Digital Services Act (DSA)
The Digital Services Act (DSA) is a proposed regulation regarding illegal content, transparent advertising, and disinformation online. Up until now, the most current rules regarding these matters in the EU are part of the e-Commerce Directive (adopted in 2000) and in the meantime, many countries have adopted their own laws regarding illegal content and hate speech online. Once adopted, the DSA would be valid at the European level and overrule the then-obsolete national laws.The Digital Services Act (DSA) proposal is aimed at creating a safer online environment and defines clear accountability and responsibilities for providers of intermediary services, and in particular online platforms, such as marketplaces and social media platforms.
Very large online platforms (VLOPs) like Facebook or YouTube will be subject to more specific obligations due to the increased risks they pose regarding the dissemination of both harmful and illegal content. For such platforms, the DSA would also mean additional mandatory risk assessments, risk mitigation measures, independent audits, and transparency regarding recommendation algorithms.
Reactions to the Digital Services Act have so far been mixed – U.S. media and tech whistleblowers have reacted positively, whereas human rights activists and civil society organizations have called for yet stronger privacy protections. Unsurprisingly, big tech companies have not welcomed these upcoming rules with open arms and have sought countermeasures, especially regarding the proposed mandates regarding targeted advertising.
Digital Markets Act (DMA)
The purpose of the Digital Market Act (DMA) is to ensure a higher degree of competition in the European Digital Markets, by preventing the largest digital players (defined as Gatekeepers) from abusing their market position and power by enabling smaller companies to enter the market on a more level playing field.Gatekeeper companies could face significant fines over non-compliance with the proposed changes: Google and Apple will have to allow users to uninstall apps that have originally come with their devices and are no longer allowed to practice self-preferencing in their app stores and owned products like Google Search. Other obligations would include prohibitions on combining user data collected from two different platforms belonging to the same company (for example Facebook and Instagram), provisions for ensuring portability, and interoperability as well as access to data for businesses and end-users of platforms.
The DMA covers eight different areas which are defined as Core Platforms Services (CPS) which are considered problematic by the EU Commission due to the usual dominance of big tech companies. Core Platform Services include online intermediation services like app stores or digital content storefronts; search engines; video sharing platforms; social media; communication platforms; advertising services as well as cloud services and operating systems.
There are already numerous instances of big tech companies garnering antitrust fines (Facebook and Google) or being sued by business clients (Apple vs. Epic) for unfair practices, so these upcoming changes are hotly anticipated by many. However, the technical implementation of some of the requirements is unclear, and of course, the Gatekeeper stakeholders like Google, Apple, and Meta are strongly incentivized to increase their European lobbying activities for more favorable conditions.
Both the DSA and the DMA have been approved by the European Parliament in July 2022 and are expected to be formally adopted by the Council of the European Union in September 2022. Rules regarding DSA and DMA will begin to apply for designated companies in January 2024 at the latest.
General Data Protection Regulation (GDPR)
Moves to regulate the power of big tech companies are nothing new: the General Data Protection Regulation (EU) is a regulation on privacy and data protection in Europe that was adopted in April 2016 and became enforceable in May 2018. The GDPR was and still is one of the core regulations on privacy and data protection in Europe, and arguably one of the biggest tech regulations so far. The GDPR contains rules regarding the processing of personal data of individuals and applies to any enterprise that is processing the personal data of individuals inside the European Economic Area (EEA). As many online companies derive a large share of their revenues from online advertising and user-targeted ads, this regulation already made huge waves before its release.The rollout of the GDPR was not a smooth process and many companies were criticized for implementing the changes on short notice, or for blocking EU users entirely to not be held liable for any breach of the new regulations. Since the implementation of the GDPR by the EU in May 2018, over 1,100 fines have been issued for violations or non-compliance. Of these, the fine of 746 million euros received by Amazon in July 2021 has been by far the greatest.
In the years since the implementation of the GDPR, many countries around the world have adopted similar regulations. In 2022, approximately half of online users in European countries were aware of GDPR. As user data breaches continue to make news, internet users have become increasingly aware of online privacy and their consumer rights, and more often than not factor privacy into account in their decision-making process regarding digital products and services.