The European Commission’s proposals for Digital Markets Act and Digital Services Act: new ex ante obligations for digital gatekeepers & update of e-commerce regulatory framework

Contact People

Stamatis Drakakakis

Stamatis Drakakakis

Partner

vcard

LEARN MORE

Ellie Gavriilidou

Ellie Gavriilidou

Associate

vcard

LEARN MORE

Athina Skolarikou

Athina Skolarikou

Partner

vcard

LEARN MORE

Antonis Giannakodimos

Antonis Giannakodimos

Partner

vcard

LEARN MORE

On 15 December, the European Commission (“Commission”) published its legislative proposals for the Digital Markets Act (“DMA”) and the Digital Services Act (“DSA”). The proposals introduce new ex ante obligations for a wide range of firms active in the digital sphere, as well as significant new competences and powers for the Commission and newly established national authorities in regulating conduct in the digital sector, including the power to impose fines.

A. Digital Markets Act: regulating “gatekeepers”

The draft DMA lays out certain ex ante obligations (a list of “do’s and don’ts”) for digital companies that qualify as “gatekeepers”, and vests the Commission with powers to enforce those obligations.

Gatekeeper characterisation
The “gatekeeper” characterisation will be accorded to any provider of “core platform services”[1] that fulfils the following, cumulatively required, conditions:

  1. it has a significant impact on the internal market, which is presumed to be the case if the company achieved an annual turnover in the European Economic Area (“EEA”) of at least EUR 6.5 billion in the last three financial years, or if the company’s average market capitalisation or equivalent fair market value indicator amounted to at least EUR 65 billion in the last financial year, and it provides a core platform service in at least three EU Member States;
  2. it operates a core platform service which serves as an important gateway for business users to reach end users, which is presumed to be the case if the company operates a core platform service with more than 45 million monthly active end users established or located in the EU and more than 10,000 yearly active business users established in the EU in the last financial year; and
  3. it enjoys an entrenched and durable position in its operations, or is expected to enjoy such a position in the near future, which is presumed to be the case if the company met criteria (i) and (ii) above in each of the last three financial years.

The characterisation of firms as “gatekeepers” is a competence that lies exclusively with the Commission. Companies have to self-assess whether they fulfil the “gatekeeper” thresholds mentioned above, and will have to inform the Commission accordingly within three months after they start to meet those thresholds (after the date of entry into force of the DMA, if they already meet thresholds at that time). A company can be designated as a gatekeeper even if it does not meet the presumptive thresholds, based on a case-by-case assessment by the Commission, taking into account factors such as size, turnover, number of users, entry barriers, scale and scope effects, user lock-in and other market characteristics.

After the company has notified the Commission, the latter will have 60 days to assess the information and reach a decision on whether it will designate the company as a gatekeeper. In its assessment, the Commission has to take into account any rebutting evidence submitted by the company with its notification to substantiate that, even though it meets the quantitative thresholds mentioned above, it should not be designated as a gatekeeper based on the particular circumstances in which it operates.

The Commission is required to review its “gatekeeper” designations every two years or at any point in time either upon request of the company concerned or on its own initiative if the decision was based on information that has either substantively changed or is proven to have been incomplete, incorrect or misleading in the first place.

Ex ante obligations
Designated gatekeepers are assigned a list of “do’s and don’ts” under the draft DMA, to which they will be required to adhere within 6 months of receiving the “gatekeeper” designation. The obligations are broken down into two categories:

  1. self-executing obligations”, which are applicable as such across the board to all gatekeepers and address certain “core” issues relating to the preservation of a competitive digital playing field, such as: to refrain from combining personal data sourced from their core platform services with personal data from other services of the gatekeeper or third parties, unless the end user has provided express consent; to allow business users to offer different prices or conditions to end users through online intermediation services other than those operated by the gatekeeper; and to refrain from requiring business users or end users to use other core platform services as a condition to access the gatekeeper’s core platform services.
  2. obligations susceptible to specification”, which can be further defined based on the particular circumstances of each gatekeeper, in the context of the core platform services which they operate, such as the obligations: to refrain from using non-public data generated through business users’ activities on the platform, to compete with said business users; to allow end users to uninstall pre-installed software applications on the gatekeeper’s core platform service, unless such applications are essential for the functioning of the operating system or the device and cannot be offered on a standalone basis by third parties; and to refrain from treating more favourably in ranking services and products offered by the gatekeeper itself or by any third party belonging to the same undertaking compared to similar services or products of third parties, and to apply fair and non-discriminatory conditions to such ranking.

Market investigations
The Commission may conduct market investigations (on its own initiative or following a request by a Member State), with the aim of evaluating:

  1. a “gatekeeper” designation;
  2. the inclusion of a new service in the list of “core platform services” or a new practice to the list of conducts considered contestable under the DMA; or
  3. the (non-)compliance of a “gatekeeper” with its obligations under the DMA (see next section).

It is notable that the original approach put forth by the Commission for its “digital package” envisioned a significantly broader market investigation tool (dubbed the “New Competition Tool – NCT”), which would have potentially given the Commission the power to conduct wide-ranging market investigations into structural market concerns. The NCT was met by strongly divergent views by stakeholders, including fierce criticism regarding its scope, necessity, proportionality, and legal basis in the Treaty on the Functioning of the EU. This controversy likely played a role in the Commission’s decision to opt for a narrower market investigation tool in the draft DMA.

Obligation to inform about concentrations
Under the draft DMA, gatekeepers are required to notify to the Commission any and all concentrations they undertake in the digital sphere, even if those concentrations do not meet the notification thresholds of the EU Merger Regulation. However, it is notable that this is only an information-giving obligation, i.e. it does not amount to a full-blown merger control review process.

Enforcement powers
The draft DMA vests the Commission with enforcement powers very similar to those it holds with respect to antitrust: the Commission can launch formal non-compliance proceedings, issue requests for information (“RFIs”), carry out on-site inspections (“dawn raids”), take interim measures and accept commitments, and impose fines (maximum 10% of the gatekeeper’s total turnover in the last financial year) and periodic penalty payments.

B. Digital Services Act: New rules for online intermediaries & new supervisory authorities

The draft DSA essentially constitutes an update to the 2000 e-Commerce Directive, in that it lays down a comprehensive EU regulatory framework for the provision of online intermediation services (apart from competition law enforcement), updated so as to address the paradigm-shifting digital developments of the past 20 years.

The Regulation is envisioned to apply to: intermediary services offering network infrastructure, such as internet access providers and domain name registrars; hosting services, such as cloud and webhosting services; online platforms bringing together sellers and consumers, such as online marketplaces, app stores, collaborative economy platforms and social media platforms; and very large online platforms (reaching at least 45 millionmonthly users on average), which are considered a separate category, with specific additional rules applicable for them.

It should be noted that the framework established through Regulation (EU) 2019/1150 (the “P2B Regulation”) for the promotion of fairness and transparency for business users of online intermediation services, which aims to ensure that business users of such services and corporate website users are granted appropriate transparency, fairness and effective redress possibilities, will apply as lex specialis[2] to the rules set out in the DSA.

The key elements of the draft DSA are the following:

Rules applicable to all online intermediaries
The draft DSA lays out detailed rules and conditions regarding the liability (and absence thereof) of online intermediaries in various contexts, aiming to ensure their accountability for the systemic risk they pose. Notably, the DSA provides for an exemption from liability for online intermediaries regarding third-party information which they transmit and store. This applies for intermediaries such as providers of mere conduit (i.e. providing network access or transmission services), caching (i.e. storing data to make transmission more efficient), and hosting services (i.e. storing data provided by users).

Furthermore, the draft legislation imposes on all provided or online intermediation services the following obligations:

  1. to establish a single point of contact for direct communication with Member States’ authorities, the Commission and the European Board for Digital Services;
  2. to designate a legal representative in the EU (when no establishment in the Union);
  3. to set out in their terms and conditions information on any restrictions they impose relating to the use of their services and to enforce those restrictions in a diligent, objective and proportionate manner; and
  4. to publish annual reports on content moderation actions (e.g. removal of illegal conduct).

Rules specific to hosting services and online platforms
Under the draft DSA, hosting services (including online platforms) are required to establish complaint mechanisms for the reporting of illegal conduct on the service. Additionally, online platforms (excluding micro or small enterprises) are required, among else, to:

  1. establish an internal complaint-handling system, whereby recipients of the service can lodge complaints against the platform’s decisions;
  2. engage in good faith in the out-of-court procedure of the recipient’s choice, to resolve disputes arising out of the decisions mentioned under (i);
  3. suspend, for a reasonable time period, the provision of their services to recipients that frequently engage in manifestly illegal conduct;
  4. ensure the traceability of traders when the latter conclude distance contracts through the platform;
  5. ensure that recipients can clearly identify advertisements, the entity on whose behalf the advertisement is being displayed, and meaningful information on the main parameters used to target the advertisement recipient.

Additional rules for very large online platforms
The draft DSA imposes additional obligations on very large online platforms (reaching at least 45 million monthly users on average). Such platforms are indicatively required to:

  1. identify, assess and mitigate systemic risks[3] stemming from the provision of their services;
  2. set out clearly and plainly in their terms and conditions the main parameters used in their recommender systems;[4]
  3. share data with authorities, independent auditors, and vetted researchers on how they comply with the rules;
  4. abide by stricter advertising transparency standards;
  5. appoint “one or more” compliance officers, responsible for making sure that a company abides by the obligations.

Supervision and enforcement: joint enforcement by Commission and new national regulator
The draft DSA proposes a comprehensive oversight and enforcement regime for the covered services. Member States are obliged to appoint a digital service coordinator (“DSC”) to act as a single contact point for the Commission and take part in a new advisory group — the European Board for Digital Services (“EBDS”). 

The draft DSA vests DSCs with investigative powers, including conducting on-site inspections, interviewing staff members, and requesting the production of documents and information. DSCs that detect an infringement will be allowed to order that the conduct ceases, impose interim measures, levy fines (up to 6% of a service provider’s annual global turnover) or periodic payments (up to 5% of average global daily turnover) and accept commitments.

At the EU level, very large platforms are subject to enhanced supervision and potential enforcement by the Commission. The Commission, acting either upon the EBDS’ recommendation or on its own initiative, may initiate proceedings, which shall follow a one-stop-shop process, whereby the Commission itself has the responsibility to carry out the relevant procedure. In case of an infringement, the Commission can adopt fines (up to 6% of the company's total turnover in the preceding financial year) and periodic penalty payments.

C. Next steps

The draft Regulations will now be put to deliberation among stakeholders, in a process which is expected to be marked by considerable debate. Although the Commission’s proposal for a potentially wide-ranging market investigation tool – which was arguably the most controversial aspect of its original proposals – seems to have been put aside for now, there is still likely to be notable divergence of opinion as to whether the new legislation goes too far or instead falls short of the mark on certain aspects, whether the criteria for defining “gatekeepers” have been crafted appropriately, whether the proposed new tools are necessary and proportionate to the perceived challenges etc. In any event, this digital package is expected to have broad-ranging implications for the digital competitive landscape and for conducting business online going forward.

 

[1] “Core platform services” are defined to encompass online intermediation services, online search engines, online social networking services, video-sharing platform services, number-independent interpersonal communication services, operating systems, cloud computing services, and advertising services provided by a provider of any of the above.

[2] For an overview of the P2B Regulation’s key terms, see here.

[3] Three categories of systemic risk are identified: (i) the dissemination of illegal content; (ii) negative effects on the exercise of the fundamental rights of private and family life, freedom of expression and information, the prohibition of discrimination and the rights of the child; and (iii) the intentional manipulation of the platform, with an actual or foreseeable negative effect on the protection of public health, minors, civic discourse, or to the electoral processes and public security.

[4]Recommender system” is a subclass of information filtering system that seeks to predict the "rating" or "preference" a user would give to an item.