Cybersecurity

Big Tech: Adapting to A New Regulatory Reality

Mike Harris
By:
insight featured image
How big tech can ensure new rules become just another cost of doing business.
Contents
  • With the first independent auditor reports as part of the Digital Services Act due this month, major social media and search engine companies face a new era of transparency as part of an increased regulatory stance in Europe.
  • Digital Services Act and Digital Markets Act will help tackle disinformation, boost safety of minors online and dilute Big Tech’s market power.
  • Different regulatory philosophies are still being ironed out, with Ireland's principals-based approach contrasting with continental Europe's more prescriptive enforcement.

For those who have observed the financial sector over the past two decades, watching tech companies understand their obligations under Europe's Digital Services Act (DSA) and the Digital Markets Act (DMA) may evoke a sense of deja vu.

Since the turn of the millennium, Europe has seen significant developments in financial regulation, particularly in response to the 2008 economic crisis. Frameworks such as the Markets in Financial Instruments Directive (MiFID) and European Market Infrastructure Regulation (EMIR) sought to increase competition and offer greater consumer protection as regulators navigated a landscape of competing interests and complex ecosystems.

The early days of these rules were marked with fraught exchanges as companies worked their way through implementation. Before long, they just became another cost of doing business.

Tech companies are experiencing a similar shift in regulatory philosophy from a light touch to a more proactive, stringent approach as the DSA and DMA follow GDPR and the Network Information Security Directive amid a broader trend towards tighter regulation.

As we approach the first independent auditor reporting period for very large online platforms (VLOPs) and very large online search engines (VLOSEs) such as Meta and Google under the new digital regime, we are in a similar spot marked by gradual adaptation, responses to emerging challenges, and a balancing act between innovation and oversight.

Time to show your cards

After a long, complex gestation involving various stakeholders, including the European Parliament, the Council of the European Union, and the European Commission, the proposed regulation is a new reality as tech companies enter their first reporting periods. For tech companies, this represents a significant shift as they now shoulder the burden of showing compliance with strict rules on content moderation, advertising transparency, and greater user choice to control what they see.

The DSA and DMA are part of a single set of new rules that apply across the entire EU to regulate digital services such as online marketplaces, social networks, content-sharing platforms, app stores, and online travel and accommodation platforms.

The DSA specifically targets online intermediary services by imposing strict obligations, with additional rules and obligations imposed on very large online platforms and search engines with more than 45 million monthly users in the EU. On the other hand, the DMA focuses on very large digital platforms designated as gatekeepers providing digital services allowing for a fairer business environment for users and new entrants into the market.

Tech companies have been actively working to comply with the new regulations. They have changed or stopped activities they have done previously while engaging with the Commission to provide information and documentation following formal requests for information. The DMA demands that platform giants like Apple, Alphabet, and Meta become more open to competition by imposing a new set of legal requirements on more than twenty of their core platform services (CPS).

Companies designated under the DMA as "gatekeepers" must make significant changes to their operations, including not discriminating against similar services or products offered by third parties on their platform. Failure to comply with the Regulations can lead to significant fines from the Commission of up to 10% of the most recent global turnover under the DMA and up to 6% of global turnover under the DMA, for significant breaches.

Since February, the DSA requires all providers of intermediary services to publish transparency reports on their content moderation practices at least once a year. These reports must include information such as the number of orders received from national authorities, the measures of content moderation, the number of content pieces taken down, and the accuracy rate of automated content moderation systems.

The reporting requirements are even more stringent for very large online platforms (VLOPs) and very large online search engines (VLOSEs) such as Meta and Google. They must publish their transparency reports at least every six months, which have to include additional information on their content moderation teams, qualifications, linguistic expertise, and more.

2024 is effectively year zero for these published reports, but their impact is already being felt, with the general public benefiting in ways like being able to opt out of recommendation systems based on profiling.

From reactive to proactive

The tech companies are not the only ones in for a period of adjustment. How these rules are applied remains up to individual country regulators. Approaches diverge between Ireland's more principled stance and continental Europe's stricter, rules-focused stance. 

As an epicentre of tech in Europe, Ireland again becomes a central player. The implementation and enforcement of the DSA is overseen by both the European Commission and Coimisiún na Meán, designated as the Digital Services Coordinator (DSC) for Ireland. This body is responsible for regulating broadcasting and the audiovisual sector and dealing with online harm under the Online Safety and Media Regulation Act 2022.

The Competition and Consumer Protection Commission (CCPC) also plays a competent authority role under the DSA, specifically concerning Articles 30, 31, and 32, which deal with online marketplaces. Given the expected increased activity level, the Irish government has allocated a substantial €6 million to support Coimisiún na Meán's activities in 2024.

Differences between geographic enforcement approaches are inevitable, as Irish common law principles differ from those of some of our European counterparts.

Strict rules and tech are always likely to create issues; given the pace of change in the sector, lawmakers risk playing an endless game of catchup. A more principals-based approach to working with tech companies to promote compliance will become more effective.

Growing pains

For an industry that thrived under the mantra of 'move fast and break things,' regulation has always been considered anathema. Inevitably, some friction will emerge.

Yet big tech has grown up, and these large operations have gradually transitioned from their startup roots to more traditionally structured corporations - compliance is now just another cost of doing business.

Transparency has become a cornerstone of regulation, especially in data handling and content moderation practices. Internal controls, monitoring, and meticulous record-keeping are also likely required.

However, after a period of consolidation across tech that led to a series of layoffs, companies may be light on the ground in areas such as content moderation, which will come under more scrutiny due to the DSA.

Tech companies should follow the financial industry's example and learn to anticipate regulatory changes as part of their risk management strategy.

Key to achieving this is development of robust compliance programs and ensuring that boards have members with a deep understanding of risk assessment and management. By bringing this expertise to the board level, companies can organise internally and build the required relationships to deal with an evolving business and regulatory landscape.

Some growing pains are involved with integrating compliance practices into tech operations, but short-term pain leads to long-term gain, as investing in the changes required will ultimately mean that their obligations under these new regulatory frameworks will be seen as an integral cost of doing business.

Contact us
Learn more about how our Cyber Security solutions can help you
Visit our Cyber Security page
Learn more about how our Cyber Security solutions can help you