Written by Shaked Feldman Yiftah
The European Union is in the midst of a legislative revolution of the digital economy. As part of its “Digital Decade” strategy, the European Commission is promoting the enactment of a series of regulations that will form the legal framework for digital services operating from or within the EU. The recently enacted Digital Services Act (DSA) and Digital Markets Act (DMA) are at the forefront of the EU’s digital reform.
Both legislations aim to enhance consumer rights and protections in the digital world and increase legal certainty, fairness, and harmonization of the rules that apply to digital service providers. Both will become enforceable at the beginning of 2024. Their potential implications on your business’s operations may be significant. Compliance efforts for these laws may be considerable and complex. Organizations should therefore consider launching their compliance work sooner, rather than later.
The Digital Services Act
Scope. The DSA’s scope of application is quite extensive and it regulates a wide range of online intermediary services. The DSA applies to entities acting as intermediaries that connect consumers in the EU with goods, services, and content. These include internet service providers, web hosting and cloud services, direct messaging services, marketplaces, social networks, app stores, and online travel and accommodation platforms. All online intermediaries offering their services to the EU digital market, whether established within or outside the EU, will have to comply with the DSA.
The DSA distinguishes between three types of intermediaries. “Mere conduit” services provide users with access to communication networks (e.g., internet service providers). “Caching” services transmit users’ information while temporarily storing it (e.g., content delivery networks (CND)). “Hosting” services store user information at their request. The final category includes “classic” hosting services (e.g., cloud services) and online platforms (e.g., social media). It also includes very large online platforms (VLOP) and very large online search engines (VLOSE) with over 45 million monthly active EU users.
Layered Obligations. The DSA’s obligations are layered according to the level of risk that the intermediaries’ operations pose to consumers. The first layer applies to all intermediaries. The second layer applies to hosting services. The third and fourth layers apply to online platforms. The final layer applies to VLOPs and VLOSEs. Generally, these obligations can be classified into five main categories:
- The DSA precedentially governs the obligation of all intermediaries to publish their terms and conditions and to actively inform users of any significant changes made to them. Moreover, the DSA imposes further obligations relating to transparency in advertisements on online platforms.
- All intermediaries must submit annual public reports concerning their content moderation activities. Hosting services are also required to report to authorities any suspicion of criminal behavior regarding their service.
- Content Moderation. All hosting services must implement the unified criteria specified in the DSA for notice and action procedures for reports of illegal content.
- Compliance by design. The DSA requires that online platforms design their interface in a manner that does not impair the users’ ability to make free and informed decisions, and that allows traders to comply with their obligations under EU law.
- Risk Management. The DSA requires that VLOPs and VLOSEs perform and publish yearly risk assessments, adopt measures to mitigate those risks, implement a crisis response mechanism, and perform yearly independent audits.
Penalty. Fines for non-compliance may be as high as 6% of the company’s annual worldwide turnover. In cases of continued infringement, a daily added fine of up to 5% of the average daily worldwide turnover is imposable.
Applicability. The DSA entered into force on November 16, 2022. It will become generally enforceable on February 17, 2024. Yet, providers designated by the European Commission as VLOP or VLOSE may have to comply within four months of receiving their designation.
The Digital Markets Act
Scope. The DMA governs the activities of “gatekeepers”, which are major digital service providers operating in the EU, who, in the preceding three years have had:
- A yearly turnover of at least €7.5 billion, or a yearly fair market value of at least €75 billion; and
- At least 45 million monthly active users who are individuals, or, if the company is located within the EU, at least 10,000 yearly active business users.
A company is a gatekeeper only if the European Commission announces so.
Rules of Conduct. The DMA specifies rules of fair conduct for gatekeepers, concerning both consumers and small competitors. Among other things, the DMA requires that gatekeepers allow their competitors to inter-operate with their services (e.g., by allowing them to offer and promote their applications on the gatekeepers’ app store), and to engage with end users outside the gatekeeper’s platform.
The DMA also prohibits gatekeepers from exercising discriminatory practices, such as favoring their own products on their platforms and imposing illegitimate restrictions on end-consumers (e.g., preventing users from uninstalling gatekeeper’s pre-installed software or app).
Penalty. The DMA imposes unprecedented fines of up to 10% of the gatekeeper’s total worldwide annual turnover, and up to 20% for repeated infringements. In case of recurring infringements, non-monetary remedies are imposable, such as remedies relating to the organizational structure or business conduct.
Applicability. The DMA entered into force on November 1, 2022. Potential gatekeepers must inform the European Commission of their number of users by July 2023. The Commission will designate relevant entities as gatekeepers by September 6, 2023. The DMA will become enforceable within six months from designation, i.e., in March 2024, at the latest.
Conclusions
The DSA and the DMA can impact your business activities in the EU. It warrants the planning and implementation of changes to your internal and external policies and legal documents, as well as to the structure and features of your service, well ahead of the DSA and DMA becoming enforceable.
As always, we are available for any questions in this matter.
Cyber, Privacy and Copyright Practice Group,
Shaked Feldman Yiftah, ADV. SFeldman@PearlCohen.com
This memorandum does not comprehensively cover all the aspects of the issue. It is intended only to provide a general update and should not be relied upon as legal advice.