[Publicpolicy] EU Policy Monitoring Report - February 2023

Hello, everyone! Almost two weeks ago online platforms released their user numbers for the EU, including the Wikimedia Foundation, an obligation under the DSA. Else, the Commission is running a consultation on… well… de facto net neutrality. Meanwhile, the Parliament and Council are starting to think hard about liability and security of software, including a potential liability carve-out for free & open software. === Digital Services Act === The EU’s new content moderation rules have a number of special obligations - transparency, annual risk assessment, mitigation plans, third-party audits - for so-called very large online platforms (VLOP). A VLOP is any platform that averages more than 45 million monthly active recipients within the EU. Platforms had until 17 February to declare their numbers. Here is a list of declarations: [1]. So far, 18 self-declared very large online platforms and search engines. Among them, Wikipedia is the only not-for-profit. — For the Wikimedia Foundation it was of utmost importance to produce reliable user numbers without gathering additional data. Wikimedia records only the number of unique devices, not actual users. The “EU DSA Userbase Statistics” [2] uses the unique devices data and a conservative estimation taken from the Cisco Annual Internet Reports on how many devices per person there are. It is important that there is at least one VLOP out there whose operator is demonstrating how one can comply while protecting fundamental rights such as privacy. So far, there is no indication that the European Commission intends to challenge the Foundation’s methodology. — The European Commission will soon officially designate VLOPs, after which platforms will have a further four months to start complying with the specific obligations, while all the other obligations that aren’t specific to VLOPs will only apply from 17 February 2024. One of the challenges will be to find a third-party auditing body that annually checks the risk assessments and mitigation measures. It would be exciting to see not-for-profit or community led initiatives here, instead of the The Big Four [3] professional services firms dominating the field. === Cyber Resilience Act === The Cyber Resilience Act is a proposed regulation by the European Commission aiming to introduce baseline cybersecurity requirements for digital products and services. It includes such obligations as security tests and security updates for up to five years after a product or even a piece of software. [4] — The European Commission is proposing a carve-out for free & open source software, which we welcome. However, the carve-out is only in a recital (which is the “non-active” part of a EU law), instead in a proper article. It also restricts the protection to “software developed or supplied outside the course of a commercial activity”, which most programmers and lawyers we spoke to believe is a very problematic wording. Many FOSS software projects are usually developed and maintained by a mix of volunteers, contractors, businesses or even incidental contributors participating in bug bounty hunts. — Wikimedia is working on addressing the above mentioned weaknesses and trying to coordinate with organisations such a the Free Software Foundation Europe and Open Forum Europe on this. Our current thinking and suggestions can be seen here: [5] === Net Neutrality === The European Commission, under the lead of Commissioner Breton, has launched an “exploratory consultation” (i.e. not a regular consultation) on what they call “Fair Share”. [6] It is essentially an idea by the French Commissioner to have network operators charge data-heavy services, such as streaming platforms. The idea is, of course, not new and has been heavily discussed in the past under the banner “net neutrality”. — While it seems the initiative won’t get the necessary traction to make it to an actual legislative proposal, we intend to participate in the consutlation. Our thinking and public positioning on the matter can be found in EN [7] and FR [8]. === Data Act === The Data Act is a regulation proposal that aims to boost data sharing in-between businesses and between businesses and governments. [9] It also wants to make it easier to switch between cloud services. As such it touches upon a myriad of data sharing issues, including the sui generis database right and data protection. — The Council [10] and the Parliament [11] have written and agreed on their negotiating positions and are expected to start trilogues in the second half of March, when the parliamentary position is adopted in plenary. — Both houses agree with the Commission to de facto abolish the sui generis database right when it comes to machine-generated data. However, the European Parliament wording on Article 35 has fewer conditionalities attached to it, which is why we will reach out to negotiators to voice our preference for it. — Another part of the text we are working on, together with EDRi, is Chapter V. It gives governments the right to request data from businesses in emergency situations. This is so vaguely framed that it might not even survive a legal challenge. The European Parliament added “no personal data” to the text, which is welcome, we continue to be worried about the lack of purpose limitation. === EEN === A somewhat weird challenge to Wikipedia’s prominence on search engines and most importantly Google Search came from a group called the European Encyclopedia Network. [12] In a letter to Danish Commissioner Vestager [13] they claim that Wikimedia Enterprise is proof that Google is unfairly upranking Wikipedia. A logic we can’t really follow. — Wikimedia Europe and Wikimedia Denmark have jointly written an open letter to Commissioner Vestager [14] offering collaboration on making encyclopaedia content more accessible and pointing out some criteria which we know influence search rankings. We have also written to the EEN offering to work together, as we believe we have much in common. === [1] https://docs.google.com/spreadsheets/d/1H89uABJZCg0BQlUdpDPE0XBpdtXWPGQbwLW… [2]https://foundation.wikimedia.org/wiki/Legal:EU_DSA_Userbase_Statistics [3]https://en.wikipedia.org/wiki/Big_Four_accounting_firms [4]https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act [5] https://docs.google.com/document/d/1GSO-WpA86vklStTIXpSJrqvppqQTyUfn90Q55EY… [6] https://digital-strategy.ec.europa.eu/en/consultations/future-electronic-co… [7]https://wikimedia.brussels/net-neutrality-the-fair-share-debate/ [8] https://www.wikimedia.fr/neutralite-du-net-et-partage-equitable-des-couts-l… [9]https://en.wikipedia.org/wiki/Data_Act_(European_Union) [10] https://drive.google.com/file/d/1AtjIhK3dVqqgMyuHEuA0IzCCYoqvicLF/view?usp=… [11]https://drive.google.com/file/d/1n4HyPr2epR_lOrPjJefU2JuLCF6Yys28/view [12]https://encyclopedianetwork.eu/ [13] https://encyclopedianetwork.eu/sites/default/files/2023-02/Letter%20to%20th… [14] https://wikimedia.brussels/wp-content/uploads/2023/02/Open-letter-from-Wiki… -- Wikimedia Europe ivzw