The EU Proposes New Regulations Targeting Big Tech
Privacy In Focus®
In December 2020, the European Commission unveiled a two-part initiative with the aim to regulate and remake the digital economy of the continent, furthering its continued push to establish EU “Digital Sovereignty.” In the two-part legislative proposal, containing language for both the Digital Services Act (DSA) and the Digital Markets Act (DMA), the Commission is looking to rein in what they consider to be anticompetitive behavior in the technology sector by increasing the regulatory burden on a wide array of technology equipment and service providers. The key proposals of each piece of the proposed regulation are described below. While the proposals still have a long legislative path to navigate before implementation, these initiatives make clear the intent of EU policymakers to curb the influence and power of large technology companies, and their continued inclination to use regulatory mechanisms to shape cross-border market dynamics.
The Digital Services Act (DSA)
The DSA seeks to open a window into the inner workings of online services and platforms. Specifically, it proposes to implement a strong protection framework for consumers as they interface with online content, increase the transparency and accountability of online platforms, and encourage the innovation and competition of online platforms.
The DSA applies to online intermediary services, which are divided into four categories:
- Intermediary services such as internet access providers and domain name registrars;
- Hosting services such as cloud or web-hosting services;
- Online platforms that match sellers and consumers, such as online marketplaces, app stores, and social media platforms; and
- Very large online platforms, which are defined as reaching more than 10% of the consumers in Europe.
The DSA scales the obligations that apply to each type of provider according to ability and size. Smaller platforms are exempt from many of the more costly compliance mechanisms, but encouraged to implement them as a best practice when possible. Thus, depending on the category of the service, it may be obligated to:
- Implement mechanisms to identify illegal goods services or content, such as a flag system.
- Increase transparency, specifically by disclosing algorithms used to make advertising recommendations to consumers. Very large platforms are required to provide at least one option to direct content that is not based on profiling.
- Institute a system to trace business users to identify sellers of illegal goods.
- Add safeguards for users, such as methods to challenge the platform’s content moderation decision.
- Allow for access by researchers to key data for the purpose of assessing how online risks evolve.
- Add codes of conduct and technical standards.
- Implement systemic changes to prevent misuse of very large platforms, including public accountability and independent audits.
The DSA is focused on removing illegal content from online services/platforms, although the meaning of “illegal content” is not clearly defined. Despite this focus, it does not make services and platforms liable for illegal content, unless they are aware that the content is illegal and fail to take action to remove the content. Primary oversight of the DSA will remain with the member states; however, the DSA does grant regulators increased authority to require tech companies to be more transparent as to the inner workings of their platforms. Fines for providing “incorrect, incomplete or misleading information” to regulators could be up to 1% of annual revenue. Failure to comply with the underlying obligations of the DSA could result in large fines of up to 6% of annual revenue.
The Digital Markets Act (DMA)
At its root, the DMA seeks to help small tech companies compete against their big tech counterparts. The DMA proposes a regulatory framework of obligations and prohibitions specifically targeted at large technology platforms. As the proposal states in the explanatory memorandum, technology innovations can “increase consumer choice, improve efficiency and competitiveness of industry and can enhance civil participation in society.” However, the Commission is concerned that of the over ten thousand online platforms that operate in Europe, a “small number of large online platforms capture the biggest share of the overall value generated.”
To even the playing field, the DMA proposes to heavily regulate what it identifies as digital “gatekeepers.” A gatekeeper is defined as a company that provides a core platform service in the EU and has a “significant impact on the internal market, … operate[s] as an important gateway for business users to reach end users, and enjoy[s] an entrenched and durable position in its operations or it is foreseeable that it will enjoy such a position in the near future.” Importantly, “core platform services” includes a broad range of digital services, covering online marketplaces, intermediation services, social networking, video-sharing platform services, cloud computing, search engines, software application stores, operating systems, messaging platforms, and digital advertising services.
While the definition of gatekeeper includes some subjective elements, the Commission also identified objective factors that would make a core service platform a gatekeeper, including an annual revenue threshold of 6.5 billion euros over the past three years and having over 45 million monthly active users in the EU or 10,000 yearly active business users. In deciding whether a company should be designated as a gatekeeper, the Commission directs companies to take into account the relative size and market position of the platform, the number of business and end users, entry barriers derived through network effects and data advantages, the scale and scope of benefits imparted to the provider, business and end-user “lock-in” effects, and structural market characteristics in a given sector. The DMA requires companies to self-report their status as a gatekeeper, but retains the right for the Commission to investigate and identify companies that it believes should be treated as gatekeepers.
The proposed DMA imposes significant obligations on gatekeepers, including but not limited to:
- Not requiring business or end users to subscribe or register as a condition of accessing a core platform service;
- Allowing business users to offer the same products and services through third-party intermediation services at prices or conditions that are different from those of the core platform service;
- Pricing transparency for advertising services offered by core platform services;
- Giving end users the ability to uninstall pre-installed applications without restricting access to collateral, related, or core platform services;
- Refraining from using ranking services to more favorably promote products offered by the core platform service provider over those offered by business users;
- Providing tools to business and end users to facilitate data portability between core service providers; and
- Providing fair and nondiscriminatory conditions for business providers to access software application stores.
The DMA proposal does grant the Commission a case-by-case ability to exempt certain gatekeepers from a specifically tailored set of obligations. However, noncompliance with any of the required obligations, to include the disclosure and information-sharing requirements, can result in significant fines or potentially the forced breakup of repeat offenders. Proposed fines can range from 10% of the preceding year’s total revenue for intentional or negligent violations of the act, to 1% of the preceding year’s revenue for more procedural violations, like failing to provide information regarding a platform’s gatekeeper status.
We encourage all businesses potentially subject to the DSA’s and DMA’s obligations to follow the progress of these regulations as they work their way through the legislative process.
Our team has helped entities of all sizes from across various sectors parse through complicated GDPR issues – from determining whether the GDPR applies, to developing compliance programs. If your organization has questions about the GDPR or the possible impact of these new legislative developments, do not hesitate to reach out.
© 2021 Wiley Rein LLP