In April of 2018, I started to receive email after email asking me to opt-in to newsletters and services I’d already been using for years.
I began to notice that some websites I commonly visited were not accessible anymore. Long tails of website banners began to appear, prompting me for permissions and approvals that continue to this day.
The root cause? The EU's newly implemented GDPR (General Data Privacy Regulation) had finally gone into effect.
'Global standard' not up to scratch?
Praised by the EU as an “overall success,” GDPR was intended as a global standard for consumer-focused privacy practices. The experience for the millions of Europeans who make their living creating software applications and services was anything but positive. Many developers spent time and effort modifying their apps to accommodate the new rules. Some companies located outside Europe announced that they abandoned the EU market entirely. An example is Unroll.me, which helps users unsubscribe from email spam. If you access this site from Europe, you will still see a message saying that "the service is not available for customers in the EU and the European Economic Area."
After almost three years of implementation, few companies can be assured that they are fully compliant with the GDPR. Having to deal with personal data remains a strong inhibitor for European technology projects of any kind. We've seen this with health researchers who have called for changes to GDPR to better allow for the exchange of health data outside of the EU. All of which was predictable, and all of which was ignored by policymakers before and after the regulation became law.
Something similar is about to happen, but this time the impact could be more far-reaching.
Next wave of regulation
The next wave of EU-driven internet regulation centres on two initiatives: the DSA (Digital Services Act) and the DMA (Digital Markets Act). As important in the long term will be the Commission’s new proposal for “a European approach” to artificial intelligence (AI Act).
The DSA aims to instill uniform rules to tackle illegal content we see online, in social media and similar sites. It’s a measured improvement that encourages everyone to adopt what works, and while not perfect, it does put some guardrails around the worst excesses we see online, i.e. child abuse, terrorist content, and illegal hate speech. As long as the rules are applied uniformly across the EU, and not undermined by member states going on ‘solo runs’, the DSA seems like a reasonable proposal.
The DMA however, is a very different regulation whose objective is not to improve the online experience for Europeans, but rather to make current data-driven internet business models (including some app stores and integrated hardware/software operating systems) illegal, in the hopes that European companies might benefit. It is mainly a set of rules meant to regulate how large platforms like Google, Facebook or Apple (which the DMA calls ‘gatekeepers’) operate.
Disruption for start-ups?
While such rules claim to help consumers and small companies, their impact will be to shift profits from one set of large companies to another, and in the process disrupt the app and software marketplace for everyone – especially small players and startups. Moreover, if operating system providers and smart device providers must fully open their platforms to third parties, they lose the ability to oversee and manage the ecosystem, leaving the door open to malware, and making the development of the next generation of apps (voice-activated, internet-of-things, etc) much more difficult.
The AI Act also follows a traditionally heavy-handed EU regulatory approach. The aim is to ban Chinese-style public surveillance, but also to restrict the use of computers to make decisions in important areas like education, employment or law enforcement. Faulty definitions, coupled with complex legal requirements and the risk of high penalties, will seriously inhibit the development of these advanced technologies in the EU, leaving only the largest players able to compete.
These legislative proposals are promoted by the European Commission and welcomed by the EU co-legislators as critical regulations for the EU’s digital markets. As with the GDPR though, little has been done to assess whether Europeans and European start-ups will actually benefit from these rules. Policymakers are again gambling that technology companies will simply give the EU a major say in their global businesses and share their ‘trade secrets’, rather than just block services and dump obsolete products into a market where they can no longer operate efficiently.
Put simply, initiatives such as the DMA and the AI Act will discourage startups, SMEs and platforms from embarking on the innovative R&D that these regulations are supposed to promote. The cumulative effect of these initiatives must be considered. In the end, this is about Europe’s global competitiveness, not just its aspiration to be seen as a global tech regulator.
Europeans deserve the benefits that the digital economy provides just as much as any foreign market does. They should demand to know exactly how these regulations will actually make life better in the EU.
We do not believe they will.
If EU policymakers want to change the internet, rather than banning the business models that have driven its success and (re)designing markets, they should focus on setting principled rules around legitimate behaviour and providing incentives for investment in the Digital Single Market and innovation more broadly.
Innovation will always find a home, and Europe as a whole would be much better served if policymakers completed the job of building a Digital Single Market where our entrepreneurs could thrive, rather than trying to act as gatekeepers to that market in the hope of keeping competition out.
Karina Stan is the Director of EU Policy for the Developers Alliance based in Brussels
The views expressed here are those of the author