New Landmark Regulations for the European Digital Market
16 December 2020
Technology & eCommerce Regulation in the Spotlight
The European Commission has unveiled draft versions of the Digital Services Act (“DSA”) and the Digital Markets Act (“DMA”). Both acts impose significant obligations on entities operating in the EU digital market, and especially on Big Tech companies, in the areas of content moderation, transparency and competition.
These acts aim to introduce a codification and harmonization of the existing EU legislation regarding its digital single market. These new acts are considered by many to be the most influential data-related EU legislation activity since the General Data Protection Regulation (“GDPR”). Similarly to the GDPR, both acts will have an extraterritorial scope, meaning they would also apply to companies outside the EU.
Both acts are subject to further legislative steps, including the approval of the European Parliament; therefore the timelines of application are still unknown and could take a few years. According to the drafts presented, both the DSA and DMA will be enacted as EU regulations; therefore, once approved, they will automatically apply all across the EU (as opposed to directives, which require further implementation in each Member State).
Below we review the key provisions in both of the acts.
The Digital Services Act
The DSA introduces a set of new rules, imposing harmonized transparency and accountability obligations on entities operating in the EU digital market. These rules are graduated, based on the entities’ size and impact. Very small providers (not defined) are exempt from the obligations altogether.
The DSA would apply to four types of entities: intermediary service providers (e.g. internet access providers), hosting services (such as cloud service providers), online platforms (e.g. social media networks, marketplaces and app stores) and very large online platforms (at least 45 million users in the EU, representing 10% of EU population).
With regard to accountability, online platforms covered by the DSA will have an increased responsibility to take down illegal and harmful content. The current EU law in this regard has remained largely unchanged since the e-Commerce Directive, and its safe harbors were adopted twenty years ago. The DSA does not replace this directive but rather confirms its objectives while implementing additional rules and measures.
Covered online platforms will be required to set up “notice-and-action” mechanisms so that users can notify them about potentially illegal content, as well as out-of-court dispute settlement mechanisms to assess the legality of the content. The platforms will need to cooperate with users who will be marked as ‘trusted flaggers’ of such content.
Very large online platforms, namely Big Tech companies, would also be required to publish annual risk assessments, which will be externally audited, on their efforts against systemic risks of illegal content and misinformation.
In addition, to increase customer safety, e-commerce platforms are required to conduct ‘Know Your Client’ procedures, in order to verify the identity of sellers prior to allowing them to trade on the platform.
With regard to transparency, covered online platforms will have to provide users with immediate information about advertisements and on algorithms behind recommendations they encounter. This includes information on the advertisements’ source and the reasons for which the user is targeted with a specific advertisement or recommendation.
To the extent applicable, very large online platforms must publicly disclose a compilation of information about advertisements displayed on the platform, including on their content, term of display, source and target recipients. Such entities will also need to publicly disclose the main parameters used in their recommender systems.
EU member states will be required to designate a ‘Digital Services Coordinator’ (“DSC”) that will be in charge of enforcement of the DSA. One of the DSC’s roles will be to monitor the number of users of an application, to assess whether it meets the 45 million users threshold. The European Board for Digital Services will also be established to apply the DSA in a harmonized manner.
Non-compliance with the DSA could lead to fines of up to 6% of the violating entity’s annual revenues. Continuous violations could lead to periodic payments of up to 5% of the daily turnover in the preceding financial year.
The Digital Markets Act
The Digital Markets Act aims to tackle behavior that closes the EU digital single market from competition. In order to do so, the DMA imposes various obligations and restrictions on covered entities, defined as “gatekeepers”, meaning very large tech entities that intermediate between other businesses and their end users. These include, inter alia, search engines, social media networks and marketplaces.
The DMA divides the gatekeepers’ businesses into “core services” (e.g. selling apps on an app store, or goods in a marketplace) and “ancillary services” (for example, payment processing and advertising).
Gatekeepers would be identified as such if they have a significant impact on the EU digital market, based on their number of users (over 45 million, roughly 10% of the EU population) or earnings (over €6.5 billion in the last three financial years).
As part of the DMA’s self-executing obligations, gatekeepers would be prohibited from mixing data from data brokers or their business customers with data they collect from their own end users. Gathering business customers’ data in order to compete with the same business customer is strictly forbidden as well. Gatekeepers must also refrain from automatically signing users into additional services, other than the one they logged in to.
In addition, gatekeepers will have to remove barriers from their business customers. The DMA bans gatekeepers from forcing their own login systems, and requires them to allow “ancillary service providers” (e.g. payment processors) to connect into the gatekeeper’s core services on the same terms as the gatekeeper’s own ancillary service.
Gatekeepers are also required to act fairly and in a nondiscriminatory manner with regard to access for business users on software application stores, as well as on ranking of services and products. Specifically, the gatekeeper must refrain from ranking its own products and services more favorably than those of third parties.
The DMA also provides the gatekeepers’ business customers and end users with data-related rights, including data portability and real-time access to data that is required to switch between platforms (these rights are not limited to personal data, but rather address a wider scope of user data). Business customers must also be able to access real-time commercial data (for example on their sales).
Non-compliance with the DMA could lead to fines of up to 10% of the violating entity’s annual revenues. Repeated violations could ultimately lead to structural remedies such as a forced divestiture, meaning the entity would be required to sell parts of its business.
While both acts present increased scrutiny mainly towards Big Tech companies, they are expected to influence both directly and indirectly all business entities operating in the EU online market. Feel free to contact us if you have any questions regarding the effect of these developments on your company’s practices.
****************************************
Feel free to contact us with any further questions or comments regarding the update and subjects detailed above.
Kind regards,
Ariel Yosefi, Partner
Head of Technology & eCommerce Regulation
Herzog Fox & Neeman