In a highly anticipated move pre-Christmas, the European Commission produced two proposals for regulating digital services in the EU: The Digital Markets Act (“DMA”) and the Digital Services Act (“DSA”). Forming part of the Commission’s European Digital Strategy, “Shaping Europe’s Digital Future”, these proposals are the latest example of the EU’s pro-active and trailblazing approach to addressing the major questions of 21st century economic and social life. In this instance, Europe is looking to establish itself as the region that finally reins in ‘big tech’ by laying down clear rules to ensure fair play as between major technology platforms and each of smaller competitors, B2B customers and consumers.
Both the DMA and DSA have a long path to travel before becoming effective, with commencement of the final forms of each Act not likely until 2023 at the earliest, and a strong likelihood that many of the specifics of the two Acts will change during the protracted adoption process. Nonetheless, this is a signal of intent from the Commission that the era of untrammeled and often (perceived) unscrupulous exploitation of the opportunities presented by the digital markets within the tech sector will soon be coming to an end.
The Need for New Rules
The current, comparatively light-touch rules on digital services in Europe date back to 2000 and the e-Commerce Directive (the “Directive”). The most notable aspect of this Directive is the immunity it facilitated for online platforms for content posted on such platforms until such content is specifically brought to the attention of the platform. It is almost unnecessary to say that the digital landscape has been subject to vast and rapid change since the Directive’s introduction, change which continues apace. The extent to which that change amounts to an overall positive societal outcome is a broader philosophical debate, however undeniable negative impacts of the digital world in which we live include manipulative algorithms disseminating disinformation, large platforms controlling significant swathes of markets, the wielding of influence by unknown commercial and political interests, and the proliferation of illegal and harmful content.
The DMA and DSA are being proposed as a modern legal framework in the area of digital services to achieve two key goals:
- creating a safer digital space where the fundamental rights of digital services users are safeguarded; and
- establishing a level playing field to foster innovation, growth, and competitiveness, both in the European Single Market and globally.
According to the European Commission, the DSA represents: “a common set of rules on intermediaries’ obligations and accountability across the single market will open up new opportunities to provide digital services across borders, while ensuring a high level of protection to all users”.
Digital service providers to be subject to the DSA include all forms of online intermediary service providers, including: intermediary services; hosting services; online platforms; and ‘very large’ platforms, being platforms that reach at least 45 million users (“OIPs”). OIPs will be subject to the DSA irrespective of their establishment or residence – as with the GDPR, US tech giants who provide digital services to European consumers will be subject to the same responsibilities as European-established companies.
Although specific obligations differ as between the different categories of OIPs, certain minimum requirements are put in place, including transparency reporting, requirements on terms of service with due account of fundamental rights, cooperation with national authorities in following orders and setting points of contact within the organisation.
The main subjects covered by the DSA are set out below.
1. Illegal content: The DSA maintains the current position under the Directive, exempting OIPs from any general obligation to monitor information they transmit or store or to actively seek facts or circumstances indicating illegal activity. However, OIPs will be required to put in place user-friendly notice and action mechanisms, to allow notification of illegal content on their services. Platforms will be required to make a decision in relation to any notice they receive in a “timely, diligent and objective manner”. ‘Very large platforms’ will also be required to provide more detailed reporting to authorities on the control of illegal content.
2. Advertising: All OIPs will need to ensure that users can identify “in a clear and unambiguous manner and in real time”:
a. that the information displayed is an advertisement;
b. on behalf of whom the advertisement is being displayed; and
c. “meaningful information about the main parameters used to determine the recipient to whom the advertisement is displayed”.
Again, ‘very large’ platforms will be subjected to more onerous transparency obligations, including a requirement to compile and make publicly available a repository containing historic information as to the content and targeting of advertisements and the total number of recipients reached.
3. Traceability of business users: Particularly relevant to online marketplaces such as Amazon, all online platforms will be required to vet third party suppliers that conclude distance contracts with consumers through their platform. Traders will be required to provide specific information to the platform, including a self-certification by the trader that it only offers goods or services which comply with EU law.
‘Very large’ platforms, will be subject to the highest number of obligations, including those noted above as well as: sharing data with authorities and researchers; preparing and maintaining codes of conduct; conducting annual risk assessments (at their own expense) regarding systemic risks (such as the dissemination of illegal content online) and including ‘risk mitigating measures’; and engaging in crisis response cooperation.
Each Member State will each need to appoint a ‘Digital Services Coordinator’, who will be responsible for implementing the DSA’s provisions in that Member State, and a new EU-wide agency will be created to manage compliance and enforcement. Failure to comply with the DSA will result in fines of up to 6% of the annual income or turnover of the OIP, depending on the severity, duration and frequency of the violation. Fines of up to 1% of annual income or turnover of the OIP may also be imposed for providing incorrect, incomplete or misleading information in response to a request for information from the Commission.
The DMA is, in essence, an application of established anti-trust rules to the ‘wild west’ of the internet in a manner that is clearer and more targeted than ever before. The DMA will apply to ‘gatekeepers’, with ‘gatekeeper’ defined as a ‘core platform service’ (including, at least initially, online intermediation services, online search engines, online social networking services, video-sharing platform services, number-independent interpersonal communication services, operating systems, cloud computing services, and advertising services, including advertising networks, exchanges and intermediation services) which:
a. has a significant impact on the internal market;
b. operates a core platform service which serves as an important gateway for business users to reach end users; and
c. it enjoys an entrenched and durable position in its operations or it is foreseeable that it will enjoy such a position in the near future.
Certain presumptions as to meeting those requirements are set out in the DMA – including, for example, the presumption that a company with an annual EEA turnover of not less than €6.5 billion meets criterion (a). Interestingly, the DMA creates a ‘self-designation’ system, requiring companies to self-assess the application of the criteria and notify the Commission.
The DMA sets out a number of “dos and don’ts” for gatekeepers. Although the list is long, these include:
- stopping gatekeepers giving preference to their own search rankings or product display;
- requiring gatekeepers to allow the installation of third-party software and the un-installation of pre-installed software;
- allowing third parties to interoperate with a gatekeeper’s own services on equal terms;
- preventing gatekeepers from combining data from different sources and from using data generated by business customers (such as traders on the platform) from competing with those users;
- requiring that business customers be allowed to offer their products/services to end users through different competing platforms and allowing those platforms to differentiate on commercial conditions (including price).
The nature of the beast and, in particular, the need to keep up with an ever-changing digital market is something which has clearly factored into the Commission’s proposals. For example, the DMA allows for ‘further specification’ of some of the obligations, and enables the Commission to carry out market investigations to determine who the gatekeepers are and address systematic infringements.
In the event of non-compliance, the Commission may impose penalties such as fines up to 10% of a company’s total worldwide annual turnover, periodic penalty payments of up to 5% average daily turnover and ‘behavioural and structural remedies’ for systematic infringements. It is the last of these which generates the greatest public interest, hinting as it does at the potential for the break-up of ‘big tech’ if rules are not being, or cannot be, complied with.
A Shot across the Bows?
Rather than the specific provisions of the DSA and the DMA, what is of greatest significance here is the fact that the Commission has signalled an unambiguous intention to rein in the excessive freedoms granted to major technology companies in the digital age. For some, this may be construed as a re-establishment of political and economic control over entities perceived by many to be answerable to no one and often motivated by less than altruistic aims.
Although the EU is, once again, at the vanguard of digital regulation, the publication of the DSA and DMA proposals come at a time when we are seeing a global trend towards the status of ‘big tech’ being scrutinised. In the UK, for instance, authorities are also seeking to update existing competition and consumer protection legislation in order to adapt them to the modern digital age. The UK aim to establish a central entity called the “Digital Markets Unit”, designed to be the core of expertise in this area. The proposal implements the recommendations of a study focused on online platforms and digital advertising published by the UK Competition and Markets Authority at the request of the government that advocated for ‘a new, regulatory approach – one that can tackle a range of concerns simultaneously, with powers to act swiftly to address both the sources of market power and its effects, and with a dedicated regulator that can monitor and adjust its interventions in the light of evidence and changing market conditions.’ In the US, three anti-trust suits are being taken by individual states and district attorneys against Google, with the common thread of seeking to put a stop to alleged anti-competitive conduct designed to entrench Google’s monopoly position in the digital market.
Whilst it will be years before we may see the EU’s proposals becoming law, the publication of the first draft of the legislation, and the broader political atmosphere in which it has occurred, suggests that we have reached the peak of the phenomenon of ‘big tech’ and its influence on every aspect of business and society.