Digital platforms are a particular case of the broader platform category and thus have distinct characteristics. At the same time, they come in different forms and shapes. Putting them into a single box is not a piece of cake. Indeed, the devil is in the details. That is undoubtedly a challenge for policymakers and regulators.
But before taking an expeditious regulatory dive, we must consider what drives legislative and regulatory efforts. Four core drivers can be pinpointed .
1. Content. Many digital platforms facilitate the global creation, distribution and sharing of immense data and information. However, some of that content might infringe existing laws, including IPR, criminal behavior, terrorism and other similar activities. Since platforms are not liable for the content users create and share, regulation (including self-regulation) seems the only effective way to address the issue. Content is one of the main drivers of existing platform regulatory initiatives.
2. Competition. Large digital platforms benefit from winner-takes-mostly-all effects, thus eating a large part of the pie and leaving breadcrumbs for the rest to share. They can also buy out competitors and exercise undue market power in some sectors. Antitrust legislation seems the most adequate here, but new approaches might also prove effective .
3. Fiscal gaps/Taxation. Platforms freely operate in many countries, regardless of whether they have legal representation in each of them. They disintermediate local markets while centralizing digital intermediation under their wings. The impact on local enterprises and news media can be profound. Moreover, they are not subject to local taxation despite profiting from local users.
4. Digital Sovereignty. Digital technologies have become critical players in the overall development of nations while potentially propelling increased living standards and human development. From that perspective, developing or strengthening a local digital technology ecosystem must be on the table. The recent AI advances are just another reminder of the importance of setting related national policies and legislation. Current legislations by the EU, India and China are geared in such a direction .
While countries can opt for any of the above in parallel or sequentially, Digital Sovereignty is hardly ever explicitly mentioned. It is thus seen as the long-term outcome propelled by the other three.
According to some observers, the EU is the global leader in platform regulation . And it also leads the pack with the ongoing AI legislative process expected to be approved early next year .
Building on the success of the GDPR, enacted in 2018, the EU was then hard-pressed to update older digital legislation, such as the 2000 E-commerce Directive (ECD). Back then, platforms were barely in existence. Twenty years later, they had become too big and powerful, while the ECD looked like an old and rusty percolator. The Union opted to develop two interrelated pieces of legislation, the Digital Services Act (DSA) and the Digital Markets Act (DMA) . The DSA is a content-driven legislation, while the DMA tackles competitive markets. I will focus on the DSA to showcase how the EU defines platforms and summarize the scope of the new regulations.
Of course, the EU is well aware of the platform discussions I shared in the previous two parts of this post. And since the DSA is centered on content, the starting point is Intermediary Service Providers (ISPs, not to be confused with Internet Service Providers) that disseminate data, information and knowledge to the public as part of their core business without demanding any direct action by the service end user. Off the bat, platforms such as Uber and Airbnb and interpersonal communication systems that require users’ inputs fall off the radar screen. The goal is to control the flow of illegal content, which comprises content, products, services and activities that break existing EU laws. The scale of the ISPs’ reach is also critical as they could potentially reach a substantial part of the EU’s population, thus having a more significant overall impact.
So, how does the DSA capture all other two-sided and multisided platforms? It deploys a nifty three-tier classification depicted via not-so-nifty language. ISPs can be “mere conduit,” “caching,” or “hosting” in nature. The first encompasses all those who provide network and telecommunication services such as Internet exchange points, mobile access points, VPNs, DNS services, certificate authorities and VoIP providers, among others. “Caching” ISPs include proxy and caching services and content delivery networks. Hosting includes data centers, cloud providers and online platforms. The latter, in turn, comprise social networks, search engines, and ISPs that allow trade between businesses and consumers. The figure below summarizes the DSA ISP approach.
Source: Author’s elaboration
Indeed, the DSA scheme is quite comprehensive and covers all bases, from when a user connects to the Internet using a given operating system, a browser, a VPN, and an Internet service provider to when it accesses a given online platform whose data and applications are sitting on the cloud or an edge data center nearby, whether owned or not by the platform. All these players are thus subject to DSA regulations. All these actors in the content network are thus subject to DSA regulations or “obligations,” the word the legislation text uses throughout.
Since online platform size is critical, the DSA introduces criteria to distinguish between online platforms and very large online platforms (VLOPs) and very large online search engines (VLOSEs). Online platforms with over 45 million users, or 10 percent of the EU’s population, fall under such rubrics. The European Commission has identified 19 ISPs as VLOPs/VLOSEs, including the usual suspects. However, I was surprised to see Wikipedia, a non-profit platform, included in the list.
In any event, we then end up with five overall regulatory categories. 1. All ISPs .2. Hosting ISPs. 3. Online platforms. 4. Online platforms doing e-commerce or e-businesses via “distant” (virtual) contracts. And 5. VLOPs/VLOSEs. And the DSA regulations are applied cumulatively, like an onion, starting with the first category. The table below summarizes the number of obligations by ISP grouping.
Note that the five OPs “distant contract” obligations only apply to VLOPs and VLOSEs undertaking the same practice. The latter then end up with 38 obligations, three inherited from previous layers but containing further requirements. Obligations range from having legal representation in the Union to compliance functions, risk assessments, and audits.
As expected, the debate on DSA effectiveness has already started . Some argue they will overburden small and medium sizes and are difficult to implement in practice and cohesively across the Union. Others are still celebrating the historic feat. And they should. Expect other countries to follow suit. The era of digital technology regulation has finally started.