back to school edition – EURACTIV.com
Welcome to EURACTIV’s Tech Brief, your weekly update on all things digital in the EU.
“The Czech Presidency invites the delegations to discuss the changes in Chapter V and the related recitals during the WP TELECOM meeting on 5 September 2022.”
-The first partial compromise text on Chapter V of the Data Act
Story of the week: While virtually all of Brussels was on holiday, the Czech Presidency continued its work to reach a compromise on the Data Act, one of its digital priorities. The document, to be discussed at the Telecom WP after the summer break, concerns the controversial part on government access to privately held data, trying to address the concerns of those who see these provisions as handing arbitrary and disproportionate powers to public entities.
The definition of exceptional need based on which an access request can be sent has been further refined, as well as the exceptional circumstances. Alternatively, public bodies will be able to request private data to carry out their specific tasks (i.e. urban planning), but only if EU or national law allows it. Stricter requirements have been introduced on what public bodies, and their subcontractors, might do with the obtained data, together with additional safeguards for personal data. Prague also sought to clarify the legal procedure in case of litigation. Read more.
Don’t miss: Germany’s digital strategy is getting closer after weeks of delays and open questions. According to a draft seen by EURACTIV and due to be presented next week, the new version of the strategy includes the main digital policy projects per ministry, including on e-governance, mobility, defence and climate protection. However, few details have yet been provided about the Data Institute, a new body intended to spearhead the work on data availability and technical standards. No budgetary detail has been included, as the budget for digital will be discussed in autumn together with that of the rest of the government for the next financial year. Read more.
Also this week:
- A new whistleblower has come forward, this time casting a shadow on Twitter.
- Intense lobbying continues on the fair share proposal as the Commission prepares to launch a public consultation.
- The European Commission asked the EU Council for the mandate to negotiate the AI treaty on fundamental rights on behalf of the EU.
- ENISA’s cybersecurity certification scheme for cloud services is facing increasing opposition from member states and the agency’s own experts.
- The EU executive replied to Germany’s questioning of the CSAM proposal, with a series of workshops planned for the coming weeks.
Before we start: The internet’s multi-stakeholder model faces recurrent pressure from political actors that want to assert control over its backbone infrastructure. These tensions stem from the accusation that the internet is too US-centric, a view that seems to be shared not only by non-Western powers such as Russia and China but also by Europe itself. We discuss the challenges for internet governance and whether there is a need to ‘democratise’ it with Goran Marby, CEO of ICANN.
Negotiating as a bloc. The European Commission adopted a recommendation for a Council decision last week asking for a mandate to negotiate the Council of Europe’s convention on AI and fundamental rights on behalf of the bloc. This is possible not only for areas where EU legislation is already in place but also if an ongoing legislative procedure exists. As usual, when more powers are to be given to Brussels, the negotiations might not be straightforward. The timing does not match the EU’s agenda, though, as it would be more convenient to negotiate the treaty once the AI Act is already in place. Therefore, the Commission’s mandate is likely to be vague, and Brussels might be tempted to buy time as it gets its act together.
JURI opinion. It is still unclear when the JURI (legal affairs committee) opinion on the AI Act will be voted on, following a last-minute spat before the summer break. JURI has a technical meeting scheduled on Monday when things should become clearer.
Growing opposition. Ireland, Sweden and the Netherlands were the most vocal opponents of the inclusion of data sovereignty requirements in ENISA’s cloud certification scheme, opposition that crystallised in a non-paper circulated earlier this year. Since then, the coalition has been growing and now includes Denmark, Estonia, Greece and Poland, and the non-paper has made it into an official Council document. Meanwhile, the front of those in favour of these requirements, which would make the certification virtually inaccessible for non-European companies, has lost Germany, which is now more divided than ever following heavy pushback from its industrial base. The European Cybersecurity Certification Group discussion, already postponed to September, has been further delayed to November as France tries to reorganise its offensive. Read more.
It’s all about the process. The trouble is not limited to the member states. In July, 14 of the 20 experts who are part of ENISA’s ad hoc working group on cloud services also raised concerns with the sovereignty requirements and specifically with the process that led to their inclusion in the initial draft. The experts pointed out in an opinion obtained by EURACTIV that the issue of independence from non-EU law is complex and that they had not been able to reach a consensus on its feasibility. While ENISA asked the experts not to cause a public debate on the issue, the experts stressed the principle of transparency and the need to conduct a public consultation about these requirements. Moreover, the opinion states that the impact of the requirements is likely to be very significant, particularly for companies with global operations, and to significantly restrict the choice of cloud services, even if they comply with the highest security standards.
More attacks to come. Cisco’s Talos Intelligence Group warned this week that cyber-attacks on Ukraine’s agricultural infrastructure are likely to grow as the sector’s global importance is laid bare by the war. As the vital nature of agriculture, and the potential extent of disruption, becomes clear to cyber actors, assaults on the sector could mount, compounding the international food security issues already created by the conflict. Cisco said that the sector’s low defences, international dependencies, and increasing digitalisation make it particularly vulnerable. While Ukraine’s cyber defences have proven robust so far, the fact that the country accounts for 10% of global agricultural output means the consequences of an assault could be significant, well beyond its borders. Read more.
CRA – what to expect. The Commission is set to present the proposal for the Cyber Resilience Act on 13 September. The task is a challenging one since there is no existing legal framework for the cybersecurity of connected devices. The EU executive is likely to draw inspiration from the US NIST’s voluntary framework for cybersecurity standards, best practices and guidelines, and it is considering the introduction of cybersecurity labels, EURACTIV has learned. One of the main hurdles the Commission has to solve in its draft is how to define the risk category for each connected product: whether via an exhaustive list, likely to be subject to intense lobbying, or with other criteria such as the use of the device. Regarding conformity assessment, EURACTIV understands that there might be similar requirements for all risk categories; what would change is whether conformity is based on a self-assessment or a third-party assessment. At any rate, the obligations would fall on the product manufacturer and must be ensured throughout the product lifecycle.
Soviet past, present attacks. Estonia shut down a major DDoS cyberattack last week, responsibility for which was claimed by the Russian hacker group Killnet. Described by an Estonian official as “the most extensive cyber attacks since 2007”, the assault followed the removal of Soviet monuments in Narva, a town with an ethnic Russian majority. Killnet said it had blocked access to over 200 public and private institutions, but Estonia said the attack was limited and had gone “largely unnoticed” in the country. Read more.
Data & Privacy
Germany asks, Commission replies. The Commission has had to reply to the 61 questions sent by the German government on the proposal to fight Child Sexual Abuse Material (CSAM). The EU executive explained that if the regulation is not adopted before the end of the legislative term, the current ePrivacy Regulation could be extended. The role of the EU CSAM centre was clarified, preventing false positives from being flagged to law enforcement agencies, although little information has been provided on how the body will be funded since the error rate is expected to be around 10%. The Commission also stated that search engines that are not hosting services do not fall under the proposal’s scope. The EU executive has scheduled (and already started) a set of 10 seminars with national experts to address the member states’ remaining questions, notably how the liability regime will interact with the DSA, consistencies and discrepancies with the regulation against terrorist content, the compatibility with end-to-end encryption and the involvement of Europol.
Data Act timetable. As the competency fight on the Data Act was put to rest before the summer break, a new timeline has been circulating. The public hearing on the draft report is expected on 8 September, followed by the consideration on 26 September. The deadline for amendments in the ITRE committee is set for 17 October, with the committee vote expected by February and the plenary vote by March. However, the draft report might still be further delayed since the final decision on the competencies arrived late in July.
Spam email complaint. Privacy advocacy group NOYB filed a complaint with the French Data Protection Authority (CNIL) this week against Google, alleging that the tech giant has disregarded the EU’s ePrivacy Directive regarding marketing emails. According to NOYB, Gmail is being used by the company to send unsolicited direct advertising emails disguised as normal emails without users’ consent. The group says this is in direct violation of a 2021 ruling by the EU Court of Justice stipulating that any advertising that ends up in a user’s inbox requires their consent.
Google’s anti-disinfo pilot. Google unit Jigsaw is set to launch a campaign to “inoculate” people in three EU countries against disinformation about Ukrainian refugees. Using research from psychologists at two UK universities, a series of 90-second clips have been developed to help people identify emotional manipulation and scapegoating in news headlines and are designed to build public resilience in the face of anti-refugee messaging. The material will be shown on platforms including Twitter, TikTok and Facebook for one month across Poland, Slovakia and the Czech Republic, with a potential expansion to other countries in the future. Read more.
Chips working points. While the Czech Presidency wants to reach a general approach on the Chips Act before the end of the year, the task is made significantly more challenging because many member states still do not have a position yet. According to some EU countries, the lack of impact assessment is one of the reasons why they are struggling so much, hence the call on the Commission to provide one. The Czech Republic follows the other smaller member states with the intention to make the Chips Act benefit the whole bloc and not just the large countries. There is, in fact, the widespread perception that France and Germany might use the Chips Act as a power grab for supply chain emergencies via the Commission and for deciding where to locate mega fabs via the concept of first-of-a-kind. Therefore, it is not surprising that the Presidency will focus on defining first-of-a-kind and clarifying the factors that trigger the crisis status. Prague is also waiting for inputs on the countries’ R&D priorities for the Chips for Europe Initiative.
Know your weaknesses. The Semiconductor Expert Group is due to open a new survey on the chip value chain by the end of October to collect feedback from industry stakeholders and end users. The objective is to develop a detailed mapping of the supply chain’s structural weaknesses and related risks. The survey follows up on a previous one related to chip demand.
Parliamentary timeline. The Chips Act’s timeline also had to be updated following the redistribution of competencies in the European Parliament. The draft report is expected to be sent to translation on 16 September and presented in ITRE on 10 October. The deadline for amendments is 13 October. The committee vote is expected in the third or fourth week of January, followed by the plenary vote the following month.
Spanish state secrets. A group of NGOs has voiced concern over the potential implications of a new secrecy law introduced by the Spanish government, arguing that it could hamper transparency and public participation. The bill would replace an existing Franco-era law, introduced in 1968, which keeps classified material secret indefinitely. While reform efforts have been underway for several years, the new draft law was presented at the start of August following a pledge by Prime Minister Pedro Sánchez to reform Spain’s official secrecy system in the wake of the Pegasus scandal, which saw figures linked to the Catalan independence movement targeted by the Spanish intelligence services, as well as the infiltration of devices belonging to politicians including Sánchez himself. Over 20 NGOs, however, have now voiced their concerns that the new law would still make declassification extremely difficult and that the consequences for journalists and others leaking information remain unclear. Read more.
Next steps of the Pegasus committee. After a delegation’s mission to Israel earlier this summer, the next mission on the agenda will be to Poland, currently planned for the week starting on 19 September, followed by Hungary, planned for the week from 31 October. An additional mission is foreseen for the United States, probably taking place in February 2023. For next Tuesday, two committee hearings are scheduled, focusing on spyware’s victims and the remedies.
Greece’s “Watergate” – The fallout from Greece’s spyware scandal continues to unfold, with the European Parliament pledging to launch an investigation into the situation and a domestic enquiry set to begin next week. The head of the Greek EYP intelligence service and a top aide of Prime Minister Kyriakos Mitsotakis resigned from their posts earlier this month after revelations that the agency had tapped the phone of Nikos Androulakis, leader of opposition party PASOK. While EYP – which has also recently come under fire for surveilling the phone of CNN Greece journalist Thanasis Koukakis – says the targeting of Androulakis was lawfully done, Mitsotakis has insisted that he had no knowledge of the operation and would not have allowed it if he had. It has since emerged that, in addition to EYP’s hack, Androulakis’ phone was also breached by Predator spyware, which Athens denies any involvement in.
Nothing to see here. Journalists covering the situation have also received pushback from the government. Reporting by Politico contributor Nektaria Stamouli, who first covered a letter sent to the Commission by the Greek Permanent Representation to the EU in early August describing reports on the scandal as unsubstantiated, was this week singled out by a government spokesperson, to great criticism from press organisations.
Tighter than ever. Russian search engine Yandex announced this week that it will sell its news aggregator and homepage to rival and state-owned company VK in exchange for the acquisition of food delivery company Delivery Club. The move constitutes a further tightening of media control in Russia, which has increased since the invasion of Ukraine. Yandex has previously complied with Moscow’s orders to restrict access to certain sites, including those of many independent Russian media outlets. Read more.
No platform is safe. Twitter has lax security measures, makes little effort to measure or tackle spam accounts and could have intelligence officers of foreign governments amongst its workforce, according to the platform’s former head of security. Peter Zatko, who was fired from the company in January, turned whistle-blower last month, sending an 84-page document to the US government detailing his concerns about Twitter’s operations. Amongst them were allegations that internal security threats were not attended to, that employees have too much access to user data and that the platform intentionally neglects to combat fake and spam accounts. Twitter has pushed back against Zatko, describing his comments as “a false narrative”.
Speaking of Twitter. Non-profit organisation HateAid has filed a complaint against Twitter with Germany’s Federal Office of Justice over the platform’s alleged failure to report on its internal complaint mechanism, which it is required to do under the country’s Network Enforcement Act (NetzDG). Twitter was the only platform that excluded information relating to countermotion procedures, as required under the law, from its transparency report for the first half of 2022, which HateAid said could signal that no such mechanism exists. Speaking to EURACTIV, the organisation also warned that this could foreshadow how big tech will behave once the DSA, which contains similar measures, is in place, highlighting the need for strong oversight of platforms’ compliance. Read more.
Research & Innovation
Arbitration needed. The UK has initiated legal proceedings against Brussels over the blocking of the UK’s association with the Horizon Europe programme, which was agreed as part of Brexit negotiations but which has been delayed by the EU pending resolution of the issues surrounding the Northern Ireland protocol. London notified the EU last week that it would begin formal consultations on the issue, a process which could culminate in international arbitration. The move follows warnings from UK officials that the country was ready to drop the programme altogether and the publication last month of plans to establish a domestic alternative for research funding. Read more.
Uncertain future. While the decision to launch the proceedings, taken by Liz Truss, current Foreign Secretary and Prime Ministerial hopeful, has been seen as a political move by some, Horizon Europe and R&I more broadly have so far had little presence on the campaign trail of the UK’s upcoming leadership election. Following Truss’ announcement, however, rival Rishi Sunak released plans to construct a “better UK alternative” to Horizon Europe and transform the country into a “science and technology superpower”, adding that while his preference was for the UK to re-join the programme, he would not hesitate to walk away from negotiations.
Paper and counter paper. Following the letter of seven EU countries that warned the Commission against hasty decisions on the ‘fair share’ proposal, France, Italy and Spain shared on 1 August a joint paper, seen by EURACTIV, that basically echoes the arguments of the telcos. Interestingly, Italy’s signature, due to the ministries of foreign affairs and digitalisation, was later on dismissed by the ministry for industrial policy. With Rome heading towards elections, its support for the initiative remains to be seen. Meanwhile, the Commission has clarified in its reply to the MEPs concerned about net neutrality, also seen by EURACTIV, that the fair share principle will not be introduced in the Connectivity Infrastructure Act. A public consultation is now expected, and the BEREC study that will be released in October will also inform the proposal.
Safe 5G. The European Commission launched a public consultation on the preliminary opinion on scientific evidence on radiofrequency. The opinion of the Scientific Committee on Health, Environmental and Emerging Risks did not identify any health risks related to mobile networks such as 5G. This seminal report will provide a strong argument to push back against limitations on mobile signal power below the ICNIRP standards. The consultation is open until 25 September, and some ‘entertaining’ replies are to be expected.
No more blind spots. Mobile “dead zones” are set to receive service under a new partnership between Elon Musk’s SpaceX and T-Mobile. The new venture will link mobile phones to SpaceX’s Starlink satellites to provide connectivity in all remote, previously uncovered areas. Starting in the US with an expected international expansion to follow, the plan will begin with the rollout of text messaging late next year before voice calling and data services are added. Read more.
Big Tech diplomacy. Maintaining good relations with US tech giants as new legislation comes into force will be one of the key tasks of the EU’s new San Francisco office, which is set to open next week. The West Coast delegation will not only focus on Big Tech, Commission officials have stressed, but the office’s launch comes at a time when major laws, including the DSA and DMA, are set to come into force, necessitating greater dialogue between regulators and companies. The office is also expected to engage with Silicon Valley start-ups, support EU-US Trade and Technology Council discussions and explore potential partnerships with the US on programmes such as Horizon Europe. Read more.
What else we’re reading this week:
FCC Reports to Congress on Future of the Universal Service Fund (Federal Communications Commission)
TikTok’s extraordinary rise signals a more multipolar internet (FT)
U.S. House chair demands Twitter answer whistleblower allegations (Reuters)
[Edited by Nathalie Weatherald]