Subscribe to regular updates:
A close-up of the European Union's regulatory approach to data governance, content moderation, competition and more.
This is the fifth issue of the “DPA Digital Digest” series based on the Digital Policy Alert database. This series provides concise summaries of each G20 nation’s recent policy changes in data governance, content moderation, competition and further domestic focal points.
Tommaso Giardini, Maria Buza
18 Apr 2023
In digital policy, the European Union (EU) is a leading global force. Having created a global benchmark for data protection with its General Data Protection Regulation, the EU is reaching into new policy areas with the Digital Markets Act, Digital Services Act and the Artificial Intelligence Act.
The fifth DPA Digital Digest provides a succinct overview of the latest policy and enforcement developments in major policy areas as well as EU-specific focal points. This includes:
Written by Tommaso Giardini and Maria Buza. Edited by Johannes Fritz.
Discover the details of the European Union's approach below and stay informed on our dedicated page:
Remain up-to-date on new and upcoming policy developments with our free notification service: https://digitalpolicyalert.org/subscription
Data protection policy developments
In 2020, the European Commission (“Commission”) presented the European Strategy for Data, to create a “single market for data”. The Data Governance Act, implemented in September 2023, aims to facilitate data sharing and increase data availability. The Act forms mechanisms for the reuse of public sector data, requires data intermediaries to enable data sharing and establishes common “European data spaces”, including in health and finance.
The Data Act, on which the Council of the European Union (“Council”) adopted its position in March 2023, regulates the sharing of data generated by connected devices. It requires Internet of Things providers to enable data access, sharing, and portability. In addition, the Data Act aims to prevent contractual imbalances in data sharing contracts, enable public sector access to private sector data and require interoperability for data-processing services.
Data localisation/transfer developments
Since 2021, the EU facilitated data transfers through adequacy decisions, e.g. with South Korea, standard contractual clauses and guidance, including on data transfer certification.
In 2020, the Court of Justice of the European Union invalidated the US-EU Privacy Shield, mainly due to US intelligence services’ access to EU user data. In March 2022, the countries reached an agreement in principle on a Data Privacy Framework. In October 2022, US President Biden issued an Executive Order to implement US commitments under the Framework. In December 2022, the EU circulated a draft adequacy decision for the Framework, on which the European Data Protection Board (EDPB) raised concerns regarding data subject rights and exemptions.
Data protection rules are enforced by national supervisory authorities. In 2023, the Commission proposed a Regulation on Procedural Rules to coordinate GDPR enforcement in cross-border cases. Also in 2023, the EDPB launched the second yearly Coordinated Enforcement Action, concerning Data Protection Officers.
The EDPB can issue binding decisions on disputed cases with cross-border effects. Recently, the EDPB issued two binding decisions in cases of the Irish Data Protection Commission (DPC). In January 2022, the DPC fined Meta EUR 5.5 million because WhatsApp obliged users to agree to its updated Terms of Service as a condition to use its services. The DPC ruled that Whatsapp could not rely on “contractual necessity” as a legal basis and was instead forcing users to consent. In December 2022, the DPC fined Meta because its “contractual necessity” legal basis was insufficient for the data processing on Instagram (EUR 180 million) and Facebook (EUR 210 million). In April 2023, Meta switched to the legal basis of “legitimate interest”.
Content moderation developments
In February 2024, the Digital Services Act (DSA) will be implemented. The DSA imposes a range of rules covering transparency reporting, the prohibition of dark patterns, specific compliance rules for "very large online platforms" and "very large search engines", as well as new oversight powers. Regarding content moderation, online hosting platforms must install a notification mechanism for users to report unlawful content. Online platforms with over 45 million monthly active users in the EU must handle complaints within 15 days and provide justification.
In February 2023, the European Parliament (“Parliament") adopted its position on the Regulation on the transparency and targeting of political advertising. The Regulation requires online service providers to label paid online political advertising and establish a flagging mechanism. The Regulation also contains data protection rules regarding the targeting of political advertising, which reportedly prompted Meta to consider removing all political advertisements in Europe.
In September 2022, the Commission proposed the European Media Freedom Act. The Act introduces safeguards against the “unjustified removal” of media service providers’ content. Platforms with over 45 million monthly active users in the EU must process complaints by media service providers and notify media service providers with justification to remove content.
In May 2022, the Commission proposed a framework including measures for digital service providers to combat online child sexual abuse material (CSAM). Providers must self-assess CSAM risks and can be ordered to detect, report and remove CSAM using automated technologies. Additionally, internet service providers must make content unviewable if content removals are impossible and app store providers must impose age verification and assessment procedures. In a parallel attempt to curb CSAM, the EU’s ePrivacy Directive was partly derogated until 2024 to enable the processing of certain personal data to detect, report and remove CSAM.
Since June 2021, the Directive on Copyright in the Digital Single Market regulates the use of protected content by online content-sharing service providers. Providers are liable for copyright infringements and must obtain authorisation for making available protected works. They must remove access to infringing content upon notification and install a complaint and redress mechanism. Providers exceeding 5 million monthly unique visitors must also prevent infringing uploads. In addition, the Directive introduces the principle of appropriate and proportionate remuneration, entitling authors and performers that license or transfer their copyrights to remuneration and information regarding the revenues generated with their work.
The enforcement of content moderation policy currently remains the responsibility of EU Member States. Future DPA Digital Digests will cover national authorities' enforcement.
Competition policy developments
In May 2023, the Digital Markets Act (DMA) introduces the concept of “gatekeepers” that provide “core platform services”. Regarding mergers, the DMA requires gatekeepers to notify the Commission of their intent to merge or acquire other companies providing core platform or other digital services, regardless of thresholds. Regarding unilateral conduct, the DMA prohibits the combination of personal data between different services and requires interpersonal communications services to be interoperable with other providers' systems.
In January 2023, the Commission consulted on the reevaluation of the Market Definition Notice, to include a market definition for digital ecosystems and multi-sided platforms in assessing "relevant markets". Since June 2022, the revised Vertical Block Exemption Regulation and Vertical Guidelines cover platforms and online intermediaries as “suppliers”. The amendment introduces digital-specific calculations of market share, definitions of vertical agreements and quality requirements for online sales and advertising.
The Commission regularly investigates unilateral conduct in digital markets. In February 2023, it alleged that Apple’s App Store rules unlawfully prevent music streaming providers from informing users of cheaper alternatives. In May 2022, it accused Apple of abusing its dominance by enabling Near Field Communication (NFC) technology on its devices only for Apple Pay. In December 2022, the Commission objected to Meta’s use of data collected from its advertisement service for its Facebook Marketplace. In the same month, the Commission accepted Amazon’s commitments regarding its use of non-public data from competing sellers and discrimination against sellers that don’t use its logistic services. In early 2022, the Commission launched an investigation into Google and Meta concerning an anti-competitive agreement in online display advertising. Previous investigations into Google resulted in a EUR 2.4 billion fine for directing traffic from its search engine to its comparison shopping services and a EUR 4.1 billion fine for requiring pre-installation of its apps, e.g. Chrome, for access to the Google Play Store.
In merger enforcement, the Commission is currently investigating the Microsoft/Activision Blizzard, Orange/MasMovil and Broadcomm/VMware transactions. It has recently approved the Meta/Kustomer, Google/Photomath, Amazon/MGM and Orange/VOO/Brutélé acquisitions.
 Gatekeepers include companies with an annual EU turnover over EUR 7.5 billion (last three years) or market capitalisation over EUR 75 billion (last year) that operate a core platform service in at least three EU countries, reaching more than 45 million monthly “end users” and 10'000 “business users” (last three years).
 Core platform services include: online intermediation services such as app stores, online search engines, social networking services, certain messaging services, video sharing platform services, virtual assistants, web browsers, cloud computing services, operating systems, online marketplaces, and advertising services.
Further digital policy focal points of the European Union
In 2021, the EU consulted on but then postponed its digital levy in view of negotiations on the OECD/G20 Inclusive Framework. From 2024, a Directive requires member states to implement minimum taxation rules under the Framework, namely the Income Inclusion Rule and the Undertaxed Payment Rule under Pillar 2 of the Framework (Global Anti-Base Erosion Rules). The rules affect companies with a global annual turnover of over EUR 750 million.
In 2021, the EU subjected e-commerce providers to its value-added tax (VAT) regime. In addition, it abolished the import VAT exemption for small consignments (previously EUR 22) and lowered the threshold for intra-EU distance sales that triggers a business registration requirement to EUR 10,000. A new “VAT One Stop Shop” allows businesses to register in only one member state.
Starting January 2024, platform providers must adhere to tax reporting rules regarding their business, including the rental of immovable property or transport and the sale of goods. Providers must verify and send information to tax authorities, including an overview of amounts paid and platform commissions. In December 2022, the EU proposed tax transparency rules for crypto-asset transactions by customers residing in the EU. A second proposal would standardise VAT reporting, establish a Single VAT Registration (SVR) and expand record-keeping obligations to short-term accommodation rental and business-to-business supplies providers.
In December 2022, the Council adopted its general approach on the Artificial Intelligence (AI) Act. The Act introduces a risk-based regulatory framework including specific obligations for “high-risk systems” (HRS). The Council approach defines HRS as systems that could pose or cause harm to the health and safety of individuals or could have a negative impact on individuals' fundamental rights. HRS training, validation and testing data must be relevant, representative and free of errors. HRS providers must establish a risk management system to ensure consistent functioning as well as security procedures including human oversight. Users must be informed if biometric or emotion recognition systems are used. Furthermore, the general approach prohibits AI systems that could endanger people's safety and rights or include social scoring. Fines for non-compliance can reach EUR 30 million or 6% of global annual revenue. Currently, AI Act amendments to address generative AI are being debated, following domestic investigations and the creation of an EDPB task force to look into ChatGPT.
In September 2022, the Commission proposed a Directive adapting liability rules to artificial intelligence to complement the AI Act. The directive grants victims the right to claim damages for injury to their life, property, health and privacy resulting from defective products or the fault of AI developers. AI providers must disclose information on their systems in civil court proceedings.
The Markets in Crypto-Assets Regulation (MiCA), proposed in October 2022, requires issuers of crypto-assets to register with national authorities and obtain authorisation to operate in the EU. In addition, crypto-asset issuers and providers must follow transparency requirements regarding the characteristics of their crypto assets, their asset reserves and consumer rights. Finally, MiCA obliges "significant" crypto-asset issuers to ensure effective risk management, implement liquidity management strategies and have 3% of own capital as reserve assets.
The anti-money laundering and countering terrorism financing package contains two cryptocurrency proposals. In June 2022, the Parliament and the Council reached a provisional agreement on a regulation requiring crypto-asset service providers to disclose information on transactions, including the originator and beneficiary, and check for entities at high risk of money laundering. In December 2022, the Council adopted its position on a regulation extending due diligence rules to crypto assets for transactions exceeding EUR 1,000.
In February 2023, the Commission proposed a set of telecommunications rules. First, it proposed the Gigabit Infrastructure Act to facilitate the rollout of high-capacity networks. Second, it published the Draft Gigabit Recommendation which guides national regulatory authorities’ regulation of network infrastructure access regarding operators with significant market power. Third, it consulted on the future of the electronic communications sector and its infrastructure, including the proposal of “fair contributions” from digital providers to telecommunication providers. Previously, the European Telecommunications Network Operators' Association suggested a direct compensation mechanism from large content and application providers to internet service providers. The Body of European Regulators for Electronic Communications’s preliminary assessment found no evidence to justify a direct compensation mechanism.
 The definition includes entities with 1) over 10 million asset-referenced token holders, 2) a market capitalisation of over EUR 5 billion, 3) over 2.5 million daily transactions with a value exceeding EUR 500 million 4) "gatekeeper" status based on the Digital Markets Act or 5) designation as "significant" issuer by the Commission, if other criteria are not met.