2023 was a year of unprecedented change in the area of digital regulation – with platforms, search engines and other online intermediaries being designated under the Digital Markets Act and the Digital Services Act, the adoption of the Data Act and the Chips Act, and the entry into force of many other acts adopted in 2022.
The year also saw the start of many national and European investigations into digital services and ecosystems, while older investigations concluded with eye-watering fines. The threat of structural remedies in the form of divestments continues to loom over some large digital players, like Google. At the same time, various authorities are increasing the role of consumer law to tackle unfair competition, giving consumers more control and transparency in the digital environment, whether over their data, purchasing choices or redress mechanisms.
Full steam ahead
Significant developments continued in the first quarter of 2024, as regulated digital players delivered their compliance plans to the European Commission, against the backdrop of AI developments, such as the adoption of the AI Act. At the European and national level, authorities are gearing up to monitor digital markets more closely.
As a result of last year's developments, in 2024, legislatures and the legislated alike should beon the lookout for the spill-over and unintended effects of enforcement areas that were previously kept separate. The impact of initiatives billed as privacy-first, like the Data Act, should not be overlooked by competition counsel, while competition-first initiatives, like the DMA, risk polluting key privacy concepts such as consent.
In-house counsel can expect a busy 2024
The EU Digital Market Act (DMA) and the Digital Services Act (DSA), 2023's most widely publicised competition law initiatives, took full effect in 2023. This means that competition teams will need to set aside resources to deal with the DMA and DSA's impact and implement their own plans for compliance.
For their part, consumer protection teams will have two proposals to grapple with in the product and AI liability sphere, while privacy compliance teams will have their hands full with the Data Act and Data Governance Act. Information security and compliance teams will have to deal with the Cyber Resilience Act, the NIS II Directive and the Cyber Solidarity Act.
Financial institutions still have some time to comply with the Digital Operational Resilience Act, while companies active in the health sector will have to consider the effects of the Regulation on the European Health Data Space (EHDS).
Regulating artificial intelligence is high on the agenda, with political agreement reached for the Product Liability Act in December 2023 and the adoption of the early in 2024. The ePrivacy Regulation, notoriously deadlocked since 2017, remains in limbo.
Due to a remarkable overlap of lateral themes across these European data laws, such as rules on transparency, individual rights and algorithms, different teams within an organisation will face an urgent challenge to collaborate rather than focus on single regulatory domains as may have been useful in the past. In our updated guide we highlight the most notable enforcement and legislative developments up to March 2024.