Campaigns

Dear all,

Generative AI is in the news again, with two lawsuits against OpenAI over alleged data theft and privacy violations. In other news: Companies are finding the idea of withdrawing from a country to be an increasingly enticing strategy to wield against governments and regulators, especially when it comes to AI regulation and content policy.

Let’s get started.
Stephanie and the Digital Watch team

// HIGHLIGHT //

OpenAI is sued for data theft and privacy violations: Here’s what we can expect

OpenAI and Microsoft have been sued in California in a major class-action lawsuit. The long-anticipated legal battle will address crucial privacy and copyright concerns surrounding the data used, and still being used, to train generative AI models. Hopefully, some clarity on how to apply the books to this latest technology is finally in sight.

OpenAI’s alleged violations. The lawsuit, launched by a California-based law firm, alleges that through its practices to train its AI models, ChatGPT: 

• Secretly scraped people’s data (the legal term is misappropriation)
• Violated intellectual property rights of users
• Violated the privacy of millions of users
• Normalised the illegal scraping of data which is forever embedded in AI models
• Gathered more data than users consented to
• Posed (and poses) special privacy and security risks for children.

The last one is a particularly serious accusation, considering that the ‘defendants have been unjustly enriched by their theft of personal information as its billion-dollar AI business’, the lawsuit states.

Rings a bell? The case reminds us of two concluded cases:

• Italy’s ChatGPT ban in March 2023, which the country lifted a few weeks later after OpenAI added information on how user data is collected and used and started allowing users to opt out of data processing that trains the ChatGPT model. 
• The ACLU vs Clearview AI case, which ended in a settlement last year, after the company agreed to stop selling access to its face database to businesses and people in the USA, and to any entity in Illinois, including state and local police, for five years.  

There are also two similar ongoing lawsuits:

• The copyright sections of the new case are similar to another case initiated last week in San Francisco against OpenAI by two US authors who say the company mined data copied from thousands of books, without permission. 
• It’s also similar to a class action suit initiated in January 2023 against Sta­bil­ity AI, DeviantArt, and Mid­jour­ney for their use of Sta­ble Dif­fu­sion, a tool that was trained on copy­righted works of artists. 

What is the lawsuit asking for, as a remedy? Obviously, financial compensation to users affected by the company’s violations, and more transparency on how personal data is collected and used. But also:

• Digital dividends as compensation for people whose data was used to develop and train OpenAI’s models
• Establishment of an independent body to approve products before they are launched publically. Until then, a freeze on the commercial use of some of the company’s models.

The legal arguments. The main argument used by companies challenged by generative AI lawsuits is that the outputs are different from their source material, and are therefore, unequivocally transformative. But the Andy Warhol Foundation for the Visual Arts v. Goldsmith ruling, in May 2023, clarified how transformative use is defined: If it’s meant to be used commercially, the fair use argument won’t stand.

The courts will also undoubtedly be looking at the data-scraping practices of OpenAI. Beyond this, there’s ChatGPT itself: If the software can’t function without underlying data, is it continuously infringing copyright laws? And where does that leave people who use ChatGPT as part of their work?

The ethical issues. One of the things that irks people is the permanence of models trained with personal data. If your data was used to train the model, that data has now become part of it and is, in turn, merged with additional data to train the model further. It’s a never-ending loop.

There’s also the unprecedented scale of it all. The entire internet has become one unending source of data for AI companies. In OpenAI’s case, one wonders whether any data at all was off-limits to the company. 

If people seek solace in any of this, we don’t think any can be found. The fact that generative AI models are not infallible provides more worry than consolation. It’s also becoming increasingly difficult to tell whether a piece of content was created by humans or generated by an AI model – not to mention the increasing difficulties of discerning truth from fiction (and lies). 

And yet, despite all the bad press for OpenAI (and other AI companies, for that matter), this doesn’t seem to be stopping anyone from exploring or using AI tools. Reversing data misuse is next to impossible; the closest thing is to forcibly improve company practices, as similar cases have already shown.

// AI GOVERNANCE //

Draft AI rules could lead us to pull out of Europe, say industry executives

More than 160 executives from companies, including Meta, Siemens, and Renault, jointly signed an open letter to EU lawmakers expressing their concerns regarding the proposed EU AI Act. 

They think the new rules, as they currently stand, will have a negative impact on Europe’s competitiveness and technological independence due to the substantial compliance costs and significantly increased liability risks for companies. The executives also warn that the rules may lead innovative companies to relocate their operations and investors, withdrawing their support for European AI development.

Why is it relevant? First, Member of Parliament and co-drafter Dragos Tudorache pushed back quite forcibly: ‘I am convinced that they have not carefully read the text but have rather reacted on the stimulus of a few who have a vested interest in this topic’. Second, the proposed rules are still under negotiation, so they can still be changed (and watered down). Third, it reminds us of OpenAI Sam Altman’s recent comment (which he later retracted) on pulling out of the EU.

// DATA //

EU policymakers reach agreement on Data Act

EU countries and lawmakers have reached a provisional agreement on the Data Act, proposed by the European Commission in 2022. The next step is to be endorsed by the Council and the European Parliament.

The act will give users access to data generated by connected devices and will address concerns about unauthorised data access and the protection of trade secrets.

Why is it relevant? One of the most important concepts is that the owners of connected devices will be able to monetise the generated data, which so far has been predominantly harvested by manufacturers and service providers.

Was this newsletter forwarded to you, and you’d like to see more?

// CONTENT POLICY //

Twitter implements limits on reading tweets

In what seems to be a reaction to last week’s lawsuit against OpenAI (and the violations the lawsuit is alleging), Twitter’s Elon Musk announced the company will limit the number of tweets a verified account can read to 6,000 posts per day. Unverified accounts will have a limit of 600 posts per day, while new accounts will be limited to 300 posts per day. 

A few hours later, he increased the numbers to 10,000, 1,000, and 500 – a moderate increase, but an increase nonetheless. Companies (like Twitter) are also bothered by extensive web scraping.

US regulators to crack down on fake reviews

The US Federal Trade Commission (FTC) is proposing new rules that prohibit businesses from paying for reviews, manipulating honest reviews, and posting fake social media engagement. The announcement follows a period of public consultation, which ended in January.

Why is this relevant? The rules will be accompanied by civil penalties for violators. As the FTC confirmed, fines are a stronger deterrent.

Cambodian PM backtracks on country-wide Facebook ban

Cambodian Prime Minister Hun Sen briefly considered a country-wide ban on Facebook over the many abusive messages he was receiving from political opponents on the platform. He also announced a switch to the messaging app Telegram, citing its effectiveness and its usability in countries where Facebook is banned. 

The announcement came right before Meta’s independent oversight board ordered the removal of a video where the Prime Minister threatened his political rivals, overturning the company’s original decision to keep the video online in line with its newsworthiness allowance policy. The board also recommended a six-month suspension of the premier’s Facebook and Instagram accounts. 

Why is it relevant? It’s not so much the decisions by Meta or its oversight board that are so important, but rather the remarks made (on Telegram) by the prime minister in reaction to the board’s decision: ‘I have no intention to ban Facebook in Cambodia… I am not so stupid as to block the breath of all the people.’ 

Google follows Meta’s lead: Canadian news to be blocked

Google announced it will remove links to Canadian news content from its platform in response to new rules requiring companies to compensate local news publishers for linking to their content. This decision follows a similar move by Facebook owner Meta. 

Canada’s Parliament passed the new law, known as the Online News Act or Bill C-18, last week.

Why is it relevant? We’ve already compared this development with what happened in Australia two years ago, when Google temporarily blocked news outlets from its search engine in reaction to the Australian government’s plans to enact the news media bargaining code. The difference, however, is that by the time the law was enacted in Australia, Google had already entered into private agreements with news agencies. So far, it looks like the situation in Canada will have a more pronounced impact on both consumers and the company’s operations in the country.

// MARKETS //

Apple has become the world’s first USD3 trillion (EUR2.7 trillion) company (after closing with this market cap, compared to the intraday trading high in January 2022), achieving what no other tech or non-tech firm has ever achieved. While this milestone may elate company investors, it also raises concerns about the immense power wielded by Big Tech, leaving some feeling uneasy.

2–8 July: The IEEE International Conference on Quantum Software, taking place in Chicago, Illinois, USA, and online, will bring researchers and practitioners from different areas of quantum (and classical) computing, software, and service engineering to discuss architectural styles, languages, and best practices.

3–4 July: The 18th World Telecommunication/ICT Indicators Symposium, in Geneva, Switzerland, and online, will highlight the need to improve how we measure data to achieve universal connectivity.

6-7 July: The annual AI for Good Global Summit returns to Geneva, Switzerland and online this week. Over 100 speakers from governments, international organisations, academia, and the private sector are expected to discuss the opportunities and challenges of using AI responsibly.

10–19 July: The annual High-Level Political Forum (HLPF), taking place in New York, USA, will focus this year on accelerating the recovery from COVID-19 and fully implementing the 2030 Agenda for Sustainable Development. 

10–12 July: The second IGF Open Consultations and Multistakeholder Advisory Group (MAG) meeting, in Geneva, will continue shaping the Internet Governance Forum meeting, to be held in Japan later this year.

Microsoft offers Europe suggestions on AI regulation

We couldn’t help but notice the constructive tone in Microsoft President Brad Smith’s message to European lawmakers on AI rules: 

‘From early on, we’ve been supportive of a regulatory regime in Europe that effectively addresses safety and upholds fundamental rights while continuing to enable innovations that will ensure that Europe remains globally competitive. Our intention is to offer constructive contributions to help inform the work ahead. … In this spirit, here we want to expand upon our five-point blueprint, highlight how it aligns with EU AI Act discussions, and provide some thoughts on the opportunities to build on this regulatory foundation.’ Read the full text.

Was this newsletter forwarded to you, and you’d like to see more?

Dear all,

Last week’s European Commission visit to San Francisco was more than a formality: it cemented a commitment by US tech giants to adhere to Europe’s new rules. In other news, new AI rulebooks and investigations are coming soon, while Google and Apple stores are undergoing antitrust reviews in India.

Let’s get started.
Stephanie and the Digital Watch team

// HIGHLIGHT //

Twitter, Meta ‘not dragging their feet’ on DSA compliance, says Breton after Silicon Valley meeting

If last week’s San Francisco meeting was aimed at reminding Big Tech that the Digital Services Act (DSA) clock is ticking, European Commissioner Thierry Breton achieved his goal: ‘They are not dragging their feet,’ he said this morning (26 June) on France Inter, referring to the 25 August cut-off date for implementing the complete set of DSA obligations. ‘I want to make that very clear. They have committed themselves.’ (Here’s the transcript in French, and a translation to English.)

Mark Zuckerberg, CEO of Meta, which owns Facebook and Instagram, Elon Musk, Twitter chairman, and Sam Altman, CEO of OpenAI, the startup behind ChatGPT, were among those Breton met during the two-day trip that also included the launch of the EU’s San Francisco office.

The DSA is about preserving innovation while protecting individual freedoms, in Breton’s words. But in truth, Big Tech wants to continue offering services in Europe – a digital market which is too large to ignore. After the 25 August deadline, non-compliance can result in hefty fines, which the EU will not hesitate to impose. Overall, Big Tech gets the big picture.

Twitter will comply with the DSA – Musk

Of the two giant social media companies, Meta was not Breton’s biggest worry. In fact, the commissioner was impressed with Mark Zuckerberg last week, saying he recognised all of the articles of the law and was enthusiastic about it. 

Rather, it’s Twitter which was causing headaches: The company ditched the EU’s disinformation charter last month, and had European leaders worrying that Twitter wouldn’t be willing to comply with the rules. The fact that Twitter committed to the obligations of the DSA is positive news for regulators. 

We actually heard it from Elon Musk himself in a France 2 interview last week. In a somewhat humorous tone, he said it wasn’t the first time he was iterating that Twitter will comply with the law and adhere to regulations. He added a cautious note though: adhering to the law is the limit of Twitter’s intentions, as going beyond what is lawfully required would mean going ‘beyond the will of the people as expressed by the law’. Beyond the DSA, whether intentional or not, Twitter is signalling that it values binding rules much more than voluntary ones – a sentiment that many companies do not share. 

Of course, the real proof of Big Tech’s adherence to the DSA will come after the deadline. So what European regulators can do right now is to continue their stress tests to assess the readiness of the industry, which is what Commissioner Breton’s team did, in fact, prior to his Twitter HQ visit (Meta’s stress test is in July). The outcome hasn’t been disclosed, but Commissioner Breton’s upbeat remarks this morning are another indication that Twitter is on track to implement Europe’s new rules. 

Friends again
Breton’s conversation with OpenAI’s Sam Altman was about the EU’s upcoming AI Act, and the AI pact – a set of voluntary guidelines which Breton devised to help companies prepare for implementing the AI Act. What stood out wasn’t what the two said during the meeting, but what they tweeted right after. The two have come a long way since their recent misunderstanding.

// AI GOVERNANCE //

US lawmaker releases AI framework

US Senate Majority Chuck Schumer, who in April announced the need for AI rules, has now released his SAFE Innovation Framework. 

He has also announced a series of AI Insight Forums, starting in September, which will serve as building blocks for new US AI policy. The experts will be a part of what Schumer describes as ‘a new and unique approach to developing AI legislation’. 

Why is it relevant? First, the one-pager mentions China (twice) as a cause for concern. The lawmaker thinks the Chinese Communist Party may be able to set AI standards and write the rules of the road for AI ahead of anyone else. Interestingly, there’s no mention of the EU, whose proposed AI Act is moving ahead quickly. 

Second, Schumer thinks it will take (only) months for Congress to pass AI legislation. It’s ‘exceedingly ambitious’, to quote Schumer himself.

Consumer groups call for more ChatGPT investigations

Consumer groups across 13 European countries are urging their national authorities to investigate the risks posed by generative AI such as ChatGPT. They’re also asking them to enforce existing laws to safeguard consumers. 

The statement, timed to coincide with the publication of a Norwegian consumer group’s report on the consumer harms of generative AI, says the new technology carries many risks, including privacy and security issues, and results which can be inaccurate and can manipulate or mislead people. The organisations also say that consumer groups in both the USA and EU are writing to US President Joe Biden on behalf of the Trans-Atlantic Consumer Dialogue (TACD) on this issue.

Why is it relevant? The call adds more pressure on regulators, especially data protection authorities, to investigate OpenAI, the company behind ChatGPT. So far, tens of investigations have been launched; the list continues to grow.

New AI guidebook in the making in ASEAN region 

ASEAN countries are planning an ASEAN AI guide that will tackle governance and ethics, Reuters has reported exclusively. The agreement was made in February, but the development became known only a few days ago.

Discussions are in their early stages; the guidebook is expected to be released at the end of this year, or early next year.

Why is it relevant? More countries and regions are developing AI rules, which means that unless there’s a concerted effort to build on each other’s work, the world will end up with unharmonised – albeit broadly similar – rules at best. At worst? A patchwork of rules built on a conflicting set of values and priorities.

// SEMICONDUCTORS //

Intel invests in chip fabs in Germany; EU woos Nvidia

Intel has expanded its investment to build two new semiconductor facilities, known as fabs, in Germany. The company will invest EUR 30 billion (USD 32.8 billion), and will receive subsidies worth nearly EUR 10 billion (USD 10.9 billion) from Germany. German Chancellor Olaf Scholz hailed the new agreement as the country’s biggest-ever foreign investment. 

Intel is unlikely to experience a shortage of skills: There are around 20,000 technology students residing in Magdeburg, where the semiconductor fabrication plants (or fabs) will be built. The company is expecting the first plant to start operating within four-to-five years after the European Commission’s subsidies approval.

Across the pond, European Commissioner Thierry Breton took the opportunity of his San Francisco trip to visit NVidia CEO Jensen Huang. The CEO said Breton encouraged him to invest ‘a great deal more’ in Europe, which is going to be a ‘wonderful place to build a future for Nvidia’. 

Why is it relevant? Both the USA and Europe are vying to attract semiconductor companies to their shores. But right now, it’s Europe that is beckoning.

Was this newsletter forwarded to you, and you’d like to see more?

// ANTITRUST //

Google asks Indian court to quash regulator’s antitrust ruling 

This morning (26 June), Google requested India’s Supreme Court to quash antitrust directives which the country’s competition regulator imposed on the company for allegedly exploiting its dominant position in India’s Android mobile operating system market. 

In March, a tribunal modified four of the ten directives imposed by the Competition Commission of India (CCI) in October, which allowed the company to sustain its current business model. Google is now asking that the remaining directives be stopped and that the court revoke the regulator’s earlier antitrust ruling.

Why is it relevant? The tug of war has already been partially won by the tech giant. The rest of it could go down in one of two ways: If the court confirms the March ruling, it’s status quo for the company; if the court rules that Google did not abuse its position, it’s a significant win for Google, which could influence other cases with other giant tech companies…

Indian competition regulator set to rule on Apple’s app store policies 

The CCI is set to rule soon on Apple’s app store billing and policies. The regulator launched its investigation in 2021, but the process stalled after the commission’s chairman retired in October 2022. 

Why is it relevant? On the one hand, the case is similar to Google’s case, prompting the regulator to go down the same path. On the other, the regulator’s ruling in Google’s case was revised on appeal, and is now subject to another lawsuit, which may influence the regulator’s final decision.

// E-VOTING //

Switzerland positive after e-voting trial

Swiss voters are shining a good light on a recent e-voting trial, which saw participation rates higher than the national average rate for Swiss voters abroad as a whole. The e-voting software, developed by the Swiss Post, was reviewed after the flaws reported in 2019, and approved for trial in three cantons by the Federal Chancellery earlier in March. 

Why is it relevant? Despite warnings from some Swiss parliamentarians, the outcome of this trial could open the door for Swiss voters living abroad to use the e-voting system in parallel to traditional mail-in ballots. It could also encourage countries where e-voting has either been abandoned (such as recently in Latvia) or never explored. (For reference, here’s where the world stands on e-voting right now).

19 June–14 July: The four-week 53rd session of the Human Rights Council is ongoing in Geneva and online. What to watch for:

• 3 July: A panel discussion on the role of digital, media, and information literacy in the promotion and enjoyment of the right to freedom of opinion and expression (HRC res. 50/15)
• 6 July: A discussion on the report on the relationship between human rights and technical standard-setting processes for new and emerging digital technologies and the practical application of the Guiding Principles on Business and Human Rights (A/HRC/53/42)

Dates may change. Consult the agenda and the latest programme of work. Refer also to the Universal Rights Group’s The Inside Track covering HRC53.

29 June: The EU’s new Regulation on Markets in Crypto-assets, also known as the MiCA regulation, enters into effect today (and will start applying from December 2024). It will regulate crypto-asset issuers and service providers at the EU level for the first time.

1 July: Spain takes up the presidency of the EU Council; a new trio of rotating chairs (Spain-Belgium-Hungary) starts today till the end of 2024. The next elections will be held during Belgium’s presidency.

For more events, bookmark the Digital Watch Observatory’s calendar of global policy events.

An atlas on SDGs

Where do countries stand in their goals to achieve the 2030 Agenda? The World Bank’s 2023 Atlas of Sustainable Development Goals tells us how far countries have come – and what more needs to be done. It draws from the World Bank’s database of indicators and multiple other sources. 

SDG practitioners will be happy to learn that the visualisations, together with all the data and code can be downloaded and used for similar purposes.

Dear all,

Antitrust regulators in the EU and USA have Big Tech firms in their crosshairs. The EU wants to curb Google’s dominance in the adtech market, while the US Federal Trade Commission has managed to halt – so far temporarily – Microsoft’s plans to acquire Activision Blizzard. Meanwhile, trilogues on the proposed AI Act have begun in Europe.

Let’s get started.
Stephanie and the Digital Watch team

// HIGHLIGHT //

EU takes aim at Google:
Company could be forced to sell off adtech arm

The European Commission is quite unhappy with Google’s role in the adtech business. The company, at the centre of an ongoing antitrust investigation, is dominant on both sides of the market (see the explainer below), making it a prime target for the Commission to order tough remedies if suspicions of abusive patterns are confirmed. 

Not just tough, but tougher. When the European Commission announced last week that it couldn’t see any other solution, we knew it was quite serious for Google. 

What stood out in last week’s press conference was that European Commissioner for Competition Margrethe Vestager described Google’s dominance as pervasive, singling it out as the company with the most ubiquitous presence across markets. What this means in practice is that it’s not just a matter of one company being dominant in a particular market, but a more extensive dominance by one company. It’s a situation that will test the Commission’s resolve in correcting market distortions, and will determine whether existing rules fit this situation.  

It also appears that every time the Commission flagged undesired behaviour, Google swiftly tweaked its actions in subtle ways to comply with the letter of the law, while still accomplishing the same results. The creature stayed the same; only its spots changed. This certainly does not help its cause. As Vestager said, the ‘learning curve is somewhat flat’ for dominant companies: Big Tech has failed to recognise that it’s acceptable to lead a market, but unacceptable to exploit it.

How it started. The EU investigation into Google’s behaviour in the adtech business started a few years ago. Since Google is dominant across the whole value chain, it can be pretty tough to detect specific behaviours. So throughout its preliminary investigation, the commission roped in other competition authorities to investigate practices in arguably one of the most complex technical markets out there. That includes cooperating with the US Department of Justice, itself investigating Google on multiple accounts of alleged antitrust violations.

There’s no other solution. The Commission has touted the notion of divestiture before in other cases, but there were less intrusive measures available. It now appears that when it comes to the adtech market, the market distortions from Google’s dominance in a two-sided market can’t be solved in any other way: You just can’t have ownership of the entire value chain. 

How this could affect Google. There’s no other way to describe it: A request for the company to sell off its adtech arm would be a strong blow to the company. It would mean a major shake-up of the company’s digital advertising empire, and, potentially, a significant restructuring of Google’s business model. 

The formal investigation, launched last week, will determine whether Google violated EU antitrust rules. But the million-dollar question is: Is it a matter of arguing that all other alternatives have been exhausted, or that no other alternative can adequately address this market distortion? 

If the Commission believes that the time for behavioural remedies is up, Google’s only solution is to persuade the Commission that the situation can be remedied by alternative methods. But if the Commission thinks that Google’s dominance in a two-sided market can’t be fixed in any other way, the Commission has a complex task ahead to justify an adtech break-up.

// AI GOVERNANCE //

EU Parliament advances AI Act, trilogues start

All eyes were on the European Parliament last week in anticipation of the lawmakers’ crucial vote on the EU’s proposed AI Act. Receiving a resounding 499 votes in favour, with 28 against, and 93 abstentions, the Parliament’s text made it through plenary and will now be used as a foundation for negotiations with the EU Council.

The trilogues – tripartite negotiations among the EU’s lawmaking institutions – have already started.

Why is it relevant? For a second, we thought there might be hiccups. But there was too much at stake for European lawmakers to jeopardise the process. So there’s one less hurdle for the AI Act to reach its destination: the coming into effect of new rules that address the risks from AI systems based on their risk level. Yet, it won’t be smooth sailing: biometric-related risks will be a major bone of contention.

Was this newsletter forwarded to you, and you’d like to see more?

// ANTITRUST //

US judge temporarily blocks Microsoft’s Activision acquisition

It’s not just Google having antitrust issues of late. Microsoft’s takeover of video game maker Activision Blizzard has suffered a setback after a US judge granted the Federal Trade Commission’s (FTC) request to temporarily block the acquisition. The judge has scheduled a two-day evidentiary hearing for this week on the FTC’s request for a preliminary injunction.  

The FTC is arguing that the transaction would give Microsoft’s video game console Xbox, exclusive access to Activision games, leaving Nintendo and Sony Group’s PlayStation out in the cold.

Why is it relevant? First, without a court order, Microsoft could have closed the USD69 billion (EUR63 billion) deal as early as last week. The company will now have to wait for this week’s hearing. Second, the merger faces a legal battle in August, when an FTC judge is set to hear the case. 

The FTC’s actions stand in contrast with the European Commission’s approval of the merger in May. No doubt the UK’s Competition Authority, which denied approval of the deal citing concerns over the potential impact on competition in the video game industry, is watching closely.

// CYBERSECURITY //

Amid soaring tensions, US official warns of cyber sabotage from China

Chinese hackers are all but sure to disrupt US critical infrastructures, such as pipelines and railways, in the event of a conflict with the USA, a senior US cybersecurity official has warned. Tensions between the two countries have soared. 

The Director of the Cybersecurity and Infrastructure Security Agency, Jen Easterly, emphasised during a recent event that China is significantly investing in its capability to sabotage US infrastructures. With the possibility of Chinese hackers compromising current security measures (given the recent cyberattacks by Chinese state-sponsored hacking group Volt Typhon), Easterly warned that prioritising resilience and strengthening defences is paramount to being prepared.

// DATA PROTECTION //

Swedish data protection watchdog fines Spotify over GDPR breaches 

The Swedish Data Protection Authority has imposed a EUR5 million (USD5.5 million) fine on digital music service company Spotify for breaching several GDPR provisions a few years ago. According to the authority, Spotify failed to provide clear information to users regarding the purposes of its data processing, categories of personal data involved, and data storage periods, among other infringements.

As with many European legal actions concerning data protection, the complaint against Spotify was filed by Austrian non-profit NOYB, which also took the Swedish Data Protection Authority to court for not wanting to investigate the case.

Why is it relevant? The ruling serves as a reminder for organisations operating in the EU to provide clear and transparent information about their data processing practices (and for data protection authorities to investigate every complaint).

19–21 June: The 2023 edition of Europe’s foremost regional internet governance gathering – EuroDIG – is underway in Finland and online. The theme – Internet in troubled times: Risks, resilience, hope. We’ll use our latest AI tool, DiploGPT, to draft reports that reflect the discussions throughout the meeting. (By the way, here’s DiploGPT in action).

19 June–14 July: The four-week 53rd session of the Human Rights Council also starts today in Geneva and online. What to watch for:

• 22 June: A discussion on the report Digital Innovation, Technologies, and the Right to Health (A/HRC/53/65)
• 6 July: A discussion on the report on the relationship between human rights and technical standard-setting processes for new and emerging digital technologies and the practical application of the Guiding Principles on Business and Human Rights (A/HRC/53/42)
• 3 July: A panel discussion on the role of digital, media, and information literacy in the promotion and enjoyment of the right to freedom of opinion and expression (HRC res. 50/15)

Dates may change. Consult the agenda and the latest programme of work. Refer also to the Universal Rights Group’s The Inside Track covering HRC53.

20–21 June: The Ad Hoc Committee on Cybercrime, tasked with advancing a new cybercrime convention, is holding the fifth intersessional stakeholder consultation in Vienna and online.

21–22 June: The annual Cybersec Forum and Expo features discussions among policymakers and the industry on cybersecurity and resilience, across four streams: state, defence, business, and future technologies. Takes place in Poland, onsite only.

23 June: It’s the last day to propose a session for UNCTAD’s eWeek (known until recently as eCommerce Week). It will take place in December in Geneva and online.

For more events, bookmark the Digital Watch Observatory’s calendar of global policy events.

Do we trust algorithms to choose our news?

Not really. According to the Reuters Institute’s annual Digital News Report 2023, which surveyed around 94,000 adults across 46 markets, people are sceptical of algorithms determining news selection based on what our friends have read or read (19% agree, 42% disagree) and based on what we ourselves have read or seen in the past (30% agree, equal numbers disagree).

How about the sources we choose to stay informed? Facebook, which was once dominant as a primary network for news, has been surpassed by rivals such as YouTube and TikTok. Read the full report.

Dear all,

The USA and the UK signed the Atlantic Declaration to strengthen their economic, technological, commercial and trade relations. The EU’s AI Act might be in jeopardy. Meta is in trouble with the EU over content moderation, namely failure to remove child sexual abuse material from Instagram, and Google has published its Secure AI Framework.

Let’s get started.
Andrijana and the Digital Watch team

// HIGHLIGHT //

The US-UK Atlantic Declaration signed

The UK and the USA signed the Atlantic Declaration for a Twenty-First Century US-UK Economic Partnership, touted as a first of its kind as it spans their economic, technological, commercial and trade relations. Here’s what’s in it regarding digital policy (not everything about it is) and how it impacts the USA, the UK… and the EU.

The first pillar focuses on ensuring US-UK leadership in critical and emerging technologies. Under this pillar, the two nations have established a range of collaborative activities:

• They will prioritise research and development efforts, particularly in quantum technologies, by facilitating increased mobility of researchers and students and fostering workforce development to promote knowledge exchange. 
• They will work together to strengthen their positions in cutting-edge telecommunications by collaborating on 5G and 6G solutions, accelerating the adoption of Open RAN, and enhancing supply chain diversity and resilience. 
• Deepening cooperation in synthetic biology is also a priority, aiming to drive joint research, develop novel applications, and enhance economic security through improved biomanufacturing pathways. 
• Investigators will conduct collaborative research in advanced semiconductor technologies, such as advanced materials and compound semiconductors.
• Additionally, the countries will accelerate cooperation on AI, with a specific emphasis on safety and responsibility. 

This will involve deepening public-private dialogue, mobilising private capital towards strategic technologies, and establishing a US-UK Strategic Technologies Investor Council within the next twelve months. The council will include investors and national security experts who will identify funding gaps and facilitate private investment in critical and emerging technologies. Lastly, efforts will be made to improve talent flows between the USA and the UK, ensuring a robust exchange of skilled professionals.

What this means for digital policy: The UK and US investments in quantum technology are dwarfed by, for instance, the USD15.2-billion public investment in quantum technology announced by the Chinese government. The UK’s investments in semiconductors–USD1.2 billion–are modest. On the other hand, US companies have pledged nearly USD200 billion. In biotech, the UK is behind the USA. The UK currently, by its own estimate, ranks 3rd in AI behind the USA and China. Overall, China has a stunning lead in research in 37 out of 44 critical and emerging technologies with the USA often second-ranked. Perhaps this partnership with the UK will give both the UK and the USA a leg up.

The second pillar of the partnership centres on advancing cooperation on economic security and technology protection toolkits and supply chains. This involves addressing national security risks associated with some types of outbound investment and preventing their companies’ capital and expertise from fueling technological advances that could enhance the military and intelligence capabilities of countries of concern. Additionally, the countries will work towards flexible and coordinated export controls related to sensitive technologies, enabling the complementarity of their respective toolkits. Strengthening their partnership across sanctions strategy, design, targeting, implementation, and enforcement is another objective. Lastly, the countries aim to reduce vulnerabilities across critical technology supply chains by sharing analysis, developing channels for coordination and consultation during disruptions and crises, and ensuring resilience.

What this means for digital policy:  Judging by previous comments from Paul Rosen, the US Treasury’s investment security chief, this is about preventing know-how and investments in advanced semiconductors, AI, and quantum computing from reaching China, which would allegedly use it to bolster military intelligence capabilities. The UK, which already shares a special relationship with the USA in intelligence, just might be joining the US-led export controls on semiconductors. Reminder: Chip giant Arm is headquartered in the UK.

Pillar 3 of the partnership focuses on an inclusive and responsible digital transformation. The countries aim to enhance cooperation on data by establishing a US-UK Data Bridge, ensuring data privacy protections and supporting Global Cross-Border Privacy Rules (CBPR) Forum and the OECD’s Declaration on Government Access to Personal Data Held by Private Sector Entities.

The countries will accelerate cooperation on AI, and the USA welcomed the planned launch of a Global Summit on AI Safety by the UK Prime Minister in the autumn of 2023. Collaboration on Privacy Enhancing Technologies (PETs) is also planned to enable responsible AI models and protect privacy while leveraging data for economic and societal benefits.

What this means for digital policy: The establishment of a US-UK data bridge was first agreed upon in January, at the Inaugural Meeting of the US-UK Comprehensive Dialogue on Technology and Data. Now we know that the data bridge will support a UK extension to the EU-US Data Privacy Framework. 

Why is it relevant? First, interestingly, there was no mention of the EU in this equation, although it impacts EU and US-UK-EU relations. Second, the USA and the UK are stressing collaboration on AI. It’s clear that AI is a priority for both. The USA is looking to Britain to help lead efforts on AI safety and regulation, hoping that AI companies find more fertile ground in the UK than in the EU’s stricter environment. Fourth, the UK wants to put its EU membership firmly behind it. Sunak stated ‘I know some people have wondered what kind of partner Britain would be after we left the EU. […] And we now have the freedom to regulate the new technologies that will shape our economic future, like AI, more quickly and flexibly.’

Beyond what they said, we’ll see how this impacts what they did not mention: Microsoft’s Activision Blizzard takeover.

// AI GOVERNANCE //

Is the EU’s AI Act in jeopardy?

The political deal behind the AI Act may be crumbling, and this might affect the Parliament’s endorsement of the text. 

In April, a deal struck between the four main political groups at the European Parliament stipulated they would not table alternative amendments to the AI Act. However, the European People’s Party (EPP) was given flexibility on the issue of remote biometric identification (RBI). On 7 June, the final deadline for amendments, the EPP tabled a separate amendment on RBI. There are two problems with that.  

1. Other groups claim that the EPP broke the deal, and they might feel legitimised to vote for amendments that were tabled outside of the deal. If they do, there’s no telling how the Parliament’s plenary vote on 14 June will go. 

2. Not everyone likes what’s in the actual amendment. The EPP’s proposed text stipulates that the member states may authorise the use of real-time RBI systems in public spaces, subject to the prejudicial authorisation, for ‘(1) the targeted search of missing persons, including children; (2) the prevention of a terrorist attack; (3) the identification of perpetrators of criminal offences punishable in the Member State concerned for a maximum period of at least three years.’ MEPs from four political groups (liberals, socialists, greens, and left) firmly oppose the EPP’s amendment on biometric identification. They are asking for a ban on such systems, claiming that AI systems that perform behavioural analysis are prone to error and falsely reporting law-abiding citizens and are discriminatory and ineffective for law enforcement.

Why is it relevant? If the Parliament doesn’t endorse the text, it will slow down the world’s first playbook on AI–it might take longer than the projected end of 2023 to reach a political deal among EU Institutions. This threatens the EU’s plans to be a leader in AI rule-making, and plenty of others are willing to step up.

// CHILD SAFETY ONLINE //

Instagram’s algorithms recommend child-sex content to paedophiles, research finds

An investigation by the Wall Street Journal, Stanford University, and the University of Massachusetts at Amherst uncovered that Instagram has been hosting large networks of accounts posting child sexual abuse material (CSAM). The platform’s practical recommendation algorithms play a key role in Instagram being the most valuable platform for sellers of self-generated CSAM (SG-CSAM): ‘Instagram connects paedophiles and guides them to content sellers via recommendation systems that excel at linking those who share niche interests, the Journal and the academic researchers found.’ Even viewing one such account led to new CSAM selling accounts being recommended to the user, thus helping to build the network.

This is where it gets worse. At the time of the research, Instagram enabled searching for explicit hashtags such as #pedowhore and #preteensex. When researchers searched for a paedophilia-related hashtag, a pop-up informed them: ‘These results may contain images of child sexual abuse’. Below the text, two options were given: ‘Get resources’ and ‘See results anyway’. Instagram has since removed the option to review the content, but it doesn’t stop us from wondering why this option was available in the first place.

Why is it relevant? First, it tells us something about the speed at which the platform reacted to reports of CSAM. Perhaps, it will now change, since the platform said it will form a task force to investigate the problem.

Second, it attracted the ire of European Commissioner Thierry Breton. 

Third, Meta will have to demonstrate the measures it plans to take to comply with the EU’s Digital Services Act (DSA) after 25 August or face heavy sanctions, the bloc’s Thierry Breton said. Meta, designated a Very Large Online Platform (VLOP), has stringent obligations under the DSA, and fines for breaches can go to as high as 6% of a company’s global turnover. While Breton didn’t put Twitter on the blast, the company has also been designated as a VLOP, meaning it will also run the risk of being fined.

(And finally, it seems the media did not get the memo: ‘child sexual abuse material’ is the preferred terminology.)

Was this newsletter forwarded to you, and you’d like to see more?

// PRIVACY //

French Senate approves surveillance of suspects using cameras and microphones

The French Senate approved a contentious provision to a justice bill that allows for remote activation of computers and connected devices without the owner’s knowledge. This provision serves two purposes: (1) real-time geolocation for specific offences and the activation of microphones and (2) cameras to capture audio and images, which would be limited to cases of terrorism, delinquency, and organised crime. The Senate also adopted an amendment that limits the possibility of using geolocation to investigate offences punishable by at least ten years imprisonment. However, the implementation of this provision will still require judicial approval.

Why is it relevant? Surveillance tactics are never a favourite with privacy advocates, who typically argue that such privacy breaches cannot be justified by national security concerns. In this instance, the safeguards are unclear, as are mechanisms for redress.

// CYBERSECURITY //

Google introduces Secure AI Framework

Google’s introduced its Secure AI Framework (SAIF), which aims to reduce overall risk when developing and deploying AI systems. It is based on six elements organisations should be mindful of:

1. Expand strong security foundations to the AI ecosystem by leveraging secure-by-default infrastructure protections and scaling and adapting infrastructure protections as AI threats advance
2. Bring AI into an organisation’s threat universe by extending detection and response to AI-related cyber incidents
3. Automate defences to keep pace with existing and new threats, including harnessing the latest AI innovations to improve response efforts
4. Harmonise platform-level controls to ensure consistent security of AI applications across the organisation
5. Adapt controls to adjust mitigations and create faster feedback loops for AI deployment via reinforcement learning based on incidents and user feedback
6. Contextualise AI-system risks in surrounding business processes by conducting end-to-end risk assessments on AI deployment

Google has committed to fostering industry support for SAIF, working directly with organisations to help them understand how to assess and mitigate AI security risks, sharing threat intelligence, expanding its bug hunter programs to incentivise research around AI safety and security and delivering secure AI offerings.

Why is it relevant? As more AI products are integrated into digital products, the security of the supply chain will benefit from the secure-by-default AI products.

NATO to enhance military cyber defences in peacetime, integrate private sector capabilities

NATO member states are preparing to approve an expanded role for military cyber defenders during peacetime, as well as the permanent integration of private sector capabilities, revealed NATO’s assistant secretary general for emerging security challenges David van Weel. Furthermore, NATO plans to establish a mechanism to facilitate assistance among allies during crises when national response capabilities become overwhelmed.

The endorsement is expected at the upcoming Vilnius summit in Lithuania, scheduled for July.

Why is it relevant? Van Weel stated: ‘We need to move beyond naming and shaming bad actors in response to isolated cyber incidents, and be clear what norms are being broken.’ The norms he referred to are agreed-upon norms of responsible state behaviour in cyberspace, confirmed in the reports of the GGEs and the first OEWG on ICTs. His remarks come just two weeks after UN member states met under the auspices of the OEWG in New York to discuss responsible state behaviour in cyberspace. We’ll have more on that towards the end of this week on the Digital Watch Observatory–keep an eye out.

China issues draft guidelines to tackle cyber violence 

China’s Supreme People’s Court, Supreme People’s Procuratorate, and Ministry of Public Security issued draft Guiding Opinions on Legally Punishing Cyber Violence and Crimes (Chinese). 

The guidelines propose the punishment of online defamation, insults, privacy violations, and offline nuisance behaviour, such as intercepting and insulting victims of cyber violence and their relatives and friends, causing disturbances, intimidating others, and destroying property. They also address using violent online methods for malicious marketing and hype, as well as protecting civil rights and identifying illegal acts. 

The guidelines also note that network service providers can be convicted and punished for the offence if they neglect their legal obligations to manage information network security regarding identified instances of cyber violence and fail to rectify the situation after being instructed by regulatory authorities to take corrective measures. This applies to cases where such neglect results in the widespread dissemination of illegal information or other serious consequences.

The draft is open for public comments until 25 June.

// CRYPTOCURRENCIES //

US SEC launches lawsuits against Binance and Coinbase

The world’s biggest cryptocurrency exchanges–Binance and Coinbase–were hit by a wave of lawsuits from the US Securities and Exchange Commission (SEC). 

Why is it relevant? Because down the line, these actors might leave the USA for greener pastures. Diplo’s Arvin Kamberi has more on that in the video below.

13 June: The Swiss Internet Governance Forum 2023 will discuss the use and regulation of AI, especially in the context of education, protecting fundamental rights in the digital age, responsible data management, platform influence, democratic practices, responsible use of new technologies, internet governance; and the impact of digitalisation on geopolitics. Our Director of Digital Policy, Stephanie Borg Psaila, will speak at the session: Digital governance and the multistakeholder approach in 2023.

14 June: The last two GDC thematic deep dives will focus on global digital commons and accelerating progress on the SDGs. The discussion on the global digital commons will explore principles, values, and ideas associated with this approach while considering how the Global Digital Commons (GDC) can enhance the safety, inclusivity, and the global ecosystem of digital public infrastructure and goods. The discussion on accelerating progress on the SDGs will examine the role of digital technology in achieving the SDGs and addressing future challenges, and the potential for generalising principles and approaches based on shared experiences. For more information on the GDC, visit our dedicated web page on the Digital Watch Observatory.

15–16 June: This year’s Digital Assembly will be held under the theme: A digital, open and secure Europe, and has openness, competition, digitalisation and cybersecurity in its focus. The assembly is organised by the European Commission and the Swedish Presidency of the Council of the EU.

19–21 June: The 2023 edition of Europe’s regional internet governance gathering–EuroDIG–will be themed Internet in troubled times: Risks, resilience, hope. The GIP will once again partner with EuroDIG to deliver messages and reports from the conference using DiploGPT. The reports and messages will be available on our dedicated Digital Watch page. 

19 June–14 July: The 53rd session of the Human Rights Council (HRC) will feature a panel discussion on the role of digital, media, and information literacy in the promotion and enjoyment of the right to freedom of opinion and expression. The council will also consider the report on the relationship between human rights and technical standard-setting processes for new and emerging digital technologies and the practical application of the Guiding Principles on Business and Human Rights, as well as the report on Digital innovation, technologies, and the right to health.

For more events, bookmark the Digital Watch Observatory’s calendar of global policy events.

The June issue of the Digital Watch Monthly newsletter is out! 

We asked: who holds the dice in the grand game of addressing AI for the future of humanity? A brief summary of the UN Secretary-General’s policy brief with suggestions on how a Global Digital Compact (GDC) could help advance digital cooperation, May’s barometer of updates, and the leading global digital policy events ahead in June also feature.