Deciphering the Code: the EU’s Digital Packages Act

Authors: Andrew J. Zammit & Jessica Camilleri

The Digital Services Package was adopted by the Commission on the 5^th of July 2022 and is currently undergoing its implementation phase. It includes both the Digital Services Act and the Digital Markets Act. It is evident that both Acts are being implemented with the aim of creating an enhanced sense of uniformity with regards to the regulation of a safe digital space where the fundamental rights of users are protected, as well as to establish a level playing field for businesses in the ever-growing tech industry. However, even though the Digital Services Act and the Digital Markets Act are proposed simultaneously, they are entirely different instruments, creating distinct rules and procedures which are to be complied with.

The raison d’être behind the DSA is to enhance the regulation of online intermediaries, which may be both large online platforms and smaller intermediary ones. The DMA, however, caters for so-called “gatekeepers”, who essentially offer core platform services which act as a bridge between companies and consumers for a range of digital services.

The Digital Markets Act

Purpose

Since European rules on e-commerce hadn’t been updated for around 20 years and given the dramatic evolution of the speed and capabilities of the internet infrastructure, the EU felt that a new framework was required to navigate specific uncertainties. The Digital Market’s Act (DMA) is the EU’s most recent law, designed to make the digital sector safer, fairer and more contestable. In order to achieve this, the DMA establishes several objective and specific criteria in order to qualify a large online platform as a “gatekeeper”. The Digital Markets Act specifically caters for the widespread evolution and growth of digital services including online services and internet infrastructure services as well as online platforms, which evidently requires supervision in order to prevent unfair competition from occurring within the European Single Market. It can be said that it was the best of times, it was the worst of times, since entities did not have to undergo such extensive compliance procedures, however these new developments may be the best of times, with this framework being the catalyst for innovation which may finally provide a new incentive for start-up companies.

Both businesses entities and consumers cannot circumvent the large digital platforms which are endowed with a certain degree of dominance within the tech industry. Gatekeeper platforms essentially benefit from this by working independently and to their own advantage in relation to companies using their platforms, therefore making it more difficult for potential competitors to be successful. The Commission is aware that by having tech giants such as Microsoft or Google potentially embarking on unfair practices, which will in turn result in less potential competition, shortcomings in the digital sector will grow, with the potential associated risks of having lower quality products, higher prices, less variety and less innovation within the Union which will ultimately result in a large disadvantage to the European Single Market and more importantly, the consumer.

What is a gatekeeper?

The DMA is complex and has many facets, but its overall approach is to place new requirements and restrictions on online “gatekeepers” which essentially include de-facto digital market bottlenecks. Article 2 of the DMA is the main article which describes who would fall under the category of gatekeeper. The Commission, on the other hand, essentially identifies gatekeepers by assessing whether the said platform operates a ‘core platform service’ (CPS). A core platform service may include an online search engine, an online social networking service, video-sharing platform services as well as other entities which “enjoy an entrenched and durable position in its operations” as defined by the Directive.  

For one to be able to establish whether a provider is covered by the DMA requires a combination of qualitative or quantitative tests, which are still to be clarified by the Commission. It has however been mentioned by the Commission that one such criterion may include having achieved an average annual turnover of at least 6.5 billion in the European Economic Area in the last three financial years, which reduces ambiguity in this context.

It is interesting to note that gatekeepers are responsible to undertake a self-assessment and report to the Commission accordingly should the criterion of if the quantitative criteria are met if appropriate, report to the Commission for the provision of the core platform services. It is important to add, however, that the designation of this “gatekeeper” title may be designated to any operator by the Commission with or without this self-assessment.

In terms of the DMA, these so-called “gatekeepers” must comply with some key requirements intended to dilute and regulate the power of the larger digital companies within the industry. Should a gatekeeper systematically fail to comply with the provisions of the Digital Markets Act, the European Commission is empowered to open a market investigation and if necessary, impose structural remedies or behaviour remedies. It is only those “gatekeepers” that operate core platform services in relation to data, advertising, e-commerce, interoperability and the commercial relationship between service providers, customers and end users that will be required to comply with the obligations listed under the DMA. In this way, the EU will take a proactive role as it will be allowed the ability to observe where large, dominant tech companies take governance of the Single Market

The DMA will ban gatekeepers from engaging in unfair competition behaviours, which may limit the contestability of core platform services. To enforce these prohibitions, the DMA enables the European Council to carry out market investigations and sanction non-compliant behaviour. The legislation is intended to target companies providing so-called “core platform services”, which legislators have deemed the most prone to unfair business practices and therefore consumer harm, including search engines, social media networks, e-marketplaces and web browsers.

Furthermore, This Directive lays out that it is only those companies meeting the required criteria as laid out in the Directive which will be deemed “gatekeepers” and, therefore, subject to the proposed restrictions. The obligations which the Digital Markets Act establishes includes obligations which gatekeepers are to implement in their day-to-day business practices. The Digital Markets Act provides a few examples in this regard, including allowing end users to unsubscribe from core platform services of the gatekeeper, allow end users to easily uninstall pre-installed apps or alter default settings on operating systems or web browsers. On the other hand, gatekeepers will not be permitted to track end users outside of the gatekeepers’ ore platform service for the purpose of targeted advertising without effective consent having been granted.

The DMA effectively reflects a shift from ex post antitrust intervention to ex ante regulation and will radically change how large digital platforms are allowed to operate in the EU.

Practical Issues

New, time-sensitive obligations

Gatekeepers are obliged to comply with the new rules laid out in the DMA within a time period of 6 months of being designated as such and will be added to a list which is to be maintained by the Commission. Every 2 years, the Commission will analyse whether the designation of gatekeeper would continue to apply.

A shot in the dark?

The fact that formal guidance has yet been published by the European Commission, has created a palpable sense of doubt within the industry, particularly given the short timeframe that gatekeepers are given to comply with said requirements. It can be also expected that the new DMA rules will require gatekeepers to alter their business model and could also have the effect of discouraging operators from expanding their user-base if such expansion would effectively place them under the heading of gatekeeper.

Effect on the User

The  DMA requirements are designed to break down the competition barriers faced by businesses competing with tech giants. Following the implementation of the DMA a gatekeeper is no longer able to compile customer information from all the company’s services into a single profile, without the end-user’s consent. This limitation is likely to cause gatekeeper services to become less individualized and integrated, requiring more “cookie banner”-style demands for the user’s consent for the sharing of their personal data across the gatekeeper’s various offerings.  

A Zero Tolerance Policy

The DMA grants the European Council broad investigative and enforcement powers to initiate market investigations to designate gatekeepers, examine and monitor non-compliance, and impose fines and penalties. Additionally, national authorities are expected to assist and liaise with the European Council, where appropriate and in the event of non-compliance, the EC may impose fines on gatekeepers of up to 10% of the gatekeeper’s total worldwide turnover in the preceding financial year, and fines for repeat infringements may be up to 20 percent of total worldwide turnover, in addition to periodic penalty payments. The DMA may also issue fines of up to 5% of the average daily turnover in the preceding business year if the gatekeeper refuses to cooperate in a market investigation due to systematic non-compliance. A fine of up to 1% of the annual turnover in the preceding year may be imposed for the provision of incorrect or misleading information, provided to the Commission.

The DMA imposes a series of far-reaching obligations on gatekeepers, signalling a new era of digital regulation for the EU, that may be replicated elsewhere.

The Digital Services Act

The Digital Services Act (DSA) on the other hand is a horizontal instrument which keeps the consumer at the forefront by emphasizing the importance of transparency and the requirement for the protection of consumer rights and protection on the online environment as well as provide opportunity for digital start-ups. This is done by creating duties which regulators must carry out which target the different types of intermediary services which in turn affect and influence consumers. The aim of this instrument is to introduce a system of accountability and mutual trust, ensuring that service providers will be held liable for content moderation operations within the digital sphere.

In fact, according to the impact assessment published by the European Union in June 2022, as officially stated therein, the general objective is to ensure the proper functioning of the single market, especially the provision of cross-border online intermediary services. Furthermore, there are also specific objectives which aim at (i) maintaining a safe online environment, (ii) improving conditions for innovative cross-border digital services, (iii) empowering users and protecting their fundamental rights online, and (iv) establishing an effective supervision of digital services and cooperation between authorities.

The salient regulatory legal initiatives emanating from the DSA relate to measures catered specifically to prohibit the distribution of illegal goods, services, or content online, as well as measures empowering users and society at large. For example. The DSA envisages a mechanism for users to easily flag illegal content and provides a means by which such platforms may interact and contrive with said flaggers. The DSA also brings to fruition safeguards for the protection of minors and limits on the use of sensitive personal data for targeted advertising practices.

Shielding the User

The Directive refers to the implementation of measures designed to reduce illicit activity which are expected to be conducive to achieving a uniform Single Market which will aid start-ups and innovators to operate on a level playing field and create a safer digital space. It is expected that the DSA will become fully applicable across the EU on 17^th February 2024 for all entities which it targets. It is predicted that, by this time, each EU Member state will be required to appoint a regulatory body known as the Digital Services Coordinator (DSC) who will be bound to act independently. This body will be responsible for enforcing codes of conduct on smaller platforms established within that same Member State as well as liaise with the Commission as well as other DSCs on an ongoing basis to enhance transparency within the Union. This will be achieved by imposing the obligation on search engines and platforms to report the number of their active end users to the European Commission, which is done with the goal to begin determining which platforms and search engines would qualify as a Very Large Online Platform (VLOP) or as a Very Large Online Search Engines (VLOSE). The purpose behind this designation is to be able to allocate compliance rules accordingly, such as publishing annual risk assessments as well as imposing rules on content moderation and regularly updating their Terms and Conditions and ensuring said terms are readable to all users. The Commission will have direct oversight and enforcement authority over very large online platforms and search engines, and it can, in the most critical circumstances, impose fines of up to 6% of a service provider’s annual global revenue

In the fine print

Practical outcomes of the Digital Packages Act include, but are not limited to having multiple app stores, since gatekeepers will be obliged to allow third party app stores to compete with their own. A possible issue with this is that users might be more easily misled into installing malicious software if Apple and Google were to permit the installation of unapproved apps and app shops.  Additionally, gatekeepers will be obliged to allow consumers access to data on their commercial activities. Finally, there will be a complete eradication of automatic sign-ins, known as APIs, which has become custom practice by platforms such as Google (such as logging into YouTube via Gmail), and finally, a ban on prompting end-users to sign up for “ancillary services”. It is commonplace that users are not typically interested in taking the risk of leaving the larger tech companies’ platforms’ ecosystem, due its seamless procedures from the end-user’s point of view, as major digital platforms make sure that their own services integrate smoothly and securely. It may be argued that the DMA will initially make services in the digital sphere worse before they get better, to enhance competition and to prompt consumers to explore their choices. 

Whereas the DSA provides rules which apply to players of any size, the obligations imposed through the DMA is predominantly focussed on the largest tech platforms. Digital Europe, which is a trade association composed of members including dominant tech platforms Google and Facebook, has revealed the DSA has been welcomed into the regulatory framework, whereas the DMA has not received such a warm welcome and has, in fact, received criticism for tweaking.  This is not surprising, since it has been shown that larger tech companies could be facing fines running into billions of Euros.