The European Parliament and Council of Europe have reached a political agreement on the EU’s Digital Services Act (DSA), designed to overhaul the EU’s digital regulation regime, under the over-arching principle “what is illegal offline must also be illegal online”.
The counterpart to the Digital Markets Act (DMA), the DSA took EU officials 16 hours of discussions to reach agreement on, with a deal finally coming early in the morning of Saturday 23 April.
EU commissioner Margrethe Vestager said after the deal: "The agreement tonight is better than the proposal that we tabled. And what we have achieved is not a slogan any more, that what is illegal offline should also be seen and dealt with as illegal online. No, now it is a real thing. Democracy is back, helping us to get our rights, and feel safe when we're online."
But not all observers were as convinced, with many noting that a lot will depend on the exact wording of the final legislation, which is not expected for several weeks.
Speaking to The Stack, Dr Nathalie Moreno, data protection and cyber security partner at law firm Addleshaw Goddard, welcomed the broad strokes of the DSA as agreed - but said a lot remained unclear.
"I don't know if this legislation is going far enough, to be honest as it is not clear how it articulates with the other draft legislations, the DMA and AI Act in particular. It doesn't seem to address the risks related to AI. And perhaps this, this is not the place for it yet. Some of the issues here could totally be triggered by the use of AI," said Moreno.
She said a lot of organisations - "not necessarily the big platforms" - were concerned about the EU DSA.
"However, this is not meant to stifle innovation and smaller players, it's the opposite. Especially the articulation of the Digital Markets Act and Digital Services Act is all about helping innovation, helping new entrants going around the rules set out by the big players."
What is the EU Digital Services Act?
The DSA will regulate digital platforms which act as “intermediaries within the EU to connect consumers with goods, services and content” according to the EU. It covers a wide range of policy areas, from online marketplace requirements to protection of minors.
In practice this will mean anything from Facebook to Google to Spotify will come under the DSA’s terms – and very large online platforms (VLOPs) and very large online search engines (VLOSEs), defined as having more than 45 million monthly EU users, will face stricter rules.
For big tech companies, one of the most significant elements of the DSA is its requirement for algorithmic transparency: platforms will need to be able to explain how their “recommendation systems” produce their results. This has been interpreted by some as looking to force Google and others to reveal their secretive algorithms - but the details of how this will work in practice are not yet known.
"To my knowledge, there is at this point in time, no consensus of what it means to be transparent, from a practical point of view," said Moreno. "Providing to a layman any explanation around an algorithm as such is probably not something helpful. However, as always, it might be helpful to have more information on the purpose of the algorithm.
"If the the purpose of an algorithm is to target your preferences and use that information to sell your data and make profits, the obviously that may trigger second thoughts from the users," she added.
In addition VLOPs and VLOSEs will have to offer users the choice of not using profiling to generate recommendations.
On the UX side, the DSA will also outlaw misleading interfaces, or “dark patterns” which are designed to manipulate users into making certain choices. This will also cover “misleading practices” – so potentially will outlaw certain forms of clickbait.
See also: The Digital Markets Act: What you need to know about the EU’s new DMA
The EU DSA also requires VLOPs to analyse systemic risks, and “carry out risk reduction analysis” annually. This aims to reduce the spread of illegal content, and the risks to fundamental rights, democratic processes, as well as the health of users.
Controversially, the DSA includes a so-called “crisis mechanism” – directly inspired by the Russian invasion of Ukraine, and the spread of Russian misinformation online. This mechanism can be activated by the European Commission, and will allow it to analyse and control the activities of VLOPs and VLOSEs in relation to the crisis at hand.
Penalties for online platforms under the DSA are potentially substantial: companies can be fined up to 6% of annual global turnover.
With all of these areas, the devil will be in the details – a lot will depend on the exact wording of the final text.
Moreno noted one example: "The issues around illegal content, I think there will need to be good guidance around how this is going to apply, because what's illegal in a country might not be exactly the same in another country."
Big tech lobbies hard
Unsurprisingly, the big beasts of the online world have upped their EU-focused lobbying over the last year, faced with both the DMA and DSA. A report by the Corporate Europe Observatory (CEO) claimed Google, Facebook, Apple, Amazon and Microsoft spent a combined €27 million in 2021, with Apple almost doubling its lobbying spend to more than €6 million.
According to CEO, this lobbying has succeeded in watering down proposals to prevent users being tracked for advertising purposes. Google reportedly led the charge on this area, with its lobbying efforts continuing until very late in the process of aligning the Parliament and Council’s positions.
(In 2020 Google was also caught with a plan to target commissioner Thierry Breton, one of the strongest advocates for more regulation of big tech. Sundar Pichai, CEO of Google parent Alphabet, was forced to apologise to Breton.)
On this subject Moreno noted: "As for all legislation, if the European Commission had failed to engage with industry, and in particular the VLOPs and VLOSEs, there's a chance that the legislation will not be successful. So this is obviously the fruit of a compromise, which is why I'm raising the issues on how it's going to work in practice."
Follow The Stack on LinkedIn
So while many EU lawmakers praised the agreement on the DSA others, such as German Pirate Party MEP Patrick Breyer, said the new rules did not “deserve the name ‘Digital Constitution’”.
Breyer, who attended the final session to agree the DSA, said in a post: “The disappointing outcome fails in multiple respects to protect our fundamental rights online. Our online privacy will not be protected by a right to use digital services anonymously, nor by a right to encryption, a ban on data retention, or a right to generally opt-out of surveillance advertising in your browser (do not track).”
DOT Europe, the industry lobby group representing the largest online platforms, said in a statement that it welcomed the DSA agreement. Given DOT has not been shy in the past about calling out the legislative direction of the DSA in the past, this may signal that big tech is largely content with the end result.
“DOT Europe would like to thank the European Commission for its strong proposal and its continuous input throughout the negotiations. We are pleased to see that the European Parliament and Council recognised the importance of this framework legislation and did their utmost to find compromises and efficiently make progress on the file.” said Siada El Ramly, director general of DOT Europe, in the statement.
EU DSA’s next steps
After the legislation's final text is agreed, the DSA will have to be formally passed by the European Parliament and the Council of Europe, representing all 27 member states – according to Moreno, this process is likely to take several months.
Once passed, most of the DSA’s rules will come into force either on 1 January 2024, or 15 months after being passed, whichever is later. Requirements for VLOPs and VLOSEs will come into force earlier, four months after the DSA is passed.
Tech companies everywhere will now be waiting to scrutinise the final text – and hoping its implementation will be less messy than GDPR.
"I think there's lots of lessons to be learned from what happened in the data protection world with the GDPR, which is currently criticised for its lack of enforcement," said Moreno.
She also noted there were indications the DSA would be enforced centrally by the European Commission, as opposed to GDPR which is currently in the hands of individual member states.