European lawmakers have introduced two legislative proposals as part of a major policy reboot to update regional rules for digital business and rein in big tech.
The Digital Services Act (DSA) will update the bloc’s long-standing ecommerce rules while widening requirements to define areas of additional responsibility around content — such as how platforms must handle illegal content or dangerous third party products through mechanisms like standardized reporting and verification checks.
The Commission says the DSA is about bringing online rules up to speed with rules that already apply for offline business. It will apply widely, to different types of services, with additional transparency and accountability obligations for the largest platforms (with ~45M+ monthly users; aka 10% of the EU population) which must conduct risk assessments to guard against misuse of their tools.
A second legislative package, the Digital Markets Act (DMA), proposes a system whereby a sub-set of key Internet players are deemed ‘gatekeepers’ and required to abide by specific additional conditions — with the overarching goal of fostering competition in digital markets which can be prone to ‘winner takes all’ dynamics.
The DMA is expected to apply to tech giants like Amazon and Google, though the Commission avoided naming any names today.
It’s the bloc’s response to concerns that competition rules have not been able to keep pace with the market-denting power of a handful of data-mining, attention-dominating Internet giants — hence coming for them with an ex ante regulation that puts limits on practices like self-preferencing and data use, and requirements to support interoperability.
Top-line fines under the proposals laid out today are up to between 6% (in the DSA) and 10% (in the DMA) of global annual turnover — higher than the maximum 4% allowed for under the bloc’s existing General Data Protection Regulation framework (albeit it’s hard to imagine those maximums ever being levied, as GDPR maximums haven’t — but they make for an eye-catching headline).
An idea the Commission consulted on earlier this year — to introduce a new competition tool for digital markets to prevent tipping — does not appear to have made it to the legislative proposal stage.
The Commission has been working on its grand plan to reboot the EU’s digital rulebook since before president Ursula von der Leyen took up her mandate a year ago. EVP Margrethe Vestager told Europe’s parliament in October 2019 that new regulations are needed to build trust in digital services and thereby underpin the bloc’s strategic push for digitalization to drive the next decades of economic growth.
Vestager and internal markets commissioner, Thierry Breton, are responsible for leading the digital policy package. Public consultations on the proposals ran for many months this year. But internal EU debate and division over exactly how to regulate digital services appears to have contributed to some of the delays — though the commissioners denied it had added a last minute delay to today’s press announcement (which had already been postponed twice, from dates earlier in the month).
Today marks the start of an even longer road for the Commission to secure backing for and firm up the legislative proposals with the other EU institutions — the Council and the parliament — a process that will take months at least.
It could in fact be years before the DSA and DMA become law and start being applied (though the Commission said the intention is to have short implementation period once both are adopted, of three months and six months respectively).
Enforcement of existing EU digital rules is hardly a shining example of efficient process. So questions over how to translate the planned requirements for platforms, small and massive, into a functional, friction-free operational on-the-ground reality will persist. Enforcement of the DSA and DMA is slated to be the responsibility of various resourced Member State-level agencies — but with the Commission monitoring how it’s going and retaining some power to step in if required.
Breton denied that the planned enforcement framework will be akin to GDPR — but it’s hard to see how it won’t suffer from some of the same problems.
Tech giants are also of course used to flexing legal muscle to challenge European regulation that threatens their business interests — so there’s no reason to think they won’t apply the same playbook to try to avoid being labelled a ‘gatekeeper’ and getting saddled with a list of ‘dos and don’ts’ in the first place.
One thing is clear: Tighter European regulation of digital business and big tech is coming down the pipe, regardless of whether it has the intended effect. Today the UK also set out further details of a national plan to regulate a range of online harms (also proposing fines of up to 10% of turnover), saying it will introduce an Online Safety Bill next year.
The European Commission also has a number of other legislative proposals in train as part of its overarching digital strategy — including a Data Governance Act and another forthcoming data act to create a regulatory framework to encourage the reuse of industrial data; as well as plans to set risk-based rules for artificial intelligence which it’s due to unveil next year, after publishing a white paper in February.
Highlights of the DSA and DMA proposals from today’s Commission briefing follow below.
The Digital Services Act
The DSA will place new due diligence obligations on digital services to swiftly remove illegal content and in parallel explain what’s been done and why — as well as offering users an option to complain.
Online marketplaces will also have a new ‘Know Your Customer’ obligation — to try to tackle counterfeit and/or dangerous products — meaning they will be required to verify the identity of a seller before allowing them to trade on their platform.
A third requirement focuses on algorithmic transparency/explainability — meaning (larger) platforms will need to explain rankings and hierarchies they generate, such as products they feature or recommend.
They will not, however, be required to reveal the algorithms themselves.
Access to key data for researchers (which will also apply to larger platforms) is another requirement.
The Digital Markets Act
The DMA will lay extra obligations (ex ante) on large players with significant market power, and who intermediate between a threshold level of other businesses (10,000 yearly) and users (45M+ actives per month) — who will be classified as ‘gatekeepers’.
The idea is to complement existing EU competition law, with Vestager saying the DMA has been fed by multiple antitrust cases brought against the likes of Google and Amazon, in recent years.
She also likened it to the approach that already applies in sectors like banking and energy.
Per the commissioner, gatekeeper status will depend on size (as well as turnover and market cap); the role they play in the market; and their durability (how entrenched their market position is over time).
Gatekeepers would also need to be active in several EU Member States.
Vestager briefly highlighted three of the obligations that gatekeepers will be required to live up to: Their use of data; interoperability; and self-preferencing.
“You cannot use the data of the people you compete with just because you can — you have to use data silos,” she said, explaining how the requirements on data use will work to create “fairness in the marketplace” by levelling the risk involved for non-gatekeepers in launching new services (vs data mining giants who benefit from such a wealth of competitive market insight).
As well as the threat of fines, she confirmed that structural remedies (such as breaking up businesses) remain possible — such as in cases of repeat breaches of the DMA’s requirements.
Gatekeepers will also be required to notify regulators if they intend to acquire even small businesses that would not normally trigger such a notification requirement.