Can the law keep up with Big Tech?

The influence of major technology companies such as Amazon, Google (Alphabet) and Meta is hard to overestimate. They have not only reshaped our online interactions and political debate, but also fundamentally changed the economy. Their business models, often based on swapping services for data , however, rarely fit within existing legal frameworks, which predate the data economy.

The common thread, then, is that one of conflict. This friction between rapid technological innovation and slower law leads to a vicious cycle of litigation and, most recently, a tsunami of new, complex and often overlapping EU regulations (such as the DMA, DSA and AI Act). The result, ironically, is increasing legal uncertainty, not just for ‘Big Tech,’ but for any company offering or using digital services.

---

The inevitable spiral: innovation, conflict, and regulation

The interaction between technology and law follows a predictable pattern that has repeated itself constantly over the past few decades:

1. Innovation: A new technology or service is launched that challenges existing legal concepts. The rules are often too old to correctly qualify the new activity.
2. Conflict: A regulator, consumer organization or competitor starts an administrative procedure or lawsuit, arguing that the (old) law is violated .
3. Clarification: The case leads to a court ruling (often from the European Court of Justice) that stretches or clarifies the old rules. This, in turn, can prompt the legislature to create completely new rules.

However, this process leads to a plethora of complex, multi-layered regulations that undermine legal certainty. Its impact is felt in virtually every area of law.

---

Battlefield 1: Competition law - from punishing after the fact to intervening beforehand

The competition law is perhaps the clearest example of how Big Tech has overturned the law.

• The old law: Traditional EU competition law (Art. 101-102 TFEU) is a posteriori: it occurs only after abuse of a dominant position is established.
• The clash: This approach proved far too slow for the digital economy. Tech giants become dominant at lightning speed through network effects, economies of scale and vertical integration. Matters of self-promotion dragged on for years.
• The crucial cases:
  • Google Shopping: The Court of Justice confirmed that Google was abusing its dominant position in the search engine market to favor its own price comparator (Google Shopping) to the detriment of competitors. This stretched the concept of ‘abuse’ considerably.
  • Google Android: Google was fined for requiring manufacturers to pre-install Google Search and Chrome on Android devices (tying). This case also forced the Commission to use new methods (such as the SSNDQ test, looking at quality reduction rather than price increase) to define the relevant market in ‘free’ services.
  • Amazon Marketplace: The European Commission investigated Amazon's unique dual role as both a marketplace and a seller in that same marketplace. Amazon was accused of using non-public data from third-party sellers to benefit its own retail operations.
• The new law: The inadequacy of the old rules led directly to the Digital Markets Regulation (DMA). This regulation is ex ante: it imposes ‘gatekeepers’ (the very largest platforms) a list of concrete ‘dos and don'ts’ in advance, such as a ban on self-promotion.

---

Battleground 2: Liability - the end of the ‘passive’ platform

Another major bone of contention is the liability of platforms for illegal content their users upload.

• The old law: The E-Commerce Directive 2000 provided a crucial safe harbor. Providers of services such as ‘mere conduit,’ ‘caching’ and ‘hosting’ were not liable for the information they stored as long as they played a passive, technical role. Also crucial was the prohibition of a general monitoring obligation.
• The clash: The assumption that platforms are ‘passive’ proved unrealistic. They curate, recommend and actively promote content. This led to tensions.
• The crucial cases:
  • SABAM t. Scarlet/Netlog: SABAM demanded that the provider Scarlet and the platform Netlog install a filtering system to stop copyright infringements. The Court of Justice judged that such an order, preemptively and generally filtering all communications, violated the prohibition on a general monitoring duty .
  • L'Oréal t. eBay: The Court ruled that a platform such as eBay can lose its ‘safe harbor’ if it takes an active role in promoting products, giving it knowledge or control over the (illegal) data.
  • Glawischnig-Piesczek t. Facebook: The Court went a step further and held that a national court may order a platform to remove not only specific defamatory content, but also equivalent content (with essentially unaltered content), as long as it does not require an independent assessment of context .
• The new law: This confusing case law and fragmented national rules led to the Digital Services Regulation (DSA). The DSA retains the liability exemption, but attaches a comprehensive and tiered system of due diligence and transparency obligations. The larger the platform (e.g., VLOPs), the stricter the rules .

---

Battleground 3: Data protection - how case law has shaped the GDPR

Nowhere was the law more outdated than in data protection law. The Personal Data Processing Directive dates back to 1995, even before the commercial breakthrough of the Internet. The Court of Justice had to fundamentally reinterpret the principles.

• The crucial cases:
  • Google Spain: In this landmark ruling, the Court of Justice created the ‘right to be forgotten’ (or more accurately, the right to de-referencing). It ruled that a search engine operator (Google) is a ‘processor’ of personal data and can be required to remove links to outdated or irrelevant information from search results .
  • Wirtschaftsakademie & Fashion ID: The Court dramatically broadened the concept of ‘joint processing responsibility. It ruled that the administrator of a Facebook fan page (Wirtschaftsakademie) and a website owner integrating a Facebook ‘Like’ button (Fashion ID) are jointly responsible with Facebook for the collection and transfer of personal data because they help enable that data collection.
  • Google t. CNIL: The Court had to determine the territorial scope of the ‘right to be forgotten'. It ruled that de-referencing should in principle be limited to EU versions of the search engine, but left the door ajar for global application in specific cases .
• The new law: These principles created by case law were later codified and enshrined in the General Data Protection Regulation (GDPR), such as the right to data erasure in Article 17.

---

Battleground 4: Telecom, media and intellectual property

The disruption was also felt in other regulated industries.

• Telecom law: Traditional telecom legislation focused on parties who owned the infrastructure (the cables). ‘Over-the-top’ (OTT) services such as Skype and WhatsApp, which ran over the Internet, fell outside this definition. In the ‘Skype saga,’ brought by the Belgian BIPT, the Court of Justice ruled that the SkypeOut service (calling from Skype to a telephone number) was indeed an ‘electronic communications service. The Court moved away from the technical requirement of infrastructure and adopted a functional approach: the service is functionally equivalent to traditional telephony . This opened the door for the European Electronic Communications Code, which modernized the definition of communication services.
• Copyright: The rise of platforms created conflicts over copyright. In the Belgian Copiepresse t. Google-case, Google News was condemned for displaying excerpts of news articles without permission. These tensions eventually led to the much-discussed DSM Directive, which, among other things, in the infamous Article 17 requires platforms to make ‘best efforts’ to filter copyrighted content (the ‘upload filters’).
• Platform work: The ‘platform economy’ (think Uber and Deliveroo) challenged labor law claiming that their couriers are ‘independent contractors’ . This led to a new EU Directive which introduces a (rebuttable) presumption of employee status for platform workers.

---

The problem today: a ‘regulatory inflation’ affecting everyone

The constant reaction to Big Tech has sent the EU into legislative flux. Between 2022 and 2024, the EU published an unprecedented amount of digital legislation: the NIS 2 directive, DORA, the Data Governance Act, the DMA, the DSA, the Data Act, the AI Act, and the Cyber Resilience Act, just to name a few .

However, this ‘regulatory inflation’ creates new, serious problems for all companies:

1. Overlap and complexity.

The new laws are not only numerous, but also extremely voluminous and they overlap constantly.

• Example - Incident Report: A cyber attack at a cloud provider supplying a bank may simultaneously trigger notification obligations under the GDPR (if personal data has been leaked), NIS 2 (if the provider is an essential entity), DORA (specifically for the financial sector) and the Cyber Resilience Act (if it affects a product with digital elements). This leads to an administrative nightmare.
• Example - Data and AI: The AI Act requires data for training AI systems to be “relevant, representative, error-free and complete.” This seems at odds with the GDPR's principles of data minimization and purpose limitation.

2. Unclear legislative technique

Recent laws are characterized by ‘recital inflation. For example, the AI Act has 180 recitals (considerations) preceding the articles. These recitals often paraphrase the articles themselves, add new normative elements, or are the result of political compromises. Because the legal status of a recital is unclear (it is not binding, but can be used for interpretation), this leads to enormous legal uncertainty.

---

The way forward: toward smarter regulation and enforcement

The friction between law and technology is inevitable. But the legislature's response can and must be better. To restore legal certainty, several approaches are needed:

1. Better legislation

• Simplification and consolidation: Instead of constantly piling up new laws, the EU should consolidate, similar to how the European Electronic Communications Code merged various telecom directives. There should be a ‘once-only’ principle for obligations such as incident reports.
• More principles, less rigid rules: Legislation should be more principles-based (such as the GDPR Art. 5) . A ‘hybrid model’ - with general principles supplemented by specific rules where necessary (such as the DMA) - is more flexible and future-proof.
• Technology neutrality: Laws should not prescribe specific technologies (such as the recent EU requirement for USB-C) because technology ages too quickly .

2. Faster and smarter enforcement.

• Less fragmentation: Digital law enforcement is extremely fragmented across numerous new agencies (Data Protection Authorities, Digital Services Coordinators, the AI Office, CSIRTs, etc.) . This expertise, budgets and resources need to be concentrated and harmonized.
• Faster clarification: The preliminary ruling procedure (Art. 267 TFEU), in which national courts seek clarification from the ECJ, is crucial but too slow. In 2024, it took an average of 17.2 months. For fast-moving digital cases, a request for a preliminary ruling should become mandatory for all courts (not just the highest), to get clarity faster .

Conclusion

Disruption by Big Tech has forced law to evolve. However, the recent wave of EU regulation, although well-intentioned, has created a new problem: an unprecedentedly complex, overlapping and fragmented legal landscape. This complexity no longer affects only the tech giants, but every business in Belgium that digitizes. Navigating this rule tsunami requires specialized legal expertise more than ever.

---

Read more on this topic in “Big tech and the rule of law” by Valgaeren and Duquin