Just in Time for Christmas! Europe Has Rolled Out a New Data Law With GDPR-Like Impact: Data Privacy Trends

Seems like it was just yesterday that the European Economic Area (EEA), which is actually larger than the European Union (EU) implemented the General Data Protection Regulation (GDPR) in May 2018 to protect data privacy rights of European individuals.  But it’s actually been two years and seven months since GDPR became effective.  Now, the European Commission has rolled out another regulation that lawyers expect to wreak just as much havoc as GDPR did.

As reported by Legaltech® News (The EU is About to Roll Out a GDPR-Sized Data Law. Are You Ready?, written by Linda A. Thompson), the Digital Services Act (which was unveiled on December 15) is expected to reset the rules around online content moderation and to reframe the responsibility of platforms for illegal content uploaded to their websites.

It is likely to impose new risk assessment and reporting obligations on platforms like search engines, online marketplaces and social media networks, and to introduce a codification and harmonization of the existing notice-and-action mechanism that allows users to flag illegal content to such platforms.


The EU’s Digital Services Act represents just one leg of the Commission’s plan to increase regulation on large tech companies like Google, Amazon and Facebook. Its legislative companion piece, the Digital Markets Act, is aimed at ensuring that large online platforms don’t distort competition in the 27-member bloc.

Asked whether the Digital Services Act would be as controversial as the GDPR, Diletta De Cicco, an associate at the Brussels office of Steptoe & Johnson, pointed out that the European Commission received more than 3,000 comments after inviting stakeholders to comment on the proposal. For comparison, a recent consultation on a new artificial intelligence legislation garnered 1,200 comments. “So, I think it is likely to be,” she said.

Like the 2018 data law, the new proposal is expected to have an extraterritorial scope, meaning companies outside the 27-member bloc will also be caught in its net. “The moment you direct your services to the European Union, there is no real way of trying to avoid those rules,” De Cicco said.

It’s also expected to apply to an equally wide range of industries. “It’s not only the telecoms companies of course; it’s not only the social networks; it’s not only the general websites; it’s not only the press and the media,” said Benjamin Docquir, a partner at Osborne Clarke’s Brussels office and the head of its Belgian IT and IP law department. “It’s everybody.”

One core motivation behind the upcoming Digital Services Act appears to be lawmakers’ desire to ensure that users are made aware that they are being profiled by online platforms, Docquir added.

“The idea of the proposal is to go after the very companies that make profit on such a business model by forcing them to be more transparent, and to give individuals effective means to oppose or at least to move away from a given service” if users don’t agree with how their data is being used, he explained.

That means the proposal threatens the advertising-based business models of online platforms, which are often based on the collection of large amounts of user data, without users being aware of this or being able to verify how their data is used, monitored and stored. 

“Because if new rules on how users can be tracked online are included, it means that they will have to put in place a mechanism for this to happen and they did that two years ago with the GDPR already,” De Cicco said.

“So, this will mean rethinking again a model that some of them, just two years ago, already redid.”

According to De Cicco, whether or not the proposal will bring more legal certainty for large tech companies will depend on how clearly terms like “illegal content” are for instance defined. It also remains to be seen how the proposed bill will interact with other pieces of legislation targeting online platforms such as the GDPR, the upcoming ePrivacy Regulation and still-to-be-proposed legislation of artificial intelligence.

The bill will need to be approved by the European Parliament and the member states, meaning several changes will likely be made to it before a final version is adopted in 2021 or later.  So, there is still some time to prepare for it, just like there was for GDPR.  Will it force companies to make major changes once again from a data privacy compliance standpoint?  We’ll see.

So, what do you think?  Do you expect that the Digital Services Act will have a similar impact to GDPR on organizations?  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.


  1. “The bill will need to be approved by the European Parliament and the member states, meaning several changes will likely be made to it before a final version is adopted in 2021 or later.” More like 2022 or 2023. It is already being challenged, and the lobby crowd is out with knives – as are several EU member states which find it incompatible with how they regulate business. Expect it to be neutered like the GDPR was. Lawyers do not care. There will be a ton of € and $ to be made 😈

  2. Thanks, Gregory. Yes, I would expect later rather than sooner as well. As for being “neutered”, we will certainly see, but (as is almost always the case) the money to be made will often hold considerable sway.

Leave a Reply