New EU Regulation to Impact Digital Services in 2022

The Digital Services Act (DSA) and the Digital Markets Act (DMA) have been voted through in the European Union (EU) Parliament (on 19 January 2022 and 15 December 2021, respectively), meaning the EU can now start negotiations with member countries and plan for their entry into force. Both pieces of legislation are set to significantly impact the digital services landscape in the Union, notably around market competition rules, creating a single set of applicable regulations across member countries. All organizations doing digital business in the EU and offering digital services to EU citizens will have to be compliant, regardless of headquarter location. This includes online intermediation services, online search engines, operating systems, online social networking, video sharing platform services, number-independent interpersonal communication services, cloud computing services, and online advertising services, among others (collectively identified as core platform services). The regulations are in part a reform of existing legislative instruments and in part an addition to them (i.e., the e-Commerce Directive, P2B Regulation, GDPR, and EU competition rules).

The DSA and the DMA are two different, but related, sets of regulation. The DSA is mainly concerned with creating safe digital spaces and is focused on the protection of end users, whether those are companies or individuals. As digital spaces continue to exert increasing influence over and consume ever more space in users lives, the goal of the DSA is to bring to account those digital service providers that threaten fundamental rights, either by enabling harmful and illegal content or through unscrupulous corporate tactics (e.g., aggressive marketing, disinformation, biased algorithms, etc.) that may breach privacy or anti-discrimination laws.

The DSA includes rules on better recourse to judicial redress, detailed ‘notice-and-action’ mechanisms, tighter requirements around online (and targeted) advertising, and on the development and use of smart contracts. These new due-diligence obligations for service providers aim to provide more transparency, fairness, and accountability to users under threat of penalties for non-compliance (to be decided by member states). Additional rules are set out for very large online platforms with undue influence.

What this means in practice is that service providers will have to be much more proactive in monitoring content hosted on their platforms and addressing information/action requests by users, as well as providing much greater transparency on how operations run behind the scenes, notably for algorithms. Both these requirements will be a big change from the status quo; the former because service providers have limited themselves to monitoring what is illegal in the strictest sense of the term and the latter because behind the scenes processes are closely guarded corporate secrets. Overall, the effect of the DSA will be bring to account providers of digital services, in the interest of consumer protection.

The DMA is a complementary regulation that focuses more specifically on competition rules and attempts to level the playing field by reducing the potential harmful impact of dominant platforms (notably weak contestability and unfair practices through abuse of a dominant position). The rules define a new category of such dominant players as gatekeepers and effectively sets out many new requirements and obligations for digital service provisioning and core platform services. Among many other obligations, gatekeepers will not be allowed to provide their own services preferential treatment or prices in contrast to those of third parties present on their platforms, or combine personal data derived from one service with another (e.g., WhatsApp with Facebook) or require subscription to a service in order to access another. The DMA is set to impact advertising business models, as well as interoperability of digital services. Penalties for breach will result in a minimum level of fines of 4% and up to 20% of total turnover, as well as the threat of restrictions in the Mergers and Acquisitions approval at the EU Commission level for those engaged in systematic non-compliance.

While the merits of the new regulations are triggering heated debate among various stakeholders, there will be little that even the most powerful core platform providers will be able to do about their entry into force. The DSA and the DMA will become law, and all EU-facing digital service providers will have to comply. Much like the GDPR before it, service providers need to start paying attention to how the regulations will affect them, and what they need to start implementing in order to ensure compliance. In large part, the new regulations will likely set off a series of long-winded and complex regulatory battles between those likely to be designated gatekeeps and the EU Commission; not unlike the technology battles fought at the turn of the century by Microsoft for its Windows Operating System (and later with its IE Browser), by Google for its search engine algorithms, and today by Facebook for its user data practices. The EU has systematically, consistently, most often successfully sought to address the imbalances that the technology era has brought to the fore in its internal market and the harm inflicted upon EU citizens, albeit at the often-glacial pace imposed by any judicial proceeding (which is in stark contrast to digital developments). The DSA and the DMA will be no different. In a future dominated by the Internet of Things (IoT), Artificial Intelligence (AI), 5G, and Quantum, where users will have little choice and limited impact on developments, this is perhaps not a bad thing. Ultimately what will be a financial blow to some digital service providers in the short terms will be in the best interest of end users overall and can only drive a healthy competitive landscape forward.