Foundation model standoff, Media Freedom Act landing zones

Welcome to Euractiv’s Tech Brief, your weekly update on all things digital in the EU. You can subscribe to the newsletter here. 

“The emerging idea that risk is also proportional to the complexity of the algorithms makes a lot of sense.”

-Roberto Viola, Director General for Communication, Networks, Content and Technology on the AI Act

Story of the week: What is happening on foundation models? That is the question many are wondering after the discussions broke down at a technical meeting last Friday. The discussion on what has become the thorniest topic of the AI Act was pushed from this Friday to next Tuesday. Remarkably, the co-rapporteurs arranged a shadow meeting on the same day and a rather secretive high-level meeting in the evening. Rumours of a joint Franco-German-Italian non-paper circulated throughout the week, but attachés did not receive it by the time of publication. While France would like to limit the dispositions for foundation models merely to codes of conduct, that will not be sufficient for the European Parliament. An EU official dubbed codes of conduct as “the most conservative option”, adding that some agreement could be found on horizontal rules as long as they are not too burdensome for innovators but that discussions on what could count as ‘high-impact’ models were premature.

In this regard, Euractiv understands that discussions are ongoing also for transparency and other types of requirements. “Just because someone speaks the loudest, it doesn’t mean that they have more rights than others,” a senior EU official told Euractiv, hinting at the fact that Paris might remain isolated in asking for only voluntary measures. Meanwhile, Roberto Viola spoke strongly at the AI Assembly in Madrid in support of the tiered approach, stressing that “to increase the level of transparency we need to have attention according to the complexity.” The top EU digital bureaucrat also noted that the Commission supports the idea that the governance over this horizontal part of the regulation should be at the EU level. “This is very much what we have done in other regulations.”

Don’t miss: Euractiv obtained the note of the Spanish EU Council presidency regarding the negotiating mandate for the next political trilogue on 29 November that was discussed at the AV & Media Working Party on Wednesday. The note provides some significant insights into the way the negotiations are going, especially on matters such as state advertising, ownership transparency, media exemption, and market concentration. The national security exemption, the most sensitive part of the file, is being kept for the last trilogue on 15 December, which seems a move to put maximum pressure on the Parliament, in particular the LIBE rapporteur, to cave in to reach a final agreement. Read more.

Also this week: 

• The Spanish presidency requested member states’ feedback on some less controversial parts of the AI Act.
• The EU Commission proposed double reporting for actively exploited vulnerabilities in the Cyber Resilience Act.
• The French police are being accused of illegally using facial recognition software.
• Apple, Meta and TikTok legally challenged the designation of some of their services under the Digital Markets Act.
• The Commission sent requests for information to Meta, Snap and Amazon under the Digital Services Act.
• A political agreement was reached on the short-term rental regulation.

Before we start: If you crave even more tech analysis, tune in to our weekly podcast.

Today’s edition is powered by Google 

Find out how AI could boost the EU economy

Generative AI could increase the size of the EU economy by 1.2 trillion Euros and save the average worker over 70 hours a year. Google is committed to playing its part in helping the EU realize its digital and AI-driven future.

Find out more

Artificial Intelligence

What else is on the table. On Tuesday, the Spanish presidency asked for written feedback on some less controversial parts of the AI Act, namely value chain responsibilities, unfair contractual terms, fundamental rights impact assessment, general principles and AI literacy. On Thursday, a technical trilogue focused on the AI definition, which will be based on the OECD’s but not following it word-for-word. The Commission raised some objections on the ‘varying level of autonomy’ concept, with the recitals tasked to clarify that this wording also includes no level of autonomy. On the dispositions regarding the responsibilities alongside the value chain, the Council agreed overall to the Parliament’s position, although the discussion around what counts as substantial modification is still open.

One man, many hats. The French press has started to take aim at Cedric O for his dual role of being the chief lobbyist of Mistral AI and the government advisor on generative AI. For those who have forgotten, Cedric O was also the state secretary for digital during the French presidency, which proposed strict provisions on General Purpose AI systems just to oppose any obligations for foundation models when he jumped the fence to the private sector. Meanwhile, Mistral AI’s CEO Arthur Mensch took to X to clarify the company’s position on the AI Act, namely the fact the law should focus on the system rather than the model level to maintain its risk-based approach and considering the tiered approach’s could have ‘catastrophic’ effect.

AI start-ups. On Thursday, the Commission and the European High-Performance Computing Joint Undertaking announced their commitment to widening the access to EU’s resources for European AI start-ups, SMEs, as well as the broader AI community. As part of the EU AI Start-Up Initiative, they will support the development of AI models and access to supercomputers.

No generative AI for the Dutch. The Dutch government is preparing a ban on the use of generative AI for civil servants, de Volkskrant reported on Thursday. Minister for Digitalisation Alexandra van Huffelen wants to temporarily ban government officials from using AI software, such as ChatGPT, due to the risks in privacy and copyright.

Future of AI. A report by the Open Markets Institute and the Center for Journalism and Liberty at Open Markets, published on Wednesday, shows that only a few Big Tech companies have the position of controlling the future of AI. According to the report, closely integrating the AI regimes can ensure that “AI truly serves the interest of the people as a whole, and not simply the interests of the very largest corporations”.

Keep up. According to a report by the Mercator Institute for China Studies, published on Thursday, Europe’s policymakers should better understand R&D and commercial ties between Europe and China to remain competitive. The research also found that the UK leads when it comes to research ties with China.

Gaps in business. CISCO’s new survey, published on Tuesday, about the seismic gap in companies’ preparedness for AI revealed gaps “across six key business pillars — strategy, infrastructure, data, governance, talent, and culture. The research also shows that 86% of companies are “not fully ready to integrate AI into their businesses”.

Competition

Competition policy report postponed. A shadow meeting that was supposed to reach a final agreement on the competition policy report 2023 was inconclusive, mostly because some of the key MEPs could not attend the meeting. The most politically sensitive parts are the ‘naming and shaming’ of certain companies, which the centre-right EPP wants to remove. Another political issue to still be settled is amendments pushed by centre-left MEP Paul Tang, pointing to a legislative gap creating competition issues in the advertising market. The ECON committee vote has been postponed to 4 December.

Nothing to see here. The German competition authority, Bundeskartellamt, announced on Wednesday that Microsoft’s investment in OpenAI and the cooperation between the two companies are not subject to merger control in Germany. “We have intensively examined a possible obligation to notify Microsoft’s involvement in OpenAI. As a result, however, the investments and cooperation between the two companies are not subject to merger control,” said Andreas Mundt, president of the German Federal Cartel Office.

Meta’s waiver request approved. Under the EU’s merger regulation, the Commission approved Meta’s commitments to get clearance for acquiring Kustomer, an AI-powered customer service platform. In January 2022, the Commission approved the merger with certain conditions. However, after it received the tech giant’s request to waive the commitments, the Commission investigated whether this was justified.

Let’s remedy this. Adobe is expected to get an EU antitrust warning for its merger with Figma, a collaborative application for cloud design, due to potential harm in the digital single market. “We are certainly open to the discussion of remedies. We want this deal to go through”, Adobe’s Executive Vice President Dana Rao told Reuters on Wednesday.

Be appropriate, please. The British government introduced changes to its Digital Markets, Competition and Consumers Bill to ensure that the UK’s Competition and Markets Authority can only intervene when appropriate, constraining the regulator’s powers.

Cybersecurity

Double reporting, double risks. The Commission’s proposal to double the receivers of actively exploited vulnerabilities reporting, anticipated by Euractiv following last week’s trilogue, was finally put on paper. While this text is still to be improved at the technical level, there are still a few red flags for the EU Parliament that will need to be solved to reach a compromise, most notably the idea that manufacturers without a legal office in the EU can choose at their discretion the CSIRT of reference. Regarding delaying the notification to other authorities, the Commission proposed that the CSIRT would have to provide a justification and an indication of how long the withholding of information is expected to be to ENISA. Read more.

ENISA, Ukraine, and cybersecurity. On Monday, the EU’s cybersecurity agency, ENISA, announced that it will work with Ukraine to enhance cybersecurity by exchanging best practices, information sharing, and capacity-building. Its announcement signalled that it had formed a working arrangement with Ukraine. The arrangement focuses on exchange in three domains: best practices, information sharing, and capacity building. Last Wednesday, the EU recommended opening accession talks with Ukraine, partially based on its results of “the ongoing reform efforts”. Kyiv still needs several conditions to align with EU standards for this to happen. Read more.

New study, new need for action. According to a newly published study on the state of development of quantum computers, the German Federal Ministry for Information Security estimates that it will be another 10 to 20 years before cryptographically relevant quantum computers are developed. At the same time, the ministry warns of the dangers that already exist in the decryption of long-lived data through so-called ‘harvest attacks’. “Data can already be recorded now and decrypted later. What’s more, the migration to quantum-safe cryptography (so-called post-quantum cryptography) will take a very long time and should therefore be started as soon as possible,” BSI-Advisor Dr. Heike Hagemeier told Euractiv.

Member states agreed on cybersecurity. On Wednesday, member states agreed on a common position about targeted amendment of the EU’s Cybersecurity Act. The Council’s amendments clarified the meaning of ‘managed security services’ and introduced technical and drafting modifications.

Growing investments. A report published on Thursday by the European Union Agency for Cybersecurity emphasises the importance of vulnerability management and confirms that investments are continuing to grow. Among the key findings is that part of the IT budget, which is dedicated to cybersecurity, “reached 7,1% in 2022, representing an increase of 0,4% compared to 2021”.

Data & Privacy

Illegal face recognition. French national police have been illegally using the Israeli facial recognition software Briefcam since 2015, according to the French investigative media Disclose. The use of facial recognition software by law enforcement authorities is prohibited in France. Still, this disposition has recently become more flexible for trial purposes in the context of the upcoming Paris Olympic Games in 2024. If confirmed, the usage of Briefcam would breach the French Informatics and Freedom law updated in 2019, stating that it is forbidden to “use any biometric identification system, [or] process any biometric data, and […] implement any facial recognition techniques.” Read more.

Germans are not convinced. Two months ago, the German government set the course with a new strategy to utilise data more effectively. Still, a recent survey shows that the public and businesses are not convinced of the benefits of using personal data. Conducted between September and November on behalf of the Federal Association for the Digital Economy, found that 75% of the 2,500 respondents do not see any economic benefit in digital data processing, with only 10% believing personal data contributes to national prosperity. Moreover, only 14% are convinced that the digital processing of personal data makes their everyday lives easier. Read more.

IP tracking guidelines. On Wednesday, the European Data Protection Board adopted guidelines on the scope of the ePrivacy Directive’s provision on the confidentiality conditions for the storing of information in the user’s technical equipment. Given the different interpretations among data protection authorities on how this measure applies to online tracking techniques, especially about IP addresses, the idea was to provide greater legal certainty. The guidelines still need to be fully digested, but the Board’s position seems to be that the confidentiality condition applies except in narrow cases. “Article 5(3) ePD could apply even though the instruction to make the IP available has been made by a different entity than the receiving one. However, gaining access to IP addresses would only trigger the application of Article 5(3) ePD in cases where this information originates from the terminal equipment of a subscriber or user. ”

Dixon’s goodbye. Ireland’s Data Protection Commissioner Helen Dixon announced on LinkedIn on Wednesday that her “final term at the DPC is due to end in 2024”, confirming that the final date of her departure will be 19 February next year. “During my tenure, the European legal framework governing data protection was substantially overhauled, and the DPC played a pivotal role in ensuring organisations in Ireland and beyond were aware and prepared in terms of meeting their new obligations and that the public had a renewed understanding of risks and rights relating to the processing of their personal data,” she wrote in the post.

Digital Markets Act

CPS appeals filed. The deadline for gatekeepers to appeal the designation of their ‘core platform services’ under the DMA was this Thursday, pushing the Big Tech companies to show their hand. Meta chose to legally battle the designation of its instant messaging platform Messenger and intermediation service Marketplace, considering that the Commission has misunderstood the nature of these services. ByteDance is also bringing the European Commission to court, arguing that TikTok does not enjoy an ‘entrenched and durable’ position and does not meet the revenue threshold. Apple’s appeal over the App Store was anticipated by Bloomberg last week.

Digital Services Act

Commission wants to know more. The Commission sent Meta and Snapchat a request for information last Friday under the Digital Services Act (DSA) to learn what measures the companies have taken to comply with the DSA, for example, measures in connection with risk assessments or mitigation measures to protect minors. The two companies will have to provide the information until 1 December. On Wednesday, the Commission also sent a similar request to Amazon, which has until 6 December to get back to the Commission.

eGovernance

A slow e-administration. Despite being an economic powerhouse that accounts for almost a quarter of the EU’s total GDP, Germany ranks 13th among EU countries for digitalisation, according to the EU Digital Economy and Society Index. Therefore, pressure is building on Germany to move towards a more digitalised administrative framework. While expectations for a successful transition to an e-administration in Germany are high among politicians and business leaders, rollout remains slow, and the laws supposed to facilitate it are being criticised for failing to prioritise. Read more.

Agreement on the Interoperable Europe Act. The European Parliament and Council reached an agreement on the Interoperable Europe Act on Monday evening. The law is meant to improve the EU’s online public services for users and businesses, as well as cross-border interoperability and cooperation.

Gig economy

Short-term rental agreement. The EU Council and Parliament reached a political agreement on the bill to regulate the data-sharing of short-term rental platforms. The compromise was found in allowing accommodation hosts to self-declare their listing on short-term rental platforms and to prevent any illegal listing. Online platforms will have to make “best efforts” to check the completeness and reliability of the information provided. Moreover, platforms must conduct random checks on the listings they host. In contrast, administrative authorities will conduct checks based on data provided monthly by Airbnb, Booking, Trivago, Expedia and the like. Read more.

Industrial strategy

Russian money not wanted. Michiel Scheffer, the chair of the board of the European Innovation Council, announced at the Web Summit this week that new rules were introduced to exclude Russian investors from sensitive technologies, such as microchips. The news comes after the Commission asked in October for more attention to foreign investors joining start-ups developing sensitive technologies in the EU. Start-ups must have a co-investor before the European Innovation Council can accept a minority stake, which may take up to €15 million.

€1 billion for deep tech. Almost €1 billion of investments in deep tech companies has been approved by the EIC, with 159 start-ups and SMEs getting their investments approved, the European Commission announced on Tuesday.

Law enforcement

Commission takes another hit. NOYB filed a complaint on Thursday against the EU Commission with the European Data Protection Supervisor for using microtargeting ads on X to promote its regulation on detecting child sexual abuse material online. NOYB considers that the ads have violated the EU’s data protection rules and that the usage of microtargeted ads contradicts the Commission’s intentions of more transparency about advertising. Read more.

Meanwhile in the Parliament. The European Parliament’s draft position on regulation to detect online child sexual abuse material (CSAM) was adopted by the Committee on Civil Liberties, Justice and Home Affairs (DG HOME)  on Tuesday based on the political agreement Euractiv reported in October. Rapporteur Javier Zarzaljos said the text limits detection order, as a last resort, “to take down abusive material still circulating on the internet” and that the agreement “strikes a balance between protecting children and protecting privacy.”

What’s next? Euractiv learned this week that while the Spanish presidency would like to reach a general approach on the CSAM file, according to several sources, it is becoming less likely that it will able to do so as time is running out. France, Poland, Germany, and Austria are critical of the proposal. It has been in the air for some time that DG HOME is planning to extend the interim regulation, which is currently in force until 3 August 2024, allowing voluntary detection of CSAM, which might happen this month. A German position paper in October also suggested the extension of the regulation.

Platforms

Should you not do something? A cross-party coalition of MEPs sent a series of written questions demanding that the European Commission take action following the revelations that sensitive data from European leaders was being sold to the highest bidder. The initiative spurred from two reports by the Irish Council for Civil Liberties, published on Tuesday, that revealed a trade in real-time bidding data about EU and US leaders and military personnel sent by Google and other firms to China and Russia.

Google pays Apple more than a third of its ad revenue on Safari. As reported by Bloomberg on Monday, a witness in the Google trial in the US admitted that the world’s first search engine pays Apple 36% of all the ad revenues it generates when an Apple’s Safari user does a Google search on the browser. Sundar Pichai, the CEO of Google’s parent company, Alphabet, confirmed the figure on Tuesday in a testimony on a separate lawsuit filed against Google Epic Games, as CNBC reported.

No text in sight. Following last week’s agreement on transparency and targeting of political advertising among the EU Parliament, Council, and Commission, Euractiv learned this week that a new text cannot be expected for several weeks as there is still much cleaning up to do, and it needs to be checked by the legal services and lawyer linguists, following its translations. Some even anticipate that a new version cannot be expected this year.

Product liability

PLD trilogue dates. Euractiv learned this week that the next political trilogues of the Product Liability Directive would take place on 14 December. Before that, five technical meetings have been scheduled in November and two in December.  In a technical meeting on Tuesday, the negotiators went through a series of proposals from the co-rapporteurs, seen by Euractiv, relating mostly to the definitions used in the law. Still, the presidency did not have a mandate to agree on them on the spot. The main remark on content was that the Council expressed its concerns recently about the exclusion of SMEs and lowering the threshold for the presumptions in cases of technical and scientific complexity.

Telecom

A GIA general approach is coming. Euractiv learned that the Telecom Working Party on Tuesday agreed on the new compromise text on the Gigabit Infrastructure Act that Euractiv reported last week. The file will land on the COREPER’s desk on 22 November. A general approach should be agreed upon at the political level on 5 December, which would kick off the inter-institutional negotiations with the Parliament, better known as trilogues. Read more about the Council version and the Parliament mandate.

What else we’re reading this week:

Antisemitic and Anti-Muslim Hate Speech Surges Across the Internet (The New York Times)

Google DeepMind wants to define what counts as artificial general intelligence (MIT Technology Review)

OpenAI explores how to get ChatGPT into classrooms (Reuters)

Théophane Hartmann and Alina Clasen contributed to the reporting.

[Edited by Zoran Radosavljevic]

Read more with EURACTIV