It’s compliance time. With the European Union’s AI Act officially active on August 1st (though most regulations not enforceable until 2026), it joins the Digital Services Act (DSA) and Digital Markets Act (DMA), both active in early 2024, and the Data Governance Act (DGA), which kicked into gear in September 2023.
We’ll get into what these cover shortly, but make no mistake, the EU is serious about enforcing their growing slate of regulation and guidance, demonstrated by challenges to nearly all the big tech powerhouses. With billions of dollars in fines already levied, blocked rollouts, required modifications, and a frenzy of investigations, challenges, and counter challenges, the fight is on.
At a time when the US is also starting to push against the scale of big tech companies (for example Google search was ruled to be illegally monopolistic on August 5), the European Union is going much further, faster, and more aggressively in their attempts to protect consumers, enforce transparency, and open up competition.
But are they picking fights they can win, or, in attempting to follow-up on the successes of the GDPR, is the EU going too far?
This week we look at specific EU tech regulations, the impact of current investigations, the key regulatory frameworks, what this may mean for the future of tech regulation, and the increasing difficulty of global compliance.
Digital Services Act (DSA)
Part of extensive e-commerce regulations that went into effect earlier this year, the DSA launched with a long build-up intended to give companies time to get their plans in order.
But this lengthy runway also means its provisions were drafted before AI use became widespread.
The DSA is about content moderation, and, like many of these newer EU regulations, has designations for size, allowing very small companies (with low revenue and less staff) freedom from most provisions, while coming down hardest on the biggest players.
DSA is focused on:
- Ensuring regional laws are respected by the internet (so you can’t use it to get around local rules for commerce or speech)
- Greater protection for minors (privacy, safety, and security), including barring their data for advertising
- Greater transparency requirements, including reports, clarity on algorithms and communication of risks
- Content reporting and moderation requirements for users
Impact:
Investigations are underway in areas deemed initial priorities, with the potential for significant fines to be levied (up to 6% of global, annual turnover), which can in some cases be moderated by commitment to corrective action.
Specific examples of challenges include:
- Twitter/X: Investigations have been long running, for allowing disinformation and a failure of moderation requirements on the platform, and now over the pay-for-blue checkmark process.
- Meta: Facing threats of heavy sanctions for failure to protect minors, Instagram and Facebook’s parent company is also being investigated for insufficient moderation of political ads, flagging of content, exploitation by Russian influence campaigns, and more.
- ByteDance/Tik Tok: As with the above: insufficient protection for minors, harmful content and design, a specific focus on Tik Tok Lite stopped its use of reward features in the EU.
Digital Markets Act (DMA)
Far more concerning to the biggest tech players is DMA, which is geared around opening-up competition in technology.
Focused on the biggest players, it designates “gatekeepers” who run “core platform services.” These giants face the brunt of the impact of this regulation, which takes on interoperability, barring third-party data competition, and reduced consumer choice, with controlled cost/pricing.
Impact:
Most of the big tech powerhouses have drawn the gatekeeper designation, including Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft.
In the area of interoperability, Meta’s WhatsApp has already been redesigned, for compliance.
Other examples include:
- Meta: Their pay-for-privacy model is deemed illegal under the DMA. The ruling requires they must give a third option to users for non-targeted ads.
- Apple: The App Store was found in violation for steering preventing customers from learning of better offers, and restrictions on app developers. It could face fines up to 10% of its global revenue, doubling to 20% for repeats offenses.
- Alphabet/Google: Investigations through the DMA are focused on driving search results, and Google Play.
AI Act
PTP has covered the AI Act extensively, both in an edition of The PTP Report, and with full consideration by our founder and president both on Substack and in his PTP newsletter.
With a long lead-in (most not enforceable until 2026), the AI Act aims to secure voluntary compliance from the AI providers from the ground-up, as well as inspiring other nations to develop their own AI regulations.
Impact:
Regulating systems relative to their classifications of risk, the fallout from the collision of the AI Act and big tech remains to be seen. But there have already been industry impacts, including:
- Apple: The Apple EU fine (see DMA above) no doubt played a role in the delayed launch of its AI offerings in Europe.
- Meta: Like Apple, Meta is delaying the rollout of their multimodal, open-source Llama, calling the regulatory market too “unpredictable” at this time.
- Nvidia: CUDA, central to the software at the heart of their AI dominance, has drawn attention from French regulators.
[For an overview of CUDA in Nvidia’s incredible AI rise, check out this edition of The PTP Report.]
General Data Protection Regulation (GDPR)
You may think of this as the cookies compliance (monster), as the source for all those webpage popups. But more importantly, it covers the collection, storage, use, and transfer of user data.
The grandfather of all of these pieces of regulation, the GDPR came into effect in May, 2018, and inspired numerous laws in other countries around the world, including Brazil, Japan, and South Korea, and in various states in the US (including California, Virginia, Colorado, and Connecticut). England even created their own identical version, called the UK GDPR.
Impact:
The GDPR has been a massive game-changer for tech companies. Two examples: interdependence among systems that freely share data cause compliance headaches for companies, and consumers have been provided the option to request gathered data and its removal.
Recent challenges include:
- Twitter/X: Ireland is taking the firm to court for claims user data trained the AI Grok without sufficient permission requests and transparency.
- Meta: Similar GDPR challenges in June caused Meta to pause using EU user data for AI training. They’ve also received record 1.2 billion euros ($1.3 billion) fines and been ordered to stop transferring data collected in Europe to the US.
- Amazon: Also suffered numerous fines for data processing and targeted advertising, including the second largest to date at 746M euros ($780 million)
- Alphabet: Numerous fines for Google with ongoing fights, incurring penalties for cookies, failures of transparency, control, and consent.
[For coverage on the Data Governance Act’s impact ending egress fees in the cloud market, see The PTP Report.]
Conclusion
With the new EU regulations, size is key: the bigger and more profitable the company, the more severe the requirements and repercussions. The goal is clear: spur global tech competition by opening markets.
But will this succeed? Varied tactics are now being used across rollouts: from the knuckle cracking GDPR fines, greater emphasis is being placed on long rollouts (seeking corrective plans and negotiations for change).
There can be no doubt Europe’s prior regulatory efforts have led the world (as also appears to be happening with AI), but this time there’s a nagging question about whether all the overlapping legislation might damage the European market.
With Apple and Meta both rolling out AI products globally but pointedly avoiding Europe, big tech is certainly showing its frustration.
And while such moves allow smaller companies to step into the vacuum (and French-based Mistral is thriving in AI), it also deprives European innovators new technology which can potentially damage their capacity to keep up.
Regulations of this kind are always a balancing act, and no doubt there will continue to be adjustments on each side in this ongoing fight.
For smaller players and consumers, the hope is that these challenges encourage innovation, with privacy protection and a freer landscape for competition, and don’t instead create a European bubble that stands detached from the rest of the globe.
References
How GDPR Changed European Companies’ Tech Stacks, Harvard Business Review
EU charges X with deceiving users via blue checkmark, draws Musk’s ire, Reuters
EU could hit Apple with a huge fine after accusing it of breaking new tech rules, CNN
Europe’s Digital Services Act applies in full from tomorrow — here’s what you need to know, Tech Crunch
Data Governance Act became applicable on 24 September, European data portal for European Union
DSA vs. DMA: How Europe’s twin digital regulations are hitting Big Tech, Tech Crunch
Meta’s Pay-for-Privacy Model Is Illegal, Says EU, Wired
Apple, Google, and Meta are failing DMA compliance, EU suspects, Ars Technica
Elon Musk’s X taken to court in Ireland for grabbing EU user data to train Grok without consent, Tech Crunch
Meta won’t release its multimodal Llama AI model in the EU, The Verge