EU Tech Policy Brief: September 2023

Also authored by CDT Europe’s Vânia Reis and Rachele Ceraulo

This is the September 2023 issue of the Centre for Democracy & Technology Europe‘s monthly Tech Policy Brief. It highlights some of the most pressing technology and internet policy issues under debate in Europe, the U.S., and internationally, and gives CDT’s perspective on them. Our aim is to help shape policies that advance our rights in a digital world. Please do not hesitate to contact our team in Brussels: Iverna McGowan, Asha Allen, and Ophélie Stockhem.

EU Leaders Should Prohibit Biometric Mass Surveillance in EU AI Act 

Negotiations between the European institutions on the Artificial Intelligence (AI) Act are in full swing, but eagerness to move swiftly might be hampered by some contentious issues, including whether the legislation will prohibit remote biometric surveillance. In light of the ongoing institutional negotiations, CDT Europe’s new blog post outlines which uses of biometric technologies ought to be outlawed or carefully regulated in the upcoming EU AI Rulebook.

The EU is leading the world on regulation of AI, and it must not miss this opportunity to set high standards for human rights and an ethical approach to AI regulation. We call on the EU institutions to prohibit mass surveillance through indiscriminate and arbitrary uses of biometric technologies, given the unacceptable risks to human rights. We also advocate for non-mass surveillance uses of biometric data to be heavily regulated, and permitted only on a case-by-case basis under a robust regulatory regime that ensures transparency, proportionality, oversight, and redress.

How Can the DSA Promote Responsible, Rights-Respecting Business Conduct? 

On 25 August, the Digital Services Act (DSA) came into force for providers of “very large online platforms” and “very large search engines” such as Facebook and Google Search. This means that these companies must now fully comply with the law, including the additional obligations set for the largest online platforms. These platforms’ obligations include performing annual risk assessments on the potential harms and societal impacts of their products and services, mitigating those risks, and being subject to independent audits — thereby ensuring greater transparency and accountability.

To mark this important milestone, CDT Europe and the United Nations’ Human Rights B-Tech Project published a new blog post analysing how the DSA’s provisions on risk assessments, transparency, and stakeholder engagement compare with the UN’s Guiding Principles on Business and Human Rights (UNGPs), the gold standard for rights-respecting corporate responsibility.

As we lay out in the blog post, the European Commission should align the DSA with the UNGPs by more clearly describing what constitutes a “systemic risk”, and create guidance as to how companies are expected to comply with their human rights risk assessment obligations. There must be robust and comprehensive stakeholder engagement, as a way to support the monitoring of implementation and enforcement, and hold platforms accountable to their due diligence and transparency obligations. Finally, companies should be transparent and accurate in making information public, so that progress on content moderation can be tracked over time.

Exporters of Dual-Use Items Must Clarify Their Intended Use 

The global transfer and sale of digital surveillance technologies brings significant human rights risks, for example when those technologies are used to monitor and suppress journalists and members of civil society. Legal mechanisms — including the new EU Dual Use Regulation — for controlling dual-use exports (goods and technology that can be used for both civil and military applications) are one avenue for preventing some of the problematic consequences of those sales. CDT Europe emphasised in comments, though, that the guidelines for implementing the Regulation as currently proposed would create a series of unintended loopholes. 

Therefore, the guidelines should be revisited to include technologies – such as facial and emotion recognition technologies – used for both covert and overt cyber-surveillance. They must place a clearer obligation on exporters to take into account the human rights situation in a given country, and whether there is a risk that these items will be used for cyber-surveillance. 

Exporters should also take full stock of recent developments — for example, if a State has recently been found to engage in mass surveillance of human rights defenders and journalists, it follows that any cyber-surveillance import would be at high risk of further violations. The guidelines should also recommend assessment of dual-use exporters’ corporate policies and practices, in relation to the UNGPs and OECD guidelines for multinational enterprises. 

CDT Europe additionally stressed the need for further actions to halt the export of cyber-surveillance equipment for the purpose of unlawful surveillance and human rights violations.

🗞️ Press Corner 

Concerns Over AI-Based Political Repression in Gulf States 

• Radio Télévision Suisse (RTS), Tout un monde (podcast in French), “Purchase of microprocessors by the thousands: authoritarian regimes are also interested in AI”: CDT Europe Director Iverna McGowan joined the podcast, and commented, “We are dealing with a country where human rights are very weak, where we know that there has been a long history of serious human rights violation, including the suppression of civil society, like investigative journalists, bloggers, and defenders of human rights. Therefore, we should be worried about the way that artificial intelligence can be instrumentalized and militarised by such regimes on an even larger scale than is already happening.” 
• Financial Times, “Saudi Arabia and UAE race to buy Nvidia chips to power AI ambitions”: “Human rights defenders and journalists are frequent targets of government crackdowns [in the UAE and Saudi Arabia]. Pair this with the fact that we know how AI can have discriminatory impacts, or be used to turbocharge unlawful surveillance. It’s a frightening thought,” Iverna McGowan told the Financial Times.

What’s Next for the DSA Regulation? 

• Euronews, “Online platforms targeted as the EU’s biggest ever shake-up of digital rules kicks in”: Asha Allen, CDT’s Advocacy Director for Europe, Online Expression & Civic Space, told Euronews the DSA gives users more control: “Users will now have more transparency on how content moderation decisions are made. They will have more choice regarding the content that they engage in…. There will be more mechanisms for complaints and mechanisms for redress for individual users.”
• Ars Technica, “Big Tech isn’t ready for landmark EU rules that take effect tomorrow”: Asha Allen warns in the article, “Quite simply, without the meaningful engagement of advocates in the implementation and enforcement of the entire DSA, the potentially groundbreaking provisions we have collectively worked so diligently to obtain in the text won’t come to fruition.” The article goes on to quote Iverna McGowan, who elaborates: “To avoid the DSA becoming a paper tiger, it will be crucial that national level enforcement bodies are independent and well-resourced, that civil society be given a formal role in enforcement oversight, and that there be careful attention maintaining a public interest focus on questions such the foreseen auditing of algorithms.”
• Deutsche Welle, “What impact will the EU’s Digital Services Act have?“: “Enforcement should be rigorous,”  Iverna McGowan, told DW. “But to be rigorous in practice, a number of things have to happen: Firstly, we believe that civil society should have a formal role in overseeing the implementation because, obviously, civil society has a level of expertise and independence. And the other point would be that we need to see adequate resources at a national level for the different agencies that will have enforcement powers and that they also be independent in practice.”

Don’t forget to check out CDT’s publications for this month, and to sign up for CDT Europe’s AI newsletter!

• Fostering Responsible Business Conduct In the Tech Sector – The Need for Aligning Risk Assessment, Transparency, and Stakeholder Engagement Provisions Under the EU Digital Services Act with the UNGPs 
• CDT Europe Calls on EU Leaders to Prohibit Mass Surveillance Through Indiscriminate and Arbitrary Uses Of Biometric Technologies In the EU’s AI Act
• CDT Europe’s AI Bulletin: July 2023