The European Commission has unveiled proposals aimed at overhauling the digital market, including the way in which big tech businesses operate in the EU. They are aimed at increasing the responsibility of certain tech businesses for the way in which they operate and connect customers to goods, services and content – and there will be scope to impose significant fines for non-compliance. Meanwhile, similar measures are being put forward in the UK – so Brexit will not mean that UK tech businesses are off the hook.
EU turns the screw on Big Tech: the Digital Services Act Package
At EU level, there are two legislative proposals:
- A Digital Services Act, which is the measure likely to have the widest application in practice, setting out new rules for ISPs, cloud and webhosting services, online marketplaces, app stores, search engines and social networks. The proposal also contains a more stringent set of rules which will apply to "Very Large Online Platforms", which have at least 45 million users in the EU; and
- A Digital Markets Act, which is aimed at regulating larger tech businesses which are regarded as having "gatekeeper" status. The majority of tech businesses are likely to be outside its scope – although since many businesses (both within the tech sector and outside it) have to interact with the "gatekeepers" that the Act seeks to regulate, it is still likely to be of interest to them.
The legislation will also create a new EU-wide network of regulators (consisting of the European Commission and national bodies at Member State level). These regulators will have powers similar to those enjoyed by competition and data protection regulators, including the ability to impose significant fines, investigate complaints, require provision of information and carry out on-site inspections.
As explained in Section 4, similar proposals are being put forward in the UK – so Brexit will not mean that UK tech firms are off the hook.
The proposals have been drafted as EU Regulations which, once formally approved, will be directly applicable in Member States without the need for further implementing legislation at national level. It will nevertheless take time for the proposals to work their way through the EU legislative process and once that has happened, EU Member States are likely to need to make some changes at national level in order to give effect to the Regulations; for example, they will need to create or nominate bodies to act as national regulators (known as Digital Services Coordinators), in much the same way that each Member State has a national regulator for data protection under the EU General Data Protection Regulation (GDPR). As a result, it is likely to be some time before these proposals become applicable - possibly years.
Online intermediaries and platforms which offer their services in the EU single market should familiarise themselves with the proposals and keep a watching brief on their development so that they are well placed to implement the organisational changes, and address the increased regulatory risk, which the new rules look set to bring about. For some tech businesses, the additional compliance burden could prove to be similar to, if not in some cases greater than, the GDPR. For other tech businesses – particularly those which have to interact with tech "gatekeepers" – some aspects of the proposals may create opportunities by constraining the market power of some of the key tech "gatekeepers".
The Digital Services Act builds upon the E-commerce Directive, which was adopted in 2000 to address the growth of the Internet at that point in time. It will update and create a harmonised set of rules across a range of areas outlined below and give regulators new powers, including the ability to impose significant fines.
Addressing illegal content
The Digital Services Act preserves the liability regime set out in the E-commerce Directive for online intermediaries which exempts them from liability for the content they manage, provided they fulfil certain conditions. However, it puts greater onus on hosting providers and platforms to provide notice and take down mechanisms so that those who do consider content illegal, can notify as such with greater confidence that something will be done about it. Platforms will also have to establish complaint handling systems enabling users to contest the outcome of content moderation, deal with dispute settlement bodies, suspend repeat infringers, and have systems in place to prioritise notifications made by 'trusted flaggers'.
Where content is removed, platforms will have to provide an explanation to the content provider as to the reasons for removal, and they will have to publish reports outlining the steps they have taken to remove illegal content or content which is not in accordance with their terms and conditions.
More onerous obligations for online platforms
In addition to the measures relating to illegal content outlined above, online platforms (including online marketplaces, app stores and so on) will also face a range of new obligations including:
- Transparency – for example, they will have to include information in their terms and conditions on any restrictions they impose on the use of data provided by users – such as the policies, processes, mechanisms and tools they use for the purpose of content moderation, or any algorithmic decision-making that they rely on. Platforms must also be transparent about online advertising, for example by making it clear to users when they are placing online adverts, on whose behalf they are doing so, and the reasons for targeting a user with the specific ad.
- Due diligence – online platforms which allow consumers to contract with traders, will have to carry out "know your trader" checks before allowing them to operate via the platform, to ensure greater traceability for example, of sellers of illegal goods and services.
- EU representative - in a measure reminiscent of GDPR style obligations, online intermediaries which operate within the EU, but from a location outside, will have to appoint EU based representatives to co-operate with supervisory authorities.
The Act imposes additional compliance, accountability and risk management obligations on "very large online platforms" – defined as online platforms which provide their services to at least 45 million recipients in the EU (with mechanisms to adjust this figure to reflect changes in population numbers). For example, these businesses will be under a positive duty to identify "systemic risks" arising out of their platform and take action to mitigate them. Among other things, they will also be obliged to appoint a compliance officer, commission independent audits of their compliance and allow access to data by both regulators and independent researchers to verify their compliance.
New regulators with new powers
The Digital Services Act will also create a new network of national regulators, known as Digital Services Coordinators, with powers including the ability to impose fines (see textbox), investigate complaints, carry out on-site inspections and require provision of information. The European Commission will have the same powers with respect to very large online platforms. A European Board for Digital Services will also be created with a view to ensuring consistent application of the Act across the EU.
Sanctions for breach are linked to turnover, with fines of up to 6% of the annual income or turnover of the provider of intermediary services, and periodic penalty payments for continuous infringement up to 5% of the average daily turnover of the intermediary in the preceding financial year, per day.
The Digital Markets Act applies to "gatekeeper platforms". It is designed to ensure that they operate fairly and don't abuse the market power that they hold as gatekeepers.
Gatekeeper platforms are large online platforms which have a strong economic position and significant impact on the EU internal market, are relied on by a large number of businesses to link up to their customers and are entrenched in the market. Broadly, there will be a presumption that a business meets this test where, over the preceding 3 years: (a) it has generated turnover in the EEA of at least €6.5 billion or had an average market capitalisation or equivalent fair market value of at least €65 billion; and (b) it has had at least 45 million monthly active users and more than 10,000 yearly active business users in the EEA.
What the legislation seeks to prevent
Examples of unfair practices by gatekeepers which the Act prohibits include:
- treating products or services that they offer directly more favourably in ranking than those of the third party traders which use their platforms;
- preventing customers from linking up to businesses outside their platforms; and
- preventing users from uninstalling pre-installed software or an app if they wish to do so.
There will also be obligations preventing gatekeepers from imposing exclusivity provisions on traders, and requiring them to permit access by their business users to the data that they generate on their platforms. In addition, gatekeepers will be obliged to permit a certain amount of interoperability between their own systems and third party software / operating systems, as long as the interoperability does not endanger the integrity of the gatekeeper's own systems.
Enforcement will be the responsibility of the European Commission rather than national regulators. The Commission will enjoy powers similar to those available to regulators under the Digital Services Act, including power to investigate complaints, require provision of information and carry out on-site inspections.
Sanctions/remedies for breach are greater than in the case of the Digital Services Act: the Commission will be able to impose fines of up to 10% of the company's total worldwide annual turnover (as opposed to 6%), and in the case of systemic infringements, it will be able to impose additional behavioural or structural remedies such as requiring divestiture of parts of a business.
By the time the proposals are formally implemented, the UK will have long exited the EU, and therefore they won't form part of UK law. However, UK online intermediaries and platforms which offer their services in the EU will have to comply, including (as the proposals stand) by appointing EU based representatives. Businesses which just operate in the UK are not off the hook either, as they face several proposed measures aimed at addressing similar concerns.
Tackling online harms
The UK Government has very recently published its full response to the 2019 Online Harms White Paper. This sets out plans to impose a new duty of care and regulatory framework on any company which allows users to share or discover user generated content or interact with each other online (i.e. social media platforms, hosting providers, file hosting sites and online discussion forums) to make them take more responsibility for the safety of their users, and tackle harm caused by content or activity on their services.
As with the EU proposals, the duty of care will require companies to establish steps such as setting up complaints mechanisms for dealing with users' complaints, and greater transparency and accountability such as the requirement for companies to publish annual reports outlining the prevalence of harmful content on their platforms and any countermeasures taken to address this. Ofcom has been named as the regulator which will oversee this. The draft Online Harms Bill is expected to be published early in 2021 and pre-legislative scrutiny will take place before debates in Parliament begin.
Tackling "gatekeeper" businesses
In addition, in response to the Competition and Markets Authority's final market study report into online platforms and digital advertising markets, the Government announced the setting up of a dedicated Digital Markets Unit to oversee a pro-competition regime for platforms that currently dominate the market, such as Google and Facebook, and introduce and enforce a new code to govern their behaviour when interacting with competitors and users.
Of both the EU and UK proposals, Baroness Nicky Morgan, Consultant to the Tech Sector Group here at Travers Smith LLP, and former Digital Secretary of State, comments:
"Legislators and regulators in the EU and the UK are now clear that while Big Tech offers many consumer benefits, their dominance in data and refusal to accept responsibility for content cannot continue unchecked. The UK Government’s online harms proposals will launch a new era of accountability amongst large platforms for illegal and legal but harmful content and the UK’s new Digital Markets Unit will try to find a balance between being pro-tech while keeping digital markets open and competitive. The EU’s Digital Services Act and Digital Markets Act will address the same issues although the EU is perhaps more likely to focus on threatening to break up Big Tech than the UK will. We will have to see what each proposal finally looks like and what it achieves.”
Competition Partner Stephen Whitfield comments:
"The Digital Markets Act, in particular, seems to represent a part of the European Commission's contribution to a debate which has developed over the last few years in the competition enforcement world. In recent years, many competition enforcers and commentators have concluded that the existing competition enforcement toolbox is not sufficient to address the potential harm to competition posed by the world's largest digital platforms. In merger control, various European competition authorities have increasingly investigated the concept of "killer acquisitions" (acquisitions of still-nascent competitors by Big Tech companies) or whether Big Tech deals might have an adverse impact on the use of consumer data. In antitrust, those same authorities have also pursued 'abuse of dominance' cases against Big Tech companies. However, critics have argued that this approach is fragmentary and reactive, where a more forward-looking approach is required in dynamic tech markets. Viewed in that light, the Digital Markets Act can be seen as, in some respects, a form of ex ante competition regulation similar to that which already exists in sectors such as energy or telecoms."