
AI Policy & Governance, European Policy, Government Surveillance, Privacy & Data

EU Tech Policy Brief: September 2024

Welcome back to the Centre for Democracy & Technology Europe’s Tech Policy Brief. This edition covers the most pressing technology and internet policy issues under debate in Europe and gives CDT’s perspective on the impact on digital rights. To sign up for CDT Europe’s AI newsletter, please visit our website. Do not hesitate to contact our team in Brussels: Silvia Lorenzo Perez, Laura Lazaro Cabrera, Aimée Duprat-Macabies, David Klotsonis, and Giulia Papapietro.

👁️ Security, Surveillance & Human Rights

Civil Society Takes a Stance Against Surveillance Spyware 

In response to recent spyware attacks, and the absence of a strong political reaction to the risks posed by these intrusive technologies, CDT Europe and 30 civil society and journalists’ organisations released a joint statement on the use of surveillance spyware in the EU and beyond. The coalition expressed deep concern over the EU institutions’ failure to address the misuse of spyware technologies in the EU, which pose a serious threat to EU democratic values, public debate, and healthy civic spaces.

The statement cited findings from the European Parliament’s PEGA Committee, which revealed in May 2023 that a majority of EU Member States had acquired spyware, with some using it unlawfully against journalists, human rights defenders, and politicians. The coalition criticised the recently adopted European Media Freedom Act for failing to protect journalists adequately, arguing that it introduces sweeping legal grounds to use highly-intrusive spyware such as Pegasus and Predator against journalists without crucial safeguards.

Our coalition called on the incoming EU institutions to address, in the new legislative term, the threats spyware poses to fundamental rights. This should include a ban on the production, sale, and use of spyware that grossly violates fundamental rights, and for which strict safeguards would never be sufficient to mitigate the harm to victims’ rights.

Other demands of the coalition include the need for stronger export controls by incorporating a definition of spyware into the EU Dual-Use Regulation, and strengthening fundamental rights safeguards to ensure these tools aren’t used for repression or human rights abuses in countries outside the EU. The coalition also demands stronger accountability measures, more transparency in government contracts involving spyware, and that EU decision-makers consult systematically with civil society and stakeholders in the process of reviewing, implementing and enforcing EU legislation.

Concerning Update on the EU Child Sexual Abuse Regulation

The start of the Hungarian Presidency brought a worrying new compromise proposal for the EU Child Sexual Abuse Regulation in September, which led members of the Global Encryption Coalition Steering Committee to express serious concerns. While the proposal narrows detection to known child sexual abuse material (CSAM) and delays evaluations of new technologies, it still mandates scanning for encrypted messaging services. Any form of content scanning, including client-side scanning, undermines the core principle of end-to-end encryption, introducing significant security risks for all users. These measures would weaken encryption, making systems vulnerable to exploitation by third parties, without effectively tackling the spread of CSAM. 

Recommended read: CDT Europe’s Silvia Lorenzo Perez detailed how the joint statement on spyware came to light, and why civil society’s work is important in the fight against spyware abuse in the EU. 

💬 Online Expression & Civic Space

Digital Services Act in the New Mandate

In several mission letters setting out the next mandate for the European Commission, Commission president von der Leyen placed particular emphasis on the European Democracy Shield, which will create new EU capabilities and leverage existing frameworks like the Digital Services Act (DSA) to combat foreign interference and disinformation. We urge the Commission to ensure that any effort to protect its information space does not come at the expense of freedom of expression through over-removal of lawful online content, given the complexity of distinguishing between legal and illegal disinformation. We expect that civil society will play an important role in this process.

Also key to the development of the European Democracy Shield will be Commissioner-designate Henna Virkkunen, who as vice-president of the EU Commission and head of DG CNECT will oversee enforcement of the Digital Services Act (DSA) and online child protection, and Michael McGrath, Commissioner-designate for Democracy, Justice and the Rule of Law, who will lead DG JUST. DG CNECT and DG JUST will work together not only on the European Democracy Shield, but also on the Digital Fairness Act, which will address broader digital consumer protections. While DG JUST will spearhead the Digital Fairness Act, the legislation will have significant overlap with the DSA, as children are by definition considered vulnerable consumers. DG JUST coordination with DG CNECT, especially on issues like addictive design and dark patterns, which are both seen as risks under the DSA, will thus be essential to ensure coherent policy across the EU’s digital space.

Von der Leyen additionally tasked McGrath with building a Civil Society Platform to “support more systematic civil dialogue and work to strengthen protection of civil society, activists and human rights defenders and their work.” This would be a significant step for the inclusion of civil society in the design and enforcement of digital policy, and echoes CDT’s advocacy for a formal consultation mechanism for civil society in the context of the Board of Digital Services, which was established by the DSA.

Call for Evidence for the Online Protection of Minors

In response to the European Commission’s recent call for evidence on the Guidelines for the Online Protection of Minors, under Article 28 of the Digital Services Act (DSA) — which will be subject to public consultation once a draft is ready — CDT Europe emphasised a balanced, rights-based approach to safeguarding minors online. Our response highlights three key points:

  • The EU Digital ID is not a silver bullet for protecting minors online: While the EU Digital Identity Wallet presents potential for age assurance, it is not a comprehensive solution. The technology faces several challenges, including privacy concerns and gaps in inclusivity, particularly for marginalised groups. Age assurance methods must evolve while preserving users’ privacy and avoiding excessive data collection.
  • User controls are promising: Offering minors tools to manage their online interactions can empower them to make safer choices. Customizable filters, blocklists, and other features allow young users to tailor their online experience in real time, addressing evolving risks faster than traditional content moderation measures.
  • Consulting young people is essential: Including youth in the development of the guidelines, and encouraging platforms to engage them during the design process, is critical. Young people’s insights ensure that measures are relevant and responsive to their needs, fostering a safer and more user-friendly online environment.

Recommended read: Tech Policy Press, Researcher Data Access Under the DSA: Lessons from TikTok’s API Issues During the 2024 European Elections

⚖️ Equity and Data

AI Agenda in the New Mandate

While implementation of the AI Act will necessarily fall within Commissioner-designate Henna Virkkunen’s Tech Sovereignty, Security and Democracy portfolio, Virkkunen’s mission letter notably does not refer to the AI Act’s enforcement. It instead asks the Commissioner-designate to take several steps to facilitate the regional uptake of AI, including by providing access to tailored supercomputing capacity for AI start-ups, boosting industrial uses of AI, and setting up a European AI Research Council. The mission letter similarly calls for the development of an EU Cloud and AI Development Act to increase computational capacity, and creation of an EU-wide framework for providing “computational capital” to innovative small and medium-sized enterprises. 

Other portfolios that will touch on AI include that of the Commissioner for People, Skills and Preparedness, who will work on algorithmic management, and the Commissioner for Intergenerational Fairness, who was tasked with developing an AI strategy for the creative industries, possibly addressing issues of copyright.

While the mission letter does not suggest further regulation of new technologies, a recent report from the European Parliamentary Research Service (EPRS) moves in this direction. In its complementary impact assessment on the draft AI Liability Directive (AILD) — an instrument proposing a draft legal framework for extra-contractual civil liability for harms caused by AI systems, put on hold during the AI Act negotiations — the EPRS argued for the AILD to be revisited, strengthened, and pushed forward. In our latest blog post, we unpack the relationship between the AILD and the AI Act, the key suggestions made in the EPRS report, and the potential of the AILD going forward. 

In the meantime, implementation of the AI Act is moving into its next steps. Following the AI Office’s selection of interested stakeholders, CDT Europe will participate as an organisation with technical expertise in the Codes of Practice process — steered by the AI Office — to develop rules for General Purpose AI models. The process formally began yesterday with a closed plenary meeting, which presented co-chairs and vice-chairs, set out the basic rules for the process, and underscored the confidential nature of the proceedings. The AI Office has until April 2025 to prepare and finalise the Codes of Practice. Multiple stakeholders will be involved, including general-purpose AI model providers, academic experts, organisations with technical expertise, and civil society organisations. We set out the eligibility criteria in an earlier publication.

Challenges and Opportunities of AI in the Public Sector

In mid-September, CDT Europe’s Laura Lazaro Cabrera participated in a multistakeholder consultation on the challenges and opportunities of artificial intelligence in the public sector, organised by the European Committee of the Regions. Laura stressed the importance of public authorities taking a considered, careful approach towards AI deployment, highlighting that responsible adoption of AI-powered tools is resource-intensive, not least due to the obligations the AI Act sets for public authorities. In light of these obligations, she called on public authorities to request comprehensive information from AI vendors prior to contracting to ensure that the effectiveness, benefits, and risks of any AI systems are comprehensively addressed and mitigated.

Recommended read: The Financial Times published an opinion piece explaining why lobbying for unfettered innovation is bad for democracy

🗞️ Press Corner 

⏫ Upcoming Events 

Global Encryption Day: The Global Encryption Coalition, of which CDT Europe is a member, is holding its annual Global Encryption Day event on 26 October. Watch this space for more information.