Welcome to EURACTIV’s Tech Brief, your weekly update on all things digital in the EU.
“‘General purpose AI system’ means an AI system that is trained on broad data at scale, is designed for generality of output and can be adapted to a wide range of tasks.”
-Compromise proposal on General Purpose AI for the AI Act
Story of the week: Lawmakers leading on the AI Act have shared a first draft on the sensitive topic of how to deal with General Purpose AI (GPAI), such as large language models like ChatGPT that can be adapted to carry out various tasks. The proposal of the file’s co-rapporteurs, seen by EURACTIV, makes GPAI systems high-risk by default, and they will have to comply with the most stringent requirements. In addition, GPAI solutions would have to undergo external audits throughout their entire lifecycle and be registered on the EU database. The co-rapporteurs also proposed the shift of responsibilities if a downstream actor significantly modifies the GPAI model. Still, in these cases, GPAI providers must provide all relevant information to make the downstream actor comply with the AI regulation. The compromise includes a ban on unilaterally imposed unfair contractual terms for SMEs and some more tasks for the AI Office in relation to GPAI.
Don’t miss: The Swedish presidency circulated a new compromise text, perhaps the most significant so far, on the Cyber Resilience Act ahead of the Council’s Cyber Working Party meeting this week. The text, seen by EURACTIV, introduces key changes such as the removal of the five-year limit on product lifecycle, clarification of the scope, especially about non-commercial open source components, due diligence obligations when integrating third-party components, automatic security updates made the default setting, and obligation for response teams (CSIRTs) to inform the manufacturer if third parties report actively exploited vulnerabilities.
Also, this week:
- The European Parliament adopted the negotiating mandate for the Data Act and European Digital Identity.
- The EU negotiators meet today to discuss the Chips Act’s crisis management mechanism.
- A new compromise text on the Product Liability Directive is up for discussion in the Council.
- France is working on a legislative proposal to regulate influencers.
Fast developments. OpenAI has released a new iteration of its headline tech ChatGPT. GPT-4, which has reportedly been in the works for a while, leverages more data and computation than the previous models. According to its producer, it has a much more advanced reasoning capability than ChatGPT. OpenAI also says the tool, capable of receiving both text and images, is significantly less likely than previous generations to respond to requests for disallowed content or produce factual inaccuracies.
Ethics is not a priority. Microsoft has axed its entire AI ethics and society team as part of recent mass lay-offs. The company’s Office of Responsible AI (ORA) remains, but the eliminated team was reportedly in charge of ensuring that the principles devised by the ORA are put into practice. The move comes amidst an increase in investment by the company into OpenAI, the parent of the generative AI model ChatGPT.
NGOs not welcome. The Council of Europe, often a preacher of the involvement of civil society in policymaking, is continuing its trend of obstructing the participation of observer participants (i.e. NGOs) in discussions on the AI Convention. The possibility to participate remotely has been removed, meaning that the civil rights groups with less funding will not be able to participate. During the plenary discussions, observers can only send one representative, while the participating countries can have two. In the drafting group, where all the actual work happens behind closed doors, an exceptional number of four representatives per country has been admitted, signalling that perhaps the intent of these measures was not to cut down costs.
Tailor-made definitions? During a hearing this week, US chip company Qualcomm criticised EU competition authorities over the definition of rebates it gave to Chinese phone makers Huawei and ZTE. Qualcomm seeks to overturn a €242 million fine levied against it by the Commission in 2019 over predatory pricing allegations. Lawyers for the company this week argued that had Brussels used slightly amended terms in their investigation, they would have reached a very different conclusion.
More gaming deals. Microsoft has announced another 10-year deal with a gaming platform as part of its bid to ease the Commission’s competition concerns over its acquisition of Activision Blizzard. The company this week unveiled a partnership with cloud gaming company Boosteroid to secure the streaming of Activision games on their platform. Microsoft is under heavy scrutiny by EU officials over fears that the deal could result in flagship titles such as Call of Duty being significantly restricted, giving the tech giant dominance in the gaming market. In February, the company’s president visited Brussels to meet with antitrust authorities and announced similar agreements with Nintendo and Nvidia.
Never-ending fight. The competency fight between ITRE and IMCO is still not settled, frustrating rapporteur Nicola Danti’s ambition to finalise his draft report by the end of March. The Conference of Committee Chairs (CCC) put its recommendation on hold as the two committees have been negotiating bilaterally in the past weeks. However, a provisional deal broke down last week due to some last-minute changes, Politico reported. The deal included giving exclusive competencies to IMCO regarding the free movement of products, product safety, machinery, and CE marking. The two committees were also due to share competencies regarding the obligations of economic operators, market surveillance, and relations with the AI Act. It is now for the chair of the CCC to issue an opinion on the matter to the Conference of Presidents. These continuous delays cast doubts on whether the file might complete its legislative procedure before the end of this mandate.
Data & Privacy
Data Act plenary vote. MEPs adopted their position on the Data Act with a large majority this week, opening the door for trilogue negotiations to begin, with the first meeting scheduled for 28-29 March. At the parliament’s plenary session in Strasbourg this week, lawmakers approved the report on the regulation, negotiations on which resulted in changes in areas including scope, compensation, B2G data sharing, trade secrets and others.
Council’s final discussions. On Tuesday, the Telecom Working Party discussed the last compromise on the Data Act. The Swedish presidency received some broad support to go to COREPER next Wednesday. The country with the longest list of grievances was, as usual, Germany, which insisted on the protection of trade secrets. Berlin also aimed to modify recital 28a to define serious damages and exclusion of scientific data from the scope, points several other national representatives picked up. In turn, France reiterated that it would like to see more ambition on the cloud part. A fine-tuned text is now expected for ambassadors’ approval next week.
DPO coordinated action. The European Data Protection Board has initiated its 2023 coordinated enforcement action – cooperation between various European data protection authorities on the designation and position of data protection officers (DPOs). The privacy watchdogs will look at whether DPOs are organised as legally required and will decide on any potentially necessary national-level supervision and enforcement actions.
Illegal tracking tool. Facebook’s tracking pixel directly violates the GDPR and the 2020 Schrems II decision, the Austrian Data Protection Authority (DSB) ruled this week. The decision results from the 100+ complaints filed by NOYB in August 2020 targeting companies accused of disregarding the Schrems II ruling. The DSB’s decision finds that using the Facebook Login and Meta Pixel tools resulted in data transfers to the US, rendering them illegal, which could have a wide-ranging impact. However, no financial penalty was issued in this case.
DPF committee vote. The LIBE committee will finalise its opinion on the EU-US Data Privacy Framework by mid-April. The draft resolution tabled by the committee’s Chair, Juan Fernando López Aguilar, was overwhelmingly negative, and it is unlikely to improve following amendments.
eIDs trilogues begin. The Parliament this week adopted the mandate to begin trilogue negotiations on the European Digital Identity proposal following the ITRE vote in February. The first meetings on the file are set to begin next week to reach a political agreement before the end of the Swedish presidency. Still, the institutions remain at odds in several areas, including privacy, governance, accessibility and relying parties.
Crisis management discussions. The crisis management mechanism of the Chips Act will be the focus of a technical meeting today. The European Parliament put forth a compromise text mixing some of the proposals of the two co-legislators but is facing resistance on some of the most ambitious points from the Commission. Among the measures to be discussed are the setup of a long-term strategic mapping exercise, the involvement of key market actors, the inclusion of the critical sectors in the annexe, and the crisis stage definition.
Rethinking tech policies. The US will have to rethink the international economic system if it wants to pursue its digital policies vis-à-vis allies and rivals, according to a new report by the German Marshall Fund (GMF). The report’s authors argue that a new technology policy architecture is needed to foster socially responsible innovation and digital trade and set out how the US could boost multi-stakeholder frameworks for achieving this.
Evading chip sanctions. Covert networks set up to facilitate purchasing US semiconductor technology allow Russian buyers to access the material despite sanctions on the country. According to US and EU officials, Russia can still access the tech through these links and is using them for military purposes, prompting a push from some to ensure that US companies are not unwittingly supplying chips to actors who will put them to use in war.
French interests at stake? On Thursday, the MEPs of the PEGA committee heard from journalists Rosa Moussaoui of L’Humanité and Madjid Zerrouky of Le Monde. The two journalists said that the French government has done “absolutely nothing to protect us” and has shown “no willingness to investigate from the French side” because “French interests are at stake.”
CSAM reporting & fines. A new compromise text on the Child Sexual Abuse Material (CSAM) proposal, presented last week and leaked by Contexte, proposed amendments to reporting requirements, such as the inclusion of metadata, the fixing of fines at 6% and the specification that the time frame for content removal by hosting providers sits at one hour. The Swedish presidency circulated the text ahead of the Council’s Law Enforcement Working Party meeting this week.
Paris’s influencer law. France will bring out a plan to better regulate social media influencers’ commercial work, it was announced this week. The aim is to ensure their protection and that of those who consume their content. The move comes amid recent rapid growth in the influencer marketing industry. It will draw on recommendations from a public consultation launched at the start of the year, including legally defining influencers and their agents and potentially prohibiting or restricting the promotion of certain products.
Join the queue. The UK has banned using TikTok on government-issued devices over data privacy concerns, following the introduction of similar measures by several US states, the EU institutions, Belgium, Canada and India. Government ministers, civil servants and Members of Parliament were told on Thursday that the app would be banned immediately in response to security issues. Lawmakers have, however, asked the country’s privacy regulator, the Information Commissioner, to review whether the app has breached UK law in handling personal data. France is also set to follow suit, according to Bloomberg.
Divorce is on the table. TikTok is reportedly considering splitting from its Chinese parent company ByteDance if a deal to allay the concerns of US national security officials fails. The app is currently being reviewed by security personnel, offering several changes to respond to identified issues. However, if these reassurances miss the mark, divorcing from ByteDance might be the only way to win back credibility.
PLD latest text. A new compromise text on the Product Liability Directive, circulated by the Swedish presidency last week, has introduced changes in areas including manufacturers’ control, harmonised interpretation, timeframes and scope. The document is set for discussion within the Civil Law Matters Working Party today.
Commercial constellations. Elon Musk’s SpaceX currently operates a large constellation of satellites, but these could be joined by thousands more from at least eight other companies seeking to catapult their fleets into orbit. Many national governments harbour similar ambitions, raising questions about competing for sovereign interests and sustainability in space.
More RED delays. The CEN/CENELEC working group on the standardisation request for the Radio Equipment Directive (RED) received feedback from the Commission stating that the early working draft does not provide sufficient legal certainty to be adopted. The draft took months of intensive discussions to put together, and the negative feedback means the standardisation request will see even more delays. The standardisation bodies decided to start working on the Cyber Resilience Act earlier, with a specific working group to be established in August. Moreover, the RED working group will provide lessons learned to inform future work on the CRA.
Interceptions discount. The EU Court of Justice has ruled that it is legal for telecom operators to be required to intercept communications in return for a fixed rate if requested by judicial authorities. The ruling stems from a case in which Italian operators sought to annul a 2017 decree that established a reduction of at least 50% of reimbursements for the cost of such interceptions, arguing that this was insufficient. Italian authorities came out victorious after having asked the court whether they were, under EU law, required to reimburse the full amount.
Tech export controls. The US and EU are upping their (anti-Chinese) cooperation, President Biden and Commission President Ursula von der Leyen have announced. The transatlantic partners want to coordinate more closely to prevent leaks of sensitive emerging technologies and other dual-use items to areas of concern where they could be used in “civil-military fusion strategies”. Based on what the two leaders defined as a common interest in preventing companies’ resources and knowledge from being used to fuel military or intelligence gains by rivals, the allies will aim to update their respective controls on exports, inbound investment and research cooperation.
EU-LAC Digital Alliance. This week saw the launch of the European Union-Latin America and Caribbean Digital Alliance, the first intercontinental digital partnership agreed upon under the EU’s Global Gateway investment strategy. Despite the grand ambitions of the initiative, which is set to see another major boost under the Spanish presidency, the project will receive a mere contribution of €145 million, as most EU international funding is already directed to Africa.
What else we’re reading this week:
China exerts control over internet cable projects in South China Sea (FT)
GPT-4 is bigger and better than ChatGPT—but OpenAI won’t say why (MIT Technology Review)
The TikTok wars – why the US and China are feuding over the app (The Guardian)
Julia Tar contributed to the reporting.
[Edited by Alice Taylor/Nathalie Weatherald]