With the Digital Services Act (DSA) and the Digital Markets Act (DMA), the Commission is significantly tightening its grip in the online space. These new bills have several features, such as: the appointment of Digital Services Coordinators per member state; reporting, auditing and monitoring obligations; a notification procedure for the designation of gatekeeper platforms; and an extensive set of additional obligations for very large platforms and gatekeeper platforms.
Digital Services Act (DSA)
The Commission proposes a regulation on a single market for digital services which will also amend the 20-year old E-Commerce Directive. The DSA has an onion-layered structure, aiming to create a transparent and safe user experience in a number of online environments. The outermost layer covers the basic rules that apply to all intermediary service providers of EU customers, regardless of where those providers are established. The second layer focuses on hosting services (both cloud hosting services and website hosting services) which have to adhere to the same basic rules and to some additional ones. The third layer imposes more obligations on online platforms, as compared to the other providers. In addition to imposing these same obligations on "very large" online platforms, the innermost layer includes even more rules specifically designed for those platforms due to their systemic nature and importance. Thus, these very large online platforms are considered akin to other systemically important networks (like telecoms, rail, or electricity) and financial institutions. A platform is considered "very large" if it has more than 45 million users in the EU (that is, 10% of the EU's population).
The basic obligations for all types of providers include: (i) the designation of a single point of contact or a legal representative for communications with the regulators; (ii) clarity on any service restrictions in their terms and conditions; and (iii) transparency about possible removal of information, for example, when content is considered illegal.
The second set of obligations applies to hosting services and online platforms. They relate to the possibility for third parties to file a complaint about potentially illegal content.
In addition to the basic rules and the second set of obligations, the third set applies to all online platforms (SME excluded). They should set up: (i) an internal complaints-handling system for disabling the alleged illegal content or information; and (ii) an alternative dispute settlement mechanism for their services. When traders are active on the platform, the platform must make reasonable efforts to assess the traders' reliability.
Finally, the rules for very large platforms relate to the managing of possible "systemic" risks, such as: (i) misuse by the act of uploading illegal content; (ii) breach of fundamental rights (for example, by algorithms which may restrict freedom of speech or hamper competition); and (iii) manipulation which leads to disturbing public order, breaching privacy, or causing fraudulent and deceptive commercial practices (such as fake news and content created by fake accounts). Furthermore, those systemic platforms must share data with regulators and researchers.
Digital Markets Act (DMA)
In addition to the DSA, the Commission proposes the introduction of the DMA, which is a regulation focusing on contestable and fair markets in the digital sector. This only applies to what are known as "gatekeeper platforms". There is a rebuttable presumption that an online platform qualifies as a gatekeeper if it meets two criteria. First, that, over the preceding three financial years, it has provided core platform services to over 45 million monthly active EU consumers, and to over 10,000 yearly active EU business users. This criterion is similar to the DSA's test to determine systemic-platform. But under the DMA, an additional criterion applies: the online platform must: (i) either be part of an undertaking with an annual turnover of EUR 6.5 billion or more in the EEA in the preceding three financial years; or (ii) where that is not the case, have offered core platform services in at least three member states, while being part of an undertaking with an average market capitalisation of at least EUR 65 billion in the last financial year. Once these thresholds are met, the platform has to make a mandatory notification to the Commission. In that notification, it can rebut the legal presumption that it qualifies as a gatekeeper. The Commission must then decide on whether the platform is a gatekeeper platform or not. Once the Commission designates a platform as a gatekeeper, that platform must respect the additional prohibitions and obligations pursuant to the DMA.
The DMA provides rules on transparency and fairness for gatekeeper platforms. These would be in addition to the Platform-to-Business Regulation (P2B). P2B already provides for basic rules on transparency. For example, the terms and conditions must include: (i) the main parameters and their relative importance in determining rankings (the Commission published detailed guidelines on ranking on 8 December 2020); (ii) the differences in the treatment (if any) between goods and services offered by the platform itself and by third parties; (iii) the access to any personal data or other data of the consumers (if any) that third party business users will have through the platform; and (iv) an explanation as to why the platform uses price parity/MFN clauses (if any) with third party business users which prohibits them from selling their goods/services at lower prices through other sales channels (either through other platforms or their own website).
Core platform services
In addition to these basic rules, the DMA adds obligations and prohibitions for gatekeeper platforms which offer "core platform services", for example: intermediation services, search, social networks, video-sharing, cloud services and online advertisement. Gatekeepers can have multiple core platform services, which will then individually be subject to the obligations pursuant to the DMA. The regulation blacklists any unfair practices by the gatekeeper and also creates obligations. Some examples include:
- Gatekeepers are prohibited from combining personal data sourced from core platform services with data sourced from any other services it offers or data sourced from third-party services. This prohibition does not apply only if the gatekeeper has offered the consumer the choice and the consumer has given his/her consent in compliance with the GDPR.
- Gatekeepers are prohibited from using broad price parity/MFN clauses, whereas P2B allows them as long as the platform is transparent about these clauses.
- Gatekeepers cannot force the use of other core platform services as a condition for users to access a given core platform service, which results in the prohibition of bundling services.
- Gatekeepers may not engage in self-preferencing and are therefore not allowed to rank their own products or services above those of third-party businesses. Instead, when it comes to ranking, gatekeepers must apply fair and non-discriminatory conditions.
- With regard to data, gatekeepers must provide data portability to its users by providing continuous and real-time access; this relates to both personal data of consumers and data of business users, such as reviews.
- Gatekeepers must provide business users free, high-quality, continuous and real-time access to the data concerning consumers engaging with their products or services. This also applies to the personal data of consumers, provided that they have consented to this in compliance with the GDPR.
Importantly, the Commission will be empowered to extend the list of prohibitions and obligations.
In addition to these rules on the commercial behaviour of gatekeepers, the DMA imposes an obligation on gatekeepers to notify the authorities about any takeover or merger in the digital space. There is no threshold in terms of the target company's market presence (such as turnover, market share, or transaction value). This is intended to prevent "killer acquisitions" of competing start-ups, which could otherwise remain under the radar of merger control. Furthermore, gatekeepers must allow independent auditors reviewing their techniques used to profile consumers.
Abuse of Dominance
Many of the prohibitions and obligations under the DMA seem to qualify as abusive behaviour if a gatekeeper has a dominant position in the relevant market.
On the basis of the abuse of dominance prohibition, unfair practices by online platforms are subject to enforcement actions by competition authorities.
These cases concern, for example:
- Self-preferencing by platforms (the EU Google shopping case and the ongoing EU Amazon Buy Box case);
- Platforms relying on the data of consumers engaging with products or services of third-party business users, to promote the platform's own products or services (the ongoing EU Amazon data case);
- Price parity/MFN-clauses (the EU Apple e-books case and the many cases on platforms providing hotel booking services);
- Exclusivity Agreements (the US Google search case);
- Combining personal data from various sources without GDPR compliant user consent (the German Facebook case).
The Commission nevertheless believes that it needs these new regulations to intervene with greater speed and immediately, rather than after the harm has occurred, or at an earlier stage where a gatekeeper is not yet dominant.
EU consumer protection law
P2B blacklists unfair practices targeted at business users of the platforms. If the platform engages in the same behaviour towards consumers, P2B does not apply since it only applies to commercial relationships between the platform and it business users. The EU Omnibus Directive includes similar transparency obligations in consumer law, for example, in relation to rankings. The platform should be transparent to the consumer about the main parameters of the ranking. Platforms must inform the consumer succinctly; that is, easily, prominently and directly available to the consumer. If the ranking can be influenced by paid advertisement, the platform should inform the consumer, without having to disclose the details of their ranking system, such as its algorithm. The EU Omnibus Directive modernises consumer protection law by introducing new rules in relation to online trading and online platforms, such as fake reviews (see our earlier article on that).
Decentralised and centralised enforcement of the DSA and DMA
The enforcement of the proposed acts differs and leads to a patchwork of EU law enforcement authorities, as mentioned. This increases the possibility of situations where several competent authorities can, independently, carry out enforcement actions against the same practice (see our earlier analysis on that). The Digital Services Act provides decentralised enforcement and introduces a new enforcement authority: the Digital Services Coordinator. Each member state will have to designate one or more competent authorities, and one of those will be the Digital Services Coordinator in that member state. The Digital Service Coordinator must: (i) at a national level, coordinate enforcement and ensure it to be effective and consistent, and (ii) at the EU level, cooperate with its counterparts (within the newly established European Board for Digital Services) and the Commission. The member state in which the service provider has its main establishment will have jurisdiction over the enforcement of the behavioural obligations and prohibitions. Non-EU providers will be under the jurisdiction of the member state where their legal representative resides or is established. Only in relation to very large platforms will the Commission be jointly competent - besides the home state's Digital Service Coordinator - to enforce the Digital Services Act.
In contrast, the Digital Markets Act provides centralised enforcement by the Commission only. National competition authorities may still enforce competition law for the same behaviour provided this does not run counter to the possible enforcement decisions of the Commission under the Digital Markets Act.
The DSA and DMA add to the already vast landscape of legislation which tries to prevent unfair practices against both consumers and business users. After this proposal by the Commission, the European Parliament and Council of the EU (which represents member states) will have to act, as they are the co-legislators and have the requisite powers to adopt the proposed regulations.