👓February 2025's European Digital Policy Roundup

Hi there ☕

Welcome to your complimentary edition of La tech est politique, highlighting the significant developments in European tech policy for February 2025.

We will examine:

• The Competitiveness Compass and the European Commission's 2025 work programme;

• Personal data protection concerns amidst AI development initiatives;

• On the cyber front: submarine cables and EU-level incident response coordination;

• Competition matters, focusing on the investigations into Apple and Google;

• On AI: the first AI Act obligations in force, the anticipated abandonment of the AI Liability Directive, and the challenging journey towards establishing the GPAI code of good practices.

Reading time: 10 minutes (1,442 words)

What Happened in February?

A dense month filled with announcements, surprising developments and even some delays. Here's our curated selection of key highlights:

The Commission's Strategic Vision Takes Shape

The Competitiveness Compass is the strategic roadmap that Commission President Ursula von der Leyen announced in late January 2025. It seeks to strengthen Europe's technological autonomy while driving growth for innovative businesses—a delicate balancing act. The Compass marks a significant leap for tech entrepreneurs, notably through administrative simplification measures designed to reduce bureaucratic hurdles (you've heard it as "cutting red tape").

The Commission also published its work programme for 2025 in quick succession. This programme implements the commitments von der Leyen in support of her second mandate (the political guidelines), the priorities from the Commissioners' missions, and the direction of the rotating Presidency. This programme also 'plans out' the ambitions of the Competitiveness Compass. Furthermore, it establishes the future of carried-over projects from the previous mandate. You can review my illustrated summary of these announcements for a more comprehensive understanding.

Personal Data in the Spotlight

In its work programme, the Commission has confirmed the end of the e-Privacy Regulation proposal. This regulation addresses the confidentiality of electronic communications and was intended to replace the eponymous Directive that has been woefully outdated for quite some time. The regulation text was presented in 2017 but has remained stalled in trilogue negotiations since 2021.

The EDPB has released its position on GDPR-compliant approaches to online age verification systems. The EDPB elaborates on the limitations of what can be done with data collected through such systems (respecting fundamental freedoms, prohibition of use for commercial targeting, transparency on purposes) and recommends conducting a systematic DPIA (Data Protection Impact Assessment, cf. Article 35 GDPR) before implementing any online age verification system.

Tensions between AI and personal data protection are multiplying, raising fascinating questions. In late January, the Garante (the Italian data protection authority) had already announced the blocking of DeepSeek after a complaint by a consumer protection association. The same approach has been initiated with regulators in Belgium, Greece, Portugal, Spain, and Germany; whilst the Croatian and Irish data protection authorities have requested information from DeepSeek. In the Netherlands, Luxembourg, Cyprus, and Poland, citizens have been issued warnings. Given this level of mobilisation, coordinated European action seems imminent.

💎La tech est politique closely monitors the interactions between the two major regulatory frameworks (AI Act and GDPR). We have also included a dedicated section in our training course, "Mastering the AI Act".

In a CJEU ruling on the transparency of algorithmic decision-making (in the case of automated credit assessment), the decision states that it is the responsibility of the data controller to "concretely describe the procedure and principles applied in such a way that the data subject can understand which of their personal data were used and how during the automated decision-making process".

Submarine Cables and Incident Response

Earlier this month at the Council, Member State representatives urged the Commission to develop a dedicated plan to protect submarine cables. The Commission and the High Representative for Foreign Affairs have presented a communication on the subject, outlining an upcoming concrete and dedicated strategy.

The Commission has updated its cyber incident response master plan, the 2017 Cyber Blueprint. It aims to collaborate more closely with NATO to protect critical infrastructure, recognising that coordinated international efforts are vital for effective cybersecurity in interconnected systems that span many jurisdictions.

Competition Corner

The German Competition Authority is concerned about Apple's ATTF (App Tracking Transparency Framework). This system collects consent from individuals when their personal data is processed for advertising purposes by Apple. The Authority highlights that developers of applications on the iOS App Store must obtain additional consent from users before accessing specific data for advertising purposes. Yet, Apple does not apply these exact requirements to itself. This suggests potential abuse of dominant position by the Apple brand, creating an uneven playing field that disadvantages third-party developers.

Still in the realm of abuse of dominant position, we have the successful case brought by the Italian Competition Authority against Google. This case pertains to Google's refusal to allow interoperability of a third-party application (in this instance, Enel) to provide services related to electric vehicle charging via the Android Auto digital platform. The CJEU has explained that Android Auto, an operating system for cars, must ensure interoperability with an application from a non-dominant player, even if the platform is not essential for the commercial operation of the application. This ruling reinforces that dominant platforms cannot arbitrarily exclude competitors from ecosystem integration.

AI Everywhere

I won't recap the AI Summit, as you've already heard enough about it 😅

One of the major topics this month concerns the AI Liability Directive. Vocally advocated by MEP Axel Voss, this Directive seeks to establish a framework that allows consumers to pursue compensation for harm suffered while using products that incorporate AI systems. In its work programme, the Commission announced its decision to halt progress on this text, which has been pending since 2022 due to the development of the AI Act. Since then, MEPs in the IMCO committee (Internal Market) have been divided between "let's drop it" (the MEPs on the right side of the chamber) and "no, we should uphold it" (the MEPs on the left). The Commission must justify its decision by June.

Another major deadline arrived in early February: The first AI Act obligations (on prohibited models and AI literacy) started to apply. The Commission was apparently caught off guard, as it published its guidelines four days late. As with this type of document, these guidelines are not binding but aim to help providers, institutions, and other ecosystem actors implement the AI Act more effectively. The document provides criteria to determine whether a system can be considered AI under the AI Act.

The code of practices for general purpose AI (GPAI) continues to face headwinds. This author has been discussing this with you every month, in varying detail. After all, it's a document created by multiple stakeholders—one of many counterexamples to the refrain that the EU develops regulations in isolation, which Big Tech companies criticise as inefficient because they oppose the rules... (big sigh). The Code was to be published in its third version during the week of 17 February. Yet, the timeline on the Commission's website has been revised to state "in March". This pushes back the deadlines: the Code would be finalised in May instead of April 2025. Yet, the AI Act asks that this Code be ready by 2 May 2025, creating a timeline crunch that could impact implementation quality.

💎Unlock Premium Insights: Stay Ahead in EU Tech Policy

💎Premium subscribers to La tech est politique have received, among other things:

• An analysis of European strategic directions on digital matters, featuring an in-depth examination of the contributions made by the Competitiveness Compass.

• A thorough examination of the Commission's programme for 2025, emphasising blind spots and investment announcements;

• An analysis of the Commission's e-commerce measures and the significance of the AI Act requirements applicable since 2 February.

• A Resilience Guide with the necessary elements for building a backup strategy that stands the test of time.

🎁You're reading the free edition, but don't worry: you can subscribe and receive all analyses for an entire year 👇

👉 Free subscribers receive a concise monthly summary (like this one) and cannot access the premium💎 resources (analyses, themed features, legislators' agenda, etc.).

🙏 Thank you for reading this edition of La tech est politique!

If you have any comments or questions about this edition, please feel free to get in touch.

🌞 If you enjoyed this edition, please share it with your colleagues. Let's help spread a solid understanding of Digital Europe and what it means for innovation.

See you in a month!

💌 Questions, comments or secrets to share? Contact me: [email protected]