On December 15, 2020, the European Commission released its highly anticipated Digital Act package in the form of two new sets of rules – the Digital Services Act (DSA) and the Digital Markets Act (DMA). The DSA seeks to set harmonized due diligence rules for online platforms, whilst the DMA pursues a narrower objective of taming the market power of large gatekeeper platforms without introducing new antitrust powers.
These packages represent a major shift, not only for large tech platforms and internet giants known collectively as GAFA (Google, Amazon, Facebook and Apple), but for absolutely all online intermediaries such as internet service providers, domain name registrars, cloud services, marketplaces, or social networks.
Digital platforms will truly have a lot at stake as in the most serious cases the Commission could fine them up to 6% of their global turnover.
The DMA and DSA proposals will follow the ordinary legislative procedure and we can expect their implementation by the end of 2022 or by the beginning of 2023.
DSA introduces an updated framework for the liability of providers of intermediary services
The DSA lays down harmonized rules for online intermediaries, which include internet service providers, cloud services, marketplaces, or social networks, to ensure that they are free of illegal content. It marks a significant milestone in the EU effort to raise the accountability of digital platforms, which have repeatedly been accused of downplaying their social responsibilities.
The draft regulation essentially confirms the relevance of the rules of the e-Commerce Directive, under which intermediaries are exempt from liability for the content they manage as long as (i) they provide a service of a passive nature and (ii) they remove or disable access to any illegal material expeditiously after learning about its illegal nature. However, the proposal seeks to integrate relevant judicial developments of the EU Court of Justice to ensure effective harmonization across EU and avoid legal fragmentation.
Its main noticeable improvement as regards liability is the elimination of the (perceived) disincentive towards the voluntary own-initiative investigations undertaken by service providers to protect their users’ safety, through the important clarification that it does not affect their liability.
The true revolution of the DSA is to introduce a series of new harmonized EU-wide due diligence obligations for digital service providers graduated on the basis of their size and societal impact.
Rules applicable to all providers of intermediary services
The draft DSA formulates a core set of obligations applicable to all providers of intermediary services, also encompassing internet access providers and domain name registrars, including:
- The establishment of a single point of contact to be used for the correspondence relating to the regulation
- An obligation to include in their terms and conditions clear information on their policies, procedures, measures or tools used for the purpose of content moderation, including and where appropriate on their algorithmic decision-making
- An obligation to publish, at least once a year, detailed reports on any content moderation they engaged in
- An obligation to comply with orders from national authorities to act against illegal content
Provisions applicable to providers of hosting services, including online platforms
Hosting services, which in particular include cloud and webhosting services and online platforms, will also be required to put in place “notice and action” mechanisms to allow individuals and entities to notify them swiftly of the presence on their services of contents that may be of an illegal nature, in accordance with their national law. This solution should undoubtedly be welcomed, as it should be easier for companies to report a breach in their distribution networks and for citizens to report the presence of harmful content, such as fake news.
Provisions only applicable to online platforms
Online platforms, such as online marketplaces, app stores, collaborative economy platforms and social media platforms will be subject to another layer of due diligence obligations, which are particularly demanding.
In relation to the reporting of illegal content, online platforms will be required to offer to trusted flaggers, i.e. entities that demonstrate particular expertise and competence in reporting inappropriate content, a privileged channel to report their suspicions along with a priority reaction.
Another key element of the proposed regulation is to introduce new rules on the traceability of business users in online market places to help track down sellers of illegal goods or services, in other words imposing on platforms a vetting of third-party suppliers (a.k.a. “KYBC” requirements).
The draft regulation also sets out transparency measures regarding online advertising to regulate the highly sensitive question of micro-marketing. In that regard, users will have to be clearly informed whether and why they are targeted by each ad and who paid for the ad.
Obligations for very large platforms
Finally, under the current proposal, certain substantive obligations will be applied to the largest online platforms, which are perceived as having acquired a central role in facilitating public debate and economic transactions and posing particular risks in the dissemination of illegal content. These very large platforms are concretely defined are those which reach more than 10% of the EU’s population (circa 45 million users).
The main duty of these platforms will be to evaluate the systemic risks they generate, specifically as regards the following categories: (a) the spread of illegal content; (b) their negative effects on citizens’ fundamental rights (privacy, family life, etc.); and (c) the intentional manipulation of their service, in particular to harm the electoral process. At last, they will be compelled to take risk-based actions at the level of the overall organization of their services to mitigate those risks. Ultimately, they will need to subject their assessments and measures to external audit.
Another important aspect of the regulation is that very large platforms will have to provide access to their key data to researchers to facilitate the assessment of their systemic risks. They will also be compelled to designate a compliance officer and to produce regular reports as regards how they manage the above-mentioned risks.
The enforcement of the new diligence obligations will be primarily entrusted to national independent authorities, designated as ‘Digital Services Coordinators’ under the Commission’s supervision.
These Digital Services Coordinators will be in charge of the supervision of the intermediary services established in their respective states (under the country of origin principle) and will cooperate within an independent advisory group called the European Board for Digital Services.
In contradiction with the primarily national-based pretention of the enforcement scheme, for the case of very large platforms, the Commission seeks to have direct supervisory powers.
Digital platforms will truly have a lot at stake as in the most serious cases the Commission could fine them up to 6% of their global turnover.
Hence, there is absolutely no doubt that the DSA will attract a lot of attention and criticism, and that the debate is still only just beginning.
The Digital Markets Act is targeted against the power of private rule-makers
Through its consultation process, the Commission has come to the view that there are a few large platforms that control important ecosystems in the digital economy. According to the Commission, they have emerged as ‘gatekeepers’ in digital markets, with the power to act as private rule-makers.
Who qualifies as a gatekeeper?
Unlike the initial New Competition Tool (NCT) proposal that was put forward by the Commission last summer (see our post here), the DMA does not intend to regulate ‘tipping’ markets. Rather, the proposed regulation focuses on a few enumerated digital activities, the so-called core platform services, which are commonly associated with weak market contestability and ‘unfair’ competitive practices. These services, which are listed restrictively under Article 2 of the draft legislation, include, in particular, the following activities:
- Online intermediation services;
- Online search engines;
- Online social networking services; and
- Video-sharing platform services.
Only the core platform services of the largest digital platforms, i.e. those acting as gateways or gatekeepers between business users and end users and enjoying ‘an entrenched and durable position, often as a result of the creation of conglomerate ecosystems around their core platform services, which reinforces existing entry barriers’ will be subject to the regulation.
Under the draft regulation, such a gatekeeper status may be first determined with reference to “crude” quantitative metrics, described in Article 3(2), which will create a rebuttable presumption. Such presumption will apply if:
- The provider achieves an annual EEA turnover equal to or above €6.5 billion in the last three years (or the equivalent fair market value of €65 billion in the last financial year)
- It provides its core platform service in at least three member states
- This service exceeds 45 million monthly active end users established or located in the EU (which correspond to a tenth of its population), and more than 10,000 yearly active business users established in the EU in each of the last three financial years.
Alternatively, the status could be attributed by the European Commission to a core platform service provider, following a case-by-case qualitative analysis under a novel market investigation procedure, if the Commission can demonstrate that the following criteria, set in Article 3(1) of the DMA proposal, are satisfied:
- The digital service provider has a significant impact on the internal market
- It operates one or more important gateways to customers
- It enjoys or is expected to enjoy an entrenched and durable position in its operations
What would be the rules applying to gatekeepers?
Under the EC’s proposal, companies qualifying as ‘gatekeepers’ would have to follow multiple obligations and prohibitions for their core platform services. Chapter III of the proposal contains strict obligations on tech platforms containing language such as a gatekeeper “shall allow” or “shall refrain” from certain practices. Whilst some will welcome these proposed reforms, in some ways it shows the EU backpedalling on the past 20 years of EU competition law modernization and its economic approach to market failures in favor of an old-fashioned, rigid and one size-fits-all “dos and don’ts” list.
There are two categories of obligations, which gatekeepers must comply with in their daily operations, under the DMA proposal: a list of directly applicable obligations, as well as a list of more complex obligations. As such, the obligations can hardly translate into uniform enforcement across the core platform services, so are susceptible to be further specified.
These obligations aim at allowing:
- Third parties to inter-operate with the gatekeeper’s own services (in specific situations)
- Business users to access the data their consumers generate when accessing their services via the gatekeeper’s platform
The rules will also prevent gatekeepers from engaging in self-preferencing practices of the kind identified in Google Shopping, as well as using user data to enter into adjacent markets in competition with third-party vendors, an allegation that the EC is currently advancing against Amazon.
Furthermore, it will no longer be possible for gatekeepers to prevent consumers from linking up to businesses outside their platforms, and/or prevent users from un-installing any pre-installed software or app.
This approach is not without risks for innovation and the future of digital markets in Europe. The fact that these obligations apply as soon as the box is ticked rather than adopting a ‘case-by-case’ approach – relying on economic effects – could mean that emerging and new entrants may be prevented from engaging in, for example, self-preferencing and platform integrity tactics. This would make it more difficult for them to compete and flourish in the same way that existing platforms did during their start-up phase (which took over a decade). It translates into an obligation to stay small, which could create a hostile environment for those ready and willing to challenge the existing internet behemoths. As such, one would wonder whether this proposal is capable of achieving its goal of restoring effective competition in some segments of the digital markets – something that the Commission claims EU competition law remedies have so far failed to deliver.
Under the draft proposal, ‘gatekeepers’ will also need to inform the EC of any contemplated mergers or acquisitions involving another provider of core platform services or of any other digital service, irrespective of whether the operation is reportable under European or national merger control rules.
What would be the Commission’s new investigative and enforcement powers?
The draft regulation sets up a new instrument, called market investigation, that will allow the EC to perform functions aimed at ensuring the proper implementation of the DMA, including making it future proof. Specifically, it will enable the EC to:
- Examine whether a provider of core platform services should be designated as a gatekeeper
- Assess whether a gatekeeper has systematically infringed its obligations
- Investigate new services and new practices, in particular to determine whether one or more services within the digital sector should be added to the list of core platform services
As regards the enforcement mechanisms, they will closely resemble the powers currently available to the EC under EU competition rules: ‘Gatekeepers’ may face dawn raids, information requests or even interviews of relevant officers and employees in order for the EC to determine if they are complying with their dos and don’ts obligations.
If a gatekeeper is found to be non-compliant, the EC will be empowered to hand down fines of up to 10% of the company’s total worldwide annual turnover. This level of fine is not unheard of in EU competition law, but the DMA also includes periodic penalty payments of 5% of average daily turnover, and additional remedies imposed on gatekeepers for systemic infringements. In the most extreme cases, the draft regulation even includes the controversial power to break-up a gatekeeper’s business.
What is next?
The DMA and DSA proposals will follow the ordinary legislative procedure. This means that the European Parliament and the member states will discuss the Commission’s proposal until they reach a common agreement. The Commission expects the entire process to take around a year and a half. Once adopted, the DSA should be enforceable after three months. The transitional period is slightly longer – six months – for the DMA. If no major hurdle is encountered, which is highly doubtful given the major contemplated shifts in policy and the high stakes involved, this would lead to an implementation of the proposed regulations by the end 2022 or by the beginning of 2023 at the earliest.
A serious challenge ahead could be the willingness of many member states, including most recently Germany, to strengthen their own national rules dealing with the digital economy. As the Commission has expressly offered to harmonize this area with its current DSA and DMA proposals, which are both based on Article 114 of the Treaty on the Functioning of the European Union (harmonization of national rules to avoid regulatory fragmentation), it will be particularly interesting to see how the interplay with the national proposals will be worked out.
What should you do now?
Both the DSA and DMA will have profound consequences and implications in the online space and, in particular, will reshape the often complex and unbalanced relationships between users, be they citizens, consumers or businesses on the one hand, and large online intermediaries and platforms on the other. Those proposals will also have an impact on investments, innovation and the digitalization of the European economies.
For those reasons, businesses and interest groups, on either side of the fence, should carefully consider the proposals and reflect on the far-reaching implications for the future of their business and activities online. To that end, feel free to reach out to us, or to your contact at Dentons should you have any questions regarding the DSA and the DMA proposals, the EU legislative processes, including whether, when and how you can make your voice heard.