There's no shortage of legal proposals hitting the EU this year. The bills to watch in the upcoming months would impose significant obligations on the organizations they cover. They aim to bring EU law up to date with technologies that have exploded in the last couple of decades or so.
Here are the highlights.
Digital Services Act (DSA)
The European Commission aims to upgrade its rules on digital services in the EU. It’s doing this using two proposed laws to form a single set of rules across the EU. They’re called the Digital Services Act and the Digital Markets Act. Together, they aim to protect users and establish a “level playing field to foster innovation, growth and competitiveness.”
Think of anything delivered via the internet when you think of digital services. That could be a music streaming service or an e-book or a website.
The Digital Services Act would cover:
- Intermediary services (Internet access providers, etc.).
- Hosting services.
- Online platforms.
Its obligations vary depending on an organization’s size, but they can include monitoring of third-party vendors, external risk auditing and codes of conduct.
While the internal market committee at the European Parliament has given its approval, the bill will face Parliament in its entirety in January 2022.
The Digital Markets Act
The Digital Markets Act would cover the largest digital platforms, known as “gatekeepers,” under the proposal. Think companies like Facebook, Apple, Microsoft and Google. It aims to level the playing field for digital companies of all sizes. It would create rules for major internet platforms that would prevent them from imposing “unfair conditions on businesses and consumers.” For example, a company like Amazon wouldn’t be allowed to rank products on its site in a way that gives Amazon’s own products and services an advantage.
It would also give the European Commissioner the power to carry out investigations, sanction bad behavior and update the law’s obligations as needed.
The European Parliament passed the Digital Markets Act, and it now heads to the European Commission for negotiations.
The e-Privacy Regulation
The e-Privacy Regulation has been a long time coming. It was meant to come into force alongside the EU’s General Data Protection Regulation in 2018 but has stalled for years. The e-Privacy Regulation would create privacy rules for traditional electronic communications services and for entities that weren’t covered by the former law, the e-Privacy Directive, such as WhatsApp, Facebook Messenger, and Skype.
It would create stronger rules on the privacy of electronic communications, and it would apply not only to communications content but also to “metadata,” that is, data that describes other data. Under the e-Privacy Regulation, service providers and electronic communications networks have to get prior consent from the user before processing their electronic communications metadata.
It would also, importantly, create simpler rules on cookies. It would allow users to consent to or deny tracking cookies at the browser level, and it would also clarify that websites do not need to get consent for what are called “non-privacy intrusive cookies.” Those cookies allow website features like “shopping carts” to keep track of what a user has ordered. It would also require that organizations allow end users to withdraw their previously granted consent at least once per year.
The Artificial Intelligence Act
The EU’s Artificial Intelligence Act would apply to any company doing business in the EU that develops or adopts machine-learning-based software. It would apply extraterritorially, meaning the law will cover companies based elsewhere if they have customers or users inside the EU.
The AI Act would ban the following:
- Techniques used to manipulate a person’s behavior in a manner that could cause mental or physical harm.
- AI systems that could exploit vulnerable groups based on age or physical or mental disability.
- AI systems used by law enforcement that provide real-time remote biometric data in publicly accessible spaces.