Rethinking regulation of data-driven digital platforms

Bringing the regulation of digital platforms up to date

Cross-sector interest in data-driven business models is inspired, in no small part, by the success of the businesses that first identified how to turn reams of data into scalable revenue streams. Many of these models are platforms that facilitate the coming together of different parties who wish to interact, whether for social or commercial reasons, including social media, market places and search engines. Many are now at the heart of the digital and online economy. 

Over the last few years, the European Commission has reviewed the existing regulatory framework for digital markets to ensure that these frameworks are as effective as possible in light of developments since they first emerged, in the early years of the internet. These reviews have resulted in a number of legislative proposals from the European Commission, including amongst others the Digital Markets Act (DMA) and the Digital Services Act (DSA). At the time of writing, political agreement has been reached between the Commission, the Council of Ministers and the European Parliament in relation to the fundamentals of the DMA and the DSA, but the technical detail is still being finalised and the final texts are not yet available. Both are currently expected to become law in autumn 2022, with a further period for compliance. 

These two pieces of legislation sit front and centre in a shift in the approach to the regulation of digital platforms, products and services in the EU.

A new approach to regulation

Proactive regulation

The DMA is focused on ensuring "contestable and fair markets in the digital sector". Digital platforms, like all businesses, are subject to competition law. But over time policy-makers and legislators in Europe started to question whether the usual toolbox of powers and sanctions were sufficient to maintain effective competition in these markets, and whether more could or should be done to support European competitors (given that businesses from the USA and China are often in the vanguard of these markets). As noted in Chapter 2.1, the European Commission considers data to be a "key factor of production" and so the accessibility of data in digital platform markets has been a particular area of focus. 

The Commission has concluded that the particular economics of digital markets have caused some platforms to become "gatekeepers", able to influence the fairness and contestability of their markets in a structural way. In the Commission's view, these issues have proved difficult to address using general competition law, either because the actions are not illegal in themselves under those laws, or because investigating and remedying infringements after the event has proved complex and cumbersome, particularly in the context of what are often fast-moving markets. Moreover, it considers that reversing any harm caused can be difficult. A similar conclusion was reached by policymakers in the UK, which is also planning specific legislation to deal with digital markets to be overseen by a new Digital Markets Unit.

General competition law sets out overarching prohibitions applicable to all businesses. Case law and enforcement has built up understanding over time of the types of commercial behaviour or agreements that will fall within the prohibitions. The DMA, by contrast, sets out detailed provisions specifying actions that "gatekeepers" must or must not take. Gatekeepers will be formally designated as such by the Commission, on the basis of parameters set out in the DMA. 

As regards data, the DMA seeks, first, to limit the extent to which datasets about an individual are combined, requiring consent or another lawful basis for processing under the EU's General Data Protection Regulation. In addition, it seeks to increase the portability of data about an individual user from one platform to another, with the intention of making it easier for customers to switch to an alternative provider, or to use a number of providers at the same time (known as "multi-homing"). 

The DSA, similarly, imposes much more granular expectations on online platforms regarding illegal online content than the previous approach of the e-Commerce Directive (which currently governs liability of platforms for online content). The new regulation will require active monitoring of risk, adoption of effective mechanisms to remove illegal content or to verify the identify of traders using online marketplaces and includes requirements for reporting to the Commission. It will also require transparency around certain algorithms such as recommendation engines, and will impose controls on the use of data-driven profiling of users. 

Data-driven business models The role of legal teams in delivering success Download the full report >

Tiered regulation

The DMA and DSA represent a significant increase in regulation of digital businesses. Both are notable in being uniform across the EU, but not uniform in their application to businesses. As noted, the DMA will apply only to businesses designated as gatekeepers, while the DSA contains fewer burdens for smaller businesses which will, moreover, be given a longer period for compliance once the legislation is in force. 

In addition, the mechanics of enforcement of the DSA are also impacted by the scale of the business concerned, as explained below.  

Centralisation of enforcement

Currently, the only area where the Commission has direct powers to enforce EU law is in the field of competition law. Both the DMA and the DSA will create new, exclusive areas of jurisdiction for the Commission – a rare and significant extension of its role. 

As regards the DSA, this role was not included in the Commission's original proposals for the legislation but was added by the European Parliament and Council of Ministers during the legislative process. It is in notable contrast to the decentralised approach of other European legislation, including the General Data Protection Regulation (GDPR), that is enforced by national regulators. 

The DMA applies only to designated gatekeepers with a certain scale and impact, and will be enforced entirely by the Commission. For the DSA, the Commission will take over enforcement in relation to very large online platforms, meaning those with over 45 million users in the EU, i.e. roughly 10 per cent of the population of the EU. The finalised text of the legislation is not available at the time of writing but it has been reported that such platforms will also be required to pay a yearly fee of up to 0,05% of their global turnover to fund enforcement by the Commission – again, a new approach to enforcement of EU law. 

It remains to be seen whether the approach in the DSA, entrusting enforcement of the most significant cases to the Commission, is the beginning of a new trend in digital regulation enforcement. A recently leaked draft suggests that the European Parliament will seek to amend the proposed AI Act (see Chapter 2.7) to provide for a similar centralised approach in relation to breaches that meet specified thresholds indicating a significant EU dimension. 

This shift in approach can be interpreted as a desire for consistency across the EU. It will reduce the risk of diluting the impact of enforcement by being split across numerous national regulators – a criticism which is sometimes made in relation to the track record of enforcement under the GDPR. Potentially, it puts considerable power in the hands of the Commission to shape digital markets going forwards. 

As an aside, it is worth noting a significant ramification of centralising EU enforcement. Where the Commission undertakes an investigation under EU-level powers, the EU rules of legal professional privilege will be in play. This means that legal advice from in-house counsel (or from non-EU- qualified lawyers) will not be considered privileged and will not, therefore, be protected from disclosure to the Commission. In some Member States, the advice of in-house lawyers is not privileged in any case, but in those where it is (for example, many Member States with a common law legal system), the loss of such protection from disclosure in a Commission investigation is a significant point to bear in mind in terms of risk management for the legal team. 

Compliance by design 

The nature of data-driven business models such as digital platforms, products and services is that the software that underpins or delivers them is often automated, whether in a simple way or using complex AI systems. As such, regulatory compliance will typically need to be designed into the system from the outset. 

This is a trend that has been seen increasingly for digital regulation, and the DMA and DSA continue the theme. For example, where provisions create rights of access to data, this will need to be integrated into the structure of the system, building the technical functionality needed to fulfill the regulatory requirement. Retrofitting compliance into existing systems can be difficult – the relatively short deadlines for compliance in the DSA and DMA once the two regulations are in force are particularly noteworthy in this context.