A proposed European Union law targeted at America’s largest technology companies could force U.S. companies to make changes to carefully developed security protocols aimed at keeping their users’ data secure and private. Suggested changes could introduce cybersecurity weaknesses for U.S. government agencies, going against recommended safeguards and ultimately increasing national security risks. President Biden should use his remaining time in Europe this week to emphasize that any attempt by the European Union to unfairly single out the U.S. technology industry for strict regulation that could risk compromising users’ security is unacceptable.
In the waning weeks of the Trump administration, the European Commission announced the Digital Markets Act (DMA), which it called one of the “centerpieces of the European digital strategy.” While the DMA is still under review by EU institutions, the EU continues to doggedly defend implementation of the DMA in its current form. Case in point, the DMA rapporteur Andreas Schwab, a central figure on DMA at the EU Parliament, was quoted in the Financial Times explicitly highlighting that DMA will target five U.S. companies. He said, “Google, Apple, Amazon, Facebook and Microsoft, were the ‘biggest problems’ for EU competition policy.” In the same article, Schwab stated no European company should be included “just to please [US president Joe] Biden.”
Such comments lay bare that although the DMA’s purported goal is to ensure competition, the DMA as drafted would specifically target a narrow set of American companies large enough to meet an arbitrary threshold of size metrics. Unlike the General Data Protection Regulation (GDPR), which impacts any company that collects the data of any EU citizen, only a handful of U.S. companies fit the criteria of what the DMA calls a “gatekeeper.” With EU officials unable to identify a single EU company that would have to comply with the strict requirements mandated for gatekeepers, it is clear whom these regulations are intended to cover: American platforms that have achieved a competitive advantage within the nascent European technology market. Of note, Russian and Chinese companies are also exempted from the DMA, despite these companies being in a much stronger position than their European competitors to fill any gap caused by a U.S. “gatekeeper” being forced to change its business models to comply with the DMA. As a result, the DMA could effectively give a green light to China and Russia to further expand influence in the EU via their technology companies.
Among the list of problematic challenges with the DMA, one of the obligations that stands out is a requirement that would force gatekeepers to allow third-party software to be downloaded directly from the internet. “Side-loading” is currently prohibited by companies like Apple, given concerns about the potential vulnerabilities that could be introduced when an unvetted app is able to bypass company security and safety controls. Many parts of the U.S. government prohibit side-loading on work devices for these very reasons, with the General Services Administration (GSA) stating in its IT Security Procedural Guide that side-loading apps present “one of the greatest risks to GSA’s environment.” The Department of Homeland Security (DHS) also recommends users “avoid (and enterprises should prohibit on their devices) sideloading.”
The U.S. government is not the only entity to warn against side-loading: the EU’s own Agency for Cybersecurity (ENISA) states, “users should not sideload applications if they do not originate from a legitimate and authentic source.” As is shown after each cybersecurity breach, from petty cybercrime to the seismic effects of the SolarWinds and Colonial breaches, having an integrated security system is essential to the overall security of a technology platform. In effect, the DMA risks introducing additional vulnerabilities to systems already under near constant attack from adversaries.
Other concerning obligations would require U.S. companies to distribute proprietary information and intellectual property to EU competitors, as well as provide competitors access to “operating system, hardware or software features” used by U.S. companies. This forced sharing of sensitive company methods and information could disincentivize gatekeepers from continuing to maintain cutting-edge security standards and innovative practices. With each new advancement, they could be forced to share trade secrets with direct competitors who had no obligation to do the same. Over the long term, this could hurt the U.S.’s ability to compete with the growing technology power of China.
Despite its goal to increase competition in the EU market, the DMA would disincentivize European companies from aspiring to gatekeeper status given the heavy penalties gatekeepers face for violating any number of provisions like the ones highlighted above. As the proposal is currently written, if a company commits three violations within five years, EU policymakers can pursue “divestment” of the company in question, forbid them from certain offerings, and impose fines of up to 10 percent of the company’s worldwide annual turnover.
At a time when the U.S. economy is so heavily reliant on the strength and innovation of our technology industry, we should not stand by while the European Commission pursues policies that discriminate against U.S. technology companies. This is especially true when regulation on the table has the potential to impact the privacy and security standards of technology products and services relied upon by U.S. agencies, businesses and everyday users.
Rick Ledgett is the former deputy director of the National Security Agency and a member of the advisory board for Beacon Global Strategies, which advises U.S. technology companies.