EU: Approaches to enforcement of the new digital and data-related legislation at EU level

In today's rapidly evolving digital landscape, the EU stands at the forefront of introducing comprehensive digital and data-related legislation. The EU's intentions are to balance the interests of the data economy, promote fair competition, and protect the rights of individuals. In this article, Theresa Ehlen, Philipp Roos, and John-Markus Maddaloni, from Freshfields Bruckhaus Deringer, delve into the practical implementation of the EU rules for the data and digital landscape.

The EU is one of the world's most influential regulators and is often at the forefront of creating regulations that serve as a blueprint that other jurisdictions follow; a phenomenon known as the 'Brussels effect.' For example, the General Data Protection Regulation (GDPR) has had a profound global impact, shaping not only European practices but also international standards.

In this context, to mention a few notable examples, the EU's Digital Agenda, driven by the European Commission's digital and data strategies from early 2020, led to the Digital Markets Act (DMA) and the Digital Services Act (DSA) coming into force in 2022, and the Data Act in 2024. In 2023, the trilogues regarding the Artificial Intelligence Act (the AI Act) were concluded, paving the way for the finalization of the legislative text. Additionally, sector-specific digital legislation is in the pipeline, including regulations for a European Health Data Space and Financial Data Access.

Each of these legislative measures introduces frameworks for managing data and regulating specific stakeholders. All of these laws also provide for enforcement rules.

Decentralized approach of the GDPR

The GDPR, effective from May 25, 2018, marked a significant milestone in the EU's approach to data protection. Designed to protect individual privacy while ensuring the free flow of personal data, the GDPR grants individuals in the EU control over their personal data and imposes strict rules on entities that host and process such data, regardless of their location within or outside the EU.

The GDPR established various obligations tied to its core principles, significantly increasing compliance requirements for both private and public stakeholders when processing personal data. Key requirements of the GDPR include a higher standard of consent for data processing, ensuring data accuracy, minimizing the further processing of collected data, protecting minors, and implementing Privacy by Design strategies.

Public enforcement of the GDPR falls primarily on the shoulders of national data protection authorities (DPAs) in each EU Member State. The DPAs hold the power to investigate, audit, and enforce compliance through corrective powers such as ordering the suspension of data flows. DPAs may also impose fines for GDPR non-compliance, which can be up to 4% of an organization's total worldwide annual turnover or €20 million, whichever is higher. The risk of such fines brought GDPR conformity onto the list of top compliance matters for organizations operating in the EU.

While DPAs generally operate autonomously within their respective territories, the GDPR provides for a decentralized enforcement approach, especially in cases of cross-border processing. In such instances, one DPA assumes the role of the lead DPA, determined by the (main) establishment of the relevant organization. Other DPAs can contribute to the decision-making of the lead DPA through a cooperative mechanism, under which the lead DPA considers the opinions of its counterparts before issuing a final decision. If other relevant DPAs disagree with the lead DPA, the issue must be escalated to the European Data Protection Board (EDPB), which then resolves the dispute under a detailed consistency mechanism. So far, the EDPB has adopted 11 decisions under the consistency mechanism. The EDPB also plays a crucial role in issuing guidelines, recommendations, and best practices for interpreting GDPR provisions, contributing to more uniform enforcement on specific data protection issues across the EU.

Centralized approach of the DMA

The DMA, effective as of May 2, 2023, signifies a change in EU competition law by specifically targeting 'gatekeepers' – large platforms that are assumed to exert considerable influence in the digital market through their core platform services (e.g., web browsers, online search engines, or social networking services).

A critical aspect of enforcing the DMA is the Commission's role in formally designating gatekeepers. Businesses are identified as gatekeepers based on specific criteria, including their size, user base, and impact on the market. This designation is crucial as it triggers the applicability of the DMA's obligations. These obligations include allowing end-users to uninstall pre-installed apps, ensuring the interoperability of messaging services, and granting business users access to certain data. In September 2023, the Commission designated six gatekeepers that provide a total of 22 core platform services.

Enforcement of the DMA relies on the Commission's central role, not only in designating gatekeepers but also in overseeing compliance and imposing penalties. This centralized approach was adopted due to the typically cross-border nature of gatekeeper activities and the DMA's objective of establishing a harmonized framework, offering legal certainty for businesses across the EU.

In instances of DMA non-compliance, the Commission has the authority to impose substantial fines on gatekeepers. Such fines may be up to 10% of annual worldwide turnover, which can increase to 20% in cases of systematic non-compliance. To impose a fine, the Commission must formally open proceedings to execute its various investigative powers, such as requesting information, carrying out interviews, or conducting inspections. If a market investigation reveals that a gatekeeper has engaged in systematic non-compliance, the Commission has the power to enforce additional remedies, such as imposing restrictions on certain acquisitions or mergers.

Dual approach of the DSA

The DSA is designed to foster a safer and more accountable digital space. It regulates digital service providers acting as intermediaries, focusing on user protection, transparency, and accountability to enhance the protection of users' fundamental rights. The scope of the DSA applies to a broad spectrum of online intermediaries, including host providers and online platforms, with specific obligations for very large online platforms (VLOPs) and very large online search engines (VLOSEs). In 2023, the Commission designated a total of 20 VLOPs and two VLOSEs.

The DSA requires regulated entities (and particularly VLOPs and VLOSEs) to implement various measures related to content moderation, advertising transparency, and systemic risk management. To enforce these measures, the DSA establishes a cooperative framework involving both the Commission and national authorities in each EU Member State. On the one hand, the general supervision of intermediaries other than VLOPs and VLOSEs is decentralized and falls under the jurisdiction of national authorities in each EU Member State. On the other hand, the Commission is centrally responsible for the specific obligations of VLOPs and VLOSEs. For general obligations, which are not specific to VLOPs and VLOSEs, the Commission shares responsibility with national authorities vis-à-vis VLOPs and VLOSEs, but with a prerogative for the Commission. On December 18, 2023, the Commission initiated its first DSA infringement proceeding against X (formerly known as 'Twitter') for suspected breaches of, among others, obligations to counter illegal content as well as disinformation and transparency obligations.

This dual approach aims to effectively regulate the typical cross-border activities of VLOPs and VLOSEs, while maintaining national competence for other intermediaries operating in individual markets within the EU. The enforcement tools for the Commission and national authorities may thereby differ. On the one hand, the Commission is granted tools in the DSA regarding VLOPs and VLOSEs such as the power to request information, take interviews and statements, or issue fines up to 6% of their annual global turnover. On the other hand, EU Member States are empowered to establish their own penalty frameworks for other intermediaries which must be effective, proportionate, and dissuasive and also need to provide for the power to levy fines of up to 6% of the intermediary's annual global turnover.

To ensure a consistent application of the DSA for intermediaries under national jurisdiction, the DSA outlines a framework for coordinated investigations and consistency mechanisms. Each EU Member State must designate a single authority, a Digital Services Coordinator (DSC), especially if multiple national authorities are responsible for enforcing the DSA. The DSCs across the EU are then expected to work closely with the Commission in cross-border cases. Additionally, the DSA establishes an independent advisory group comprising DSCs, known as the European Board of Digital Services (EDIB). The EDIB is expected to play a crucial role in ensuring the consistent application of the DSA and fostering effective cooperation between the DSCs and the Commission.

Challenges of the various approaches

Fragmented enforcement

Enforcement of the GDPR since 2018 has been uneven. Recent statistics from the EDPB on the fines issued by DPAs under the GDPR highlight the varying approaches of the DPAs: while some DPAs in EU Member States were quick to levy fines, even in the first year of the application of the GDPR, others opted for a more gradual approach, focusing on stakeholder communication and reserving fines for severe infringements.

Moreover, the enforcement of the GDPR against organizations with cross-border activities under the consistency and cooperation mechanisms has faced challenges. In response, the Commission proposed an update to the procedural rules of the GDPR in summer 2023, which sought to further harmonize procedural rules in cross-border cases. A main objective of these new rules is to enhance the speed of remedies for individuals and provide more legal certainty for businesses.

Given this backdrop of fragmented GDPR enforcement due to its decentralized approach, the centralized approach of the DMA and the DSA for VLOPs and VLOSEs suggests that enforcement of those laws by the Commission may be more consistent. However, challenges similar to those encountered in GDPR enforcement may arise in the context of the enforcement of the DSA by the DSCs, in particular against intermediaries not considered VLOPs or VLOSEs.

Further, some DSA implementation laws of Member States aim to make DPAs responsible for enforcing particular DSA provisions. In this context, the EDPB recently noted discrepancies in the tasks assigned to DPAs. Some DPAs expressed uncertainty about their exact responsibilities, although others considered their responsibility sufficiently clear. Further, the EDPB expressed concerns that the lack of EU harmonization could lead to legal uncertainty and inconsistencies in the application and enforcement of the DSA. Hence, the effectiveness of cross-border cooperation among national authorities, DSCs, and the Commission under the DSA remains to be seen.

Private enforcement

Alongside the rising number of fines imposed under the GDPR, private enforcement of the GDPR has emerged. Under the GDPR, individuals or non-profit organizations can lodge complaints with DPAs, potentially triggering official proceedings against businesses that may result in fines. Additionally, private actors can file (mass) claims for compensation against GDPR-regulated entities in court. Such private enforcement mechanisms can influence the compliance strategies of businesses involved in official or judicial proceedings. In the case of larger businesses, they can even have wider impacts on an entire business sector.

The DSA establishes rules that enable private enforcement in a similar manner as under the GDPR. Specifically, the DSA empowers users of intermediary services with new rights, including the ability to challenge content moderation decisions. This user-centric approach is reinforced by granting users the right to lodge complaints with the competent DSC in cases of alleged non-compliance and to seek compensation for violations of the DSA by an intermediary, potentially paving the way for mass claims similar to those seen under the GDPR.

Regarding the DMA, third parties such as business users, competitors, and end-users of core platform services have the right to inform national competition authorities or the Commission about any practice or behavior by gatekeepers that falls within the DMA's scope. While these authorities have full discretion regarding follow-up actions and are not obligated to act on such reports, the Commission can initiate non-compliance procedures and national authorities can transfer information to the Commission in response.

Although the DMA does not explicitly grant a right to compensation for users of core platform services of a gatekeeper, the Commission anticipates that users will be able to bring claims directly to national courts. This is supported by the DMA explicitly requiring cooperation between the Commission and national courts where proceedings concern the application of the DMA, which could imply that individuals will be able to bring actions for breaches of the DMA. In addition, the DMA allows for representative actions by qualified entities acting on behalf of consumers against gatekeeper infringements that harm or may harm the collective interests of consumers. Ultimately, it will primarily depend on national law who will be entitled to bring which claims. This, combined with the judicial independence of national courts in EU Member States, suggests there is potential for inconsistent private enforcement of the DMA across the EU.

Overlapping enforcement

A challenging scenario arises when an authority responsible for enforcing one law must also consider potential infringements of another law, even though enforcement of the latter falls under the jurisdiction of a different authority. This issue was highlighted in Case C-252/21 before the Court of Justice of the EU (CJEU). There, a national competition authority had attempted to enforce competition law in a matter related to the GDPR, despite DPAs being primarily responsible for the GDPR's public enforcement. The CJEU ruled, in essence, that authorities other than DPAs should, in principle, enforce the laws for which they are competent and if GDPR provisions are relevant, they should closely cooperate with the relevant DPAs. However, a national competition authority may conduct its own investigation relating to the GDPR in exceptional circumstances, especially if a DPA fails to cooperate within a reasonable time.

Such overlapping enforcement can occur under the DMA and the GDPR as well. Thus, the Commission will be obliged to cooperate not only with national competition authorities but with any relevant national authority, including DPAs. In light of this, the DMA also establishes a 'high-level group' comprising various European bodies and networks, including the EDPB, which are each responsible for consistent enforcement of different European acts. The high-level group's tasks are to provide advice on general matters of DMA implementation or enforcement and to promote consistent regulatory approaches that could prevent overlapping enforcement.  

The interplay between the DSA and GDPR may require various national and EU authorities to harmonize their enforcement actions. Specifically, the DSA's rules concerning advertising on online platforms and the online protection of minors include explicit requirements that intersect with the GDPR. To address this, some EU Member States plan to transfer the competence for enforcing these overlapping DSA rules to the DPAs. It remains to be seen whether overlaps in the enforcement of the DSA and GDPR can be avoided as a result. The EDPB has raised concerns, though, that the resources of DPAs are not increasing at the same pace as their new responsibilities and tasks, which could contribute to a lack of enforcement of the GDPR and DSA.

Conclusion

The enforcement mechanisms of the GDPR, the DMA, and the DSA present diverse strategies employed by the EU to regulate its digital and data-driven markets. The decentralized approach of the GDPR, the centralized approach of the DMA, and the dual approach of the DSA each aim to ensure that the EU market operates in a fair and transparent manner, safeguarding the rights of individuals and businesses alike.

However, the experiences of fragmented regulatory enforcement in the case of the GDPR suggest that the DSA could also face challenges of inconsistent enforcement, particularly in the context of rules for intermediaries where DSCs and other national authorities are involved. This inconsistency may not extend to the DMA or to the DSA provisions for VLOPs and VLOSEs, which are exclusively enforced by the Commission.

To mitigate overlapping enforcement in the DMA, the Commission is set to work closely with other authorities. However, such issues might be avoided for the DSA if DPAs take charge of the provisions that intersect with the GDPR and are provided with sufficient resources for their new tasks. Private enforcement, as seen under the GDPR, might also influence the enforcement of the DMA and the DSA and potentially cause fragmentation.

As the Commission's data and digital strategies continue to evolve, new regulations such as the Data Act, forthcoming regulations such as the AI Act, and sector-specific regulations in health and finance are expected to introduce enforcement styles that should be similar to, or distinct from, existing approaches. It remains to be seen whether these upcoming digital and data-related laws will result in similar patterns of fragmented, private, and/or overlapping enforcement, or even introduce new, unforeseen challenges.

The expanding landscape of EU digital and data legislation will bring more authorities and regulatory frameworks into play. Consequently, businesses must carefully consider the impacts of these enforcement challenges in their compliance strategies.

Theresa Ehlen Partner
Philipp Roos Principal Associate
John-Markus Maddaloni Trainee Lawyer
Freshfields Bruckhaus Deringer, Dusseldorf