The EU Seeks to Update Its Regulation of Big Tech
8 MINS READ
Dec 23, 2020 | 15:59 GMT
EU flags fly outside the European Commission building in Brussels on Dec. 7, 2020.
EU flags fly outside the European Commission building in Brussels on Dec. 7, 2020.
(KENZO TRIBOUILLARD/AFP via Getty Images)
HIGHLIGHTS
Sweeping new EU draft rules will increase the pressure on large tech companies, but debates over their proposed requirements and penalties will likely limit their impact on big tech. The legislation's ultimate fate depends in part on how the European Union frames the proposals to the incoming Biden administration because its receptivity to rules that disproportionately affect U.S. firms could prove decisive to their implementation....
Sweeping new EU draft rules will increase the pressure on large tech companies, but debates over their proposed requirements and penalties will likely limit their impact on big tech. The European Commission, the executive arm of the European Union, on Dec. 15 unveiled two complementary pieces of draft legislation, the Digital Services Act (DSA) and the Digital Markets Act (DMA). Broadly, the measures aim to make big tech more accountable and transparent, and to prevent and remediate anti-competitive behaviors. Both proposals establish fines for rule breakers; in the most extreme cases, they threaten temporary operating suspensions and forced divestitures of some of their business lines.
The DSA encompasses all companies that offer a wide range of digital services in the European Union, although the largest tech giants face special rules. Based on their role, size, and importance, companies face a sliding scale of stricter obligations that broadly aim to make them more accountable to users and regulators and more transparent in their activities and use of information.
The DMA applies only to companies deemed digital "gatekeepers" as defined by their entrenched size and control of an important core service like online search engines. These firms — which, though unnamed, presumably include Apple, Amazon, Facebook, and Google's parent company, Alphabet — face a specific set of requirements and prohibitions on certain practices meant to promote competition and innovation.
A list of Highlights of Draft EU Digital Legislation
The proposals aim to reform an outdated regulatory framework amid growing trans-Atlantic concerns about big tech's influence by trying to increase transparency and prevent anti-competitive behavior. Regulators on both sides of the Atlantic are converging on a consensus on the need to rein in big tech. Existing EU digital rules entered into force when most of today's tech giants either did not exist or were significantly smaller. The European Union hopes the DSA and DMA will provide regulatory and enforcement powers better suited for 21st century concerns, mirroring its similarly ambitious effort to modernize and unify the bloc's personal data policies through the General Data Protection Regulation (GDPR), though that framework has not dented big tech's influence in the way its advocates had hoped it would.
Both European and U.S. regulators are pursuing lawsuits and investigations against tech giants. In November, the European Commission relied on the bloc's 1958 founding treaty to accuse Amazon of violating general competition rules by exploiting the data it collects from other businesses for its own benefit, a practice the DMA would explicitly forbid.
Similarly, since 2019 the U.S. federal and state governments have sued or launched inquiries into Alphabet, Amazon, Apple and Facebook for various alleged antitrust violations. In October, a House Judiciary Committee report found that Alphabet, Amazon, Apple and Facebook had abused their market dominance and recommended considering a series of steps similar to those proposed in the DSA and DMA. While House Republican members may not support more radical ideas like forced divestitures, they are onboard with others, such as giving more resources and legal powers to officials charged with enforcing antitrust measures to block competition-reducing acquisitions and bring lawsuits against rule breakers.
Various political and legal challenges and disagreements over certain provisions will limit the legislation's immediate impact and probably restrain some of the more ambitious proposals. Margrethe Vestager, the EU competition chief who helped lead the DSA and DMA rollout, estimated that it would take at least a year and a half for the proposals to become law and another half year for them to become enforceable. The process is likely to be longer judging from the six-year timeline from introduction to enforcement of the GDPR. The DSA and DMA must be reviewed by EU lawmakers and national leaders, all of whom will be intensely lobbied by large technology companies; they will then draft their own versions to be examined and reconciled with the European Commission proposals.
Rules on content moderation in the DSA could become a particular flashpoint. In the current proposal, one EU member can demand a company based in another remove content it considers illegal, which could quickly devolve into disputes over differences in members' laws, particularly regarding more illiberal states like Hungary and Poland. A similar concern held up agreement on the EU's recently adopted legislation on online terrorist content. Another debate is likely to arise on the question of harmful content — or content that is not illegal, but is seen as problematic — such as disinformation or hate speech. The DSA pointedly leaves such content outside its purview, but multiple EU members seek its inclusion, which could lead to significant debates not only over whether and how to include such content, but also over how to reconcile it with free speech protections.
Ireland, which houses the EU headquarters of many big tech firms, and regulators in Denmark, Finland, Iceland, Norway and Sweden have expressed concerns about the DMA's "ex-ante" antitrust framework, which preemptively requires gatekeepers to take certain steps before there is evidence of actual harm to competition. Ireland is skeptical that gatekeepers require special interventions to boost competition, while the Nordic authorities note that the proposed list of obligations for gatekeepers can have both pro- and anti-competitive effects and are ill-suited to the fast-moving tech market, which could stifle innovation by disincentivizing dynamism rather than enhance it.
The strictest penalties — temporary operating suspensions and forced divestitures — are unlikely to be used. First, the DSA and DMA make clear that these penalties are a last resort and would apply only in the most extraordinary circumstances after repeated and gross noncompliance. European regulators pondering such penalties would likely face pushback from their own citizens, who rely on big tech offerings in their daily lives and have shown little appetite for forgoing them.
Fines are also highly unlikely to be assessed close to their maximum levels, and probably will involve long gaps between the offense and their imposition — particularly given likely legal challenges, thereby limiting their deterrent power. In December, Ireland's GDPR regulator fined Twitter 450,000 euros (about $548,000), a small fraction of the maximum allowable amount, over a data breach nearly two years ago in the first case involving a U.S. tech giant where a national regulator consulted with the European Commission. The case took so long in part because Ireland wanted to impose an even smaller fine, but had to boost the amount after pushback from the commission, demonstrating different European perspectives and challenges on regulating big tech.
The legislation's ultimate fate depends in part on how the European Union frames the proposals to the incoming Biden administration because its receptivity to rules that disproportionately affect U.S. firms could prove decisive to their implementation. If the European Union portrays the drafts as a way to raise standards for all firms and provides assurances that it does not seek to use them to help smaller European companies displace U.S. tech giants, the Biden administration — hardly sympathetic to big tech — is more likely to lend support, even if it advocates for some changes around the edges on behalf firms that comprise an important part of the U.S. economy. By contrast, should EU leaders — perhaps in selling the proposals to domestic audiences — characterize the DSA and DMA as vehicles to benefit European firms and undercut U.S. companies, despite its big tech skepticism, the Biden administration would likely see the legislation as more hostile and object to the EU unfairly scrutinizing and punishing U.S. tech champions. Ironically, while the DSA and DMA offer opportunities for European tech firms to grow and compete, long an EU-wide goal, they also impose potentially substantial risks: EU leaders who present the proposals as a way to develop indigenous tech giants risk not only provoking the Biden administration to see the rules as unilaterally targeting U.S. companies, but also risk overselling the legislation's potential benefits.
The DMA more than the DSA risks stifling smaller European firms' ability to compete rather than enhancing it, as multiple industry groups have noted. Although the digital ecosystems led by gatekeepers give them major power, they also give smaller firms, which rely on them, a common platform to reach large user bases and scale much faster and cheaper than otherwise possible. For example, forcing Apple to allow third-party app stores to compete with its own — something the DMA would do — could fragment the market and make it much harder and more expensive for smaller firms to expand. More broadly, by specifying a list of do's and don'ts the DMA risks creating a blunt instrument ill-suited to dynamic markets that would stifle the innovation and incentive to scale it aims to foster.
Examining the effects so far of the GDPR, a similarly ambitious set of digital rules, also suggests that small firms may struggle with the requirements proposed by the DSA and DMA. At least some initial research indicates that the GDPR has deterred investment in smaller EU firms and imposed compliance costs that raised the barrier to market entry. According to an EU survey in 2019, a year after the GDPR became enforceable about half of small businesses were noncompliant with two of its key requirements, and a large number of executives did not understand many of the legislation’s requirements.
