Right at the end of 2020, the European Commission published its much-awaited digital regulation proposal – the proposal for the Digital Services Act (“DSA”) and the proposal for the Digital Market Act (“DMA”). The new proposal is intended to modernise the EU E-Commerce Directive, which has been in force for over 20 years. If adopted, the proposal will likely have a wide-ranging impact on digital service providers. Find out what to expect in our summary below and have your voice heard by providing feedback to the European Commission on both the DSA and the DMA by the 15 February 2021.
1. What Is The DSA?
The DSA is intended to foster innovation, growth and competitiveness and to facilitate the scaling up of start-ups, small platforms and SME’s while at the same time better protect consumers and their fundamental rights by clarifying the liability regime for digital intermediaries and reinforce the oversight and enforcement of the DSA obligations. In particular, the DSA will establish a framework for the exemption from liability of intermediary service providers as well as rules on the implementation and enforcement of the DSA.
Based on this, chapter II of the DSA contains provisions on the exemption of liability of online intermediaries similar to the previously existing exception under the EU E-Commerce Directive, such as conditions under which providers of mere conduit (i.e., providing network access or transmission services), caching (i.e., storing data to make transmission more efficient), and hosting services (i.e., storing data provided by users) are exempt from liability for the third-party information they transmit and store.
Chapter III of the DSA sets out the due diligence obligations for a transparent and safe online environment. Concerning these obligations, the DSA distinguishes between different sizes of online intermediaries. Depending on the size of the provider, more or less stringent obligations will be applicable. To find out which obligations apply to what size of digital service provider, please look at the table below.
The DSA puts more focus on the implementation, cooperation, sanction and enforcement of the new obligations in chapter IV of the DSA, intending to boost the effectiveness of the new EU regulation. In particular, this chapter contains rules on penalties for infringements of the DSA. As the proposal for the DSA provides that the Member States shall lay down the rules on penalties and only provides for a maximum amount of penalties that the Member States may implement in their respective acts, this may render the choice of where an online service provider has its main establishment increasingly important. Furthermore, the DSA foresees the creation of a European Board for Digital Services, which is intended to be an independent advisory group of national authorities designated by the Member States for the consistent application of the DSA – similar to the European Data Protection Board.
As noted above, the DSA also takes an active stance on very large online platforms. These are platforms that reach 45 million users in the EU or around 10 per cent of the EU population. Very large online platforms will be subject to enhanced supervision and enforcement mechanisms, meaning that the EU Commission can adopt non-compliance decisions and impose fines of up to 6 per cent of the company’s total turnover in the preceding financial year as well as periodic penalty payments for breaches of the DSA.
2. What Is The DMA?
The DMA is the second part of the new digital regulation initiated by the EU Commission. The DMA builds on Regulation 2019/1150 (P2B Regulation). It is intended to restrain the power of large digital platforms that serve as an important gateway for business users to reach their customers – so-called gatekeepers. Gatekeepers are providers of core platform services such as online intermediation services, online search engines, online social networking services, video sharing platform services and other similar services. While the DSA covers a wide range of online service providers, the DMA only targets gatekeepers. According to the proposal, if following requirements are met an online service provider will qualify as a gatekeeper:
- size (based on turnover or average market capitalisation and activity in at least three Member States);
- gatekeeping role (the platform needs to have a gateway role, and it needs to be necessary for businesses to reach their consumers); and
- an entrenched and durable position of market power (this condition is presumed to be met if the company met the other two criteria in each of the last three financial years).
- Additionally, the EU Commission will have the powers to designate companies as gatekeepers following a market investigation.
The DMA proposal sets out rules that prohibit unfair practices by gatekeepers and places market investigation powers into the EU Commission to address structural problems. As a guideline for acceptable practices, the DMA proposal contains a “do’s and don’ts” list for gatekeepers. As part of this list, the DMA prohibits several practices which are considered unfair. For example, blocking users from uninstalling any pre-installed software or apps requires gatekeepers to proactively put in place certain measures, such as targeted actions allowing the software of third parties to properly function and interoperate with their services.
The EU Commission is empowered to update these obligations after a market investigation if it finds that certain practices are considered unfair or limit the contestability of core platform services according to the DMA. According to 10 (2) DMA, this will be the case where:
- there is an imbalance of rights and obligations on business users and the gatekeeper is obtaining an advantage from business users that is disproportionate to the service provided by the gatekeeper to business users; or
- the contestability of markets is weakened as a consequence of such a practice engaged in by gatekeepers.
The DMA does not only entail obligations for the gatekeepers but also includes heavy sanctions to ensure compliance including fines of up to 10 per cent of the gatekeeper’s worldwide annual turnover or in the case of systematic breaches even structural measures (remedies) extending to the divestiture of a business (or parts of it), where no other equally effective alternative measures are available to ensure compliance.
Do the DSA and the DMA Impact My Business?
Both the DSA and the DMA proposals are set out as regulations rather than directives. This means that they will be directly applicable and will not require any implementation into Member State law. Therefore, it is important to be ready to comply with these obligations once the DSA and the DMA enter into force.
Moreover, both the DSA and the DMA will follow in the footsteps of the EU data protection laws, in that they have extraterritorial scope being applicable to all online intermediaries offering their services in the EU, whether they are established in the EU or outside. This means that also Swiss and other third-country businesses will fall within the scope of these proposed regulations.
As the DMA will only be applicable to gatekeepers, it is unlikely to impact the majority of online service providers. However, the DSA will likely be applicable in some form to all online service providers. To find out which obligations an online service provider must follow, the provider must first find out how it will be qualified under the DSA. The DSA provides for four types of online service providers:
- Intermediary services providers (chapter II, section 1 DSA.
- Hosting services (chapter II, section 2 DSA).
- Online platforms (chapter II, section 3 DSA).
- Very large online platforms (chapter II, section 4 DSA).
Depending on your qualification as one of the above online service providers, you will have to get ready to ensure compliance with more or less stringent new DSA obligations. See the below table outlining the DSA obligations and find out which obligations you will have to comply with:
There will be additional due diligence obligations, which will be supported and encouraged to be implemented by the authorities such as standards, codes of conduct, codes of conduct for online advertising and crisis protocols.
4. What Are the Next Steps?
The European Commission has invited interested parties to provide feedback on both the DSA and the DMA by 15 February 2021. This feedback will then be summarised by the European Commission before they present the proposal to the European Parliament and the European Council.
This means that during the upcoming months, both proposals will be discussed under the ordinary legislative procedure. Nonetheless, it is important that you already keep track of the proposals because, as it stands now, they will be directly applicable across the EU. Notwithstanding the foregoing, if a legislative proposal is rejected at any stage of this procedure, or the Parliament and Council cannot reach a compromise, the proposal will not be adopted and the procedure ends.