Prime minister’s questions: a shouty, jeery, very occasionally useful advert for
British politics. Here’s what you need to know from the latest session in
POLITICO’s weekly run-through.
What they sparred about: Grooming gangs. Prime Minister Keir Starmer and Tory
Leader Kemi Badenoch went toe-to-toe over whether the investigation into
widespread child abuse was fit for purpose — or falling apart before it even
started.
Word of context: The government confirmed a national inquiry into child sexual
exploitation would take place in June. Since then, four abuse survivors quit the
inquiry’s victims and survivors liaison panel over their treatment. Former
senior social worker Annie Hudson also withdrew from a shortlist of potential
inquiry chairs.
No confidence: Badenoch said the four victims had “lost all confidence” and were
“dismissed and contradicted” by ministers. “What’s the point in speaking up if
we’re just going to be called liars,” the Tory leader asked on behalf of one
victim. Starmer condemned it as one of the “worst scandals of our time” and said
the door “will always be open” if they wanted to return.
Bookmark this: The PM insisted the inquiry will “never be watered down, its
scope will not change, and it will examine the ethnicity and religion of the
offenders.” Starmer confirmed crossbench peer and government troubleshooter
Louise Casey (mooted as a future cabinet secretary), who wrote the initial
grooming gangs audit, would support the inquiry.
War of words: The Tory leader asked why victims would return when “the
government has engaged in a briefing war against survivors.” That strong
accusation drew cries of “shame” from Labour backbenchers before Badenoch
referenced another survivor, accusing Labour of creating a “toxic environment.”
Pushing on: Starmer conceded there were still “hard yards” to be done to put
survivors at the heart of the inquiry, given their “difficult experiences” and
“wide range of views.” Nonetheless, the PM insisted, “I want to press on and get
this right.” Perhaps unsurprisingly, Badenoch mentioned Starmer’s previous
opposition to a national inquiry. “The victims don’t believe them,” she
declared. “They don’t like it, but it’s true.”
Of course: This sensitive and horrifying chapter in Britain’s history descended
into a political knockabout. The PM mentioned work on reopening historic sexual
abuse and mandatory reporting, which “fell on deaf ears” from the Tories.
He should know: Starmer, often pejoratively labeled a lawyer by Badenoch, was
asked why the inquiry wasn’t judge-led, given victims would prefer this, rather
than a police officer or social worker chairing proceedings. The PM said
judge-led inquiries were “often held back until the end of the criminal
investigation,” which he wanted to run alongside the inquiry.
Ministerial matters: But Badenoch suggested the chair was not the only problem.
Quoting one victim, who accused Safeguarding Minister Jess Phillips of lying
(which Speaker Lindsay Hoyle frowned upon), the Tory leader asked if the PM
still had confidence in her. Starmer answered in the affirmative, saying she
“has probably more experience than any other person in this House in dealing
with violence against women and girls.” The Tories, you won’t be surprised to
learn, want Phillips gone.
Helpful backbench intervention of the week: Roz Savage, the, er, Lib Dem MP for
South Cotswolds, initially made PMQs a bit easier for Starmer after the
Political Pics X account snapped her question in a transparent folder heading
into No 10 … on Tuesday. “There was a very, very serious breach of national
security,” she joked. Keeping Starmer on his toes, Savage instead asked about
digital ID and, aptly, the risk of data breaches.
Totally unscientific scores on the doors: Starmer 7/10. Badenoch 6/10. Choosing
a winner and a loser seems trivial given the main topic this week. Badenoch
understandably used the victims’ departure to ask if the inquiry could fulfill
its purpose. But the Tory leader’s political points lost the room, with the PM —
just about — retaining authority with promises about the inquiry’s scope and
remit. The survivors, on and off the panel, will hope those words translate into
action.
Ireland’s Data Protection Commission (DPC) has launched a fresh inquiry into
TikTok’s transfers of personal data to Chinese servers, it said Thursday,
following on from its investigation that led to a €530 million fine against the
company in April.
The Irish regulator in April was informed by TikTok of an issue that meant a
limited amount of EU user data had been stored on servers in China, an issue it
said it discovered in February.
The discovery contradicted the firm’s long-held position that personal data of
EU users was only accessed remotely by the platform’s staff in China. But it
came only just before the investigation concluded. Because of this, the DPC did
not investigate it fully.
The regulator in April fined TikTok for not sufficiently protecting EU personal
data from Chinese state surveillance.
The DPC earlier this year expressed “deep concern” that TikTok submitted
“inaccurate information to the inquiry.”
In a statement on Thursday, it said it had decided to open a new inquiry into
the personal data transfers to servers in China after consulting with other data
protection authorities in Europe.
The Irish regulator said the inquiry will focus on whether TikTok has complied
with its obligations under the EU’s General Data Protection Regulation,
including articles relating to accountability, transparency, cooperation with
supervisory authorities and compliance with rules around data transfers outside
of the EU.
TikTok was notified earlier this week about the Irish DPC’s decision to launch a
fresh inquiry.
The company has been contacted for comment.
Dutch authorities are investigating a major disruption to train traffic in the
Netherlands on the opening day of the NATO summit — an incident that one senior
official said could be sabotage.
A power outage early on Tuesday has disrupted some traffic to and from the
Netherlands’ main airport Schiphol, located 50 kilometers from where leaders of
the Western defense alliance NATO are gathering today and tomorrow.
Around 30 cables were damaged due to a fire, local media reported. The damaged
cables have impacted the trains running from Amsterdam, Schiphol and Utrecht
stations.
Dutch Justice Minister David van Weel on Tuesday said the disruption “could be
sabotage.”
“[Sabotage] is one of the things we are now investigating,” he told broadcaster
NOS at the Public Forum ahead of the NATO leaders’ meetings. “Then the question
is: Who is behind it? It can be an activist group, it can be a country. It can
be many things,” he said.
Van Weel served as NATO’s most senior hybrid and cybersecurity official until
the middle of last year.
Officials at Dutch railway provider ProRail and public authorities are still
investigating the incident.
The train outage is the latest disruption to events in the Netherlands, after
Dutch municipalities on Monday faced a series of low-level cyberattacks.
A wave of distributed denial-of-service attacks hit a dozen Dutch organizations,
including several municipalities, the National Cyber Security Centre confirmed.
The attacks did not result in data breaches or intrusions, authorities said.
Dutch cyber authorities pointed to the pro-Russian hacktivist group
NoName057(16), which claimed the attacks. The group has targeted NATO countries
including Belgium, Romania and others in the past year with such DDoS attacks,
seeking to influence how countries position themselves toward NATO and the war
in Ukraine.
The attacks fit the description of threats outlined by Dutch authorities ahead
of the NATO summit. While not very sophisticated, they appeared aimed at sowing
confusion and stretching the capacity of public sector institutions involved in
organizing the summit.
Threat intelligence firm Recorded Future last week warned that the NATO summit
in The Hague was expected to draw intense interest from Russian and Chinese
threat operatives, with defense infrastructure and logistics providers likely to
be top targets for espionage and sabotage.
WhatsApp plans to roll out a new advertising model in the coming months, but the
company has told Ireland’s privacy regulator that it won’t affect the EU until
next year.
WhatsApp owner Meta announced the launch of new features in WhatsApp’s “Updates”
tab on Monday, including targeted advertisements and a subscription model. It
said the features would start to appear for users “over the next several
months.”
The announcement immediately raised concern among privacy organizations, in
particular the fact that Meta will also use “ad preferences and info” from
across people’s Facebook and Instagram accounts, where they are linked to
WhatsApp.
Speaking to reporters on Thursday, the Irish Data Protection Commission,
responsible for enforcing the EU’s General Data Protection Regulation against
Meta, said that it has been informed by WhatsApp that its advertising model
won’t roll out in the EU until 2026.
“That new product won’t be launching [in] the EU market until 2026. We have been
informed by WhatsApp and we will be meeting with them to discuss any issues
further,” said Commissioner Des Hogan.
He added that the advertising model will be discussed with other data protection
authorities “so that we can reflect back any concerns which we have as European
regulators.”
A spokesperson for WhatsApp confirmed that the advertising model is a “global
update, and it is being rolled out gradually around the world.”
Meta said in the announcement that the new features are built “in the most
privacy-oriented way possible,” and has emphasized that sharing of data between
WhatsApp, Instagram and Facebook will only happen when users have opted in to
having their accounts linked.
The U.S. social media giant previously paused the rollout of flagship artificial
intelligence technology in the EU over privacy concerns from the Irish
regulator.
Commissioner Dale Sunderland said that regarding WhatsApp’s advertising model,
they “haven’t had that sort of conversation” with the company.
“We’re still early days, we’ll engage as we do with every other new feature, new
issue that they bring to us … and at this stage, it’s too early to say what, if
any, will be any red line issues,” he said.
BRUSSELS — The European Union’s most iconic tech law was long thought to be
untouchable.
Those days are over.
The EU executive on Wednesday will present its plan to amend the General Data
Protection Regulation, GDPR for short, to ease reporting requirements for small
and cash-strapped businesses. That same evening, EU officials are negotiating
the final details of a separate law that’s meant to fix some of what’s seen as
the GDPR’s original design flaws.
It’s the latest law to fall victim to the European Commission’s drive to slash
red tape and “simplify” EU legislation for the benefit of businesses and growth.
The EU’s landmark economic report by former Italian Prime Minister Mario Draghi
warned in September that Europe’s complex laws were preventing its economy from
keeping up with the United States and China. Draghi singled out the GDPR in
particular as hampering innovation.
Digital rights groups and EU insiders often praise the GDPR for setting the
global standard for the protection of privacy. For many businesses, though, it
is seen as a symbol of costly, burdensome EU rules.
But changing the GDPR threatens to topple a delicate balance between privacy
activists and business lobbies in Brussels.
Negotiations on the GDPR from 2012 to 2016 triggered one of the biggest lobbying
efforts Brussels has ever seen. Since it took effect in 2018, the EU has steered
clear of amending it, fearing it would reignite the vicious lobbying war.
The Commission has preempted some of those worries, saying its simplification
proposals will be limited to easing reporting requirements and won’t touch the
underlying principles of the GDPR.
A review of the law last summer showed “the need for greater support [for]
businesses, especially SMEs, in their compliance efforts,” Justice Commissioner
Michael McGrath said.
Emails seen by POLITICO earlier this month showed the proposal is expected to
extend reporting exemptions currently reserved for SMEs (with fewer than 250
employees) to mid-cap companies (with fewer than 500 employees). It would also
create more exemptions for these smaller businesses, freeing them from keeping
records or preparing privacy impact assessments.
On Wednesday evening, negotiators will head into final crunch talks to agree on
extra rules to speed up GDPR investigation procedures. The new rules aim to spur
sluggish cross-border data protection probes, which can drag on for years and
often involve Big Tech companies.
The goal is to set clearer ground rules for how national data protection
regulators work together, clarify the rights of complainants and those being
investigated during the process, and, crucially, set concrete deadlines for
investigations.
According to four people familiar with the negotiations, most of the text has
already been agreed, and the main things left to be hammered out on Wednesday
evening are the length of deadlines and judicial remedies.
The EU is unlikely to stop there in its efforts to trim its famed privacy law.
When consulting companies and experts about Wednesday’s proposal, the Commission
said there could be “possible future reflection on the application of the GDPR.”
In a separate consultation about an upcoming Data Union Strategy, it also
name-checked the GDPR as one law on the table for possible “consolidation.”
And countries have asked the EU executive to clarify how the new Artificial
Intelligence Act interacts with the GDPR, according to a document obtained by
POLITICO.
Pieter Haeck contributed reporting.
EU privacy regulators have for the first time taken aim at Beijing’s sweeping
surveillance laws in a ruling that threatens to cut off data pipelines with
China to protect Europeans.
Ireland’s powerful privacy regulator slapped TikTok with a €530 million fine on
Friday, ruling it illegally sent data to China and couldn’t guarantee this was
safe from government snooping.
The decision is a watershed moment for Europe’s relationship with Beijing when
it comes to the bloc’s flagship data privacy rules and has significant
implications for any company transferring personal data from the EU to China.
Friday’s ruling means the “screw is turning” on data flows to China, said Joe
Jones, research director at the International Association of Privacy
Professionals, which represents people working in the world of privacy globally.
“We’ve had over a decade of EU-U.K., EU-U.S. fights and sagas on [data flows].
This is the first time we’ve seen anything significant on any other country
outside of that transatlantic triangle — and it’s China,” said Jones.
Most high-level enforcement of the EU’s General Data Protection Regulation
(GDPR) has so far targeted American tech giants, as Europe and the United States
have bickered over legal protections for personal data sent across the
Atlantic.
Chinese surveillance and data privacy breaches remained out of the EU’s
crosshairs but the growth in popularity and EU presence of big Chinese players
has now cast a spotlight on Beijing’s techno-authoritarian tendencies.
Earlier this year, six Chinese companies (AliExpress, SHEIN, Temu, WeChat and
Xiaomi as well as TikTok) were the target of complaints filed with European data
protection authorities by Austrian privacy group Noyb, founded by privacy
activist Max Schrems.
The third-largest fine ever for a breach of the EU’s data protection rulebook,
Friday’s decision by Ireland’s Data Protection Commission highlights that
China’s laws are fundamentally at odds with European data protection principles.
The fact that the Irish decision was backed by all European data protection
authorities with no objections is “pretty significant,” Jones said. “I expect
the question of where data can flow, and how, will quickly become part of the
conversation on competitiveness.”
TikTok, in its response, said the ruling “risks setting a precedent with
far-reaching consequences for companies and entire industries across Europe that
operate on a global scale,” and “delivers a blow to the European Union’s
competitiveness.”
The ruling, and especially the fact that TikTok had been storing a limited
amount of European user data on Chinese servers, is also likely to prick the
ears of U.S. authorities which are trying to force a sale of TikTok from Chinese
parent ByteDance to a U.S. owner.
The U.S. has similar concerns over how Chinese authorities can access Americans’
data. TikTok has repeatedly insisted it does not store U.S. data in China.
THE €530 MILLION QUESTION
TikTok has been working for years to stave off a heavy fine.
Companies sending EU data to China don’t have an overarching legal framework for
this as they would for territories such as the U.S. — instead they rely on
individual contracts, through which China-based companies receiving EU data
pledge to follow EU protections.
Two years after the Irish investigation was launched, TikTok also unveiled a €12
billion plan called Project Clover to assuage EU concerns over Chinese
surveillance through the app. This centered around keeping European users’ data
on servers in Europe and allowing a European security company far-reaching
access to audit cybersecurity and data protection controls. Just this week,
TikTok confirmed a €1 billion investment in a new data center in Finland.
The question now being asked by TikTok and other European businesses sending
data to China is: If specific contracts and locating data servers in the EU is
not enough to please regulators, then what is?
TikTok said on Friday it was “disappointed to have been singled out” despite it
relying on the “same legal mechanism employed by thousands of other companies
providing services in Europe.”
“If the extensive measures implemented under Project Clover … as well as
independent, third-party monitoring are deemed insufficient, it’s reasonable to
ask: what would be considered sufficient?” said Christine Grahn, TikTok’s head
of public policy and government relations for Europe.
TikTok now has six months to find a way to make its data transfers to China
compliant with the GDPR or shut off the flow of EU data to China entirely.
The company has said it plans to challenge the decision, which will delay the
six-month ultimatum. But any business taking a similar legal approach to TikTok
will now be in the dark about how it can legally send data to China.
‘GREY ZONE’
Chinese laws like the Anti-Terrorism Law, the Counter-Espionage Law, the
Cybersecurity Law and the National Intelligence Law give the government sweeping
powers to order Chinese companies to hand over data.
Tim Rühlig, senior analyst for Asia and Global China at the European Union
Institute for Security Studies, said that there is currently a legal “gray zone”
in terms of how those surveillance laws apply to data stored outside of China.
“It’s a one-size-fits-all clause that says organizations [and] natural persons
of China have to comply with security services when asked something. I have a
hard time seeing a Chinese company saying, ‘Sorry that that piece of data that
you’re asking for lies on a European server,’” he said.
Rogier Creemers, lecturer in Modern Chinese Studies at Leiden University, said
it was “notoriously difficult to monitor” how often Chinese authorities actually
use these powers, but the risk that EU citizen data will be snooped on is “not
zero.”
Although the Irish regulator’s decision is specifically related to TikTok’s data
handling practices, Creemers said that other companies sending data to China
will “definitely reassess their own compliance strategies with the GDPR, and
whether those compliance strategies will need to be revised.”
TikTok has to pay €530 million in penalties because it sent the personal data of
Europeans to China illegally and wasn’t transparent enough with users, Ireland’s
powerful privacy regulator said Friday.
The Irish Data Protection Commission (DPC) said TikTok breached the EU’s
flagship data protection rules when it sent European user data to China because
it couldn’t guarantee that the data was protected under China’s surveillance
laws.
Taking a stance on data transfers to China for the first time, the regulator
said TikTok failed to adequately assess the implications of Chinese surveillance
laws on Europeans’ data.
Those laws — which give the Chinese government sweeping powers to order
companies to hand over data — “materially diverge from EU standards,” TikTok
acknowledged during the inquiry.
The regulator also said TikTok breached transparency rules between 2020 and 2022
because it didn’t tell users that personal data was being transferred to China.
It noted that TikTok updated its privacy policy in 2022 and is now “compliant.”
The company has been fined €485 million for its data transfers to China and €45
million for the lack of transparency in its privacy policy.
The fine is the third-largest ever for a breach of the EU’s General Data
Protection Regulation. TikTok has its EU headquarters in Ireland, meaning the
Irish DPC is the lead authority in charge of enforcing the EU rules.
TikTok had for years claimed it did not store European or American user data on
servers in China, but in April informed the regulator that it had discovered in
February that “limited EEA User Data” had in fact been stored in China.
Irish DPC Deputy Commissioner Graham Doyle said the regulator was taking this
discovery “very seriously,” and while TikTok has said it deleted the data on
Chinese servers, was considering “what further regulatory action may be
warranted.”
TikTok has been given six months to bring its data processing practices in line
with the EU’s privacy rules, or suspend all data transfers to the country.
TikTok said it “strongly contest[s]” the Irish DPC’s findings and plans to
appeal in full.
“Beyond the DPC’s failure to substantively consider the extensive safeguards
[already implemented by Tiktok], we are disappointed to have been singled out
despite relying on the same legal mechanism employed by thousands of other
companies providing services in Europe,” said Christine Grahn, TikTok’s head of
public policy and government relations for Europe, in a written statement.
TikTok pointed to its €12 billion investment in Project Clover, which is rolling
out data centers in Europe to store data locally in the EU, as well as other
privacy safeguards. The Irish DPC acknowledged the project but said it was not
enough to sway its decision.
Grahn emphasized that TikTok has “never received a request for European user
data from the Chinese authorities, and has never provided European user data to
them.”
She said that the Irish DPC ruling “risks setting a precedent with far-reaching
consequences for companies and entire industries across Europe that operate on a
global scale,” and “delivers a blow to the European Union’s competitiveness.”
BRUSSELS — Top officials at the European Union’s in-house data protection
authority have expensed a high number of trips to their home countries in past
years, an analysis by POLITICO shows — prompting calls for closer scrutiny from
a key oversight committee.
Figures obtained by POLITICO reveal a pattern in which the most senior officials
at the European Data Protection Supervisor (EDPS) took a large share of official
missions to their own home countries over the 2017-2023 period.
The findings are “deeply concerning” and “highly irregular,” said Czech
center-right lawmaker Tomáš Zdechovský, who holds a key role in the European
Parliament. The figures suggest that “some of the European Union’s most senior
officials appear to have used mission budgets to repeatedly travel to their home
countries under the pretext of official duties,” he said in a comment.
The figures raise questions about the oversight and approval process for travel
spending by the EU institution, and whether officials are using the system for
personal benefit. POLITICO previously uncovered dubious travel expense practices
at other EU institutions, such as when top Commission official Henrik Hololei
cleared himself of any conflict of interest in taking freebie flights on Qatar
Airways while his team negotiated a major aviation deal with the Gulf state.
Reacting to POLITICO’s reporting on the EDPS’ travel data, the head of the
authority Wojciech Wiewiórowski on Wednesday told Parliament he had “nothing to
hide,” and the practice of sending high-level EDPS officials to their home
countries was “absolutely a deliberate decision.”
The EDPS is in the middle of a contested and controversial race to select its
next chief supervisor. The European Parliament and EU Council reached a
stalemate in January, with the EU Council pushing to reappoint Wiewiórowski for
a second term and Parliament preferring to pick one of the European Commission’s
key data protection officials, Bruno Gencarelli, to replace him.
HOME SWEET HOME
The European Parliament’s civil liberties committee already scrutinized EDPS
spending in a recent opinion drafted by Zdechovský that flagged a “significant”
increase in mission costs in recent years and warned of a lack of transparency
about mission expenses.
Missions undertaken by EDPS staff can include attending conferences, events and
official meetings, as well as trips to visit or audit the EU institutions that
the regulator supervises.
The EDPS oversees whether the EU institutions are following privacy rules. It
also gives advice to the institutions on data protection.
POLITICO examined mission travel documents provided by the EDPS, analyzing its
three most senior officials from 2017 to 2023: former European Data Protection
Supervisor Giovanni Buttarelli; current (caretaker) European Data Protection
Supervisor Wojciech Wiewiórowski; and Secretary General Leonardo Cervera Navas.
POLITICO also looked at mission travel for the agency as a whole, including
around 100 lower-level staffers and officials running the secretariat of
Europe’s national data protection regulators’ group, the European Data
Protection Board (EDPB).
Cervera Navas took a total of 36 trips to his native Spain over the seven-year
period. His next most frequently visited countries were France and Germany, with
six trips each. By comparison, Wiewiórowski visited Spain five times over the
same period, while Buttarelli did not visit the country.
Cervera Navas was only appointed as the agency’s (first-ever) secretary general
in 2023, having previously joined the EDPS as a manager in 2010 and being
appointed director in 2018. While serving as director from 2018-2023 he was the
only person at the EDPS with this title; no other director has been appointed
since he took up the role of secretary general.
Meanwhile, former supervisor Buttarelli, who passed away in August 2019, took 29
trips to his home country of Italy, compared to four trips to his second-most
visited country, the United States, and three trips each to France and the
United Kingdom. By comparison, Wiewiórowski took nine trips to Italy in
2017-2023, and Cervera Navas three.
The current supervisor, Wiewiórowski, most often visited his home country of
Poland and the Netherlands, with 20 mission visits to each. France was third
with 13 trips.
The preference of senior officials for visiting their home countries is even
clearer when these top officials are compared with all staff missions across the
institution.
Mission data provided by the EDPS included individual entries from EDPS staff,
as well as entries from the EDPB (European Data Protection Board) secretariat,
which is overseen by the EDPS.
The analysis of trip destinations included both EDPS and EDPB secretariat staff
because the anonymized entries did not allow the two to be separated. However,
EDPB staff mission spending represented a small share of total spending compared
to EDPS staff missions. For example, in 2023 total EDPS staff mission spending
(excluding top officials Wiewiórowski and Cervera Navas) was €180,930, while
EDPB mission costs were €54,166.92.
Almost half of all trips taken by Cervera Navas over the period were to Spain,
his home country. By contrast, less than 5 percent of travel for other EDPS and
EDPB staffers was to Spain.
Likewise, almost 60 percent of trips taken by Buttarelli were to Italy, compared
to less than 8 percent for other EDPS and EDPB staff.
‘DEEPER AUDIT’
The European Parliament’s opinion, drafted by Zdechovský in January, raised
“concern about the significant increase in EDPS staff mission costs” in recent
years and called for more transparency. Spending rose to €284,580 in 2023 from
€28,789 in 2021.
But the authority’s February rebuttal said the increase had been due to the
resumption of travel after the pandemic, as well as to inflation.
Still, Zdechovský, who holds a lot of sway as the European People’s Party (EPP)
coordinator in the Parliament’s budgetary control committee, called for a
“deeper audit” of EDPS mission expenditures in his comments to POLITICO, and
urged that the regulator be required to publish justifications for each trip
taken by senior officials.
“If patterns suggest systematic abuse, we must be ready to act, either through a
proposal for a budgetary revision, or calls for reforms to travel and mission
policy,” he said.
The Parliament’s budgetary control committee is due to deliver its discharge
(where it decides whether to sign off on the accounts of an EU institution)
on the EDPS budget for 2023 at the upcoming May plenary session in Strasbourg.
NATIVE LANGUAGE REQUESTS
In response to POLITICO’s reporting, current EDPS Wojciech Wiewiórowski (who is
holding a caretaker position at the moment) told members of the Parliament’s
civil liberties committee on Wednesday: “We try to send to the member states the
persons who can take part in the discussion, who are not there just to lecture,
just to say something, but who will go into the discussion with the people
there,” he said.
Following POLITICO’s reporting, EDPS Secretary-General Leonardo Cervera Navas
told reporters on Wednesday it was “super important” for the authority to be
transparent on mission spending. “We have to be fully accountable, this is the
strength of our democracy … But we have to be serious about these budgets and
figures and the money we invest in effective supervision,” he said.
He warned it would be a “mistake” to freeze spending on EDPS missions or
inspections, especially as the office’s responsibilities under the AI Act are
ramping up.
“I think it’s really, really important that our budget on missions grow[s] and
we can send many people around to interact with AI especially, and to
participate in global discussions about this subject,” Cervera Navas said.
The EDPS’ Head of Communication Olivier Rossignol said in a comment there was
“always a transparent decision” to share events among senior officials according
to their native language (Italian for the late Buttarelli, Polish for
Wiewiórowski and Spanish for current Secretary General Cervera Navas).
“Italy, Poland and Spain are three important Member States in the European Union
that organize a lot of events and high-level meetings on data protection and
privacy. These three countries are often used to work in their national language
because [the] specialized audience is not always fully operational in English,
and do appreciate native speakers on expert topics and fields,” Rossignol said.
Rossignol said that missions by the EDPS supervisor and secretary general are
validated by the secretary general as head of the authority’s secretariat, while
the secretary general’s own trips are agreed and confirmed in advance by the
supervisor. He added that missions by the supervisor and secretary general are
coordinated at weekly meetings with the information and communication unit that
publishes the agenda online, as well as with middle managers.
This article was updated to include comments by Wiewiórowski and Cervera Navas
responding to POLITICO’s initial reporting.
Youth gangs have wreaked havoc in Sweden and Denmark for months, with violence
ranging from murders to explosions.
For Peter Hummelgaard, Denmark’s justice minister, it’s not just guns and bombs
that are causing mayhem. It’s also the criminals’ smartphones.
“We’ve seen a new trend of crime-as-a-service, where organized criminals use
digital platforms to hire children and young people from Sweden to commit
serious crimes in Denmark — murders, attempted murders, explosions,” Hummelgaard
told POLITICO in an interview last month.
Technology has made it “far easier for criminals to reach a larger audience and
also coordinate actions in real time,” the justice minister said, singling out
crimes like spreading child pornography, money laundering, illicit drug
smuggling — “or, as we’ve seen examples in Denmark and Sweden, recruitment of
minors into a life of crime.”
The smartphones and applications used by criminals to recruit, organize and
carry out crime sprees are increasingly the target of European law enforcement
and politicians alike. So-called end-to-end encrypted technology — a pillar of
privacy-friendly and cybersecure digital communication — is seen as a foe by
police and investigative authorities.
The technology is now coming under heavy fire across Europe.
“Without lawful access to encrypted communications, law enforcement is fighting
crime blindfolded,” said Jan Op Gen Oorth, a spokesperson for Europol, the
European Union’s law enforcement agency.
France has put forward an anti-drug trafficking law that critics say would ban
encryption. The Nordic countries have taken the fight to tech companies. Spain
said it wants to ban encryption. And the U.K. government has now entered a legal
battle with Apple over an apparent attempt to secretly spy on encrypted data.
Denmark will soon take over the rotating presidency of the Council of the EU,
giving it an influential role at a time when EU countries are debating the
bloc’s child sexual abuse material bill (CSAM). That draft legislation could
impose an obligation on all messaging platforms to conduct blanket scans on
their content to root out child abuse images — even if they’re end-to-end
encrypted and thus technically out of reach of the platforms themselves.
“It’s no secret that I would like to see an ambitious regulation on child sexual
abuse,” Hummelgaard said.
The EU won’t stop there. The European Commission, the bloc’s executive branch,
this month unveiled a new internal security strategy, setting out plans to look
into “lawful and effective” data access for law enforcement and to find
technological solutions to access encrypted data.
It also wants to start work on a new data retention law, it said in the
strategy, which would define the kinds of data that messaging services,
including digital ones like WhatsApp, have to store and keep, and for how long.
The EU’s top court struck down the previous data retention legislation in 2014,
saying it interfered with people’s privacy rights.
The Commission is presenting a united front in its plans to help law
enforcement. The internal security strategy was presented jointly by Henna
Virkkunen, a powerful executive vice-president who heads the digital department,
and Magnus Brunner, the commissioner in charge of home affairs. Both hail from
the center-right European People’s Party, as does Commission President Ursula
von der Leyen.
POLICE FACE PRIVACY GROUPS
In taking on encryption, European governments are heading for a massive clash
with a powerful political coalition of privacy activists, cybersecurity experts,
intelligence services and governments favoring privacy over police access.
Strands of that fight date all the way back to the last century. Cryptography
was a powerful asset during the Cold War, when the U.S. and the Soviet Union
aimed to restrict access to the technology to keep control of confidential
communication. But the technology grew in stature during the age of the
internet, underpinning everything from digital banking to sensitive data
transfers. In recent years, an increasing number of major tech firms have moved
toward using end-to-end encryption as a default setting.
“I have no sympathy for the argument that one needs to undermine encryption in
order to catch the bad guys,” said Matthew Hodgson, a co-founder of Matrix, a
secure comms protocol that has been used by the U.S. Navy and multiple European
governments.
Doing so would punish regular people hoping to communicate privately while
pushing drug dealers, pedophiles and terrorists toward encrypted messaging
services operated in countries beyond the reach of European police, Hodgson
said. “It really is a naive, fool’s errand.”
One app in particular has taken up the fight against the creep of
encryption-threatening laws: Signal.
The app is seen as the industry standard on end-to-end encrypted messaging — and
recently entered the limelight when a group chat among top U.S. security
officials was compromised in what was dubbed “Signal-gate.”
Its president, Meredith Whittaker, has repeatedly threatened to pull out of a
country rather than abide by any law that forces her to weaken Signal’s
security. Whittaker told POLITICO in early March that it is a “fundamental
mathematical reality that either encryption works for everyone, or it’s broken
for everyone.”
Danish Justice Minister Hummelgaard suggested he would have no problem if Signal
ceased operations in Denmark over its refusal to work with law enforcement.
“I’m beginning to question whether or not these are technologies and platforms
that we simply cannot live without,” he said.
A FORK IN THE ROAD
With no legal solution in sight, law enforcement authorities are making do with
what they have. They’ve had success infiltrating and compromising open encrypted
messaging services used only for criminal purposes, like Encrochat, and getting
access to so-called metadata (like location information) that is more in the
open than messages.
But they continue to complain of being locked out of the dominant form of
communication. Jean-Philippe Lecouffe, the deputy head of Europol, put it simply
at a recent conference: “We want legal access.”
That’s where mathematics gets in the way.
Those in favor of police access to data argue there are ways for messaging
services to get access to criminals’ end-to-end-encrypted messages without
weakening the security of regular people’s conversations. Yet tech experts have
noted that with end-to-end-encryption, it’s not possible for only the “good
guys” to get access. Once such a so-called backdoor has been opened, they say,
it cannot remain closed to hackers, criminals and spies.
Both can’t be true, so the debate remains a clash of heads with no compromise
available.
With the legislative challenges to encryption, Europe seems headed for a fork in
the road, where political momentum could give the police what they want — or the
fight could rumble on.
Ella Jakubowska, head of policy at European digital rights group EDRi, which has
long fought police surveillance, said the debate seems intractable. “It’s like
banging our head into a brick wall.”
Italy’s data protection authority has ordered a block on Chinese artificial
intelligence revelation DeepSeek, it said late on Thursday.
The regulator said it has ordered Hangzhou DeepSeek Artificial Intelligence and
Beijing DeepSeek Artificial Intelligence — the Chinese companies behind the
DeepSeek chatbot — to stop processing Italians’ data with immediate effect.
The move comes after DeepSeek apparently told the authorities it wouldn’t
cooperate with a request for information made by the agency.
“Contrary to what was found by the authority, the companies have declared that
they do not operate in Italy and that European legislation does not apply to
them,” the Italian regulator said. This response “was deemed completely
insufficient,” it added.
The regulator has also opened an investigation, it said.
The Chinese AI firm recently emerged as a fierce competitor to industry leaders
like OpenAI, when it launched a competitive model to ChatGPT, Google’s Gemini
and other leading AI-fueled chatbots that it claimed was created at a fraction
of the cost of others.
The release triggered an industry panic and markets shock in the U.S., as key
shares in the tech sector dropped sharply on Monday.
The ban is not the first time the Italian privacy authority has taken such a
step; it also blocked OpenAI’s ChatGPT in 2023. It later allowed OpenAI to
re-open its service in Italy after meeting its demands.
POLITICO has approached DeepSeek for comment.