By Vikrant Rana, Anuradha Gandhi and Rachita Thakur
The European Union enacted the Digital Services Act (hereinafter referred to as the “DSA”) which came into force on November 16, 20221 to harmonize content regulations across the EU region and create streamlined process for online content moderation.
The DSA include rules that that concern online intermediaries and platforms such as E-commerce, social media, content sharing platforms, app stores and online travel and accommodation places. DSA is a part of the European Union’s effort to expand its digital regulatory framework to address the challenges posed by online services and must be read in consonance with the Recital 10 of the General Data Protection Regulations2 and the ePrivacy Directive3 as governing rules for personal data protection rules.
Why is DSA a major breakthrough?
The kind of transformation that digital services have brought in the lives of people is remarkable. With the benefits that stream from digital services, there are various concerns that also hover around, since these online services are being misused by manipulative algorithm systems to spread disinformation amongst the masses.
The European Union has adopted a modern legal framework that ensures to lay down of procedural obligations for online platforms to tackle illegal activities, provide fully harmonized measures to incentivize actions of service providers, enhance transparency, and address a wider set of risks that emerge. The DSA also provides for asymmetric measures with stronger obligations for Very Large Online Platforms thereby establishing a liability regime for online intermediaries with reinforced oversight and enforcement.4
The Digital Markets Act
The DSA along with the Digital Markets Act (hereinafter referred to as the “DMA”) form a single set of rules that apply across the EU to create a digital space in which fundamental rights of users of digital services can be protected and to foster growth, innovation and competitiveness in the market, both in the EU as well as globally.
The DMA establishes narrowly defined objective criteria for qualifying a large online platform as a ‘gatekeeper’. The criteria are applicable to a company if it:
a. Has a strong economic position and significant impact on the market;
b. Has a strong intermediation position, meaning that it links a large user base to a large number of businesses;
c. Has remained stable over time and meets the above two criteria in the last three financial years.
The issues that led to the emergence of ‘gatekeeper platforms’ include:5
(i) Weak contestability and competition in platform markets;
(ii) Unfair business practices;
(iii) Fragmented regulation and oversight of market players operating in the market.
Need for the new Legislation
The new Acts were enacted to address the following issues and problems:6
1. Increasing exposure to harmful and illegal activities online – Sale of illegal goods, unsafe toys, and counterfeit products. Dissemination of illegal content such as infringement of IP rights, child sexual abuse and material abuse, terrorist content, illegal hate speech and targeted advertising;
2. Lack of standard mechanism for national authorities to communicate and coordinate with each other;
3. Legal fragmentation and barriers for digital services – Emergence of few large platforms as gatekeepers in the digital markets with the power to act as private rule-makers acting as barriers in the internal markets, especially for SMEs, including start-ups.
Timeline for application
A transformation period is allowed to the social media intermediaries that is to say, the DSA will be made applicable from fifteen months or January 1, 2024 across the European Union. The online platforms were required to publish the number of active users by February 17, 2023 basis which the platforms will be designated as Very Large Online Platform (VLOPs) or Very Large Online Search Engine (VLOSEs). Then these services will have 4 months to comply with the provisions of the DSA that include carrying out the first annual risk assessment.
The DMA came into force on November 01, 2022. For the purposes of implementation of DMA, the companies were required to disclose information about their number of users so that they could be designated as ‘gatekeepers’. These Gatekeepers would then have to be in compliance with the obligations under the DMA until March 2024.7
EU notifies 19 social media platforms under the Digital Services Act
The European Union (hereinafter referred to as the “EU”) has confirmed the names of 19 social media platforms with more than 45 million users, as VLOPs. The 19 entities include five subsidiaries of Google’s parent alphabet, two units of Meta, two units of Microsoft, Apple’s Appstore, Twitter and Alibaba’s AliExpress.8
However, the step has not been perceived as welcoming since two of the companies, that is, Amazon and Zalando, have challenged the EU’s list of VLOPs. Amazon has challenged the decision of the European Commission on the pretext that it does not fit in the definition of a VLOP since it mainly sells products and not advertise them.9
This list of 19 entities mean that companies designated as VLOP will have added responsibilities to protect their users from illegal content and products over the internet. The VLOPs have to maintain and provide access to ad repositories allowing researchers, civil authorities and to inspect how ads are displayed and how they are targeted. They are further required to assess how their advertising systems are manipulated or otherwise contribute o societal risks, and take measures to mitigate risks.
Penalties and Obligations under the DSA?
The DSA imposes fines on companies with up to 6% of their global turnover for violating the rules. Repeated instances of breach of provisions of the rules under the DSA can also result in a complete ban from doing business in the EU.
The DSA primarily requires online platforms to take measures to prevent and remove illegal or harmful content online. The further prohibits online platform from using a person’s sensitive data such as sexual orientation, religion, ethnicity or political beliefs as criteria for targeted advertising.
For platforms that reach more than 45 million users per month have to share their data with researchers and authorities, cooperate with crisis response requirements and undergo external and independent audits.
Ensuring privacy and addressing dark patterns in the European Union
DSA is primarily an attempt to curb adoption of dark patterns by online platforms and defines ‘dark patterns’ as a design technique or mechanism that push or deceive consumers into decisions that have negative consequences on them. DSA specifically prohibits deceptive and nudging techniques, including dark patterns that could distort or impair a user’s free choice and consent by urging the users to make a decision.
Data Governance in India
India, too is constantly working towards developing a robust legal framework for services provided in the digital sector.
The Information Technology (Intermediary Guidelines and Digital Media Ethics Code), Rules 2021
Formed under the Information Technology Act, 2000, the Information Technology (intermediary Guidelines and Digital Media Ethics Code) Rules, 2021(hereinafter referred to as the “IT Rules”) were enacted to protect the constitutional rights of ‘Digital Nagriks’ thereby enhancing due-diligence requirements and ensuring accountability of social media and other intermediaries.10
To read more about the IT Rules and Sexual Harassment in online games, click on the link: https://ssrana.in/articles/sexual-harassment-online-games/ ]
ASCI’s Guidelines on Dark Patterns
The Advertising and Standards Council of India (ASCI) a self-regulatory body has released the Guidelines on Online Deceptive Design Patterns in Advertising (hereinafter referred to as the “Guidelines”) with the aim to regulate the use of dark patterns in digital advertising. ASCI has also released the Code for Self-Regulation of Advertising content in India prohibiting misleading and offensive advertisements that do not represent the true nature of products.
[T read our article on Dark Patterns: The ‘Sinisterville’ of Digital Advertising and Marketing, kindly click on the link: https://ssrana.in/articles/digital-advertising-marketing-dark-patterns/ ]
The Digital Data Protection Act, 2023- India’s framework to regulate Digital Services
India has recently enacted the Digital Personal Data Protection Act, 2023 (hereinafter referred to as the “DPDP Act”) to regulate processing and use of personal data of individuals by the Data Fiduciaries. The Act, however, awaits notification of Rules by the Central government for its implementation.
The DPDP Act is enacted to set up a mechanism for processing of digital data and protect the rights of individuals to protect their personal data.
[To read about the DPDP Act in detail, kindly click on the link: https://www.barandbench.com/law-firms/view-point/the-digital-personal-data-protection-act-2023-a-scenario-of-arising-liabilities-2#:~:text=The%20Act%20imposes%20hefty%20penalties,to%20prevent%20personal%20data%20breach ]
Given that India’s legislation on data protection and privacy is majorly inspired by the European Union’s General Data Protection Rules and DSA, the Act and the ASCI’s Guidelines come as a welcome step to put a cap on the unauthorized, illegal, and uncontrolled information prevailing in the digital economy. With these progressive steps, the social media online platforms and intermediaries are made accountable for breach of their obligations under both the EU’s as well as India’s laws.
2 Recital 10 of GDPRs talks about the application of consistent and homogenous rules for the protection of the fundamental rights and freedom of natural persons with regard to the processing of personal data.
3 Eprivacy Directive is a legal instrument for privacy in the digital age more specifically to confidentiality of communications in the digital space. The e-privacy directive complements the General Data Protection Regulations in the European Union.
4 Executive Summary of the Impact Assessment Report, Commission Staff Working Document, Proposal for Regulation of the European Parliament and of the Council on a Single Market for Digital Services (Digital Services Act) and amending Directive 2000/31/DC, European Commission
5 Executive Summary of the Impact Assessment Report, Commission Staff Working Document, Proposal for Regulation of the European Parliament and of the Council on contestable and fair markets in the digital sector (Digital Markets Act), European Commission