EU’s Digital Services Act (DSA) & Digital Markets Act (DMA)

In 2022, the EU will adopt two new pieces of legislation – the Digital Services Act (DSA) and the Digital Markets Act (DMA) – that will significantly impact Big Tech. The pressure lies upon policymakers, as the French Presidency of the EU Council wishes to see these materialised as soon as possible. Here, we track their progress and what this means for Big Tech. 

The two pieces of legislation, bundled together as the Digital Services Act package (DSA package), aim to create a safer and more open digital space for individuals and businesses alike. Both the DSA and the DMA have a special focus on big digital service providers, especially those who enjoy great sway in the shaping of the digital future given their market share or their role as online intermediaries and platforms. While they are often discussed together, they regulate different fields. 

The DSA is concerned with harmful and illegal goods, services, and content online. Since certain very large online platforms have emerged as quasi-public spaces where an immense amount of information sharing and online trade takes place, the DSA will regulate such service provisions to protect individual fundamental rights and safety. 

The DMA addresses competition and antitrust issues. A few tech companies have achieved a ‘gatekeeper’ role as they become the bottleneck between businesses and customers. As an extension of the EU competition law regime, the DMA aims to ensure fair practices among different digital market actors. See the fact box below.

Comparison of EU’s DSA and DMA regulation

The Digital Services Act (DSA) The Digital Markets Act (DMA)
What will they regulate?The DSA is concerned with harmful and illegal goods, services, and content online. 

It will replace the E-Commerce Directive (2000).
The DMA is concerned with competition and antitrust issues.   

It will broaden the range of existing measures for investigating and correcting market practices by creating ex-ante rules that prohibit certain behaviours.
Who will be regulated by the new laws?Intermediary services, that is, companies whose business places them between sellers and customers. 

Companies will be categorised according to the type of service they offer, that is:
– Basic intermediary service providers, including ISPs, domain name registrars, etc.
– Hosting service providers, including cloud, web hosting services, etc.
– Online platforms, including marketplaces and social networks.
– Very large online platforms (VLOPs), that is, those with at least 45 million average monthly active users.

These definitions are still up for debate. The EU Council, for instance, thinks that the law should include a reference to online search engines; there’s no such reference in the Parliament’s draft.
Gatekeepers, which in practice means only a small number of tech companies.
The original proposal defines gatekeepers as those companies that control core services on the internet and serve more than 45 million users and 10 000 business users in the EU per month.

One open issue relates to this definition. The European Parliament, for instance, thinks that smart devices such as virtual assistants should be added to the list of core services due to their growing demand. The Council calls this ‘voice assistant technology’, which could be interpreted a bit differently.

As updated on 11 May 2022, the proposal targets companies with more than €7.5 billion in annual turnover or a fair market value of €75 billion.
How will they be regulated?This depends on the type of intermediary services. The original proposal describes a basic set of obligations for intermediary service providers but heftier rules for the other categories. This means more transparency and consumer protection-related obligations for these companies.

VLOPs and very large online search engines are subject to a list of stricter obligations, such as rules on how to tackle illegal and harmful content. The Commission will be the primary regulator for them for more effective and collaborative interventions, while other service providers remain supervised by the member states’ new Digital Services Coordinators.
The original proposal lists what a gatekeeper is prohibited from doing, such as giving preference to its own goods and services over those of others using its platforms. 

Things a gatekeeper should do include allowing users to uninstall native software, enhancing the interoperability of cross-channel messaging services, and allowing business users access to the platform’s data. 

The Council and Parliament are asking for more. For instance, a ban on the use of children’s data and easier ways for users to unsubscribe from a core service. The devil will be in the details.

Strict penalties for non-compliance behaviour will be imposed. The Commission can fine up to 10% of a gatekeeper’s total global turnover in the preceding financial year, with heavier penalties up to 20% due to repeated non-compliance. The Commission also has the power to open market investigations and take stronger measures (such as banning acquisitions) in face of systemic infringements.
When will the rules take effect?The DSA has been met with a political agreement between the Parliament and the Council on 23 April 2022. 

The DSA has been adopted by the Parliament on 5 July 2022. It is expected to be put to a final vote in the Council in September 2022 before being published in the EU Official Journal.

Once adopted, the DSA will be directly applicable across the EU and will apply fifteen months or from 1 January 2024, whichever later, after entry into force. Rules regarding VLOPs and very large online search engines will go into effect at an earlier date, which is four months after them being designated as VLOPs and very large online search engines.
The DMA has been met with a political agreement between the Parliament and the Council on 22 March 2022.

The DMA has been adopted by the Parliament on 5 July 2022 and by the Council on 18 July 2022. It now awaits for the signatures of both Presidents of the Parliament and the Council before being published in the EU Official Journal.

The DMA regulation will enter into force 20 days following the publication and the provisions will start to apply 6 months thereafter.

New laws and USA-EU relation

Across the pond, the US government is in a bit of a bind. It wishes to advance its antitrust agenda on its home turf, but also wants to defend US tech firms overseas. Of the two, the transatlantic issue is a more serious problem. It’s been reported that the US government has called on EU policymakers not to raise the threshold for defining gatekeepers under the DMA. The higher the thresholds, the more concentrated the law around Big Tech will be – something the USA finds to be discriminatory.

There’s even more bipartisan pressure on the administration to tackle this issue with the EU. The Senate Finance Committee believes that both laws ‘must apply equally to firms based in Europe, China, the United States, and other countries’ in order to not give non-US companies a competitive advantage. Still, this argument is unlikely to hold water, considering that the world’s most valuable tech companies are US companies.

Lobbying in Brussels

‘Big Tech firms are therefore throwing immense resources (that they can easily afford) on a scale rarely seen to influence, persuade and cajole members of the European Parliament, member state governments and European Commission officials to roll back the obligations the DMA would impose’, BEUC’s deputy director-general wrote

‘Not only are they lobbying in their own names, but they are also deploying trade associations, think tanks and “favourable” academics to mirror, endorse, and amplify their arguments. They have even claimed to represent the best interests of small and medium-sized companies (!), much to the annoyance of genuine SME representatives.’