The Digital Services Act is largely about setting rules for how platforms such as Facebook and Twitter deal with disinformation and illegal content, but it also takes in other aspects of protecting people’s rights when they go online. It was proposed by the European Commission at the end of 2020 alongside a separate law that would tackle anticompetitive practices in the tech industry, and both are now the subjects of intense lobbying wars between consumer and digital-rights activists on one side, and the U.S.-led tech industry on the other.

Late Wednesday, members of the European Parliament voted on amendments to the proposed DSA, effectively setting out their unified position ahead of final negotiations with the Council of the EU, which represents national governments. The results of the vote were revealed Thursday morning, and digital-rights campaigners were jubilant: If this is the text that becomes law, it will radically reshape the ad-fueled business model behind some of the biggest online services.

Blows to Big Tech

The lawmakers didn’t vote for a far-left amendment that would have outright banned targeted advertising, but they did overwhelmingly approve another amendment that would ban the likes of Facebook and Google from using sensitive data—covering everything from sexuality and political views to biometric and genetic information—when deciding which ads to show someone. The amendment would also ban the targeting of advertising at minors, based on any of their personal data (a much wider classification than sensitive data, taking in any data that can be linked to the individual).

In what would be another huge blow to Big Tech, they narrowly (329 votes to 303, with 60 abstentions) approved an amendment that would force providers to axe so-called tracking walls, instead giving people “other fair and reasonable options to access the online platform” if they refuse to consent to having their personal data used for advertising purposes.

What’s more, members of the European Parliament (MEPs) strongly backed an amendment banning the use of “dark patterns” when trying to get that consent. That means no more big, easy-to-see “I consent” buttons while their “I do not consent” counterparts are grayed out or hidden behind links—a practice that just earned Facebook/Meta and Google a combined $238 million in French fines.

The lawmakers also voted against an amendment that would have given the media—or information outlets that call themselves media—an exemption to anti-disinformation rules. They also said platforms should be “nondiscriminatory” when enforcing their content terms and conditions.

‘Beginning of the end’

“MEPs have voted to protect citizens’ rights and wishes by voting to restrict the invasive practice of surveillance advertising, signaling the beginning of the end for Big Tech’s toxic business model,” said Naomi Hirst, a senior campaigner with the human-rights NGO Global Witness, in a statement reacting to the results. “As negotiations progress, we urge legislators to hold firm and deliver on today’s promise.”

Indeed, in the run-up to an agreed text that could appear within the next few months, the law could still be significantly altered in final negotiations among the European Parliament, Council, and Commission. These “trilogue” talks take place behind closed doors, and it is often at this stage that industry lobbyists make their influence most heavily felt, through the unattributed actions of national representatives.

On the other hand, Big Tech’s name is mud in Europe right now, whether at the national or the EU level, and politicians from all sides of the political spectrum are happily bashing the sector—so there’s a good chance that this week’s amendments will appear in the final product.

“More clarity is needed on the proposals on dark patterns and successful enforcement of a ban of targeted ads for minors,” IAB Europe, the trade body representing the digital marketing and advertising sector, tweeted after the vote’s results were published.

U.S. proposal

The outcome of the DSA legislative process could prove instructive over in the U.S., where the Democrats on Tuesday introduced a bill with the straightforward title “the Banning Surveillance Advertising Act.” This is a proposal for an outright ban on targeted advertising, with some narrow exceptions. It would give enforcement powers to state attorneys general and the Federal Trade Commission, while also allowing individuals to sue tech firms for violations.

Enforcement has already proved to be a big issue in Europe with the General Data Protection Regulation (GDPR), a blockbuster privacy law that covers some of the same ground as the DSA. The GDPR has been in place for nearly four years now, but it is only in the past year that regulators have gotten round to levying serious fines.

That’s largely because many cases have to go through the under-resourced data-protection authority in Ireland, where much of Big Tech has its European headquarters. In theory, this should prove less of a problem with the DSA, because the European Commission would handle enforcement when it comes to the largest online platforms, doling out fines as high as 6% of global turnover.