Europe must up its game against fake news, European Commission officials said Wednesday. The EC published guidance on how to improve the 2018 code of practice. Recommendations address shortcomings identified in a 2020 review and lessons from COVID-19 disinformation monitoring. The EC wants the code reinforced by: (1) More participation by a wider range of relevant players, such as emerging platforms and the online advertising sector. (2) Demonetization of disinformation. (3) More comprehensive coverage of current and emerging forms of manipulative behavior. (4) Enabling users to better understand and flag disinformation. (5) More fact-checking and better access to data for researchers. (6) Better monitoring of results of the industry actions. The EC urged signers to develop a transparency center. Participants have until fall to come up with a revised draft code. It's needed to make online platforms and others address “the systemic risks of their services and algorithmic amplification,” stop policing themselves alone and prevent money being made on disinformation, while preserving free speech, said Values and Transparency Vice President Vera Jourova. Google and Facebook said they're assessing the guidance and are committed to making the code a success. It “became a true asset in the fight against COVID-19 disinformation and created strong cooperation between regulators and platforms,” Facebook said. “Regionally consistent co-regulatory standards are a crucial element in maintaining an open Internet, ensuring that platforms of all sizes can operate around agreed norms,” emailed Twitter Vice President-Public Policy Sinead McSweeney. “We need platform regulation by legislation and oversight,” not voluntary codes of practice, said European Parliament Member Patrick Breyer, of the Group of the Greens/European Free Alliance and Germany. 
He's preparing the report by the Civil Liberties, Justice and Home Affairs Committee on the EC-proposed Digital Services Act (see 2012150022).
Dugie Standeford
Dugie Standeford, European Correspondent, Communications Daily and Privacy Daily, is a former lawyer. She joined Warren Communications News in 2000 to report on internet policy and regulation. In 2003 she moved to the U.K. and since then has covered European telecommunications issues. She previously covered the U.S. Occupational Safety and Health Administration and intellectual property law matters. She has a degree in psychology from Duke University and a law degree from the University of Tulsa College of Law.
Cyberattacks such as SolarWinds and Colonial Pipeline shouldn't become a norm, said European Member of Parliament Eva Maydell, of the European People's Party Group and Bulgaria, Wednesday at a webcast on the European Commission's proposed network and information security directive update (NIS2). Maydell, who's writing the legislative response to the proposal for the Industry, Research and Energy Committee, said Europe needs a clear, robust defense and high cyber-resilience. Cybersecurity requires trans-Atlantic cooperation, she said. Asked what common ground could be explored, Cisco Head-EU Public Policy Chris Gow listed use of internationally recognized standards; investment funding for governments and industry; better cyber skills for employees; and to "go after the bad guys." If cybercrime losses were an economy, they would be No. 3, Gow said. Major incidents made people fully aware of what's at stake, said Jakub Boratynski, head of unit-cybersecurity and digital privacy policy, EC Directorate-General, communications networks, content and technology. EU cybersecurity strategy began slowly when the original NIS became effective in 2013 and it needs improvement, he said. There's a "mismatch" between the regulatory framework at the EU level and what happens on the ground, said European Network and Information Security Executive Director Juhan Lepassaar: NIS2 is an effort to catch up, and it must also capture the future. The proposal is "evolution, not revolution," Gow said: NIS2 could help create more harmonization, and a more consistent overall approach is needed.
An EU-backed cloud industry code could help ease data transfer woes caused by Privacy Shield's rejection by the European Court of Justice in Schrems II (see 2007160002), its developers said. The Cloud Code of Conduct, developed by the European Commission and the cloud computing community, is expecting final approval soon, and work is underway on a "Third Country Module" of the CoC that could be an alternative to PS, said K&L Gates data protection attorney Thomas Nietsch.
Any new EU-US data transfer scheme must avoid a "Schrems III" rejection by the European Court of Justice, European Commission Values and Transparency Vice President Vera Jourova told a Tuesday webinar on Privacy Shield. Given her discussions with Commerce Secretary Gina Raimondo, "I remain pretty much confident" a new data-sharing regime is possible because of new momentum between like-minded partners. Asked what the EU's strategy is, Jourova said it's to achieve a common understanding of pillars on which a new pact might be built. The essential vision is to remake PS for legal certainty, and to work through problematic issues, mostly on the U.S. side. A federal privacy law "would help," said Jourova. Surveillance issues must be addressed by resolving the conflict between national security and privacy principles, and imposing tougher safeguards against mass surveillance, she said. Europeans need more certainty they will get redress for abuse of their personal data. Asked when a new PS might emerge, Jourova said talks have resumed but will take time: Quality is more important than speed. Negotiations are taking place in a different context from when the ECJ annulled safe harbor, said Commerce Department Privacy Shield Director Alex Greenstein: The stakes are higher now because the world has become more digital. He said Schrems II addressed standard contractual clauses (SCCs) and other data transfer mechanisms, so the situation is about all transfers "writ large," resulting in a "significant impact on trans-Atlantic commerce." Asked whether it will be possible to find a new outcome without fundamental changes on the U.S. side, Greenstein said the U.S. issued a white paper about surveillance practices to help companies make the required risk assessment for SCCs, but that's an imperfect solution. U.S. 
domestic privacy legislation would probably not affect the negotiations because it probably wouldn't address ECJ requirements, which is why talks are focused on surveillance. No one believes a federal privacy bill can address mass surveillance because it's focused on the commercial side, said Bruno Gencarelli, deputy director-head of unit, international data flows and protection, EC Directorate-General for Justice and Consumers. Such a law would strengthen the basis on which any new PS would be grounded, he added.
Facebook's Oversight Board backed the Jan. 7 decision to restrict then-President Donald Trump's access to the social media website and Instagram account, but said Wednesday it wasn't "appropriate" to impose an indefinite and standardless suspension. Facebook responded that the suspension stands.
Apple rules imposed on music streaming app developers violate EU competition law, the European Commission said. Its tentative findings, in a statement of objections announced Friday, said Apple has a dominant position in the market for distribution of music streaming apps through its App Store. For app developers, it's the only gateway to consumers who use the smart mobile devices running on Apple's iOS operating system, the EC said. Apple devices and software form a "closed ecosystem" in which the company "controls every aspect of the user experience for iPhones and iPads." The App Store is part of that ecosystem, and it's the only app store iPhone and iPad users can turn to for downloading apps for their mobile devices. Consumers are loyal to the brand and don't switch easily, so to service iOS users, app developers must distribute their apps via Apple's store, subject to mandatory and non-negotiable rules. Two rules are under investigation: (1) Mandatory use of Apple's proprietary in-app purchase system (IAP) for distribution of paid digital content, on which Apple charges a 30% commission on all subscriptions bought, and (2) "Anti-steering provisions" that hamper app developers from telling users about alternative -- and generally cheaper -- purchasing possibilities outside of apps. These rules distort competition in the market for music streaming services by hiking the costs of competing music streaming app developers, raising consumer prices, the EC said. They make Apple the intermediary for all IAP transactions. Spotify had complained. "At the core of this case is Spotify's demand they should be able to advertise alternative deals on their iOS app, a practice that no store in the world allows," an Apple spokesperson said. Spotify doesn't pay Apple any commission on over 99% of its subscribers, and just 15% on those remaining subscribers acquired through the App Store. 
The EC argument on Spotify's behalf "is the opposite of fair competition," said the spokesperson. A recent Senate Judiciary Antitrust Subcommittee hearing on app store competition "heard troubling allegations about Apple and Google's behavior," said Chairwoman Amy Klobuchar, D-Minn.: The EC would "only reaffirm" that app store policies and conduct need careful scrutiny in the U.S. as well. The European Consumer Organisation welcomed the charges.
The European Commission's "first-ever" draft rules for AI unveiled Wednesday prompted a mix of praise and criticism. "Trust is a must" for AI, and the rules will spearhead "the development of new global norms to make sure AI can be trusted," said Margrethe Vestager, EC vice president for a Europe fit for the digital age. The rules take a risk-based approach. AI systems deemed a clear threat to users' safety, livelihoods and rights would be banned, including AI that manipulates human behavior to circumvent users' free will and systems allowing government "social scoring." High-risk uses include those involved in critical infrastructure; those that could put people's lives at risk; safety components; and law enforcement. High-risk systems would be subject to strict obligations, including adequate risk assessment and mitigation; logging activities to ensure results are traceable; and giving users clear, adequate information. "All remote biometric identification systems are considered high risk and subject to strict requirements." Limited-risk AI systems such as chatbots would have specific transparency conditions, like notifying users they're interacting with a machine. Low-risk uses such as AI-enabled videogames or spam filters, which comprise the majority of AI systems, won't face the regulation. The EC proposed that national market surveillance authorities supervise the rules and that a European Artificial Intelligence Board be established. The plan foresees voluntary codes of conduct for non-high-risk AI. It needs the European Parliament's and EU governments' OKs. Parliament's Special Committee on Artificial Intelligence in a Digital Age welcomed the proposal. Lawmakers now "need to act on two fronts," said Chair Dragos Tudorache of Renew Europe and Romania: Reduce unnecessary burdens on startups, small and midsize businesses, and industry so "AI can be unleashed to its full economic potential" and boost citizens' rights. 
The Computer & Communications Industry Association applauded the risk-based approach, saying the proposal should be "clarified and targeted to avoid unnecessary red tape for developers and users. ... Regulation alone will not make the EU a leader in AI.” It's a "bold step towards pioneering regulation in this field," said the Information Technology Industry Council, urging the EC to focus on flexible rules targeted to the highest-risk applications. BSA|The Software Alliance urged the EC to engage with international partners, since building trust in AI is a shared responsibility. Others were less enthusiastic. The draft fails to prohibit "the full extent of unacceptable uses of AI," particularly biometric mass surveillance, and allows too much industry self-regulation, said European Digital Rights. The Center for Data Innovation accused the EC of striking "a damaging blow to the Commission’s goal of turning the EU into a global AI leader by creating a thicket of new rules." The recommendations overly focus on too limited a range of AI uses, said the European Consumer Organisation: It omits many uses that affect people's everyday lives, such as smart thermostats, and doesn't ensure consumers have enforceable rights.
EU efforts to quash dissemination of terrorist content online moved forward Tuesday as the European Parliament Civil Liberties Committee recommended approval of a measure on "the misuse of hosting services for terrorist purposes." European Council government ministers have greenlighted the regulation, which is expected to be approved by the full parliament later this month. Hosting service providers play a key role in the digital economy but are sometimes abused by third parties for carrying out illegal activities online, a March 18 EC memo said. Of particular concern is their misuse by terrorist groups and their supporters to spread content to radicalize and recruit followers, it said. In light of their central role and the technology and capabilities associated with the services they provide, hosting services "have particular societal responsibilities" to protect their services from misuse while preserving fundamental rights. The regulation shouldn't affect the application of directive 2000/31/EC, which grants intermediaries exemption from liability from illegal content, nor would it hamper national authorities and courts from imposing liability if hosting services violate the conditions, the memo said. The measure would apply to information society service providers that store and disseminate to the public information and material provided by a user of the service on request, regardless of whether the storing is "of a mere technical, automatic and passive nature." Providers of "mere conduit" or "caching" services -- along with other services in other layers of the internet infrastructure that don't involve storage, such as domain name registries and registrars and providers of domain name systems -- would be outside the scope. 
Terrorist content is often spread through services set up in third countries, so this would apply to "all providers of relevant services in the Union" that let people or entities in one or more EU countries use those services and that have a substantial connection to the countries. The legislation calls for harmonized rules on procedures for taking down terrorist content. The Electronic Frontier Foundation, Center for Democracy & Technology, European Digital Rights and Internet Governance Project joined about 60 civil society groups in panning this. They argued it would incentivize online platforms to continue to use automated content moderation tools such as upload filters to the detriment of free speech, and that it lacks sufficient judicial oversight.
The U.S. and EU are aligning more closely on a range of digital issues, speakers said Monday at a webcast interview with European Commission Vice President Margrethe Vestager and Senate Intelligence Committee Chairman Mark Warner, D-Va. Asked what their priorities are for the U.S.-EU digital relationship, Vestager said some key issues, such as secure supply chains, the approach to AI and the stance on regulating the technology sector, are obvious. Warner called for collaboration on values-based tech development that includes standards and rules on transparency and other issues. His key concern is the failure to create joint cybersecurity norms and policies, an omission he warned could be devastating. Cybersecurity must be part of every EU and U.S. discussion, Vestager said. Tech won't be successful if it's unsafe and people don't trust it, she said. Barriers to online manipulation of democracies must be integrated into everything stakeholders do and into digital skills people need as the first line of defense. When China or Russia sends hackers against a private entity or government, it will succeed without shared concepts of security services in Europe and the U.S., Warner said. On AI, Vestager noted that upcoming EC rules aim to be balanced and that their ban on certain uses of the tech will affect a limited number of cases. Warner hoped the U.S. embraces AI without subjecting people to discrimination, but this technology hasn't penetrated the U.S. policy world much yet. On content moderation on platforms, Vestager said the Digital Services Act sets up a systemic redress mechanism that balances the need to take down illegal content while preserving freedom of expression and imposes accountability on companies to ensure operations don't create risks. Platforms aren't doing enough to address disinformation, Warner said: Content moderation in the U.S. will come about in bits and pieces because the country has been so slow in addressing it.
Proposed European Commission plans to update cybersecurity rules are overbroad and need clarification, ICANN said Friday. The revisions to the network and information security directive (NIS2), part of a package aimed at tightening rules for online platforms, will affect ICANN (see 2101290006). Responding to an EC consultation, ICANN said NIS2 could have "far-reaching impacts" on the domain name system: The directive captures all DNS service providers. It urged the EC to consider distinguishing between providers of authoritative domain name resolution services (the "publication" side of domain name resolution) and providers of recursive domain resolution services (the name resolving side). Entities that operate a resolver service, often now otherwise classified as essential or important, are within the scope of the draft because they host a domain name or operate a recursive resolver, ICANN said. Providers of authoritative domain name resolution services should qualify as essential only if they serve domains of such important entities, it said. NIS2 requires EU governments to ensure that top-level domain registries and registrars collect and maintain accurate and complete domain name registration data in a "dedicated database facility with due diligence" subject to EU data protection law. ICANN said no entity can guarantee the integrity and availability of domain name registration data. The European Internet Services Providers Association noted only two years have passed since the effective date of the directive, meaning EU countries have had little time for assessment. NIS2 will raise costs for affected providers and should be future-proofed, said EuroISPA. The Information Technology Industry Council urged the EC to ensure reporting requirements are harmonized across the EU. The Internet Systems Consortium, which runs an ICANN authoritative root server, recommended NIS2 not include root name servers, saying doing so could destabilize the unitary DNS system. 
Verisign encouraged the EC to turn to ICANN's multistakeholder community for details on how EU governments can implement NIS2 consistently.