Will the EU's Sweeping Regulations Make Big Tech Platforms Safer?

When Apple recently announced the launch of its iPhone 16 series, it touted the device's new AI features as a main selling point. This latest generation of iPhones boasts the ability to help people with a range of tasks, including transcribing phone calls, rephrasing text messages, and generating images.

But not everyone will have access to the iPhone's latest bells and whistles. Apple also announced that the features would not be launched in the European Union in the foreseeable future. Differences in tech regulations and privacy expectations mean that the same product—in this case, the iPhone—can have different capabilities based on a country's regulatory environment.

Apple, like other Big Tech companies, is facing increasing regulatory scrutiny in the EU. Drata examined news reports and economic analyses to see how regulations in the U.S. and the EU differ and how they're affecting consumers.

Regulators take aim at Big Tech

The Digital Markets Act, implemented in 2023, was a major regulatory change in the EU that requires platforms to be "interoperable" in order to bolster competition by preventing users from being locked into a particular tech company's ecosystem. Apple argues that these regulations place its users' privacy at risk.

The DMA boosts competition by regulating "gatekeeper" platforms—large tech companies that act as intermediaries between businesses and consumers. It aims to prevent these platforms from abusing their market power and to ensure fair competition in digital markets. In addition to Apple, the DMA also covers Alphabet (Google's parent company), Amazon, ByteDance (the creators of TikTok), Meta, and Microsoft. Other companies could be affected, too.

The DMA has already led to many changes for EU consumers, including the ability to install apps from alternatives to Apple's app stores. Currently, Apple charges developers a fee of up to 30% on purchases consumers make on the app store. If users are free to download apps from where they want, the result could be cheaper software.

Less expensive apps, more consumer autonomy and privacy, and greater market competition may seem like a win, but there are drawbacks to the regulation. Some EU Facebook and Instagram users also face a difficult choice between either paying for a subscription to use the apps or allowing the company to collect data about them to run targeted ads.

In July, however, the European Commission announced Meta (the parent company of Facebook and Instagram) was in violation of the DMA through what regulators called a "pay or consent" model in its social media apps. The Commission argues that this violates users' right to "freely consent" to the use of their personal data.

A complicated picture emerges when it comes to the rights to safety and autonomy

The DMA is not the first big piece of legislation the EU has passed to rein in tech companies. In 2018, it implemented the General Data Protection Regulation, better known as GDPR, which gave EU citizens greater control over their personal information. It also required businesses to obtain explicit consent for data collection and processing, mandated prompt disclosure of data breaches, and gave individuals the "right to be forgotten," permitting them to request deletion of their personal data under certain circumstances.

Tech companies have racked up billions of dollars worth of fines for breaches of the GDPR for a whole host of issues. Last year, Irish regulators fined Meta 1.2 billion euros for violating how it transferred the personal data of its users from the EU to the United States. Months later, Irish regulators also fined TikTok 345 million euros for violating the GDPR by having inadequate privacy controls for children. More recently, Dutch regulators fined Uber 290 million euros for not implementing enough privacy safeguards when it transferred the personal data of its drivers to the U.S.

These regulations have brought significant benefits in terms of enhanced privacy and data protection. For consumers, they've added guardrails—and inconveniences. Companies that adhere to stricter rules when handling user data, for instance, are less inclined to misuse the information or leak it to malicious hackers. But ubiquitous cookie consent pop-ups on websites and occasional geo-blocking of content for Europe-based visitors have also called into question how much regulations can and should restrict the access of individual users.

American consumers, who operate within a very different regulatory environment, are generally worried about how their data is used on the internet. According to a Pew Center survey conducted in May 2023, some 72% of American adults support more regulation of how companies can use their personal data.

In the U.S., some states have addressed the lack of federal policy with their own laws to ensure more data privacy. In 2020, the California Consumer Privacy Act went into effect, giving residents of the Golden State many of the same rights that Europeans have under the GDPR. Other states have since followed up to pass their own data privacy legislation. In April, legislators introduced the American Privacy Rights Act in both the House and the Senate, a comprehensive plan that would give consumers more control over their data and address the piecemeal state-by-state approach to data privacy.

However, the tension between the rights to privacy and freedom may play out differently in the U.S., where individual choice has long been paramount. Business leaders worry that these regulations hamper innovation. Security compliance automation is helping unlock business opportunities in the EU Both companies and regulators are still exploring what policies make the most sense for consumers. For now, at least one thing is clear: The Wild West era of tech is over.

Ready to get started on your GDPR journey? Learn more here.