European Commission proposes impactful reform of rules for digital platforms
Yesterday, the European Commission proposed a significant legislative reform of the EU digital economy, as part of its initiative to make “Europe fit for the digital age”. The Commission has heralded the Digital Services Act (DSA) and Digital Markets Act (DMA) as an ambitious package intended to protect online consumers better and lead to fairer and more open digital markets.
The package comes after several years of pressure from society, the industry, Member States and European Parliament for an effective legislative framework to regulate the digital economy. If adopted, the DSA and DMA will create a suite of new rules directed at digital services, including social media, online marketplaces, and other online platforms and apps operating in the EU. It will impact large digital platforms, of course, but also any company doing business with them.
The DSA sets rules on the liability of digital platforms for the content, products and advertisements that they distribute. It takes several pages from established playbooks such as GDPR and competition enforcement. If adopted, it will create a significant burden on tech companies, in particular on so-called “very large online platforms”. These companies will have to comply with information, reporting, auditing, risk management and cooperation obligations. It will also establish a European Board for Digital Services with a role akin to the European Data Protection Board under the GDPR.
The DMA is designed to address perceived shortcomings in the Commission’s existing competition law instruments, as they apply to digital markets. This will represent a radical shift in antitrust enforcement from "cure" to "prevention". It will change the rules of the game by giving the Commission powers to regulate the conduct of digital platforms classified as “gatekeepers”, through one or more of the digital services which they offer.
Both the DSA and DMA envisage heavy fines for non-compliance: up to 6% and 10% of global annual turnover respectively.
Digital Services Act
The regulation of digital services within the EU has stayed broadly the same since the adoption of the e-Commerce Directive in 2000. The e-Commerce Directive harmonised the cross-border provision of online services in the EU and created favourable conditions for businesses operating in the EU’s nascent digital sector.
But, since 2000, the digital sector has evolved greatly. It now plays a vital role in the everyday life of most European citizens. The global pandemic has further pushed our lives online. This transformation comes with new risks and challenges, especially in relation to the dissemination of illegal content and the impact that the conduct of digital platforms may have on individuals and society. The DSA aims to place more obligations on digital service providers in relation to the content which they transmit, cache or host. It stops short, however, of far-reaching control over that content by those service providers.
Scope of the DSA
The DSA applies to online intermediaries, including:
- Intermediary services offering network infrastructure (e.g. Internet access providers, domain name registrars)
- Hosting services (cloud and webhosting services)
- Online platforms bringing together sellers and consumers (social networks, content-sharing platforms, app stores, online marketplaces, online travel and accommodation platforms)
- Very large online platforms (systemic platforms with at least 45 million monthly active users in the EU). Since those platforms are considered to pose particular risks in the dissemination of illegal content and societal harms, specific rules are provided for them.
All online intermediaries offering their services in the EU, whether they are established in the EU or outside, will have to comply with the new rules.
Liability for user content
Maintaining one of the core principles of the e-Commerce Directive, the DSA continues to shields internet companies from liability when they merely transfer, cache or host information. It also confirms that intermediaries have no general obligation to monitor content.
The Digital Services Act imposes obligations on digital service providers centred around four principles: transparency, empowering users, risk management and industry cooperation.
- Transparency: Digital service providers without an establishment in the EU must appoint a legal representative in a Member State where they offer services. They must publish clear, comprehensible and detailed annual reports on content moderation (additional information for online platforms and systemic platforms). Online platforms must ensure that traders provide sufficient verifiable information to the platform and display trader information to users. Platforms must provide transparency on advertisements and on algorithms used to display them (with additional requirements for systemic platforms). Systemic platforms must also publish information on their use of recommender systems.
- Empowering users: Digital service providers must include information on any content restrictions that they impose in their terms and conditions. Providers of hosting services must set up a notice mechanism for users to notify allegedly illegal content and they must give a statement of reasons when they remove or disable access to specific content. Online platforms must provide content dispute resolution mechanisms enabling users to appeal their decisions.
- Risk management: Online platforms have to take measures to protect their systems against misuse, including obligations to remove illegal goods, services or online content and to suspend services for users who frequently misuse them. Online platforms must inform the relevant authorities if they suspect a serious criminal offence involving a threat to the life or safety of persons. In addition, systemic platforms must manage systemic risks. This includes yearly risk assessments, risk mitigation measures, annual independent audits, providing information/data to Digital Services Coordinators or the Commission and appointing compliance officers.
- Industry cooperation: The Commission will support and promote the development of voluntary industry standards, codes of conduct and crisis protocols on certain aspects of online businesses.
Each Member State will be required to appoint a Digital Services Coordinator (DSC) to enforce the DSA. DSCs will have far-reaching powers of investigation, including to carry out on-site inspections, interview staff members and require the production of documents and information. DSCs will also have extensive enforcement powers. They will be able to order the cessation of infringements, impose interim measures, levy fines (up to 6% of global annual turnover) as well as periodic penalty payments (up to 5% of average global daily turnover), and accept binding commitments. These powers are similar to the powers that the Commission currently has in competition investigations.
Users will be able to lodge complaints with the DSCs. DSCs from several Member States may also cooperate in joint investigations.
At EU level, the DSA proposes an independent advisory group of DSCs – the European Board for Digital Services. The Board would advise and provide guidance on issues falling within the scope of the regulation as well as assisting in joint investigations and the supervision of systemic platforms.
Where an investigation or enforcement measure relates to a systemic platform, the DSA provides for a one-stop-shop: the relevant procedure may be carried out in full by the Commission. In that event, national DSCs will be barred from taking any investigatory or enforcement measures with regard to the relevant conduct.
The Digital Markets Act
The DMA introduces rules for platforms that act as gatekeepers in the digital sector. Gatekeepers will carry an extra responsibility to conduct themselves in a way that ensures an open online environment, in particular by complying with specific obligations laid down in the DMA.
Qualifying as a gatekeeper
There are a number of cumulative criteria for companies to qualify as a gatekeeper:
- Activities: the company must provide a “core platform service” in at least three EEA Member States. These services include, for example, search engines and social networking services.
- Size: in each of the last three financial years the company must have: (a) achieved an annual turnover in the EEA of €6.5 billion or more or had an average market capitalisation of at least €65 billion; and (b) had more than 45 million monthly active end users located in the EU and more than 10,000 yearly active business users established in the EU for the relevant core platform service.
In simple terms, if a company meets the thresholds it is presumed to be a gatekeeper for the specific core platform service at stake, unless it can prove otherwise. Below the thresholds, the Commission can still conduct a market investigation and designate a company as a gatekeeper for a specific core platform service even if it does not meet the threshold for the number of users. The latter is intended to catch digital platforms that may enjoy an entrenched and durable position in the near future, i.e. markets that are prone to tipping.
The DMA regulates “core platform services” rather than undertakings. A platform can therefore be designated as a gatekeeper for one or more services. At the same time, these obligations may not cover all of an undertaking’s activities, just those which have been designated under the DMA.
What happens when you qualify as a gatekeeper?
The DMA, in essence, provides a list of do’s and don’ts (prohibitions and obligations) for gatekeepers. These include:
Allow third parties to inter-operate with the gatekeeper’s own services
Allow business users to promote offers and conclude contracts with customers outside the platform
Provide business users with access to the data generated by their activities on the gatekeeper’s platform
Block users from un-installing any pre-installed software or apps
Use data obtained from business users to compete with these business users
Restrict users from accessing third-party services
Investigative and enforcement powers
Some of the investigative powers proposed by the DMA closely resemble Commission powers under competition law. These include the power to carry out on-site inspections, interview staff members and require the production of documents and information
But then, the legal concepts, such as the definition of a gatekeeper, deliberately deviate from the familiar competition law concepts. This is the case for the concept of dominance or economic dependency, which has so far set the threshold for antitrust enforcement against the so-called U.S. “Big Tech”.
For a more detailed discussion on the implications of the DMA, including on ongoing antitrust investigations by the Commission, a separate Competition Insight will be posted on our website this week.
Now that the Commission’s legislative proposals have been published, both texts will be scrutinised and likely amended by the EU co-legislators, the European Parliament and Council. Once the Parliament and Council define their positions, they will try to reach a political agreement before formal votes are held within each institution.
Given the highly sensitive and complex nature of the proposals, as well as the interest around them during the preparatory phase, we are expecting fierce debates and negotiations, including on the appropriate level of regulation.
We expect the DSA and DMA to come into force in 2023 at the earliest. Given the political sensitivity it would not be surprising to see lengthier negotiations, as was the case for the Copyright Directive and the GDPR. Nonetheless, the Commission’s objective is to have both proposals adopted as a matter of priority.
In the meantime, some Member States already have draft legislation in process. As the DSA and the DMA propose to harmonise this area, the interplay with such national proposals will need to be worked out.