Analysis: The DSA and DMA – big changes are on the way
Philip Lee partners Sean McElligott and Anne Bateman examine coming changes to EU rules for big tech companies.
On Tuesday, the European Parliament passed the Digital Services Act (DSA) and Digital Marketing Act (DMA) in what European Commissioner, Thierry Breton referred to as a “landslide vote”. Guided by the principle of making whatever is illegal offline, illegal online, the DSA sets out multiple standards related to corporate accountability and transparency while the DMA is concerned with market dominance. The legislation increases third-party access to large platforms and threatens to sanction those that fail to comply with these measures. The DSA and DMA aim to regulate online platforms, which is why they are often discussed together, although they regulate different aspects – together, their aim is to promote safer and more transparent internet use.
The DSA aims to preserve fundamental rights by imposing more stringent regulations on tech companies. The requirements of the DSA include:
- responding quickly to any illegal content on the site;
- increasing traceability and checks on traders to ensure that items and services sold are legal by nature;
- allowing users to challenge a site’s protocol for recommending content;
- providing even stricter measures for large platforms, which it defines as sites with over forty-five million users. Accordingly, these companies must be subject to independent audits and take additional measures to avoid systemic risks; and
- allowing users of large corporations to opt of any targeted advertising.
To promote fair competition among tech companies, the DMA regulates large platforms, which it defines as businesses with an annual turnover of over €7.5 billion. The rationale behind the bill is described by Andreas Schwab, the rapporteur for the DMA, “We no longer accept the ‘survival of the financially strongest’. The purpose of the digital single market is that Europe gets the best companies and not just the biggest”. As such, the DMA classifies large tech corporations as “gatekeepers” whose prominence on the market makes it difficult for consumers to avoid. Thus, the act sets forth requirements that promote third-party involvement within the platforms:
- third parties must be allowed to request access to operate within the gatekeeper’s platforms;
- gatekeepers must provide businesses with the data they produce to promote their own products; and
- gatekeepers are prohibited from favouring their products over others, impeding users’ ability to download third-party applications, and processing user data for targeted advertisements without consent to do so. The DMA seeks to limit gatekeepers’ hold over the vast amounts of data it generates and increase outside access to popular platforms.
The DSA and DMA were passed quickly, showing the strong political support behind the new laws. The DSA and DMA are expected to enter into force this autumn twenty days after they are adopted by the European Council. The DSA will apply fifteen months after it enters into force or on 1 January 2024 (whichever date comes later). However, large corporations will be expected to adhere to the DSA within only four months after entry into force. Large platforms must then comply with the DMA six months after it enters into force.
Enforcement of the DMA is a key issue. To fund enforcement of the DSA, the European Commission will be able to charge companies up to one per cent of their annual turnover for a supervisory fee. In contrast, there is no such levy to enforce the DMA. The Directorate-General for Communications Networks, Content and Technology (DG CNECT) plans to dedicate one-hundred staff members to enforce both regulations and expects to enhance this support by consulting experts and outside contractors. Enforcement of the DMA will be shared with the Department for Competition Policy. There has been significant criticism of the high fining cap provided by the DMA. The GDPR provides a legal maximum of four per cent of a company’s annual turnover, but the DMA more than doubles this value, allowing for fines of up to 10 per cent of the company’s turnover.
Tech companies will almost inevitably have to make changes to comply with the DSA and DMA. Christel Schaldemose, rapporteur for the DSA, is on the record as saying that, “For too long tech giants have benefited from an absence of rules. The digital world has developed into a Wild West, with the biggest and strongest setting the rules.” The DSA and DMA complement each other, arguably setting higher standards for online platforms and reducing the dominance major corporations have over the market.
The clear message is that if you are not already doing so, you need to get ready – does the DSA impact on your business model, do you need to do things differently, will your existing contracts need to be amended? By analogy with the transformative impact of GDPR, it is possible that the new laws may have a ripple-effect across the Atlantic.