Digital Regulation 2.0: UK and EU announce details of major reforms

Written on 16 Dec 2020

New UK and EU laws reboot the eCommerce Directive, update rules relating to online illegal and harmful content and boost online competition, whilst imposing significant fines and structural remedies

On 15 December 2020, the EU and the UK each announced further details of highly significant pieces of digital regulation. Each piece of regulation carries the potential for huge fines and, taken together, the reforms have far-reaching consequences for online platforms and digital services.

The three pieces of legislation are:

  1. The UK Online Harms Bill: the UK government has released its plans to regulate illegal and harmful content online through a proposed online safety bill, to be tabled before parliament in 2021, with powers to levy fines of up to 10% of global turnover or £18 million (whichever is higher);
  2. The EU Digital Services Act (DSA): the European Commission has unveiled the first draft of its proposal to update the responsibilities and liabilities of digital services, including rules on illegal content, notice-and-takedown and online targeted advertising, with powers to fine companies up to 6% of global annual turnover; and
  3. The EU Digital Markets Act (DMA): the companion to the DSA, the DMA is intended to boost online competition in the EU by imposing new competition rules on large online platforms that act as "gatekeepers" and introducing the much-discussed New Competition Tool, with powers to fine companies up to 10% of global annual turnover.

In this Insight article we take a look at each of these proposals in turn, how they might affect businesses and the next steps to watch out for.

UK Online Harms Bill

The UK government has confirmed that an Online Safety Bill will be introduced in 2021. This follows proposals first outlined in an April 2019 white paper and subsequent initial consultation response. The bill will set out a strict new regime to tackle the removal of illegal content online, including terrorist material, child sex abuse, suicide promotion and cyberbullying.

Who is in scope?

The new rules will apply worldwide to any platform that hosts online user interactions or user-generated content that is accessible by people in the UK. Social media platforms, dating apps, search engines, online marketplaces, peer-to-peer services, online forums and video games which allow online interaction will therefore all be caught by the regulations.

What is the proposal?

Confirming earlier proposals, the legislation will place these companies under a statutory duty of care to protect users from illegal material and implement measures to report and remove harmful content published on their platforms. While the full detail of the legislation has not yet been published, the announcement confirms that companies will need to comply with various forthcoming codes of conduct in order to discharge their duty of care.

Companies will be categorised into different tiers according to the size of their online presence and the level of risk posed on the platform. Category 1 companies are specified to have the largest online presence and high-risk features. The government's press release specifically states this is "likely to include social media giants such as Facebook, TikTok, Instagram and Twitter". These companies will have to comply with the most onerous set of obligations and will be under a legal requirement to publish transparency reports on the measures they have taken to tackle online harms, whereas smaller Category 2 companies will face less stringent requirements.

The response will set out how the regulations will apply to communication channels and services that are within the scope of the new rules but on which users will expect a greater degree of privacy, such as online instant messaging services and closed social media groups.

What are the sanctions?

Ofcom, the media and communications regulator, will be responsible for enforcing the rules and will have the power to impose fines for non-compliance of up to 10% of a company's annual turnover or £18 million (whichever is higher). The regulator will also be able to block offending services from being accessed in the UK.

What are the next steps?

Further clarification of the new rules will follow when the government publishes full details of the legislation. For instance, the extent to which criminal penalties may be imposed on senior executives has not yet been made clear, with the announcement suggesting that these measures have been scaled back from earlier proposals. It has been suggested that the Bill might include a power for Ministers to make such offences via secondary legislation at a later point.

The legislative proposals are expected to be published in an Online Safety Bill in 2021, which suggests that the UK laws may be in force before any EU legislation is finalised.

EU Digital Services Act

Who is in scope?

The DSA applies to any information society services provided in the EU and in particular intermediary services consisting of services known as ‘mere conduit’, ‘caching’ and ‘hosting’ services. In practice the DSA is focussed on:

  • intermediary services (for example internet access providers and domain name registrars).
  • hosting services (such as cloud hosting).
  • online platforms that bring together sellers and consumers (examples being online marketplaces, app stores and social networks).
  • "very large online platforms", meaning those reaching more than 10% of the 450 million consumers in Europe.

What is the proposal?

While the e-Commerce Directive remains the cornerstone of digital regulation, much has changed since its adoption 20 years ago. The DSA builds on the e-Commerce Directive to address new challenges. It overhauls, clarifies and updates many aspects of the eCommerce Directive, with the aim of making the online world safe and reliable.

Notably, the DSA deletes Articles 12-15 in the e-Commerce Directive (covering the mere conduit defence, the caching defence, the hosting defence and the no obligation to monitor provision) and reproduces them in the DSA. This maintains the liability exemptions for providers of intermediary services and the position that providers of intermediary services are not subject to a general monitoring obligation. It also introduces a long-awaited "good samaritan" provision, meaning that providers are still eligible to rely on the defences where they carry out voluntary own-initiative investigations or other activities aimed at detecting, identifying and removing, or disabling of access to, illegal content, or take the necessary measures to comply with legal requirements.

The DSA complements other e-commerce laws including the Platform to Business Regulations (and many of the provisions of the DSA echo the obligations in the P2B Regulations), the Unfair Commercial Practices Directive and the Audiovisual Media Services Directive.

The DSA provides a framework setting out clear responsibilities and accountability for providers of intermediary services, and in particular online platforms, such as social media and marketplaces. New obligations include:

  • More detailed procedures aimed at effectively tackling and removing illegal content online, including a harmonised legally-binding European "user-friendly" notice and take down mechanic (with a "trusted flagger" policy).
  • A requirement to report annually on measures taken to moderate content.
  • The need to implement internal complaint-handling systems and out-of-court dispute settlements.
  • A know-your-client obligation, under which platforms that allow B2C sales must obtain certain KYC information from the traders using their platform prior to allowing the trader to use the platform.
  • General obligations with regards to user safety, transparency, controls and information. These include provisions relating to content recommendations and online terms, and obligations relating to the publication and communication of information on the average monthly active recipients of the service.
  • Data sharing obligations, for example to provide regulators and outside groups with greater access to internal data.
  • Significant additional transparency obligations relating to: (i) online advertising (for example, providing greater transparency to their users over what is an advertisement, who the advertiser is, why the recipient has received the ad); and (ii) the use of algorithms (for example, providing greater transparency and control over the material users see online).
  • A requirement to designate a sufficiently mandated legal representative to enable direct communication with Member States’ authorities.
  • A duty on very large online platforms to deploy the necessary means to diligently mitigate the systemic risks identified, being: (i) dissemination of illegal content; (ii) the impact of the service on Human Rights; and (iii) the coordinated manipulation of the platform’s service.
  • New frameworks governing the supervision and cooperation of organisations in scope; for example, the largest platforms will have to appoint independent auditors who will determine if they are compliant with the new rules and they must carry out annual risk assessments over how they are stopping illegal content and goods from spreading on their networks.

The recent P2B Regulation implemented the first "horizontal" platform law in the EU, and has clearly set a template for some of the obligations in the DSA (such as complaint handling and out-of-court settlements).

We are also seeing platform-specific regulations on a national level with, for example, NetzDG in Germany, corresponding laws in France and Austria and now the Online Harms Bill in the UK. The Digital Services Act represents a super-charged pan-EU version of the P2B Regulations and NetzDG. It goes beyond any regulations seen before, in particular in relation to online advertising and the Digital Services Coordinators as new supervisory authorities.

What are the sanctions?

Each Member State must designate a "Digital Services Coordinator" to enforce the DSA. The Digital Services Coordinators in different territories can work together in matters covered by the DSA. Fines of up to 6% of global annual turnover could be levied for breaches.

What are the next steps?

The DSA will require the approval of both the European Parliament and EU countries through the European Council. The Commission is looking for the DSA to be implemented as fast as possible, but the proposed new rules could still take up to two years to become law. The final rules are not expected until 2023 at the earliest. Once adopted, the new rules will be directly applicable across the EU.

EU Digital Markets Act

Who is in scope?

The DMA is aimed at online players that determine how other companies interact with online users. The obligations apply to "core platform service providers" which are designated as "Gatekeepers".

A "core platform service" includes online intermediation services; online search engines; online social networking services; video-sharing platform services; number-independent interpersonal communication services; operating systems; cloud computing services; and certain advertising services so far as they are provided by a provider of any of the core platform services.

A "Gatekeeper" is a "core platform service provider" which has a significant impact on the internal market, plays a special role in allowing business access to customers and enjoys an entrenched and durable position (meaning at least over three years). While there is some nuance in this designation, there will be a presumption that a provider will satisfy the designation test if it:

  • generates an annual revenue of EUR 6.5 billion or more in the last three years, or has an average market capitalisation of at least EUR 65 billion in the last financial year in the EEA and provides a core platform service in three member states; and
  • has more than 45 million monthly EU end users or more than 10,000 yearly active EU business users, and this has been the case in each of the last three financial years.

The new market investigation tool has a broader scope, depending on the purpose of the European Commission's investigation. At its widest, where the Commission is considering whether services should be added to the list of core platform services and/or identifying unfair practices not addressed by the DMA, it could apply to businesses across the digital sector.

What is the proposal?

The DMA is designed to boost online competition. Similar to other national initiatives (like the current proposals in Germany), the DMA combines ex-ante regulation with traditional case-by-case ex-post competition law enforcement.

The first limb is a set of rules that will apply only to "gatekeepers", comprising a list of dos and don'ts for these providers, designed to address perceived competitive imbalances arising from the gatekeeper's position in the market.

Examples of obligations on gatekeepers include:

  • Allowing third parties to inter-operate with the gatekeeper's own service in certain specific situations.
  • Allowing business users to access data that they generate in their use of the gatekeeper's platform.
  • Providing companies advertising on their platform with the tools and information necessary for advertisers and publishers to carry out their own independent verification of their advertisements hosted by the gatekeeper.
  • Allowing business users to promote their offer and conclude contracts with their customers outside the gatekeeper's platform.

Examples of prohibited behaviour include:

  • Self-preferencing – treating services and products offered by the gatekeeper itself more favourably in ranking than similar services or products offered by third parties on the gatekeeper's platform.
  • Preventing consumers from linking up to businesses outside their platforms.
  • Preventing users from un-installing any pre-installed software or app.

The second limb is a market investigation tool (previously referred to as the New Competition Tool). This would give the European Commission powers to conduct an investigation to consider: whether a core platform provider should be designated as gatekeeper; where there has been systematic non-compliance; and whether services should be added to the list of core platform services. The Commission will also detect unfair or new practices that have not been adequately addressed by the DMA. When a gatekeeper intends to buy smaller rivals, they may need to inform and seek approval from the Commission.

What are the sanctions?

Failure to comply with the rules could lead to fines of up to 10% of global turnover, and, in the case of systematic infringements, structural remedies.

What are the next steps?

Like the Digital Services Act, the Digital Markets Act will require the approval of both the European Parliament and the European Council. In addition, the designation of "gatekeepers" will take time, and may well result in legal challenge. The final rules are not expected until 2023 at the earliest.

If these topics are of interest to you, please join our seminar on 26 January 2021. If you would like to discuss how these reforms may impact your business, please contact one of the experts listed below or your usual Osborne Clarke contact.