In 2018, a new European law called the General Data Protection Regulation, or GDPR, took effect. With the stroke of a pen, a host of common online practices—used by everyone, from big tech companies like Google to small web publishers, for everything, from showing popup ads to requiring an email address to enter a website—suddenly became illegal in the European Union, or at least heavily regulated. Consent was required before any personal information could be collected or used—and the EU’s definition of personal information was considerably broader than the US definition. Elizabeth Denham, the information commissioner for the UK, called the GDPR “the biggest change to data protection law for a generation.” Others were less diplomatic: one critic described the law as a “clunky bureaucracy” and a regulatory minefield that shackled businesses with “unnecessary red tape.”
If tech platforms thought that the GDPR was the end of their problems in the EU, they were mistaken: the law was only the lip of a wave of European regulatory activity aimed at the online world, and specifically the behavior of digital giants like Meta, Google, and Apple. These new laws have targeted everything from alleged anti-competitive practices to the ways in which personal data is used to customize search results and news feeds. Brian Wieser, a technology analyst and former investment banker, told the Wall Street Journal recently that the laws are a “Glass-Steagall moment for big tech,” a reference to a Depression-era law that supporters believe was instrumental in reining in anti-competitive behavior by banks. As a result, Wieser said, tech platforms are going from “effectively no regulation to heavy regulation.”
Unlike the GDPR, which targeted all online activity, the new European laws are focused primarily on the largest digital platforms and services. Two of the most significant new regulations are the Digital Services Act, or DSA, and the Digital Markets Act, or DMA. Under the former, which governs everything from the removal of illegal or harmful content to the retention of personal user data, any time a service such as Facebook removes content, they have to file that decision with the EU, as part of a public database. Platforms with more than forty-five million users in the EU—a figure equivalent to roughly 10 percent of the bloc’s population—are subject to the highest level of regulation. (The EU has listed nineteen companies covered by the Act but there is still debate as to who should be included; according to the Associated Press, some EU insiders have pointed to notable omissions such as eBay, Airbnb, Netflix, and even PornHub.) TikTok, which is on the list, said earlier this month that users in the EU will soon be able to turn off the service’s recommendation algorithm, because, under the DSA, users have the right to refuse any feature that relies on personal data-tracking. Likewise, Meta has said that EU users of Facebook and Instagram will be allowed to opt out of their algorithmic news feeds.
Note: This was originally published as an email newsletter for the Columbia Journalism Review, where I am the chief digital writer
Continue reading “European regulatory vise tightens around digital platforms”