
T3CON23 Recap—Quo Vadis, EU Law?

Balancing Digital Freedom, Privacy, and Consumer Protection

The future of open source is inextricably linked to the law. Regulations have the potential to foster or hinder its development. Both existing and forthcoming EU laws reveal tensions between expanding personal digital sovereignty and enabling open-source innovation. At this year’s T3CON, legal expert Neil Peretz gave us a tour of these nuanced aspects of digital sovereignty, as well as a look at the situation in the USA.

Peretz’s talk Quo Vadis EU Law — from the Latin phrase meaning “Where are you going?” — asked about the future of EU digital laws. Peretz explained the most important elements for the open source community of the following pending laws:

Personal Digital Sovereignty
Cyber Resilience Act
Product Liability Act
Data Governance Act
Data Act
GDPR and the Data Protection Framework
AI Act
Digital Markets Act
Digital Services Act
How Does the EU Compare to the US?

He concluded that the regulations overall are seeking to enhance transparency, choice and control over one’s personal data. Some laws can have very unfortunate consequences, but the open-source community should remain cautiously optimistic, and advocate for revisions where necessary.

Read on for a full recap, or catch up on what else you missed at T3CON23.

Personal Digital Sovereignty

Peretz began by defining personal digital sovereignty as having privacy, choice, transparency, access, safety, and control over one’s data.

We can approach the idea of personal digital sovereignty by analogy with national sovereignty:

Sovereignty usually talks about nation-states. And they talk about things like: Is your state competitive in the global economy? Does your technology represent the values that you consider to be important? Do you have independence from foreign suppliers?

When it comes to digital sovereignty, by contrast, “people want to hear about their own story.” This involves a different set of questions:

Do I have a choice of different systems to use? Is it transparent? Do I know what’s going on with my data? Can I access it? Is it safe? Am I going to have people hacking in? Can I express myself? Do I own my data? Can I control my data?

Peretz went on to discuss these questions by exploring the details of new and upcoming EU laws aimed at improving personal data sovereignty.

Cyber Resilience Act

Peretz highlighted serious concerns around the pending EU Cyber Resilience Act, suggesting that it could hamper open source innovation.

The Cyber Resilience Act arises from good intentions, much like previous EU regulations such as GDPR: the desire is to protect consumers from flaws in digital products, as governments already do for physical goods. However, Peretz cautioned that the strict requirements on software developers are problematic. He said these requirements mandate cybersecurity standards and public disclosure about “what I did for cybersecurity.” This is a logical focus on accountability and transparency; however, open-source projects have many disparate contributors, making compliance impractical.

Peretz noted the Act’s narrow exception for open source basically only applies “if you’re not paid anything whatsoever” to work on the code. This disqualifies almost all real-world community development models. High overheads here could have very unfortunate consequences:

The real winner of this, if you heighten the barriers for open source, is the big tech companies. They’re the only folks who can actually afford to go through all these steps.

Editor’s Note: In July 2023, TYPO3 and fellow open-source CMS projects warned of the adverse effects of the Act in an Open Letter to EU legislators. The projects have also participated in meetings with other open-source projects, hosted by Open Forum Europe (OFE), to discuss the proposed legislation. Detailed input and recommendations have been offered to the EU, and since T3CON23 some major improvements have been made to the drafts. Though positive, this highlights the need for vigilance and participation by open-source projects in the development of new legislation.

The Act also prohibits shipping unfinished code, which prevents gathering feedback from the community on early versions. And EU-specific needs could block global collaboration, even excluding European contributors. Ultimately, instead of empowering users with more software choices, Peretz believes the Cyber Resilience Act will severely limit options.

One of the problems is: If it’s not open source, you’re going to have a ban on shipping it if it’s unfinished. That means you’re not going to be able to ship alpha releases and beta releases. And that’s how open source works — we get feedback from the community.

While strongly supporting the law’s consumer protection goals, Peretz urged significant revisions. Otherwise, EU officials may inadvertently shatter vibrant open source communities across Europe.

Product Liability Act

According to Peretz, the EU’s Product Liability Act unfortunately risks turning into another dangerous scenario, threatening open source communities with legal liability.

Peretz explained that the law allows lawsuits even when no contractual relationship exists between software users and developers. Merely proving that a product caused damages opens manufacturers to court judgments. He said this means the developer is at fault without users demonstrating negligence.

The Product Liability Act is about what happens if you’re inadvertently affected by software, and you don’t even have a contract with a developer. Essentially, what it means is, the developer is at fault. You don’t need to prove fault. All you have to do is prove causation.

While such obligations are reasonable for physical goods, Peretz argued they become problematic online. Open-source projects have loose, ever-changing contributors across multiple countries. There is rarely a single manufacturer to hold responsible.

At the same time, the Act’s expansive definition of commercial activity drags nearly all real-world community coding efforts under its purview. Peretz noted even distributing programs for free often involves income like support services or sponsorships. This disqualifies most platforms from exemption.

Under the Act, source code is deemed to be non-executable information, rather than software, so it escapes liability. But Peretz said distributing compiled binaries may still raise major legal risks.

In particular, open-source projects might face liability simply by neglecting updates after an initial launch:

Defects can include a lack of updates. It’s not just that you shipped it and a problem was discovered later — but you did the right thing when you shipped it. If you’re not updating your software, and you’re not monitoring it, you still could have liability in this situation.

With limited resources, most projects cannot pledge ongoing upgrades, yet would still carry the blame under the Product Liability Act. Ultimately, Peretz again warned that good-faith consumer protections may unintentionally crush digital innovation that springs from open-code collaboration.

Data Governance Act

Shifting focus, Peretz next addressed the recently enacted EU Data Governance Act. He explained that this law aims to increase public access to government data sets across Europe. Member states cannot play favorites or grant exclusivity over these public resources. However, Peretz noted that authorities can still place necessary restrictions on any disclosures:

The government can put conditions on disclosure. They can say this is secret data, you need to keep it secure in a certain way — maybe I only issue it to you in the aggregate, or you have certain security measures in place.

On the positive side, Peretz said that the Data Governance Act creates new business models around open data. It provides for certified “data intermediation services” that must fairly redistribute public data to all requesters without preference.

Another positive development from the law lies in data altruism organizations — nonprofits that can collect and reformat data for issues like transportation, climate change, and other public interests. Peretz noted these bodies will face audits and oversight to prevent misuse.

[Data intermediation services are] an outgrowth of making the government more accessible to the public.

Potentially most significantly, the law could enable valuable data collaboration across borders. Peretz highlighted the new EU Data Innovation Board, tasked with standardizing formats across the region. This could let agencies easily combine insights from multiple countries into shared data lakes.

Data Act

Peretz moved on to the similarly named, but quite different, Data Act, which also recently passed into law. This legislation tackles data gathering from the estimated 40 billion Internet of Things (IoT) devices now deployed across Europe.

Peretz explained that this Act forces disclosure and access requirements around IoT data collection. Manufacturers cannot simply collect information through smart devices while users remain ignorant. Instead, they must clearly detail what is gathered and enable consumers to access these digital exhaust trails.

The Data Act limits secondary usage of this personal data only to stated purposes. Firms cannot use individuals’ intimate IoT insights for undisclosed advertising or other ancillary objectives. There are also restrictions around declaring some data as protected trade secrets, requiring consent agreements with users first.

What you have to do, if you’re an Internet of Things manufacturer under this law, is to disclose the data that you’re gathering from people — you’ve got to enable them to access the data. […] There are restrictions on what the manufacturer can do with the data, and the manufacturer has to make the data available to you.

In a boon for open source, Peretz highlighted how the Data Act also extends transparency rules to cloud platforms. Providers must outline onboarding processes, data export fees, and support for portability between competing services. Within three years, they must enable users to fully offboard within 30 days at no cost.

This cloud provision removes vendor lock-in. Developers can freely relocate projects, confident their cloud partners must facilitate rapid, inexpensive data transfers:

This is going to mean much more portability. It really plays to the strength of open source, because now you can go move anywhere, and your cloud provider actually has to help you.

In concert with the Data Governance Act, the Data Act seems to be a positive development in securing user rights while fueling digital innovation.

GDPR and the Data Protection Framework

No discussion of European data legislation is complete without addressing General Data Protection Regulation (GDPR) compliance.

The biggest source of litigation about GDPR and the EU has been: “Oh my God, you’re hauling data back to America, and who knows what they’re doing with it over there!”

Peretz explained that these legal complaints recently toppled an agreement called the Privacy Shield, between the EU and the United States. Now, after years of negotiations, the two parties have adopted a new Data Protection Framework to enable compliant cloud data flows.

This framework legally binds US government agencies to strict limits on accessing data from European citizens. Access requests must target specific national security threats like terrorism or transnational crime. Broad population surveillance is prohibited.

Additionally, the Framework mandates the use of the least intrusive investigative methods and storing only necessary information. Peretz said an independent US data protection court was created to hear European complaints and enforce constraints on data seizure.

Through these mechanisms, [the Data Protection Framework] is thought to deal with the objections that were raised about the Privacy Shield and the European Court of Justice. Basically, the Commission has declared that it’s OK to transmit data back to the US under this framework.

Peretz also noted that the Data Protection Framework helps assure European privacy rights are respected when data leaves the continent, while enabling cloud services critical for global digital infrastructure.

AI Act

Moving to the hot topic of AI, Peretz highlighted serious open-source community worries around the pending EU AI Act. He warned this law’s expansive scope and arduous demands seem custom-built to crush small, nonprofit AI innovators.

In Peretz’s view, the Act designates a lot of requirements for core foundation models like machine learning architectures:

You’ve got to make sure it doesn’t harm the health or safety, it doesn’t harm fundamental rights, it’s efficient with energy use. I’ve got to have extensive documentation, when I ship it. I’ve got to register the model in all the different EU databases. It’s a big lift. If you want to go build the foundation model, you’ve got a lot of homework to do.

This imposes a limit on who can ship foundation models, as only well-funded efforts will be able to proceed. Currently, researchers rely on open-source access to debug models when issues emerge, but this Act may lead to a future limited to black-boxed proprietary AI.

“The open source community is pretty concerned about the Act,” Peretz said, since its endless auditing mandates will hinder iterative collaboration. Instead, he advocates simply for transparent testing and risk analysis — not recurrent demonstrations of conformity that are irrelevant to community coding.

More broadly, Peretz noted, the law invoked a litany of arbitrary AI categories and definitions that encompass nearly any software: when “signing up for T3CON, if the form predicted what I wanted for dinner, it was an AI system.” This confusing scope makes compliance challenges even tougher.

Digital Markets Act

Another major regulatory push, the EU’s Digital Markets Act, targets perceived unfairness by Big Tech gatekeepers: prominent American giants like Amazon and Google, though Chinese conglomerate ByteDance also makes an appearance. These dominant platforms can shape the open source projects that are reliant upon them.

The idea of the Digital Markets Act is: Let’s regulate the gatekeepers, let’s make them be more transparent about how they use data, let’s make them be more transparent about their algorithms — how do they raise things up to the top?

For example, Amazon cannot elevate its own white-label goods over sellers using its commerce platform to access its massive customer base. More broadly, mandated algorithmic transparency would reveal if marketplaces were creating systemic bias against certain providers.

Peretz suggested this call for transparency poses useful questions for the open-source developers that rely on reaching users through these content and ecommerce ecosystems. Understanding what fully drives app store selections or search rankings could help level the competitive playing field.

Digital Services Act

In the same category as the Digital Markets Act, the EU’s Digital Services Act also targets transparency. However, this law focuses specifically on the data and algorithms powering content presentation and removals (think social media posts), rather than e-commerce.

Peretz explained how this Act creates avenues to challenge decisions made internally at companies. It introduces trusted flagger organizations — that is, certified nonprofits that can report problematic posts and force reconsideration by providers. The goal is to let outside advocates address controversies, rather than leaving judgments solely to profit-driven platforms. This prevents companies from allowing popular but extremist posts to boost engagement.

If disputes emerge around a flagger organization’s reliability or a takedown decision, formal arbitration procedures will be in place to find a resolution. Each EU country will maintain a regulatory body to hear appeals and levy fines, which should incentivize corporations to screen their content carefully.

About the Speaker

Neil Peretz is head of legal for WooCommerce and works on EU law and open source law matters for Automattic. He has pursued a lengthy legal career in both the US and the EU, where he was part of a legal research project for the European Commission on consumer dispute resolution.

How Does the EU Compare to the US?

Peretz concluded by highlighting substantial differences in data governance approaches between the European Union and the United States. He depicted European officials as driving principled digital policy and American lawmakers as influenced by corporate donors.

[In the US], it costs a lot of money to run for office. You need a lot of money to buy lots of advertisements. Who’s got the most money? Corporations, right? There are some rich people out there, but corporations really have the most money. And so they spend that money. And we have this weird equation, where in the United States money equals free speech.

Corporations give money to political campaigns, empowering them to influence politicians desperate to fund their re-election campaigns. This reliance on corporate fundraisers leads Congress to avoid most restrictions on business practices.

By contrast, European governance proceeds from abstract priorities like consumer welfare and open innovation of platforms. The EU enacts sweeping regulations focused on societal advantages, rather than commercial feasibility.

However, Peretz noted individual US states can play a similar role to European nations as laboratories of democracy. Major states, like California, do succeed in passing their own expansive privacy laws, at times explicitly learning from EU policies, like GDPR. This state-level activism seeds ideas that may eventually create more uniform and modern nationwide regulations.

Quo vadis? It’s up to us!

As EU regulations like the Cyber Resilience Act, Digital Services Act, AI Act, and updates to GDPR continue to unfold, the open source community stands at a crossroads. These laws, aiming to enhance digital sovereignty and personal data control, present both challenges and opportunities.

While concerns about stifling innovation and the practicality of compliance are valid — particularly for open-source projects — these regulations also pave the way for greater transparency, user choice, and data security. The juxtaposition of these tensions suggests a future where EU law could either inhibit or invigorate open-source development.

Peretz said the open source community should remain cautiously optimistic, advocating for revisions where necessary, while leveraging the potential of these laws to foster a more secure and user-empowered digital landscape.

You can catch up on more talks from T3CON23 here.