In what looks like bad news for adtech giants like Facebook and Google, MEPs in the European Parliament have voted for tougher restrictions on how internet users' data can be combined for ad targeting purposes -- backing a series of amendments to draft legislation that's set to apply to the most powerful platforms on the web.
The Internal Market and Consumer Protection Committee (IMCO) today voted overwhelmingly to support beefed-up consent requirements on the use of personal data for ad targeting within the Digital Markets Act (DMA); and for a complete prohibition on the biggest platforms being able to process the personal data of minors for commercial purposes -- such as marketing, profiling or behaviorally targeted ads -- to be added to the draft legislation.
The original Commission proposal for the DMA was notably weak in the area of surveillance business models -- with the EU's executive targeting the package of measures at other types of digital market abuse, such as self-preferencing and unfair T&Cs for platform developers, which its central competition authority was more familiar with.
"The text says that a gatekeeper shall, 'for its own commercial purposes, and the placement of third-party advertising in its own services, refrain from combining personal data for the purpose of delivering targeted or micro-targeted advertising', except if there is a 'clear, explicit, renewed, informed consent', in line with the General Data Protection Regulation," IMCO writes in a press release. "In particular, personal data of minors shall not be processed for commercial purposes, such as direct marketing, profiling and behaviourally targeted advertising."
It's fair to say that adtech giants are masters of manipulating user consent at scale -- through the use of techniques like A/B testing and dark pattern design -- so beefed-up consent requirements (for adults) aren't likely to offer as much of a barrier against ad-targeting abuse as the committee seems to think they might.
Although if Facebook was finally forced to offer an actual opt-out of tracking ads that would still be a major win (as it doesn't currently give users any choice over being surveilled and profiled for ads).
However the stipulation that children should be totally protected from commercial stuff like profiling and behavioral ads is potentially a lot more problematic for the likes of Facebook and Google -- given the general lack of robust age assurance across the entire internet.
It suggests that if this partial prohibition makes it into EU law, adtech platforms may end up deciding it's less legally risky to turn off tracking-based ads altogether (in favor of using alternatives that don't require processing users' personal data, such as contextual targeting) versus trying to correctly age-verify their entire user base in order to firewall only minors' eyeballs from behavioral ads.
At the very least, such a ban could present big (ad)tech with a compliance headache -- and more work for their armies of in-house lawyers -- though MEPs have not proposed to torpedo their entire surveillance business model at this juncture.
In recent months a number of parliamentarians have been pushing for just that: An outright ban on tracking-based advertising period to be included, as an amendment, to another pan-EU digital regulation that's yet to be voted on by the committee (aka the Digital Services Act; DSA).
However IMCO does not look likely to go so far in amending either legislative package -- despite a call this week by the European Data Protection Board for the bloc to move toward a total ban on behavioral ads given the risks posed to citizens fundamental rights.
Digital Markets Act
The European Parliament is in the process of finalizing its negotiating mandate on one of the aforementioned digital reforms -- aka, the DMA -- which is set to apply to internet platforms that have amassed market power by occupying a so-called "gatekeeping" role as online intermediaries, typically giving them a high degree of market leverage over consumers and other digital businesses.
Critics argue this can lead to abusive behaviors that negatively impact consumers (in areas like privacy) -- while also chilling fair competition and impeding genuine innovation (including in business models).
For this subset of powerful platforms, the DMA -- which was presented as a legislative proposal at the end of last year -- will apply a list of pre-emptive "dos and don'ts" in an attempt to rebalance digital markets that have become dominated by a handful of (largely) U.S.-based giants.
EU lawmakers argue the regulation is necessary to respond to evidence that digital markets are prone to tipping and unfair practices as a result of asymmetrical dynamics such as network effects, big data and "winner takes all" investor strategies.
Under the EU's co-legislative process, once the Commission proposes legislation the European Parliament (consisting of directly elected MEPs) and the Council (the body that represents Member States' governments) must adopt their own negotiating mandates -- and then attempt to reach consensus -- meaning there's always scope for changes to the original draft, as well as a long period where lobbying pressure can be brought to bear to try to influence the final shape of the law.
The IMCO committee vote this morning will be followed by a plenary vote in the European Parliament next month to confirm MEPs' negotiating mandate -- before the baton passes to the Council next year. There trilogue negotiations, between the Parliament, Commission and Member States' governments, are slated to start under the French presidency in the first semester of 2022. Which means more jockeying, horse-trading and opportunities for corporate lobbying lie ahead. And (likely) many months before any vote to approve a final DMA text.
Still, MEPs' push to strengthen the tech giant-targeting package is notable nonetheless.
A second flagship digital update, the DSA, which will apply more broadly to digital services -- dealing with issues like illegal content and algorithmic recommendations -- is still being debated by MEPs and committee votes like IMCO's remain outstanding.
So the DMA has passed through parliamentary debate relatively quickly (versus the DSA), suggesting there's political consensus (and appetite) to rein in tech giants.
In its press release summarizing the DMA amendments, rapporteur Andreas Schwab (of the EPP and DE political grouping) made this point, loud and clear, writing: “The EU stands for competition on the merits, but we do not want bigger companies getting bigger and bigger without getting any better and at the expense of consumers and the European economy. Today, it is clear that competition rules alone cannot address all the problems we are facing with tech giants and their ability to set the rules by engaging in unfair business practices. The Digital Markets Act will rule out these practices, sending a strong signal to all consumers and businesses in the Single Market: rules are set by the co-legislators, not private companies!”
In other interesting tweaks, the committee has voted to expand the scope of the DMA -- to cover not just online intermediation services, social networks, search engines, operating systems, online advertising services, cloud computing and video-sharing services (i.e. where those platforms meet the relevant criteria to be designated “gatekeepers”) -- but also add in web browsers (hi Google Chrome!), virtual assistants (Ok Google; hey Siri!) and connected TV (hi, Android TV) too.
On gatekeeper criteria, MEPs backed an increase in the quantitative thresholds for a company to fall under scope -- to €8 billion in annual turnover in the European Economic Area; and a market capitalisation of €80 billion.
The sorts of tech giants who would qualify -- based on that turnover and market cap alone (NB: other criteria would also apply) -- include the usual suspects of Apple, Amazon, Meta (Facebook), Google, Microsoft, etc. but also -- potentially -- the European booking platform, Booking.com.
Although the raised threshold may keep another European gatekeeper, music streaming giant Spotify, out of scope.
MEPs supported the additional criteria for a platform to qualify as a gatekeeper and fall under scope of the DMA of: Namely, providing a "core platform service" in at least three EU countries; having at least 45 million monthly end users and 10,000+ business users. The committee also noted their support that these thresholds do not prevent the Commission from designating other companies as gatekeepers -- "when they meet certain conditions".
In other changes, the committee backed adding new provisions around the interoperability of services, such as for number-independent interpersonal communication services and social network services.
And -- making an intervention on so-called "killer acquisitions" -- MEPs voted for the Commission to have powers to impose “structural or behavioural remedies” where gatekeepers have engaged in systematic non-compliance.
"The approved text foresees in particular the possibility for the Commission to restrict gatekeepers from making acquisitions in areas relevant to the DMA in order to remedy or prevent further damage to the internal market. Gatekeepers would also be obliged to inform the Commission of any intended concentration," they note on that.
The committee backed a centralized enforcement role for the Commission -- while adding some clarifications around the role of national competition authorities.
Failures of enforcement have been a major bone of contention around the EU's flagship data protection regime, the GDPR, which allows for enforcement to be devolved to Member States but also for forum shopping and gaming of the system -- as a couple of EU countries have outsized concentrations of tech giants on their soil and have been critized as bottlenecks to effective GDPR enforcement.
(Only today, for example, Ireland's Data Protection Commission has been hit with a criminal complaint accusing it of procedural blackmail in an attempt to gag complainants in a way that benefits tech giants like Facebook... )
On sanctions for gatekeepers which break the DMA rules, MEPs want the Commission to impose fines of “not less than 4% and not exceeding 20%” of total worldwide turnover in the preceding financial year -- which, in the case of adtech giants Facebook's and Google's full year 2020 revenue would allow for theoretical sanctions in the $3.4 billion-$17.2 billion and $7.2 billion-$36.3 billion range, respectively.
Which would be a significant step up on the sorts of regulatory sanctions tech giants have faced to date in the EU.
Facebook has yet to face any fines under GDPR, for example -- over three years since it came into application, despite facing numerous complaints. (Although Facebook-owned WhatsApp was recently fined $267 million for transparency failures.)
While Google received an early $57 million GDPR from France before it moved users to fall under Ireland's legal jurisdiction -- where its adtech has been under formal investigation since 2019 (without any decisions/sanctions as yet).
Mountain View has also faced a number of penalties elsewhere in Europe, though -- with France again leading the charge and slapping Google with a $120 million fine for dropping tracking cookies without consent (under the EU ePrivacy Directive) last year.
Its competition watchdog has also gone after Google -- issuing a $268 million penalty this summer for adtech abuses and a $592 million sanction (also this summer) related to requirements to negotiate licensing fees with news publishers over content reuse.
It's interesting to imagine such stings as a mere amuse-bouche compared to the sanctions EU lawmakers want to be able to hand out under the DMA.