European Union Passes Digital Services and Markets Acts to Increase Pressure for Transparency

by Max Landaw

Recently, the European Union announced a provisional political agreement for new legislation called the Digital Services Act (DSA), which would require major digital platforms to be more transparent in the algorithms they use and give clearer avenues for the removal of abusive content and disinformation.

The EU Commission proposed the original statutory language for the DSA on December 15, 2020 and in the wake of the newly enforced General Data Protection Regulation (GDPR), the EU saw such a proposal as an “ambitious reform of the digital space, a comprehensive set of new rules for all digital services, including social media, online market places, and other online platforms that operate in the European Union . . . .”

According to the EU, the purpose of the DSA is to afford:

• Better protection of fundamental rights

• More choice, lower prices,

• And less exposure to illegal content.

The DSA retains most of the language of the 2020 proposal but the final language will contain modifications in the following areas: removal of illegal products and services from online marketplaces, immediate removal of content targeting victims of cyber violence, a ban on dark patterns (a practice of encouraging users to steer away from options not based in profiling), algorithm accountability, clear transparency of algorithms, supervisor fees for very large online platforms (“VLOPs”) of up to 0.05% of their global annual revenue, and inclusion of search engines in the category of VLOPs.

The DSA imposes due diligence obligations on all digital service providers, called intermediary services, that connect consumers to goods, services, or content. However, the obligations depend on each digital service operator’s role, size, and impact on the online ecosystem. Covered businesses under the DSA include domain name registrars, cloud computing and webhosting providers, VLOPs (which are defined as having more than 10% of the 450 million consumers (or more than 45 million consumers) of the EU), and online platforms bringing together sellers and consumers (e.g. online marketplaces, app stores, and social media platforms).

More explicitly, covered businesses must implement measures to counter illegal goods, services or content online, increased content moderation policies and transparency around the algorithms used for recommending content or products, and mitigation efforts for VLOPs to take risk-based action to prevent misuse of their systems. VLOPS, in particular, will be more carefully supervised by the EU Commission with the possibility of imposing sanctions of up to 6% of global turnover or even a ban on operating in the EU market in case of repeated serious breaches.

Based on the language around VLOPs, it has been easy to derive which companies the EU had in mind when crafting large portions of the DSA and its sister legislation, the Digital Markets Act (DMA). The DMA regulates “gatekeepers”, similar to VLOPs in that they are large companies, who the EU has stated are “bottlenecks between businesses and consumers and sometimes even control entire ecosystems, made up of different platform services such as online marketplaces, operating systems, cloud services or online search engines.” The purpose of the DMA is to ensure a higher degree of competition in digital markets by restricting certain gatekeeper practices such as treating services and products offered by the gatekeeper more favorably in ranking than similar services or products offered by third parties on the gatekeeper’s platform.

The DMA and DSA thus target companies like Amazon, Google, Apple, Microsoft, Twitter, and Meta, all American companies which would all be considered VLOPs and gatekeepers and that transact heavy volume in the EU. As a response, American lawmakers and politicians have expressed skepticism in the new legislation. Senators Ron Wyden and Mike Crapo published a joint statement on the EU legislation, stating “Given the global nature of the internet, we are concerned that the European legislative proposals, as currently drafted, will unfairly disadvantage U.S. firms to the benefit of not just European companies, but also powerful state-owned and subsidized Chinese and Russian companies, which would have negative impacts on internet users’ privacy, security and free speech.” Commerce Secretary Gina Raimondo has additionally shared skepticism that the EU legislation mostly has an impact on American companies.

More noteworthy though has been the EU’s response to Elon Musk’s pending acquisition of Twitter. The EU specifically called out Musk, with Thierry Breton, commissioner for the internal market at the EU, tweeting that “Be it cars, or social media, any company operating in Europe needs to comply with our rules -- regardless of their shareholding. Mr. Musk knows this well. He is familiar with European rules on automotive, and will quickly adapt to the Digital Services Act.”

Musk has criticized Twitter’s current content moderation policies, suggesting a more transparent approach to the platform such as making the algorithm for a user’s feed open source. Musk met with Breton in Texas recently with the two sides quelling fears of a refusal to comply with the new EU legislation as Musk stated that he agrees with everything Breton and him discussed, “I think [the new EU legislation is] exactly aligned with my thinking.”

What may be more apropos for companies outside of the VLOPs will be the obligations imposed on every covered business. All such companies will be expected to have or engage in transparency reporting, requirements on terms of service to account for fundamental rights, cooperation with national authorities, and appointing points of contact and potentially legally representatives.

In line with GDPR, it is clear that companies within the scope of the DSA will have to internally maintain records which EU bodies may demand on request, revealing company practices related to user experience on such platforms. The days where algorithms and company practices related to user data may be kept in a trade-secret fashion are more and more being chipped away. This means that existing and new companies looking to do business in the EU will have to develop models called “compliance by design” similar to the GDPR’s “privacy by design” where companies will have to anticipate the public disclosure of company practices.

Once adopted formally, the DSA will become directly applicable across the EU and will be enforceable 15 months from such a date or on January 1, 2024, whichever is later. Final language around the statute is expected soon.

Originally published by InfoLawGroup LLP. If you would like to receive regular emails from us, in which we share updates and our take on current legal news, please subscribe to InfoLawGroup’s Insights HERE.