In 2018, a new European law called the General Data Protection Regulation, or GDPR, took effect. With the stroke of a pen, a host of common online practices—used by everyone, from big tech companies like Google to small web publishers, for everything, from showing popup ads to requiring an email address to enter a website—suddenly became illegal in the European Union, or at least heavily regulated. Consent was required before any personal information could be collected or used—and the EU’s definition of personal information was considerably broader than the US definition. Elizabeth Denham, the information commissioner for the UK, called the GDPR “the biggest change to data protection law for a generation.” Others were less diplomatic: one critic described the law as a “clunky bureaucracy” and a regulatory minefield that shackled businesses with “unnecessary red tape.”
If tech platforms thought that the GDPR was the end of their problems in the EU, they were mistaken: the law was only the lip of a wave of European regulatory activity aimed at the online world, and specifically the behavior of digital giants like Meta, Google, and Apple. These new laws have targeted everything from alleged anti-competitive practices to the ways in which personal data is used to customize search results and news feeds. Brian Wieser, a technology analyst and former investment banker, told the Wall Street Journal recently that the laws are a “Glass-Steagall moment for big tech,” a reference to a Depression-era law that supporters believe was instrumental in reining in anti-competitive behavior by banks. As a result, Wieser said, tech platforms are going from “effectively no regulation to heavy regulation.”
Unlike the GDPR, which targeted all online activity, the new European laws are focused primarily on the largest digital platforms and services. Two of the most significant new regulations are the Digital Services Act, or DSA, and the Digital Markets Act, or DMA. Under the former, which governs everything from the removal of illegal or harmful content to the retention of personal user data, any time a service such as Facebook removes content, they have to file that decision with the EU, as part of a public database. Platforms with more than forty-five million users in the EU—a figure equivalent to roughly 10 percent of the bloc’s population—are subject to the highest level of regulation. (The EU has listed nineteen companies covered by the Act but there is still debate as to who should be included; according to the Associated Press, some EU insiders have pointed to notable omissions such as eBay, Airbnb, Netflix, and even PornHub.) TikTok, which is on the list, said earlier this month that users in the EU will soon be able to turn off the service’s recommendation algorithm, because, under the DSA, users have the right to refuse any feature that relies on personal data-tracking. Likewise, Meta has said that EU users of Facebook and Instagram will be allowed to opt out of their algorithmic news feeds.
Note: This was originally published as an email newsletter for the Columbia Journalism Review, where I am the chief digital writer
The DMA, meanwhile, targets a wide range of anti-competitive behavior, requiring any company defined as a “gatekeeper”—in effect, big digital platforms that provide core services such as search, app stores, or email and messaging—to interoperate with other platforms, and forbids them from giving their own apps and services priority over those of others. As a result, Apple is planning to allow users of its iPhones to install apps without using its official App Store, a process known as “sideloading.” (Google’s Android operating system has allowed this for a number of years.) Such a step would not only give users more freedom to install apps not officially recognized by Apple, but would also give app-makers the ability to avoid Apple’s mandatory fee of between 15 and 30 percent of app revenue. Apple is also said to be planning other changes, such as allowing users the ability to install other browsers and even redesigning its devices’ charging ports to a more common format.
The DMA also requires companies defined as gatekeepers to keep user data from different services separate, unless they get specific consent from users. The blending of data is currently commonplace for services like Facebook and Instagram; according to the Journal, Meta is in discussions with EU regulators, arguing that its Messenger service should be considered fully integrated with Facebook and therefore not be subject to the restrictions on data combination. Amazon, for its part, has appealed its overall designation as a gatekeeper by challenging the definition in court, while TikTok has tried to make the argument that it is not anti-competitive, claiming that it is helping to bring more competition to social media. Either way, if a service doesn’t comply with the rules under the DMA, the EU can impose a fine of as much as ten percent of the company’s worldwide revenue. Under the DSA, the maximum fine is six percent of global revenue.
Google is making changes, too—and not only because of the DSA and DMA, but due to other EU regulations and antitrust lawsuits. After EU regulators hit the company with a record fine of five billion dollars in 2018, for example, Google (following a failed appeal) changed the way its Android phone software works, allowing users to install any search engine instead of being forced to use Google or one of its chosen alternatives. Last year, antitrust regulators in the EU opened investigations into Google’s practice of charging app-makers for the ability to use a payment-processing service other than Google’s. An EU investigation into whether Google’s ad market breaches antitrust rules is ongoing.
And other EU laws are in the works as well, beyond the DSA and DMA. A proposed EU Data Act would force US tech giants to share proprietary data and intellectual property with their European competitors, including trade secrets. The act covers both non-personal and personal data, defining the term as “any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording.” And it outlines requirements for business-to-consumer and business-to-business data sharing, and gives users the right to request their data and share it with a third party, such as an independent repair service, free of charge. Data-holders must also make data available to data recipients in a “fair, reasonable and non-discriminatory” as well as “transparent” manner.
Even with these new laws coming into force, the GDPR continues to hold the large digital players to account. In May, Ireland’s Data Protection Commission fined Meta more than a billion dollars—one of the largest fines ever levied under the framework—for breaching EU data-privacy rules, and ordered the company to stop sending data that it collected from European Facebook users to the US. As I wrote for CJR at the time, the fine called into question not only Facebook’s data-collection apparatus, and the multibillion-dollar business model that it supports, but the similar practices of almost every other global social network and online service. At the time, Nick Clegg, the head of global affairs for Meta and a former deputy prime minister of the UK, said that the ruling risked carving the internet “into national and regional silos.”
US lawmakers have been trying for some time to implement regulations similar to those in the EU, but so far, they have been unsuccessful. Members of Congress from both sides of the aisle have proposed the creation of a commission or other such body that would regulate how digital platforms approach competition, transparency, privacy, and national security, but those efforts have gone nowhere. The Platform Accountability and Consumer Transparency Act of 2021 would have required online platforms to explain their content-moderation practices and keep a public record of content that they remove, but parts of the proposal seemed incompatible with Section 230 of the Communications Decency Act, which shields tech platforms from liability. Last year, a bill that would have banned the major platforms from prioritizing their own services gained bipartisan support, but died in the Senate.
Even if the US never passes anything like the EU’s laws, some experts believe that the large digital platforms could end up implementing some of the same changes for US users. Anu Bradford, a Columbia Law School professor who helped popularize the term “the Brussels effect” to describe the EU’s influence on digital legislation around the world, told the Journal that it will become difficult for Meta and Google to defend their practices in the US when they behave differently in the EU, adding that many Americans “are cheering for Europe.” The absence of laws like Section 230 may have made it easier for the EU to rein in the large digital platforms than it would have been in the US. But Europe also seems more motivated, and perhaps—when it comes to acting against big tech, at least—less paralyzed by political polarization and the dream of American exceptionalism.