Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

EU: European Commission launches Digital Services Act package consultation

On 2 June 2020, the European Commission ('the Commission') initiated its public consultation on the Digital Services Act1, a landmark package that is considered key in shaping Europe's digital future. The purpose of the proposed Digital Services Act is to update, strengthen, and harmonise the current EU regulatory framework for digital services that dates back to the EU Directive 2000/31/EC regarding Certain Legal Aspects Related to Services of the Information Society in the Internal Market, with Particular Reference to Electronic Commerce ('the eCommerce Directive') from 2000. The reform package will also consider the liability regime for online platforms and measures to 'level out the playing field' from an EU competition law perspective. William Long and Lauren Cuyvers, from Sidley Austin LLP, consider the Digital Services Act and how this may affect digital services across different Member States in the future.

wayra / Signature collection / istockphoto.com

Scope

The Digital Services Act package applies to digital services or 'information society services' within the meaning of the eCommerce Directive, which are broadly defined as 'services provided through electronic means, at a distance, at the request of the user.' The Commission's consultation focuses on online platforms in particular, which include businesses such as ecommerce market places, social networks, as well as online streaming and collaborative economy platforms. The current legal framework applicable to digital services had remained materially unchanged since the adoption of the eCommerce Directive. However, the rise of new developments (social media, blockchain) and challenges (more harmful and illegal online content, and online distribution of illegal products) warranted a new legislative initiative. Moreover, the Commission rightfully considered that the current eCommerce Directive, which requires implementation into EU Member State law, leads to fragmentation and legal uncertainty.

Online platform liability reform

Studies have shown that the current liability regime for online platforms under the eCommerce Directive varies greatly from one Member State to another, and there is a need for harmonisation. Under the eCommerce Directive, online intermediaries who host or transmit illegal content provided by a third party (e.g., platform users) are exempt from liability unless they are aware of the illegal nature of the content and are not acting adequately to stop it (e.g., perform a 'notice and take down'). As such, the current regime, referred to as the 'safe harbour' exemption, is mainly characterised by self-regulation.

The Commission is considering a reform of the liability regime that may vary from simply clarifying the current regime, to putting in place an actual secondary liability regime for online platforms.

Firstly, the Commission is considering an extension of the scope of the current eCommerce Directive for the secondary liability regime to encompass both 'illegal' and 'harmful' content, and potentially also 'online disinformation' and 'online advertisements.'

Secondly, it will have to consider and clarify whether the new digital service providers, such as online advertising services, social networks, and online marketplaces, could or could not rely on the safe harbour regime. Related obligations, such as 'notice-and-take-down' and 'automated filtering' will also need to be taken into account.

Thirdly, the Commission may take the opportunity to enshrine a 'Good Samaritan' clause, which refers to situations where hosting providers take proactive steps to detect, remove, or disable access to illegal content and will not face punishment for this. Essentially, such a clause is meant to incentivise online platforms to reinforce their control and take more active steps in respect of the content they host in order to reduce harmful content online.

Competitor data access/portability requirements

In line with the overall trend of the proposal to correct market imbalances from a competition law perspective, the Commission is also considering introducing a set of supplementary obligations for online platforms that have a significant position in the market. Those supplementary obligations are expected to consist of regulatory requirements on data access and data portability. The Commission recognises the power of data in the market, and the role it can play in leveraging network effects to enforce a market position. These regulatory obligations could, in turn, exist in data being made available or ported from a strong market player to a weaker market player in light of fair competition.

As such, the Commission is also exploring whether the new framework should go beyond the rules of the GDPR, which only requires organisations to grant access or transfer personal data to individuals who exercise their rights under the GDPR. The regulatory requirement to grant access/transfer data under the present consultation would be broader in scope and involve more of a risk assessment of (i) whether the data would be disclosed to competitors (not individuals) and (ii) if it would involve disclosing large sets of data (as opposed to data related to a single individual).

Data privacy and other implications

There are a number of issues organisations would have to tackle and take into account when handling these regulatory access/portability requests. Firstly, they would have to assess the redaction of trade secrets and confidential business information, taking into account that the data will be shared with a competitor.

Secondly, an organisation would want to consider whether complying with this requirement violates any of its other (regulatory or contractual) obligations. The organisation may, for instance, be prevented from sharing data under a data processing agreement it has with one of its customers. A processor processing personal data on behalf of a controller, for example, is usually contractually restricted to respond to these types of requests.

Thirdly, and most importantly from a data privacy perspective, the organisation should ensure that granting access to and/or transferring data to a competitor does not violate its requirements under the GDPR. Prior to granting access/transferring, organisations will need to consider the need for technical and/or organisational measures such as pseudonymisation/anonymisation and encryption, and for contractually restricting access rights (for example, to specific employees of the competitor who effectively have a need to process it). To the extent that the personal data is not anonymised, within the meaning of the GDPR, the sharing/transfer of data will have to comply with GDPR requirements, and organisations, both on the receiving and sharing end, will need to consider their transparency and transfer requirements, as well as the requirement to identify a legal basis for this processing activity.

Lastly, companies should consider whether they have the practical tools and internal capacity to handle these types of regulatory obligations. It is likely that both privacy and competition legal teams will have to be involved to ensure that only the data that is relevant for responding to the request is disclosed (cfr. the GDPR's data minimisation principle). Organisations will also have to identify a user-friendly sharing tool and a way to single out relevant data.

Next steps

At this stage, the Commission is still in the 'draft and design' phase. That said, its assessment is well advanced, and it plans to publish draft legislation by the end of 2020. Stakeholders are invited to submit their comments through the consultation2, set up in the form of a questionnaire, before 8 September 2020.

William Long Partner
[email protected]
Lauren Cuyvers Associate
[email protected]
Sidley Austin LLP, London and Brussels


1. See: https://ec.europa.eu/commission/presscorner/detail/en/ip_20_962
2. Available at: https://ec.europa.eu/eusurvey/runner/Digital_Services_Act