CEO and editor-in-chief of 6 pages.
The EU’s Digital Markets Act (DMA) and Digital Services Act (DSA) have both been recently adopted by the European Parliament and now only have to be formally approved by the Council of the European Union. As the political agreements were already in place in March-April 2022, approval by the Council is expected, and it looks like we will see them both come into force soon.
Why is this bad? Together, the two acts represent a new approach to regulating major tech companies. Both carry hefty fines for non-compliance –up to 20% of worldwide sales for violating the DMA and up to 6% for violating the DSA. Infringing companies may be banned from acquisitions for a period of time, which is required to: push off companies or completely excluded from activities in the EU.
While both acts are cracking down on major tech companies, there are key differences. I think the best way to think about the two laws is to remember that the Digital Markets Act focuses on market power and competition, while the Digital Services Act focuses on content, advertising and e-commerce.
What does the Digital Markets Act say?
In concrete terms, the Digital Markets Act regulates “gatekeepers”—large companies providing “core platform services” such as marketplaces, social media, search engines, advertising, operating systems, and more, with a market capitalization of at least $75 billion or annual revenue of at least $7.5 billion, as well as over 45 million monthly end users and 10,000 business users per year in Europe. In short, large tech companies.
Under the DMA, these companies face a host of new requirements. Some of the more notable ones include requiring platform interoperability (for example, between messaging services such as Apple iMessage and WhatsApp), allowing users to switch between platforms without losing their data and contacts, thus preventing the installation of third-party app stores and allow apps to use third-party payment systems and login services.
Users must have access digital content purchased elsewhere will be asked to choose their default services (e.g. browser, search, assistant) and be able to remove pre-installed software. Gatekeepers require explicit user consent to combine personal data from different services (e.g. for targeted advertising) and must provide an equivalent alternative to users who opt out.
With regard to business users, gatekeepers cannot require business users to use, offer or incorporate their other services. Business users should be free to interact with customers through any channel and transact outside the platform. It also prohibits gatekeepers from using sensitive data provided by business users for advertising or any other purpose. Gatekeepers are also prohibited from imposing “unfair” prices on business users,”self-preferencetheir own products and services and “wrongly tying or bundling services”.
What does the Digital Services Act say?
The Digital Services Act, on the other hand, proposes obligations “online intermediariesprovide services in the EU, whether or not they are physically present there. (Micro/Small Businesses are exempt from certain requirements.) These online intermediaries include Internet service providers and domain registrars; hosting and cloud computing services; platforms such as marketplaces, app stores, collaborative economy platforms and social media; and “very large” platforms and search engines, defined as those that reach 10% or more of the 450 million consumers in the EU.
The DSA allows any user to flag illegal goods, services, and content for “quick removal”, challenge content decisions and seek redress for damages or loss. Platforms must also provide reports on their content moderation practices. Ads should be more transparent (e.g., on whose behalf the ad was placed and how the recipient was determined). Targeted advertisements for children are excluded, as are advertisements based on sensitive personal data (e.g. race/ethnicity, political opinions, religion, sexual orientation). Businesses also need to know who their corporate customers are promoting posts or offering products for sale on their platform, which can mean: Verify identity information (e.g. bank accounts/statements, company certificates).
What does this mean for technology leaders?
As with the DMA, the DSA places an additional burden on the largest tech companies. Major tech platforms should allow users to choose the algorithmic recommendation system that dictates their feeds. They must also make themselves available for external independent audits, conduct annual assessments of their systemic risks, and provide data access to authorities and vetted investigators, among other requirements.
In my view, some of these requirements pose more of an inconvenience than a real threat to big tech. For example, interoperability could help the leading incumbents by eroding the business models of smaller players. Certainly, the costs associated with regulation often favor the players who can afford it. In some cases, the big tech companies have already seen the writing on the wall and moved in the given direction anyway, for example towards user consent.
Other terms directly address the benefits that large tech companies enjoy and present serious technology and business model challenges. For example, allowing users to choose the algorithm for their feed is not trivial. The content requirements of the DSA are likely to lead to the hiring and implementation of highly labor-intensive processes. Allowing apps to use third-party payment systems targets the lucrative business models of app stores. Obtaining explicit user consent to combine even their own first-party data will be painful for the advertising giants. The list goes on.
While there are questions about how the DMA and DSA will be enforced in practice, some major tech companies have to question whether the European market is worth it due to the sheer scale of the DSA and DMA — and the magnitude of their potential fines. But there’s no guarantee that, even if they pull back, they wouldn’t face the same dynamics in other regions. The battle against big technology and for consumer privacy and consent is not just a Europe phenomenon, and European laws often become global norms.
The DMA and DSA may herald a new era of reining in the power of big tech companies — not just in Europe, but around the world.