The European Union’s (EU) wide-ranging new digital privacy protection law went into effect on Friday (Aug. 25), ushering in a new era for Big Tech in Europe.
The slate of laws known as the Digital Services Act (DSA) is arguably the toughest series of tech privacy regulations in the world. It builds on last year’s Digital Markets Act, which focused on antitrust reform for major tech firms. The DSA’s priorities are different. Its laws are focused on individual user protection, and on preventing harmful content and misinformation from spreading across the web.
“The DSA is here to protect free speech against arbitrary decisions and at the same time to protect our citizens and democracies against illegal content,” Thierry Breton, the European Commissioner of the internal market, said in a video posted to Twitter. “My services and I will now be very rigorous to check that platforms comply with the DSA.”
What does the DSA do?
Mainly, the law mandates that tech platforms make it easier for users to understand how the site works. This underlying philosophy includes rules like making the process of content moderation more transparent, requiring any pornography sites to identify the users who are uploading material, and detailing how content recommendations work.
Another aim is to rein in the algorithms themselves. A controversial part of the law bans companies from using so-called “dark patterns,” or manipulative ways of nudging users to click on content they weren’t originally looking for, such as reality TV or ISIS recruitment videos.
It also bans surveillance advertising (ads personalized for users after tracking online habits and search history) for minors. An earlier draft of the bill included a ban on surveillance advertising altogether, but the rule was successfully watered down by tech lobbyists. Personalized advertising is one of the biggest drivers of profit for companies like Google and Meta.
Which type of sites does the DSA apply to?
The DSA’s full regulations are reserved for 19 websites with more than 45 million users in the EU (10% of the economic bloc’s total population.)
Though many of the sites are multinational and operate outside the EU, the new rules only apply to each company’s operations in Europe.
Meta has said it will stop showing personalized ads to European users 17 and younger, as well as introducing the ability to view Reels, Stories, and Search functions without an algorithm choosing the next video in the EU market. Google announced similar reforms, including giving more data to researchers in the EU studying “systemic content risks.”
Companies with fewer than 45 million users will not have to follow every DSA rule and will have an extra six months to comply with the law.
How will the DSA be enforced?
If the original 19 companies do not comply with the new rules, they risk a fine of up to 6% of their company’s global revenue—that could be as much as $16 billion for a company like Google—and could even risk a ban from the EU market.
However, these penalties will not kick in right away. Initially, the tech firms are asked to conduct internal assessments of how closely they already follow the regulations, which is due in the coming weeks. Then, the European Commission plans to audit those reports and make recommendations for what steps the companies must take if they’re out of compliance.
Related stories
⚖️ Meta’s personalized ads violate privacy, an EU court ruled
📱 Meta’s new record-setting EU fine is nearly as big as its last six combined
🎮 Activision conceded its cloud streaming service to get the Microsoft deal across the finish line