Foundation model discussions heat up, EUCS mediation attempt

Welcome to Euractiv’s Tech Brief, your weekly update on all things digital in the EU. You can subscribe to the newsletter here. 

“In Parliament, there is a clear majority position in wanting obligations, perhaps limited but clear, for the developers of the most powerful models.”

-European Parliament’s co-rapporteur Brando Benifei

Story of the week: The heated discussion on foundation models seems far from settled after an intense week of negotiations. On Sunday, France, Germany and Italy showed their hand with a non-paper that pushed back against the tiered approach and demanded codes of conduct based on the principles of the Hiroshima process rather than binding obligations on foundation models. On Monday, Euractiv revealed a Commission compromise text that, to bring the tiered approach back to life, suggested watering down the transparency obligations and introducing codes of practice for the models that pose a systemic risk. The Commission’s top bureaucrat Roberto Viola personally pushed the proposal during a ‘dinner’ with MEPs on Tuesday evening and at a breakfast with ambassadors on Wednesday.

France remained the most sceptical country, while Germany and Italy started showing some flexibility. While most other countries still have reservations about the Commission text, particularly for the lack of clarity of the definition and ample discretion for the Commission to adopt secondary legislation, there is a general openness to accept it to finalise an agreement. However, the European Parliament is not satisfied with this approach and circulated a working paper that insists on mandatory requirements for foundation models with systemic risks and only envisages codes of practice to complement the horizontal transparency requirements. The topic was meant to be discussed at a technical meeting on Friday. Still, the discussion was postponed to Monday as the Spanish presidency needed more time to consolidate its mandate. Meanwhile, the clock is ticking as the presidency will need to obtain a revised mandate next week in light of the trilogue on 6 December.

Don’t miss: A new draft of the European Cloud Services scheme, seen by Euractiv, was circulated ahead of a meeting of the European Cybersecurity Certification Group on Monday, with some tweaks on the controversial sovereignty requirements. Another option was introduced to allow cloud providers to prove that they are not effectively controlled by non-European entities. The idea that the notion of the primacy of EU law would apply to the whole contractual relationship was dropped, as were the staff requirements for those conducting functional maintenance. New wording would allow cloud providers to comply with data access requests from jurisdictions with a mutual legal assistance treaty with the EU. Read more.

Also this week:

• Euractiv obtained the Council’s position on the application of the General Data Protection Regulation that was adopted on Thursday at the ambassadors’ level.
• The Spanish presidency is seeking flexibility on the rebuttable presumption in the Platform Workers Directive ahead of next Tuesday’s trilogue.
• France is said to be preparing a position paper on the child sexual abuse regulation.
• Market fragmentation and the sustainability of the telecom sector will be on the table of the Telecom Council on 5 December.

Before we start: If you just can’t get enough tech analysis, tune in on our weekly podcast.

 Today’s edition is powered by Instagram 

Instagram’s Family Tools for parents and teenagers

Instagram provides a range of tools for parents to help support their teenager’s safety and wellbeing on the app —including Daily Time Limit, Supervision and more. And when teenagers set up their profile, their accounts are private by default.

Find out more

Artificial Intelligence

Non-paper reactions. According to the Future of Life Institute, published on Tuesday, the recent AI non-paper by Italy, France, and Germany “largely fails to provide any provisions on foundation models or general purpose AI systems, and offers much less oversight and enforcement than the existing alternatives.” By contrast, a statement of DIGITALEUROPE was published on Thursday and undersigned by several national trade associations, including those of France, Germany, and Italy, calls for the risk-based approach to remain in the AI Act. The statement also advocates for the regulatory flaws to be aggravated at the sectoral level, the regulation of GPAI and foundation models “focusing on information sharing, cooperation and compliance support across the value chain”.

OpenAI drama. Much back and forth followed after the OpenAI’s board dismissed its CEO, Sam Altman, and other members left the firm in protest. It was reported that Microsoft has hired its co-founders Altman and Greg Brockman to head up a “new advanced AI research team”. However, on Wednesday, it was announced on X by OpenAI that they “have reached an agreement in principle for Sam Altman to return to OpenAI as CEO with a new initial board”. The reasons for the initial dismissal are still to be clarified in full.

Where to draw the line. Researchers at Stanford University warned that as governments try to draw a line to categorise the most powerful foundation models, “we caution against compute as a sole basis for thresholds” – as the EU Commission did. The analysis uses a combination of criteria, including the company’s revenues, the amount of training data, safety benchmarks and several downstream applications.

Habeck on foundation models. “Regulating in order to have trustworthy AI made in Europe and then excluding the small players [start-ups & SMEs] means that you only end up with trustworthy AI from the big players [tech giants], which doesn’t exactly give the small players a competitive advantage. That’s the problem I also see with the Spanish proposal,” Robert Habeck, Germany’s economy minister, said this week at the 16th annual Digital Summit. “I think referring to self-regulation is a better and more correct approach,” Habeck added.

German-American AI Alliance. At Germany’s annual Digital Summit, Digital Minister Volker Wissing highlighted plans to enter into an ‘intensive transatlantic exchange with the USA in AI’. “A joint concept for a joint summit is already being developed,” he said.

Cedric O keeps getting involved in AI development. Cédric O, the Former French Digital Secretary of State and chief lobbyist for Mistral AI, is further expanding his involvement in French AI start-ups by joining the board of Artefact. He will act as a business developer for the company.

Mind the liability interlink. The AI Act’s exemption for open-source software might have important implications for interacting with the (much-neglected) Product Liability Directive. While open-source software might be exempted from the AI law’s requirements, it can still be subject to product liability rules if it is supplied in the context of a commercial activity or exchange for personal data. However, in these cases, the claimant will not be able to cite breaches of the AI regulation as grounds for proving the open-source software defective.

Competition

What do you think about Teams? Microsoft’s competitors are being questioned by the EU about the company’s Teams software, according to MLex. The European Commission would like to know more about the issues the rivals might have with competing with the tech giant’s products as part of an antitrust probe officially launched in July following a complaint from Slack that accused Microsoft of bundling the service.

Amazon to get green light. Amazon is likely to win over the EU watchdogs in its takeover of iRobot, a smart vacuum manufacturer, according to a Reuters. iRobot, which makes the Roomba robotic vacuum cleaners and sells them on Amazon’s online marketplace. As reported by Euractiv, the Commission opened an in-depth investigation into the proposed Amazon acquisition in July over concerns that it could restrict the competition in the product’s market. After reviewing the merger, the British Competition and Markets Authority has already given the green light.

Cybersecurity

Hackback debate. As cyber threats continue to multiply, governments are looking at the option of controversial cyber defence operations such as hackbacks. According to an action plan published on Tuesday, one of the biggest arguments against hackbacks is the potential risk of collateral damage and diplomatic escalation. Still, it sets out a series of principles to make it a viable option. Read more.

Counter-Ransomware Initiative. A high-level event about the US’s International Counter Ransomware took place in Washington D.C. on 31 October “to foster a closer relationship between government and industry in halting the scourge of ransomware”, including participants from such companies as Microsoft, Blackberry, or Deutsche Telekom Global, according to an internal document seen by Euractiv. Among other topics, the event touched upon suggestions by Europol and France about cybersecurity and cooperation.

EU elections put to a cyber-test. On Tuesday, EU institutions and partners, including the EU Commission and CERT-EU, tested their crisis plans in a cybersecurity exercise organised by ENISA, the EU’s cybersecurity Agency in the EU Parliament. The Cyber-exercise aimed at testing response capabilities to cyber incidents affecting the EU elections set for June next year and to ensure fair and free elections.

Supporting immunity. Ahead of the ECCG meeting on Monday, European tech heavyweights like OVH Cloud, Airbus, Orange and Telecom Italia circulated a letter advocating for “the inclusion of criteria that guarantee immunity against non-European extraterritorial laws in the voluntary European Cybersecurity Certification Scheme for Cloud Services (EUCS).”

Data & Privacy

GDPR evaluation. Marking five years since the EU General Data Protection Regulation entered into application, the Council’s position on the status of the data protection law, seen by Euractiv, was adopted by EU ambassadors on Thursday. Overall, the member states’ assessment is less critical than one could have expected: it dubs the regulation as a ‘success’. It does not wish to reopen it but asks the Commission to conduct a comprehensive review of its application next year. The Council points to several ‘practical implementation challenges’ for private and public entities and calls for further clarifications on specific data-processing practices such as using minors’ data, anonymisation and pseudonymisation. While the European Data Protection Board is seen as a ‘positive achievement’, the EU countries note that some improvements might be needed at the level of enforcement but make no specific suggestion. Finally, the Council calls for a strategy for future data adequacy decisions. Who would contribute to drafting this strategy is unclear, nor how the geographical priorities could be established. However, it could change the Commission’s currently reactive approach to a more proactive one, although that would – as usual – raise a question of resources. Read more.

GDPR harmonisation report. The rapporteur for the regulation harmonising the administrative procedures for GDPR enforcement published its draft report this week. Significant changes include a specification that national authorities should not apply their national procedures conflicting with the regulation and must acknowledge receiving a complaint. The authority, however, has to reject those complaints that do not meet the minimum requirements and must inform the complainant about what information is missing. The text also adds that when such supervisory authorities do “not use its powers to ensure that another supervisory authority progresses the procedure”, and do not comply with the deadlines or with a binding decision of the Board, there is a “right to an effective judicial remedy.”

Data collection in question. The Italian Data Protection Authority opened an investigation into collecting personal data online to train algorithms. The initiative aims to verify the adoption of security measures by public and private sites and prevent the massive collection of personal data by third parties for training AI algorithms. The investigation concerns all public and private entities operating as data controllers, established or offering services in Italy.

Cyprus and porn. According to a post by StopDataPorn, a collective initiative aiming to end data malpractices, Aylo, formerly known as Mindgeek, submitted a defensive statement for the trial about General Data Protection Regulation violations on the porn platform, Pornhub, owned by the company. StopDataPorn believes that the focus is now on Cyprus since the legal entity responsible for Pornhub is located on the island.  The country also counts as a high-tech hub for the porn industry, which may raise concerns that the Cypriot Data Protection Authority “will be too lenient with Aylo not to jeopardise the presence of its wealth on the island”.

Digital Markets Act

Apple’s unexpected move. At the end of last week, Apple announced that iPhones will have Rich Communication Services (RCS), a new messaging standard, also pushed by Google, including such features as full-size files, improved encryption, group chats with as many as a hundred people, sending messages over Wi-Fi or cellular, typing indicators, or delivery and read receipts, Macworld reported last Friday. Apple told the Commission about the move in advance, but the U-turn was a surprise. The EU executive is due to finalise its market investigation in February. If iMessage is designated as a core platform service, the Commission must analyse whether content can be sent to iMessage from other communication services without being downgraded. However, Euractiv understands Apple’s motivation for adopting RCS is not the DMA but an ongoing discussion with the German telecom regulator.

DMA until up and running. DG CNECT has almost completed the recruitment process for its DMA unit, with only a handful of spots still left to be filled. So far, the Commission has had to keep up with the juridical deadlines: designation last September, market investigation until February and compliance as of March. There will be little room for anything else in the coming month, with the good rest of those asking for the designation of cloud services based on the qualitative criterion, as it will likely have to wait for the end of the ongoing antitrust investigations. Those asking for a revision of the annexe on the counting of the number of users are also bound for disappointment: the DMA will not be touched until the review is due in three years.

Gig economy

Get flexible. The Spanish presidency is expected to request flexibility on the Platform Workers Directive, especially concerning the conditions for the rebuttable presumption of employment, at the ambassador meeting on Friday. Euractiv understands that the presidency would like room for manoeuvre on the number of necessary criteria before the presumption can be triggered to less than three out of seven and move from ‘criteria’ to ‘indicators’ – deemed less constraining. It also looks to get member states’ approval that no rebuttal to the presumption means the reclassification is confirmed. It comes after months of a stalemate over this issue, with legislators hoping to get a deal through before year-end. The next political trilogue is planned for Tuesday.

Industrial strategy

EU ‘quantum valley of the world’. This week, the Spanish presidency hosted a summit on quantum technology. “We want Europe to be at the forefront of research and deployment and to be the best place to do quantum globally. We want Europe to become the quantum valley of the world,” said DG CNECT’s Deputy DG Thomas Skordas. A ‘quantum pact’ is expected to be signed before the end of the year.

€1bn German and EU VC funds. Germany announced the closing of €1 billion worth of fund of funds for the ‘Growth Fund Germany’, which will be part of the Future Fund, aiming to make more growth capital.

Law enforcement

Position paper incoming. France is preparing a position paper about the child sexual abuse regulation, Euractiv has learned this week. The initiative could result from a conflict between the French Prime Minister’s office and the Interior Ministry. While the paper might not be final yet, the country most likely has a problem with the scope and proportionality of encryption and detection orders. Either way, the file seems to be stuck in the Council at the moment, with no hope of being finalised before the European Parliament elections next year.

PEGA resolution adopted. MEPs criticised the lack of follow-up on the findings on spyware abuse by the European Parliament’s already disbanded Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware in a resolution adopted during Thursday’s plenary session. Euracitv learned that it is unlikely a new committee will form. Still, MEPs may hope for the issue to continue being raised during the Parliament’s Civil Liberties Committee hearings. Meanwhile, some anticipate that a regulation on spyware will be among next year’s Commission files. Back in April, Spanish MEP Diana Riba told Euractiv that she believes there is not enough majority for an EU-wide ban to happen.

German awareness for Pegasus spyware. On Monday, at an event hosted by the German Council for Foreign Relations, Regine Grienberger, German Cyber Ambassador, said that Germany is “also controlling the use of commercial spyware because this is where we have to focus on the actual operationalisation of this ban or restrictions on commercial supply.”

Media

TV is still a source of news. According to a Eurobarometer survey published by the EU Parliament last Friday, the main source of news is still television, with 71% of the respondents saying that it was one of their most used data during the past seven days at the time of the research. However, there is an 11% increase in those using social media platforms to get news compared to last year’s survey.

Include platforms as well. Ahead of the trilogue next Wednesday, six organisations representing Europe’s commercial media sector published a joint statement about the European Media Freedom Act (EMFA), suggesting that very large platforms and search engines should “be fully and explicitly included in the market review mechanism” of the media law, “when they have an impact on media pluralism”.

Don’t water this down. An open letter signed by civil society organisations and journalist associations, published on Voxeurop on Monday, pointed out that key issues still remain in the European Media Freedom Act, such as limiting the use of spyware against journalists, protecting the independence of public service media, and transparency obligations on media owners.

Platforms

Online advertising meeting. It has been rumoured that the Commission is planning to have a file about online advertising next year. Euractiv learned that DG CNECT is planning a multi-stakeholder meeting touching upon mostly the Digital Services Act provisions. Still, additional discussion topics might also include a future Digital Advertising Act. No detail has been shared yet.

Standards

Game of musical chairs. Next week, ETSI is due to elect the chair of its general assembly, the decision-making body of the standardisation organisation. Jochen Friedrich of IBM, Markus Mueck of Intel, and Enrico Scarrone of Telecom Italia are running for the office. Technically, only companies in the CEPT area can apply for the role, so both IBM and Intel are participating via their European subsidiary – and both their candidates are German nationals. Still, if a representative of an American company takes over a leading position in ETSI, it is likely to exacerbate further tensions with the European Commission, which already mandated some internal reforms because it considered the body to be driven by ‘foreign influence’ and started excluding it from crucial standardisation work on the AI Act and Cyber Resilience Act.

Telecom

Let’s discuss fragmentation. Market fragmentation and the financial sustainability of the telecom sector will be a point for discussion in the upcoming Telecom Council, with the view to continue the discussion initiated in Leon. On the same day, Breton is organising a meeting with financial institutions to discuss investments in the sector. Read more.

GIA path set. The Gigabit Infrastructure Act was unanimously endorsed at the ambassador level on Wednesday, paving the way for a general approach to be officially adopted at the Telecom Council on 5 December. The first hand-shake trilogue is expected to take place on the same day.

A Fastweb-Vodafone deal. According to Bloomberg, Italian telecom operator Fastweb, owned by Swisscom, one of Switzerland’s major telecommunications providers, is pursuing a possible future deal with Vodafone Italia.

DT appeal. Deutsche Telekom challenged its €31 million EU fine in 2014 for its unfair wholesale prices in Slovakia, which, the EU believes, limited the rivals’ opportunities on the market. In 2018, the fine was cut to €18 million, but the telecom company refused to pay the reduced amount and appealed to the EU Court of Justice. According to a Reuters article, the EU court judges will dismiss the bid.

What else we’re reading this week:

Chaos in the Cradle of A.I. (The New Yorker)

India drawing up laws to regulate deepfakes – minister (Reuters)

Nvidia sued after video call mistake showed ‘stolen’ data (BBC)

Alina Clasen and Théophane Hartmann contributed to the reporting.

[Edited by Nathalie Weatherald]

Read more with EURACTIV