While the Irish regulator has just fined Twitter €450,000 in a privacy case, the European Commission, on Tuesday (15 December), presented its legislative proposals to regulate online platforms with obligations graduated according to the size of the service.
Its proposals are based on two texts: horizontal regulation covering all digital services with obligations graduated according to their importance (the Digital Services Act - DSA) and ex-ante regulation which only targets platforms which act as gatekeepers in the digital sector. Here too, the Commission draws up a list of obligations (such as the obligation to notify of any new acquisition or to provide access to data) and prohibited practices (such as the prohibition on preventing users from uninstalling preinstalled applications).
“These proposals provide clarity, readability and objectives. Everyone is welcome, but our responsibility is to provide leadership and set the rules”, said Commissioner for the Internal Market Thierry Breton, anticipating criticism that the new proposals would only target US platforms.
AFSM clearly in sights
While Vice President Margrethe Vestager declined to identify companies that meet the definition of a gatekeeper, the US giants Google, Apple, Facebook, Amazon, and Microsoft are undoubtedly on the list.
The Digital Market Access Regulation (DMA), which is intended to complement competition law that is considered too slow and too little dissuasive, targets companies controlling at least one basic service (search engine, social network services, certain messaging services, operating systems, and online intermediation services) and targeting many users in at least three EU countries.
As regards the precise criteria, kept secret until the last moment, the Commission suggests that the size, control of an access point and position should be studied cumulatively. On size, the text speaks of an annual turnover in the European Economic Area (EEA) of at least €6.5 billion over the last 3 financial years or a market value of at least €65 billion in the last financial year. On the second criterion, the Commission refers to a service with more than 45 million active end-users per month in the EU and an average of more than 10,000 active business users in the EU in the last financial year. The last criterion is met if the first two are met in each of the last three fiscal years.
In concrete terms, it will be up to each company to carry out a self-assessment, after which the Commission will have 60 days to characterise the service or launch a market investigation (Article 15). The gatekeepers will have to comply with the obligations incumbent upon them 6 months later.
Asymmetric measurements in DSA
Regulation of digital services is more general. It targets all digital services that play an intermediary role in connecting consumers to goods, services, and content.
It provides for graduated obligations for these services, according to their importance. All of them will at a minimum have to set up contact points, a legal representative, identify any restrictions in their terms and conditions and will be subject to reporting obligations. Hosting services will have some additional obligations, online platforms will have even more, and “very large platforms” - those that capture 10% of the European population - will be subject to the most rules (see EUROPE 12622/1).
Penalties: up to 10% of worldwide turnover
Both texts provide for a sanctions regime. “With the regulation, you must also have a sanction. If only to protect the vast majority who will abide by these rules. We have taken the full range of sanctions, including structural separation”, explained Thierry Breton.
The digital services regulation provides for fines of up to 6% of a service provider’s total revenues in the most serious cases. The rules on digital markets allow the Commission to impose fines of up to 10% of the company’s total worldwide annual turnover and periodic penalty payments of up to 5% of its total worldwide annual turnover. It does not preclude structural measures in the event of systematic breaches, such as the obligation for the access controller to divest an activity or parts of it.
Vice-President Vestager and Commissioner Breton, who are usually relatively opposed on this subject, have in fact expressed themselves in the same direction on this issue. Mr Breton stressed that the proposals were not aimed at dismantling, while Ms Vestager pointed out that this would be a tool of last resort.
Rather positive reactions
Overall, reactions to the legislative proposals have been rather positive, although some criticise a slight lack of ambition. This is the case of Tiemo Wölken MEP (S&D, Germany), rapporteur on DSA in the European Parliament, who regretted the lack of European supervision for all platforms, or the NGO Global Witness, which said it regretted the lack of a limit on micro-targeting.
On the online platforms (Digital Europe and DOT Europe), the reception has been relatively cautious. Facebook even suggested that it hoped the DMA would set “limits for Apple”, which “controls an entire ecosystem (...) and uses that power to harm developers and consumers as well as major platforms like Facebook”.
Proposals now have to be evaluated by the European Parliament and the EU Council. The European Commission foresees an implementation period of 3 months for the DSA and 6 months for the DMA.
Links to the proposals : DMA: https://bit.ly/2KwkbX6 and DSA: https://bit.ly/3nsmjy4 (Original version in French by Sophie Petitjean)