The October 2023 European Policy Update
The Online Safety Act, the UK’s framework content law, has received Royal Assent and will be implemented by Ofcom in three phases covering guidelines and secondary legislation for different legal obligations.
The legal obligations vary for different services, but the law imposes overall duties on all service providers (more than 100,000 online services according to Ofcom’s estimate), regardless of size, as follows:
- to carry out risk assessments, regarding the risk of harm to all users from illegal content and for those services likely to be accessed by children, the risk of harm to children;
- to “take effective steps to manage and mitigate the risks identified by these assessments;”
- to be clear in their terms of service about how users will be protected;
- to provide means for users to easily report illegal content and content harmful to children, and to complain, including when they believe their posts or accounts have been wrongly blocked or removed;
- “consider the importance of protecting free expression and privacy in meeting their new duties.”
Fines for non-compliance can go up to £18m or 10% of qualifying worldwide revenue (whichever is greater).
Ofcom will publish its first consultation on November 9th, on illegal harms, with “proposals for how services can comply with the illegal content safety duties and draft Codes of Practice.”
The European Commission sent several requests for information under the Digital Services Act (DSA) to platforms designated as Very Large Online Platforms (VLOPs). The Commission is asking for details on the risk assessments and mitigation measures against the spreading of illegal content and disinformation, “in the context of the terrorist attacks by Hamas against Israel and disinformation around elections.” The first request was sent to X (formerly Twitter), followed by formal letters to Meta, TikTok, and YouTube. X’s CEO promptly published her answer on the platform.
The political groups of the European Parliament have reached a common position on the CSAM Regulation. Many controversial aspects of the proposal are attenuated and additional safeguards added, notably for protecting E2E encryption and excluding client-side scanning, restricted detection and removal orders, and the tasks of the EU Centre and Europol. The Parliament also proposes specific criteria for age verification systems, which are not mandatory, with the exception of porn platforms.
The LIBE committee invited Commissioner Ylva Johansson to respond to revelations from journalistic investigations about undue commercial influences and an advertising campaign micro-targeting users in those EU states that don’t support the proposal (full story by TechCrunch).
An event organized by the European Data Protection Supervisor (EDPS) gathered a united group of various civil society, industry, and academic experts against the risk of breaking E2E encryption and mass surveillance.
The negotiations on the revision of the EU Product Liability Directive have started. The main differences between the Council and the European Parliament relate to the burden of proof and access to evidence, development risk defense, and compensation period for latent damages. Also, the EP proposes a 1000 EUR threshold for corruption or loss of data and an exemption from liability for micro and small software developers in situations where another economic operator would be liable for damage caused by that software at the time of placing it on the market.
Developers Alliance has presented its recommendations for the final phase of the legislative procedure and also joined other industry associations in a call not to overburden software developers and technology companies.
EU lawmakers continue their negotiations on the AI Act, with the aim to present a final version by the end of this year. One of the compromises so far is on the classification of high-risk systems, introducing additional criteria (e.g., AI systems that are intended for a narrow procedural task, merely to confirm or improve an accessory factor of a human assessment, or to perform a preparatory task), as an additional layer to the list of areas and use cases listed in the initial proposal of the European Commission. The political agreement ignored the European Parliament Legal Service’s negative opinion on this approach (as Euractiv reports). The negotiations still lack concrete compromise solutions on the list of high-risk cases (Annex III), prohibited practices (art. 5), including those related to law enforcement, the fundamental rights impact assessment and environmental requirements. The final version for the specific obligations for general purpose AI (GPAI) providers remains to be seen, as does the tiered approach for foundation models (transparency requirements and additional risk-management obligations for ‘very capable/high impact’ foundation models).
Ahead of the AI Safety Summit 2023 (November 1st & 2nd) the UK government presented a discussion paper on the capabilities and risks of frontier AI.
The European Commission welcomed the G7 leaders’ agreement on International Guiding Principles on Artificial Intelligence (AI) and a voluntary Code of Conduct for AI developers.
The European Commission provided standard EU model contractual AI clauses for public procurement of AI. The proposed requirements follow the ‘high risk’ classification of the AI Act, and cover the scope of the AI Act, “thus excluding other obligations or requirements that may arise under relevant applicable legislation such as the General Data Protection Regulation.” The model clauses seem to be developed based on scenarios when the procured AI Systems are distributed under a proprietary license, according to a commentary by an expert from the Zoom consortium (supporting open licenses for software, hardware, and data).
Privacy & Data Protection
The French Data Protection Authority (CNIL) published a set of guidelines for the development of AI in compliance with the GDPR. CNIL’s ‘AI-how-to sheets’ provide “practical clarifications and recommendations for the development of artificial intelligence (AI) systems and the creation of datasets involving personal data used for their learning.” This first set of guidelines doesn’t cover the deployment phase.
The UK’s Information Commissioner’s Office (ICO) seeks expressions of interest for the Regulatory Sandbox 2024, in the following areas: biometric processing, emerging technologies, and exceptional innovations.
The ICO has issued a preliminary enforcement notice against Snap concerning privacy risks posed by its generative AI chatbot ‘My AI’.
The Chairs of five European Parliament committees have renewed their invitation for TikTok’s CEO to appear at a joint committee hearing. The invitation was issued in regard to the platform’s obligations under the DSA, but also “in light of the Irish Data Protection Commission’s recent findings of non-compliance by TikTok with GDPR rules regarding the processing of personal data of child users.”
The EU Court of Justice has rejected French lawmaker Philippe Latombe’s request to suspend the adequacy decision for the EU-US Data Privacy Framework due to a lack of standing. The CJEU found that the conditions required for the suspension of execution of the decision and other provisional measures were not met. Latombe did not prove the urgency, as he could not establish that he would suffer serious harm if the operation of the adequacy decision were not suspended.
Competition in digital markets
The German Competition Authority (Bundeskartellamt) obtained Google’s commitments on user data processing, following a specific investigation for large digital companies (based on Section 19a of the German Competition Act, GWB). The commitments concern the combination of users’ data from one of Google’s services with data from other Google or non-Google sources, or the cross-use of data in Google services that are provided separately. Such an obligation is already imposed at the EU level by the Digital Markets Act (DMA), but only for the designated core platform services (Google Shopping, Google Play, Google Maps, Google Search, YouTube, Google Android, Google Chrome and Google’s online advertising services). Bundeskartellamt obtained from Google commitments related to more than 25 services, in addition to those covered by the DMA, including Gmail, Google News, Assistant, Contacts and Google TV. In practice, Google will offer users “the possibility to give free, specific, informed and unambiguous consent to the processing of their data across services,” and corresponding choice options for the combination of data.
Romania’s Competition Authority is investigating whether Apple abused its dominance in the in-app advertising market by restricting access to user data and self-preferencing its own ad display services. The investigation is pursued in parallel with similar scrutiny from competition enforcers in Italy, France, Germany, and Poland.
The Dutch Competition Authority (ACM) rejected Apple’s objections against the order (subject to periodic penalty payments) that it had previously imposed on the company. The ACM imposed the order on Apple in August 2021 for abuse of dominant position by imposing unreasonable conditions on dating-app providers that use Apple’s App Store. Following Apple’s non-compliance with the order, the ACM imposed a total amount of 50 million euros in penalty payments. Apple has partially complied with ACM’s order, with regard to the payment system and the anti-steering conditions, but not with a third condition, which is not publicly known for legal and procedural reasons related to Apple’s appeal.
The UK’s Competition and Markets Authority (CMA) has cleared the Microsoft/Activision deal with the new concession regarding the acquisition of cloud gaming rights by Ubisoft. The EU approved the acquisition earlier this year under different conditions (e.g., licensing popular Activision games such as “Call of Duty” to rival game-streaming platforms).
The CMA has launched a market investigation into cloud services. The investigation follows a market study conducted by Ofcom, which identified several issues related mainly to: egress fees – charges that cloud customers must pay to move their data out of the cloud, discounts – which may incentivize customers to use only one cloud provider, and technical barriers to switching – which may prevent customers from being able to switch between different clouds or use more than one provider.
Possible amendments to the UK’s Digital Markets, Competition, and Consumers Bill regarding the judicial review have stirred criticism. Baroness Stowell, Chair of the House of Lords Communications and Digital Committee, has written to the Prime Minister asking to maintain the proposed expedited judicial review and not allow a broader appeals system. There are, however, other views. The bill is in the last part of the legislative process, ahead of the final reading at the House of Commons.
A new updated version of the Code of practice for app store operators and app developers was published by the UK’s Department for Science, Innovation and Technology (DSIT). It reflects input received from the Information Commissioner’s Office (ICO) on relevant legal obligations from UK data protection law, and how a stakeholder can make a referral to the ICO if they find details of security and/or privacy concerns in apps.
The DSIT is seeking to understand current security and privacy practices utilized by app developers and especially the impact and awareness of recent voluntary government initiatives. Those interested can submit their views.
The European Parliament calls for new rules tackling “addictive design features of certain digital services” and “fostering ethical design by default.” A resolution voted by the IMCO Committee urges the European Commission to propose legislation to address “harmful addictive techniques not covered by the directive on Unfair Commercial Practice (e.g., infinite scroll, default autoplay, constant push and read receipt notifications).” The MEPs also want obligations for companies to develop ethical and fair digital products and services by design. They propose that the future legislation includes a “digital right not to be disturbed” and a list of good design practices (“think before you share;” turning off notifications by default; chronological feeds; grayscale mode; warnings or automatic locks after a pre-set time use, in particular for minors; total screen time summaries).
The DG Communications Networks, Content and Technology (DG CNECT) of the European Commission has commissioned a study on the value of the European video games sector.
The European Commission is organizing an information and brokerage session about funding opportunities under the Horizon Europe 2024 program. The session will be organized on December 4th, 2023 and will cover the following calls:
- Piloting emerging Smart IoT Platforms and decentralized intelligence
- Platform Building, standardization and Up-scaling of the ‘Cloud-Edge-IoT’ Solutions
- Fundamentals of Software Engineering
- Public recognition scheme for Open Source.
The European Securities and Markets Authority (ESMA) has published a second consultation package under the Markets in Crypto-Assets Regulation (MiCA). The ESMA is seeking input on five sets of proposed rules, covering: sustainability indicators for distributed ledgers, disclosures of inside information, technical requirements for white papers, trade transparency measures, and record-keeping and business continuity requirements for crypto-asset service providers. The deadline for the consultation is December 14th, 2023.
The Influencer Legal Hub is a new EU project on European consumer law and influencer marketing. Influencers that advertise or sell products on a regular basis qualify under the EU law as traders and “have a lot of rules to comply with.” The project offers a variety of resources supporting influencers with legal compliance.
The 11th edition of the EU Code Week took place from October 7th to 22nd.