Between now and early 2024, the European Union is introducing a range of new directives around data and online services. These regulations aim to protect consumers and citizens, enable safe data sharing, and even prepare for more widespread adoption of artificial intelligence. In the first of a two-part series, we’ll cover the Digital Services Act and the Digital Markets Act.
This blog will look at who those Acts apply to, when they’ll come into force, as well as how and if they interact with the EU General Data Protection Regulation (GDPR). Then in our follow-up blog, we’ll outline the EU Data Act, the Data Governance Act, and the Artificial Intelligence Act.
First off, the Digital Services Act (DSA) will regulate the obligations and accountability of online intermediaries and platforms we use every day.
The EU’s summary outlines the goals of the Act for citizens, digital services providers, business users and broader society. The DSA aims to protect consumers in their online activities, provide them with more choice and lower costs online, and protect them from illegal content. Online intermediaries (which we’ll describe below) will need to provide more certainty in how they offer their services. The EU envisages that smaller platforms and start-ups will have the ability to scale up.
Who’s in scope?
The DSA applies to four types of organisations:
- Intermediary service providers such as search engines, wireless local area networks, cloud infrastructure services, or content delivery networks
- Hosting services that store information at the service user’s request (for example, cloud services and services that enable sharing information and content online, like file storage and sharing)
- Online platforms like social media platforms, message boards and app stores, which also share the information they store with the public at the user’s request.
All organisations will have obligations, but they’ll differ according to their size and the nature of their service. The larger the provider, the greater the number of obligations.
The DSA has extra-territorial scope, just like the GDPR. In other words, it applies to intermediary service providers even if they’re established outside of the European Union, provided they offer services to users within the bloc. (And it also applies to providers based within the EU.)
There are three main criteria that bring a company into scope for the DMA:
- Size: when the company achieves an annual EU turnover of €7.5 billion in each of the last three years and has a market cap of €75 billion in the last financial year in the EEA
- Service: when the company provides a core platform service in at least three EU Member States
- Control: when the company provides a core platform service, or important gateway, to more than 45 million monthly active end users established or located in the EU and to more than 10,000 yearly active business users in the EU. The EU will consider that company’s position “entrenched and durable” if it has reached the second criterion during the last three years.
When does it come into force?
The Digital Services Act was officially published in the Official Journal of the European Union in October 2022 and entered into force on 16 November. From this date, online platforms have three months, until 17 February 2023, to report the number of active end users on their websites. The Act will apply to most services from 17 February 2024.
Key points and obligations
The DSA’s importance lies in the significant new obligations it places on intermediary service providers. The key responsibilities are:
- Transparency reporting: providers must publish annual transparency reports about their content moderation activities
- Clear terms and conditions for providers’ content moderation practices, including easily accessible information on the right to terminate the use of their services
- All intermediary service providers that receive an order to act against illegal content must inform the relevant supervisory authority
- Having a designated single electronic point of contact for official communication with supervisory authorities in the EU
- There must be a notice and action mechanism for content that users consider illegal, e.g. cyber violence and harassment.
What should you do next?
- Know your stuff: be aware of what the Act entails and which deadlines apply to you
- If your organisation falls into the criteria of the DSA, carry out external independent audits to show compliance
- Have procedures and policies in place to demonstrate due process
- Ensure transparency when advertising to consumers
- Carefully monitor content, services and goods which may be deemed illegal
- Have procedures in place for removing illegal goods
- Perform vulnerability assessments to flag any risks which fall under the DSA.
The Digital Markets Act
The Digital Markets Act, or DMA, is the sister act of the DSA. It aims to enable open and fair digital and data markets by fostering competition. It aims to regulate market power based on data and address imbalances or abuses of power by the biggest digital companies. The Act will impose obligations on online platform providers, or “gatekeepers,” to share or to provide access to data.
The European Commission states that the DMA defines when a large online platform qualifies as a “gatekeeper.” Gatekeepers are digital platforms that provide an important gateway between business users and consumers – whose position can grant them the power to act as a private rule maker, and thus create a bottleneck in the digital economy.
How the Act designates companies as a ‘gatekeeper’
The DMA contains objective thresholds for assessing gatekeeper status that closely mirror the DSA. That is, a company has an annual turnover in the EU of €7.5 billion or more in each of the last three financial years, or its average market capitalisation/market value is at least €75 billion in the last financial year. It must also provide the same core platform service in at least three Member States and to an average of at least 45 million monthly active end-users.
When does the DMA come into force?
The DMA entered into force in November 2022. Then follows a six-month period before the rules apply (approximately 2 May 2023). This is a significant piece of legislation that all active players and organisations within the digital markets should be aware of, and not just those to whom the rules apply. The DMA will centralise enforcement power in the EU Commission.
How the DMA interacts with the GDPR
The Act will overlap with the GDPR because datasets may be shared or combined. So, organisations will have to carefully assess the implications of such data processing under the DMA to comply with the GDPR. Together with the Digital Services Act, these new Acts aim to address the negative consequences arising from certain behaviours by online platforms acting as digital gatekeepers to the EU single market.
Gatekeepers have key obligations under the DMA, such as:
- Ensuring users have the right to unsubscribe from core platform services
- Ensuring their instant messaging services’ basic functionalities are interoperable
- Allowing app developers fair access to supplementary functionalities of smartphones
- Giving sellers access to marketing or advertising performance data
- Informing the European Commission of their acquisitions and mergers
- Pre-installing certain important software
- Not ranking their own products or services higher than others’
- Avoiding reuse of private data collected during one service for the purposes of another
- Not establishing unfair conditions for business users.
What to do next if your organisation is within scope?
- Assess if you meet the threshold of a gatekeeper
- Six months after a company is identified as a “gatekeeper”, it will have to comply with the dos and don’ts listed in the DMA
- Ensure transparency for consumers
- Have a process in place for complaint handling
- Have a process for implementing and managing interoperability.
Closing thoughts: Act now?
In its press release announcing the DSA, the EU described the Act as a “landmark” set of rules that will impact how online intermediaries need to design their services and procedures. It talked of the DSA as a “first-of-a-kind regulatory toolbox globally”. EU vice president Margrethe Vestager hailed the DMA for its ambition to “change the digital landscape profoundly”.
GDPR was similarly far-reaching and it’s definitely caused organisations to change their privacy and data protection processes. With these latest Acts, we applaud the ambition; now we await the outcome. Some of the details are still vague, so we’ll need to see how the Acts operate in practice.
Over the coming weeks, we’ll publish the second part of this blog, looking at the EU Data Act, the Data Governance Act, and the Artificial Intelligence Act.