On 27 November 2024, the European Parliament formally approved the new College of Commissioners presented by the recently re-elected Commission President, Ursula von der Leyen. The new Commission took office on 1 December 2024. The renewed institutions will now face the continuing challenge of pursuing the regulatory framework for tech and digital while promoting innovation and defending EU competitiveness. We look at what to expect in 2025.
A new European political landscape to address tech issues
As a result of the European Parliament elections held in June 2024, right wing and far-right parties have gained a significant number of seats and the new assembly is now more fragmented. In the absence of a stable majority, we can expect an impact on the decision-making process: coalitions may fluctuate on a case by case basis.
With regard to technology-related matters, the approach adopted by President Von Der Leyen in composing the Commission and assigning portfolios to Commissioners is also slightly different from the one adopted during the previous mandate. Responsibilities for tech-related topics will be distributed to a larger number of European Commissioners, than previously.
Vice-President Henna Virkkunen, responsible for “Tech Sovereignty, Security and Democracy”, is likely to play an important role in the future of tech regulation. However, other Commissioners will also contribute. These include in particular Commissioner Michael McGrath, responsible for “Democracy, Justice, and the Rule of Law”, Vice-President Stéphane Séjourné, overseeing “Prosperity and Industrial Strategy”, Commissioner Magnus Brunner, handling “Internal Affairs and Migration”; Commissioner Maria Luís Albuquerque, in charge of “Financial Services and the Savings and Investments Union” and Vice-President Teresa Ribera Rodríguez responsible for “Clean, Just and Competitive Transition”.
Given their overlapping responsibilities, the Commissioners will need to collaborate closely to align in the decision-making process.
Should we expect better clarity and simplification of EU digital regulation in 2025?
In recent years, we have seen an onslaught of legislation in the tech sector whose complexity and potential inconsistencies in both interpretation and enforcement across EU Member States, have been widely criticised.
In his report on the future of European competitiveness, which was submitted to Ursula von der Leyen on 19 September 2024, Mario Draghi, former president of the European Central Bank, states that an “excessive regulatory and administrative burden can hinder the competitiveness of EU companies compared to other blocs”. He outlines more specifically the complexity and risk of overlaps and inconsistencies in the GDPR and the AI Act. Mr Draghi says the EU should “simplify the existing EU acquis and filter new legislative proposals”. He further considers that EU policy and legislative actions should focus on areas where the EU provides “clear added value” over national or regional regulations, in compliance with the principle of subsidiarity.
Many consider that this report should be used as a roadmap for the new European Commission. It is, however, far from certain that 2025 will be the year of EU regulatory simplification.
Privacy
In the privacy area, the inconsistencies in the enforcement of the GDPR and the lack of clarity on certain issues - such as the conditions under which personal data can be used to train AI systems -have led to criticism. The anticipated developments in this area may be a source of disappointment.
The GDPR will mark its seventh anniversary in 2025 but we do not expect any significant amendments. The work initiated by the former Commission on the GDPR Enforcement Procedure Regulation is, however, expected to be carried forward by the new EU Commission. This proposed Regulation is intended to align the procedural rules applied by supervisory authorities when handling cross-border matters under GDPR. In particular, it is intended to harmonise the requirements for the admissibility of cross-border complaints and the rights of the parties that are subject to a cross-border investigation. It also reinforces cooperation between authorities in cross-border cases in order to facilitate consensus between them and limit the risks of disagreement at a later stage. It should also reduce the duration of GDPR enforcement procedures. Although the initiative aims for greater harmonisation, the scope of the Regulation is limited, and its impact may reflect that.
Adoption of the long-awaited ePrivacy Regulation (or integration of a dedicated e-Privacy section into the GDPR) does not seem to be a top priority although it remains on the European Parliament's agenda, at least until the advent of the Digital Fairness Act (see below). For now though, the use of cookies will continue to be regulated by each Member State’s transposition of the ePrivacy Directive, without a unified one-stop-shop mechanism or specific cooperation between Supervisory Authorities.
AI
In 2025, the application of the newly enacted AI Act will mark a significant regulatory milestone. Effective since 1 August 2024, the first provisions of the Act will become applicable in February 2025. The AI Act establishes a governance framework involving multiple actors at both EU and Member State level. Each Member State must designate at least one notifying authority and one market surveillance authority. In addition, each of these responsibilities can be split between several authorities. The fragmentation of responsibilities may add to the complexity of achieving compliance.
The European Commission has already introduced a proposal for an AI Liability Directive (published on 28 September 2022). This Directive aims at harmonising national liability rules to ensure that individuals seeking to obtain compensation for damages caused by AI systems can benefit from a protection that is equivalent to those claiming damages caused by non-AI systems. This initiative has been introduced because many consider existing national liability principles are not adapted to cases involving AI-related damage.
While the proposal is supported by consumer protection associations and some members of the European Parliament, it has also faced significant criticisms from the tech industry stakeholders. They fear the Directive will impose additional regulatory constraints. The reasons for adopting the Directive have also been questioned, considering that the Product Liability Directive has also recently been revised and extends the definition of the products it covers to software, including AI systems. For more predictions on AI, see here.
Digital Fairness Act
The development of the Digital Fairness Act will be another major piece of work for the new European Commission. This initiative follows the Digital Fairness Check, which assessed the adequacy of the EU’s existing regulatory framework for consumer protection ie the Unfair Commercial Practices Directive (UCPD), the Consumer Rights Directive, and the Unfair Contract Terms Directive. The Digital Fairness Check report highlighted specific gaps in the current framework.
The political objective is to address these gaps without fundamentally reshaping the existing framework. Some have concerns that the planned Regulation will overlap with existing laws, which is likely to further complicate the regulatory landscape.
The Digital Fairness Act aims to “tackle unethical techniques and commercial practices related to dark patterns, marketing by social media influencers, the addictive design of digital products and online profiling especially when consumer vulnerabilities are exploited for commercial purposes”, as outlined by President von der Leyen in her mandate letter to Commissioner Michael McGrath, who will focus on this initiative in close collaboration with Vice-President Henna Virkkunen.
Many of the practices intended to be addressed by this new initiative are already partially covered by existing legislation, including the recent Digital Services Act (DSA).
Article 25 of the DSA prohibits dark patterns, even though this is limited to online platform providers. Additionally, such practices may qualify as unfair commercial practices under the UCPD. In this respect, the European Commission’s guidance on the UCPD already includes a dedicated section explaining how dark patterns can fall under its scope.
As noted in the context of the Digital Fairness Check, the UCPD already captures the most obvious addictive designs. These designs may also fall under Article 28 of the DSA, which imposes obligations on providers of online platforms to implement "appropriate and proportionate measures" to protect minors, or under the risk assessment and mitigation requirements for Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) provided for under Article 34 of the DSA.
Certain Member States have already introduced legislation on topics to be addressed by the Digital Fairness Act. For example, France has already regulated influencer marketing, including a prohibition on the promotion of certain products and services by influencers, creating new transparency obligations, and regulating contracts between influencers and influencers’ agencies. The adoption of the Digital Fairness Act raises important questions about how it will interact with or override, these national regulations.
In practice, the Digital Fairness Act may introduce an additional layer of regulation. The potential overlap with existing EU and national legislation could result in regulatory duplication which would cause compliance difficulties and create inconsistencies in the enforcement of these rules across the European Union.
We do not expect draft legislation before 2026 but the work on the Digital Fairness Act is likely to start in 2025 with a public consultation and an impact assessment.
For more on consumer protection issues see here.
Pursuing existing workstreams and launching new regulatory proposals
2025 should see the new Commission and EU Parliament advance some of the work initiated during the previous mandate as well as starting on new workstreams.
Protection of minors
In his written responses to the European Parliament, Commissioner Magnus Brunner, responsible for Internal Affairs and Migration, stressed that there was an urgent need to finalise the Child Sexual Abuse Material (CSAM) Regulation. This draft Regulation imposes obligations on certain online service providers to detect, report, and remove child sexual abuse material on their services. The proposal, which was introduced by the EU Commission in 2022, was highly criticised. Reaching a consensus is complicated due to the delicate balance between combating child abuse and preserving user privacy.
Data protection authorities, privacy activists, and messaging service providers, have raised concerns as the Regulation would require the monitoring of conversations and file exchanges on messaging services, even those subject to end-to-end encryption, in order to proactively detect CSAM and child grooming activities. They argue that such measures create serious risks to both user privacy and security, as they may undermine end-to-end encryption and create vulnerabilities which could be used maliciously.
Some compromises have been made in the most recent version of the draft but opponents remain vocal. Even if finalising this legislation remains a top priority for the new European Commission, reaching a consensus will be challenging.
Work is also ongoing to produce guidelines for the protection of minors under the DSA, which are expected before summer 2025. These will outline how online platforms can ensure a high level of privacy, safety, and security for minors, in line with the requirements set out in the DSA. Vice-President Henna Virkkunen has said that these guidelines will also be accompanied by the introduction of a privacy-preserving age verification system, a project on which the European Commission has been working for a few months already.
E-commerce platforms
The new EU Commission will continue its work on the enforcement of legislation adopted during the previous mandate, including the Digital Markets Act (DMA) and the DSA. Vice-President Virkkunen declared that “online marketplaces were among enforcement priorities under the DSA”. The Commission is currently investigating e-commerce platforms, including the Chinese platforms Shein and Temu, and “should maintain a zero-tolerance policy for rogue traders in unsafe products and for products manufactured with forced labour”. The EU Customs Reform, initiated on 17 May 2023, will also address e-commerce platforms. The reform aims at making e-commerce platforms responsible for ensuring that customs duties and VAT are paid at purchase (whereas the current customs system puts the responsibility on end-customers and carriers).
EU Cloud and AI Development Act
As suggested by the Draghi Report, the Commission will also start working on a future EU Cloud and AI Development Act. Following Draghi’s recommendations, Vice-President Virkkunen intends to develop a single EU-wide cloud policy for public administrations and public procurement. She outlines that cloud providers currently face inconsistent regulatory requirements across Member States. At the same time, she notes that it is difficult for public authorities to identify the services that will meet their needs in terms of security and sovereignty. This legislation, following the lines of the existing EU Cybersecurity Certification Scheme for Cloud Services (EUCS), should create a “common EU-wide approach to tender specifications, a common data security framework and an EU-curated marketplace for secure and innovative cloud-based services” according to Virkkunen.
Digital Network Act
Vice-President Virkkunen has also announced her plans to prepare a Digital Network Act on the basis of the stakeholder feedback on the Commission´s White Paper of February 2024 on the future of electronic communications, and the Draghi report, “to help boost secure high-speed broadband, both fixed and wireless, supporting competitiveness and affordable quality services for consumers”. Discussions will certainly intensify regarding the proposed digital network fee. This proposed fee would require content service providers to contribute financially to their use of the European internet infrastructure.
More to come
There are clearly no plans for the European Commission to slow down with its legislative programme in the digital arena. If you're finding it hard to stay on top of it all, you can sign up to receive our updates, and you may also find our Digital Legislation Tracker and Digital and Data Regulation update useful.