EU Digital Services Act and Digital Markets Act – Compliance Countdown

Author: Benjamin Daley | Data Protection Advisor

Date: 26 March 2024

The EU Digital Services Act (DSA) came into force on 17 February 2024, and the Digital Markets Act (DMA) now applies to the specifically designated ‘gatekeepers’; regulators are already exercising both. A proactive, two-pronged approach to enforcement, applying the two Acts together as well as through standalone actions, has been apparent from the outset.

Organisations of all sizes must therefore understand whether they fall within the scope of the DSA or DMA, and resultant obligations, ahead of potential enforcement action on a new regulatory front. 

This article first outlines the DSA aims, scope, and requirements, then DMA goals and gatekeeper obligations. These regimes are explored through recent examples of early enforcement action by the European Commission, before suggesting proactive steps that organisations may take to support regulatory compliance. 

Digital Services Act

The DSA, according to the European Commission, aims to ‘prevent illegal and harmful activities online and the spread of disinformation… to ensure user safety, protect fundamental rights, and create a fair and open online platform environment’. Online players are accordingly categorised, and assigned tiered obligations, according to their role, size, and market impact, in ascending order:

  1. Intermediary services provide network infrastructure through mere conduit, caching, or hosting. 
  2. Hosting services include cloud and web hosting. 
  3. Online platforms connect sellers and consumers through online marketplaces, app stores, collaborative economies, and social media platforms. Micro and small enterprises are excluded from these obligations. 
  4. Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) are those reaching more than 10% of 450 million European consumers, with a published list of designations.

A provider of the above service types must have a “substantial connection” to the EU – namely: having an establishment in the EU; or having a significant number of users in the EU; or targeting its activities towards one or more EU member states. If one of these conditions is met, then the tiered requirements under Chapter 3 DSA, outlined below, apply in a cumulative manner: 

There are commonalities between DSA obligations and existing GDPR requirements, supporting a robust organisational framework. Complementary DSA and DMA provisions include transparency, interoperability, and accountability, whereby existing policies, protocols, and procedures may be reviewed and expanded to include new considerations. Notable additional measures include notice and action mechanisms, tiered transparency contents, and the last-minute inclusion of crisis response mechanisms. 

Digital Markets Act 

The DMA correspondingly supports European Commission aims to ‘make the markets in the digital sector fairer and more contestable’, by identifying ‘gatekeepers’ through defined criteria. Gatekeepers are large digital platforms providing ‘core platform services’, with obligations under the DMA complementing competition law rules to regulate their power and influence. Six organisations have been designated as gatekeepers thus far: Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft.

Through the DMA, the European Parliament seeks to control the digital sphere where both of the following apply:

  1. A Core Platform Service (CPS) is offered, namely one of:
     a. online intermediation services;
     b. online search engines;
     c. online social networking services;
     d. video-sharing platform services;
     e. number-independent interpersonal communications services;
     f. operating systems;
     g. web browsers;
     h. virtual assistants;
     i. cloud computing services;
     j. online advertising services.
  2. The organisation meets the following grounds:
     a. it has a significant impact on the internal market, and
     b. it provides a core platform service which is an important gateway for business users to reach end users, and
     c. it enjoys an entrenched and durable position in its operations, or it is foreseeable that it will enjoy such a position in the near future.

An organisation is presumed to meet the grounds under point 2 where it has had an annual turnover of €7.5bn in each of the last three financial years and, in the last financial year, reached 45 million active end users per month and 10,000 active business customers in the EU; an entrenched and durable position is demonstrated where these figures have been met over the previous three financial years.

Organisations must inform the Commission within two months of meeting these thresholds, and the Commission will then designate the organisation as a gatekeeper. The Commission may still designate a platform as a gatekeeper through a market investigation where a CPS is offered but these thresholds are not met.

Thereafter, Chapter 3 DMA outlines obligations for gatekeepers to tackle practices that limit contestability or are unfair, which the Commission expresses as a high-level, non-exhaustive list of do’s and don’ts. These may be summarised as requirements to:

  • Not process personal information for advertising purposes without explicit consent, 
  • Not interfere with business to consumer activities, 
  • Allow and enable third-party software, 
  • Support interoperability. 

Enforcement 

Early action by the European Commission demonstrates that the DSA and DMA have significant effect when applied in parallel, in line with their original purpose. ByteDance (TikTok) has felt their joint impact within the opening months of each regime. The General Court dismissed its request under the DMA for interim measures suspending its obligations pending its ongoing appeal against the gatekeeper designation decision. Ten days later, the Commission opened formal proceedings under several areas of the DSA, leaving TikTok exposed on both DSA and DMA fronts.

The DSA and DMA have also been relied upon as sole instruments: the Commission has sent requests for information on Generative AI risks (see our article on this topic) to 6 VLOPs and 2 VLOSEs under the DSA, without reference to their notifications of potential gatekeeper status under the DMA. More recently, the Commission has opened non-compliance investigations against Alphabet, Apple, and Meta under the DMA. An organisation captured by only one of the DSA or DMA must therefore still meet its designated requirements in full.

Existing fines under the GDPR are up to €20m or 4% of annual worldwide turnover, whichever is greater. DSA fines are expanded to up to 6% of annual worldwide turnover, with a right to compensation for users who suffer as a result of an infringement. Further remedies allow the Commission to demand immediate action from VLOPs or VLOSEs, through the crisis response mechanism, where necessary to address serious harms. These efforts will be supported by Digital Services Coordinators at Member State level. DMA fines are further expanded to up to 10% of annual worldwide turnover, or up to 20% for repeated infringements, with periodic penalties of 5% of average daily worldwide turnover to incentivise compliance. Last-resort additional remedies are in place for systematic infringements, proportionate to the offence, up to and including a divestiture order.

The scope and pace of regulators’ activities, with enhanced fining powers, should therefore bring the immediate importance of DSA and DMA obligations into focus. 

Next steps 

Organisations should firstly assess their operations against this emerging regulatory landscape, to determine whether any categories apply. If not falling under the DSA or DMA, then organisations should monitor scope updates and remain compliant with surrounding legislation, including the GDPR and ePrivacy Directive. 

If captured by the DSA or DMA, then existing technical and organisational measures may be expanded to meet some of the new requirements. This may include implementing annual reviews of transparency materials and reporting schedules; extending existing roles, for example appointing the Data Protection Officer (DPO) as the designated DSA point of contact, or expanding an EEA representative’s remit to include that of DSA legal representative; and maintaining effective cyber risk management practices.

Trilateral have longstanding expertise in data protection and cyber risk advisory services (DCS), offering outsourced DPO services and compliance management solutions with an adaptable approach – including our recently announced end-to-end compliance tool STRIAD:AI Assurance. If you would like to find out more, please get in touch. 
