25 September 2024
ICCL Enforce remarks at the European Parliament (EPP IMCO hearing)
Dr Johnny Ryan appeared before the European Parliament's European People's Party hearing of the Internal Market and Consumer Protection Committee on competitiveness and digital sovereignty.
See video of Dr Ryan's opening remarks here.
Opening statement by Dr Johnny Ryan FRHistS, Director of Enforce Unit of Irish Council for Civil Liberties at the European Parliament IMCO EPP hearing, 11 September 2024
Ms David, allow me to congratulate you. Andreas, thank you for your very kind invitation to discuss this pressing issue.
I want to set out what the issue is: we have giant Chinese and US firms, and they dominate Europe's digital infrastructure, platforms and media.
That problem causes other problems in our digital single market, and in European life. Let's set out four of those sub problems.
- We are unable to scale our startups and our SMEs;
- we cannot curb automated disinformation;
- we can't shield our children against the toxic algorithms that push suicide and self-harm into their feeds; and
- we can't really protect our elections and our security against malign foreign influence and penetration.
That's quite a shopping list of pain. But we're blessed in one respect. These are all data problems. We have the tools to address them.
I want to share two lessons that I learned in my time working for some of the most innovative startups and SMEs of the last decade.
In the next Commission, we will see a big investment in infrastructure and capacity to try to scale Europe's startups and SMEs. My concern is that while that should of course happen, it will not be adequate.
Lesson one is that even if Europe produces the best startups, even if her SMEs produce the best products and technologies, the best will not be good enough.
I have experienced the challenge. My last boss, before I joined an NGO, was the inventor of JavaScript. I was in a tech firm called Brave. Brave is a web browser and, then as now, is far superior to Chrome. Even so, it was far too difficult for this nascent competitor to compete on a fair footing against the incumbent, which not only dominated the browser market, but took data from other parts of its huge business and dropped it into other parts to cascade its monopoly. There are plenty of SMEs all across the Union who have experienced similar stories.
If we invest in innovation and capacity, we have to make sure we don't waste it. What does that mean? We have giant Chinese and US firms that do not respect European law today. They need to be pushed back. That has to be part of the competitiveness agenda.
They are uniquely vulnerable because they operate internal data free-for-alls that infringe several different domains of European law. Not just one, several. So, fairly and fully enforcing European law even in a single member state (such as my own, Ireland) would create space across the European market for Europe's SMEs and startups to grow.
Lesson two is that sham compliance works for the really big non-EU firms. They promote sham compliance, but have no, or very little, material internal compliance.
When you wake up in the morning and go onto the Web, and you see consent spam, please know that we have been litigating against this charade for six years. We're going to be back in court in this city in October, following a favourable decision at the European Court of Justice, to finally kill consent spam.
And when an SME, which I spoke to over the weekend, finds itself having to do anything small with another business that involves data, it has to fill in pages of nonsense. This is completely divorced from the reality of protecting data.
This is compliance theatre. It works for the players that dominate the market. Enforcers failed to tackle these problems and enforcing EU law against giant Chinese and U.S. firms. That would have caused trickle down compliance throughout the market. But instead our SMEs and startups and consumers must endure this burdensome scam.
I agree with Draghi in his report. He says, "We must streamline regulation." I think that means a few things. No compliance theatre. Enforcers who no longer tolerate that burden, not just on our SMEs and startups, but on the citizen, too. No two pages of nonsense for businesses to fill if doing so has no impact on data protection because the systems imposed by giant Chinese and US firms are fundamentally at odds with European law.
I suggest two things be done to aid European competitiveness and security.
First, we need material and proportionate enforcement on the giant non-EU that pose the greatest hazards to data. That is fair and proportionate.
We need to strip away their compliance charade, which is costing us all time and money.
Second, enforcing our law against the big players who dominate our market by breaking our law is the missing leg of the competitiveness agenda. We need to invest, but we also need to enforce.
Mission letters for incoming commissioners (and the mission letter to the next commissioner for justice) should make clear that the small Member States where these companies have put all of their European eggs in the single basket must now finally, fully, and fairly apply EU law to the highest risk offenders. That enforcement will be enormously consequential for SMEs.