By Ahissa Rice

Digital Rights and the History of Surveillance in the EU

The European Union has made significant strides in protecting digital rights by introducing of comprehensive laws, most notably the General Data Protection Regulation (GDPR) and the proposed Digital Services Act (DSA). The GDPR, which came into effect in 2018, is a far-reaching data protection law that applies to any organization processing the personal data of EU residents, regardless of the organization's location.[1] The GDPR sets out fundamental  principles and rights, such as lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability.[2]  It also grants individuals rights to access, rectify, erase, and restrict the processing of their data, as well as the right to data portability and the right to object to certain types of processing.[3] The GDPR strengthens data protection as a fundamental right and empowers individuals with control over their personal data.[4] It imposes strict obligations on data controllers and processors, requiring them to implement appropriate technical and organizational measures to ensure data security, conduct data protection impact assessments, and appoint data protection officers in certain cases.[5] The GDPR also establishes a robust enforcement and penalty system, with organizations facing fines of up to €20 million or 4% of their global annual turnover for violations.[6] The proposed Digital Services Act (DSA) aims to address the challenges posed by illegal content online and the amplification of harmful content. It seeks to consolidate various pieces of EU legislation and self-regulatory practices while harmonizing the rules applicable to digital services across the EU.[7] The DSA's primary objectives are to make large technology companies accountable for their content moderation practices and ensure the protection of users' fundamental rights.[8]

The global reach of the GDPR is evident in how major US tech companies have responded to the regulation. As noted in the chapter "Globalizing European Digital Rights through Regulatory Power," Meta chose to extend GDPR protections to its then 2.2 billion users worldwide in anticipation of the regulation's entry into force.[9] Similarly, Google updated its privacy policy globally in response to the GDPR, stating that they were taking the opportunity to make improvements for Google users around the world.[10] Apple carries out GDPR-mandated privacy impact assessments across all its products and rolls out updates required by the GDPR on its operating systems worldwide.[11] Microsoft implements the GDPR's "privacy by design" concept, designing its products at the outset to incorporate the EU's data privacy standards and thereby globalizing those standards through its inherent product features.[12] These examples illustrate the de facto Brussels Effect, where market forces and companies' business incentives alone are often sufficient to convert the EU's data privacy regulation into a global regulation.[13]

EU Digital Security and Privacy Policies

In addition to laws, the EU has introduced various policies to protect digital rights and address the challenges posed by the digital landscape. The EU's approach emphasizes fundamental rights, transparency, and user empowerment. One of the positive aspects of the DSA is the retention of conditional immunity for hosting providers and the prohibition on general monitoring, which are crucial for safeguarding digital rights.[14] The DSA also imposes wide-ranging transparency obligations on internet intermediaries, online platforms, and very large online platforms (VLOPs), requiring them to provide information on content moderation, dispute resolution, and the use of automated means for content moderation.[15] The DSA introduces due process rights for users, mandating that hosts provide a statement of reasons for their content moderation decisions and that online platforms put in place internal complaints mechanisms and participate in out-of-court dispute settlement mechanisms.[16] The DSA also encourages innovative content moderation practices through the adoption of a good samaritan provision, recognizing that content moderation is an ongoing, developing effort.[17] However, there are areas of concern and potential improvements in the EU's digital rights protection framework. The DSA's proposed notice-and-action mechanism may lead to the over-removal of content, as hosting providers may make decisions about the legality of content upon receipt of a substantiated notice of alleged illegality to avoid liability risks[18] The due diligence obligations for VLOPs under Article 26 of the DSA are also vague, leaving significant discretion to companies and the European Commission to decide how risks should be mitigated.[19] Furthermore, the DSA fails to address the business models based on behavioral advertising, which is a missed opportunity to tackle the underlying incentives that drive the amplification of harmful content.[20] The DSA also does not include provisions to ensure the unbundling of hosting from content curation, which could help promote competition and user choice in the online environment.[21]

EU Digital Security and Privacy Culture

The EU's digital rights protection framework reflects a growing culture of awareness and concern about the impact of digital technologies on individuals' rights and freedoms. The widespread collection and sharing of personal data, the challenges posed by illegal content online, and the amplification of harmful material have raised concerns about the need for comprehensive digital rights protection. The EU's response through the GDPR and the proposed DSA demonstrates a commitment to safeguarding individuals' rights in the digital age.[22] The emphasis on fundamental rights, transparency, and user empowerment sets a strong foundation for digital rights protection that could serve as a global standard. Alia Al Ghussain, Researcher and Advisor on Technology and Human Rights at Amnesty Tech, states, "EU member states and the EU Commission are primarily responsible for the monitoring and enforcement of the additional obligations that apply to Big Tech companies under the DSA. They must resist any attempts by Big Tech companies to water down implementation and enforcement efforts and insist on putting human rights at the forefront of this new digital landscape," [23] underscoring the critical role that EU member states and the Commission play in ensuring that the DSA is effectively enforced and that human rights are protected in the digital age. It also highlights the potential challenges they may face in doing so, particularly from Big Tech companies seeking to minimize the impact of the DSA on their operations.

However, the EU's digital rights protection framework also highlights the ongoing challenges and tensions in balancing competing interests, such as freedom of expression and content moderation obligations. The concentration of power among a few large platforms and the need for a more decentralized and competitive online environment are also significant concerns that require further attention. Amnesty International's analysis of the surveillance-based business model of many Big Tech companies contends that this business model is fundamentally incompatible with a range of human rights, including the rights to privacy, freedom of thought, and non-discrimination.[24] As the digital landscape continues to evolve, the EU's digital rights protection framework will require ongoing refinement and adaptation to address emerging challenges effectively. The EU's approach has potential to serve as a model for other jurisdictions, promoting a culture of respect for digital rights and encouraging the development of comprehensive legal and policy frameworks to protect individuals' rights in the digital age. According to Al Ghussain, the European Commission must address the potentially harmful design features of social media platforms to reduce the risks they pose to human rights.[25]This includes modifying recommender systems to prioritize user well-being over engagement metrics and moving away from default user profiling practices that can lead to discriminatory outcomes.

Conclusion

The EU's digital rights protection framework, anchored by the GDPR and the proposed DSA, represents a significant effort to safeguard individuals' rights in the digital age. The GDPR has significantly strengthened data protection, while the DSA aims to tackle illegal content and amplify harmful material online. Despite some areas of concern and potential improvements, the EU's approach emphasizes fundamental rights, transparency, and user empowerment, setting a solid foundation for digital rights protection that could serve as a global standard. As the digital landscape continues to evolve, ongoing refinement and adaptation will be necessary to address emerging challenges and ensure the framework remains effective in protecting digital rights in the EU. The EU's experience in developing and implementing comprehensive digital rights protection laws and policies can serve as a valuable model for other jurisdictions seeking to balance the benefits of digital technologies with the need to safeguard individuals' rights and freedoms.

Anu, Bradford. “Globalizing European Digital Rights through Regulatory Power.” In Digital Empires: The Global Battle to Regulate Technology, by Bradford Anu, 324-. Oxford Academic, 2023. https://doi-org.ezproxy.lib.vt.edu/10.1093/oso/9780197649268.003.0010.

“At a Glance: Does the EU Digital Services Act Protect Freedom of Expression?” Article 19, 2021. https://www.article19.org/resources/does-the-digital-services-act-protect-freedom-of-expression/.

“EU: Landmark Digital Services Act Must Be Robustly Enforced to Protect Human Rights.” Amnesty International, 2024. https://www.amnesty.org/en/latest/news/2024/02/eu-landmark-digital-services-act-must-be-robustly-enforced-to-protect-human-rights/.

Pírková, Eliška. “How the Digital Services Act Could Hack Big Tech’s Human Rights Problem.” Access Now, 2020. https://www.accessnow.org/eu-digital-services-act/.

“Regulation (EU) 2016/679 (General Data Protection Regulation).” Official Journal of the European Union, 2016. https://gdpr.eu/tag/gdpr/.

Wolford, Ben. “What Is GDPR, the EU’s New Data Protection Law?” GDPR.EU, 2020. https://gdpr.eu/what-is-gdpr/.

[1] Ben Wolford, “What Is GDPR, the EU’s New Data Protection Law?,” GDPR.EU, 2020, https://gdpr.eu/what-is-gdpr/.

[2] Wolford.

[3] “Regulation (EU) 2016/679 (General Data Protection Regulation),” Official Journal of the European Union, 2016, https://gdpr.eu/tag/gdpr/.

[4] Wolford, “What Is GDPR, the EU’s New Data Protection Law?”

[5] “Regulation (EU) 2016/679 (General Data Protection Regulation).”

[6] Wolford, “What Is GDPR, the EU’s New Data Protection Law?”

[7] “At a Glance: Does the EU Digital Services Act Protect Freedom of Expression?,” Article 19, 2021, https://www.article19.org/resources/does-the-digital-services-act-protect-freedom-of-expression/.

[8] Eliška Pírková, “How the Digital Services Act Could Hack Big Tech’s Human Rights Problem,” Access Now, 2020, https://www.accessnow.org/eu-digital-services-act/.

[9] Bradford Anu, “Globalizing European Digital Rights through Regulatory Power,” in Digital Empires: The Global Battle to Regulate Technology, by Bradford Anu (Oxford Academic, 2023), 324-, https://doi-org.ezproxy.lib.vt.edu/10.1093/oso/9780197649268.003.0010.

[10] Anu.

[11]Anu.

[12] Anu.

[13] Anu.

[14] “At a Glance: Does the EU Digital Services Act Protect Freedom of Expression?”

[15] “At a Glance: Does the EU Digital Services Act Protect Freedom of Expression?”

[16] “At a Glance: Does the EU Digital Services Act Protect Freedom of Expression?”

[17] “At a Glance: Does the EU Digital Services Act Protect Freedom of Expression?”

[18] “At a Glance: Does the EU Digital Services Act Protect Freedom of Expression?”

[19] “At a Glance: Does the EU Digital Services Act Protect Freedom of Expression?”

[20] “At a Glance: Does the EU Digital Services Act Protect Freedom of Expression?”

[21] “At a Glance: Does the EU Digital Services Act Protect Freedom of Expression?”

[22] “EU: Landmark Digital Services Act Must Be Robustly Enforced to Protect Human Rights,” Amnesty International, 2024, https://www.amnesty.org/en/latest/news/2024/02/eu-landmark-digital-services-act-must-be-robustly-enforced-to-protect-human-rights/.

[23] “EU: Landmark Digital Services Act Must Be Robustly Enforced to Protect Human Rights.”

[24] “EU: Landmark Digital Services Act Must Be Robustly Enforced to Protect Human Rights.”

[25] “EU: Landmark Digital Services Act Must Be Robustly Enforced to Protect Human Rights.”