Dear Readers,

As is traditional, I would like to use the first Newsletter of the year to wish you a healthy, successful and peaceful 2025.

All of us have a sense that we are facing major challenges. Donald Trump is starting his second term of office as US President. Early elections are due to be held in Germany in February. Russia's war of aggression in Ukraine is entering its fourth year. The global economy is barely growing and inflation has by no means been defeated. In this perfect storm, Europe, and with it Germany, is fighting to avoid geopolitical and economic oblivion.

But neither Trump, nor Ukraine, nor the dwindling competitiveness of the old continent will leave as profound a mark as the industrial revolution that is taking place at the speed of light all around us in these weeks and months. It is the transformation of the digital age into a new era, the metamorphosis of the world as we have always known it into a world of artificial intelligence (AI).

What we are experiencing is nothing more and nothing less than the birth of a new species. Homo sapiens is being superseded; they are no longer the only intelligent, thinking beings with the ability of subjugating everything else by the power of their intellect. For the first time in the history of evolution, a created technology will be smarter. The growth in AI knowledge is happening so rapidly that its risks are almost impossible to assess. We are experiencing man’s transition from ruler to ruled.

Is that too negative for you? Then concentrate on what will remain: empathy, compassion and human creativity. Because in these qualities we will always and everywhere have an advantage over any technology. Ultimately, we are the ones who provide AI with the data required to train it. We are the ones who, with the aid of digital literacy, decide which answers provided by generative AI systems we want to believe and which we do not. Let's be homo sentiens.

With that in mind: despite all the temptations, stay tuned to the Centrum für Europäische Politik. It's worth it - especially in the age of artificial intelligence.

Yours
Dr. Jörg Köpke 

Competitiveness of the European Automotive Industry

In January, the European Commission will launch a Strategic Dialogue on the Future of the Automotive Industry in Europe. In the coming months, the European Commission, car manufacturers, suppliers, infrastructure providers, trade unions and trade associations will jointly develop concrete strategies and measures to support the global competitiveness of the European automotive industry. These will focus on the following topics:

Once the dialogue has been launched, under the leadership of Commission President Ursula von der Leyen, there will be a series of thematic meetings. The result should be recommendations for a holistic EU strategy and for corresponding adjustments to the EU regulatory framework in order to overcome the various challenges. Further summit meetings chaired by the Commission President will review the progress made and provide political impetus for further work. cep, which has long been warning of a rapidly accelerating crisis in the automotive industry - partly due to ill-conceived EU policies [cepPolicyBrief 6/2022] -, will actively contribute to the discussions with its own proposals.

Polish Council Presidency Focuses on Defence and Security

In the first half of 2025, under Poland’s presidency of the Council, the EU intends to implement EU-wide measures to strengthen its defence and security architecture. In view of the ongoing threat from Russia and the need for increased military readiness, Member States should increase their defence spending and invest jointly in key technologies and military infrastructure. A central project here is the advancement of the European Defence Industrial Programme (EDIP) to expand defence capabilities and intensify armaments cooperation. In addition, cooperation with NATO, the US, the UK and other partners is to be intensified in order to ensure a coordinated response to threats. An important goal is the development of infrastructure such as the "East Shield" and the "Baltic Defence Line" in order to better defend against hybrid and military attacks. At the same time, the EU is endeavouring to expand strategic transport corridors for rapid troop deployments as part of military mobility. The EU Rapid Deployment Capacity (EU RDC) should be operational by 2025 to enable a flexible response to crises. And the Polish Council Presidency is also aiming to significantly improve digital resilience for more effective defence against cyber-attacks and foreign interference. This includes increased measures to combat disinformation and information manipulation and to expand crisis management capabilities in cyberspace.
 
Healthcare: Presentation of an Action Plan to Strengthen Cybersecurity

On 21 January 2025, and thus, as announced, within the first 100 days of its new term of office, the Commission will present a European Action Plan on the cybersecurity of hospitals and healthcare providers. Its aim is to send a strong signal, right from the start, in support of a robust cybersecurity strategy in the healthcare sector and to strengthen the healthcare sector's resilience to cyber-attacks. Increasing digitalisation and interconnectedness in the healthcare sector has significantly increased the sector's vulnerability to cyber-threats. As numerous media reports in recent years have shown, hospitals are often the target of ransomware attacks and data breaches. At the beginning of December 2024, a Report presented by the European Cybersecurity Agency (ENISA) pointed out that the healthcare sector is one of the three sectors experiencing the most cybersecurity incidents, even if these do not usually have a cross-sectoral impact. Henna Virkkunen, Executive Vice President for Technological Sovereignty, Security and Democracy, emphasised at her hearing before Parliament in November 2024 that it is crucial to fully implement the cybersecurity legislation, much of which was adopted in the last legislative period.
This includes the NIS 2 Directive [(EU) 2022/2555, see cepAdhoc], which the Federal Government is currently attempting to implement (belatedly), the Cyber Resilience Act [CRA, (EU) 2024/2847, see cepPolicyBrief), which only came into force on 10 December 2024 and will start to apply in December 2027, the Cybersecurity Act [CSA, (EU) 2019/881, see cepPolicyBrief on ENISA and cepPolicyBrief on cybersecurity certification] and the Cyber Solidarity Act (see Council Decision of 2 December 2024).
The Action Plan now being announced by the Commission will probably not contain any announcements for new legislative initiatives. Instead, it is likely to provide guidance for healthcare stakeholders and refer them to best safety practices and security measures. The EU Commission also wants to strengthen Europe's competitiveness through joint investment in research and innovation in the field of cyber-defence.
 
AI Factories: European Computing Power to Be More Than Doubled by 2026

In the field of artificial intelligence (AI), the Commission wants to involve the Member States more closely in its plan for AI factories by 1 February 2025 as this is the next deadline for submitting additional proposals for so-called AI factories. The growing importance of AI in all sectors of the economy has significantly increased the need for specialised computing infrastructure. Established plans from the Commission already indicate that AI factories are to be located in leading research and technology centres across Europe, including Barcelona, Bologna, Kajaani, Bissen, Linköping, Stuttgart and Athens. The European supercomputers will enable European AI start-ups to innovate and grow. The Commission plans to invest a total of € 1.5 billion in the AI factories, half of which will be financed by EU funds from the "Digital Europe" and "Horizon Europe" programmes. The overarching goal is to build a flourishing AI infrastructure and strengthen Europe's competitiveness in the field of artificial intelligence for the long term. cep supports this digital policy project from the new Commission [see cepInput Mission Letters: Digital Policy] and has emphasised the need for increased efforts in the field of AI in order for Europe to remain competitive [see Study Europe's Path to Competitiveness in the Global AI Race for the Friedrich Naumann Foundation].

Polish Council Presidency: Priorities for the Financial Markets

In mid-December 2024, the Polish Council Presidency presented its Programme. This includes a number of priorities in the area of financial market regulation which it intends to tackle during its presidency (1 January - 30 June 2025). In particular, it intends to contribute to strengthening the competitiveness of European capital markets. EU legislation supporting the participation of private investors in the financing of the economy and the green and digital transitions will be prioritised. This is likely to include the legislative initiatives presented as part of the EU retail investment strategy (see cepStudy). The Council Presidency also wants to resume the discussion on greater involvement of the European Investment Bank (EIB) in the financing of defence and security expenditure. It also intends to continue work on revising the Payment Services Directive [PSD 3, COM(2023) 366], the new Payment Services Regulation [PSR, COM(2023) 367] and the Regulation on access to financial data [FIDA, COM(2023) 360, see cepPolicyBrief] as well as continuing work on the introduction of the digital euro [COM(2023) 369, see cepPolicyBrief].

Trilogue Agreement on Labour Market Statistics on Businesses

On 12 December 2024, a provisional political agreement was reached on a law to facilitate the collection of labour market statistics on businesses at EU level. The new rules are intended to ensure that the data collected is more up to date and more comparable and will affect statistics on earnings, labour costs and job vacancies in the EU. The aim is to improve, most notably, the data available for measuring the gender pay gap and to provide the most complete possible picture of the economy. The background to this is the increasing need for reliable labour market data to evaluate the EU's economic and social policy measures. More efficient data management aims to improve political target management.

Agreement on the Targeted Adjustment of the Benchmark Regulation

On 12 December 2024, the Council and the European Parliament provisionally agreed on a revision of the so-called Benchmark Regulation [BMR, (EU) 2016/1011]. The Regulation establishes a legal framework to ensure the accuracy and integrity of indices used as benchmarks for financial instruments and contracts, or to measure the performance of investment funds in the EU. The Commission presented a proposal to revise the Regulation in October 2023 [COM(2023) 660]. The revision is intended to streamline reporting obligations, adjust the scope of the Regulation and create new rules on the use of benchmarks that are administered by benchmark administrators in non-EU countries.
In future, under the agreement that has now been reached, benchmarks that are categorised as non-significant in the EU will no longer fall within the scope of the Regulation. This should help to reduce the administrative burden. On the other hand, all benchmarks that are categorised as significant or critical will remain within the scope of the Regulation as will the Paris-aligned benchmarks, EU benchmarks related to climate transition and benchmarks for certain raw materials. In addition, administrators who are exempt from the Regulation are to be allowed to submit to the requirements of the Regulation voluntarily by way of an opt-in. The agreement also includes adjustments to the method of calculation that determines whether a particular benchmark is to be categorised as significant. Additional qualitative criteria will, in future, be taken into account in this regard. One important new provision also concerns the European Securities and Markets Authority (ESMA). In future, it will have additional powers with regard to benchmark administrators in third countries.
The provisional agreement must now be formally confirmed by the Council and the European Parliament, which should take place at the beginning of 2025. The new provisions will apply from 1 January 2026. More information on the provisional agreement is available here and here.

Better Data Sharing: Streamlining Reporting Requirements in the Financial Sector

On 17 December 2024, the Council and the European Parliament provisionally agreed on a revision of numerous Regulations as regards certain reporting requirements in the areas of financial services and investment support. The Commission presented its proposal on 17 October 2023 as part of its general agenda for rationalising and streamlining reporting requirements and strengthening EU competitiveness. The Regulation is intended to promote more efficient data collection and avoid duplicate reporting which should directly relieve the burden on European and national financial supervisory authorities and, indirectly, on financial sector companies subject to reporting requirements. Most notably, the agreement allows the European Supervisory Authorities and the competent national authorities to make an assessment and report within five years on whether the introduction of an integrated reporting system to facilitate the collection and exchange of data is appropriate. If this is the case, the Commission will submit a legislative proposal for its introduction. Furthermore, the principle of "reporting once" is to be given greater emphasis. In future, before requesting certain information from a financial institution, authorities will check whether this information is already available to other authorities. This aims to prevent financial institutions from having to submit the same reports more than once. The agreement still has to be formally confirmed by the European Parliament and the Council.

The Commission, the Council and the European Parliament regularly negotiate in the so-called trilogue on EU legislative proposals in order to find a common position. We have put together a summary of the most important trilogue decisions since the last Newsletter.

Data Transfers to Third Country Authorities: Guidelines from the European Data Protection Board

How should data controllers and processors in the European Economic Area (EEA) behave if they are requested by third country authorities to disclose or transfer personal data - for example to banking regulators, tax authorities or law enforcement or security authorities or to agencies for the authorisation of pharmaceutical products? This is what the European Data Protection Board (EDPB) wants to clarify with its Guidelines 02/2024 on Art. 48 of the General Data Protection Regulation (GDPR) regarding data transfers to authorities in third countries, which were published on 3 December 2024. Art. 48 states that court judgements or administrative decisions from third countries that require the disclosure or transfer of personal data cannot be recognised or enforced automatically unless there is an international agreement such as a mutual legal assistance treaty which provides for this.
The guidelines are intended to help companies and other private entities to decide whether they may transfer personal data to authorities in third countries when requested to do so and under what conditions they can lawfully respond to such requests. This is necessary because anyone who receives and responds to a request from a third country authority is carrying out an international data transfer, and thus data processing, for which they require both a legal basis in accordance with Article 6 and a ground for transfer in accordance with Chapter V of the GDPR. The EDPB clarifies that the transmitting party must check both of these as part of a so-called two-stage test because neither Art. 48 nor the request by a foreign authority alone constitutes a legal basis or a ground for the transfer.
According to the EDPB, if an international agreement exists, it may constitute both a legal basis and a ground for transfer if it creates a legal obligation for controllers and processors to comply with the request and contains appropriate safeguards to protect the data. If there is no international agreement or if such agreement fails to provide a suitable legal basis or safeguards, the transferring party must carefully examine whether it can rely on another legal basis or another reason for the transfer in the individual case. In its guidelines, the EDPB examines, among other things, which legal bases (such as consent, fulfilment of a contract, public interest, legitimate interests) come into consideration and which are (more likely) to be ruled out. The EDPB invites all stakeholders and citizens to comment on the guidelines.

The submission period for opinions ends on 27 January 2025.
Go to Consultation

Public Procurement

The EU Commission has launched a consultation to evaluate the three Directives on the award of public contracts. Specifically, this relates to the Directive on the award of concessions contracts (Directive 2014/23/EU), the Directive on public procurement (Directive 2014/24/EU) and the Directive on procurement by entities operating in the water, energy, transport and postal services sectors (Directive 2014/25/EU). The Directives are intended to ensure the efficient use of public funds and contribute to strong competition in the internal market. The Directives are also intended to increase the participation of SMEs in procurement procedures, reduce the administrative burden associated with procurement procedures and make the European economy greener, more social and more innovative. The aim of the consultation is to gather opinions, information, data and feedback on how the three Directives have performed. The Commission would also like to know whether the Directives are still fit for achieving the EU's political objectives.

The submission period for opinions ends on 7 March 2025.

Go to Consultation

8 January 2025
Luxembourg

In a hitherto largely unknown but potentially important case, the European General Court has once again ruled on the lawfulness of data transfers to the US (Case T-354/22). The proceedings are based on a complaint filed by German lawyer Thomas Bindl against the EU Commission for violations of Regulation (EU) 2018/1725, the equivalent of the EU General Data Protection Regulation (GDPR) that applies to EU institutions.
Specifically, Bindl accuses the Commission of unlawfully transferring his personal data to the US when he accessed the website operated by the Commission for the Conference on the Future of Europe (futureu.europa.eu) in 2022. Because this website was hosted by Amazon Web Services, his IP address, among other things, was transmitted to the US when he accessed the site, even though the European Court of Justice (ECJ) had ruled that there was (at that time) no adequate level of data protection there. In its 2020 Schrems II judgement, the ECJ ruled the existing 2020 adequacy decision - based on the EU-US Privacy Shield - null and void; the Commission's current adequacy decision based on the EU-US Data Privacy Framework (DPF) did not enter into force until 2023. Bindl also criticises the fact that the Commission unlawfully failed to provide the information he requested about the processing of his data and about the protective measures it took when transferring it. In addition to unlawful transmission and the failure to provide information, Bindl also complains of a violation of his fundamental rights to data protection, privacy and legal redress.
What is notable about these proceedings is the fact that they do not - as is often the case with data protection issues - involve a preliminary ruling but that Bindl is in fact bringing an action for annulment against the data transfers initiated by the Commission, and an action for failure to act regarding the Commission’s failure to provide information. He is also suing the Commission for damages in the amount of € 1,200 because he has suffered non-material loss as a result of the uncontrolled transmission of his data.
Among other things, the Court must now decide to what extent private individuals can take legal action against EU institutions - in this case the Commission - for unlawful data transfer and the failure to provide information, as provided for in the EU Treaties. To this end, it must clarify, among other things, whether the data transfer at issue is a contestable act of the Commission that directly and individually concerns Bindl or impairs his legal position, and whether the provision of information under data protection law, which was not carried out, constitutes an act which the Commission should have addressed to Bindl. Pursuant to Art. 263 (4) TFEU, private individuals may bring proceedings against acts by the Commission which are addressed to them or which are of direct and individual concern to them, subject to more detailed conditions. Under Art. 265 (4) TFEU, they can bring an action against the Commission for a declaration of a breach of contract if the Commission has failed, in breach of the EU Treaties, to "address to that person [the private individual] any act other than a recommendation or an opinion”.
If the Court upholds the claims, its statements on joint responsibility and the numerous detailed technical issues surrounding content delivery networks and dynamic IP addresses could also be of interest for other cases. It will also be interesting to see whether the Court rules that the transfer of data by a website to third countries without an adequate level of protection, also involved a loss of control over the data thereby constituting non-material damage to the data subject that is eligible for compensation - without any further requirements such as actual access to the data having to be demonstrated. The judgement would then be in line with the latest case law of the European Court of Justice and the German Federal Court of Justice, which recently significantly lowered the hurdles for claiming non-material damages in the event of loss of control. This could have far-reaching consequences, as companies transferring data could then also find themselves increasingly exposed to claims for damages. However, it is unclear whether the Court will also comment on the current level of data protection in the US. As this concerns incidents that occurred before the new adequacy decision came into force, the Court will probably refrain from reviewing its lawfulness.

9 January 2025
Luxembourg
Can companies require their customers to state their form of address ("Mr" or "Mrs") when concluding an online contract? Or must they at least offer them an alternative option such as "Neutral" or "Other"? The European Court of Justice (ECJ) is dealing with these questions in a further data protection dispute between Association Mousse, on the one hand, and the French supervisory authority CNIL and the ticket provider SNCF Connect, on the other (Case No. C-394/23).
The proceedings offer the ECJ the opportunity to further clarify the scope of the principles of lawfulness of processing, data minimisation and accuracy. The CNIL considers the mandatory collection of the form of address to be necessary in order to fulfil the intended contract for a rail journey and to protect the legitimate interests of the provider. Firstly, addressing customers using the appropriate form of address is common practice in communication; secondly, data subjects - for whom none of the specified forms of address fit - could later exercise their right to object to the data processing. Mousse, on the other hand, believes that the collection and storage of the form of address violates, among other things, the fundamental right of those affected to respect for their privacy and the principle of freedom of movement. The data would also be incorrect if a data subject who felt neither male nor female had to choose one of the two specifications.
Among other things, the ECJ must decide whether common practice (in this case, the collection of the form of address) and a possible right to object must be taken into account when examining the necessity of data processing. According to the EU Advocate General, whose opinion the ECJ often follows, the systematic processing of data relating to the form of address, for the purpose of personalised business communication, is not necessary for the performance of a contract. Nor can the legal basis of legitimate interests be relied upon if the provider failed to inform the customer of these interests at the time of collection. Data processing cannot be assumed to be lawful purely because the data subject can subsequently object to it, otherwise, the lawfulness of processing would depend on the behaviour of the data subject. In addition, the grounds for lawfulness would then be extended beyond the conclusive list of cases in Art. 6 GDPR.

On 18 December 2024, the Italian bank UniCredit announced that it had subscribed for new financial instruments relating to Commerzbank shares, in line with its previously announced target of acquiring a stake of up to 29.9% in the German bank. UniCredit's total position now amounts to around 28%, of which 9.5% is held directly and around 18.5% via derivative instruments. UniCredit points out that it has submitted the necessary regulatory documents for the acquisition of a stake of more than 10% and up to 29.9% in Commerzbank. The authorisation process has been initiated and discussions with the authorities are ongoing. According to the Italian bank, UniCredit's average entry price for the entire position is below current listings and fulfils all the financial parameters which the bank has undertaken to its shareholders to comply with. UniCredit's economic risk would be almost completely covered, which demonstrates a prudent approach and ensures full flexibility and optionality. Prior to this transaction, UniCredit had already spent around € 3.5 billion on the acquisition of a 21% stake in Commerzbank. In September, it acquired the entire 4.5% stake that the German Treasury (which holds a further 12.5%) had placed on the market. Berlin, for its part, immediately opposed the hostile takeover of the capital of Germany's second-largest bank by UniCredit. UniCredit's latest move confirms "that the Commerzbank has significant value that needs to be consolidated. It reflects the confidence in Germany, its companies and communities as well as the importance of a strong banking sector for the country's economic development.”

The international website "Common Ground of Europe" is an initiative of the Centres for European Policy Network (cep). On the commongroundeurope.eu website, cep collects mainly English-language contributions, articles and interviews from decision-makers and experts in politics, business and science. We cordially invite you to take a look through our window on Europe. Here are some examples from the past month.

Dear Readers,

In the words of Johann Wolfgang von Goethe: "And here I am, for all my lore, the wretched fool I was before!"

Yours
Dr. Jörg Köpke