems II” decision, which stated that data transfers between the EU and the US are not compatible with the GDPR, as the US is not providing sufficient safeguards to ensure equivalent protection of data of EU citizens. The Dutch data protection authority (AP) has announced that it is currently investigating two complaints regarding the use of Google Analytics in the Netherlands, noting the DSB’s decision. 

Additionally, the European Data Protection Supervisor (EDPS) has issued a decision after a complaint filed by noyb, finding the European Parliament in violation of the GDPR by using Google Analytics and the payment provider Stripe on its COVID testing website. The EDPS stated that the website transferred data to the US without ensuring an adequate level of protection for the data: “…the Parliament provided no documentation, evidence or other information regarding the contractual, technical or organisational measures in place to ensure an essentially equivalent level of protection to the personal data transferred to the US in the context of the use of cookies on the website.”

German publishers, advertisers, as well as media and industry groups have filed a formal complaint to the European Commission about Google’s Privacy Sandbox. Financial Times reported the project was designed to phase out support for third-party cookies from the Chrome browser and develop more privacy-respecting ad tools alternatives. The publishers are now complaining about the intermediary role of Google and demand to “remain in a position where they are allowed to ask their users for consent to process data.”

The French Data Protection Authority (CNIL) has fined Google €150 million and Facebook €60 million for not allowing users to refuse cookies as easily as to accept them. The sites facebook.com, google.fr, and youtube.com need to ensure compliance with the order within 3 months. 

The French highest administrative court rejected Google’s request for annulment of a €100 million fine imposed by CNIL in December 2020 for non-compliance with the ePrivacy directive. The breach consisted of the automatic upload of cookies on users’ devices “without prior consent or satisfactory information.”

CNIL has published an updated GDPR Guide for developers. The revised version (available only in French) contains 18 thematic sheets as guidance tools for each phase of a project, a list of vulnerabilities that pose risks for non-compliance, as well as practical examples including code snippets.

The European Data Protection Board (EDPB) has adopted Guidelines on the Right of Access. The Guidelines provide clarification on the scope of the right of access, including  

  • the information the controller has to provide to the data subject,

  • the format of the access request, 

  • the main modalities for providing access,

  • and the notion of manifestly unfounded or excessive requests. 

The Guidelines will be subject to public consultation for a period of 6 weeks.

During the January plenary, the EDPB also adopted a letter specifying a consistent interpretation of cookie consent. In addition, the EDPB has recently established a task force on cookie banners, to coordinate the response to complaints. The EDPB has updated the Guidelines on consent “in order to ensure a harmonized approach on the conditionality of consent and on the unambiguous indication of wishes.”

Consumer Protection

The European Commission and the network of national consumer authorities (CPC) asked WhatsApp to clarify the recent changes to its terms of service and privacy policy and to ensure their compliance with EU consumer protection law. The request follows an alert by the European Consumer Organisation BEUC. WhatsApp has to respond on the following issues: 

  • whether sufficiently clear information is given to consumers on the consequences of their decision to accept or decline the company’s new terms of service; 

  • the fairness of WhatsApp’s in-app notifications prompting consumers to accept the new terms and privacy policy; 

  • whether consumers have an adequate opportunity to become acquainted with the new terms before accepting them and the exchange of users’ personal data between WhatsApp and third parties or other Facebook/Meta companies.

The European Commission and national consumer protection authorities of 26 Member States, Iceland and Norway presented the results of an EU-wide website screening (“sweep”) on online consumer reviews. 223 major websites were checked for misleading consumer reviews. Almost two-thirds of the online shops, marketplaces, booking websites, search engines, and comparison service sites analysed triggered doubts about the reliability of the reviews. In the case of 144 websites, the authorities could not confirm that these traders were doing enough to ensure that reviews are authentic, i.e. that they were posted by consumers who actually used the product or service that they reviewed.

The UK consumer rights organisation Which? issued the results of an investigation on dating app Tinder showing price discrimination based on age. There was no evidence that sexuality, gender, or location make a difference to pricing, but the results revealed that 18 to 29-year-old UK users typically paid less than all other age groups.

Cybersecurity

To mark Data Protection Day, the European Union Agency for Cybersecurity (ENISA) has published a new report on data protection engineering. The report aims to support practitioners and organisations with the practical implementation of the technical aspects of data protection by design and by default. It provides an analysis of possible strengths of techniques in several areas including anonymisation, data masking, privacy-preserving computations, storage, transparency, and user control tools. ENISA also opened a call for expression of interest to participate in an Ad Hoc Working Group in the area of Data Protection Engineering (open until 15 February 2022 at 12:00 noon EET (Athens time zone)). The role of the group will be “to support the analysis of available or emerging technologies and techniques in the area in order to identify and highlight good practices and innovative security techniques.”

ENISA has also published two reports on digital identification: an analysis of self-sovereign identity and a study of major face presentation attacks. The first report presents what self-sovereign identity technologies (SSI technologies) are and explores their potential to achieve greater control of users over their identities and data, cross-border interoperability, mutual recognition, and technology neutrality, as required by the EU regulation on electronic identification and trust services (eIDAS Regulation). The other report, on remote identity proofing, is an update of the previous report Remote ID Proofing of ENISA. That report is an analysis of the different methods used to carry out identity proofing remotely. The new report analyses the different types of face recognition attacks and suggests countermeasures. It also validates the security controls introduced in the previous report and offers further recommendations on how to mitigate identified threats.

Another ENISA report published this month, Interoperable EU Risk Management Framework, provides an assessment of the existing risk management frameworks and methodologies in order to identify those with the most prominent interoperable features.

The UK Government has opened a consultation for a proposal to regulate the cyber profession, following the launch, in March 2021, of the UK Cyber Security Council, as “the new professional body to lead the cyber workforce.” In the Ministerial foreword, Julia Lopez MP, Minister for Media, Data, and Digital Infrastructure, notes that “the term ‘cyber professional’ encompasses many different specialists covering those who design systems to be more secure, those who test security, those who research threats, those who detect intrusions, those who respond to incidents and many more.” The proposal is to empower the UK Cyber Security Council to define and set professional standards for cyber security experts, as well as to provide clearer information for young people and professionals and pathways into the cybersecurity field. The regulation will follow the model of other traditional regulated professions, such as those in the fields of accounting, law or engineering. Feedback can be submitted via the online consultation tool, until 20 March 2022 at 11:45 pm.

Miscellaneous

The UK’s Financial Conduct Authority (FCA) has proposed restrictions on the marketing of crypto assets. The intention is to categorise qualifying crypto assets as ‘Restricted Mass Market Investments’. The companies promoting such assets will have to adhere to FCA rules (e.g. promotions should be clear, fair and not misleading) and the consumers would be able to respond only to those crypto assets promotions which are classified as restricted, high net worth or sophisticated investors. The FCA is inviting feedback by March 23 and plans to adopt the new rules later this year, in summer. 

The EU is also seeking to have better scrutiny of the markets in crypto-assets and proposed a regulation (MiCA) that could be adopted soon.

The UK Information Commissioner’s Office (ICO) has criticised the Home Office-backed campaign (#NoPlaceToHide) calling for a delay of the roll-out of end-to-end encryption (E2EE) by tech companies, until they can ensure the safety of their users. ICO emphasized that “the discussion on end-to-end encryption use is too unbalanced to make a wise and informed choice” and called for the consideration of the significant benefits of E2EE, including in protecting children or other vulnerable persons.

The UK Government has announced the launch of AI Standards Hub, with the goal to “lead in shaping global technical standards for Artificial Intelligence.” The initiative, part of its AI Strategy, will be conducted together with the Alan Turing Institute and supported by the British Standards Institution (BSI), the National Physical Laboratory (NPL), the Department for Digital, Culture, Media and Sport (DCMS), and the Office for AI (OAI). It will create practical guidance tools for AI developers and companies, build an online platform to gather the U.K.’s AI community and develop educational materials “to help organisations develop and benefit from global standards.”

Also in the UK, the International Data Transfer Expert Council has been launched, to provide independent advice to the government, in support of “government ambition to unlock benefits of free and secure data flow after leaving the EU.” The 20 experts on the council (including representatives of Google and Microsoft) have been selected from civil society, academia and industry around the world, with experience in a range of areas including patient healthcare, scientific research, artificial intelligence and finance. 

The European Commission’s Open source Programme Office has launched a set of bug bounties, via the Intigriti platform. Awards of up to EUR 5000 are available for finding security vulnerabilities in LibreOffice, LEOS, Mastodon, Odoo, and CryptPad, which are open source solutions used by public services across the European Union. There is a 20% bonus for providing a code fix for the identified bugs.

The European Commission published a call for tender for the deployment of a recursive European DNS resolver service infrastructure (DNS4EU). The announcement specifies that the DNS4EU “shall offer a high level of resilience, global and EU-specific cybersecurity protection, data protection and privacy according to EU rules, ensure that DNS resolution data are processed in Europe and personal data are not monetised.” Also, the service infrastructure “shall adhere to the latest internet security and privacy standards.” It must also offer additional optional services such as free parental control, as well as paid premium services for enhanced performance or security for corporate users. The expected impact of the DNS4EU is enhanced cybersecurity and “complete safeguards for EU internet users that their data and privacy are protected and handled according to EU rules.”

The European Commission proposed to the European Parliament and Council that they “sign up to a declaration of digital rights and principles.” The declaration of digital rights and principles would guide the digital transformation in the EU and “define the approach to the digital transformation which the EU will promote throughout the world.” The main principles are: 

  • placing people and their rights at its centre, 

  • supporting solidarity and inclusion, ensuring the freedom of choice online, 

  • fostering participation in the digital public space, increasing safety, security, and empowerment of individuals, 

  • and promoting the sustainability of the digital future.

By Karina Nimară

Director of EU Policy and Head of Brussels Office - Karina previously served as Legal Advisor and Internal Market attaché at the Permanent Representation of Romania to the EU. Prior to her work with the Romanian diplomatic mission, Karina spent ten years in European Union affairs within the Romanian Government. While there she coordinated, inter alia, the process for transposition and implementation of EU legislation. Karina holds a law degree and specializes in EU law and policies. Based in the Alliance’s Brussels office, she's a tech enthusiast, enjoying the dawn of the Age of Artificial Intelligence. Other than robots, she's fascinated with cats and owls.


©2022 Developers Alliance All Rights Reserved.