EU Tech Policy Brief: June 2024

Welcome back to the Centre for Democracy & Technology Europe‘s Tech Policy Brief. This edition covers the most pressing technology and internet policy issues under debate in Europe, the U.S., and internationally, and gives CDT’s perspective on the impact to digital rights. To sign up for CDT Europe’s AI newsletter, please visit our website. Do not hesitate to contact our team in Brussels: Asha Allen, Silvia Lorenzo Perez, Laura Lazaro Cabrera, Aimée Duprat-Macabies, David Klotsonis, and Jonathan Schmidt.

👁️ Security, Surveillance & Human Rights

On 15 May, CDT Europe hosted a high-level panel reflecting on the Pegasus scandal, its revelations about the dangers of government surveillance, and ways to combat spyware in the EU going forward. While the European Parliament adopted the PEGA Committee’s report and recommendations in 2023, significant EU-level action against civilian-targeted spyware is still lacking. In October 2023, the Council of Europe’s Parliamentary Assembly urged the EU to collaborate on setting standards and monitoring data protection and surveillance practices.

Internationally, initiatives like the Pall Mall Process supported by most EU member states, and the U.S. administration’s efforts to combat commercial spyware misuse, have gained momentum. These initiatives underscore global recognition of the need for regulatory measures to protect human rights and the rule of law.

CDT Europe’s event featured a stellar lineup of speakers, including:

• Sophie in ‘t Veld, Member of the European Parliament, Renew Europe, and Rapporteur of the PEGA report; 
• David Kaye, UC Irvine School of Law, Independent Board Chair, Global Network Initiative, former UN Special Rapporteur on Freedom of Opinion and Expression; 
• Anna Buchta, Head of Unit “Policy & Consultation”, European Data Protection Supervisor; and
• Iverna McGowan, Tech and Human Rights Advisor, Office of the United Nations High Commissioner for Human Rights. 

The discussion — moderated by CDT Europe Deputy Director Asha Allen — highlighted the EU’s insufficient action on spyware, the complete incompatibility of such technology with human rights, and the necessity of a democratic debate on its civilian use. Panellists questioned whether spyware use can ever be justified even in the context of national security, and deemed a multistakeholder approach involving civil society crucial for future efforts.

Following the panel, a civil society roundtable moderated by Programme Director on Security and Surveillance Silvia Lorenzo Perez allowed European partners to discuss regulatory pathways and strategies to keep the need for solutions prominent on the EU’s agenda. This event underscored the critical nature of collaborative efforts to address the spyware issue effectively.

Recommended read: Our Programme Director on Security and Surveillance, Silvia Lorenzo Perez, penned an op-ed for Euractiv on 22 May titled, “Governments spying on citizens: Who is to blame, what can the EU do?”. 

 💬 Online Expression & Civic Space

At the beginning of May, the Council of the EU adopted the Directive on violence against women and domestic violence, marking the final step before the law enters into force for all EU member states by 2027. As laid out in our analysis of the Directive, the law — alongside the EU Digital Services Act — creates a new precedent in addressing online gender-based violence (GBV).

During the annual Computers, Privacy & Data Protection (CPDP) conference, Programme Director for Online Expression & Civic Space Asha Allen spoke on a panel organised by Glitch UK entitled “The Deepfake Dilemma”, which focused on deepfakes, online GBV, and the disproportionate impact this technology has on black women and other minoritised groups. The groundbreaking panel was a first of its kind at CPDP, with a panel of speakers entirely made up of black women technologists and policy experts. 

Speakers explored how the history of black feminist analysis can shine light on the increasing prevalence of online GBV in the last decade, and critiqued newly adopted EU regulatory frameworks aimed at addressing the issue of non-consensual intimate images. Asha shared the importance of integrating intersectional feminist methodologies into AI and tech policy governance to better ensure effective redress and remedies for all communities.

On 29 May, Asha spoke at a joint event of the Brussels Binder and the UK Mission to the European Union, “A safer digital public sphere: addressing gender-based cyber violence”. Panellists explored the social implications of online GBV, and delved into whether the final Directive will substantively change the digital ecosystem and provide better protections against this pervasive fundamental rights violation. Asha noted that the Directive, alongside other legislative measures like the Digital Services Act, marks progress but requires further refinement in the implementation phase to fully protect against online GBV and avoid creating unintended harms.

Recommended read: Our Policy and Research Officer David Klotsonis shared key insights and themes that emerged during our Fifth DSA Civil Society Roundtable Series event.

⚖️ Equity and Data

The AI Act got its final green light on 21 May, and continues to make headlines, as the European Commission recently announced the setup of the AI Office tasked with overseeing the Act. 

In our latest EU AI Act explainer, Programme Director for Equity and Data Laura Lazaro Cabrera delved into how the AI Act affects freedom of expression and opinion, highlighting its interplay with the Digital Services Act. While the AI Act clearly attempts to curtail threats to freedom of opinion by banning AI-fuelled manipulation of individuals, it also sets a high bar for applying those bans, requiring demonstration of intent or effect on behaviour.  

The Act also imposes special disclosure obligations on actors using AI to create synthetic content, including deepfakes, but these obligations are less robust and specific than disclosure requirements existing in other pieces of legislation like the Political Ads Regulation. Notably, the AI Act does not prohibit law enforcement use of synthetic content or deepfakes — rather, it creates exceptions from disclosure requirements, when use of synthetic content is authorised by law to detect, prevent, or prosecute criminal offences. In so doing, the AI Act creates a new vector for lawful AI-reliant law enforcement tactics. 

The AI Act was also high on the agenda of many events and workshops at CPDP. At a panel organised by Data Privacy Brazil, which focused on the differences between the EU AI Act and Brazil’s latest AI bill, CDT Europe’s Laura Lazaro Cabrera described the Act’s attempt to reconcile a risk-based and rights-based approach. 

She underscored the need for effective remedies as a key component of a human rights approach, noting that, while the AI Act includes some practical avenues — such as the limited right to explanation, and access to complaint mechanisms for individuals impacted by AI systems — these fall short of GDPR standards in terms of coverage, follow-up, and compensation. By contrast, the Brazilian AI bill places a stronger emphasis on rights. Laura argued that in order to protect human rights, AI regulation must address effective remedies within the text of the regulation through actionable measures.

In another panel organised by the International Centre for Future Generations, Laura provided an overview of the regulatory landscape around AI and neurotechnology, emphasising that a robust understanding of the constellation of applicable laws is necessary before rushing to create new subject matter-specific regulations. She highlighted the risks of having parallel frameworks for neurotechnology health applications and direct-to-consumer neurotechnology applications, noting that both should be subject to strict safeguards as they ultimately entail the same data processing operations and therefore similar levels of privacy risks.

Recommended read: Laura Lazaro Cabrera, Director of CDT Europe’s Equity and Data Programme,  and Nathalie Maréchal, Co-Director of CDT’s Privacy and Data Project, analysed the European Data Protection Board’s opinion on “Pay or Okay” Models.

🗞️ Press Corner 

• Euronews, Brussels, My Love: On violence against politicians
• The Record, EU failure to rein in spyware reflects lack of political will, parliamentarian says
• MLex (paywalled), Comment: Messaging services in limbo as privacy concerns delay EU rules on detecting child abuse material 
• Euractiv, Governments spying on citizens: Who is to blame, what can the EU do?

⏫ Upcoming Events 

• FOSI 2024 European Forum: Join Laura Lazaro Cabrera, Director of our Equity and Data Programme, in Paris on 5 June at the FOSI 2024 European Forum. There, she will discuss Europe’s approach to online safety, the balance it strikes between human rights and industry priorities, and upcoming challenges for implementation of regulations. Register on FOSI’s website!