The European Commission, under its newly elected president Ursula von der Leyen, this morning emitted a sweeping digital strategy for the member states over the next five years. There's a lot to get through, but it focuses on three pillars: digital enablement and protection for individuals (including AI regulation and broadband availability), fair competition, and sustainability.
The proposers of EU-wide law published multiple papers on the issues, which included a proposed new Digital Services Act.
New publications include a white paper on artificial intelligence (PDF) (feedback is requested); a European strategy for data (PDF); and an overall strategy statement (PDF) on shaping Europe's digital future.
Today's announcements are significant in that they should guide new legislation, but that does not mean that forthcoming legislation will achieve the goals described. Many of the aspirations are vague and implementation is difficult.
How are you going to get it done?
The EU's track record on regulating the tech giants that dominate both the internet and IT generally is mixed. Initiatives like Windows N and the Windows browser ballot box, or more recently the Android search provider choice screen are examples of botched solutions whereas the 2016 General Data Protection Regulation (GDPR) regulation has had real impact, though the extent to which it has achieved its goals is limited.
"We must be prepared to act to forcefully defend our democracies," says the strategy document, referring to "attempted manipulations of the information space, often in the form of targeted and coordinated disinformation campaigns".
The EU will publish a "European Democracy Action Plan to improve the resilience of our democratic systems, support media pluralism and address the threats of external intervention in European elections" planned for late 2020.
By 2025, the EU also intends to provide all European households (whether urban or rural) with a minimum 100Mbps broadband and "Gigabit internet connectivity" for schools, hospitals and businesses.
The EU also aspires to use technology to improve the environment, saying: "Digital solutions can advance the circular economy, support the decarbonisation of all sectors and reduce the environmental and social footprint of products placed on the EU market."
Infrastructure issues aside, how does the EU intend to clean up the internet? "Many decisions that strongly affect the lives of citizens and businesses are taken by private gatekeepers, based on their exclusive access to all data generated within their ecosystems," it says.
There are a number of references to "online platforms" (think Facebook, Google, Twitter and so on) and their "roles and responsibilities", with the goal of tackling illegal content and "the sale of illicit, dangerous or counterfeit goods".
Competition: As offline, so online
In the area of competition, the EU states its intention of "ensuring a level playing field for businesses, big and small". The intent of forthcoming measures will be rules that apply offline – including competition rules, consumer protection, intellectual property, taxation and workers' rights – "should also apply online."
There is also the matter of taxation. "In the borderless digital world, a handful of companies with the largest market share get the bulk of the profits on the value that is created in a data-based economy," says the paper. "Those profits are often not taxed where they are generated as a result of outdated corporate tax rules, distorting competition. This is why the Commission will look to address the tax challenges arising from the digitisation of the economy."
It is notable that this statement is diluted from an earlier leaked draft, which insisted that it is unacceptable "that some companies pay their taxes and others do not" and that "companies that want to play in Europe must pay in Europe". An ambition that may be too hard to achieve.
AI, AI, AI
In its paper on AI, the EU is conscious that it is behind. "Investment in research and innovation in Europe is still a fraction of the public and private investment in other regions of the world. Some €3.2 billion were invested in AI in Europe in 2016, compared to around €12.1 billion in North America and €6.5 billion in Asia," it says, adding: "Europe currently is in a weaker position in consumer applications and on online platforms, which results in a competitive disadvantage in data access."
Acknowledging that AI can be used for harm as well as good, the EU plans to review its existing legislative framework because of the specific risks posed – though existing legislation such as GDPR also applies. These risks include lack of transparency in AI algorithms, systems that change their functionality after initial installation and "changes to the concept of safety" because of cyber threats, or what happens to an IoT device if connectivity is lost. The EU is exploring a risk-based approach, where the regulation is heavier if risks are higher. High-risk areas include healthcare, transport, energy, and "parts of the public sector".
New requirements will cover safety, such as "ensuring that AI systems are trained on data sets that are sufficiently broad and cover all relevant scenarios", discrimination such as "reasonable measures aimed at ensuring that such subsequent use of AI systems does not lead to outcomes entailing prohibited discrimination" – such as gender or ethnicity – and "requirements aimed at ensuring that privacy and personal data are adequately protected during the use of AI-enabled products".
There is recognition of the importance of human oversight so that humans are not helpless in the face of "computer says no". For example, "the output of the AI system does not become effective unless it has been previously reviewed and validated by a human (e.g. the rejection of an application for social security benefits may be taken by a human only)."
The controversial topic of facial recognition is addressed. The paper says: "The gathering and use of biometric data for remote identification purposes, for instance through deployment of facial recognition in public places, carries specific risks for fundamental rights," though it also states that existing regulations apply. "In accordance with the current EU data protection rules and the Charter of Fundamental Rights, AI can only be used for remote biometric identification purposes where such use is duly justified, proportionate and subject to adequate safeguards." In its Q&A on the topic, the commission adds that facial recognition is normally prohibited "in principle" unless certain specific conditions are met. "The Commission wants to launch a broad debate on which circumstances might justify exceptions in the future, if any," it says.
How would AI regulations be implemented? The EU is planning a "conformity assessments for high-risk AI applications" similar to mechanisms that exist for other types of goods placed on the EU's internal market.
We want our data back
The EU's paper on data bemoans that "a small number of Big Tech firms hold a large part of the world's data". It does not want to cede the benefits of data analysis (which is also the foundation of AI) to other regions. "The EU should create an attractive policy environment so that, by 2030, the EU's share of the data economy – data stored, processed and put to valuable use in Europe – at least corresponds to its economic weight, not by fiat but by choice," it says.
Plans for data are set out as four pillars. The first is "a cross-sector governance framework for data access and use". An “"enabling legislative framework" is planned for late 2020. Second, it says that between 2021 and 2027 the EU plans to invest in a "High Impact Project on European data spaces and federated cloud infrastructures". Total funding might be €4bn-€6bn, partly from central funds and partly from member states. Does the EU plan to build its own alternative to AWS and Azure? Possibly, though using federation rather than a single centralised entity. "The project will fund infrastructures, data-sharing tools, architectures and governance mechanisms for thriving data-sharing and Artificial Intelligence ecosystems," it says, "based on the European federation (i.e. interconnection) of energy-efficient and trustworthy edge and cloud infrastructures (Infrastructure-as-a-Service, Platform-as-a-Service and Software-as-a-Service services)."
The third pillar is investment in data skills for individuals and SMEs, including "increasing the participation of women", while the fourth is the creation of sector-specific "data spaces", which means cooperation to create "large pools of data" that can be used to power "new services and applications based on data". Sectors include manufacturing, environmental "Green deal" issues, intelligent transport, health, finance, energy, agriculture and public administration.
In a separate personal statement, President von der Leyen states her aim of achieving "tech sovereignty", explaining that "this describes the capability that Europe must have to makes its own choices, based on its own values, respecting its own rules."
What are we to make of this raft of plans and proposals? The European Commission has shown its understanding of the importance of numerous issues, including the risks of depending on tech giants based outside the EU, the business advantages and ethical concerns around AI and facial recognition, and "the dangers of losing control of our data". The ability of the EU to come with workable legislation that makes a difference is less certain, bearing in mind past failures, the commercial and lobbying power of the tech giants whose influence it is trying to lessen, and the challenge of reaching agreement with all member states. The plans for federated cloud infrastructures and cooperative data spaces seem vague and fanciful. The strategy seems to understate the difficulty of simultaneously reaping all the benefits of AI while protecting privacy and preventing discrimination.
That said, the commission's work here is well intentioned and as a bloc the EU does have the economic clout to make a difference. ®