In 2020 the European Commission put forward a digital services regulatory package with an aim to upgrade the rules in a single framework in the EU. By mid 2022, the duo – namely the Digital Services Act (DSA) and the Digital Markets Act (DMA) – received political agreement among the EU institutions. With their subsequent publication in the EU Official Journal, DMA entered into force on 1 November[i], and DSA on 16 November[ii].
Both instruments taking the form of Regulation, and hence directly applicable across the bloc, were essentially created with two goals in mind[iii]:
- to create a safer digital space in which the fundamental rights of all users of digital services are protected
- to establish a level playing field to foster innovation, growth, and competitiveness, both in the European Single Market and globally
Applicable in parallel with the EU and Member State (MS) competition laws, the DMA sets out supplementary rules prohibiting unfair business practices by large online platforms and defines a ‘gatekeeper’ status for entities, provided certain conditions are met. In other words, meeting certain financial and user thresholds would give rise to the presumption of a gatekeeper status, whereby entities will be given two months to report whether or not such a status is merited.
Notably, the ramifications of such a framework will certainly expand beyond gatekeeper entities, and will be indirectly felt by all players active in digital markets, given that business practices will eventually begin to shift.
Unless demonstrated to the contrary, an entity would be deemed to have a ‘gatekeeper’ status if it a) provides ‘core platform services’ such as intermediation services, online search engines, online social networking services, cloud computing services etc.; b) has a significant impact on the internal EU market, with either an annual turnover of minimum €7.5 bln within the EU in each of the past three financial years or an average market valuation of at least €75 bln in the past financial year, and provides the same ‘core platform services’ in at least three MSs and c) enjoys an established or expected entrenched and durable position with an average of minimum 45 mln monthly end users established or located in the EU and at least 10,000 yearly business users established in the EU in each of the previous three financial years.
Once such a status is established, rather extensive prohibitions and obligations are put in place. The prohibitions include, but not limited to:
- processing end users’ personal data collected from third party services for the purpose of providing online advertising services without prior consent
- reusing personal data collected during a service for the purposes of another service without prior consent
- preventing business users from offering their products and services under different prices and conditions on their own sales sites, as well as on third party platforms
- requiring users to use certain platform services, i.e. payment systems, identification services, web browser engines or technical services
- requiring users to register or subscribe to other ‘core platform services’ as a condition to use any of the ‘core platform services’
- using business users’ non-public data to compete against them
- ranking own products or services higher than those of others
- restricting end users from switching between different apps and services
The obligations include, but not limited to:
- allow communication and content access between business users and end users
- ensure price and fee transparency in ad intermediation services
- ensure users can access their marketing or advertising performance data on the platform
- allow end users to easily change default settings and/or uninstall any software apps on an operating system, unless essential for the good functioning of the latter
- allow effective interoperability with operating systems, hardware or software applications
- ensure interoperability of instant messaging services’ basic functionalities with those of other platforms
- ensure portability of end users’ data to other systems or applications
- provide business users real time access to their data generated on the platform
The European Commission, as the sole enforcer of the DMA, will be given discretionary power to update the list of obligations and prohibitions through issuing ‘delegated acts’. Furthermore, the European Commission will impose penalties of up to 10% of an entity’s worldwide annual turnover, and up to 20% of such turnover when infringements would be recurring.
On the other hand, the DSA as essentially a content moderation framework sets out rules which primarily concern online intermediaries and platforms, requiring these to amend their terms of service, to better handle complaints, and to increase their transparency especially with respect to advertising. The DSA is broad in scope and applies to a range of key players across the digital ecosystem categorised under a) intermediary services, b) hosting services, c) online platforms bringing together sellers and consumers, or d) very large online platforms / very large online search engines (VLOPs/VLOSEs).
More importantly, the legislation incorporates a risk-based asymmetric approach to the obligations, whereby those service providers that fall under either definitions of VLOPs or VLOSEs would be subject to especially burdensome rules. A platform or search engine is considered very large if it has 45 mln active monthly service recipients in the EU, and if the European Commission takes a decision designating it as such.
A notable difference between the two Acts concerns the definitions of ‘end user’ and ‘business user’ under the DMA, and those of ‘recipient of the service’ and ‘consumer’ under the DSA. Under the DMA, an end user is “any natural or legal person using core platform services other than as a business user,” and a business user is “any natural or legal person acting in a commercial or professional capacity using core platform services for the purpose of or in the course of providing goods or services to end users.” Under the DSA, a recipient of the service is “any natural or legal person who uses an intermediary service, in particular for the purposes of seeking information or making it accessible,” and a consumer means “any natural person who is acting for purposes which are outside his or her trade, business, craft, or profession.”
Similar to the DMA, the European Commission will be given discretion to impose fines on VLOPs and VLOSEs for DSA violations amounting to up to 6% of their total worldwide annual turnover.
In terms of connection between the DSA and the EU e-Commerce Directive, the former restates the rules on the liability privileges for intermediary services which would replace Articles 12 to 15 of the latter. In principle, intermediary services are not liable for third party content they process, provided they act expeditiously upon receiving notices of illicit content, but are not obliged to take preemptive checks. The DSA further clarifies that providers shall not be deemed deprived of their immunity “solely because they, in good faith and in a diligent manner, carry out voluntary own-initiative investigations into, or take other measures aimed at detecting, identifying and removing, or disabling access to, illegal content, or take the necessary measures to comply with the requirements of Union law and national law in compliance with Union law, including the requirements set out in this Regulation.”
Takedown orders must also fulfil certain minimum requirements. These include orders a) being limited territorially “to what is strictly necessary to achieve its objective”; b) containing “clear information enabling the provider to identify and locate the illegal content concerned, such as one or more exact URL and, where necessary, additional information” and c) containing information about redress mechanisms available to the provider and to the recipient of the service who provided the content.
As a result, the DSA only replaces the provisions of the e-Commerce Directive which deal with the liability of online intermediaries and the remainder of the Directive shall remain in force. With an extra-territorial effect, the DSA applies not only to EU based service providers, but also those based outside the EU that offer services within the EU.
In terms of clear cut bans, the Act bans all online service providers from utilising ‘dark patterns’ in order to prevent consumers from engaging in unwanted behaviours. Furthermore, the use of sensitive data, defined under the GDPR, will be prohibited, so will targeted advertising addressing minors by means of profiling.
In the end, what will exactly change through this legislative package would depend on the kind of service being offered, or the kind of platform being operated.
[i] See here https://ec.europa.eu/commission/presscorner/detail/en/ip_22_6423; https://ec.europa.eu/info/strategy/priorities-2019-2024/europe-fit-digital-age/digital-markets-act-ensuring-fair-and-open-digital-markets_en.
[ii] See here https://ec.europa.eu/commission/presscorner/detail/en/IP_22_6906; https://ec.europa.eu/info/strategy/priorities-2019-2024/europe-fit-digital-age/digital-services-act-ensuring-safe-and-accountable-online-environment_en.