Enforcement Spotlight – Autumn 2024
Mehmet Onur Çevik & Maria Koomen | November 2024
Autumn 2024 has been an unusually productive period for the EU tech policy enforcement ecosystem. Significant cases were opened and closed against tech giants, a new policy agenda and leadership constellation has started lining up at the EU level, and European regulators have been working ‘round the clock to design and (re)build enforcement systems to bring the DSA, DMA, and AI Act to life. It was actually hard to avoid news about tech policy implementation and enforcement – a welcome change!
With this first edition of the Enforcement Spotlight, we’ll unpack enforcement news, first looking beyond the headlines for lessons to learn and best practices to adopt, and then highlighting important enforcement developments that are shaping how technology impacts European markets and societies—for better or for worse.
Politics: What’s driving enforcement?
As the international climate for tech regulation heats up, each substantial court case, market access restriction, and piece of press attention adds political pressure that’s conducive to regulatory resilience—and, ultimately, more effective enforcement.
From the outside in, multiple legal frameworks—including tax, antitrust, commercial, and criminal law—are being leveraged to drive tech policy enforcement toward a safer, more equitable tech landscape across Europe. Here are a few examples:
- Recent court decisions to close the Apple Tax and Google Shopping cases have bolstered regulatory resilience in Europe. With the Apple Tax case in Ireland, the Court of Justice of the European Union (CJEU) finally upheld the European Commission’s 2016 ruling that Ireland gave unlawful tax favours to Apple between 1991 and 2014. This case drives home the point that tax laws are important levers for regulatory resilience in Europe, to ensure fairness among big and small tech firms—and, especially, among member states. In practice, tax benefits to big tech firms in a particular member state is a form of regulatory capture. This ruling has triggered similar reforms in other EU member states, including the Netherlands, Luxembourg, and Cyprus, setting the bar higher for tax fairness in Europe.
- The Google Shopping case was another major regulatory win over powerful tech companies in Europe. Building on the recent antitrust wave against Google in the U.S., this case underscored the European Commission’s commitment to ensuring that European markets must be fair in principle. And in practice, this means that favouring your own comparison-shopping service in search results—and hiding competitors’ services—is anti-competitive and, thus, unacceptable behaviour in Europe. Now, when searching Google for products or services in Europe, citizens’ search results should show a relatively unbiased representation of the variety of offers available to them. This landmark win and the corresponding changes it compelled in market behaviours have effectively rolled out the red carpet for the Digital Markets Act to come.
Beyond tax and antitrust laws, commercial and criminal law are also emerging drivers of tech policy enforcement.
- The CJEU upheld German legislation that treats GDPR non-compliance as a prohibited unfair practice under national law. While this remedy does not explicitly protect fundamental rights, it will likely help compel compliance without undermining traditional enforcement mechanisms through Data Protection Authorities (DPAs).
- Sweden urged the EU Council to leverage the Digital Services Act (DSA) to combat online recruitment by criminal networks. Sweden, along with Finland and Denmark, is pushing for increased cooperation with Meta, Google, Snap, and TikTok, and has launched a “Nordic forum” to tackle this issue.
- Six member states led by Germany, are pushing for stricter DSA compliance by platforms like Shein and Temu, which have been accused of exporting products to the EU without meeting safety standards. Following a discussion at the Competitiveness Council, the European Commission formally requested information from these platforms to assess their compliance with DSA requirements, particularly regarding product traceability, protection of minors, and prevention of “dark patterns”, such as tricks that prompt users to make purchases or share data.
Players: Who’s shaping the EU enforcement ecosystem?
The EU tech policy ecosystem is gearing up with new commissioners set to take the helm next month, new Commission teams swelling to implement new laws, new working groups at play around tough issues, and new channels and dispute bodies popping up across member states. How are these players shaping EU tech policy enforcement?
- Ursula Von der Leyen taps Finland’s Henna Virkkunen as a next European Commission EVP to cover “Technology Sovereignty, Security, and Democracy” and digital and frontier technologies. It would be a Commission-first to have one portfolio reach across technologies, security, and democracy, and to have help from not one but two DGs, CNECT and DIGIT. She would oversee all digital policymaking, and the enforcement of platform regulations DSA and DMA. In her hearing, Virkkunen signalled an innovation-friendly vision, positioning herself as an alternative to her predecessor Breton and aligning closely with Von der Leyen’s overall vision—although, notably, without regard to “the people and communities that this blinkered view of digitalisation will leave behind.”
- The AI Office staffing priorities ruffled more feathers in its search for a chief scientific advisor among its own ranks of eurocrats. Echoing our call for the EU to invest in enforcement actors and institutions with technical knowledge and expertise, ICFG advanced AI researchers argue that the AI Office needs top scientific talent in order to be relevant to the fast-paced world of AI governance.
- The EU’s enforcement ecosystem thickens! New, out-of-court dispute settlement bodies are being certified to provide alternatives for dispute resolution. A German-based body, certified under Article 21 of the DSA, is now accepting complaints about Instagram, TikTok, and LinkedIn in German and English. In Ireland, the Media Commission certified the Appeals Centre Europe (ACE) to handle DSA-related content moderation disputes for platforms like Facebook, YouTube, and TikTok. Funded by a €13.7 million grant from Meta’s Oversight Board Trust, ACE is set to operate for five years beginning in 2024.
We also see notable developments across the tech industry:
- TikTok’s lay off of 300 moderation employees from their trust and safety team in Amsterdam has raised concern over human capacity for DSA compliance. TikTok has denied these layoffs affect its DSA obligations. It remains to be seen how TikTok and other tech titans shape their compliance with these laws, but the European Commission looks to very-large-online players to set the bar high for the industry.
- The arrest of Pavel Durov, Telegram’s founder, sets an important precedent, highlighting the extent to which personal accountability for the tech industry may be pursued. The French agency OFMIN, responsible for combating violence against minors, issued a warrant accusing Durov of failing to moderate Telegram content and refusing to cooperate with authorities to curb criminal activities. The Paris public prosecutor views Durov as complicit, with Telegram allegedly being used for drug trafficking, child pornography, and cyber-bullying. Although Durov was released on €5 million bail, he is forbidden to leave France.
Policies: What is actually being enforced?
We’re starting to see some exciting applications of the good ol’ GDPR in the AI space. Things worth watching:
- The Irish Data Protection Commission launched an inquiry into Google’s AI model training to see whether the company is properly upholding its data protection obligations—which are in fact serious public responsibilities, considering the accessibility, reach, and power of its latest model PaLM2.
- Meanwhile, the European Commission is busy ironing out its shiny new suite of digital laws, addressing legislative overlaps and kinks with national laws—all of which would pose significant challenges for compliance, implementation, and enforcement down the road. It is preparing to issue a formal opinion to challenge Hungary’s draft law on online protection for minors, which it believes violates the Digital Services Act (DSA). This is not the first time the Commission has raised concerns about such conflicting laws—similar issues were brought up with France’s Digital Space Bill last year.
- Ireland is also adjusting its draft Online Safety Code for platforms like TikTok and YouTube. In response to concerns that its original proposal could conflict with the DSA, Ireland has removed a requirement that platforms disable recommendation systems by default.
- At the EU level, the European Commission has softened its AI Pact to make it more attractive for companies to participate in the lead-up to the AI Act’s full implementation in 2026. Over one hundred companies have signed the EU AI Pact so far, committing to help drive trustworthy and safe AI development. Notably, pledges are missing from Meta, Apple, and Mistral.
- Besides these digital regulations, financial data is also under sharper scrutiny. Under the draft Financial Data Access Regulation, companies like Google, Meta, and other digital gatekeepers will be required to segregate personal data obtained within the scope of this regulation from data they already possess. The final text, which includes specific restrictions for gatekeepers, will still need to be negotiated with the European Parliament.
Procedures: What does tech policy enforcement look like in practice?
As the EU’s new tech rulebook comes into force, Europe’s enforcement ecosystem is forging new procedures to put these complex laws into practice creatively and collaboratively.
- The European Commission’s DG CNECT is making waves with a new civic engagement track to crack the DSA-implementation nut collaboratively. With burning problems on the table such as violence against women online and the mounting global crisis of mental health, the Commission has so far convened three roundtables with civil society organisations to discuss the role of online platforms and explore how to use the DSA in order to tackle these problems—and the role of civil society in implementing the act.
- The European Board for Digital Services has established eight working groups to coordinate DSA implementation across member states. These working groups, which cover topics like content moderation, consumer protection, data access, and the integrity of the information space, will be instrumental in ensuring consistent enforcement and addressing cross-border issues as the DSA is rolled out. Together, these initiatives reflect a collaborative, multi-stakeholder approach to building a safer and fairer digital environment across the EU.
- Around the corner, the AI Office announced the (primarily academic) chairs of a new General-Purpose AI (GPAI) Code of Practice—including our very own senior fellow Marietje Schaake. The drafting process officially kicked off at the end of September, and global interest in the code has surged, with nearly 1,000 organisations and individuals expressing interest in participating. During the session, the Commission presented preliminary results from the public consultation carried out over the summer, which served as a basis for drafting the General-Purpose AI Code of Practice. The first draft, written by independent experts, was published on 14 November and will be discussed with around 1,000 stakeholders in the following week. This crucial document is scheduled for completion in April.
- And on the other side of the institutional fence, the European Center for Not-for-Profit Law (ECNL) published a proactive vision and strategy for how the AI Act should be implemented and enforced over the next two years, to help ensure the law can be enacted collaboratively in order to deliver for people and society.
- Here in Brussels, the Belgian Data Protection Authority’s challenge of data litigator NOYB’s complaint is just the tip of the iceberg of a broader question of what civil society’s role should be in enforcing the EU’s digital and data rulebook. Efforts like the above by ECNL are a fantastic leap toward more ecosystem-wide responsibility and capacity to uphold these rules.
- To underpin these policy-specific engagement and collaboration tracks, it’s worth watching the new Commission’s efforts to broaden and institutionalise the Better Regulation agenda in order to bring a broader spectrum of evidence in hindsight and foresight into the policymaking process, and how the proposed Digital Fairness Act and Civil Society Platform can be leveraged for stronger implementation and enforcement of the EU’s digital and data rulebook.
Enforcement highlights by legislation
In this section, catch up on major enforcement highlights sorted by legislation.
General Data Protection Regulation (GDPR)
- Irish Data Protection Commission fined LinkedIn €310 million for data processing violations involving user behaviour analysis and advertising.
- EU Court ruled that breaking GDPR rules can be considered unfair business behaviour under national laws, adding another way to hold companies accountable for protecting personal data.
- Meta Ireland was fined €91 million for storing passwords in plaintext, with no objections from other EU authorities.
- Belgium’s Data Protection Authority rejected a privacy complaint by NOYB about Google Analytics, accusing the ngo of misusing legal processes—an approach that contrasts with other European regulators who backed similar cases.
- Meta challenged EU rulings deeming its “pay or consent” ad model non-compliant with GDPR and the Digital Markets Act.
Digital Services Act (DSA)
- Sweden calls for DSA to combat online criminal recruitment, collaborating with other Nordic countries and tech firms.
- New dispute settlement bodies certified under DSA in Germany and Ireland for content moderation complaints.
- The EU’s Digital Services Board has launched eight working groups to tackle key issues like online safety, content moderation, consumer protection, and misinformation under the Digital Services Act
- Online platforms report on efforts to combat disinformation during EU elections, including safeguards against AI-generated fake content, as part of the Code of Practice on Disinformation.
- Ireland’s Media Commission is reviewing online platforms’ compliance with the DSA, focusing on user mechanisms for reporting illegal content amid concerns raised by complaints and initial findings.
Digital Markets Act (DMA)
- X excluded from DMA’s core platform services after investigation found it’s not critical for business-user access.
- European Commission launched DMA proceedings for Apple’s interoperability obligations.
- Commission services and EDPB will start joint work on guidance on the interplay between DMA and GDPR, addressing digital gatekeepers’ compliance.
- BEUC criticised DMA gatekeepers for privacy breaches, highlighting consent issues and inadequate compliance reports.
Artificial Intelligence (AI) Act
- AI Office nears 100-staff goal for 2024, aiming to fulfil EU AI Act responsibilities.
- New AI Act compliance tool highlights gaps among major AI models, suggesting areas for improvement.
- First draft of the General-Purpose AI Code of Practice published, written by independent experts. The four working groups will meet to discuss the draft this week.
- Draft EU AI Pact attracts over 100 companies, although major players like Meta, Apple, and Mistral are not among them.
- The EU’s Artificial Intelligence Board began work on promoting AI adoption and implementing the AI Act, focusing on its organisation, strategic policy discussions, and sharing best practices for national AI governance.
Other
- The French Competition Authority weighed in on the tensions between competition, privacy and data protection law faced by mobile applications in Europe.
- EU’s brief on competition in generative AI and virtual worlds signals evolving competition policies.
- The CJEU upheld a 2016 ruling that Ireland granted Apple unlawful state aid through tax advantages, overturning a 2020 General Court decision.
- CJEU upheld €2.4 billion fine against Google for Shopping service bias, maintaining previous rulings.
- French authorities arrested Telegram founder Pavel Durov, accusing him of failing to moderate illegal activities like child exploitation and drug trafficking on the platform.