Tim Roberts
London
We are on the threshold of a new era of regulation in the EU for digital businesses, after the EU Parliament this week voted to adopt two major legislative initiatives proposed by the European Commission (EC): the Digital Services Act (DSA) and the Digital Markets Act (DMA).
While legal and regulatory specialists will have been following these developments closely for some time, this week’s news provides an opportune time for business leaders more broadly to (re)engage with the topic and consider the implications for their businesses.
What are the DMA and DSA, and where are we now?
The two Acts form part of the European Data Strategy, intended to safeguard the rights of digital services users and establish a level playing field in the market, fostering competition and innovation.
The introduction of these initiatives comes at a time of accelerated development in digital services, boosted by the pandemic and the rise of remote working, in a market with just a handful of large, advanced incumbents. Alongside this, however, concerns are growing among citizens and lawmakers about the negative impact of a digital society – including loss of privacy, cybercrime and other threats to security, the rise of online bullying, fake news, and viral conspiracy theories.
The acts will be formally adopted in accordance with the EU’s legislative procedure. The DMA is planned to come into force across the EU from May 2023, with full-scale implementation expected in 2024, while the DSA is heading for adoption from January 2024. Fines for violation of the DMA are up to 10% of firms’ global turnover, with increased severity for repeated infringements – up to 20%. For the DSA, fines could amount to up to 6% of global turnover, while serious and repeated violations could result in national courts banning operations in their territories of jurisdiction.
The EC will need to organise itself to supervise these new regulations, for example by creating and embedding new structures within the Commission, developing new capabilities and preparing the required documentation, including legal and procedural documents. Moreover, partnerships are central, and developing them takes time because agreement and coordination must be reached – for example with jurisdictions and other digital regulators.
On this latter point, the requirements of these digital acts will need to be managed alongside other digital regulations such as GDPR. For example, the DMA promotes data-sharing, which would need to be complied with alongside GDPR regarding the processing of personal data. The effective enforcement of these new requirements is not a straightforward task, even less so when the regulations are groundbreaking, the technology is moving fast, and the resources in the hands of large corporations are extensive.
Who do these new regulations apply to?
The DMA applies to specific organisations designated as “gatekeepers”: those that offer one or more “core platform services” (e.g., marketplaces, app stores, search engines, social networks, cloud or advertising services, voice assistants, and web browsers) and are of a scale specifically defined by the EC. While the businesses that will be subject to the DMA have yet to be scoped, it will be no surprise that the familiar Big Tech names will feature.
The DSA applies to providers of intermediary services. This includes internet service providers, social media services, online marketplaces and messaging services. For these providers:
What do these rules mean in practice for firms?
The DMA and DSA introduce systems of prohibition, which are expected to trigger significant and far-reaching changes to the entire business models of the businesses in scope. The prohibitions will be the subject of a period of discussion between big-tech firms and the Commission, with regard to what they mean in practice and how they can be implemented.
The prohibitions will also affect, at a more granular level:
Additionally, compliance processes will require development and enhancement, such as annual risk assessments, safeguards and controls, and active compliance monitoring.
Specific to the DMA: Companies providing “core platform services” as well as those potentially receiving data from such companies should understand not only what the DMA requires, but also its impact on existing obligations under the EU GDPR. This includes a ban on the combination and cross-use of personal data collected during the use of a service for the purposes of another service offered by the gatekeeper, and effective portability and continuous and real-time access to data provided or generated by end-users, complementing GDPR’s right to (personal) data portability.
Specific to the DSA: Amongst a number of requirements, businesses are required to report annually on content moderation conducted, including steps taken to identify and act on illegal content. Mechanisms to identify illegal content could include establishing a trusted ecosystem of content reviewers, internal quality assurance and automated detection systems.
More holistically, Big Tech firms and the other firms that are following similar digital strategies will need to establish a risk management and compliance function along the lines of firms that have been living under regulatory supervision for decades. This is likely to require a “three lines of defence” controls framework, including:
These changes will almost certainly require a culture change to embed a more risk-aware mindset and behaviours across the business. Customer journeys will require an end-to-end review in order to embed the additional controls that the regulations will impose, minimising negative impacts on the consumer experience. Eventually, limitations on content publishing could reduce usage and traffic, in favour of emerging smaller players not subject to such intense regulation.
How can AlixPartners help?
We have been working with regulated firms across industries for years, including building compliance capabilities for newly regulated firms and transforming compliance in mature businesses, using our “Compliance 4.0” framework.
This practical experience helps firms who will be in scope of the DMA and DSA in multiple ways, such as:
With additional thanks to Marcello Bellitto, Klaus Hoelbling, and John Miles in the development of this article.