We knew 2024 would be a year of implementing the many new acts that brewed in Brussels' acronym soup over the past few years. We also knew the insertion of these texts in the already complex landscape would be no small task, starting with the Digital Services Act and the Digital Markets Act.

The DSA's implementation is coming during a pivotal year of elections across many member states and at EU level in June. The European Commission opened a consultation period on draft DSA guidelines on the integrity of the electoral process and is seeking contributions until 7 March. This will be the first guidelines under Article 35 of the DSA, aiming to present very large online platforms and search engines with best practices and possible measures to mitigate systemic risks that may threaten election integrity. The draft guidelines open for feedback provide examples of:

  • Potential measures to mitigate election-related risks, for instance, if stakeholders agree with recommended best practices, if there are other effective mitigation measures, or if there is a reliable way for very large online platforms and very large online search engines to measure the effectiveness.
  • Specific mitigation measures linked to generative AI content, such as how to ensure mitigation measures of very large online providers and very large online search engines keep up with technological advancement, including deepfakes.
  • The planning of risk mitigation measures before, during or after an electoral event, for example, improvement of rapid response mechanisms to handle elections-related incidents and voluntary post-elections review to assess effectiveness of mitigation strategies.
  • Specific guidance for the European Parliament elections.

As for the DMA, the designation of gatekeepers quickly gave rise to legal challenges. On 6 Sept. 2023, TikTok's parent company ByteDance was designated as one of the first six gatekeepers under the DMA, meaning it would have six months to ensure compliance. Among others, obligations include submitting to the Commission an independently audited description of any techniques for consumer profiling, which is then communicated to the European Data Protection Board.

ByteDance contested this decision in November 2023 by bringing an action for annulment and requesting interim suspension. The latter was dismissed 9 Feb. by the order of the President of the General Court — the first judicial proclamation on application of the DMA. ByteDance asserted that immediate compliance with gatekeeper obligations would cause serious harm to its business, as highly strategic information related to its user profiling practices would be disclosed. However, the court did not identify this as a real risk of serious and irreparable harm. As a result, ByteDance is compelled to comply with the DMA, at least until the proceedings for annulment are concluded. 

Elsewhere:

  • The consultation period on the Commission's upcoming report on the application of the EU General Data Protection Regulation just closed. So far, we know the consultation period gathered the feedback from 260 stakeholders. A quarter of these came from Germany, followed by Belgium — in large part due to the numerous public policy teams and associations based in Brussels — France and Austria. Five percent of the contributions originated in the U.S. Business associations and individual citizens make for more than half of the submissions received.
  • Speaking of the GDPR, the Committee on Civil Liberties, Justice and Home Affairs this week adopted its draft report on the GDPR Procedural Regulation, reforming enforcement of cross-border cases. In a somewhat rare occurrence, however, not overwhelmingly enough to approve the mandate for trilogue negotiations. The draft report will therefore be tabled for plenary in hopes of receiving formal approval. No rush, though, as the Council is still a few weeks away from adopting its general approach. Trilogue negotiations are unlikely to start until after the summer once the new term starts.
    In parallel, the two parliamentary committees that lead on the AI Act approved the final political agreement this week. The plenary session will seal the fate of the text the week of 10 April.
  • France's data protection authority, the Commission nationale de l'informatique et des libertés, released its enforcement priorities for 2024. Unsurprisingly, the Olympics are high on that list as Paris will host the 2024 Summer Games, attracting millions of visitors and athletes. The CNIL will emphasize controls on two fronts: Some of the security measures that will be deployed and data collection practices related to ticketing.
    Other enforcement priorities this year cover collection of children's personal data and age verification on social networks and gaming platforms, e-loyalty programs and their interplay with consent and targeted advertising compliance, and the CNIL's active participation in the EDPB's coordinated enforcement action on the right to access.