The EU takes on Big Tech with landmark legislative package

It’s been a long-time coming, but in July the European Union finally adopted two legislative initiatives that create a single set of new online rules applicable across the bloc. The Digital Services Act (DSA) and the Digital Markets Act (DMA) are intended to create safer online spaces and bring more competition and transparency to digital markets.

“The DSA is largely focused on protecting individuals from the harms which are generally acknowledged to be proliferating in online environments,” Will Richmond-Coggan, a data and information law specialist at Freeths LLP explains, “while the DMA is primarily aimed at protecting smaller businesses from what are considered to be the market-distorting effects of certain companies referred to as ‘Gatekeepers’ having a broad grip on the fundamental ecosystems of the internet.”

Gatekeepers are defined as, among other things, having an “entrenched and durable position in the market” and those that “link a large user base to a large number of businesses,” – so, Apple, Google, Amazon, Meta et al.

The Act places a set of legally binding ‘dos and don’ts’ upon Gatekeeper companies to build more fairness and transparency into the opaque world of online algorithms, advertising, and ranking.

Dr Oles Andriychuk, a reader in law and director of Strathclyde Centre for Internet Law & Policy at the  University of Strathclyde, says the DMA could help end the omnipotence of Big Tech.

Under the Act, which will be applied in 2023, Gatekeepers are not allowed to treat services and products offered by themselves or affiliated companies more favourably in search rankings than similar services or products sold by third parties.

“The discretion the Gatekeeper currently has to downgrade or upgrade a seller’s position currently depends on factors not necessarily known,” explains Andriychuk.  “The vertical mission of the DMA is not to get rid of these practices outright – this is fairly impossible – but to at least bring some order and transparency.”

Gatekeepers will also be required to provide greater transparency about algorithms, such as those for recommended content – the ‘people who liked this also bought this’ feature, for example.

Additionally, under the DSA, public-interest researchers can apply for access to platform data as another layer of independent scrutiny.

It also bans online platforms from using minors’ and sensitive data to serve users with targeted ads, as well as the controversial practice of political microtargeting in Europe. Human rights group Global Witness has criticised the DSA for not applying the limits on ad targeting to Google’s display advertising or news websites, however, and only covering online platforms that share user content, such as Facebook, Instagram, or YouTube.

Other features of the DMA include allowing business users to access the data they generate in their use of the gatekeeper’s platform, including that of advertising performance. Users can also promote their products and services and conclude contracts with their customers outside the platform.  

These new laws should make it easier for users and businesses to switch technology providers, says Richard Nicholas, a partner specialising in digital and data law at Browne Jacobson LLP.

“If you wanted to move from an Apple Watch to a Samsung, for example, Apple would need to provide the data it has collected to you, the user who owns the watch, in such a format that Samsung could also use it, so someone could switch from the Apple Watch to Samsung without losing their data,” he explains.

This capability will become particularly important for autonomous vehicles and other connected devices and is created to prevent manufacturers having a significant advantage when developing new products.

Gatekeepers must also allow third parties to inter-operate with the Gatekeeper’s own services in specific situations, which could see different messengers become interoperable, says Andriychuk.

“You could potentially reach your contacts who are using different messengers via your current messenger,” he explains.

Nicholas says he doesn’t see many downsides for users in the DMA and DSA; across the board reaction has been largely positive.

Lisa Quest, co-head of the public sector and policy practice in Europe at management consulting firm Oliver Wyman, says under the DSA, which is the equivalent to the recently delayed UK Online Safety Bill, some small and medium-sized (SMEs) companies will need to set up compliance functions to identify areas of potential harms relevant for their consumers, as well as internal risk management around engagement with these users.

She provides an example: a mid-size forum for users with interest in a specific topic – parents discussing their children, for example – that does not remove illegal content quickly enough or does not allow users to easily flag and report inappropriate content or file complaints if they are unhappy with moderation decisions could be in breach of the rules.

“There will be some costs associated with this for all types of firms – I think smaller ones will automate this in any way possible. It will no doubt raise the risk awareness of all companies in the market,” she explains.

“Though I think it should be proportional to their size and the vulnerability of the consumers they’re dealing with; the principle of proportionality is important because if the same rules are applied to all companies, it will be damaging for SMEs who would have high regulatory and risk costs.”

Overall, she agrees the incoming laws are good for SMEs as they create regulatory clarity across the board, which is good for investors that have become more nervous about investing in start-ups due to the uncertainty around regulation.

Perhaps unsurprisingly, the new laws are not popular with the gatekeepers, however. This is largely because most of them are designed not to be “self-executing in fashion” says Andriychuk, but intentionally and excessively broad.

“In law, the more adjectives like ‘fair’, ‘just’ or ‘reasonable’ there are, the more room for manoeuvre there is for regulators and enforcers, and the obligations under the DMA are really broad and susceptible to being further specified,” he says. “To be impossible to box-tick is a feature of the DMA, instead requiring meaningful dialogue between the gatekeepers and the Commission.”

Gatekeepers in breach of the obligations can be fined up to 10 per cent of annual global turnover. Under the DSA its 6 per cent. But there are concerns over enforcement, with critics saying the taskforce of 80 officials being set up will be inadequate.

The DMA and DSA are part of the EU’s wider ambition, announced in 2020, to create a single market for data within the bloc, says Nicholas. These two acts apply and are likely only to impact operators in the EU, but the two other pieces of anticipated legislation, the Data Governance Act and the Data Act, will have a wider impact, he says. 

A feature of these acts is that they restrict the transfer of non-personal data outside the EU, which could be problematic for external vendors selling to the bloc.

“If there aren’t similar adequacy provisions in the UK, for example, a company providing goods to the EU that create non-personal data, like an autonomous vehicle or a connected kettle, will need to set up an EU-based representative,” he explains.

More broadly, the consensus is that globally the mood is moving against big tech and towards greater regulation, with the EU’s new legislative package setting the standard.

“This is a global trend,” says Andriychuk. “In the past, we were driven by the logic that the digital economy is inherently good because it’s free and delivers so many consumer advantages. This overshadowed the importance of keeping things under control from the perspective of regulation; now this very optimistic, permissive, non-interventionist era of internet governance is being replaced by a more proactive approach,” he says.

Therefore, it’s very likely there will be a ‘Brussels effect’ with other legislative proposals getting passed into law. The UK, US and other jurisdictions already have several proposals.  

The next step could be converging regulatory regimes globally, which some EU legislators have called for – a move many companies would be likely to welcome, says Quest.

“Large technology companies want to have standard rules of the road that impact them in different jurisdictions, so that they can create a similar kind of compliance and risk function internally to comply with those regulations,” she concludes.