The EU's next data privacy push is expected to focus on the liability of platform operators.
A “techlash” against platform operators is prompting a renewed wave of data privacy rules as European regulators seek to rein in U.S. companies viewed there as un-appointed “gatekeepers.”
An ambitious “data strategy” released earlier this month by the European Commission addresses AI regulations along with the follow-on to the EU’s General Data Protection Regulation (GDPR) dubbed the Digital Services Act. An AI white paper released for comment through May stresses “trustworthy” automation. A draft of the Digital Services Act is scheduled for release later this year.
The commission has been especially active in staking out claims of “digital sovereignty,” a push some observers view as a step toward tech protectionism as American companies like Google and Facebook are targeted by regulators in Brussels.
GDPR, which took effect in May 2018, provided consumers a means of regaining control over their own data. A key provision aimed at hyperscalers like Google requires that EU citizens’ data must be stored in Europe.
Now, regulators want to go a step further with tougher rules aimed squarely at platform operators like Facebook. DSA is expected to focus on the potential liability of platform owners for the content they carry. No such liability is currently on the books. Thierry Breton, the EU’s industry commissioner, has said he expects to decide by the end of the year whether to adopt tougher rules for online platforms.
Optimists project a final version of the sweeping data privacy rules by the end of 2021. Skeptics note the rollout of GDPR took longer than expected. They doubt the EU can meet such an ambitious timeline. “The sausage-making machinery in Brussels is slow,” notes Matthew McDermott, an analyst with Access Partnership.
A survey released in January by the U.K.-based technology policy shop warns that the backlash against perceived gatekeepers like Facebook and Google could result in “regulatory overreach.” Still, U.S. companies are embracing calls for rules of the road for emerging AI technologies.
The policy survey argues that DSA’s expected focus on liability and hitting platform owners in their pocketbooks could end up harming smaller, more agile innovators. One reason they cite is the labor-intensive — and therefore expensive — process of determining what content is unethical or illegal.
“The question is not whether to hold digital companies accountable for the actions of their users, but rather which parts of the digital sector and to what extent,” the Access Partnership study concludes.
DSA probably “won’t be the end of the debate,” McDermott added in an interview.
The EU is clearly driving data privacy standards, prompting for example the California Consumer Privacy Act that took effect on January 3. Similar proposals are being floated in other states. The result, says Greg Francis, managing director of Access Partnership, is that the EU’s push for consumer protection created “a template for a multiplicity of standards.”
Meanwhile, the EU’s drive for digital sovereignty for its more than 500 million citizens is seen by go-slow advocates as a form of technology protectionism aimed at tech giants like Google. “Protectionism works when there’s something to protect,” argues Francis. If the EU continues to pursue digital sovereignty, “It’s kind of a dire commentary” on its competitive position.
Others argue for at least light-touch regulation of the digital giants. Among them is French President Emmanuel Macron, who vigorously promotes a middle way he calls “smart regulation.”
“We do need regulation,” Macron said during a recent panel discussion on data privacy. “Smart regulation” would go beyond creating rules for “vested interests” and other incumbents, he said.
“We have to regulate for our citizens, because when you speak about data… you speak about privacy as well,” Macron said. “It’s absolutely critical to be sure they are protected regarding their privacy.”
Macron said he favors an ongoing dialogue with all stakeholders as a framework to “optimize innovation [while] regulating just what you want to regulate.” If executed successfully, Macron argued that privacy rules could ultimately serve as a “complement” to innovation by leveling the playing field for new competitors.
For example, Facebook ultimately endorsed GDPR. Broad adoption made GDPR a global standard, Macron added. “I think it was a regulation for a lot of startups and new players who adapted to the new rules,” thereby improving their competitive positions versus U.S. and Chinese tech giants.
The EU’s Breton echoed that sentiment this week, declaring after a meeting with Facebook CEO Mark Zuckerberg during the Munich Security Conference that the social media giant needs to adapt to European privacy standards, not the other way around.
Those pronouncements strike skeptics as overreach and technology protectionism. Macron’s approach is an “ill-conceived way to provide oxygen to European tech companies,” asserts Greg Francis, underscoring what he sees as a “lack of imagination.”
— George Leopold is the former executive editor of EE Times and the author of Calculated Risk: The Supersonic Life and Times of Gus Grissom (Purdue University Press, Updated, 2018).