The European Commission unveils proposals for a digital services act and a digital markets act
On 15 December 2020, the European Commission finally unveiled its long-awaited proposals for a Digital Services Act (DSA) and a Digital Markets Act (DMA). The DSA aims to harmonize the liability and accountability rules for digital service providers, while the DMA aims to promote fair and contestable markets in the digital sector.
The DSA: liability exemptions and due diligence obligations for digital service providers
The DSA establishes an accountability framework for providers of “intermediary services.” On the one hand, it restates the exemptions from liability currently set out in the e-Commerce directive, and on the other, it imposes new due diligence obligations.
“Intermediary services” are defined to include “mere conduit,” “caching” and “hosting” services. “Mere conduit” services are defined as services consisting of the transmission of information in, or the provision of access to, a communication network, and include the services of telecommunications operators and internet access providers. A “caching” service is defined as the transient storage of information for the sole purpose of making more efficient the transmission of that information in a communication network. A “hosting” service is defined as a service consisting in the (non-transient) storage of information provided by, and at the request of, the recipient of that service. This includes web hosting companies, cloud storage providers and various other online platforms.
1. Liability exemptions
The DSA proposal builds on, but does not replace, the e-Commerce Directive, which entered into force in 2000. More specifically, it largely reproduces the exemptions from liability for the transmission or storage of illegal content set out in Articles 12 to 15 of the Directive (which are to be deleted from the e-Commerce Directive itself if the DSA is adopted). Caching and hosting providers must act expeditiously to remove or disable access to content as soon as they become aware of its illegality.
The DSA proposal does not require service providers to monitor the information transmitted or stored, nor to actively investigate suspected illegal activity, but if they do, this will not make them ineligible for the exemptions. However, the exemption for hosting services will not apply to online platforms that allow consumers to conclude e-commerce transactions with traders where the consumer reasonably believes that the information, product or service that is the object of the transaction is being offered by the platform itself, or a trader under its control.
2. Due Diligence Obligations
The DSA proposal sets out due diligence obligations for providers of four categories of online services: intermediary services, hosting services, online platforms and “very large” online platforms. Each of these categories is a subcategory of the one that precedes it and must comply with additional obligations.
For providers of hosting services there are two additional obligations: (1) to establish a mechanism through which users can notify them of suspected illegal content, and (2) to inform users when they remove their content and to clearly state the reasons for such removal.
An online platform is defined as a hosting service which stores and disseminates information to the public (e.g., social networks, video-sharing websites, etc.). With the exception of “micro and small enterprises” (as defined in the Annex of Recommendation 2003/361/EC), online platforms would be made subject to several additional obligations, including setting up an internal complaint-handling mechanism so users can object to content moderation decisions or to the suspension or termination of their account; allowing users to challenge such decisions before an out-of-court dispute settlement body; giving priority to notices of illegal content submitted by trusted flaggers; promptly reporting suspicions of serious criminal offences to the authorities; and ensuring the traceability of traders active on their platform (“know your business customer”).
Very large online platforms, defined as platforms reaching 45 million average monthly users or more (corresponding to roughly 10% of the EU population) are subject to further obligations, including obligations to conduct risk assessments on the systemic risks brought about or relating to the functioning and use of their services, to take reasonable and effective measures to mitigate those risks, to submit to annual compliance audits, to appoint one or more compliance officers, to publish transparency reports every six months, and to provide access to data to national authorities, the Commission and vetted independent researchers. Very large online platforms using “recommender systems” (essentially, algorithms to determine in an automated way the relative prominence of information displayed to users) must provide transparency regarding the “main parameters” used by those systems. Very large platforms also have additional transparency obligations in relation to advertising, including the main parameters used to target advertising.
Enforcement of the DSA would primarily rest with so-called “Digital Services Coordinators” (DSCs), i.e., the national competent authorities which the Member States would be required to appoint for that purpose. However, the proposal also provides for enhanced cooperation and coordination between the Member States, through the establishment of a European Board for Digital Services made up of all the individual Member State DSCs. As regards very large online platforms, the Commission would have the power to intervene directly. The Commission would be empowered to adopt interim measures, make binding commitments, adopt non-compliance decisions and impose fines of up to 6% of the global annual turnover of a service provider.
The DMA: ex ante regulation of digital “gatekeepers”
The DMA proposes new rules to promote fair and contestable markets in the digital sector, which would apply only to providers of “core platform services” that are deemed to have a “gatekeeper” position.
The DMA defines “core platform services” to include online intermediation services (e.g., marketplaces), search engines, social networks, messaging and chat apps, video-sharing platforms, operating systems, cloud computing services, and advertising networks and exchanges.
A provider of core platform services is deemed a “gatekeeper” if it fulfills three cumulative conditions:
- it has a significant impact on the internal market: this is presumed to be the case if the undertaking to which it belongs achieved an annual turnover of at least € 6.5 billion in the EEA in the last three financial years, or where its average market capitalization or equivalent fair market value amounted to at least € 65 billion in the last financial year;
- it operates a core platform service which serves as an important gateway for business users to reach their customers: this is presumed to be the case if it provides a core platform service which has more than 45 million monthly end users in the EU and more than 10,000 yearly business users in the EU in the last financial year;
- it enjoys, or will foreseeably enjoy, an entrenched and durable position: this is presumed to be the case if the thresholds of the second criterion were met in each of the three last financial years.
Meeting the quantitative thresholds above creates the rebuttable presumption that a platform is a gatekeeper. The core platform service provider can present substantiated arguments to the Commission to the effect that it should not be designated as a gatekeeper despite meeting these thresholds. Conversely, even if a company does not meet the thresholds, the Commission may still decide to designate it as a gatekeeper on the basis of a qualitative assessment (based on e.g., entry barriers, data-driven advantages, etc.).
Core platform service providers must self-assess whether they meet the quantitative criteria and, if they do, inform the Commission within three months of meeting the thresholds. The Commission then has 60 days to designate them as gatekeepers.
Core platform service providers designated as gatekeepers must comply with a list of “do’s” (affirmative obligations) and “don’ts” (prohibitions) within six months from such designation:
- Examples of “don’ts” include prohibitions from engaging in a number of practices deemed to be unfair or to restrict the contestability of markets, such as combining personal data across platforms without real user choice and consent, ‘wide’ most-favored-nation clauses, using non-public data about the activities of business users and business customers to gain a competitive advantage, blocking users from uninstalling pre-installed applications, preventing “side-loading” of applications and application stores, self-preferencing in ranking, etc.
- The “do’s” include measures to promote interoperability, data access, data portability, and transparency regarding advertising services.
Gatekeepers must also inform the Commission of any intended concentration involving another provider of core platform services or digital services, even if the transaction falls below EU and national merger control thresholds.
The DMA proposal would put the Commission in charge of enforcement of these rules, with extensive investigative powers similar to those it has in antitrust investigations. Notably, the Commission would have the power to demand access to databases and algorithms and require explanations about their operational details.
The Commission would be able to impose fines of up to 10% of the company’s total worldwide annual turnover. In case of systematic non-compliance, the Commission would have the power to impose additional behavioral or structural remedies (potentially including the divestiture of businesses).
In addition, the DMA would empower the Commission to carry out market investigations for three purposes:
- to identify gatekeepers not caught by the quantitative thresholds,
- to identify other services that should be added to the list of core platform services, or new practices that could limit the contestability of core platform services or be unfair, and which are not effectively addressed under the existing obligations, and
- to identify appropriate behavioral or structural remedies in case of systematic infringement of the rules by a gatekeeper.
The road ahead
The two proposals are subject to the ordinary EU legislative procedure. That means that they will undergo a lengthy negotiation process between the European Parliament and the Council, which is expected to last at least 1.5 years. Once adopted, the DMA is expected to take effect six months after its publication; the DSA three months after its publication. As EU regulations, both Acts would be directly applicable across the EU.
More Partner Blogs
In 2019, the European Commission alone spent more than €3 billion on public procurement. The...
With a global environment characterised by regulatory change and a growing emphasis on...
As cybersecurity has become a boardroom topic, legal professionals need to be informed about the...
La stratégie de vaccination est un sujet phare en cette période. Différentes entreprises...
As the telework during the COVID-19 pandemic does not perfectly fit with the existing legal...