The Evolving Landscape of European Technology Regulation: Implications for Global Business

Daniel Casares-Lauritsen
Daniel Casares-Lauritsen
March 5th, 2024

The European Union has emerged as an undeniable leader in the comprehensive regulation of the digital sphere. Its approach towards privacy, dominant tech platforms, online content moderation, and the development of artificial intelligence has the potential to influence regulatory trends across the globe. From small businesses to multinational corporations, any entity operating within the EU market or interacting with EU citizens faces a rapidly evolving set of complex requirements.

At the foundation of this regulatory shift lies the General Data Protection Regulation (GDPR). By enshrining user rights over their personal data, emphasizing informed consent, and demanding accountability from businesses, the GDPR has set a new standard for data protection.

Despite initial efforts, GDPR compliance has proven more complex than anticipated. Increased awareness among European citizens has led to a surge in complaints and regulatory investigations. The number of fines and investigations has risen steadily, indicating greater scrutiny and enforcement by authorities.

Compliance strategies have evolved from early initiatives focused on visible actions to a more mature understanding of best practices and standards. However, effective implementation of privacy compliance remains challenging for many organizations. Key issues include the lack of practical experience among staff, fragmented roles within organizations, and inadequate involvement of senior management.

Having worked with a variety of industry clients on a myriad of data privacy-related projects, including end-to-end data privacy programs, FLI has identified some of the most common pitfalls organizations face on their data privacy compliance journey under GDPR:

1. Data Protection Officers (DPOs): DPOs play a crucial role in monitoring privacy compliance, but they are often appointed from existing staff without sufficient independence, resources, or access to senior management. This lack of autonomy can be problematic, especially if detected by data protection authorities. Today, more organizations choose to appoint an external DPO over an internal candidate. This offers several advantages including objectivity, impartiality, independence, experience, and insight into best practices. FLI Local Counsel regularly takes on the external DPO role for clients in key jurisdictions in the EU, inc. Germany, Spain, Italy, Austria; and abroad, inc. China, USA, UK, Mexico, Brazil, among others.

2. Privacy Policies and Related Corporate Documentation: Many organizations have overly legalistic, lengthy, and contradictory privacy policies that fail to adequately inform data subjects, including the employees and staff. They often lack specificity regarding the purpose, method, and timing of data processing activities. This issue is further exacerbated when multinationals attempt to apply a “one-size fits all” approach by administering polices and notices in all countries where they operate without sufficient regard for the local law requirements. This also applies to EU jurisdictions, where local supervisory authorities may have more stringent compliance requirements than those listed under GDPR.

3. Record of Processing Activities (RoPA): RoPA is essential for maintaining an updated overview of data processing activities within an organization. The basic purpose of RoPA is to serve as evidence or an audit trail, giving the supervisory authority a clear picture of how your organization treats the processing of personal data and if it is in compliance with applicable privacy laws. However, many organizations lack a formalized approach to collecting such information, and as a result these records are often incomplete, outdated, and lack detailed information, making it challenging for DPOs to identify compliance issues.

4. Retention Period Schedules: Stemming from the above issue, many organizations overlook the importance of establishing clear retention period schedules for personal data. Without defined timelines for data retention, organizations risk retaining data longer than necessary, increasing exposure to privacy breaches and non-compliance with GDPR requirements. Additionally, the absence of retention period schedules complicates data management processes and makes it difficult for DPOs to ensure compliance with data protection principles such as data minimization and storage limitation.

The Digital Services Act (DSA) and the Digital Markets Act (DMA), collectively known as the "Digital Services Package," represent the European Union's efforts to establish a safer digital environment that upholds the fundamental rights of all digital service users while fostering innovation, growth, and competitiveness. Jointly the DSA and DMA aim to

  • Create a safer digital space in which the fundamental rights of all users of digital services are protected.
  • Regulate the influence of major technology firms and cultivate a fair and competitive landscape in both the European single market and on a global scale.

Digital Services Act

The DSA tackles the spread of harmful and illegal content online. Its tiered approach places escalating responsibilities on platforms based on their size and risk potential. For all users, the DSA promises greater clarity and mechanisms to challenge content moderation decisions. The regulation is essentially based on three key factors:

  1. Liability of intermediary service providers (inc. hosting providers, registries and registrars), who will be subject to new rules for the removal of illegal and harmful content.
  2. Rights of consumers, which are strengthened, in particular with regard to the transparency of product information and the protection of personal data.
  3. Competition, which will be improved, in particular, through the promotion of interoperability between digital services and the prevention of abuse of dominant position.

The DSA entered into force in November 2022, initially with partial application only to Gatekeepers, i.e. those digital platforms that play a systematic role in the market (with more than 45 million active users), including both Very Large Online Platforms (“VLOPs”) and Very Large Online Search Engines (“VLOSEs”), as designated by the European Commission pursuant to Article 33 of the DSA.

From 17 February 2024, however, the DSA began to apply to all intermediary service providers in the EU, including platforms or search engines with fewer than 45 million active users.

Digital Markets Act

The rise of seemingly unassailable tech giants has prompted the EU's DMA. The concept of "Gatekeepers" – companies that control the key points of the digital market distribution channels and which have, therefore, assumed considerable importance in the market – is central to this legislation. By prohibiting practices that give unfair competitive advantages, such as self-preferencing and restricting user choice, the DMA aims to create more contestable and innovative digital markets.

In particular, the DMA’s goal is to standardize the growth opportunities of European companies, regardless of their size, through the regulation of Gatekeepers, prohibiting certain unfair commercial practices implemented by Big Tech companies.

The DMA was legally implemented in November, 2022. The majority of its regulations became effective in May 2023, while the gatekeepers were officially appointed on September 6, 2023. These gatekeepers are required to comply with the DMA by March 6, 2024.

Perhaps the most forward-looking legislation is the EU's Artificial Intelligence Act (AI Act).

The AI Act aims to promote responsible and ethical use of AI while ensuring that health, safety, and fundamental rights of EU citizens are respected. With a commitment to upholding democracy, the rule of law, and environmental protection, the AI Act also seeks to catalyze investment and innovation in AI across Europe.

The Regulation will apply to both private and public actors inside and outside the EU as long as the AI system is placed on the Union market, or its use affects people located in the EU.

The main idea is to regulate AI based on the latter’s capacity to cause harm to society following a “risk-based” approach. Its risk-based classification system acknowledges the spectrum of potential benefits and harms embedded within AI technologies, tailoring regulatory requirements according to the potential societal harm posed by AI applications, with more stringent rules applied to "high-risk" AI. "High-risk" AI, such as that used in medical diagnosis or hiring processes, faces rigorous requirements designed to build trust in these systems. These include mitigating bias in datasets, ensuring transparency for users, and maintaining human oversight.

Despite apprehensions regarding potential innovation constraints, the overarching goal of the AI Act is to establish a framework for the ethical and responsible utilization of AI technologies.

These four regulatory pillars – GDPR, DMA, DSA, and the AI Act – demonstrate the EU's ambition to shape the future of the digital age. However, this does not mean businesses should view them in isolation. An effective privacy program must consider the data-sharing implications of the GDPR and DSA, while AI development projects need to factor in both privacy and content moderation obligations. Compliance in this environment is not a matter of simply ticking off a list of requirements. Companies must adopt a mindset of continuous adaptation, closely monitoring the evolving interpretation of regulations and their potential future expansion.

FLI’s extensive experience in privacy compliance positions us to offer holistic solutions that tackle the nuanced and interrelated challenges arising in the dynamic data privacy environment of today. We work closely with clients to guide them through the intricacies of data protection regulations, guaranteeing compliance with evolving standards while enhancing operational effectiveness. Our commitment extends beyond reactive compliance, emphasizing a robust privacy culture carefully integrated and nurtured within your business. If you would like to explore how FLI may support your organization domestically or in cross-border matters both within and outside of the EU, we invite you to get in touch with Daniel Casares-Lauritsen, FLI’s Chief Business Development Officer, at

Join 10,000 legal professionals
on our mailing list.

Expertly curated emails that will keep you up to date with the latest in the industry.

Daniel Casares-Lauritsen

Daniel Casares-Lauritsen

Daniel has significant experience in advising clients’ corporate portfolios and optimizing multi-jurisdictional legal projects. His mission is to enhance clients’ leverage in complex multi-stakeholder deals through the power of FLI’s business model. He has also supervised the development and roll-out of FLI’s LegalTech Apps/PWAs, including FlightOne and FLInstitute in order to retain counsel in various jurisdictions, as well as promoting client co-creation and corporate compliance. These elements may include, but are not limited to: M&A, Entry/Expansions/Restructurings, VC/CVC/PE/Family Offices and Wealth Management, Compliance & Investigations, FDI, Import/Export Trade Regulations, Tax, Corporate Governance, and more.

Daniel regularly provides insights on industry trends, economic and legislative opportunities and threats, as well as strategic avenues for FLI accounts in conjunction with its subject-matter experts.

Related Articles

September 6th, 2023 Greenwashing in Sustainable Finance: Navigating the Ethical Landscape

The evolving landscape of ESG considerations has attracted widespread attention in recent years, particularly in relation to the prominent subject of Sustainable Finance. However, its emergence has accentuated a concerning issue of greenwashing. The implications of greenwashing are significant as it could undermine the credibility and effectiveness of sustainable finance by potentially misleading investors who seek to support sustainable initiatives.

See more
July 5th, 2022 Guide for Evaluating Country Risk for Global Investments 2022

FLI is excited to have published its 2022 Global Guide for Evaluating Country Risk for Global Investments. As always, FLI is proud to showcase the work of its stellar in-country partners. We are pleased to see so many of them contribute to this year's edition and wish to thank them for their contributions. Targeted at corporates with foreign operations, this guide provides executives with the insights, nuances and ins and outs to navigating investment abroad. It is our aim that this guide will open doors and create opportunities.

See more
June 24th, 2021 Legal Tech Trends Driving Industry Change

While traditionally in-house legal teams are slower to adopt change, the COVID-19 pandemic has started a tech revolution, with many departments embracing new technologies to aid revenue generation. More so, in 2021, the legal industry is projected to become a global market worth $1,011B. One of the slowest sectors to go digital is now coming online, driven by more technology-friendly legal departments.

See more
Copyright © 2024 First Law International
480 Avenue Louise, B-1050 Brussels, Belgium. Privacy Policy

Get Started

Whatever your industry, connect with a member of our cross-border team today. We’ll take care of the rest.