How Europe's new online rules will affect UK businesses
DMA, DSA, DGA, Data Act and AI Act are all on their way
Europe's new data and markets legislation doesn't apply directly to the UK, but its impact will be felt by any organisation doing business with the bloc
A raft of new interlocking regulations around online services, competition, content and privacy will arrive this year. Many are extraterritorial and will apply to UK organisations doing business with Europe even though Britain is no longer part of the bloc.
A panel at the PrivSec London event last week covered the main ones to look out for.
The Digital Services Act (DSA)
Together with the Digital Markets Act (DMA), the DSA defines the EU's digital strategy for the next five years.
"They are meant to create a safer digital space where the fundamental rights of users are protected and also to establish a level playing field for businesses," said Nathalie Moreno, partner at Addleshaw Goddard LLP.
The DSA imposes a set of new due diligence obligations in relation to illegal content on hosting services, search engines, app stores, content sharing platforms, online platforms and "very large online platforms" (VLOPs), those with 45 million or more registered EU users. The latter are "the real targets" of the regulation, Moreno said.
Requirements differ according to the type of platform but include measures to counter illegal content, bans on targeted adverts to children and transparency of recommender systems.
Companies that do not comply with the new obligations risk fines of up to 6% of their annual turnover.
The DSA entered into force last November and will apply after a 15-month grace period from 1st January 2024. Its rough equivalent in the UK is the Online Safety Bill (OSB).
Digital Markets Act (DMA)
The DMA also entered into force in November last year, and will be applicable from May 2023. It is a competition law that imposes significant new obligations on "gatekeepers", a category that includes large providers of online platform services, intermediation services, social media and cloud computing providers. Its aim is to increase competition and ensure a more level playing field for smaller companies.
Gatekeepers are companies that can restrict how smaller firms operate, said Vincent Rezzouk-Hammachi, MD privacy solutions at legal firm Bird & Bird. "These gatekeepers currently have absolutely no rules governing the way they can behave with smaller businesses, and that's something that the European institutions are trying to address."
Under the DMA, gatekeepers will need to allow business users to access the data they generate in their use of their platform. Businesses must also be allowed to promote offers and conclude contracts with their customers outside of the gatekeepers' platforms.
If a gatekeeper violates the DMA, a fine of up to 10% of its total worldwide turnover can be levied, rising to up to 20% of worldwide turnover for a repeat offence.
The equivalent UK legislation is the Digital Markets, Competition and Consumer Bill, which will be overseen by the new digital markets unit (DMU) of the Competition and Markets Authority.
"Similar to the DMA, the [Digital Markets, Competition and Consumer Bill] requires very large, powerful tech companies to comply with additional obligations to ensure that they don't abuse the dominant position," said Joanna Moczadio, senior legal counsel at Pay.UK. It also carries a fine of up to 10% of global annual turnover.
"I think the UK is definitely taking measures to replicate some aspects of the digital package presented by the EU that the UK is relying more on policies rather than legislation at the moment. The regimes are aligned for now, but we are still to see how it's going to unfold in the UK."
Data Governance Act (DGA) and Data Act
These acts are designed to regulate the sharing of both personal data and non-personal data.
The DGA will apply from September 2023. "It's meant to increase trust in sharing data within the single market," Moreno explained.
The DGA aims to make more data available to European organisations by facilitating the reuse of protected data held by the public sector and private businesses through the regulation of data intermediaries and by supporting data sharing for "altruistic purposes", such as for scientific or medical research. It applies to a wide range of data, both personal and non-personal.
It does not oblige organisations to share data, but rather seeks to make it easier for them to do so for the common good. As such, it includes measures to rebalance the negotiating power of SMEs by preventing abuse of contractual imbalances in data sharing contracts, and rules allowing customers to switch more easily between different data processing providers. For public sector bodies that provide access to data, there are data protection rules. For example, some data will only be shareable after anonymisation.
The DGA also introduces protections regarding cross-border transfers of non-personal data. For example, "re-use" of data derived from a public sector organisation in the EU could be confined to a narrow use case.
The Data Act is still in draft. It will apply to manufacturers of connected devices, service providers and data holders. It aims to create a fair environment by setting out rules to govern data generated by IoT services, including allowing users of connected devices to gain access to data generated by them, which is often exclusively harvested by manufacturers.
Personal data is currently covered by the GDPR, and the Data Act aims to do something similar for non-personal data.
AI Act
The AI Act is also still a work in progress. It aims to ensure that AI systems used in the EU market are safe and respect existing laws on fundamental rights. It follows a risk-based approach, placing AI applications into three categories. Under current proposals, producers of high-risk AI systems, and public agencies using them, will need to be registered with the EU. If the European Parliament comes to an agreement over the final text soon, it could become law in 2024.
Where any of these new laws contradict the GDPR, the latter will always prevail, according to Rezzouk-Hammachi.
Impact on the UK
"Clearly, none of these regulations are going to apply directly in the UK," Moreno said. "But something to bear in mind is that they do have an extraterritorial application. So if you're an organisation operating in the EU, or if you're looking to send goods and services into the EU market, then those regulations will need to be taken into consideration."
The fact that these new regulations are a mixture of privacy, security and competition laws means that organisations affected should consider creating "a super-compliance team" that brings these silos together, she added.
The EU is likely to make examples of transgressors early on to focus minds, the panel agreed. Therefore, UK businesses would be wise to acquaint themselves with the requirements of the DSA and DMA in particular.