Despite a few weeks absence from these pages, I have not been idle. I'll explain more in other posts, but in part I've been ploughing through the EU's new regulations on Digital Markets and Digital Services, briefly summarised here, with more below.
In the course of providing certain “core platform services” for business users to reach their end users online, very large digital platform operators (“gatekeepers”) act as private rule-makers and may create ‘bottlenecks’ and ‘choke points’ that limit access, unfairly exploit data for their own purposes and/or impose unfair conditions on participants. Therefore, the EU has introduced the Digital Markets Act (DMA)) to control gatekeepers’ practices that either fall outside the existing EU competition controls or cannot be effectively addressed by those rules. Member state’s regulators cannot go further than the DMA restrictions and the restrictions must be applied consistently throughout the EU. Gatekeepers can be fined up to 20% of worldwide revenue for breaches.
The DMA will start to apply in May 2023 and gatekeepers will have six months to comply, once they have been designated.
The EU’s Digital Services Act (DSA) establishes a harmonized approach to protecting EU-based users of online communication, e-commerce, hosting and search services across the EU, by granting intermediary service providers (“ISPs”) exemption from certain liability if they perform certain obligations. An ISP will be in scope if it is either based in the EU or has a substantial connection with the EU (a significant number of users as a proportion of the population or by targeting its activities at one or more Member States). There are extra requirements for ‘very large online’ platforms and search engines; and some exemptions for small enterprises and micro-enterprises.
The DSA applies from 17 February 2024 (4 months after designation as a VLO platform/search engine). However, ISPs will need to begin reporting their average monthly active users by 17 February 2023, and then every six months; and arrangements for the designation of VLO status and supervisory fees will apply from 16 November 2022.
Digital Markets Act in Detail
In the course of providing certain “core platform
services” for business users to reach their end users online, very large
digital platform operators (“gatekeepers”) act as private rule-makers,
‘bottlenecks’ and ‘choke points’ with the opportunity to limit access, exploit
customer data for their own purposes and impose unfair conditions on businesses
and end users. Similar opportunities arise in relation to advertisers and
publishers of content on the gatekeepers’ platforms. Therefore, the EU has
introduced the Digital
Markets Act (DMA)) to control gatekeepers’ practices
that either fall outside the existing EU competition controls or can’t be
effectively addressed by those rules. Member state’s regulators cannot go
further than the DMA restrictions and the restrictions must be applied
consistently throughout the EU. Gatekeepers can be fined up to 20% of worldwide
revenue for breaches. The DMA will start to apply in May 2023 and gatekeepers
will have six months to comply, once they have been designated.
Which platforms are gatekeepers?
A platform can be designated as a gatekeeper if it
satisfies the following criteria (unless it can prove otherwise):
•
It has a significant impact on the
internal market, which is presumed where the undertaking to which it
belongs has either an annual EU turnover of at least €7.5bn in each of the last
three financial years, or average market capitalisation/value of at least €75bn
in the last financial year, and provides a core platform service in at least 3
member states;
•
It operates a core platform
service that serves as an important gateway for business users to reach end
users, which is presumed where the service reaches user
thresholds of 45m monthly active EU-based end users and 10,000 yearly active EU-based
business users in the last financial year; and
•
It enjoys, or will enjoy, an
entrenched and durable position in its operations,
which is presumed where the user thresholds were met in each of the last 3
financial years.
What gatekeeper services are
affected?
A
“core platform service” means any of the following:
•
online intermediation services;
•
online search engines;
•
online social networking services;
•
video-sharing platform services;
•
operating systems;
•
web browsers;
•
virtual assistants;
•
cloud computing services;
• number-independent interpersonal
communication services (NIICS) – e.g. WhatsApp, Messenger, and other online
communications services that do not actually connect using public telecoms
number plans (even if your mobile number might be used as an identifier), but
the DMA will not apply to other electronic communications networks defined in
the European
Electronic Communications Code;
•
advertising services, including
any advertising networks, advertising exchanges and any other advertising
intermediation services, provided by a provider of any of the core platform
services listed above.
Such service providers must notify the European Commission
within two months after those thresholds are met (with any argument that the
related criteria should not apply), but failure to do so does not prevent the
Commission from designating these providers as gatekeepers, either then or
following a market investigation.
Designation may change if there has been a substantial
change or error in any of the facts on which it was based and Commission must
also review the designation at least every three years. The Commission must
maintain a public list of gatekeepers and their affected core platform
services.
Obligations on gatekeepers
Specific requirements are aimed at protecting various
types of participant from adverse practices in the course of their use of gatekeepers’
designated core platform services, regardless of whether the relevant practice
is contractual, commercial, technical or of some other nature.
Gatekeepers must publish general conditions of access,
including an alternative dispute resolution mechanism, and cannot terminate a
core platform service on conditions that are disproportionate. Participants in
the service, must be able to exercise their rights to terminate without undue
difficulty.
End-users
Gatekeepers need end users’ fully informed consent (as
per GDPR) to process their personal data for online advertising; combine or
cross-use it with personal data from any other services provided by the
gatekeeper or a third-party services; or sign the end user into to other
services of the gatekeeper to combine their personal data. Where an end user’s consent
has been refused or withdrawn, the gatekeeper may only make one request for the
same consent for a year.
End users must be able to un-install any pre-installed
software applications on a gatekeeper’s core platform service (but a gatekeeper
may preserve applications that are essential for the functioning of the
operating system or device where such applications cannot technically be
offered on a standalone basis by third-parties).
Gatekeepers must not technically restrict end users from
subscribing for or switching between applications and services using the
operating system, including choice of Internet access provider.
End users must have effective portability of the data
generated through their activity and be given the tools to achieve that,
including continuous and real-time access.
A gatekeeper must not make the exercise of end users’
rights unduly difficult or degrade the quality or condition of any of the core
platform service provided to end users who exercise their rights.
A gatekeeper must submit any techniques for profiling
of consumers to an independent audit within six months of using them.
Business users
Gatekeepers must:
•
not prevent business users from
offering the same products or services to end users through third-party online
intermediation services or their own direct online sales channel at prices or
conditions that are different from those offered through the gatekeeper’s
service;
•
allow business users, free of
charge, to communicate and promote offers to end users acquired via its core
platform service or through other channels and conclude contracts with those
end users, regardless of whether and for what purpose they use the core
platform service;
•
allow end users to access and use
content, subscriptions, features or other items through its core platform
services, by using the software application of a business user (including where
those end users acquired such items from the relevant business user) without
using the core platform services of the gatekeeper;
•
not directly or indirectly prevent
or restrict business users or end users from raising any issue of
non-compliance of any kind by the gatekeeper with any relevant public authority
or courts (without prejudice to the right of business users and gatekeepers to specify
lawful complaints-handling processes);
•
in the context of business users’
services using the gatekeeper’s core platform service, not require end users or
business users to use, offer, or interoperate with the gatekeeper’s own
identification service, web browser engine or payment service (or technical
services that support payment services, including systems for in-app purchases);
•
not require business users or end
users to subscribe to, or register with, any further designated core platform
services as a condition for being able to use, access, sign up for or
registering with any of that gatekeeper’s designated core platform services;
•
not use in competition with
business users any business data not publicly available that is provided by or
generated through activities by their use of the core platform services or related
services (including data generated or provided by the business users’
customers).
•
provide business users with
effective portability of the data generated through their activity and the
tools to achieve that, including continuous and real-time access.
•
provide business users (or their
authorised third parties), free of charge:
•
effective, high-quality,
continuous and real-time access and use of aggregated or non-aggregated data,
that is provided or generated in the use of the relevant core platform service
by those business users and their end users engaging with their products;
•
provide access and use for personal
data only where directly connected with the use effectuated by the end user in
respect of the products of the business user through the core platform service with
the end users’ consent.
•
apply fair and non-discriminatory
general conditions of access for business users to its software application
store (where designated).
•
not make the obtaining of consents
by a business user more burdensome than for its own services.
•
not make the exercise of business
users’ rights unduly difficult or degrade the quality or condition of any of
the core platform service provided to business users who exercise their rights.
•
submit any techniques for
profiling of consumers to an independent audit within six months of using them.
Advertisers
Gatekeepers must provide on request to each advertiser
to which it supplies online advertising services (or their authorised third
parties) daily and free of charge:
·
information on each advertisement
placed, the price and fees paid, remuneration received by the advertising publisher
and the basis of calculation. If a publisher of advertising does not consent to
the sharing of information regarding its remuneration, the gatekeeper shall
provide the advertiser with the daily average remuneration received by that
publisher, including any deductions and surcharges;
· access to the gatekeeper’s
performance measuring tools and the information necessary for advertisers to
carry out their own independent verification of the advertisement inventory,
including aggregated and non-aggregated data.
Publishers
Gatekeepers must provide:
·
on request to each publisher to
which it supplies online advertising services (or their authorised third
parties) daily and free of charge information concerning the display of each ad
from the publisher’s inventory, the remuneration received and fees paid by that
publisher, the price paid by the advertiser and the basis of calculation. If an
advertiser does not consent to the sharing of such information, the gatekeeper
shall provide the daily average price paid by that advertiser for the relevant
ad, including any deductions and surcharges.
·
access to the gatekeeper’s
performance measuring tools and the information necessary for publishers to
carry out their own independent verification of the advertisement inventory,
including aggregated and non-aggregated data.
Third Party Software Providers
Gatekeepers must:
•
allow the installation and
effective use of third-party software applications or software application
stores using, or interoperating with, the gatekeeper’s operating systems and
allow those applications or stores to be accessed by means other than via that
gatekeeper (subject to proportionate measures to ensure those applications or
stores don’t endanger the integrity of the gatekeeper’s systems).
•
Not treat the gatekeepers’ own
group products more favourably in ranking and related indexing and crawling, than
similar third party products; and apply fair and non-discriminatory conditions
to such ranking.
•
Allow third party service and
hardware providers, free of charge, effective interoperability with (and access
for the purposes of interoperability) the same hardware and software features
accessed or controlled via the gatekeeper’s designated operating system or
virtual assistant as are available to the gatekeepers own services or hardware.
•
Provide, on request, to any third
party online search engine providers access on fair, reasonable and
non-discriminatory terms to the gatekeeper’s data on ranking, query, click and
view relating to free and paid search results generated by the gatekeeper’s end
users (subject to anonymisation of personal data).
Interoperability
A relevant gatekeeper must make the basic
functionalities of its NIICS interoperable with the NIICS of another provider
offering or intending to offer such services in the EU, by providing the
necessary technical means that facilitate interoperability, upon request and
free of charge. The gatekeeper must publish a ‘reference offer’ specifying the
technical details and conditions of interoperability, including necessary
details on security and end-to-end encryption which must be preserved across
the interoperable services. Any NIICS provider may then request
interoperability for some or all of the basic functionalities, and the
gatekeeper has three months to render those functionalities operational. Only
the personal data of end users that is strictly necessary to provide effective
interoperability may be collected and exchanged.
Over time, a relevant gatekeeper must at least make
the following functionalities interoperable where it provides those
functionalities to its own end users:
Basic functionalities:
within three months of request:
•
end-to-end text messaging between
two end users;
•
sharing of images, voice messages,
videos and other attached files in end-to-end communication between two end
users;
Group
functionalities: Within 2 years from designation:
•
end-to-end text messaging within
groups of individual end users;
•
sharing of images, voice messages,
videos and other attached files in end-to-end communication between a group
chat and an individual end user;
End-to-end
voice and video calls: Within 4 years from the
designation:
•
end-to-end voice calls between two
individual end users;
•
end-to-end video calls between two
individual end users;
•
end-to-end voice calls between a
group chat and an individual end user;
•
end-to-end video calls between a
group chat and an individual end user.
Compliance
Measures
The Commission has vast powers to ensure compliance
with the DMA, including monitoring, imposing conditions and fines, obtaining
reports, granting exemptions on public interest grounds (health and security)
and undertaking market investigations.
Conclusion
The types of services and restrictions covered by the DMA reflect
many of the complaints and concerns generated in the course of the explosive
growth of various ‘tech giants’ over the past fifteen years or so. The Commission has been very assertive on the wider
competition front, so it seems likely to use these powers actively. This
should go a considerable way toward addressing various ‘externalities’ that
were simply left for the market or regulators to address. Perhaps some business
models that were choked off might now regenerate, albeit in digital form.
At the same time, gatekeepers may feel aggrieved that the enormous
benefits that have accrued to them from a relentless commitment to solving
users’ problems and creating genuinely useful services from launch not so long
ago are already being unfairly curtailed or shared with businesses that have
not had to make that journey or commitment.
At any rate, it remains to be seen whether the gatekeepers will
comply quietly or continue what seems to have been an endless game of
cat-and-mouse…
Digital Services Act in Detail
The EU’s Digital
Services Act (DSA) establishes a harmonized approach to protecting EU-based users of
online communication, e-commerce, hosting and search services across the EU, by
granting intermediary service providers (“ISPs”) exemption from certain liability
if they perform certain obligations. An ISP will be in scope if it is either
based in the EU or has a substantial connection with the EU (a significant
number of users as a proportion of the population or by targeting its
activities at one or more Member States). There are extra requirements for ISPs
with at least 45m average monthly active
EU users (designated as ‘very
large online’ (VLO) platforms and VLO search
engines). There are exemptions for small enterprises and
micro-enterprises. A small enterprise employs fewer than 50 persons and has an
annual turnover and/or annual balance sheet total which does not exceed €10m. A
micro-enterprise employs fewer than 10 persons and has an annual turnover
and/or annual balance sheet total that does not exceed €2m.
The DSA
applies from 17 February 2024 (4 months after designation as a VLO
platform/search engine). However, ISPs will need to begin reporting their
average monthly active users by 17 February 2023, and then every six months;
and arrangements for the designation of VLO status and supervisory fees will
apply from 16 November 2022.
Users can be
any natural or legal person actually using or receiving the intermediary
service, (particularly those seeking information or making information
accessible).
Intermediary
services consist of the transmission of data in or the provision of access to a communication network (‘mere conduit’);
the automatic, intermediate and temporary storage of information, solely for
its more efficient onward transmission to other users on their request
(‘caching’); and/or the storage
of information provided
by, and at the request of, a user
(‘hosting’). Online search engines are therefore ISPs, for example.
Chapter II - Liability of ISPs
‘Mere conduit’
A ‘mere
conduit’ ISP won’t be liable
for the information transmitted or accessed, so long as it does not initiate the transmission; does not select the receiver; and does not select or modify the information contained in it.
This extends to caching where the information is not stored for any
period longer than is reasonably necessary for transmission.
‘Caching’
A caching ISP
won’t be liable for caching so long as it does
not modify the information and is in no way involved with the
information transmitted or stored other than for storing it; complies with conditions on access to the information;
complies with rules
regarding the updating
of the information, specified in a manner widely recognised and used by
industry; and acts expeditiously to remove or to disable access to the
information it has stored upon obtaining actual knowledge of the fact that the
information at the initial source has been removed or disabled, or an
order for such removal
or disablement has been made.
‘Hosting’
A hosting ISP
won’t be liable for the information stored at the request of a user
so long as it does not have actual knowledge of illegal activity
or illegal content
and is not aware of facts or circumstances making it illegal; or acts expeditiously to remove or to
disable access to the illegal content on obtaining such knowledge or awareness;
and the user is not acting under the authority or the control of the provider
(which it would be where the ISP determines the price of products offered by
the user, for example).
This immunity
does not extend to liability under
consumer protection law of online platforms that allow consumers to conclude
distance contracts with traders, where the platform presents
the specific item of information or otherwise enables
the specific transaction at issue in a way that would lead an average consumer to believe that the
information, product or service, is provided either by the online platform itself or by a user who is acting under its
authority or control.
Voluntary own-initiative investigations and legal compliance
ISPs shall not be deemed ineligible for the exemptions from liability solely because they, in good faith and in a
diligent manner, carry out voluntary own-initiative investigations into, or
take other measures aimed at detecting, identifying and removing, or disabling access to, illegal
content, or take the necessary measures to comply
with applicable EU law (or national implementing law). It is not clear whether
compliance with non-EU law would disable the exemptions.
No general monitoring or active fact-finding obligations
ISPs
have no general obligation to monitor the information which they transmit or store, or to actively seek
facts or circumstances indicating illegal activity.
Orders to act against illegal
content
Upon the
receipt of an order to act against illegal content, ISPs must inform the
authorities of any effect
given to the order without
undue delay. This information
is shared with the Digital Services Coordinator from the Member State of the
issuing authority who shares it with all other
EU Digital Services Coordinators.
The ISP must
inform the user concerned of the order received and the effect given to it,
including a statement of reasons,
the possibilities for redress that exist, and a description of the
territorial scope of the order.
Orders to provide
information
Upon receipt
of an order to provide specific information about one or more specific
individual users, ISPs must without undue delay inform
the authorities of its receipt and of the effect given to it. The Digital Services Coordinator of the Member
State concerned shares a
copy of the order with all EU
Digital Services Coordinators.
Chapter III - Due
diligence obligations for a transparent and safe online environment
Section
1 - Provisions applicable to all ISPs
Points of contact
ISPs shall
designate a single
point of contact
to enable them to communicate directly, by
electronic means, with Member States’ authorities; and another for users (to
communicate directly and rapidly with them, by electronic means and in a user-friendly manner,
including by allowing
users to choose the means of
communication, which must not solely rely on automated tools).
Legal representatives
ISPs which are
not based in the EU must specify a legal representative in one of the Member
States where the provider offers its services,
mandated to deal with all issues necessary for the receipt of,
compliance with and enforcement of decisions issued in relation to the DSA in
an efficient and timely manner. The designated legal
representative may be held liable
for non-compliance with obligations under
the DSA, without prejudice to the liability and legal actions that could be
initiated against the ISP. The designation of such
a legal representative will
not itself constitute an establishment in the EU.
Terms and conditions
ISPs’ terms
and conditions (Service Terms) must include information on any restrictions
that they impose in relation to the use of their service. The Service Terms must be in clear, plain,
intelligible, user-friendly and unambiguous language, and shall be publicly
available in an easily accessible and machine-readable format. Users must be
informed of any significant changes.
Service Terms
for services primarily directed at minors or predominantly used by
them, must be such that minors can understand them.
Providers of VLO platforms and of VLO search engines
(VLO Providers) shall provide users with a concise,
easily-accessible and machine-readable summary of Service Terms
and conditions, including the available remedies and redress mechanisms, in
clear and unambiguous language; and publish their Service Terms in the official
language(s) of each Member State in which they offer their services.
Transparency reporting obligations for ISPs
ISPs (except
micro/small enterprises, unless they are VLO platforms) must publish a report
at least annually on any content
moderation that they engaged in during the relevant
period, including the number of orders received in relation to illegal content,
by type; voluntary content moderation; the number of complaints received, their
basis, decisions taken and median time taken to resolve; any use made of automated means for the purpose of content moderation.
Section
2 - Additional Provisions for Hosting ISPs, including ‘Online Platforms’
Notice and action mechanisms
Hosting ISPs must
have mechanisms to allow any individual or entity to notify them
electronically of the presence of illegal content
on their services, which are easy to
access and user-friendly. To give rise to actual knowledge or awareness of the
specific item where they allow the
hosting ISP to identify the illegality
without a detailed legal examination. The ISP must confirm receipt without
undue delay and notify that individual or entity of its decision, providing information on the
possibilities for redress in respect of that decision. Hosting ISPs must act in a timely,
diligent, non-arbitrary and objective
manner and specify where they use
automated means for processing the notice or decision-making.
Statement of reasons
Where they
have a user’s electronic contact details, Hosting ISPs must provide users with a clear and specific
statement of reasons
for restrictions imposed where the user’s information is illegal content
or incompatible with the ISP’s Service Terms (except commercial spam).
Notification of suspicions of criminal offences
Hosting ISPs
which become aware of any information giving rise to a suspicion that a
criminal offence involving a threat to the life or safety of a person or
persons has taken place, is taking place
or is likely to take place,
must promptly inform the authorities of the Member State(s) where the offence
is suspected to take
place, where the suspected offender is based or where the victim is
based or the authorities in its home Member
State and/or Europol.
Section
3 - Additional provisions applicable to Online Platform Providers (Hosting)
The term
‘online platform’ means a hosting service that stores and disseminates
information to the public at the user’s request.
This term excludes
an activity that is a minor and
purely ancillary feature of another service
or a minor functionality of the principal service and, for objective
and technical reasons, cannot be used without that other service, so long as that
integration of the feature or functionality into the other service is not a
means to circumvent the applicability of the DSA.
Exclusion for micro
and small enterprises
This Section does not apply to OPPs
that qualify as micro or small enterprises or that previously qualified as a micro
or small enterprise for 12 months after losing that status (unless they are VLO
platforms).
Internal complaint-handling system and Out-of-court dispute
settlement
An OPP must give the user and any other
complainant access to its complaint-handling system to lodge a complaint,
electronically and free of charge for at least 6 months, where the
provider notifies a user of a decision that information provided by the user constitutes illegal content or
is incompatible with its Service Terms, so long as that decision affects whether or not to remove or disable
access to or restrict visibility of the information; suspend or terminate the provision of all
or part of the service; or
suspend or terminate the user’s account or ability to monetise the information provided by the user.
Wrongful
decisions must be reversed without undue delay.
OPPs must
inform complainants without undue delay of their reasoned decision in respect
of the information to which the complaint relates and options to resolve any
dispute.
These decisions
must be under the supervision of appropriately qualified staff, and not solely
automated.
Both parties
must engage with the selected
certified out-of-court dispute settlement process in good faith,
but providers may refuse to engage if a dispute
has already been resolved concerning the same information and the same grounds. Out of
court settlements cannot be imposed as binding settlements, however.
If the
out-of-court resolution favours the user, the OPP must pay all the fees charged
by the alternative dispute resolution body, and reimburse the user for any
reasonable expenses it has paid in relation
to the dispute settlement.
If the dispute
settlement favours the OPP, the user is not required to reimburse the OPP for
any fees or other expenses paid or payable in relation to the dispute
settlement, unless the user manifestly acted in bad faith.
Fees
charged to OPPs by out-of-court dispute settlement bodies must be reasonable
and not exceed the costs incurred
by the body.
For users,
the dispute settlement shall be available
free of charge or at a nominal fee.
Trusted flaggers
The status
of ‘trusted flagger’
under the DSA must be awarded
by Digital Services Coordinator of the Member
State in which
the applicant is established
where the applicant: has particular expertise and competence for the purposes
of detecting, identifying and notifying illegal content;
is independent from any
OPP; and carries out its activities for the purposes
of submitting notices
diligently, accurately and
objectively.
OPPs shall
take the necessary technical and organisational measures to ensure that notices
submitted by trusted flaggers, acting within their designated area of expertise are given priority and
are processed and decided upon without undue delay.
Trusted
flaggers must publish at least once annually easily comprehensible and detailed
reports on notices they submitted during
the relevant period.
Measures and protection against misuse
Having issued
a warning, OPPs must suspend their services
to users that frequently
provide manifestly illegal content, for a reasonable period of time. This
applies also to the processing of notices and complaints by complainants that frequently submit manifestly
unfounded notices or complaints that are manifestly unfounded.
Transparency reporting obligations for OPPs
OPPs shall report to the local authorities: the
number of disputes submitted to the out-of-court dispute settlement bodies; the outcomes
of the dispute settlement; the median time needed for completing the dispute
settlement procedure; the share of disputes where the OPP implemented the
decisions of the body; the number of
suspensions imposed for the provision
of manifestly illegal
content, the submission of manifestly unfounded notices and the submission of
manifestly unfounded complaints.
OPPs must publish
for each online platform or online search engine information on the average
monthly active users in the EU, calculated as an average over the period of the
past six months and in accordance with the any specified methodology. Such up
to date information must also be provided to the local Digital Services Coordinator and the Commission, upon their request
and without undue delay.
Digital Services
Coordinators must inform the Commission when an OPP or online search engine provider meets the threshold of average monthly
active users for designation under the DSA.
Online interface design
and organisation
OPPs must not
design, organise or operate their Online Interfaces in a way that deceives or manipulates users or in a way that otherwise materially distorts or impairs
the ability of users to make free and informed decisions. This does not apply
to practices covered by GDPR or the
Directive on unfair business-to-consumer practices.
Advertising on online platforms
For each
specific advertisement presented by an OPP to each individual user on its
Online Interface the OPP shall ensure that the user is able to identify, in a clear, concise and unambiguous manner and in real time: that the information is an advertisement; the advertiser (and the person who paid for the ad
if different from the advertiser); the main parameters used to determine the user
to whom the advertisement is presented and how to change those parameters, if
applicable.
OPPs must provide users with a functionality to declare whether the content they
provide is or contains commercial communications; and must ensure that other users can identify that content is or contains commercial communications,
as described.
OPPs must not
present advertisements to users based on ‘profiling’ using ‘special categories’ of personal data,
as defined in GDPR.
Recommender system transparency
A
‘recommender system’ is a fully or partially automated system used by an online
platform to suggest specific information to users or prioritise that information in its Online
Interface, including as a result
of a user’s search or otherwise determining the
relative order or prominence of the information.
OPPs that use recommender systems must set out in
their Service Terms in plain and intelligible language the main
parameters used and any options for the users to modify or influence those
parameters, including at least: the criteria which
are most significant in determining the information suggested to the user; and the reasons for the relative
importance of those
parameters.
Where several
options are available
to determine the relative
order of information presented to users, the user must be allowed to select and modify
their preferred option at any time in the specific section where the
information is being prioritised.
Online protection of minors
OPPs
accessible to minors must have appropriate and proportionate measures
to ensure ‘a high level’
of privacy, safety,
and security of minors;
and must not present ads based on profiling users’ personal data when they are reasonably certain
that the user is a minor
(without having to process additional personal
data to assess whether the user
is a minor).
Section
4 - Additional provisions applicable to E-commerce Platforms
Exclusion for micro
and small enterprises
This Section applies
to OPPs that allow consumers
to conclude distance
contracts with traders (“E-commerce Platform Provider”
or “EPP”), including those that have been designated as VLO platforms.
But it does not apply to EPPs that qualify as micro or small enterprises or that previously qualified as a micro or small enterprise for 12 months after
losing that status (unless the traders are VLO platforms).
Traceability of traders
EPPs shall
ensure that traders can only use those online platforms to promote messages or offer
products or services
to EU-based consumers if the EPP has first obtained the trader’s
contact details, identity document, payment details, membership of any trade
body and self-certification by the trader committing to only offer products or services that comply with the applicable rules of EU
law.
EPPs must use
best efforts to assess whether the information is reliable and complete,
through the use of any freely accessible official online database or Online
Interface made available by a Member
State or the EU
or by requesting the trader to provide supporting documents, but traders
are liable for the accuracy of the information provided. If the trader fails to
provide the required information, the OPP must suspend service to the trader
until it does. The trader must have the right to lodge a complaint (without
prejudice to the requirements for restriction, suspension or termination under
the Regulation on fairness and transparency for online traders).
EPPs must
store the information for six months
after the end of the contractual relationship with the trader
concerned, then must delete the information. The EPP may only disclose the information to third parties where so
required in accordance with the applicable law, but must make certain information available on its online
platform to users
in a clear, easily accessible and comprehensible manner, at
least where information on the product or service is presented.
Compliance by design
EPPs shall ensure that their
Online Interfaces are designed
and rganized in a way that enables traders to comply with their obligations regarding pre-contractual information, compliance and product safety information under applicable EU
law, including contact and labelling information.
EPPs must
also make reasonable efforts to randomly check in any official, freely accessible
and machine-readable online database or Online Interface whether the products
or services offered have been identified as illegal.
Right to
information
Where an EPP becomes aware that an illegal
product or service has been offered by a trader to
EU-based consumers through its services,
that provider must inform consumers who purchased the illegal product or
service (if the EPP has their details) within the preceding six months that the product or service is illegal;
the identity of the trader;
and any relevant
means of redress.
If the EPP does not have the
contact details of all consumers concerned, it must publish the information in
a way that is easily accessible on its Online
Interface.
Section
5 - Additional obligations for providers of VLO platforms and of VLO
search engines
Risk assessment and mitigation
VLO Providers
must diligently identify, analyse
and assess any systemic risks in the EU
stemming from the design, functioning or use of their
service and its related systems at least annually and prior to deploying
functionalities that are likely to have a critical impact on those risks.
The risk assessment must be specific to their services and proportionate to the
systemic risks, taking into consideration their severity and probability. The supporting documents
must be held for at least three years and be provided on request to the
Commission and local Digital Services Coordinator.
VLO providers
must have reasonable, proportionate and effective mitigation measures, tailored
to the specific systemic
risks identified, with particular consideration to the impacts of
such measures on fundamental rights.
Crisis response mechanism
Where extraordinary circumstances lead to a serious threat to public
security or public
health in the EU (‘crisis’),
the Commission can require VLO providers to assess whether, and if so to what
extent and how, the functioning and use of their services significantly contribute to a serious threat; identify and apply specific,
effective and proportionate measures to prevent,
eliminate or limit any
such contribution; and report to the Commission on the assessments, on the measures taken.
Independent audit
VLO Providers must be independently audited at least once
annually at their own expense to assess compliance with the above obligations; any commitments undertaken pursuant to codes of conduct
adopted under the DSA and the crisis protocols for extraordinary
circumstances affecting public health and security.
The auditors
must be independent and not have any conflicts of interest with the
VLO Provider or any legal person connected to that provider (no non-audit
services related to the matters audited or any
legal person connected
to that provider in the 12 months
prior to the beginning of the audit and no commitment to providing them with
such services in the 12 months’ after; not provide
the auditing services for longer than 10 consecutive years; fees cannot be contingent on the result of the
audit; must have proven expertise
in the area of risk management, technical
competence and capabilities, as well as having proven objectivity and professional ethics,
based in particular on adherence to codes of practice or appropriate
standards.
An audit
reports must be substantiated, in writing, and shall include certain
specified information, including an opinion that is either ‘positive’,
‘positive with comments’ or ‘negative’; with operational recommendations on specific measures to achieve compliance
and the recommended timeframe to achieve compliance.
The VLO Provider then has a month to adopt a report setting out the
measures necessary to implement recommendations or justify not doing so.
Recommender systems
VLO
Providers must provide at least
one option for each of their recommender systems which is not based on profiling as defined in GDPR.
Additional online advertising transparency
VLO Providers
who present advertisements on their Online Interfaces shall compile and make
publicly available in a specific section of their Online Interface (through a
searchable and reliable tool that allows multicriteria queries) and APIs, a
repository containing certain information about the ads for the entire period
during which the ad is presented until one year afterwards, making reasonable efforts to ensure
that the information is accurate and complete,
including whether the advertisement was intended to be presented specifically to one or more particular groups
of users and if
so, the main parameters used for that
purpose including where
applicable the main parameters used to exclude
one or more of such
particular groups; and the total number
of users reached,
broken down by Member State; and where a specific advertisement was
taken down for illegality or incompatibility with the VLO Provider’s terms and
conditions, the repository shall instead
include the information required for statements of reasons or the legal
basis for take-down orders.
Data access and scrutiny
VLO Providers
must provide their home Digital Services Coordinator with access to data
necessary to monitor and assess compliance with the DSA within a reasonable period specified in any request,
which may only be accessed for the purpose of monitoring and assessing
compliance with the DSA and the DSC must take due account of the rights and
interests of the VLO Providers and the users
concerned, including the protection of personal data, confidentiality,
trade secrets, and security of the VLO service. VLO Providers must explain the
design, logic the functioning and the testing of their algorithmic systems,
including their recommender systems; and provide access to ‘vetted researchers’
conducting research that contributes to the detection, identification and
understanding of systemic risks in the EU and assessment of the adequacy,
efficiency and impacts of the risk mitigation measures.
Compliance function
VLO Providers
must have a compliance function that
is independent from their operational functions and composed of one or more
compliance officers with sufficient authority, stature,
qualifications, knowledge, experience, ability, resources and access to
the management/board to monitor the VLO Provider’s compliance with the DSA and
carry out certain specified functions. The head of compliance must report directly to the management body and cannot be removed without
prior approval of the
management body.
The management body of the VLO
Provider shall: define,
oversee and be accountable for the implementation of the provider's
governance arrangements that ensure the independence of the compliance
function, including the division of responsibilities within the organisation of
VLO Provider, the prevention of conflicts of interest, and sound management of
systemic risks; approve and review at
least annually, the strategies and policies for taking up, managing, monitoring
and mitigating the risks; and devote sufficient time to the consideration of mitigation
measures and ensure that adequate
resources are allocated to risk management.
Transparency reporting obligations
VLO Providers
must publish their transparency reports at least
every six months (rather than annually) with certain additional
information, including the human resources that the provider of VLO platforms
dedicates to content moderation; the qualifications and linguistic expertise of moderators; and indicators
of accuracy and related information on the use of automated content moderation, each broken down by each official language
of the Member State(s) where
its services are offered.
Supervisory fee
Each VLO
Provider will be charged an annual supervisory fee that takes into account
the costs incurred in the previous year; is
proportionate to the VLO Provider’s number of average
monthly active users in the
EU; but must not exceed 0,05 % of its worldwide annual
net income in the preceding financial
year.