The EU’s Digital Services Act stole the show last week, with sweeping new rules coming into effect on 25 August for very large online platforms. But for now, that date may not mean much: It’s the DSA’s enforcement that will make the biggest difference. In other news, ransomware has reared its ugly head, while damaged cables have slowed down internet access along Africa’s western coast. Microsoft’s Activision deal is anything but sealed.
Let’s get started.
Stephanie and the Digital Watch team
// HIGHLIGHT //
EU DSA’s stricter rules for tech giants come into effect
Much as 25 May 2018 marked the birth of the EU’s General Data Protection Regulation (GDPR), 25 August 2023 will be etched as the day on which very large online platforms and search engines began implementing stricter measures under the EU’s new Digital Services Act (DSA).
The DSA and GDPR have a lot in common. Both prioritise the protection of European users’ rights; both extend their impact beyond the boundaries of the EU; and most significantly, they both (re-)affirm the EU’s role as the leading global authority in setting regulatory standards. So, even if European citizens are the primary beneficiaries, the DSA’s approach to regulating digital services (and how the EU will enforce those rules) will undoubtedly influence how other countries address similar issues.
Which users will benefit most from the new rules?
European users. But remember how the GDPR influenced non-EU jurisdictions to adopt similar rules? Companies that operate globally may also decide to adjust their practices for their non-EU user base while making these changes, as applying different rules to different markets is time-consuming, costly, and complex.
Which companies are affected?
For now, it’s the 19 very large platforms and search engines, each of which has at least 45 million monthly active users: AliExpress, Amazon Store, Apple AppStore, Bing, Booking.com, Facebook, Google Play, Google Maps, Google Shopping, Google Search, Instagram, LinkedIn, Pinterest, Snapchat, TikTok, Twitter, Wikipedia, YouTube, and Zalando. As of February 2024, the DSA will impose some of these obligations on smaller companies.
What do very large platforms and search engines need to do?
Make it easier for users to report illegal content.
Remove illegal content quickly.
Label all ads and inform users about who is promoting them. While they’re at it, they also need to publish repositories of all the ads shown on their platforms.
Clarify terms and conditions by providing an easily understandable, plain-language summary.
Allow users to turn off personalised content recommendations.
Ban targeted adverts to children and ads based on a user’s sensitive data.
Analyse the specific risks in their platforms and practices, and establish mitigation measures.
Publish transparency reports on how content moderation is implemented.
Have companies started implementing these changes?
In all fairness, some of these obligations (such as transparency reports by Google, Facebook, Snapchat, and others) have existed for years. Other changes have been implemented during the past weeks, including ad libraries published by TikTok and Booking.com; simplified terms and conditions posted by AliExpress; Facebook’s ad limitations for teenagers; and more straightforward reporting tools by Google. But there are changes we haven’t seen yet – where is Booking.com’s simplified version of their terms? – and others that must be carried out in due time (such as risk assessments by the end of the year).
Will the EU monitor compliance?
Definitely. The European Commission will actually be in charge itself, which is perhaps the biggest difference between the DSA and the GDPR. To do so, the commission and the entities helping it will need more staff, reports suggest. (In comparison, Facebook had a 1,000-strong team working on the DSA.) Digital Services Coordinators – national regulators tasked with overseeing the DSA’s implementation – must also be appointed by February.
The DSA has yet to face its greatest challenge. Enforcing the rules remains uncharted territory. But for now, it’s essentially a waiting game.
Digital policy roundup (21–28 August)
// AI GOVERNANCE //
BRICS announces new body to develop AI governance frameworks
The BRICS countries (Brazil, Russia, India, China, and South Africa) have joined the list of groups establishing specialised entities to cover AI governance issues.
Addressing the annual summit, China’s President Xi Jinping referred to a new BRICS AI study group, as part of the BRICS Institute of Future Networks, that would develop governance frameworks and standards, and help make AI technologies ‘more secure, reliable, controllable, and equitable’.
Why is it relevant? Although there’s a placeholder for this new working group on the institute’s website, the institute doesn’t divulge any details, nor does the BRICS’ final communique refer to this development.
// CYBERSECURITY //
Ransomware on the rise; MOVEit vulnerability partly to blame
The security company NCC Group reported a record-high number of ransomware attacks in July. The company said that over 500 cyberattacks were recorded, most targeting large companies. The increase has been attributed to the exploitation of a vulnerability in MOVEit, a file transfer software, by a hacker group known as CLOP or Cl0p.
Why is it relevant? If you thought cybercrime takes a break in summer, think again. The list of victims affected by CLOP since June seems endless (over 1,000 entities and millions of users) and includes airlines, universities, and health centres.
Plan ahead to counter quantum-powered cyberattacks, US security institutes urge
The US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the National Institute of Standards and Technology (NIST) are urging organisations, especially those supporting critical infrastructures, to plan early for the probability (not if, but when) of quantum-powered cyberattacks.
The agencies are advising organisations to start thinking about migrating to post-quantum cryptographic standards, and have released guidelines on how to prepare a customised roadmap.
Why is it relevant? To explain the upcoming risk, we’ll cite an excerpt from our ongoing infrastructure policy course: ‘Breaking one of the most secure codes of today… by trying all the possible options with a conventional computer would take around 300 trillion years. A powerful quantum computer would take only 8 hours for this task. In essence, all of the data we have ever encrypted could suddenly become exposed, and most of the current encryption algorithms rendered obsolete.’
// DATA PROTECTION //
Data scraping concerns raised by data protection authorities
Data protection authorities from around the world have issued a joint statement expressing their concerns about the practice of data (or web) scraping by tech companies due to the potential of data scraping technologies to harvest personal data. Just because information is publicly available on the internet does not mean that privacy protections no longer apply, the statement said.
The statement, issued by the privacy protection authorities of New Zealand, Canada, Australia, the United Kingdom, Hong Kong, Switzerland, Norway, Colombia, Morocco, Argentina, Mexico and Jersey, was sent to several tech companies.
Why is it relevant? The statement highlights one of the most widely used techniques for harvesting internet content to train large language models. Although many platforms prohibit web scraping (not to mention the data protection laws that also impose restrictions), the practice is nonetheless prevalent.
// ANTITRUST //
Back to the drawing board? The EU might reassess the Microsoft-Activision acquisition.
Microsoft has agreed to transfer the licensing rights for cloud streaming of Activision Blizzard games to Ubisoft, in order to win approval from the UK to acquire Activision. All will be well and good if the UK’s Competition and Markets Authority agrees.
But Microsoft’s new proposal has also prompted the European Commission to consider whether it should reevaluate the deal, according to a media report.
Why is it relevant? The commission approved the deal in May; Microsoft’s new strategy could upset the approval that the commission had granted, placing the planned merger on an uncertain track once again.
// SUBSEA CABLES //
Western Africa’s choppy internet access after cable damage
It could take weeks for Africa’s internet connection to be fully restored, after an underwater landslide in Canyon damaged two major submarine cables. The damage to the SAT-3 and WACS cables led to the loss of international internet bandwidth along the western coast of Africa.
At the time of writing, the cable-laying ship Léon Thévenin was still on its way to the suspected break points off the Congo coast after setting out from Cape Town in South Africa last week. The cables were damaged earlier in August.
Why is it relevant? We take undersea cables largely for granted. Not only do they carry over 90% of the world’s internet traffic, but there can be serious implications (economic impact, disrupted communications, etc.) when they get damaged.
The week ahead (28 August–4 September)
21 August–1 September: The UN Ad Hoc Committee working on a new cybercrime convention is meeting in New York for its 6th session.
1–4 September: The self-organised privacy and digital rights conference Freedom Not Fear returns to Brussels this weekend.