Understanding Europe’s big push to rewrite the digital rulebook

European Union lawmakers have set out the biggest update of digital regulations for around two decades — likening it to the introduction of traffic lights to highways to bring order to the chaos wrought by increased mobility. Just switch cars for packets of data.

The proposals for a Digital Services Act (DSA) to standardize safety rules for online business, and a Digital Markets Act (DMA), which will put limits on tech giants aimed at boosting competition in the digital markets they dominate, are intended to shape the future of online business for the next two decades — both in Europe and beyond.

The bloc is far ahead of the U.S. on internet regulation. So while the tech giants of today are (mostly) made in the USA, rules that determine how they can and can’t operate in the future are being shaped in Brussels.

What will come faster, a U.S. breakup of a tech empire or effective enforcement of EU rules on internet gatekeepers is an interesting question to ponder.

The latter part of this year has seen Ursula von der Leyen’s European Commission, which took up its five-mandate last December, unleash a flotilla of digital proposals — and tease more coming in 2021. The Commission has proposed a Data Governance Act to encourage reuse of industrial (and other) data, with another data regulation and rules on political ads transparency proposal slated as coming next year. European-flavored guardrails for use of AI will also be presented next year.

But it’s the DSA and DMA that are core to understanding how the EU executive body hopes to reshape internet business practices to increase accountability and fairness — and in so doing promote the region’s interests for years to come.

These are themes being seen elsewhere in the world at a national level. The U.K., for example, is coming with an “Online Safety Bill” next year in response to public concern about the societal impacts of big tech. While rising interest in tech antitrust has led to Google and Facebook facing charges of abusive business practices on home turf.

What will come faster, a U.S. breakup of a tech empire or effective enforcement of EU rules on internet gatekeepers is an interesting question to ponder. Both are now live possibilities — so entrepreneurs can dare to dream of a different, freer and fairer digital playground. One that’s not ruled over by a handful of abusive giants. Though we’re certainly not there yet.

With the DSA and DMA the EU is proposing an e-commerce and digital markets framework that, once adopted, will apply for its 27 Member States — and the ~445 million people who live there — exerting both a sizable regional pull and seeking to punch up and out at global internet giants.

While there are many challenges ahead to turn the planned framework into pan-EU law, it looks a savvy move by the Commission to separate the DSA and DMA — making it harder for big tech to co-opt the wider industry to lobby against measures that will only affect them in the 160+ pages of proposed legislation now on the table.

It’s also notable that the DSA contains a sliding scale of requirements, with audits, risk assessments and the deepest algorithmic accountability provisions reserved for larger players.

Tech sovereignty — by scaling up Europe’s tech capacity and businesses — is a strategic priority for the Commission. And rule-setting is a key part of how it intends to get there — building on data protection rules that have already been updated, with the GDPR being applied from 2018.

Though what the two new major policy packages will mean for tech companies, startup-sized or market-dominating, won’t be clear for months — or even years. The DSA and DMA have to go through the EU’s typically bruising co-legislative process, looping in representatives of Member States’ governments and directly elected MEPs in the European parliament (which often are coming at the process with different policy priorities and agendas).

The draft presented this month is thus a starting point. Plenty could shift — or even change radically — through the coming debates and amendments. Which means the lobbying starts in earnest now. The coming months will be crucial to determining who will be the future winners and losers under the new regime so startups will need to work hard to make their voices heard.

While tech giants have been pouring increasing amounts of money into Brussels “whispering” for years, the EU is keen to champion homegrown tech — and most of big tech isn’t that.

A fight is almost certainly brewing to influence the world’s most ambitious digital rulebook — including in key areas like the surveillance-based adtech business models that currently dominate the web (to the detriment of individual rights and pro-privacy innovation). So for those dreaming of a better web there’s plenty to play for.

Early responses to the DSA and DMA show the two warring sides, with U.S.-based tech lobbies blasting the plan to expand internet regulation as “anti-innovation” (and anti-U.S.), while EU rights groups are making positive noises over the draft — albeit, with an ambition to go further and ensure stronger protections for web users.

On the startup side, there’s early relief that key tenets of the EU’s existing e-commerce framework look set to remain untouched, mingled with concern that plans to rein in tech giants may have knock-on impacts — such as on startup exits (and valuations). European founders, whose ability to scale is being directly throttled by big tech’s market muscle, have other reasons to be cheerful about the direction of policy travel.

In short, major shifts are coming and businesses and entrepreneurs would do well to prepare for changing requirements — and to seize new opportunities.

Read on for a breakdown of the key aims and requirements of the DSA and the DMA, and additional discussion on how the policy plan could shape the future of the startup business.

Digital Services Act

The DSA aims to standardize rules for digital services that act as intermediaries by connecting consumers to goods, services and content. It will apply to various types of digital services, including network infrastructure providers (like ISPs); hosting services (like cloud storage providers); and online platforms (like social media and marketplaces) — applying to all that offer services in the EU, regardless of where they’re based.

The existing EU e-Commerce Directive was adopted in the year 2000 so revisiting it to see if core principles are still fit for purpose is important. And the Commission has essentially decided that they are. But it also wants to improve consumer protections and dial up transparency and accountability on services businesses by setting new due diligence obligations — responding to a smorgasbord of concerns around the impact of what’s now being hawked and monetized online (whether hateful content or dangerous/illegal products).

Some EU Member States have also been drafting their own laws (in areas like hate speech) that threatens regulatory fragmentation of the bloc’s single market, giving lawmakers added impetus to come with harmonized pan-EU rules (hence the DSA being a regulation, not a directive).

The package will introduce obligations aimed at setting rules for how internet businesses respond to illegal stuff (content, services, goods and so on) — including standardized notice and response procedures for swiftly tackling illegal content (an areas that’s been managed by a voluntary EU code of conduct on illegal hate speech up til now); and a “Know Your Customer” principle for online marketplaces (already a familiar feature in more heavily regulated sectors like fintech) that’s aimed at making it harder for sellers of illegal products to simply respawn within a marketplace under a new name.

There’s also a big push around transparency obligations — with requirements in the proposal for platforms to provide “meaningful” criteria used to target ads (Article 24); and explain the “main parameters” of recommender algorithms (Article 29), as well as requirements to foreground user controls (including at least one “nonprofiling” option).

Here the overarching aim is to increase accountability by ensuring European users can get the information needed to be able to exercise their rights.