With the European elections in spring 2024 fast approaching, in the next 12 months, EU policymakers will focus on closing the most important legislative files.

Artificial Intelligence Act

The EU's Artificial Intelligence Act is the first attempt to establish a regulatory framework for artificial intelligence. As Brussels doesn't want to lose its first-mover advantage and set up the international standard in the field, there will be a rush to close the negotiations before the end of the year.

The EU Council, the body that gathers the national governments, reached its position in December. The ball is now in the European Parliament's court, where lawmakers will likely finalize their mandate in March or April.

While still a moving target, it is not difficult to anticipate some of the most controversial points the co-legislators will face. Starting with the definition of AI, member states are pushing for a narrower scope of the regulation while the Parliament is more conflicted.

How to deal with facial recognition technologies and predictive policing are other critical points, with lawmakers keener on a total ban while governments want to give leeway to law enforcement agencies. However, on these questions, Germany might become a fruitful ally for the MEPs.

Another contentious point is how to deal with general-purpose AI like ChatGPT, large language models that can be adopted for different purposes. On this, the Parliament might follow the Council's lead, which asked the European Commission to put forth more tailored obligations.

Data Act

The Data Act is the other big file on the EU policymakers' table that is likely to be closed before the end of the year.

The new data law is divided into three main strands. It regulates how businesses and consumers can access data generated by connected devices, empowers public bodies to obtain privately held data under certain conditions (business to government), it mandates conditions to facilitate the switching of cloud service providers.

The Czech presidency, which led the work in the EU Council for the last six months, did not manage to broker a final position but advanced the file significantly. They passed the baton to the Swedish presidency aiming to reach a general approach by March.

The Swedes are asking the member states' views on core issues such as to what extent small and mid-sized companies should be exempted from the regulation, how to deal with trade secrets and the business-to-government data sharing provisions.

In the EU Parliament, the situation is more complex, with four different parliamentary committees having exclusive competencies on different parts of the file. The main one is the Industry, Research and Energy Committee, which leads on the business-to-business and business-to-customer data sharing and is scheduled to adopt its position in February. However, delays are not to be excluded yet.

The Committee on Civil Liberties, Justice and Home Affairs has exclusive competencies in the relationship with the EU General Data Protection Regulation, and it has prompted business concerns, especially from the advertising sector, as the leading MEP has been pushing to restrict some of the legal basis for data processing, such as legitimate interest.

Internal Market, Industry, Entrepreneurship and SMEs committee, the opinion rapporteur has tried to remove the principle of functional equivalence, namely the idea that when changing cloud service, the website or application should retain roughly the same functionality. Although functional equivalence remained in the text, this part is so convoluted it is still likely to change considerably.

DPA's harmonization of procedural law

In a late addition to the European Commission's work program for 2023, the justice department, home of the GDPR, included a proposal to harmonize some national procedural aspects of national data protection authorities, in particular concerning cross-border cases.

The initiative follows a letter sent by European Data Protection Board Chair Andrea Jelinek to Justice Commissioner Didier Reynders in April 2022, calling precisely to remove these obstacles to effective cross-border cooperation.

The EDPB's wish list touched upon several important aspects of national procedures, such as the legal standing of the plaintiff, differences across the bloc, and a streamlining of procedural deadlines and case handling aspects such as admissibility.

A better codification of investigative powers and cooperation procedures was also requested. To what extent the commission will oblige with this wish list remains to be seen.

Digital Markets Act and Digital Services Act

The Digital Markets Act and Digital Services Act were among the most significant achievements of this commission's mandate. The focus is now on implementing these platform regulations, with the new rules for the most prominent platforms starting to bite by this summer.

The expectations are very high as the EU executive takes on the role of regulator of the European single market for the first time. Internal practical arrangements are well underway, although several observers have warned against lacking capacity and technical competencies.

One option would be to hire from the massive layoffs Big Tech companies have recently undertaken, although that would not be without its conflict of interest. What seems clear is the commission will look for easy wins ahead of the elections, with Twitter and TikTok looking as attractive targets.

The elephant in the room will be the potential fragmentation of the single market. Small member states have minimal resources to implement the DSA. Meanwhile, the German competition authority is taking a steadily more active role, for instance, partially anticipating some of the DMA's data provisions in a draft decision addressed to Google.

Cyber Resilience Act

In September 2022, the commission proposed the Cyber Resilience Act, legislation designed to introduce minimal security requirements for connected products, setting the regulatory framework for the booming Internet of Things market.

The EU executive points to the fact many manufacturers launch products on the markets even when they are aware of potential cybersecurity vulnerabilities. In 2017, Germany was shocked to learn that a commercially available doll could be easily hacked to speak to children.

However, one of the main issues is to what extent the software components should be covered in the cybersecurity law. In this regard, the EU Council is still in the early stage of the discussion. In turn, the European Parliament is still internally divided on which committee should lead on the file.

For the proposal to complete its legislative journey by the end of the mandate, both institutions would have to reach their position by the summer and work constructively on a compromise in the second half of the year. A timeline many would not hesitate to define as "ambitious."

Product liability

In September 2022, the Commission presented two proposals, the Product Liability Directive and AI Liability Directive, extending the EU's liability regime to software and digital products. The reasons for having two separate legislations on this topic are more due to the internal politics of the commission than to a regulatory need.

Even more so since the two EU laws do not follow the same liability regimes. The Product Liability Directive, which also covers software and therefore AI, follows a strict liability regime that allows victims of material damages to ask the manufacturer for compensation.

By contrast, the AI Liability Directive will not provide the basis for new lawsuits, as it merely harmonizes legal proceedings initiated under national law.

The legislation reverses the burden of proof on the provider to prove its system did not cause the damage, but only after the complaint has proven that the system is not complying with the AI Act — for instance, because the training data set was not robust enough. Putting this requirement on such a complex technology has been heavily criticized by consumer organizations as unrealistic.

EU countries are still finalizing their positions on the two files. Still, sticking points in the discussions have already emerged: the provisions on evidence gathering, which has implications for national law, and how the two legislations will interact.

In the Parliament, the files are again stuck in a fight between the Internal Market and Consumer Protection Committee and the Legal Affairs Committee. In practice, an agreement has already been reached on the AI Liability Directive, but the proposal is unlikely to progress until lawmakers confirm their positions on the AI Act.

Child Sexual Abuse Material

The legislation to fight child sexual abuse material is perhaps Brussels's most controversial technology proposal at the moment.

In October 2022, the IAPP provided an in-depth review of how the regulation's detection orders might be problematic for end-to-end encryption and how Germany has questioned the proposal.

Until now, the CSAM proposal has stalled. In the EU Council, the changes have been minor, for instance, introducing the principle that judicial authorities might mandate the de-indexing of websites containing child pornography from search engines results — a practice already applied by Google and the like.

More controversial among member states is the idea of creating an EU agency to centralize the review of detention orders. The Swedish presidency will try to push the file forward since the responsible European Commissioner for Home Affairs, Ylva Johansson, is a Swedish national.

On the parliamentary front, things have moved even more slowly, with the lead of the Civil Liberties, Justice and Home Affairs Committee being challenged. While the competency dispute should be solved in the coming weeks, divisions among political groups remain.

The center-right is traditionally pro-law enforcement, while progressive MEPs have been requesting for safeguarding fundamental rights and end-to-end encryption. Political divisions run so deep in both institutions it would not be surprising if the file suffered the same destiny as the ePrivacy Regulation.

ePrivacy Regulation

Under the previous Czech presidency, there were intensive informal exchanges with the Parliament to try to get the ePrivacy Regulation out of the deadlock. The presidency and the rapporteur came up with a joint paper on the parts related to electronic communications data, metadata and content.

However, the discussions hit a wall when they started to scratch the surface of the data retention provisions that would regulate the access for this data by law enforcement and under which conditions, a long-standing grievance from EU governments.

Member states want such law enforcement access to be a rule, whereas EU lawmakers do not want to go further than considering it as an exception. This deadlock is unlikely to be solved any time soon, and if no significant progress is made by the end of the mandate, the commission will have to consider withdrawing the proposal and proposing something new.