The European Union is often considered a global frontrunner in setting rules for the digital sphere. When it came into force in 2018, the General Data Protection Regulation (GDPR) revised and harmonized outdated data protection rules that had been in place since 1995, established a regime based on data protection as a fundamental human right, and set a global standard for modern privacy protection. Since its establishment, the regulation has inspired other regions to follow suit.
The European Union is now on the verge of writing another potentially standard-setting law for the digital sphere—the Digital Services Act (DSA). The DSA may have an even greater impact than the GDPR on the way major internet firms do business. Whereas the GDPR harmonized and, in many countries, raised data protection standards, the DSA is not limited to one specific policy field, but aims to establish a comprehensive framework for how “digital services” operate in Europe. It will cover services ranging from Uber and Amazon to the App Store and Facebook, and its rules will span liability, competition, employment, and advertising. This goes way beyond the rules in the E-Commerce Directive (ECD), which the DSA is meant to replace and expand upon. The ECD contains liability exemptions and “notice and takedown” obligations for platforms regarding illegal content, similar to those in Section 230 of the Communications Decency Act in the United States. Such rules have been credited for enabling the internet as we know it. Any major changes to the liability regime, though unlikely, would fundamentally alter the way businesses and people use the web.
But aside from liability questions, the EU wants to adapt the ECD to a changed digital sphere. When the ECD came into effect in 2000, Google was two years old, Amazon four, and Facebook would not go live until fours year later, in 2004. In the 20 years since the ECD came into force, digital business models have changed substantially. European lawmakers, the tech industry and civil society now sense the opportunity to rewrite and introduce rules for these business models with major implications for how the internet functions.
The DSA is likely to become a battlefield for European digital policy
The development of the DSA is still in the early stages. Over the summer, the European Commission asked for feedback in a public consultation. It is now expected to publish a first draft of the new law on December 2. The European Parliament, which has already published its own recommendations, will then have to sign off on the law, as will the EU’s member states. This process can last years. At this stage, the long questionnaire from the public consultation provides a good measure of what the Commission is thinking of including in the DSA. The starting point is the reform of the ECD’s liability regime.
The ECD currently provides internet firms with some liability protections to shield companies from suits stemming from content posted by users. Based on the consultation, it seems clear that the Commission is keen to pursue a broader approach to online harms that goes well beyond merely updating internet firms’ liability protections. In addition to a section dedicated to liability, the Commission’s consultation included questions about “how to effectively keep users safer online.” The scope here is wide, ranging from illegal and problematic speech to product safety and counterfeit goods.
Reforming liability exemptions presents the Commission with the difficult task of balancing free-speech concerns with addressing online harms. On the one side, NGOs and activists argue that those exemptions would result in chilling effects on free speech. On the other, governments are under pressure to find ways to curb the spread of disinformation, conspiracy myths, child sexual abuse material, extremist content, and the online sale of illegal products, such as drugs and counterfeit goods. A stricter liability regime could be seen as one way to clamp down on these kinds of harmful online activities.
One approach under consideration by the Commission is to link the level of liability protection to the buying and selling of goods. For content—images, video, and text—liability may remain limited. Platforms that sell products, however, might face greater liability, given they are earning a commission from each sale. These retail platforms, such as Amazon and eBay, are under scrutiny for not doing enough to prevent illegitimate retailers from selling sub-quality or illegal goods, such as fake luxury handbags or dangerous electric devices. So far, platforms have avoided court rulings that would expose them to liability for defective products sold using their systems, but the DSA could get ahead of the courts.
The Commission is also interested in addressing “challenges around the situation of self-employed individuals offering services through online platforms.” This means that not just firms and consumers, but also employees, may fall within the scope of the DSA. The EU seems to be looking for a unified approach to the gig economy to ensure that workers do not lose access to benefits and protections due to their status as self-employed. This ties into the broader question of how to best create an EU-wide level playing field for the “Digital Single Market”, the union’s terms for the free flow of not just labor and capital, but also goods and digital services. The Commission has sought input on how EU and national institutions should collaborate to foster market integration.
The online advertising market is also expected to be affected by the DSA, a policy field that has just begun to catch the attention of authorities. The consultation asked about what transparency and accountability rules should be in place for online advertising. Any rules in this area would directly affect the monetization model of Google, Facebook, and many other digital platforms that rely on advertising revenues. A committee in the European Parliament already recommended stricter rules for targeted advertising, including restricting the data used for this practice, more user controls, and transparency reporting. An important controversy of the online advertising debate revolves around political ads. Finding ways to deal with data-driven voter segmentation, political microtargeting, and public-interest oversight of paid political communication on YouTube, Facebook, and other platforms is essential for democratic accountability. The DSA may not resolve all of these issues because media regulation and campaign finance laws are under the purview of member states, but it might at least stimulate more debate.
Gatekeeper regulation is intended to tame Big Tech
Another major battleground in the DSA is how to address “issues deriving from the gatekeeper power of digital platforms,” as the Commission put it in its consultation. But how to define gatekeepers represents a major challenge: It is necessary to determine sufficiently clear characteristics that distinguish between those firms that are subject to additional rules and those that are not. There is also considerable disagreement about whether the regulation should be strict and apply to just a few companies, or whether it should rule out only the most problematic behaviors by a wider range of platforms. It is unclear whether a conglomerate company structure should play any role in qualifying companies as “gatekeepers,” as is being considered as part of reforms to competition law in the UK and in Germany. Rather than focusing on corporate structure, European lawmakers are probably more likely to consider the way in which one market gives access to downstream markets as criteria for gatekeeper status. Obvious candidates are app stores (think the App Store and Play Store), search engines (Google Search) and marketplaces (Amazon). For others, such as travel booking platforms or mobility platforms, the standard for stricter regulation is more ambiguous.
The Commission has recently provided hints that the scope could be broader than the big four tech companies and include up to 20 platforms, but there should still be a principle-based definition that can be applied to future platforms and markets.
The second major challenge is to define what gatekeepers should be prevented from doing. A leaked document features a long list of behaviors that would become illegal under ex-ante regulation. One problematic behavior most stakeholders agree should be prohibited is self-preferencing, which refers toa platform giving preferential treatment to its own product and services. However, most observers also agree that self-preferencing needs to be defined more clearly to ensure pro-competitive behavior remains legal. The leak suggests a rather wide interpretation, ranging from a ban on pre-installed apps on a smartphone, for instance, to a ban on contract clauses that would prevent businesses from complaining about platforms, such as non-disclosure clauses/agreements. Data will also play a key role: It is being considered, for example, whether gatekeepers should only be allowed to use data across their services if they make the data available to other providers as well. Such measures would have to build on the GDPR requirements and wider sharing would call for consumer choice in controlling how the data is shared.
The Commission is also developing another instrument to cut short lengthy competition law procedures. (The Google Search antitrust case took close to seven years to conclude, and whether the remedies it put in place were adequate remain a matter of debate.) What the Commission is calling the “New Competition Tool” (NCT) would address structural problems in markets without finding companies guilty of illegal conduct. A speech by a commissioner and media reports suggest that the NCT and the DSA’s ex-ante regulation could be merged into a “Digital Markets Act” that would stand alongside the DSA. Doing so would give the Commission powerful tools that go far beyond the current scope of competition law.
An interested public is vital to get the EU’s future internet regulation right
From the breadth of topics addressed in the consultation and floated around Brussels, it is clear that the DSA will encompass more than the ECD. However, it remains an open question what aspects the Commission will emphasize and how far it will go. It makes a huge difference whether the DSA keeps a narrow focus on liability, with some light-touch rules for other areas, or whether it strives to create a comprehensive set of rules to govern digital services of various kinds.
Developing coherent and balanced policy responses across the different areas will be challenging for the Commission, not least because the regulation will affect the interests of many stakeholders. There will be an intense lobbying fight waged by the private sector, national governments, and civil society. Brussels has experience with long fights over tech policy, most recently with the GDPR and the reform of the copyright directive. These two pieces of legislation, despite their profound effect on the European internet and digital society, only drew public attention towards the end of the legislative process, when much had already been decided.
During the laborious legislative back-and-forth, it is easy to lose sight of the big picture. Yet, it will be important for the public to watch the DSA taking form in order to make sure the rules are well-balanced and build on the best available arguments and expertise. Those rules should serve the public interest and not solely corporate or governmental interests. They should aim at mitigating online harms from bad incentives and market concentration, while resisting the urge to impose supposedly clear-cut answers to complicated questions. If the DSA succeeds in doing this, it will shape the internet for the years to come, not only in Europe, but by serving as a blueprint for regulation across the globe.
Aline Blankertz and Julian Jaursch are project directors at Stiftung Neue Verantwortung (SNV), a not-for-profit, non-partisan tech policy think tank in Berlin. Aline focuses on data and the platform economy. Julian works on disinformation topics and platform regulation.
Amazon, Facebook, and Google provide financial support to the Brookings Institution, a nonprofit organization devoted to rigorous, independent, in-depth public policy research.