New legal requirements on businesses

The internet has changed the world. In the last two decades, the emergence of new technologies, kinds of business and ways of working has turned our lives up-side-down and decisively affected how we work, shop, travel, eat or book a holiday.

The E-Commerce Directive, the cornerstone of the digital common market was adopted in 2000 – at a time when platforms like Amazon, Google and Booking.com were still in their infancy and Facebook, AirBnB and Instagram didn’t even exist. 

To keep up with these developments, the EU is bringing in a new legal framework. The idea behind it is to lay down guidelines for the digital world, including online platforms, and thus ensure a better and more secure digital environment for users and businesses across the whole of the EU.

So, the European legislature has introduced a raft of new laws with wide-reaching regulation of platform operators aimed at ensuring that competition is fair, cracking down on illegal content, strengthening consumer rights and building a European data economy. The Digital Markets Act, Digital Services Act, Data Act and AI Act are briefly described below.

Digital Markets Act

The Digital Markets Act (DMA), which came into force on 1 November 2022, has been directly applied since 2 May 2023 after a transitional period. Particularly “powerful” platform operators, known as gatekeepers, are placed under various duties. The objective is to open more opportunities in the digital economy to competitors of the large digital companies, business users of digital platforms and consumers through more fairness (instead of having the rules dictated to them unilaterally) and by putting limits on certain business practices. 

The list of rules on combining data includes not allowing gatekeepers to combine personal data from their platforms with other services or to use them generally or to process end-users’ personal data from third-party services that use a gatekeeper’s platform service for advertising purposes. Other duties concern not giving preference to their own services, coupling different services of a gatekeeper together, limiting possibilities to switch, imposing excessive conditions on cancelling the service and interoperability. It is also forbidden to prevent business users from offering end-users the same products and attracting them at better conditions on other channels.

Gatekeepers have to provide evidence of their compliance with these rules. They are subject to a duty to provide detailed reporting and must set up a compliance function within their organisation equipped with substantial powers that is responsible for internally monitoring the duties under the DMA.

Digital Services Act (DSA)

The Digital Services Act has been in force since 16 November 2022, with a transitional period up to 17 February 2024. The objective is to reinforce consumer protection by creating a legal framework for such things as online intermediary services (digital services with an infrastructure network such as internet access providers, access, caching and hosting providers) and online platforms, which store and publicly distribute information on the user’s behalf and thereby connect sellers and consumers, such as online marketplaces.

While the DMA has more the characteristics of anti-trust and competition law, the DSA focuses more strongly on consumer protection. The basic rules of the DSA aim to provide a basic level of transparency and responsibility. Requirements particularly concerning organisation and procedures are introduced to counter the spread of illegal content, fake news and hate speech. To make contact easier, businesses are to set up a single contact point for responsible authorities and users. Other basic rules place requirements on designing terms and conditions of business in a transparent, understandable and user-friendly way. There are also extensive obligations concerning the transparency of the advertising on online platforms. It has to be clear to users that the information they are shown is actually advertising, who it is being posted for and which natural or legal persons are financing the advertising. Particular rules further apply to personalised advertising. 

Data Act

The European Data Act is expected to be adopted at the end of the year, or the start of 2024 at the latest. The objective of the Directive is to standardise the legal basis for a European data economy and to make users’ (consumers’) and businesses’ access to data easier. The Act provides for a triangular relationship between the manufacturer of a data-generating product or service, the user and a recipient, in using generated data.  

The example can be taken from the automotive sector that until now insurance companies and independent garages have not had access to certain data from present or future cars to be able to carry out repairs, etc. By incorporating incentive schemes into their contracts with the users of the digital product/service they would prompt them to exercise their claim against the manufacturer (data owner) to have the data disclosed and receive access to certain data for set purposes as a data recipient.

This raises a host of questions for businesses that they will have to deal with to ensure their competitiveness. Because, under the Data Act, businesses can be both obliged parties and beneficiaries. Duties are placed on the manufacturers and providers of digital, data-generating products and services, in particular, that affect the design and development of the product/service (data access by design) to give the Data Act the widest level of application.  The arrangement of the contractual relations between manufacturers/providers, users and potential data recipients is also a particular focus. This includes the duty to disclose data or the duty for businesses to have the way to obtain data from devices and services for which they have not until now had access, data which they need to develop their business models.

AI Act

Artificial intelligence continues to make huge strides forward. The Regulation laying down harmonised rules on artificial intelligence (the Artificial Intelligence Act) is expected to be applied in respect of the development and use of AI systems from the end of 2023/start of 2024 for AI systems for such things as processing language, customer analysis, personalised advertising, price optimisation and chatbots, all the way to HR tools like those used to select applicants and perform analysis of staff. 

Taking a risk-based approach, according to which AI systems are categorised into different risk classes, the rules of the AI Act cover manufacturers, operators and users, depending on the risk of the AI system involved. These duties are accompanied by rules on legal enforcement and supervision of compliance with the AI Act as well as a schedule of fines containing various levels of sanctions.