European Surveillance Archives - Center for Democracy and Technology
https://cdt.org/area-of-focus/government-surveillance/european-surveillance/
Wed, 07 May 2025 07:30:37 +0000

EU Tech Policy Brief: May 2025
https://cdt.org/insights/eu-tech-policy-brief-may-2025/
Wed, 07 May 2025 00:01:11 +0000

Welcome back to the Centre for Democracy & Technology Europe’s Tech Policy Brief! This edition covers the most pressing technology and internet policy issues under debate in Europe and gives CDT’s perspective on the impact to digital rights. To sign up for CDT Europe’s AI newsletter, please visit our website. Do not hesitate to contact our team in Brussels.

👁 Security, Surveillance & Human Rights

Building Global Spyware Standards with the Pall Mall Process

As international attention focuses on misuses of commercial spyware, the Pall Mall Process continues to gather momentum. This joint initiative, led by France and the United Kingdom, seeks to establish international guiding principles for the development, sale, and use of commercial cyber intrusion capabilities (CCICs). 

At the Process’s second conference in Paris earlier this month, Programme Director Silvia Lorenzo Perez joined global stakeholders as the process concluded with the adoption of a Pall Mall Code of Practice for States. The Code has been endorsed by 25 countries to date, including 18 EU Member States. It sets out commitments for state action regarding the development, facilitation, acquisition, and deployment of CCICs. It also outlines good practices and regulatory recommendations to promote responsible state conduct in the use of CCICs. 

Pall Mall Process annual event in Paris.

CDT Europe will soon publish a comprehensive assessment of the official document to provide deeper insights into its implications. In parallel, and as part of our ongoing work to advance spyware regulation within the EU, CDT Europe is leading preparation of the sixth edition of the civil society roundtable series, “Lifting the Veil – Advancing Spyware Regulation in the EU,” on 13 May. Stakeholders will discuss what meaningful action should look like in the EU, following the political commitments made by the Member States that endorsed the Pall Mall Code of Practice.

CSOs Urge Swedish Parliament to Reject Legislation Undermining Encryption

CDT Europe joined a coalition of civil society organisations, including members of the Global Encryption Coalition, in an open letter urging the Swedish Parliament to reject proposed legislation that would weaken encryption. This legislation, if enacted, would greatly undermine the security and privacy of Swedish citizens, companies, and institutions. Despite its intention to combat serious crime, the legislation’s dangerous approach would instead create vulnerabilities that criminals and other malicious actors could readily exploit. Compromising encryption would leave Sweden’s citizens and institutions less safe than before. The proposed legislation would particularly harm those who rely on encryption the most, including journalists, activists, survivors of domestic violence, and marginalised communities. Human rights organisations have consistently highlighted encryption’s critical role in safeguarding privacy and free expression. Additionally, weakening encryption would also pose a national security threat, as even the Swedish Armed Forces rely on encrypted tools like Signal for secure communication. 

Recommended read: Ofcom, Global Titles and Mobile Network Security, Measures to Address Misuse of Global Titles

💬 Online Expression & Civic Space

DSA Civil Society Coordination Group Meets with the ODS Bodies Network

Earlier this month, the DSA Civil Society Coordination Group met with the Out-of-Court Dispute Settlement (ODS) Bodies Network for the first time to explore ways to collaborate. Under Article 21 of the Digital Services Act (DSA), ODS Bodies are to provide independent resolution of disputes between users and online platforms. As these bodies start forming and seeking certification, their role in helping users access redress and offering insights into platform compliance is becoming more important.

The meeting introduced the ODS Network’s mission: to encourage cooperation among certified bodies, promote best practices for data-sharing, and engage with platforms and regulators. Civil society organisations, which often support users who have faced harms on platforms, discussed how they could help identify cases that could be referred to ODS Bodies. In return, records from ODS Bodies could become a valuable resource for tracking systemic risks and holding platforms accountable under the DSA.

The discussion further focused on how to raise user awareness of redress options, make ODS procedures more accessible, and strengthen data reporting practices. Participants also outlined next steps for working more closely together, particularly around identifying the types of data that could best support civil society’s efforts to monitor risks and support enforcement actions by the European Commission.

Asha Allen Joins Euphoria Podcast to Discuss Civil Society in the EU

Civil society is under pressure, and now more than ever, solidarity and resilience are vital. These are the resounding conclusions of the latest episode of the podcast Euphoria, featuring CDT Europe’s Secretary General Asha Allen. Asha joined Arianna and Federico from EU&U to unpack the current state of human rights and the growing threats faced by civil society in Europe and beyond. With key EU legislation like the AI Act and Digital Services Act becoming increasingly politicised, they explored how to defend democracy, safeguard fundamental rights, and shape a digital future that truly serves its citizens. Listen now to discover how cross-movement collaboration and rights-based tech policy can help counter rising authoritarianism.

CDT Europe Secretary General Asha Allen speaking with podcasters Federico Terreni and Arianna Labasin from EU&U at the Euphoria Podcast recording.

Recommended read: FEPs, Silenced, censored, resisting: feminist struggles in the digital age

⚖ Equity and Data

EU AI Act Explainer — AI at Work

In the fourth part of our series on the AI Act and its implications for human rights, we examine the deployment of AI systems in the workplace and the AI Act’s specific obligations aimed at ensuring the protection of workers. In particular, we assess which of the prohibited AI practices could become relevant for the workplace and where potential loopholes and gaps lie. We also focus on the obligations of providers and deployers of high-risk AI systems, which could increase protection of workers from harms caused by automated monitoring and decision-making systems. Finally, we examine to what extent the remedies and enforcement mechanisms foreseen by the AI Act can be a useful tool for workers and their representatives to claim their rights. Overall, we find that the AI Act’s approach to allow more favourable legislation in the employment sector to apply is a positive step. Nevertheless, the regulation itself has only limited potential to protect workers’ rights.

CSOs Express Concern with Withdrawal of AI Liability Directive

CDT Europe joined a coalition of civil society organisations in sending an open letter to European Commission Executive Vice-President Virkkunen and Commissioner McGrath, expressing deep concern over the Commission’s recent decision to withdraw the proposed Artificial Intelligence Liability Directive (AILD) and stressing the urgent need to immediately begin preparatory work on a new, robust liability framework. We argued that the proposal is necessary because individuals seeking compensation for AI-induced harm will need to prove that damage was caused by a faulty AI system, which would be an insurmountable burden without a liability framework. 

Programme Director Laura Lazaro Cabrera also participated in a working lunch hosted by The Nine to discuss the latest trends and developments in AI policy following the Paris AI Summit. Among other aspects, Laura tackled the deregulatory approach taken by the European Commission, the importance of countering industry narratives, and the fundamental rights concerns underlying some of the key features of the AI Act.

Equity and Data Programme Director Laura Lazaro Cabrera speaking on a panel at the “Post-Paris AI Summit: Key Trends and Policies” event hosted by The Nine.

Recommended read: Tech Policy Press, Human Rights are Universal, Not Optional: Don’t Undermine the EU AI Act with a Faulty Code of Practice

🆕 New Team Member!

Marcel Mir Teijeiro, AI Policy Fellow in CDT Europe's Equity and Data programme.

CDT Europe’s team keeps growing! At the beginning of April, we welcomed Marcel Mir Teijeiro as the Equity and Data programme’s new AI Policy Fellow. He’ll work on the implementation of the AI Act and CDT Europe’s advocacy to protect the right to effective remedy for AI-induced harms. Previously, Marcel participated in the Code of Practice multistakeholder process for General-Purpose AI Models, advising rights-holder groups across the cultural and creative industries on transparency and intellectual property aspects. A Spanish-qualified lawyer, he also helped develop a hash-based technical solution for training dataset disclosure shared with the AI Office, U.S. National Institute for Standards and Technology, and the UK AI Safety Institute. We are excited to have him on board, and look forward to working with him!

⏫ Upcoming Events

Tech Policy in 2025: Where Does Europe Stand?: On May 15, CDT Europe and Tech Policy Press are co-hosting an evening of drinks and informal discussion, “Tech Policy in 2025: Where Does Europe Stand?”. It will be an opportunity to connect with fellow tech policy enthusiasts, share ideas, and figure out what the future holds for tech regulation in Europe. The event is currently sold out, but you can still join the waitlist in case some spots open up! 

Lifting the Veil – Advancing Spyware Regulation in the EU: CDT Europe, together with the Open Government Partnership, is hosting the sixth edition of the Civil Society Roundtable Series: “Lifting the Veil – Advancing Spyware Regulation in the EU.” The roundtable will gather representatives from EU Member States, EU institutions, and international bodies alongside civil society organisations, technologists, legal scholars, and human rights defenders for an in-depth exchange on the future of spyware regulation. Participation is by invitation only, so if you think you can contribute to the conversation, feel free to reach out at eu@cdt.org.

CPDP.ai 2025: From 21 to 23 May, CDT Europe will participate in the CPDP.ai 18th International Conference. Each year, CPDP gathers academics, lawyers, practitioners, policymakers, industry, and civil society from all over the world in Brussels, offering them an arena to exchange ideas and discuss the latest emerging issues and trends. This year, CDT Europe will be hosting two workshops on AI and spyware, in addition to our Secretary General Asha Allen speaking on a panel on the intersection of the DSA and online gender-based violence. You can still register to attend the conference.

Broad Coalition Urges Sweden To Reject Draft Legislation Undermining Encryption
https://cdt.org/insights/broad-coalition-urges-sweden-to-reject-draft-legislation-undermining-encryption/
Tue, 08 Apr 2025 07:50:55 +0000

CDT Europe and 236 civil society organisations, companies, and cybersecurity experts, including members of the Global Encryption Coalition, hailing from 50 countries, are calling on the Swedish Parliament to reject proposed legislation that would undermine encryption, putting Swedish citizens, businesses, and institutions at greater risk. Though intended to combat crime, it would instead introduce vulnerabilities that cybercriminals and hostile actors could exploit, making Sweden less secure.

The legislation would require companies to store and provide law enforcement access to encrypted communications, effectively forcing them to create an encryption backdoor. Security experts, including the Swedish Armed Forces, warn that such backdoors weaken overall security, making private data vulnerable to cyberattacks and espionage. If passed, the law could lead encrypted service providers to reconsider their presence in the Swedish market rather than compromise user security.

This move would particularly endanger those who rely on encryption the most: journalists, activists, survivors of domestic violence, and marginalised communities. International human rights bodies have affirmed the essential role of encryption in protecting privacy and free expression. Moreover, weakening encryption would also threaten national security, with even the Swedish Armed Forces endorsing encrypted tools like Signal for the non-classified communications of national security professionals.

Sweden should prioritise modern, targeted investigative techniques that uphold digital security and encryption for all users, rather than approaches that risk undermining these protections. We urge the Parliament to reject this dangerous legislation and protect Sweden’s security, privacy, and digital future.

Read the full letter.

EU Tech Policy Brief: April 2025
https://cdt.org/insights/eu-tech-policy-brief-april-2025/
Tue, 01 Apr 2025 21:26:17 +0000

Welcome back to the Centre for Democracy & Technology Europe’s Tech Policy Brief! This edition covers the most pressing technology and internet policy issues under debate in Europe and gives CDT’s perspective on the impact to digital rights. To sign up for CDT Europe’s AI newsletter, please visit our website. Do not hesitate to contact our team in Brussels.

👁 Security, Surveillance & Human Rights

Citizen Lab Unveils Surveillance Abuses in Europe and Beyond

The recent Citizen Lab report regarding deployment of Paragon spyware in EU Member States, particularly Italy and allegedly in Cyprus and Denmark, highlights a concerning trend of surveillance targeting journalists, government opponents, and human rights defenders. Invasive monitoring of journalist Francesco Cancellato, members of the NGO Mediterranea Saving Humans, and human rights activist Yambio raises serious concerns about press freedom, fundamental rights, and the broader implications for democracy and rule of law in the EU.

The Italian government’s denial that it authorised surveillance, despite reports indicating otherwise, points to a lack of transparency and accountability. Reportedly, the Undersecretary to the Presidency of the Council of Ministers admitted that Italian intelligence services used Paragon spyware against Mediterranean activists, citing national security justifications. This admission highlights the urgent need for transparent oversight mechanisms and robust legal frameworks to prevent misuse of surveillance technologies.

Graphic for Citizen Lab report, which reads, "Virtue or Vice? A First Look at Paragon's Proliferating Spyware Options". Graphic has a yellow background, and a grayscale hand reaching through great message bubbles.

Lack of decisive action at the European level in response to these findings is alarming. Efforts to initiate a plenary debate within the European Parliament have stalled due to insufficient political support, reflecting a broader pattern of inaction that threatens civic space and fundamental rights across the EU. This inertia is particularly concerning given parallel developments in France, Germany, and Austria, where legislative measures are being considered to legalise use of surveillance technologies. In light of the European Parliament’s PEGA Committee findings on Pegasus and equivalent spyware, it is imperative that EU institutions and Member States establish clear, rights-respecting policies governing the use of surveillance tools. Normalisation of intrusive surveillance without adequate safeguards poses a direct challenge to democratic principles and the protection of human rights within the EU.

Recommended read: Amnesty International, Serbia: Technical Briefing: Journalists targeted with Pegasus spyware

💬 Online Expression & Civic Space

DSA Civil Society Coordination Group Publishes Analysis on DSA Risk Assessment Reports

Key elements of the Digital Services Act’s (DSA) due diligence obligations for Very Large Online Platforms and Search Engines (VLOPs/VLOSEs) are the provisions on risk assessment and mitigation. Last November, VLOPs and VLOSEs published their first risk assessment reports, which the DSA Civil Society Coordination Group, convened and coordinated by CDT Europe, took the opportunity to jointly assess. We identified both promising practices to adopt and critical gaps to address in order to improve future iterations of these reports and ensure meaningful DSA compliance.

Our analysis zooms in on key topics like online protection of minors, media pluralism, electoral integrity, and online gender-based violence. Importantly, we found that platforms have overwhelmingly focused on identifying and mitigating user-generated risks, as a result focusing less on risks stemming from the design of their services. In addition, platforms do not provide sufficient metrics and data to assess the effectiveness of the mitigation measures they employ. In our analysis, we describe what data and metrics future reports could reasonably include to achieve more meaningful transparency. 

Graphic with a blue background, with logo for the DSA Civil Society Coordination Group featuring members' logos. In black text, graphic reads, "Initial Analysis on the First Round of Risk Assessments Reports under the EU Digital Services Act".

CDT Europe’s David Klotsonis, lead author of the analysis, commented, “As the first attempt at DSA Risk Assessments, we didn’t expect perfection — but we did expect substance. Instead, these reports fall short as transparency tools, offering little new data on mitigation effectiveness or meaningful engagement with experts and affected communities. This is a chance for platforms to prove they take user safety seriously. To meet the DSA’s promise, they must provide real transparency and make civil society a key part of the risk assessment process. We are committed to providing constructive feedback and to fostering an ongoing dialogue.”

Recommended read: Tech Policy Press, A New Framework for Understanding Algorithmic Feeds and How to Fix Them 

⚖ Equity and Data

Code of Practice on General-Purpose AI Final Draft Falls Short

Following CDT Europe’s initial reaction to the release of the third Draft Code of Practice on General-Purpose AI (GPAI), we published a full analysis highlighting key concerns. One major issue is the Code’s narrow interpretation of the AI Act, which excludes fundamental rights risks from the list of selected risks that GPAI model providers must assess. Instead, assessing these risks is left as an option, and is only required if such risks are created by a model’s high-impact capabilities.

This approach stands in contrast to the growing international consensus, including the 2025 International AI Safety Report, which acknowledges the fundamental rights risks posed by GPAI. The Code also argues that existing legislation can better address these risks, but we push back on this claim. Laws like the General Data Protection Regulation, the Digital Services Act, and the Digital Markets Act lack the necessary tools to fully tackle these challenges.

Moreover, by making it optional to assess fundamental rights risks, the Code weakens some of its more promising provisions, such as requirements for external risk assessments and clear definitions of unacceptable risk tiers. 

In response to these concerns, we joined a coalition of civil society organisations in calling for a revised draft that explicitly includes fundamental rights risks in its risk taxonomy.

Global AI Standards Hub Summit 

At the inaugural global AI Standards Hub Summit, co-organised by the Alan Turing Institute, CDT Europe’s Laura Lazaro Cabrera spoke at a session exploring the role of fundamental rights in the development of international AI standards. Laura highlighted the importance of integrating sociotechnical expertise and meaningfully involving civil society actors to strengthen AI standards from a fundamental rights perspective. Laura emphasised the need to create dedicated spaces for civil society to participate in standards processes, tailored to the diversity of their contributions and resource limitations.  

Image featuring Programme Director for Equity and Data Laura Lazaro Cabrera speaking at a panel with three other panelists on the role of fundamental rights in standardisation, at the Global AI Standard Hub Summit

Recommended read: Tech Policy Press, Human Rights are Universal, Not Optional: Don’t Undermine the EU AI Act with a Faulty Code of Practice

🆕 Job Opportunities in Brussels: Join Our EU Team

We’re looking for two motivated individuals to join our Brussels office and support our mission to promote human rights in the digital age. 

The Operations & Finance Officer will play a key role in keeping our EU office running smoothly—managing budgets, coordinating logistics, and ensuring strong operational foundations for our advocacy work. 

We’re also seeking an EU Advocacy Intern to support our policy and advocacy efforts, with hands-on experience in research, event planning, and stakeholder engagement. 

Apply before 23 April 2025 by sending your cover letter and CV to hr@cdt.org. For more information, visit our website.

⏫ Upcoming Event

Pall Mall Process Conference: On 3 and 4 April, our Director for Security and Surveillance Silvia Lorenzo Perez will participate in the annual Pall Mall Process Conference in Paris. 

Secrets, Secrets Are No Fun: the United Kingdom’s Secret War on Encryption
https://cdt.org/insights/secrets-secrets-are-no-fun-the-united-kingdoms-secret-war-on-encryption/
Wed, 19 Mar 2025 17:10:59 +0000

Late last week, a secret tribunal in the U.K. reportedly held a secret hearing on an appeal by U.S. tech giant, Apple, of a secret order Apple reportedly received from the U.K. to compromise its users’ privacy and cybersecurity worldwide.

The British government is attacking encryption, and the casualties could include the privacy and cybersecurity of millions worldwide. The U.S. should demand that the U.K. withdraw its order, or else terminate the U.K.’s unique access to the troves of user data it obtains from U.S. tech companies.

The U.K. Ambushes Encryption

Recent reports suggest that the British Home Office has secretly issued a Technical Capability Notice (TCN) to Apple under the Investigatory Powers Act (IPA) of 2016, commonly known as the “Snoopers’ Charter,” compelling the company to introduce a backdoor into its end-to-end encrypted cloud storage service, “Advanced Data Protection” (ADP). The Snoopers’ Charter, which has long concerned CDT, prohibits the recipient of a TCN from disclosing the existence or contents of the notice to anyone without the permission of the Secretary of State, so Apple can neither confirm nor deny the existence of the demand.

Assuming the reports are true, such backdoor access would allow British officials to require Apple to provide in decrypted form content that any user — not only in the U.K., but worldwide — has uploaded to the cloud using ADP. This type of order has no known precedent in major democracies — for good reason. 

Introducing backdoors into end-to-end encryption means introducing systemic security flaws, as the U.K. knows. Across the world, cybersecurity experts agree that there is no way to provide government access to end-to-end encrypted data without breaking end-to-end encryption. News of the U.K. order to Apple sparked global alarm. Backdoors into encryption jeopardize all users’ privacy and cybersecurity because criminals specifically look to exploit these vulnerabilities. Nevertheless, the U.K. has decided to ambush encryption with its notice. As President Trump put it: “That’s something, you know, you hear about with China.”

In the case of Apple, the world’s second largest provider of mobile devices, introducing backdoor access into its encrypted cloud service would mean putting millions of users at risk. To make matters worse, the most harmful impact would fall on those who rely on encryption because they are already most vulnerable, including domestic violence survivors, LGBTQ+ persons, and others. These risks must not be tolerated.

Apple Fights Back in the Shadows

Rather than capitulate to the U.K.’s demand, Apple made the principled decision to cease offering ADP in Great Britain, and it has reportedly appealed the notice to the Investigatory Powers Tribunal, which has the authority to review complaints against U.K. intelligence services. British law requires Apple to comply with the notice even while its appeal is pending. As a result, British authorities may insist that Apple build a backdoor to ADP even though it does not offer ADP in the U.K. Apple may challenge such a fully extraterritorial mandate as disproportionate under applicable law. 

To make matters worse — again — the entire review process is also shrouded in secrecy. Similar to how the recipient of a TCN is prohibited from disclosing the existence or contents of the notice, the Investigatory Powers Tribunal proceedings can be kept secret. This means the U.K. Home Office can place Apple, or any other service provider, under a strict gag order when it issues a TCN. The chilling result: the public does not know if other encrypted services have received such notices and, if so, which of them complied with those notices, putting user data at risk. 

This blatant lack of transparency severely inhibits public discourse, making it impossible for stakeholders — including cybersecurity experts, civil rights organizations, and the general public — to understand the full implications and challenge the U.K.’s policy. Apple may or may not be the first recipient of a notice that requires undermining encryption, but it’s unlikely to be the last. In any case, policies that affect millions of users and global cybersecurity ought not be fought out in the shadows. 

Another CLOUD Looms in the U.S.

Despite the U.K. Home Office issuing the TCN under its own domestic law, the U.S. is not without means to respond. The US-UK CLOUD Act Agreement (Agreement) entered into effect under the authority of the U.S. CLOUD Act and gives the U.S. substantial leverage over the U.K. in surveillance matters. 

The CLOUD Act allows U.S. providers to disclose user data directly to foreign states under the laws of those foreign states, with certain conditions. Those conditions include limiting disclosures to cases involving serious crimes, preventing disclosure of information of Americans or anyone physically located in the U.S., and most importantly, requiring that the U.S. has entered an executive agreement with the requesting state that certifies the state’s laws and practices meet certain human rights standards. Countries with CLOUD Act agreements with the U.S. can bypass the cumbersome process under mutual legal assistance treaties (MLATs), as well as the probable cause requirement for compelled disclosure of communications content that applies in the MLAT context, and most importantly for the U.K., can engage in real time wiretapping of the users of U.S. tech companies, which MLAT processes and U.S. law do not otherwise permit. All CLOUD Act agreements are reciprocal, so the U.S. should enjoy the same benefits as partner states. 

So far, the U.S. has entered into only two CLOUD Act agreements: one with Australia, and one with the U.K., which entered into force on October 3, 2022. So what can be done?

Light Through the CLOUD

The CLOUD Act, and the US-UK CLOUD Act Agreement, present a significant opportunity for the U.S. to meaningfully pressure the U.K. to withdraw its demand to Apple. By law, the US-UK CLOUD Act Agreement expires after five years unless renewed, which means the Agreement will expire in October 2027 unless renewed. 

The U.S. Department of Justice quietly recertified the US-UK CLOUD Act Agreement in November 2024, around the Thanksgiving congressional recess. The recertification report sent to Congress, which is required by the Act, provides several key insights about the U.K.’s conduct under the Agreement, not least that the U.K. issued more than 20,000 requests to U.S. service providers — almost all of which included wiretapping surveillance — while the U.S. issued a mere 63 to British providers. This dramatic imbalance owes to the geographic concentration of major service providers in the U.S., but it also demonstrates the overwhelming importance of the Agreement to the U.K. and its relative lack of importance to the U.S., and provides a powerful lever for the U.S. to wield. After all, the Trump Administration could, under the terms of the Agreement, unilaterally terminate it without cause and with only 30 days’ notice.

The recertification report subtly hints that the DOJ knew about the TCN issued to Apple, or other attacks on encryption in the U.K. The report states that although new laws in the U.K., such as the Investigatory Powers (Amendment) Act of 2024 that expanded surveillance authority under the IPA, did not violate the requirements of the CLOUD Act (per the DOJ), the DOJ had nonetheless “taken the opportunity […] to remind the U.K. of the statute’s requirement that the terms of the Agreement shall not create any obligation that providers be capable of decrypting data or limitation that prevents providers from decrypting data.” At a minimum, the DOJ should also have “taken the opportunity” to warn Congress that the U.K. was preparing to use newly acquired powers under British law to undermine the security of Americans’ encrypted data and those of people around the world.

The U.S. Seeks Answers

Congress has, in fact, taken steps to leverage the CLOUD Act and the US-UK CLOUD Act Agreement to seek answers from top U.S. and U.K. officials. In a letter to the Director of National Intelligence (DNI), Tulsi Gabbard, Senator Ron Wyden (D-OR) and Representative Andy Biggs (R-AZ) urged the U.S. to “[give] the U.K. an ultimatum: back down from this dangerous attack on U.S. cybersecurity, or face serious consequences.” The letter also asked DNI Gabbard to provide Congress with unclassified answers to critical questions, like whether the Trump Administration had any awareness of the TCN.

In her response, DNI Gabbard expressed that she shared a “grave concern about the serious implications of the United Kingdom, or any foreign country, requiring Apple or any company to create a ‘backdoor’ that would allow access to Americans personal encrypted data.” She further noted that such a TCN would be a “clear and egregious violation of Americans’ privacy and civil liberties, and open up a serious vulnerability for cyber exploitation by adversarial actors,” while committing to using her office to investigate the matter further. 

Most recently, a bipartisan group of members of Congress also urged the IPT to open its hearing to the public, and former Secretary of Homeland Security Michael Chertoff said the U.K. should reconsider its move to break encryption.

These actions are the appropriate first steps, but the DOJ should also weigh in and urge the U.K. to reverse course, and Congress should modify the CLOUD Act itself to preclude agreements with states whose laws authorize orders to compel decryption by providers of end-to-end encrypted services. Such providers cannot decrypt data or communications without introducing serious security vulnerabilities and, as Apple was here, could effectively be compelled to cease the offer of such service, to the detriment of cybersecurity in the U.S. and abroad. In the meantime, if the U.K. refuses to withdraw the order, the U.S. should terminate the Agreement. 

***

The U.K.’s secret war on encryption threatens global cybersecurity and sets a dangerous precedent for government overreach. With secret orders, secret appeals, and secret hearings, the U.K. is undermining public trust and digital safety from the shadows. The U.S. must continue to demand transparency and accountability. If the U.K. refuses to back down, Congress and the Trump administration should take decisive action to protect the security of Americans’ data. Encryption is not just a policy debate—it is a fundamental pillar of people’s privacy and security, and it must be protected.

What the PCLOB Firings Mean for the EU-US Data Privacy Framework https://cdt.org/insights/what-the-pclob-firings-mean-for-the-eu-us-data-privacy-framework/ Fri, 14 Feb 2025 08:52:06 +0000

On 27 January, the Trump Administration dismissed three Democratic members of the Privacy and Civil Liberties Oversight Board (PCLOB), an independent body responsible for ensuring transparency and accountability in U.S. surveillance practices. With the removal of these members, including the Chair, PCLOB has lost its quorum, leaving it unable to function effectively, as only one member remains. It is unclear when replacements will be appointed, but based on past instances, the process is likely to take a long time, leaving the agency non-operational in the meantime.

As a transatlantic civil society organisation advocating for the respect of human rights in tech policy, the Centre for Democracy and Technology (CDT) is deeply concerned by these developments. CDT US has extensively analysed the implications of these dismissals for U.S. surveillance practices, while CDT Europe has raised concerns about the impact of a non-operational PCLOB on the implementation of the EU-U.S. Data Privacy Framework (DPF).

To support EU policymakers, we have prepared this brief in order to provide a clear overview of how these developments affect the implementation of the DPF and outline necessary steps to safeguard fundamental rights. 

1. What role does the PCLOB play under the DPF?

The European Commission’s 2023 adequacy decision places significant importance on the role of the PCLOB in ensuring that U.S. intelligence practices align with EU data protection standards under the DPF. In its adequacy decision, the Commission defines the PCLOB as follows: an independent agency within the executive branch composed of a bipartisan, five-member Board appointed by the President for a fixed six-year term with Senate approval. According to its founding statute, the PCLOB is entrusted with responsibilities in the field of counterterrorism policies and their implementation, with a view to protecting privacy and civil liberties. In its review, it can access all relevant agency records, reports, audits, reviews, documents, papers and recommendations, including classified information, conduct interviews and hear testimony.

PCLOB’s Oversight Role in U.S. Intelligence Activities

Under the DPF, PCLOB is responsible for overseeing U.S. intelligence agencies’ compliance with the procedural safeguards introduced in Executive Order 14086 (EO 14086). These functions are intended to reinforce the credibility of U.S. surveillance safeguards and provide sufficient guarantees regarding the protection of EU citizens’ fundamental rights by U.S. intelligence agencies.

PCLOB’s role includes monitoring whether U.S. intelligence activities adhere to the principles of necessity, proportionality, and respect for fundamental rights, which are key requirements for aligning U.S. surveillance practices with EU legal standards as established by the CJEU jurisprudence. It evaluates the implementation of EO 14086 safeguards, ensuring that new privacy protections are effectively enforced, and reviews intelligence procedures and policies to verify compliance with limitations on bulk data collection. PCLOB is responsible for conducting an annual review of EO 14086’s implementation, assessing whether U.S. intelligence agencies comply with the new procedural and fundamental rights safeguards established therein.

At the time of the dismissals, the expected annual report was under preparation, and its publication is on hold for an undetermined period of time. This report is a key piece of the EU Commission’s annual evaluation of the DPF. Therefore, the inability to produce such a report would severely undermine the Commission’s ability to ensure compliance with EU standards, rendering PCLOB a futile safeguard for the purposes of the DPF. Recognising the gravity of this issue, the Commission noted in its last implementation report that “given the important role of the PCLOB to review the implementation of EO 14086, the Commission will closely monitor the status of future vacancies and nominations/appointments.”

PCLOB’s Role in the Redress Mechanism: The Data Protection Review Court (DPRC)

In its 2023 resolution, the European Parliament highlighted significant concerns about the DPRC being placed under the executive branch, noting that “although the new redress mechanism does not allow for the U.S. Attorney General to dismiss and supervise the DPRC judges, it does not affect the relevant powers of the US President; stresses that as long as the US President can remove DPRC judges during their term, the independence of these judges is not guaranteed”. 

PCLOB is responsible for overseeing the newly established DPRC, which, under EO 14086, is intended to provide a redress mechanism for EU citizens challenging unlawful surveillance in the US. With regard to the DPRC, PCLOB:

  • Monitors and evaluates how the DPRC operates to ensure complaints are handled fairly, independently, and in a timely manner, including assessing whether the DPRC has full access to necessary intelligence data.
  • Is consulted in the appointment of DPRC judges, helping to reinforce the tribunal’s impartiality.
  • Conducts an annual review of the redress mechanism under EO 14086 and publishes a report on its findings, including an unclassified public version, which informs the European Commission’s periodic review of the DPF.
  • Reviews whether the substantive safeguards of EO 14086 are properly applied.
  • Verifies whether the Intelligence Community fully complies with determinations made by the DPRC.
  • Issues an annual public certification confirming whether the redress mechanism operates in line with EO 14086 requirements.

The CJEU previously struck down the Privacy Shield, finding, among other issues, that its Ombudsperson Mechanism lacked sufficient independence from the U.S. executive branch. While the DPRC remains under the executive branch, the European Commission characterized PCLOB’s independent oversight as a key safeguard to defend its compliance with the CJEU’s standard of independence. With PCLOB now non-functional, the legitimacy of the DPRC’s independence is at serious risk and could face legal challenges.

2. The Impact of PCLOB’s dysfunction on the EU-US DPF

The recent dismissal of PCLOB members appointed on a bipartisan basis has effectively crippled PCLOB as an oversight body and raises serious concerns about political interference in the independent oversight mechanism. This marks a potential regression to the times when PCLOB members served at the discretion of the President, and its work was subject to White House influence. This move by the new U.S. administration signals a potentially prolonged period without a quorum, as it remains uncertain when replacements will be appointed. Past instances suggest that the appointment process could take months or years, leaving the agency effectively non-operational for the foreseeable future. While the sole remaining PCLOB member has the ability to issue reports in her individual capacity or oversee the preparation of “staff reports,” these documents do not carry the same institutional weight as formal PCLOB reports. PCLOB reports are adopted through a deliberative process at the Board level, ensuring bi-partisan oversight and institutional legitimacy. In contrast, “staff reports” are technical documents produced at the working level and do not reflect the formal position of the Board as a whole. As such, they do not hold the same legal or procedural validity in official assessments or oversight processes. Furthermore, they certainly would not comport with the Commission’s vision of a reliable, bi-partisan oversight mechanism with members serving full, six-year terms of office that protect their independence from political influence.

The lack of an operational oversight body and the firing of most of its members without cause raise fundamental concerns about the effectiveness of, and compliance with, U.S. surveillance safeguards under EO 14086 for several reasons:

  • No independent verification of U.S. intelligence compliance: With PCLOB in a sub-quorum state, there is no independent body ensuring that U.S. intelligence agencies comply with EO 14086 safeguards, leaving fundamental questions about whether surveillance activities remain within agreed legal limits.
  • The DPRC’s legitimacy is now in question: PCLOB was meant to reinforce the independence and fairness of the DPRC, providing oversight to ensure it functions as an independent redress mechanism for EU citizens. Without PCLOB, the DPRC’s ability to operate as an impartial body is severely weakened. Even if PCLOB is eventually reconstituted, its independence is forever tarnished by the dismissal without cause of most of its members.
  • The DPF’s entire independent oversight framework is at risk: The absence of an effective PCLOB further weakens the foundation of the DPF’s oversight structure, increasing the likelihood of legal challenges before the CJEU, similar to those that led to the invalidation of the Privacy Shield.

3. An agreement built on fragile ground

The DPF’s validity depends heavily on the safeguards introduced by EO 14086, which were introduced to address the CJEU’s concerns regarding oversight, accountability, and redress. The oversight and redress mechanisms were designed to provide the accountability and proportionality needed to meet CJEU standards of independence and effectiveness. However, the credibility of these safeguards hinges on the PCLOB’s independence and operational capacity. Given that the PCLOB has been weakened and rendered effectively non-functional for what could be a lengthy period, essential equivalence is highly questionable.

EU civil society and the European Parliament were very critical of the new adequacy decision granted by the EU Commission in 2023. In its resolution, the Parliament urged the European Commission to renegotiate the framework, stating that it “fails to create essential equivalence in the level of protection” as required by EU law. Recent developments pertaining to the removal of legitimately appointed PCLOB members only exacerbate these concerns. In its 2024 annual review of the functioning of the DPF, the Commission concluded that it will “closely monitor relevant developments in the next months and years, paying particular attention to (1) the upcoming reports of the PCLOB on the implementation of EO 14086 and … (3) the nomination and appointment of members to the PCLOB to fill upcoming vacancies.” Now that the Board members needed for a quorum have been fired, the report that the Commission relies on to monitor implementation and compliance cannot be issued by PCLOB, and the problem of prospective PCLOB vacancies that concerned the Commission a few months ago has worsened.

Recommendations

  • The European Commission must take this issue seriously by closely monitoring the situation to reassess whether the safeguards under the DPF still meet the CJEU’s requirements and actively engaging with the U.S. administration to demand the reappointment of new PCLOB members approved on a bipartisan basis.
  • Should the U.S. administration and the U.S. Senate fail to restore PCLOB’s operational capacity within a reasonable timeframe, EU citizens’ personal data would be exposed to unlawful surveillance without the necessary guardrails, in contravention of their rights. Even before PCLOB’s ability to fulfill its role in the DPF had been put in doubt, CDT had called for more protection of the rights of EU citizens against U.S. surveillance practices. Now, the DPF is on even shakier ground. As stated in the European Parliament’s resolution of 2023, the Commission is obligated to suspend the adequacy decision if the level of protection in the U.S. no longer meets the required standard of “essential equivalence” with EU data protection laws. Under the General Data Protection Regulation (GDPR), this assessment must be an ongoing process, continuously evaluating changes in law and practice to ensure compliance.
  • In light of previous CJEU decisions, the EU should not wait for another legal challenge on account of PCLOB’s inoperability but instead proactively anticipate the risks and take the necessary measures to uphold the integrity of the agreement before it faces another inevitable invalidation by the CJEU.
  • The European Parliament should engage in a transparent dialogue with the Commission and ensure that the above recommendations are followed. 

CDT Joins Global Encryption Coalition Letter on UK Government’s Use of Investigatory Powers Act to attack End-to-End Encryption https://cdt.org/insights/cdt-joins-global-encryption-coalition-letter-on-uk-governments-use-of-investigatory-powers-act-to-attack-end-to-end-encryption/ Thu, 13 Feb 2025 19:29:11 +0000

Logo of the Global Encryption Coalition (GEC). Black text on a white background, with multi-colored squares (dark orange, dark yellow, dark blue, and light blue / green) forming a + symbol.

Today, CDT and a group of over 100 civil society organizations, companies, and cybersecurity experts – as part of an effort led by the Global Encryption Coalition (GEC) – submitted a letter to British Home Secretary Yvette Cooper calling on the UK Home Office to rescind its demand that Apple create a backdoor into its end-to-end encrypted services.

The UK demand is an alarming effort to undermine encryption, and if carried out would endanger the privacy and security of hundreds of millions of individuals who use Apple products across the globe.

As encryption advocates have demonstrated for decades, creating any backdoor access to encrypted systems for law enforcement will also make those systems vulnerable to cybercriminals, foreign espionage, and other bad actors.

The ongoing damage of the Salt Typhoon hack shows how severe the risks of leaving communications and data systems vulnerable can be, and why encryption is so vital. Now more than ever we need to be championing strong encryption, not tearing it down. The UK’s short-sighted effort will make its citizens less safe and more vulnerable to having their most sensitive data and intimate conversations stolen and snooped on. We hope the UK Home Office will heed the warning of experts and reconsider this decision.

This letter was published on Thursday, February 13, 2025 with 109 signatures. More signatures may be added as they come in, and will be noted at a future date.

Read the full letter – and list of signatories – on the GEC’s website.

Civil Society Calls on the Polish Presidency to Lead the EU in Combating Spyware Abuse https://cdt.org/insights/civil-society-calls-on-the-polish-presidency-to-lead-the-eu-in-combating-spyware-abuse/ Thu, 12 Dec 2024 08:12:59 +0000

CDT Europe, alongside thirteen civil society organisations, many of which are members of the Spyware Coordination Group, has sent a joint letter to the Polish Presidency of the Council of the European Union, urging it to prioritise action against spyware misuse.

Poland will assume the rotating presidency in January 2025. This role, held by each EU member state for six months, allows the presiding country to set the Council’s agenda, chair meetings, and represent the Council in negotiations with other EU institutions. This makes the presidency a crucial opportunity to influence the EU’s policy making priorities and focus.

Despite widespread awareness of the harm caused by spyware, the EU has yet to take significant action to address the issue. Key recommendations from the PEGA Committee, which investigated the use of spyware within member states, have not been adequately followed up. The topic was also conspicuously absent during the hearings of the new commissioners, and insufficient engagement with these urgent issues has allowed spyware abuses to persist unchecked.

The coalition highlights spyware’s devastating impact on fundamental rights, rule of law, and national security across the EU and beyond. We commend Poland for its national efforts to address spyware abuses, namely its willingness to investigate allegations of unlawful surveillance and efforts to increase transparency around spyware procurement and use. Poland has also demonstrated its commitment to combating spyware misuse by signing the Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware and the Pall Mall Declaration.

The start of the Polish Presidency comes at a key moment, aligning with the beginning of the new legislative mandate, following Parliament’s confirmation of the new European Commission College. This pivotal timing provides Poland with a unique opportunity to set the tone for the EU in advancing comprehensive reforms to regulate spyware technologies, strengthen safeguards, and ensure accountability.

In the letter, we provide key recommendations and call for a collaborative approach between governments and civil society to turn commitments into impactful policies. By prioritising these reforms, Poland can position the EU as a global leader in addressing spyware misuse and champion the values of fundamental rights and the rule of law.

Read the full letter here.

EU Tech Policy Brief: December 2024 https://cdt.org/insights/eu-tech-policy-brief-december-2024/ Mon, 09 Dec 2024 22:26:44 +0000

Welcome back to the Centre for Democracy & Technology Europe‘s Tech Policy Brief for the last edition of the year! This edition highlights some of the most pressing technology and internet policy issues under debate in Europe, the U.S., and internationally, and gives CDT’s perspective on the impact to digital rights. To sign up for CDT Europe’s AI newsletter, please visit our website.

Please do not hesitate to contact our team in Brussels: Laura Lazaro Cabrera, Silvia Lorenzo Perez, Aimée Duprat-Macabies, David Klotsonis, and Giulia Papapietro.

👁 Security, Surveillance & Human Rights

Civil Society Strategises on Tackling Spyware

Spyware remains high on the EU agenda; in Poland, an arrest was recently made in relation to the governmental probe on the use of Pegasus. In this context, on 20 November, CDT Europe convened the Spyware coordination group to strategise on EU-level actions to tackle spyware. The discussion focused on key areas of regulation and advocacy, aiming to build consensus. Points of convergence included the need for definitions of key terms that can adapt to the rapid evolution of spyware technologies, and the strict prohibition of spyware use against journalists.

Photograph of Spyware Coordination Group Hybrid Workshop at CDT Europe’s Office.

Participants also explored the potential of internal market regulation as a legal basis for addressing the commercial spyware market and industry. Insights from the European Media Freedom Act (EMFA) and the EU Cybersecurity Framework informed discussions, particularly regarding litigation strategies to challenge Article 4 implementation and leverage cybersecurity policies to mitigate spyware threats. 

The workshop highlighted the shared urgency of curbing spyware misuse through coordinated, impactful advocacy and legal action.

All Eyes on Member States’ Actions on Spyware

At the various Pall Mall Process meetings that took place on the sidelines of the Paris Peace Forum, CDT Europe’s Silvia Lorenzo Perez engaged in critical discussions where she highlighted the urgent need for coordinated global action on spyware. 

At a panel held by the Swedish government and Access Now, victims shared powerful testimonies on the devastating impact of spyware abuse. These accounts underscored the urgent need for robust regulatory action to protect human rights defenders. This meeting was followed by a multistakeholder roundtable focused on combating the spread of commercial spyware. 

The day concluded with a Pall Mall Process meeting to review measures aimed at preventing spyware proliferation globally. While governments recognise the dangers of spyware, translating concerns into enforceable legal frameworks remains a challenge. The EU now has a unique opportunity to lead, with Member States at the table tasked with driving critical reforms. With the Polish Presidency of the Council of the EU at the helm, the time is now for bold leadership to address spyware abuse and protect both national security and individual rights.

Recommended read: The Guardian, Ronan Farrow on surveillance spyware: ‘It threatens democracy and freedom’

💬 Online Expression & Civic Space

Trusted Flaggers in the DSA: Challenges and Opportunities

Implementation of the Digital Services Act (DSA) is at a busy phase, with online platforms starting to release their first annual risk assessment and audit reports (CDT Europe and other CSOs published a joint letter on the process). Another crucial part of the regulation’s implementation rests with the Trusted Flagger Mechanism, which helps combat illegal content online by granting certified entities priority processing of flagged material. CDT Europe and EU DisinfoLab organised a webinar on the topic on 21 November, where over 30 participants, including civil society organisations (CSOs), Digital Services Coordinators, and the European Commission, explored current challenges and opportunities. The system faces significant hurdles, including resource constraints for CSOs applying for certification, misinformation campaigns undermining public trust in Trusted Flaggers, and low uptake due to complex, burdensome processes and unclear benefits. With only 15 certifications granted so far, the mechanism is underutilised. 

Some key recommendations from the event include:

  • Ensuring sustainable funding for CSOs to meet Trusted Flagger obligations;
  • Developing proactive communication strategies to counter misinformation and clarify the role of Trusted Flaggers to the wider public; and
  • Establishing a working group to harmonise practices, support applicants, and address challenges like application complexity.

In our full outcomes report blog, we identify key opportunities for CSOs.

A Human Rights-Centered Application of the DSA

CDT Europe’s Research and Policy Officer David Klotsonis joined a workshop in Vienna, organised by the DSA Human Rights Alliance and hosted by the Organisation for Security and Co-operation in Europe (OSCE). The event focused on exploring principles for a Global Human Rights-Centered application of the Digital Services Act. The participants discussed lessons from other jurisdictions and conflict zones to shape thoughtful DSA implementation, while considering the risks of applying the law to different regulatory environments without accounting for unique vulnerabilities. As the “Brussels Effect” continues to generate buzz, it’s crucial to unpack its real-world implications. How can laws, when removed from their original institutional context, unintentionally—or deliberately—undermine human rights? This workshop offered a timely platform for reflection, and was a source of important insights.

Online Gender-Based Violence: What Now?

Graphic with purple background and white text reading, "Online Gender-Based Violence in the EU: What Now?" Graphic also depicts woman standing in front of a laptop emitting emojis.

Online gender-based violence (OGBV) continues to be a widespread and alarming issue, fueled by misogynistic narratives, that affects women in Europe and around the world. On the International Day for the Elimination of Violence against Women, and in the context of the 16 Days of Activism against Gender-Based Violence, CDT Europe highlighted the EU’s progress on the issue, such as the Directive on combating violence against women and the Digital Services Act. Despite these advancements, problems persist in ensuring the online space is free of this gendered harm. In our blog, we explored the obstacles ahead, emphasising the need for cultural change and effective implementation.

Recommended read: The Verge, Meta says it’s mistakenly moderating too much 

⚖ Equity and Data

An Ongoing Battle for Full Accountability for AI Harms

In our latest blog post, we reflected on persistent gaps in EU regulation that hinder accountability for AI-induced harms. Transparency, an inherent challenge for AI systems, is a crucial prerequisite to identifying harms. The AI Act goes some way towards ensuring a base level of transparency in some circumstances, but neglects the importance of procedural safeguards to ensure individuals’ legal access to remedies. This was never the AI Act’s intention, as it was conceptualised around the same time as the AI Liability Directive (AILD), a proposal that outlined basic steps towards easing procedural burdens for complainants in recognition of the hurdles posed by AI’s opaque functioning. Despite the AILD’s process-oriented nature and modest impositions, the draft law is struggling to get off the ground — even as the effective remedies issue in AI remains unaddressed. 

Making the Case for Robust European Regulation

Counsel and Programme Director for Equity and Data Laura Lazaro Cabrera speaks at Euronews’ Tech Summit.

In a debate hosted by Euronews as part of their Tech Summit on 4 December, CDT Europe’s Laura Lazaro Cabrera shared the stage with representatives from DG JUST and CEPS to discuss regulation for consumer protection in the digital age. In the discussion, Laura highlighted the importance of ensuring laws regulating tech include both substantive and procedural safeguards to truly guarantee robust consumer protection. She also noted the importance of challenging the false dichotomy between innovation and regulation, underscoring the value of high product standards and their essential role in preserving health, safety, and fundamental rights. She also questioned the false assumption that underperforming products falling short of robust standards would lead to Europeans missing out — rather, it’s companies that would be missing out on the European market should they fail to find ways to conform. 

Recommended read: The Guardian, Deus in machina: Swiss church installs AI-powered Jesus

🦋 Bluesky

We are on Bluesky! As more users join the platform (including tech policy thought leaders), we’re finding more exciting content, and we want you to be part of the conversation. Be sure to follow us at @cdteu.bsky.social! You can also follow our starter pack of EU tech journalists, to catch the latest digital news in the bubble. Find us also on Mastodon and LinkedIn.

⏫ Upcoming Events 

Liberal Forum Roundtable: On 10 December, our Equity and Data Programme Director Laura Lazaro Cabrera will participate in the European Liberal Forum’s conference on “The Era of AI: Harnessing AI for Humanity”, bringing together MEPs, APAs, political advisors, civil society, academia, and corporate sector representatives to engage in Chatham House discussions on the role of the EU in advancing AI over the next mandate.

Kofi Annan Foundation: On 11 December, Laura will speak at the “Comparative lessons from the EU and the US elections in the age of Artificial Intelligence” event organised by Democracy Reporting International (DRI) and the Kofi Annan Foundation (KAF) to reflect upon the risks and challenges generative AI represents for European democracy.

EU Tech Policy Brief: October 2024 https://cdt.org/insights/eu-tech-policy-brief-october-2024/ Mon, 04 Nov 2024 20:36:31 +0000 https://cdt.org/?post_type=insight&p=106148

Welcome back to the Centre for Democracy & Technology Europe’s Tech Policy Brief. This edition covers the most pressing technology and internet policy issues under debate in Europe and gives CDT’s perspective on the impact to digital rights. To sign up for CDT Europe’s AI newsletter, please visit our website. Do not hesitate to contact our team in Brussels: Silvia Lorenzo Perez, Laura Lazaro Cabrera, Aimée Duprat-Macabies, David Klotsonis, and Giulia Papapietro.

👁 Security, Surveillance & Human Rights

CDT Europe Leads Coalition to Combat Spyware Abuse Across the EU 

On 1 October 2024, during the Tech and Society Summit (TSS), CDT Europe officially launched a Spyware Coordination Group composed of 16 leading civil society and journalist organisations from all over the EU focused on safeguarding democracy, transparency, and accountability in relation to spyware technologies. This initiative aims to combat the growing misuse of spyware technologies in the EU, and advocate for stronger regulations to protect fundamental rights and ensure respect for the rule of law. United in their commitment to protecting democratic institutions and civil society, members of the Coordination Group will work tirelessly to ensure that the new EU institutions take necessary measures to regulate and prevent abuse of spyware technologies in the EU.

Photograph of members from the Spyware Coordination Group at the Tech and Society Summit in Brussels.

Strengthening Global Efforts Against Commercial Spyware

The issue of spyware is not only being debated at the EU level: on 8 October 2024, the U.S. Department of State hosted its first commercial spyware-focused Human Rights Council side event. CDT Europe’s Security, Surveillance and Human Rights Program Director Silvia Lorenzo Perez spoke at the event, emphasising that modern spyware is not just a tool for law enforcement, but represents a fundamental shift that undermines our democratic values and violates the very principles upon which the European Union is built. She also commended the U.S. Government’s leadership in combating the abuse of commercial spyware through diplomatic efforts such as the U.S.-led Joint Statement, and encouraged the U.S. to intensify diplomacy towards the EU institutions to secure commitments from the European Commission, Parliament, and Council.

Push for Stronger Spyware Oversight in Slovakia and Greece

CDT Europe, alongside 11 organisational members of the Spyware Coordination Group, addressed the European Parliament with serious concerns about the procurement, use, and regulation of spyware technologies in Slovakia and Greece. In a joint letter, the coalition highlights the alarming developments in both countries, where spyware tools like Pegasus and Predator have been linked to violations of privacy and fundamental rights. The letter urges the European Parliament to take immediate action to ensure transparency, accountability, and adherence to rule of law principles, emphasising the need for robust legislative frameworks to protect privacy and freedom of expression.

Recommended read: Human Rights Watch, UK Court Accepts Case About Saudi Spyware Use

💬 Online Expression & Civic Space

CDT Europe at the Tech and Society Summit

At the Tech and Society Summit, CDT Europe’s Online Expression team played a key role in two critical discussions. First, our Secretary General Asha Allen participated in a roundtable, “Making EU laws work for people: best practices for engaging with civil society”, emphasising the vital role of civil society in identifying harms and proposing actionable policy solutions. This session created an invaluable space for exchanging lessons learned and best practices related to civil society participation in the policymaking process and the enforcement of EU laws.

In a separate high-level roundtable, CDT Europe joined discussions on crafting an effective, rights-respecting EU digital enforcement strategy. Here, participants reached a consensus on the need to address pervasive digital harms by adopting a holistic, society-centred approach, rather than relying solely on individual regulations.

Enhancing Transparency with the Digital Services Act for Stronger Platform Accountability

Our Research and Policy Officer David Klotsonis recently shared key insights with Open Government Partnership (OGP) members on the Digital Services Act (DSA) and its role in promoting accountability in the digital space. David emphasised that annual risk assessments required of Very Large Online Platforms and Search Engines are essential to proactively identifying potential harms, and central to fostering transparency and safeguarding user trust. He also pointed to the importance of Digital Services Coordinators, whose timely appointment and adequate resourcing are vital for meaningful oversight and compliance at the national level. This dialogue with OGP members reinforced the value of collaboration in driving effective, accountable digital governance. You can watch the recording of the webinar on OGP’s YouTube channel.

Workshop on Prosocial Tech Design Governance

On 8 October, the Council on Technology and Social Cohesion and Search for Common Ground hosted a workshop that gathered policymakers, academics, and civil society leaders to examine technology’s role in supporting social cohesion and human rights. Key takeaways included the need for algorithmic accountability, with the DSA serving as a framework to mitigate harmful, profit-driven designs that amplify divisive content, in particular by leveraging risk assessments under the DSA’s Article 34 to address the monetisation of such content. Participants also discussed child protection efforts and the data privacy concerns around age verification, as the EU looks to further bolster the online protection of minors in the coming mandate.

Recommended read: Daphne Keller published an opinion piece in Lawfare, The Rise of the Compliant Speech Platform.

⚖ Equity and Data

Feedback to French Authority on GDPR Guidance for AI

CDT provided feedback to the French Data Protection Authority (Commission nationale de l’informatique et des libertés, or “CNIL”) on recently released factsheets that are intended to guide application of the EU’s General Data Protection Regulation (GDPR) to AI systems and models. We reiterated the limits of relying on “legitimate interests” as a valid legal basis for using data to train AI systems, particularly when conducting web scraping to source that data. CDT similarly called for protection of data subject rights in the AI ecosystem, highlighting the current obstacles individuals face in accessing sufficient information about the processing of their data and enforcement of their rights.

General Purpose AI Models and the Code of Practice Process

As part of our ongoing involvement in the Code of Practice process for general-purpose AI (GPAI) models, which is set to guide providers’ compliance with the AI Act’s rules governing GPAI models, we published a brief outlining the precedent-setting potential of the Code of Practice process, as well as the importance of civil society engagement and fundamental rights advocacy in the process. Active civil society participation will be crucial to ensure a robust interpretation of the GPAI rules in the AI Act, and to promote high levels of transparency in GPAI models through risk mapping as well as development of robust mitigations and safeguards.

Addressing AI Governance Challenges in Democratic Elections

Photograph of Asha Allen, Secretary-General of CDT Europe, speaking at POLITICO Live's "AI & Elections: Are Democracies Ready?" event.

On 14 October, our Secretary General Asha Allen spoke at POLITICO Live’s “AI & Elections: Are Democracies Ready?” event, where she shared insights on the state of AI governance and its implications for democratic processes. During the event, Asha and the other panellists discussed the relevance of AI in democratic processes, emphasising that more research is essential to fully understand how AI-generated content might impact the online space and individuals’ rights to participate in democratic debate without interference or discrimination. While the AI Act and DSA are a welcome step forward, the impact of these laws in mitigating the risks of AI-generated disinformation during elections is yet to be determined. Asha also highlighted the need for tech platforms to fulfil their due diligence obligations and to comply with the EU legislative framework. If you missed it, you can rewatch the panel on YouTube.

Recommended read: La Quadrature du Net, French Family Welfare Algorithm Challenged in Court by 15 Organisations.

📌 Hearings to confirm the incoming European Commissioners

From 4 November to 12 November, the European Parliament is holding hearings to confirm the incoming European Commissioners. CDT Europe is closely monitoring these proceedings and will publish analyses of the nominees’ responses regarding digital rights. As part of this process, nominees have submitted written responses outlining their visions, priorities, and approaches to the portfolios they are set to manage. These answers provide valuable insights into how the new Commission might address some of the most pressing issues facing the European Union today. While the written responses reflect promising commitments in some areas, there are still questions that the Parliament should raise during the hearings to ensure that the final agenda aligns with the EU’s values of privacy, democracy and fundamental rights. We have written an in-depth article outlining these questions and delving into the nominees’ commitments related to our three key programs: Security and Surveillance, Online Expression and Civic Space, and Equity and Data.

⏫ Upcoming Events

Democracy Alive Summit: On 6 November, the day after the U.S. elections, CDT Europe’s Laura Lazaro Cabrera will participate in the Democracy Alive Summit organised by the European Movement International (EMI). Laura will discuss the challenges caused by AI at election time, and what can be done to combat disinformation and manipulation. If you wish to attend, you can register by filling out this form.

Paris Peace Forum: On 12 November, CDT Europe’s Silvia Lorenzo Perez will attend spyware-focused sessions at this year’s Paris Peace Forum. Those include multistakeholder meetings: one on the Pall Mall Process, organised by the French and UK governments, and one organised by Access Now, the CyberPeace Institute, Freedom House, and the Paris Peace Forum.

Webinar on Trusted Flaggers in the DSA: On 21 November, CDT Europe is co-organising a webinar on Trusted Flaggers. By bringing together institutions, regulators, and civil society organisations, we aim to deepen participants’ understanding of the legal text, and share insights on what the vetting process looks like in practice, what can practically be expected, and what the potential benefits are for CSOs interested in applying. This is a closed-door event; however, if you believe that your participation would add valuable insight to the discussion, or are interested in applying to be a Trusted Flagger, please feel free to reach out to eu@cdt.org.

Joint Letter on Concerns Regarding Procurement, Use and Regulation of Spyware in EU Member States https://cdt.org/insights/joint-letter-on-concerns-regarding-procurement-use-and-regulation-of-spyware-in-eu-member-states/ Tue, 15 Oct 2024 11:48:43 +0000 https://cdt.org/?post_type=insight&p=105975

CDT Europe and eleven member organisations of the Spyware Coordination Group have come together to address the European Parliament regarding serious concerns about the procurement, use, and regulation of spyware technologies in Slovakia and Greece.

In a joint letter, the coalition highlights the alarming developments in both countries, where spyware tools like Pegasus and Predator have been linked to violations of privacy and fundamental rights. The letter urges the European Parliament to take immediate action to ensure transparency, accountability, and adherence to legal standards, emphasising the need for robust legislative frameworks to protect privacy and freedom of expression.

You can read the full letter here.
