On December 15, 2020, the European Commission (EC) unveiled a set of proposals to regulate digital platforms. The draft laws include antitrust-related requirements, addressed by the Digital Markets Act (DMA) and more general regulatory requirements, addressed in the Digital Services Act (DSA). The DMA/DSA package will apply to all digital services, including social media, online marketplaces, and other online platforms, meaning tech companies active in Europe will have a new set of rules to follow.

According to the EC, the DMA is intended to address a perceived lack of contestability in the digital sector regarding certain practices such as leveraging data collected in one market to compete in a different market, self-preferencing, and restrictions on switching. It goes beyond the traditional antitrust tools and outlines a new enforcement framework. The DSA regulates the liability of platforms and imposes new obligations regarding content moderation, due diligence for illegal content, and transparency of advertising.

The draft laws are not yet effective and will likely be amended, as they still need to be discussed and adopted by the European Parliament and by the Council of the European Union (i.e., national governments of each member state of the EU). The process to formally adopt the draft laws is likely to take a few years.

Background

The DMA and DSA fit into the broader European Digital Strategy (the Strategy) announced by the EC last February (see the press release here). The Strategy highlighted the EC's intention to review the rules applicable to digital platforms and propose a revamped new framework, with the aim of creating a single market for data that should ensure Europe's global competitiveness and data sovereignty. The strategy focused on ensuring that data can flow within the EU while respecting EU rules and values (including competition law and data protection).

The existing rules governing digital platforms are largely contained in the e-Commerce Directive, which was adopted in 2000. In a nutshell, the e-Commerce Directive protects online intermediaries from liability for illegal content transmitted by users. In addition, it enshrines platforms' freedom to operate across the EU without restrictions by national governments. The EC's Strategy highlighted that the e-Commerce Directive does not govern how platforms should exercise content moderation, the taking down of illegal or harmful content, or exercise due diligence over their services.

Digital platforms are also subject to the EU's general rules on antitrust. The EC has so far relied on its existing antitrust enforcement powers to levy record fines against certain platforms. However, these rules pre-date the digital economy and, in the EC's view, may not adequately address issues presented by large digital platforms.

The DMA/DSA draft package is just one of a number of EU initiatives designed to target online platforms and the use of data. Germany is awaiting the parliamentary adoption of an amendment to its competition code under which "undertakings with paramount significance for competition across markets" face additional behavioral rules. In the UK, the government recently put forward an Online Harms proposal similar to the DSA that could see companies fined up to 10 percent of their global revenue if they fail to stop illegal and harmful content from reaching their online users. The UK's competition regulator has also recommended that the government implement new merger rules requiring certain digital companies that have "strategic market status" to notify every deal, implement a legally binding code of conduct, and allow for market intervention by a new digital enforcement unit.

The Digital Markets Act

Under the DMA, the EC will be solely responsible for ensuring that "gatekeeper" platforms do not harm competition and that the emergence of new gatekeepers is addressed, with national authorities playing an advisory role. The DMA is not designed to apply across the entire digital space, but rather focuses on "core platform services." According to the draft, these include: i) online intermediation services (for example marketplaces, app stores, and online intermediation services in other sectors like mobility, transport or energy); ii) online search engines; iii) social networking services; iv) video sharing platform services; v) number-independent interpersonal electronic communication services; vi) operating systems; vii) cloud services; and viii) advertising services.

The DMA sets out narrow criteria for qualifying a core platform service as a so-called "gatekeeper," namely that a company:

• Has a significant impact on the internal market. This is presumed where: 1) the company achieves an annual revenue in the EEA equal to or above €6.5 billion in the last three financial years, or where its average market capitalization or equivalent fair market value amounted to at least €65 billion in the last financial year; and 2) it provides a core platform service in at least three member states;
• Has a strong intermediary position. This is presumed where: 1) the company operates a core platform service with more than 45 million monthly active end-users established or located in the EU; and 2) has more than 10,000 yearly active business users established in the EU in the last financial year; and
• Has (or is expected to have) an entrenched and durable position in the market. This is presumed where the company meets the other two criteria in each of the last three financial years.

This is different from the standard legal test typically used under EU competition law, which focuses on establishing whether a player is "dominant" or whether an "essential facility" is at play. According to the EC, these concepts did not enable the EC to intervene in markets with a significant—but not yet dominant—player where there was a risk of the market tipping in favor of that company. The DMA proposal seeks to tackle this perceived enforcement gap. The gatekeeper classification can be rebutted.

Obligations

The DMA establishes a list of prohibitions and obligations that digital platforms must comply with once designated as a gatekeeper. For instance, a gatekeeper must "refrain from combining personal data sourced from [its] core platform services with personal data from any other services offered by the gatekeeper or with personal data from third-party services, and from signing in end users to other services of the gatekeeper in order to combine personal data, unless the end user has been presented with the specific choice and has provided consent in the sense of Regulation (EU) 2016/679."

Some of the requirements are framed as being "susceptible of being further specified" and the DMA proposal envisages a future regulatory dialogue with gatekeepers to tailor those obligations and ensure their effectiveness and proportionality. This category includes requirements related to self-preferencing, interoperability, and certain data-related practices.

In a bid to "future-proof" the DMA against the fast pace of digital markets and the emergence of future gatekeepers, the EC can also carry out market investigations to ensure both current and new markets remain contestable. This power was initially proposed as a separate new tool, but has since been subsumed under the DMA. It will allow the EC to:

• identify gatekeepers that do not satisfy the DMA's quantitative thresholds;
• assess whether new conduct or practices need to be added to the rules and;
• design additional remedies to tackle repeat infringements of the DMA rules.

The EC's ability to designate digital platforms which do not meet the quantitative thresholds as gatekeepers following an investigation is likely to lead to significant legal uncertainty and antitrust counsel should be regularly consulted.

The DMA will be enforced without prejudice to the existing tools of Article 101 and Article 102 TFEU. However, the exact interplay between the DMA and the EU's conduct tools has yet to be decided. Similar questions as to the interplay with the DMA will arise with a view to similar provisions in the EU member states. While under the current draft the DMA would prohibit national rules from imposing diverging obligations on gatekeepers, it would allow member states to apply stricter standards based on national competition rules, provided that they are based on an individualized assessment of market positions and behavior. How this distinction will play out in practice is unclear. For example, the proposed amendment of the German competition code would cover "digital ecosystems" instead of gatekeepers and would make market dominance a crucial, albeit not indispensable, point for identifying addressees. Nevertheless, the amendment would ultimately impose similar rules on the same companies as the DMA.

Sanctions

In terms of sanctions, the DMA will enable the EC to levy fines of up to 10 percent of the company's total worldwide annual turnover. In cases of repeat infringements, the EC can undertake a market investigation and assess whether it is appropriate to impose additional behavioral or structural remedies (for example, due to the further strengthening of its gatekeeper position). Structural remedies, including the break-up of large platforms in certain circumstances, can be imposed only where there is no equally effective behavioral remedy or that remedy is more burdensome than a structural solution. As the DMA will likely be enacted as a regulation, the restrictions it places on gatekeepers can be enforced directly in national courts and be subject to private damages actions.

The Digital Services Act

The DSA introduces a horizontal legal framework for content, products, and services offered by intermediary service providers. It creates new requirements for all intermediary service providers, including online platforms, together with a new enforcement framework. The regulatory burden imposed by the DSA varies depending on the type of services concerned. It is important to keep in mind that all obligations listed below are subject to change as the DSA is a draft that will need to go through the EU legislative process.

• Covered services. The DSA follows a layered approach with cumulative obligations for online intermediary services depending on their function and size. Specifically, the draft DSA sets forth obligations for four types of service providers: i) intermediary services ("mere conduit" and "caching" services like internet access providers and domain name registrars); ii) hosting services (e.g., cloud and web hosting services); iii) online platforms (e.g., online marketplaces, app stores, and social media platforms); and iv) "very large" online platforms (i.e., platforms reaching more than 10 percent of the then current EU population, the threshold presently being 45 million users). The relevant DSA obligations are cumulative, meaning that each next layer adds obligations on top of all the preceding layer(s)' obligations.
• General obligations. All intermediary service providers must i) publish annual reports on any content moderation they engage in; ii) diligently enforce their terms and conditions, including with regard to content moderation (e.g., removal of fake news); iii) cooperate with national authorities and follow orders to act against illegal content (e.g., take down orders for hate speech or illegal content); and iv) have a point of contact and, where necessary, an EU representative. Providers with no presence in the EU are required to appoint an EU representative. Unlike with EU representatives under the General Data Protection Regulation (GDPR), regulators may hold the EU representative liable for any breach of the DSA.
  • Hosting services. On top of the general obligations, hosting service providers will be required to put online mechanisms in place so that users and companies can notify them of any illegal content. Such mechanisms should be easy to access and user-friendly. These providers will also need to inform users and states of the reasons for taking down any content or when they suspend a user's account due to the user's repeated spread of manifestly illegal content.
  • Online platforms. In addition to the aforementioned obligations, online platforms will be required to establish an internal complaint-handling system where users can contest the platforms' decisions (e.g., to take down fake news). Online platforms would also need to rely on so-called "trusted flaggers" (i.e., entities that can flag any illegal content to the online platforms) and take measures against misuse, such as suspending a user's account for a "reasonable period of time" if the user repeatedly transmits "manifestly illegal content" through the platform (e.g., the sale of counterfeit goods on the platform). Online platforms will also be required to maintain a "Know Your Business Customer" (KYBC) registry before allowing other companies to offer goods and services on the platform, and to notify authorities about any suspicion of criminal offense. Finally, online platforms will have to provide detailed information about the ads shown to users. This includes ensuring that users can recognize sponsored content, and can identify the company responsible for the ad and receive "meaningful information" about the "parameters" used to show the ad to a specific user. These terms are not clearly defined in the DSA.
  • Very large platforms. Further to all the above, very large platforms will be required to: i) conduct annual risk assessments about the use of their services; ii) be subject to annual independent audits regarding compliance with the DSA; iii) appoint company officers dedicated to DSA compliance; and iv) provide access to data that is necessary to prove compliance with the DSA upon request from national authorities or the EC. Very large platforms will additionally be required to provide a publicly available list of advertisements detailing the audience reached for each ad and the "parameters" used to target specific groups of individuals.
• Extraterritorial reach. Similar to the GDPR, the DSA has extraterritorial application. The current draft covers companies with no presence in the EU that: i) have a "significant number" of users in the EU; or ii) intentionally target the EU market (e.g., by expressly accepting payments in euros or by offering the platform in several EU languages). Accordingly, it is expected that a substantial portion of platforms without an EU establishment may become subject to both the GDPR and the DSA.
• Liability. The DSA provides that there will be no general monitoring or active fact-finding obligation for intermediary service providers. Further, liability would not be triggered to the extent that intermediary service providers do not have actual knowledge of illegal activity or illegal content present in their services. However, upon being made aware of such illegality, they will be required to act without undue delay to remove or disable access to the illegal content. Finally, the DSA tries to incentivize intermediary services to conduct voluntary investigations to detect illegal content by immunizing them from liability for findings that come as a result of such investigations.
• Enforcement. The DSA creates a one-stop shop for all intermediary service providers who have an EU establishment or an EU representative. National authorities will be responsible for supervising the EU operations of companies established in their territory and of companies whose EU representative is located in their territory. The DSA creates an EU agency (the "European Digital Services Board") responsible for ensuring consistent enforcement of the DSA across the EU. At this stage, the board's prerogatives are mostly advisory (e.g., issuing guidelines). Furthermore, concerning very large platforms, the EC may impose sanctions directly in cases where national authorities decide not to do so.
• Sanctions. EC may impose fines for very large platforms of up to 6 percent of the company's total turnover in the preceding year, or periodic penalty payments of up to 5 percent of the average daily turnover. Penalties imposed by national authorities could also be in similar ranges.
• Class actions. Civil society organizations and NGOs will be able to lodge class action lawsuits in the event of an infringement of the DSA, on the basis of the EU's Collective Redress Directive, which was recently adopted.

The DSA is expected to create major regulatory obligations and risks for platform service providers, given its broad scope and potentially very high sanctions. It is recommended that intermediary services that will likely be subject to the DSA closely monitor this development.

Conclusion

In terms of next steps, the DMA/DSA proposal will now be discussed by the European Parliament and the Council of the European Union. Together with the EC, these three institutions will then need to agree on the final text before the DMA/DSA package is adopted. This process may take several years, but is expected to seriously change the regulatory landscape for all intermediary service providers and platforms offering their services in the EU. Companies which are the clear focus of the DMA/DSA—such as ISPs, cloud providers, and online platforms—should consider reviewing the draft laws and start assessing how their activities might be impacted by this upcoming legal framework in Europe.

Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and cybersecurity issues and antitrust matters in Europe and beyond. For more information, please contact the firm's privacy and cybersecurity or antitrust practices.