Meeting with
AMAZON)
European Commission – 18 February 2020 at 09.45
MEETING WITH
AMAZON
Scene setter
• You are meeting with
at AMAZON.
• Amazon may raise the following issues: the
strategy on AI; the
GDPR evaluation; the
Digital Single Act; the revision of the
General Product Safety Directive; ongoing
litigation with an impact on the Privacy Shield (in particular the Schrems II case)
.
• Amazon is a member of DigitalEurope, which is
a member of the Commission GDPR
Multistakeholder expert group.
• Luxembourg’s National Commission for Data Protection (CNPD) is the lead supervisory
authority for the
one-stop-shop mechanism, since Amazon’s main establishment in the
EU is in Luxembourg. A complaint regarding Amazon Alexa devices is under examination
by the CNPD.
• Amazon is one of the big tech companies that is
supportive of comprehensive federal
privacy legislation in the United States. Their main concern seems to be the risk of a
“patchwork” of privacy laws in different sectors and at state level. It would therefore be
useful to
obtain
views on the ongoing privacy debate in the U.S.
(including whether he sees any useful role for the EU in this context).
• Amazon is also
Privacy Shield certified and is a member of several trade associations that
have provided input for the annual reviews of the framework. The continuity of the Shield
is very much in the interest of the U.S. business community, which has in the past insisted
with the U.S. authorities on the implementation of our recommendations (e.g. the
appointment of a permanent Privacy Shield Ombudsperson).
• Amazon, together with other major online marketplaces (Alibaba, Ebay and Rakuten
France, Allegro and Cdiscount), has signed the
Product Safety Pledge. The conclusion of
the Pledge was facilitated by DG JUST. This initiative sets out specific voluntary actions
by online marketplaces that go beyond what is already established in EU legislation.
• DG JUST has regular meetings with Amazon and the other signatories of the pledge.
Signatories have to report every 6 months on the implementation of the initiative. From the
information of the first two published reports, it is really difficult for the Commission to
assess real progress on the voluntary commitments. Therefore, DG JUST is in conversation
with the companies to try to gather more evidence and data from them.
• Amazon takes also part in the expert group DG JUST set up for connected products and
other new challenges in product safety (the first meeting was on 29 January 2020).
1
Meeting with
AMAZON)
European Commission – 18 February 2020 at 09.45
Lines to take
ARTIFICIAL INTELLIGENCE
• AI is a key technology of our century. It can bring big
benefits to our society and economy, but it can also bring
risks.
• We must develop policies that protect individuals – a
human centric approach which at the same time allows
Europe to be competitive in the AI landscape. AI
applications must comply with fundamental rights. The
General Data Protection Regulation already protects
personal data. It is now essential to shape a framework to
address possible challenges to human dignity, non-
discrimination, equality, freedom of expression and other
fundamental rights.
• In April 2018, the Commission defined a strategy on AI. It
is based on three pillars: (1) boosting the EU’s
technological and industrial capacity and AI uptake across
the economy, (2) preparing for socio-economic changes
brought about by AI and (3) ensuring an appropriate ethical
and legal framework.
• On 19 February 2020, the Commission will publish a white
paper with the core features of the future regulatory
framework for AI. The objective is to ensure that AI is
developed in line with EU values and principles, and with
existing EU legislation; to foster the use of AI on the digital
single market; and to provide a clear and predictable
framework for operators. The publication of the white
paper will be followed by a public consultation.
2
Meeting with
AMAZON)
European Commission – 18 February 2020 at 09.45
GDPR
• Given the importance of data protection as a fundamental
right and as a stepping stone for a wide range of policies,
the Commission attaches a great importance to the correct
implementation of the new data protection rules.
• We have adopted a multi-faceted approach to
implementation: we have engaged into bilateral dialogues
with Member States on the compliance of national
legislations; we work closely with data protection
authorities in the context of the European Data Protection
Board; we also support those authorities financially through
grants.
• We will publish in May an evaluation report on the
application of the GDPR. We will build upon the stock-
taking exercise we conducted last July, which led to the
publication of our July Communication. As mandated by
Article 97 of the GDPR, the report will focus on the
provisions on the international transfer of personal data and
on the cooperation and consistency between data protection
authorities. It will also examine other aspects of the
application of the GDPR.
• We will take into account the contribution of the Council,
the European Parliament, the European Data Protection
authorities and our GDPR Multi Stakeholder Group [to
which DigitalEurope is a member].
3
Meeting with
AMAZON)
European Commission – 18 February 2020 at 09.45
INTERNATIONAL ASPECTS OF DATA PROTECTION
• We have been following with great interest the recent
developments in the United States in the area of privacy.
• I believe that it is in everyone’s interest that what happens
in the United States is convergent with what we are seeing
in the rest of the world.
• I would therefore be very interested to hear your views on
the ongoing debate in the United States and how the EU
could contribute to it in a meaningful way.
• Of course, if one day there would be comprehensive
privacy legislation in the United States, this would also
strengthen the long-term viability of the Privacy Shield.
• As you know, the framework is under increasing political
and judicial scrutiny, in particular when it comes to aspects
relating to governmental access to data.
• There is litigation pending before the Court of Justice and,
while we are strongly defending the Shield before the
Court, we cannot exclude that we will have to go back to
the negotiating table to introduce further changes.
• At the same time, we continue to believe that in our
globalised world it is essential to have a broad toolbox for
international transfers.
• That is also why we are currently working on different
instruments, including the existing Standard Contractual
Clauses, to update them in light of the GDPR and to be
prepared for the upcoming judgment of the Court.
4
Meeting with
AMAZON)
European Commission – 18 February 2020 at 09.45
SAFETY OF PRODUCTS SOLD ONLINE
• The Commission gives great importance to the
safety of
consumer products sold online. Such products fall under
the same rules as products sold in the traditional supply
channels and they need to be safe when offered and sold to
EU consumers.
• We welcome the efforts from Amazon regarding the safety
of product sold online, in particular the signature of the
Product Safety Pledge.
• To properly assess if voluntary initiatives such as the
Pledge are working in practice, it is important for the
Commission to have enough data to assess its functioning. I
am aware that Commission services are in contact with
Amazon to try to improve the monitoring system of the
Pledge.
• Despite these common efforts, there are still many cases of
unsafe products sold online. The Commission is gathering
evidence on the real size of the problem and how it can be
tackled. This will feed into the evaluation and impact
assessment of the
General Product Safety Directive.
• There are also other ongoing initiatives at Commission
level regarding platforms, such as the
Digital Single Act.
We will ensure coherence between the different
instruments.
5
Meeting with
AMAZON)
European Commission – 18 February 2020 at 09.45
E-EVIDENCE
• In the area of law enforcement cooperation, we have
three parallel processes: the internal EU rules, the EU
US negotiations and the multilateral negotiations in the
context of the Budapest Convention. Each has its own
dynamics and at the same time impacts on the other
negotiations. We will have to ensure consistency
between them and there a number of challenges to
address in the months ahead.
• On the internal rules, we are analysing the impact of the
amendments tabled by the European Parliament and are
looking forward to its final report so that trilogue
negotiations could begin as soon as possible.
• It is important not to make the instrument too
burdensome or too restrictive in terms of the offenses
covered; if the European Production Order is not an
effective tool, it will not be used by authorities.
• Our ultimate aim is to improve cross border access to
electronic evidence for criminal investigations while
ensuring legal certainty and respect for fundamental
rights as well as avoiding conflicts of law.
• It is very important for us to ensure that service
providers are clear on the rules they need to follow when
orders are made from the United States or European
Union.
• This is also why we insisted on the “comity clause” (to
take into account fundamental considerations of other
legal systems that may prevent companies to comply
with a EU order) in our e-evidence proposal and for
6
Meeting with
AMAZON)
European Commission – 18 February 2020 at 09.45
which we would like to thank you very much for your
support.
• Moreover, the EU aims at pursuing a comprehensive
Agreement at EU level with the US that would enhance
such legal certainty, notably by setting common rules for
obtaining evidence between all the EU Member States
and the US. The Agreement would complement the e-
evidence proposals, notably by removing the risk of
being confronted with conflicting obligations (including
under the GDPR) when a request from a European or a
US law enforcement authority would be directed at a
service provider.
• It was very important for us to launch these negotiations
(even if our EU legislation is not yet adopted) to avoid
fragmented solutions, negotiated on a bilateral basis
between the US and certain Member States, which
would also have complicated the life of business on both
sides of the Atlantic.
• As you probably remember, the US government was
originally against the idea of a EU-US agreement (which
is for us the only possible solution). Things have
improved by the continuous support of the business
community is needed if we want to make progress as
regard the nature (EU-US agreement) and content (data
protection and procedural safeguards) of the agreement.
7
Meeting with
AMAZON)
European Commission – 18 February 2020 at 09.45
BACKGROUND
Artificial Intelligence
It is important that the development and use of Artificial Intelligence advance in line with
fundamental rights and democratic values. Robust legal and ethical frameworks are enablers
for the development of Artificial Intelligence and other emerging digital technologies and
provide legal certainty to entrepreneurs. Commercial and ethical interests converge when it
comes to creating sustainable AI business models. In this regard, the EU can build on the
European Charter of Fundamental Rights and on its robust data protection framework.
The GDPR provides many obligations and rights that are particularly relevant in the context
of AI. It does not mention the term Artificial Intelligence, it has been designed as
technologically neutral. However, all organisations that process personal data must comply
with it, including when they use AI. First, the GDPR is based on accountability and on a risk
based approach. It is for those who process personal data to evaluate the risks and to
implement the necessary measures to mitigate these risks. Second, the GDPR requires
organisations to implement data protection by design and by default and to ensure an
appropriate level of security.
To help address ethical and regulatory questions, the Commission has set up a High-Level
Expert Group on Artificial Intelligence. It is made up of 52 representatives of industry,
academia and civil society. This expert group drafted AI ethics guidelines that were published
on 8 April. The ethics guidelines are voluntary and the applicable legal rules always take
precedence. The guidelines contain high-level principles and requirements as well as a
practice-oriented assessment list that shall help stakeholders assess whether they fulfil the
requirements set out in the guidelines.
Between 9 April and 01 December 2019, the expert group had invited stakeholders to provide
feedback about the assessment list. On this basis, the expert group will produce an updated
version of that list in 2020.
The Guidelines were accompanied by a Commission Communication, which references the
ethics guidelines and supports its key requirements:
1) Human agency and oversight; 2) Technical robustness and safety; 3) Privacy and data
governance; 4) Transparency; 5) Diversity, non-discrimination and fairness; 6) Societal and
environmental well-being; 7) Accountability.
Another, second, Deliverable of the expert group – AI Policy and Investment
Recommendations – was publicly presented at a stakeholder event on 26 June 2019. The
recommendations focus on issues such as the governance of AI, improving infrastructure,
research funding, skills and the recommended use of AI in the public sector.
GDPR 2020 evaluation
Paragraph 1 of Article 97 of GDPR stipulates that by May 2020 “
the Commission shall
submit a report on the evaluation and review of this Regulation to the European Parliament
and to the Council”, while paragraph 4 provides that
‘in carrying out the evaluations and
reviews, the Commission shall take into account the positions and findings of the EP, of the
8
Meeting with
AMAZON)
European Commission – 18 February 2020 at 09.45
Council, and of other relevant bodies or sources’.
For the preparation of the report we will thoroughly examine the Council position which was
adopted on 21 January. The report will further rely on the contributions of the European
Parliament, the data protection authorities, the European Data Protection Board and of the
Multi Stakeholder Group (composed by representatives from business, civil society and
academics).
Pursuant to Article 97(2) of the GDPR, the Commission shall in particular examine the
application and functioning of the provisions on the international transfer of personal data
and on the cooperation and consistency between data protection authorities.
This review should not be an occasion to re-open the GDPR but an opportunity to assess the
progress made and whether after two years of application the various components of the new
data protection regime are fully operational.
Privacy developments in the United States
In the past two years, there been an ongoing debate on possible federal privacy legislation in
the U.S. While the ongoing impeachment process/upcoming election campaigns might have a
negative impact, so far the real initiative on federal privacy rules seems to come from
Congress (rather than from the US administration). A number of hearings on consumer
privacy have taken place in the past months and several bills have been introduced, in both
Houses. A recurring argument in favour of federal privacy rules is the need to avoid
fragmentation of the regulatory framework through diverging State laws. Another aspect on
which there seems to be broad agreement is the need to strengthen the powers and authority
of the Federal Trade Commission, the independent enforcement authority dealing with unfair,
deceptive or fraudulent practices in the market, which in this capacity also enforces consumer
privacy. Finally, a key concern shaping the debate is the possible negative effect of privacy
legislation on SMEs and on innovation (including e.g. the development of AI).
In parallel to the ongoing debate at federal level, and in the absence of concrete action by
Congress, several States have in the meantime developed their own privacy legislation. The
most well-known is the California Consumer Privacy Act (CCPA), which entered into effect
on 1 January 2020. While the CCPA has now entered into force, it is not excluded that it
might be amended further. For example,
the leading force behind the
CCPA, has announced at the end of last year that
will propose a new draft in 2020 to
further strengthen the CCPA (including by creating a Californian data protection authority
with enforcement powers). In addition, privacy laws have been adopted in Nevada and
Maine, while privacy bills are currently being debated in parliament in a number of other
States, including Illinois, Minnesota, New York and Washington.
Privacy Shield –Schrems II case
There are currently two cases pending before the Court of Justice with relevance for the
Privacy Shield. The first (La Quadrature du Net and Others v. Commission) concerns an
action for annulment against the Privacy Shield decision before the General Court. This case
has so far been suspended in light of developments in the second case (Schrems II).
The Schrems II case (reference for preliminary ruling), essentially concerns the validity of a
different transfer instrument (namely the Standard Contractual Clauses adopted by the
Commission). However, the main focus is about the use of Standard Contractual Clauses to
transfer personal data to the U.S. and the safeguards that apply in the area of national security
9
Meeting with
AMAZON)
European Commission – 18 February 2020 at 09.45
in this context. There is therefore a close link with the Privacy Shield, as the representations
and commitments by the U.S. government with respect to the applicable safeguards in case of
national security access, and in particular the Ombudsperson mechanism, apply irrespective
of the tool for data transfers.
On 19 December 2019, the Advocate-General issued his Opinion in the Schrems II case.
While the Advocate-General argues that the Court should not pronounce itself on the validity
of the Privacy Shield (in particular because it is not necessary in order to decide on the case at
hand), he at the same time questions the validity of the framework. If the Advocate-General’s
doubts would be endorsed by the Court, they would very likely lead to the invalidation of the
Privacy Shield. While the Opinion is not binding, the Court generally follows its Advocate-
Generals.
Defensive: What outcome do you expect from the litigation currently pending before the
Court of Justice? Is the Commission considering taking measures to mitigate the
possible outcome of the Schrems II case?
• The two cases currently pending before the Court concern two different instruments for
international data transfers: (i) Standard Contractual Clauses (SCCs) and (ii) the EU-US
Privacy Shield.
• We strongly defended these instruments before the Court and were supported by many
intervening parties, including Member States and business associations.
• We cannot of course predict the outcome of these cases and in particular cannot exclude
that they will require amending some aspects of the Shield and/or the SCCs.
• However, the Commission continues to believe that in our global world it is essential to
have a broad toolbox for international transfers, adapted to different sectors, business
models, countries of destinations etc.
• That is the approach that was adopted by the co-legislator in the GDPR, that is what we
are arguing before the Luxembourg Courts and that is what we are currently working on,
including in order to be prepared for the Court's judgment.
• Our preparation involves several work streams. For instance, we are currently reviewing
the 11 adequacy decisions that were adopted under the 1995 Directive to make sure they
can withstand political and judicial scrutiny under the GDPR. We are also working on
updating the existing SCCs to align them with GDPR requirements. This is something we
are doing in close consultation with stakeholders (civil society, business, DPAs, etc.) to
better understand transfer needs and what is missing or not working well with the current
SSCs.
Consumer Protection
More and more consumers shop online. In 2018, about 60% of EU consumers have made a
purchase online. Rates vary according to countries ranging from 20% in Romania to 84% in
Denmark. Online shopping is convenient for consumers but it poses certain challenges for
product safety.
Controlling the safety of products sold online can be also problematic for public authorities.
For this reason, in 2017 the Commission issued a
Notice on the market surveillance of
10
Meeting with
AMAZON)
European Commission – 18 February 2020 at 09.45
product sold online to help authorities with their work. The Notice clarifies the
responsibilities of online actors, including platforms and their notice and action obligations to
remove illegal content i.e. dangerous products.
The
e-Commerce Directive (Article 14) states that online intermediaries are not liable for
the illegal content they host (including dangerous product listings), provided that they do not
have knowledge of the illegal activity or information or, upon obtaining such knowledge or
awareness, they act expeditiously to remove it. The Directive does not specify what
expeditiously means.
The 2020 Commission Work Programme has announced an evaluation and revision of the
GPSD for Q42020.
11
Meeting with
AMAZON)
European Commission – 18 February 2020 at 09.45
CV OF
12
