In recent days, there has been a loud and largely enthusiastic response to the European Union’s final agreement of the Digital Services Act (DSA). The DSA is intended to police online content, including social media platforms and video sites. It has been presented as a victory for rights and a statement of the EU’s commitment to privacy and data protection – comparing Europe favourably with the United States. There is some truth in this view – and the EU has faced down some of the aggressive lobbying by Big Tech during the development of the Act. However, the full story of the DSA may be more complex and may present some hard lessons for Ireland in the future.
On the positive side, the DSA has some useful provisions. Now, watchdog organisations will gain access to Big Tech’s opaque and harmful algorithms. Tech firms will also have to take more care about the safety of products sold on their marketplaces. And image-based sexual abuse will be more robustly policed.
But it also tackles many big problems that should have been fixed under the existing General Data Protection Regulation (GDPR), which the EU introduced in 2016, and applied in 2018. Robust enforcement of GDPR should have already solved the problem of micro-targeted ads based on Cambridge Analytica-style intimate profiles. Misleading consent requests are also already unlawful. Yet, European legislators felt the need to outlaw these things again. Part of that is due to the failure of European regulators – and particularly Ireland’s Data Protection Commission – to enforce the GDPR on Big Tech firms.
Missing a trick
Oddly, the DSA refrains from addressing the most dangerous online hazard: the algorithmic recommender systems that operate behind the scenes to spread hate and confusion on Facebook and YouTube.
Illegal content and hate groups grow because Facebook and YouTube’s algorithmic recommender systems promote them. Facebook’s own studies concluded that recommender systems amplify unlawful material at enormous scale, and caused people to join groups that led them into extremism. These systems have threatened democracy elsewhere. They may do so here.
While some forms of recommender systems may be safe, it is very clear that some are not. When an algorithm is designed to probe one’s darkest instincts, and serve up a diet of poison, it should not come preinstalled, and switched on by default. The DSA could have banned these systems, or forced Big Tech to keep them off until a person switched them on. This would have instantly slowed the torrent of unlawful material and hate discussion online.
Ireland’s own goal
The GDPR gave Ireland the chance to become the key location for digital regulation, which would make us a central player in the world’s digital economy. But more than a year ago, the Irish Council for Civil Liberties warned the Government that the DPC’s failure to uphold the rights of 448 million Europeans creates strategic economic and reputational risks for Ireland.
The new DSA initially contemplated a mechanism like that in the GDPR that would give Ireland enforcement powers across the EU for all online content. This is a vast digital market, and would have added to Ireland’s pre-eminence as a location for business in the EU. Ireland would have been the super enforcer for all online content issues across the EU, solidifying Dublin’s place as the capital of Europe’s digital market. But this plan was abandoned. Instead, the European Commission has stepped in and will exclusively supervise Big Tech firms under the DSA.
While Ireland remains the lead GDPR enforcer for Big Tech, this is a lost opportunity. The EU clearly regards Ireland as having failed in its role as the primary regulator under GDPR. Promoting Dublin as a global technology hub is a cornerstone of Irish industrial strategy. This should worry the Irish Government and the Irish exchequer.
Last year, the Oireachtas Justice Committee recommended that Government launch an independent review of how to strengthen and reform the Data Protection Commission – a measure that the European Commission endorsed. It also recommended the appointment of two additional Data Protection Commissioners.
Unfortunately, while the Government is still talking about taking action, damage to Ireland has mounted, and continues to mount. The European Parliament has just signalled it wants to take the same approach with the forthcoming Artificial Intelligence Act, too. Unless Ireland shows it is serious about enforcing EU digital law, Ireland has little hope of becoming a key digital centre not only for online content, but for artificial intelligence, too.
Although the DSA is to be welcomed, the European Commission’s failure to ensure that the last big digital law – the GDPR – was enforced should give us all pause. For all the hype, the DSA may be irrelevant because without enforcement, all EU regulation is irrelevant.
Moving enforcement of “very large online platforms” to the commission does not necessarily change anything. The commission is currently failing to act to see that the GDPR is enforced by Ireland. Why should we anticipate that the commission now supervising Big Tech will solve the enforcement problem?
The DSA is like all other EU digital law: meaningless unless enforced.
Johnny Ryan is a senior fellow at the Irish Council for Civil Liberties