“I’ve been wondering how to give a metaphor because these are two quite complex proposals. And the best thing I came to think of was the first-ever traffic light that brought order in the streets, that was actually in the US, in Cleveland Ohio. And that was invented as a response to a major technological disruption: the invention of cars. And I think, just like back then, it is more than hundred years ago, now we have such an increase in the online traffic that we need to make rules that put order in the chaos.”
Thus spoke Commissioner Vestager on the occasion of the publication of the Commission’s proposals for the Digital Services Act (DSA) and the Digital Markets Act (DMA) on 15 December 2020. This statement leaves little doubt about the magnitude of the Commission’s ambitions: the goal seems to be to set the template for the regulation of digital markets within the EU with a potential global radiance effect.
Up to this point, the EU has admittedly not been a global frontrunner in the area of digital market regulation. The main legal framework regulating online markets currently in place is the e-Commerce Directive, adopted in 2000. To continue on Vestager’s metaphor of traffic regulation: digital markets have evolved so rapidly since the turn of the century that any attempt to regulate them with a piece of legislation from that day and age could be compared to the police trying to chase speeding motorists in horse-drawn carts. Now, however, it is the Commission’s aspiration that the EU regulatory framework for the digital sector could potentially become a global yardstick for enforcement on digital markets. Has the Commission succeeded in this ambitious aim? In this post, we make up an initial, high-level balance.
Digital Services Act
The DSA is the most broadly applicable of both pieces of envisaged legislation and is meant to apply to all providers of intermediary services, although certain provisions only apply to digital platforms and very large platforms, respectively. The latter are defined as platforms that provide their services to a number of average monthly active recipients of the service in the EU equal to or higher than 45 million (which equals approximately 10% of the EU population).
According to the Commission, “[i]t will give better protection to consumers and to fundamental rights online, establish a powerful transparency and accountability framework for online platforms and lead to fairer and more open digital markets.” The DSA intends to impose rules and obligations in inter alia the following areas:
- measures to counter illegal content online, including goods and service;
- new rules on traceability of business users in online market places, to help identify sellers of illegal goods;
- effective safeguards for users, including the possibility to challenge platforms’ content moderation decisions;
- transparency measures for online platforms, including on the algorithms used for recommendations;
- obligations for very large online platforms to prevent abuse of their systems by taking risk-based action, including oversight through independent audits of their risk management measures;
- researchers will have access to data of core platforms, in order to scrutinise how platforms work and how online risks evolve;
- an oversight structure to address the complexity of the online space.
In addition, Member States will be required to designate competent authorities – the Digital Services Coordinators – with the task of supervising compliance of the services established on their territory with the new rules and to participate in the EU cooperation mechanism of the DSA. We could imagine that many Member States will entrust this task to their competition authority, but this of course remains to be seen. These Digital Services Coordinators – and not the Commission – are meant to be main enforcers of the DSA: an arrangement rather like under the GDPR of which national authorities are also the main enforcers.
Digital Markets Act
By contrast, the Digital Markets Act aims to equip the Commission with enforcement tools of its own. According to the proposal, the DMA shall only be enforced by the Commission. Unlike under Articles 101 and 102, no co-enforcement by national authorities is anticipated. We could imagine that this exclusive enforcement role for the Commission could prove controversial for certain Member States in the course of the legislative procedure. Should these prove to be the case, national governments may introduce their own legislation, as long as such legislation and its enforcement would not be contrary to EU law.
It was already anticipated (see e.g. our earlier blog) that the DMA would apply to ‘gatekeeper’ platforms. One of the biggest mysteries that surrounded the prelude to the DMA’s publication, was however how such gatekeepers would be defined. According to the proposal, the DMA shall apply to a provider of core platform services that:
- has a significant impact on the internal market;
- operates a core platform service which serves as an important gateway for business users to reach end-users; and
- enjoys an entrenched and durable position in its operations or it is foreseeable that it will enjoy such a position in the near future.
While these criteria entail the possibility of being applied rather broadly, the proposal also lays down a set of cumulative conditions that – if met a provider of core platform services – entail a rebuttable presumption of being a gatekeeper. These are:
- an annual EEA turnover equal to or above EUR 6.5 billion in the last three financial years, or an average market capitalisation or the equivalent fair market value of at least EUR 65 billion in the last financial year, as well as providing a core platform service in at least three Member States;
- more than 45 million monthly active end users established located in the EU and more than 10,000 yearly active business users established in the Union in the last financial year;
- the condition mentioned under (b) must be fulfilled for a period of at least the last three financial years.
A platform that meets these conditions is obliged to notify this to the Commission within three months after those thresholds are satisfied. Such a platform may, in its notification, present arguments why it should not be designated as a gatekeeper despite meeting the applicable thresholds. The Commission may also, after a market investigation, designate other platforms that do not fulfil the turnover and user criteria as gatekeepers. We observe that whilst the proposal gives the ECJ (in practice the General Court in the first instance) a power of legal review in respect of fines and penalty payments imposed under the DMA, this is not explicitly stated for Commission decisions designating a platform as a gatekeeper. It, however, appears that such a judicial review should be possible since a platform is of course directly and individually concerned by a decision designating it as a gatekeeper and the effects of such a decision on its business may be substantial.
Rules and obligations
According to the proposal, gatekeepers must comply with extensive lists of do’s and don’ts explicitly laid down in the proposal. According to the Commission, the most important do’s include the following:
- allowing third parties to inter-operate with the gatekeeper’s own services in certain specific situations;
- allowing their business users to access the data that they generate in their use of the gatekeeper’s platform;
- providing companies advertising on their platform with the tools and information necessary for advertisers and publishers to carry out their own independent verification of their advertisements hosted by the gatekeeper;
- allowing their business users to promote their offer and conclude contracts with their customers outside the gatekeeper’s platform.
Important don’t’s mentioned by the Commission are:
- Gatekeepers may no longer block users from un-installing any pre-installed software or apps;
- Gatekeepers may not use data obtained from their business users to compete with these business users;
- Gatekeepers may not restrict their users from accessing services that they may have acquired outside of the gatekeeper platform.
The lists are however much longer and inter alia also include (i) a prohibition to combine personal data sourced from the core platform services of the gatekeeper with personal data from any other services offered by the gatekeeper or with personal data from third-party services (without an explicit user choice and consent as stipulated in the GDPR), (ii) obligations on ensuring data-portability for users, and (iii) on not imposing certain types of most-favoured nation clauses in contracts, as well as (iv) a prohibition on self-preferencing.
These lists of do’s and don’ts are (at least partially) the result of the Commission’s and national competition authorities’ gained experience in enforcing the existing rules on competition. Says Vestager: “(…) from the cases that the Commission has been doing, where I have been responsible for, is not in one, not in two but in three Google cases, and also in the first Amazon case concerning e-books we have seen this behaviour. Many national authorities have also dealt with the issues caused by digital platforms as in the Booking.com cases.” In addition, the aforementioned obligation to refrain from combining personal data shows clear similarities with the German Bundeskartellamt’s 2019 decision regarding Facebook.
Sanctions and other measures: breakup as last resort
The Commission may impose specific measures on gatekeepers ensuring compliance with these do’s and don’ts. In cases of non-compliance, it may also impose fines (of up to 10% of group turnover, just as for infringements for Articles 101 and 102 TFEU), periodic penalty payments and commitments. In cases of systematic non-compliance, the Commission may also impose structural remedies, i.e. actually break up companies. It may, however, be expected that the Commission will use this last instrument very scarcely, if at all. The Commission has never used it under Article 102 and Vestager is sceptical about using this instrument, although she does not exclude its use as a “last resort”. According to an anonymous quote from ‘Brussels’ in the Financial Times, the imposition of forced disinvestments should be considered in particular if a company breaks the rules three or more times. In addition, it would appear that an EU attempt to break up what are generally US companies could be difficult to realise in practice unless such an attempt would have the support of the US authorities.
Did the Commission indeed propose the digital equivalent of the traffic light?
It would appear that if both proposals were to pass in (something like) their current form, the reality for ‘big tech’ and its users may change quite significantly.
As things stand, the DMA, in particular, appears to provide the Commission with credible instruments for regulation. Interesting in this respect is that the Commission has more or less abandoned its original plan to introduce a genuine ex-ante enforcement instrument, to impose measures on digital platforms with significant market power even in the absence of (demonstrated) abusive conduct (the New Competition Tool; NCT). Indeed, Vestager has explicitly confirmed that the Commission will not propose a separate, more ‘general’ NCT in addition to the obligations in the DMA. Instead, the Commission has chosen to lay down a clear set of rules that (in principle) shall apply to platforms meeting clearly defined thresholds and may in addition be imposed by a decision on platforms that fall short of meeting these thresholds.
The Commission’s choice to come up with extensive lists of obligations and prohibitions rather than a more general ex-ante instrument could facilitate more effective enforcement. The obligations of assessment and compliance are placed on the tech firms themselves, with the Commission ‘only’ needing to monitor whether they are indeed complied with. This could facilitate a more speedy intervention in comparison to a situation where the Commission would need to (i) first discover and identify a potential problem, (ii) subsequently investigate whether the platform causing that problem indeed enjoys substantial market power, and (iii) formulate an appropriate remedy. Such a process could turn out to be almost as time-consuming as a regular investigation under Article 102 TFEU. Consequently, a clear set of rules as currently proposed may very well prove itself a much more useful ‘traffic light’.
It now remains to be seen how much of the proposals will actually turn into applicable EU legislation and when (2023 is currently the expectation). This will depend on the one hand on the effectiveness of ‘big tech’s’ potential campaigns to try to amend the proposals in the course of the legislative process. On the other hand, these attempts may encounter (potentially fierce) resistance from certain MEPs. In this respect, the role of the Member States may prove decisive in how things shall eventually shape up. Initial reactions among the Member States, however, appear to be generally positive.
We intend to closely monitor this process, and publish various posts going into specific details of the proposed new regulatory framework on the way. It promises to become a most interesting journey…