EU Enforces Digital Services Act as Privacy Reform Stalls
The European Commission has begun enforcing the Digital Services Act (DSA), issuing its first major fine against X (formerly Twitter) and signaling a new era of compliance risk for digital platforms. This enforcement action comes as a separate attempt at EU-wide privacy reform stumbled after being rejected by member states. The developments create an uncertain regulatory environment for tech companies handling user data at scale.
- The €120 million fine against X was for specific breaches of the Digital Services Act, including the deceptive design of its paid "blue checkmark" verification, a lack of transparency in its ad repository, and failure to provide researchers with access to public data. X has appealed the fine, arguing the decision was based on a flawed reading of the DSA.
- The DSA mandates that online platforms using recommender systems must clearly explain the main parameters used to rank content in their terms and conditions. They must also provide users with options to modify or influence these parameters, including at least one option not based on profiling. For a sportsbook, this could mean explaining how betting odds are displayed and offering users ways to customize their feeds.
- For frontend development, the DSA introduces strict rules against "dark patterns," which are deceptive user interfaces designed to trick users into making unintended choices. The law also requires that advertisements be clearly labeled and provide information on who paid for the ad and the main parameters used for targeting.
- The separate privacy reform, the ePrivacy Regulation, was officially withdrawn by the European Commission after years of failing to reach an agreement among member states. This leaves the existing, but outdated, ePrivacy Directive (the "cookie law") in place, meaning engineering teams will continue to navigate a fragmented landscape of national cookie consent laws rather than a unified EU standard.
- The stalled privacy reform was intended to be a *lex specialis* to the GDPR, meaning it would have provided more specific rules for electronic communications, including cookies and direct marketing, overriding the more general GDPR in those areas.
- In a move to boost AI development, the European Commission has proposed the "Digital Omnibus" package, which would amend the GDPR. These changes would recognize the use of personal data for AI development as a legitimate interest and introduce exemptions for processing certain sensitive data to detect and correct bias in AI models.
- This Digital Omnibus proposal also aims to simplify compliance by refining the definition of "personal data" and streamlining incident reporting. For AI, it proposes delaying the enforcement of rules for high-risk AI systems to give companies more time to adapt.