On 15 December the European Commission published a hotly-anticipated package of new draft legislation for online platforms active in the European Union in the guise of two legislative proposals: the Digital Services Act (DSA) and the Digital Markets Act (DMA).

The DSA seeks to create a new contract between online platforms, businesses, regulators and EU citizens, designed to protect consumers from illegal goods and content and safeguard European values and democracy. It applies broadly to all online ‘intermediaries’.

The DMA in contrast seeks to place significant constraints on a limited number of online ‘gatekeeper’ platforms in order to level the playing field between big tech and the businesses who rely on them to reach their customers. In the spirit of prevention being better than cure, it consists of a series of ex ante rules designed to complement existing ex post competition law enforcement – and has been described by The Economist as ‘the biggest shift in competition policy in a generation’.

Together the DSA and DMA will create Europe’s biggest shake-up of the digital regulatory regime since the 2000 E-Commerce Directive. Once implemented, they will require significant changes to the business practices of digital sector players such as Google, Amazon, Facebook and Apple, but also potentially smaller competitors. The stakes are high – fines for non-compliance could reach up to 6% and 10% of global turnover for the DSA and DMA respectively.

The Commission’s legislative proposals follow months of consultations during which different interest groups submitted their ideas and suggestions. This will intensify now that the texts of the proposals have been published and pass to the European Parliament and EU member states in the Council for discussion and amendment. Both the parliament and council must jointly agree the final wording of the legislation before it can be formally adopted.

Margrethe Vestager, Executive Vice President of the European Commission, said that she wants to move quickly. In EU terms this means the new laws could hit the statute books in 18 months. France has indicated it wants to finalise the texts during its six-month presidency of the EU Council in the first half of 2022.

The publication of these two proposals is the official beginning of a process with many moving parts. We know from recent experience that digital dossiers can provoke some of the most intense lobbying campaigns Brussels has ever seen. Big tech, scale-ups and start-ups, consumers and NGOs, broad industry groups with an important online presence, academia and government agencies: all interested parties will try to convince the legislators of their arguments to strengthen or to weaken the provisions in the proposals.

The stage is set for more of the same for a number of important reasons:

  1. These are ambitious proposals. The EU is seeking to re-shape business on the world wide web in a European image by making online platforms and intermediaries more accountable. They will want to make sure it achieves its objectives but without stymying innovation or free speech.
  2. The proposals deal with complex issues with a very broad impact, essentially affecting any and all businesses, large or small, with an online presence.
  3. Both the DSA and the DMA are set to become EU Regulations which are directly applicable in EU member states without further legislation at national level. Member states will therefore want to agree every detail at the EU level.
  4. The European Parliament has published its own reports over the last year indicating that it wants to be even more ambitious than the Commission’s proposals – e.g. by banning targeted online advertising altogether, and calling for much broader obligations on intermediaries, such as properly vetting the identity of companies they do business with.
  5. Among member states a number of countries like France and Germany also want to go further. The Nordics are more cautious and neutral, while Ireland (home to the EU headquarters of a number of the large US platforms) denies that big tech gatekeepers are harming competition.
  6. Several countries including Germany have been working on their own new competition tools to constrain big tech which may go further than the current DMA proposal. They may resist the Commission’s push for a fully harmonised approach.
  7. A number of countries may resist the notion that the new ex ante competition rules under the DMA are to be enforced centrally by the European Commission rather than nationally.
  8. The draft texts start their legislative journey just as Brussels is seeking to reset the transatlantic trading relationship with the new US administration. There is no doubt that the EU wants these new rules to set a global standard, just as its GDPR did, yet it may not want to target Silicon Valley too aggressively when a wider trade relationship is in play.

Our H+K experts in Brussels and in member-state capitals understand the process and can help to navigate it. We know how to craft campaigns so that the right arguments are submitted in the right way, to the right people, at the right time. We stand ready to help.

For more detailed information on the DSA and DMA see below.

 

DIGITAL SERVICES ACT

‘what is illegal offline should also be illegal online’

What does it aim to achieve?

The Digital Services Act (DSA) aims to create a safe, predictable and trusted online environment for European consumers by creating new obligations for digital intermediaries to trace and remove illegal goods and services and be more proactive and transparent regarding content moderation processes and decisions.

Who does it apply to?

It applies to a wide range of online ‘intermediaries’ regardless of size, including those established outside the EU with a significant number of EU users or which target one or more EU member states. Intermediaries covered include: internet access providers, domain name registrars, hosting and cloud services, online market places that connect sellers and buyers, app stores and social media networks.

Very large online platforms with over 45 million average monthly users in the EU that pose particular risks for the dissemination of illegal content and societal harm are subject to additional obligations.

What new obligations does it introduce?

The DSA builds on the 2000 E-Commerce Directive, preserving several of its core principles such as a prohibition on general monitoring by online platforms of the content and activity of their users – and strengthening others such as the ‘safe harbour’ limitation of liability of online platforms for illegal content posted by their users. In regard to the latter, the DSA introduces a ‘good samaritan’ principle that preserves the safe harbour even when a gatekeeper company engages actively on its own platform. The DSA applies new obligations to different tiers of intermediaries as follows:

General obligations

–          Create an EU based point of contact or a legal representative for communications with EU regulators,

–          provide clear information in their terms and conditions on any service restrictions that apply to their customers’ content, including information on content moderation tools and policies,

–          publish detailed reports at least once a year regarding their content moderation activities.

Notice and action

Intermediaries that store information provided by their customers will have to:

–          Implement mechanisms to allow third parties to notify them of illegal content and act on such notifications in a timely and objective manner – giving priority to notifications from those designated by national authorities as ‘trusted flaggers’.

–          Set up dispute resolution mechanisms in relation to content moderation decisions.

–          Suspend services to customers that frequently provide illegal content and alert law enforcement regarding information or content involving threat to life or safety.

Online marketplaces

–          Online marketplaces that connect buyers and sellers must verify the identity and traceability of traders that use their platforms under a Know Your Business Customer principle.

–          Online platforms that display advertising would have to ensure that users can tell that what they are being shown is an advert.

Very large online platforms (VLOPs)

Platforms with more than 45 million monthly EU users have additional obligations to:

–          assess and mitigate systemic risks, such as dissemination of illegal content, negative effects on the exercise of fundamental rights and intentional manipulation of their services;

–          submit to external independent audits at least once a year;

–          appoint at least one compliance officer to monitor compliance with the DSA and provide compliance data to DSCs and the Commission; and

–          provide more frequent reports than other online platforms, containing additional information on risk assessments carried out, risk mitigation measures implemented and the results of audits.

How will they be enforced?

Each EU member state will appoint a Digital Services Coordinator (DSC) to manage enforcement of the DSA. Online intermediaries breaching their DSA obligations may be fined up to 6% of their global turnover.

Where is controversy likely to arise as the text is debated in Parliament and the Council?

A number of players, including several vociferous MEPs, believe these new rules do not go far enough, for example calling for the Know Your Business Customer provision to be applied to all intermediaries, not just online marketplaces.

 

DIGITAL MARKETS ACT

What does it aim to achieve?

The DMA aims to level the playing field between very large digital ‘gatekeepers’ and the businesses who rely on them to reach their customers. In the spirit of ‘prevention is better than cure’ it consists of a series of ‘ex ante’ rules designed to complement existing ex post competition law enforcement.

Who does it apply to?

The DMA applies only to companies that the European Commission designates as digital ‘gatekeepers’ according to objective criteria set out in the DMA that promise to be among the most hotly contested aspects of the legislation.

Amazon, Apple, Google, Facebook and Microsoft are likely to meet the proposed criteria – as well as others such as Booking.com, Alibaba’s AliExpress and cloud providers Microsoft Azure, Amazon Web Services and Google Cloud.

According to the DMA criteria, a company is presumed to be a ‘gatekeeper’ if it provides a “core platform service” in at least 3 EU member states (such as search engines, social networking services, certain messaging services, operating systems and online intermediation services), and:

–      Has a size that impacts the internal market: this is presumed to be the case if the company achieves an annual turnover in the European Economic Area (EEA) of € 6.5 billion or more in the last three financial years, or where its average market capitalisation or equivalent fair market value amounted to at least € 65 billion in the last financial year;

–      Has control of an important gateway for business users towards final consumers: this is presumed to be the case if the company operates a core platform service with more than 45 million monthly active end users established or located in the EU and more than 10 000 yearly active business users established in the EU in the last financial year;

–      Has an (expected) entrenched and durable position: this is presumed to be the case if the company met the other two criteria in each of the last three financial years.

If all of these quantitative thresholds are met, the specific company is presumed to be a gatekeeper, unless it submits substantiated arguments to demonstrate the contrary.

If not all these thresholds are met, the Commission may decide that it is nevertheless a ‘gatekeeper’ but must do so in the context of a market investigation.

Companies that are emerging as gatekeepers but are not yet ‘entrenched and durable’ will have to comply with a subset of the DMA standards.

What new obligations does it introduce?

Within 6 months of being designated a ‘gatekeeper’, companies will have to comply with a set of do’s and don’ts designed to ensure that they behave fairly towards businesses and consumers and keep online markets open to innovation by all. Some would apply without any possibility for further specification or clarification by the Commission, while others would allow for the Commission to further specify what individual gatekeepers must do in order to comply with them. Together they have far reaching consequences for the digital marketplace.

Obligations with no further specification:

–          refrain from combining personal data from core platform services with personal data from other services;

–          refrain from restricting business users’ freedom to freely price products on other platforms, e.g., through “most-favoured nation” clauses;

–          allow businesses on the platform to promote and contract with users outside the platform, and, where such off-platform purchases take place, to allow those businesses to provide those products and services through their own software applications;

–          refrain from restricting business users from complaining to public authorities;

–          refrain from requiring business users to use, offer or interoperate with an identification service of the gatekeeper;

–          refrain from making access to any core platform services conditional on users registering or subscribing to any other core platform services;

–          provide advertisers and publishers to which a platform supplies advertising services with certain information about pricing of those services;

–          inform the Commission about intended acquisitions of any other digital services before closing their transactions, irrespective of whether the merger control thresholds for EU or national filings are met. This obligation will give the Commission new scope to monitor and control gatekeepers’ M&A, when combined with its new policy of accepting EU Merger Regulation jurisdiction over small mergers that are not otherwise notifiable anywhere; and

–          submit to the Commission an independently audited annual report describing any techniques applied by the gatekeeper for profiling of consumers across its core platform services.

Obligations with potential for further specification by the Commission:

–          refrain from using non-public data from its business users to provide services in competition with these users;

–          allow uninstallation of preinstalled applications unless technically essential;

–          allow installation of third-party apps and app stores on its operating systems, to the extent these do not endanger the integrity of hardware or operating systems provided by the gatekeeper;

–          refrain from preferencing own services and products versus those of third parties in rankings;

–          refrain from technical restrictions on users switching between (or subscribing to) different software applications and services that are accessed using the gatekeeper’s operating system;

–          provide competing third-party providers of ancillary services non-discriminatory access to interoperability and features of their operating system, hardware or software;

–          provide advertisers and publishers with access to the performance measuring tools and information that allows them to carry out their own independent verification of ad inventories;

–          facilitate data portability;

–          provide business users with access to data generated by their use, and their users’ use, of the gatekeeper’s core platform services;

–          provide third party providers of online search engines with fair, reasonable and non-discriminatory access to ranking, query, click and view data generated by users of the gatekeeper’s online search engine; and

–          apply fair and non-discriminatory general conditions of access for business users to its app store.

How will they be enforced?

Gatekeepers found to breach the rules could face fines of up to 10% of their global turnover. Persistent and systemic non-compliance could lead to structural measures including, as a last resort, company break-up.

A potential bone of contention with EU member states, enforcement will be managed centrally by the European Commission.

Where is controversy likely to arise as the text is debated in Parliament and the Council?

–          The definition of ‘gatekeeper’.

–          The list of dos and don’ts.

–          The appeal process for designated gatekeepers.

–          Centralised enforcement by the European Commission.

–          The Commission’s full harmonisation approach that prevents member states imposing further constraints on gatekeepers in their own national laws for the purposes of promoting fair and contestable markets (they can still do so to achieve other policy goals).