Tech Brief: IoT cybersecurity law leaked, media freedom with little transparency

Welcome to EURACTIVs Tech Brief, yourweekly update on all things digital in the EU. You can subscribe to the newsletterhere.

 

Cybersecurity of the entire supply chain is ensured only if all its components are cyber-secure.

-Leaked draft of the Cyber Resilience Act

 

Story of the week: Baseline cybersecurity standards will be required for all connected devices under the Commissions new proposal for a Cyber Resilience Act, seen by EURACTIV and set for presentation next Thursday. The initiative, the first of its kind globally, will address widespread and interlinked vulnerabilities in the Internet of Things (IoT) sector. Furthermore, it will mandate conformity assessments by manufacturers, safeguarding criteria in the design, development and production of devices, and penalties of either 15 million or up to 2.5% of annual turnover.

The Commission adopted a risk-based approach, including stricter conformity assessment procedures for the so-called critical products. For the highest level of assurance, a third-party assessment will be required to demonstrate conformity with a governance structure based on the New Legislative Framework. Moreover, the Commission would be empowered to adopt secondary legislation to introduce mandatory EU cybersecurity certification schemes for highly critical products. Read more.

Dont miss: The Commissions European Media Freedom Act, due for official release next week, is set to address media regulators, editorial independence and economic revenues but notably dodges the issue of media ownership. The proposal will establish a Media Board, the enhanced successor of ERGA, which will require transparency and objectivity in allocating public funds to media outlets and will introduce several safeguards for public service media providers. Despite the marketing of the initiative as being mainly in the name of increasing media ownership and transparency in the allocation of public funding, the draft text leaves ample room for discretion to the member states. This goes against the recommendation of the Centre for Media Freedom and Media Pluralism of the European University Institute, which was initiated precisely to advise the Commission on these matters. Moreover, the leaked draft includes a mechanism by which very large online platforms under the DSA will have to justify content moderation decisions related to editorial content, providing the publishers with the possibility to seek an amicable solution. Read more.

Also this week:

• The Irish data protection authority fined Instagram 405m for violating child privacy.
• EURACTIV obtained a document showing how France tried to kill the rebuttable presumption before the platform worker directive was published.
• MEPs discussed regulatory sandboxes on the AI Act.
• Germany said it supports a ban on inferring personal data for political ads.
• The European frontrunner on quantum computing called on Brussels to provide further support.
• Greek officials have shielded behind ‘national security’ any questioning on the surveillance of journalists and opponents.

Before we start: This week, the Irish Data Protection Commission sanctioned Instagram for violating childrens privacy. After much waiting for the EUs data protection rulebook to bite, privacy watchdogs have started to show their teeth. Is this a sign of a new trend? And how does it sit with the ongoing discussions about potential reforms of the General Data Protection Regulation? Tune in for this discussion with Isabelle Roccia, managing director for Europe of the International Association of Privacy Professionals, and Vincenzo Tiani, a partner at the law firm Panetta.

A message by Google

In times of crisis, technology can support democracy

Google is working with governments, NGOs and experts in Europe to protect citizens and the public space. Project Shield is defending the sites of more than 200 organisations in Ukraine. We have committed $10 billion by 2026 to strengthen cybersecurity.

Continue Reading >>

Artificial Intelligence

Smooth sailing so far. The latest Parliamentary compromise on the AI Act has proven relatively uncontroversial, mainly composed of proposals made by other political groups. Discussions have so far largely steered clear of the most sensitive political elements, in this case, related to provisions on the interaction between national governments regulatory sandboxes with general purpose AI. In the technical meeting on Tuesday, the different political groups closed several less controversial articles on the initial batches. However, the discussion on sandboxes is only at an initial stage as lawmakers still need to reach a common understanding of what they want the sandboxes to look like and with what time of safeguards. Whether they should be mandatory or not for member states remains open. Next weeks shadow meeting will likely focus on these open issues, including the part on the registration on the EU database for high-risk systems. Before the discussion moves on to more political questions, the co-rapporteurs plan to have a general discussion to better gather each groups political position before proposing compromise amendments.

JURIs opinion is finalised. The AI Act opinion report was adopted in JURI on Monday, with the compromise amendments passing the test of the committee vote. The opinion report proposes three new exemptions from the scope of the legislation, namely on R&D, B2B low-risk industrial application and open source systems until their commercialisation. The legal affairs committee also introduces significant changes in the responsibilities of providers and users and the provisions related to general purpose AI defined based on the definition provided by the French Presidency. In addition, the AI Board was enhanced, and the Commission would have to evaluate after three years if an EU agency is needed. In the human oversight article, a mention was added that the persons in question would need to be AI literate. Other highlights involve provisions on transparency, risk management and harmonised standards.

More ideas on the table. The Slovak government has put forth a series of proposals on the AI Act during the first of a series of expert-level workshops. The first workshop took place this week and focused on the governance of AI regulation. Bratislava pitched the idea of moving away from traditional institutional settings in favour of novel virtual collaborative teams to mirror the degree of technological convergence and integration, according to the supporting presentation seen by EURACTIV. Slovakia also proposed establishing a real-time helpdesk set up on a common communication platform that would provide continuous support for member state authorities on the legislative interpretation and technical assessment. Finally, the Slovak ministry suggested the introduction of co-regulatory dialogues between the providers of general purpose AI systems, the AI Board and the European Commission, proposing to delegate to the Commission powers similar to those it has for very large only platforms under the Digital Services Act.

Competition

We’ll take this further. EU competition regulators have expanded their investigation into Googles digital advertising business to include a similar inquiry by the Portuguese competition authority, which opened in May this year. Both investigations focus on the ad space management market and whether Google used information that competitors lacked access to win online ad auctions. EU authorities took over the parallel probe in Portugal at the end of July. Read more.

Cybersecurity

Cyber diplomacy (done wrong). NATO has condemned a cyberattack on Albania, which took down all government sites and online citizen portals, beginning in July. The attack, which has been attributed to Iran, led Tirana to cut ties with Tehran and order the expulsion of all Iranian diplomats by Thursday (8 September). NATO Secretary General Jens Stoltenberg this week condemned the attack, and the alliance pledged to continue to raise its defences against cyber threats. Tehran, for its part, has denied any involvement. Read more.

Data & Privacy

Kids deserve privacy. Instagram was hit with a 405 million fine this week, levied by the Irish Data Protection Commission (DPC) over the platforms breach of the GDPRs rules on the privacy of minors. The decision follows an inquiry into Instagrams practice of allowing users aged 13-17 to operate business accounts, enabling the use of analytics features which required the provision of personal data that the minors were unaware would be made public. The watchdog issued the penalty the highest ever, far surpassing the previous record of WhatsApps 225 million last year. Read more.

Data defenders. Germany, joined by Greece, is backing a general ban on the processing of personal data in political ads, including for statistical inferences, and rejects the call by France to intensify rules on reporting in the run-up to elections. In response to questions issued by the Councils Czech Presidency, 16 countries set out their positions on some issues related to the Commissions proposed regulation on political advertising. Also revealed in their replies were Berlins desire for specific infringement rules for the largest online platform and Hungarys rejection of the regulations overall legal basis and formulation. Read more.

Lets ask the court. Brussels Court of Appeals has partially dismissed IAB Europes appeal against a decision by the Belgian data protection authority that the organisation breached the GDPR in multiple ways via the consent system in its Transparency & Consent framework. The case has now been referred to the European Court of Justice, which ICCL, one of the drivers that brought the suit in the first place, described as the next step in our effort to put an end to the consent pop-ups that have harassed internet users in Europe for years. IAB Europe said it welcomed the referral, adding that the original ruling had been based on an unnecessarily broad idea of personal data and controllership with significant negative implications for the development of open standards and the Codes of Conduct foreseen in the GDPR. The key question the EU court will have to rule on is if the Belgian watchdog was correct in deeming the standard-setting organisation a data controller.

Digital Markets Act

Keep the pressure up. Leading MEPs Andreas Schwab and Christel Schaldemose are considering setting up a working party to monitor the implementation of the DMA and DSA. The initiative will land on the table of the IMCO coordinators on Monday, and it is intended to keep up the pressure on the Commission in the crucial months ahead of the new legislation coming in full swing.

Gig economy

French force. France has been heavily lobbying the Commission with positions close to those of gig economy platforms. Documents obtained this week by EURACTIV show how, even before the proposals publication, the country was pushing the EU executive to eliminate the presumption of employment. The news comes in the shadow of an already brewing storm over lobbying by officials in France after the Uber Files revealed earlier this year that President Emmanuel Macron had gone against his own government to support ride-hailing company Uber. In an internal note seen by EURACTIV, a French diplomat said they expected the upcoming Swedish Presidency to support them in trying to kill the rebuttable presumption but feared that the opposite would be through if the file was to land in the hands of the Spaniards in the second half of next year. Read more.

Worker status discussion. The rapporteur for the platform workers directive Elisabetta Gualmini continues to push for a broad legal presumption of employment in the platform workers proposal. According to new compromise amendments seen by EURACTIV this week, the leading MEPs proposal consists in moving away from the criteria Commission proposed to trigger such a presumption, introducing new criteria regarding the burden of proof on platforms to prove that a worker is genuinely self-employed. Sources told EURACTIV, however, that a compromise is still far off and that the changes were more of a basis for future work than signals of a deal being within sight. Read more.

Uber hearing. The MEPs could agree on the date for the parliamentary hearing to discuss the revelations related to the Uber Files. The coordinators of the political groups in the EMPL committee decided on Thursday to schedule the hearing on 25 October, with whistleblower Mark MacGann as the guest of honour.

Industrial strategy

Seeking the quantum leap. The Netherlands is pressing ahead in the global race towards the quantum advantage to show that a quantum computer can answer commercial or social advantage problems much faster than a regular computer could. On a visit to QuTech, a Dutch research institute, EURACTIV learned more about what is needed to take the development of the technology to the next stage and the challenges facing those working to do so. Read more.

Mind your cloud. Switching and combining cloud service providers is difficult for users, posing a threat to prices, quality and innovation within the sector and necessitating further measures in the upcoming Data Act to make things easier, the Netherlands Authority for Consumers and Markets (ACM) said this week. Following a market study, the ACM has proposed several amendments to the act that will simplify the process for users seeking to combine cloud services, enhancing interoperability. The watchdog is also set to launch a follow-up investigation to gain further insight into how these barriers cause issues in practice and what more immediate solutions might be available. The Data Act is the Netherlands’ first tech priority, which sought to influence it before the proposal was published. The Hague is now dedicating more experts to the ongoing discussion in the EU Council than any other country.

Truss on tech. Liz Truss became the UKs latest Prime Minister this week, as the countrys Parliament returned from its summer hiatus. Ahead of her unsurprising election, EURACTIV spoke to some analysts about what her premiership could mean for tech policy across the Channel, where the action is expected in areas including the Online Safety Bill, data reform, digital competition and research and innovation. Read more.

Law enforcement

The national security curtain. During a European Parliament hearing on Thursday (8 September), Greek officials put forth national security reasons to fend off uncomfortable questions about why journalists and opposition politicians had been targeted with surveillance technology. Journalist Stavros Malichudis even provided written evidence that the national intelligence services were merely interested in his journalistic work and sources. Still, the Greek authority representatives at the hearing remained unresponsive behind the wall of confidentiality motivated by national security reasons. Read more.

Media

De facto ban. Novaya Gazeta, one of the last remaining independent Russian news outlets, was effectively banned from operating this week after a court revoked its media license over what the countrys media regulator claimed was its failure to provide documentation related to a change in ownership in 2006. The publications Nobel prize-winning editor, Dmitry Muratov, described it as a political hit job and said the paper would launch an appeal. The courts decision came on the same day that ex-journalist Ivan Safronov was found guilty of treason and sentenced to 22 years in a penal colony in what his lawyers said was retaliation for his reporting on Russias international arms deals. Read more.

Platforms

Political ads after the elections? When the European Commission presented its proposal for a regulation on political ads, it explicitly said that the aim was to have it in place before the next elections for the European Parliament in 2024. However, that timeline seems more and more at risk as several member states seem reluctant to compromise on the file, and the Czech Presidencys aim to reach a general approach in November appears less realistic. The main questions remain the very definition of political ads, how the regulation will interact with existing legislation such as the Digital Services Act and if there should be a distinction between online and offline media. In the background, as usual, the publishers are asking to be exempted.

Research & Innovation

No country for researchers. The UKs attractiveness as a location for scientists is declining, a top official at Imperial College London said this week, a comment echoed by others in the sector who have warned that the lack of skilled workforce might jeopardise the governments plans to boost R&D spending. In May, London released a strategy to up R&D expenditure by 2.4% over the next five years, but those working in academia are warning that the countrys post-Brexit attitude to immigration and unsuccessful attempts to forge new international research partnerships have made the UK less appealing to the people whose arrival and work will be crucial to meeting these targets.

Telecom

Connectivity climb. Germany now ranks third in Europe in fibre infrastructure, with a quarter of all households connected, according to a report released this week. Connectivity has risen by 26% since 2020, and demand continues to grow. Germany has set a goal of total connectivity by the decade’s end. Still, the report notes that the war in Ukraine and political framework conditions could impact this achievement. Read more.

Access recommended. The revision of the recommendation work started in July 2020 with a targeted consultation. The initiative is meant to be vetted by the Regulatory Scrutiny Board and be published as part of the Connectivity Infrastructure Act package. The idea is to complement the EUs guidelines on Significant Market Powers in the telecoms sector and the Recommendation on Relevant Markets to advance the private actors rollout of high-capacity networks by incentivising investments while maintaining competition in place. The recommendation might also include a negative opinion toward the regulation undertaken by certain national regulators of access price of high-capacity networks, which is seen as disincentivising investments.

What else were reading this week:

Google Pays Enormous Sums to Maintain Search-Engine Dominance, DOJ Says (Bloomberg)

Tech regulation: change is coming, but itll take a while (FT)

FACT SHEET: Climate and Energy Implications of Crypto-Assets in the United States (The White House)

Laura Kabelka contributed to the reporting.

[Edited by Alice Taylor]