What Does the EU’s Far-Reaching New Digital Services Act Mean for Privacy Worldwide?

The Digital Services Act (DSA) is a major new EU law with the potential to be as influential globally as the 2016 General Data Protection Regulation (GDPR).

It aims to end the current era of weak self-regulation, and to force companies to actively tackle some of the internet’s more harmful aspects. It includes rules to ensure that major platforms:

• delete illegal content rapidly
• make it easier for users to report such content
• provide new rights for users to challenge moderation decisions that remove their posts or block their accounts.  

The DSA primarily applies to intermediaries and platforms, for example online marketplaces, social networks, content-sharing platforms, app stores, and online travel and accommodation platforms. It applies now to a group of Very Large Online Platforms (VLOPs) – including Amazon, Apple, Facebook, Google, Instagram, LinkedIn, Pinterest, Snapchat, TikTok, Twitter, Wikipedia, and YouTube – and two Very Large Search Engines (Google and Bing), but next year it will apply more widely to a variety of online companies operating in the EU.

A major theme of the new law is transparency. Platforms must provide clear information about how the algorithms they use work. They will also be required to produce annual reports detailing their moderation activity. The largest platforms must assess how their products and services, including their algorithms, may be harming society, and come up with preventative measures. As part of the DSA drive for transparency, platforms’ data must be shared with independent auditors and with researchers, including those at a new European Centre for Algorithmic Transparency, recently set up in Seville, Spain.

One of the most interesting aspects for privacy-conscious readers is the new requirement for systems that make recommendations to users, and those that choose which ads to display to them. New transparency requirements mean that platforms must give users a clear explanation of how material is chosen, and why individuals are targeted for certain ads. Most importantly, platforms must give their users at least one option for a recommendation system that is not based on profiling. In other words, EU-based users can finally opt out of surveillance advertising, choosing instead to be shown posts and ads based on more general criteria – for example, chronology or location. Facebook was the first of the major platforms to implement this major shift. Even before it announced all the actions that it was taking in response to the DSA, Mark Zuckerberg wrote back in July:

Today we’re launching a Feeds tab where you can see posts from your friends, groups, Pages and more separately in chronological order. The app will still open to a personalized feed on the Home tab, where our discovery engine will recommend the content we think you’ll care most about. But the Feeds tab will give you a way to customize and control your experience further.

A few weeks before the DSA came into effect, TikTok announced that it was allowing its users to turn off “personalisation” – that is, tracking. Instead of constantly feeding videos based on previous interactions, TikTok would show “popular videos from both the places where they live and around the world.” In the same way, Snap announced that users of Snapchat will “have the ability to opt out of a personalised Discover and Spotlight content experience” and be able to limit the personalisation of ads shown.

YouTube announced that “if you have YouTube watch history off and have no significant prior watch history, features that require watch history to provide video recommendations will be disabled – like your YouTube home feed.” More recently, it listed a number of other changes that it was making in order to comply with the DSA’s requirements.

One company conspicuous by its absence from the list of those announcing changes to accommodate the DSA is X (formerly known as Twitter). Back in November, the EU Commissioner responsible for overseeing the DSA, Thierry Breton, wrote a post (on Mastodon) warning Elon Musk that 

There is still huge work ahead, as Twitter will have to implement transparent user policies, significantly reinforce content moderation and protect freedom of speech, tackle disinformation with resolve, and limit targeted advertising.

This raises the important issue of DSA enforcement. Companies that infringe on the new laws could be fined 6% of their global turnover – even higher than the 4% fine that the GDPR can impose. But just as the GDPR has imposed very few big fines, there are doubts whether the DSA will be effectively enforced. Other issues include two companies – Amazon and Zalando – fighting against their inclusion in the list of VLOPs, and human rights organizations worried that the DSA could be wielded by governments as a tool for censorship.

Against those concerns, it’s worth noting that the changes made by Facebook and YouTube to comply with the DSA, mentioned above, apply globally and not just in the EU. As with the GDPR before, it would seem that the EU’s DSA is already improving privacy rights around the world. The hope is that other regions – notably the US – will take note and bring in similar legislation.

If they do, or if all the main platforms start to apply the right to opt out of personalized advertising globally, it would be a huge win for privacy. It would mean the beginning of the end for surveillance-based advertising online, and a move to better alternatives that generate revenue for advertisers while respecting users’ privacy.

Featured image by Jai79.