A tide of online accountability has come to Europe.
In July, the European Parliament adopted the Digital Services Act (DSA) and the Digital Markets Act (DMA). Although they were passed as one legislative package, they function as two distinct laws.
The DSA creates new obligations for online platforms to moderate content and be transparent about how they collect and use data.
The DMA, meanwhile, is an anticompetition law designed to rein in what it calls “gatekeeper platforms,” such as Google, Amazon and Meta, including a requirement to get consent before combining personal data for targeted advertising.
The common thread between them is that both the DSA and the DMA call for Big Tech providers to be more accountable for what happens on their platforms.
The fine for noncompliance is even steeper than GDPR, which could result in sanctions of up to 4% of global annual turnover. Companies face fines of up to 6% of annual worldwide turnover for violations of the DSA and 10% for the DMA.
The DMA is expected to come into force by the end of the year, while the DSA will take full effect by 2024.
Service, please
The DSA enforces stricter content moderation, mandates certain disclosures about paid ads and fully bans targeted ads to children under 18 for just about all online platforms. (But heavier responsibility falls on platforms that have 10% of the EU population in their user base.)
EU member states will also have access to the inner workings of platforms’ recommendation algorithms, breaking open their black boxes. Algorithmic transparency will also be user-facing – platforms will have to briefly explain why certain ads were targeted to individual users. This includes allowing users to see ads that aren’t based on “profiling,” for example, or scroll through their social feeds based on chronological, not algorithmic, order.
Platforms also have to release a biannual report on their content moderation efforts.
And they’re specifically prohibited by the DSA from using dark patterns, or language that results in users inadvertently agreeing to share their data.
Paired with the prohibition against targeting ads to kids, the explicit ban on dark patterns makes the DSA a strong data privacy play, said Elle Todd, an attorney and partner at London-based firm Reed Smith LLP.
“The DSA is very UX-focused – it’s all about changing interfaces and changing the ways consumers are interacting with platforms online,” she said. “People will see far more impact on a day-to-day basis as everyday consumers from the DSA than the DMA.”
The digital marketplace
The DMA applies to a much smaller subset of companies, specifically those with 45 million monthly active users and/or that have an annual turnover of at least 7.5 billion euros. Amazon, Google, Meta, Apple and Microsoft would all qualify.
Whereas the DSA focuses more on protecting the rights of individual users, the DMA gives European regulators unprecedented power to crack down on anticompetitive and unfair business practices, including over how large Big Tech platforms collect and use data.
The DMA prohibits platforms from combining data sources without explicit opt-in as well as from preferencing their own products and services.
Google, for example, would be barred from combining data from across its services to show targeted ads without consent, and it would be illegal for Amazon to use data from third-party sellers to inform its own competing products.
Picking up where GDPR left off
Once they go into effect, the DSA and the DMA will be enforced by different enforcement bodies. The European Commission is the primary enforcer of the DMA, but EU member states will have to coordinate their own governing bodies for DSA enforcement.
But despite the difference in enforcement, there’s a common goal: reining in data abuse to protect children.
Both laws are largely consistent with international demands for data privacy laws, especially when it comes to protecting kids online and limiting data collection without the proper consent, said Seth Redniss, co-founder and chief legal counsel of Qonsent, a data platform that helps companies with privacy compliance.
Specifically, the DSA and the DMA provide added protections for children online.
“The GDPR doesn’t say too much about children beyond general statements about processing children’s data,” Todd said. “The DSA is new in that it superimposes a specific prohibition against using children’s data for targeted advertising.”
Next stop America?
The DSA and DMA are both European laws, but the sentiments expressed within them will likely make it to the US sooner or later.
Not to mention that nearly all the gatekeeper companies the DMA targets are based in the US, and that US companies will have to comply with both the DSA and the DMA if they want to do any business in Europe, Redniss said.
The DSA and the DMA have overlapping consent requirements with the GDPR, meaning platforms that don’t comply now can be hit with multiple violations at once, said Susan Israel, a privacy attorney at Loeb & Loeb LLP.
Platforms generally apply user interface changes globally because it’s less complicated to implement.
But whether companies choose to apply European privacy expectations to American users before they’re eventually forced to, Israel said, will be their own decision to make.