On 15 December 2020, the European Commission published two regulation proposals as part of the digital services act package: the digital services act (DSA) and the digital markets act (DMA).
The DSA and DMA are designed to create a safer digital space in which the fundamental rights of all users of digital services are protected and establish a level playing field to foster innovation and competitiveness in the European market and globally.
The DSA is expected to affect all digital service providers (including social media, online marketplaces, online platforms, etc.) while the DMA will only apply to large companies that are identified as gatekeepers; i.e. those which control at least one “core platform service” (such as search engines, social networking services, certain messaging services, operating systems and online intermediation services) and meet several cumulative criteria including having a large, lasting user base in multiple countries in the EU.
These proposals complement recent EU legislation, such as Regulation (EU) 2019/1150 (Platform to Business Regulation) and Directives that were adopted as part of the New Deal for Consumers (Directive 2019/2161 (the Omnibus Directive) and Directive 2020/1828 (Collective Redress Directive).
The DSA applies to the provision of intermediary services (i.e. the providers of mere conduit, caching or hosting services as defined in the DSA), irrespective of their location, as long as their service recipients have their place of establishment or residence in the European Union.
Exemptions from liability are available where the intermediary confines itself to providing the services neutrally, by a merely technical and automatic processing of the information, and where the cumulative conditions set forth in the DSA proposal are met. Providers of intermediary services shall not be deemed ineligible for the exemptions from liability solely because they carry out voluntary activities aiming at detecting, identifying and removing, or disabling of access to, illegal content. There is, however, no general obligation to monitor the information which providers of intermediary services transmit or store, nor to actively seek facts or circumstances indicating illegal activity.
Due diligence obligations
Intermediary service providers will be subject to a number of obligations, varying depending on their type and size:
All intermediaries shall:
- establish a single point of contact, and, when they do not have an establishment in the EU but offer their services in the EU, designate a legal representative within the EU;
- include in their terms and conditions, in clear and unambiguous language, information on any restrictions having an impact on the use of the services, including content moderation mechanisms, algorithmic decision-making and human review;
- be subject to transparency reporting obligations including the publication of detailed reports on their activities relating to the removal and the disabling of illegal content or content contrary to their terms and conditions.
Providers of hosting services (including online platforms) must implement notice-and-action mechanisms to allow third parties to notify the presence of alleged illegal content. In the event of removal or disabling of such alleged illegal content provided by a user, a “statement of reasons” would have to be provided to the concerned user.
Online platforms shall:
- put in place internal complaint handling systems and out-of-court dispute settlement mechanisms;
- ensure that notices relating to alleged illegal content submitted by entities qualifying as “trusted flaggers” are processed with priority;
- when allowing consumers to conduct distance contracts with traders, ensure that traders can only offer goods and services via their platforms after strict Know Your Customer procedures. Platforms must keep information about the traders to help track down sellers of illegal goods or services;
- be subject to transparency obligations concerning online advertisements.
Very large platforms which provide services to at least 45 million users in the EU (representing 10 per cent of the population) shall:
- analyse any systemic risk stemming from the use of their platforms and put in place mitigation measures (including content moderation mechanisms and limiting display of advertisements);
- be subject to an independent audit at least once a year and appoint a compliance officer;
- set out in their terms and conditions the main parameters used in their recommender systems, as well as any options for the recipients of the service to modify or influence those main parameters;
- establish and maintain a public repository, available via application programming interfaces, with detailed information on the online advertisements they served on their platforms in the past year.
Implementation, enforcement and sanctions
Each Member State shall designate a Digital Services Coordinator (DSC) who will have investigation (e.g. performing on-site inspections and asking for explanations from legal representatives) and enforcement powers (e.g. ordering the cessation of actions constituting infringements or imposing fines) at national level.
A European Board for Digital Services (EBDS) will be established to, among others, support the coordination of joint investigations and issue opinions and recommendations to the DSCs.
The Commission will have specific powers, either at its own initiative or in coordination with the EBDS and DSCs, with regards to very large online platforms.
Sanctions for non-compliance with the provisions of the DSA include fines of up to 6 per cent of the annual income or turnover of a provider of intermediary services.
The DMA only applies to so-called “gatekeepers”, i.e. providers of core platform services (such as search engines, social networking services, video-sharing platform services, online intermediation services) which meet the following cumulative criteria:
- it has a significant impact on the internal market, which is presumed to be the case where it had an annual EEA turnover of at least EUR 6.5 billion over the last three financial years, or where its average market capitalisation or fair market value amounted to at least EUR 65 billion in the last financial year, and it provides a core platform service in at least three Member States;
- it serves as an important gateway for business users to reach end users, which is presumed to be the case where it has more than 45 million monthly active end users in the EU and more than 10 000 yearly active business users established in the EU in the last financial year;
- it enjoys an entrenched and durable position in its operations or it is foreseeable that it will enjoy such a position in the near future, which is presumed to be the case if it met the other two criteria in each of the last three financial years.
Providers of core platform services meeting these three criteria must notify the European Commission within three months after those thresholds are satisfied. Based on a market investigation, the European Commission can also designate platforms as gatekeepers even if the above-mentioned presumptions do not apply.
Obligations for gatekeepers
Obligations of gatekeepers include:
- refraining from combining personal data from core platform services with personal data from other services;
- allowing their business users to promote their offer and conclude contracts with their customers outside the platform at prices or conditions that are different from those offered through the online intermediation services of the gatekeeper;
- refraining from restricting business users from raising issues with public authorities relating to any practice of gatekeepers;
- refraining from requiring business users to use, offer or interoperate with an identification service of the gatekeeper;
- refraining from requiring business users or end users to subscribe to or register with any other core platform services as a condition to access, sign up to or register with any of their core platform services;
- providing advertisers and publishers to which a platform supplies advertising services with information about the pricing of those services;
- refrain from using non-public data from its business users to provide services in competition with these users;
- allow uninstallation of preinstalled applications unless technically essential;
- refrain from treating more favourably products and services of the gatekeeper compared to third party products and services;
- refrain from technically restricting the ability of end users to switch between and subscribe to different software applications and services to be accessed using the operating system of the gatekeeper.
Notification of intended acquisition
Gatekeepers shall inform the European Commission about intended acquisitions of any other digital services before closing their transactions, irrespective of whether the merger control thresholds for EU or national filings are met.
The European Commission may, among other penalties, impose fines of up to 10 per cent of the gatekeeper's worldwide annual turnover.