“Digital regulation” is a legislative concept and trend which has grown exponentially in recent years and looks set to develop for many more years to come.

On 5 July 2022, the day the European Parliament adopted the Digital Services Act (“DSA”) (on relations between digital services providers and consumers) and the Digital Markets Act (“DMA”) (on the functioning of competition in digital markets), Commissioner Thierry Breton authored an extensive post commenting on how historic this day was and how the “EU is the first jurisdiction in the world to set a comprehensive standard for regulating the digital space”.^[1]

It seems that this has incited a number of other authorities to take action as well, with the U.K. CMA and U.S. authorities looking to introduce similar tools.

The two draft regulations were issued by the European Commission (“Commission”) on 15 December 2020. Some 15 months later, on 24 March 2022, the EU legislative institutions^[2] reached a “political agreement” on both texts, in considerably amended form compared to the original proposals. The two Acts have were formally adopted on 5 July 2022.^[3]

Both impose considerable obligations on digital companies.

These Acts represent only part of the vast legislative revamp being operated by the European Commission, spanning not only digital services as such, but all the drivers of digital economy transformation: data (notably, Big Data) and the algorithms which exploit them for business – and government – purposes (Artificial Intelligence Systems). On multiple occasions, the Commission has referred to this vast revamp as a regulatory framework for the “Digital Age”^[4].

The DSA and DMA have been heavily publicized, although they constitute only the first instruments of the new Digital Age package to become legally effective. Other regulations are currently at various stages of the EU legislative process, including notably the following:

• Regulation on cybersecurity requirements for products with digital elements (the “Cyber Resilience Act”), proposed on 15 September 2022;
• Regulation on European Data Governance (“Data Governance Act”) which entered into force on 23 June 2022 and, following a 15-month grace period, will be applicable from September 2023 onwards;^[5]
• Regulation on Harmonized Rules and Fair Access to and use of Data (the “Data Act”, proposed on 23 February 2022) ;
• Regulation setting out a legal framework governing the use of Artificial Intelligence Systems (the “AI Act”, proposed on21 April 2021).

Director for Competition at the Commission, Mrs. Margrethe Vestager recently announced^[6] that the Commission was “in the process of establishing a chief technology office” in the coming months. Her vision is to bring on board tech specialists in competition cases, similar to the French Competition Authority’s digital unit established in 2020.

1. DMA: ex ante monitoring of competitive conditions in digital markets

Scope of the DMA

According to Mrs. Margrethe Vestager the DMA aims to ensure that “the digital economy remains fair and contestable in order to promote innovation, high quality, privacy and security standards and fair competition.”^[7] To that end, the Commission imposes a number of ex ante rules in order to solve the main issue with the application of preexisting competition law: speed.

Gatekeepers. The DMA applies to companies designated as “gatekeepers”, by reference to the nature of their activity and their market position. Gatekeepers designate large companies providing so-called “core platform service(s)” that have significant impact on the internal market, serve as an important gateway for business users and end users to reach other end users and enjoy (or it is foreseeable that they will enjoy such a position in the near future) an entrenched and durable position in their operation. These requirements are deemed met when the digital company has a market capitalization of at least 75 billion euros in the last financial year or an annual turnover of 7.5 billion euros or more in each of the last three financial year (considering all its activities, not only the core platform service(s)) and provides the same core platform service in at least three Member States, and to at least 45 million monthly-active EU end users and 10,000 yearly-active EU business users. The Commission will review every three years if the designated gatekeepers continue to satisfy those requirements.

Providers of core platform services can (and in some instances will very likely) challenge such designations, which seek to apply relatively broad brush characterizations to what are, in reality, a highly diversified set of different digital business models. 

Core platform services. These include but are not limited to:

• online intermediation services;
• online search engines;
• online social networking services;
• video-sharing platform services;
• number-independent interpersonal communication services;
• operating systems;
• virtual assistants;
• web browsers;
• cloud computing services; and
• online advertising services, including advertising intermediation services

Rules imposed on gatekeepers

Personal data. The Commission aims to target in particular the accumulation and the cross use of personal data, one of the factors it considers to contribute to network effects and to the weakened contestability of the markets, unfair practices and acquisition deals that could potentially significantly restrict competition in a digital market.

Barriers to entry. A remarkable provision that embodies the logic of the DMA is the one that obliges search engine gatekeepers to provide their competitors with access on fair, reasonable and non-discriminatory terms, to data generated by end users activities. In addition, the gatekeeper may not combine or cross-use personal data from its core platform services with data from any other service, unless the end user has provided consent.

Unfair and anticompetitive practices. The Commission will scrutinize how gatekeepers treat business users, both with respect to their direct contractual relationship, and in relation to the way business users can use their core platform services to reach consumers. Gatekeepers have to allow business users to communicate their offers to end users acquired via their core platform service, and to conclude contracts with these end users, regardless of whether they use the core platform services of the gatekeeper or not for that purpose. Also, gatekeepers may not prevent business users from offering different terms of purchase for the same products or services, depending on whether these are proposed directly to the end users or through the gatekeeper’s online intermediation services, and vertically-integrated gatekeepers are prohibited from engaging in any form of differentiated or preferential treatment in favor of their own products.

Killer acquisitions. Digital gatekeepers are facing an increased obligation to inform the Commission about mergers and acquisitions. Lawmakers agreed that gatekeepers would need to inform – in advance – the European watchdog about all takeovers involving data and digital companies, before closing their deals, even when these transaction do not meet the relevant thresholds.

Timeline. Within six months of its gatekeeper designation, the company will have to comply with all obligations provided in the DMA and report to the Commission on the measures implemented to that effect.

Sanctions. Proof of the desire to give this text a strong impact are the heavy penalties provided for in the event of infringement: fines may reach 10% of the worldwide sales of the companies concerned in the preceding financial year, and 20% in the event of repeated infringements, together with a merger ban for a certain period. If a gatekeeper violates the rules at least three times in eight years, the Commission can open a market investigation and, if necessary, impose behavioral or structural remedies. The DMA also provides for periodic penalty payments of up to 5% of the average daily turnover of the company and interim measures if there is a risk of serious and immediate damage for business users or end users.

Coordination with national authorities. To ensure the effectiveness of the Act, the Commission and national competition authorities will coordinate their enforcement efforts in particular to comply with the non bis in idem principle.

Practical considerations

The Commission’s DMA department has a projected number of some 80 staff members appointed to enforce the law. Competition official Alberto Bacchiega recently said (September 2022) that this would probably be insufficient.

Work has already started, with contacts between the Commission and firms that could be designated gatekeepers, and the workload is expected to increase in 2023 (formal gatekeeper designation process) and 2024 (enforcement and monitoring).

2. DSA: the protection of consumers

Separately, the DSA builds upon existing EU provisions regulating electronic commerce. It is centered on the protection of consumers’ interest.

Obligations imposed on online intermediaries and platforms

The DSA applies to intermediary services provided within the EU, irrespective of the place of establishment of the provider of those services. It updates the directive on electronic commerce and builds on its provisions to introduce obligations pursuing three main objectives, namely, the delimitation of online platforms liability, transparency and cooperation with public authorities.

Exemption of liability. One major issue with online intermediaries / platforms is whether the service providers should be held responsible for the content published on their platform. The DSA maintains the exemption of liability, even in cases where service providers take voluntary actions to remove illegal content. What is illegal is determined in the strict sense according to the applicable Union or national law, with the intention being to avoid infringing upon freedom of expression more generally.

Increased transparency for businesses. When platforms allow users to contract with businesses, the latter will have to provide information beforehand allowing their traceability, in order to use the services and be in contact with end users. Digital platforms will also have a greater transparency obligation with regard to online advertising. Platforms displaying advertisements will now have to inform each user in a clear, unambiguous manner and in real time  that the information displayed is an advertisement and why the user is specifically targeted.

Cooperation with public and judicial authorities. Another key objective of the DSA is the will to establish greater cooperation between intermediary services providers and public authorities. Companies will have to designate a single contact point to facilitate direct communication with Member States’ authorities, the Commission and the European Digital Services Committee. They must also be able to inform the competent law enforcement authorities when they have information giving rise to suspicions of serious criminal offences involving a threat to personal safety. Service providers shall take actions without undue delay, upon the receipt of an order to act against illegal content, or to provide information about specific individual users of their service.

Very large online platforms. Platforms with a very large number of users (45 million monthly-active users, in line with the DMA threshold) are considered to have an influence on online safety, public opinion and online commerce. As such, they have to comply with stricter obligations, and  must deploy the necessary means to diligently mitigate the systemic risks they identify such as the dissemination of illegal content and the pursuit of illegal activities, the impact on fundamental rights such as the right to privacy and the intentional manipulation of the platform’s service, through fake accounts.

Compliance procedures implications

Transparency and accountability requirements result in enhanced obligations and significant additional burden for companies.

Illegal content reporting. Intermediary service providers must provide users with mechanisms for action to enable them to report illegal content. These mechanisms already exist on certain platforms, but should be generalized and provide simpler action means and better follow up.

Providers of intermediary services shall publish clear, easily comprehensible and detailed reports on, among other things, any content moderation they engaged in during the relevant period.

Transparency obligations. Online platforms will have to publish information on the average monthly active users in each Member State. They will also have to allow users to be better informed on how content is recommended to them and to choose at least one option not based on profiling.

Audits and inspections. In addition to internal procedures and reports, platforms will also have to undergo regular external audits, at their own expense to evaluate their compliance or the implementation of their commitments, and submit themselves to on-site inspections.

Sanctions. Member States shall lay down the rules on penalties applicable to infringements of the DSA, the maximum amount of penalties imposed for a failure to comply being 6% of the annual worldwide income or turnover of the service provider concerned in the preceding financial year. Penalties for providing incorrect, incomplete or misleading information and for failing to submit to an on-site inspection shall not exceed 1% of the annual worldwide turnover of the provider of intermediary services or person concerned in the preceding financial year.

Conclusion

The Commission’s clear objective of speeding up the processes and making the regulation of digital markets more efficient raises various questions.

The DMA and DSA could turn out to be a so-called “racehorse”, but it will not be without leaving out the traditional economic analysis of market definition, theories of harm and evaluation of the negative effects of the practices on competition and consumer welfare.

In addition, these two Acts, along with the other upcoming regulations for the “Digital Age”, will result in burdensome internal procedures for the companies targeted but also in additional work for the Commission and it is legitimate to wonder if it will be sufficiently resourced and empowered for the enforcement task ahead, with the risk of not achieving its objective of swift movement and impact.

Finally, multiple disputes could arise (for example on the definition of a user, as it should reflect the market position of the gatekeeper). In addition, companies could mount arguments that their services are not appropriate to categorize them as gatekeepers. Officials would need to draft decisions that will ultimately stand up in court.