BRUSSELS — More than 80 percent of Europe’s companies will be freed from environmental-reporting obligations after EU institutions reached a deal on a proposal to cut green rules on Monday.   The deal is a major legislative victory for European Commission President Ursula von der Leyen in her push cut red tape for business, one of the defining missions of her second term in office. However, that victory came at a political cost: The file pushed the coalition that got her re-elected to the brink of collapse and led her own political family, the center-right European People’s Party (EPP), to team up with the far right to get the deal over the line. The new law, the first of many so-called omnibus simplification bills, will massively reduce the scope of corporate sustainability disclosure rules introduced in the last political term. The aim of the red tape cuts is to boost the competitiveness of European businesses and drive economic growth. The deal concludes a year of intense negotiations between EU decision-makers, investors, businesses and civil society, who argued over how much to reduce reporting obligations for companies on the environmental impacts of their business and supply chains — all while the effects of climate change in Europe were getting worse. “This is an important step towards our common goal to create a more favourable business environment to help our companies grow and innovate,” said Marie Bjerre, Danish minister for European affairs. Denmark, which holds the presidency of the Council of the EU until the end of the year, led the negotiations on behalf of EU governments. Marie Bjerre, Den|mark’s Minister for European affairs, who said the agreement was an important step for a more favourable business environment. | Philipp von Ditfurth/picture alliance via Getty Images Proposed by the Commission last February, the omnibus is designed to address businesses’ concerns that the paperwork needed to comply with EU laws is costly and unfair. Many companies have been blaming Europe’s overzealous green lawmaking and the restrictions it places on doing business in the region for low economic growth and job losses, preventing them from competing with U.S. and Chinese rivals.   But Green and civil society groups — and some businesses too — argued this backtracking would put environmental and human health at risk. That disagreement reverberated through Brussels, disturbing the balance of power in Parliament as the EPP broke the so-called cordon sanitaire — an unwritten rule that forbids mainstream parties from collaborating with the far right — to pass major cuts to green rules. It set a precedent for future lawmaking in Europe as the bloc grapples with the at-times conflicting priorities of boosting economic growth and advancing on its green transition. The word “omnibus” has since become a mainstay of the Brussels bubble vernacular with the Commission putting forward at least 10 more simplification bills on topics like data protection, finance, chemical use, agriculture and defense. LESS PAPERWORK   The deal struck by negotiators from the European Parliament, EU Council and the Commission includes changes to two key pieces of legislation in the EU’s arsenal of green rules: The Corporate Sustainability Reporting Directive (CSRD) and the Corporate Sustainability Due Diligence Directive (CSDDD).  The rules originally required businesses large and small to collect and publish data on their greenhouse gas emissions, how much water they use, the impact of rising temperatures on working conditions, chemical leakages and whether their suppliers — which are often spread across the globe — respect human rights and labor laws.    Now the reporting rules will only apply to companies with more than 1,000 employees and €450 million in net turnover, while only the largest companies — with 5,000 employees and at least €1.5 billion in net turnover — are covered by supply chain due diligence obligations. They also don’t have to adopt transition plans, with details on how they intend to adapt their business model to reach targets for reducing greenhouse gas emissions.   Importantly the decision-makers got rid of an EU-level legal framework that allowed civilians to hold businesses accountable for the impact of their supply chains on human rights or local ecosystems. MEPs have another say on whether the deal goes through or not, with a final vote on the file slated for Dec. 16. It means that lawmakers have a chance to reject what the co-legislators have agreed to if they consider it to be too far from their original position.

BRUSSELS — The European Commission said it is “not empowered to take action” amid concerns about the appointment of a former tech lobbyist to Ireland’s privacy regulator. The Irish Council for Civil Liberties — a non-profit transparency campaign group — on Tuesday filed a complaint calling on the Commission to launch an inquiry into how Niamh Sweeney was appointed to co-lead the Irish Data Protection Commission. Citing reporting from POLITICO, the complaint alleges the appointment process “lacked procedural safeguards against conflicts of interest and political interference.” It’s the first formal challenge to the decision after Sweeney took up her role as one of three chief regulators at Ireland’s top data regulator this month. Her prior experience as a lobbyist for Facebook and WhatsApp reignited concerns that the regulator is too close to Big Tech. In response to the complaint, Commission spokesperson Guillaume Mercier said that “it is for the member states to appoint members to their respective data protection authorities.” The Commission “is not involved in this process and is not empowered to take action with respect to those appointments,” Mercier told a daily press briefing Tuesday. He emphasized that countries do need to respect requirements set out in EU law — that the appointment process must be “transparent,” and that those appointed should “have the qualifications, the experience, the skills, in particular in the protection of personal data, required to perform their duties and to exercise their powers.” The complaint asked the Commission to look into the appointment as part of its duties to oversee the application of EU law, claiming these responsibilities had not been met by Ireland. Sweeney was appointed by the Irish government on the advice of the Public Appointments Service, the authority that provides recruitment services for public jobs, which has previously expressed its full confidence in the process.

Ireland’s Data Protection Commission (DPC) has launched a fresh inquiry into TikTok’s transfers of personal data to Chinese servers, it said Thursday, following on from its investigation that led to a €530 million fine against the company in April. The Irish regulator in April was informed by TikTok of an issue that meant a limited amount of EU user data had been stored on servers in China, an issue it said it discovered in February. The discovery contradicted the firm’s long-held position that personal data of EU users was only accessed remotely by the platform’s staff in China. But it came only just before the investigation concluded. Because of this, the DPC did not investigate it fully. The regulator in April fined TikTok for not sufficiently protecting EU personal data from Chinese state surveillance. The DPC earlier this year expressed “deep concern” that TikTok submitted “inaccurate information to the inquiry.” In a statement on Thursday, it said it had decided to open a new inquiry into the personal data transfers to servers in China after consulting with other data protection authorities in Europe. The Irish regulator said the inquiry will focus on whether TikTok has complied with its obligations under the EU’s General Data Protection Regulation, including articles relating to accountability, transparency, cooperation with supervisory authorities and compliance with rules around data transfers outside of the EU. TikTok was notified earlier this week about the Irish DPC’s decision to launch a fresh inquiry. The company has been contacted for comment.

WhatsApp plans to roll out a new advertising model in the coming months, but the company has told Ireland’s privacy regulator that it won’t affect the EU until next year. WhatsApp owner Meta announced the launch of new features in WhatsApp’s “Updates” tab on Monday, including targeted advertisements and a subscription model. It said the features would start to appear for users “over the next several months.” The announcement immediately raised concern among privacy organizations, in particular the fact that Meta will also use “ad preferences and info” from across people’s Facebook and Instagram accounts, where they are linked to WhatsApp. Speaking to reporters on Thursday, the Irish Data Protection Commission, responsible for enforcing the EU’s General Data Protection Regulation against Meta, said that it has been informed by WhatsApp that its advertising model won’t roll out in the EU until 2026. “That new product won’t be launching [in] the EU market until 2026. We have been informed by WhatsApp and we will be meeting with them to discuss any issues further,” said Commissioner Des Hogan. He added that the advertising model will be discussed with other data protection authorities “so that we can reflect back any concerns which we have as European regulators.” A spokesperson for WhatsApp confirmed that the advertising model is a “global update, and it is being rolled out gradually around the world.” Meta said in the announcement that the new features are built “in the most privacy-oriented way possible,” and has emphasized that sharing of data between WhatsApp, Instagram and Facebook will only happen when users have opted in to having their accounts linked. The U.S. social media giant previously paused the rollout of flagship artificial intelligence technology in the EU over privacy concerns from the Irish regulator. Commissioner Dale Sunderland said that regarding WhatsApp’s advertising model, they “haven’t had that sort of conversation” with the company. “We’re still early days, we’ll engage as we do with every other new feature, new issue that they bring to us … and at this stage, it’s too early to say what, if any, will be any red line issues,” he said.

PARIS — France’s President Emmanuel Macron is set on banning kids from social media.   All that stands in his way are legal fights, glitchy tech, a powerful lobby of Big Tech and Big Porn — and kids being kids.  Macron said late Tuesday that France “can’t wait” any longer in banning social media for children under 15, in response to the fatal stabbing of a teaching assistant at a high school in the suburbs of Paris. The stabbing came one month after a teenager killed a student in a similar incident at a high school in Nantes.   The incidents have determined the French government to keep kids away from what it considers harmful content, and has made France the epicenter of a fierce debate across Europe and the West over imposing limits on social media and smartphone use to better protect children online.  In the past year, Macron’s government has pushed to bar smartphones from schools and to limit screen use in nurseries. It has even gone head to head with the world’s biggest porn platforms, forcing them to verify their users’ age — a high-stakes move that prompted the owner of Pornhub, Redtube and YouPorn to stop serving porn in France earlier this month.   But the French crusade has also put Paris on a collision course with Brussels regulators, privacy rights groups and social media platforms.   Here’s what stands in the way of Macron and a French ban on social media for kids:   1. PARIS IS HEADED FOR A CLASH WITH BRUSSELS Paris insists it really wants an EU-wide regime, and Macron himself has said that banning kids would be a “European competence.”  “I’m giving us a few months to achieve European mobilization. Otherwise, I will negotiate with the Europeans so that we can do it ourselves in France,” the French president said Tuesday.  The government has launched a campaign to pressure other European countries to follow its example, with digital minister Clara Chappaz taking the lead.  “France cannot play it solo because member states have lost most of their competences” on regulating social media platforms, said Thibault Douville, a professor of French digital law.  In Brussels, though, European Union officials aren’t warming to the idea of an all-out ban for kids.   The Commission is readying its own measures on age verification, including guidelines and an app, but a social media ban is not foreseen. | STR/NurPhoto via Getty Images “Let’s be clear … [a] wide social media ban is not what the European Commission is doing. It’s not where we are heading to. Why? Because this is the prerogative of our member states,” Commission spokesperson Thomas Regnier told reporters Wednesday.  Minors protection online is covered by the Digital Services Act, an EU-wide regulation that gives supervisory powers over Very Large Online Platforms such as major social media to the European Commission.   The Commission is readying its own measures on age verification, including guidelines and an app, but a social media ban is not foreseen.   EU countries can set a digital age of majority under the EU’s landmark privacy rules, the General Data Protection Regulation, Regnier said. “Of course, member states can go for that option.”   Under Article 8 of the GDPR, EU countries can set a minimum user age for platforms to process their data, provided it is over 13. But data can still be processed if parents give their consent, the law says.  On paper, this GDPR article bars minors under that age from accessing social media, but it leaves it up to the platforms to decide how to comply with this “digital majority.”  Ultimately, the Commission may have to challenge any French law imposing a ban — depending on its shape — which could lead to a long legal tussle.  2. WATCHDOGS WARN OF SURVEILLANCE  To block kids from porn sites, France passed measures requiring that platforms verify age online using a double-blind method: where an independent age checker knows the person’s details, but not what platform they want to visit.   That has won the approval of the country’s CNIL data protection regulator, which found it protected privacy sufficiently.  But the privacy watchdog has stressed that age checks on the internet should only happen in specific contexts, such as when there are risks to minors.    If age verification creeps into more general use it could “lead to the establishment of a closed digital world, in which individuals would have to constantly prove their age, or even their identity, leading to significant risks to their rights and freedoms, including freedom of expression,” the regulator has warned.    Andy Yen, the chief executive officer of privacy technology company Proton, told POLITICO that “we’re really not debating age verification for children, we’re debating whether it makes sense to do age verification for everyone. And if you do age verification on everyone, there are definitely privacy and security considerations that come as a result of that.”   Within half an hour of the suspension, ProtonVPN saw registrations increase by 1,000 percent, the VPN service said in a post on X. | Fabrice Coffrini/AFP via Getty Images Trying to gauge someone’s age by profiling their activities online or using AI to estimate it from a selfie involves gathering huge amounts of information, said Urs Buscke, senior legal officer with European consumer organization BEUC. He said this conflicted with the GDPR’s key principle of data minimization, where data is only collected if it is strictly necessary. 3. THE TECH SECTOR ISN’T QUITE READY YET  For regulators and tech firms alike, enforcing a social media ban for kids is a nightmare.  Despite legal protections, almost half of children under 10 have social media accounts in Denmark, the country’s digital minister Caroline Stage Olsen said last week.  “There is no data” to suggest that these sorts of bans are effective, said Jessica Piotrowski, chair of the University of Amsterdam’s School of Communication Research and an adviser to YouTube on the issue of minors protection.   Instead, there is “some data that actually suggests, when you try to ban, it can actually do them harm, because [minors] find other ways instead,” Piotrowski said. To make matters worse, Big Tech firms have clashed heavily over who should be responsible for checking the ages of internet users.   On the one side, Meta as well as porn platforms and others claim it should be up to companies running operating systems — most notably Apple, through its mobile system iOS, and Google through Android.   On the other, the owners of operating systems say the social media apps themselves have a responsibility to stop harmful content from reaching minors.   Some technologies used to check the age of internet users are having growing pains as well. Research out this month claimed that Yoti, a leading age verification app that counts Meta among its customers, is “extensively tracking users without consent” and was operating with chinks in its cyber armor that “potentially could be manipulated by third parties.”   In response, Yoti said it had passed the information on to be investigated, but added that researchers had drawn “certain conclusions and extrapolations that are incorrect and potentially harmful to public confidence in a technology built with the intention of promoting and supporting online safety.”  The European Commission, meanwhile, is developing its own age verification app, but it remains in the testing phase in countries like Denmark, Italy, France, Greece and Spain. 4. KIDS WILL FIND A WAY The clearest data point showing that Paris faces an uphill battle came in the hours and days after porn platforms stopped serving adult content in France.   Virtual private networks, which allow internet users to bypass geographic restrictions, saw a surge in demand after Aylo Freesites, the parent company of Pornhub, Redtube and YouPorn, suspended the sites for French users this month.  Within half an hour of the suspension, ProtonVPN saw registrations increase by 1,000 percent, the VPN service said in a post on X. Demand for VPNs overall increased by 334 percent on June 4 compared to the average of the 28 previous days, ranking site Top10VPN said.  Whatever Macron’s plans, you can count on kids to figure out any and all possible ways to thwart them.  Eliza Gkritsi and Ellen O’Regan reported from Brussels. Émile Marzolf and Klara Durand reported from Paris. Pieter Haeck contributed reporting from Brussels. 

BRUSSELS — The European Union’s most iconic tech law was long thought to be untouchable. Those days are over. The EU executive on Wednesday will present its plan to amend the General Data Protection Regulation, GDPR for short, to ease reporting requirements for small and cash-strapped businesses. That same evening, EU officials are negotiating the final details of a separate law that’s meant to fix some of what’s seen as the GDPR’s original design flaws. It’s the latest law to fall victim to the European Commission’s drive to slash red tape and “simplify” EU legislation for the benefit of businesses and growth. The EU’s landmark economic report by former Italian Prime Minister Mario Draghi warned in September that Europe’s complex laws were preventing its economy from keeping up with the United States and China. Draghi singled out the GDPR in particular as hampering innovation. Digital rights groups and EU insiders often praise the GDPR for setting the global standard for the protection of privacy. For many businesses, though, it is seen as a symbol of costly, burdensome EU rules. But changing the GDPR threatens to topple a delicate balance between privacy activists and business lobbies in Brussels. Mario Draghi singled out the GDPR in particular as one of the laws hampering innovation. | Teresa Suarez/EFE via EPA Negotiations on the GDPR from 2012 to 2016 triggered one of the biggest lobbying efforts Brussels has ever seen. Since it took effect in 2018, the EU has steered clear of amending it, fearing it would reignite the vicious lobbying war. The Commission has preempted some of those worries, saying its simplification proposals will be limited to easing reporting requirements and won’t touch the underlying principles of the GDPR.   A review of the law last summer showed “the need for greater support [for] businesses, especially SMEs, in their compliance efforts,” Justice Commissioner Michael McGrath said.   Emails seen by POLITICO earlier this month showed the proposal is expected to extend reporting exemptions currently reserved for SMEs (with fewer than 250 employees) to mid-cap companies (with fewer than 500 employees). It would also create more exemptions for these smaller businesses, freeing them from keeping records or preparing privacy impact assessments. On Wednesday evening, negotiators will head into final crunch talks to agree on extra rules to speed up GDPR investigation procedures. The new rules aim to spur sluggish cross-border data protection probes, which can drag on for years and often involve Big Tech companies. The goal is to set clearer ground rules for how national data protection regulators work together, clarify the rights of complainants and those being investigated during the process, and, crucially, set concrete deadlines for investigations.  According to four people familiar with the negotiations, most of the text has already been agreed, and the main things left to be hammered out on Wednesday evening are the length of deadlines and judicial remedies.   The EU is unlikely to stop there in its efforts to trim its famed privacy law. When consulting companies and experts about Wednesday’s proposal, the Commission said there could be “possible future reflection on the application of the GDPR.” In a separate consultation about an upcoming Data Union Strategy, it also name-checked the GDPR as one law on the table for possible “consolidation.”  And countries have asked the EU executive to clarify how the new Artificial Intelligence Act interacts with the GDPR, according to a document obtained by POLITICO. Pieter Haeck contributed reporting.

BUCHAREST — With a nationalist, self-proclaimed Trumpist leading the polls into the first round of the rerun of the Romanian presidential election on Sunday, the big question is: Which candidate can beat him?  Romania’s first crack at a presidential election last November was dramatically annulled over allegations of illegal campaigning and Russian interference that helped ultranationalist independent candidate Călin Georgescu emerge as shock winner.  With Georgescu barred from running this time, George Simion — the 38-year-old leader of the Alliance for the Union of Romanians (AUR) — has taken on his mantle and moved into pole position. Polls would suggest he is almost certain to get through to the second round on May 18, when the two top-placed candidates from the first round will face off.   POLITICO’s Poll of Polls currently places Simion’s support at about 30 percent. The battle for second place looks set to be close. According to Poll of Polls, the candidate from the governing coalition, Crin Antonescu, is set to win 24 percent of the vote; the centrist independent mayor of Bucharest, Nicușor Dan, could get 22 percent; leftist-turned-nationalist and former Prime Minister Victor Ponta is predicted to win 10 percent; and the reformist Elena Lasconi is on track for 7 percent. But November’s shock result showed a lot can change in the final days before a Romanian election. The diaspora vote, typically not covered by polls, can make a difference, and many voters still had to make up their mind in the eleventh hour. So, how would each of those four fair in a runoff against Simion? While many voters are not seeking a candidate who could destabilize Romania’s important position within the EU and NATO, that may not be the first thing in mind when it comes to domestic political concerns. Political analyst Radu Magdin said it should not be taken for granted that voters will mobilize against an extremist candidate, given the depths of public frustration with corruption and ineffectiveness of the mainstream parties — the Social Democratic Party (PSD) and National Liberal Party (PNL). “Simion is the main representative of a strong anti-system feeling in Romanian society, so it remains to be seen if those who are not necessarily in favor of the system, but are looking for more mainstream options, manage to impose themselves against the anti-system wave,” he said. Here’s how the potential May 18 runoffs could play out. MAINSTREAM MAN: CRIN ANTONESCU Former PNL leader Crin Antonescu looks in a good position to make the second round and represents the governing coalition of the PSD, PNL and Democratic Alliance of Hungarians. The downside for Antonescu is that he will be seen as the face of the old order of the PSD and PNL — parties public patience has worn thin on. On the other hand, those parties include veteran campaigners who can exert influence nationwide and get out the vote. Polls by Flashdata and AtlasIntel suggest he can beat Simion in a runoff. In theory, his political pedigree gives him a broad voter base, as well as party machinery and regional bastions that could prove a formidable force. “Together, [the PNL and PSD] have more than 75 percent of the mayors in Romania,” said Remus Ștefureac, a political analyst and director of polling company Inscop Research. Small-town and village mayors can mobilize constituents to vote for their party’s candidates by highlighting easier access to funding for local projects if the country is led by one of their own.  Regional politics can be a cutthroat business in Romania. Some local politicians use threats to slash the minimum guaranteed income from those who don’t support them. Others can offer money, often around €20, particularly in villages, for people to vote for their candidate. Although these practices are illegal, authorities have often turned a blind eye. One person, who was granted anonymity for fear of retribution, described how exactly such tactics were used to get tens of thousands of people to come out in support of Antonescu at a rally in a city in southern Romania a few weeks ago. POLITICO contacted the organizers of that rally, but received no immediate response. Antonescu’s three-party support could also be a weakness, however. It is difficult for a single candidate to appeal to the supporters of three individual parties, said Ștefureac; even more so as PSD and PNL have typically been enemies. And the parties’ broad local networks didn’t help their candidates to a victory in the canceled November election. When PSD and PNL each had their own candidates in that contest, “they barely got 30 percent” in total, Ștefureac said. Siegfried Mureșan, a PNL member of the European Parliament, expected that people who in the first round voted for Dan, the Bucharest mayor, would turn to Antonescu in the runoff to block Simion. “It’s not their first option. But no matter how much they don’t love him, they don’t want George Simion as president,” Mureșan said. Antonescu also benefits from equal support from both women and men — while men favor Simion, said Andrei Roman, chief executive of polling company AtlasIntel. Antonescu also has the most support among people over 60, he said. THE URBANITES’ CHOICE: NICUȘOR DAN Polling from Flashdata sees Dan losing to Simion in a second round, while the latest AtlasIntel polling data shows him slightly ahead.  Dan gets much of his support from large urban areas among voters who are typically highly educated and well-off, polling data shows.  But he’s less popular outside of big cities — and in his campaign so far, he’s “missed the chance to address messages to people in the rural areas, to people in smaller cities, people with low income,” Ștefureac said. The vote from Romanians abroad could be decisive, as they typically reject the political establishment candidate, said Otilia Nuțu, a public policy analyst at think tank Expert Forum. Voters from abroad can make up to 7 to 8 percent of the total, which makes an impact. “Some vote for anti-system reformists, others vote for anti-system extremists,” she said. “It depends on who will turn up to vote.” Dan is in his second mandate as Bucharest mayor. He’s well known for his decades-long fight against “real estate sharks” whom he’s accused of collusion with the political establishment to obtain prime real estate areas and build there for high profits, often without consideration for preserving historical buildings or areas. Dan used that against Antonescu in presidential TV debates this week, accusing him of helping privatize large zones of public property when he was a youth and sports minister in the late 1990s. Some of those transactions were later found illegal by the courts, he said.  Antonescu has denied any collusion with real estate sharks and accused Dan of being unable to produce any evidence tying him to them. Dan founded the center-right reformist party Union Save Romania (USR), which he left in 2017, and won his first mandate as a mayor with PNL support. MEP Mureșan predicted fewer Antonescu voters would head toward Dan in the runoff than the other way around. “Some of these voters are liberal, some are conservative, some very conservative — and some, particularly the voters of the socialist party, are partly also elderly, less educated, partly also from the rural areas,” he said of the Antonescu voters. THE CHAMELEON: VICTOR PONTA Victor Ponta, the former Social Democrat prime minister-turned-nationalist, has had a mixed showing in the polls. If he does make it, AtlasIntel’s latest data shows him losing to Simion. But Ștefureac sees him as “the candidate who has a chance — theoretically and based on the figures that we have now — to generate a broader coalition against Simion.” He warned that the radically new dynamic in the second round makes current surveys about runoffs tricky. Ponta’s old political orientation endears him to some typical PSD voters who may not be convinced by the PSD-backed but center-right Antonescu. His “Romania first” platform could also appeal to voters who chose Georgescu last November, analysts say. He had been improving in the polls before he told a podcast earlier this month that he allowed several villages on the Danube to be flooded in 2014 to avoid flooding the Serbian capital of Belgrade when he was prime minister, Expert Forum’s Nuțu said.  “I didn’t understand what that was about,” she said, calling it either “prebunking,” a technique meant to preempt manipulation online, or an act to show his influence.  Ponta declared he chose to save lives in Serbia over fields in Romania. He said he was made an honorary Serbian citizen as a result. Not a classic vote-winning move in Romania. THE UNDERDOG: ELENA LASCONI USR President Elena Lasconi, a former television journalist, appears to have lost the wave of support that carried her into the runoff of the canceled election last year, mostly due to Dan entering the race. Leaders of her own party abandoned her earlier this month to throw their support behind Dan, whom they said was the only reformist candidate with a real chance of making the runoff this time. It’s unclear what the impact of her party leaders abandoning her would have on voters, Nuțu said. Some saw the move as unfair and will want to punish USR, which could result in fewer votes for both Lasconi and Dan, Nuțu said. In an explosive move ahead of the first round, Lasconi Thursday published pictures that purport to show Dan and Ponta meeting with a former deputy director of the Romanian intelligence service, allegedly to talk about this year’s election. That aims to make Dan look like a man of the system and ties him to a controversial former spy in a country weary of the intelligence service’s involvement in politics.  Both Dan and Ponta said the images were fake and that the meeting never happened, accusing Lasconi of playing into the hands of the mainstream political system. Dan and Ponta lodged a criminal complaints against her Friday. If Lasconi ends up beating the odds and qualifying for the runoff, she would beat Simion, according to AtlasIntel, by 3 points.

EU privacy regulators have for the first time taken aim at Beijing’s sweeping surveillance laws in a ruling that threatens to cut off data pipelines with China to protect Europeans.  Ireland’s powerful privacy regulator slapped TikTok with a €530 million fine on Friday, ruling it illegally sent data to China and couldn’t guarantee this was safe from government snooping. The decision is a watershed moment for Europe’s relationship with Beijing when it comes to the bloc’s flagship data privacy rules and has significant implications for any company transferring personal data from the EU to China. Friday’s ruling means the “screw is turning” on data flows to China, said Joe Jones, research director at the International Association of Privacy Professionals, which represents people working in the world of privacy globally. “We’ve had over a decade of EU-U.K., EU-U.S. fights and sagas on [data flows]. This is the first time we’ve seen anything significant on any other country outside of that transatlantic triangle — and it’s China,” said Jones. Most high-level enforcement of the EU’s General Data Protection Regulation (GDPR) has so far targeted American tech giants, as Europe and the United States have bickered over legal protections for personal data sent across the Atlantic.  Chinese surveillance and data privacy breaches remained out of the EU’s crosshairs but the growth in popularity and EU presence of big Chinese players has now cast a spotlight on Beijing’s techno-authoritarian tendencies.  Earlier this year, six Chinese companies (AliExpress, SHEIN, Temu, WeChat and Xiaomi as well as TikTok) were the target of complaints filed with European data protection authorities by Austrian privacy group Noyb, founded by privacy activist Max Schrems.  The third-largest fine ever for a breach of the EU’s data protection rulebook, Friday’s decision by Ireland’s Data Protection Commission highlights that China’s laws are fundamentally at odds with European data protection principles. The fact that the Irish decision was backed by all European data protection authorities with no objections is “pretty significant,” Jones said. “I expect the question of where data can flow, and how, will quickly become part of the conversation on competitiveness.” TikTok, in its response, said the ruling “risks setting a precedent with far-reaching consequences for companies and entire industries across Europe that operate on a global scale,” and “delivers a blow to the European Union’s competitiveness.” The decision is a watershed moment for Europe’s relationship with Beijing when it comes to the bloc’s flagship data privacy rules and has significant implications for any company transferring personal data from the EU to China. | Erik S. Lesser/EFE via EPA The ruling, and especially the fact that TikTok had been storing a limited amount of European user data on Chinese servers, is also likely to prick the ears of U.S. authorities which are trying to force a sale of TikTok from Chinese parent ByteDance to a U.S. owner. The U.S. has similar concerns over how Chinese authorities can access Americans’ data. TikTok has repeatedly insisted it does not store U.S. data in China. THE €530 MILLION QUESTION TikTok has been working for years to stave off a heavy fine. Companies sending EU data to China don’t have an overarching legal framework for this as they would for territories such as the U.S. — instead they rely on individual contracts, through which China-based companies receiving EU data pledge to follow EU protections.  Two years after the Irish investigation was launched, TikTok also unveiled a €12 billion plan called Project Clover to assuage EU concerns over Chinese surveillance through the app. This centered around keeping European users’ data on servers in Europe and allowing a European security company far-reaching access to audit cybersecurity and data protection controls. Just this week, TikTok confirmed a €1 billion investment in a new data center in Finland.  The question now being asked by TikTok and other European businesses sending data to China is: If specific contracts and locating data servers in the EU is not enough to please regulators, then what is?   TikTok said on Friday it was “disappointed to have been singled out” despite it relying on the “same legal mechanism employed by thousands of other companies providing services in Europe.” “If the extensive measures implemented under Project Clover … as well as independent, third-party monitoring are deemed insufficient, it’s reasonable to ask: what would be considered sufficient?” said Christine Grahn, TikTok’s head of public policy and government relations for Europe. TikTok now has six months to find a way to make its data transfers to China compliant with the GDPR or shut off the flow of EU data to China entirely.   The company has said it plans to challenge the decision, which will delay the six-month ultimatum. But any business taking a similar legal approach to TikTok will now be in the dark about how it can legally send data to China. ‘GREY ZONE’ Chinese laws like the Anti-Terrorism Law, the Counter-Espionage Law, the Cybersecurity Law and the National Intelligence Law give the government sweeping powers to order Chinese companies to hand over data. Tim Rühlig, senior analyst for Asia and Global China at the European Union Institute for Security Studies said that there is currently a legal “gray zone” in terms of how those surveillance laws apply to data stored outside of China. “It’s a one-size-fits-all clause that says organizations [and] natural persons of China have to comply with security services when asked something. I have a hard time seeing a Chinese company saying, ‘Sorry that that piece of data that you’re asking for lies on a European server,’” he said. Rogier Creemers, lecturer in Modern Chinese Studies at Leiden University, said it was “notoriously difficult to monitor” how often Chinese authorities actually use these powers, but the risk that EU citizen data will be snooped on is “not zero.”  Although the Irish regulator’s decision is specifically related to TikTok’s data handling practices, Creemers said that other companies sending data to China will “definitely reassess their own compliance strategies with the GDPR, and whether those compliance strategies will need to be revised.”

TikTok has to pay €530 million in penalties because it sent the personal data of Europeans to China illegally and wasn’t transparent enough with users, Ireland’s powerful privacy regulator said Friday. The Irish Data Protection Commission (DPC) said TikTok breached the EU’s flagship data protection rules when it sent European user data to China because it couldn’t guarantee that the data was protected under China’s surveillance laws. Taking a stance on data transfers to China for the first time, the regulator said TikTok failed to adequately assess the implications of Chinese surveillance laws on Europeans’ data. Those laws — which give the Chinese government sweeping powers to order companies to hand over data — “materially diverge from EU standards,” TikTok acknowledged during the inquiry. The regulator also said TikTok breached transparency rules between 2020 and 2022 because it didn’t tell users that personal data was being transferred to China. It noted that TikTok updated its privacy policy in 2022 and is now “compliant.” The company has been fined €485 million for its data transfers to China and €45 million for the lack of transparency in its privacy policy. The fine is the third-largest ever for a breach of the EU’s General Data Protection Regulation. TikTok has its EU headquarters in Ireland, meaning the Irish DPC is the lead authority in charge of enforcing the EU rules. TikTok had for years claimed it did not store European or American user data on servers in China, but in April informed the regulator that it had discovered in February that “limited EEA User Data” had in fact been stored in China. Irish DPC Deputy Commissioner Graham Doyle said the regulator was taking this discovery “very seriously,” and while TikTok has said it deleted the data on Chinese servers, was considering “what further regulatory action may be warranted.” TikTok has been given six months to bring its data processing practices in line with the EU’s privacy rules, or suspend all data transfers to the country. TikTok said it “strongly contest[s]” the Irish DPC’s findings and plans to appeal in full. “Beyond the DPC’s failure to substantively consider the extensive safeguards [already implemented by Tiktok], we are disappointed to have been singled out despite relying on the same legal mechanism employed by thousands of other companies providing services in Europe,” said Christine Grahn, TikTok’s head of public policy and government relations for Europe, in a written statement. TikTok pointed to its €12 billion investment in Project Clover, which is rolling out data centers in Europe to store data locally in the EU, as well as other privacy safeguards. The Irish DPC acknowledged the project but said it was not enough to sway its decision. Grahn emphasized that TikTok has “never received a request for European user data from the Chinese authorities, and has never provided European user data to them.” She said that the Irish DPC ruling “risks setting a precedent with far-reaching consequences for companies and entire industries across Europe that operate on a global scale,” and “delivers a blow to the European Union’s competitiveness.”

Chinese spies sought to gain information on Samuel Cogolati, a Belgian co-chair of the Greens party and prominent China critic, by attempting to coerce one of his political opponents, local media reported on Wednesday. Chinese intelligence services in 2020 approached Eric Dosogne, the then mayor of the Wallonian town Huy and a political rival of Cogolati, the media reported, adding that Dosogne had a close relationship with the Chinese state due to a city friendship agreement. Belgian security services were monitoring the phone of the Chinese agent that approached Dosogne and warned the local politician of the risks of interference and espionage at least two times, say the reports. Services later warned Cogolati and the chairman of the French-speaking Socialist Party (PS), Paul Magnette, of the threat. News publications Le Soir, Knack, De Tijd and public broadcaster RTBF first reported on the news. Dosogne declined to comment on the reports. The Belgian intelligence services also declined to comment. It is not the first time a Belgian politician has been embroiled with the Chinese spy agency. In December 2023, far-right politician Frank Creyelman was expelled from the Vlaams Belang party after it was revealed he was involved in influencing discussions on issues ranging from China’s crackdown on democracy in Hong Kong to its persecution of Uyghurs in Xinjiang. Cogolati — who was placed on a sanctions list by Beijing in March 2021 — has been a key voice pushing back against Alibaba’s logistics hub investment in Liège, criticizing Uyghur forced labor in China and pushing to restrict the use of Huawei in Belgian 5G networks. He was previously the target of a cyberattack for his work in the Inter-Parliamentary Alliance on China (IPAC), a coalition of lawmakers critical of Beijing. Huy, where both Cogolati and Dosogne are active in local politics, is also home to one of the largest Tibetan Buddhist centers in Europe, which the Dalai Lama has visited several times.