Archives For Digital Services Act

Regulators around the globe are scrambling for a silver bullet to “tame” tech companies. Whether it’s the United States, the United Kingdom, Australia, South Africa, or Canada, the animating rationale behind such efforts is that firms like Google, Apple, Meta, and Amazon (GAMA) engage in undesirable market conduct that falls beyond the narrow purview of antitrust law (here and here).

To tackle these supposed ills, which range from exclusionary practices and disinformation to encroachments on privacy and democratic institutions, it is asserted that sweeping new ex ante rules must be enacted and the playing field tilted in favor of enforcement agencies, which have hitherto faced what advocates characterize as insurmountable procedural hurdles (here and here).

Amid these international calls for regulatory intervention, the EU’s Digital Markets Act (DMA) has been seen as a lodestar by advocates of more aggressive competition policy. Beyond addressing social anxieties about unchecked tech power, the DMA’s primary appeal is that it claims to strive for two goals with almost universal appeal: fairness and market contestability.

Unfortunately, the DMA is not the paragon of regulation that it is sometimes made out to be. Indeed, the law is structured less to forward any purportedly universal set of principles than to align digital platforms’ business models with an idiosyncratic and specifically European industrial policy, rooted in politics and protectionism. As explained below, it is unlikely other countries would benefit from emulating this strategy.

The DMA’s Protectionist Origins

While the DMA is today often lauded as eminently pro-competition (here and here), prior to its adoption, many leading European politicians were touting the text as a protectionist industrial-policy tool that would hinder U.S. firms to the benefit of European rivals: a far cry from the purely consumer-centric tool it is sometimes made out to be. French Minister of the Economy Bruno Le Maire, for example, acknowledged as much in 2021 when he said:

Digital giants are not just nice companies with whom we need to cooperate, they are rivals, rivals of the states that do not respect our economic rules, which must therefore be regulated… There is no political sovereignty without technological sovereignty. You cannot claim sovereignty if your 5G networks are Chinese, if your satellites are American, if your launchers are Russian and if all the products are imported from outside.

This logic dovetails neatly with the EU’s broader push for “technology sovereignty,” a strategy intended to reduce the continent’s dependence on technologies that originate abroad. The strategy already has been institutionalized at different levels of EU digital and industrial policy (see here and here). In fact, the European Parliament’s 2020 Briefing on “Digital Sovereignty for Europe” explicitly anticipates that an ex ante regulatory regime similar to the DMA would be a central piece of that puzzle. French President Emmanuel Macron summarized it well when he said:

If we want technological sovereignty, we’ll have to adapt our competition law, which has perhaps been too much focused solely on the consumer and not enough on defending European champions.

Moreover, it can be argued that the DMA was never intended to promote European companies that could seriously challenge the dominance of U.S. firms (see here at 13:40-14:20). Rather, the goal was always to redistribute rents across the supply chain away from digital platforms and toward third parties and competitors (what is referred to as “business users,” as opposed to “end users”). After all, with the arguable exception of Spotify and Booking.com, the EU has none of the former, and plenty of the latter. Indeed, as Pablo Ibañez Colomo has written:

The driver of many disputes that may superficially be seen as relating to leveraging can be more rationalised, more convincingly, as attempts to re-allocate rents away from vertically-integrated incumbents to rivals.

Alternative Digital Strategies to the DMA

While the DMA strives to use universal language and has a clear ambition to set global standards, under this veneer of objectivity lies a very particular vision of industrial policy and a certain normative understanding of how rents should be allocated across the value chain. That vision is not apt for everyone and, indeed, may not be apt for anyone (see here). Other countries can certainly look to the EU for inspiration and, admittedly, it would be ludicrous to expect them to ignore what goes on in the bloc.

When deciding whether and what sort of legislation to enact, however, other countries should ultimately seek those approaches that are appropriate to their own context. What they ought not do is reflexively copy templates made with certain goals in mind, which they might not share and which may be diametrically opposed to their own interests or values. Below are some suggestions for alternative strategies to the DMA.

Doubling Down on Sound Competition Laws

Mounting evidence suggests that tech companies increasingly consider the costs of regulatory compliance in planning their business strategy. For example, Meta is reportedly considering shutting down political advertising in Europe to avoid the hassle of complying with the EU’s upcoming rules on online campaigning. Just this week, it was revealed that Twitter may be considering pulling out of the EU because it doesn’t have the capacity to comply with the Code of Practice on Disinformation, a “voluntary” agreement that the Digital Services Act (DSA) will nevertheless make binding.

While perhaps the EU—the world’s third largest economy—can afford to impose costly and burdensome regulation on digital companies because it has considerable leverage to ensure (with some, though as we have seen, by no means absolute, certainty) that they will not desert the European market, smaller economies that are unlikely to be seen by GAMA as essential markets are playing a different game.

Not only do they have much smaller carrots to dangle, but they also disproportionately benefit from the enormous infrastructural investments and consumer benefits brought by GAMA (see, for example, here and here). In this context, the wiser strategy for smaller, ostensibly “nonessential” markets might be to court GAMA, rather than to castigate it. Instead of imposing intricate, costly, and untested regulatory obligations on digital platforms, these countries may reasonably wish to emphasize or bolster the transparency, predictability, and procedural safeguards (including credible judicial review) of their competition-law systems. After all, to regulate competition, you must first attract it.

Indeed, while competition is as important in developing markets as developed ones, developing markets are especially dependent upon competition rules that encourage investment in infrastructure to facilitate economic growth and that offer a secure environment for ongoing innovation. Particularly for relatively young, rapidly evolving industries like digital markets, attracting consistent investment and industry know-how ensures that such markets can innovate and transition into maturity (here and here).

Moreover, the case-by-case approach of competition law allows enforcers to tackle harmful behavior while capturing digital platforms’ procompetitive benefits, rather than throwing the baby out with the bathwater by imposing blanket prohibitions. As Giuseppe Colangelo has suggested, the assumption that competition laws are insufficient to tackle anticompetitive conduct in digital markets is a questionable one, given that most of the DMA’s contemplated prohibitions have also been the object of separate antitrust suits in the EU.

Careful Consideration of Costs and Unintended Consequences

DMA-style ex ante regulation is still untested. Its benefits, if any, still remain mostly theoretical. A tradeoff between, say, foreign direct investment (FDI) and ex ante regulation might make sense for some emerging markets if it was clear what was being traded, and at what cost. Alas, such regulations are still in an incipient phase.

The U.S. antitrust bills targeting a handful of companies seem unlikely to be adopted soon; the UK’s Digital Markets Unit proposal has still not been put to Parliament; and Japan and South Korea have imposed codes of conduct only in narrow areas. Even the DMA—the most comprehensive legislative attempt to “rein in” digital companies—entered into force only last October, and it will not start imposing its obligations on gatekeepers until February or March 2024, at the earliest.

At the same time, there are a range of risks and possible unintended consequences associated with the DMA, such as the privacy dangers of sideloading and interoperability mandates; worsening product quality as a result of blanket bans on self-preferencing; decreased innovation; obstruction of the rule of law; and double and even triple jeopardy because of the overlaps between the DMA and EU competition rules. 

Despite the uncertainty inherent in deploying experimental regulation in a fast-moving market, the EU has clearly decided that these risks are not sufficient to offset the DMA’s benefits (see here for a critical appraisal). But other countries should not take their word for it.

In conducting an independent examination, they may place more value on some of the DMA’s expected negative consequences, or may find their likelihood of occurring to be unacceptably high. This could be due to endogenous or highly context-dependent factors. In some cases, the tradeoff could mean too large a sacrifice of FDI, while in others, the rules could impinge on legitimate policy priorities, like national security. In either case, countries should evaluate the risks and benefits of the ex ante regulation of digital platforms themselves, and go their own way.

Conclusion

There are, of course, other good reasons why the DMA shouldn’t be so readily emulated by everyone, everywhere, all at once.

Giving enforcers wide discretionary powers to reshape digital markets and override product-design decisions might not be a good idea in countries with a poor track record of keeping corruption in check, or where enforcers lack the required know-how to do so effectively. Simple norms, backed by the rule of law, may not be sufficient to counteract these background conditions. But they also may be preferable to the broad mandates and tools envisioned by the kinds of ex ante regulatory proposals currently in vogue.

Smaller countries with limited budgets would probably also benefit more from castigating unequivocally harmful (and widespread) conduct, like cartels (the “cancers of the market economy”), bid rigging, distortive state aid, and mergers that create actual monopolies (see, for example, here and here), rather than applying experimental regulation underpinned by tenuous theories of harm and indeterminate benefits.

In the end, the DMA has been mistakenly taken to be a panacea or a blueprint for how to regulate tech, when it is neither of these two things. It is, instead, a particularistic approach that may or may not achieve its stated goals. In any case, it must be understood as an outgrowth of a certain industrial-policy strategy and a sui generis vision of how digital markets should distribute rents (spoiler alert: in the interest of European companies).

As 2023 draws to a close, we wanted to reflect on a year that saw jurisdictions around the world proposing, debating, and (occasionally) enacting digital regulations. Some of these initiatives amended existing ex-post competition laws. Others were more ambitious, contemplating entirely new regulatory regimes from the ground up.

With everything going on, it can be overwhelming even for hardcore antitrust enthusiasts to keep pace with the latest developments. If you have the high-brow interests of a scholar but the jam-packed schedule of a CEO, you have come to the right place. This post is intended to summarize who is doing what, where, and what to make of it.

Status of Tech Regulation Around the World

European Union

In the European Union—the patient zero of tech regulation—two crucial pieces of legislation passed this year: the Digital Markets Act (DMA) and the Digital Services Act (DSA).

But notably, the EU is just now—i.e., six months before the act is set to apply in full to all digital “gatekeepers”—launching a consultation on the DMA’s procedural rules (a draft is available here). Many of those procedural questions remain exceedingly fuzzy (substantive ones, too), such as the role of the advisory committee, the role of third parties in proceedings, national authorities’ access to data gathered by the Commission, and the role to be played (if any) by the European Competition Network. Further, only now is a DMA enforcement unit being created within the Commission, although it is also unclear whether it will have the staffing capacity to satisfy the tight deadlines.

Whether or not the implementing regulation ultimately resolves all of these questions, they should have been settled much sooner. But as is becoming customary in tech regulation, it seems that the political urge to “do something” has once again prevailed over careful consideration and foresight.

United Kingdom

In the United Kingdom, legislation to empower the Competition and Markets Authority’s (CMA) Digital Markets Unit (DMU) is set to be brought to Parliament this term, meaning that it may be discussed in the next two months. Of all the “pending” antitrust bills around the world, this is probably the most likely to be adopted. Although it dropped an earlier dubious proposal on mergers, there remain several significant concerns with the DMU (see here and here for previous commentary). For example, the DMU’s standard of review is surprisingly truncated, considering the expansive powers that would be bestowed on the agency. The DMU would apply the strategic market significance (SMS) tag to entire firms and not just to those operations where the firm may have market power. Moreover, the DMU proposal shows little concern for due process.

One looming question is whether the UK will learn from the EU’s example, and resolve substantive and procedural questions well ahead of imposing any obligations on SMS companies. In the end, whatever the UK does or doesn’t do will have reverberations around the globe, as many countries appear to be adopting a DMA-style designation process for gatekeepers but imposing “code of conduct” obligations inspired by the DMU.

United States

Across the pond, the major antitrust tech bills introduced in Congress have come to a standstill. Despite some 11th hour efforts by their sponsors, neither the American Innovation and Choice Online Act, nor the Open App Markets Act, nor the Journalism Competition and Preservation Act made the cut to be included in the $1.7 trillion, 4,155-page omnibus bill that will be the last vote taken by the 117th Congress. With divided power in the 118th Congress, it’s possible that the push to regulate tech might fizzle out.

What went wrong for antitrust reformers? Republicans and Democrats have always sought different things from the bills. Democrats want to “tame” big tech, hold it accountable for the proliferation of “harmful” content online, and redistribute rents toward competitors and other businesses across the supply chain (e.g., app developers, media organizations, etc.). Republicans, on the other hand, seek to limit platforms’ ability to “censor conservative views” and to punish them for supposedly having done so in the past. The difficulty of aligning these two visions has obstructed decisive movement on the bills. But, more broadly, it also goes to show that the logic for tech regulation is far from homogenous, and that wildly different aims can be pursued under the umbrella of “choice,” “contestability,” and “fairness.”

South Africa

As my colleague Dirk Auer covered yesterday, South Africa has launched a sectoral inquiry into online-intermediation platforms, which has produced a provisional report (see here for a brief overview). The provisional report identifies Apple, Google, Airbnb, Uber Eats, and South Africa’s own Takealot, among others, as “leading online platforms” and offers suggestions to make the markets in which these companies compete more “contestable.” This includes a potential ex ante regulatory regime.

But as Dirk noted, there are certain considerations that developing countries must bear in mind when contemplating ex ante regimes that developed countries do not (or, at least, not to the same extent). Most importantly, these countries are typically highly dependent on foreign investment, which might sidestep those jurisdictions that impose draconian DMA-style laws.

This could be the case with Amazon, which is planning to launch its marketplace in South Africa in February 2023 (the same month the sectoral inquiry is due). The degree and duration of Amazon’s presence might hinge on the country’s regulatory regime for online platforms. If unfavorable or exceedingly ambiguous, the new rules might prompt Amazon and other companies to relocate elsewhere. It is notable that local platform Takealot has, to date, demonstrated market dominance in South Africa, which most observers doubt that Amazon will be able to displace.

India

No one can be quite sure what is going on in India. There has been some agitation for a DMA-style ex ante regulatory regime within the Parliament of India, which is currently debating an amendment to the Competition Act that would, among other things, lower merger thresholds.

More drastically, however, a standing committee on e-commerce (where e-commerce is taken to mean all online commerce, not just retail) issued a report that recommended identifying “gatekeepers” for more stringent supervision under an ex ante regime that would, e.g., bar companies from selling goods on the platforms they own. At its core, the approach appears to assume that the DMA constitutes “best practices” in online competition law, despite the fact that the DMA’s ultimate effects and costs remain a mystery. As such, “best practices” in this area of law may not be very good at all.

Australia

The Australian Competition and Consumer Commission (ACCC) has been conducting a five-year inquiry into digital-platform services, which is due in March 2025. In its recently published fifth interim report, the ACCC recommended codes of conduct (similar to the DMU) for “designated” digital platforms. Questions surrounding the proposed regime include whether the ACCC will have to demonstrate effects; the availability of objective justifications (the latest report mentions security and privacy); and what thresholds would be used to “designate” a company (so far, turnover seems likely).

On the whole, Australia’s strategy has been to follow closely in the footsteps of the EU and the United States. Given this influence from international developments, the current freeze on U.S. tech regulation might have taken some of the wind out of the sails of similar regulatory efforts down under.

China

China appears to be playing a waiting game. On the one hand, it has ramped up antitrust enforcement under the Anti-Monopoly Law (AML). On the other, in August 2022, it introduced the first major amendment since the enactment of the AML, which included a new prohibition on the use of “technology, algorithms and platform rules” to engage in monopolistic behavior. This is clearly aimed at strengthening enforcement against digital platforms. Numerous other digital-specific regulations are also under consideration (with uncertain timelines). These include a platform-classification regime that would subject online platforms to different obligations in the areas of data protection, fair competition, and labor treatment, and a data-security regulation that would prohibit online-platform operators from taking advantage of data for unfair discriminatory practices against the platform’s users or vendors.

South Korea

Seoul was one of the first jurisdictions to pass legislation targeting app stores (see here and here). Other legislative proposals include rules on price-transparency obligations and the use of platform-generated data, as well as a proposed obligation for online news services to remunerate news publishers. With the government’s new emphasis on self-regulation as an alternative to prescriptive regulation, however, it remains unclear whether or when these laws will be adopted.

Germany

Germany recently implemented a reform to its Competition Act that allows the Bundeskartellamt to prohibit certain forms of conduct (such as self-preferencing) without the need to prove anticompetitive harm and that extends the essential-facility doctrine to cover data. The Federal Ministry for Economic Affairs and Climate Action (BMWK) is now considering further amendments that would, e.g., allow the Bundeskartellamt to impose structural remedies following a sectoral inquiry, independent of an abuse; and introduce a presumption that anticompetitive conduct has resulted in profits for the infringing company (this is relevant for the purpose of calculating fines and, especially, for proving damages in private enforcement).

Canada

Earlier this year, Canada reformed its abuse-of-dominance provisions to bolster fines and introduce a private right of access to tribunals. It also recently opened a consultation on the future of competition policy, which invites input about the objectives of antitrust, the enforcement powers of the Competition Bureau, and the effectiveness of private remedies, and raises the question of whether digital markets require special rules (see this report). Although an ex-ante regime doesn’t currently appear to be in the cards, Canada’s strategy has been to wait and see how existing regulatory proposals play out in other countries.

Turkey

Turkey is considering a DMA-inspired amendment to the Competition Act that would, however, go beyond even the EU’s ex-ante regulatory regime in that it would not allow for any objective justifications or defenses.

Japan

In 2020, Japan introduced the Act on Improving Transparency and Fairness of Digital Platforms, which stipulates that designated platforms should take voluntary and proactive steps to ensure transparency and “fairness” vis-a-vis businesses. This “co-regulation” approach differs from other regulations in that it stipulates the general framework and leaves details to businesses’ voluntary efforts. Japan is now, however, also contemplating DMA-like ex-ante regulations for mobile ecosystems, voice assistants, and wearable devices.

Six Hasty Conclusions from the Even Hastier Global Wave of Tech Regulation

  • Most of these regimes are still in the making. Some have just been proposed and have a long way to go until they become law. The U.S. example shows how lack of consensus can derail even the most apparently imminent tech bill.
  • Even if every single country covered in this post were to adopt tech legislation, we have seen that the goals pursued and the obligations imposed can be wildly different and possibly contradictory. Even within a given jurisdiction, lawmakers may not agree on what the purpose of the law should be (see, e.g., the United States). And, after all, it should probably be alarming if the Chinese Communist Party and the EU had the same definition of “fairness.”
  • Should self-preferencing bans, interoperability mandates, and similar rules that target online platforms be included under the banner of antitrust? In some countries, like Turkey, rules copied and pasted from the DMA have been proposed as amendments to the national competition act. But the EU itself insists that competition law and the DMA are separate things. Which is it? At this stage, shouldn’t the first principles of digital regulation be clearer?
  • In the EU, in particular, multiple overlapping ex-ante regimes can lead to double and even triple jeopardy, especially given their proximity to antitrust law. In other words, there is a risk that the same conduct will be punished at both the national and EU level, and under the DMA and EU competition rules.
  • In light of the above, global ex-ante regulatory compliance is going to impose mind-boggling costs on targeted companies, especially considering the opacity of some provisions and the substantial differences among countries (think, e.g., of Turkey, where there is no space for objective justifications).
  • There are always complex tradeoffs to be made and sensitive considerations to keep in mind when deciding whether and how to regulate the most successful tech companies. The potential for costly errors is multiplied, however, in the case of developing countries, where there is a realistic risk of repelling “dominant” companies before they even enter the market (see South Africa).

Some of the above issues could be addressed with some foresight. That, however, seems to be sorely lacking in the race to push tech regulation through the door at any cost. As distinguished scholars like Fred Jenny have warned, caving to the political pressure of economic populism can come at the expense of competition and innovation. Let’s hope that is not the case here, there, or anywhere.

There has been a wave of legislative proposals on both sides of the Atlantic that purport to improve consumer choice and the competitiveness of digital markets. In a new working paper published by the Stanford-Vienna Transatlantic Technology Law Forum, I analyzed five such bills: the EU Digital Services Act, the EU Digital Markets Act, and U.S. bills sponsored by Rep. David Cicilline (D-R.I.), Rep. Mary Gay Scanlon (D-Pa.), Sen. Amy Klobuchar (D-Minn.) and Sen. Richard Blumenthal (D-Conn.). I concluded that all those bills would have negative and unaddressed consequences in terms of information privacy and security.

In this post, I present the main points from the working paper regarding two regulatory solutions: (1) mandating interoperability and (2) mandating device neutrality (which leads to a possibility of sideloading applications, a special case of interoperability). The full working paper also covers the risks of compulsory data access (by vetted researchers or by authorities).

Interoperability

Interoperability is increasingly presented as a potential solution to some of the alleged problems associated with digital services and with large online platforms, in particular (see, e.g., here and here). For example, interoperability might allow third-party developers to offer different “flavors” of social-media newsfeeds, with varying approaches to content ranking and moderation. This way, it might matter less than it does now what content moderation decisions Facebook or other platforms make. Facebook users could choose alternative content moderators, delivering the kind of news feed that those users expect.

The concept of interoperability is popular not only among thought leaders, but also among legislators. The DMA, as well as the U.S. bills by Rep. Scanlon, Rep. Cicilline, and Sen. Klobuchar, all include interoperability mandates.

At the most basic level, interoperability means a capacity to exchange information between computer systems. Email is an example of an interoperable standard that most of us use today. It is telling that supporters of interoperability mandates use services like email as their model examples. Email (more precisely, the SMTP protocol) originally was designed in a notoriously insecure way. It is a perfect example of the opposite of privacy by design. A good analogy for the levels of privacy and security provided by email, as originally conceived, is that of a postcard message sent without an envelope that passes through many hands before reaching the addressee. Even today, email continues to be a source of security concerns, due to its prioritization of interoperability (see, e.g., here).

Using currently available technology to provide alternative interfaces or moderation services for social-media platforms, third-party developers would have to be able to access much of the platform content that is potentially available to a user. This would include not just content produced by users who explicitly agree to share their data with third parties, but also content—e.g., posts, comments, likes—created by others who may have strong objections to such sharing. It does not require much imagination to see how, without adequate safeguards, mandating this kind of information exchange would inevitably result in something akin to the 2018 Cambridge Analytica data scandal.

There are several constraints for interoperability frameworks that must be in place to safeguard privacy and security effectively.

First, solutions should be targeted toward real users of digital services, without assuming away some common but inconvenient characteristics. In particular, solutions should not assume unrealistic levels of user interest and technical acumen.

Second, solutions must address the issue of effective enforcement. Even the best information privacy and security laws do not, in and of themselves, solve any problems. Such rules must be followed, which requires addressing the problems of procedure and enforcement. In both the EU and the United States, the current framework and practice of privacy law enforcement offers little confidence that misuses of broadly construed interoperability would be detected and prosecuted, much less that they would be prevented. This is especially true for smaller and “judgment-proof” rulebreakers, including those from foreign jurisdictions.

If the service providers are placed under a broad interoperability mandate with non-discrimination provisions (preventing effective vetting of third parties, unilateral denials of access, and so on), then the burden placed on law enforcement will be mammoth. Just one bad actor, perhaps working from Russia or North Korea, could cause immense damage by taking advantage of interoperability mandates to exfiltrate user data or to execute a hacking (e.g., phishing) campaign. Of course, such foreign bad actors would be in violation of the EU GDPR, but that is unlikely to have any practical significance.

It would not be sufficient to allow (or require) service providers to enforce merely technical filters, such as a requirement to check whether the interoperating third parties’ IP address comes from a jurisdiction with sufficient privacy protections. Working around such technical limitations does not pose a significant difficulty to motivated bad actors.

Article 6(1) of the original DMA proposal included some general interoperability provisions applicable to “gatekeepers”—i.e., the largest online platforms. Those interoperability mandates were somewhat limited, applying only to “ancillary services” (e.g., payment or identification services) or requiring only one-way data portability. However, even here, there may be some risks. For example, users may choose poorly secured identification services and thus become victims of attacks. Therefore, it is important that gatekeepers not be prevented from protecting their users adequately.

The drafts of the DMA adopted by the European Council and by the European Parliament attempt to address that, but they only allow gatekeepers to do what is “strictly necessary” (Council) or “indispensable” (Parliament). This standard may be too high and could push gatekeepers to offer lower security to avoid liability for adopting measures that would be judged by EU institutions and the courts as going beyond what is strictly necessary or indispensable.

The more recent DMA proposal from the European Parliament goes significantly beyond the original proposal, mandating full interoperability of a number of “independent interpersonal communication services” and of social-networking services. The Parliament’s proposals are good examples of overly broad and irresponsible interoperability mandates. They would cover “any providers” wanting to interconnect with gatekeepers, without adequate vetting. The safeguard proviso mentioning “high level of security and personal data protection” does not come close to addressing the seriousness of the risks created by the mandate. Instead of facing up to the risks and ensuring that the mandate itself be limited in ways that minimize them, the proposal seems just to expect that the gatekeepers can solve the problems if they only “nerd harder.”

All U.S. bills considered here introduce some interoperability mandates and none of them do so in a way that would effectively safeguard information privacy and security. For example, Rep. Cicilline’s American Choice and Innovation Online Act (ACIOA) would make it unlawful (in Section 2(b)(1)) to:

restrict or impede the capacity of a business user to access or interoperate with the same platform, operating system, hardware and software features that are available to the covered platform operator’s own products, services, or lines of business.

The language of the prohibition in Sen. Klobuchar’s American Innovation and Choice Online Act (AICOA) is similar (also in Section 2(b)(1)). Both ACIOA and AICOA allow for affirmative defenses that a service provider could use if sued under the statute. While those defenses mention privacy and security, they are narrow (“narrowly tailored, could not be achieved through a less discriminatory means, was nonpretextual, and was necessary”) and would not prevent service providers from incurring significant litigation costs. Hence, just like the provisions of the DMA, they would heavily incentivize covered service providers not to adopt the most effective protections of privacy and security.

Device Neutrality (Sideloading)

Article 6(1)(c) of the DMA contains specific provisions about “sideloading”—i.e., allowing installation of third-party software through alternative app stores other than the one provided by the manufacturer (e.g., Apple’s App Store for iOS devices). A similar express provision for sideloading is included in Sen. Blumenthal’s Open App Markets Act (Section 3(d)(2)). Moreover, the broad interoperability provisions in the other U.S. bills discussed above may also be interpreted to require permitting sideloading.

A sideloading mandate aims to give users more choice. It can only achieve this, however, by taking away the option of choosing a device with a “walled garden” approach to privacy and security (such as is taken by Apple with iOS). By taking away the choice of a walled garden environment, a sideloading mandate will effectively force users to use whatever alternative app stores are preferred by particular app developers. App developers would have a strong incentive to set up their own app stores or to move their apps to app stores with the least friction (for developers, not users), which would also mean the least privacy and security scrutiny.

This is not to say that Apple’s app scrutiny is perfect, but it is reasonable for an ordinary user to prefer Apple’s approach because it provides greater security (see, e.g., here and here). Thus, a legislative choice to override the revealed preference of millions of users for a “walled garden” approach should not be made lightly. 

Privacy and security safeguards in the DMA’s sideloading provisions, as amended by the European Council and by the European Parliament, as well as in Sen. Blumenthal’s Open App Markets Act, share the same problem of narrowness as the safeguards discussed above.

There is a more general privacy and security issue here, however, that those safeguards cannot address. The proposed sideloading mandate would prohibit outright a privacy and security-protection model that many users rationally choose today. Even with broader exemptions, this loss will be genuine. It is unclear whether taking away this choice from users is justified.

Conclusion

All the U.S. and EU legislative proposals considered here betray a policy preference of privileging uncertain and speculative competition gains at the expense of introducing a new and clear danger to information privacy and security. The proponents of these (or even stronger) legislative interventions seem much more concerned, for example, that privacy safeguards are “not abused by Apple and Google to protect their respective app store monopoly in the guise of user security” (source).

Given the problems with ensuring effective enforcement of privacy protections (especially with respect to actors coming from outside the EU, the United States, and other broadly privacy-respecting jurisdictions), the lip service paid by the legislative proposals to privacy and security is not much more than that. Policymakers should be expected to offer a much more detailed vision of concrete safeguards and mechanisms of enforcement when proposing rules that come with significant and entirely predictable privacy and security risks. Such a vision is lacking on both sides of the Atlantic.

I do not want to suggest that interoperability is undesirable. The argument of this paper was focused on legally mandated interoperability. Firms experiment with interoperability all the time—the prevalence of open APIs on the Internet is testament to this. My aim, however, is to highlight that interoperability is complex and exposes firms and their users to potentially large-scale cyber vulnerabilities.

Generalized obligations on firms to open their data, or to create service interoperability, can short-circuit the private ordering processes that seek out those forms of interoperability and sharing that pass a cost-benefit test. The result will likely be both overinclusive and underinclusive. It would be overinclusive to require all firms in the regulated class to broadly open their services and data to all interested parties, even where it wouldn’t make sense for privacy, security, or other efficiency reasons. It is underinclusive in that the broad mandate will necessarily sap regulated firms’ resources and deter them from looking for new innovative uses that might make sense, but that are outside of the broad mandate. Thus, the likely result is less security and privacy, more expense, and less innovation.

President Joe Biden named his post-COVID-19 agenda “Build Back Better,” but his proposals to prioritize support for government-run broadband service “with less pressure to turn profits” and to “reduce Internet prices for all Americans” will slow broadband deployment and leave taxpayers with an enormous bill.

Policymakers should pay particular heed to this danger, amid news that the Senate is moving forward with considering a $1.2 trillion bipartisan infrastructure package, and that the Federal Communications Commission, the U.S. Commerce Department’s National Telecommunications and Information Administration, and the U.S. Agriculture Department’s Rural Utilities Service will coordinate on spending broadband subsidy dollars.

In order to ensure that broadband subsidies lead to greater buildout and adoption, policymakers must correctly understand the state of competition in broadband and not assume that increasing the number of firms in a market will necessarily lead to better outcomes for consumers or the public.

A recent white paper published by us here at the International Center for Law & Economics makes the case that concentration is a poor predictor of competitiveness, while offering alternative policies for reaching Americans who don’t have access to high-speed Internet service.

The data show that the state of competition in broadband is generally healthy. ISPs routinely invest billions of dollars per year in building, maintaining, and upgrading their networks to be faster, more reliable, and more available to consumers. FCC data show that average speeds available to consumers, as well as the number of competitors providing higher-speed tiers, have increased each year. And prices for broadband, as measured by price-per-Mbps, have fallen precipitously, dropping 98% over the last 20 years. None of this makes sense if the facile narrative about the absence of competition were true.

In our paper, we argue that the real public policy issue for broadband isn’t curbing the pursuit of profits or adopting price controls, but making sure Americans have broadband access and encouraging adoption. In areas where it is very costly to build out broadband networks, like rural areas, there tend to be fewer firms in the market. But having only one or two ISPs available is far less of a problem than having none at all. Understanding the underlying market conditions and how subsidies can both help and hurt the availability and adoption of broadband is an important prerequisite to good policy.

The basic problem is that those who have decried the lack of competition in broadband often look at the number of ISPs in a given market to determine whether a market is competitive. But this is not how economists think of competition. Instead, economists look at competition as a dynamic process where changes in supply and demand factors are constantly pushing the market toward new equilibria.

In general, where a market is “contestable”—that is, where existing firms face potential competition from the threat of new entry—even just a single existing firm may have to act as if it faces vigorous competition. Such markets often have characteristics (e.g., price, quality, and level of innovation) similar or even identical to those with multiple existing competitors. This dynamic competition, driven by changes in technology or consumer preferences, ensures that such markets are regularly disrupted by innovative products and services—a process that does not always favor incumbents.

Proposals focused on increasing the number of firms providing broadband can actually reduce consumer welfare. Whether through overbuilding—by allowing new private entrants to free-ride on the initial investment by incumbent companies—or by going into the Internet business itself through municipal broadband, government subsidies can increase the number of firms providing broadband. But they can’t do so without costs, which include not just the cost of the subsidies themselves, which ultimately come from taxpayers, but also the reduced incentives for unsubsidized private firms to build out broadband in the first place.

If underlying supply and demand conditions in rural areas lead to a situation where only one provider can profitably exist, artificially adding another completely reliant on subsidies will likely just lead to the exit of the unsubsidized provider. Or, where a community already has municipal broadband, it is unlikely that a private ISP will want to enter and compete with a firm that doesn’t have to turn a profit.

A much better alternative for policymakers is to increase the demand for buildout through targeted user subsidies, while reducing regulatory barriers to entry that limit supply.

For instance, policymakers should consider offering connectivity vouchers to unserved households in order to stimulate broadband deployment and consumption. Current subsidy programs rely largely on subsidizing the supply side, but this requires the government to determine the who and where of entry. Connectivity vouchers would put the choice in the hands of consumers, while encouraging more buildout to areas that may currently be uneconomic to reach due to low population density or insufficient demand due to low adoption rates.

Local governments could also facilitate broadband buildout by reducing unnecessary regulatory barriers. Local building codes could adopt more connection-friendly standards. Local governments could also reduce the cost of access to existing poles and other infrastructure. Eligible Telecommunications Carrier (ETC) requirements could also be eliminated, because they deter potential providers from seeking funds for buildout (and don’t offer countervailing benefits).

Albert Einstein once said: “if I were given one hour to save the planet, I would spend 59 minutes defining the problem, and one minute resolving it.” When it comes to encouraging broadband buildout, policymakers should make sure they are solving the right problem. The problem is that the cost of building out broadband to unserved areas is too high or the demand too low—not that there are too few competitors.

Despite calls from some NGOs to mandate radical interoperability, the EU’s draft Digital Markets Act (DMA) adopted a more measured approach, requiring full interoperability only in “ancillary” services like identification or payment systems. There remains the possibility, however, that the DMA proposal will be amended to include stronger interoperability mandates, or that such amendments will be introduced in the Digital Services Act. Without the right checks and balances, this could pose grave threats to Europeans’ privacy and security.

At the most basic level, interoperability means a capacity to exchange information between computer systems. Email is an example of an interoperable standard that most of us use today. Expanded interoperability could offer promising solutions to some of today’s difficult problems. For example, it might allow third-party developers to offer different “flavors” of social media news feed, with varying approaches to content ranking and moderation (see Daphne Keller, Mike Masnick, and Stephen Wolfram for more on that idea). After all, in a pluralistic society, someone will always be unhappy with what some others consider appropriate content. Why not let smaller groups decide what they want to see? 

But to achieve that goal using currently available technology, third-party developers would have to be able to access all of a platform’s content that is potentially available to a user. This would include not just content produced by users who explicitly agree for their data to be shared with third parties, but also content—e.g., posts, comments, likes—created by others who may have strong objections to such sharing. It doesn’t require much imagination to see how, without adequate safeguards, mandating this kind of information exchange would inevitably result in something akin to the 2018 Cambridge Analytica data scandal.

It is telling that supporters of this kind of interoperability use services like email as their model examples. Email (more precisely, the SMTP protocol) originally was designed in a notoriously insecure way. It is a perfect example of the opposite of privacy by design. A good analogy for the levels of privacy and security provided by email, as originally conceived, is that of a postcard message sent without an envelope that passes through many hands before reaching the addressee. Even today, email continues to be a source of security concerns due to its prioritization of interoperability.

It also is telling that supporters of interoperability tend to point to what are small-scale platforms (e.g., Mastodon) or protocols with unacceptably poor usability for most of today’s Internet users (e.g., Usenet). When proposing solutions to potential privacy problems—e.g., that users will adequately monitor how various platforms use their data—they often assume unrealistic levels of user interest or technical acumen.

Interoperability in the DMA

The current draft of the DMA contains several provisions that broadly construe interoperability as applying only to “gatekeepers”—i.e., the largest online platforms:

  1. Mandated interoperability of “ancillary services” (Art 6(1)(f)); 
  2. Real-time data portability (Art 6(1)(h)); and
  3. Business-user access to their own and end-user data (Art 6(1)(i)). 

The first provision (Art 6(1)(f)) is meant to force gatekeepers to allow, e.g., third-party payment or identification services—for example, to allow people to create social media accounts without providing an email address, which is possible using services like “Sign in with Apple.” This kind of interoperability doesn’t pose as big of a privacy risk as mandated interoperability of “core” services (e.g., messaging on a platform like WhatsApp or Signal), partially due to a more limited scope of data that needs to be exchanged.

However, even here, there may be some risks. For example, users may choose poorly secured identification services and thus become victims of attacks. Therefore, it is important that gatekeepers not be prevented from protecting their users adequately. Of course, there are likely trade-offs between those protections and the interoperability that some want. Proponents of stronger interoperability want this provision amended to cover all “core” services, not just “ancillary” ones, which would constitute precisely the kind of radical interoperability that cannot be safely mandated today.

The other two provisions do not mandate full two-way interoperability, where a third party could both read data from a service like Facebook and modify content on that service. Instead, they provide for one-way “continuous and real-time” access to data—read-only.

The second provision (Art 6(1)(h)) mandates that gatekeepers give users effective “continuous and real-time” access to data “generated through” their activity. It’s not entirely clear whether this provision would be satisfied by, e.g., Facebook’s Graph API, but it likely would not be satisfied simply by being able to download one’s Facebook data, as that is not “continuous and real-time.”

Importantly, the proposed provision explicitly references the General Data Protection Regulation (GDPR), which suggests that—at least as regards personal data—the scope of this portability mandate is not meant to be broader than that from Article 20 GDPR. Given the GDPR reference and the qualification that it applies to data “generated through” the user’s activity, this mandate would not include data generated by other users—which is welcome, but likely will not satisfy the proponents of stronger interoperability.

The third provision from Art 6(1)(i) mandates only “continuous and real-time” data access and only as regards data “provided for or generated in the context of the use of the relevant core platform services” by business users and by “the end users engaging with the products or services provided by those business users.” This provision is also explicitly qualified with respect to personal data, which are to be shared after GDPR-like user consent and “only where directly connected with the use effectuated by the end user in respect of” the business user’s service. The provision should thus not be a tool for a new Cambridge Analytica to siphon data on users who interact with some Facebook page or app and their unwitting contacts. However, for the same reasons, it will also not be sufficient for the kinds of uses that proponents of stronger interoperability envisage.

Why can’t stronger interoperability be safely mandated today?

Let’s imagine that Art 6(1)(f) is amended to cover all “core” services, so gatekeepers like Facebook end up with a legal duty to allow third parties to read data from and write data to Facebook via APIs. This would go beyond what is currently possible using Facebook’s Graph API and, because of the legal duty to deal created by the interoperability mandate, would lack the current safety valve of Facebook cutting off access. As Cory Doctorow and Bennett Cyphers note, there are at least three categories of privacy and security risks in this situation:

1. Data sharing and mining via new APIs;

2. New opportunities for phishing and sock puppetry in a federated ecosystem; and

3. More friction for platforms trying to maintain a secure system.

Unlike some other proponents of strong interoperability, Doctorow and Cyphers are open about the scale of the risk: “[w]ithout new legal safeguards to protect the privacy of user data, this kind of interoperable ecosystem could make Cambridge Analytica-style attacks more common.”

There are bound to be attempts to misuse interoperability through clearly criminal activity. But there also are likely to be more legally ambiguous attempts that are harder to proscribe ex ante. Proposals for strong interoperability mandates need to address this kind of problem.

So, what could be done to make strong interoperability reasonably safe? Doctorow and Cyphers argue that there is a “need for better privacy law,” but don’t say whether they think the GDPR’s rules fit the bill. This may be a matter of reasonable disagreement.

What isn’t up for serious debate is that the current framework and practice of privacy enforcement offers little confidence that misuses of strong interoperability would be detected and prosecuted, much less that they would be prevented (see here and here on GDPR enforcement). This is especially true for smaller and “judgment-proof” rule-breakers, including those from outside the European Union. Addressing the problems of privacy law enforcement is a herculean task, in and of itself.

The day may come when radical interoperability will, thanks to advances in technology and/or privacy enforcement, become acceptably safe. But it would be utterly irresponsible to mandate radical interoperability in the DMA and/or DSA, and simply hope the obvious privacy and security problems will somehow be solved before the law takes force. Instituting such a mandate would likely discredit the very idea of interoperability.

The European Commission has unveiled draft legislation (the Digital Services Act, or “DSA”) that would overhaul the rules governing the online lives of its citizens. The draft rules are something of a mixed bag. While online markets present important challenges for law enforcement, the DSA would significantly increase the cost of doing business in Europe and harm the very freedoms European lawmakers seek to protect. The draft’s newly proposed “Know Your Business Customer” (KYBC) obligations, however, will enable smoother operation of the liability regimes that currently apply to online intermediaries. 

These reforms come amid a rash of headlines about election meddling, misinformation, terrorist propaganda, child pornography, and other illegal and abhorrent content spread on digital platforms. These developments have galvanized debate about online liability rules.

Existing rules, codified in the e-Commerce Directive, largely absolve “passive” intermediaries that “play a neutral, merely technical and passive role” from liability for content posted by their users so long as they remove it once notified. “Active” intermediaries have more legal exposure. This regime isn’t perfect, but it seems to have served the EU well in many ways.

With its draft regulation, the European Commission is effectively arguing that those rules fail to address the legal challenges posed by the emergence of digital platforms. As the EC’s press release puts it:

The landscape of digital services is significantly different today from 20 years ago, when the eCommerce Directive was adopted. […]  Online intermediaries […] can be used as a vehicle for disseminating illegal content, or selling illegal goods or services online. Some very large players have emerged as quasi-public spaces for information sharing and online trade. They have become systemic in nature and pose particular risks for users’ rights, information flows and public participation.

Online platforms initially hoped lawmakers would agree to some form of self-regulation, but those hopes were quickly dashed. Facebook released a white paper this spring proposing a more moderate path that would expand regulatory oversight to “ensure companies are making decisions about online speech in a way that minimizes harm but also respects the fundamental right to free expression.” The proposed regime would not impose additional liability for harmful content posted by users, a position that Facebook and other internet platforms reiterated during congressional hearings in the United States.

European lawmakers were not moved by these arguments. EU Commissioner for Internal Market and Services Thierry Breton, among other European officials, dismissed Facebook’s proposal within hours of its publication, saying:

It’s not enough. It’s too slow, it’s too low in terms of responsibility and regulation.

Against this backdrop, the draft DSA includes many far-reaching measures: transparency requirements for recommender systems, content moderation decisions, and online advertising; mandated sharing of data with authorities and researchers; and numerous compliance measures that include internal audits and regular communication with authorities. Moreover, the largest online platforms—so-called “gatekeepers”—will have to comply with a separate regulation that gives European authorities new tools to “protect competition” in digital markets (the Digital Markets Act, or “DMA”).

The upshot is that, if passed into law, the draft rules will place tremendous burdens upon online intermediaries. This would be self-defeating. 

Excessive regulation or liability would significantly increase their cost of doing business, leading to significantly smaller networks and significantly increased barriers to access for many users. Stronger liability rules would also encourage platforms to play it safe, such as by quickly de-platforming and refusing access to anyone who plausibly engaged in illegal activity. Such an outcome would harm the very freedoms European lawmakers seek to protect.

This could prove particularly troublesome for small businesses that find it harder to compete against large platforms due to rising compliance costs. In effect, the new rules will increase barriers to entry, as has already been seen with the GDPR.

In the Commission’s defense, some of the proposed reforms are more appealing. This is notably the case with the KYBC requirements, as well as the decision to leave most enforcement to member states, where service providers have their main establishments. The latter is likely to preserve regulatory competition among EU members to attract large tech firms, potentially limiting regulatory overreach.

Indeed, while the existing regime does, to some extent, curb the spread of online crime, it does little for the victims of cybercrime, who ultimately pay the price. Removing illegal content doesn’t prevent it from reappearing in the future, sometimes on the same platform. Importantly, hosts have no obligation to provide the identity of violators to authorities, or even to know their identity in the first place. The result is an endless game of “whack-a-mole”: illegal content is taken down, but immediately reappears elsewhere. This status quo enables malicious users to upload illegal content, such as that which recently led card networks to cut all ties with Pornhub.

Victims arguably need additional tools. This is what the Commission seeks to achieve with the DSA’s “traceability of traders” requirement, a form of KYBC:

Where an online platform allows consumers to conclude distance contracts with traders, it shall ensure that traders can only use its services to promote messages on or to offer products or services to consumers located in the Union if, prior to the use of its services, the online platform has obtained the following information: […]

Instead of rewriting the underlying liability regime—with the harmful unintended consequences that would likely entail—the draft DSA creates parallel rules that require platforms to better protect victims.

Under the proposed rules, intermediaries would be required to obtain the true identity of commercial clients (as opposed to consumers) and to sever ties with businesses that refuse to comply (rather than just take down their content). Such obligations would be, in effect, a version of the “Know Your Customer” regulations that exist in other industries. Banks, for example, are required to conduct due diligence to ensure scofflaws can’t use legitimate financial services to further criminal enterprises. It seems reasonable to expect analogous due diligence from the Internet firms that power so much of today’s online economy.

Obligations requiring platforms to vet their commercial relationships may seem modest, but they’re likely to enable more effective law enforcement against the actual perpetrators of online harms without diminishing platforms’ innovation and the economic opportunity they provide (and that everyone agrees is worth preserving).

There is no silver bullet. Illegal activity will never disappear entirely from the online world, just as it has declined, but not vanished, from other walks of life. But small regulatory changes that offer marginal improvements can have a substantial effect. Modest informational requirements would weed out the most blatant crimes without overly burdening online intermediaries. In short, they would make the Internet a safer place for European citizens.