Welcome to Euractiv’s Tech Brief, your weekly update on all things digital in the EU. You can subscribe to the newsletter here.
“The compromise proposal addresses general purpose AI models (hereinafter: GPAI models), which ensures that the approach is technology-neutral. The proposed provisions contain only very limited obligations and introduce codes of practice.”
-Spanish presidency’s note in preparation for the AI Act trilogue
Story of the week: As anticipated, the Spanish presidency circulated its COREPER mandate in two batches. The first one, on law enforcement, was discussed on Wednesday. Regarding bans, the presidency suggested accepting the bulk scrapping of facial images, emotion recognition in the workplace and education, biometric categorisation for sensitive data and predictive policing for individuals. The text also proposes a midway with the Parliament on the fundamental rights impact assessment (FRIA) and law enforcement exemptions. However, while EU ambassadors showed flexibility on the FRIA, real-world testing and derogation to the conformity assessment procedure, countries are much less keen to concede on the national security exemption and prohibitions.
The second part of the mandate touched upon foundation models, governance and other less controversial topics like access to source code, penalties, the sanction regime and AI literacy. The presidency largely maintained the Commission’s text from last week but introduced some elements from the European Parliament’s working paper revealed by Euractiv. A new quantitative threshold was introduced to categories models with systemic risk: the number of business users. A new requirement was introduced mandating model evaluation based on standardised protocols. A new cybersecurity requirement was suggested for top-tiered models, and the presidency asked for flexibility in mandating energy-efficiency standards. In a shadow meeting on Wednesday, MEPs agreed to stick to their position, considering that the code of practice on disinformation provides a vivid example of how this sort of tool has proved ineffective. The ministers of France, Germany and Italy met on the same day to coordinate a common position. An EU official told Euractiv that the Spanish presidency’s text does not fully satisfy the three countries, which are particularly sceptical about the classification thresholds. On Friday afternoon, the mandate is expected to be given despite the reservations.
Don’t miss: EU policymakers have reached an agreement on the Cyber Resilience Act on Thursday evening. As anticipated by Euractiv, many aspects, including the categories of ‘important’ and ‘critical’ products, were already agreed on at the technical level. The main outstanding political point concerned the possibility of national authorities restricting the EU’s cybersecurity agency ENISA’s access to vulnerability reporting. The agreement sets out three scenarios: the product predominantly circulates in the relevant country with limited risks for other member states, the information disclosure goes against essential security interests, and the manufacturer sees an imminent risk in further dissemination. Still, ENISA is to receive some general information on the exploit. The Council carried the day in the national security exemption and turned the obligation to reinvest revenues from sanctions under the regulation in capacity-building activities into a recital. Regarding open-source software, non-profit organisations that sell the software but reinvest the revenues in not-for-profit activities have been excluded from the scope. Read more.
Also this week:
- Euractiv took a deep dive at France’s stance on foundation models.
- The French government wants public officials to ditch WhatsApp and Signal in favour of a French alternative.
- The next summit of the EU-US Trade and Technology Council has been postponed to April as the platform loses momentum.
- The Commission warned EU countries to do their homework in setting up DSA national authorities.
- Consumer organisations filed a complaint accusing Meta’s ‘pay-or-consent’ model of breaching EU consumer law.
- The European standardisation organisation ETSI elected a representative of Intel as the chair of its general assembly despite the Commission’s digital sovereignty agenda.
Before we start: If you just can’t get enough tech analysis, tune in on our weekly podcast.
Algorithm audits in the Digital Services Act
The European Commission adopted the delegated act regulating the auditing of algorithms under the DSA last month. We discussed the challenges in this field and possible implications in terms of technical standards and interlinks with the AI Act with Catalina …
Today’s edition is powered by Google
Google’s new cybersecurity centre in Málaga
Cyber threats are growing more sophisticated and dangerous. Google’s new cybersecurity hub in Málaga will bring Google engineers and European experts together to share knowledge, research and tools- helping build a better, safer Internet for everyone.
Artificial Intelligence
France and the AI Act. In the past weeks, France has emerged as a showstopper in the negotiations on the world’s first comprehensive AI law, taking an uncompromising stance in rejecting binding rules for the most powerful models. Paris has traditionally supported digital regulation, but its position started to change with the emergence of Mistral AI, a start-up that aims to compete with Big Tech. Cédric O, the French former digital state secretary who is now Mistral’s top lobbyist, is at the centre of the polemics. Even Thierry Breton, the driver of French interests in Brussels, distanced himself from this uncompromising stance, pairing Mistral with Big Tech in not representing the public interest. However, for the French company, the idea that this issue sees Mistral against the world is a mischaracterisation. In contrast, the focus should rather be on promoting open-source models to break Big Tech’s proprietary approach to AI. Read more.
Art. 7 closed. Policymakers have green-lighted the text detailing how the Commission will be able to amend the list of high-risk use cases. The agreed text, seen by Euractiv, follows the Council’s mandate, stating that the changes must occur via delegated acts. Deletion will require two conditions: that the high-risk systems concerned no longer pose a significant risk and that the deletion does not decrease overall protection in the Union.
Open letter to Macron, Meloni, and Scholz. On Sunday, leading AI experts like Luciano Floridi sent an open letter to French President Emmanuel Macron, Italian Prime Minister Georgia Meloni, and German Chancellor Olaf Scholz urging them to change their stance on foundation models. “Companies should not make the rules themselves,” the letter emphasised, adding that delaying the regulation “comes at significant costs”.
Liberals for AI. Earlier this week, Germany’s Free Democratic Party (FDP) released a paper on fully seizing the opportunities of AI. “Germany has the best prerequisites in AI research to emerge from this technological race as a global player,” said Maximilian Funke-Kaiser, FDP’s digital policy spokesman.
Take responsibility. According to a YouGov poll, the EU public supports foundation models’ regulation, distrusts tech CEOs and leaders to represent the public’s interest in the AI Act, and wants companies to be legally responsible for the harms when creating AI models.
Competition
The Commission is concerned. The Commission informed Amazon on Monday about its preliminary review of its acquisition of smart vacuum cleaner manufacturer iRobot, sharing concerns that it might restrict competition in the European Economic Area.
Adobe-Figma merger to be cleared. According to Reuters, Adobe’s EU antitrust charges are to be cleared about its $20 billion merger with Figma at a closed hearing on 8 December. The EU watchdog’s deadline to decide is 5 February.
Cybersecurity
Messaging made in France. French ministers will have to stop using WhatsApp, Telegram, and Signal as messaging services starting 8 December for security reasons, with the government already urging them to switch to a new French-made messaging app called Olvid, developed by a Paris-based startup. Olvid’s slogan boasts: “The most secure messaging app in the world.” The French cybersecurity agency ANSSI awarded the application two security certifications. Read more.
Slow progress on Cyber Solidarity Act. The Commission’s proposal for a Cyber Solidarity Act is languishing in the EU Council of Ministers, where the scarce enthusiasm is evidenced by the slow progress at the technical level – despite there being no major political hurdle. EU countries have not enthusiastically received the file, as the Spanish presidency’s report published earlier this week laid out. Read more.
What next for EUCS? Very scant information circulates how things went down at the European Cybersecurity Certification Group meeting on 20 November. Euractiv understands no agreement has been reached with national delegates on the compromise text, and frustration is mounting with the Commission and ENISA around how the process is being managed. No next meeting has been scheduled yet, even though there are rumours the Commission might try to force its way through comitology before the end of the year.
New EU Google Cybersecurity Centre. Google opened the doors of its third Cybersecurity Centre in Europe, pledging $10 million for cyber skills training. “The opening of the centre is also a signal that global tech companies understand that Europe is a place to invest their talents and where cyber experts are valued to help our citizens,” MEP Dita Charanzová said. Read more.
Germany: One account hacked per minute. A new report released by Surfshark monitored that even though the number of data breaches in Germany fell by 49% in the third quarter compared to the second in 2023, one account was hacked per minute on average.
Data & Privacy
Cookie pledges for Christmas. Euractiv learned this week that the European Commission is set to present the cookie pledging principles at the next general assembly of the initiative on 19 December. The EU executive is currently waiting for the feedback of the European Data Protection Board to finalise the drafting. The signature is scheduled for early next year.
Experts not needed. A Freedom of Information request recently revealed that the European Data Protection Board’s pool of experts “has 486 approved subject-matter experts on call” yet has been relying “on only around 2% of them since 2022”. This revelation is particularly relevant as this expert pool inspired the ‘scientific panel’ introduced in the AI Act to advise the AI Office.
Digital diplomacy
EU-US TTC postponed. The high-level meeting of the EU-US Trade and Technology Council (TTC) has been officially postponed, confirming that the initiative has slipped down the priority list on both sides of the pond. The next meeting is expected to happen in early April in Belgium, with more information expected by the beginning of next year. Euractiv understands that the TTC never really took off as the two blocs had different agendas: Brussels unsuccessfully tried to get Washington on board its digital policy agenda, and the US more successfully used it as an anti-Russian, anti-Chinese platform. With the recent international crisis, the TTC no longer seems to be a priority, and with elections coming up in both blocs, its future is more uncertain than ever. Read more.
EU-India semiconductor agreement. Last Friday, the EU-India Trade and Technology Council celebrated a Memorandum of Understanding on semiconductors to best practices, promote skills and identify research collaboration areas.
Digital Services Act
You should be ready. On Wednesday, a Commission background note was circulated in the Council on ensuring the preparedness of Digital Services Act (DSA) enforcement, a topic that will be discussed at the Competitiveness Council on 7 December. The Commission warned that the countries’ failure to meet the deadline to establish a Digital Services Coordinator “will create disadvantages for them, its citizens and their businesses. So far, less than 10% of member states have formally designated”. At the same time, the EU executive stated that ‘almost all’ member states have appointed a representative to the informal network established last October. The network meets regularly and shares evidence with the Commission, albeit no detail is provided. Finally, the document points to an ‘unprecedented’ increase in illegal and harmful content circulating online in the EU due to the conflicts in Ukraine, the Middle East and coordinated misinformation campaigns.
e-Commerce
Be my guest. In case you didn’t know, the European Data Protection Board (EDPB) has a work track on guest accounts, pushed by the French data protection agency CNIL, possibly to produce some guidance, although this is not part of the Board’s official programme. Euractiv understands that, before the summer, the Commission reached out to the EDPB to assess whether, in the context of the upcoming Digital Fairness Act, e-commerce platforms should be prevented from pushing customers away from guest accounts in favour of personal accounts – which enable more extensive user profiling. Last year, the German data protection agency DSK issued guidelines stating that customers should be able to buy products as guests without setting up a personal account. Euractiv understands that CNIL is pushing a similar line, namely that personal accounts should be necessary only for subscription-based services or to access exclusive offers.
e-Commerce commitments. On Thursday, as part of the 3rd Annual Digital Consumer Event, Justice Commissioner Didier Reynders hosted the signing ceremony for the Consumer Protection Undertaking, signed by representatives of 11 e-commerce platforms, namely Allegro, AliExpress, Amazon, bol.com, Cdiscount, eBay, EMAG, Etsy, Joom, Rakuten France, and Wish. The new Consumer Protection Commitment comprises commitments made under the existing product safety pledge based on voluntary commitments.
eGovernance
eIDAS disagreements. Euractiv learned this week that several MEPs, especially from the Greens, ECR Group, and ID Group, are unhappy with the trilogue compromise text on the European Digital Identity framework. A European Parliament official downsized the internal disagreement, stating procedural reasons for the delay.
Gig economy
France’s push on rental rules. The committee in charge of economic affairs at the French National Assembly voted on Tuesday night on a text to balance legislation on energy efficiency, local authorities powers and fiscal rules between short-term and long-term rental units. The text’s objectives are to align obligations related to energy-inefficient properties and stop the lump-sum deduction for short-term rentals. The text should be presented in a plenary session next week. If no political group opposes the committee compromise and French MPs vote favourably, the text will be sent for first reading in front of the French Senate.
Industrial strategy
Tell me about your graphic cards. EU, Chinese, and French regulators asked for information about US chip giant Nvidia’s graphic cards, according to Reuters. Nvidia is the world’s leading provider of graphics processing units (GPU) powering large language models. More requests can be expected in the future based on a regulatory filing.
Chip pilot lines launch. On Thursday, Breton announced a €3 billion investment to establish four cutting-edge pilot lines in chip technology. According to the Commissioner, “this marks the largest-ever public investment in global research infrastructure”.
State of EU tech. This year’s State of the European Tech’s key findings show, for example, that there is a global drop in investment levels and that “the annual volume of founders starting new tech startups in Europe exceeds the US, and has done so consistently for every one of the past five years”.
Cloud middleware project. Next Tuesday, the Commission will announce the winner of the tender to implement Simpl, a smart middleware for cloud-to-edge federations that will support all the European data spaces. The consortium led by Sopra Steria is set to be the winner, with Atos coming in second, Euractiv has learned.
Law enforcement
Extended at last. The Commission finally announced the extension of the temporary interim regulation on preventing online child sexual abuse material. The previous version would have applied until 3 August 2024. Now, with the extension, the new deadline is 3 August 2026. Since the file seems to be stuck in the Council at the moment, with no hope of being finalised before the European Parliament elections next year, the extension was expected for a while to avoid a legislative gap. Euractiv learned that the news was also announced during a coordinators’ meeting of the Parliament’s Civil Liberties Committee. The team to work on the draft law will be the same as two years ago, with MEP Birgit Sippel as rapporteur for the file. Euractiv also understands that the plan was to add a 12-month extension to the interim regulation, so it is possible that adding two years was a last-minute decision.
Serbian spyware attack. Advanced spyware, likely Pegasus, has been used against Serbian civil society just weeks before snap parliamentary elections, human rights organisation Amnesty International confirmed on Tuesday. Read more.
Media
Anti-SLAPP agreement. The EU Council and Parliament agreed on the directive to address the growing number of strategic lawsuits against public participation (SLAPPs) and protect defendants from unfounded, abusive litigation on matters of public interest, following negotiations into the early hours of Thursday morning. The final agreement maintains much of the Parliament’s text, including key provisions such as a broad definition of a ‘cross-border’ case, early dismissal mechanisms, and awards of costs and damages. Once formally approved in plenary and member states, the legislation will enter into force 20 days after its publication in the Official Journal. Member states will have two years to transpose the legislation into national law. Read more.
Metaverse
Finland’s global ambitions. According to its strategy published on Wednesday, the Finnish government is seeking to become a world leader in the metaverse by 2035. While China, Japan, the UK, and the United Arab Emirates have started to work on similar strategies, this is the first national metaverse strategy from an EU member state. The report anticipates that by 2035 the annual metaverse industry turnover will be more than €30 billion. While 2035 is the current ‘deadline’, this date will be updated annually. Read more.
EU’s leading role in virtual worlds? The Internal Market Committee adopted its own-initiative report on Tuesday about the virtual worlds, wanting the EU to have a leading role in shaping them. Rapporteur Pablo Arias Echeverría said, “As we step into Web 4.0 with the development of virtual worlds, we must lay a foundation rooted in strong EU digital rules, guiding principles and values.”
Platforms
Meta’s “unfair pay-or-consent”. The European Consumer Organisation (BEUC) and 18 of its members filed a complaint to the European Commission on Thursday against Meta’s “unfair pay-or-consent” model under EU consumer law. This initiative came two days after the non-profit organisation noyb, founded by Austrian activist Max Schrems, filed a complaint against Meta under the General Data Protection Regulation before the Austrian data protection authority. For BEUC, Meta’s change of policy breaches EU consumer law because it created an undue sense of urgency for users and misled them in its data processing practices. Read more.
Product liability
PLD in slow motion. There was not much movement on the Product Liability Directive (PLD) at a technical trilogue on Monday, with growing scepticism in the Parliament that the file can be closed under the Spanish presidency. At an internal technical meeting on Tuesday, there seemed to be a consensus among parliamentary groups, except the greens, to exclude open-source software supplied outside a commercial activity. Lawmakers also seem to agree to include data recovery costs in the data destruction provision. The liability exemption for micro and small software companies and the right of recourse are to be reworded. Still, there is no internal agreement on compensation funds and alleviating the burden of proof.
Forget about AILD. The reference to the AI Liability Directive was deleted from the PLD in a four-column document dated 23 November. The deletion is because laws cannot reference legislation yet to be passed, but the AILD will not move under this mandate, and there might be new priorities in the new one.
Standards
ETSI’s chair election. As anticipated in last week’s Tech Brief, ETSI elected the chair of its general assembly on Wednesday: Markus Mueck of Intel. The election of the representative of an American company clashes with the Commission’s declared intent to make Europe’s voice more heard in standardisation bodies. The Commission tried to coordinate support for the only representative of a European company, but it was not enough to swing the vote. To make things even more embarrassing for the Commission, while the vote is secret, the vote distribution indicates that the German and French delegates did not support the European candidate. In other words, it appears that the result would have been the same even with the reform of ETSI. Read more.
HLF – what for? The Commission’s lack of coordination is particularly staggering since it established the High-Level Forum on European standardisation precisely with this intent. The HLF met on Thursday, but Commissioner Breton carefully avoided mentioning ETSI. The discussion mostly centred around a voluntary skills pact, the workstream outcomes and Europe’s leadership in international standards – the latter based on a Danish discussion paper.
What else we’re reading this week:
How Huawei surprised the US with a cutting-edge chip made in China (FT)
Meta is giving researchers more access to Facebook and Instagram data (MIT Technology Review)
[Edited by Nathalie Weatherald]
Théophane Hartmann and Alina Clasen contributed to the reporting.