In Practice Series – How to prepare for the upgraded digital services laws in Europe

This article was originally published on Compliance & Risks 'In Practice Series' blog, December 2022.

The use of digital platforms over the last twenty years has become a significant part of everyday life.

It is undeniable that the way consumers purchase their products and engage with services on the internet has changed substantially since times past.

The modern consumer has global buying power, and suppliers must adapt in order to meet this consumer demand.

This change in consumer behaviour has brought both benefits, but also introduced legal risks that have required careful consideration by regulators and legislators alike.

In particular, the competitive advantage of online sale mechanisms, and their role as gatekeepers between businesses and internet users, and the potential ability for foreign entities to supply global markets with little responsibility in each country are the main motivators behind recent legislation on this topic.

The protection of users on digital platforms has also become a great focus of legislators’ attention following concerns over the safety of users (particularly minors) on social media and content-sharing platforms.

The proposed revisions to the mainstay product safety regime in the EU, in the new draft General Product Safety Regulation, aims to modernise the laws in line with the advancement of technology since 2001 when the original law was created.

In an attempt to combat the new challenges, the EU has also otherwise reformed the current rules governing digital services by introducing a raft of existing and proposed laws including the Omnibus Directive, Market Surveillance Regulation (‘MSR’), the Digital Markets Act (‘DMA’) and the Digital Services Act (‘DSA’).

The implementation of these laws will create a package of legislation with rules that will apply across all Member States to regulate online sales and content more and more.

The legal framework

The aim of the various laws is creating a safer digital space where users’ fundamental rights are not infringed.

Omnibus Directive

The Omnibus Directive came into force for Member States on 28 May 2022. The purpose of the Directive is to strengthen consumer rights in the context of modernised EU consumer protection rules by placing obligations on entrepreneurs or ‘traders’ conducting online business.

Its introduction is seen as a catalyst for the introduction of the DMA and DSA.

The biggest impact is seen on traders, online traders, and marketplace platforms in sectors such as sales, service market, and e-commerce.

New legal obligation	Impact
Information on price	Customers need to be informed if the price presented is personalised from automated decision-making and profiling or not.
Information on price reduction	Traders are required to inform consumers about the previous price of a product following a price reduction.
Customer Review Checks	Traders must confirm that reviews left by customers are genuine by checking that the customers themselves produced such reviews.
Applying data protection and consumer protection rights	The General Data Protection Regulation and consumer protection rights must be applied to/protected in contracts for the provision of digital content or services without the customer paying a specific monetary amount but instead in exchange for their personal data.
Third party	Customers must be informed whether the third party offering the goods, services or digital content is a trader or not.

MSR

The MSR came into force on 16 July 2021. Its aim is to complement and strengthen the existing EU product laws applying to products sold both online and offline.

The focus of the MSR is on the marketing of products and brings online platforms within the umbrella of EU products regulations.

The most significant requirement is that certain goods can only be placed on the EU market where there is an EU established economic operator responsible for verification of technical documentation, notifying / cooperating with market surveillance authorities on any safety and compliance issues and placing its name and address on the product for identification purposes.

The economic operator may be an EU based manufacturer, an EU based importer, an EU based authorised representative or a newly defined entity known as a fulfilment service provider which is defined as “any natural or legal person offering, in the course of commercial activity, at least two of the following services: warehousing, packaging, addressing and dispatching, without having ownership of the products involved, excluding postal services… or freight transport services”.

The introduction of a fulfilment service provider addresses the increased significance of e-commerce and requires non-EU manufacturers to appoint an EU based economic operator even where they are selling direct to end users.

New legal obligation	Impact
Cooperation with authorities	Economic operators (such as manufacturers, importers, and distributors) must cooperate with market surveillance authorities in eliminating and mitigating risks presented by products made available on the market.
Market surveillance authorities	Member States are required to designate at least one market surveillance authority responsible for the organisation of surveillance and enforcement.

DMA

The DMA came into force on 1 November 2022 and will start to apply from 2 May 2023.

The purpose of the DMA is to regulate unfair practices amongst online platforms by levelling the playing field of digital companies, regardless of their size.

New legal obligation	Impact
Gatekeeper thresholds	Gatekeepers are firms that have a significant impact on the internal market and provide a “core platform service”, which is an important gateway for business users to reach end users. Companies operating one or multiple of the “core platform services” listed in the DMA qualify as a gatekeeper if they meet the following criteria: Size: The company must either have had an annual turnover of at least €7.5bn in the past 3 years (up from €6.5bn in the European Commission’s (‘EC’) proposal) or a market valuation of at least €75bn (up from €65bn in the EC’s proposal). Control: They must have at least 45m monthly end users and at least 10,000 business users established in the EU. Stability: The company meets the control element in the last three years.
Emerging gatekeepers	Platforms that are considered to be in the scope of the DMA are marketplaces and app stores, search engines, social networks, cloud services, advertising services, messaging platforms, virtual assistants and web browsers. However, there is also a new category referred to as “emerging gatekeeper” that will enable the EC to impose “obligations on companies whose competitive position is proven but not yet sustainable”.
Gatekeeper responsibilities – Do’s	The DMA establishes a list of responsibilities that gatekeepers will need to carry out on a daily basis to ensure fair and open digital markets. These are as follows: Ensure that users have the option to unsubscribe from core platform services under similar conditions to subscription; Allow third parties to inter-operate with the gatekeeper’s own services in certain specific situations via their instant messaging services. Provide choice screens for the installation of certain software (e.g. web browsers, search engines or virtual assistants); Allow app developers fair access to the supplementary functionalities of smartphones (e.g. NFC chip); Give sellers access to their marketing or advertising performance data on the platform; and Inform the EC about planned M&A activity.
Gatekeeper responsibilities – Dont’s	Gatekeeper platforms may no longer carry out the following: Gatekeepers must not show ‘self-preference’ for their own services by treating their own products and services more favourably than products offered by third parties on the gatekeeper platform; Reuse personal data collected from a core platform service for the purpose of another service i.e. by tracking services outside of the gatekeeper’s core services for the purpose of targeted advertising; Establish ‘unfair’ conditions for business users; Pre-install certain software applications or prevent users from un-installing any pre-installed software or app if they wish to; or Require app developers to use certain services (e.g. payment systems or identification services) in order to be listed in app stores.
Compliance & penalties	To ensure that the new rules keep up with the pace of digital markets, the EC will conduct market investigations to qualify companies as gatekeepers, update obligations of gatekeepers when necessary and design remedies to tackle systematic infringements of the DMA.

DSA

The DSA came into force on 16 November 2022 and will apply from 1 January 2024. The purpose of the DSA is to reduce harms, combat risks online, and protect users’ fundamental rights.

Some of the significant changes are set out in the table below.

New legal obligation	Impact
Transparency	All online intermediaries must use a mechanism to flag illegal content. This is aimed at increasing accountability and oversight. For very large online platforms (‘VLOP’) and very large online search engines (‘VLOSE’) i.e. for those with more than 45 million users, further obligations are required including annual assessments of risks for online harms when using their services. This includes in relation to illegal goods, or the spread of disinformation. Smaller platforms including start-ups will have a reduced set of obligations and special exemptions. This will bring the benefit of greater clarity on the legal rules for providing their services in the EU.
Content moderation	Arbitrary decisions moderating content will be limited and ways for consumers to appeal or challenge such decisions will be expanded. This will include complaints directly to the platform, via dispute settlement bodies, or through courts. Complaints can include decisions based on alleged infringement of a platform’s terms and conditions with a duty on platforms to ensure their terms are presented clearly and concisely to users. VLOP’s and VLOSE’s will also be required to carry out a comprehensive assessment of risks to fundamental rights of users which include freedom of expression, personal data rights, freedom and pluralism of media, and the protection of minors.
New European Commission supervisory powers	The EC has the ability to supervise VLOP’s and VLOSE’s in addition to Member States each being required to appoint a Digital Services Coordinator for supervising entities that fall in scope of the DSA, VLOP’s and VLOSE’s. Together they operate through a European Board of Digital Services effectively sharing the supervising responsibility.
Tracing sellers	Online market places will be required to randomly check their databases to determine if products or services on their site are compliant.
Targeted advertising ban	Using profiling results of children or special categories of personal data to tailor adverts to particular consumers will be banned.

The consequences

Each Member State’s Digital Service Coordinator will have the power to impose penalties that include financial fines.

These need to be clearly set out in the national laws and be proportionate to the nature and gravity of the infringement whilst still encouraging compliance.

Both the Digital Service Coordinator and the EC will also be able to require immediate actions for serious harms.

Under the DSA, for VLOP’s and VLOSE’s, the EC will have the power of direct supervision and enforcement and can issue fines up to 6% of the global turnover of the provider.

Additionally, rogue platforms that do not comply with their obligations could be subject to a temporary suspension from offering their services by requesting a court to enforce this.

Under the Omnibus Directive, sanctions include fines of up to 4% of annual turnover of the entity in the Member State where the breach occurred.

Under the DMA, the EC can impose fines of up to 10% of global turnover for non-compliance by gatekeepers, which increases to 20% for repeated offences.

Systematic violations could trigger structural and behavioural remedies, including a ban on mergers.

Also gatekeepers may now face collective actions from individuals and companies in national courts in cases of non-compliance with the DMA obligations.

Checklist to limit risk

Companies should always refer to the specific regulations and guidance in place in the jurisdictions they are operating.

However, the following general principles may provide some helpful pointers for staying on the right side of the law:

Traders should inform customers on information on price and price reduction.
Traders should ensure data and consumer protection laws are applied to their sites, customer reviews are confirmed, and third party traders are confirmed.
Cooperation is maintained with market surveillance authorities.
Under the DMA, Gatekeepers have to ensure that their obligations are fulfilled within 6 months after their designation in accordance with Article 5.
Gatekeepers will need to ensure that company practices are kept up to date to remain compliant with the EC monitoring efforts.
Online platforms, particularly online search engines, should ensure they have, or begin to create, an effective mechanism in place to flag any illegal or harmful content on their sites.
Terms and conditions with users of online platforms should be revisited to ensure they are clear regarding content moderation.
The different ways that users can appeal or challenge a decision (or ‘strikes’) issued by an online platform against them should be clearly set out and easily accessible by the user.
Entities who sell products via online platforms should be vetted to ensure that they have active contact details and are selling compliant products and/or services on the platform.
Mechanisms for the protection of minors should also be in place that will stand up to scrutiny should they be questioned by the Member State’s Digital Service Coordinator or the EC.