Towards a new era of digital regulation The DSA and DMA proposals

This article has been also published on the EACCNY website on January 28, 2021.

Thanks to Marianna Riedo for collaborating on this article

The COVID-19 pandemic crisis has highlighted the central role that digital platforms play from both an economic and a social perspective, along with the challenges arising from online flow and concentration of Big Data. In response to political pressure for reforming the rules governing digital markets and services, on December 15, 2020 the European Commission (Commission) published the text of two proposals that undoubtedly represent the most ambitious regulation of internet services and markets since the e-Commerce Directive. The Digital Services Act and the Digital Markets Act proposals are part of the new EU digital strategy that the Commission has designed for the purpose of introducing new rules to protect the rights of online users and safeguard the development of a fair and competitive digital services market. We published a preliminary description of the envisaged content and aims of the two proposals in a previous newsletter (see here), while this article illustrates the actual content of the proposals as published by the Commission in December 2020.

The goal announced by the Commission is to cover “gap cases” in the existing legislation that have emerged as digital services have developed over the last twenty years. The common perception is that during that time a small number of platforms have continuously expanded their services so that they now serve as “gatekeepers” of online interaction and the spread of content and information.

Scope of application of the proposals

Both proposals apply to a set of different digital players and provide various measures based on the size of each player and the type of services it offers. In this respect, during presentation of the Digital Services Act Package initiative (which includes both the DSA and the DMA), the Commission expressed its intention to act to regulate mainly the “very large online platforms acting as gatekeepers.” That intention arises from the widespread perception that, although there are more than 10,000 online platforms in the European digital economy today, over the last twenty years only a very small number of large platforms has benefitted from network effects that have led to the creation of what the Commission calls “tipping markets”, or non-contestable market positions. The two proposals published on December 15 establish the quantitative parameters set by the Commission to determine under what circumstances a platform should be subject to the “gatekeepers” regime. While the DSA applies to all digital intermediaries and provides additional measures for platforms that are used by at least 10 percent of the 450 million European consumers, the DMA applies only to the small number of main service providers active in the Digital Single Market.

More specifically, the DSA divides platforms into sub-classes, from a wide group of “intermediary services” to a more limited group of “very large online platforms.” More specifically, these are (i) intermediary services, i.e. all those services that offer digital infrastructure, including network access services and top-level domain registrars; this first category in turn includes (ii) hosting services, such as cloud and webhosting services, which in turn include the subgroup of (iii) online platforms, such as online marketplaces, app stores, and social media sites; among these the DSA proposal also identifies a limited category (iv) of very large online platforms, i.e., platforms that make their services available to at least 10 percent of European users (45 million users).

For its part, the DMA limits its scope of application to a closed list of eight types of digital services, defined directly in the proposal as “core platforms”: (i) intermediation services (e.g., marketplaces and app stores); (ii) search engines; (iii) social networks; (iv) video sharing platforms (e.g., YouTube); (v) number-independent interpersonal communication services; (vi) operating systems (e.g., iOS, Android); (vii) cloud computing services; and (viii) advertising platform providers (e.g., Google AdSense). The proposal also identifies what it terms “gatekeepers” among the core platform providers: Art. 3 of the proposal provides that, in order to be subject to the rules for gatekeepers, a platform must (a) have significant impact on the internal market; (b) operate a service that serves as an important gateway for business users to reach end users; and (c) enjoy an “entrenched and durable” market position in its operations.

According to the rules set out in the same article, the first of the three criteria is deemed met if the company to which the platform belongs generated annual turnover within the EEA of 6.5 billion euros or more in the most recent financial year and provides a basic platform service in at least three Member States. The second requirement, relating to the operation of a “gateway” for business users to reach end customers, is deemed met if in the previous financial year the platform provided its service to more than 45 million monthly active end-users established or located in the EU and more than 10,000 active business users located in the EU. Finally, a platform is presumed to have an “entrenched and durable position” if over the last three financial years it has provided its service to more than 45 million monthly active end-users established or located in the EU and more than 10,000 annual active commercial users located in the EU.

The Digital Services Act

The Digital Services Act represents a continuum that follows in the wake of EU regulatory interventions implemented in recent years, starting with the GDPR, followed by the new Copyright Directive, and ending with the new Platform-to-Business Regulation and the proposed ePrivacy Regulation that is currently under discussion. All these regulatory measures are aimed at determining how these platforms can develop their business while introducing standards of transparency and accountability in data and content flows.

The Digital Services Act, in particular, provides new guarantees for the purchase of products online, but also introduces new mechanisms for risk identification and management for all those platforms that host user-generated content.

With reference to the issue of the liability regime for online intermediaries (or “ISPs”), the proposed text does not alter the framework already defined in the e-Commerce Directive, as it re-establishes the three-way division between “mere conduit”, “caching”, and “hosting” services. The general exemption from monitoring obligations and liabilities for third-party content and information also remains firmly in place, as does the “good Samaritan” clause (which provides that immunity is maintained when an intermediary in good faith prevents access to objectionable material or activity).

ISPs will also have to indicate the mechanisms used for content moderation (particularly if carried out through automated tools) and the limitations to the use of services imposed by the terms and conditions. ISPs will also have to establish easier procedures for notice-and-takedown purposes and, to this end, each will also have to introduce a system of priority reports provided by “trusted flaggers” identified on the basis of specific personal and/or professional characteristics. To ensure better transparency, the proposal envisages that the mechanism will be standardized and will necessarily provide a statement of reasons for the removal of content. In addition, “very large platforms” will have to carry out periodic risk assessments and undergo audits by independent and external parties.

Failure to comply with the obligation to check and remove illegal content will trigger penalties of up to 6 percent of overall turnover of the company.

With a view to facilitating communication between authorities and ISPs, the proposal introduces two new “institutional” roles: a Digital Services Coordinator and a Digital Compliance Officer. The former is a new independent national authority in charge of oversight and enforcement of the rules established in the DSA. The Compliance Officer, following the example set by the Data Protection Officer introduced by the GDPR, will be an independent, internal or external role attached to the service provider, which is responsible for monitoring compliance with the new regulation.

The Digital Markets Act

The Digital Markets Act represents the final chapter (and the opening of a new one) of what in recent months has been called the “antitrust tech storm”, with a series of investigations by the Commission and by national antitrust authorities — with the Italian AGCM taking a leading role along with the Bundeskartellamt and the Autorité — against Big Techs for suspected abusive conduct (see e.g., here, here, here, and here).

Having identified a possible systemic failure of competition in the functioning of digital markets — which, however, is disputed — the Commission has made a policy choice to overturn the pre-existing approach to antitrust infringements — mainly based on ex post assessment of conduct already performed — by introducing an ex ante regulation that identifies a detailed set of prohibited and mandatory practices to prevent conduct that may harm or further weaken competition in digital markets.

More specifically, the current DMA proposal lays out a blacklist of unlawful practices that are per se prohibited for gatekeepers. These practices largely reflect conduct that has been investigated or identified as a concern by antitrust authorities in recent years: self-preferencing; exploitation of data collected from business users of the platform to formulate competitive offers or strategies against the same business users; unjustified denial of access to platform functions or data collected from users; unjustified tying or bundling of digital services and combination of users’ data across services; imposition of unclear terms on users; and so on. The draft DMA also contains a “whitelist” (or rather a “greylist”) of mandatory practices and obligations that may need further specification by the Commission. Practices and obligations on this latter list include authorizing the installation and use of third-party software with the platform; favoring interoperability and multihoming solutions; allowing business users free access to performance indicators available through the platform; allowing business users access to aggregated and non-aggregated data collected through their interactions via the platform; sharing information on ranking and search algorithms; and so on.

Another set of rules is aimed at making life more difficult for emerging platforms that are on a path to becoming gatekeepers (but still not there) by subjecting them to some of the obligations imposed on gatekeepers once they get closer to the thresholds described above. In addition, a provision in the proposal introduces notification requirements for concentration between a gatekeeper and a provider of any core or non-core services provided in the digital sector, regardless of whether the concentration exceeds the thresholds for mandatory notification pursuant to national or EU merger control legislation.

Under the proposal, the Commission would enjoy wide investigative and sanctioning powers for the application and enforcement of the DMA, similar but even greater than the powers already assigned to the Commission for enforcement of existing antitrust rules. The draft DMA also assigns the Commission the power to conduct sector-wide investigation into the digital field to identify new gatekeepers and new core services that should be subject to the DMA, or new obligations/bans to add to the DMA blacklist or whitelist. After a market investigation, the Commission may therefore be able to impose new ad hoc structural or behavioral remedies to undertakings identified as gatekeepers, even when no infringement has been found.

With regard to sanctions, in case of violation of the obligations and prohibitions set forth in the DMA, fines can be as high as 10 percent of the annual worldwide turnover of the undertaking concerned, with periodic penalties for noncompliance of up to 5 percent of average daily turnover. Finally, repeated failure to comply with the remedies and sanctions imposed by the Commission or systematic violation of the DMA rules may ultimately lead to application of remedies of an extraordinary nature, such as the obligation to sell part of the company’s assets or property (so-called “splitting”).

Needless to say, these are ambitious and far-reaching obligations that may critically impact the commercial policies and business models of digital platforms. Additionally, under the proposal the Commission will enjoy greater discretion in identifying obligations and remedies that could be imposed on private undertakings in the digital sphere.

Some commentators have observed that putting so much discretionary power in the hands of the Commission may undermine due process and the ability of courts to scrutinize adequately the lawfulness of the Commission’s own decisions, while also putting excessive political and media pressure on the Commission to use its powers to the greatest allowable extent. Indeed, one could argue that the potential impact of this set of rules on the strategic commercial decisions and business models of private undertakings is unprecedented. Previous sector-wide regulatory interventions in strategic industries — such as telecommunications, transport, energy, financial services, and pharmaceuticals — have been far more limited in scope and impact on business models, or in any case were justified by the undisputed presence of “essential facilities” or former legal monopolies in the markets concerned.

For the sake of clarity, the ex ante rules provided would not replace ex post investigation (by the Commission, national competition authorities, and courts) of traditional antitrust infringement of Articles 101 and 102 TFEU (which prohibit anti-competitive agreements and abuse of market dominance) but would supplement it. However, one of the problematic issues of the DMA is figuring out how it will interact and coordinate with the traditional competition law toolkit, national pieces of legislations with a similar scope and aim that have been approved recently or are under discussion in a number of Member States (including Germany and France), as well as with the GDPR, without conflicting with them.

Next steps

The legislative process for the DSA and the DMA to become EU law requires the involvement and approval of the two proposals by the European Parliament (in addition to the Commission) and is still at an early stage. We likely won’t see a definitive draft text for a couple of years (if not longer). In the meantime, the Commission and national antitrust authorities across the EU — with the AGCM playing a leading role — are proving even more determined to continue ex-post investigation and monitoring activities in the digital sector using the existing antitrust toolkit.

Seguici su