The European Union is proposing legislation to curb the growth of big tech and promote data protection and other digital rights. The proposed EU digital rights reforms to existing legislation represent a significant move by the EU to regulate the digital sector and ensure a level playing field for all companies.
The developments in EU regulations will have significant implications not only for EU member states and the organisations that operate there but also for the UK. As a major trading partner with the EU, organisations in the UK will need to consider how these new regulations could impact their operations too. This article will explore the proposed EU digital rights reforms and their potential impact on big tech companies and digital rights, as well as how the UK might be affected by these developments.
Digital Markets Act
The European Union’s Digital Markets Act (DMA) is a new set of regulations designed to prevent unfair practices by large technology platforms operating within the EU. It came into effect on November 1, 2022, and the European Commission is set to designate the first ‘gatekeeper companies’ on May 1, 2023. The criteria for companies to be designated as gatekeepers include providing a core platform service that serves as an important gateway for business users to reach end users, having a significant impact on the internal EU market, and having an entrenched and durable position. Google, Amazon, Facebook, and Apple are examples of companies likely to be designated as gatekeepers.
The DMA prohibits gatekeeper companies from engaging in certain practices, including processing end-users’ personal data collected from third-party services for the purpose of providing online advertising services without prior consent, reusing personal data collected during a service for the purposes of another service without prior consent, and preventing business users from offering their products and services under different prices and conditions on their own sales sites, as well as on third-party platforms. You can read more about the Act here.
Digital Services Act
The Digital Services Act (DSA), approved by the European Parliament in July 2022, is a significant piece of legislation that aims to regulate the digital industry, with a focus on large digital platforms and search engines with more than 45 million average monthly active recipients within the EU. It also includes detailed consumer protection rules, safe harbour principles, and transparency rules for big tech algorithms, all under a single regulatory framework.
Under the DSA, companies must provide transparent information on any restrictions in their terms and conditions affecting the provision of information. They must also provide reports on algorithmic decision-making and other internal processes. The DSA also prohibits misleading user interfaces that hamper the recipient from making free and informed decisions about their personal data. Providers of online platforms are prohibited from profiling-based online advertising based on sensitive data, such as health data, and aimed at minors. You can read more about the Act here.
General Data Protection Regulation (GDPR) Reform
The European Commission is working on a new law aimed at improving the enforcement of the General Data Protection Regulation (GDPR) by EU countries’ privacy regulators. The new EU regulation, expected to be proposed in the second quarter of 2023, seeks to set clear procedural rules for national data protection authorities dealing with cross-border investigations and infringements. The law “will harmonise some aspects of the administrative procedure” in cross-border cases and “support a smooth functioning of the GDPR cooperation and dispute resolution mechanisms,” according to the European Commission.
The European Data Protection Board (EDPB) has been actively involved in the development of the new regulation. In October, the EDPB submitted a “wishlist” of procedural law changes to the European Commission to enhance enforcement. The proposed changes include setting deadlines for different procedural steps in handling cases and harmonising the rights of various parties involved in investigations across the EU. You can read more about the planned amendments here.
A package of two cybersecurity laws is the last component of the EU digital rights reforms. The first one , the Network and Information Security directive (NIS2) introduces new cybersecurity rules to establish a high common level of cybersecurity across the EU for both companies and countries. It expands the scope of covered sectors and activities, including energy, transport, banking, health, digital infrastructure, public administration, and space. The directive requires more entities and sectors to adopt cybersecurity risk management measures and sets stricter cybersecurity obligations for EU countries regarding supervision, enforcement, and cooperation. Member states have 21 months to implement NIS2 after its approval in November 2022. You can read more about the directive here.
The Digital Operational Resilience Act (DORA) aims to enhance the EU’s financial sector resilience to operational disruptions and cyber-attacks, as the sector increasingly relies on software and digital processes. The legislation, approved by Parliament on 10 November 2022, introduces and harmonises digital operational resilience requirements for the EU’s financial services sector. The new rules apply to various companies providing financial services, including banks, payment providers, electronic money providers, investment firms, and crypto-asset service providers, as well as critical ICT third-party service providers. You can read more about the Act here.
Potential impacts on UK Businesses
In conclusion, the EU digital rights reforms aimed at curbing big tech growth, promoting data protection, and enhancing digital rights will have far-reaching implications for UK businesses. As a key trading partner with the EU, UK organisations will need to closely monitor and adapt to these new regulations to maintain smooth trade relations and ensure ongoing compliance with legal obligations on both sides.
Furthermore, the UK’s own digital economy legislation may be impacted by the developments in the EU, striking a balance between protecting consumer privacy and fostering innovation. For example, the UK’s proposed Online Safety Bill shares some features with the Digital Services Act. Ultimately, UK businesses must be prepared to navigate the complex landscape of privacy and data protection shaped by these EU legislative changes, as they strive to maintain their competitive edge in an increasingly interconnected digital world.