With the fall fast approaching, trans-Atlantic ties face a formative moment in terms of the direction of tech policy in the EU’s capital. Here, we take a look at some of the main developments to expect over the coming months from Brussels, for the data protection community.

Trans-Atlantic data flows

Earlier this year, there had been talk of negotiations between the European Commission and the U.S. Department of Commerce "intensifying" on a new trans-Atlantic data accord, to replace the annulled Privacy Shield agreement. An agreement had been expected by the end of September but is now likely to have been set back even further.

Then, rumors in Brussels emerged that talks on a new agreement may find their way into the newly established EU-U.S. Trade and Technology Council, a group established to forge closer policy ties between Washington and Brussels. The first get-together is due to take place this week, after fears that the first meeting would be canceled following a diplomatic spat between France and Washington over the Info-pacific AUKUS security pact.

And don’t hold your breath for the Privacy Shield talks to feature in the TTC  — a leaked draft joint statement did not even reference trans-Atlantic personal data transfers, despite the commitment to set up a joint working group on "data governance."

UK data flows

On the subject of data flows, following the rubber stamping of the UK’s data adequacy by EU officials, the country has made no secret of its ambitions to diverge from EU data protection rules. On Aug. 26, the government’s Department of Culture, Media and Sport published its post-Brexit global data plans, which broadly outlined the approach, and in early September gave more details as part of the launch of a consultation by the DCMS, pitching several divergences including for the use of cookies, covered under the scope of the EU’s ePrivacy Directive.

It is important to note the EU’s adequacy decision for the UK includes, for the first time, a so-called "sunset clause," meaning the decisions expire after four years and should the UK be deemed to no longer be adequate to EU data protection standards, the Commission could seek to not renew the agreement.

Data Governance Act

The EU’s Data Governance Act is the first in a package of measures comprising the European Commission’s Data Strategy, aiming to set new rules for the sharing and reuse of personal and non-personal data. Specifically, this includes establishing conditions under which the public sector is able to reuse data, formatting new rules for so called data brokers that will facilitate sharing of personal and non-personal data between data holders and data users, as well as establishing a new expert group, namely the "European Data Innovation Board," which will be responsible for reviewing best practices.

Parliament’s Industry Committee adopted its report in July, and the green light for inter-institutional negotiations was also given. For EU member states, deputy ambassadors are set to back their text on Oct. 1, with negotiations with the Parliament soon following.

Data Act

Meanwhile, the Commission is also preparing to unveil its Data Act, another strand on the data strategy, on Dec. 1. The new bill will lay down the rules of business-to-government data sharing for the public interest, as well as support business-to-business data sharing and review the intellectual property rights framework for data management. Ahead of the December unveiling, the Commission conducted a public consultation, as well as an inception impact assessment.  

Artificial intelligence

The EU’s landmark Artificial Intelligence Act, which establishes a series of prohibitions for the use of certain technologies, as well as minimum standard for less risky applications, has been hotly debated in Brussels. The rules essentially put forward a risk taxonomy that subjects different types of technology to different levels of legal obligation, covering an ‘Unacceptable risk,’ ‘High risk,’ ‘Limited risk’ and ‘Minimal risk.’ There has been considerable debate among Parliament committees as to which should lead the file, but the Internal Market committee has been made the provisional main committee, with the file being overseen by Italian Socialist Brando Benifei.

In terms of data use, a number of key issues will take center stage when Parliament progresses on the text later this year. Civil society representatives in Brussels have been keen to make the case for stronger provisions against biometric AI applications that can be used for mass surveillance. While the Commission proposal does pitch a ban on the use of real-time facial recognition systems in publicly accessible spaces for the purpose of law enforcement — unless in cases of national security — there are no shortage of MEPs who would like to see a broader prohibition on various use of facial recognition tech in public.

Member states, for their part, are said to be seeking for clarification on the use of certain AI applications by law enforcement authorities, which could eventually take the form of a separate regulation altogether.

ePrivacy Regulation

Under the Slovenian Presidency of the EU, the ill-fated e-Privacy Regulation, originally proposed by the European Commission in 2017 to regulate the privacy of online communications, has fallen down the priority list. However, inter-institutional negotiations are continuing Sept. 29.

Commission officials are said to be getting frustrated with divisions between the Parliament and the Council on the file, but with a number of outstanding thorny issues, including access to communications data by public authorities, data retention, and cookie walls, it is unlikely that an agreement will come anytime soon.

CSAM

Continuing with the subject of the privacy of electronic communications, earlier this year, the EU adopted a temporary derogation from rules laid out in the ePrivacy Directive, allowing for service providers to scan online communications for instances of child sexual abuse material. However, bearing in mind talks on ePrivacy have stalled, the Commission is now seeking a separate and long-term solution, and will duly present legislation to effectively tackle child sexual abuse online on Dec. 1, as part of a new Security and Justice package.

Digital Services Act 

Some in Brussels are suspicious the new TTC will be exploited as a forum for the U.S. Big Tech lobby to rally against certain aspects of the EU’s two big legislative files in the digital policy space: The Digital Markets Act and the Digital Services Act. In these areas, there is much to follow in the next few months.

The DSA outlines new rules across advertising transparency, illegal content removal and data access for so-called ‘vetted researchers’ who will monitor compliance. Penalties for violations of the rules include fines of up to 6% of a company’s annual income.

As the file makes its way through the inter-institutional process in Brussels, however, more robust revisions are being pitched by lawmakers and national representative alike. In the data space, members of one Parliamentary group, the Industry committee, have proposed to deactivate personalized recommendation algorithms by default, across so-called ‘very large online platforms’. In this field, the Commission’s original proposal had only pitched transparency requirements for the placement of certain online advertising.  

In the EU Council, there has emerged calls for the EU to deal with the various challenges related to political advertising more effectively. For their part, Germany wants to see the option available for users to access certain online platforms without targeted ads, and for targeted ads to be banned outright for minors. Parliament should adopt a position on the DSA before the end of the year, as should EU member states in the European Council. This would lead negotiations between the Parliament and the Council into 2022, where France will shepherd talks on the file.  

Political advertising

In terms of issues surrounding targeted advertising, the European Commission is currently readying new rules for ‘greater transparency in paid political advertising,’ which is due to be presented by the EU executive during plenary week in Strasbourg between November 22 and 25. The Financial Times has seen a draft copy of the new measures, which may hone in on various micro-targeting techniques for political actors.

Digital Markets Act

Under the Digital Markets Act, so-called ‘gatekeeper platforms’ which are likely to include some of the largest players in the market such as Google and Facebook, may face billions in fines unless they abide by a set of ex-ante prohibitions. In the data space, the Commission’s proposal pitches a ban on gatekeepers from combining personal data from a number of sources without soliciting user consent, and certain platforms will also be barred from ring-fencing business user data that isn’t publicly available, in a move that may likely impact e-Commerce giant Amazon more than others.

As it stands, one of the key battlegrounds in the negotiations is the scope of companies that will actually fall under the rules, with many industry players currently lobbying lawmakers to ensure that their organization does not end up subject to the new prohibitions. Amendments are currently being discussed in the Internal Market committee, the lead Parliamentary group for the file, while other committees are in the process of adopting opinions. 

Google under the anti-trust radar

It’s not only Brussels that will come under the magnifying glass of tech aficionados in the EU and further afield this fall, but also Luxembourg, which hosts the Court of Justice of the European Union.

Google faces a number of tough sessions, starting with an appeal this week regarding the Commission’s 4.3 billion euros antitrust fine levelled for alleged competition abuses regarding its Android software.  This comes before another appeal before the ECJ later in November, concerning the Commission’s 2.42 billion euros penalty against Google for “giving illegal advantage to its own shopping comparison service.”

With regards to Google’s use of data and antitrust violations, most recently the European Commission took aim at the company’s alleged restricting of access for third parties across its display advertising business. The EU executive opened an investigation in June, which is not likely to be concluded any time soon. Fines for breaches of EU competition rules are hefty, at up to 10% of a firm’s global annual turnover.

Cybersecurity

For online security, European Commission President Ursula von der Leyen announced mid-September a new Cyber Resilience Act, which will regulate minimum standards for cybersecurity for connected devices.

Following the announcement, the EU’s Internal Market Chief Thierry Breton penned a blog post that highlighted how Europe raced an intensified risk landscape with the “explosion of connected objects and the increased use of industrial data,” while also referring to several high-scale attacks that have hit the continent’s health systems since the start of the pandemic. The news comes after the EU executive published a revision of the Networks and Information Security Directive, which will aim to bolster cyber rules for ‘critical services.’ Under the reform, the scope of so-called critical services has expanded. Positions in the Parliament and the Council should be confirmed before the end of the year.

Photo by Yannis Papanastasopoulos on Unsplash