The European Commission is expected to unveil a proposed regulation this month that could bring about significant change to the digital landscape in the European Union, and potentially beyond.

Proposed by the commission as part of its Work Programme 2020, the Digital Services Act is a legislative package that, in part, seeks to overhaul the European Union’s 20-year-old e-Commerce Directive. The European Parliament said the DSA “aims to shape the digital economy at EU level as well as setting the standards for the rest of the world, as it did with data protection.”

“The DSA is, I think, one of the most important proposals being discussed at the Commission right now,” said Shopify Associate General Counsel and Data Protection Officer Vivek Narayanadas, CIPP/E, CIPP/US. “It’s an incredibly promising opportunity to address a range of really difficult and important issues to make sure the Internet remains a safe place for users and a competitive space for businesses.”

The commission last week also proposed the Data Governance Act, a set of rules to help facilitate data sharing across the EU. It includes measures to increase trust in data sharing, rules on neutrality and practices to give Europeans more control over how their data is used.

The proposal runs parallel to the DSA, said Future of Privacy Forum Senior Counsel for Global Privacy Gabriela Zanfir-Fortuna. "They are part of the same efforts of the European Commission to create a Digital Single Market that is functional, facilitates data sharing (personal and non-personal), primarily with innovation, research and the public good in mind, seemingly, while at the same time respecting the right to the protection of personal data and the other fundamental rights that Europeans have," she said. 

The commission is also expected to release the Digital Markets Act, which, according to European Digital Rights, "aims at opening the digital market by establishing limits to current digital gatekeepers." Both the DMA and DSA are expected to be released Dec. 9, 2020. 

DSA's potential scope 

Three parliamentary committees have published respective reports on the DSA proposal and a public consultation that gathered insight from platforms, businesses and consumer associations, ended in September. In its report, the Legal Affairs Committee urged the commission to put forward legislation that implements stricter rules on harmful content, gives users more control over what they see online, and more strictly regulates targeted advertising. The Committee on the Internal Market and Consumer Protection called for online platforms and intermediaries to improve detecting and removing false content, while the Committee on Civil Liberties, Justice and Home Affairs called for content removal to be “diligent, proportionate and non-discriminatory.”

As the commission is currently drafting the DSA — that draft is expected to be released in early December — details of what the proposal will include are not concretely known but have been gleaned from the committee reports, submissions through the public consultation and some leaks, said Fieldfisher Director of Technology, Outsourcing and Privacy Emily Parris.

They point to two main pillars the proposal aims to cover, she said, the first regulating digital service providers’ responsibilities and liabilities regarding illegal and harmful content, the second proposing greater regulation of large online platforms, referred to as “gatekeepers.”

In aiming to tackle illegal activity and harmful content, Parris said the proposal “could impact a whole wide range of different online players,” including large online platforms, as well as intermediaries like app stores or online marketplaces.

“The current rules in place have been there since the early 2000s,” Parris said. “Now, 20 years later, platforms have a completely different role, they have a huge societal and economic importance and the scale of online harms is completely different. And so there is real momentum both at the EU level, the policy level, and among individual member states to force platforms to do more.”

Early indications are that the proposal will also include provisions around algorithmic transparency, Parris said.

“We all love to get the content we like, but that comes with some risks,” she said. “There are hints we’ll see more rules about more transparency of the algorithms platforms use, or how content is recommended, how systems are working to deliver content to the user, and maybe a bit more user choice and transparency in that area.”

In looking to regulate digital “gatekeepers,” the commission is targeting large platforms “and the economic power and the impact” they have on consumers and the market, Parris said. While the concrete definition of “gatekeeper” within the DSA is not yet known, in an October speech, Executive Vice President Margrethe Vestager identified gatekeepers as “a few huge digital platforms” online consumers have “come to rely on.”

A list of ex-ante prohibited practices for “gatekeepers” is being considered, which leaked documents indicate could be related to data use. A leaked informal working document includes a list of unfair practices related to data — for example, restricting gatekeepers from using data for purposes other than its own commercial activities. The document also states gatekeepers would be subject to an annual audit of advertising metrics and reporting practices, as well as consumer profiling practices.

“I think what the commission is concerned about is the impact on consumers and on the ability of other businesses to compete in the same market as the larger platforms. Commissioners mentioned they are concerned that platforms have access to huge amounts of data that they manage to collect from the businesses that use their services and then those platforms are able to leverage that data themselves to develop their own products and services in adjacent markets,” Parris said.

'It will have a significant impact' 

The DSA’s impact could be wide-spread, Parris said. As the EU General Data Protection Regulation applies to those controlling data of users in the EU wherever they operate, it’s likely the DSA will do the same, she said.

“That raises all the same enforcement challenges that we’ve seen with the GDPR,” she said. “The big question for platforms — what they will want — is certainty. What do they have to do to comply, what are the sanctions going to be for noncompliance. The hints are that sanctions will be about systemic failure rather than individual failings.”

How the DSA will fit with the existing GDPR is not yet known, Zanfir-Fortuna said. But if the e-Commerce Directive is revised through the DSA, that’s of interest to privacy professionals.

“The DSA could actually revise the e-Commerce Directive, and if you look at the GDPR, there’s actually an exception from the scope of the GDPR that it is without prejudice to whatever involves the directive,” she said. “So even if the two laws are in conflict then you apply the e-Commerce Directive. This is why a lot of privacy professionals are following this. You want to know where the GDPR ends, where the e-Commerce Directive starts, where it is going.”

IAPP Netherlands Country Leader Jeroen Terstegge, CIPP/E, CIPP/US, said he expects the DSA will set boundaries on the content of digital services contracts, which could impact the application of the GDPR.

“So, if the DSA regulates digital contracts, the legality of the personal data associated with such service is a given and the GDPR would only play second fiddle to the lawfulness of the digital service in question,” he said. “In other words, for assessing the processing of personal data in digital services and platforms, it will be DSA first and GDPR second.”

Apart from the GDPR, Parris said the DSA is “probably the single largest piece of reform of online activity that we’ve seen for years.”

“It’s massive,” she said. “It will have a significant impact. And the challenge, of course, is it’s not just the EU level. Individual member states have gotten pretty impatient and are starting to push forward their own laws in this space. So global platforms are going to once again be contending with multiple layers of regulation for compliance purposes.”

Photo by Guillaume Périgois on Unsplash