Already facing a number of investigations and fines under the existing General Data Protection Regulation (GDPR) rules, the Big Tech companies are feeling even more pressure in Europe with the proposal of two new antitrust policies. Together the “Digital Markets Act” and “Digital Services Act” would limit use of personal data and require social media platforms to do more policing of user-created content.
The two policy proposals are in an initial draft state right now, likely subject to a great deal of debate and tinkering before going to European Parliament and the Council of the EU for a vote. Big Tech is thus far responding cautiously and with signals of cooperation, but will no doubt push to weaken or eliminate what would be the world’s strongest attempt by far at limiting their size and power.
Digital Markets / Digital Services Act seeks consumer safety, marketplace competition
The Digital Services Act and its companion bill would collectively give regulators the ability to increase fines on Big Tech companies, and would introduce the prospect of requiring them to break up or be banned from the EU entirely if they commit repeat offenses.
The Digital Services Act addresses user content hosted on Big Tech’s various platforms, such as Facebook and Twitter. Firms of this size would be required to be much more active in policing their own territories for illegal content: the sale of illegal goods and services, human trafficking, terrorism, child abuse and things of that nature. The Digital Markets Act addresses the increasing concentration of social media and e-commerce power in the hands of a relative few major online players. These Big Tech heavyweights are branded “gatekeepers” by the Act and would be subject to a new package of rules to prevent anticompetitive behavior, such as being limited in their use of information of business users to develop and deploy competing services.
In general, the terms of the Digital Services Act apply to any business that hosts content online as well as intermediaries that offer network infrastructure (such as ISPs). However, it creates a tiered package of rules that scales with the size of the business in question. All services in this realm would have new transparency reporting requirements and obligations in cooperating with national authorities, with hosting services having an added requirement to provide certain notices and informative statements to users. From there the rules depend on the size and specific classification of the company. Those designated as “online platforms,” such as social media and e-commerce sites of a certain size and reach, have added requirements for things such as flagging illegal content, vetting third-party partners and being transparent about online advertising methods in use. A special category of “very large platforms” faces even more responsibilities in terms of data sharing obligations, appointing compliance officials, crisis response and auditing.
The terms of the Digital Markets Act also apply to those companies that are large enough to be tagged with the “very large platforms” designation. This draft is more specific about whom it will apply to: companies with a “strong economic position,” “significant impact on the EU market,” “entrenched and durable,” and that link a large EU-spanning user base to a large number of different businesses. These platforms would be required to increase third-party access to their services, open up a variety of relevant data to their business users, be more transparent to advertisers about how their systems work, and prevent business partners from limiting promotional activity outside of their platform. Gatekeeper-class companies would also not be allowed to prioritize their own products over those of third parties on their own platforms, and those that deal in hardware would not be allowed to prevent users from removing pre-installed apps.
These new rules provide for fines of up to 10% of the company’s total worldwide annual turnover, substantially more than the 4% maximum fine under the present GDPR terms. Organizations could also face periodic penalty payments of up to 5% of the average daily turnover. But those are not the ultimate penalties; the final measures for the most serious cases are “behavioral and structural,” i.e. forced divestiture of assets or even a ban on operating in the EU.
Big Tech expected to push back
An initial statement from the Computer and Communications Industry Association, which represents most of the biggest names in Big Tech, was neutral and signaled cooperation: “We look forward to working with EU policy makers to help ensure that the proposals meet the stated goals so that Europeans continue to reap all the benefits of digital products and services … We hope the future negotiations will seek to make the EU a leader in digital innovation, not just in digital regulation.”
While Big Tech is being cautious in its response to the Digital Services Act package in its early days, industry analysts fully expect resistance to become more pronounced as it moves closer to becoming a reality. There was more initial pushback from the United States Chamber of Commerce, which complained that the proposed new regulations were “onerous” and would unfairly target the business models of tech giants based in America, than from organizations in the EU.
While the Digital Services Act package might initially seem to be a giant boon for consumers that promotes safe products and services, the EFF has identified some points where it may not entirely be in the public interest (and that the Big Tech firms might make use of in their opposition). These points include a ban on competing national-level legislation for EU member states, weak terms mandating interoperability between competing products, and an inability to port data from one service to another without maintaining an active account with the original service. Saryu Nayyar, CEO of Gurucul, added the following observation about a potential added security burden on the end user created by the Digital Services Act package terms: “ … There is always the very real possibility that apps not associated with the platform vendor may be less secure. It’s hard enough for tech giants to keep their heads above cybersecurity waters. Imagine how difficult it will be for the small guys to guarantee their apps are 100% secure.”