EU Tech Policy Brief: December 2023

This is the December 2023 issue of the Centre for Democracy & Technology Europe‘s monthly Tech Policy Brief. It highlights some of the most pressing technology and internet policy issues under debate in Europe, the U.S., and internationally, and gives CDT’s perspective on them. Our aim is to help shape policies that advance our rights in a digital world. Please do not hesitate to contact our team in Brussels: Iverna McGowan, Asha Allen, and Rachele Ceraulo.

As European Elections Approach, EU Reaching Agreement on Numerous Tech Files

With EU institutions due to go into election mode next year, there has been a rush to complete numerous key tech files. As we detail below, key agreements have been struck on the political advertising Regulation, the child sexual abuse Regulation, and the EU’s AI Act:

• Towards a More Transparent Political Advertising Ecosystem in the European Union

On 8 November, EU lawmakers made a political agreement on the Regulation on the Transparency and Targeting of Political Advertising, which aims to create a more transparent and rights-respecting political advertising environment in the European Union. 

In line with long-standing civil society demands, negotiators rejected restrictions on freedom of expression by defining political advertising as only ‘paid or sponsored content’. They also bolstered privacy protections, prohibiting use of sensitive personal data to target political advertising. EU lawmakers similarly focused on establishing meaningful transparency mechanisms for users, including labelling of political advertising and an online repository of all political advertisements accessible to everyone.

Asha Allen, Advocacy Director for Europe, Online Expression & Civic Space, commented, “Serious questions remain as to how well enforcement of the Regulation will work, and more importantly, how well the mechanisms to preserve fundamental rights will be safeguarded. How the law works in practice and is enforced will be vital especially given the unique European context, in which the largest trans-national democratic election in the world occurs every five years.”

• Combatting Child Sexual Abuse Online: LIBE Committee Rejects Mass Surveillance

On 14 November, the European Parliament’s LIBE Committee voted — with a large majority — to adopt its position on the draft Regulation to prevent and combat child sexual abuse. The vote signalled a clear will to reject the notion that mass surveillance is either necessary or effective to protect children from abuse online. 

CDT Europe has long been critical of the European Commission’s original draft of the law, due to its failure to factor in safeguards for the most vulnerable children, its overreliance on unreliable technologies, its threat to break end-to-end encryption, and its undermining of the right to presumption of innocence. We, therefore, welcome the European Parliament’s introduction of measures that protect end-to-end encryption and ensure that EU citizens have a right to communicate securely free from interference — significant steps that bolster the legislation. While the Parliament made significant improvements to the text, some serious risks to human rights remain that will have to be clarified in the upcoming trilogue negotiations. 

• Political Deal Struck on the EU AI Act

The EU’s long-anticipated and much-heralded Artificial Intelligence Act was finally agreed, late on Friday 9th December. Following a record-breakingly long trilogue negotiation, a political deal was struck, although an actual text as well as many technical details are still outstanding — and for CDT Europe, the devil is likely to be in the details.

During the long haul of the trilogue negotiations, CDT Europe and many civil society organisations urged lawmakers to prioritise fundamental rights and freedoms when regulating artificial intelligence in the EU. We called on negotiators to ban law enforcement use of untargeted facial recognition, which poses a grave risk to fundamental rights like protest and freedom of expression. This was also the main call of a joint letter, signed by CDT Europe and over 70 civil society organisations and more than 30 experts, and published during the final hours of the 36-hour negotiations. 

A prohibition on remote biometric surveillance survived in the text, but with exceptions so broad that they threaten to swallow the rule. The text also continued to limit retrospective use of remote biometric surveillance to cases involving ‘serious crimes’, but here again, precision will really matter: leaked drafts suggested that the list of ‘serious crimes’ was long, and included categories that objectively could be challenged as to whether they should be considered serious enough to be used as a threshold. 

The text’s prohibition on emotional recognition AI was unfortunately only maintained for the areas of work and education. Fundamental Rights Impact Assessments were maintained in the text, but only in relation to high-risk systems, and the loophole on high-risk classifications that CDT Europe previously criticised remains in place. On foundation models, the ‘tiered approach’ — which opts for obligations on the highest risk and most powerful systems — was agreed upon, but the criteria for defining risk are not yet clear. For more analysis, on the AI Act, be sure to sign up for our AI Bulletin.

Digital Services Act: Auditing in the Dark

Recently, CDT looked in detail at the recently adopted delegated act governing independent audits of very large online platforms (VLOPs) and search engines (VLOSEs) under the EU Digital Services Act (DSA). These audits are one of the central due diligence obligations under the DSA, making adoption of this delegated act highly significant. This delegated act is particularly timely, given that the independent audit of VLOP and VLOSE compliance with the DSA is due to begin in the coming months, and the risk assessments for VLOPs and VLOSEs — which are inherently intertwined with the audits — have already been completed.  

The delegated act aims to lay down the ‘rules of engagement’ for auditors and platforms subject to these audits, which are now mandatory as part of the DSA’s due diligence regime. In our blog, we looked at the existing landscape of independent audits in practice, and outlined the challenges that will likely still remain despite the adoption of the delegated act. Civil society, for example, raised concerns about the potential for audit capture, where auditors are deterred from criticising their clients to ensure they are hired in the future. We also zoomed in on the hurdles to conducting and assessing algorithmic audits, given the novelty of the field, and provided recommendations on how the European Commission and European Centre for Algorithmic Transparency should address remaining gaps. 

International Lessons in the Implementation of the DSA

Last month, CDT Europe’s Asha Allen facilitated an event for the world’s largest dedicated peacebuilding organisation, Search for Common Ground. The event brought together policymakers and civil society for an open discussion about how lessons from around the world can inform the implementation of the EU’s Digital Services Act.

The event came at a key moment, given that the DSA recently came into force, allowing for exchanges on how civil society can be best involved in the effective enforcement of the DSA (as CDT has frequently called for it to be). A major focus of the event was how the DSA will be used during times of conflict — particularly pertinent given the most recent conflict in the Middle East, and the ensuing spread of illegal content and disinformation online. This was the subject of a series of letters from EU Commissioner Thierry Breton to various social media platforms regarding the spread of illegal content on their respective platforms. The letters prompted a strong reaction from civil society, including CDT Europe; we signed a public letter to Commissioner Breton urging him to respect procedural safeguards and rule of law when enforcing the DSA. 

At the beginning of the DSA’s implementation and enforcement journey, this event provided a crucial moment for reflection and taking stock. Read more on this in Search for Common Ground’s report: “Boosting the EU’s Digital Services Act: Conflict Sensitivity Requirement for Very Large Online Platforms”.

CDT Europe Joins UNDP Conference on Peaceful and Inclusive Elections in the Digital Age

With multiple major elections set to take place globally next year, there could not be a more apt time to discuss the role of information integrity and digital technology in ensuring peaceful and inclusive elections – the topic of UNDP’s Global Conference, “Peaceful and Inclusive Elections in the Digital Age”, which took place in Brussels on 8-10 November. 

CDT Europe’s Asha Allen was a speaker at the conference, where she explored key themes around how the internet and other technologies help or hinder inclusivity. Allen highlighted that the digital age has brought some advantages to democratic participation, including increased access to information and freer exchange of ideas — both essential components of an inclusive democratic process. She also spoke to the power that the internet brings for raising awareness on social justice issues and building global movements for political change.

Allen cautioned, however, that equitable and safe participation in the digital civic space is not guaranteed and often expressly undermined, with a direct impact on our ability as a society to achieve truly representative democracies. This is especially true for many historically oppressed and marginalised groups, such as women, in particular women of colour, and gender non-conforming persons — as explored in CDT’s recent reports.

Online Gender-Based Violence — #NoExcuse

58 percent of women and young girls globally have experienced online harassment on social media platforms — a statistic that points to the abhorrent situation women and girls face as they go about their day-to-day lives online. CDT Europe was therefore very active during the global “16 days of activism” against gender-based violence, coordinated by UN Women, which kicked off on the International Day for the Elimination of Violence Against Women.

Asha Allen of CDT Europe joined a panel at an event hosted by The Left in the European Parliament — “Violence Against Women: Exploring Legal Avenues at EU Level”. Allen highlighted that a thriving online civic space is a place in which all women and girls can safely and equitably enjoy their digital rights. She argued that much more must be done to enable this, advocating for a proportionate and harmonised co-regulatory approach and warning that, whilst online harms must be addressed, not all forms of online gender-based violence should be criminalised. Indeed, hasty criminalization may actually unintentionally harm and undermine the rights of the very groups we wish to protect.

CDT Europe also joined an open letter sent to the European Commission (as reported in EurActiv) that called for major porn platforms to be designated “very large online platforms” (VLOPs), which would require them to follow a stricter due diligence and transparency regime under the Digital Services Act (DSA). These sites have tremendous impact in respect to many types of gender-based violence, for example “image-based sexual abuse such as the non-consensual sharing of intimate material”.   

 EU Digital Diplomacy and Human Rights

The 10th December saw celebrations and events to mark the 75th anniversary of the Universal Declaration of Human Rights, which also coincided with International Human Rights Day. This significant milestone provided a moment to pause and reflect on the strengths and weaknesses of the international human rights system. 

On this occasion, the EU Council Working Party on Human Rights (COHOM) invited CDT Europe to address delegates from the 27 EU capitals on next steps for the EU’s work on digital diplomacy and protecting human rights and democracy through foreign policy. 

Iverna McGowan, Director of CDT Europe, took the opportunity to highlight that whilst the EU has made significant progress, including through its strategy on digital diplomacy, there’s more to be done to ensure that the EU’s digital foreign policy does not unwittingly undermine its existing human rights foreign policy. McGowan laid out how the EU has come to play a global role in tech regulation by passing landmark laws such as the Digital Services Act, the Digital Markets Act, the Online Political Ads Regulation, and the AI Act. But, she asked the delegates, what does this mean for the EU’s human rights foreign policy in relation to digital affairs? CDT Europe’s presentation seeks to respond to this question, laying out key elements of a roadmap for human rights in digital diplomacy.