
The European Commission (the “EC”) has tried to regulate e-commerce and the related challenges posed by the internet giants known as “GAFAM” (an acronym for Google, Amazon, Facebook, Apple and Microsoft, the biggest internet-based corporations; from time to time Netflix and/or Twitter are added), and last winter a significant step was taken.

In the following months and years, the European Parliament and the European Council will vote on two acts, the Digital Services Act (the “DSA”) and the Digital Markets Act (the “DMA”), as part of the European Union (the “EU”) strategy for the digital market.

This article will try to summarise some of the main elements of these pieces of legislation.

Disclaimer: Readers of this newsletter should note that, at the date of circulation of this article, the laws and regulations to which this newsletter makes reference may be subject to further amendments which will not be reflected in this newsletter.

Background

The first European legislation related to the internet and online services was the famous e-commerce directive (directive 2000/31/EC).

The directive was partially modelled on the famous American Section 230 of the Communications Decency Act, which has often been described as the legislation that created the modern internet, allowing a great degree of freedom online.

The internet has given us marvellous new services and opportunities, but an unfortunate outcome is that the power some corporations obtained has led to monopolies. For example, Google is the monopolist of search engines, while Facebook is almost the monopolist of social networks. Other companies, like Amazon, while relying on their main business, prefer a subtler game: most cloud computing is owned by or redirected to Amazon’s servers.

All of this has created many new challenges and risks, including aggressive tax planning aided by revenues from intellectual property. The von der Leyen Commission has decided to tackle them.

In the context of the European digital strategy, the so-called Shaping Europe’s Digital Future, the EC proposed the DMA and the DSA with the aim of protecting rights and freedoms online, achieving a better degree of harmonisation of the internal market and fostering innovation and business.

DMA summary

The DMA is a strange piece of legislation. It has been specifically created for the huge internet corporations (called “gatekeepers” in the act) and its provisions will not affect the vast majority of businesses.

Article 3 states that, in order to trigger those obligations, a company must have a significant impact on the internal market, operate a core service (there is a list, which includes video sharing, cloud computing, social networks and so on), and enjoy (and shall enjoy) an “entrenched and durable position”. The DMA sets forth that the above must be presumed if: the turnover in the previous three financial years is EUR 6.5 billion or the market capitalisation corresponds to EUR 65 billion and the number of active users per month is at least 45 million and there are at least 10k business users active per year. These figures indicate quite clearly that the EC focused on the American corporations, as the most relevant digital services in Europe do not even reach half of the threshold.

As most of the obligations within the DMA would not affect ordinary companies, it is not worth discussing them in detail. Some interesting provisions relate to the new limits imposed on gatekeepers: for example, they will no longer be able to treat their own services more favourably than third parties’ services (the famous practice of Amazon suggesting its products over competitors’) or to prevent users from uninstalling a service if they so wish (any Apple user knows what this provision refers to).

It is interesting to note that the DMA is not very well written from a legal point of view: the political intent is often poorly hidden. For example, article 7(1) lays down that the gatekeeper shall comply with the General Data Protection Regulation (the “GDPR”). But the GDPR is a regulation in itself and does not require another act to enforce it. The reason is that the sanctions are considerably higher than under the GDPR (up to 1% or 10% of the annual turnover and a new concept: up to 5% periodically paid), while the obligations are separate, as is the enforcement (the GDPR is enforced by data protection authorities, while the DMA is enforced by the EC itself). Therefore, the logical consequence is that if, e.g., Google is fined by an authority, then the EC imposes its own cumulative fine as a consequence. In this way, the political suasion is achieved at a lower level (the authority can seriously threaten a corporation).

As stated, it is very unlikely that an ordinary business, even when dealing with millions of users, has to care about this act.

DSA summary

The DSA is the real next big thing. It is turning the previous e-commerce directive into a regulation and the DSA will affect almost every online business or business offering products and services online. Only micro and small enterprises are explicitly excluded.

The DSA upholds the three main categories of the e-commerce directive in terms of liability: mere conduit, caching and hosting. Mere conduit is a service that merely transfers information; caching is a service that involves the automatic, intermediate and temporary storage of information; and hosting is a service that stores information at the request of a user.

The last category is the most relevant, as it covers, for example, the case of a user posting a comment.

The DSA restates that a hosting service is not responsible for illegal content posted by users, if it is not aware of it and/or it removes it promptly once it has become aware. However, new exceptions to this rule are introduced; the most notable is the one for consumer protection.

Moreover, regarding illegal content, the DSA provides a new obligation for a service to act according to an order received from an authority. In any case, the DSA specifies the requirements of such an order and gives the authorities the burden of communicating in the language elected by the service itself, closing a series of ongoing issues.

Digital services shall also ensure that there are appropriate mechanisms in place to evaluate and resolve a dispute. These can be either internal or external, i.e. traditional or alternative dispute resolution.

One of the most critical provisions remains the one related to the “trusted flaggers”. In order to fight the phenomenon of “fake news”, the EC has decided to elect some entities as “trusted flaggers” able to indicate which content shall or shall not be considered legitimate. This provision has been criticised as it is not clear who is going to guard the guardians themselves.

From a corporate point of view, the DSA introduces some relevant novelties.

First of all, it lays down stricter rules for “very large online platforms”, which is basically a reference to the DMA.

Companies outside the EU shall elect a point of contact and a representative in order to operate in the internal market.

Moreover, the vetting of third-party vendors has been strengthened, in order to ensure proper know-your-business-customer (the “KYBC”) checks. Along with KYBC, compliance with codes of conduct, especially for online advertising, is strongly encouraged.

It is interesting to note that a new role will be introduced: a mandatory compliance officer who shall ensure compliance with the DSA. This shall apply only to very large online platforms.

Lastly, the sanctions for non-compliance are up to 1% or 6% of the annual turnover (depending on the gravity and the article violated), and the DSA also includes the above-mentioned 5% periodic payment. However, the supervision would be given to a competent “Digital Service Authority”, which should be market friendly as its purpose is to foster the market.

Conclusion

The DMA and the DSA are going to reshape the internal market of the EU.

However, businesses should focus only on the DSA, as it is unlikely that they would ever trigger the obligations included in the DMA.

In conclusion, to ensure your compliance and cyber capabilities, it is always better to trust professionals in order to minimise the risks.

Riccardo Varisco
Associate and Data Protection Specialist