Hello, everyone! Almost two weeks ago online platforms, including the
Wikimedia Foundation, released their user numbers for the EU, an obligation
under the DSA. Elsewhere, the Commission is running a consultation on… well… de facto
net neutrality. Meanwhile, the Parliament and Council are starting to think
hard about liability and security of software, including a potential
liability carve-out for free & open software.
=== Digital Services Act ===
The EU’s new content moderation rules have a number of special obligations
- transparency, annual risk assessment, mitigation plans, third-party
audits - for so-called very large online platforms (VLOP). A VLOP is any
platform that averages more than 45 million monthly active recipients
within the EU. Platforms had until 17 February to declare their numbers.
Here is a list of declarations: [1]. So far, 18 self-declared very large
online platforms and search engines. Among them, Wikipedia is the only
not-for-profit.
—
For the Wikimedia Foundation it was of utmost importance to produce
reliable user numbers without gathering additional data. Wikimedia records
only the number of unique devices, not actual users. The “EU DSA Userbase
Statistics” [2] uses the unique devices data and a conservative estimation
taken from the Cisco Annual Internet Reports on how many devices per person
there are. It is important that there is at least one VLOP out there whose
operator is demonstrating how one can comply while protecting fundamental
rights such as privacy. So far, there is no indication that the European
Commission intends to challenge the Foundation’s methodology.
—
The European Commission will soon officially designate VLOPs, after which
platforms will have a further four months to start complying with the
specific obligations, while all the other obligations that aren’t specific
to VLOPs will only apply from 17 February 2024. One of the challenges will
be to find a third-party auditing body that annually checks the risk
assessments and mitigation measures. It would be exciting to see
not-for-profit or community-led initiatives here, instead of the Big
Four [3] professional services firms dominating the field.
=== Cyber Resilience Act ===
The Cyber Resilience Act is a proposed regulation by the European
Commission aiming to introduce baseline cybersecurity requirements for
digital products and services. It includes such obligations as security
tests and security updates for up to five years after a product or even a
piece of software. [4]
—
The European Commission is proposing a carve-out for free & open source
software, which we welcome. However, the carve-out is only in a recital
(which is the “non-active” part of an EU law), instead of in a proper article.
It also restricts the protection to “software developed or supplied outside
the course of a commercial activity”, which most programmers and lawyers we
spoke to believe is a very problematic wording. Many FOSS software projects
are usually developed and maintained by a mix of volunteers, contractors,
businesses or even incidental contributors participating in bug bounty
hunts.
—
Wikimedia is working on addressing the above-mentioned weaknesses and
trying to coordinate with organisations such as the Free Software Foundation
Europe and Open Forum Europe on this. Our current thinking and suggestions
can be seen here: [5]
=== Net Neutrality ===
The European Commission, under the lead of Commissioner Breton, has
launched an “exploratory consultation” (i.e. not a regular consultation) on
what they call “Fair Share”. [6] It is essentially an idea by the French
Commissioner to have network operators charge data-heavy services, such as
streaming platforms. The idea is, of course, not new and has been heavily
discussed in the past under the banner “net neutrality”.
—
While it seems the initiative won’t get the necessary traction to make it
to an actual legislative proposal, we intend to participate in the
consultation. Our thinking and public positioning on the matter can be
found in EN [7] and FR [8].
=== Data Act ===
The Data Act is a regulation proposal that aims to boost data sharing
in-between businesses and between businesses and governments. [9] It also
wants to make it easier to switch between cloud services. As such it
touches upon a myriad of data sharing issues, including the sui generis
database right and data protection.
—
The Council [10] and the Parliament [11] have written and agreed on their
negotiating positions and are expected to start trilogues in the second
half of March, when the parliamentary position is adopted in plenary.
—
Both houses agree with the Commission to de facto abolish the sui generis
database right when it comes to machine-generated data. However, the
European Parliament wording on Article 35 has fewer conditionalities
attached to it, which is why we will reach out to negotiators to voice our
preference for it.
—
Another part of the text we are working on, together with EDRi, is Chapter
V. It gives governments the right to request data from businesses in
emergency situations. This is so vaguely framed that it might not even
survive a legal challenge. The European Parliament added “no personal data”
to the text, which is welcome, but we continue to be worried about the lack of
purpose limitation.
=== EEN ===
A somewhat weird challenge to Wikipedia’s prominence on search engines and
most importantly Google Search came from a group called the European
Encyclopedia Network. [12] In a letter to Danish Commissioner Vestager [13]
they claim that Wikimedia Enterprise is proof that Google is unfairly
upranking Wikipedia. A logic we can’t really follow.
—
Wikimedia Europe and Wikimedia Denmark have jointly written an open letter
to Commissioner Vestager [14] offering collaboration on making
encyclopaedia content more accessible and pointing out some criteria which
we know influence search rankings. We have also written to the EEN offering
to work together, as we believe we have much in common.
===
[1] https://docs.google.com/spreadsheets/d/1H89uABJZCg0BQlUdpDPE0XBpdtXWPGQbwLW…
[2] https://foundation.wikimedia.org/wiki/Legal:EU_DSA_Userbase_Statistics
[3] https://en.wikipedia.org/wiki/Big_Four_accounting_firms
[4] https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act
[5] https://docs.google.com/document/d/1GSO-WpA86vklStTIXpSJrqvppqQTyUfn90Q55EY…
[6] https://digital-strategy.ec.europa.eu/en/consultations/future-electronic-co…
[7] https://wikimedia.brussels/net-neutrality-the-fair-share-debate/
[8] https://www.wikimedia.fr/neutralite-du-net-et-partage-equitable-des-couts-l…
[9] https://en.wikipedia.org/wiki/Data_Act_(European_Union)
[10] https://drive.google.com/file/d/1AtjIhK3dVqqgMyuHEuA0IzCCYoqvicLF/view?usp=…
[11] https://drive.google.com/file/d/1n4HyPr2epR_lOrPjJefU2JuLCF6Yys28/view
[12] https://encyclopedianetwork.eu/
[13] https://encyclopedianetwork.eu/sites/default/files/2023-02/Letter%20to%20th…
[14] https://wikimedia.brussels/wp-content/uploads/2023/02/Open-letter-from-Wiki…
--
Wikimedia Europe ivzw