An Era of Accountability Hails on the Tech Sector with New EU Regulation

By Amitai Ziv, Tech 12

Companies have become accustomed to the EU’s Global Data Protection Regulation (GDPR), but a new European regulation that is coming into effect soon will introduce new challenges for them — and it does not seem as if enough startups understand this.

The GDPR took effect in 2018 and it had a global impact. Because it covers any company that serves European citizens, it applies to Israeli tech entrepreneurs and executives and others around the world. The broad legislation imposed a new series of privacy rules and obligations that no doubt has caused a lot of headaches for internal IT and privacy teams. And the regulations include hefty fines, providing a lot of work for lawyers.

Now that two new European laws have been enacted, tech companies have even more on their plates to deal with.The Digital Markets Act (DMA) and Digital Services Act (DSA) that went into effect last year make the GDPR look like child’s play. The DMA may prove the most dramatic for the digital playground and the future of the technology market, as it deals with those large

platforms defined as the gatekeepers of the online economy. The DSA may be less historical, but since it imposes direct obligations on medium-sized companies, it may be more relevant to Israeli stakeholders.

“The two laws are intended to replace a longstanding European directive pertaining to digital services, with the DSA acting as a ‘content-GDPR.’” explains Adv. Lior Etgar, Head of the Privacy and Information Protection Department at Erdinast, Ben Nathan, Toledano & Co. The EU’s designated website further elaborates: “The reform’s purpose is to create a playground that facilitates innovation and competition [the DMA] and provide a safe digital environment that keeps consumers protected [the DSA].”

The DSA imposes obligations on companies with more than 50 employees and annual revenues of more than EUR 10 million. In fact, companies are required to post on their website the number of their active European users by February 17. 

The DMA defines as a critical service those operators who serve as gatekeepers for online competition, including: search services, social networks, instant messaging, operating systems, browsers, and cloud hosting services. In short, all the major services we have grown accustomed to receiving from big tech companies such as Amazon, Apple, Google, Microsoft and Meta. The DMA wants to break through the closed big tech clubs.

“If you currently have an Android device and you want to use iMessage, you must purchase an iPhone,” emphasizes Noam Schwartz, Co-founder and CEO of the startup ActiveFence, which detects harmful content. “This is a problem in terms of the DMA because you cannot communicate with another operating system. And then there’s the App stores issue and alternative stores problem. The DMA is a remarkable European regulation seeking to prevent growing companies from prioritizing their product over other products.” 

Other examples Schwartz mentions include blocking Amazon’s ability to use the data it collects from vendors on its platform to promote its products and the expected incorporation of USB-C sockets on Apple iPhones. “There are many more examples, like Google Ads, permitting a client to transfer his/her data to another supplier or opening the search option to free competition,” he adds.


[Noam Schwartz, ActiveFence Co-founder and CEO. “Large companies must not prioritize their own products.” | Photo by: Eduardo Feldman, PR]

However, the conditions for applying the law are broader than the five usual big-tech suspects. A host of sizeable Israeli companies, like Wix, Lightricks, Fiverr, eToro, and Tabola, may also be subject to its terms. The provisions of the law state that the restrictions and requirements contained therein shall be imposed on B2C companies serving 45 million or more monthly users within the European Union or B2B companies serving over 10,000 businesses a year. Failure to comply with its decrees may result in hefty fines of up to 6% of global sales turnover. 

“For small companies, the DMA is actually good news. From our conversations with the market, we believe this is an opportunity because the market is opening up for innovation,” says Adv. Oshrit Aviv, founder of the compliance and regulation consulting firm Entero.

Thanks to this new law, companies seeking to develop data-based services that were previously trapped by the big platforms may now get access to them. AdTech provides a good example.

“The purpose of the law is to prevent the big firms from using their market dominance in one channel to take over another,” Aviv elaborates. “Severe restrictions have been placed to create opportunities for startups to introduce their own solutions.”


[Adv. Oshrit Aviv. “For small companies, DMA is good news.” | Photo by: Yaniv Bisam, PR]

DMA is expected to take effect as early as May 2, however, the EU is still formulating the definition of “gatekeepers,” and the enforcement itself shall be carried out in stages until fully implemented in March of 2024. Meanwhile, the DSA requires local companies to comply as early as this week.

What are the new requirements imposed by DSA?

In the near future, DMA will make the headlines, but the DSA will likely have a more significant impact on startups and more established companies. The U.S., meanwhile, is seeking to reopen debate about Section 230 of the Communications Decency Act, the same piece of legislation that allows online platforms to avoid responsibility for content posted on them. But Europe has already gone further than the U.S. and is demanding increased platform accountability.

“In the U.S., there’s Section 230, which allows digital companies to say I’m just a conduit, thus removing responsibility from themselves,” says Adv. Etgar. “The Europeans have gone in the opposite direction — they demand liability about the content. It is like a content-based GDPR.”

“DSA intends to protect users from content,” Schwartz explains. “including such contentnmatters that are allegedly illegal, like pedophilia, racism, or materials inciting terrorism, but also encompasses legal content that is potentially harmful. For example, fake news or disinformation. There are no laws against it, but lies can provoke acts of violence. Also, content matters that show children how to develop eating disorders or which promote prostitution, even in countries where it is legal.”

The DSA terms apply to companies operating in Europe, even if they are not physically located there, like Israeli companies. However, to avoid harming healthy competition, protection and exemptions from the lion’s share of legal obligations were granted to small companies that employ fewer than 50 employees and have annual revenues or a yearly balance sheet of less than EURO 10 million.

The general requirements of the DSA are numerous. For example, companies will be required to publish a transparency report explaining their content-management and content-removal

choices and offering users accessible appeal mechanisms. They will be required to establish on-the-go contacts for content removal requests for media entities and law enforcement agencies. Companies will be required to cooperate with external entities, defined as reliable commentators, and provide them special access to the platform to report problematic content.

Additional requirements would be imposed on those companies that operate marketplaces and will be subject to Know Your Business Customer (KYBC) procedures to verify the identity providers on their platform and prevent consumer fraud. One such restriction in advertising will prevent AdTech companies from collecting and using users’ standard personal data, including sexual orientation, political stance, and medical information.

These are just the most prominent examples illustrating the fact that under DSA, the name of the game is moderation. If GDPR has set privacy-by-design, DSA attempts to set Moderation-by-design.

From conversations Tech12 has had with managers, lawyers and others in the field, there is a great deal of uncertainty regarding the terms of compliance with the law, with some people complaining about ambiguous phrasing and unclear timetables. Apparently, many startups that would be required to comply with the new regulations are unaware of obligations that are moments away from taking effect.

The question of the applicability of the law is greater and more complex for larger platforms. The regulation applies to a long list of areas ranging from domain registration, internet providers and infrastructure, to hosting services and Online Platforms. This last category incorporates a long list of services, including companies providing marketplaces, price comparison engines, social networks, mapping services, shared economy services, media, video-sharing, payment services, news aggregation sites, and much more.

In fact, anyone covered by the law must post the number of active European users on their website by February 17. This enables the European regulator to know under which category of law the company operates. The complete implementation of the law is expected to take effect February 17, 2024.

[Dr. Avishai Klein. “Those who do not prepare in advance will find themselves in deep trouble” | Photo: Nimrod Glickman, PR]

DMA applies to the big platforms and DSA to almost all companies on the Internet and it tells them, “You have a responsibility for the content, even one that your users produce,”concludes Dr. Avishai Klein, Head of the Privacy Department at Barnea Jaffa Lande & Co. Law. “Both regulations carry hefty fines and extraterritorial legislation and are therefore relevant to Israeli companies.” 

Dr. Klein adds: “We are heading towards a revolution as big as the GDPR. It may take time, but those who do not prepare in advance will find themselves in deep trouble. Therefore, I suggest customers reach for an Olympic minimum: you don’t have to change the products according to each location and regulation, but you must align with the most prominent global standards and implement the principles of regulation in company solutions so that you can say, ‘I am compliant,’ and show there is a serious and global company here.”