Isn’t it strange that a majority of tech is built in the US, but it’s mostly the EU that decides how big tech is regulated?
That trend continued recently when the EU’s Digital Services Act and Digital Marketing Act went into effect, setting out a comprehensive set of rules requiring online companies to combat the sale of illegal goods and services, fight disinformation and hate, protect children, and deal with consumers in a fair, straightforward manner.
The law’s obligations are tilted to require more of very large platforms and search engines like Google and Facebook—in biblical fashion, to whom much has been given, much is required.
The EU isn’t kidding around. The potential fines for failure to comply with the DSA are breathtakingly large—up to 6% of a company’s global (not just EU) revenue (not profit) or a complete ban from the EU.
Google generated almost $280 billion in revenue in 2022, and a file of 6% would amount to almost $17 billion, over a quarter of their annual profits. And the fine structure for the DMA is even higher. That will get your attention.
The idea that the EU is the one regulating big US companies is nothing new. Yes, the first laws regulating the internet—the Communications Decency Act and the Digital Millennium Copyright Act—came from the US government. But the purpose of these laws was less to regulate internet companies, and more to insulate them from regulation, and foster their growth. Mission accomplished.
When it comes to actually regulating big internet companies, the US has been largely silent. A smattering of 20th century laws such as the 1973 Privacy Act and the 1986 Electronic Communications Privacy Act are still on the books, and some states such as California and Delaware have passed privacy laws to protect US consumers.
But a patchwork of inconsistent and unclear laws is a compliance nightmare for large companies, which have customers moving across all 50 states and most countries. Think about the challenges faced by Airbnb, which is often regulated differently in each town or county, everywhere in the world, where it has a host. Companies need and want one clear standard.
With a few exceptions, the only practical approach for companies is to select the most comprehensive and strict set of regulations that apply to a meaningful number of their customers, and build out an internal compliance structure that follows that law.
In this environment, the EU has stepped in, showing a willingness, and increasingly even urgency, to fill the void left by US inaction.
The first major privacy and cybersecurity law, GDPR, came out of the EU, and it has effectively governed how US global companies collect, store, and use the data of all the customers around the world, including US citizens.
Years after GDPR went into effect, the US is still “studying,” “exploring,” and “gathering input” about potential federal privacy and cybersecurity laws, effectively ceding regulation over its own companies and citizens to Europe.
Absent comprehensive legislation out of Washington, the Federal Trade Commission has recently stepped up its efforts to regulate big tech, using antitrust laws and more general laws that ban unfair and deceptive trade practices. It has run into roadblocks, however, losing court cases to block Meta’s acquisition of virtual reality startup Within, and Microsoft’s acquisition of Activision.
Expect global regulation of AI to follow the same pattern. Already, the European Parliament has passed the AI Act, the world’s first comprehensive legal framework for development and use of AI. The European Commission is expected to finish the act for a final vote by the end of the year.
In the US, federal laws governing AI are not expected for years, only hearings and voluntary blueprints and discussions and guidelines. Again, the US seems poised to cede regulation of its companies, and protection of its citizens, to the EU.
In an odd way, this EU regulation of the US makes sense. Free wheeling entrepreneurialism has always been part of the American DNA—lobbyists and corporate leaders are traditionally good at throwing sand into the gears of potential regulation. But some regulation of the technology that is changing society at such lightning speed is in all our interests, and perhaps that regulatory framework needs to come from outside of a US government structure that is increasingly paralyzed by partisanship.
Global companies know that a maze of conflicting laws from each country would grind the gears of a connected world to a halt.
One comprehensive set of laws to govern the internet, created and enforced outside the US, by an increasingly technical and sophisticated EU regulatory body that is harder for US companies to influence and control. Welcome to the 21st century.
Rob Chesnut consults on legal and ethical issues and was formerly general counsel and chief ethics officer at Airbnb. He spent more than a decade as a Justice Department prosecutor.
To contact the editors responsible for this story: