T3CON23 Recap—Quo Vadis, EU Law?

Peretz began by defining personal digital sovereignty as having privacy, choice, transparency, access, safety, and control over one’s data.

We can approach the idea of personal digital sovereignty by analogy with national sovereignty:

Sovereignty usually talks about nation-states. And they talk about things like: Is your state competitive in the global economy? Does your technology represent the values that you consider to be important? Do you have independence from foreign suppliers?

When it comes to digital sovereignty, by contrast, “people want to hear about their own story.” This involves a different set of questions:

Do I have a choice of different systems to use? Is it transparent? Do I know what’s going on with my data? Can I access it? Is it safe? Am I going to have people hacking in? Can I express myself? Do I own my data? Can I control my data?

Peretz went on to discuss these questions by exploring the details of new and upcoming EU laws aimed at improving personal data sovereignty.

Peretz highlighted serious concerns around the pending EU Cyber Resilience Act, suggesting that it could hamper open source innovation.

The real winner of this, if you heighten the barriers for open source, is the big tech companies. They’re the only folks who can actually afford to go through all these steps.

The Act also prohibits shipping unfinished code, which prevents gathering feedback from the community on early versions. And EU-specific needs could block global collaboration, even excluding European contributors. Ultimately, instead of empowering users with more software choices, Peretz believes the Cyber Resilience Act will severely limit options.

One of the problems is: If it’s not open source, you’re going to have a ban on shipping it if it’s unfinished. That means you’re not going to be able to ship alpha releases and beta releases. And that’s how open source works — we get feedback from the community.

While strongly supporting the law’s consumer protection goals, Peretz urged significant revisions. Otherwise, EU officials may inadvertently shatter vibrant open source communities across Europe.

According to Peretz, the EU’s Product Liability Act unfortunately risks turning into another dangerous scenario, threatening open source communities with legal liability.

Peretz explained that the law allows lawsuits even when no contractual relationship exists between software users and developers. Merely proving that a product caused damages opens manufacturers to court judgments. He said this means the developer is at fault without users demonstrating negligence.

The Product Liability Act is about what happens if you’re inadvertently affected by software, and you don’t even have a contract with a developer. Essentially, what it means is, the developer is at fault. You don’t need to prove fault. All you have to do is prove causation.

While such obligations are reasonable for physical goods, Peretz argued they become problematic online. Open-source projects have loose, ever-changing contributors across multiple countries. There is rarely a single manufacturer to hold responsible.

At the same time, the Act’s expansive definition of commercial activity drags nearly all real-world community coding efforts under its purview. Peretz noted even distributing programs for free often involves income like support services or sponsorships. This disqualifies most platforms from exemption.

Under the Act, source code is deemed to be non-executable information, rather than software, so it escapes liability. But Peretz said distributing compiled binaries may still raise major legal risks.

In particular, open-source projects might face liability simply by neglecting updates after an initial launch:

Defects can include a lack of updates. It’s not just that you shipped it and a problem was discovered later — but you did the right thing when you shipped it. If you’re not updating your software, and you’re not monitoring it, you still could have liability in this situation.

With limited resources, most projects cannot pledge ongoing upgrades, yet would still carry the blame under the Product Liability Act. Ultimately, Peretz again warned that good-faith consumer protections may unintentionally crush digital innovation that springs from open-code collaboration.

Shifting focus, Peretz next addressed the recently enacted EU Data Governance Act. He explained that this law aims to increase public access to government data sets across Europe. Member states cannot play favorites or grant exclusivity over these public resources. However, Peretz noted that authorities can still place necessary restrictions on any disclosures:

The government can put conditions on disclosure. They can say this is secret data, you need to keep it secure in a certain way — maybe I only issue it to you in the aggregate, or you have certain security measures in place.

On the positive side, Peretz said that the Data Governance Act creates new business models around open data. It provides for certified “data intermediation services” that must fairly redistribute public data to all requesters without preference.

Another positive development from the law lies in data altruism organizations — nonprofits that can collect and reformat data for issues like transportation, climate change, and other public interests. Peretz noted these bodies will face audits and oversight to prevent misuse.

[Data intermediation services are] an outgrowth of making the government more accessible to the public.

Potentially most significantly, the law could enable valuable data collaboration across borders. Peretz highlighted the new EU Data Innovation Board, tasked with standardizing formats across the region. This could let agencies easily combine insights from multiple countries into shared data lakes.

Peretz moved on to the similarly-named, but quite different, Data Act, which also recently passed into law. This legislation tackles data gathering from the estimated 40 billion Internet of Things (IoT) devices now deployed across Europe.

Peretz explained that this Act forces disclosure and access requirements around IoT data collection. Manufacturers cannot simply collect information through smart devices while users remain ignorant. Instead, they must clearly detail what is gathered and enable consumers to access these digital exhaust trails.

The Data Act limits secondary usage of this personal data only to stated purposes. Firms cannot use individuals’ intimate IoT insights for undisclosed advertising or other ancillary objectives. There are also restrictions around declaring some data as protected trade secrets, requiring consent agreements with users first.

What you have to do, if you’re an Internet of Things manufacturer under this law, is to disclose the data that you’re gathering from people — you’ve got to enable them to access the data. […] There are restrictions on what the manufacturer can do with the data, and the manufacturer has to make the data available to you.

In a boon for open source, Peretz highlighted how the Data Act also extends transparency rules to cloud platforms. Providers must outline onboarding processes, data export fees, and support for portability between competing services. Within three years, they must enable users to fully offboard within 30 days at no cost.

This cloud provision removes vendor lock-in. Developers can freely relocate projects, confident their cloud partners must facilitate rapid, inexpensive data transfers:

This is going to mean much more portability. It really plays to the strength of open source, because now you can go move anywhere, and your cloud provider actually has to help you.

In concert with the Data Governance Act, the Data Act seems to be a positive development in securing user rights while fueling digital innovation.

No discussion of European data legislation is complete without addressing General Data Protection Regulation (GDPR) compliance.

The biggest source of litigation about GDPR and the EU has been: “Oh my God, you’re hauling data back to America, and who knows what they're doing with it over there!”

Peretz explained that these legal complaints recently toppled an agreement called the Privacy Shield, between the EU and the United States. Now, after years of negotiations, the two parties have adopted a new Data Protection Framework to enable compliant cloud data flows.

This framework legally binds US government agencies to strict limits on accessing data from European citizens. Access requests must target specific national security threats like terrorism or transnational crime. Broad population surveillance is prohibited.

Additionally, the Framework mandates the use of the least intrusive investigative methods and storing only necessary information. Peretz said an independent US data protection court was created to hear European complaints and enforce constraints on data seizure.

Through these mechanisms, [the Data Protection Framework] is thought to deal with the objections that were raised about the Privacy Shield and the European Court of Justice. Basically, the Commission has declared that it’s OK to transmit data back to the US under this framework.

Peretz also noted that the Data Protection Framework helps assure European privacy rights are respected when data leaves the continent, while enabling cloud services critical for global digital infrastructure.

Moving to the hot topic of AI, Peretz highlighted serious open-source community worries around the pending EU AI Act. He warned this law’s expansive scope and arduous demands seem custom-built to crush small, nonprofit AI innovators.

In Peretz’s view, the Act designates a lot of requirements for core foundation models like machine learning architectures:

You’ve got to make sure it doesn’t harm the health or safety, it doesn’t harm fundamental rights, it’s efficient with energy use. I’ve got to have extensive documentation, when I ship it. I’ve got to register the bottle in all the different EU databases. It’s a big life. If you want to go build the foundation model, you’ve a lot of homework to do.

This imposes a limit on who can ship foundation models, as only well-funded efforts will be able to proceed. Currently, researchers rely on open-source access to debug models when issues emerge, but this Act may lead to a future limited to black-boxed proprietary AI.

“The open source community is pretty concerned about the Act,” Peretz said, since its endless auditing mandates will hinder iterative collaboration. Instead, he advocates simply for transparent testing and risk analysis — not recurrent demonstrations of conformity that are irrelevant to community coding.

More broadly, Peretz noted, the law invoked a litany of arbitrary AI categories and definitions that encompass nearly any software: when “signing up for T3CON, if the form predicted what I wanted for dinner, it was an AI system.” This confusing scope makes compliance challenges even tougher.

Another major regulatory push, the EU’s Digital Markets Act, targets perceived unfairness by Big Tech gatekeepers: prominent American giants like Amazon and Google, though Chinese conglomerate ByteDance also makes an appearance. These dominant platforms can shape the open source projects that are reliant upon them.

The idea of the Digital Markets Act is: Let’s regulate the gatekeepers, let’s make them be more transparent about how they use data, let’s make them be more transparent about their algorithms — how do they raise things up to the top?

For example, Amazon cannot elevate its own white-label goods over sellers using its commerce platform to access its massive customer base. More broadly, mandated algorithmic transparency would reveal if marketplaces were creating systemic bias against certain providers.

Peretz suggested this call for transparency poses useful questions for the open-source developers that rely on reaching users through these content and ecommerce ecosystems. Understanding what fully drives app store selections or search rankings could help level the competitive playing field.

In the same category as the Digital Markets Act, the EU’s Digital Services Act also targets transparency. However, this law focuses specifically on the data and algorithms powering content presentation and removals (think social media posts), rather than e-commerce.

Peretz explained how this Act creates avenues to challenge decisions made internally at companies. It introduces trusted flagger organizations — that is, certified nonprofits that can report problematic posts and force reconsideration by providers. The goal is to let outside advocates address controversies, rather than leaving judgments solely to profit-driven platforms. This prevents companies from allowing popular, but extremist posts to boost engagement.

If disputes emerge around organization reliability or takedown disputes, formal arbitration procedures will be in place to find a resolution. Each EU country will maintain a regulatory body to hear appeals and levy fines, which should incentivize corporations to screen their content carefully.

Peretz concluded by highlighting substantial differences in data governance approaches between the European Union and the United States. He depicted European officials as driving principled digital policy and American lawmakers as influenced by corporate donors.

[In the US], it costs a lot of money to run for office. You need a lot of money to buy lots of advertisements. Who’s got the most money? Corporations, right? There are some rich people out there, but corporations really have the most money. And so they spend that money. And we have this weird equation, where in the United States money equals free speech.

Corporations give money to political campaigns, empowering them to influence politicians desperate to fund their re-election campaigns. This reliance on corporate fundraisers leads Congress to avoid most restrictions on business practices.

By contrast, European governance proceeds from abstract priorities like consumer welfare and open innovation of platforms. The EU enacts sweeping regulations focused on societal advantages, rather than commercial feasibility.

However, Peretz noted individual US states can play a similar role to European nations as laboratories of democracy. Major states, like California, do succeed in passing their own expansive privacy laws, at times explicitly learning from EU policies, like GDPR. This state-level activism seeds ideas that may eventually create more uniform and modern nationwide regulations.

As EU regulations like the Cyber Resilience Act, Digital Services Act, AI Act, and updates to GDPR continue to unfold, the open source community stands at a crossroads. These laws, aiming to enhance digital sovereignty and personal data control, present both challenges and opportunities.

While concerns about stifling innovation and the practicality of compliance are valid — particularly for open-source projects — these regulations also pave the way for greater transparency, user choice, and data security. The juxtaposition of these tensions suggests a future where EU law could either inhibit or invigorate open-source development.

Peretz said the open source community should remain cautiously optimistic, advocating for revisions where necessary, while leveraging the potential of these laws to foster a more secure and user-empowered digital landscape.

You can catch up on more talks from T3CON23 here.