Digital Rulemaker: GDPR, DSA, and the DMA

Episode Narrative

In the early 1990s, Europe stood at a crossroads. The Cold War had ended, and the continent was witnessing a dramatic shift in both political realities and economic frameworks. This transformative moment laid the groundwork for what would become the European Union, not merely as a political entity, but as a dynamic force capable of shaping the digital future. In 1991, the EU embarked on a journey marked by considerable legal and institutional transformation. This journey was crystallized with the signing of the Treaty on European Union, commonly known as the Maastricht Treaty in 1992. This treaty introduced a vision of deeper integration, not just in trade but in fundamental areas like justice and home affairs, setting the stage for a cohesive legal framework that would one day encompass digital governance.

The urgency for such integration became starkly apparent with the dawning of the digital age. By 1995, the EU adopted its first comprehensive data protection directive, known as Directive 95/46/EC, which established baseline privacy standards across member states. This was not merely a bureaucratic exercise; it was a necessary response to the rapid digitization of personal data that accompanied the Internet's burgeoning influence. The directive was a precursor to what would later emerge as more robust protections, hinting at the complex landscape of data privacy that lay ahead.

As Europe continued its evolution, 2004 marked a significant juncture with the EU’s "big bang" enlargement. In an ambitious expansion, ten new countries joined the union, seven of which were from Central and Eastern Europe. This expansion was more than geographic; it was a sweeping statement about unity and diversity. It represented a bold commitment to include nations with distinct histories and diverse cultures, all now under the jurisdiction of EU law. This further broadened the framework in which digital regulations would be shaped, a vital consideration as greater numbers of citizens engaged with emerging digital platforms.

By the time the Lisbon Treaty came into force in 2009, the EU had entered a new phase of governance. This treaty bolstered the EU’s legal personality and empowered the European Parliament, establishing a more robust legislative framework for future digital laws. The groundwork was being laid for imminent developments that would approach data governance with an urgency that mirrored the technological acceleration of the 21st century.

In 2016, the landscape shifted with the adoption of the General Data Protection Regulation, known as the GDPR. This comprehensive law replaced the earlier directive, introducing sweeping changes to data privacy that rattled the foundations of how personal information was managed. The GDPR enshrined the right to be forgotten in law, mandated breach notifications, and levied staggering fines for non-compliance — up to 4% of global turnover. It was not merely an evolution; it was a revolution, not only for Europe but for the entire world. The regulation came fully into effect on May 25, 2018, and sent ripples across the globe. Companies, big and small, scrambled to align their data practices with EU standards. By 2025, over 100,000 organizations had appointed Data Protection Officers, marking an era of heightened accountability and oversight.

Fast forward to 2020. The European Data Protection Board had stepped up its enforcement efforts, coordinating actions that resulted in fines exceeding €1 billion. Notable tech giants like Google, Amazon, and Meta found themselves on the receiving end of these penalties, signaling the bite of regulation and the EU’s unwavering commitment to enforcing digital rulemaking. This was a watershed moment that shaped not only the landscape of data governance in the EU but also reverberated throughout the global tech industry. The message was clear: digital rights were no longer an afterthought; they were central to the European identity.

The evolution did not stop with the GDPR. In 2022, the landscape further transformed with the introduction of the Digital Services Act, or DSA. This groundbreaking legislation imposed new obligations on online platforms, focusing on transparency requirements, risk assessments, and mechanisms for users to challenge content moderation decisions. It aimed to create a safer digital space, responding to a rising tide of scrutiny regarding online safety and the responsibility of tech companies to their users.

Alongside the DSA emerged the Digital Markets Act, or DMA. This act was a targeted response to concerns over monopolistic practices by "gatekeeper" platforms. It introduced rules to promote fair competition, such as prohibiting self-preferencing — a practice where dominant platforms prioritized their own services over competitors. The DMA represented a paradigm shift in EU antitrust enforcement, marking a determined effort to inject fairness into an increasingly consolidated digital sector.

As the EU catalyzed these changes, 2023 ushered in a new era of regulatory scrutiny. The European Commission began enforcing the DMA with initial investigations into major tech companies, signaling both a commitment to oversight and the potential for significant structural changes in digital markets. With each new legislative framework, the EU was crafting an intricate digital governance tapestry that resonated well beyond its borders. By 2024, a network of Digital Services Coordinators was established in each member state to oversee compliance with the DSA. This structure encapsulated a decentralized yet coherent approach to governance, one that balanced unity and local autonomy.

The complex interplay between digital rights and social governance came to a head in 2025, when the Court of Justice of the European Union delivered two landmark rulings. One case clarified the “sufficiently comparable” benefits standard for cross-border claims, while another addressed indirect discrimination regarding school assistance for disabled children. These decisions illuminated the intersections between the digital realm and the social fabric of Europe, emphasizing the need for inclusive policies in an increasingly digitized world.

What was emerging was a digital landscape that intertwined with healthcare, research, and social rights. The EU’s Clinical Trials Information System, operational by 2025, managed an impressive 7,600 clinical trials, revealing the necessity of robust digital platforms in regulatory oversight. The system was vital, especially since a significant proportion of the trials involved participants over age 64, underscoring the importance of data protection in areas critical to human health and dignity.

As we look ahead, we see the EU carving out a “geopolitical Commission” approach under the leadership of President Ursula von der Leyen. This vision embodies a more assertive role for the EU on the global stage, shaping digital standards and influencing policies well beyond its member nations. The EU's regulations have become a blueprint, navigated by countries seeking to adapt their own frameworks to address emerging digital challenges.

However, the EU's digital laws have ignited fervent debates about the balance between innovation and regulation. Startups have been tasked with adapting to an evolving maze of compliance requirements, while citizens are increasingly aware of their data rights. The present digital landscape is dotted with pop-ups and privacy notices — a testament to a society undergoing a collective awakening.

Simultaneously, the European Parliament's role in overseeing digital governance has grown, with a marked increase in scrutiny of tech CEOs and active involvement in shaping the legislation that will govern the future of the digital market. The dynamic nature of EU lawmaking is now a mirror reflecting the complexities of a rapidly evolving global landscape.

The EU’s digital rulemaking does not exist in a vacuum; it draws from historical precedents, such as the Maastricht Treaty of 1992 and the consequential enlargement of 2004. These events laid the groundwork for today’s regulatory frameworks, informing the EU’s holistic approach to digital governance. The GDPR serves as a model for data protection regulations worldwide, while the DSA and DMA influence global debates on platform regulation and competition policy.

As we continue to navigate this fast-paced digital era, discussions around the Economic and Monetary Union, the role of digital currencies, and the integration of technology in public services are ongoing. The evolution of the EU’s digital governance framework seems unending, a reflection of the multifaceted and dynamic nature of law in our contemporary world.

The journey of digital rulemaking in Europe raises pressing questions that echo through time. As we forge deeper into the digital age, how will the balance between safeguarding rights and fueling innovation evolve? Will the frameworks established today remain resilient in the face of future challenges? As the EU sets out on this uncharted path, the answers await just beyond the horizon, shrouded in the mists of an ever-changing landscape.