Welcome to AWO’s final Algorithm Governance Roundup of 2025. This month I spoke to Bram Vranken at Corporate Europe Observatory (CEO) about mapping industry influence on the AI Act, the AI standardisation process which has "run into serious trouble" and its complaint to the European Ombudsman. AWO supported this complaint with an opinion on the legal framework governing harmonised standards.

As a reminder, we take submissions: we are a small team who select content from public sources. If you would like to share content, please reply or send a new email to algorithm.newsletter@awo.agency. Our only criterion for submission is that the update relates to algorithm governance, with emphasis on the second word: governance.

You can also share your feedback about the newsletter. I would love to hear from you!

Many thanks and happy reading!

Esme Harrington

In Australia, the Government’s social media age restrictions have entered into force. As a result, under-16s should no longer be able to access Facebook, Instagram, Snapchat, Threads, TikTok, Twitch X, YouTube, Kick or Reddit.

The Department for Infrastructure, Transport, Regional Development, Communications, Sport and the Arts has consulted on the design of a Digital Duty of Care under the Online Safety Act. The Government has committed to introduce a duty of care on online services to prevent serious online harms.

The Government also announced its National AI Plan to encourage the development and adoption of trusted AI solutions. This includes establishing an Australian AI Safety Institute to monitor, test and share information on emerging AI developments.

In the EU, the European Commission has published its Digital Omnibus package, which proposes to simplify a range of legislation including the GDPR, ePrivacy Directive and AI Act. The proposal revises the definition of personal data; codifies legitimate interest as a lawful basis for training AI on personal data (subject to legitimate interest assessment, safeguards and user opt-outs); and introduces lawful bases to train on sensitive category data. It also delays implementation of the AI Act obligations on high-risk AI systems and expands exemptions to cover small-mid-cap companies. The European Data Protection Board and European Data Protection Supervisor have warned the Omnibus could put fundamental rights at risk.

The EC has fined X €120 million for breaching the Digital Services Act (DSA). The EC found X breached rules on (1) deceptive design, regarding its verification feature which enables impersonation scams; (2) transparency and accessibility of its ad repository, due to an incomplete and inconsistent ad library; and (3) researcher access, by imposing unnecessary barriers to public data and prohibiting independent scraping.

The EC has also accepted TikTok’s commitments to improve advertising transparency under the DSA. TikTok has committed to provide full advertisement content, ensure information is available within 24 hours, disclose targeting criteria, and introduce enhanced search functionality.

The EC has published a report assessing the DSA’s interaction with other EU laws and its designation process for Very Large Online Platforms. The EC and Digital Services Coordinators have also published its first report on prominent and recurrent systemic risks, drawing on platform’s risk assessments, audits and transparency reports.

The European Ombudsman has concluded that the EC’s refusal to grant public access to X’s DSA risk assessment constituted maladministration. The Ombudsman recommended that the EC reassess whether it can disclose risk assessment reports with the aim of granting the widest possible public access, including to redacted material.

The EC has opened an antitrust investigation into Meta regarding a policy that prohibits rival AI providers from offering services through WhatsApp. The Italian competition authority previously opened an investigation and has initiated interim measures.

The EC has also opened an antitrust investigation into Google on its use of online content for AI purposes. The investigation will assess whether Google has engaged in anticompetitive conduct by using the content of web publishers to provide AI-powered search services, or by using content on YouTube to train its models.

The Court of Justice of European Union (CJEU) ruling in Russmedia Digital and Inform Media Press has introduced proactive obligations on an online marketplace processing sensitive personal data in user-posted advertisements. The CJEU found that the online marketplace was a controller of personal data in the ads. Therefore, the marketplace must implement systems to monitor whether ads contain sensitive personal data and verify whether the data subject has consented to ad publication. It also held that the marketplace must implement measures to prevent copying or reproduction of the personal data (for example by web scraping). The CJEU held that the marketplace could not rely on the intermediary exemption in the eCommerce Directive and DSA.

The AI Office held a kick-off plenary to begin developing the Code of Practice on marking and labelling AI-generated content under the AI Act. Two Working Groups will draft the Code led by independent chairs and vice-chairs. It also launched a whistleblower tool, a secure and confidential channel to report suspected breaches directly to the AI Office. The AI Office is also seeking feedback on its draft implementing act on AI regulatory sandboxes. The feedback deadline is 06 January.

In France, the Défenseur des Droits, an administrative authority, found that Facebook’s job advertising feature led to indirect gender discrimination. This followed a complaint by Global Witness. Meta has three months to report on the measures it will adopt to ensure non-discriminatory advertising.

In Germany, the Regional Court of Munich found OpenAI models infringed the copyright of GEMA, a major collecting society for musical works. It ruled that OpenAI models infringed copyright by memorising and reproducing copyright material in outputs, noting that works could easily be reproduced on the basis of simple prompts.

In Ireland, the Coimisiún na Meán, the media regulator, has opened an investigation into X under the DSA. It will investigate whether users can appeal content moderation decisions, whether they are properly informed of outcomes, and the accessibility of internal complaints handling systems. The regulator also commenced DSA investigations into TikTok and LinkedIn regarding the accessibility of illegal content reporting mechanisms and potential use of dark patterns to deter users from reporting content.

The Coimisiún na Meán has also signed a memorandum of understanding with Australia’s eSafety Commissioner to enhance cooperation on platform oversight. The memorandum commits to sharing data, methodologies and best practices with a focus on platform design and enhanced protections for children and vulnerable users.

X has issued legal proceedings against Appeals Centre Europe (ACE), a DSA-certified out-of-court dispute settlement body. The claim challenges its certification and seeks to block ACE from ruling on user complaints.

In the Netherlands, the data protection authority published a study indicating that chatbots provide distorted and polarised voting advice. The DPA found that ChatGPT, Gemini, Grok and Le Chat underrepresented centrist parties and directed users towards far-right or green-labour parties. The DPA noted that these systems may qualify as both GPAI models and high-risk systems under the AI Act when used to provide voting advice.

In the UK, the High Court rejected Getty’s claim of secondary infringement against Stability AI. It found that Stable Diffusion’s model weights did not constitute an ‘infringing copy’ because they do not store a copy of the original copyright works. The Court found some historic and limited instances of trademark infringement. Getty abandoned two significant claims relating to copyright infringement during training and in outputs before trial.

The Home Office has opened a consultation on a legal framework for law enforcement use of facial recognition and biometrics. This follows independent testing by the UK’s National Physical Laboratory that revealed historical bias in the tool used by police forces for retrospective facial recognition. The consultation deadline is 12 February.

Ofcom has published its first report on platform risk assessment records under the Online Safety Act. After reviewing 104 illegal content and children’s risk assessments, Ofcom identified methodological deficiencies and outlined areas for improvement. Ofcom also fined a pornography company £1 million for failing to implement robust age assurance measures.

Assessing High-risk Artificial Intelligence: Fundamental Rights Risks, Fundamental Rights Agency

Blueprint for Rights-Centre AI in Public Participation, European Centre for Not-for-Profit Law and Society Inside

Children’s Rights in the Age of Generative AI: Perspectives from the Global South, Mariya Stoilova, Sonia Livingstone and Ayça Atabey

Effective Legal Protections from Harms Caused by Advanced AI Assistants, Alex Lawerence-Archer and Lucie Audibert, AWO

Ensuring News Quality in Platformized News Ecosystems: Shortcomings and Recommendations for an Epistemic Governance, Pascal Schneiders and Birgit Stark

EU AI Act Harmonised Standards Mapping, Adam Leon Smith

EU’s Digital Services Act Just Became Applicable: Outlining Ten Key Areas of Interplay with the GDPR, Gabiela Zanfir-Fortuna and Vasileios Rovilos, Future of Privacy Forum

Framework for Meaningful Engagement 2.0, European Centre for Not-for-Profit Law and Society Inside

From Symptoms to Systems: A Stakeholder-Informed Taxonomy of Generative AI Risks for Eating Disorders, Amy Winecoff and Kevin Klyman, Center for Democracy & Technology

Guidelines for the Governance of Digital Platforms and Generative Artificial Intelligence, UNESCO

Impact of Generative AI on the Novel, Dr Clementine Collett, Minderoo Centre for Technology and Democracy

Mind the Gap: Understanding Age Verification and Assurance, Katelyn Ringrose, David Sullivan, Basia Walczak and Melanie Selvadurai, IAPP

Prebunking at Scale: The Next Chapter for European Fact-Checking, Full Fact and Maldita.es

Preparing for AI Security Incidents, Tommy Shaffer Shane, The Centre for Long-Term Resilience

Prompt, Upload, Repeat: Agentic AI Accounts Flood TikTok, Natalia Stanusch, Martin Degeling, Raziye Buse Çetin and Marcus Bösch, AI Forensics

That Violates My Policies: AI Laws, Chatbots and the Future of Expression, Jordi Calvet-Bademunt, Jacob Mchangama, Isabelle Anzabi, Carlos Affonso Souza, Ge Chen, Sangeeta Mahapatra and Kyung Sin Park, Kevin T. Greene and Jacob N. Shapiro, The Future of Free Speech

The Era of Answer Engines: Generative AI’s Impact on Search Experiences and Online Safety, Ofcom

The EU AI Act: The Objectives (and the nature) of the Law, Gianclaudio Malgieri, Gloria Gonzàlez Fuster, Alessandro Mantelero, Gabriela Zanfir-Fortuna

The Ominous Omnibus: Dismantling the Right of Access to Personal Data, René Mahieu

The Regulation of Delegation, Harry Farmer, Julia Smakman and Michael Birtwistle, Ada Lovelace Institute

The State of State AI: Legislative Approaches to AI in 20205, Justine Gluck, Future of Privacy Forum

Two AI Copyright Cases, Two Very Different Outcomes – Here’s Why, Hayleigh Bosher, The Conversation

Understanding Online Financial Harm: Fraud, Scams and Disinformation Exposure Across Demographic Groups in the UK, Ofcom’s Online Information Advisory Committee

Understanding the Dual Footprint of AI, Paola Tubaro

The Joint Research Centre of the European Commission is hiring a Legislative and Scientific Officer – Legal Aspects of Data and Digital Sovereignty. The role is based in Ispra. 

Digital Freedom Fund is calling for grant applications to support digital rights strategic litigation that advances human rights in Europe. It is hosting information events on 14 January and 04 February.

Bram Vranken is a researcher and campaigner at Corporate Europe Observatory (CEO), a Brussels-based watchdog that monitors corporate lobbying and its influence on European policymaking. We spoke about CEO’s work on the AI Act and its recent complaint to the European Ombudsman about the AI Act’s standardisation process.

Bram: Corporate Europe Observatory (CEO) is a watchdog that researches corporate influences in EU policymaking. We focus on sectors such as fossil fuels, agribusiness, and Big Tech. My own work centres on technology and digital policy, tracking how major tech firms seek to shape regulation to suit their commercial interests.

We conduct investigative research to map the lobbying ‘firepower’ of Big Tech, analysing lobbying registrations, corporate spending, and meeting disclosures. This enables us to understand how much companies spend, how many lobbyists they employ and the tactics they use. Big Tech has also built an extensive ecosystem of organisations such as think tanks and trade associations that amplify its messaging. We trace those connections and show how they skew the public debate and policymaking.

Bram: We began working on the AI Act in 2023. At this time, the European Commission’s proposal was under negotiation and OpenAI had just launched ChatGPT. This transformed the debate, sparking new questions about what constituted ‘general-purpose’ AI and how it should be regulated since it was not covered in the draft law. From the outset, we observed a strong pushback from mostly Big Tech companies against regulating general purpose AI systems. Companies insisted that policymakers should only regulate how it is used, not how it’s developed.

We noticed that the lobbying around the AI Act was incredibly intense involving a wide range of industry actors, from established technology giants to emerging AI startups such as Mistral AI and Aleph Alpha. This is surprising: The AI Act is a piece of product safety regulation that was based on the advice of a corporate dominated expert group and that relies on industry-friendly harmonised standards. It is intended to support industry and facilitate the uptake of trustworthy AI.

Bram: Across industry, the same narrative reappears: Regulation is bad for innovation. We’ve seen this play into geopolitical rhetoric too, with industry suggesting that Europe’s regulatory approach will lose the ‘AI race’ to the United States or China. The narratives reframe the AI Act from a rights-protecting instrument into an economic threat.

In addition, companies deploy highly technocratic arguments. For example, they make claims about technical feasibility or model behaviour. It is difficult for policymakers or civil society to verify these claims because so much expertise and data is concentrated within industry.

Industry’s lobbying power is enormous. Our research has found that technology companies are now the EU’s top corporate spenders. For example, Meta spends around €10 million annually on EU-level lobbying, in addition to major efforts in member states such as France and Germany. Currently, there are more Big Tech lobbyists than MEPs. At CEO, we mapped this “lobby firepower” by tracing meetings between officials and industry representatives obtained through freedom-of-information requests. We also monitored think tanks and consultancies whose research is funded, directly or indirectly, by these companies.

We’ve published several reports throughout the process. Our first report, published in February 2023, mapped the tactics Big Tech were using to influence the AI Act. During the trilogue negotiations, our follow-up research revealed a ramping up of lobbying, with 84 out of 97 meetings held by senior Commission officials on AI occurring with industry and trade associations, compared to 12 with civil society and 1 with academia. It also mapped how European AI startups influenced national governments. Across this period, we mapped corporate tactics from private meetings with the Commission, funding academics and thinks tanks, working with lobby groups and the US government, and coordinated public campaigns.

This is ongoing with the implementation the AI Act. During the passage of the voluntary Code of Practice for General Purpose AI, our research revealed that industry enjoyed privileged access to drafting the text. Meanwhile many companies have shifted from claiming to nominally support the Act to calling for a pause or delay. These narratives continue to gain momentum due to the Commission’s priority of deregulation.

Bram: The providers of high-risk AI systems, such as those used for credit assessment or recruitment, must comply with detailed requirements. To assist compliance, the AI Act relies on harmonised standards. If a provider complies with the standards, they are presumed to be in conformity with the AI Act’s requirements.

The European Commission requested CEN (the European Committee for Standardisation) and CENELEC (European Committee for Electrotechnical Standardisation) to draft these standards. CEN/CENELEC set up Joint Technical Committee (JTC) 21 to coordinate several expert Working Groups who are developing the AI Act standards.

Standardisation bodies such as CEN/CENELEC are private, industry-led bodies which traditionally specify highly technical product requirements such as the acceptable dangerous chemical threshold in toys. As a result, expert membership has historically been dominated by industry-affiliated individuals. Unlike past product harmonisation requests, AI systems touch on a range fundamental rights considerations which these bodies do not have the experience or expertise to consider. This makes this work unprecedented and problematic.

We conducted research to identify the individuals who were drafting the AI Act standards and their affiliations. It proved extremely difficult. As a private body, CEN/CENELEC maintain that the membership of JTC-21 is confidential and require Working Group members to sign non-disclosure agreements about meetings. To pierce the opacity, we turned to LinkedIn and identified around 150 Working Group members. More than half of the identified participants represented industry, whilst many others were consultants with unclear affiliations. CEN/CENELEC has involved several civil society and academic participants to address concerns with representation, but they face an uphill battle. Standardisation is dominated by corporate veterans whilst civil society and academia lack the institutional knowledge and resources to navigate the process.

Alongside this research we filed freedom of information requests with the Commission asking for the list of experts and meeting minutes. These were refused on the grounds that the Commission “did not hold” the information, despite the fact it mandated the process. We also tried to raise concerns directly with the Commission’s AI Office which referred us to DG GROW who oversee standardisation requests. Despite repeated follow-ups, we received no response. At this point, we commissioned a legal opinion from AWO about the opacity.

AWO looked into the legal framework governing EU harmonised standards, alongside its interpretation by the Courts and academic analysis. The sources all emphasised the importance of supervising the standardisation process and ensuring compliance with the rule of law to safeguard the constitutional principles fundamental to democratic governance. AWO concluded that there is strong normative and legal grounding to argue that the process of creating harmonised standards must comply with transparency and participatory requirements embedded in the rule of law. As such, not only the standards but also the processes that generate them may be subject to legal scrutiny and potentially challenge where these principles are not observed.

At that point, we filed a complaint to the European Ombudsman concerning the lack of transparency and the lack of balanced stakeholder participation. The Ombudsman has opened a formal inquiry, requesting documents and planning an on-site inspection at the Commission. Based on their investigation, the Ombudsman will issue preliminary findings and recommendations to which the Commission must respond.

We hope the investigation will affirm that the Commission retains responsibility for ensuring transparency and balanced representation, even when delegating tasks to private bodies. At minimum, there should be public disclosure of experts’ identities, meeting minutes, and conflict-of-interest policies, alongside a clear guarantee that stakeholder representation will be balanced to include civil society. Standardisation on such sensitive matters must not happen behind closed doors.

Meanwhile, the standardisation process itself has run into serious trouble. Under pressure to meet tight implementation deadlines, CEN/CENELEC recently suspended their consensus-based Working Groups model and concentrated decision-making in small Drafting Groups dominated by long-standing experts, often industry participants. Civil society and academic experts have been sidelined, prompting several senior members of JTC-21 to protest publicly.

The Commission’s experiment in outsourcing fundamental rights governance to industrial standardisation bodies is now blowing up. The Commission’s implementation of the AI Act depends on a process it does not control. This has produced delay, opacity, and a structural bias towards weaker safeguards, with industry pushing for weaker international ISO standards to be adopted through the CEN/CENELEC process. As the deadline looms, contentious issues, especially those touching on fundamental rights, are being dropped just to get the standards done. Meanwhile, industry is using the delay, that it has in some cases been responsible for, as a reason to call for pausing the implementation of the AI Act.

Bram: We will continue to follow the Ombudsman process and monitor how standards are finalised. But new challenges are emerging: The Commission’s deregulation agenda is now also affecting digital legislation. On 19 November, the Commission proposed a drastic roll-back of digital rights, through its so-called digital omnibus. The AI Act, the GDPR, and ePrivacy are all affected, including a delay of the implementation of the AI Act and the serious weakening of data protection in the GDPR.

Big Tech firms have used the Trump administration to put pressure on the EU to weaken its digital rulebook, but equally worrying is that the EU’s deregulation agenda has opened the door to corporate interests. For example, the Commission invited industry to closed-door workshops to ‘reality-check’ legislation related to AI, effectively asking which rules they find burdensome. Several civil society organisations requested to participate but were not invited. Fortunately, there is also huge push-back from civil society, political groups in the European Parliament, and experts.

Looking ahead, our priority is defending these digital rights from being watered down and reforming the standardisation system. That means stronger transparency requirements, real conflict-of-interest rules, and genuine participation for civil society. Without these safeguards, decisions about fundamental rights will remain in private hands beyond democratic accountability.